The other rule dictated by common sense is that the fewer the number of components between the sensor and the actuated device, the safer the ESD system. Therefore, the new level detector signals should be hardwired directly to the PLC. Naturally, you should also hardwire the DCS outputs to the PLC, so that shutdown will be initiated whenever abnormal level conditions are detected by either sensor.
If you find that a particular standard disagrees with the above two points, it is the standard that should be revised, not the design. In other words, I would keep using the existing level sensors and, in addition, install backup level detectors on each tank. This way, safety will be improved, because each of the level measurements will be redundant, and the cost of adding these backup sensors is small relative to the cost of the project.
I would install non-contacting, radar-type level detectors as the new sensors, and would hardwire them directly to the PLC. I would do that because, this way, we are always measuring the actual level, regardless of the "swelling" that occurs whenever the vapor space pressure drops or the LPG temperature rises. I would install a single, frequency- modulated carrier wave (FMCW) type radar transmitter on the top of each spherical LPG tank and wire it to the PLC, and would continue using the existing level transmitters through the DCS as a backup in the redundant ESD.
I do not know what type level transmitters you have now, but if they are the differential pressure (d/p) type, they do not correct for swelling variations or density changes. They measure weight, not volume. Therefore, if in addition to EDS, you also want to provide weight-based inventory management, weighing is recommended because the radar readings can't be directly used for that purpose.
A: If your goal is to separate the existing S/D systems to comply with IEC 61511/ISA 84-2005 with all these additions of proposed components, keep in mind your risk tolerance levels and company policy. I expect it is in line with industry practices to meet the highest level of safety integrity levels.
Points to keep in mind:
- It is not a good idea to use existing analog transmitters, signals or share them due to common-mode failures, handicapped testing and nuisance trips.
- Using switches in place of independent digital transmitters with self-diagnostic features will limit the availability numbers if you plan to use quantitative methods to validate your design, test frequency and completeness of testing to meet the SIL levels selected. Safety instrumented functions (SIFs), as you well know, depend on calculations based on mean time between failures of components. Published data tables indicate switches at 15 years; digital transmitters at 50 years: smart valves at 100 years; and digital logic solvers at 10,000 years.
- In general, SIF failures are rated at transmitters <40%; logic solvers <10%; and the big contributors, final control elements at <50%. There is no published data regarding human error and wiring mistakes.
- In general, tank farm areas located far from operating areas are considered to be SIL 1 or SIL 0 or SIL-a, depending on the product stored.
- You can eliminate all switches by installing two independent, reliable transmitters with deviation alarms inputting to the DCS and SIS. That kind of system can share to meet SIL 0 requirements, including trip designs.
- The trend nowadays is to avoid islands of PLC operations dedicated to hydraulic systems, alarms and S/Ds. PLCs per se contribute to common-mode failures if they are not triple-redundant systems. It is easier to integrate the systems in DCS, and the standard gives you that flexibility—if you use the right transmitters, test procedures and completeness of testing to meet availability numbers.
- Keep in mind that simple systems with minimum components that are tested frequently are better than complex systems that are not tested, leading owners to face covert failures unforeseen at the time of design.
Many of us here join Béla in complimenting your youth revolution to bring the country to the digital age.
A: The answer to your question, based on the fact that the transmitters are being used as a part of a safety system is, "maybe." You need to do a probability-of-failure analysis and determine what, if any, SIL rating the transmitters can have, and whether they should be used in a safety system at all.
There's no real reason, other than conformance to standards, that you can't do what you want to do—but you're opening yourself to point failures in your control system and safety system simultaneously. I'm a cautious person, and I prefer the "belt and suspenders" approach. I'd put in new transmitters just for the redundancy that provides. The cost of doing so is miniscule in comparison to the cost of the current project, or God forbid, the cost of the damage an overfilled LPG storage vessel could cause.
A: I understand the narrative description to indicate that Mr. Fattah has two limited-range transmitters, one for low-level safety and one for high-level. With a limited range, there is little value or need for correction for change in density.
The general tone of the discussion seems to be that they intend to improve the safety of the system. Adding new limited range transmitters for high and low levels would further reduce the dangers. It all depends on the "value of the measurements." A safety analysis should indicate if the required SIL is satisfied and possibly indicate the need for additional measurements.
There may also be a need for inventory management. For this, a wide-range transmitter based on weight and thus, value, is usually desired.
I believe that inventory control and physical level interlock are measurements that are best separated. Use all the measurements in managing the system, but do not compromise measurement robustness in order to save a few parts.