This paper will outline a "best practice" approach to the selection of "sensors" for SIS applications that meet the requirements of IEC 61511 (ISA 84.00.01-2004). Lifecycle costs include Capital Expenditures (CaPEX) and operating and/or Maintenance Expenditures (MAINTEX); many companies will use sensors specified for basic process control on SIS that will require costly proven-in-use documentation programs.
Timothy J. Layer, Director Global Quality, Reliability & Safety, Emerson Process Management, Rosemount Division, Chanhassen, MN 55317 USA
Key Words:
Safety, Sensors, Designed per IEC 61508, Prior-Use, Lifecycle Costs (CaPEX, OpEX, MAINTEX)
Abstract:
The international standard for safety instrumented systems for the process control sector, IEC 61511, was published in 2003 and details the lifecycle requirements for Safety Instrumented Systems (SIS). The ISA Standard 84.01-1996 will migrate to the IEC 61511 standard under the name ISA 84.00.01-2004. New technologies are now available that will allow designers to select sensors that meet safety requirements in compliance with these new standards while reducing overall lifecycle costs. This paper will outline a Best Practice approach to the selection of sensors for SIS applications that meet the requirements of IEC 61511 / ISA 84.00.01-2004 while minimizing lifecycle costs.
Introduction:
This paper will discuss a best practice approach to the selection of sensors for SIS applications that meet IEC 61511 (ISA 84.00.01-2004) requirements while minimizing lifecycle costs. Lifecycle costs include Capital Expenditures (CaPEX), Operating Expenditures (OpEX), and Maintenance Expenditures (MAINTEX). First, new safety certified instrument technologies have been developed for SIS applications that in many cases will ensure adequate safety but add significant capital, operating and/or maintenance expenditures. Second, in many cases safety engineers inadvertently over-design the SIS architecture, which increases capital costs. Third, many companies will use sensors specified for basic process control on SIS that will require costly proven-in-use documentation programs, increasing maintenance costs. A best practice approach is to select sensors that meet the safety requirements without the need for prior-use programs while delivering reliable field performance, resulting in decreased lifecycle costs.
Copyright 2004 by ISA The Instrumentation, Systems and Automation Society. Presented at ISA AUTOMATION WEST; www.isa.org
New International Standards add value for process sector operating plants
In 2003, a new SIS standard was published under the title IEC 61511. This standard was developed by end-users representing an international consortium from over 20 countries including the United States. The purpose of this standard was to develop a single set of requirements that would address the entire SIS lifecycle (identification, design, installation, operating & maintenance and decommissioning) specific for the process sector while meeting the requirements of the global process industry. The standard is organized into three parts:
IEC 61511-1 Requirements
IEC 61511-2 Informative guidance on meeting the requirements
IEC 61511-3 Informative examples of different methodologies to assist in the determination of the Safety Integrated Levels
This standard offers significant value to operators and integrators in the process industry. Since most global standard committees and/or authorities are expected to adopt this standard for their specific countries, companies can now develop standardized processes for safety instrumented systems that will meet most global requirements. Second, the standard follows the life-cycle approach, which assists users in ensuring SIS are designed to meet the operating plant's safety instrumented function (SIF) requirements and complete the intended safety function from conception through decommissioning.
IEC 61511 was developed under the framework of IEC 61508. IEC 61508 was developed for any industry sector and also addresses the requirements for manufacturers of safety components used on SIS. IEC 61511 was developed specifically for the process sector and outlines the requirements for end-users and integrators only.
[Figure: sector standards developed under the IEC 61508 framework: IEC 61513 Nuclear Sector; IEC 61511 Process Sector; IEC 62061 Machinery Sector]
IEC 61511 lists the requirements for end-users and integrators. This standard requires manufacturers and suppliers of equipment used in SIS applications to follow the requirements outlined in IEC 61508 Section 2 (Hardware/System) and Section 3 (Software). This is a very important distinction. IEC 61511 states:
IEC 61511-1, Scope (b): (This Standard) applies when equipment meets the requirements of IEC 61508, or of Section 11.5 of IEC 61511 (Prior-Use or Proven in Use) is integrated into an overall system that is to be used for process sector applications but does not apply to manufacturers wishing to claim that devices are suitable for use in SIS for the process sector.
IEC 61511-1, Scope (d): (This Standard) applies when application software is developed ... but does not apply to manufacturers, SIS designers, integrators, and users that develop embedded software.
IEC 61511 clearly states that manufacturers of equipment used on SIS must follow the requirements of IEC 61508 Sections 2 and 3 unless the end-user has met the requirements of Section 11.5 Prior-Use. Note that manufacturers cannot make a claim to meet Prior-Use per this standard; this is the responsibility of the end-user. Manufacturers would need to follow the Prior-Use requirements of IEC 61508.
Figure 1
Requirements for Sensors used in Safety Instrumented Systems
IEC 61511 documents specific requirements for sensors used in SIS. In summary, there are two options end-users have for the selection of Sensors and Final Control Elements for SIS:
Select devices designed per the requirements of IEC 61508 Sections 2 and 3
Select devices based upon Prior-Use (also referred to as Proven-in-Use)
[Figure: IEC 61511 Process Sector Safety Instrumented Systems. Manufacturers & Suppliers of Devices: IEC 61508 Sections 2 & 3. Safety Instrumented Systems Designers, Integrators & Users: IEC 61511]
These requirements apply regardless of the sensor technology preferred. The standard recognizes the safety advantages of requiring Safety Designed Instruments, and IEC 61508 Section 2 (Hardware) and Section 3 (Software) is an excellent standard to apply. The standard also recognizes potential issues with using Safety Designed Instruments, including:
Lack of manufacturers offering devices designed per IEC 61508
Lack of known reliability of new designs, leading to a potential increase in spurious trip rates
Operating plants may have many years' experience using existing instrumentation in SIS
To address these issues, the standard allows end-users a second option. The option is to establish Prior-Use (also referred to as Proven-in-Use).
Figure 2
Sensors Selected Designed per IEC 61508 Sections 2 and 3
Sensors that are designed per IEC 61508 define a field instrument design that meets the hardware, system and software requirements detailed in IEC 61508 Sections 2 and 3. The standard uses the Safety Integrated Level (SIL) table and applies it to the instrument system design as a measure of the device safety level. The typical approach manufacturers use to comply with IEC 61508 is as follows:
Develop safety requirements and a safety requirements specification
Design instrument architecture and hardware per the rules of Section 2
Design, verify, validate and control software and systems per the rules of Section 3 to the desired SIL level (level of device safety)
Complete fault insertion testing to verify diagnostics
Implement design control processes for management of change
Implement manufacturing controls to ensure the safety of the device is not degraded
Complete a Failure Mode Effect Diagnostic Analysis (FMEDA) to determine the failure rates, safe failure fraction (SFF) and probability of failure on demand (PFD)
Detail the device proof-test requirement for the specified PFD
Contract with a Notified Body for a third party review of the design requirements, hardware, software, system and design controls
Notified Body issues a third party certification and report
Manufacturer supplies a Safety Manual documenting for the end-user the proper use of the product in SIS.
[Figure: Requirements for the Selection of Sensors per IEC 61511. Select Sensors based on Prior-Use: IEC 61511 Section 11.5. Select Sensors based on Designed per IEC 61508: IEC 61508 Sections 2 and 3]
Notified Bodies include TUVit-Augsburg, Germany; TUV Automotive-Munich, Germany; Factory Mutual, USA; and many others. In certain cases, manufacturers will use industry experts to assist in meeting the requirements. These experts, such as EXIDA or Risknowledgy, are not notified bodies but have expertise in meeting IEC 61508 requirements and will complete specific activities such as completing the FMEDA and developing the safety requirements. There is significant value to end-users in specifying designed per IEC 61508 sensors for SIS.
Allows simple compliance with IEC 61511; the supplier is responsible for documenting the safety level of the device
Assurance that the failure rate data and PFD values are valid and correct
Assurance that the instrument design meets good engineering practice for SIS applications as defined in the international standard IEC 61508 (especially important for minimizing systemic software failures)
Assurance that the manufacturer has processes for management of change over the product life-cycle
A Safety Manual and Certification Reports are available for proper implementation into an SIS
Although Designed per IEC 61508 sensors add value for SIS designers, extreme caution must be used before specifying these sensors. Specific issues important to selecting sensors include:
Safety review and certification does not mean a reliability review was completed; safe does not mean reliable. Therefore a thorough review of the failure rates should be completed to ensure the potential for spurious trips is reduced
Designs per IEC 61508 are reviewed as a white paper analysis with no requirements for operating experience. Using untested, unproven devices in SIS applications carries very high risk. Users should gain experience with the devices before installing them on SIS applications
Failure rate data supplied by manufacturers DOES NOT INCLUDE the failure rates of the process interface. This is very important when selecting sensors. A high Safe Failure Fraction (meaning a low percentage of potential dangerous failures from the sensor) will not include dangerous failures such as line plugging, line freezing, slugs in lines, or gas permeation
Read the certification statements and the safety manual carefully; many designs require significant proof testing or have severe limitations on their use for the safety certification to be valid
Sensors Selected Based Upon Prior-Use
The international committees that developed IEC 61508 and IEC 61511 recognized that users could develop other criteria for certifying SIS loop components. Therefore, a Prior-Use (also referred to as Proven-in-Use) clause was included. The Prior-Use clause gives users a methodology to accept Sensors and Control Elements that were not designed per IEC 61508 Sections 2 and 3 for SIS applications.
The Prior-Use clause of IEC 61511 states the following:
IEC 61511-1, Section 11.5.3.1: Appropriate evidence shall be available that the components and sub-systems are suitable for use in the safety instrumented system.
The appropriate evidence for Sensors must be a documented case that includes (Reference IEC 61511-1, Section 11.5.3.2):
Consideration of the manufacturer's quality, management and configuration management systems
Adequate identification and specification of the components or sub-systems
Demonstration of the performance of the components or sub-systems in similar operating profiles and physical environments
To meet these requirements, the standard allows users to document operating experience from Basic Process Control applications as well as SIS applications. However, the standard does require that the operating experience be under the same conditions as the planned use in SIS and that the data collected have statistical significance. In addition, only the end-user can establish prior-use per IEC 61511; suppliers cannot make this claim.
Establishing Prior-Use for sensors has many advantages for the end-user. First, it ensures that the Sensors selected have a known reliability. This will reduce the potential for spurious trips and the cost of failed sensor replacements. Second, the selected sensors are already well understood by the designers and maintenance technicians. Installation practices for SIS applications can be the same as those for Basic Process Control applications, no training is required for maintenance personnel and spare part inventory can be leveraged. Third, the failure history of the sensors typically will also include failures of the process interface. This is why IEC 61511 only allows the End-User to establish prior-use, not manufacturers or suppliers.
Although Prior-Use offers some advantages for end users, there are many hidden costs and risks.
End user must maintain documentation on sensor operating hours, environments and failure rates (MAINTEX)
Increased risk of systemic failures due to software, since manufacturer software development will likely not meet IEC 61508 Section 3 levels of quality (OpEX)
Management of change effect on Prior-Use. Manufacturers continue to make changes to Sensors due to part obsolescence, added features or cost reductions. These changes impact the Prior-Use documentation and may need to start the clock over in terms of operating experience (CaPEX, MAINTEX)
In summary, IEC 61511 allows end-users to select Sensors for SIS based on Designed per IEC 61508 or Prior-Use. There are advantages and disadvantages to either approach. Either approach alone will meet the safety requirements but in each case lifecycle costs can be negatively affected. The Best Practice approach is one that combines both Designed per IEC 61508 with the elements of Prior-Use.
Best Practice Approach to the Selection of Sensors for SIS
The best practice approach for the selection of sensors for SIS is to select sensors designed per IEC 61508 Sections 2 and 3 AND require the same sensor platform and reliability as specified and used in Basic Process Control.
This approach adds significant value for end-users:
Ensures compliance with IEC 61511, with all required documentation supplied by the manufacturer
Minimizes potential systemic software failures, since the software will be designed and certified to IEC 61508 Section 3 requirements
Minimizes the potential for spurious trips, since the reliability will be similar to the devices used in BPCS
Safety is enhanced and costs reduced by leveraging all training of personnel (Design and Maintenance)
Costs are reduced by leveraging inventory for spares/replacements
Allows use of standardized installation practices for both Basic Process Control and SIS installations, improving safety and costs
In terms of lifecycle costs, here are the end user benefits of implementing this practice:
CaPEX Savings:
IEC 61511-1 has specific requirements for SIS for minimum fault tolerance based upon the SIS Safety Integrated Level (SIL). Fault Tolerance is defined as the ability of a functional unit to continue to perform a required safety function in the presence of a fault. Designers typically meet this fault tolerance requirement through the use of redundant sensors inputting into a logic solver combined with voting logic. The standard sets a minimum fault tolerance and then allows the designer to adjust the final fault tolerance based upon the sensors selected and the process conditions.
Table 1 represents the minimum required fault tolerance based upon the SIS SIL referenced in IEC 61511. IEC 61511 requires a minimum fault tolerance but allows the user to reduce the fault tolerance by 1 if:
Sensor was justified under Prior-Use
Sensor was designed per IEC 61508 Section 2/3 (by using the fault tolerance tables of IEC 61508 Section 2)
And, if SMART sensors are used, the sensor must allow device parameter changes only (no changes to firmware) and have write protection (either via hardware or software)
The standard next requires the designer to review any process interface effects that could lead to a dangerous failure condition. For sensors, these would include line plugging, freezing, gas permeation, etc. If any dangerous failure potentials exist, the fault tolerance must again be increased by 1. Table 1 summarizes the fault tolerance decision tree. Adjustment 1 refers to the reduction in fault tolerance allowed by using sensors based on Prior-Use or IEC 61508 certification. Adjustment 2 refers to the increase in fault tolerance required if any dangerous failure modes exist in the process interface.
Adjustment 1: reduce FT by 1 if the End-user has Prior-Use or the supplier has designed per IEC 61508
Adjustment 2: increase FT by 1 if dangerous failure modes are possible in the process interface (e.g. process line plugging)
By using IEC 61508 devices with proven use, the user can take advantage of decreased fault tolerance if no dangerous failures exist in the process interface. The result is CaPEX savings for the user, since one less sensor is required to meet the fault tolerance.
[Figure: Minimum Fault Tolerance for SIL 3 (use three sensors) versus IEC 61508/Prior-Use for SIL 3 (reduce to two sensors)]
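The fault tolerance decision tree described above (minimum FT by SIL, Adjustment 1, Adjustment 2, and the resulting sensor count), written out as an added Python example; this is constructed for this page and is not code from the paper or from ISA. The `SensorCase` fields are assumptions, and the table holds only the SIL 3 row the paper shows (FT 2, three sensors) plus SIL 1 and SIL 2 rows taken from IEC 61511-1 (2003) Table 6 rather than from this paper.

```python
"""Fault-tolerance decision tree for SIS sensors, following the paper's summary of
IEC 61511-1. Constructed example; not code from the paper or from ISA."""
from dataclasses import dataclass
from typing import List, Tuple

# Minimum hardware fault tolerance (FT) for sensors by SIL. The paper shows only
# the SIL 3 row (FT 2, i.e. three sensors); the SIL 1 and SIL 2 rows are taken
# from IEC 61511-1 (2003) Table 6 and are an assumption of this example.
MIN_FAULT_TOLERANCE = {1: 0, 2: 1, 3: 2}


@dataclass
class SensorCase:
    """Facts the designer has established about the candidate sensor (hypothetical
    field names chosen for this example)."""
    prior_use: bool = False                # end-user holds Prior-Use evidence (11.5)
    designed_per_iec61508: bool = False    # supplier certified to IEC 61508 Sec. 2/3
    is_smart: bool = False                 # SMART transmitter?
    parameter_changes_only: bool = True    # no firmware changes possible in the field
    write_protected: bool = True           # hardware or software write protection
    # Dangerous failure modes of the process interface (line plugging, freezing,
    # gas permeation, ...). An empty tuple means none were identified.
    dangerous_interface_modes: Tuple[str, ...] = ()


def adjustment_1_allowed(case: SensorCase) -> bool:
    """Adjustment 1: FT may be reduced by 1 only for Prior-Use or IEC 61508 sensors,
    and a SMART sensor additionally needs parameter-only changes plus write
    protection, exactly as the paper lists the conditions."""
    if not (case.prior_use or case.designed_per_iec61508):
        return False
    if case.is_smart and not (case.parameter_changes_only and case.write_protected):
        return False
    return True


def required_fault_tolerance(sil: int, case: SensorCase) -> Tuple[int, List[str]]:
    """Walk the decision tree and return (final FT, audit trail of each step)."""
    if sil not in MIN_FAULT_TOLERANCE:
        raise ValueError(f"SIL {sil} is not covered by this table")
    ft = MIN_FAULT_TOLERANCE[sil]
    trail = [f"minimum FT for SIL {sil}: {ft}"]
    if adjustment_1_allowed(case):
        ft = max(ft - 1, 0)          # fault tolerance cannot drop below zero
        trail.append(f"adjustment 1 (Prior-Use / IEC 61508): FT -> {ft}")
    else:
        trail.append("adjustment 1 not allowed")
    if case.dangerous_interface_modes:
        ft += 1
        modes = ", ".join(case.dangerous_interface_modes)
        trail.append(f"adjustment 2 ({modes}): FT -> {ft}")
    else:
        trail.append("adjustment 2 not required (no dangerous interface modes)")
    return ft, trail


def sensors_required(ft: int) -> int:
    """Tolerating `ft` dangerous sensor failures needs ft + 1 sensors, matching the
    paper's SIL 3 figure: FT 2 -> three sensors, FT 1 -> two sensors."""
    return ft + 1


if __name__ == "__main__":
    cases = [
        ("BPCS sensor, no justification", SensorCase()),
        ("IEC 61508 SMART sensor", SensorCase(designed_per_iec61508=True, is_smart=True)),
        ("IEC 61508 sensor, plugging risk",
         SensorCase(designed_per_iec61508=True, dangerous_interface_modes=("line plugging",))),
    ]
    for name, case in cases:
        ft, trail = required_fault_tolerance(3, case)
        print(f"{name}: FT {ft}, {sensors_required(ft)} sensors; " + "; ".join(trail))
```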
OpEX Savings:
Using IEC 61508 designed sensor platforms with proven use on basic process control delivers OpEX savings in two ways. First, these sensors will have proven reliability that can lower potential spurious trip rates and thereby improve plant availability. Second, by requiring IEC 61508 designed devices the end-user is not required to establish a Prior-Use program, saving significant overhead costs. Unreliable sensors used in SIS can negatively impact plant availability. Spurious trips are typically caused by faulty signals received from the sensor. Many designers will attempt to reduce the spurious trip rate by increasing redundancy. However, this approach will increase CaPEX. The best approach is to maintain minimum redundancy while reducing potential spurious trip rates. This can best be achieved by using the same reliable sensor platforms on Basic Process Control and SIS.
MAINTEX Savings:
There are numerous MAINTEX savings users can take advantage of by requiring the same sensor platforms for both Basic Process Control and SIS when the platform can be designed per IEC 61508.
Elimination of Prior-Use Operating Experience Tracking and Documentation:
Prior-Use requires the user to document the operating experience of the SIS sensors through the entire sensor lifecycle. This can be very expensive and time consuming. By using sensors designed per IEC 61508, none of this work is required. The largest risk for the end-user when using Prior-Use sensors is management of change. Manufacturers continually change product designs in response to part obsolescence, design enhancements or cost reductions. These changes will impact the Prior-Use data and in many cases will require the user to start the clock over in documenting operating experience. IEC 61508 designs require maintenance throughout the product lifecycle, and thus manufacturers are responsible for the documentation and certifications.
Reduced Proof Tests:
Users are required to determine and document SIS loop proof tests. As part of these tests, the loop components also must be verified. For sensors, this is typically completed by a field calibration once every 12 months. New SMART transmitters typically extend required calibration intervals to up to 10 years. By leveraging the same devices, sensor proof test intervals can be extended saving field calibration costs.
Leverage Inventory and Technician Training Costs:
Using the same platform for basic process control and SIS allows users to take advantage of the inventory already on hand. If a new sensor is specified for SIS, the user must carry the inventory costs of the new sensors as well as the basic process control sensor. Using the same sensor platforms not only saves costs for design and maintenance team training but also increases safety by reducing the likelihood of systematic failures caused by technician errors.
Other Considerations for Selecting Sensors for SIS
There are other considerations a designer of SIS should review when making a selection of a specific Sensor type and manufacturer. Other papers have been written on this topic, so it will be covered only at a high level (see Reference 4). The main considerations when selecting Sensors for any process application, but of special importance in SIS, are:
Use of Process Industry Grade SMART Transmitters over Other Technologies
Process sector grade Pressure and Temperature Transmitters are the best sensor type for SIS applications. These devices are designed for high reliability in process grade applications and environments, have good installed performance and response times, and have a short Mean-Time-to-Restoration (MTTR). SMART transmitters also deliver a continuous electronic signal and therefore can be detected by SIS logic solvers if no signal is received or if internal transmitter alarms are initiated.
Common Cause Design Strength:
When selecting a supplier for SIS sensors the designer should consider common cause design strength. Similar to reliability, common cause design strength requires the supplier to design a sensor that will deliver a high quality and accurate signal for the sensor's entire installed life. Some designs are simply better than others. Selecting a device that meets the requirements based upon a white paper analysis or on testing in laboratory conditions does not ensure high performance in field conditions.
Installed Performance and Response Time
All sensors will be supplied with the manufacturer's claims of performance and response time to initiate a signal. These are important specifications for the SIS designer. Many sensors may have performance impacts in harsh environments that affect the device's ability to initiate a safe signal. The response time of the sensor must also be known so that the SIS designer can ensure the entire SIS can complete the safety function in the allotted safety time.
Installation Practices:
Proper design and installation of the sensor is critical to ensure safety. For example, process related effects on the sensor, such as process line plugging, corrosion or gas permeation, can all lead to a dangerous failure condition of the sensor. Proper installation practices can reduce or eliminate these systematic effects.
Summary and Conclusions:
New international standards for SIS are now available. These standards require users to select sensors either based on Designed per IEC 61508 or based upon Prior-Use. Although either method will meet the safety requirements, both can lead to increased lifecycle costs. A Best Practice approach is to use a combination of these options: specify SIS sensors that meet IEC 61508 Sections 2 and 3 while requiring proven reliability. To ensure your SIS sensor supplier can meet this practice, the following lists the requirements users should impose on their suppliers:
Specify IEC 61508 certification with evidence of reliability either through demonstrated testing or field experience
Require third party certification of IEC 61508 compliance
Supplier should impose no additional installation, commissioning, or testing requirements for using the sensor on SIS beyond those required for basic process control
Supply Failure Rate, PFD with required proof test intervals, and spurious trip rate derived from a Failure Modes Effect Diagnostic Analysis (FMEDA)
Supply reliability test data and operating performance data
Ensure management of change practices are in place such that any changes to the sensor will not affect the IEC 61508 design through the sensor lifetime
Suppliers meeting these requirements will allow you to implement the Best Practice for selecting sensors for SIS, a practice that ensures the safety requirements are met while minimizing lifecycle costs.
References:
1. IEC 61511 (2003) Functional safety: Safety Instrumented Systems for the process industry sector, Part 1
2. dISA 84.00.01 (2004) Functional safety: Safety Instrumented Systems for the process industry sector, Part 1 (USA version of IEC 61511)
3. IEC 61508 (1997-2000) Functional safety of electrical/electronic/programmable electronic safety-related systems
4. Measurement Best Practices for Safety Instrumented Systems, May 2003, Menezes and Brown
5. Guidelines for Safe Automation of Chemical Processes, published by the Center for Chemical Process Safety of the AICHE