
YOKOGAWA

Yokogawa Electric Corporation

Safety World Tour vol.4

Safety and Availability

Hello, everyone. My fourth and final essay is about the safety and availability of safety instrumented systems.

“Safety” can be understood as a state where there is a continued absence of any threat that could cause injury or damage. For instance, I say that my car is in the safest condition when its engine is not running and it is parked in the garage at my house. It is still vulnerable to natural phenomena such as an earthquake or a lightning strike that causes a fire; however, these unexpected accidents are designated as external risks and are not addressed by industrial safety standards. These standards concern only internal risks which are managerial and controllable.

Then what does “safe” mean in industrial plants? A plant is safe when it is shut down, like the car that is safe when it is parked in my garage. The plant is physically in the safest condition when it is not in operation. However, this goes against the very purpose of the business.

There can be no business without the plant – investors invest in a plant so that it can produce products that will earn them money. “Safety first” is a fundamental rule in plant management. But when a plant is in operation, it is always exposed to some risks. “Safety first” is the idea of avoiding risks by controlling them so that the plant can be operated safely.


A safety instrumented system for industrial use is designed to meet certain standards to avoid various risks associated with plant processes. After reading my previous essays on safety loops and the safety life cycle, I assume that you understand this. But do you know how safety instrumented systems that have been designed based on these standards function?


The purpose of a plant safety instrumented system is to restore safety as quickly as possible when a dangerous situation occurs. Basically part or all of the plant’s operations are shut down when the safety instrumented system is activated. Then, what is a dangerous situation?

This certainly includes the generation of abnormal signals by a process, but not just that. Even when a process is in a normal state, a failure of a safety loop component will lead to an unnecessary plant shutdown initiated by the safety instrumented system.
The IEC defines this inability to detect a danger as “failure on demand” and uses it to quantitatively calculate the safety integrity level (SIL). “Probability of failure on demand (PFD)” refers to the likelihood of various components in the safety loops not being able to accurately detect a dangerous situation, and each instrument has its own PFD value.

Based on these PFD values, the SILs are then calculated. Suppose that you have finished all the PFD calculations and the safety loops in your plant meet the required safety standards. Do you think that your plant is now fully protected against all risks?


A spurious trip is one cause of an unexpected plant shutdown initiated by a safety instrumented system. Namely, if a safety loop component fails to function, the safety instrumented system is prompted to shut down that part of the plant’s operation. This is done because the failure of a particular safety loop can prevent the safety instrumented system from functioning properly. It does not guarantee plant safety.

Thus, the system shuts down the safety loop where the failure occurs. Furthermore, when one part of a process is shut down, it can cause shutdowns one after the other that affect other parts of the operation. In the worst case, the entire plant can stop operating.

If one were to apply to a car the idea of shutting down a process when safety cannot be guaranteed, the car’s engine would be switched off when its brakes cease to function correctly. Even when I am following all the traffic rules and driving my car safely, I could still die if my brakes failed. So shutting off the engine would be a necessary preemptive measure to ensure safety. At the same time, if this sort of thing happened too frequently, the car would be of no use.

Let us be reminded that SIL certification is a guarantee of safety. The design of the individual instruments in the safety loops, the configuration of the safety loops, and the life cycle functional safety provide a basis for maintaining plant safety. In other words, SIL certification indicates the reliability of a plant’s shutdown system. SIL certification is a guarantee that the system will prevent damage to the plant by shutting it down if the instrumentation in one of its safety loops fails.

SIL certification does not guarantee that the instrumentation is free of defects. I will go as far as to say that, even if the instrumentation frequently fails but the system functions properly to stop the process when an emergency occurs, SIL certification will be granted.

In actual operations, if the SIL-certified instrumentation in a plant’s safety loops fails frequently and causes the plant to shut down, it is of no use. Obviously, this instrumentation is not supposed to fail.


The mechanism of shutting down a plant safely is referred to as “safety” and the healthiness of the instrumentation that prevents spurious trips caused by failures is referred to as “availability.” Some people mistakenly think that SIL-certified instrumentation has high availability. But SIL certification bodies do not conduct availability audits of instrumentation. They confirm whether the instrumentation will be safe even if it fails. Knowledgeable plant managers evaluate their safety instrumented systems from both the “safety” and “availability” perspectives.
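To put numbers on the distinction between “safety” and “availability,” here is an added example (not from the original essay or from Yokogawa) that computes both figures for one sensor group under different voting arrangements. It goes beyond the single and duplex configurations the essay mentions; the failure rates are constructed sample values, the formulas are the common simplified approximations without common-cause failures or diagnostics, and the SIL is read from the PFD band alone.

```python
HOURS_PER_YEAR = 8760.0

def sil_from_pfd(pfd_avg):
    """Map an average PFD to the IEC 61508 low-demand SIL band (0 = below SIL 1)."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd_avg < upper:
            return sil
    return 0

def evaluate(voting, lam_du, lam_s, test_interval_h, mttr_h):
    """Return (PFDavg, spurious trips per year) for a group of identical sensors.

    lam_du: dangerous undetected failure rate per hour (drives PFD, i.e. safety)
    lam_s:  safe failure rate per hour (drives spurious trips, i.e. availability)
    Simplified approximations: no common-cause failures, no diagnostics.
    """
    x = lam_du * test_interval_h
    formulas = {
        "1oo1": (x / 2, lam_s),                      # single channel
        "1oo2": (x ** 2 / 3, 2 * lam_s),             # either channel trips
        "2oo2": (x, 2 * lam_s ** 2 * mttr_h),        # both channels must agree
        "2oo3": (x ** 2, 6 * lam_s ** 2 * mttr_h),   # two of three must agree
    }
    pfd, trips_per_hour = formulas[voting]
    return pfd, trips_per_hour * HOURS_PER_YEAR

def compare(lam_du=2e-6, lam_s=5e-6, test_interval_h=8760.0, mttr_h=8.0):
    """Evaluate all four arrangements with constructed sample rates (not vendor data)."""
    rows = {}
    for voting in ("1oo1", "1oo2", "2oo2", "2oo3"):
        pfd, trips = evaluate(voting, lam_du, lam_s, test_interval_h, mttr_h)
        rows[voting] = (sil_from_pfd(pfd), pfd, trips)
    return rows

if __name__ == "__main__":
    for voting, (sil, pfd, trips) in compare().items():
        print(f"{voting}: SIL {sil}  PFDavg={pfd:.2e}  spurious trips/yr={trips:.2e}")
```

With these sample rates, 1oo2 and 2oo3 land in the same SIL band, yet their spurious trip rates differ by several thousand times, which is why the SIL figure alone says nothing about availability.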


Yokogawa’s SIS logic solver, ProSafe-RS, inherits the same basic configuration of the CENTUM series of integrated process control systems (DCSs), which have proven for the past 30+ years to have high availability. Data collected over the last 10+ years show that, with its “pair & spare” architecture, CENTUM now has an availability that surpasses “seven 9s” (99.99999).


This pair & spare architecture has been applied to the ProSafe-RS input/output modules as well as to the CENTUM series CPU modules to ensure safety. These modules also have high level self-diagnostic functions.

Even with a single input/output module configuration, ProSafe-RS is certified to SIL3. And in a duplex configuration, it sustains SIL3 even if one of the modules fails (see chart). In contrast, many other safety instrumented systems available on the market fall to SIL2 when a system component fails, even if a plant shutdown does not occur. ProSafe-RS delivers the world’s highest level of safety and availability.



It is no use having a high performance engine in your car if that car cannot run because of brake or electrical system malfunctions. Similarly, it is very important to select a safety instrumented system that not only is SIL certified but is equipped with functions that secure availability.

Even when a plant is designed for high performance and effective operations, it can have a negative business impact if unstable safety loops cause frequent spurious trips. Yokogawa’s ProSafe-RS has sufficient functions and reliability to function as an independent safety instrumented system, but when integrated with our CENTUM series of DCSs it can also help visualize advanced process information.

Through these four essays I have been sharing with you my thoughts on safety in industrial processes. I hope that this has given you a better understanding. Yokogawa will continue to increase the operational efficiency and safety of industrial plants and to invest in the development of useful instruments and systems for delivery to the markets. Thank you!

Indian Music

I took this picture in India at a hotel where I had dinner. When we refer to Indian music, many of you may think of the sitar played by the noted musician Ravi Shankar. It is getting more common nowadays for musicians at hotels and the like to use synthesizers. And recently, electronic technology has been playing a larger role in the folk music field. But the two musicians in this picture were different. Their performance was simple yet touching, and the melodies were enchanting.

 


There were microphones in front of them, but these were not for amplifying their voices. I do not know the name of the musical instrument the man on the right was playing, but it sounded similar to an ancient Egyptian instrument, the oud, which was said to be a precursor to string instruments such as the guitar and violin. This one had four pairs of strings, like what you see on a 12-string guitar. I guessed that this was to create an acoustic overtone.

 

The player on the left was playing a percussive instrument that is called the “tabla.” It was finely tuned to harmonize with the strings as a basso continuo. Rather than beating the tabla with his palms, he tapped it with his fingers to create delicate sounds in time with the rhythm of the music. They played several triple time songs. The musician on the stringed instrument played the melody along with the basso continuo, going up and down the scale rather than playing chords. On the C major scale, he played the fourth note (F) as a sharp, giving the music a very mysterious and soothing effect.

 

Some TV programs might have given you the impression that India was a chaotic place with lots of cars and motorbikes filling the streets and hordes of people passing by. But when you visit rural villages, tranquility takes over and there you can understand how and where this kind of soothing music originated. I realized that it’s the people living in noisy urban environments who crave soothing sounds that give their minds some peace.


By the way, “Hindi pop” is quite popular in the current Indian music scene. It is a combination of rock ‘n’ roll and Japanese folk music (e.g. Awaodori dance), and its music videos feature scenes of dancing men and women. Hindi pop is also adopted in Indian musical films, which are extremely popular there. When I was visiting India, I was given an opportunity to watch DVDs of this stuff for six straight hours in a car. Obviously it was too much for one time!


I also enjoyed it whenever I came across a happy event such as a wedding reception. Some weddings last for three nights and three days! Imagine if the event took place at the hotel where you were staying; you might find it difficult to sleep at night. In that case, something as simple as a pair of earplugs could serve as your emergency shutdown system -- no need here for a ProSafe-RS system to enjoy a peaceful night’s sleep!!
