Safety instrumented systems: Applying measurement best practices

The measurement part of a safety system tends to be the most troublesome. However, new technologies offer ways to overcome many common-cause problems.

By Mark Menezes, PEng February 13, 2017

Designers and operators of safety instrumented systems (SIS) in hydrocarbon processing industries can benefit from a variety of new technologies related to design, diversity, and diagnostics. Products and application best practices have worked together to make an SIS and individual safety instrumented functions (SIFs) work more effectively, and as a result, can eliminate many common-cause problems that can interfere with safety loop performance.

Most of these problems are related to the measurement side of the equation, when a variety of sensing technologies are used. This article considers several examples related to pressure and level in applications common in hydrocarbon processing and other industries. The elements of design, diversity, and diagnostics don’t apply to every example, but one or more will be applicable in each case. 

Dealing with common-cause problems

Best practice design concepts for an SIS have evolved over the past decade, prompted by widespread adoption of the ANSI/ISA-S84.01-2004 and IEC 61511 standards. Calculation methods for quantifying risk are well understood, but for measurements, the key challenge is finding relevant data related to instrument performance. While suppliers often provide safety statistics they claim are certified by third parties, the data typically are derived from white papers or laboratory analysis and apply to the device itself in isolation, installed in laboratory conditions.

Unfortunately, in real hydrocarbon processing environments, the risk of a transmitter not responding properly to an incident, thereby falsely reporting safe conditions, can be significantly higher for a variety of real-world interface risks such as:

  • Pressure instrument impulse line plugging or freezing
  • Slow sensor or capillary response as a result of cold temperatures
  • Temperature sensor coating
  • Erosion or coating of primary flow element
  • Process fluid density change in level measurement.

In cases where one or more of these risk conditions affects more than one transmitter—creating a common cause—it will dominate overall system risk in a typical redundant installation. Unfortunately, this is often the case, because the root cause of the risk usually is a characteristic of the process itself. For example, the root cause of line plugging usually is dirty process fluid, which, of course, will be in contact with and affect all transmitters connected to the specific process.

For example, suppose the risk of a dangerous pressure transmitter failure (meaning it reports the process pressure is in a safe range when it is actually past a safety limit) is 0.01 failures per year. So, if 100 devices are installed in the same application, one device could experience such a dangerous failure each year. Extending the example, suppose the risk that the impulse lines connecting the transmitter to the process will plug is 0.005 failures per year. We can assume that if the impulse lines connecting one transmitter become plugged, the line(s) connecting the other(s) probably eventually will become plugged as well because they are exposed to the same environment. That makes this a common-cause risk.

Risk with a single transmitter = $(\lambda_{\text{Transmitter}})^1 + \lambda_{\text{Plugging}} = (0.01)^1 + 0.005 = 0.0150$

Risk with two transmitters = $(\lambda_{\text{Transmitter}})^2 + \lambda_{\text{Plugging}} = (0.01)^2 + 0.005 = 0.0051$

Risk with three transmitters = $(\lambda_{\text{Transmitter}})^3 + \lambda_{\text{Plugging}} = (0.01)^3 + 0.005 = 0.0050$

This simplified calculation shows that when the transmitters are redundant, any common cause will dominate safety risk for the measurement. Therefore, adding more transmitters subject to the same common cause provides minimal safety risk reduction. Trying to quantify the risk of a real-world common cause-related failure with any degree of precision, especially in a new application, is difficult. Consequently, an engineer should aim to minimize each common-cause risk by using best practices for design, technology, diversity, and diagnostics available with smart transmitters.

Improving pressure measurements: Design and diagnostics

In general, safety engineers should use the same design best practices in safety applications as those proven effective in basic process control applications. Of course, best practices evolve over time as users and suppliers gain greater familiarity with new technologies, accommodating their strengths and weaknesses.

As previously mentioned, pressure transmitters usually are connected to the process using sensing or impulse lines. These lines make it possible to locate the transmitter remotely from the process connection, where it may be better protected or accessed more easily for maintenance. Where differential pressure (DP) is measured (for example, to obtain level in a closed vessel or pressure drop across a flow element or a filter), sensing lines allow the transmitter to be installed between the two taps. Sensing lines filled with process liquid are called "wet legs." However, they are called "dry legs" if filled with process vapor. Most users find both require frequent maintenance because fluids in wet legs tend to evaporate or become contaminated, and process vapors in dry legs tend to condense. For these and other reasons, many users replace wet or dry legs with oil-filled seals and filled capillary tubes.

If the process and environment are at different temperatures, the temperature along the sensing line will change as heat is transferred to or from the environment. This complicates design when the process is consistently hot but the ambient temperature varies, as is common in outdoor installations. If the line is short, insufficient heat will be dissipated in summer, possibly allowing the transmitter to become overheated and damaged. This is usually an overt failure, making it easy to spot, but the transmitter will need to be replaced. On the other hand, if the line is long, too much heat may be dissipated in winter. Figure 1 shows how a typical sensing line can cool by 140°C in 160 mm (6 inches) when the ambient temperature is 0°C.

As the temperature falls, the process fluid or capillary fill fluid may begin to thicken, crystallize, or separate before it reaches the transmitter. Lowering the temperature increases the viscosity of various capillary fill fluids, just as it does with typical process fluids in hydrocarbon processing industries (see Table). In general, boiling point rises along with molecular weight and so does viscosity.

Raising viscosity in a sensing line or capillary beyond an acceptable limit slows the sensor’s response to changing pressure. A 5-m capillary tube with a 10-mm internal diameter filled with a less-than 5 centistokes (cSt) fluid will dampen response time by 1 to 2 seconds. If the fluid viscosity increases to more than 150 cSt, the same system will see response time increase by more than 30 seconds. Of course, a system with solid-fill fluid will provide no response at all, but this may not be obvious because even a plugged system can retain its previous pressure.

Even where redundant transmitters have physically different connections to the process, the lines often will have similar length and be filled with the same fluid. For this reason, all connected transmitters typically suffer the same slow response or possibly no response. When this happens, if process pressure changes quickly, the value measured by the impaired device may be significantly different from the process pressure, but the logic solver will not detect any deviation between the transmitters. In this example, if a pressure excursion can cause a safety risk within 30 seconds (which is often true), the safety system will not initiate a shutdown in time and a safety incident could follow.

Even with insulation, heat dissipation in outdoor applications can be five to 10 times faster in winter than summer. For this reason, it is usually not possible to design a single set of sensing lines that can avoid overheating in summer and overcooling in winter. This leaves many users installing thermostatically-controlled heat tracing, as shown on the upper right in Figure 2, on sensing lines and capillaries to maintain optimum temperatures. But this adds significant upfront and ongoing maintenance costs. 

Design and diagnostic solutions

Modern smart transmitters have many diagnostic capabilities built in. For example, some manufacturers include the ability to listen to the process and allow the system to compile a noise profile to reflect a stable and well-running process. The listening is done through the sensing lines, and if they become plugged or if the fill fluid becomes too viscous, the amplitude decreases or the sound shuts off completely. Changes observed over time indicate developing problems and can alert operators of questionable values caused by sensing line blockages. This doesn’t solve the problem, but it provides a warning of when it is happening.
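The noise-profile diagnostic described above, set beside the transmitter-to-transmitter deviation check that a common-cause blockage defeats, as an added Python example that is not from the article or any vendor. The function names, the 0.5 and 0.2 amplitude ratios, the deviation limit and the synthetic pressure traces are all assumptions constructed for illustration.

```python
import math
from statistics import mean, pstdev

def synth(level, amp, n=200, phase=0.0):
    """Constructed pressure trace: steady value plus deterministic 'process noise'."""
    return [level + amp * math.sin(0.7 * i + phase) + 0.5 * amp * math.sin(2.3 * i)
            for i in range(n)]

def learn_baseline(healthy_windows):
    """Average noise amplitude (std dev) over windows recorded on a stable process."""
    baseline = mean(pstdev(w) for w in healthy_windows)
    if baseline <= 0:
        raise ValueError("baseline has no noise; cannot profile the line")
    return baseline

def line_status(window, baseline, degraded=0.5, plugged=0.2):
    """Classify a window by how much of the baseline noise still reaches the sensor.

    The two ratio thresholds are assumed values, not vendor settings.
    """
    ratio = pstdev(window) / baseline
    if ratio < plugged:
        return "plugged"
    if ratio < degraded:
        return "degraded"
    return "ok"

def deviation_alarm(window_a, window_b, limit):
    """Conventional logic-solver check: do two redundant transmitters disagree?"""
    return abs(mean(window_a) - mean(window_b)) > limit

# Constructed data (arbitrary pressure units).
BASELINE = learn_baseline([synth(10.0, 0.05, phase=p) for p in (0.0, 1.0, 2.0)])
HEALTHY = synth(10.0, 0.05, phase=0.3)
THICKENING = synth(10.0, 0.02)              # fill fluid becoming viscous
# Both lines blocked: each transmitter holds its trapped pressure near 10.0.
PLUGGED_A = synth(10.0, 0.002)
PLUGGED_B = synth(10.01, 0.002, phase=0.5)

if __name__ == "__main__":
    for name, w in [("healthy", HEALTHY), ("thickening", THICKENING),
                    ("plugged A", PLUGGED_A), ("plugged B", PLUGGED_B)]:
        print(f"{name:11s} -> {line_status(w, BASELINE)}")
    print("deviation alarm between A and B:",
          deviation_alarm(PLUGGED_A, PLUGGED_B, limit=0.1))
```

Because both plugged transmitters still agree with each other, only the per-transmitter noise check raises a flag.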

Taking advantage of design advances can eliminate the problem entirely. Newer capillary designs do away with the need for sensing line heating without compromising response time. As shown in the upper left area of Figure 2, the seal is directly connected to the vessel or pipe containing the hot process fluid. The design of the seal and internal copper tube are optimized to transfer sufficient heat along the line to keep the fill oil warm enough to stay responsive without overheating the transmitter.

For very hot processes, or where the user wishes to locate the transmitter at a long distance from the process, a two-oil solution may be needed (see Figure 2, lower area). High molecular weight (MW) oil is used adjacent to the hot process to provide fast response and high temperature stability. Low MW oil such as Syltherm XLT is used after the intermediate seal when the oil has cooled, and it runs through the capillary to the transmitter. Such low MW fluids retain low viscosity at temperatures below -50°C, ensuring fast response even in the coldest climates. These new single- and dual-oil systems illustrate how modern design practices can eliminate a significant common-cause risk, with minimal extra capital and operating costs. 

Improving level measurements: Technology diversity and diagnostics

Most pressure instruments use the same underlying sensing technology, so there are few ways to solve a problem by changing the basic measuring technique. On the other hand, there are many ways to measure level with at least a dozen basic approaches. Therefore, when an SIS depends on a reliable level measurement, there are many options, each with its own strengths and weaknesses. This presents an excellent opportunity to optimize the technology diversity.

For a particularly difficult application, no single technology may solve all the problems, and getting around a common-cause conundrum may involve using multiple technologies: a second, different measuring approach to back up the first. The secondary technology is not necessarily better or worse. Instead it is selected because its strengths and weaknesses are complementary to the primary.

For example, consider a boiler-drum level application. If the water level in the drum gets too low, the drum can overheat and become damaged. If it gets too high, water can be entrained in the steam and damage downstream equipment. Given the severe consequences from either situation, virtually all boilers use multiple redundant level measurement devices.

Two technologies are commonly used with boiler drums: DP, which measures the hydrostatic head between the high and low points on the boiler, and mechanical displacers. While this combination is widely used, both technologies suffer from error when the pressure or temperature changes. For example, when the water in the drum becomes hotter, it becomes less dense. Even with a fixed level, lower water density will cause the displacer to float lower, and the DP transmitter to read less pressure, which it interprets as a lower level. For this reason, these technologies exhibit significant level errors as drum pressure or temperature changes (see Figure 3).

Designers understand these characteristics and typically build in some form of compensation. Nonetheless, these approaches are best under steady-state conditions. Unfortunately, real-use conditions usually are more dynamic with load swings and startup/shutdown cycles. Often, the compensation mechanism is not fast enough. Worse, when steam flow out of the boiler increases quickly, the pressure above the boiling water decreases, causing the water to froth up (swell) and the level to increase, while at the same time, the decreasing density of the water causes the displacer or DP transmitter to read lower. This problem of the measurement moving in the opposite direction of the process is known as "inverse response." The reverse (shrink) also can happen causing both devices to say the level is higher than it really is.

Using redundant DP transmitters or displacers does not help because all devices are affected identically by the common cause of changing fluid density. A better approach is to employ diversity, using a backup technology unaffected by such a change, such as guided-wave radar (GWR).

GWR is a familiar technology to users in hydrocarbon industries. It involves an electromagnetic pulse that is emitted by the transmitter mounted on top of the vessel and is guided down along a probe. Some of the pulse’s energy is reflected back from the liquid surface, and the transit time determines distance to the surface. This approach works because the pulse’s speed is normally constant in the vapor space above the liquid, at least when working with the pressures and temperatures found in hydrocarbon processing applications.

However, it is not true for high-density steam. The dielectric constant of high-density steam is significantly higher, which means the speed of the pulse is significantly lower compared to low-density steam, air, or hydrocarbon vapors. If not corrected, this can lead to significant errors in level (see Figure 3). Fortunately, this error can be characterized, and then appropriate compensation can be built into the measurement.

As shown in Figure 4, newer GWR units include a fixed reflector at a known distance, typically at the high-level alarm point, say 10 cm below the flange. The first applications of this fixed reflector were to simplify periodic proof testing. Rather than sending a technician to climb on top of the tank to visually verify the liquid level, the user would simply confirm the reflector always appeared at 10 cm.

Because the GWR transmitter simultaneously can provide the primary level on the 4-20 mA analog signal and the reflector distance as a secondary variable along with other diagnostic data via HART, it is a simple matter to calculate an appropriate correction factor for the conditions in the boiler continuously online, without interrupting its safety function. If the reflector measurement suggests a correction of +1.46% is necessary at this moment, the same compensation factor is applied to the level measurement. This approach is proven across the entire operating range, including during load swings and startup/shutdown cycles, in a variety of industrial boiler applications. A GWR can replace a mechanical displacer, or as shown in Figure 5, it can be integrated with an integral magnetic level indicator and transmitter to provide visual indication and redundant measurement.
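The reflector-based compensation described above, as an added Python example that is not from the article or any transmitter firmware. It assumes the transmitter reports apparent distances computed at the reference pulse speed, that the whole vapor space has the same dielectric constant, and that the function names, the plausibility band and the sample readings are constructed for illustration.

```python
REFLECTOR_TRUE_M = 0.10   # fixed reflector 10 cm below the flange, as in the article

def vapor_correction(reflector_apparent_m, true_m=REFLECTOR_TRUE_M, max_dev=0.25):
    """Factor that rescales apparent distances to true distances.

    Dense steam slows the pulse, so the reflector appears farther away than
    it is and the factor falls below 1. max_dev is an assumed plausibility band.
    """
    if reflector_apparent_m is None or reflector_apparent_m <= 0:
        raise ValueError("no reflector echo: cannot compensate")
    factor = true_m / reflector_apparent_m
    # A slower pulse can only lengthen apparent distance; allow a small tolerance.
    if not (1.0 - max_dev) <= factor <= 1.005:
        raise ValueError(f"implausible correction factor {factor:.4f}")
    return factor

def compensated_level(reflector_apparent_m, surface_apparent_m, probe_ref_m):
    """Level above the probe reference point, corrected for vapor dielectric."""
    if surface_apparent_m <= reflector_apparent_m:
        # Surface echo at or above the reflector: the reference is not usable.
        raise ValueError("liquid at or above reflector; reference unavailable")
    factor = vapor_correction(reflector_apparent_m)
    true_distance = surface_apparent_m * factor
    return probe_ref_m - true_distance

def uncompensated_level(surface_apparent_m, probe_ref_m):
    """What the transmitter would report with no vapor correction."""
    return probe_ref_m - surface_apparent_m

if __name__ == "__main__":
    # Constructed readings: apparent distances are 1.46% too long.
    ref_apparent, surface_apparent, probe_ref = 0.10146, 0.5073, 1.0
    print("uncompensated level (m):",
          round(uncompensated_level(surface_apparent, probe_ref), 4))
    print("compensated level   (m):",
          round(compensated_level(ref_apparent, surface_apparent, probe_ref), 4))
```

Rejecting a missing or implausible reflector echo keeps a failed reference from silently skewing the safety measurement.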

To achieve a safe and reliable process, designers must ensure a safe and reliable SIS is working on top of a stable and well-controlled process. Understanding and minimizing common-cause problems in all areas of the operation is critical, and users can take advantage of a variety of new technologies to broaden the range of design, diversity, and diagnostics when making process measurements. 

Mark Menezes, PEng, manages the Emerson Automation Solutions measurement business in Canada, including pressure, temperature, level, flow, and corrosion. He has 27 years of experience in process automation; 20 of them with Emerson. He has a degree in chemical engineering from the University of Toronto and an MBA from York-Schulich. Edited by Jack Smith, content manager, CFE Media, Control Engineering,


Key concepts

  • The risk of a transmitter not responding properly to an incident can be caused by pressure instrument impulse lines plugging or freezing, erosion or coating of the primary flow element, and/or slow sensor or capillary response as a result of cold temperatures.
  • The root cause of line plugging usually is dirty process fluid, which will be in contact with and affect all transmitters connected to the specific process.
  • A newer style guided-wave radar (GWR) level transmitter can replace a mechanical displacer, or it can be integrated with an integral magnetic level indicator and transmitter to provide visual indication and redundant measurement. 

Consider this

Are there hidden risks in your processes?
