WHICH TECHNOLOGY TO CHOOSE


CERTIFIED vs. PROVEN-IN-USE

A common question asked by many owner/operators is whether they should use certified or proven-in-use devices in their SISs. ANSI/ISA 84.00.01-2004 in no way mandates the use of certified components in a SIS. Some manufactures provide "proven-in-use" or "SIL suitable" components that are not certified to IEC 61508. Manufacturers that supply proven-in-use components are required to provide quality programs, demonstrate acceptable performance levels in similar environments and prove a volume of experience.

The primary advantage of using certified devices is the ease of access to failure rate data (FITs) collected by an independent third party. If considering a "proven-in-use" or "SIL suitable" device, vendor's field return data is often used to provide failure rate data, but this data does not accurately represent total device failures and is not independently analyzed. For example, what about devices that failed but were not returned to the manufacturer? Data collected by a certified, independent third party allows owner/operators the ability to quickly calculate required performance level (SIL) of their SIFs with reliable and tested data.

Owner/operators can elect to install non-certified components, referred to as "proven-in-use" or "SIL suitable" in their SISs. This information is often available in facility maintenance records, vendor field return data and third-party databases. Non-certified component failure rate data is often inaccurate. Manufacturers use field return data to calculate product failure rates, but this data is dependent on customer returns. Further, facility maintenance records are not always up to date with device failure information unless an automated Maintenance Software Management System is installed. Use caution when considering devices that do not have independent third-party failure rate data.

 

TRANSMITTER vs. SWITCH

You should consider installing both transmitters and switches in SISs. Transmitters are usually the first component considered in SISs due to the increased diagnostics, field indication, lower failure rates, and improved accuracy and repeatability. But thought should be given to include redundant and diverse technologies to avoid common cause failures in a system. Transmitters require power to operate and only provide control through a PLC or DCS.

What happens if you lose power? What happens if the PLC or DCS fail? What happens if the transmitter electronics fails? In this case, a mechanical switch will continue to operate and protect in the event a hazardous situation develops. By installing redundant devices, risk is reduced by avoiding common cause failures.

NUISANCE TRIPS

Nuisance trips are referred to as safe failures in SISs. Mean time to failure (MTTFspurious) is the term used in SIS calculations to determine when a device will suffer a safe failure. Safe failures occur when a device fails in a way in which the owner/operator is aware of the failure, typically an alarm or warning via the PLC or DCS. Safe failures are a nuisance to owner/operators and have economic consequences of lost production and downtime.

After a shutdown, it is required that manual action be taken by the owner/operator to reset the system - it is not allowed to be restarted automatically. The best way to avoid these nuisance trips is through sensor channel voting in a PLC or DCS. Voting logic compares device channels and determines the action required.

SIS Solutions - United Electric Controls

 

COMMUNICATION & DIAGNOSTICS

Component signals are commonly sent and received through a PLC or DCS. ANSI/ISA 84.00.01-2004 recommends that field devices be write-protected in the PLC or DCS to avoid the risk of making changes to a device outside the Safety Requirement Specification. Bi-lateral communication, such as HART or Foundation Fieldbus, is important in BPCS devices but is not useful in SIS. In fact, increasing cyber security threats highlights the importance of requiring devices be write-protected in the event device safety variables are manipulated during an attack. When installing SIS sensors, bi-lateral communication is not necessary and only adds additional and unnecessary cost while increasing the risk of tampering.