The Practice of Safe Sensing

15 April 2009

Safety-certified sensors promise to cut costs and boost performance. But the tradeoffs must be carefully considered.

A loading bay for Shell petroleum products in the U.K. makes use of safety-certified mass flowmeters. Photo courtesy of Endress+Hauser.
A loading bay for Shell petroleum products in the U.K. makes use of safety-certified mass flowmeters. Photo courtesy of Endress+Hauser.

Today, sensors can be certified by third parties to meet safety integrity levels, or SIL, designations found in IEC 61508. One positive result of this is the potential to use fewer sensors without compromising safety, leading to a decrease in wiring and installation costs. Another positive effect is the potential for improved process control, largely due to increasingly intelligent sensors.

“Certified products deliver higher design quality,” asserts William Goble, principal partner and co-founder of exida, ( a company that offers functional safety training, technical support, and expertise. This better design is due not to success but rather to failure, he notes. “Nearly half of the products that attempt certification fail on the first try. Only when the design process is improved and diagnostics are added do they pass.”

His company’s data show that the number of certified sensors has exploded in recent years, with the cumulative total of such devices moving from five in 2003 to eight in 2005 and 24 in 2007. There have been indications that vendors are converting, or will soon convert, entire future sensor lines to certified products. Goble notes that taking full advantage of such sensors will require that systems be configured correctly.

For example, running diagnostics in certified sensors may send the reading out of range. An incorrectly configured controller will interpret this as a fault, shutting down the process unnecessarily. A better approach would be to implement a hold-last-value strategy, with action taken only if a reading stays out of range for longer than a specified time.


Siemens was one of the first companies to offer a certified sensor. Louis DiNapoli, an application engineering and technical support manager for the Siemens process instrumentation unit that makes safety certified sensors, notes several ways these sensors differ from non-certified equivalents.

For example, they often contain two microprocessors, from different vendors, which are based on different technology and implementations. Each microprocessor takes input from the transducer and the results of the two different calculations can then be compared, with similar results ensuring that the microprocessors are performing correctly. Another failsafe feature of the new sensors includes the ability to force the sensor via software to a predetermined level, such as 80% of full scale. This result can then be measured and compared to what’s expected, providing another indication that the sensor is working correctly.

A key point to be aware of regarding these features is that they do not function to ensure a correct sensor reading. They also don’t prevent a failure.

But, notes Mr. DiNapoli, that’s not what a safety-certified sensor is designed to achieve. “You don’t care that it fails. You care that it fails in a known fashion,” he says. What is transmitted in the case of sensor failure is a known, pre-determined quantity, allowing that failure to be detected. Of course, the system has to be configured not only to detect the fault but also not act on the value, since it is the result of a failure.

Safety-certified mass flowmeters are used in the oil and gas industry. Photo courtesy of Endress+Hauser
Safety-certified mass flowmeters are used in the oil and gas industry. Photo courtesy of Endress+Hauser

While internal computations and values transmitted to the outside world are checked, sensor systems may have only one transducer in them. This is where it is most difficult to assure reliable operation, in part because there’s only one process measurement. Since there is nothing to provide a check or reference, assurance has to be inferred.

However, increasing intelligence, along with some sophisticated algorithms, may make such indirect checking easier to do so. For example, sensors can have registers that count every time the pressure goes above one of three set points. One of those points could be the process design maximum. From those counts, a simple histogram could reveal important information, such as the process being above design maximum pressure a majority of the time. These types of results may indicate a design flaw or a control system isn’t working well.


Gerold Klotz-Engmann, head of the department of technical safety for Endress+Hauser’s German sales center, says all new product designs will meet the IEC 61508 standard. Achieving that requires self diagnostics so that passive internal component faults can be spotted, along with steps to ensure there are no software glitches or problems.

System architecture determines how many compliant sensors should be used in an application. For example, if a SIL 2 level is required, then the situation is relatively simple, he says. “Normally a single channel architecture with a SIL 2 compliant sensor is sufficient.”

Things get more complicated if a higher level of safety is required. Then it may be necessary to use two or three sensors, with the sensors voting to arrive at a consensus measurement. The advantage of the three sensor arrangement is increased safety and greater availability, since the trio will continue to provide information even if one or two sensors fail.

Carl Sonoda, marketing manager for field instrument solutions at the Yokogawa Electric Corporation of Tokyo, says the company’s first certified sensor appeared in 2003. Today, Yokogawa has a series of temperature sensors, pressure transmitters, and multivariable transmitters, all safety-rated and designed to achieve a SIL 2 or 3 performance.

The best practice for a safety loop design, he notes, is to use multiple transmitters, with each voting. Adding to redundancy costs are the number of devices, wiring, post-installation testing, and ongoing maintenance.

A safety-certified transmitter helps keep a pharmaceutical process running smoothly and safely. Photo courtesy of Siemens AG
A safety-certified transmitter helps keep a pharmaceutical process running smoothly and safely. Photo courtesy of Siemens AG

A safety-rated device can help reduce the number of sensors required and thereby cut such expenses. “Our IEC SIL 2/3 certified transmitter can provide functionality so that it is possible to use one safety transmitter instead of two standard transmitters,” he says.


The question about how many sensors to use isn’t clear cut. Dale Perry, pressure marketing manager for Rosemount, notes that using fewer sensors is a mixed blessing. Fewer sensors increase the possibility of a false alarm, which carries a cost since it might shut down a process needlessly. Thus, the total outlay of any solution will have to be carefully considered. The correct answer about how to implement a sensor strategy will depend upon many factors in addition to installation and commissioning costs.

Rosemount’s history with safety certified sensors parallels that of other manufacturers. Initially, safety certified products were unique, and they faced a distinctive requirement in that they had to meet the applicable standard. Over time, incorporating the features needed for certification into standard devices became a company best practice. This evolution explains why the price differential between standard and safety-rated sensors has diminished significantly.

However, it may never disappear entirely. A certified device carries extra expenses, not all of which can be found in hardware or software. At Rosemount, for example, Mr. Perry says incoming orders are checked to ensure that all options ordered with the device are within the safety certification scope.

Also, a copy of the product safety certificate, a document listing the certified failure modes, effects, and diagnostic analysis (FMEDA), as well as the device serial number and failure data are shipped with each transmitter. Doing so provides required documentation.

The same intelligence that makes sensors safer increasingly supplies other capabilities, he says. Users demand predictive diagnostics beyond the sensor. They want this functionality because more insight into a process helps prevent abnormal, and potentially unprofitable or dangerous, situations. These demands could lead to changes in safety-rated sensors, says Mr. Perry. “We see these advanced process diagnostics, as well as loop diagnostics, being included in future safety certified products.”

—Hank Hogan for Control Engineering

Contact Details and Archive...

Related Articles...

Print this page | E-mail this page