Generic pressure transmitter in SIL determination


Ricardo Almarza

Dear sirs,

Could you clarify the phrase "generic pressure transmitter" in SIL determination? What does this mean? May I specify a normal pressure transmitter, or should it be SIL certified?

Thanks a lot
 
Hi Mr.Ricardo Almarza,

Get different answers with different SIL selection techniques.

Which would you rather do, spend a few minutes using a simple qualitative technique and implement a safety integrity level (SIL) 3 design (with very high life-cycle costs), or spend a few more minutes in the up-front requirements using a more quantitative technique and end up implementing a SIL 1 design (with much lower life-cycle costs)? Here's how you can make the most of your SIL determination.

Safety instrumented system (SIS) standards (ANSI/ISA 84, IEC 61508, and 61511) cover several techniques to determine safety integrity levels--the performance required of safety instrumented functions. The three-dimensional risk matrix (associated with North America) and the risk graph (associated with Europe) are two qualitative methods. Layer of protection analysis (LOPA) is a semiquantitative technique. It involves identifying hazardous events, determining initiating event frequencies, establishing tolerable levels of risk, and analyzing each independent safety layer to see if you can reach the overall level of risk. If not, you will need to add either additional safety layers, or strengthen existing layers.

Experience has shown that the different techniques can yield significantly different answers. The qualitative techniques can result in overly pessimistic answers, such as false high-integrity level requirements. This is usually due to the difficulty of calibrating these techniques to incorporate risk criteria. More quantitative techniques (which you can more easily calibrate to incorporate risk criteria) can yield significantly lower requirements.

Therefore, spending a little more time in the up-front system requirements analysis using more quantitative techniques can result in (1) a more realistic (and possibly lower) system performance requirement, and (2) considerable economic savings in the design, installation, and maintenance of the system.

Take the sample case of a valve spuriously closing--resulting in pipeline overpressure and possible rupture. A valve in a pipeline application was recently modified from a motor-operated valve to a pneumatically controlled, solenoid-operated, spring-loaded, fail-safe (closed) valve. If this valve were to spuriously close, it would create an overpressure in a portion of the pipeline, resulting in a possible pipeline rupture and vapor cloud, with a potential for an explosion and fatalities. A proposed safety system called for a safety transmitter, logic box, and safety valve that would shut in a portion of the pipeline to prevent the over-pressure condition.

As an exercise, the three-dimensional risk matrix, risk graph, and LOPA helped to determine what the differences in integrity level recommendations, if any, might be. You will find the methods described (and diagrams) in the standards themselves.
 

Ricardo Almarza

Dear sir
Thanks a lot for your answer, but my doubt was raised badly. In fact the SIL obtained for the loop (SIF) was SIL 1, in this case composed of:

- initiator: voting 1oo1, a *generic* level transmitter (LT-030)

- logic solver: a certified SIL 3 PLC

- actuator: XY-54 solenoid SIL 3 (installed in a *generic* pneumatic XV-54 ball valve)

Now comes the real world: specifying the data sheet for the generic level transmitter (LT-030) and the generic pneumatic ball valve. Are both *regular instruments*? Or are they some special kind of instruments that must accomplish some special items like MTTF, MTBF, PFD and so on? For the ball valve data sheet I think it is easy, just specify a SIL 3 solenoid, but what about the word "generic"? As you can see, my problem is to specify the data sheet for a "generic" instrument. The item mentioned above was obtained from specific software like Exida or SilSolver.

Thanks in advance for you help.

*Ricardo Almarza*
Instrumentation and Electrical Manager
PROJECTUS Consultoria Ltda.

*Before printing*, think of your commitment to the *Environment*.

Email: ricardo.almarza [at] projectus.com.br
 
Ricardo,

You might be better off giving us more details/better context to judge the use of these words and what the meaning is. SIL determination is usually referenced to process related events that have an associated hazard that is realised if they occur. Unless the initiating event is a control system related event or you are considering the PT as an element in a layer of protection, the use of "generic PT" seems out of context.

In general, if you have a safety function that requires the use of an instrument, first select an instrument that measures the appropriate variable over an appropriate range in the environment to be encountered in service. If you then have a choice of a "certified" device versus non-certified, examine it as a possible improvement but be slightly sceptical of manufacturers' claims. Your application requirements may make the difference between the certified instrument being more suitable or perhaps not. Do not choose a device just because it is certified.

Hope this helps
David
 
Ricardo,

The generic in this case I think refers to failure rate and failure mode data that are typical of the kind of device that was selected so it is not special in any way.

As I said previously (it seems our posts crossed in the ether:)) select the right instrument for the job from a measurement/control point of view rather than a certified device. You should be able to find out what the assumptions were by the software tool with respect to failure data and make sure that the device you select equals or betters the parameters assumed. If the device is certified great, but it doesn't have to be. Also make sure you document your assumptions and get them checked.

Regards
David
 
Hi Guys,

I'm facing a similar scenario to Ricardo's. Our automation guys did a SIL study and the SIL reports yielded a few loops classified as SIL 1. I tried to check the availability of SIL 1 rated transmitters and MOVs, etc. and found that they can be certified SIL 2 or 3; there's no SIL 1.

So my question is do we need a SIL 2 rated instruments for the SIL1 loop?

I checked IEC 61511, and some statements give me a clue that I can actually use lower SIL rated field devices to satisfy a higher SIL. It means that if I have a SIL 1 loop, I can actually use non-SIL transmitters and MOVs, subject to some conditions. But those conditions I do not quite understand fully. Can you also please validate my understanding and tell me in what conditions (if my understanding is correct) I can use non-SIL instruments in a SIL 1 loop? Thanks in advance.

Marlon
 
Marlon,

> So my question is do we need a SIL 2 rated instruments for the SIL1 loop? <

Short answer is no.
As I said, you do not need to use SIL certified devices for safety functions. And you should not rely upon certified instruments to guarantee that you have met your obligations under 61508/61511. What matters most are the characteristics of the application for the instrument.

If you use a SIL 2 certified device in a function with a SIL 1 requirement it may perform adequately or not. Check the failure rates/modes and certificate and verify assumptions.

> It means that if I have SIL 1 Loop, I can actually use a non SIL trasnmitters and MOVs, <

See answer above.

> subject to some conditions. But those conditions I do not quite understand fully. <

If you don't understand the conditions, get somebody who does understand them and learn from them. It's hard to do that through a forum.

> Can you also please validate my understanding and in what conditions (if my understanding is correct) can I use non-SIL instruments in SIL 1 loop <

See first answer above. Consider the PFD requirements imposed upon the instrumentation and look at failure modes/rates, system fault responses etc. in the context of those requirements and the application. SIL cert or no SIL cert what is acceptable for one SIL1 function may not be acceptable for another SIL1 function.

Sorry if the above is a little vague, but without an understanding of the application and systems it's hard to be very specific.

DaveMH
 
Hi DaveMH,

Thanks for your reply.

Now I realize that SIL is not a simple stuff. What I actually did is I sent a query to our Automation and they too have to forward it to a SIL expert to do the SIL calculation in order to arrive at proper SIL rating of the field instruments.

Thanks again,
Marlon
 
Interesting these SIL loop calculations. How to think you are safe by multiplying a string of numbers! We recently had an "expert" SIL company check the SIL levels on a new Burner Management system. They confirmed it met the SIL level. I was surprised as no account had been taken of any of the boiler trips. Drum level, high steam temperature etc.

How did we manage before this "fashion engineering" provided the opportunity for consultants to make many dollars based on fear?

Before 61508/11 and S84 we designed safety systems on the basis of "Good Engineering Practice". These calculations are a useful guide, but do not think you can use them in defending your decision in court.

I am also amazed at why the engineering population use generic equipment, make up PLC's, waste company time in developing software. Buy tried and tested systems and be productive in maintaining them as well as improving plant performance. Who is going to look after all this Generic stuff when you leave?
 
Dear Ricardo,

I believe the term generic pressure transmitter is the same as a conventional (normal, as you call it) pressure transmitter (i.e. no SIL certification required). As you might know, when you are dealing with the SIL requirement of a safety loop (comprising sensors, logic solver and final element), you may achieve it using some non-SIL elements in the loop, provided that the overall PFDavg (low demand) or failure rate per hour (continuous) of the loop meets the SIL required. As an example, the use of two redundant pressure transmitters (in 1oo2 or 2oo2) will affect both the availability and the reliability of the loop. Most of the time engineers think that SIL integrity applies only to logic solvers, e.g. safety PLCs, but allocating SIL integrity to the SIS, which consists of the whole loop, is more meaningful when the result of the risk analysis mandates the use of a safety loop with a certain SIL number. I hope this might be of help, although I am responding to your request very late.

Good Luck
M.sadra
 
I know that I am also late on this topic.

But it was also a question for me whether to use a generic transmitter in a SIF or not.

According to IEC 61511-1 clause 11.5.2.1, components selected for a SIS (SIL 1 to SIL 3) shall be either proven in use or in accordance with IEC 61508-2 and IEC 61508-3. Since it is not easy to classify an instrument as proven in use (see 11.5.3 of IEC 61511-1), I think we cannot use an uncertified instrument in a SIF.

Kind regards,
Amir
 
Asok Kumar Hait

Adding lately my thoughts and experience on this interesting topic:

No, for a SIL loop you don't need a safety certified transmitter or final element. What we need for each component in the loop is reliable failure rate data.

But how do you get reliable failure rate data? A few years back we also used generic failure rate data from the OREDA or SINTEF databases. But that is generic data and is no longer acceptable nowadays to the independent 3rd party who will do the SIL verification when the design is complete.

For the PLC you need to use a safety certified PLC from a reliability point of view, and certified failure rate, diagnostic coverage etc. data are easily available.

Refer to IEC 61511 clause 11.5.2.1 for a quick view of what is required for any component or subsystem in the safety loop.
For the sensors/transmitters, 3rd party certified failure rate data as an IEC 61508 Type B device is normally easily available nowadays. This is sufficient. You don't need a safety certified transmitter. If the transmitter PFD does not fulfil your safety loop requirement, you can easily increase the PFD by using more than one transmitter in a 2ooN voting configuration.

For the valves, actuators and solenoid valves, nowadays most vendors are also providing certified failure rate data for the particular make and model no. You can easily get a Type A valve or actuator to meet your SIL requirement. You don't need a SIL certified valve or actuator.

But the problem is the valve control circuit. There are small components in the valve pneumatic/hydraulic control circuits, e.g. check valve, pilot valve, flow restrictor; if these components fail, the SDV can also fail. Reliable failure rate data for all these components meeting the requirements of IEC 61508 or 61511 is not easily available. On a few projects we faced this problem and then had to appoint an independent 3rd party to undertake a detailed analysis of these components as per IEC 61508/61511 and provide certified failure rate data. To avoid this problem in our future projects we have now decided that all SDVs will be purchased with a SIL certificate for the complete assembly, e.g. valve, actuator, solenoid and control circuit components. This will cause some additional cost upfront but will avoid unnecessary problems and delay at a later stage.
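The point made by M.sadra (the loop PFDavg, not a certificate, decides the SIL, and redundant transmitters change it) and by Asok (each subsystem needs failure rate data, and the valve assembly is usually the weak part) can be checked with a simplified loop calculation. The script below is an added example, not code from the thread or from any SIL tool; the failure rates and the one-year proof-test interval are constructed placeholders, and the formulas are the IEC 61508-6 Annex B style approximations for low-demand mode counting only dangerous undetected failures.

```python
# Constructed example (not from the thread): simplified low-demand PFDavg check
# for a SIF, IEC 61508-6 Annex B style, dangerous undetected failures only.
# Low-demand SIL bands: PFDavg lower bound (inclusive), upper bound (exclusive).
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


def pfd_avg(lambda_du, ti_hours, voting="1oo1", beta=0.1):
    """PFDavg of one subsystem: per-channel lambda_du (/h), proof-test interval (h), voting."""
    if voting == "1oo1":
        return lambda_du * ti_hours / 2
    if voting == "1oo2":
        # either channel can trip; beta is the common-cause fraction
        independent = ((1 - beta) * lambda_du) ** 2 * ti_hours ** 2 / 3
        return independent + beta * lambda_du * ti_hours / 2
    if voting == "2oo2":
        # both channels must act, so one dangerous failure defeats the trip
        return lambda_du * ti_hours
    raise ValueError(f"unsupported voting architecture: {voting}")


def loop_pfd(subsystems):
    """Loop PFDavg is the sum of the subsystem PFDavg values."""
    parts = {name: pfd_avg(**spec) for name, spec in subsystems.items()}
    return sum(parts.values()), parts


def sil_achieved(pfd):
    """SIL band the loop PFDavg falls in; 0 means worse than SIL 1."""
    for sil, (low, high) in SIL_BANDS.items():
        if low <= pfd < high:
            return sil
    return 4 if pfd < 1e-5 else 0


def build_loop(transmitter_voting="1oo1"):
    """Placeholder failure rates (constructed, not vendor data), yearly proof test."""
    year = 8760
    return {
        "LT-030 generic transmitter": dict(lambda_du=5e-7, ti_hours=year, voting=transmitter_voting),
        "certified logic solver": dict(lambda_du=1e-8, ti_hours=year),
        "XV-54 valve assembly": dict(lambda_du=2e-6, ti_hours=year),
    }


if __name__ == "__main__":
    for voting in ("1oo1", "1oo2"):
        total, parts = loop_pfd(build_loop(voting))
        print(f"transmitter {voting}: PFDavg={total:.2e} -> SIL {sil_achieved(total)}")
        for name, p in parts.items():
            print(f"  {name:28s} {p:.2e} ({100 * p / total:.0f}% of loop)")
```

With these placeholder rates the 1oo1 loop lands just inside SIL 1 and going to 1oo2 transmitters moves it into SIL 2, while the valve assembly still contributes most of the loop PFDavg, which is why Asok's control-circuit components matter more than the transmitter certificate.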
 
When thinking about this, bear in mind the following:

- any laboratory-based safety assessment has to make assumptions about the application where the equipment will actually be used; atmospheric contaminants, vibration, extreme temperature swings, etc. can all affect the probability of failure.

- even with the best equipment in the world, failures WILL occur if it is not properly selected for the operating conditions, installed, and maintained.

A few years ago we were asked to provide a client with MTBF data on a boiler that was a new design. My boss squashed the discussion when he told the client he'd be able to reply when he had 20 years of operating data. Any prediction is just that; all that matters is what happens in real life. The best reliability data you can have is what you obtain from your own operation, under your process conditions and with your maintenance scheduling, staff training, etc. Remember that under IEC 61511, the actual operation has to be monitored to check that the assumptions made in the design stage are actually met in practice.

One of the biggest pitfalls I can see with the idea of documenting reliability is that technically ignorant bean-counters can claim that, with the high-reliability equipment that has been installed, there is no need for maintenance.
 