
www.risknowlogy.com info@risknowlogy.com

INTRODUCTION TO DIAGNOSTIC SYSTEMS OF PROGRAMMABLE ELECTRONIC SAFETY SYSTEMS


M.J.M. Houtermans (1), Mr. Risknowlogy, Schinveld, The Netherlands
D.M. Karydas, Mr. Factory Mutual, Norwood, MA, USA
A.C. Brombacher, Mr. Eindhoven University of Technology, The Netherlands
September 2005

Abstract
This paper will focus on Programmable Electronic Safety Systems (PES) and their diagnostic systems. A PES is defined as a system for control, protection or monitoring based on one or more programmable electronic devices, including elements of the system such as power supplies, sensors and other input devices, data highways and other communication paths, and actuators and other output devices. The diagnostic systems of a PES comprise hardware and software elements that identify and reveal covert PES failures on-line, when they occur. Thus, immediate repair of the PES safety system is performed before an upset condition of the safeguarded process occurs. A measure of the effectiveness of diagnostic systems is the so-called "coverage factor". This expresses the fraction of the total number of possible covert failures of the safeguarding PES that will be revealed by the diagnostics. Our examination will cover the basic elements of PES and address practical questions, such as the nature of diagnostic systems, how diagnostics are realized and examples for the different PES components, what level of diagnostic efficiency can be achieved by different approaches and systems, and methods of evaluation of the diagnostic coverage factor.

Introduction
Computer-based systems, in general referred to as Programmable Electronic Systems (PES), were originally introduced during the early seventies in the Process Control area. They are increasingly being used to carry out safety functions. A PES is defined as a system for control, protection or monitoring based on one or more programmable electronic devices, including elements of the system such as power supplies, sensors and other input devices, data highways and other communication paths, and actuators and other output devices [1]. The flexibility of PES makes them applicable to many different kinds of industrial environments. PES can be found in the Oil and Gas, the Chemical or Petrochemical, the Pulp and Paper, the power generation (Nuclear, conventional), and the Pharmaceutical industry, to mention a few. Because of the variety of industries there is also a variety of applications for PES. PES are being used as Burner Management Systems, Emergency Shutdown Systems, Turbine control, Power and Recovery Boiler Management systems, Fire and Gas detection systems, Batch control and other kinds of applications. PES play an especially important role in the safety industry.

(1) Author to whom all correspondence should be addressed.

This document is available on www.safetyusersgroup.com

The safety market has been dominated for a long time by safety systems that are based on hardwired relay logic or solid-state technology. Relay and solid-state technology still represent a considerable part of the safety system market. However, their share has more or less stabilized since the introduction of PES. Unlike relay and solid-state technology, a PES is relatively easy to re-program, which makes it possible to change the program that controls the process in a relatively short time without physically replacing or changing hardware components. The use of PES has been growing drastically, because they have proven to be cost-effective, flexible and capable of executing complex logic [2]. PES are part of the Safety Protection Layer philosophy, which is present in most modern chemical plants. The possible Protection Layers in a plant can be divided into two categories: (1) layers for prevention and (2) layers for mitigation. The Prevention Layers prevent the occurrence of upset conditions leading to an accident, e.g., pressure too high. The Mitigation Layers mitigate the consequences once an unwanted event has occurred, e.g., rupture of a vessel. In [3] the following possible protection layers are identified: Basic Process Design; Basic Process Control System, Process Alarms, Operator Supervision; Critical Alarms, Operator Supervision, Manual Intervention; Automated Safety Instrumented System (relay, PES); Physical Protection (relief devices, dikes, sprinklers); Plant Emergency Response; Community Emergency Response.

A PES based safety system, in the process industry also known as a Safety Instrumented System (SIS), monitors an industrial process continuously, just like a Basic Process Control System (BPCS). However, a safety system only intervenes in the process when certain predetermined conditions are violated. Two examples are when a measured temperature falls below its set point or a measured pressure rises above its set point. PES based SISs are part of the prevention layers and they are used to bring the process into a safe state when a demand is placed on the PES. In [4] a safe state is defined as a state that the Equipment Under Control (EUC), or process, shall attain as defined by the Process Hazard Analysis (PHA), e.g., the state reached after shut-down of the process. The basic task of a PES based safety system is to safeguard the process. It does this by carrying out specific identified safety functions. A safety function is defined as a function to be implemented by safety-related systems or external risk reduction facilities, which is intended to achieve or maintain a safe state for the EUC, in respect of a specific hazardous event. These safety functions are determined on the basis of a Process Hazard Analysis (PHA) or Hazard and Risk Analysis. Common techniques used for PHAs include What-If Analysis, HAZOP, Checklists, FMEA, Fault Tree, Event Tree, and Human Reliability Analysis, among others. An extensive PHA will include the identification of hazards, hazardous events, event sequences leading to hazardous events and the risk associated with each hazardous event. The associated risk, expressed in qualitative or quantitative terms, can help define the necessary risk reduction and specify the safety functions that will accomplish such risk reduction. The safety functions so defined can be allocated to one or more safety-related systems, which may comprise PES or other risk reduction technology, e.g., rupture disks, relief valves, sprinkler systems, etc.
Standards like IEC1508 [1] and ANSI/ISA S84.01 [5] specify the Safety Integrity Level (SIL). This is a quantitative index of the required reliability of the PES as a function of the criticality of the process. In practice there are four discrete SIL levels, see Table 1. The higher the SIL level, the higher the reliability requirements on the PES. There is a direct relationship between the process, the safety function to be carried out by the PES and the SIL level of the PES. The criticality of the process determines the criticality of the safety function(s), which determines the required SIL level of the PES. The aforementioned IEC1508 draft standard gives guidance on how to allocate a SIL to a PES based safety-related system (IEC1508 [1] part 2).


Table 1. SIL levels in terms of (un)availability

Level    Probability of Failure on Demand
SIL 4    10^-5 to <10^-4
SIL 3    10^-4 to <10^-3
SIL 2    10^-3 to <10^-2
SIL 1    10^-2 to <10^-1

Although a PES functions like a normal computer, there are certain important aspects that make a PES distinctly different from a computer. The hardware and software are designed for specific use in industry and by industrial personnel. Hardware is modular, which makes it easy to exchange in case of malfunctioning. The application software is written in special languages, which are easy to understand for plant personnel. The IEC1131 standard [4] addresses four of these languages (Ladder Logic, Functional Block Diagrams, Sequential Function Charts, Boolean Logic). Another important aspect is that the PES is a computer designed to work in an industrial environment. This imposes some extra requirements on a PES, because the PES needs to be designed to work in an environment subject to stressors like chemicals, dust, humidity, high or low temperatures, electrical noise, electro-magnetic interference, mechanical vibration, etc. To protect the PES against the effects of such stressors, the PES is equipped with diagnostic functions. The diagnostic functions of the PES monitor the PES just as the safety functions of the PES monitor the industrial process. The basic task of the diagnostic functions is to determine whether the PES is capable of carrying out the safety functions and thus of safeguarding the process against upset plant conditions. The diagnostic functions reveal covert PES failures on-line, when they occur. Thus, immediate repair of the PES safety system can be performed before an upset condition of the safeguarded process occurs. The diagnostics play an important role in the reliability and availability aspects of the PES. They contribute significantly to achieving the required SIL as defined by the aforementioned standards. It is important to understand the difference between detection by diagnostics, by proof tests, or by safe failures.
This paper will give an overview of the structure and elements of PES and address practical questions, such as the nature of diagnostic systems, examples of how diagnostics are designed and implemented, what level of diagnostic efficiency can be achieved by different approaches and systems, and methods of evaluation of the diagnostic coverage factor. This paper does not address every single PES architecture, every diagnostic technique and all aspects related to PES diagnostics. The field of PES is very wide and the technology of diagnostics is too complex to allow an exhaustive examination in this paper. We will first start with an overview of the basic structure and elements of Programmable Electronic Systems, to facilitate our examination of PES diagnostics, the main topic of this paper.


Programmable Electronic Systems


The PE and its Input & Output (I/O) Devices
Figure 1 gives an overview of a PES as it is defined in [1]. The basic elements of a PES are: Input Device(s), Input Module(s), Main Processor(s), Output Module(s) and Output Device(s). The Main Processor (MP), together with the Input and Output Modules are known as the Programmable Electronic. The Programmable Electronic (PE) forms the core of the PES. The PE interacts with the process through the Input Devices. It interprets the received information and diagnoses the process, i.e., compares the process state parameters with set values programmed in its memory. Then, it makes decisions based on this diagnosis and sends the appropriate command signals to the Output Devices.

[Figure 1: block diagram. Programmable Electronic System = Input Devices (sensors S, discrete and analog) -> Programmable Electronic (Input Modules -> Main Processor -> Output Modules, executed as a scan sequence) -> Output Devices (actuators A, discrete and analog).]

Figure 1. Basic Elements of a PES


The Input Devices are the basic elements for collecting the information or knowledge necessary to characterize the process. They measure the physical parameters that are important to understand the current state of the process. Input Devices can be sensors that measure, for example, temperature, pressure, flow, humidity, pH values, voltage, current, etc. Input Devices can be divided into discrete, analog or digital devices. Discrete Input Devices are selector switches, push buttons, limit switches, etc. Analog Input Devices are, for example, flow transmitters and pressure and temperature transmitters. Examples of Digital Input Devices are binary encoders, bar code readers or thumb-wheel switches. Once the PE has processed the input information, it sends signals to the Output Devices. The Output Devices reflect the decisions of the PE on how to control the process. Like the Input Devices, the Output Devices can be divided into discrete, analog and digital devices. Discrete Output Devices are motor starters, valves, solenoid valves, alarms, etc. Analog Output Devices are electrical motor drivers, chart recorders, current-to-pressure units, electrical valves, and so on. Examples of digital Output Devices are LED displays, position controllers and intelligent panels. Output Devices can be used for informational purposes or to actually change the state of a component, such as closing a valve or starting a motor.

The Programmable Electronic


A PE based safety system is often modular (see Figure 2). The modules are configured in a Module Rack. The modular architecture makes a PES very maintenance friendly. The PE comprises Input/Output (I/O) Modules, Main-Processor (MP) modules and power supply modules. The I/O Modules are intermediary elements between the Input or Output Devices and the MP. The Input Modules translate the signals from the field into the language of the MP. The Output Modules do the opposite; they convert the signals from the MP into standard Output Device signals. In practice, signals from the field devices, like voltages or currents, are translated into digital signals for the MP and vice versa. Because of the variety of possible signals that need to be sent to and from the MP, there is also a variety of I/O modules available. The I/O Modules are characterized by the type of signal they handle, i.e., analog, discrete or digital, and by the number of signals they can handle, usually expressed as channels (2, 4, 8, 16, etc. channels). Besides the standard I/O modules that handle the input and output devices, there are additional modules available for specific tasks. For example, Power Supply modules provide power, while communication modules communicate with other computers, printers, monitors, third party equipment or modules for network connections.

Figure 2. Example Programmable Electronic

The MP is the brain of the PE. The two main components of the MP are the micro-processor and the memory. The MP monitors the state of the controlled process through the Input Devices and controls the Output Devices. The MP executes the executive programs, which are part of the design of the PE, and the application programs. The executive programs manage the basic system activities, e.g., updating inputs and outputs, interpreting the user defined programs into instructions that the MP understands, performing diagnostic functions, etc. An application program is a set of instructions designed by process engineers to control a specific process. Another important component of the MP is the communications function. Different components of the MP communicate with each other, MPs communicate with other MPs, or with Input and Output Devices, displays, printers, etc.

Memory
The advantage of a PES used for safety, compared to conventional safety systems, lies in the fact that it is programmable. The memory component of a PE makes it possible to reprogram the PE, so that it can easily accommodate changes in the process or EUC. Memory is used for two reasons, (1) to store executive application software and (2) to store user applications. The executive application software is part of the PES and cannot be changed by the user of the PES. The user can only make changes to the applications software. A PES is equipped with two types of memory, Volatile and Non-volatile memory. Everything that is stored in the volatile memory will be lost when there is a loss of power. There are several technologies used for non-volatile memory. These include ROM, EPROM, EEPROM and EAPROM. Any of the above will be used for executive programs. Non-volatile memory may also be used for application programs that must survive power loss. Volatile memory (RAM) will be used for values that change, such as the most recent values from sensors. It may also be used for application programs that will be reloaded after power loss.

The Scanning Process


The PES continuously monitors the process and the diagnostics part continuously monitors the PES. In practice this is performed by the scanning process. The scanning process plays an important role in performing the diagnostic functions of a PES. The scanning process continuously repeats a defined sequence of steps that enables the PES to control the process and to perform the diagnostic functions of the PES. Figure 3 gives a possible sequence of the steps to be executed during a scan. The time to perform the actual scan is affected by the number of inputs, number of outputs, peripherals, size of the user defined application program, etc. The scan time is a significant parameter of a PES used for safety. In case of a demand on the PES it can take a couple of seconds from updating the information from the input devices, through processing of the information by the MP, to the final action at the output devices.

[Figure 3: scan steps laid out along a time axis from 0 to # milliseconds (Scan Time): Inputs, User defined program, Limit, Diagnostics, Outputs, Peripherals.]

Figure 3. Example of a possible scan process

Diagnostics and PES


Programmable electronic safety systems were introduced to improve the safety and availability of industrial plants. They are used as a Safety Protection Layer and therefore must be highly reliable and safe. To achieve this, PES are equipped with diagnostic functions. The diagnostics of a PES verify that the PES is capable of performing its safety functions. The meaning of the verb "to diagnose" is "to ascertain the cause or nature of a disorder, a malfunction or a problem from the symptoms". To be able to make a diagnosis one has to understand the system subject to the diagnosis, its components, its behavior under all circumstances and the possible influences from the operational environment of the system. The basic concept of diagnosis is based on the ability to understand signs and symptoms and to infer the cause or nature of a problem or situation based on these signs and symptoms. This fundamental concept is valid within PES. Designers of PES base the diagnostic functions of the PES on the known signs and symptoms that can be derived from the PES. This kind of knowledge is often derived from the experience that the designers develop over the years with these systems (e.g., through research, customer feedback). The level of the designer's success in developing good diagnostics can be quantified by the "diagnostic coverage factor". The diagnostic coverage factor is defined as the percentage of hardware failures detected by diagnostic tests [1]. Good diagnostic capabilities improve the reliability of a PES in terms of safety and availability of the system [7, 8, 9, 10] and can, therefore, result in a higher SIL. From section 2 it can be concluded that a PES is a complex system. A PES consists of hardware and software; there are mechanical, electrical and electronic parts. All those parts perform different functions, different processes take place within each part and communication takes place between these parts. The components of a PES may fail in many different modes. Failure modes of a PES that cause a spurious trip are characterized as safe. Failure modes that cause the PES to fail to respond to a demand initiated by a process upset condition are characterized as dangerous [5, 11]. It is the task of the diagnostic functions to characterize a failure as safe or dangerous. The outcome of the diagnosis is used by the PES to make a decision on how to act on this diagnosis. A possible decision can be to shut down the process or to send a message to the operator to repair the failure.
This depends on whether it is still possible for the PES to carry out the safety functions. The overall diagnostic system of a PES is a hybrid system that deploys many techniques to perform the specific diagnostic functions. The diagnostic functions of a PES are mainly performed on-line and on a continuous basis during each scan, but they can also be carried out more thoroughly off-line and on a periodic basis, e.g., during a periodic scheduled maintenance check. The diagnostic systems can cover specific parts or combinations of parts, e.g., a diagnosis can be made of one channel, a set of channels or the complete I/O module. A diagnosis can be made on a part, a module, or system level. The diagnostic systems can be hardware or software driven, but more often are a combination of both. Based on the different domains and processes that take place in a PES it is possible to characterize the diagnostic functions as follows: voltage measurements, current measurements, signal timing measurements, signal sequencing measurements, signal and information comparison. The essence of diagnostic functions is mainly the execution of sequential and time dependent software routines. The fundamental concept behind diagnostics is based on comparison, reference or a combination of both [6]. Comparative diagnostic functions take two or more PES units, or parts of a PES, and compare their relevant data or signals with each other. A problem is diagnosed when the data from one PES deviate from those of one or more other PES. Reference diagnostic functions use predetermined fixed references of a successfully operating PES (operating as designed). A problem is diagnosed if the input data deviate from the reference base. Modern PES use both techniques to maximize the results. A Watchdog timer is probably the best known diagnostic technique used in connection with PES. The Watchdog timer may consist of hardware, software or a combination of both.
A Watchdog timer can monitor several functions of the PES. Its operating principle is based on a timer which needs to be triggered before it reaches a predetermined value. If the watchdog timer ever times out it will take the appropriate action, because it assumes failure of one of the functions it is monitoring. A watchdog is mainly used to monitor the microprocessor's activities and the program sequencing. For example, one function can be the monitoring of the cycle time of a program, whether it is too long or too short. If the cycle time is too long it would mean an interruption of the execution of the program; too short would mean that certain parts of the program were skipped. Other examples of diagnostic techniques are mentioned in Table 2. This table lists in the first column typical PES components. The second column gives some of their failure modes, and the third column possible diagnostic techniques that can be used with these components. This table is limited and different manufacturers might incorporate different components and diagnostic techniques. The characters between the brackets (L = Low, M = Medium, H = High) indicate the diagnostic coverage that can be achieved with these techniques and should only be used for guidance. It is not possible to give fixed numbers for diagnostic techniques. Each case should be evaluated on an individual basis.
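The windowed watchdog described above, as an added illustration that is not part of the original paper: a software watchdog that trips both when the scan cycle is too long (interrupted execution) and when it is too short (skipped program parts), and that also checks that the scan visited the steps of Figure 3 in order. Timestamps and scan traces are constructed, not read from real hardware, and the step names and window limits are assumptions.

```python
"""Windowed watchdog with program-sequence monitoring for a PES scan loop.

Constructed example: timestamps and scan step traces are simulated; the
step names follow the scan sequence of Figure 3 and the cycle-time window
is an assumed value.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Scan steps the executive program must visit, in this order (Figure 3).
EXPECTED_SEQUENCE = ("inputs", "user_program", "limit",
                     "diagnostics", "outputs", "peripherals")


@dataclass
class WindowedWatchdog:
    """Watchdog that must be kicked within [min_cycle, max_cycle] seconds.

    A kick that arrives too late means execution was interrupted; a kick
    that arrives too early means parts of the program were skipped. Both
    are treated as failure of the monitored function, and a kick is only
    accepted if the reported scan steps match EXPECTED_SEQUENCE.
    """
    min_cycle: float
    max_cycle: float
    last_kick: Optional[float] = None
    tripped: bool = False
    reason: Optional[str] = None
    _trace: List[str] = field(default_factory=list)

    def record_step(self, step: str) -> None:
        """The executive program reports each scan step as it executes."""
        self._trace.append(step)

    def kick(self, now: float) -> bool:
        """Called once at the end of every scan. Returns True while healthy."""
        if self.tripped:
            return False
        if tuple(self._trace) != EXPECTED_SEQUENCE:
            return self._trip(f"scan sequence {self._trace} differs from expected")
        if self.last_kick is not None:
            elapsed = now - self.last_kick
            if elapsed > self.max_cycle:
                return self._trip(f"cycle too long: {elapsed:.3f}s (interrupted execution)")
            if elapsed < self.min_cycle:
                return self._trip(f"cycle too short: {elapsed:.3f}s (skipped program parts)")
        self.last_kick = now
        self._trace = []
        return True

    def check_timeout(self, now: float) -> bool:
        """Hardware-timer view: trips if no kick arrived within max_cycle."""
        if self.tripped:
            return False
        if self.last_kick is not None and now - self.last_kick > self.max_cycle:
            return self._trip("watchdog timed out: no kick received")
        return True

    def _trip(self, why: str) -> bool:
        # The action taken on a trip (e.g. de-energize outputs) is the PES
        # designer's choice; here we only latch the failure and its reason.
        self.tripped = True
        self.reason = why
        return False


def run_scans(wd: WindowedWatchdog,
              scans: List[Tuple[float, List[str]]]) -> Tuple[bool, Optional[str]]:
    """Drive the watchdog with (timestamp, steps) scans. Returns (ok, reason)."""
    for now, steps in scans:
        for step in steps:
            wd.record_step(step)
        if not wd.kick(now):
            return False, wd.reason
    return True, None
```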

Evaluation of the Diagnostic Coverage factor


Perfect diagnostic coverage of a PES, which would imply 100% effective diagnostics, is not yet attainable. Good diagnostics improve the safety and availability aspects of the PES, which may result in a higher SIL. The analysis used to determine the diagnostic coverage factor should include all the elements of the PES that are used to effectively perform the safety functions. The issue of failure diagnosis has received considerable attention in the literature; different methodologies have been proposed for different systems and problems. These methodologies include, but are not limited to, qualitative modeling [12], quantitative modeling [13], artificial intelligence and failure injection techniques [14]. Currently, the diagnostic coverage factor of a PES is in practice evaluated with a modified version of Failure Modes and Effects Analysis (FMEA) and fault injection techniques [1, 6].


Table 2. Examples of components and diagnostic techniques [1, 15]

COMPONENT: sensor
FAILURE MODES: stuck at, oscillation
TECHNIQUE: pulse testing, reference sensor (L-H)

COMPONENT: valve
FAILURE MODES: stuck at, oscillation
TECHNIQUE: pulse testing, monitoring (L-H)

COMPONENT: micro processor
FAILURE MODES: output stuck (low, high), input open, output open, short circuit, open circuit
TECHNIQUE: watchdog, comparator, self-test by software, register test, arithmetic test, byte, word, long word addressing test, program counter test, instruction set test (M-H)

COMPONENT: memory
FAILURE MODES: stuck at, read error, write error
TECHNIQUE: march test, galpath test, modified checksum, signature one word, double word, hamming code (M-H)

COMPONENT: communication and signals
FAILURE MODES: no data, wrong data, stuck at, wrong address, wrong time
TECHNIQUE: transmission redundancy, information redundancy, time out checking, message sequencing, address verification, watchdog (M-H)

COMPONENT: power supply
FAILURE MODES: voltage too high, too low
TECHNIQUE: watchdog timer (M-H)

COMPONENT: environment
FAILURE MODES: operating temperature too high
TECHNIQUE: temperature measurement, thermal fuse, fan control (M-H)

Coverage: L = Low, M = Medium, H = High

The FMEA approach follows a systematic methodology to document each failure mode of the different components, what caused those failures and the effects of these failures at system level. For the purpose of determining the coverage factor, these failure modes are categorized in terms of failures that lead to a nuisance trip (safe failures), or failures that cause no system response to process upsets (dangerous failures). The total failure rate of a component can then be divided into a safe and a dangerous failure rate. For each failure mode, safe or dangerous, it has to be determined whether it can be detected by the diagnostic system. For each category the failure rates that can be detected are summed together. The coverage factors for safe and for dangerous failures are then the detected fraction of the total safe and of the total dangerous failure rate, respectively. The disadvantage of the FMEA approach is that this technique can only take into account hardware failures, while the actual PES is a composite of hardware and software. The FMEA approach is therefore complemented with fault injection techniques, like [14], to reveal any failures that were not taken into account because of the limitations of the FMEA approach and to verify the results derived from FMEA. The fault injection techniques are especially appropriate for the analysis of the Programmable Electronic part of the PES.

Diagnostics, proof tests and detection by safe failures

Failures in a PES can be revealed via three different methods. Failures can be detected via diagnostics, via proof tests, or they can reveal themselves because of safe failures. It is important to understand, in terms of the IEC 61508 standard, what the differences are between the three detection methods, as they all have their own influence on the functional safety parameters. According to IEC 61508 a test is a diagnostic test if it meets the following criteria [16]:
1. It is carried out automatically (without human interaction) and frequently (related to the process safety time, considering the hardware fault tolerance) by the system software and/or hardware;
2. The test is used to find failures that can prevent the safety function from being available; and
3. The system automatically acts upon the results of the test.


In all other cases a test is considered to be a proof test. In practice a proof test is scheduled periodically and needs to be carried out by humans. Even though a proof test can be automated to a certain extent, it is in general not possible to carry it out fully automatically, and it is not carried out with the frequency required of a diagnostic test. Proof tests are often carried out once every six months or once a year. It is important to differentiate between the two testing methods because the IEC 61508 standard requires the calculation of the so-called safe failure fraction. The safe failure fraction is defined as the ratio of the average rate of safe failures plus dangerous detected failures of the subsystem (2) to the total average failure rate of the subsystem, see the formula below.

$$SFF = \frac{\lambda_{SD} + \lambda_{SU} + \lambda_{DD}}{\lambda_{SD} + \lambda_{SU} + \lambda_{DD} + \lambda_{DU}}$$

where $\lambda_{SD}$, $\lambda_{SU}$, $\lambda_{DD}$ and $\lambda_{DU}$ are the average rates of safe detected, safe undetected, dangerous detected and dangerous undetected failures of the subsystem.

A high safe failure fraction can be accomplished if we either have a lot of safe failures (detected or undetected does not really matter for the SFF) or if we can detect a lot of the possible dangerous failures. Only failures detected by diagnostic tests can be accounted for in the safe failure fraction calculation. Failures detected by periodic proof tests cannot be accounted for in the safe failure fraction calculation. It is important that safety system product suppliers provide the safe failure fraction of the product with their products, and that this safe failure fraction is based on diagnostic tests only. Many product suppliers provide data that take proof tests into account. This is incorrect, as a product supplier does not know whether an end-user will actually carry out the proof test, whether the proof test discovers the failures, and, if it is carried out, how often. Another form of detection is via safe failures. Safe failures can lead to the execution of the safety function without a demand from the process. In that case it is of course possible for an end-user to detect the failure. In the worst case the end-user detects the failure because the plant trips. A better scenario exists in case of redundancy, where an end-user can see that one out of several channels has failed safe. This is also a form of detection, but this form cannot be accounted for in the safe failure fraction calculation either. A product supplier cannot present a safe failure fraction number based on detection via a plant trip. No end-user should accept that argument.
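The FMEA tally described in the "Evaluation of the Diagnostic Coverage factor" section and the SFF rule above, as an added example that is not part of the original paper: failure modes of one subsystem are summed into SD, SU, DD and DU rates, and only automatic diagnostic detection counts as "detected". A flag reproduces the incorrect supplier practice of also counting proof-test detection, so the two SFF values can be compared. The component and failure-mode names follow Table 2, but every failure rate is a constructed, illustrative value.

```python
"""FMEA-style tally of failure rates into SD/SU/DD/DU, the diagnostic
coverage factors and the safe failure fraction (SFF).

Constructed example: the failure rates (in FIT, failures per 1e9 hours)
are made up for illustration; component and failure-mode names follow
Table 2 of the paper but the numbers do not come from it.
"""
from dataclasses import dataclass
from typing import Dict, Iterable

DIAGNOSTIC, PROOF_TEST, SAFE_TRIP, NONE = "diagnostic", "proof_test", "safe_trip", "none"


@dataclass(frozen=True)
class FailureMode:
    component: str
    mode: str
    rate_fit: float    # failure rate of this mode in FIT
    dangerous: bool    # True: no response on demand; False: spurious trip
    revealed_by: str   # DIAGNOSTIC, PROOF_TEST, SAFE_TRIP or NONE


# Constructed FMEA rows for a single subsystem (illustrative values only).
FMEA_ROWS = [
    FailureMode("sensor", "stuck at", 120.0, True, DIAGNOSTIC),            # pulse test finds it
    FailureMode("sensor", "oscillation", 40.0, False, SAFE_TRIP),          # reveals itself by a trip
    FailureMode("micro processor", "output stuck high", 30.0, True, DIAGNOSTIC),
    FailureMode("micro processor", "program counter error", 15.0, True, DIAGNOSTIC),
    FailureMode("memory", "read error", 25.0, True, PROOF_TEST),           # only a periodic test finds it
    FailureMode("valve", "stuck at (open)", 200.0, True, PROOF_TEST),
    FailureMode("valve", "stuck at (closed)", 60.0, False, SAFE_TRIP),
    FailureMode("power supply", "voltage too low", 50.0, False, DIAGNOSTIC),
    FailureMode("communication", "wrong data", 10.0, True, NONE),          # never revealed
]


def tally(rows: Iterable[FailureMode],
          count_proof_tests_as_detected: bool = False) -> Dict[str, float]:
    """Sum the rows into lambda_SD, lambda_SU, lambda_DD and lambda_DU.

    Per IEC 61508 only automatic diagnostic tests count as detection, so a
    safe failure revealed by a plant trip lands in SU (which still counts
    in the SFF numerator) and a dangerous failure found only by a proof
    test lands in DU.  The flag models the incorrect supplier practice of
    also treating proof-test detection as detected.
    """
    detected_kinds = {DIAGNOSTIC}
    if count_proof_tests_as_detected:
        detected_kinds.add(PROOF_TEST)
    totals = {"SD": 0.0, "SU": 0.0, "DD": 0.0, "DU": 0.0}
    for row in rows:
        detected = row.revealed_by in detected_kinds
        key = ("D" if row.dangerous else "S") + ("D" if detected else "U")
        totals[key] += row.rate_fit
    return totals


def coverage_and_sff(rows: Iterable[FailureMode],
                     count_proof_tests_as_detected: bool = False) -> Dict[str, float]:
    """Return the SD/SU/DD/DU rates, the safe and dangerous diagnostic
    coverage factors, and SFF = (SD + SU + DD) / (SD + SU + DD + DU)."""
    t = tally(rows, count_proof_tests_as_detected)
    safe_total = t["SD"] + t["SU"]
    dangerous_total = t["DD"] + t["DU"]
    total = safe_total + dangerous_total
    return {
        **t,
        "DC_safe": t["SD"] / safe_total if safe_total else 0.0,
        "DC_dangerous": t["DD"] / dangerous_total if dangerous_total else 0.0,
        "SFF": (t["SD"] + t["SU"] + t["DD"]) / total if total else 0.0,
    }


if __name__ == "__main__":
    for label, flag in (("diagnostics only (correct)", False),
                        ("proof tests counted (incorrect)", True)):
        r = coverage_and_sff(FMEA_ROWS, flag)
        print(f"{label}: DC_D={r['DC_dangerous']:.3f} SFF={r['SFF']:.3f}")
```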

Conclusions
This paper gives an overview of PES and their diagnostic systems. PES used for safety are complex systems with diverse interacting operating domains. The PES, as well as the diagnostic functions of the PES, consists of hardware and software. Many different diagnostic techniques are being used. The process of evaluating the diagnostic coverage factor is complex and tedious. The limitations of the FMEA approach make it insufficient to handle the complexity of a PES. Fault injection techniques represent the current state of the art regarding the evaluation of the diagnostic coverage factor, but they mainly focus on the PE part only. The industry needs a methodology to evaluate the complete Safety Instrumented System (SIS), taking into account the hardware, software and the operational environment of the SIS. Industry also needs to differentiate between detection via diagnostics, proof tests or safe failures, as only detection via diagnostic tests can be accounted for in the safe failure fraction.

(2) Each safety function is carried out by a safety system. The safety system can be divided into as many subsystems as necessary. The safe failure fraction needs to be calculated per subsystem.

References
1. IEC1508: Functional Safety of Electrical / Electronic / Programmable Electronic Safety-Related Systems, IEC, 1997.
2. Guarro S., Yau M., Motamed M., Development of Tools for Safety Analysis of Control Software in Advanced Reactors, NUREG/CR-6465, April 1996.
3. Drake E.M., Thurston C.W., A safety evaluation framework for process hazard management in chemical facilities with PES-based controls, Process Safety Progress, vol. 12, 9-13, 1993.
4. IEC1131-3, Programmable Controllers, International Electrotechnical Commission, 1997.
5. ANSI/ISA S84.01-1996, Applications of Safety Instrumented Systems for the Process Industry, ISA, 1996.
6. Goble W.M., Bukowski J.W., Brombacher A.C., How diagnostic coverage improves safety in programmable electronic systems, Proceedings ISATECH96, Chicago, September 1996.
7. Smith S.E., Fault Coverage in Plant Protection Systems, ISA Transactions, vol. 30, no. 1, 1991.
8. Goble W.M., Speader W.J., 1oo1D - Diagnostics Make Programmable Safety Systems Safer, Proceedings of the ISA92 Conference and Exhibit, Toronto, ISA, 1992.
9. Goble W.M., Bukowski J.V., Brombacher A.C., How Diagnostic Coverage Improves Safety in Programmable Electronic Systems, Proceedings ISATECH96, Chicago, 1997.
10. ISA dTR84.0.02-4, Electronic (E) / Electrical (E) / Programmable Electronic (PE) Safety Systems, Part 4, ISA, 1997.
11. Houtermans M.J.M., Goble W.M., Brombacher A.C., Creating Markov Models for Applications in the Process Industry, Proceedings of the 15th International Conference on Computer Safety, Reliability and Security, Vienna, Austria, 23-25 October 1996.
12. Frank P., Fault Diagnosis in dynamic systems using analytical and knowledge based redundancy - A survey and some new results, Automatica, vol. 26, 1990.
13. Goble W.M., Evaluating Control System Reliability - Techniques and Applications, Raleigh, ISA, 1992.
14. Brombacher A.C., et al., RIFIT: a technique to analyze safety of combined Hardware / Software structures, Proceedings ISATECH97, Anaheim, October 1997.
15. Meeldijk V., Electronic Components, Selection and Application Guidelines, John Wiley & Sons, 1995.
16. Houtermans M.J.M., Velten-Philipp W., The effect of diagnostics and proof tests on the reliability of safety systems, 1st International TUV Symposium, Cleveland, OH, USA, May 2005.
