
De-energized Override

In document: Functional safety system patterns (pages 65-68)

Functional Safety System Patterns

5 De-energized Override

Context

A safety function for a control application is being designed.

The SEPARATED SAFETY pattern has been applied, so that the control system functionality is divided into two separate systems: a basic control system and a safety system. In the context of the considered safety function, the system has a well-defined safe state. The safe state is always the same regardless of the state of the system, but the conditions under which the safety function trips can depend on various aspects.

Problem

The safety system and the basic control system control the same process quantities.

Consequently, the basic control system may interfere with the operation of the safety system, yet the safety system must have the final word on system operation.

Forces

Safety: The safety control system must always be able to drive the system into the safe state (i.e. the state in which the system minimizes the risk of damaging itself or the people around it) regardless of the state of the basic control system.

Safety: The safe state is always the same.

Separation: Separation of the safety and basic control system is required.

Hardware: Additional hardware is problematic in the system (e.g. in terms of space and weight).

Cost-efficiency: An additional, separate actuator for the safety system increases the cost of the safety system.

Hardware: Actuators with sufficient safety properties and suitability to safety and control tasks are available.

Solution

Use de-energization of the basic control system actuator(s) to obtain the safe state and to override the control signal of the basic control system. The safety function must have a well-defined safe state that is independent of the system state. When the safety function is tripped, the control actuator is de-energized and the actuator moves into the safe state. Now, regardless of the basic control system input, the actuator is in the safe state and the basic control system is overridden by the safety system.

In this approach a dedicated safety actuator is replaced with a relay (or a similar switching device) that is used to de-energize the control actuator. The safety system controls the power supply of the control actuator through the relay. The principle of the approach is depicted in Fig. 6. The control system is responsible for providing the normal control signal to the actuator. Whenever the safety function trips, the safety system de-energizes the actuator, which then enters the predefined safe state forced by a mechanical load.

A relay is typically more compact in terms of size and weight than a dedicated safety actuator (a valve, for example). However, the control actuator has to be mechanically loaded (e.g. spring loaded) so that it reaches the safe state when de-energized. This increases the size and weight of the control actuator. In addition, the control actuator (or at least its mechanical loading system) has to be compatible with the safety integrity level assigned to the safety function. This may increase the cost of the actuator significantly, as complex actuators with high safety integrity properties are not cheap. Notice that the relay controlled by the safety system also needs to have sufficient safety properties, as it is part of the safety function.

The architecture is not suitable for all cases. It may not be applicable if there is a risk that the actuator type used for control cannot reach the position required for the safe state. For example, the architecture must not be used if there is a risk of the actuator blocking (e.g. in some hydraulic systems or environments, due to impurities).

Ensure that the safety function cannot be circumvented or bypassed in any way by the control system. If such an architecture is used, it must be ensured that the safety system is able to drive all the actuators affecting the considered safety function into the safe state.

Fig. 6. Safety actuation through de-energization (figure: the safety system drives a relay in the power supply of the control actuator; the basic control system supplies the control signal)


Example

A possible application of the de-energized override principle can be found, for example, in processes in which the flow of steam to a heat exchanger is controlled (see Fig. 7). The safety function is to prevent overheating of the heated element. The control system is responsible for controlling the flow using a proportional valve. The safety function is actuated with the same valve through de-energization. The safety system controls a relay through which the power to the control valve is supplied. When the safety system trips, the power to the valve actuator is cut and the spring loading turns the valve into the safe state position. Now, regardless of the basic control system, the safety control system can halt the steam flow in the pipe. Notice that the figure illustrates only a part of the system.

Fig. 7. Example of de-energized override in steam flow control
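The steam valve example above, as an added behavioural model (example code, not from the paper; the component names, the trip limit, the setpoint and the controller gain are assumptions made for the model). It shows the three cases the pattern text is concerned with: a failed or misbehaving basic controller demanding full flow while the safety system trips, a system-wide power loss, and the blocking failure in which the valve jams before the trip, so de-energization no longer produces the safe state.

```python
# Added example (not from the paper): behavioural model of the DE-ENERGIZED
# OVERRIDE pattern applied to the steam flow example of Fig. 7. Component
# names, numeric limits and the controller gain are assumptions for the model.
from dataclasses import dataclass
from typing import List, Tuple

SAFE_POSITION = 0.0   # spring-return position of the valve: fully closed (assumed)


@dataclass
class SpringReturnValve:
    """Proportional control valve. While energized it follows the control
    command; when de-energized the spring drives it to SAFE_POSITION.
    `jammed` models the blocking failure the paper warns about (e.g. impurities
    in a hydraulic system): the valve stays where it is, whatever the power state."""
    position: float = SAFE_POSITION
    jammed: bool = False

    def update(self, energized: bool, command: float) -> float:
        if self.jammed:
            return self.position
        self.position = min(1.0, max(0.0, command)) if energized else SAFE_POSITION
        return self.position


@dataclass
class SafetySystem:
    """Separate safety system. Its only output is the relay in the valve's
    power supply; it never touches the control signal itself."""
    trip_limit_c: float
    tripped: bool = False

    def relay_closed(self, temperature_c: float) -> bool:
        if temperature_c >= self.trip_limit_c:
            self.tripped = True           # latched until an explicit reset
        return not self.tripped           # closed relay = valve energized


def basic_control(temperature_c: float, setpoint_c: float, faulty: bool) -> float:
    """Basic control system: toy proportional controller for the steam valve.
    `faulty` models a failed (or compromised) controller demanding full flow."""
    if faulty:
        return 1.0
    return min(1.0, max(0.0, 0.5 + 0.02 * (setpoint_c - temperature_c)))


def run_scenario(temperatures: List[float], *, setpoint_c: float = 150.0,
                 trip_limit_c: float = 180.0, faulty_controller: bool = False,
                 mains_power: bool = True, jam_at_step: int = -1
                 ) -> List[Tuple[float, float, bool, float]]:
    """Step the model over a constructed temperature trace.
    Returns (temperature, command, energized, valve_position) per step."""
    valve = SpringReturnValve()
    safety = SafetySystem(trip_limit_c)
    trace = []
    for step, t in enumerate(temperatures):
        if step == jam_at_step:
            valve.jammed = True
        command = basic_control(t, setpoint_c, faulty_controller)
        # The valve is powered only if mains power is present AND the relay is closed;
        # the basic controller has no path to the relay (it cannot bypass the safety system).
        energized = mains_power and safety.relay_closed(t)
        position = valve.update(energized, command)
        trace.append((t, round(command, 2), energized, round(position, 2)))
    return trace


def override_holds(trace) -> bool:
    """True if the valve is in the safe state at every step where it is
    de-energized, i.e. the safety system really has the final word."""
    return all(pos == SAFE_POSITION for _, _, energized, pos in trace if not energized)


if __name__ == "__main__":
    temps = [100.0, 150.0, 170.0, 185.0, 190.0, 160.0]   # constructed, degrees C
    for name, kwargs in [("controller fault", dict(faulty_controller=True)),
                         ("mains power lost", dict(mains_power=False)),
                         ("valve jammed before trip", dict(faulty_controller=True, jam_at_step=2))]:
        trace = run_scenario(temps, **kwargs)
        print(f"{name}: override holds = {override_holds(trace)}")
        for row in trace:
            print("   T=%5.1f cmd=%.2f energized=%-5s pos=%.2f" % row)
```

The jammed case is the one to study: the controller, the relay and the safety logic all behave exactly as in the first case, yet `override_holds` is false because the actuator cannot reach the safe position. That is the situation in which the paper says the architecture must not be used, and it is why position feedback or a separate safety actuator (SEPARATED OVERRIDE) is needed where blocking is credible.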

Consequences

- Safety is retained by the safety system regardless of the basic control system.
- Separation between the safety system and the basic control system remains.
- No need for an additional safety actuator: reduced weight, size and (potentially) power consumption.
- System-wide power loss results in the safe state of the actuator.
- Only one safe state can be applied.
- Requires an actuator suitable for the control task with sufficient safety properties, which is mechanically loaded to actuate the safe state when de-energized, and which is therefore typically expensive.
- Still requires a relay or similar switching device to detach the actuator from its power supply.

Resulting Context

The safety control system may override the control system in all situations and thus safety is not dependent on the control system.


Related Patterns

The SAFETY LIMITER pattern describes an alternative solution to the problem. Safe operation is achieved by passing the control signal through a safety function that limits its value, without the need for an additional relay or other hardware.

Consequently no additional hardware is required besides the control actuator, but potentially complex safety-related application software needs to be developed.

The SEPARATED OVERRIDE pattern describes an alternative solution to the problem. The safety system is provided with a dedicated actuator. This gives the safety system more alternatives for actuating the safety function, but also requires an additional actuator.

The SAFE WHEN UNPOWERED pattern describes a generic process design related principle of constructing a system so that safe state is obtained whenever power is lost.
