1 June 2005
Safety under pressure
Sensor considerations in a safety instrumented system.
Safety controllers depend on input from sensors to determine if an unsafe condition exists and whether a shutdown sequence needs to launch. In process safety instrumented systems, sensors monitor temperature, pressure, level, flow, or other properties at critical points of a process.
These sensors may be switches providing a discrete signal to the safety controller or increasingly a 4-20mADC transmitter signal. The controller continuously monitors the signals, and logic within the controller determines when a warning should go out and when it should initiate a safety shutdown.
Periodic function (interlock) checks go on as required on the safety instrumented system (SIS) to verify it is able to detect an unsafe condition and act as designed under its designed SIL.
The condition and function of the sensors undergo examination to confirm their readiness to perform until the next function test. While this may verify the readiness of the SIS to respond to an unsafe condition, it does not test the susceptibility of the SIS to false trip. False trips can have a significant impact on plant economics, so prevention is important. You don't want a $500 sensor to shut down a $100 million plant. You also don't want frequent false trips to create a "cry wolf" mentality and mask a real unsafe event.
What causes false or spurious trips? Looking past the SIL calculations, it may be selection of the wrong sensor technologies, the wrong sensor application and installation, or the wrong sensor voting scheme. Beyond this, it may be the lack of a sensor condition monitoring solution to alert those responsible for the SIS that a problem is developing in the sensor and will eventually initiate a false safety shutdown.
Safety integrity level
The development and adoption of SIL methodology is providing safety engineers with a valuable tool to design safety instrumented systems. Several publications cover this methodology and its practical implementation under IEC 61511 and ANSI/ISA 84.01 (References 1 and 2).
One must still address influences not covered by SIL device evaluations and certifications to determine the true performance of a safety instrumented function (SIF). Failure of a measurement device to deliver correct information due to plugging, process buildup, or corrosion can cause a false trip or possibly miss an unsafe condition. These application and installation factors need consideration on top of the base failure modes, effects, and diagnostics analysis (FMEDA) metrics.
SIL safety controller—Probability of failure on demand, average (PFDavg) and mean-time-to-failure spurious (MTTFs) metrics address almost 100% of the performance of a safety controller.
SIL sensors and actuators—PFDavg and MTTFs metrics address the safety performance of these devices themselves, but they do not address 100% of their performance in a specific application/installation.
SIL methodology does not fully take into account the influences on the performance of a sensor/transmitter in an application or the impact of its installation. For example, measurement instrument form and materials of construction are not a part of a SIL failure mode, effects, and diagnostics analysis (FMEDA) evaluation. Even third party IEC 61508 SIL certifications cover the function of the measurement sensor only without real-world application or installation variations.
Consider the following FMEDA evaluated measurement devices using different measurement technologies considered for an overspill SIF:
| Measurement device | PFDavg | MTTFs |
| Pressure transmitter | 0.4 x 10^-2 | 20.8 years |
| Radar level transmitter | 0.4 x 10^-2 | 19.34 years |
| TDR level transmitter | 0.4 x 10^-2 | 22.42 years |
| Vibration level switch | 0.4 x 10^-2 | 25.45 years |
All rate the same from a SIL standpoint, but the performance in a particular process application can be considerably different. Each has associated with it an installation cost, testing cost, and more importantly, different capabilities to deal with environments that impact their function. Each device has a given contribution to MTTFs. In a given installation, the actual MTTFs may differ considerably from the calculated MTTFs due to process influences on the measurement device itself. Although the weighted MTTFs contribution of 20+ years from the sensor as given in an FMEDA might be high, the actual contribution in a given application may be a few months.
Given an overspill SIS with SIL-2 pressure transmitters applied to measure hydrostatic level: Process material buildup on pressure sensor diaphragms due to minor process upsets and variations may drive a pressure transmitter output to a point where controller logic responds with a false trip. The same SIS with TDR level transmitters with the same SIL metrics may have a greater resistance to this buildup and higher resistance to false trips.
Given an overpressure shutdown SIS with SIL-2 metal, fluid-filled diaphragm pressure transmitters: If hydrogen permeation occurs, the transmitter may drive its output to a point where controller logic responds with a false trip. The same SIS with SIL-2 pressure transmitters using fill-fluid-free ceramic cell diaphragms would not feel the impact of this.
The vote is in
Depending on the safety consequences and the cost of a spurious trip, one may choose to use voting logic with multiple sensors.
For applications where the costs of a false trip and the safety consequence are low, a low SIL is assigned to the SIS. A one out of one (1oo1) sensor vote may be sufficient. For safety systems where the consequence of an unsafe event and false trips are high, a two out of three (2oo3) voting solution may come into play. One has to be careful to understand the full scope of voting. 2oo3 voting can see use for high safety exposure applications, but sometimes the voting exists only at the transmitter level. For example, three SIL-2 certified pressure transmitters on a single flow element may not provide true 2oo3 voting if the flow element itself experiences a pressure drop change (i.e. partial plugging or corrosion) that is not reflective of the true flow rate.
A SIS with 2oo3 voting with appropriate SIL metrics can achieve a SIL-3 performance and also provide better information reducing the chances of a spurious trip. If one measurement sensor indicates an unsafe condition and the other two do not, it gives reason to interpret that a false condition has occurred and not to immediately initiate a shutdown.
Safety instrumented system controllers rely completely on the information provided by the measurement transmitters and sensors to determine if they need to initiate a shutdown. To reduce the costs associated with safety measurement instruments, their installation, and continuing maintenance, some have sought to use SIL-3 FMEDA rated sensors and transmitters with 1oo2 voting. However, the calculated MTTFs performance occurs in the real world only if other process application and installation considerations are not a factor. Otherwise, it may be best to use SIL-2 certified devices that take these factors into consideration in a 2oo3 voting.
A SIS with 1oo2 sensor voting might achieve SIL-3 performance with SIL-3 certified sensors. However, the risk of a false trip due to an application related condition compromising one of the sensors is higher than a 2oo3 approach even if on paper it achieves SIL-3 performance. It remains to decide if the voting sensors are identical or of different measurement technologies.
Some operators choose to employ different sensor and transmitter technologies in the voting to address process application and installation effects. For example, the positioning of a continuous level device along with discrete level switches provides improved information to the safety controller than using three of the same measurement technologies. The PFDavg and MTTFs contribution from each of these devices in a mathematical evaluation of a SIS might be the same, but the actual performance can be different.
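As an added example (not code from the article or from any vendor's controller), the 1oo1, 1oo2 and 2oo3 voting described above, run over constructed 4-20 mA readings in which one hydrostatic-level pressure transmitter has drifted high from diaphragm buildup; the mA-to-level scale, the trip and warning thresholds and the discrepancy band are assumptions:

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Sequence

# Constructed scale for a hydrostatic level measurement on a 4-20 mA loop:
# 4 mA = 0 % level, 20 mA = 100 % level (assumption, not from the article).
def ma_to_percent(ma: float) -> float:
    return (ma - 4.0) / 16.0 * 100.0

def vote(unsafe: Sequence[bool], m: int) -> bool:
    """MooN voting: trip when at least m of the n sensors report 'unsafe'."""
    return sum(unsafe) >= m

@dataclass(frozen=True)
class SifDecision:
    trip: bool                   # shutdown sequence launched
    warning: bool                # advisory only, no shutdown
    discrepant: tuple[int, ...]  # sensors disagreeing with their peers

def evaluate(readings_ma: Sequence[float], m: int, trip_pct: float = 90.0,
             warn_pct: float = 80.0, discrepancy_pct: float = 10.0) -> SifDecision:
    """Controller logic for one scan: convert loop currents, vote, and flag
    a sensor whose reading is far from the others (a developing problem)."""
    levels = [ma_to_percent(ma) for ma in readings_ma]
    unsafe = [lvl >= trip_pct for lvl in levels]
    trip = vote(unsafe, m)
    warning = any(lvl >= warn_pct for lvl in levels)
    if len(levels) < 3:
        # Two sensors can show that they disagree but not which one is wrong:
        # flag both so someone investigates before a later scan trips falsely.
        spread = max(levels) - min(levels)
        discrepant = tuple(range(len(levels))) if spread > discrepancy_pct else ()
    else:
        median = sorted(levels)[len(levels) // 2]
        discrepant = tuple(i for i, lvl in enumerate(levels)
                           if abs(lvl - median) > discrepancy_pct)
    return SifDecision(trip, warning, discrepant)

# Constructed scenario: true level 50 %, but transmitter C reads ~97 % because
# of process buildup on its diaphragm (the false-trip mechanism in the article).
BUILDUP_CASE_MA = [12.0, 12.2, 19.6]
# Constructed scenario: a genuine overspill, all three transmitters above 90 %.
OVERSPILL_CASE_MA = [19.0, 19.2, 18.8]

if __name__ == "__main__":
    print("2oo3, buildup  :", evaluate(BUILDUP_CASE_MA, m=2))       # no trip, sensor 2 flagged
    print("1oo2, buildup  :", evaluate(BUILDUP_CASE_MA[::2], m=1))  # false trip
    print("2oo3, overspill:", evaluate(OVERSPILL_CASE_MA, m=2))     # real trip
```

The 2oo3 run returns a warning and a discrepancy flag for the fouled transmitter instead of a shutdown, which is the "better information" the article attributes to 2oo3 over 1oo2.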
Impact of condition monitoring
Safety instrumented systems are generally migrating from sensors with discrete outputs to sensors and transmitters with continuous 4-20mADC outputs. Many of the FMEDA evaluated continuous sensors and transmitters have HART communications. Although HART communications might not be in the logic of a safety controller, they can provide condition monitoring without interfering with the SIS. HART gateways that have an FMEDA evaluation (to address their lack of interference on sensor/transmitter or actuator 4-20mADC loops) can continuously monitor the diagnostics information available within the device.
A HART gateway also provides a path for asset management tools to evaluate the diagnostic information within HART devices and provide advisory warnings of conditions leading to a failure of a device or conditions that are compromising the information it is providing. Field device tool (FDT) is an open asset management platform provided by several vendors to monitor diagnostics in HART, Profibus, and Foundation Fieldbus devices.
Work by Profibus International and Foundation Fieldbus to expand their bus technologies into process safety applications continues. The main advantage will be continuous access to intelligent SIS components and to the condition information that can more carefully assess the safety performance of the SIS and manage spurious trips down even further.
The methodology provided by IEC 61508, IEC 61511, and ISA/ANSI 84.00.01-2004 (Reference Parts 1 and 2) goes a long way to give safety engineers best practice tools to evaluate safety instrumented system solutions. Even so, it is important to know how far these tools will take you. It is still necessary to consult application and installation knowledge sources to define the final selection of components. The rise of condition monitoring solutions provides another means to improve the performance of process safety instrumented systems.
Behind the byline
Craig McIntyre is the chemical industry manager at Endress+Hauser in Greenwood, Ind.