You can expand a safety PLC to protect an entire facility or implement multiple distributed PLCs. Covering the facility with one does yield the lowest cost per I/O point; however, it also means putting all your eggs in one climate-controlled basket. A safety PLC failure could put the whole plant at risk. In addition, necessary maintenance or testing potentially could impact the entire production unit.
Relays support a cost-effective distributed safety system that can be local to the specific equipment being controlled and monitored. Maintenance and testing of distributed safety systems only affect the local equipment these systems are designed to protect.
8. Application programming for modern safety PLCs is so easy that anyone can do it.
With drag-and-drop interfaces, function blocks and some training, almost anyone can program a PLC in some fashion. But translating critical safety logic into the PLC application program requires close cooperation among programmers, process control engineers, and operations and maintenance personnel.
This cooperation should include an upfront program specification agreed to by all prior to PLC programming. A non-existent or poorly documented application program specification can lead to badly executed programming with a significant negative impact on the risk reduction due to systematic failures. Disorganized and complex programming yields an application program that's difficult to understand, properly test and safely modify.
9. Only process safety must be under a management system that ensures its integrity.
Regulations for the protection of workers and the public mandate safety measures. No directives govern equipment protection or overall loss prevention — so, companies view such efforts as an optional business decision. However, a major non-safety-related event often can pose potential danger to personnel and equipment just like a safety-related one. Even when a non-safety-related event doesn't result in injury, a company can incur devastating losses from business interruption, equipment damage, repair costs, harm to its reputation, and disruption of supply to customers.
Compressors, pumps, heaters and boilers have many shutdown systems intended to prevent losses. While these systems aren't specifically covered by IEC 61511, you still should design and manage them to lower risk of a loss. IEC 61511 recognizes this benefit in Clause 1k, stating that it may be applied in non-safety applications such as asset protection. Where the equipment is process-critical, it's best to opt for a conservative design and use low-spurious-trip architectures.
Leading companies have found that comprehensively examining all potential losses and following sound loss-prevention practices generate value to their stakeholders.
10. As long as the SIS is designed to fail-safe, the design is optimal.
This concept became prevalent after the issuance of IEC 61511, which focuses on the safety aspects of the instrumentation design and management. The standard's concentration on failing safe is appropriate given its underlying purpose to support worldwide process safety regulations — but reliability is just as important as safety for many chemical processes.
Plant operators need trustworthy and reliable instrumentation. Many incidents have occurred because operators ignored information from instruments they perceived to be untrustworthy or because unreliable instruments had been bypassed to keep a process online.
The Center for Chemical Process Safety's "Guidelines for Safe and Reliable Instrumented Protective Systems" (CCPS IPS) considers reliability a key factor for process safety instrumentation. This book advises treating reliability as equal in importance to IEC 61511's safety integrity for instrumented systems.
11. If the SIS is configured to alarm on detected failure, the process is safe as long as repair is completed within the assumed mean time to repair.
An inherently safe design configures detected failure toward the trip condition and uses redundancy to achieve reliability. Configuring an SIS to alarm often increases the risk of loss of containment by at least an order of magnitude, because the SIS either is degraded in the case of a fault-tolerant SIS or disabled when no fault tolerance is provided.
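The difference between the two fault configurations can be seen in a small voter model, added here as an illustration and not taken from the original article. The channel states, the `sis_trips` function and the scenarios are constructed assumptions: a detected fault either counts as a trip vote or only raises an alarm and casts no vote.

```python
# Added illustration: M-out-of-N voting with two ways of handling a
# channel whose failure has been detected by diagnostics.
# All names, states and scenarios here are constructed assumptions.
NORMAL, TRIP, FAULT = "normal", "trip", "fault"


def sis_trips(channels, m, on_fault):
    """Return True if an M-out-of-N voter trips the process.

    on_fault="trip":  a detected fault counts as a trip vote.
    on_fault="alarm": a detected fault only alarms and casts no vote.
    """
    if on_fault not in ("trip", "alarm"):
        raise ValueError("on_fault must be 'trip' or 'alarm'")
    if not 1 <= m <= len(channels):
        raise ValueError("m must be between 1 and the channel count")
    votes = sum(
        1 for c in channels
        if c == TRIP or (c == FAULT and on_fault == "trip")
    )
    return votes >= m


# (label, channel readings, M). "demand" means the process really needs
# to shut down; a channel reading NORMAL during a demand has failed
# dangerously without being detected.
SCENARIOS = [
    ("1oo1, fault, no demand", [FAULT], 1),
    ("1oo1, fault, demand", [FAULT], 1),
    ("2oo3, one fault, no demand", [FAULT, NORMAL, NORMAL], 2),
    ("2oo3, one fault, demand", [FAULT, TRIP, TRIP], 2),
    ("2oo3, one fault + one undetected failure, demand",
     [FAULT, TRIP, NORMAL], 2),
]


def evaluate():
    """Return (label, trips_if_fault_votes_trip, trips_if_alarm_only)."""
    return [
        (label, sis_trips(ch, m, "trip"), sis_trips(ch, m, "alarm"))
        for label, ch, m in SCENARIOS
    ]


if __name__ == "__main__":
    for label, to_trip, to_alarm in evaluate():
        print(f"{label:50s} fault->trip: {to_trip!s:5s} "
              f"fault->alarm: {to_alarm}")
```

With fault-to-trip, the single-channel system shuts down on the fault itself while the 2oo3 system rides through it and behaves as 1oo2; with alarm-only, the single channel is disabled and the 2oo3 system behaves as 2oo2, so one further undetected failure defeats it.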