
Safety instrumented systems
SIL2 / SIL3 rated vibronic point level measurement devices for overfill protection

Liquid level limit detection switch Liquiphant

A white paper by Endress+Hauser, Inc.

Dr. Christoph A. Rompf
Product Manager Level Measurement
Endress+Hauser GmbH + Co. KG
D-79690 Maulburg, Germany

Key words

Point Level Measurement, Tuning Fork Systems, Vibronic Systems, Level Switches, Safety Integrity Level, SIL, IEC 61508, ANSI/ISA-S84.01

Abstract

Safety instrumented systems (SIS) that are rated according to the Safety Integrity Levels (SIL) are gaining importance in the process industry. In this presentation, vibronic point level measurement devices that are used in highly reliable overfill protection systems will be discussed. Starting from the basics of how these tuning fork systems work, the construction principle will be illustrated. With regard to high functional safety, focus will be placed on the self-monitoring capability of vibronic systems and the PFM (Pulse Frequency Modulation) technology used for signal transmission from the sensor to the switching amplifier.

The combination of these capabilities has led to a SIL2 / SIL3 rating of these sensors for overfill protection systems according to the international standard IEC 61508 / 61511. The probability of failure on demand (PFD) requirements according to IEC 61508 fulfilled by these systems are identical to the corresponding American standard ANSI/ISA-S84.01.

Introduction

Liquids are handled in all process facilities. This includes tank farms, food plants, chemical or pharmaceutical production sites and water and wastewater facilities. Some of these liquids are toxic, flammable, reactive or cause explosive gases which could cause risks for the environment or personnel. An operator of a facility or a plant has to assure that these dangerous liquids are kept in the appropriate pipes, tanks and vessels. In particular, overspilling of a tank has to be avoided during filling processes.

© Copyright 2003 ISA - The Instrumentation, Systems, and Automation Society. All rights reserved.

Photos: Typical tank farm; Chemical plant


Local laws, government regulations, pollution control agencies or insurance companies require that preventive measures be in place to inhibit tank overruns as depicted in Figure 1 (A), especially during unattended automated filling processes (1). Regardless of the federal and state regulations of any country, an automated filling process always requires a high level alarm that causes an automatic flow shut-off to prevent an overfill. The reliability and the degree of functional safety of this overfill protection system are related to the potential danger of the liquid and the surrounding plant or facility.

Overfill protection systems

An overfill protection system is designed to stop product flow during delivery before the tank becomes full and begins releasing liquid into the environment. As a general rule, such a system consists of a high level sensor, a logic solver and a final element that shuts off the flow into the tank. Figure 1 (B) shows an example of such a system. It consists of a vibronic point level measurement device, an appropriate power supply and a switch amplifier unit in the control room. A Programmable Logic Controller (PLC) or Distributed Control System (DCS) based logic solver and a supply pipe shut-off valve complete the system.

Failure evaluation with regard to functional safety

The combination of these components has to fulfill the high functional safety demands that are defined in ANSI/ISA-S84.01 (2) or IEC 61508 (3) and IEC 61511 (4). High functional safety means that these components either have to work reliably or give an alarm whenever the protection system has to be maintained. Thus, different types of failures must be defined when a safety system is discussed.

General failures

In general, a system or device is characterized by its “Mean Time Between Failure” (MTBF). That number represents an average lifetime value for the system or device and includes all failures. With regard to a functional safety classification, not all failures are relevant. Failures that are detected by the system and can be announced by an alarm do not lead to critical situations.

Fig. 1
(A) Overfilling a tank without overfill protection
(B) Tank with overfill protection system consisting of:
(B1) a vibronic high level sensor
(B2) a power supply and switch amplifier
(B3) a Programmable Logic Controller (PLC) or Distributed Control System (DCS)
(B4) a shut off valve

Dangerous failures

In comparison to general failures, failures that lead to a malfunction and are not detected and announced automatically are dangerous. In the case of an overfill protection system, that means an operator would still rely on the system, and in case of a demand, the system would fail. To track down these “Dangerous Failures” and to quantify the likelihood of a dangerous failure on demand, a “Failure Mode, Effect and Diagnostics Analysis” (FMEDA) is done. The guidelines for this are written in the IEC standards 61508 (3) / IEC 61511 (4) and ANSI/ISA-S84.01 (2). Using these guidelines, a “Probability of a Dangerous Failure on Demand” (PFD) can be calculated.

According to the different Safety Integrity Levels (SIL1 thru SIL4), the probability of a Dangerous Failure can not exceed given values. The exact values are given in IEC 61508 (3) / IEC 61511 (4) and ANSI/ISA-S84.02 (2).

In general, the components of an overfill protection system are purchased from different suppliers. To make the determination of an SIL classification manageable, the safety considerations can be divided among the different components. For that process, the PFD value has to be split among the components. A general recommendation is to weight the PFD value 35% on the sensor system, 15% on the logic solver and 50% on the final element (Figure 2). Finally, the whole system has to be reviewed. Not only statistical failures need to be accounted for, but also dangerous systematical failures have to be avoided.
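The 35 / 15 / 50 split can be checked mechanically against component data. The sketch below is an added example, not part of the white paper: the PFD bands are the low-demand PFDavg ranges tabulated in IEC 61508, the loop PFD is approximated as the sum of the component values, and the component figures in EXAMPLE_LOOP are constructed for illustration.

```python
# PFDavg bands for low-demand mode as tabulated in IEC 61508: SIL -> [lower, upper)
SIL_BANDS = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}

# Recommended split of the loop PFD quoted in the text (Figure 2)
SHARE = {"sensor": 0.35, "logic_solver": 0.15, "final_element": 0.50}


def budget(target_sil):
    """Per-component PFD ceiling for a target SIL, using the 35/15/50 split."""
    upper = SIL_BANDS[target_sil][1]
    return {name: upper * share for name, share in SHARE.items()}


def sil_of(pfd):
    """SIL band a PFDavg falls into (0 = worse than SIL1, capped at 4)."""
    if pfd >= SIL_BANDS[1][1]:
        return 0
    for sil in (1, 2, 3, 4):
        if pfd >= SIL_BANDS[sil][0]:
            return sil
    return 4


def review(target_sil, component_pfd):
    """Sum the component PFDs (series approximation for small values) and
    list the components that exceed their share of the target budget."""
    limits = budget(target_sil)
    loop_pfd = sum(component_pfd.values())
    over = sorted(n for n, p in component_pfd.items() if p > limits[n])
    return {
        "loop_pfd": loop_pfd,
        "loop_sil": sil_of(loop_pfd),
        "meets_target": sil_of(loop_pfd) >= target_sil,
        "over_budget": over,
    }


# Constructed figures for one overfill loop, not taken from any datasheet
EXAMPLE_LOOP = {"sensor": 2.0e-3, "logic_solver": 5.0e-4, "final_element": 6.0e-3}

if __name__ == "__main__":
    print(budget(2))
    print(review(2, EXAMPLE_LOOP))
    print(review(3, EXAMPLE_LOOP))
```

With the constructed figures the loop sum still falls in the SIL2 band although the final element exceeds its 50% share, which is why the split is a starting point and the whole system is reviewed afterwards. The PFD is only the quantitative part of the classification; systematic failures are assessed separately, as the text notes.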

Fig. 2 Distribution of PFD (Probability of Failure on Demand) values on the components of an overfill protection system


According to this recommendation, only the sensor for the overfill protection systems shall be discussed and the means to achieve a high functional safety will be presented.

Point level measurement devices

Point level measuring devices for liquids are used in all process facilities. Numerous measurement technologies are available for these kinds of applications (e.g. float switches, vibration limit switches, ultrasonic gap switches, capacitive or conductive limit switches). When considering high functional safety, a measurement method has to be chosen that has low PFD values and will have no systematical failures during operation. A thorough investigation of the measurement sensor’s systematical failures has to be done or the know-how gained from a large number of applications has to be considered and a “proven in use” evaluation has to be done.

Vibronic point level measurement devices

Vibronic measurement devices or “tuning fork systems” fulfill the highest demands with regard to safety and reliability. The main advantage of vibronic point level measurement devices (over float switches, etc.) with regard to functional safety is that they use an active measurement principle. The device is kept in vibration continuously and is always monitored by evaluation electronics. A sensor failure is detected immediately in almost all cases and dangerous failures are avoided.

In addition, vibronic measurement devices meet the requirements of almost all point level applications for liquids (5), (6). A vibronic device is independent of the installation position. The same device can be mounted from the top, side or bottom. State of the art devices are designed for a broad application bandwidth where no calibration of the sensor is necessary. This sensor is independent of process influences (e.g. pressure, temperature, etc.), independent of material characteristics (e.g. conductivity, dielectric constant, viscosity, etc.) and independent of gas bubbles, foam and solids (dirt soiling) in the process liquid.

Sensors for Overfill Protection Systems

These systems are gaining acceptance as a standard solution for level limit detection in all industries and are known to work properly in a wide range of applications. Functional safety data can be determined from this high number of installed units and “proven in use” evaluations can be made.

As an example, the tuning fork system “Liquiphant” distributed by Endress+Hauser has been installed in more than 1.5 million applications. The product and application know-how created by that number of installations has led to a sensor design that is optimized for overfill protection systems and meets the SIL2 level in a 1oo1 (one out of one) and the SIL3 level in a 1oo2 (one out of two) or 2oo3 (two out of three) installation architecture.

Operation principle of a vibration limit switch

Mechanically excitable systems are used as vibration limit switches, usually oscillating forks with two tines. These tines are excited by a piezo drive that converts electrical energy into mechanical energy. A second piezo acts as a receiver, reconverting the mechanical energy into an electric signal. This electrical signal is amplified, phase shifted, amplified a second time and fed to the piezo drive. Thus, an electromechanical loop is set up that acts as a basic wave excitation and always causes the tines to oscillate at their resonance frequency. The setup of this basic wave excitation is shown in Figure 3 (A).

Liquid surrounding the tines extends the mass of the resonance system. The frequency is reduced when the tines are immersed in a liquid.

Evaluation electronics monitor this frequency shift. Below a certain frequency, the “switch point”, the sensor reports the covered condition to the evaluation electronics. Typical characteristics showing the dependence of the resonance frequency on the depth of immersion are depicted in Figure 3 (B).

A switch hysteresis of approximately 30 Hz is used between the activation and deactivation point (fE and fA) to reduce sensitivity to state changes. This corresponds to a hysteresis of the switch point of approximately 0.1". Furthermore, a time delay of approximately 1 second prevents a strong dependence on turbulent currents and waves on the surface of the measured liquid.

Corrosion

In general, corrosion of a sensor is a critical consideration in the application of point level measurement devices for overfill protection. If improperly managed, corrosion often leads to the state of a dangerous failure. The safe operation of a passive sensor cannot be ensured because detection of corrosion is not possible.

In contrast, a sensor with a high functional safety has to operate properly, even if it is partly corroded, or the failure of the function has to be reported to the control system. Vibronic point level measurement devices meet this demand. Figure 3 (B) shows the behavior of a tuning fork device under corrosive conditions. Corrosion of the tines causes a loss of mass, thus the frequency is increased. When the resonance frequency reaches a certain level, a fault alarm is transmitted indicating that the point level switch must be replaced.
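The frequency evaluation described in the last sections (switch point, 30 Hz hysteresis, 1 second delay, fault alarm on corrosion) can be written as a small state machine. This is an added sketch, not Endress+Hauser code: only the 30 Hz hysteresis and the 1 s delay come from the text, while the threshold frequencies, the latching of the fault state and the sample traces are assumptions constructed for illustration.

```python
# Assumed thresholds; the white paper gives no absolute frequencies.
F_COVER_HZ = 900.0                        # below this the fork counts as covered
HYSTERESIS_HZ = 30.0                      # from the text: approx. 30 Hz
F_UNCOVER_HZ = F_COVER_HZ + HYSTERESIS_HZ  # above this it counts as uncovered
F_CORROSION_HZ = 1100.0                   # above this: mass loss, fault alarm
DELAY_S = 1.0                             # from the text: approx. 1 s


class ForkEvaluator:
    """Turns fork frequency samples into uncovered / covered / fault."""

    def __init__(self):
        self.state = "uncovered"
        self._pending = None        # state waiting out the time delay
        self._pending_since = None

    def update(self, t, f_hz):
        if self.state == "fault":
            return self.state       # assumed: fault latches until replacement
        if f_hz > F_CORROSION_HZ:
            self.state = "fault"    # reported at once, no delay
            return self.state
        if f_hz < F_COVER_HZ:
            raw = "covered"
        elif f_hz > F_UNCOVER_HZ:
            raw = "uncovered"
        else:
            raw = self.state        # inside the hysteresis band: hold
        if raw == self.state:
            self._pending = None
        elif raw != self._pending:
            self._pending, self._pending_since = raw, t
        elif t - self._pending_since >= DELAY_S:
            self.state, self._pending = raw, None
        return self.state


def run(samples):
    """Feed (time_s, frequency_hz) pairs through a fresh evaluator."""
    ev = ForkEvaluator()
    return [ev.update(t, f) for t, f in samples]


# Constructed traces: waves splashing the fork, a real fill and drain, corrosion
WAVES = [(0.0, 1000), (0.2, 880), (0.4, 1000), (0.6, 880), (0.8, 1000)]
FILL = [(0.0, 1000), (0.5, 890), (1.0, 885), (1.5, 880),
        (2.0, 915), (2.5, 940), (3.0, 945), (3.5, 950)]
CORRODE = [(0.0, 1000), (1.0, 1050), (2.0, 1105), (3.0, 1000)]

if __name__ == "__main__":
    for name, trace in (("waves", WAVES), ("fill", FILL), ("corrode", CORRODE)):
        print(name, run(trace))
```

The wave trace never changes state because no excursion lasts a full second, the fill trace switches only after the delay and holds while the frequency sits inside the hysteresis band, and the corrosion trace goes to fault as soon as the frequency passes the upper limit.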

Fig. 3 Vibronic measurement devices: (A) basic wave excitation, (B) frequency immersion characteristics


Typical construction

Vibration limit switches are usually designed in a modular fashion so that any process connection, housing and electronic version can be combined in accordance with customer requirements. Figure 4 depicts the basic design. The oscillating fork with its piezoelectric drive is attached to the process connection and the housing adapter via an extension tube. The housing for the electronic insert is mounted on top of this arrangement and contains the power supply, the electronic components of the basic wave excitation as well as the frequency evaluation system and the output interface.

Transmission via Pulse Frequency Modulation (PFM)

An important functional safety topic is the transmission method used between the sensor and the control room. Three sensor states have to be transmitted: sensor is uncovered, sensor is covered and sensor fault alarm. Often, an 8 / 16 mA output level switch is connected directly to a 4 to 20 mA input. As depicted in Figure 5 (A), 8 mA and 16 mA represent the covered and uncovered sensor situation. A current of 3.6 mA indicates a sensor fault signal, e.g. when the sensor is corroded or an electronic failure occurs.

A current based transmission is safe as long as the set up is not affected by environmental conditions. Corrosion at the contacts can lead to an increase of the wire resistance and water or humidity on the contacts may create a parallel resistance. Both can have an influence on the current and might lead to an uncertain or dangerous transmission condition.

In comparison to this 8 / 16 mA transmission, the Pulse Frequency Modulation (PFM) shown in Figure 5 (B) represents a higher safety standard of transmission via a two-wire line. Here a bias current of 10 mA is superimposed by current pulses. In this case, the repetition rate of the pulses and not the current value corresponds to the sensor condition. 50 Hz corresponds to the covered condition, 150 Hz the uncovered condition and faults are coded with 0 Hz.

Fig. 4 Typical construction of a vibronic point level measurement device

Fig. 5 Two wire methods for point level measurement: (A) 8 / 16 mA transmission, (B) PFM transmission

Fig. 6 Block circuit diagram of a sensor and power supply / switch amplifier using PFM transmission

The block circuit diagram of a PFM sensor electronic insert and a power supply / switch amplifier is shown in Figure 6. Apart from the basic wave excitation, it consists of a digital signal processing unit and the electronic interface. It codes the covered, uncovered as well as the alarm message in an output signal and forwards it to the power supply / switch amplifier unit. In addition, the level switch operating power is derived from the 10 mA bias current.

A calibration EEPROM is integrated into the sensor assembly, in which specific data, such as the exact frequency in air, covered frequency in liquids of 0.5 and 0.7 g/cm³ and further specific data are stored during the manufacturing process.

Thus it is possible to exchange the electronic inserts with the assurance that every sensor unit is equally able to process the measurement values of all tuning forks precisely, without any additional calibration.

Finally, the power supply / switch amplifier unit in the control room transforms the pulse frequency signal from the electronic interface into a relay output. The output relays are switched in accordance with the allocation 50 Hz / 150 Hz for covered / uncovered, or zero Hz for error. In addition, the transmission line is continuously monitored for line shorts and breakage. Constant monitoring is guaranteed from the sensor tines to the output of the power supply / switch amplifier.
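The difference between the two transmission methods shows up when a parallel leakage path is added to the line. The following model of the receiving side is an added example, not taken from the white paper or from any Endress+Hauser product: the signal levels (8 / 16 / 3.6 mA, 10 mA bias, 50 / 150 / 0 Hz) are those given in the text, while the supply voltage, pulse height, sampling rate and tolerance windows are assumptions.

```python
SUPPLY_V = 24.0      # assumed loop supply voltage
BIAS_MA = 10.0       # PFM bias current (from the text)
PULSE_MA = 5.0       # assumed pulse height above the bias
FS = 10_000          # assumed sampling rate of the receiver model, Hz


def seen_by_receiver(sensor_ma, leak_ohm=None):
    """Current at the receiver: a leak across the contacts adds V/R in parallel."""
    leak_ma = 0.0 if leak_ohm is None else SUPPLY_V / leak_ohm * 1000.0
    return sensor_ma + leak_ma


def decode_current(ma, tol=1.0):
    """8 / 16 mA scheme as listed in the text; tol is an assumed window."""
    if abs(ma - 8.0) <= tol:
        return "covered"
    if abs(ma - 16.0) <= tol:
        return "uncovered"
    return "fault"        # 3.6 mA, open line, or anything undefined


def pfm_waveform(rate_hz, leak_ohm=None, n_samples=2000):
    """Sampled loop current: bias plus pulses at rate_hz (integer Hz, 10 % duty)."""
    base = seen_by_receiver(BIAS_MA, leak_ohm)
    return [
        base + (PULSE_MA if rate_hz and (n * rate_hz) % FS < FS // 10 else 0.0)
        for n in range(n_samples)
    ]


def measure_rate(samples):
    """Count rising edges against a mid-level threshold; a DC offset drops out."""
    lo, hi = min(samples), max(samples)
    if hi - lo < 1.0:               # no pulses on the line (assumed 1 mA floor)
        return 0.0
    threshold = (lo + hi) / 2
    edges, prev = 0, False
    for s in samples:
        high = s > threshold
        edges += int(high and not prev)
        prev = high
    return edges * FS / len(samples)


def decode_pfm(rate_hz):
    """50 Hz covered, 150 Hz uncovered, 0 Hz fault; windows are assumed."""
    if abs(rate_hz - 50.0) <= 10.0:
        return "covered"
    if abs(rate_hz - 150.0) <= 20.0:
        return "uncovered"
    return "fault"


if __name__ == "__main__":
    leak = 3000.0  # constructed leakage resistance, ohms
    print("8/16 mA, covered, dry :", decode_current(seen_by_receiver(8.0)))
    print("8/16 mA, covered, leak:", decode_current(seen_by_receiver(8.0, leak)))
    print("PFM,     covered, leak:", decode_pfm(measure_rate(pfm_waveform(50, leak))))
```

In this model a 3 kΩ leak lifts the 8 mA covered signal to 16 mA, which the current receiver reads as uncovered, while the same leak only shifts the PFM bias and leaves the 50 Hz pulse rate intact. An open line yields no pulses and therefore decodes as a fault in both schemes.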


Applications with extremely high safety requirements demand error-proof systems which operate in safe conditions in spite of any type of breakdown. Regular inspection and verification of the system is required to ensure safety.

As a guideline, the overfill protection sensor system has to be function tested regularly (e.g. once a year) to meet SIL qualifications. Normally, this has to be done by dismantling the sensor and testing it in a liquid or by filling the tank to the sensor point. This is both expensive and risky, especially when a “dangerous” liquid is pumped up to the maximum tank level.

Self-check push button

Devices that use PFM transmission technology and have an internal test generator for the manual verification are allowed to be tested by a push button. In this case, the push button disconnects the wire to the sensor. After this voltage interruption, once the voltage has been reconnected, the sensor is briefly operated in the self-testing mode until it automatically switches to the operating mode. As shown in Figure 6, in the self-testing mode, the frequency of the test generator, instead of the frequency of the basic wave excitation, is connected to the downstream circuit. The correct interpretation of the uncovered, covered and error frequencies which might occur (e.g. corrosion) is verified. This ensures the proper functioning of the measuring system from the tuning fork frequency input to the power supply / switch amplifier unit. In addition, the manual function test permits the verification of the response of associated system components, e.g. the sequential control of a shut-off valve or a visual or acoustic alarm.

Concluding remarks

The vibronic point level measurement principle described in this article, using PFM transmission between sensor and power supply / switch amplifier in the control room, represents the highest end of sensor systems for overfill protection. In this system, the integrated test generator activated by a push button in the control room provides a convenient means for the periodic function test required with safety systems. In comparison to other point level measurement principles, this test does not only evaluate the function of the sensor, but also checks the permanent self check that continuously monitors the frequency of the tuning fork sensor. All these means have culminated in a vibronic sensor that is SIL3 rated in 1oo2 or 2oo3 installation architectures by the German TUV (Technischer Ueberwachungs Verein).

However, the sensor is only one part of a complete overfill protection system. The final element, e.g. a shut down valve, is as important as the sensor to prevent an unwanted release of liquid in the environment. Due to a high fraction of mechanical parts in these devices, instruments with a similar high functional safety can be provided only in a very high price segment. Therefore, other means are often taken into consideration to improve the safety of vessels containing highly hazardous liquids. In consequence, an inexpensive sensor with a lower functional safety can be chosen. In this case, vibronic point level measurement devices with integrated relay output can be used. These also use highly “proven in use” components, but go without a separate power supply / switch repeater.

References

1. WHG Germany: Zulassungsgrundsaetze für Ueberfuellsicherungen (ZG-Ues / May 1999), Wasserhaushaltsgesetz § 19

2. ISA (1996), ANSI/ISA-84.01-1996: Application of Safety Instrumented Systems for the Process Industries, Research Triangle Park, NC: The Instrumentation, Systems and Automation Society

3. IEC (1998), IEC 61508, Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems, Parts 1-7, Geneva: International Electrotechnical Commission

4. IEC (2002), IEC 61511, Functional Safety Instrumented Systems for the Process Industry Sector, Parts 1-3, (Draft in Progress), Geneva: International Electrotechnical Commission

5. Rompf, Christoph, “Characteristics of Universal Limit Switches for Liquids”, What is new in process engineering, Melbourne, September 2000, p. 60-70

6. Rompf, Christoph, “Anforderungen an universelle Grenzschalter für Flüssigkeiten”, tm-Technisches Messen; Sensoren, Geräte, Systeme, May 2000, p. 220-227
