Safety related control systems may operate in low demand mode, where they are required to carry out their safety function occasionally (not more than once/year) or in high demand (more than once/year) or continuous mode where failure to perform the required safety function will result in an unsafe state or place a demand on another protective system.
The likelihood of failure of a low demand system is expressed as probability of failure on demand, and as failure rate per hour for high/continuous demand systems. Safety related control systems operating in continuous or high demand mode where the E/E/PES (Electrical, Electronic and Programmable Electronic System) is the primary risk reduction measure have been known as HIPS (high integrity protective systems).
The dangerous failure modes of the control system should be determined and taken into account in overall safety system specification. The control system should also be sufficiently independent of the safety systems. The system should be designed to prevent or verify operator commands that might place a demand upon the protective system.
Consideration should be given to failure behavior so as to minimize the demands placed on the protective systems such as under the following circumstances:
-
I/O power failure
-
Main power failure
-
I/O faults (open/short circuit, out of range)
-
Module/processor failure (I/O, controller, cell, supervisory)
-
Communications failure (at all levels of the architecture)
Consideration should also be given to change control and software back-up systems. As the control system provides control, monitoring and logging functions that significantly aid the operator, consideration should be given to survival of the control system during hazardous events and emergency response.
It should be demonstrated that the process control system does not exercise safety functions during sequences and changes of state under its control. For example, where the control system batch sequence controls the mixing of quantities of materials or reagents which, if incorrect quantities are admitted, may result in an unintended reaction, then measures of sufficient safety integrity, other than the control system, should be taken to ensure that the residual risk is as low as reasonable practicable.
The last issue concerns software. Software in large systems is frequently updated and it can be difficult to control. Small changes to configuration of the control functions are often made and may have unforeseen effects on other control functions that are sharing data.