This website uses cookies primarily for visitor analytics. Certain pages will ask you to fill in contact details to receive additional information. On these pages you have the option of having the site log your details for future visits. Indicating you want the site to remember your details will place a cookie on your device. To view our full cookie policy, please click here. You can also view it at any time by going to our Contact Us page.

Using HART To Improve Safe Failure Fraction (SFF) in Protective Measures

Author : Peter Russell, Manager, Evaluation International

14 June 2010

Evaluation International (EI) is a technology club for large scale users of instruments for measurement and control. In the 2009-10 EI Evaluation Programme, there was a project on the evaluation of the Moore Industries HIM (HART Interface Module) working in conjunction with the Yokogawa EJX pressure transmitter.

Yokogawa EJX110A pressure transmitter and Moore Industries HIM (HART Interface Module)
Yokogawa EJX110A pressure transmitter and Moore Industries HIM (HART Interface Module)

The evaluation was requested by Sellafield Ltd. and was of interest to other EI members. After competitive tendering the work was awarded to SP in Sweden and the project went ahead with the full cooperation of Moore Industries and Yokogawa.

Many EI members wish to comply with international safety Standard IEC 61508- Electrical, electronic and programmable electronic systems in safety applications. That standard requires that instruments used in Protective Measures are proved suitable for use.

EI Members wished to show, by the use of simulation testing (and other reliability data not part of this testing), that the combination of a Moore Industries HIM converter, a Moore Industries STA (Safety Trip Alarm) trip-amplifier and a Yokogawa EJX110A pressure transmitter would be suitable for use up to Safety Integrity Level 2 (SIL2).

The key to this is the use of diagnostics via HART.

The HIM, STA and the EJX110A are purpose-built process instruments. EJX and STA are designed to comply (by differing methods) with IEC61508 at typically SILs 1 and 2. They both contain firmware. Therefore extended testing is just one part of a suitable method of underwriting safety claims made about the combination.

Overall objective of the test

The overall objective of the test programme was to –

Determine that the combination is reliable in use, thus helping establish a low PFD (probability of failure on demand) for the combination.

Determine that known/foreseeable faults were revealed/diagnosed or/and cause the HIM, STA and/or the EJX to ‘fail-safe.’

Outside the scope of the Test House, members also have access to QA data and in-service history data. These data will be used with the results from this test to establish that the combination is suitable for use in Protective Measures.

Typical functionality

The EJX110 is a modern ‘smart’ differential pressure transmitter used in various applications such as flow, level and pressure measurement. It features very comprehensive internal diagnostics. Its output signal is

* 4 to 20mA analogue signal. The analogue output can only be assigned to the actual measured variable (i.e. the differential pressure); and

* HART signal. The HART signal can carry a variety of data, these include the differential pressure, the static pressure, various status and various diagnostics.

Moore Industries STA (Safety Trip Alarm)
Moore Industries STA (Safety Trip Alarm)

The HIM is a modern ‘smart’ signal processor used in various applications such as deriving discrete switch points from the analogue or HART signals.

Its outputs can be configured to be two off analogue 4 to 20mA outputs and two off discrete (relay clean-contact) outputs.

Both the above can be assigned to various data on the incoming EJX110 HART signal.

In the ‘brand-new’ STA, a 4 to 20mA dc signal passes through the trip-amplifier. Inside the trip-amplifier it is monitored to give three off outputs (channels). The channels act in the following way.

Channel 1 will either de-energise or energise (user selectable) a relay if the signal is above or below a value set by a front panel adjustment.

Channel 2 will either de-energise or energise (user selectable) a relay if the signal is above or below a value set by a front panel adjustment.

Channel 3 will de-energise a relay if the trip-amplifier power supply is lost or will de-energise the relay if the input is below 3.8mA or above 20.5mA (NAMUR NE43).

Thus, the combination of the EJX110 diagnostics and the HIM’s ability to act upon those diagnostics, together with the STA functions offer the potential for very comprehensive, powerful and convenient use in Protective Measures (i.e. functional safety applications).

Imagine that the EJX110 is measuring a safety critical process pressure.  Above a (for example) high pressure the STA trips a process to the safe state.

However; imagine that the EJX110 itself became faulty and unable to measure the process pressure correctly. The loop may now be compromised. The EJX110 will reveal such diagnostics on the HART signal and the HIM would be able to trip the process to the safe state. The ‘Safe Failure Fraction’ (SFF) of the whole loop is thus high.

Tests important to EI

‘Adverse effect’ is not detecting a high pressure or revealing adverse diagnostics correctly within 10 seconds.

The objective of the majority of the EI tests is to determine that the combination works reliably, even in the presence of known/foreseeable faults.

EI seek to prove reliable working; during

* Basic Functionality (i.e. normal working);
* Various Static Pressures;
* Power blackouts;
* Power brownouts;
* RFI;
* Fast transient measurements (often called fleeting alarms);
* Effects of Additional/Status bytes;
* Effect of Configuration Bit Changed;
* Statistical testing;
* Rogue Data writes from the HIM to the EJX;
* Accidental mis-configuration.

The testing was done during 2009 at SP Labs in Sweden.
The testing was done during 2009 at SP Labs in Sweden.

In essence, the combination must always

* Detect genuine high pressure or adverse diagnostics and give correct response;
* Where detection is compromised, be fail-safe;
* Resist outside interference from a small selection of environmental sources; or if it cannot resist them, it must fail-safe;
* Not allow erroneous operation or reconfiguration but fail-safe in such events.
*
 However; there is no requirement that the combination be completely ‘fool-proof’, the expectation is that the combination would be designed, installed, commissioned, and maintained by qualified staff.

Conclusions

All three instruments performed exactly as the manufacturers data sheets specified. The EJX110 output various diagnostic information over HART and the HIM was able to read and act upon that data. The EJX, HIM and STA formed a very reliable monitoring and trip circuit.

The use of such HART diagnostics offers the opportunity for instrument loops to achieve very low PFDs and high SFFs. EI Members will continue to investigate their use in applications on their plants.


Evaluation International

Evaluation International (EI) is a technology club for large scale users of instruments for measurement and control. EI works with sister organisations in France (EXERA) and The Netherlands (WIB) to represent almost 100 major instrument user companies worldwide. In the UK, the present membership is oriented towards the energy and defence industries with members including AWE, BAE Systems, BP, British Energy, Magnox, Rolls-Royce, Sellafield Ltd and URENCO ChemPlants. Instrument manufacturers are not eligible for membership of EI but are usually pleased to loan equipment for evaluation and sometimes part-fund the projects although the independence of the evaluation is strictly maintained.

EI's work is driven by its members' requirements for independent and sometimes unusual instrument evaluations. The EI Manager arranges and project manages independent evaluations of instruments as required by members or groups of members. Evaluation work is carried out by accredited laboratories and university departments including the Technical Research Institute of Sweden (SP). SP's involvement in EI's work is related to 15 Swedish companies being members of EI but is dependent on SP's reputation as the National Metrology Institute of Sweden. Evaluation work in the UK is carried out by national laboratories such as NPL, TUV-NEL and NWML as well as SIRA and university departments at Cranfield and Cambridge.

Increasingly, EI members have interests in software evaluations, IEC 61508 compliance and SIL ratings and this type of work has been carried out for EI members by specialist companies such as Cygnet Solutions Ltd.

EI, WIB and EXERA together produce about 50 reports per year of which about two thirds are concerned with the evaluation of specific instruments. The remainder are more general surveys and selection guides. EI members will receive all 50 reports as the principal benefit of membership. Members are also able to search a confidential database of about 1500 reports and this facility is increasingly used for legacy work. For example, one member has just requested copies of 75 flow meter reports going back to the 1980s.

The EI membership annual subscription is less than the cost of a single typical instrument evaluation.

For more information on Evaluation International, click here: www.evaluation-international.com


Contact Details and Archive...

Most Viewed Articles...

Print this page | E-mail this page