Using Alarm Annunciators in SIL rated Safety Systems

By Darren Barratt, Omniflex

In modern processing plants, functional safety is steadily gaining importance. The IEC61508 standard introduced a very broad but systematic framework that allows plant engineers to apply functional safety concepts to all modern control equipment.

Alarm annunciators are an integral part of safety planning, especially in processing plants where alarm conditions can be numerous. An alarm, or a combination of several alarm conditions, requires an operator to react, either by investigating the cause of the alarms or by taking the steps required by safety procedures to eliminate the condition.

Alarm annunciators today are seldom included as an integral part of true safety-related shutdown systems, as the reliability of the human operator is generally considered insufficient to meet the high reliability requirements.

The IEC61508 standard does not exclude the possibility of a person being part of a safety-related system, but human factor requirements are not considered in detail in the standard (Part 1, par. 1.2 Note 2). The human operator is most often considered to have an associated PFD (Probability of Failure on Demand) of 1E-01 (a 90% probability that the operator will successfully respond to the alarm). This would make even a SIL1 system impossible to design where a human operator is involved (1E-01 to 1E-02 is required for a SIL1 safety-related system).

However, with a high level of training and clear procedures in place, it can be accepted that the operator PFD can be as good as 1E-02, in which case using an alarm annunciator in a SIL1 safety loop is possible. When applying IEC61508 to assess safety-related systems it therefore becomes clear that alarm annunciators which involve the human operator in safety functions can only be targeted at SIL1 level at best.

It is possible for alarm annunciators to include a secondary relay output that complies with the requirements of the standard in a true PES (Programmable-Electronic System), where the relay output is used to implement an automatic safety function, which can then be reliably assessed without including the operator reliability. The practice of mixing the automatic safety-related system with functions that are part of the Layer of Protection is considered problematic at best, as the complexity of the multi-channel alarm annunciator is to the detriment of the safety loop and creates a higher chance for common-mode failures that affect the PFD of the device. The preferred engineering practice is therefore always to separate the safety functions from the alarm annunciator as an independent Layer of Protection.

There is a different use for alarm annunciators in safety-related applications when we consider a purpose-made alarm device such as the two-channel Omni2 annunciator from Omniflex. This type of device is designed for performing a dedicated safety function automatically without operator intervention. There is no requirement for a human operator to undertake any action while the hazardous condition is present. When applied as, for example, a door warning sign in radiological surveillance systems, the device is used to prevent personnel from entering the hazardous area. In this case the main purpose is to provide a highly reliable safety warning.

Because of the obvious safety risk to personnel it is logical to choose to have an SFF (Safe Failure Fraction) and PFD at a higher SIL2 level, even if the device is not technically part of an electronic PES. There is also the additional benefit of providing an automatic output for actuators, for example for locking doors, which then also complies with SIL2 parameters. Such a specialised annunciator function can logically be targeted at SIL2 levels of reliability as it is an entirely electronic system and does not rely on the actions of the human operator.

There is no doubt that with the growing emphasis on functional safety and risk reduction, the alarm annunciator is an important tool in achieving safety objectives. Omniflex is dedicated to providing state-of-the-art products in this field and to promoting an understanding of functional-safety issues.