Sensor Considerations in Safety Instrumented System Implementation and Operation

Craig McIntyre, Chemical Industry Manager, Endress+Hauser, Greenwood, IN 46143
KEYWORDS Safety Integrity Level, Safety Instrumented Systems, IEC 61508, IEC 61511, ISA/ANSI 84.01, process, sensor, SIL
ABSTRACT The emergence of ISA/ANSI 84.01 2003 and the related IEC 61511 and 61508 standards is giving Safety Instrumented System (SIS) engineers better tools to model and evaluate SIS designs. Components used in safety systems are available with SIL metrics that allow the average Probability of Failure on Demand (PFDavg) and the Mean Time To Failure spurious (MTTFs) to be calculated. This goes a long way toward ensuring that the SIS being designed not only meets the target SIL but also the desired reliability. Although safety PLC performance may be fully defined by SIL evaluations, this may not be true for the associated sensors and valves/actuators. Other considerations that determine the true performance of an SIS need to be taken into account. This paper explores the impact of sensors on SIS performance in process applications beyond that defined in instrument SIL evaluations. This includes application issues as well as the impact that smart sensors, and the management of these sensors through HART based management tools, have on the true reliability of an SIS. SIL evaluated instruments using different measurement technologies but having the same SIL evaluation metrics are compared. The impact of emerging safety bus standards such as ProfiSafe and FF SIS is considered.
Copyright 2004 by ISA – The Instrumentation, Systems and Automation Society. Presented at the ISA 2004, 5-7 October 2004, Reliant Center Houston, Texas, www.isa.org
INTRODUCTION Safety controllers depend on input from sensors to determine whether an unsafe condition exists and whether a shutdown sequence needs to be initiated. In process safety instrumented systems the sensor(s) monitor temperature, pressure, level, flow or other properties at critical points of a process. These sensors may be switches providing a discrete signal to the safety controller or, increasingly, a 4-20mADC transmitter signal. The signal(s) are continuously monitored by the controller, and logic within the controller determines when a warning should be given and/or a safety shutdown initiated. Periodic function (interlock) checks are conducted as required on the Safety Instrumented System (SIS) to verify that it is able to detect an unsafe condition and act as designed under its designed SIL. The condition and function of the sensor(s) are examined to confirm their readiness to perform until the next function test. While this may verify the readiness of the SIS to respond to an unsafe condition, it does not test the susceptibility of the SIS to a false trip. False trips can have a significant impact on plant economics, so prevention is important. You don't want a $500 sensor to shut down a 100 million dollar plant. You also don't want frequent false trips to create a "cry wolf" mentality and mask a real unsafe event. What causes false/spurious trips? Looking past the SIL calculations, it may be selection of the wrong sensor technology, the wrong sensor application/installation or the wrong sensor voting scheme. Beyond this it may be the lack of a sensor condition monitoring solution to alert those responsible for the SIS that a problem is developing in the sensor that will eventually initiate a false safety shutdown.
Safety Integrity Level (SIL) – an important safety tool The development and adoption of SIL methodology is providing safety engineers with a valuable tool to design safety instrumented systems. There are several publications which cover this methodology and its practical implementation under IEC 61511 and ANSI/ISA 84.01 (References 1 and 2). One must still address influences not covered by SIL device evaluations/certifications to determine the true performance of a Safety Instrumented Function (SIF). Failure of a measurement device to deliver correct information due to plugging, process buildup or corrosion can cause a false trip or possibly miss an unsafe condition (Figure 1). These application and installation factors need to be considered on top of the base Failure Modes, Effects and Diagnostics Analysis (FMEDA) metrics.

SIL Safety Controller – PFDavg and MTTFs metrics address almost 100% of the performance of a safety controller.

SIL Sensors and Actuators – PFDavg and MTTFs metrics address the safety performance of these devices themselves but not 100% of the performance to be expected in a specific application/installation.
Impact of sensing technology on application and installation SIL methodology does not fully take into account the influences on the performance of a sensor/transmitter in an application or the impact of its installation. For example, measurement instrument form and materials of construction are not weighed in a SIL Failure Modes, Effects and Diagnostics Analysis (FMEDA) evaluation. Even third party IEC 61508 SIL certifications cover the function of the measurement sensor only, without real world application or installation variations. Consider the following FMEDA evaluated measurement devices, using different measurement technologies, considered for an overspill Safety Instrumented Function (SIF).

Measurement                 PFDavg        MTTFs
Pressure transmitter        0.4 x 10^-2   20.8 years
Radar level transmitter     0.4 x 10^-2   19.34 years
TDR level transmitter       0.4 x 10^-2   22.42 years
Vibration level switch      0.4 x 10^-2   25.45 years
All are rated the same from a SIL standpoint, but the performance in a particular process application can be considerably different. Each has associated with it an installation cost, a testing cost and, more importantly, different capabilities to deal with environments that impact its function. Each device has a given contribution to Mean Time To Failure spurious (MTTFs). In a given installation the actual MTTFs may be much different from the calculated MTTFs due to process influences on the measurement device itself. Although the weighted MTTFs contribution of 20+ years from the sensor as given in an FMEDA might be high, the actual contribution in a given application may be a few months. Some examples:

Given an overspill SIS with SIL-2 pressure transmitters applied to measure hydrostatic level: process material buildup on pressure sensor diaphragms due to minor process upsets/variations may drive a pressure transmitter output to a point where controller logic responds with a false trip. The same SIS with TDR level transmitters with the same SIL metrics may have a greater resistance to this buildup and higher resistance to false trips.

Given an overpressure shutdown SIS with SIL-2 metal fluid filled diaphragm pressure transmitters: if hydrogen permeation occurs the transmitter may drive its output to a point where controller logic responds with a false trip. The same SIS with SIL-2 pressure transmitters using fill fluid free ceramic cell diaphragms would not be impacted by this.
Impact of voting Depending on the safety consequences and the cost of a spurious trip, one may choose to use voting logic with multiple sensors (Figure 2). For applications where the cost of a false trip and the safety consequence are low, a low SIL is assigned to the SIS, and a one out of one (1oo1) sensor vote may be sufficient. For safety systems where the consequence of an unsafe event and of false trips are both high, a 2 out of 3 (2oo3) voting solution may be used. One has to be careful to understand the full scope of voting. 2oo3 voting can be used for high safety exposure applications, but sometimes this is only taken to the transmitter level. For example, three SIL-2 certified pressure transmitters on a single flow element may not provide true 2oo3 voting if the flow element itself experiences a pressure drop change (i.e. partial plugging or corrosion) that is not reflective of the true flow rate. An SIS with 2oo3 voting with appropriate SIL metrics can achieve SIL-3 performance and also provide better information, reducing the chances of a spurious trip. If one measurement sensor indicates an unsafe condition and the other two do not, there is reason to interpret that a false condition has occurred and not to immediately initiate a shutdown. Safety Instrumented System controllers rely completely on the information provided by the measurement transmitters/sensors to determine whether a shutdown is to be initiated. To reduce the costs associated with safety measurement instruments, their installation and continuing maintenance, some have sought to use SIL-3 FMEDA rated sensors/transmitters with 1oo2 voting. However, the calculated Mean Time To Failure spurious (MTTFs) performance is reflected in the real world only if other process application and installation considerations are not a factor. Otherwise it may be best to use SIL-2 certified devices that take these factors into consideration in a 2oo3 voting scheme.

An SIS with 1oo2 sensor voting might achieve SIL-3 performance with SIL-3 certified sensors. However, the risk of a false trip due to an application related condition compromising one of the sensors is higher than with a 2oo3 approach, even if on paper the SIL-3 performance is achieved. It remains to decide whether the voting sensors should be identical or of different measurement technologies. Some operators choose to employ different sensor/transmitter technologies in the voting to address process application and installation effects. For example, positioning a continuous level device along with discrete level switches provides better information to the safety controller than using three of the same measurement technology (Figure 3). The PFDavg and MTTFs contribution from each of these devices in a mathematical evaluation of an SIS might be the same, but the actual performance can be different.
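The voting comparison above, and the graded 1oo3/2oo3/3oo3 response of Figure 3, as an added example that is not code from the paper: three constructed level sensors, with constructed "stuck high" (buildup or permeation driving the output up) and "stuck low" (a sensor that never sees the demand) fault modes, are voted under 1oo2, 2oo2 and 2oo3 to show which schemes trip spuriously and which miss a real demand.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Sensor:
    """Constructed level sensor; fault is None, "stuck_high" or "stuck_low"."""
    name: str
    reading: float                 # process level in percent (constructed units)
    fault: Optional[str] = None

    def unsafe(self, trip_point: float) -> bool:
        """Does this sensor report the unsafe (high level) condition?"""
        if self.fault == "stuck_high":
            return True            # diaphragm buildup / hydrogen permeation case
        if self.fault == "stuck_low":
            return False           # compromised sensor never reports the demand
        return self.reading >= trip_point


def votes_trip(sensors: List[Sensor], trip_point: float, m: int) -> bool:
    """MooN voting: trip when at least m of the N sensors report unsafe."""
    return sum(s.unsafe(trip_point) for s in sensors) >= m


def graded_response(sensors: List[Sensor], trip_point: float) -> str:
    """Figure 3 style escalation: 1oo3 alarm, 2oo3 high warning, 3oo3 trip."""
    n = sum(s.unsafe(trip_point) for s in sensors)
    return {0: "normal", 1: "level alarm", 2: "level high", 3: "level trip"}[min(n, 3)]


def scenario(level: float, trip_point: float,
             fault_on: Optional[int] = None, fault: Optional[str] = None) -> dict:
    """Three sensors see the same process level; optionally inject one fault.
    1oo2 and 2oo2 are voted over the first two sensors, 2oo3 over all three."""
    sensors = [Sensor(f"LT-{i + 1}", level) for i in range(3)]   # constructed tags
    if fault_on is not None:
        sensors[fault_on].fault = fault
    return {
        "1oo2": votes_trip(sensors[:2], trip_point, 1),
        "2oo2": votes_trip(sensors[:2], trip_point, 2),
        "2oo3": votes_trip(sensors, trip_point, 2),
        "graded": graded_response(sensors, trip_point),
    }


if __name__ == "__main__":
    # Normal level, one sensor driven high: 1oo2 trips spuriously, 2oo3 holds.
    print(scenario(60.0, 90.0, fault_on=0, fault="stuck_high"))
    # Real demand, one sensor blind: 2oo2 misses it, 2oo3 still trips.
    print(scenario(95.0, 90.0, fault_on=0, fault="stuck_low"))
```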
Impact of condition monitoring Safety Instrumented Systems are generally migrating from sensors with discrete outputs to sensor/transmitters with continuous 4-20mADC outputs. Many of the FMEDA evaluated continuous sensors/transmitters have HART communications. Although HART communications might not be used in the logic of a safety controller, they can be used to provide condition monitoring without interfering with the SIS. HART gateways that have an FMEDA evaluation (to address their lack of interference on sensor/transmitter or actuator 4-20mADC loops) can be used to continuously monitor the diagnostic information available within the device (Figure 4). A HART gateway also provides a path for asset management tools (Reference 3) to evaluate the diagnostic information within HART devices and provide advisory warnings of conditions leading to a failure of a device, or of conditions that are compromising the information it is providing. Field Device Tool (FDT) is an open asset management platform provided by several vendors to monitor diagnostics in HART, Profibus and Foundation Fieldbus devices.

FUTURE TRENDS Work by Profibus International and Foundation Fieldbus to expand their bus technologies into process safety applications continues. The main advantage will be continuous access to intelligent SIS components and to the condition information that can be used to more carefully assess the safety performance of the SIS and manage spurious trips down even further.

CONCLUSIONS The methodology provided by IEC 61508, IEC 61511 and ISA/ANSI 84.01 goes a long way toward giving safety engineers best practice tools to evaluate Safety Instrumented System solutions. Even so, it is important to know how far these tools will take you. It is still necessary to consult application and installation knowledge sources to define the final selection of components. The rise of condition monitoring solutions provides another means to improve the performance of process Safety Instrumented Systems.
REFERENCES
1. Marszal, Ed; Scharpf, Eric, "Tolerable Risk", Safety Integrity Level Selection, ISBN 155617-777-1, The Instrumentation, Systems, and Automation Society, 2002.
2. Jackson, Thomas, "Safety Instrumented System Design and Implementation: Impacts to the Engineering and Construction Work Process", Safety Instrumented Systems for the Process Industry, ISA Volume 438, presented March 17, 2003, Houston, Texas.
3. Robbins, Marty; Szabo, Louis, "SIS and Asset Management – the role of the multifunction instrument", Texas A&M, College Station, TX, January 20, 2004.
Figure 1: SIL Safety System Design Influences. Bar chart (0% to 100%) for Sensor, Safety Controller and Actuator, showing the share of each device's performance covered by the SIL calculation, by application considerations and by installation considerations.

Figure 2: Sensor Voting. Voting schemes 1oo1, 1oo2, 2oo2 and 2oo3 placed on a grid whose axes are false trip cost (low to high) and safety consequences (low to high).

Figure 3: Voting with different technology sensors. A TDR level transmitter and two vibration level switches voted 1oo3 (Level), 2oo3 (Level high) and 3oo3 (Level trip).

Figure 4: Condition Monitoring via HART gateway. The SIS (Safety Controller and HART Gateway) connected, by wire or wireless, through OPC and FDT (commDTM, DeviceDTM) to Asset Management.