Practice Safe Sensing

With process safety and sensors, sometimes garbage in equals more than garbage out. Because these devices measure pressure, temperature, flow, level, and other process parameters, they play a pivotal role in determining a process unit’s output. A wrong reading can produce waste or create a catastrophe that costs lives and makes national news.

By Hank Hogan for Control Engineering November 1, 2008

Now, thanks to advances in technology, sensor systems have greater intelligence and therefore more diagnostic capabilities. Today, sensors can be certified by third parties to meet safety integrity levels, or SIL, designations found in IEC 61508. One positive result of this is the potential to use fewer sensors without compromising safety, leading to a decrease in wiring and installation costs. Another positive effect is the potential for improved process control, largely due to increasingly intelligent sensors.

“Certified products deliver higher design quality,” asserts William Goble, principal partner and co-founder of exida, a company that offers functional safety training, technical support, and expertise from its North American headquarters in Sellersville, PA. (The company’s European base is in Fischbachau, Germany.) This better design is due not to success but rather to failure, notes Goble. “Nearly half of the products that attempt certification fail on the first try. Only when the design process is improved and diagnostics are added do they pass.”

Goble’s data shows that the number of certified sensors has exploded in recent years, with the cumulative total of such devices moving from five in 2003 to eight in 2005 and 24 in 2007. There have been indications that vendors are converting, or will soon convert, entire future sensor lines to certified products. Goble notes that taking full advantage of such sensors will require that systems be configured correctly. For example, running diagnostics in certified sensors may send the reading out of range. An incorrectly configured controller will interpret this as a fault, shutting down the process unnecessarily. A better approach would be to implement a hold-last-value strategy, with action taken only if a reading stays out of range for longer than a specified time.
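The hold-last-value strategy Goble describes, as an added illustration (not code from the article or from exida): a controller-side input handler that keeps the last good reading while a certified sensor's self-test drives the loop out of range, and only declares a fault once the excursion outlasts a configured dwell time. The 4-20 mA loop, the 3.8/20.5 mA validity band and the 2-second dwell are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class HoldLastValue:
    """Input conditioning for one 4-20 mA channel (assumed loop type).

    A reading outside [lo, hi] is treated as out of range. During a short
    excursion (e.g. a sensor running its own diagnostics) the last in-range
    value is substituted; only an excursion lasting longer than max_hold_s
    is reported as a fault the controller should act on.
    """
    lo: float = 3.8          # assumed lower edge of the valid band, mA
    hi: float = 20.5         # assumed upper edge of the valid band, mA
    max_hold_s: float = 2.0  # assumed maximum time to hold the last value
    last_good: Optional[float] = None
    out_since: Optional[float] = None

    def process(self, t: float, raw: float) -> Tuple[float, bool]:
        """Return (value_to_use, fault) for a sample taken at time t."""
        if self.lo <= raw <= self.hi:
            # Healthy reading: remember it and clear any running excursion.
            self.last_good = raw
            self.out_since = None
            return raw, False
        if self.out_since is None:
            self.out_since = t  # first out-of-range sample of this excursion
        held_too_long = (t - self.out_since) > self.max_hold_s
        if held_too_long or self.last_good is None:
            # Sustained excursion (or no good value ever seen): surface the
            # raw reading and flag a fault; do not keep substituting.
            return raw, True
        return self.last_good, False

def run(samples: List[Tuple[float, float]]) -> List[Tuple[float, bool]]:
    """Feed a constructed (time, mA) trace through one channel handler."""
    h = HoldLastValue()
    return [h.process(t, ma) for t, ma in samples]

if __name__ == "__main__":
    # Constructed trace: a 1 s self-test excursion, then a real sustained fault.
    trace = [(0.0, 12.0), (0.5, 22.0), (1.0, 22.0), (1.5, 12.1),
             (2.0, 22.0), (3.0, 22.0), (4.5, 22.0)]
    for (t, ma), (val, fault) in zip(trace, run(trace)):
        print(f"t={t:4.1f}s raw={ma:5.1f} use={val:5.1f} fault={fault}")
```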

A loading bay for Shell petroleum products in the U.K. makes use of safety-certified mass flowmeters. Courtesy Endress+Hauser.

Known failures

One of the first companies to offer a certified sensor was bought a few years ago by Siemens Energy and Automation (SEA). Louis DiNapoli is application engineering and technical support manager for the SEA process instrumentation unit that makes safety certified sensors. DiNapoli says that these sensors differ from non-certified equivalents.

For example, they often contain two microprocessors, from different vendors, which are based on different technology and implementations. Each microprocessor takes input from the transducer, the unit that translates the physical parameter into an electrical output. The results of the two different calculations can then be compared, with similar results ensuring that the microprocessors are performing correctly. Another failsafe feature of the new sensors includes the ability to force the sensor via software to a predetermined level, such as 80% of full scale. This result can then be measured and compared to what’s expected, providing another indication that the sensor is working correctly.

A key point to be aware of regarding these features is that they do not function to ensure a correct sensor reading. They also don’t prevent a failure. But, notes DiNapoli, that’s not what a safety-certified sensor is designed to achieve. “You don’t care that it fails. You care that it fails in a known fashion,” he says. What is transmitted in the case of sensor failure is a known, pre-determined quantity, allowing that failure to be detected. Of course, the system has to be configured not only to detect the fault but also not act on the value, since it is the result of a failure.

While internal computations and values transmitted to the outside world are checked, sensor systems may have only one transducer in them. This front end of the entire chain, says DiNapoli, turns out to be the area where it is most difficult to assure reliable operation, in part because there’s only one process measurement. Since there’s nothing to provide a check or reference, assurance has to be inferred.

However, increasing intelligence, along with some sophisticated algorithms, may make such indirect checking easier. Five years ago, sensor packages were relatively dumb. Today, they’re much more intelligent and provide information that helps ensure safe operation as well as improve the process.

For example, sensors can have registers that count every time the pressure goes above one of three set points. One of those points could be the process design maximum. From those counts, a simple histogram could reveal important information, such as the process being above design maximum pressure a majority of the time. Results of this kind may indicate a design flaw, or that a control system isn’t working well, says DiNapoli.

Another company with a long history in safety-rated sensors is Endress+Hauser of Reinach, Switzerland. The company has local sales centers and representatives, with the U.S. headquarters in Greenwood, IN. Endress+Hauser also partners with Rockwell Automation.

Safety-certified mass flowmeters are used in the oil and gas industry. Courtesy Endress+Hauser.

Gerold Klotz-Engmann is head of the technical safety department for the company’s German sales center. He notes that the company designs products to conform to IEC 61508; all new product designs will meet this standard. Achieving that requires self-diagnostics so that passive internal component faults can be spotted, along with steps to ensure the software is free of glitches and other problems.

Nearly all company products have undergone third party assessment and can be used in SIL 2 or SIL 3 safety instrumented systems. The system architecture determines how many compliant sensors should be used. For example, if a SIL 2 level is required, then the situation is relatively simple, says Klotz-Engmann. “Normally a single channel architecture with a SIL 2 compliant sensor is sufficient.” Things get more complicated if a higher level of safety is required, he adds. Then it may be necessary to use two or three sensors, with the sensors voting to arrive at a consensus measurement. The advantage of the three sensor arrangement is increased safety and greater availability, since the trio will continue to provide information even if one or two sensors fail.
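The two ideas above, DiNapoli’s "fails in a known fashion" and Klotz-Engmann’s multi-sensor voting, combined in one added example (not code from the article or from any of the vendors named): a controller-side voter for three transmitters that treats a reading outside the valid loop band as a detected failure rather than a measurement, excludes that channel, and degrades from 2oo3 to 1oo2 to 1oo1, tripping fail-safe when no healthy channel remains. The 4-20 mA loop, the 3.8/20.5 mA validity band, the fault-signalling currents and the trip threshold are assumptions for the example.

```python
from statistics import median
from typing import Dict, List, Optional

# Assumed loop conventions (not from the article): a healthy measurement lies in
# [VALID_LO, VALID_HI]; a certified transmitter reports a detected internal fault
# by driving the loop to a fixed, deliberately out-of-range current.
VALID_LO_MA = 3.8
VALID_HI_MA = 20.5
FAULT_LO_MA = 3.6    # constructed "known failure" low signal
FAULT_HI_MA = 21.0   # constructed "known failure" high signal

def is_detected_fault(ma: float) -> bool:
    """Anything outside the valid band is a signalled failure, not a reading."""
    return not (VALID_LO_MA <= ma <= VALID_HI_MA)

def vote(readings: List[float], trip_ma: float) -> Dict[str, object]:
    """Vote three channels, excluding channels that signal a detected fault.

    Returns the voting mode actually used, the consensus value (None if no
    healthy channel) and whether the safety function should trip.
    """
    healthy = [r for r in readings if not is_detected_fault(r)]
    n = len(healthy)
    if n == 3:
        # Full 2oo3: two channels must agree on the demand; median rejects one outlier.
        mode, value = "2oo3", median(healthy)
        trip = sum(r >= trip_ma for r in healthy) >= 2
    elif n == 2:
        # One channel lost: degrade to 1oo2 so a single healthy demand still trips.
        mode, value = "1oo2", sum(healthy) / 2
        trip = any(r >= trip_ma for r in healthy)
    elif n == 1:
        mode, value = "1oo1", healthy[0]
        trip = healthy[0] >= trip_ma
    else:
        # No trustworthy measurement left: fail safe.
        mode, value, trip = "none", None, True
    return {"mode": mode, "value": value, "trip": trip,
            "faulted_channels": [i for i, r in enumerate(readings) if is_detected_fault(r)]}

if __name__ == "__main__":
    # Constructed scans: healthy trio, one channel faulted, two faulted, all faulted.
    for scan in ([12.0, 17.0, 11.9], [12.0, 17.0, 16.5],
                 [FAULT_LO_MA, 12.0, 12.4], [FAULT_LO_MA, FAULT_HI_MA, 12.4],
                 [FAULT_LO_MA, FAULT_HI_MA, FAULT_HI_MA]):
        print(scan, "->", vote(scan, trip_ma=16.0))
```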

Carl Sonoda, marketing manager for field instrument solutions at the Yokogawa Electric Corporation of Tokyo, says the company’s first certified sensor appeared in 2003. Today, Yokogawa has a series of temperature sensors, pressure transmitters, and multivariable transmitters, all safety-rated and designed to achieve a SIL 2 or 3 performance.

The best practice for a safety loop design, he notes, is to use multiple transmitters, with each voting. Adding to redundancy costs are the number of devices, wiring, post-installation testing, and ongoing maintenance.

A safety-rated device can help reduce the number of sensors required and thereby cut such expenses. “Our IEC SIL 2/3 certified transmitter can provide functionality so that it’s possible to use one safety transmitter instead of two standard transmitters,” says Sonoda.

Deployment choice: many or few

The question about how many sensors to use isn’t clear cut. Dale Perry, pressure marketing manager for the Chanhassen, MN-based Rosemount division of Emerson Process Management, notes that using fewer sensors is a mixed blessing. Fewer sensors increase the possibility of a false alarm, which carries a cost since it might shut down a process needlessly. Thus, the total outlay of any solution will have to be carefully considered. The correct answer about how to implement a sensor strategy will depend upon many factors in addition to installation and commissioning costs.

A safety-certified transmitter helps keep a pharmaceutical process running smoothly and safely. Courtesy Siemens Energy and Automation.

Rosemount’s history with safety certified sensors parallels that of other manufacturers. Initially, safety certified products were unique, and they faced a distinctive requirement in that they had to meet the applicable standard. Over time, incorporating the features needed for certification into standard devices became a company best practice. This evolution explains why the price differential between standard and safety-rated sensors has diminished significantly.

However, it may never disappear entirely. A certified device carries extra expenses, not all of which can be found in hardware or software. At Rosemount, for example, Perry says incoming orders are checked to ensure that all options ordered with the device are within the safety certification scope.

Also, a copy of the product safety certificate, a document listing the certified failure modes, effects, and diagnostic analysis (FMEDA), as well as the device serial number and failure data, are shipped with each transmitter. Doing so provides required documentation, says Perry. The same intelligence that makes sensors safer increasingly supplies other capabilities, he says. Users demand predictive diagnostics beyond the sensor. They want this functionality because more insight into a process helps prevent abnormal, and potentially unprofitable or dangerous, situations. These demands could lead to changes in safety-rated sensors, says Perry. “We see these advanced process diagnostics, as well as loop diagnostics, being included in future safety certified products.”

Safety-certified sensors, cumulative total by year
Source: Control Engineering and exida

Year    Cumulative total
1996    1
1997    1
1998    2
1999    2
2000    2
2001    4
2002    4
2003    5
2004    7
2005    8
2006    12
2007    24