Can I Use The Same Instrument for Boiler Protection and Boiler Control?

Glenn

Hi all,

If I have 3 level transmitters used for drum level, can I use them for both control of the drum level and boiler trip (on high/low level)?

I thought that this was fully compliant if you ran the transmitters first into the safety system and then into the DCS.

If this is a violation of 61511 or 61508, does anyone know which chapter it would apply to?

Thanks in advance.
Glenn
 
You should not use the same sensing elements and / or final elements for a trip as are used for control of the same system or function. The reason is independence and points of failure.
Refer to Section 11.2.10 of 61511.
Section 11.2.4 Note 2 may also be relevant.

In this case it would depend on how you're using the 3 level transmitters.

If you are using 1 for level control and 1 out of 2 (1oo2) for the trip, then it's allowable under 61508 / 61511. If your trip is 2 out of 3 (2oo3) (using all of the sensors), then the answer is generally no, because your trip will not be independent of the control function, i.e. a failure of the sensing device(s) could cause a control system deviation, the safety function for which relies on a sensor that has failed.

You may find an argument that says if it's a low SIL SIF (e.g. SIL 1) you could justify your way around this. I'd ask why you have 3 sensors in the first place if the SIL is that low.
 
Good reply

Could you please explain whether it is a mandatory requirement of IEC 61508/61511 to use switches for tripping or not?

Actually, one of the boiler manufacturers is providing transmitters for drum level trip securities. Previously the boilers had one transmitter for controlling & three separate switches for tripping. I know that controlling & tripping should be separate sensing devices.
The question is: which is the better solution for boiler drum level security, & is this mentioned in the IEC standard?
 
The reason transmitters are preferred is primarily diagnostic coverage. The majority of failure cases for switches are undetected (i.e. you won't know until you either test it or really need it) and how often do you really want to test these switches?
You have a much greater chance of catching a failed transmitter (out of range alarms, discrepancy alarms, calibration actions etc).

I don't know that the standard says "don't use switches", but it has a lot to say on diagnostic coverage. Diagnostic coverage is used in validating the design of the safety system and also in determining test intervals etc.

As a side note, you can also tell the degree of exceedance with a transmitter, i.e. did it go just over the limit or did it go waaaaaaaaaaaaaaay over.

If you have any choice, use a transmitter. Your customer standards may also mandate their use.

Reasons not to are primarily to do with space or access restrictions. If the only real objection is the (relatively minor) cost differential, you may want to find somewhere else to work. Preferably upwind.
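
The out-of-range and discrepancy checks mentioned in the post above, as an added example that is not part of the original post: a sketch that flags a failed transmitter among three 4-20 mA drum level signals and reports how far over a high-level setpoint the healthy ones read. The tag names, thresholds and sample readings are assumptions constructed for illustration.

```python
from statistics import median

# Assumed values for illustration; not taken from the thread or from any standard it cites.
FAIL_LOW_MA, FAIL_HIGH_MA = 3.6, 21.0  # assumed out-of-range limits for a 4-20 mA loop
MAX_DEVIATION_MA = 0.8                 # assumed discrepancy tolerance (5 % of the 16 mA span)
HIGH_TRIP_MA = 18.4                    # assumed high-level trip setpoint (90 % of span)

def diagnose(readings):
    """Return {tag: 'out_of_range' | 'discrepancy' | 'ok'} for one scan of readings in mA."""
    in_range = {t: v for t, v in readings.items() if FAIL_LOW_MA < v < FAIL_HIGH_MA}
    status = {t: "out_of_range" for t in readings if t not in in_range}
    if in_range:
        # Compare each in-range signal with the median of the in-range signals.
        # With only two left, a large disagreement flags both: neither can be trusted.
        mid = median(in_range.values())
        for tag, value in in_range.items():
            status[tag] = "discrepancy" if abs(value - mid) > MAX_DEVIATION_MA else "ok"
    return status

def high_level_exceedance(readings):
    """Percent of span by which the healthy median is over the trip setpoint.

    Negative means below the setpoint; None means no healthy signal is left.
    A level switch can only report tripped / not tripped, so it has no equivalent.
    """
    status = diagnose(readings)
    healthy = [v for t, v in readings.items() if status[t] == "ok"]
    if not healthy:
        return None
    return round((median(healthy) - HIGH_TRIP_MA) / 16.0 * 100, 1)

# Constructed sample scans (mA); LT-A/B/C are hypothetical tag names.
SAMPLES = {
    "normal":    {"LT-A": 12.0, "LT-B": 12.1, "LT-C": 11.9},
    "drifted":   {"LT-A": 12.0, "LT-B": 12.1, "LT-C": 14.5},
    "open_loop": {"LT-A": 3.2,  "LT-B": 12.0, "LT-C": 12.2},
    "overfill":  {"LT-A": 19.9, "LT-B": 20.0, "LT-C": 20.1},
}

if __name__ == "__main__":
    for name, scan in SAMPLES.items():
        print(name, diagnose(scan), high_level_exceedance(scan))
```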
 
The IEC codes outline an evaluation procedure that includes risk assessments, etc., beyond the minimum requirements.

The Boiler and Pressure vessel codes and the Fire Protection tell you the minimum requirements for fail safe.

In the case of drum levels, your safety interlocks are critical, and may require independent hard wire protection in addition to your transmitter, DCS controls, and interlocks.
 