InTech Home Features
Bookmark and Share
09 May 2001

Hazard analysis and risk assessment impact each device

by John Donnelly, Arthur Womack

ANSI, ISA, and IEC standards provide few guidelines for choosing sensors.

Sensors play a critical role in safety-instrumented systems (SIS). The lack of guidance that the standards bodies provide is perplexing but reflects the industry's lack of consensus on a benchmark sensor technology.

Every design engineer should ask: What type of sensor is best for my SIS? An electromechanical switch is economical and well understood. For an incremental cost, an analog transmitter will give the benefit of a continuous output.

A smart transmitter will provide increased accuracy and higher levels of communication. The diagnostic coverage and reliability of a safety-certified transmitter is unrivaled by anything else on the market today.

Hybrid devices, commonly referred to as electronic switches, may have the combined features of a switch and a transmitter with diagnostics. One could easily fall into the trap of selecting a sensor based on prior experience or one seen as the latest and greatest technology.

However, proper sensor selection for a SIS is more than a personal preference or a slick marketing campaign. It requires evaluation of the sensor performance characteristics, the impact those characteristics have on system performance and reliability, and the economics of the SIS design.

Before proceeding with a comparison of sensor technologies, it is necessary to fully understand the process as well as the operational requirements of the SIS, from start-up to shutdown. This takes place during the development of the safety requirements specification (SRS).

Understanding process variable stability, which includes factors such as rate of change, amount of change, and duration of change for both normal and abnormal operating conditions, is most important. Depending on the specific function of each sensor in the SIS, it might be necessary to respond differently to the same process change.

Don't accept ambiguity

Experienced hands in industry can attest that comparing sensor specifications for similar products from different manufacturers can be quite difficult, as each manufacturer attempts to present its product in the best possible light.

Do not accept ambiguity and verbal assurances of intended meanings for a basic process control system, or BPCS, design, let alone a SIS. Whenever the exact meaning of a manufacturer's published specification is vague, request that the vendor use consistent terms such as those that ISA's Comprehensive Dictionary of Measurement and Control define.

Specifications that normally require a rigorous analysis include accuracy, linearity, hysteresis, repeatability, temperature influence, and power supply effect. Suggested methodologies for comparing these specifications, such as total probable error, provide consistent results once one chooses a sensor. It also affords discrimination among products from various manufacturers.

Applying this same approach to a comparison of different sensor types and/or technologies may yield results of indeterminate value, as specifications may not be common or easily inferred.

For example, compare the repeatability specification for an electromechanical switch, referencing ANSI/ISA-51.1-1979 (R1993), Process Instrumentation Terminology (ISA 51), with that of a current or voltage alarm trip. Because the electromechanical switch connects directly to the process, its repeatability in terms of absolute process variable is unambiguous.

The alarm trip may have a repeatability specification, an input accuracy specification, and a line voltage effect, in addition to the specifications of the instrument measuring the process. One must evaluate them all.

Require further scrutiny

What is the best way to compare these devices? Whatever the methodology, it should not obscure the primary goal of understanding the predictable performance of a specific sensor in the SIS application.

Electromechanical switches and simple, analog transmitters are generally recognized as having the fastest response times, with published values between 1 millisecond (ms) and 25 ms (90% full-scale output).

Electronic devices other than the simplest analog transmitter are microprocessor based, enabling enhancement of performance, diagnostic, and communication capabilities—improvements that generally sacrifice device response times.

Most smart transmitters have response times ranging from 100 to 700 ms, with 200 ms (T63) being a common order of magnitude. On the surface, it would appear that comparisons to simple analog transmitters are acceptable when microprocessor-based devices are operated in either analog or digital mode.

However, there are characteristics of microprocessor devices that require further scrutiny. Two of the more prominent are sampling rate and response time.

Response time has the distinction of being the most misinterpreted sensor parameter, due to incomplete or ambiguous information. In comparison, other sensor specifications may appear to be straightforward. But one should closely examine the issue.

Ultimately, it is the responsibility of the design engineer to develop a thorough understanding of all sensor characteristics, beyond what is stated in a manufacturer's published specifications, to ensure that the performance of the SIS is not compromised.

Sensor impacts reliability

After selecting a device that meets both sensor and system performance requirements as defined by the SRS, the next step is to evaluate the effect it will have on system reliability.

The question is no longer whether the sensor will function as required but a matter of it operating properly when required. Safety Shutdown Systems: Design, Analysis and Justification noted that sensors cause roughly 42% of SIS failures.

An engineer involved in SIS development is much concerned with the concept of average probability of failure on demand (PFDavg) and its order of magnitude relationship required for a specified safety integrity level.

As each and every field device impacts this total number, selecting sensors that minimize the total system PFDavg are preferred. SIS designers recognize that selecting analog over discrete sensors, divergent instead of redundant technology, and sensors with increased diagnostic coverage are methods to minimize system PFDavg.

There are general application guidelines for each sensor technology used in a SIS:

  • Make sure discrete switches have energized normally closed contacts during everyday operation.
  • Leverage redundancy when using analog transmitters, as they can fail either high or low.
  • Smart transmitters provide diagnostic coverage greater than 50%, while safety-certified transmitters provide diagnostic coverage exceeding 90%.
  • Electronic switches include self-diagnostics not found in their electromechanical counterparts; however, they are still relatively new to the market, and industry-accepted coverage values have not been determined.

Stake in the heart

Integration of sensor diagnostics with the logic solver must take full advantage of an intelligent sensor's capability in the SIS. One device may drive its output to a programmable fail-safe condition, regardless of the type of fault detected. Another device detecting the same fault may remain online in its transmitter output but provide a digital error message for operator evaluation.

Some devices driven to fail-safe conditions may automatically reset, while others require manual acknowledgment of the fault condition. Therefore, the logic solver should capitalize on the available sensor diagnostic information to minimize the PFDavg of the system.

There are also human factors to consider in the selection of a sensor type or technology. Operator and technician familiarity with the technology, security against unauthorized changes in sensor calibration, and output configuration are all factors that may impact SIS reliability. Tamperproof switches, password-protected programmable devices, and write-protected smart transmitters are examples of sensor specifications that help minimize the system PFDavg.

One should fully examine the sensor's impact on system reliability for improvement opportunities after assurance that the sensor satisfies the SRS. A sensor that responds reliably yet inadequately is of dubious value. Overall SIS design can compensate for shortcomings in sensor PFDavg, but sensor performance deficiencies are a stake in the heart of the SIS.

Cutting corners on design

If financial resources were unlimited, the industry would not concern itself with the design of a SIS. Every facility would have multiple, redundant systems to prevent hazards and large maintenance teams to ensure that every field device was performing properly.

Of course, this is not the case, and design engineers are required to minimize costs associated with purchased materials, installation, training, and maintenance without sacrificing SIS performance and reliability.

When comparing sensor technologies, there may be different peripherals associated with each type, adding to the total installed cost of the system. These peripherals include number of process connections, instrument valves, thermowells, voltage or current alarm trips, power supplies, cable, conduit, logic solver I/O cards, and programming.

This analysis becomes a simple comparison of unit price if only one sensor technology is suited to the application.

When comparing sensor types, there may also be differences in operational costs, making it necessary to consider the procedures, test intervals, spare parts, and calibration equipment required for reliable operation. Lost production resulting from spurious trips should also be factored into any life-cycle cost estimates being prepared.

On the surface, an analysis of the design costs appears to be a significant undertaking. However, a comparison of life-cycle costs should not obscure the primary objective of designing a safe system that meets the criteria established by the SRS.

Any costs savings associated with cutting corners on the design are lost if the system fails to perform! IT

Sidebars

Author Information

John Donnelly, P.E., has a mechanical engineering degree from the University of Illinois and more than 22 years of experience with pressure, temperature, level, and flow instrumentation and controls. He is a regional sales manager at Cylex.

Arthur Womack received an electrical engineering degree from Rose-Hulman Institute of Technology in Indiana. He has eight years of experience with manufacturers of pressure, temperature, level, and flow instrumentation and controls. He's product manager at SOR, Inc.


Coming Next

Ask The Experts

Read questions answered by our experts or join the email list.

Feedback Hub

ISA Jobs

All contents copyright of ISA © 1995-2012 All rights reserved.
Find Local Sections | ISA Home | Report a Problem | Privacy & Legal Policies | Site Map | Help | Contact Us
ISA  |  67 T.W. Alexander Drive, Research Triangle Park, NC 27709 USA  |  (919) 549-8411