Using diagnostic functions to improve system safety

Some diagnostic capabilities are built into smart instruments, while others are designed into a process.

By Mark Menezes, Emerson Automation Solutions, Canada May 31, 2017

Effective process automation systems depend on many types of field devices, controllers, and networks to provide basic control functions along with safety-instrumented functions. Unfortunately, all these systems can fail in a variety of ways, allowing problems to develop or escalate if not countered quickly and effectively. Users cannot assume failures simply don’t happen, so they must make appropriate plans for how to deal with these possibilities.


Among the best practices and technologies available today are diagnostic functions built into smart field instruments that are capable of identifying covert failures as they happen. This improves safety, and also can predict failures before they happen, improving availability. In other cases, a plant may design its own diagnostic, adding devices such as pressure relief valves, rupture disks, and corrosion/erosion monitors in critical places to watch for larger things going wrong. Let’s consider all three approaches. 

Making temperature sensors smarter and safer

Many temperature measurement applications suffer from electrical noise, spiking, and signal dropouts. Noise can come from radios, motors, and lightning. Other problems can be caused by wiring problems, mechanical shock, or vibration. Temperature measurements are more susceptible than most other field instruments because the sensors-resistance temperature detectors (RTDs) and thermocouples (TCs)-provide very low-amplitude signals that must then be processed and amplified by the transmitter before being sent to the logic solver. For example, the signal strength of a TC is about 1/400th the strength of the 4-20 mA signal provided by the transmitter. For this reason, best practices suggest locating the transmitter as close to the sensor as possible, minimizing the length of the lead wire (see Figure 1).

Even with close coupling between sensor and transmitter, noise or dropouts still can be problematic in some installations, so most users apply damping to suppress spikes and dropouts. While damping improves stability, it slows down the response of the transmitter to rapid changes in process temperature. Because redundant sensors typically are exposed to the same electrical and physical conditions, most users will set the same damping for all, so this slow response is a common cause.

A better approach is to use a signal validation capability built into a transmitter as part of its signal processing and diagnostic functions. The thermal inertia of a temperature sensor inside a thermowell makes extremely fast temperature changes, such as from 200°C (392°F) to 400°C (752°F) in half a second, physically impossible. Even if the transmitter sees such an instantaneous and unrealistic shift between successive readings, it can reasonably assume the change is a spike (or dropout if the change is moving lower), and simply repeat the last good measurement. This approach provides stability without damping or slow response, but it should not be applied where the measurement can legitimately see fast full-scale excursions.

Although a sensor can be damaged by a single extreme mechanical shock, most failures are caused by ongoing vibration, loose or corroding connections, or chemical attack. These weaken the sensor and wiring, causing the frequency of spikes and dropouts to increase over time. The transmitter can detect and trend this increasing frequency and predict impending failure, alerting maintenance early enough to take action and prevent total signal loss. Signal validation digs more deeply into the condition of the sensor itself, which can improve both safety and availability of temperature measurements.

Spotting tricky TC failures

Here’s a typical application where validation can predict sensor failure. In hydrocarbon processing applications, TCs are often preferred over RTDs when fast response or high temperatures (greater than 600°C or 1,112°F) are involved. TCs are typically more physically robust than RTDs, but they can fail in a way not readily apparent. The junction at the tip where the dissimilar wires are joined is the measuring point, but if physical shock or vibration breaks down the insulation and the two wires form a contact (short circuit) somewhere else, the new contact point becomes the measuring point, wherever it might be.

Because this new junction is invariably farther from the hot process, in most hydrocarbon applications, a damaged TC will read low, although the opposite is true in cryogenic applications. Most processes are dangerous when they run too hot, so a low reading can create a safety risk. Because one physical shock could damage multiple TCs designed to be redundant, especially when they are installed close to each other or the lead wires are routed in the same bundle, this problem can manifest itself as a common cause.

Modern smart temperature transmitters are configurable to accept either RTD or TC inputs. When configured for a TC, they use their voltage circuitry to determine temperature. But transmitters also can use their resistance measuring circuitry, which would be used with an RTD, to monitor the resistance of the TC. While resistance of the TC cannot be used to determine temperature, it does help to detect and predict failures.

Changes in TC circuit resistance can suggest several things. If resistance goes to infinity, the circuit is open. If resistance decreases from its normal level, there is probably a short circuit. If resistance increases, the wire or termination is probably corroding. These changes may be immediate, but more often they’re gradual, so measuring and trending resistance changes can be used to predict failure and improve availability. 

Adding diagnostics to the physical protection layer

If both the basic process control system (BPCS) and safety instrumented system (SIS) fail, a plant relies on physical protection to reduce the consequences of an incident to employees and the community. As with the BPCS and SIS, for each hazard the user must identify and quantify the risk of a physical protection failure, and must apply best practices and technology to minimize the possibility of it happening. For example, in the case of an over-pressure event, most hydrocarbon and chemical processing plants rely on pressure relief devices for physical protection, such as pressure relief valves (PRVs) and rupture discs.

The PRV is set to open when the process pressure approaches the safe limits of the process equipment or piping, with the excess pressure typically vented to the flare. It has the highest pressure setting and should only work if all the other safety instrumented functions fail. Excess flaring causes environmental impacts, usually resulting in penalties. Although the PRV will close itself after the pressure returns to a safe condition, it is common for dirt in the process fluid to prevent it from fully re-seating, leading to small, ongoing leaks. These leaks are often difficult to detect, yet over time can cause significant process loss and environmental impact. Because PRVs are mechanical devices, there are no electronic elements capable of providing diagnostic functions. But as smart transmitters can improve performance of temperature sensors, new devices can add diagnostic capabilities to these simple but critical physical protection devices.

New instruments combining acoustic and temperature sensors capable of capturing telltale sounds from malfunctioning valves can identify direct releases as well as ongoing leaks from incomplete valve seating. Such devices can be wired, or can communicate via WirelessHART, in either case, sending data to the BPCS. PRVs often "simmer," releasing small amounts of product, before pressure reaches the full release point. An acoustic instrument can detect simmering, providing operators with another indication of a possible developing incident, and giving them time to call for maintenance, or to make a process adjustment and avoid the release entirely. 

Spotting leaking rupture disks

Users in hydrocarbon and chemical plants often install a rupture disc just upstream of the PRV. In the case of a toxic or hazardous fluid, the rupture disc provides a more positive barrier and layer of protection to minimize the risk of PRV leakage. Where the process contains a corrosive fluid, only the rupture disc is normally wetted. This means the plant often can avoid having to install an expensive PRV made from a corrosion-resistant material. Only the rupture disc has to be made from an exotic alloy.

Unfortunately, this approach creates another risk (see Figure 2). If a small pinhole leak appears in the rupture disc, any leaked fluid will be trapped between the rupture disc and the PRV. This creates a backpressure on the outside of the disk, so instead of bursting at the design pressure, the disc will not burst until the rising process pressure can overcome the disk and the pressure between the disk and valve.

Under these conditions, the burst pressure may exceed the safe design limit of the process, risking an uncontrolled and potentially catastrophic release into the environment. To prevent this, the American Society of Mechanical Engineers (ASME) recommends installing a pressure gauge or instrument between the rupture disc and the PRV to monitor the pressure in the space between the devices. This can be a wired device, but given that these are typically located in physically inaccessible, hazardous, or toxic environments, such locations are particularly well suited to wireless devices.

Online corrosion/erosion monitoring

Users in hydrocarbon processing industries understand where their processes are corrosive or erosive. Engineers carefully design piping and other mechanical systems to last at least until the next scheduled outage. In the meantime, expected corrosion/erosion "hotspots"—for example, on the outside elbows of pipes—are manually inspected, annually or more often. Unfortunately, the rate of corrosion or erosion on a given asset is not easy to predict and can vary widely day-to-day due to changes in flowrate, fluid composition, temperature, pressure, use of corrosion inhibitors, and other conditions. The risk to a user is that a faster-than-expected rate of metal loss can lead to a catastrophic loss of containment over a relatively short period of time, even days or weeks.

A better approach than periodic manual inspection is continuous online monitoring. Available in either wired or wireless versions, online sensors attached to the outside of the pipe or vessel use ultrasonic technology to measure metal thickness continuously. Historical data determines the rate of metal loss and expected time to failure. While a small number of corrosion/erosion sensors provide immediate safety and labor benefits from reduced need for manual inspection of hot spots, the real payback comes when a user combines a network of wall thickness sensors with other sensors to measure and predict fluid corrosion/erosion, including intrusive coupon-based sensors, temperature (intrusive or clamp-on), pH, flow, pressure, and others (see Figure 3).

Comprehensive, plant-wide visibility and corrosion/erosion prediction allows users to operate more aggressively without increased risk:

  • Extends time between shutdown intervals
  • Reduces use of corrosion-inhibiting chemicals
  • Increases capability to use "opportunity crudes," lower-cost but more highly corrosive/erosive feedstocks.

Diagnostic functions, whether they are built into a smart device, or something designed within a given plant, help detect problems early while they are still easy to manage. Discovering that a TC is quietly corroding before there is a loss of operation, a PRV is headed toward failure before a more catastrophic incident, or a pipe is about to start leaking, can prevent downtime, avoid environmental damage, and prevent fatalities. There are many ways to put these measures into place, provided a plant is willing to make the critical first steps.

Accessing HART diagnostics from safety systems

The control and monitoring systems in many plants only use the 4-20 mA analog signal from their HART devices, missing out on the value provided by the HART information. This is particularly true for smart instruments and valve actuators used with safety systems, which send their analog signal to a dedicated logic solver, meaning valuable process variables and condition diagnostics never make it back to the control system.

But there is a solution, as many users can access the HART information in their safety devices by outfitting their existing sensors and actuators with wireless adapters. These adapters connect to HART devices and communicate variables and diagnostics via a WirelessHART network. The adapter converts a wired HART input to a WirelessHART output, and this wireless signal is sent to a gateway through a WirelessHART network. The gateway is hardwired to the target system, such as an asset management system or a distributed control system (DCS). The hardwired link is usually Modbus or Ethernet.

The wireless adapter shown in Figure A has been evaluated by Exida as a component and has an FMEDA report available online. It does not affect the analog loop, and therefore has a minimal effect on SIS loop calculations.

A limitation for using wireless adapters in SIS loops has been the availability of different types of certifications for the device, which in the past was only intrinsically safe (IS). The wireless adapter in Figure A now is rated for use in hazardous areas in North America where the explosion-proof method of protection is used. The adapter connects directly onto HART devices via a threaded conduit, creating a rated assembly. This new explosion-proof certification is especially useful in SIS applications where it can be used to access stranded variables and diagnostic data from safety systems. 

Mark Menezes manages the Emerson Automation Solutions measurement business in Canada, including pressure, temperature, level, flow, and corrosion. He has a chemical engineering degree from the University of Toronto, with an MBA from York-Schulich. Menezes has 20 years of experience with Emerson, and 27 years of experience in process automation.

This article appears in the Applied Automation supplement for Control Engineering 
and Plant Engineering

– See other articles from the supplement below.