Safety instrumented systems


Safety instrumented systems
SIL2 / SIL3 rated vibronic point level measurement devices for overfill protection

[Cover images: typical tank farm; liquid level limit detection switch Liquiphant; chemical plant]

A white paper by Endress+Hauser, Inc.

Dr. Christoph A. Rompf
Product Manager Level Measurement
Endress+Hauser GmbH + Co. KG
D-79690 Maulburg, Germany

Key words
Point Level Measurement, Tuning Fork Systems, Vibronic Systems, Level Switches, Safety Integrity Level, SIL, IEC 61508, ANSI/ISA-S84.01

Abstract
Safety instrumented systems (SIS) that are rated according to the Safety Integrity Levels (SIL) are gaining importance in the process industry. In this presentation, vibronic point level measurement devices that are used in highly reliable overfill protection systems will be discussed. Starting from the basics of how these tuning fork systems work, the construction principle will be illustrated. With regard to high functional safety, focus will be placed on the self-monitoring capability of vibronic systems and the PFM (Pulse Frequency Modulation) technology used for signal transmission from the sensor to the switching amplifier. The combination of these capabilities has led to a SIL2 / SIL3 rating of these sensors for overfill protection systems according to the international standard IEC 61508 / 61511. The probability of failure on demand (PFD) requirements according to IEC 61508 fulfilled by these systems are identical to the corresponding American standard ANSI/ISA-S84.01.

Introduction
Liquids are handled in all process facilities. This includes tank farms, food plants, chemical or pharmaceutical production sites and water and wastewater facilities. Some of these liquids are toxic, flammable, reactive or give rise to explosive gases, which could pose risks to the environment or personnel. An operator of a facility or a plant has to assure that these dangerous liquids are kept in the appropriate pipes, tanks and vessels. In particular, overspilling of a tank has to be avoided during filling processes.

Copyright 2003 ISA - The Instrumentation, Systems, and Automation Society. All rights reserved.

Local laws, government regulations, pollution control agencies or insurance companies require preventive measures to be in place to inhibit tank overruns as depicted in Figure 1 (A), especially during unattended automated filling processes (1). Regardless of the federal and state regulations of any country, an automated filling process always requires a high level alarm that causes an automatic flow shut-off to prevent an overfill. The reliability and the degree of functional safety of this overfill protection system is related to the potential danger of the liquid and the surrounding plant or facility.

Overfill protection systems
An overfill protection system is designed to stop product flow during delivery before the tank becomes full and begins releasing liquid into the environment. As a general rule, such a system consists of a high level sensor, a logic solver and a final element that shuts off the flow into the tank. Figure 1 (B) shows an example of such a system. It consists of a vibronic point level measurement device, an appropriate power supply and a switch amplifier unit in the control room. A Programmable Logic Controller (PLC) or Distributed Control System (DCS) based logic solver and a supply pipe shut-off valve complete the system.

Failure evaluation with regard to functional safety
The combination of these components has to fulfill the high functional safety demands that are defined in ANSI/ISA-S84.01 (2) or IEC 61508 (3) and IEC 61511 (4). High functional safety means that these components either have to work reliably or give an alarm whenever the protection system has to be maintained. Thus, different types of failures must be defined when a safety system is discussed.

Fig. 1 (A) Overfilling a tank without overfill protection (B) Tank with overfill protection system consisting of: (B1) a vibronic high level sensor (B2) a power supply and switch amplifier (B3) a Programmable Logic Controller (PLC) or Distributed Control System (DCS) (B4) a shut-off valve

Dangerous failures
In comparison to general failures, failures that lead to a malfunction and are not detected and announced automatically are dangerous. In the case of an overfill protection system, that means an operator would still rely on the system, and in case of a demand, the system would fail. To track down these dangerous failures and to quantify the likelihood of a dangerous failure on demand, a Failure Mode, Effect and Diagnostics Analysis (FMEDA) is done. The guidelines for this are written in the IEC standards 61508 (3) / IEC 61511 (4) and ANSI/ISA-S84.01 (2). Using these guidelines, a Probability of a Dangerous Failure on Demand (PFD) can be calculated. According to the different Safety Integrity Levels (SIL1 through SIL4), the probability of a dangerous failure cannot exceed given values. The exact values are given in IEC 61508 (3) / IEC 61511 (4) and ANSI/ISA-S84.02 (2).

In general, the components of an overfill protection system are purchased from different suppliers. To make the determination of a SIL classification manageable, the safety considerations can be divided among the different components. For that process, the PFD values have to be split into different components. A general recommendation is to weight the PFD value 35% on the sensor system, 15% on the logic solver and 50% on the final element (Figure 2). Finally, the whole system has to be reviewed. Not only statistical failures need to be accounted for; dangerous systematic failures also have to be avoided.

General failures
In general, a system or device is characterized by its Mean Time Between Failures (MTBF). That number represents an average lifetime value for the system or device and includes all failures. With regard to a functional safety classification, not all failures are relevant. Failures that are detected by the system and can be announced by an alarm do not lead to critical situations.

Fig. 2 Distribution of PFD (Probability of Failure on Demand) values on the components of an overfill protection system

Sensors for Overfill Protection Systems
According to this recommendation, only the sensor for the overfill protection systems shall be discussed and the means to achieve a high functional safety will be presented.

Point level measurement devices
Point level measuring devices for liquids are used in all process facilities. Numerous measurement technologies are available for these kinds of applications (e.g. float switches, vibration limit switches, ultrasonic gap switches, capacitive or conductive limit switches). When considering high functional safety, a measurement method has to be chosen that has low PFD values and will have no systematic failures during operation. Either a thorough investigation of the measurement sensor's systematic failures has to be done, or the know-how gained from a large number of applications has to be considered and a proven-in-use evaluation has to be done.

Vibronic point level measurement devices
Vibronic measurement devices or tuning fork systems fulfill the highest demands with regard to safety and reliability. The main advantage of vibronic point level measurement devices (over float switches, etc.) with regard to functional safety is that they use an active measurement principle. The device is kept in vibration continuously and is always monitored by evaluation electronics. A sensor failure is detected immediately in almost all cases and dangerous failures are avoided. In addition, vibronic measurement devices meet the requirements of almost all point level applications for liquids (5), (6). A vibronic device is independent of the installation position. The same device can be mounted from the top, side or bottom. State of the art devices are designed for a broad application bandwidth where no calibration of the sensor is necessary. This sensor is independent of process influences (e.g. pressure, temperature, etc.), independent of material characteristics (e.g. conductivity, dielectric constant, viscosity, etc.) and independent of gas bubbles, foam and solids (dirt soiling) in the process liquid.

These systems are gaining acceptance as a standard solution for level limit detection in all industries and are known to work properly in a wide range of applications. Functional safety data can be determined from this high number of installed units and proven-in-use evaluations can be made. As an example, the tuning fork system Liquiphant distributed by Endress+Hauser has been installed in more than 1.5 million applications. The product and application know-how created by that number of installations has led to a sensor design that is optimized for overfill protection systems and meets the SIL2 level in a 1oo1 (one out of one) and the SIL3 level in a 1oo2 (one out of two) or 2oo3 (two out of three) installation architecture.

Operation principle of a vibration limit switch
Mechanically excitable systems are used as vibration limit switches, usually oscillating forks with two tines. These tines are excited by a piezo drive that converts electrical energy into mechanical energy. A second piezo acts as a receiver, reconverting the mechanical energy into an electric signal. This electrical signal is amplified, phase shifted, amplified a second time and fed to the piezo drive. Thus, an electromechanical loop is set up that acts as a basic wave excitation and always causes the tines to oscillate at their resonance frequency. The setup of this basic wave excitation is shown in Figure 3 (A).

Liquid surrounding the tines extends the mass of the resonance system. The frequency is reduced when the tines are immersed in a liquid. Evaluation electronics monitor this frequency shift. Below a certain frequency, the sensor reports the covered condition to the evaluation electronics, which indicates the switch point. Typical characteristics showing the dependence of the resonance frequency on the depth of immersion are depicted in Figure 3 (B). A switch hysteresis of approximately 30 Hz is used between the activation and deactivation point (f_E and f_A) to reduce sensitivity to state changes. This corresponds to a hysteresis of the switch point of approximately 0.1. Furthermore, a time delay of approximately 1 second prevents a strong dependence on turbulent currents and waves on the surface of the measured liquid.

Corrosion
In general, corrosion of a sensor is a critical consideration in the application of point level measurement devices for overfill protection. If improperly managed, corrosion often leads to the state of a dangerous failure. The safe operation of a passive sensor cannot be ensured because detection of corrosion is not possible. In contrast, a sensor with a high functional safety has to operate properly even if it is partly corroded, or the failure of the function has to be reported to the control system. Vibronic point level measurement devices meet this demand. Figure 3 (B) shows the behavior of a tuning fork device under corrosive conditions. Corrosion of the tines causes a loss of mass, thus the frequency is increased. On reaching a certain resonance frequency level, a fault alarm is transmitted indicating that the point level switch must be replaced.

Fig. 3 Vibronic measurement devices: (A) basic wave excitation, (B) frequency immersion characteristics
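The frequency evaluation described above (switch hysteresis, time delay and the corrosion fault) can be sketched as a small state machine. This is an added example, not code from the white paper or from the manufacturer; the 30 Hz hysteresis and 1 s delay come from the text, while the switch point, the corrosion limit, the latching of faults and the sample readings are assumptions constructed for illustration.

```python
from enum import Enum

class Output(Enum):
    UNCOVERED = "uncovered"
    COVERED = "covered"
    FAULT = "fault"

HYSTERESIS_HZ = 30.0   # from the text: approximately 30 Hz
DELAY_S = 1.0          # from the text: approximately 1 second
# Assumed fork characteristics, constructed for this example:
F_COVER_HZ = 850.0                            # at or below: tines immersed
F_UNCOVER_HZ = F_COVER_HZ + HYSTERESIS_HZ     # at or above: tines free
F_CORROSION_HZ = 1080.0                       # above: mass loss, replace fork

class ForkEvaluator:
    """Turns resonance-frequency readings into a switching state."""

    def __init__(self):
        self.output = Output.UNCOVERED
        self._pending = None      # state waiting out the delay
        self._since = 0.0         # time the pending state was first seen

    def update(self, t, freq_hz):
        # Faults bypass the delay and latch (latching is an assumption):
        # no oscillation at all, or a frequency above the corrosion limit.
        if freq_hz <= 0.0 or freq_hz > F_CORROSION_HZ:
            self.output = Output.FAULT
        if self.output is Output.FAULT:
            return self.output
        if freq_hz <= F_COVER_HZ:
            target = Output.COVERED
        elif freq_hz >= F_UNCOVER_HZ:
            target = Output.UNCOVERED
        else:
            target = self.output  # inside the hysteresis band: hold state
        if target is self.output:
            self._pending = None  # disturbance ended before the delay ran out
        elif self._pending is not target:
            self._pending, self._since = target, t
        elif t - self._since >= DELAY_S:
            self.output, self._pending = target, None
        return self.output

def run_trace(trace):
    """Evaluate (time_s, freq_hz) readings and return the output per reading."""
    ev = ForkEvaluator()
    return [ev.update(t, f) for t, f in trace]

# Constructed readings every 0.25 s: splash, real fill, band, drain, corrosion.
SAMPLE_TRACE = (
    [(0.00, 1000.0), (0.25, 840.0), (0.50, 840.0), (0.75, 1000.0)]
    + [(1.00 + 0.25 * i, 840.0) for i in range(5)]      # 1.00 .. 2.00 s
    + [(2.25, 865.0)]
    + [(2.50 + 0.25 * i, 1000.0) for i in range(5)]     # 2.50 .. 3.50 s
    + [(3.75, 1090.0), (4.00, 1000.0)]
)

if __name__ == "__main__":
    for (t, f), out in zip(SAMPLE_TRACE, run_trace(SAMPLE_TRACE)):
        print(f"{t:4.2f} s  {f:6.1f} Hz  {out.value}")
```

The half-second dip at the start of the trace never reaches the output, while the sustained dip switches to covered after one second, and the reading above the corrosion limit raises the fault at once.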

Typical construction
Vibration limit switches are usually designed in a modular fashion so that any process connection, housing and electronic version can be combined in accordance with customer requirements. Figure 4 depicts the basic design. The oscillating fork with its piezoelectric drive is attached to the process connection and the housing adapter via an extension tube. The housing for the electronic insert is mounted on top of this arrangement and contains the power supply, the electronic components of the basic wave excitation as well as the frequency evaluation system and the output interface.

Fig. 4 Typical construction of a vibronic point level measurement device

Transmission via Pulse Frequency Modulation (PFM)
An important functional safety topic is the transmission method used between the sensor and the control room. Three sensor states have to be transmitted: sensor is uncovered, sensor is covered and sensor fault alarm. Often, an 8 / 16 mA output level switch is connected directly to a 4 to 20 mA input. As depicted in Figure 5 (A), 8 mA and 16 mA represent the covered and uncovered sensor situation. A current of 3.6 mA indicates a sensor fault signal, e.g. when the sensor is corroded or an electronic failure occurs. A current based transmission is safe as long as the setup is not affected by environmental conditions. Corrosion at the contacts can lead to an increase of the wire resistance, and water or humidity on the contacts may create a parallel resistance. Both can have an influence on the current and might lead to an uncertain or dangerous transmission condition.

In comparison to this 8 / 16 mA transmission, the Pulse Frequency Modulation (PFM) shown in Figure 5 (B) represents a higher safety standard of transmission via a two-wire line. Here, current pulses are superimposed on a bias current of 10 mA. In this case, the repetition rate of the pulses and not the current value corresponds to the sensor condition. 50 Hz corresponds to the covered condition, 150 Hz to the uncovered condition, and faults are coded with 0 Hz.

Fig. 5 Two-wire methods for point level measurement: (A) 8 / 16 mA transmission, (B) PFM transmission

Fig. 6 Block circuit diagram of a sensor and power supply / switch amplifier using PFM transmission

The block circuit diagram of a PFM sensor electronic insert and a power supply / switch amplifier is shown in Figure 6. Apart from the basic wave excitation, it consists of a digital signal processing unit and the electronic interface. It codes the covered, uncovered as well as the alarm message in an output signal and forwards it to the power supply / switch amplifier unit. In addition, the level switch operating power is derived from the 10 mA bias current. A calibration EEPROM is integrated into the sensor assembly, in which specific data, such as the exact frequency in air, the covered frequency in liquids of 0.5 and 0.7 g/cm³ and further specific data, are stored during the manufacturing process. Thus it is possible to exchange the electronic inserts with the assurance that every sensor unit is equally able to process the measurement values of all tuning forks precisely without any additional calibration.

Finally, the power supply / switch amplifier unit in the control room transforms the pulse frequency signal from the electronic interface into a relay output. The output relays are switched in accordance with the allocation 50 Hz / 150 Hz: covered / uncovered, or zero Hz: error. In addition, the transmission line is continuously monitored for line shorts and breakage. Constant monitoring is guaranteed from the sensor tines to the output of the power supply / switch amplifier.
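The difference between the two transmission methods can be made concrete by classifying the same sensor states at the receiver while a stray current is added to the loop. This is an added example, not code from the white paper or from any switch amplifier; the signal levels and pulse rates come from the text, while the tolerance windows, pulse height, duty cycle, sample rate and the modelling of a parallel resistance as an additive DC current are assumptions.

```python
from enum import Enum

class State(Enum):
    COVERED = "covered"
    UNCOVERED = "uncovered"
    FAULT = "fault"

# Nominal signal values are from the text; the tolerance windows, pulse
# height, duty cycle and sample rate are assumptions made for this example.
MA_TOL, HZ_TOL = 1.0, 10.0
FS = 10_000                     # samples per second
BIAS_MA, PULSE_MA = 10.0, 2.0   # 10 mA bias from the text, pulse height assumed

def classify_current(ma):
    """8 / 16 mA scheme: the DC level itself carries the state."""
    if abs(ma - 8.0) <= MA_TOL:
        return State.COVERED
    if abs(ma - 16.0) <= MA_TOL:
        return State.UNCOVERED
    return State.FAULT          # includes the 3.6 mA fault level

def pfm_samples(rate_hz, leak_ma=0.0, duration_s=0.2):
    """Constructed loop current: bias + pulses at rate_hz + DC leakage."""
    out = []
    for n in range(int(duration_s * FS)):
        in_pulse = rate_hz > 0 and (n * rate_hz) % FS < FS // 5  # 20 % duty
        out.append(BIAS_MA + leak_ma + (PULSE_MA if in_pulse else 0.0))
    return out

def pulse_rate(samples):
    """Repetition rate in Hz from rising edges; a DC offset cancels out."""
    edges = [n for n in range(1, len(samples))
             if samples[n] - samples[n - 1] > PULSE_MA / 2]
    if len(edges) < 2:
        return 0.0
    return (len(edges) - 1) * FS / (edges[-1] - edges[0])

def classify_pfm(samples):
    """PFM scheme: only the pulse repetition rate carries the state."""
    rate = pulse_rate(samples)
    if abs(rate - 50.0) <= HZ_TOL:
        return State.COVERED
    if abs(rate - 150.0) <= HZ_TOL:
        return State.UNCOVERED
    return State.FAULT          # 0 Hz or any implausible rate

def compare(sensor_state, leak_ma):
    """Receiver verdicts (current loop, PFM) for one sensor state plus leakage."""
    level = {State.COVERED: 8.0, State.UNCOVERED: 16.0, State.FAULT: 3.6}
    rate = {State.COVERED: 50, State.UNCOVERED: 150, State.FAULT: 0}
    return (classify_current(level[sensor_state] + leak_ma),
            classify_pfm(pfm_samples(rate[sensor_state], leak_ma)))

if __name__ == "__main__":
    # Constructed scenarios: (true sensor state, stray current in mA)
    for state, leak in [(State.COVERED, 0.0), (State.COVERED, 8.0),
                        (State.FAULT, 4.4), (State.UNCOVERED, 0.0)]:
        cur, pfm = compare(state, leak)
        print(f"{state.value:9s} leak {leak:3.1f} mA -> "
              f"current loop: {cur.value:9s} PFM: {pfm.value}")
```

With 8 mA of leakage a covered fork reads as uncovered on the current loop, which is the dangerous undetected case for overfill protection, while the PFM receiver still reports covered because the pulse rate is unchanged.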

Applications with extremely high safety requirements demand error-proof systems which operate in safe conditions in spite of any type of breakdown. Regular inspection and verification of the system is required to ensure safety. As a guideline, the overfill protection sensor system has to be function tested regularly (e.g. once a year) to meet SIL qualifications. Normally, this has to be done by dismantling the sensor and testing it in a liquid or by filling the tank to the sensor point. This is both expensive and risky, especially when a dangerous liquid is pumped up to the maximum tank level.

Self-check push button
Devices that use PFM transmission technology and have an internal test generator for manual verification are allowed to be tested by a push button. In this case, the push button disconnects the wire to the sensor. After this voltage interruption, once the voltage has been reconnected, the sensor operates briefly in self-testing mode until it automatically switches to operating mode. As shown in Figure 6, in self-testing mode the frequency of the test generator, instead of the frequency of the basic wave excitation, is connected to the downstream circuit. The correct interpretation of the uncovered, covered and error frequencies which might occur (e.g. corrosion) is verified. This ensures the proper functioning of the measuring system from the tuning fork frequency input to the power supply / switch amplifier unit. In addition, the manual function test permits the verification of the response of associated system components, e.g. the sequential control of a shut-off valve or a visual or acoustic alarm.

Concluding remarks
The vibronic point level measurement principle described in this article, using PFM transmission between the sensor and the power supply / switch amplifier in the control room, represents the highest end of sensor systems for overfill protection. In this system, the integrated test generator activated by a push button in the control room provides a convenient means for the periodic function test required with safety systems. In comparison to other point level measurement principles, this test does not only evaluate the function of the sensor, but also checks the permanent self check that continuously monitors the frequency of the tuning fork sensor. All these means have culminated in a vibronic sensor that is SIL3 rated in 1oo2 or 2oo3 installation architectures by the German TUV (Technischer Ueberwachungs Verein).

However, the sensor is only one part of a complete overfill protection system. The final element, e.g. a shut down valve, is as important as the sensor to prevent an unwanted release of liquid into the environment. Due to a high fraction of mechanical parts in these devices, instruments with a similarly high functional safety can be provided only in a very high price segment. Therefore, other means are often taken into consideration to improve the safety of vessels containing highly hazardous liquids. In consequence, an inexpensive sensor with a lower functional safety can be chosen. In this case, vibronic point level measurement devices with integrated relay output can be used. These also use highly proven-in-use components, but go without a separate power supply / switch repeater.

References
1. WHG Germany: Zulassungsgrundsaetze für Ueberfuellsicherungen (ZG-Ues / May 1999), Wasserhaushaltsgesetz 19
2. ISA (1996), ANSI/ISA-84.01-1996: Application of Safety Instrumented Systems for the Process Industries, Research Triangle Park, NC: The Instrumentation, Systems and Automation Society
3. IEC (1998), IEC 61508, Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems, Parts 1-7, Geneva: International Electrotechnical Commission
4. IEC (2002), IEC 61511, Functional Safety Instrumented Systems for the Process Industry Sector, Parts 1-3, (Draft in Progress), Geneva: International Electrotechnical Commission
5. Rompf, Christoph, Characteristics of Universal Limit Switches for Liquids, What is new in process engineering, Melbourne, September 2000, p. 60-70
6. Rompf, Christoph, Anforderungen an universelle Grenzschalter für Flüssigkeiten, tm-technisches Messen; Sensoren, Geräte, Systeme, May 2000, p. 220-227
