Summary
Safety system sensors deployed in combination with logic solvers and final elements that make up a Safety Instrumented System (SIS) have evolved significantly since their inception 80 years ago. Without knowing the capabilities of old and new technologies with new functionality and cost-saving features, it’s highly likely that the wrong selection will be made. Understanding SIS and the pros and cons of mechanical switches, smart switches, and safety and process transmitters will help to make the appropriate choice.
Safety via Alarm and Shutdown
When considering functional safety and safety instrumented systems (SIS), the safety function is usually a matter of turning something on or off. Allowing a plant to continue to operate in the presence of abnormal conditions is an alarm function. Alarms can take on many forms ranging from a siren or warning light to a signal sent to a logic solver. In this sense, the goal is to turn “on” the alarm at the appropriate time in order to provide a warning of abnormal conditions. An emergency shutdown (ESD), in an effort to bring the plant to a safe state, may entail stopping an overspeeding turbine generator, for example, or the equivalent of turning something “off”. Functional safety, therefore, is truly an on/off switching function.
Mechanical Switches in Functional Safety Applications
Manufacturers and SIS engineers commonly follow international standards including IEC 61508 and 61511 in an effort to standardize their functional safety designs. These safety instrumented functions, or SIFs, are typically separate from the basic process control system. Prior to these standards, it was common for mechanical switches to provide the alarm or shutdown signals. Switches have distinct advantages here:
- Mechanical switches have response times as fast as 5 milliseconds.
- Mechanical switches do not require power to actuate. More importantly, switches can continue to provide a safety function in the absence of power.
- Mechanical switches are inherently simple and low-cost devices. Their simple mechanisms have been proven in use since the 1930s and are still specified for use in plant upgrades and greenfield projects for non-SIS applications.
However, in order to manage increased risk, SIS designs became more complex. Engineers tend to seek instrumentation that is certified for use in SIS by a third party. A requirement for this certification is to design the instrumentation per the IEC 61508 standard, which requires a fully documented design process and component analysis. Many mechanical switch designs were completed long before these standards were put into practice, making it nearly impossible to certify these existing designs after the fact. In addition, mechanical switches are inherently “blind” devices. They have no self-diagnostic capabilities and no way to report their health status. You can never be certain that a switch will activate when called on to do so.
Smart Switches
“Smart” switches began to appear in the late 1990s as a response to the self-diagnostics issue. These electronic switches were designed to eliminate many of the common issues associated with their mechanical counterparts:
- Solid state; having no moving parts extends the life of the device
- Electronically adjustable set point and deadband, so the right device is always in inventory
- Accurate and highly repeatable, even in harsh environments with vibration and in hazardous locations
In addition to these attributes, “smart” switches include self-diagnostic capability, using a separate health status output to indicate the detection of a fault. These features made it possible to use smart switches in applications where traditional mechanical switches could not perform. High cycle rates and tight deadbands were now possible, eliminating some of the objections. The addition of self-diagnostics opened the door to using smart electronic switches in SIS designs. The only item lacking was a truly “certified” smart electronic switch.
Traditionally, practitioners of SIS were forced to consider process transmitters that provided the SIL certificate. These transmitters are repurposed custody transfer controls and provide extremely high accuracy at an equally high price. For functional safety applications, accuracy plays a much smaller role when initiating an alarm or emergency shutdown.
For example, in a typical steam boiler application, steam pressure is monitored to make sure that it remains at a safe level, below 3,200 psi. If the pressure begins to rise and reaches the set point, the safety function (alarm or emergency shutdown) initiates. Assuming a conservative set point and a sensor range of 4,500 psi, a typical process transmitter with 0.05% accuracy has an error band of 2.25 psi, compared with the One Series Safety Transmitter’s error band of 11.25 psi at 0.25% accuracy. If the safety function initiates anywhere before the design limit pressure of 4,500 psi is reached, a safe state is achieved. The 9 psi difference between the two instruments is negligible, so the less accurate One Series Safety Transmitter performs perfectly well in a functional safety application.
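The boiler comparison above generalizes to a simple worst-case trip-point check: the error band is the stated accuracy applied to the sensor range, the latest possible trip is the set point plus that band, and the instrument is acceptable if that worst case still falls below the design limit. The following is an added example, not code from the article or from United Electric Controls; it assumes a 3,200 psi set point and that accuracy is expressed as a percentage of the sensor range.

```python
"""Worst-case trip-point check for a safety sensor (added example).

Assumptions not stated in the article: the trip set point is 3,200 psi,
accuracy is a percentage of full sensor range, and the worst case is a
late trip at set point + error band.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SafetySensor:
    name: str
    range_psi: float      # full sensor range (span)
    accuracy_pct: float   # stated accuracy, percent of range

    def error_band_psi(self) -> float:
        """Absolute error band implied by the accuracy spec."""
        return self.range_psi * self.accuracy_pct / 100.0


def worst_case_trip_psi(sensor: SafetySensor, set_point_psi: float) -> float:
    """Highest pressure at which the trip is guaranteed to have initiated."""
    return set_point_psi + sensor.error_band_psi()


def trips_before_limit(sensor: SafetySensor, set_point_psi: float,
                       design_limit_psi: float) -> bool:
    """True if even the latest possible trip still precedes the design limit."""
    return worst_case_trip_psi(sensor, set_point_psi) < design_limit_psi


def max_tolerable_accuracy_pct(sensor_range_psi: float, set_point_psi: float,
                               design_limit_psi: float) -> float:
    """Least-accurate spec (percent of range) that still trips before the limit.

    Shows how little accuracy matters when the set point is conservative.
    """
    return (design_limit_psi - set_point_psi) / sensor_range_psi * 100.0


# Constructed instruments matching the article's figures
PROCESS_TX = SafetySensor("process transmitter", 4500.0, 0.05)
SAFETY_TX = SafetySensor("One Series Safety Transmitter", 4500.0, 0.25)
SET_POINT_PSI = 3200.0      # assumed set point
DESIGN_LIMIT_PSI = 4500.0   # design limit pressure from the article

if __name__ == "__main__":
    for s in (PROCESS_TX, SAFETY_TX):
        print(f"{s.name}: band={s.error_band_psi():.2f} psi, "
              f"worst-case trip={worst_case_trip_psi(s, SET_POINT_PSI):.2f} psi, "
              f"safe={trips_before_limit(s, SET_POINT_PSI, DESIGN_LIMIT_PSI)}")
```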
The One Series Safety Transmitter – Designed Specifically for Safety Instrumented Systems
Announced in December of 2013, United Electric Controls unveiled a novel and new approach to safety instrumentation – the One Series Safety Transmitter. These pressure and temperature transmitters were designed specifically for use in safety instrumented systems. With an integral relay and digital display, one instrument can perform the functions of 3:
- Transmitter – NAMUR standard 4-20 mA analog output for health status and process monitoring/trending without HART communications for security against cyber hacking
- Switch – programmable safety relay output (SRO) that initiates the alarm or emergency shutdown function. When connected directly to the final element, the SRO provides the safety function in 100 milliseconds or less, bypassing the need for a safety PLC and saving labor, hardware, and programming cost.
- Gauge – a backlit digital display shows the process variable, health status and provides the user interface for programming various functions and parameters, without the need for a handheld programmer
Additional outputs provide an indication that the setpoint has been reached and the overall health status of the instrument. These discrete outputs facilitate redundant and voting logic SIS designs, necessary to achieve higher safety integrity levels. The One Series Safety Transmitter carries a 3rd-party exida certification for use in SIL 2 functional safety systems with the capability to perform in a SIL 3 application. By developing a device solely for safety applications, end users get the added functionality needed for safety without paying for costly features. The Safety Transmitter is arguably the most affordable device for SIS available today.
To learn more about this topic and United Electric Controls (UE) capabilities, please contact the author at rfrauton@ueonline.com or see us at ueonline.com. UE Viewpoints are published and copyrighted by UE. The information may not be reproduced without prior permission from UE.