Practice Safe Sensing

With process safety and sensors, sometimes garbage in equals more than garbage out. Because these devices measure pressure, temperature, flow, level, and other process parameters, they play a pivotal role in determining a process unit’s output. A wrong reading can produce waste or create a catastrophe that costs lives and makes national news.

11/01/2008



Now, thanks to advances in technology, sensor systems have greater intelligence and therefore more diagnostic capabilities. Today, sensors can be certified by third parties to meet safety integrity levels, or SIL, designations found in IEC 61508. One positive result of this is the potential to use fewer sensors without compromising safety, leading to a decrease in wiring and installation costs. Another positive effect is the potential for improved process control, largely due to increasingly intelligent sensors.

“Certified products deliver higher design quality,” asserts William Goble, principal partner and co-founder of exida, a company that offers functional safety training, technical support, and expertise from its North American headquarters in Sellersville, PA. (The company’s European base is in Fischbachau, Germany.) This better design is due not to success but rather to failure, notes Goble. “Nearly half of the products that attempt certification fail on the first try. Only when the design process is improved and diagnostics are added do they pass.”

Goble’s data shows that the number of certified sensors has exploded in recent years, with the cumulative total of such devices moving from five in 2003 to eight in 2005 and 24 in 2007. There have been indications that vendors are converting, or will soon convert, entire future sensor lines to certified products. Goble notes that taking full advantage of such sensors will require that systems be configured correctly. For example, running diagnostics in certified sensors may send the reading out of range. An incorrectly configured controller will interpret this as a fault, shutting down the process unnecessarily. A better approach would be to implement a hold-last-value strategy, with action taken only if a reading stays out of range for longer than a specified time.

A loading bay for Shell petroleum products in the U.K. makes use of safety-certified mass flowmeters. Courtesy Endress+Hauser.


Known failures

One of the first companies to offer a certified sensor was bought a few years ago by Siemens Energy and Automation (SEA). Louis DiNapoli is application engineering and technical support manager for the SEA process instrumentation unit that makes safety certified sensors. DiNapoli says that these sensors differ from non-certified equivalents.

For example, they often contain two microprocessors, from different vendors, which are based on different technology and implementations. Each microprocessor takes input from the transducer, the unit that translates the physical parameter into an electrical output. The results of the two different calculations can then be compared, with similar results ensuring that the microprocessors are performing correctly. Another failsafe feature of the new sensors includes the ability to force the sensor via software to a predetermined level, such as 80% of full scale. This result can then be measured and compared to what’s expected, providing another indication that the sensor is working correctly.

A key point to be aware of regarding these features is that they do not function to ensure a correct sensor reading. They also don’t prevent a failure. But, notes DiNapoli, that’s not what a safety-certified sensor is designed to achieve. “You don’t care that it fails. You care that it fails in a known fashion,” he says. What is transmitted in the case of sensor failure is a known, pre-determined quantity, allowing that failure to be detected. Of course, the system has to be configured not only to detect the fault but also not act on the value, since it is the result of a failure.
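
The hold-last-value strategy Goble describes and the "detect the fault but don't act on the value" requirement above can be sketched as one piece of controller input logic. This is an added example, not code from the article or any vendor; the 3.8 to 20.5 mA valid band, the 2-second hold time, and all names are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class HoldLastValueInput:
    lo: float = 3.8          # assumed lower bound of a valid signal, mA
    hi: float = 20.5         # assumed upper bound of a valid signal, mA
    max_hold_s: float = 2.0  # assumed tolerance for a diagnostic excursion, s
    last_good: Optional[float] = None
    bad_since: Optional[float] = None

    def update(self, t: float, raw: float):
        """Return (value_for_control, state) for the sample raw taken at time t."""
        if self.lo <= raw <= self.hi:
            self.last_good, self.bad_since = raw, None
            return raw, "OK"
        if self.bad_since is None:
            self.bad_since = t  # start timing the out-of-range excursion
        if self.last_good is not None and t - self.bad_since <= self.max_hold_s:
            return self.last_good, "HOLD"  # ride through a short self-test
        # Persistent out-of-range signal: report a fault and hand the
        # control logic no value at all, so the failure value is never used.
        return None, "FAULT"

def run(samples, **kw):
    ch = HoldLastValueInput(**kw)
    return [ch.update(t, raw) for t, raw in samples]

# Constructed samples: (time in s, loop current in mA)
SAMPLES = [
    (0.0, 12.0), (0.5, 12.1),
    (1.0, 21.5), (1.5, 21.5),              # brief diagnostic excursion
    (2.0, 12.2),
    (2.5, 3.5), (3.0, 3.5), (3.5, 3.5),    # sensor drives its known
    (4.0, 3.5), (4.5, 3.5), (5.0, 3.5),    # failure value and stays there
]

if __name__ == "__main__":
    for (t, raw), (val, state) in zip(SAMPLES, run(SAMPLES)):
        print(f"t={t:4.1f}s raw={raw:5.1f} mA -> {state:5} value={val}")
```

The short excursion is bridged with the last good reading, while the persistent one ends in a fault state after the hold time expires instead of an immediate trip.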

While internal computations and values transmitted to the outside world are checked, sensor systems may have only one transducer in them. This front end of the entire chain, says DiNapoli, turns out to be the area where it is most difficult to assure reliable operation, in part because there’s only one process measurement. Since there’s nothing to provide a check or reference, assurance has to be inferred.

However, increasing intelligence, along with some sophisticated algorithms, may make such indirect checking easier to do. Five years ago, sensor packages were relatively dumb. Today, they’re much more intelligent and provide information that helps ensure safe operation as well as improve the process.

For example, sensors can have registers that count every time the pressure goes above one of three set points. One of those points could be the process design maximum. From those counts, a simple histogram could reveal important information, such as the process being above design maximum pressure a majority of the time. These types of results may indicate a design flaw or that a control system isn’t working well, says DiNapoli.

Another company with a long history in safety-rated sensors is Endress+Hauser of Reinach, Switzerland. The company has local sales centers and representatives, with the U.S. headquarters in Greenwood, IN. Endress+Hauser also partners with Rockwell Automation.

Safety-certified mass flowmeters are used in the oil and gas industry. Courtesy Endress+Hauser


Gerold Klotz-Engmann is head of department technical safety for the company’s German sales center. He notes that the company designs products to conform to IEC 61508; all new product designs will meet this standard. Achieving that requires self diagnostics so that passive internal component faults can be spotted, along with steps to ensure no software glitches or problems.

Nearly all company products have undergone third party assessment and can be used in SIL 2 or SIL 3 safety instrumented systems. The system architecture determines how many compliant sensors should be used. For example, if a SIL 2 level is required, then the situation is relatively simple, says Klotz-Engmann. “Normally a single channel architecture with a SIL 2 compliant sensor is sufficient.” Things get more complicated if a higher level of safety is required, he adds. Then it may be necessary to use two or three sensors, with the sensors voting to arrive at a consensus measurement. The advantage of the three sensor arrangement is increased safety and greater availability, since the trio will continue to provide information even if one or two sensors fail.
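
The three-sensor voting arrangement described above, as an added example that is not from the article or from Endress+Hauser. It assumes a high-pressure trip, that a channel with a detected fault is reported as None, and a degradation policy of 2oo3 to 1oo2 to 1oo1; the function name and the sample values are constructed.

```python
from statistics import median

def vote(readings, trip_above):
    """Vote over up to three channels.

    readings: one float per channel, or None for a channel whose
              diagnostics have flagged a fault (assumed convention).
    Returns (architecture, consensus_value, trip).
    """
    healthy = [r for r in readings if r is not None]
    n = len(healthy)
    if n == 3:
        # 2oo3: at least two channels must agree before tripping, so a
        # single wrong-high reading cannot shut the process down.
        trip = sum(r > trip_above for r in healthy) >= 2
        return "2oo3", median(healthy), trip
    if n == 2:
        # One channel lost: degrade to 1oo2. Either remaining channel can
        # trip, and the higher reading is used as the conservative value.
        return "1oo2", max(healthy), any(r > trip_above for r in healthy)
    if n == 1:
        # Two channels lost: the last sensor still provides information.
        return "1oo1", healthy[0], healthy[0] > trip_above
    # No healthy channel left: nothing to measure with, go to the safe state.
    return "none", None, True

if __name__ == "__main__":
    limit = 120.0  # constructed trip limit
    for case in ([101.0, 99.0, 150.0],   # one outlier, no trip
                 [130.0, 99.0, 150.0],   # two channels high, trip
                 [None, 99.0, 150.0],    # one channel faulted
                 [None, None, 99.0],     # two channels faulted
                 [None, None, None]):    # all channels faulted
        print(case, "->", vote(case, limit))
```

With three healthy channels a single outlier is outvoted, which is the availability gain the paragraph describes; with fewer channels the same outlier would trip the process.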

Carl Sonoda, marketing manager for field instrument solutions at the Yokogawa Electric Corporation of Tokyo, says the company’s first certified sensor appeared in 2003. Today, Yokogawa has a series of temperature sensors, pressure transmitters, and multivariable transmitters, all safety-rated and designed to achieve a SIL 2 or 3 performance.

The best practice for a safety loop design, he notes, is to use multiple transmitters, with each voting. Adding to redundancy costs are the number of devices, wiring, post-installation testing, and ongoing maintenance.

A safety-rated device can help reduce the number of sensors required and thereby cut such expenses. “Our IEC SIL 2/3 certified transmitter can provide functionality so that it’s possible to use one safety transmitter instead of two standard transmitters,” says Sonoda.

Deployment choice: many or few

The question about how many sensors to use isn’t clear cut. Dale Perry, pressure marketing manager for the Chanhassen, MN-based Rosemount division of Emerson Process Management, notes that using fewer sensors is a mixed blessing. Fewer sensors increase the possibility of a false alarm, which carries a cost since it might shut down a process needlessly. Thus, the total outlay of any solution will have to be carefully considered. The correct answer about how to implement a sensor strategy will depend upon many factors in addition to installation and commissioning costs.

A safety-certified transmitter helps keep a pharmaceutical process running smoothly and safely. Courtesy Siemens Energy and Automation


Rosemount’s history with safety certified sensors parallels that of other manufacturers. Initially, safety certified products were unique, and they faced a distinctive requirement in that they had to meet the applicable standard. Over time, incorporating the features needed for certification into standard devices became a company best practice. This evolution explains why the price differential between standard and safety-rated sensors has diminished significantly.

However, it may never disappear entirely. A certified device carries extra expenses, not all of which can be found in hardware or software. At Rosemount, for example, Perry says incoming orders are checked to ensure that all options ordered with the device are within the safety certification scope.

Also, a copy of the product safety certificate, a document listing the certified failure modes, effects, and diagnostic analysis (FMEDA), as well as the device serial number and failure data are shipped with each transmitter. Doing so provides required documentation, says Perry. The same intelligence that makes sensors safer increasingly supplies other capabilities, he says. Users demand predictive diagnostics beyond the sensor. They want this functionality because more insight into a process helps prevent abnormal, and potentially unprofitable or dangerous, situations. These demands could lead to changes in safety-rated sensors, says Perry. “We see these advanced process diagnostics, as well as loop diagnostics, being included in future safety certified products.”

Year    Cumulative total
1996    1
1997    1
1998    2
1999    2
2000    2
2001    4
2002    4
2003    5
2004    7
2005    8
2006    12
2007    24

Source: Control Engineering and exida





