This document discusses managing the lifecycle safety and performance of PLCs used on dive systems. It provides background on PLC development and modern PLC components. It emphasizes that PLCs are now ubiquitous in automated dive systems. Proper management over the entire lifecycle is important for safety, including factors like competent resources, design specifications, verification and testing, and training. The document recommends using the IEC 61508 functional safety standard as a reference for a lifecycle approach to managing risk from PLC-based dive systems.
1. Managing Lifecycle Safety & Performance of PLC’s Used on Dive Systems
PLCs in diving systems: a life cycle
Presented by Ed Gardyne of Safewell
2. Managing Lifecycle Safety & Performance of PLC’s Used on Dive Systems
Some Background
• Founder of Safewell, specialists in the safety of compressed air and gas used for respiratory protection and critical processes (www.safewell.info)
• 30 Years’ Experience in the Application of PLCs in Various Sectors
• Member of the Institute of Measurement and Control
• Working as part of the Shell Diving Safety Assurance Team since 2009, carrying out audits on various DSVs
• Helping to develop the Shell Dive System Assurance Process (DSAP)
• Assisted several operators and contractors in the UK & Norway to carry out audits on automated DSVs and incident investigations, e.g. the Skandi Arctic bell drop
3. Managing Lifecycle Safety & Performance of PLC’s Used on Dive Systems
Original Patent for a PLC System - 1974
4. Managing Lifecycle Safety & Performance of PLC’s Used on Dive Systems
Early PLC Development History
• In 1968 General Motors in the US wrote a specification for a programmable controller to replace large, unwieldy relay logic panels
• The contract was won by Bedford Associates, who created the Modicon 084 and sold 1000 units
• Allen Bradley began R&D in 1969 and filed a patent in 1974 for a programmable logic controller (PLC), becoming market leader
• In the intervening years many suppliers developed PLC technology
• Current market leaders are Siemens, Allen Bradley (Rockwell Automation) & Schneider
[Image: Dick Morley]
5. Managing Lifecycle Safety & Performance of PLC’s Used on Dive Systems
What Does a Modern PLC Look Like?
A modern PLC uses modular building blocks to integrate a system.
[Diagram: PLC – Programmable Logic Controller, showing the chassis in an enclosure, power supply, processor with application software, input / output modules to sensors, instruments and actuators, and the communication network]
With Ethernet switches built in, automation systems can now be easily networked with business IT systems!
9. Managing Lifecycle Safety & Performance of PLC’s Used on Dive Systems
Current PLC Trends?
Market Research Demands More Safety Integration in PLCs
Siemens SIMATIC Safety CPUs +17% in FY 2013/14 (Standard CPUs +2.8%)
10. Managing Lifecycle Safety & Performance of PLC’s Used on Dive Systems
PLC Safety - Current Trends?
• Standard PLCs now with safety integrated
• Implement process and safety control in a single PLC
• Fail-safe IO modules with enhanced hardware diagnostics
• Implement safety logic in the PLC using software instead of external safety relays
• Use of proven, certified library safety code and firmware with 3rd party approvals, e.g. TÜV
• Auto-generated, standards-compliant documentation
• Reduced safety hardware and wiring
• Improved development tools with PLC simulation
• Reduced debug time and more rapid commissioning
There is no excuse to build an unsafe automated dive system using PLCs
11. Managing Lifecycle Safety & Performance of PLC’s Used on Dive Systems
PLC Safety - Certification?
Functional safety certified to EN 61508
Certified according to EN 61508 2nd Edition and EN ISO 13849-1 PL e
12. Managing Lifecycle Safety & Performance of PLC’s Used on Dive Systems
Our Objectives Today
• Education and Awareness – Understand the Pervasive Impact of PLCs on Dive Systems and the Benefits!
• Appreciate & Focus on the Invisible? Risks when Using PLCs
• Generate a Clear Mindset for Effective Life Cycle Management of PLCs
• Tune all this into the existing DSV assurance and audit cycles
• Stimulate Open Discussion of the Issues
• Remove the Fear Factor – The people in the industry already have the technical capability to deal with this
After All It’s Not ….. Hard to Manage This When You Become Aware
13. Managing Lifecycle Safety & Performance of PLC’s Used on Dive Systems
The Invisible Risks
ENSURE VISIBILITY OF SAFETY RISKS
PREVENT COMPLACENCY
14. Managing Lifecycle Safety & Performance of PLC’s Used on Dive Systems
Why is This Important?
PLC AUTOMATION: UBIQUITOUS, PERVASIVE, DISRUPTIVE
[Images: The Way It Was / The Way It Is Now & Getting More Automated!]
e.g. Drilling Industry – When Automation changed things in the 80’s and 90’s
15. Managing Lifecycle Safety & Performance of PLC’s Used on Dive Systems
And In The Diving Industry?
• Modern DSV designs are highly automated
• 7 Atlantic, Skandi Arctic and 7 Havila are good examples
• Automation is applied to many processes and machinery
• Systems are complex and more difficult to audit unless you have the necessary knowledge and experience
• The control software may be invisible & only understood by a few
16. Managing Lifecycle Safety & Performance of PLC’s Used on Dive Systems
Extent of Automation on DSV’s
• Bell launch and recovery systems
• Bell Utilities
• Compression / Decompression
• Controlling gas pressure
• Oxygen Concentration Control
• CO2 Monitoring / Scrubbing
• Humidity & Temperature Monitoring
• Environmental Monitoring
• Data Logging
• Warnings / Alarms
• HPU Control
• ROV, DP
• Cranes, Pipe Lay
• Intelligent Drives, Instruments
[Image: DSV 7 Havila (image courtesy SS7)]
Experience Shows PLCs Turn Up When Least Expected!
17. Managing Lifecycle Safety & Performance of PLC’s Used on Dive Systems
Extent of Automation on DSV’s
What does an automated DSV look like… from an auditor’s perspective?
Like This Example – DSV 7 Havila Dive Control Room (images courtesy SS7)
18. Managing Lifecycle Safety & Performance of PLC’s Used on Dive Systems
Extent of Automation on DSV’s
What does an automated DSV look like… from an auditor’s perspective?
And This – DSV 7 SAT Control Room (images courtesy SS7)
19. Managing Lifecycle Safety & Performance of PLC’s Used on Dive Systems
Extent of Automation on DSV’s
And From a PLC Engineer’s Perspective?
20. Managing Lifecycle Safety & Performance of PLC’s Used on Dive Systems
Benefits of Automation on DSV’s?
• Safer Diving Operations using high integrity (certified) safety hardware and software to implement risk mitigation and bring systems to a safe state
• Providing advanced tools to manage complex risks, e.g. running several chamber profiles simultaneously
• Providing sophisticated instantaneous oversight over complex operations
• Capturing data for analysis and improvement
• Eliminating human error during repetitive work tasks which may arise from tiredness or temporary lack of focus
Thought: These days commercial air flights are highly automated but we don’t think twice about boarding?
21. Managing Lifecycle Safety & Performance of PLC’s Used on Dive Systems
This Raises Some Lifecycle Questions
• How engaged and aware are senior management?
• How well are automated PLC based dive systems safety assessed?
• How good are the technical specifications?
• Competency and quality assurance of designers, manufacturers, engineers, operators, class bodies, auditors
• Hardware and software testing and life cycle software configuration control
• Competence of Maintenance Technicians / Availability of Spares / Tools
• System Security
• Management of Change during the system life cycle
22. Managing Lifecycle Safety & Performance of PLC’s Used on Dive Systems
Industry Response to PLC’s To Date
IMCA:
• Issued Draft Addendum to IMCA D 024
• And an Information Note in August 2012
23. Managing Lifecycle Safety & Performance of PLC’s Used on Dive Systems
Industry Response to PLC’s To Date – OGP
• OGP working group developing a dive vessel safety assurance audit tool, DSAP, for use by all operators and dive vessel owners – document in draft
• Objective is to develop a consistent and systematic audit approach
• Shell currently piloting the tool during DSV audits
24. Managing Lifecycle Safety & Performance of PLC’s Used on Dive Systems
Overall Objectives
• The objective was / is to create awareness and drive change in the management of risk in automated PLC based diving operations by embedding a life cycle approach to the management of PLC based dive systems
• The functional safety standard IEC 61508 was chosen as the basic reference standard for the life cycle model
• This does not mean every system will have a SIS with a SIL greater than 0 – more later on this. A system may just have redundancy with higher availability to eliminate single point (SP) failures
• IEC 61508 has already been adopted by some companies in the diving sector and embedded in their ISO 9000 system
26. Managing Lifecycle Safety & Performance of PLC’s Used on Dive Systems
Relationship Between Safety Standards
[Diagram: Safety Related Electrical Control System; Safety Instrumented System; Safety Related Parts of a Control System]
IEC 61508 underpins other standards. With its life cycle map it has a foot in either camp, i.e. machinery and process.
27. Managing Lifecycle Safety & Performance of PLC’s Used on Dive Systems
Benefits of IEC 61508?
• Guidance on the use of Electrical, Electronic and Programmable Electronic Systems which perform safety functions
• Comprehensive approach involving the concept of a ‘safety life-cycle’ and all elements of a protective system
• Risk based approach leading to determination of Safety Integrity Levels (SILs). Safety measures adopted are proportionate to the calculated risk
• Covers the Safety Related Loop “end to end”
• International standard allowing end users worldwide to operate in accordance with a common standard, providing confidence to system owners, users and regulators
• Systematic and technically sound approach
• Coherent, based on commonly accepted underlying principles and sound engineering logic and practice
28. Managing Lifecycle Safety & Performance of PLC’s Used on Dive Systems
What does SIL mean?
SIL = Safety Integrity Level; SIF = Safety Instrumented Function
29. Managing Lifecycle Safety & Performance of PLC’s Used on Dive Systems
To Determine an Overall SIL?
[Diagram: Safety Function Design 1, Safety Function Design 2, Safety Function Design 3]
30. Managing Lifecycle Safety & Performance of PLC’s Used on Dive Systems
Safety Requirements Specification
Typical Index of the SRS
• Identify protection layers
• Identify each SIF; provide a functional description
• Describe Methodology Used to Determine SIL
• SIL Target Allocation Assessment
• Describe Each Safety Related Function
• Actions on Detection of Faults (C&E)
• Definition of Safe State / Response Time
• How to Reset SIS after shutdown
• Interfaces with operators / other systems
• Modes of Operation
• SIS Inhibits / Overrides / Maintenance Bypasses
• Environmental Conditions Impact on SIS
31. Managing Lifecycle Safety & Performance of PLC’s Used on Dive Systems
Do You Need a SIS?
Possibly not, if you have layers of protection. Consider a PLC used for bell LARS:
• It is programmed with sequential logic to launch and recover the bell
• If a single PLC fails, there may be redundancy in the design to allow the LARS operation to continue
• If both PLCs fail there may be a back-up independent system allowing emergency recovery
• If the back-up system fails there may be an option to directly control the bell winch, or use the guide wire winch for recovery, or a crane, or a second bell to recover the divers
32. Managing Lifecycle Safety & Performance of PLC’s Used on Dive Systems
Do You Need a SIS?
Possibly not, but let’s say a PLC used for bell LARS:
• Is programmed to monitor the bell winch load cell as a back-up to prevent a bell drop incident by applying braking over X tonnes (in addition to E-Stop functions)
• If this was the only mitigation then a SIS would be required
• The PLC used would have to have higher safety integrity and fail-safe attributes – and be suitable for a SIL along with all other components of the SIF
• This really needs to be analysed during the development of the safety requirements specification, i.e. at the outset of the system design
33. Managing Lifecycle Safety & Performance of PLC’s Used on Dive Systems
PLC Software?
• The PLC software is the most invisible component of an automated dive system, but there are safe standard techniques to assure safety
35. Managing Lifecycle Safety & Performance of PLC’s Used on Dive Systems
IEC 61508 Life Cycle Process
The DSAP tool uses checklists for each process module to validate compliance.
This is a cradle to grave process which must be applied consistently to assure safety.
36. Managing Lifecycle Safety & Performance of PLC’s Used on Dive Systems
DSAP Checklist 1 – Extent of Awareness?
• Do You Have PLCs on Your Dive Vessel?
• Is there a High Level List of PLC Systems?
• How Extensive is the Automation?
• Is there High Level Management Awareness?
• Are the Certifying Authorities Aware?
Note! – Previous ‘find’ searches of FMEA and O&M documents relating to automated dive systems have yielded no results for the term ‘PLC’
37. Managing Lifecycle Safety & Performance of PLC’s Used on Dive Systems
DSAP Checklist 2 – The Supply Chain?
• Who is designing and implementing the automation system on your vessel? Convoluted supply chain?
• Dive System Knowledge?
• Do they Have a Good Safety Culture?
• Any Functional Safety Experience / Certification?
• Who will Provide Life Cycle Support?
• External Audit Results?
Note! – On some new DSV builds automation specialists are becoming embedded in the dive equipment manufacturer’s organisation to assist
38. Managing Lifecycle Safety & Performance of PLC’s Used on Dive Systems
DSAP Checklist 3 – Safety Management
Studies have found that the most important factor in the occurrence of accidents is the management commitment to safety and the basic safety culture (human factors) in the organisation or industry.
39. Managing Lifecycle Safety & Performance of PLC’s Used on Dive Systems
DSAP Checklist 3 – Safety Management
Key Initial Questions to Ask when designing automated dive systems using PLCs:
• Is the PLC / programmable system programmed to mitigate a known machinery or process risk to a tolerable level?
• Is the PLC / programmable system the primary safety barrier?
• Does the PLC / programmable system provide process information or data on which operational safety judgements are based?
Ideally the answer is NO. If the answer is YES then a SIL assessment will be required and a Safety Requirements Specification must be produced. This will require functional safety verification by a certified functional safety (FS) specialist.
40. Managing Lifecycle Safety & Performance of PLC’s Used on Dive Systems
Further Questions to Ask if your organisation is involved in designing automated dive systems using PLCs:
• Do you have the competence to manage and formally document a functional safety process?
• Are key members of the operational team involved in the development of the safety requirements specification?
• Can you challenge any assumptions made when deciding the SIL?
• To what extent have you, the system owner, delegated the safety assessment and verification of the PLC systems?
• Do you review and revise the safety specification during the management of change process?
41. Managing Lifecycle Safety & Performance of PLC’s Used on Dive Systems
DSAP Checklist 4 – Competent Resources?
• Do You Have Staff Assigned to Life Cycle Management of PLCs?
• Are there written procedures and work instructions for PLC related work?
• Do staff have the necessary training & competence to manage PLC issues?
• Are sub-suppliers audited to check their training, competence and resource levels?
• Do Safety Cultures Align?
42. Managing Lifecycle Safety & Performance of PLC’s Used on Dive Systems
DSAP Checklist 5 – Design Specifications?
• Who Defines the Automated Dive System User Requirements Specification (URS)?
• Is the Functional Design Specification (FDS) based on the approved Functional Safety Assessment?
• Are these documents subject to formal document revision control during development?
43. Managing Lifecycle Safety & Performance of PLC’s Used on Dive Systems
DSAP Checklist 6 – Verification & Testing?
• Were simulation tools used during development of the PLC systems?
• How thorough was the Factory Acceptance Testing (FAT) of the PLC systems?
• Did the FAT test both functional and safety design features, e.g. PLC redundancy, diagnostics, SIL testing and validation?
• Was the FAT documented and signed off by competent personnel?
• Following successful FAT, was PLC software version control in place & recorded?
• Is the PLC code open or proprietary?
44. Managing Lifecycle Safety & Performance of PLC’s Used on Dive Systems
DSAP Checklist 7 – System Validation?
• How good are the vessel site acceptance test (SAT) procedure records in relation to PLCs?
• Did the SAT validate both the functional and the failure modes of the automation system?
• If a SIL is applicable, were safety loops validated to assure risk mitigation?
• Were the e-stop functions and safety relays validated and recorded?
• If a SIL is applicable, has the proof testing frequency been determined? Is there awareness that failure to proof test may invalidate the SIL?
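A worked calculation, added here and not part of Safewell’s presentation, covering the bell LARS load-cell example above and the proof-test question in Checklist 7: whether the braking function needs a SIS at all once independent protection layers are credited, and how a missed proof test moves the loop’s PFDavg out of its SIL band. The demand rate, tolerable frequency, layer PFDs and failure rates are constructed for illustration; the PFDavg bands are those of IEC 61508 for low-demand mode.

```python
# Added example, not from the presentation: two IEC 61508 checks for the
# bell LARS load-cell brake function. (1) Does it need a SIS once other
# independent layers are credited? (2) What does a missed proof test do to
# the loop's PFDavg? All rates, frequencies and PFDs are constructed.

# Low-demand PFDavg bands from IEC 61508-1 (lower bound inclusive, upper
# bound exclusive). A PFDavg of 0.1 or more supports no SIL claim.
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


def sil_for_pfd(pfd: float) -> int:
    """Return the SIL whose PFDavg band contains pfd (0 = no SIL claim)."""
    for sil, (lo, hi) in SIL_BANDS.items():
        if lo <= pfd < hi:
            return sil
    return 4 if pfd < 1e-5 else 0  # beyond the SIL 4 band: report SIL 4


def required_rrf(demand_per_year: float, tolerable_per_year: float,
                 other_layer_pfds) -> float:
    """Risk reduction factor the SIF must still provide after crediting the
    other independent protection layers (E-stop, back-up system, second
    bell, ...): demand * product(layer PFDs) / tolerable frequency."""
    mitigated = demand_per_year
    for pfd in other_layer_pfds:
        mitigated *= pfd
    return mitigated / tolerable_per_year


def sil_target(rrf: float) -> int:
    """SIL the SIF must meet for a required RRF; 0 means the existing
    layers already reach the tolerable frequency, so no SIS is needed."""
    if rrf <= 1.0:
        return 0
    return sil_for_pfd(1.0 / rrf)


def loop_pfd_avg(lambda_du_per_hour, proof_test_interval_h: float) -> float:
    """Simplified 1oo1 PFDavg of the whole loop, sensor to final element
    ('end to end'): sum over elements of lambda_DU * TI / 2."""
    return sum(lam * proof_test_interval_h / 2.0 for lam in lambda_du_per_hour)


# Constructed dangerous-undetected failure rates (per hour) for the loop:
# bell winch load cell -> safety PLC -> brake valve.
LARS_LAMBDA_DU = [1.0e-7, 2.0e-8, 8.0e-8]


def bell_lars_assessment() -> dict:
    """Run both checks with the constructed figures and return the SILs."""
    demand, tolerable = 0.02, 1e-4  # bell drop demands and target, per year
    alone = sil_target(required_rrf(demand, tolerable, []))
    layered = sil_target(required_rrf(demand, tolerable, [0.1, 0.01]))
    yearly = sil_for_pfd(loop_pfd_avg(LARS_LAMBDA_DU, 8760))      # annual proof test
    missed = sil_for_pfd(loop_pfd_avg(LARS_LAMBDA_DU, 2 * 8760))  # one test missed
    return {"sil_if_only_barrier": alone, "sil_with_layers": layered,
            "sil_tested_yearly": yearly, "sil_after_missed_test": missed}
```

With these figures the brake function alone would have to be a SIL 2 SIF, two credited layers remove the need for a SIS, and one missed annual proof test drops the loop from the SIL 3 band to SIL 2.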
45. Managing Lifecycle Safety & Performance of PLC’s Used on Dive Systems
DSAP Checklist 8 – Training, Ops, Security
• Do management understand the limitations of the automated systems on their dive system?
• Do staff have the training and competence to understand and use the PLC systems?
• Are PLC failure modes and back-up systems fully understood?
• Do regular drills simulate PLC failure modes and emergency response procedures?
• Has system security been defined with appropriate user levels and passwords?
• Is there vendor remote access and, if so, how is this controlled & how secure is this?
46. Managing Lifecycle Safety & Performance of PLC’s Used on Dive Systems
DSAP Checklist 8 – Training, Ops, Security
The FAA’s Flight Deck Automation Working Group warned in September 2013 of “a perceived erosion in basic knowledge required to manage the flight path” and called for pilots to practice flying manually during normal passenger operations.
The report said that long-term over-reliance on technology “may atrophy the skills needed to anticipate, monitor and react”.
“Use of automated systems has not replaced the need for basic knowledge and skills, including hand flying, instrument cross-check, system knowledge and maintaining situation awareness and aircraft state awareness”.
47. Managing Lifecycle Safety & Performance of PLC’s Used on Dive Systems
DSAP Checklist 9 – Life Cycle Maintenance
• Do the PLCs register on the PMS with part numbers and firmware versions?
• Are the necessary PLC spares held on board?
• Do the technicians have the training and competence to carry out the tasks?
• Do they have the tools, e.g. programming software, cables etc.?
• Does the system track PLC hardware / software compatibility & obsolescence?
• Is the frequency of sensor failure logged and reported?
48. Managing Lifecycle Safety & Performance of PLC’s Used on Dive Systems
DSAP Checklist 10 – Management of Change
• Is there a formal documented management of change procedure?
• Does it specify MOC competence & approval levels?
• Does it apply to all PLC hardware, software, sensor, communications & actuator changes?
• Does the MOC specify testing requirements following the change?
• Is the original safety case reviewed and updated during the MOC?
• Is the software version control and change history log updated?
49. Managing Lifecycle Safety & Performance of PLC’s Used on Dive Systems
Conclusions
• The risk of using PLCs in automated dive systems is manageable
• The diving industry already has a strong safety culture and a mindset of continuous improvement. It just needs to apply this to PLCs
• The industry is now focussing its mind on this issue and can take control
• Operators like Shell are piloting new audit approaches and tools
• The trend among manufacturers and integrators is to provide safer PLC hardware with certified levels of safety reliability and diagnostics
• This trend extends to the use of standard certified PLC software modules, again with higher reliability
• Integration tools provide standards based documentation for traceability
50. Managing Lifecycle Safety & Performance of PLC’s Used on Dive Systems
LET’S GET PLC RELATED RISK UNDER CONTROL
YOUR SAFETY IS OUR PASSION
THANK YOU
Q&A