Process control and safety in the chemical industry
Two major developments which have taken place recently in the process control sector will have a significant impact on the way chemical manufacturers configure and run their plant in the future.
The first of these, the introduction of new safety legislation developed primarily to improve the levels of safe control available in automation systems, is likely to bring huge benefits to the chemical industry. A second, important step towards improved safe operation of chemical plants comes with the increased use of what have become known as Safety PLCs (programmable logic controllers). These systems are designed to act as an extra layer of protection over and above regular process control systems, while maintaining and maximising plant availability through built in redundancy and fault tolerance.
Until now, safety-related controls such as those involving the shutdown of equipment to protect personnel, emergency stop circuits and remote shutdown of plant have primarily been handled by hard-wired or solid-state logic systems.
The recent introduction of EN 954-1 now makes it possible for manufacturers and users of plant and machinery to configure communications networks that carry both logic and safety data across the same bus. This means that actions such as the operation of an E-stop no longer rely on a hard-wired connection.
Another new piece of legislation, IEC 61508 [1], is designed to provide generic standards for the functional safety of electrical, electronic and programmable electronic systems. IEC 61508 was published during 1999/2000 primarily to act as best engineering practice on the use of programmable electronic systems in safety-related applications. The standard covers applications in the process sector, as well as many others.
Engineers considering design and implementation of any new installation of programmable equipment for a safety duty must follow the safety lifecycle approach of the IEC61508 standard, as well as certain prescriptions on justifying the safety integrity and reliability of equipment they eventually use. While IEC 61508 covers all industries, from automotive manufacturing to the production of medical equipment, a development of this standard - IEC 61511 - deals much more specifically with the control of process machinery, although it is still in draft form.
In addition to this, European legislation has also arrived in the form of the Control Of Major Accident Hazards (COMAH) directive. COMAH will force major accident hazard sites to produce safety cases for onshore plant for the first time. Safety case reports are essentially an argument about why the system is safe to operate.
As Jon Keswick, manager of process safety at Siemens Moore Process Automation (SMPA), explains, the new pieces of legislation will have a significant effect on the chemical industry. "One of the major decisions now facing operators and owners of process control systems is the selection of their independent PLC system that provides the appropriate level of safety. The use of standard PLCs, which were originally designed as a direct replacement for relays in SIL2 and SIL3 applications, is not acceptable."
PLCs obviously have much more functionality and flexibility than relays. However, there is one distinction that is of vital importance to chemical manufacturers - they do not have the same failure characteristics [2]. Relays fail safe (open circuit); solid-state electronic systems do not. Solid-state devices such as transistors and triacs are just as likely to fail short circuit as open circuit. They may fail less often, but that is not the main issue for a safety system. The primary concern is that their failure mode is not predictable and is often difficult to detect.
To counter this dilemma, some PLC systems may incorporate a level of self-diagnostics, whereas others are simple relay replacement devices. For example, if a PLC was controlling a conveyor belt in a factory, the system would not necessarily require extensive diagnostics in the event of a failure. When the system fails it will be blatantly obvious to everyone that something is wrong, as the conveyor belt will malfunction. However, if the PLC was monitoring a high-pressure switch on a chemical reactor, would the system be able to detect, for example, a shorted triac in an output module that serves to keep the reactor inlet valve open?
The main issue over using PLCs in safety applications is to do with the nature of the safety system's duty. On-demand safety systems are by nature dormant or passive. Therefore, not all failures are necessarily revealed until it is too late. Failures may exist, yet remain completely undetected (latent), because the system is not actively switching inputs and outputs on a regular basis.
Safety PLCs versus Standard PLCs
Safety PLCs, such as QUADLOG and S7 400-F/FH developed by Siemens Automation and Drives for process applications in hazardous environments, are somewhat different in design to standard PLCs.
A Safety PLC has been designed with a view to increasing diagnostics to a level far above that of a standard PLC. This is primarily to counter the problem of undetected failures that can occur in a standard PLC used in a 'dormant' safety duty. If the PLC has not been designed to detect latent failures, then it is highly unlikely that these failures will ever become apparent until the PLC is required to perform the shutdown duty. By this time, depending upon the failure, the standard PLC may only act as a delay in the inevitable catastrophic failure. By contrast, a Safety PLC will be constantly monitoring for internal faults and external wiring errors. Any faults will be reported and the necessary remedial action taken to keep the system in its safe state.
It becomes very difficult to build a safety case without good safety and reliability data. The system owner (normally the end-user) has to verify that the SIL (Safety Integrity Level) determined at the start of the project as the target SIL has been met at the end of the project by the equipment installed. To do this, failure rates of sub-systems used in the safety loop have to be modelled in order to justify diagnostic coverage.
Standard PLC manufacturers are, according to Jon Keswick, unable to provide any third-party assurance that their embedded software is functionally safe, nor are they able to give any idea about the fraction of safe and dangerous failures posed by their hardware design. They are equally unable to provide sufficient detail for safety cases in justifying conformance to IEC61508. In short, engineers should consider the use of standard PLCs in SIL1 and SIL2 applications very carefully before embarking on what is likely to be a very costly journey.
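The two points made above - that latent (undetected) dangerous failures in a dormant safety duty are what matter, and that the system owner must model sub-system failure rates and diagnostic coverage to verify the target SIL - can be seen in the simplified low-demand PFDavg calculation from IEC 61508-6. The following is an added illustration written for this article, not code from Siemens, SMPA or the article's author; it uses the first-order single-channel (1oo1) approximation, ignores common-cause and proof-test coverage factors, and the failure rate, proof-test interval and repair time are constructed sample values, not data for any real product.

```python
"""Simplified IEC 61508 low-demand PFDavg for a single (1oo1) safety channel.

Added example, not from the article. First-order approximation from IEC 61508-6:
    PFDavg ~= lambda_DU * TI / 2  +  lambda_DD * MTTR
where lambda_DU are dangerous failures the PLC cannot detect itself (they stay
latent until the next proof test) and lambda_DD are dangerous failures revealed
by online diagnostics (latent only for the repair time).
"""
from dataclasses import dataclass

# Low-demand SIL bands from IEC 61508-1: average probability of failure on demand.
# (sil, lower bound inclusive, upper bound exclusive)
SIL_BANDS = [
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
]


@dataclass(frozen=True)
class Channel:
    lambda_d: float      # total dangerous failure rate, per hour (constructed sample value)
    dc: float            # diagnostic coverage: fraction of dangerous failures detected online
    proof_test_h: float  # proof-test interval TI in hours
    mttr_h: float = 8.0  # mean time to restore a detected fault, hours (assumed)

    def lambda_du(self) -> float:
        """Dangerous undetected rate: what stays latent in a dormant duty."""
        return self.lambda_d * (1.0 - self.dc)

    def lambda_dd(self) -> float:
        """Dangerous detected rate: revealed by the PLC's own diagnostics."""
        return self.lambda_d * self.dc


def pfd_avg(ch: Channel) -> float:
    """Average probability of failure on demand for a 1oo1 channel."""
    latent_until_proof_test = ch.lambda_du() * ch.proof_test_h / 2.0
    latent_until_repair = ch.lambda_dd() * ch.mttr_h
    return latent_until_proof_test + latent_until_repair


def sil_for_pfd(pfd: float) -> int:
    """Map a PFDavg to the SIL band it falls in (0 = does not reach SIL 1)."""
    if pfd < SIL_BANDS[0][1]:
        return 4  # better than the SIL 4 lower bound
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return 0


def meets_target(ch: Channel, target_sil: int) -> bool:
    """The SIL-verification question the system owner has to answer."""
    return sil_for_pfd(pfd_avg(ch)) >= target_sil


# Same hardware failure rate and annual proof test; only diagnostic coverage differs.
STANDARD_PLC = Channel(lambda_d=5e-6, dc=0.0, proof_test_h=8760.0)   # no self-diagnostics
SAFETY_PLC = Channel(lambda_d=5e-6, dc=0.99, proof_test_h=8760.0)    # high diagnostic coverage

if __name__ == "__main__":
    for name, ch in (("standard PLC", STANDARD_PLC), ("safety PLC", SAFETY_PLC)):
        pfd = pfd_avg(ch)
        print(f"{name:13s} PFDavg = {pfd:.3e}  -> SIL {sil_for_pfd(pfd)}")
```

With these sample numbers the undiagnosed channel lands in the SIL 1 band, while the same hardware with 99% diagnostic coverage lands in SIL 3: the dangerous failure rate has not changed, only how long a dangerous failure is allowed to sit latent. That is exactly why a safety case needs the vendor's safe/dangerous failure split and diagnostic coverage figures, not just an overall failure rate.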
SMPA provides complete system solutions based upon QUADLOG and S7-400 F/FH Safety PLCs for use in the chemical, oil and gas, power and pharmaceutical industries.
Furthermore, SMPA provides safety lifecycle services from initial hazard analysis phases through to final SIL verification.
References
[1] International Electrotechnical Commission, IEC 61508 - Functional Safety of Electrical / Electronic / Programmable Electronic Safety-Related Systems.
[2] Paul Gruhn P.E., Comparison Of Safety Systems, Siemens Moore Process Automation, September 1997.