Two ESD causes from single transmitter


Thread Starter

Amin

I have a storage tank with a level transmitter dedicated to the ESD system. I'm going to use the High/high alarm of the transmitter to shut the inlet pumps down, as well as the Low/low alarm to trip the tank outlet pumps. On the other hand, there is a requirement in the project safeguarding philosophy that in case of failure of an ESD transmitter, only one safety instrumented function can fail.

Considering the fact that LL and HH alarms cannot occur simultaneously, is the above-mentioned configuration correct or not?

Please advise.
Thanks.
 
Amin... One possible scenario follows:

If the instrument's contacts are "held-closed" when the monitored condition is 'Normal', then for a common-mode failure, such as loss of power, the resultant output-action will certainly be confusing!

Regards, Phil Corso
 
It appears there are two possible actions that can be taken: to shut down or energize the inlet pumps, and the same with the outlet pumps.

It is assumed that when the level is within acceptable limits that some other control function is managing pump speeds for both inlet and outlet pumping.

In the case of an HH alarm it assumes that either the inlet pumps are running at full and the action is to shut them down or that the outlet pumps are failing to operate sufficiently and should be energised to full flow. Of the two functions, if there is a failure it might be assumed that the discharge pumps have failed, leaving only control of the inlet pumps as a possible response. This will not deactivate the alarm since it only stops more fluid entering. The alarm will only de-energise if the fluid level falls, which presumably depends on the discharge pumps operating, even at reduced performance.
Much depends on the expected or possible failure modes. Similar consideration may be given to the LL alarms.

Thus for HH the priority action may be to shut down the inlet pumps and, for an LL alarm, to shut down the outlet pumps.
 
JMW,

Thanks for your explanation.

The tank level is controlled by DCS via a level control loop (DP-cell level transmitter + level control valve). Another level transmitter serves as the safety instrument and generates two causes, LALL and LAHH, in ESD.
The main concern is the failure of this transmitter. I will lose two shutdowns in this case. I don't know whether it is necessary to use two separate level transmitters for the LL and HH alarms or not.
 
It is a very interesting case. I suggest you perform a HAZOP study. You will find the answer based on the risk, consequence and safeguards you have.

Personally, I choose to provide 2 separate transmitters. If one of the transmitters is faulty, it won't disturb the other trip function.
It is clearly mentioned as a requirement in your project safeguarding philosophy.
 