
ISA EXPO 2005

Chicago, USA. 25-27 October 2005.


IEC 61511: OVERCOMING DIFFICULTIES IN ATTAINING SIL3 IN SHUTDOWN VALVE LOOPS


C.R.Raju, Superintending Engineer (Instrumentation), ONGC India.

ABSTRACT

The advent of IEC 61511 has been a good start in improving the availability and reliability of Safety Instrumented Loops. Unlike earlier standards like ANSI/ISA S84 and API 14 C, IEC 61511 facilitates mandatory performance-based analysis of safety-instrumented functions based on failure data. It is observed that failure rates of shutdown valves have been extremely high compared to other elements of a safety-instrumented loop. Increasing the number of valves in a loop will also drastically affect availability, maintainability, space and cost. The objective of this paper is to improve the safe availability of shutdown valves by employing complete stroking instead of partial stroking, increasing diagnostic coverage by using continuous position monitoring instead of limit switches, eliminating the air regulator and selecting the proper communication protocol. Some buffering capacity in the process is also suggested to facilitate full stroking instead of partial stroking. It is envisaged that SIL 3 with a single shutdown valve in a safety instrumented loop can be achieved with these modifications.

1. Introduction:

Process and manufacturing plants are equipped with Emergency Shutdown Systems (ESD) to shut down the plant in case of abnormalities. Earlier prescriptive codes like ANSI/ISA S84 and API 14 C failed to deliver the high safe availability of ESD systems that is required in various process and manufacturing industries, since those standards did not stipulate any conditions for performance after installation. The International Electro-technical Commission (IEC) later introduced the performance-based IEC 61508 and IEC 61511 codes, which are mandatory in nature. These codes mandate certifications by authorized agencies for safety products that are ultimately performance based. In general IEC 61508 deals with certification of Electrical/Electronic/Electronic Programmable Systems. IEC 61511 deals with field implementation of E/E/EPS in ESD systems.

2. Problem Identification.

IEC 61511 describes rules and methods to achieve the Safety Integrity Levels (SIL) required for different industries. These methods require performance-based data for each item of Safety Instrumented System (SIS) loops, specific to process conditions and installation methods. Accurate data for each element of an SIS loop to document Probability of Failure on Demand (PFD) in the order of $10^{-5}$ and frequency of dangerous failures to perform the safety instrumented function per hour in the order of $10^{-9}$, as per IEC code requirements, have been extremely difficult to obtain. However, it is estimated that shutdown valves contribute up to 50% to the Probability of Failure on Demand (PFD) of a Safety Instrumented System (SIS) loop. The intention of this paper is to explore possibilities of improving DC (Diagnostic Coverage), PFD and SFF (Safe Failure Fraction) of shutdown valves (SDV).

2. Voting with multiple SDVs.

Installation of multiple SDVs in the process line, wired from different output cards of a safety certified Programmable Logic Controller (PLC), is a solution prescribed by codes. This may not yield the expected results due to the poor PFD, SFF and DC figures of normal SDVs. Installation of multiple shutdown valves as per IEC 61511 also has practical difficulties like increased maintenance, drastic increase in cost, increased space requirement and reduced availability.

3. Solution

DC, PFD and SFF of the shutdown valve, and in effect of the entire SIS loop, can be increased considerably by some changes in shutdown valve (SDV) construction and SIS loop design. Some modification in the process can also contribute to these improvements. The objective of this paper is to achieve SIL 3 or more for a SIS loop with a single shutdown valve using an improved valve-stroking method with minimal cost, space and maintenance impacts.

#P132 C.R.Raju

Copyright 2005 by ISA. Presented at ISA EXPO 2005, 25-27 October 2005 McCormick Place Lakeside Center, Chicago, Illinois, www.isa.org


3.1. Continuous Monitoring of Valve Position.

Conventional shutdown valves are equipped with dual position switches. One switch is used for open position indication and another switch is used for close position indication. One more pair of cables is used for the solenoid valve. Precision potentiometers, current transmitters, LVDTs and RVDTs are available for continuous monitoring. By introducing continuous monitoring the following can be achieved.

i. A single pair can replace the dual pair of cables. Otherwise a redundant communication link with power carrying capacity can replace the three pairs of cable used in conventional SDVs.
ii. Smart features of transmitters can increase diagnostic coverage.
iii. Continuous position monitoring can be used for signature verification of shutdown valves during valve stroking.

3.2. Monitoring of upstream and downstream pressure.

All valve-stroking products primarily use the signature of downstream and upstream pressure for health comparison. Other parameters like flow, levels etc. can also be substituted for pressure if pressure transmitters are not available. In some processes a valid upstream and downstream parameter may not be available for signature comparison. Upstream and downstream tappings may themselves be provided on shutdown valves as standard, like the tappings available on flow meter spools. These tappings will be used only if valid transmitters are not available in the piping. These upstream and downstream pressures are to be transmitted along with valve position.

3.3. Monitoring of Instrument air pressure.

Monitoring of instrument air pressure in the case of pneumatic actuators, and of supply voltage/frequency in the case of electric actuators, is necessary for accurate signature tracing. Provision for installing an additional pressure transmitter/sensor to monitor instrument air pressure is to be provided in the shutdown valve assembly itself. This pressure is also to be monitored during full/partial stroking for this purpose.

3.4. Elimination of Instrument air filter regulator.

Various designers are eliminating safety barriers to increase SIL levels of SIS loops. This is due to higher failure rates and non-availability of certified barriers. Instrument air regulators may also be eliminated from the SIS loop in the same fashion. If instrument air filter regulators are eliminated, installation of instrument air pressure transmitters in every shutdown valve can also be avoided. Instrument air filter regulators also contribute considerably to failures. The instrument air filter regulator on pneumatic shutdown valves can be eliminated if actuators of identical or higher instrument air rating are used. Elimination of regulators may require redundant PSVs (pressure safety valves) on the instrument air header. Filters can also be avoided if proper filtering is done in the air compressor itself. Water in instrument air lines can be avoided by using proper piping and tubing geometry so that water is drained through the instrument air header/volume bottle auto drains. Strainers may be used in place of the filter regulator if objects like piping scale are to be blocked. Strainers do not have higher failure rates.

3.5. Full stroking of SDV instead of partial stroking.

Most of the SDVs in process plants can be tested for full stroke to verify the signature of parameters during operation. By increasing buffering capacity in the process, this can be achieved in most cases. For example, the capacity of a suction tank may be increased to facilitate closure of the discharge valve of a pump for a fraction of time. Increased size of the suction tank and recycling can avoid suction starvation. Provision should be made to stop the test if the valve signature does not follow the healthy path.

3.6 Communication Protocol.

A Multi Variable Transmitter (MVT) with solenoid driving capacity is envisaged for mounting on SDVs. Two solenoid valves may be required in some cases. The communication protocol between the I/O card and the shutdown solenoid valve should have the following features.


[Figure: Conventional shutdown valve instrumentation. Legend: open position switch; close position switch; s = solenoid valve.]

[Figure: Proposed shutdown valve instrumentation. Legend: upstream pressure sensor; downstream pressure sensor; position sensor; instrument air pressure sensor; s = solenoid valve; MVT = multivariable transmitter with dual redundant communication and solenoid driver. Line types: process line; impulse line; electrical cable; dual redundant communication.]

a. Protocol should be dual redundant, with redundancy in the output card, cabling and electronics mounted on the shutdown valve.
b. Protocol should be a one-to-one protocol. Multiple nodes will have limitations in power carrying capacity, data speed, maintainability etc.
c. Protocol should be synchronous. This will increase diagnostic coverage.
d. Protocol should have power carrying capacity to carry sufficient power to operate the solenoid valve. It should have capacity to carry power to multiple solenoids if multiple solenoids are used for the SDV.
e. Protocol should be fast enough to suit the Process Safety Time (PST) requirement of the loop.
f. Protocol should contain process and diagnostic data with suitable resolution. Normally 4 analogue signals are to be sent to the ESD PLC in each packet.
g. Output card of the ESD PLC should have the capability to collect all analogue values and diagnostic data.
h. ESD PLC should have a fast scanning time to suit the PST of the SIS loop.
i. All diagnostic algorithms may be programmed in the ESD PLC or output card. Diagnostic modules and additional hardware in the field may be avoided.

Most of the existing and emerging communication protocols have some limitations for these purposes. This situation may be corrected when power carrying capability and other features are integrated into emerging standards like Foundation Fieldbus and industrial Ethernet. The HART protocol may lack speed and redundancy. RS-232/RS-485 based communication protocols may also lack power-carrying capability and have limitations in speed.


Foundation Fieldbus H1 may lack proper redundancy now. Foundation Fieldbus HSE and industrial Ethernets are yet to come to field instrumentation. These have superb redundancy and speed but lack power carrying capability now. Actuator Sensor Interface (ASI) protocol is a specialized protocol for actuators. It may lack data speed, support for SIL 3 ESD PLCs and MVT capability for this purpose.

4. Summary.

SIL 3 with a single shutdown valve can be achieved by continuous monitoring of valve position, monitoring of upstream and downstream pressure, monitoring of instrument air pressure, using full stroking instead of partial stroking and using a suitable ESD PLC with a suitable MVT and communication protocol. Non-availability of MVTs with a suitable communication protocol and of ESD PLCs with these capabilities may hinder the attainment of these objectives.
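The effect the paper argues for can be put in numbers with the usual simplified low-demand formula, PFDavg ≈ λDU·T/2, split between an online stroke test and the full proof test. This is an added example, not part of the paper: every failure rate, coverage figure and interval is constructed, and it assumes that a full stroke reveals all remaining dangerous failures, which is optimistic because a stroke does not prove tight shut-off.

```python
# Added example: simplified low-demand PFDavg for one (1oo1) shutdown valve.
# All rates, coverages and intervals are constructed, not taken from the paper.
HOURS_PER_MONTH = 730.0
HOURS_PER_YEAR = 8760.0

# Low-demand PFDavg bands: (lower bound inclusive, upper bound exclusive, SIL)
SIL_BANDS = [(1e-5, 1e-4, 4), (1e-4, 1e-3, 3), (1e-3, 1e-2, 2), (1e-2, 1e-1, 1)]

def pfd_avg(lambda_d, dc, stroke_cov, t_stroke_h, t_proof_h, mttr_h=8.0):
    """Average probability of failure on demand of a single valve.

    lambda_d    dangerous failure rate, per hour
    dc          share of dangerous failures revealed by continuous diagnostics
    stroke_cov  share of the remaining failures an online stroke test reveals
    t_stroke_h  hours between online stroke tests
    t_proof_h   hours between full offline proof tests
    mttr_h      hours to repair a failure that diagnostics have announced
    """
    lam_dd = dc * lambda_d
    lam_du = (1.0 - dc) * lambda_d
    return (stroke_cov * lam_du * t_stroke_h / 2.0
            + (1.0 - stroke_cov) * lam_du * t_proof_h / 2.0
            + lam_dd * mttr_h)

def sff(lambda_s, lambda_d, dc):
    """Safe failure fraction: (safe + dangerous detected) / all failures."""
    return (lambda_s + dc * lambda_d) / (lambda_s + lambda_d)

def sil_for(pfd):
    """SIL band a PFDavg falls in; 0 means it does not reach SIL 1."""
    for low, high, sil in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return 4 if pfd < 1e-5 else 0

def compare(lambda_d=2e-6, lambda_s=3e-6):
    cases = {  # name: (dc, stroke_cov, t_stroke_h)
        "limit switches, yearly proof test": (0.0, 0.0, HOURS_PER_YEAR),
        "monthly partial stroke, 70% coverage": (0.0, 0.7, HOURS_PER_MONTH),
        "monitored valve, monthly full stroke": (0.6, 1.0, HOURS_PER_MONTH),
    }
    out = {}
    for name, (dc, cov, t) in cases.items():
        p = pfd_avg(lambda_d, dc, cov, t, HOURS_PER_YEAR)
        out[name] = (p, sil_for(p), sff(lambda_s, lambda_d, dc))
    return out

if __name__ == "__main__":
    for name, (p, sil, frac) in compare().items():
        print(f"{name:38s} PFDavg={p:.2e}  SIL {sil}  SFF={frac:.2f}")
```

With these constructed inputs only the monitored, fully stroked valve lands in the SIL 3 band. Since the paper estimates that shutdown valves contribute up to 50% of loop PFD, the valve figure has to sit well inside the band to leave room for the sensor and logic solver.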
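Sections 3.1 to 3.3 and 3.5 describe comparing a stroke against a healthy signature and stopping the test when the valve leaves it. The sketch below is an added example, not the paper's or any vendor's algorithm: the channel names, tolerances and all traces are constructed, and it shows how the deviating channel separates a sticking stem from a valve that travels fully but does not seal.

```python
# Added example: stroke-signature check with stop-on-deviation.
# Channel names, tolerances and all traces are constructed for illustration.
from dataclasses import dataclass

@dataclass
class Sample:
    t: float         # seconds since the solenoid was de-energised
    position: float  # % open, from the continuous position sensor
    air: float       # instrument air pressure at the actuator, bar
    dp: float        # upstream minus downstream pressure, bar

# Assumed half-width of the healthy envelope around the baseline, per channel
TOLERANCE = {"air": 0.5, "position": 8.0, "dp": 0.6}

def trace(rows):
    return [Sample(*r) for r in rows]

def check_stroke(baseline, live, tol=TOLERANCE):
    """Return ("healthy", None) or ("stop", (time, channel, deviation)).

    Samples are compared in order, so the test stops at the first point that
    leaves the envelope instead of driving a faulty valve to the end of travel.
    """
    for ref, cur in zip(baseline, live):
        for channel, limit in tol.items():
            dev = abs(getattr(cur, channel) - getattr(ref, channel))
            if dev > limit:
                return "stop", (cur.t, channel, round(dev, 2))
    if len(live) < len(baseline):
        # Trace ended early without a deviation: the stroke was never completed
        return "stop", (live[-1].t if live else 0.0, "incomplete", 0.0)
    return "healthy", None

BASELINE = trace([(0, 100, 5.0, 0.2), (1, 80, 4.0, 0.4), (2, 55, 3.0, 0.9),
                  (3, 30, 2.0, 1.8), (4, 10, 1.0, 3.0), (5, 0, 0.2, 4.0)])
HEALTHY = trace([(0, 100, 5.1, 0.2), (1, 83, 4.1, 0.5), (2, 58, 3.1, 1.0),
                 (3, 27, 1.9, 1.7), (4, 12, 1.1, 2.8), (5, 0, 0.2, 3.9)])
# Air vents normally but the stem barely moves
STICKING = trace([(0, 100, 5.0, 0.2), (1, 98, 4.0, 0.2), (2, 97, 3.0, 0.2)])
# Full travel, but differential pressure never builds: the seat is passing
PASSING = trace([(0, 100, 5.0, 0.2), (1, 80, 4.0, 0.4), (2, 55, 3.0, 0.9),
                 (3, 30, 2.0, 1.6), (4, 10, 1.0, 2.1), (5, 0, 0.2, 2.2)])

if __name__ == "__main__":
    for name, live in (("healthy", HEALTHY), ("sticking", STICKING),
                       ("passing", PASSING)):
        print(name, check_stroke(BASELINE, live))
```

The passing-seat case is the one a pair of limit switches cannot see: position reaches closed on schedule, and only the pressure channel shows the fault.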


About the author: The author is an instrumentation and control engineer who has been working with Oil & Natural Gas Corporation of India for 16 years. Prime areas of interest are industrial safety, instrumentation & control, computers and history. 614, Vasudhara Bhavan, ONGC, Bandra (E), Mumbai India 400 051. (O) 91 22 265 99614 (C) 91 93243 59 669 Email: crraju@ongc.net
