
Institute of Measurement and Control Functional Safety Conference 2016

Challenges in Achieving Safety Instrumented Function Response Time for a Fast-Acting Process

Page 9

Operations and Maintenance

In addition to verifying the response time of the loop under demand conditions, for fast-acting processes it is also important to consider the operation of the SIF throughout its lifetime. This includes diagnostics, response on failure of a device in the loop and periodic testing of the loop. The following are recommendations considered during the design of the example SIF to address operability and maintainability issues.

Diagnostics

Device failures can occur within the lifetime of the SIF. The response to alarms and failures for fast-acting loops should be carefully considered and defined within the design stage of the project to ensure the SIF is robust in the presence of a failure.

As is typical for safety loops, all devices should be configured to fail to a safe position. For initiators, this means failing to the trip state (as opposed to failing to the opposite state and raising an alarm). The logic solver should be capable of receiving diagnostics from devices and providing alarms when there is a device or internal fault. The logic solver should also have self-diagnostics to raise an alarm when there is an internal failure. The frequency of processor timing faults should be considered and included in PFD calculations.

When possible, voting or installed spares should be considered to increase the tolerance of the loop to a hardware fault and to provide sufficient time for repairing the failed device. Discrepancy alarms can also be used to indicate instrument drift errors or that a device has failed.

IEC 61511-1 (2016) clause 11.3.1 requires that, on detection of a dangerous fault in a SIF, compensating measures or a specific action be taken to achieve or maintain a safe state. To determine the appropriate response, the hardware fault tolerance and demand mode should be considered. A fast-acting process, depending on the process safety time, may be considered a continuous-mode process. The time between the normal state and the trip state should be considered when defining the response to failure alarms and when evaluating whether the operator would have sufficient time to respond to a diagnostic alarm. Other methods of monitoring the system, such as an equivalent control loop, should also be considered.

If it is deemed that there is sufficient time for the operator to act and take corrective action, then diagnostic alarms for fast-acting loops should be configured as high priority alarms, and consideration should be given to setting any pre-alarms as high priority as well.

In the example, the final proposed solution of a level trip used a bubbler-type liquid level measurement, based on existing level technology and the physical constraints of the vessel. Although the transmitters were designed in a 2oo3 configuration, the purge flow was regulated by a single device on each leg. It followed that a single device failure could lead to inaccuracies in the readings. To increase the robustness of the design, flow switches were added to the purge flow regulators to provide diagnostics. The failure modes of the regulators and their impact on the SIF were reviewed. Common mode failures between these and other monitoring devices were evaluated to determine the available monitoring. The appropriate action to be taken on detection of regulator failure was examined and discussed. In addition, the devices selected to provide the diagnostics were high integrity devices, which would ensure the robustness of the diagnostics themselves.
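The voting, fail-to-trip and discrepancy-alarm recommendations above, and the 2oo3 bubbler level trip of the example, can be illustrated with a small logic-solver model. This is an added example, not code from the paper or its authors: the trip setpoint, discrepancy tolerance, tag names and the choice to treat loss of purge flow on a leg as a failed channel are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from statistics import median
from typing import List, Optional

TRIP_LEVEL = 80.0    # assumed trip setpoint, % of span (constructed value)
DISCREPANCY = 5.0    # assumed allowable spread between healthy channels, % of span


@dataclass
class Channel:
    tag: str
    level: Optional[float]  # None: transmitter reports an internal diagnostic fault
    purge_flow_ok: bool     # assumed flow switch on this leg's purge regulator


def channel_faulted(ch: Channel) -> bool:
    # Assumption: loss of purge flow makes a bubbler reading untrustworthy,
    # so the channel is treated as failed rather than as a valid low level.
    return ch.level is None or not ch.purge_flow_ok


def channel_votes_trip(ch: Channel) -> bool:
    # Fail-to-trip: a faulted initiator votes for the safe (trip) state.
    return channel_faulted(ch) or ch.level >= TRIP_LEVEL


def evaluate(channels: List[Channel]) -> dict:
    """2oo3 vote with fail-to-trip channels and discrepancy alarms."""
    alarms = []
    votes = [channel_votes_trip(ch) for ch in channels]
    for ch in channels:
        if channel_faulted(ch):
            alarms.append(f"HIGH: {ch.tag} faulted, fail-to-trip applied")
    # Discrepancy check only among channels that are still healthy.
    healthy = [ch for ch in channels if not channel_faulted(ch)]
    if len(healthy) >= 2:
        mid = median(ch.level for ch in healthy)
        for ch in healthy:
            if abs(ch.level - mid) > DISCREPANCY:
                alarms.append(f"HIGH: {ch.tag} discrepancy {ch.level - mid:+.1f}% vs median")
    return {
        "trip": sum(votes) >= 2,        # 2oo3: two or more channels demand a trip
        "degraded": len(healthy) < 3,   # one failed channel leaves effectively 1oo2
        "alarms": alarms,
    }
```

A single transmitter or regulator failure therefore raises a high priority alarm without tripping the process on its own, while a second failure or a genuine high level does trip it.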

The result was that, by use of level measurement instead of temperature measurement, the process provided some margin for operator response because the level would not change as rapidly as the