Maintain level instrument safety; understand the associated costs
By Bill Sholette, Level Products Business Manager – Northeast, and Craig McIntyre, Chemical Industry Manager, Endress+Hauser
Validating level-instrument safety function requires regular proof-testing. Testing confirms integrity of the level-measurement loop portion and maintains average probability of failure on demand (PFD average) within acceptable limits. Without testing, this value will increase to a point where the instrument no longer meets SIL requirements.
Safety-instrumented systems (SIS) prevent or mitigate hazardous events to ensure safety, prevent facility damage and protect the environment. Level instruments, both switches and transmitters (Figure 1), are certified to a safety-integrity level (SIL) based on their reliability, testing and certifications. These range from low-risk SIL1 to very high-risk SIL4.
For level instruments, one major safety function is detecting overfill conditions. As is obvious, if a level instrument fails, a tank may overflow.
There are two levels of testing. A full-proof test returns the PFD average back to, or close to, the original targeted PFD average. A partial-proof test brings the PFD average back to a percentage of the original.
A full-proof test can be done two ways. In the first, vessel level is raised to the instrument activation point, for functional proof that it still works. The danger is that if the instrument is a critical high (CH) or high high (HH) level sensor for overfill prevention, and it does not activate during the test, a spill is likely!
The American Petroleum Institute (API), in its recommended practices for overfill prevention in above-ground storage tanks (API2350), therefore prohibits testing that raises the level to an unsafe condition. AP12350-2012 also recommends following IEC 61511 methodology in new overfill prevention systems.
The other way
A second approach to full-proof testing removes the instrument from the vessel for testing in a simulated vessel using process materials (Figure 2). There are several considerations. First, the process may need to be taken offline, interrupting production. Manpower is required to run the test, and safety issues may arise with exposing personnel to the process. Finally, process material used for testing must be disposed.
Understand not all level switches can be tested in this manner. Some technologies rely on the reference-to-ground geometry inside the vessel. Removing the instrument will not represent the installed state and will not be a valid test.
The third method is in-situ partial-proof testing, where the level switch or transmitter is “exercised” to ensure that it has no internal problems and all functions are operating properly. In partial-proof testing, the level instrument stays in place for a function test.
A partial-proof test validates integrity and reliability of the SIS sensor subsystem and detects a percentage of potential failures. As such, it does not fully return the PFD to the instrument’s original state. After a given time interval, a full-proof test must be performed (Figure 3). Appropriate use of partial-proof testing justifies extended full-proof test intervals.
There are four categories of failures:
Safe Detected Failures – not dangerous, but detected by the electronics fault monitoring; e.g., a short circuit on the 4 to 20mA output, where current exceeds 20mA, causing a high-level alarm condition.
Safe Undetected Failures – not dangerous, but not detected by the electronics fault monitoring; e.g., a failure leads to an 8mA current which is equal to the alarm current.
Dangerous Detected Failures – dangerous, but detected by the electronics fault monitoring; e.g., a broken diaphragm in a pressure transmitter. The broken diaphragm could result in a valid measured value but internal diagnostics detects failure and provides an alarm.
Dangerous Undetected Failures – dangerous, and not detected by the electronics fault monitoring; e.g., current signal “freezes” between 4 and 20mA, so no warning or safety function is available.
When conducting a proof test, we are not concerned with safe-detected failures, safe-undetected failures or dangerous-detected failures (Figure 4). The total percentage of these equals the Safe Failure Fraction (SFF).
A proof test — partial or full — addresses the dangerous undetected failures. This is done by an instrument functional test. That is, the initiation of a proof test “exercises” the instrument by causing the instrument to perform its intended function. By exercising the output of the instrument, a percentage of the dangerous undetected failures are exercised.
If a dangerous-undetected failure is present, it is exposed by the proof test. For example, if the overfill prevention switch has failed, it won’t emit the high-level alarm expected in a “failed” proof test. A failed proof test requires examination of the instrument for repair or replacement.
The percentage coverage attained with a partial-proof test depends on the percentage of dangerous undetected failures covered by the test. This is done by testing the instrument and results in a percentage of Proof Test Coverage (PTC).
Overfill protection in a tank or vessel is usually accomplished with level switches or level transmitters, and each instrument has a means of performing partial-proof testing. The specific procedures described below for partial-proof testing apply only to Endress+Hauser instruments and are examples. Partial-proof tests vary among instrument manufacturers.
In many critical safety installations, two level switches (i.e., 2oo2) must be used to meet SIL3 requirements. If one switch fails, probability of failure calculations assume that the other switch will continue to operate properly. This is called homogenous redundancy and fulfills SIL3 requirements.
Another solution is use of a single level switch (i.e., 1oo1) that is SIL3 certified. This reduces maintenance and required full-proof testing. The single level switch requires periodic partial-proof testing to ensure that it meets SIL3 requirements throughout its life span, and uses built-in diagnostics to identify operational problems.
For example, the Liquiphant FTL8X point level measurement system can meet SIL3 requirements as it continuously self-monitors tuning-fork frequency and electronics operation. A shift in frequency would indicate possible fork-assembly damage or corrosion. Continuous monitoring also checks the electronic unit and piezo drive and checks for wiring shorts or breaks.
Whenever the switch is powered up — or when an in-situ partial-proof test is initiated — the unit goes through a test sequence. The switch reduces the frequency to the drive coils, vibrates the fork at a reduced frequency and reports the reduced frequency. It also initiates a change in the output state which triggers any loop control elements.
Therefore, the entire unit and associated automation system components are tested, not just the output contacts. This, along with internal circuit redundancy, high diagnostics coverage and high SFF, provides a level switch that meets SIL3 in a single instrument.
Pushbutton for test
The optional Endress+Hauser Nivotester Model FTL825 is a receiver that the FTL8X Liquiphant attaches to. It has a push button to perform the partial-proof test. The Nivotester monitors diagnostics and a continuous live signal that is modulated on the 4-20mA dc current signal being generated by the Liquiphant, which allows attaining a SIL3 rating with one switch.
Diagnostics can be programmed into a Safety PLC; however, the package provides a complete SIL3 Switch.
The combination of continuous monitoring and in-situ testing provides the diagnostic coverage required to reduce the PFD (Probability of Failure on Demand) to meet and maintain SIL3 service.
This partial-proof test attains 99% of the PFD. With yearly partial-proof testing, the requirement for a full-proof test can be extended to 12 years (Figure 5).
The cost savings realized by performing a full-proof test only once every 12 years is substantial. Consider that bringing a process down, performing the full-proof test and restarting the process takes approximately 10 hours. A conservative estimate might be $10,000 per hour in lost production, plus $1,500 for manpower and disposal of material.
Compared to an instrument that requires a full-proof test each year, this translates into a savings of $101,500 per year and $1,218,000 over the 12-year cycle. When multiplied by the number of level switches in a facility, this becomes a substantial savings.
Unlike level switches, level transmitters are rarely rated SIL3. But like level switches, level transmitters must also undergo proof testing. Procedures vary, although full-proof testing still involves removing the transmitter. Since many level transmitters operate from the top down — such as guided wave radar and ultrasonic transmitters — removing and replacing a transmitter may not require a shutdown.
In-situ partial-proof testing can be accomplished with many level transmitters.
The International Electrotechnical Commission’s IEC 61508 standard is a systematic approach for product design and testing in safety-related applications. Level instruments fall under IEC 61508, which applies to manufacturer and suppliers of SIL (Safety Integrity Level) products.
API developed the API2350 standard, which includes recommended practices for above-ground storage vessels containing petroleum products. The NFPA (National Fire Protection Association) also publishes recommended practices for storage of hazardous flammable chemicals.
SIL2-capable devices are certified by the manufacturer and may be evaluated or certified by a third party, such as TÜV or EXIDA. IEC 61508 design capabilities can be certified by a third party. SIL3-capable devices are typically certified by a third party.
Under IEC 61511 (ANSI/ISA 84.00.01 in the U.S.) the lifecycle of the safety system must be managed and documented by the end- user. However, manufacturers can provide products with capabilities that make these tasks simpler and easier, while also reducing compliance costs. ANSI/ISA 2350-2012 references implementation of IEC 61511.
IEC 61511 is being adopted as a standards-based good engineering practice method, displacing older and organization-specific approaches.
End-user testing procedures for maintaining SIL ratings over the life of the instruments vary significantly from one manufacturer to the next. The end-user is ultimately responsible for ensuring the SIL rating of level instruments, but selecting the right instrument eases compliance.