Proof Testing Level Instruments

Similar documents
Safety in the process industry

Simply reliable: Process safety from Endress+Hauser

Soliphant M with electronic insert FEM52

Products Solutions Services. Safety by Design. Ask questions, get answers! Slide 1 06/15/2017. Ngo

Failure Modes, Effects and Diagnostic Analysis

Functional safety manual Liquiphant M/S with FEL57 and Nivotester FTL325P

Failure Modes, Effects and Diagnostic Analysis

Liquiphant S, Nivotester FDL60/61, FTL670

Safety instrumented systems

United Electric Controls One Series Safety Transmitter Safety Manual

Failure Modes, Effects and Diagnostic Analysis

Failure Modes, Effects and Diagnostic Analysis. Rosemount Inc. Chanhassen, Minnesota USA

Certification Report of the ST3000 Pressure Transmitter

Mobrey Magnetic Level Switches

100 & 120 Series Pressure and Temperature Switches Safety Manual

Certification Report of the ST 3000 Pressure Transmitter with HART 6

Rosemount Functional Safety Manual. Manual Supplement , Rev AF March 2015

Failure Modes, Effects and Diagnostic Analysis

Applying Buncefield Recommendations and IEC61508 and IEC Standards to Fuel Storage Sites

Failure Modes, Effects and Diagnostic Analysis

Failure Modes, Effects and Diagnostic Analysis

The evolution of level switches and detectors

Failure Modes, Effects and Diagnostic Analysis. PR electronics A/S Rønde Denmark

PPA Michaël GROSSI - FSCE PR electronics

Failure Modes, Effects and Diagnostic Analysis

Failure Modes, Effects and Diagnostic Analysis

IEC61511 Standard Overview

FUNCTIONAL SAFETY MANUAL

Only a safe plant is economical

Failure Modes, Effects and Diagnostic Analysis. Rosemount Inc. Chanhassen, MN USA

Failure Modes, Effects and Diagnostic Analysis

Proservo NMS5- / NMS7-

Digital EPIC 2 Safety manual

SAFETY MANUAL. Electrochemical Gas Detector GT3000 Series Includes Transmitter (GTX) with H 2 S or O 2 Sensor Module (GTS)

Failure Modes, Effects and Diagnostic Analysis

Is your current safety system compliant to today's safety standard?

Safety Instrumented Systems

Advanced Diagnostics for HART Protocol Rosemount 3051S Scalable Pressure, Flow, and Level Solutions

Functional Safety Solutions

FMEDA Report. Failure Modes, Effects and Diagnostic Analysis. KFD0-CS-Ex*.54* and KFD0-CS-Ex*.56* Project: X7300

SAFETY MANUAL. IR5000 Open Path Hydrocarbon Gas Monitoring System

Safety Integrity Verification and Validation of a High Integrity Pressure Protection System to IEC 61511

Safety Transmitter / Logic Solver Hybrids. Standards Certification Education & Training Publishing Conferences & Exhibits

FMEDA and Proven-in-use Assessment. Pepperl+Fuchs GmbH Mannheim Germany

Fire and Gas Detection and Mitigation Systems

Pressure Transmitter cerabar S PMC 731/631 cerabar S PMP 731/635 with ma output signal

Introduction. Additional information. Additional instructions for IEC compliant devices. Measurement made easy

Process Safety - Market Requirements. V.P.Raman Mott MacDonald Pvt. Ltd.

Safety Manual. XNX TM Universal Transmitter. Table of Contents SIL 2 Certificates Overview Safety Parameters

Safety Manual. XNXTM Universal Transmitter. Fault Diagnostic Time Interval Proof Test Proof Testing Procedure

Measurement of Safety Integrity of E/E/PES according to IEC61508

Differential Pressure Transmitter deltabar S PMD 230/235 deltabar S FMD 230/630/633 with ma output signal

Session Ten Achieving Compliance in Hardware Fault Tolerance

User s Manual. YTA110, YTA310, YTA320, and YTA710 Temperature Transmitters. Manual Change No

SAFETY MANUAL. Multispectrum IR Flame Detector X3301

Cerabar S PMC71, PMP71, PMP75

SAFETY MANUAL. PointWatch Eclipse Infrared Hydrocarbon Gas Detector Safety Certified Model PIRECL

SIL Safety Guide Series MS Single-Acting Spring-Return Hydraulic Linear Actuators

SAFETY MANUAL. Intelligent Sensors for H 2 S Gas Applications

Deltapilot S FMB70. Functional Safety Manual. Level and Pressure Measurement with Output Signal ma

Technical Manual for the Manual Alarm Call Point BG

Tech days Edmonton. Next Level Instrumentation. Products Solutions Services. By Ing. Rob Vermeulen, Bec

High Integrity Pressure Protection System

Rosemount 2140:SIS Level Detector

Pressure Transmitter cerabar M PMC 41/45 cerabar M PMP 41/45/46/48 with Output Signal ma/hart

Gammapilot M FMG60. Functional safety manual. Radiometric measurement technology Maximum point level detection

Options for Developing a Compliant PLC-based BMS

ProcessMaster FEP300, FEP500 HygienicMaster FEH300, FEH500 Electromagnetic Flowmeter

IEC Functional Safety Assessment

Overfill Prevention Control Unit with Ground Verification & Vehicle Identification Options. TÜVRheinland

Safety Instrumented Systems The Smart Approach

The Next Generation Machine Protection System

Failure Modes, Effects and Diagnostic Analysis

Assessment of the Safety Integrity of Electrical Protection Systems in the Petrochemical Industry

SAFETY MANUAL. X2200 UV, X9800 IR, X5200 UVIR SIL 2 Certified Flame Detectors

Technical Paper. Functional Safety Update IEC Edition 2 Standards Update

Failure Modes, Effects and Diagnostic Analysis

FUNCTIONAL SAFETY: A PRACTICAL APPROACH FOR END-USERS AND SYSTEM INTEGRATORS

Guidelines. Safety Integrity Level - SIL - Valves and valve actuators. February Valves

Functional safety according to IEC / IEC Important user information. Major changes in IEC nd Edition

FUNCTIONAL SAFETY IN FIRE PROTECTION SYSTEM E-BOOK

SAFETY CERTIFIED MODEL FP-700 COMBUSTIBLE GAS DETECTOR

Mechanics issn Transport issue 1, 2009 Communications article 0342

FUNCTIONAL SAFETY MANUAL

Addressing Challenges in HIPPS Design and Implementation

FUNCTIONAL SAFETY MANUAL. Gassonic Observer-H and Observer-i Ultrasonic Gas Leak Detector

2015 Functional Safety Training & Workshops

SAFETY MANUAL. FL4000H and FL4000 Multi-Spectral Infrared Flame Detectors

HAWK Measurement Systems Pty. Ltd. Centurion CGR Series Safety Manual

The SIL Concept in the process industry International standards IEC 61508/ 61511

Functional Safety Manual Oil Leak Detector NAR300 System

Emergency shutdown systems. Procedures for bypassing ESD s

SITRANS. Temperature transmitter Functional safety for SITRANS TW. Introduction. General safety instructions 2. Device-specific safety instructions

Implementing Safety Instrumented Burner Management Systems: Challenges and Opportunities

How E+H instrumentation can improve process safety

IEC Functional Safety Assessment

Functional Safety Manual June pointek CLS500/LC500

SAFETY INTEGRITY LEVEL MANUAL. IEC and IEC XP95 and Discovery SIL Approved Product Range

Report Nr

SIPART. Electropneumatic positioner Functional safety for SIPART PS2. Introduction. General safety instructions 2. Device-specific safety instructions

Transcription:

Proof Testing Level Instruments Partial proof testing of level instruments can save millions of dollars while maintaining required safety ratings By Bill Sholette, Level Product Business Manager Endress+Hauser and Craig McIntyre, Chemical Industry Manager Endress+Hauser Safety Instrumented Systems (SIS) are designed to prevent or mitigate hazardous events to ensure human safety, prevent damage to facilities, and protect the environment. It is important to understand the associated cost with Safety Instrumented Systems and the requirements for maintaining the appropriate functional safety level. Level instruments, both switches and transmitters (Figure 1), are certified to a Safety Integrity Level (SIL) based on their reliability, testing and certifications. Safety Integrity Levels range from SIL1 (low risk) to SIL4 (very high risk). For level instruments, one major safety function is the ability to detect an overfill condition in a tank or vessel. If a level instrument fails, a tank may overflow, allowing hazardous fluids into the environment. Figure 1: Typical level switch, installed near top of a tank to detect possible overfill conditions. To perform a full proof test often requires removing level switch.

Proof Testing An important part of validating the safety function in a level instrument is the requirement for regular proof testing. This testing confirms the integrity of the level measurement portion of the loop and ensures the average Probability of Failure on Demand (PFD Average) is within acceptable limits. Without testing, this PFD value will increase to a point where the instrument no longer meets the specified SIL requirements for the SIS. There are two levels of testing: a Full Proof Test and a Partial Proof Test. A full proof test returns the PFD Average back to or close to the instrument s original targeted PFD Average. A partial proof test brings the instrument s PFD Average back to a percentage of the original PFD Average. A full proof test can be accomplished in two ways. In the first method, the level in the vessel can be raised to the activation point of the instrument being tested, providing functional proof that it still works. The danger of this approach is that if the instrument is a critical high (CH) or high high (HH) level sensor for overfill prevention, and it does not activate during the test, a spill is likely. The American Petroleum Institute (API), in its recommended practices for overfill prevention in above ground storage tanks (API2350), therefore prohibits testing that raises the level to an unsafe condition. Also, AP12350-2012 recommends following IEC 61511 methodology in new overfill prevention systems. The second approach to full proof testing is to remove the instrument from the vessel for testing in a simulated vessel using material from the process (Figure 2). There are several considerations with this approach. Figure 2: In a bucket test, a level switch is removed from the vessel and immersed in material from the process to test that it switches properly. First, the process may need to be taken offline, which may interrupt the overall production process. There will be manpower required to run the test, and there may also be safety issues with exposing personnel to the process or to the environment. Finally, the process material used for the test must be disposed. It is important to understand that not all level switches can be tested in this manner. Some technologies such as capacitance rely on the reference to ground geometry inside the vessel. Removing the instrument from the vessel for testing will not represent the installed state and will not be a valid test. The third method is in-situ Partial Proof Testing, where the level switch or transmitter is exercised to ensure that it has no internal problems and all functions are operating properly. In Partial Proof Testing, the level instrument remains installed, and testing is done through a function test. Figure 3 illustrates the three proof testing methods. 2

Figure 3: The three types of proof testing for level switches. Partial Proof Testing A partial proof test is used to validate the integrity and reliability of the SIS sensor subsystem. A partial proof test detects a percentage of potential failures. As such, it does not fully return the PFD to the instrument s original state. After a given time interval, a full proof test must be performed to return the instrument to its original PFD (Figure 4). The appropriate use of partial proof testing can lead to justification of extended full proof test intervals. Figure 4: Partial proof testing of a switch with Partial Proof Test Coverage of 90%. At 90%, a Full Proof Test is required (in this case) at 3 years to keep within SIL3 functionality.

There are four categories of failures: Safe Detected Failures (λ SD ) A failure that is not dangerous but is detected by the electronics fault monitoring. Example: a short circuit on the 4 to 20mA output, where current exceeds 20mA causes a high level alarm condition. Safe Undetected Failures (λ SU ) A failure that is not dangerous but is not detected by the electronics fault monitoring. Example: A failure leads to an 8mA current which is equal to the alarm current. Dangerous Detected Failures (λ DD ) A failure that is dangerous but is detected by the electronics fault monitoring. Example: A broken diaphragm in a pressure transmitter. The broken diaphragm could result in a valid measured value but internal diagnostics detects failure and provides an alarm. Dangerous Undetected Failures (λ DU ) - A failure that is dangerous but is not detected by the electronics fault monitoring. Example: The current signal freezes between 4 and 20mA, so no warning or safety function is available. When conducting a proof test, we are not concerned with Safe Detected Failures, Safe Undetected Failures, and Dangerous Detected failures (Figure 5). These failures are either safe failures or are failures that are detected by the internal diagnostic monitoring function. The total percentage of these equals the Safe Failure Fraction (SFF). Figure 5: Safe Failure Fraction and the remaining Dangerous Undetected failures 4

A proof test (Partial or Full) addresses the Dangerous Undetected Failures. This is accomplished by providing a functional test of the instrument. That is, the initiation of a proof test exercises the instrument by causing the instrument to perform its intended function. For example, a proof test of an overfill prevention point level switch will cause the unit to output a high level alarm as it would in an actual high level event. By exercising the output of the instrument, a percentage of the dangerous undetected failures are exercised. If a Dangerous Undetected Failure is present, it will be exposed by the proof test. For example, if the overfill prevention switch has experienced a dangerous undetected failure, it will not provide the high level alarm that is expected resulting in a Failed proof test. A failed proof test requires examination of the instrument for repair or replacement. The percentage coverage attained with a Partial Proof Test is dependent on the percentage of dangerous undetected failures that are covered by the test. This percentage is determined by testing and evaluation of the instrument and results in a percentage of Proof Test Coverage (PTC). A full proof test is designed to simulate the function of the instrument as close as possible to an actual event. For example, when the material level in an application of an overfill prevention point level switch is raised to a point where the switch changes state from normal to alarm. The full proof test comes as close as possible to an actual event, which approaches 100% Proof Test Coverage. The advantage to a partial proof test is that it can often be done in-situ, meaning that the test can be performed without removing the instrument from the process. This eliminates much of the cost and safety concerns associated with removing the instrument for a full proof test. However, the accumulating PFD over time can cause the level instrument to move out of its specified SIL, requiring a full proof test. For example, the sensor in Figure 4 was found to require a full proof test about every three years. Statistically, the chance of an instrument failure increases over time. The longer an instrument is installed in an application without performing its intended function, the more likely a failure will occur. For example, a High High level switch used for overfill prevention is mounted above the High Level switch used for stop fill indication. Ideally, the level never exceeds the High Level stop fill switch. A High High overfill prevention switch could go for years without seeing level. The longer the instrument is idle, the higher the possibility of Failure On Demand (PFD). This causes a drift from the original SIL level toward a lower SIL level (SIL3 to SIL2), requiring a proof test to return the instrument function to the original SIL level. The specific procedures described below for partial proof testing apply only to Endress+Hauser instruments and are provided as examples. Partial proof tests vary among instrument manufacturers who offer SIL products, but most major instrument manufacturers have procedures for proof testing. Overfill protection in a tank or vessel is usually accomplished with level switches or level transmitters, and each instrument has a means of performing partial proof testing. Level Switch Testing In many critical safety installations, two level switches (i.e., 2oo2) must be used to meet SIL3 requirements. If one switch fails, probability of failure calculations assume that the other switch will continue to operate properly (called Homogeneous Redundancy), thus fulfilling SIL3 requirements. Another solution is to use a single level switch (i.e., 1oo1) that is SIL3 certified. This reduces the amount of maintenance and required full proof testing. The single level switch requires periodic partial proof testing to ensure that it meets SIL3 requirements throughout its life span, and uses built-in diagnostics to identify operational problems. The Liquiphant FTL8X point level measurement system can be used to meet SIL3 requirements as it continuously self-

monitors the tuning fork frequency and the operation of the electronics. A shift in frequency would indicate possible damage or corrosion to the fork assembly. The continuous monitoring also checks the function of the electronic unit and the piezo drive, and checks for shorts or breaks in the wiring. Whenever the switch is powered up or when a button is pushed to initiate an in-situ partial proof test the unit goes through a test sequence. During the test sequence the switch reduces the frequency to the drive coils, vibrates the fork at a reduced frequency and reports the reduced frequency. It also initiates a change in the output state which triggers any control elements in the loop such as valves, pumps, interlocks, etc. Therefore, the entire unit and its associated automaton system components are tested, not just the output contacts. This, along with internal circuit redundancy, high diagnostics coverage and high SFF provides a level switch that meets SIL3 in a single instrument. The optional Endress+Hauser Nivotester Model FTL825 is a receiver that the FTL8X Liquiphant attaches to. It has a push button to perform the partial proof test (Figure 6). The Nivotester monitors diagnostics and a continuous live signal that is modulated on the 4-20mAdc current signal being generated by the Liquiphant, which allows Endress+Hauser to attain a SIL3 rating with one switch. Nivotester diagnostics can be programmed into a Safety PLC; however, the Liquiphant and Nivotester package provides a complete SIL3 Switch. Figure 6: A partial proof test can be initiated by pushing a button on the Nivotester receiver or on the level switch. The combination of continuous monitoring and in-situ testing provides the diagnostic coverage required to reduce the PFD (Probability of Failure on Demand) to meet and maintain SIL3 service. This partial proof test attains 99% of the PFD. With yearly partial proof testing, the requirement for a full proof test can be extended to twelve years (Figure 7). 6

Figure 7: A 99% partial proof test extends the need for full proof testing out to 12 years. The cost savings realized by performing a full proof test only once every twelve years is substantial. Consider that bringing a process down, performing the full proof test, and restarting the process takes approximately 10 hours. A conservative estimate might be $10,000 per hour in lost production, plus $1,500 for manpower and disposal of material. Compared to an instrument that requires a full proof test each year, this translates into a savings of $101,500 per year and $1,218,000 over the twelve year cycle. When multiplied by the number of level switches in a facility, this becomes a substantial savings. Level Transmitters Unlike level switches, level transmitters are rarely rated SIL3. The Endress+Hauser FMP5X Levelflex Guided Wave Radar level transmitter, for example, is rated to SIL2 as a single device and SIL3 in homogenous redundancy. But like level switches, level transmitters must also undergo proof testing. Procedures for accomplishing this vary from vendor, although full proof testing still involves removing the transmitter from the vessel. However, since many level transmitters operate from the top down such as guided wave radar and ultrasonic transmitters removing and replacing a transmitter may not require a compete process shut down. In-situ partial proof testing can be accomplished with many level transmitters. The Levelflex can perform its in-situ test through FieldCare, an Endress+Hauser software program that helps users perform testing and other instrument calibration and maintenance functions. A high safety setting can be added to a data field in the software program. For example, a user can enter a safety setting to provide an alarm if the level reaches 90% full. In the FieldCare operations menu there is an option for simulation of level. The test is done by simulating a level that is just below the safety setting (89%). At the 89% setting, the safety value is not exceeded and the status should be "Good." The next step is to simulate a level above the safety setting (91%). The simulated value exceeds the safety setting and the status should then indicate an alarm condition. When using FieldCare, screens can be saved as documentation of the successful in-situ test. The entire test is completed without physically changing the process level or interrupting the tank availability, thus saving time and money. This partial proof test provides a 92% Proof Test Coverage, returning the PFD below the SIL2 threshold.

WP01006F/24/EN/01.13 10.13) Applicable Standards In the past, level instruments were designed according to established practice and proven in use. Now the IEC 61508 standard provides a systematic approach for the design and testing of products in safety-related applications. The IEC (International Electrotechnical Commission) defined SIS (Safety Instrumented System) and wrote the standards. Level instruments fall under IEC 61508, which applies to manufacturer and suppliers of SIL (Safety Integrity Level) products. API (American Petroleum Institute) developed the API2350 standard, which provides recommended practices for above ground storage vessels containing petroleum products. The NFPA (National Fire Protection Association) also publishes recommended practices for storage of hazardous flammable chemicals. The entire life cycle starting from the development of the safety devices including maintenance by the end-user is taken into account. SIL2-capable devices are certified by the manufacturer and may be evaluated or certified by a third party, such as TÜV or EXIDA. Manufacturers can have their IEC 61508 design capabilities certified by a third party. SIL3-capable devices are typically certified by a third party. Under IEC 61511 (ANSI/ISA 84.00.01 in the U.S.) the lifecycle of the safety system must be managed and documented by the end user. However, manufacturers can provide products with capabilities that make these tasks simpler and easier, while also reducing compliance costs. ANSI/ISA 2350-2012 references implementation of IEC 61511. IEC 61511 is being adopted as a standards-based good engineering practice method, displacing older and organizationspecific approaches. Summary Many manufactures provide SIL-rated level instruments, but end user testing procedures for maintaining SIL ratings over the life of the instruments vary significantly from one manufacturer to the next. The end user is ultimately responsible for ensuring that partial and full proof tests are conducted to maintain the SIL rating of level instruments, but selection of the right instrument can ease compliance. Bill Sholette is the Level Products Business Manager for Endress+Hauser in the Northeast. Bill has been involved in level measurement for the past 33 years in virtually all aspects of process level measurement instrumentation - from manufacturing and sales, to his present position in product management. He is currently responsible for level products in Northeast United States. Bill attended Villanova University and has certification in management and marketing. Craig McIntyre Is the chemical industry manager for Endress+Hauser in Greenwood, IN. Other positions he has held with Endress+Hauser over the past 17 years include level product manager, communications product manager and business development manager. He previously was director of marketing for an Emerson Electric subsidiary. Craig holds a BA in Physics from Greenville College and an MBA from the Keller Graduate School of Management. Endress+Hauser, Inc. 2350 Endress Place Greenwood, IN 46143 Tel: 317-535-7138 Sales: 888-ENDRESS (888-363-7377) Service: 800-642-8737 Fax: 317-535-8498 inquiry@us.endress.com www.us.endress.com 8

2024 © homedocbox.com Privacy Policy | Terms of Service | Feedback