Safety Instrumented Systems: Design, Analysis, and Justification, 2nd Edition

Many people have replaced relay systems with programmable logic controllers (PLCs). Their typical response as to why they did so is usually, "That's what a PLC was designed for: to replace relays." How a system operates is certainly important. Obviously a PLC can do everything a relay system could, and a whole lot more (e.g., timers, math functions, etc.). However, the main concern for a safety system should not be so much how the system operates, but rather how the system fails. This concept is so simple that it is often overlooked. It is the underlying reason why dormant safety systems differ from active control systems, and why safety instrumented systems have unique design considerations.
It may be somewhat of a simplification, but safety systems are considered to fail in two ways. First, systems may initiate nuisance trips: they may shut the plant down when nothing is actually wrong. An example would be a closed and energized relay that simply pops open. People have given these types of failures many different names: overt, revealed, initiating, fail-safe, etc. The term used in the standards for this type of failure is "safe failure." Granted, there is nothing "safe" about a nuisance trip, so many people dislike the term. Safe failures result in plant shutdowns; therefore they tend to be costly in terms of lost production during downtime. People want to avoid safe failures primarily for economic reasons. When systems suffer too many safe failures like this,...