Electrical protective or emergency shutdown systems are utilized throughout the petrochemical industry for safety and to avoid severe environmental and/or economic events. Requirements for these critical systems are that they work every time, on demand, and do not initiate nuisance events. These requirements were difficult to achieve in most early systems, but the systems have improved over the years. Emergency shutdown system design has been unregulated in the U.S., but new standards will require strict guidelines for design, application, documentation, and software testing and control.
Europe is far ahead of the U.S. in protective system standards, which in some countries are legal requirements.
(HSE), TUV, and DIN 19250 are available for use.
Both sides of the ocean have recognized that changing technologies and safety requirements have demanded new standards. The Instrument Society of America (ISA) has formed a committee called SP84, and the European community has formed a committee called IEC SC65A. This author feels that the IEC document will become the worldwide industry standard.
These standards will not come easy, for there are many issues to discuss (e.g., classifications of hazards, reliability calculations on hardware and software, applications programming, systems maintenance, etc.). One of the most difficult issues in the industry today is control of application software changes and variables embedded in the program (e.g., set points, alarm values, etc.). Those of us utilizing protective systems have been forced to design some control, but it will be a challenge to agree on standard procedures.
HISTORY
Standards were not used, and seldom, if ever, were reliability calculations performed on systems designed before 1980. Most early protective systems were designed, installed, and maintained by an electrical group utilizing simple switches and relays. Early railroad switching systems (circa 1932) are an example. Relay systems were the industry standard until the 1960s when the first solid-state (transistor) switching and logic devices became popular as relay replacements in the automobile industry. Solid-state technology was a real boon to complex sequence control applications, but what about protective systems? It was known that transistors, diodes, and especially triacs had an unpredictable failure mode; that is, they could fail "high" or "low" in about a 50-50 split [3]. Fail-safe requirements in a protective system using hard-wired solid-state devices could only be achieved by redundancy. Systems utilizing dual (2/2) or triple (2/3) redundancy were produced by manufacturers to meet fail-safe requirements. In Europe, fail-safe systems were certified by third parties, e.g., TUV in accordance with legislative standards (VDE) [4].
When Texas Instruments invented the integrated circuit (IC) in 1958 [5], it paved the way for microcomputers or microprocessors. Hard-wired based relays and solid-state logic could be coded in software (programmed) and execute functions through the microprocessor (CPU). Those devices became known as programmable logic controllers (PLCs). Utilization of PLCs is well known in the manufacturing business, especially in the automobile industry. Some off-the-shelf units can be
28 ISA TRANSACTIONS
purchased for as low as $250. "As with hard-wired solid-state modules, the end user learned the hard way that CPUs and I/O modules have unpredictable failure modes. Applying those devices in protective systems will automatically lead to unsafe situations." [6] Like solid-state devices, PLCs had to incorporate redundancy and voting schemes to achieve fail-safe requirements. Dual 2/2 PLCs using off-the-shelf devices configured in a redundant scheme were specified by many engineers for critical protective systems. This movement for protective system applications was a mistake, in the opinion of this author. Not only was there a concern for safety, but the dual configuration was responsible for many nuisance "trips." Fail-to-safe incidents became unacceptable to many users. Some users are dismantling their dual PLCs and replacing them with conventional relay or solid-state logic.
Protective system applications became more complex, dictating a need for programmable microprocessor technology, but so was the demand for higher availability on these systems. As mentioned above, safety, environmental, and economic requirements were directly responsible for high demands of availability = 99.98% (1-H/D).
In the middle 1980s, attempts were made by manufacturers to provide fault tolerant systems to meet high availability requirements. Most, if not all of these systems, when tested by some users (Exxon), were found to be unacceptable for fault tolerant applications. Today at least two manufacturers produce a fault tolerant, triple modular redundant (TMR) machine. Both of these devices have been tested and one is being utilized extensively. We anticipate many more manufacturers, especially from Europe, will enter the protective system market. These new devices look and "feel" like PLCs, but they are actually minicomputers with powerful control capabilities.
Experienced PLC programmers are impressed by the potential of this new technology but also understand that misapplication, or poor design, can create some serious safety and economic events. There has been a tendency to include other control functions than just protective system tasks. Other functions without good documentation and planning can cause confusion and violate the complete isolation requirements of the protective system. We anticipate new standards will require, and advise on, controls for applications programming and documentation to reduce potential risks.
RELAY-BASED SYSTEMS
As mentioned above, relay systems, as indicated in Figure 1, were the first protective systems installed and are still considered to be the most reliable because of their high 98% predictable failure mode [3, 10]. Indeed, there are still relay-based systems being installed today. In some industries, however, a 2% unpredictable failure mode is not acceptable.
Relay systems are easy to understand for simple applications, but, if high functionality is required, complexity grows very rapidly [4]. Below are some disadvantages of relay use:
1. They are not necessarily fail-safe because
- a relay contact can stick because of dirt building up or because of induction signal build-up;
- the spring can break;
- the contacts can burn in;
- the contact fingers can break.
EVOLUTION OF PROTECTIVE SYSTEMS IN PETROCHEMICAL INDUSTRY
[Figure 1: schematic of a hard-wired relay unit, 120 VDC supplied from a UPS, with shutdown (SD) relay contacts]
Figure 1-A Hard-Wired Relay Unit
2. They take a lot of panel space (addition of timers takes more space).
3. They require a controlled environment for contact integrity unless relays are hermetically sealed.
4. It is necessary to standardize on coil and contact voltage to avoid mishaps.
5. The organization of relay use by areas is necessary for ease of maintenance.
6. Complex relay systems are difficult to troubleshoot and maintain.
7. Documentation can be very busy and complex.
8. Modifications are difficult.
9. Since most systems are fail-safe, relays remain energized and hot, lowering their MTBF.
10. Only digital I/O can be used with such systems.
In summary, it should be noted again that despite the disadvantages listed above, relays are still considered to be the most reliable system, provided the power source is also reliable.
HARD-WIRED, SOLID-STATE LOGIC-BASED SYSTEMS
The evaluation of hard-wired solid-state logic systems, as indicated by Fig. 2, brought the protective system design, application, and maintenance into the world of instrumentation. Solid-state technology became the first replacement of relay systems with a much smaller footprint. The major flaw in using these electronic devices is that unlike a relay, which in 98% of the cases can be predicted to fail in the safe direction, solid-state devices have more of a 50-50 split [3].
The following are some pros and cons of solid-state systems:
1. They have limited diagnostics, using LEDs.
2. There is no flexibility for logic modification without backplane wiring.
3. They are easy to test and troubleshoot.
4. Most hardware is obsolete, and it is difficult to obtain spare or replacement parts.
5. Only digital I/O is used.
VOLUME 30 NUMBER 4 1991
[Figure 2: schematic of a solid-state logic unit driving relay outputs RA, RB and RC]
Figure 2-A Solid-State Unit
6. They have proven to be very reliable in a 2/3 voting configuration.
7. Their documentation is easier to read.
It is obvious that, because of the high and unpredictable failure rate of solid-state devices, they could not be used in protective systems unless some redundancy could be employed. Redundant protective systems were installed in plants throughout the world with two-out-of-three (2oo3) or two-out-of-two (2oo2) voting logic.
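The redundancy arithmetic behind the 2oo2 and 2oo3 voting just described, and behind the earlier contrast between a relay's 98% fail-safe direction and a solid-state device's roughly 50-50 split, is easy to get wrong by hand. The following is an added worked example, written for this edition and not code from the paper or from any manufacturer: it enumerates every channel-state combination for a k-out-of-n voter and returns the exact spurious-trip and fail-to-danger probabilities. The three-state channel model (OK / failed safe / failed dangerous), the per-channel failure probability, the independence of channel failures and the sample values in main() are assumptions of this example, not figures from the paper; the availability helper uses the standard steady-state form MTBF/(MTBF+MTTR), since the paper's own "(1-H/D)" shorthand is not expanded on the page.

```python
"""Exact spurious-trip and fail-to-danger probabilities for k-out-of-n voting.

Added example (not from the paper). Over the interval considered, each channel
is in one of three states:
  OK -- working: votes TRIP when there is a demand, RUN otherwise
  FS -- failed safe: stuck voting TRIP (output de-energized)
  FD -- failed dangerous: stuck voting RUN (output stuck energized)
The channel failure probability p_fail and the safe-fraction split are inputs;
the paper's figures (relay 98% safe, solid-state about 50-50) are used only as
sample values in main().
"""
from itertools import product

TRIP, RUN = True, False   # de-energize-to-trip: TRIP is the de-energized, safe state


def channel_state_probs(p_fail, safe_fraction):
    """Per-channel probabilities of OK, FS and FD for the interval considered."""
    return {
        "OK": 1.0 - p_fail,
        "FS": p_fail * safe_fraction,
        "FD": p_fail * (1.0 - safe_fraction),
    }


def channel_vote(state, demand):
    """What a channel in the given state puts on the voter."""
    if state == "FS":
        return TRIP
    if state == "FD":
        return RUN
    return TRIP if demand else RUN


def koon_vote(votes, k):
    """k-out-of-n voter: trips when at least k channels vote TRIP."""
    return sum(votes) >= k


def voting_outcomes(k, n, p_fail, safe_fraction):
    """Return (P_spurious_trip, P_fail_to_danger) for a k-out-of-n voter.

    All 3**n channel-state combinations are enumerated, so mixed states
    (one channel stuck safe, another stuck dangerous) are handled exactly;
    channel failures are assumed independent (no common-cause term).
    """
    probs = channel_state_probs(p_fail, safe_fraction)
    spurious = danger = 0.0
    for states in product(probs, repeat=n):
        p = 1.0
        for s in states:
            p *= probs[s]
        # No demand on the process: any TRIP output is a nuisance trip.
        if koon_vote([channel_vote(s, demand=False) for s in states], k) == TRIP:
            spurious += p
        # Demand present: a RUN output means the shutdown did not happen.
        if koon_vote([channel_vote(s, demand=True) for s in states], k) == RUN:
            danger += p
    return spurious, danger


def availability(mtbf_hours, mttr_hours):
    """Steady-state availability MTBF / (MTBF + MTTR); on-line repair shortens MTTR."""
    return mtbf_hours / (mtbf_hours + mttr_hours)


def main():
    p_fail = 0.1          # constructed sample value: 10% chance a channel fails in the interval
    cases = [
        ("relay 1oo1 (98% fail-safe)", 1, 1, 0.98),
        ("solid-state 1oo1 (50-50)", 1, 1, 0.5),
        ("solid-state 1oo2 (50-50)", 1, 2, 0.5),
        ("solid-state 2oo2 (50-50)", 2, 2, 0.5),
        ("solid-state 2oo3 (50-50)", 2, 3, 0.5),
    ]
    print(f"{'architecture':30} {'P(spurious trip)':>18} {'P(fail to danger)':>18}")
    for name, k, n, safe in cases:
        sp, dg = voting_outcomes(k, n, p_fail, safe)
        print(f"{name:30} {sp:18.5f} {dg:18.5f}")
    # constructed sample: 100-year MTBF with about a week of repair time per failure
    print(f"availability: {availability(100 * 8760, 168):.5f}")


if __name__ == "__main__":
    main()
```

With the sample values, the relay 1oo1 case puts almost its whole failure budget into nuisance trips, the solid-state 1oo1 case splits it evenly, 2oo2 trades nuisance trips for dangerous failures, 1oo2 does the reverse, and 2oo3 pushes both to second order, which is the quantitative case for the TMR approach the paper turns to later. The function is general in k and n, so 2oo4 or any other arrangement can be compared the same way.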
REDUNDANT PLC SYSTEMS
A block diagram for a redundant PLC is shown by Fig. 3. This author feels that there are more misapplications of redundant PLCs than any other technology used for protective systems. The Europeans were not as ambitious as the U.S. in utilizing these systems because most of their standards would prohibit nonfail-safe configurations. Those systems designed to be fail-safe had very poor MTBFs and availability numbers.
The following are some other issues relating to redundant PLCs:
1. They have proven to be reliable on energize-to-trip protective systems.
2. Analog and digital I/O are available for use.
3. Set points are easy to change.
[Figure 3: block diagram of two processors sharing a single I/O termination]
Figure 3-Dual Processor Single I/O Fault Tolerant Approach
4. They have better diagnostics than hard-wired logic.
5. A communication bus can be used with them.
6. The reliability would not be high on a deenergize-to-trip system.
7. The question is: "Which processor is correct, A or B?"
8. The switchover between processors is not smooth.
9. Program verification in processors A and B is a problem.
10. Duplicate I/O is necessary for the processors.
11. They have a larger footprint.
12. Troubleshooting such systems is difficult.
13. Program changes are risky to make.
14. Service is risky.
FAULT TOLERANT TMR TECHNOLOGY
A block diagram is shown in Fig. 4 of a "triple modular redundant" (TMR) fault tolerant system with 2-out-of-3 voting logic. Definitions of fault tolerant technology can be found in a limited number of papers published by manufacturers [2, 8, 9].
The following are some requirements of this technology:
1. A single fault in the system must not create erroneous inputs or outputs, nor shall it prevent the system from functioning as designed.
2. Any fault must be alarmed and indicate the location of occurrence.
3. Any single fault must be repairable on-line without interruption in operation.
Note that a requirement is that not only must the protective system tolerate a fault, it must alarm that fault! It's obvious that if an undetected fault occurs, it could remain in the system until a second fault occurs that could fail the system to safe (erroneous shutdown) or danger (prevent a shutdown when needed). Neither condition is desirable.
Figure 4-TMR 2-out-3 Voting Fault Tolerant Control
There are two approaches to the design of a fault tolerant system, and although no manufacturer can claim to be 100% reliable for either design, their systems can be categorized as either HIFT or SIFT. HIFT is a hardware-implemented fault tolerance system, and SIFT is a software-implemented fault tolerance system. Both of these systems have been tested by the Exxon team.
The primary features that define the HIFT system are as follows:
1. It utilizes integrated circuits for fault diagnostics.
2. The processing time is about 3 ms/1000 elements of logic.
3. It uses simple software.
4. A 3-2-0 mode of operation (fail-safe) is used.
5. Typically, it has 10 kilobytes of ROM.
The primary features that define the SIFT system are as follows:
1. It utilizes software for fault diagnostics.
2. The fault diagnostics speed is a function of scan time; e.g., 100-200 maximum.
3. The processing time is 1.7 ms/1000 elements of logic.
4. It requires complex software.
5. A 3-2-1-0 mode of operation is used. The 3-2-0 mode must be programmed.
6. Typically, it has 100 kilobytes of ROM.
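Two points in this section are worth seeing in executable form: the requirement above that a fault be tolerated and alarmed, with the consequence that an undetected fault lies latent until a second one fails the system safe or dangerous, and the difference between the 3-2-0 and 3-2-1-0 modes of operation listed for the HIFT and SIFT systems. The following is an added example written for this edition; it is not code from the paper or from any vendor's product. It models three channels A, B and C voting 2oo3, drops any channel the diagnostics flag and alarms it, and then degrades per the chosen policy. The channel names, the boolean TRIP/RUN model, and the rule that two surviving channels which disagree without a diagnosis are resolved to the safe state are all assumptions of this example.

```python
"""TMR voter with degraded modes: 3-2-0 versus 3-2-1-0 operation.

Added example (not from the paper or any vendor). Three channels A, B and C
vote 2oo3 while all are healthy. A channel that the diagnostics flag as faulty
is alarmed and dropped from the vote. Modelling assumptions:
  - TRIP (True) is the de-energized safe state, RUN (False) keeps the process going;
  - in two-channel mode the two survivors must agree; a disagreement that no
    diagnostic explains is resolved to the safe state;
  - policy "3-2-0" shuts the system down (safe state) after the second fault,
    policy "3-2-1-0" keeps running on the last healthy channel.
"""

TRIP, RUN = True, False


class TmrVoter:
    def __init__(self, policy="3-2-0"):
        assert policy in ("3-2-0", "3-2-1-0")
        self.policy = policy
        self.healthy = {"A", "B", "C"}

    def step(self, votes, detected_faults=()):
        """One scan. votes: {channel: TRIP/RUN}; detected_faults: channels the
        diagnostics flagged this scan. Returns (output, alarms_raised_this_scan)."""
        alarms = []
        for ch in sorted(detected_faults):
            if ch in self.healthy:
                self.healthy.discard(ch)
                alarms.append(f"fault on channel {ch}; {len(self.healthy)} channel(s) remain")
        live = [votes[ch] for ch in sorted(self.healthy)]
        n = len(live)
        if n == 3:
            return sum(live) >= 2, alarms                 # 2oo3 majority
        if n == 2:
            if live[0] == live[1]:
                return live[0], alarms                    # 2oo2 agreement
            alarms.append("dual-mode disagreement; voting to safe state")
            return TRIP, alarms
        if n == 1 and self.policy == "3-2-1-0":
            alarms.append("single-channel operation")
            return live[0], alarms
        alarms.append("minimum channel count reached; system shut down (fail-safe)")
        return TRIP, alarms


def degradation_scenario(policy):
    """Two successive *diagnosed* channel faults with no process demand.
    Returns the voter output after each scan."""
    v = TmrVoter(policy)
    quiet = {"A": RUN, "B": RUN, "C": RUN}            # constructed: no demand present
    outputs = [v.step(quiet)[0]]
    outputs.append(v.step({**quiet, "A": TRIP}, detected_faults={"A"})[0])
    outputs.append(v.step({**quiet, "A": TRIP, "B": TRIP}, detected_faults={"A", "B"})[0])
    return outputs


def undetected_fault_scenario():
    """The same two faults with *no* diagnostic coverage: the first stuck channel
    is outvoted and stays latent; the second one produces a spurious shutdown
    that nothing ever alarmed. Returns (outputs, all alarms raised)."""
    v = TmrVoter("3-2-0")
    quiet = {"A": RUN, "B": RUN, "C": RUN}
    outputs, alarms = [], []
    for votes in (quiet, {**quiet, "A": TRIP}, {**quiet, "A": TRIP, "B": TRIP}):
        out, raised = v.step(votes)
        outputs.append(out)
        alarms.extend(raised)
    return outputs, alarms


if __name__ == "__main__":
    print("3-2-0   diagnosed faults:", degradation_scenario("3-2-0"))
    print("3-2-1-0 diagnosed faults:", degradation_scenario("3-2-1-0"))
    print("undetected faults:       ", undetected_fault_scenario())
```

Under the 3-2-0 policy the second diagnosed fault produces a fail-safe shutdown of a healthy process; under 3-2-1-0 the plant keeps running on one channel, which is the availability argument for that mode, at the cost of a single-channel exposure until repair. The undetected scenario shows why the alarm requirement exists: the first stuck channel is simply outvoted and leaves no trace, and the second one trips the plant with an empty alarm list. Had the channels stuck in the RUN direction instead, the same pair of silent faults would have prevented a shutdown on demand.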
With respect to the HIFT system, some advantages and disadvantages are noted. The advantages include:
• fast scan time if you need it (dm/sec.);
• simple software; and
• the single-ended input cards can be utilized for critical and noncritical inputs.
The disadvantages include:
• no on-line hot spare;
• fault tolerant inputs must be hard-wired;
• limited field experience;
• diagnostics for TMR must be user-written (therefore, it runs on the applications level); and
• some single points of failure.
The SIFT system also has a number of advantages and disadvantages, which include:
• a hot-on-line spare available for I/O;
• detailed diagnostic information;
• good field experience;
• isolation of main processors;
• system level diagnostics; and
• simplex modules can be mixed with TMR modules in the same system.
The disadvantages include:
• software and firmware changes are coming too often;
• complex software is required; and
• upgrades from an early version to later versions can be expensive.
CONCLUSION
At this point, it would appear the so-called SIFT system is a better approach for protective system applications. Extensive diagnostics with latent fault detection and ability for on-line repair may be two good reasons for the selection of a SIFT system. These two requirements are also significant factors for achieving high availability.
In summary, the features that recommend a TMR fault tolerant system are:
• fault tolerant = high availability = 99.98%;
• on-line service = low MTBR = high availability;
• good quality = high system MTBF > 100 years;
• easy integration to DCS via a network module;
• good programming tools, e.g., expressions, functions;
• extensive TMR diagnostics;
• user friendly;
• small footprint;
• good communications via networks; and
• excellent documentation capability.
REFERENCES
1. "Programmable Electronic Systems and Safety-Related Applications," Health and Safety Executive, U.K., 1987.
2. Crosby, Phillip B., Quality Without Tears, McGraw-Hill, NY, 1984.
3. Balls, Basil W., et al., Design Principles for Safety Systems, Industrial Control Services, Inc., Houston, Texas.
4. "Electrical Equipment for Furnaces," DIN VDE 57116, 1979.
5. Understanding Solid-State Electronics, Texas Instruments Learning Center, 1972.
6. Hinssen, Henk, "Safety Shutdowns-Application Aspects," European Honeywell Users Group Meeting, Cagliari, June, 1989.
7. Fredrickson, Tony, Comparison of Fault Tolerant Controllers Used in Safety Applications, Triconex Corp.
8. Smith, Steve, Triple Redundant Fault Tolerance: A Hardware Implemented Approach, Triplex, 1988.
9. Alleman, Glen B., Fault Tolerant System Reliability in the Presence of Imperfect Diagnostic Coverage, Triconex Corp., 1989.
10. "Reliability Analysis of the Relay Logic for a Burner Control and Safety System in a Boiler Installation," Safety and Reliability Directorate, United Kingdom Atomic Energy Authority, SRS/ASG/31610/2, December, 1988.