Institute of Measurement and Control Functional Safety Conference 2016
Challenges in Achieving Safety Instrumented Function Response Time for a Fast-Acting Process
Operations and Maintenance
In addition to verifying the response time of the loop under demand conditions, for fast-acting processes,
it is also important to consider the operation of the SIF throughout its lifetime. This includes diagnostics,
response on failure of a device in the loop and periodic testing of the loop. The following are
recommendations considered during the design of the example SIF to address operability and
maintainability issues.
Diagnostics
Device failures can occur within the lifetime of the SIF. The response to alarms and failures for fast-acting loops should be carefully considered and defined within the design stage of the project to ensure the SIF is robust in the presence of a failure.
As is typical for safety loops, all devices should be configured to fail to a safe position. For initiators, this means failing to the trip state (as opposed to failing to the opposite state and raising an alarm). The logic solver should be capable of receiving diagnostics from devices and providing alarms when there is a device or internal fault. The logic solver should also have self-diagnostics to raise an alarm when there is an internal failure. The frequency of processor timing faults should be considered and included in PFD calculations.
When possible, voting or installed spares should be considered to increase the tolerance of the loop to a
hardware fault and to provide sufficient time for repairing the failed device. Discrepancy alarms can also
be used to indicate instrument drift errors or that a device has failed.
IEC 61511-1 (2016), clause 11.3.1, requires that on detection of a dangerous fault in a SIF, compensating
measures or a specific action be taken to achieve or maintain a safe state. To determine the
appropriate response, the hardware fault tolerance and demand mode should be considered. A fast-acting
process, depending on the process safety time, may be considered a continuous process. The time between
the normal state and the trip state should be considered in defining the response to failure alarms and in
evaluating whether the operator would have sufficient time to respond to a diagnostic alarm. Other
methods of monitoring the system such as an equivalent control loop should also be considered.
If it is deemed that there is sufficient time for the operator to act and take corrective action, then diagnostic alarms for fast-acting loops should be configured as high priority alarms, and setting any pre-alarms as high priority should also be considered.
In the example, the final proposed solution of a level trip used bubbler liquid level type measurement
based on existing level technology and physical constraints of the vessel. Although the transmitters were
designed in a 2oo3 configuration, the purge flow was regulated by a single device on each leg. It followed
that a single device failure could lead to inaccuracies in the readings. To increase the robustness of the
design, flow switches were added to the purge flow regulators to provide diagnostics. The failure modes
of the regulators and impact on the SIF were reviewed. Common mode failures between this and other
monitoring devices were evaluated to determine the available monitoring. The appropriate action to be
taken on detection of regulator failure was examined and discussed. In addition, the devices
selected to provide the diagnostics were high integrity devices, which ensures the robustness of the
diagnostics themselves.
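As an added illustration (not from the paper or the project it describes), the following Python sketch shows how a logic solver could vote a 2oo3 bubbler level trip while treating a leg whose purge-flow switch reports a fault as failed-to-trip, degrading the vote rather than masking a high level, and raising high-priority diagnostic and discrepancy alarms; the tag names, setpoint and discrepancy limit are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed values for illustration; real setpoints come from the SRS.
TRIP_SETPOINT = 85.0       # high-level trip, % of span
DISCREPANCY_LIMIT = 5.0    # max spread between healthy legs before a discrepancy alarm, % of span

@dataclass
class Leg:
    tag: str               # hypothetical transmitter tag
    level: float           # bubbler level reading, % of span
    purge_flow_ok: bool    # diagnostic from the purge-flow switch on this leg's regulator
    comms_ok: bool = True  # transmitter is reporting to the logic solver

def leg_is_healthy(leg: Leg) -> bool:
    return leg.comms_ok and leg.purge_flow_ok

def leg_votes_trip(leg: Leg) -> bool:
    # Fail-safe: a leg with a diagnosed fault is counted as a trip vote,
    # so a failed purge regulator cannot hide a genuine high level.
    return (not leg_is_healthy(leg)) or leg.level >= TRIP_SETPOINT

def evaluate_2oo3(legs: List[Leg]) -> Tuple[bool, List[str]]:
    """Vote three legs 2oo3; return (trip, alarm messages)."""
    if len(legs) != 3:
        raise ValueError("2oo3 voting needs exactly three legs")
    alarms = []
    for leg in legs:
        if not leg_is_healthy(leg):
            alarms.append(f"HIGH PRIORITY: {leg.tag} diagnostic fault; leg treated as tripped")
    healthy = [leg for leg in legs if leg_is_healthy(leg)]
    if len(healthy) >= 2:
        # Discrepancy check between the legs that are still trusted
        spread = max(h.level for h in healthy) - min(h.level for h in healthy)
        if spread > DISCREPANCY_LIMIT:
            alarms.append(f"DISCREPANCY: {spread:.1f}% spread between healthy legs")
    if len(healthy) < 2:
        alarms.append("HIGH PRIORITY: voting degraded below 2oo3; repair within allowed time")
    trip = sum(leg_votes_trip(leg) for leg in legs) >= 2
    return trip, alarms

if __name__ == "__main__":
    legs = [Leg("LT-101A", 50.0, True), Leg("LT-101B", 50.0, False), Leg("LT-101C", 50.0, True)]
    print(evaluate_2oo3(legs))
```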
The result was that, by use of level measurement instead of temperature measurement, the process
provided some margin for operator response because the level would not change as rapidly as the