
Selecting Transmitters for Safety Instrumented Systems

Stephen R. Brown, Control Systems Engineer, DuPont Fluoroproducts, Parkersburg, WV 26102
Mark Menezes, Manager Pressure & PlantWeb (Americas), Rosemount Inc., Chanhassen, MN 55317

KEYWORDS
Safety, reliability, transmitters, IEC standards, risk, safety integrity level, common cause, diagnostics

ABSTRACT
Users design safety systems to mitigate risk of identified process hazards within tolerable levels, using application-specific risk models, defined user inspection schedules, and safety data for the devices under consideration. The safety data are often provided by suppliers, but validated and/or certified by third parties such as Factory Mutual and/or TÜV under laboratory conditions. While laboratory testing of software and electronics may predict installed safety for control systems, it does not for field devices such as transmitters or valves. For field devices, most dangerous failures are caused not by software or electronics, but rather by common causes and process specific issues: transmitter repeatability, impulse line plugging, orifice plate erosion, resistance temperature detector (RTD) drift, etc. Addressing these factors will typically improve not only safety but, as an added benefit, availability. This paper will present recommended best practices, which allow the user to quantify and minimize these real-world influences.

INTRODUCTION - STANDARDS AND TERMINOLOGY


The process industries - particularly chemical, refining and upstream oil & gas - are leading the charge to adopt existing and emerging standards which define methodologies for documenting system safety and availability. These standards include ANSI/ISA S84.01, IEC-61508 and IEC-61511. IEC-61508 is intended to guide manufacturers of equipment (sub-systems). ANSI/ISA S84.01 and draft standard IEC-61511 guide users and integrators in designing complete safety instrumented systems. Although the focus of this paper is on selecting and maintaining transmitters, this selection cannot begin until the user first determines the required level of risk mitigation for each particular safety instrumented function (SIF). Although the user should consult other sources for details of this methodology [1], key steps include:

- Identify hazards
- Quantify risk of each hazard
- Quantify consequences of potential catastrophe associated with the hazard (human, equipment, environmental)
- Determine desired level of risk mitigation

For each hazard, the output of this methodology is a Safety Integrity Level (SIL), where:

- SIL 1 = risk reduction > 10^1
- SIL 2 = risk reduction > 10^2
- SIL 3 = risk reduction > 10^3

Note that a given SIL applies to a particular hazard - for example, the risk of a column overpressure event may lead to a SIL 3 designation, while the same event mitigated by a rupture disc and relief valve might be designated SIL 2. Additional hazards may also be associated with the given area or even the given unit, but the risk, cost and desired risk reduction for each hazard is calculated independently.

CALCULATING SYSTEM SAFETY


Once the SIL requirement for a particular loop is determined using the methodology briefly described above, the user needs to select and maintain sub-systems, including logic solver, control valve(s) and transmitter(s), to achieve this overall loop SIL. Again, although this methodology is also well documented [2], key steps are given below and include:

- Design a Safety Instrumented System to mitigate the risk of the potential hazard.
- Calculate the system risk reduction using simplified equations, Markov analysis, or fault tree analysis, and mean time to fail dangerous (MTTFd) values for the individual components of the system. Be aware that using MTTFd data - even when certified by TÜV or FM - can produce overly optimistic results because it considers software and electronics design only, and neglects the process connection. Typically, MTTFd values are based on data from internal sources (proven in use), other companies, hazards consultants, or the Offshore Reliability Database (OREDA) [3].
- If this risk reduction is not achieved, improve system components or maintenance practices.

The user should maximize Safety-ROI with upgrades that yield the largest improvement in safety with the smallest investment. While improving the safety of the least-safe devices will have the most significant impact on overall loop risk reduction, steps can include:

- Replace discrete switches with analog transmitters. For example, while the dangerous failure of a pressure switch is detected only by manual testing, failure of a pressure transmitter usually causes the 4-20 mA signal to go off-scale (detected failure). As a result, the MTTFd for a pressure transmitter can be an order of magnitude larger than for a switch, which is reflected both in the manufacturer-supplied data and in the OREDA data.
- Replace less-safe with more-safe. If a transmitter is a significant source of dangerous failures, relative to other loop components, upgrading that transmitter to one with a higher MTTFd will increase overall loop safety.
- Increase inspection frequency. Because covert failures can only be discovered during inspection, more frequent inspections increase safety.
- Add redundancy. Generally, one-out-of-two (1oo2) redundancy increases safety, at the expense of availability. 2oo3 redundancy with a voting circuit can increase both safety and availability.

However, redundancy only adds safety or availability where it is accompanied by common cause strength. Where a single fault can affect multiple devices, redundancy improves neither safety nor availability. Even if the failure cannot be prevented, common cause diagnostics can alert the user that something may be wrong, and an inspection is required. Many users rely on device safety data provided by suppliers and usually validated by independent third parties such as FM and/or TÜV. This data includes the impact of common cause strength and diagnostics, but in a laboratory environment. For control systems, this laboratory safety can provide a useful predictor of real-world installed safety. However, it has been the experience of the authors that, for field devices such as transmitters, real world installed safety is always much worse.
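The following is an added example, not from the paper: it screens a transmitter sub-system against the SIL bands quoted above using the simplified IEC 61508-6 PFDavg approximations (repair time neglected) with a beta-factor model for common cause, so that the effect of inspection frequency, 1oo2/2oo3 redundancy and common cause strength can be compared side by side. All MTTFd, interval and beta values are constructed illustrations, not vendor, OREDA or certification data.

```python
"""Simplified PFDavg / SIL screening for a transmitter sub-system.

Added example, not from the paper.  It applies the simplified IEC 61508-6
approximations for average probability of failure on demand (PFDavg), with
repair time neglected and a beta-factor model for common cause failures.
All MTTFd, interval and beta values below are constructed illustrations,
not vendor, OREDA, TUV or FM data.
"""


def pfd_avg(mttfd_years: float, test_interval_years: float,
            architecture: str = "1oo1", beta: float = 0.0) -> float:
    """PFDavg of the transmitter sub-system over one proof-test interval.

    lambda_du = 1 / MTTFd is the dangerous undetected failure rate; beta is
    the fraction of those failures that hit every redundant channel at once.
    """
    lam = 1.0 / mttfd_years
    if architecture == "1oo1":
        return lam * test_interval_years / 2.0
    # Redundancy only removes the independent part of the failure rate; the
    # common-cause part behaves like a single channel no matter how many
    # transmitters are installed.
    lt_independent = (1.0 - beta) * lam * test_interval_years
    common_cause = beta * lam * test_interval_years / 2.0
    if architecture == "1oo2":
        return lt_independent ** 2 / 3.0 + common_cause
    if architecture == "2oo3":
        return lt_independent ** 2 + common_cause
    raise ValueError(f"unknown architecture {architecture!r}")


def risk_reduction_factor(pfd: float) -> float:
    return 1.0 / pfd


def sil_from_rrf(rrf: float) -> int:
    """SIL bands as quoted in the paper (risk reduction > 10, > 100, > 1000)."""
    if rrf > 1000:
        return 3
    if rrf > 100:
        return 2
    if rrf > 10:
        return 1
    return 0


def screen(mttfd_years: float, test_interval_years: float,
           architecture: str = "1oo1", beta: float = 0.0) -> dict:
    """Bundle PFDavg, RRF and SIL for one candidate design."""
    pfd = pfd_avg(mttfd_years, test_interval_years, architecture, beta)
    rrf = risk_reduction_factor(pfd)
    return {"pfd": pfd, "rrf": rrf, "sil": sil_from_rrf(rrf)}


if __name__ == "__main__":
    # Constructed: pressure switch with MTTFd 10 y, transmitter with 100 y
    # (the paper says an order of magnitude larger), annual proof test.
    print("switch 1oo1        ", screen(10, 1.0))
    print("xmtr   1oo1        ", screen(100, 1.0))
    print("xmtr   1oo1, T/2   ", screen(100, 0.5))
    # Redundancy with and without common cause: the beta term dominates.
    for beta in (0.0, 0.1, 0.2):
        print(f"xmtr   1oo2 b={beta} ", screen(100, 1.0, "1oo2", beta))
        print(f"xmtr   2oo3 b={beta} ", screen(100, 1.0, "2oo3", beta))
```

With beta at 0.2 the 1oo2 pair drops from a risk reduction of 30,000 to under 1,000, which is the "redundancy improves neither safety nor availability" case in numbers.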

EVALUATING INSTALLED SAFETY FOR TRANSMITTERS


Why does laboratory safety predict installed safety for a logic solver, such as a control system, but not for a field device, such as a transmitter? A covert failure for a control system occurs when the control system is informed by the measurement device(s) that the process is operating in an unsafe condition and should be shut down, yet does not send a shut down signal to the valve (or other final control element). Neglecting systematic problems such as application or configuration errors, which should be found during commissioning, an undetected failure is most likely to be caused by software or electronics faults. Fortunately, not only are electronics and software thoroughly examined during a laboratory safety evaluation, most control systems are actually installed in laboratory conditions, e.g., climate controlled instrument equipment room, fan cooled units, cabinets with rubber seals, etc. In contrast, a covert failure for a measurement occurs when the loop is operating in an unsafe condition, yet the transmitter shows the loop to be operating safely. In rare cases this can be caused by software or electronics - quantified during a laboratory safety evaluation. In most cases, the authors have found that measurement covert failures are caused by:

- Transmitter performance: Every shutdown limit provides a safety margin between where the process can be safely shut down and where the hazard can occur. Can uncertainty in the measurement - caused by poor installed repeatability - exceed this safety margin? Some hazards develop slowly, others quickly. The user needs to match the hazard development time to the transmitter response time. This is most often a concern with pressure or flow systems, which can enter a hazardous condition faster than the response time of some smart transmitters.
- Process interfaces: Devices such as pressure transmitters are connected to the process using impulse lines. What is the likelihood that these lines will plug or freeze? Even where independent impulse lines are used for redundant transmitters, how long before the process conditions which plug the first line also affect the second line? Plugged impulse lines do not cause an immediate shift in transmitter output; rather, they cause the signal to respond slowly to changes. Therefore, a rapid change in pressure will be detected only very slowly, possibly not in time to prevent the catastrophe. As another example - for a temperature measurement - what's the likelihood that a thermowell will coat, causing slow response to a rapidly changing temperature? What is the magnitude of RTD drift? Again, can the same process conditions affect both redundant temperature elements, in the same direction or randomly? As a final example - when using a differential pressure (DP) flowmeter, how often do redundant transmitters share the same primary element, such as an orifice plate? A shift in the primary element - caused by erosion, for example - will cause covert output shifts in all of the transmitters.
- Transmitter and sensor robustness and quality control: Corrosion and hydrogen permeation can eventually cause overt failure of a pressure transmitter. However, for a period of time leading up to this failure, the measurement will suffer a gradual, covert drift. For DP transmitters, a rapid and severe over-pressure can cause a zero shift, which is covert and detected only during calibration/inspection. Unfortunately, most over-pressures are caused by not correctly equalizing line pressure during re-installation after calibration, so this error may not be detected until the next calibration/inspection. Finally, many manufacturing defects - either in the electronics or the sensor - will initially manifest as gradual, covert output drifts, impacting safety, but eventually causing overt failure, impacting availability. Note that these are manufacturing rather than design defects, so will not be reflected in third party (laboratory) testing.
- Selection, installation and maintenance practices: Can the same engineer select the wrong material for all redundant transmitters, causing gradual corrosion, undetected measurement drift, and eventually device failure? Can a shared plant standard specify redundant impulse lines that all suffer from consistent hydrostatic head error? Can the same individual calibrate all redundant transmitters using a biased reference?

Any increase in measurement uncertainty caused by the transmitter, sensor, interface or practices which is greater than the safety margin can impact both safety and availability.

QUANTIFYING COMMON CAUSE STRENGTH - INSTALLED REPEATABILITY

How can the user determine if the uncertainty associated with a given measurement will exceed the safety margin? Consider, for example, a DP transmitter with 0.1% reference accuracy installed on an orifice plate - will the complete measurement system provide 0.1%, 1% or 10% flow repeatability? The first step is to identify factors that will cause a transmitter to be less accurate and repeatable outside of a laboratory. For a DP transmitter, key factors include:

- Ambient Temperature Variation: In the vast majority of real-world flow measurements, the transmitter can operate at a very different ambient temperature than the one at which it was calibrated. In some outdoor applications, ambient temperatures can vary more than 50°F from calibration. These variations can have a significant effect, which is easily simulated on the bench: blow warm air over a transmitter, and watch its output change.
- High Static Line Pressures: The DP transmitter used to infer flow can be significantly affected by a high line pressure. To simulate this effect on the bench, the user should apply a small DP across a transmitter. Then, add several hundred pounds of additional static pressure to both sides of the transmitter. In theory, the measured differential pressure should not change. In reality, it does.
- Drift/Stability: The output of any analog component will vary over time. As with the ambient temperature effect described above, this can affect all flow technologies. Better, smart transmitters are more stable, requiring less frequent calibration than older, analog transmitters or transducers, without any sacrifice in accuracy and repeatability.

Next, quantify the impact of these real-world conditions for the given application and transmitter of interest, using published specifications. Figure 1 shows this at 100% flow:

[Figure 1: bar chart comparing three transmitters - "Better" .075% ref accy, "Worse" .075% ref accy, and Analog (.2% ref accy) - across four error sources: Reference Accuracy, Ambient Temp (+/- 25°F), Line Pressure (300 psig), and Drift (12 months). Vertical axis: Flow Error at 100% Flow (%), 0.1 to 0.8.]

FIG. 1 FLOW ERROR FROM DIFFERENTIAL PRESSURE TRANSMITTER [4]

While these errors may seem small at 100% flow, since the errors are fixed over the entire transmitter range, and DP ∝ flow², small errors at 100% - and small differences in transmitter accuracy - are magnified at lower flowrates, as seen in Figure 2.

Flowrate (scfm)     1000     750      500      250
DP                  100      50       25       6.25
"Better" .075%      0.09%    0.16%    0.37%    1.46%
"Worse" .075%       0.21%    0.38%    0.85%    3.40%
Analog              0.65%    1.16%    2.60%    10.20%

FIG. 2 FLOW ERROR FROM DIFFERENTIAL PRESSURE TRANSMITTER

Two conclusions from this typical application:

- Flow applications typically become unsafe at low rather than high flows - for example, if fuel flow into a furnace becomes too low, the flame may go out, allowing an explosive mixture to build up. At a flow of 25%, the analog transmitter contributes 10% repeatability. If the safety margin is set to less than 10%, at a 25% flow the analog transmitter can either miss a real trip, reducing safety, or cause a spurious trip, reducing availability.
- The reference accuracy of the transmitter is not useful for predicting installed repeatability. From Figure 2, when installed the two 0.075% transmitters differ by nearly 2%.

Software tools are available from suppliers that allow users to quantify installed repeatability for specific transmitters in specific, user-defined application conditions [5].
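As an added example (not from the paper and not one of the supplier tools just mentioned), the propagation below takes the kind of error contributions shown in Figure 1, combines them into a DP error and converts that into a flow error at turndown, then checks it against the safety margin at the trip flow. The root-sum-square combination and the per-transmitter contribution values are assumptions; the DP ∝ flow² relationship that magnifies the error at low flow is the paper's own point.

```python
"""Propagating DP transmitter errors to flow error at turndown.

Added example, not from the paper or from any supplier tool.  Each error
contribution is taken in % of DP span; the contributions are combined by
root-sum-square (an assumption: the paper does not state how its Figure 1
terms are combined) and then converted to a flow error, which grows as the
flow drops because DP is proportional to flow squared.
"""
import math


def combined_dp_error(components_pct_span) -> float:
    """Root-sum-square of independent error terms, each in % of DP span."""
    return math.sqrt(sum(c * c for c in components_pct_span))


def flow_error_pct(dp_error_pct_span: float, flow_fraction: float) -> float:
    """Flow error in % of reading at a given fraction of full-scale flow.

    Flow = k * sqrt(DP), so DP at flow fraction f is f**2 of span, and a
    small DP error dDP gives a flow error of 0.5 * dDP / DP.
    """
    if not 0.0 < flow_fraction <= 1.0:
        raise ValueError("flow fraction must be in (0, 1]")
    dp_fraction_of_span = flow_fraction ** 2
    return 0.5 * dp_error_pct_span / dp_fraction_of_span


def turndown_table(dp_error_pct_span: float,
                   flow_fractions=(1.0, 0.75, 0.5, 0.25)) -> dict:
    """Flow error at each turndown point, keyed by flow fraction."""
    return {f: flow_error_pct(dp_error_pct_span, f) for f in flow_fractions}


def exceeds_safety_margin(dp_error_pct_span: float, trip_flow_fraction: float,
                          safety_margin_pct: float) -> bool:
    """True when installed repeatability at the trip flow eats the whole
    margin, i.e. the transmitter can miss a real trip or cause a spurious one."""
    return flow_error_pct(dp_error_pct_span, trip_flow_fraction) > safety_margin_pct


# Constructed contributions (% of DP span): reference accuracy, ambient
# temperature effect, static line pressure effect, 12-month drift.
SMART_DP = combined_dp_error([0.075, 0.10, 0.10, 0.10])
ANALOG_DP = combined_dp_error([0.20, 0.80, 0.60, 0.80])

if __name__ == "__main__":
    for name, err in (("smart", SMART_DP), ("analog", ANALOG_DP)):
        print(name, f"combined DP error {err:.2f}% of span")
        for f, e in turndown_table(err).items():
            print(f"   {f:>5.0%} flow: {e:6.2f}% flow error")
    # Low-flow trip at 25% with a 10% safety margin, as in the furnace case.
    print("analog exceeds 10% margin at 25% flow:",
          exceeds_safety_margin(ANALOG_DP, 0.25, 10.0))
```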

DETECTING PROCESS INTERFACE COVERT FAILURES - ADVANCED DIAGNOSTICS

Basic device diagnostics have been available for years to diagnose overt and covert component failures. While these diagnostics provide some value in improved safety and availability, for most users they offer diminishing returns by making an extremely safe device even safer - how often are on-scale failures of microprocessors observed in the field? Advanced diagnostics, in comparison, promise significant improvements in installed safety and availability by diagnosing and in some cases predicting all-too-common process interface failures. Specific diagnostics which have been described in the literature [6] - some of which are planned, and some which are available in products shipping today - include:

- Pressure: Plugged impulse line detection and prediction
- Pressure-Level: Leaking diaphragm seal detection
- Temperature: Fast, predictable detection of failed RTD or thermocouple
- Temperature: Prediction of RTD failure, detection of RTD drift
- Vortex Flow: Detection of application changes (viscosity, density, etc.)
- Magnetic Flow: Detection of faulty ground or electrodes, high process noise
- Coriolis Flow: Detection of slug flow, tube coating
- pH: Detection and prediction of faulty electrodes

In general, these diagnostics are made possible by the dramatic increases in computing power in modern microprocessors. Surprisingly to many users, most of these diagnostics can only be performed in the field devices themselves, and not in higher-level expert or Abnormal Situation Management systems, because they require:

- Extremely high speed and resolution: Even when a flow appears completely steady at the control system, it includes high frequency noise due to flow turbulence. When an impulse line plugs, this noise is dampened. The difference between normal noise and dampened noise can only be detected by a transmitter that measures the process signal with a frequency at least as high as that of the process noise. This is not only too fast for many control systems, but is also too fast for all but the fastest pressure transmitters.
- Extremely high accuracy: Detecting RTD drift requires the user to continuously compare the signal from redundant RTDs. While a deviation alert can of course be configured into any control system, the system will have so many dissimilar elements - from the different physical locations of the thermowells, to the different A/D converters in the control system - that even at commissioning a difference of 4-5°F is not unusual. This means, of course, that a drift of less than 5°F cannot be detected without false alarms. When a dual-element RTD is used, and is sensor-matched to the transmitter by the supplier using Callendar-Van Dusen constants, the installed deviation should be less than 0.5°F. This allows the user to reliably detect very small drifts, with a corresponding increase in measurement confidence, although common causes related to the single thermowell remain a concern.
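The plugged-line mechanism above, as an added example that is not from the paper or any vendor's diagnostic: the DP reading barely moves when the line plugs, but the turbulence noise riding on it is dampened, so a transmitter sampling fast enough can compare the noise level of each window against a learned healthy baseline. The DP trace is constructed, and the window size, ratio and confirmation count are assumptions.

```python
"""Plugged impulse line detection from loss of process noise.

Added example, not from the paper or any vendor's diagnostic.  It models the
mechanism the text describes: a plugged line does not shift the DP reading,
it dampens the turbulence noise riding on it, so a transmitter sampling fast
enough can compare the current noise level with a learned baseline.  The DP
trace below is constructed; the window sizes and thresholds are assumptions.
"""
import random
import statistics

PLUG_RATIO = 0.5        # alert when window noise falls below half the baseline
CONFIRM_WINDOWS = 3     # consecutive low windows before raising the alert


def window_std(samples, size):
    """Population standard deviation of consecutive non-overlapping windows."""
    return [statistics.pstdev(samples[i:i + size])
            for i in range(0, len(samples) - size + 1, size)]


def detect_plug(samples, window=50, baseline_windows=10,
                ratio=PLUG_RATIO, confirm=CONFIRM_WINDOWS):
    """Return the sample index where a plug is confirmed, or None.

    The first `baseline_windows` windows are taken as the healthy reference;
    the alert is raised only after `confirm` consecutive dampened windows so
    that a single quiet window does not trip it.
    """
    stds = window_std(samples, window)
    baseline = statistics.mean(stds[:baseline_windows])
    low_run = 0
    for k in range(baseline_windows, len(stds)):
        low_run = low_run + 1 if stds[k] < ratio * baseline else 0
        if low_run >= confirm:
            return (k - confirm + 1) * window
    return None


def mean_shift(samples, split):
    """Change in mean DP before vs. after `split`: shows the plug is covert."""
    return statistics.mean(samples[split:]) - statistics.mean(samples[:split])


def constructed_dp_trace(n=3000, plug_at=1500, dp_mean=60.0,
                         noise=0.8, damping=0.2, seed=7):
    """Constructed DP stream at transmitter rate: steady mean plus Gaussian
    turbulence noise, with the noise amplitude dampened from plug_at on."""
    rng = random.Random(seed)
    trace = []
    for i in range(n):
        amp = noise if i < plug_at else noise * damping
        trace.append(dp_mean + rng.gauss(0.0, amp))
    return trace


if __name__ == "__main__":
    trace = constructed_dp_trace()
    print("mean shift after plug:", round(mean_shift(trace, 1500), 3))
    print("plug confirmed at sample:", detect_plug(trace))
    print("healthy line:", detect_plug(constructed_dp_trace(plug_at=10 ** 9)))
```

A deviation alarm on the DP value itself would never fire here, because the mean shift is within the noise; only the window-to-window noise comparison exposes the plug.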

A catastrophic fault - for example, failure of an RTD - should cause the transmitter output to immediately fail to a high (>20 mA) or low (<4 mA) state, whichever represents a safe condition. For a less severe fault - for example, prediction of impending impulse line plugging - the transmitter should continue to provide a usable output. However, an alert should appear on the transmitter's local display, and ideally also at a connected Asset Management maintenance terminal, as shown in Figure 3. The vast majority of smart transmitters used in safety applications use the HART protocol, which allows the process variable to be communicated to the control system using a standard analog 4-20 mA signal, while the diagnostic alerts are communicated to the Asset Management software using the superimposed digital signal. This digital information can be stripped off by the Asset Management system without interfering with the 4-20 mA signal used by the logic solver.

[Figure 3: Asset Management software screens showing a Plugged Impulse Line Detection alert, 50/60 Hz Noise, an RTD Drift or Failure Alert, and a Magmeter Grounding Fault.]

FIG. 3 ASSET MANAGEMENT SOFTWARE SHOWS FAILURES

EVALUATING TRANSMITTER AND SENSOR ROBUSTNESS AND QUALITY CONTROL

Many users attempt to compare and quantify robustness and quality control for different manufacturers by evaluating designs and the vendor's professed commitment to concepts such as continuous improvement, ISO 9000, etc. Unfortunately, such comparisons typically degenerate into dueling slideshows that are not useful for decision-making. Equally worthless are mean-time-between-failure (MTBF) values provided by suppliers when they are based on user-reported failures. Since of course most users do not report all failed transmitters, this inflates MTBF, and actually penalizes suppliers with better customer service and communications. A more useful value is obtained through Highly Accelerated Life-Cycle Testing (HALT). During this process, a device is subjected to severe environmental conditions - temperature, vibration, humidity, etc. - until it fails. The time to failure under these severe conditions is then used to predict MTBF under more-normal plant conditions using statistical models such as the Arrhenius equation [7]. Unfortunately, HALT requires destruction of large numbers of transmitters, making it prohibitively expensive for all but the highest-volume suppliers.

Since vendors use different methodologies to calculate MTBF, the results cannot be usefully compared. For most users, the best predictor of installed reliability is experience - in general, Serial #100 of a device will be much less robust and of lower quality than Serial #100,000. The question to the supplier therefore becomes: how many thousands of devices, or devices of similar design, have been installed in similar applications - and please provide references.

BEST PRACTICES FOR SELECTION, INSTALLATION & MAINTENANCE


Users try to use best practices wherever possible to minimize both overt and covert failures. However, as technology evolves, so do best practices. For example, users historically:

- Installed pressure transmitters with long impulse lines, to facilitate access. Today's modern transmitters, however, are so much more reliable than older transmitters that users find that most maintenance is due to the impulse lines themselves. Using short, horizontal impulse lines where possible will reduce maintenance, eliminate hydrostatic head errors and improve dynamic response.
- Balanced capillary lengths for a remote seal system on a pressurized vessel, to balance out ambient effects. Experience has shown, however, that the best repeatability, fastest dynamic response and lowest cost are obtained by direct-connecting the lower seal.
- Calibrated all safety-related transmitters on a fixed schedule - for example, every year. Instead, the user should quantify the calibration frequency that will provide the desired repeatability, for a specific device and application. In some cases, the necessary frequency will be much shorter than one year, in others, much longer.

Generally, the likelihood that a user will be familiar with the best practices for a device is proportional to the user's experience with that specific device. It follows that the user will minimize their risk of sub-optimal selection, installation and maintenance by selecting devices with which they have substantial experience.

SAFETY CERTIFICATION

Finally - it is important to reiterate that a SIL applies only to a particular SIF; there is no entity approval, as with intrinsic safety. The user must calculate risk reduction for the entire loop, and combining a logic solver, transmitter and valve each with SIL-2 certification does not ensure a SIL-2 loop. Despite this, some suppliers promote their devices as certified to a particular SIL by a third party such as FM or TÜV. It is the view of the authors that a SIL certification for a field device such as a transmitter has little relevance, and may mislead the user into a false sense of security, because:

- As detailed above, the SIL that a transmitter achieves in a laboratory does not predict the measurement's risk of covert failure under installed conditions.
- A transmitter is only one component in a loop - SIL must be calculated for the entire loop, and will often involve redundant transmitters.
- Most importantly, to achieve certification, some transmitter suppliers have been forced to develop brand new devices, typically with redundant software and electronics, which have not been proven in the field by either suppliers or users.

When reputable suppliers introduce new products, including those that have undergone extensive laboratory and beta testing, they recommend users install the devices in non-critical applications so that both user and manufacturer can gain experience and correct bugs not discovered in the laboratory. Specifying an unproven device, solely on the basis of favorable laboratory testing - and possibly an impressive slide show - for the most safety-critical applications in a plant contradicts common sense.

CONCLUSION
In conclusion: when designing safety instrumented systems, users need to consider:

- Relevant safety system standards
- System risk reduction (SIL) in a laboratory environment
- Factors which can cause installed safety and availability for field devices to be much worse than expected from laboratory calculations
- Best practices to quantify and minimize these real-world factors

REFERENCES
1. Guidelines for Safe Automation of Chemical Processes, published by the Center for Chemical Process Safety of the AIChE, provides an example using 2 such methods in chapter 7, section 4.
2. ibid, chapter 5.
3. For more information refer to: www.sintef.no/units/indman/sipaa/prosjekt/oreda/
4. Menezes & Graber, Measurement Best Practices for Improving Chemical Plant Safety, Availability and Efficiency (DP Flow Gas & Steam Examples), presented to New York Chemshow, 1999.
5. ibid.
6. Menezes, Improve Plant Safety through Advanced Measurement Diagnostics, Chemical Engineering, Oct/2000.
7. Kececioglu, D., Reliability & Life Testing Handbook, Vol. 1, page 191.
