IEC 61511 is a technical standard which establishes practices that ensure the safety of industrial processes through the use of instrumentation. Such systems are referred to as
Safety Instrumented Systems. The title of IEC 61511 is "
Functional safety - Safety instrumented systems for the process industry sector".
Traditional safety systems that follow the
IEC 61511 standard consists of three major components:
a sensor, or a transmitter; a
logic solver, or a safety PLC; and the
final element, which is often a pilot valve.
Many major manufacturers provide process transmitters with safety integrity level third-party certifications to provide the industry standard for 4-20 milliamp output. This analog signal retransmits the process variable to the safety PLC for analysis where algorithms test to see if the process is within safe operating parameters. If abnormal conditions are determined to exist, an alarm may be sounded and if dangerous conditions are confirmed, an emergency shutdown sequence may be initiated.
Further exploring the roles of each of these safety system components, all three must work together flawlessly in order to bring the plan to a safe state, or allow the process to continue and run in a safe manner. Reliability of each component becomes paramount to the proper operation of the safety instrumented function, or SIP, and therefore the safe operation in the plant.
For example, the central component must continuously monitor the process variable and provide this information to the safety PLC via a hardwired connection. What actually occurs however, is the analog signal from the sensor transducer is converted to the digital domain for processing. Digital signal processing occurs inside the transmitters electronics to adjust the signal for ambient and process temperature conditions, sensor response errors, signal filtering, user settings, sensor calibration, and the process variable display. The resulting conditioned and process signals converted back to the analog domain to retransmit the 4 to 20 milliamp signal over the hardwired connection to the safety PLC. The PLC must now determine if the analog signal reveals a dangerous condition by comparing the level of the analog signal with pre-programmed set points. Here is what actually occurs. The retransmitted analog 4-20 mA signal must be converted back to the digital domain for processing inside the safety PLC's electronics. The level of the signal is compared to a pre-programmed threshold that is set at the limit of safe operation. If the signal level is determined to be within the safe limits of operation, a relay inside the safety PLC will remain closed. If the signal level is determined to be outside in the safe operating limits of the process, the safety relay will open. The safety relay state - is it open or is it closed - will determine what action the final element will take via a hardwired connection.
The final element must now take action to perform the safety function. An example of a final element is a steam cut-off valve to a turbine generator. The valve, or the final element, can quickly close to cut off the steam that passes through the generator's rotor in order to stop the rotation. Here is what actually happens. A pilot valve is connected to the plant air supply. The pilot valve is actuated by energizing 120VAC solenoid coil. When the coil is energized, the valve is held open, allowing plant air to enter the pneumatic actuator for the steam valve. Air pressure is used to hold the steam valve open allowing steam to enter, and cause the turbine generator to rotate. If the signal from the safety PLC opens to de-energize the pilot valve coil, the pilot valve will close, cutting off the air supply to the steam valve, which will cause the steam valve to close. This is an example of a de-energized to trip (or DTT) safety function.
As you can see there are a lot of components that must operate as designed to shut down the turbine generator in the event that an abnormal condition exists. Examples of abnormal conditions may include low lubrication oil pressure, high lubrication oil temperature, steam pressure that's too high, inadequate plant air pressure, etc. In order to decrease the safety instrumented functions probability to fail on-demand, all of the functions described here must work flawlessly.