Q: We have four liquified petroleum gas (LPG) spherical tanks complete with low-level transmitters connected to the shutdown system to stop the outlet pumps in case of low level, and high-level transmitters providing high level alarm. The following modifications are planned:
- Installation of a new shutdown valve at the inlet of each tank to be closed in case of high level and in case of common planned shutdown (PSD) or emergency shutdown (ESD).
- Installation of new shutdown valves at the outlet of each tank, which will be closed in case of low level in the corresponding tank and in case of common PSD or ESD.
- Installation of a new shutoff valves in the vapor line of each tank. The vapor lines will be connected together to equalize the pressure in the vapor spaces of the four tanks.
- Installation of a new standalone hydraulic control system complete with a dedicated PLC system to manage the operation of the new shutdown system.
- A serial interface between the new PLC and the existing DCS which presently monitors the operation.
- A hardwired interface between the existing ESD/F&G system and the new hydraulic/PLC system.
Now my question is this: Is it allowed from the standard point of view to use the existing level transmitters to control the inlet and outlet shutdown valves? In other words, is it allowed to convert the existing analog level signals from the existing ESD system into digital, and send them as digital input into the new PLC system, or do we have to install new dedicated transmitters?
Ragab Abdel Fattah
A: Firstly, congratulations to all of you for getting rid of the dictatorship in Egypt, and taking your nation's future into your own hands by successfully conducting a free election.
The question you ask is very familiar. I come across it on many projects when users are converting from a semi-manual mode of operation, such as yours, where the DCS automatically stops the outlet pumps on low level, but on high level, it provides no automatic action, only monitors, leaving the closing of valves to the operators or to an automatic control system serving emergency shutdown (ESD). Your choice of operating the new shutoff valves by a separate PLC is a logical one, and your plan to hardwire the PLC to the sensors is the correct one. Given the state of the art and reliability of wireless transmission, I recommend using wireless only for monitoring, but not for control and certainly not for ESD purposes.
Your question concerning the reuse of the existing level detectors and the safest method for interfacing the existing DCS with the new PLC is also often asked. On some projects, I found people getting in trouble by relying on standards, instead of trusting their common sense. In my view, you should always follow your common sense.
Concerning the reuse of existing level detectors, the common sense answer is that using two sensors is better than one! Detecting the occurrence of an unsafe condition by redundant sensors improves safety if either will trigger the ESD action. Naturally, if only one of the two sensors signaled abnormal level and triggered an ESD, then, before the operation is restarted, both sensors should be recalibrated. In other words, the safety integrity level (SIL) of a redundant-sensor-based system is always better than a single-sensor-based one if the above approach is used. Therefore, on the one hand, you should continue using the existing detectors, and, on the other, you should install another set of backup sensors.
The other rule dictated by common sense is that the fewer the number of components between the sensor and the actuated device, the safer the ESD system. Therefore, the new level detector signals should be hardwired directly to the PLC. Naturally, you should also hardwire the DCS outputs to the PLC, so that shutdown will be initiated whenever abnormal level conditions are detected by either sensor.
If you find that a particular standard disagrees with the above two points, it is the standard that should be revised, not the design. In other words, I would keep using the existing level sensors and, in addition, install backup level detectors on each tank. This way, safety will be improved, because each of the level measurements will be redundant, and the cost of adding these backup sensors is small relative to the cost of the project.
I would install non-contacting, radar-type level detectors as the new sensors, and would hardwire them directly to the PLC. I would do that because, this way, we are always measuring the actual level, regardless of the "swelling" that occurs whenever the vapor space pressure drops or the LPG temperature rises. I would install a single, frequency- modulated carrier wave (FMCW) type radar transmitter on the top of each spherical LPG tank and wire it to the PLC, and would continue using the existing level transmitters through the DCS as a backup in the redundant ESD.
I do not know what type level transmitters you have now, but if they are the differential pressure (d/p) type, they do not correct for swelling variations or density changes. They measure weight, not volume. Therefore, if in addition to EDS, you also want to provide weight-based inventory management, weighing is recommended because the radar readings can't be directly used for that purpose.
A: If your goal is to separate the existing S/D systems to comply with IEC 61511/ISA 84-2005 with all these additions of proposed components, keep in mind your risk tolerance levels and company policy. I expect it is in line with industry practices to meet the highest level of safety integrity levels.
Points to keep in mind:
- It is not a good idea to use existing analog transmitters, signals or share them due to common-mode failures, handicapped testing and nuisance trips.
- Using switches in place of independent digital transmitters with self-diagnostic features will limit the availability numbers if you plan to use quantitative methods to validate your design, test frequency and completeness of testing to meet the SIL levels selected. Safety instrumented functions (SIFs), as you well know, depend on calculations based on mean time between failures of components. Published data tables indicate switches at 15 years; digital transmitters at 50 years: smart valves at 100 years; and digital logic solvers at 10,000 years.
- In general, SIF failures are rated at transmitters <40%; logic solvers <10%; and the big contributors, final control elements at <50%. There is no published data regarding human error and wiring mistakes.
- In general, tank farm areas located far from operating areas are considered to be SIL 1 or SIL 0 or SIL-a, depending on the product stored.
- You can eliminate all switches by installing two independent, reliable transmitters with deviation alarms inputting to the DCS and SIS. That kind of system can share to meet SIL 0 requirements, including trip designs.
- The trend nowadays is to avoid islands of PLC operations dedicated to hydraulic systems, alarms and S/Ds. PLCs per se contribute to common-mode failures if they are not triple-redundant systems. It is easier to integrate the systems in DCS, and the standard gives you that flexibility—if you use the right transmitters, test procedures and completeness of testing to meet availability numbers.
- Keep in mind that simple systems with minimum components that are tested frequently are better than complex systems that are not tested, leading owners to face covert failures unforeseen at the time of design.
Many of us here join Béla in complimenting your youth revolution to bring the country to the digital age.
A: The answer to your question, based on the fact that the transmitters are being used as a part of a safety system is, "maybe." You need to do a probability-of-failure analysis and determine what, if any, SIL rating the transmitters can have, and whether they should be used in a safety system at all.
There's no real reason, other than conformance to standards, that you can't do what you want to do—but you're opening yourself to point failures in your control system and safety system simultaneously. I'm a cautious person, and I prefer the "belt and suspenders" approach. I'd put in new transmitters just for the redundancy that provides. The cost of doing so is miniscule in comparison to the cost of the current project, or God forbid, the cost of the damage an overfilled LPG storage vessel could cause.
A: I understand the narrative description to indicate that Mr. Fattah has two limited-range transmitters, one for low-level safety and one for high-level. With a limited range, there is little value or need for correction for change in density.
The general tone of the discussion seems to be that they intend to improve the safety of the system. Adding new limited range transmitters for high and low levels would further reduce the dangers. It all depends on the "value of the measurements." A safety analysis should indicate if the required SIL is satisfied and possibly indicate the need for additional measurements.
There may also be a need for inventory management. For this, a wide-range transmitter based on weight and thus, value, is usually desired.
I believe that inventory control and physical level interlock are measurements that are best separated. Use all the measurements in managing the system, but do not compromise measurement robustness in order to save a few parts.