NAMUR: Process control elements (PCEs) with protective functions

Protective functions can be implemented in different ways depending on the desired quality. They can be hardwired, for instance, or alternatively integrated in a safety controller or – if certain conditions apply – in a basic process control system. These options are nothing new; however the requirements regarding protective functions in the basic process control system are specified in greater detail in current regulations. Learn more.

Process plants often have two separate systems for automation:

  1. The Basic Process Control System (BPCS), and
  2. The Safety Instrumented System (SIS).

Whenever a new plant is built, or an existing one expanded, measures to reduce the risks are defined (if necessary) in the framework of a safety analysis. If the risks for life, limb and the environment are low or negligible (in other words, if RRF (risk reduction factor) <= 10), these measures can be realized by means of functions in the basic process control system, which is responsible for all production steps and workflows. All other protective functions (RRF > 10) are generally implemented in the safety instrumented system (SIS).

Grafische Darstellung der verschiedenen Schutzebenen einer Prozessanlage („Zwiebelschalenmodell“)
Diagram showing the layers of protection in a process plant (“onion skin model”)

Protective functions

Protective functions can be implemented in different ways depending on the desired quality. They can be hardwired, for instance, or alternatively integrated in a safety controller or – if certain conditions apply – in a basic process control system. These options are nothing new; however the requirements regarding protective functions in the basic process control system are specified in greater detail in current regulations (e.g. IEC 61511:2016 or TRGS725).

The needs and capabilities have been discussed and identified by NAMUR WG 4.5 (Functional Safety) and VCI plant safety representatives. Exactly why the NAMUR working group is addressing this issue is described in the following!

Quick questions

To Udo Menck, Global Functional Safety Manager, Dow Chemical (Stade, Germany), in his role as a member of NAMUR Working Group 4.5 (Functional Safety)

Udo Menck
Udo Menck

Thomas Schindler of Yokogawa: Mr. Menck, how is the amendment to IEC 61511 ed2 impacting on the work area of NAMUR WG 4.5?

Udo Menck: Thanks to the capabilities outlined above, protective functions with a low or additional risk reduction factor can also be realized in the normal basic process control system (BPCS). This automatically takes us to the next question, namely how can this be achieved in practice? Unfortunately, no concrete implementation guidance is provided in the standards. NAMUR WG 4.5 is therefore working on potential solutions to reconcile these measures with the requirements of IEC 61511.

The aim here is to develop a single solution that will enable plant safety to be implemented simultaneously with explosion protection.

Thomas Schindler of Yokogawa: What issues is NAMUR addressing in this connection?

Udo Menck: We’re particularly looking at practical aspects. Which devices are suitable? How often do they have to be serviced? What form should change management take? What about programming, verification and validation?

Thomas Schindler of Yokogawa: Why do you believe it’s important to involve the manufacturers of basic process control systems (BPCS)?

Udo Menck: The biggest challenge for anyone seeking to implement PCEs (process control elements) with protective functions is to make sure they’re sufficiently independent of the normal process control elements.

The NAMUR Working Group

The NAMUR Working Group has established that, so far, not one single control system manufacturer has investigated how these protective functions should actually be implemented in the control system.

There’s a noticeable discrepancy between the requirements defined in the standards, the desired capabilities and the products available in the market, which is preventing user friendly implementation.

Surveys of end users have shown that the hardware of normal control systems is considered sufficiently reliable to implement PCEs with protective functions. Suppliers need to confirm that to us too in the future.

End users mainly have reservations regarding the control system’s daily use. For instance, a programmer who makes a change to the operating program could accidentally disable a PCE with protective functions or trigger undesirable behavior by modifying certain parameters. This is currently done manually using a very complicated change management system.

To simplify things for end users here, NAMUR is presently formulating the requirements for control systems together with the system manufacturers (in the framework of a NAMUR Recommendation – NE165). We’re hoping that PCEs with protective functions will then be allowed to be used by design. In the future, manufacturers who meet these requirements can, and should, certify to their end users that a particular system is in conformity with NAMUR NE165.

Umsetzung der automatisierten Schutzschichten in Gerätetechnik (NAMUR Proposal)
Automated layers of protection implemented in equipment technology (NAMUR proposal)

It’s an exciting time: we’re collaborating closely and continuously with NAMUR to enable the requirements for independent control and protective functions to be implemented in the future. As soon as we have any further news to report, you’ll be the first to know.


NAMUR-Hauptsitzung 2017 

Udo Menck (Dow) and Gregor Schmitt-Pauksztat (Bayer) gave a presentation on “Process control elements (PCEs) with protective functions” on November 9, 2017. Click here for more information.


If you have any questions, observations, criticisms or suggestions upfront, just write us a comment. We look forward to exchanging ideas and opinions with you! 

If you’d like to learn more about safety & security, click here.

1 thought on “NAMUR: Process control elements (PCEs) with protective functions”

  1. Sahat P Hutagalung

    Dear Yokogawa engineer and Namur expert;

    May I be given more information relate with NAMUR BCPS-C and BPCS-P to giving the secure of Layer Protection of process control?. The second what the different between NOA as NAMUR Open Architect with NOA as Navy/Naval Open Architect because both was claim they are open and securing the MES

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top