Q: Orifice Sharing with SIS and BPCS
- What is the maximum number of taps that can be placed on an orifice flange?
- I have an orifice flow element and want to connect two differential pressure (DP) transmitters to it, one to serve basic process control system (BPCS); the other, the emergency shutdown safety instrumented system (SIS). Is there any problem with doing this?
- Please also advise if I can connect two DP transmitters to the same orifice flange, using them to provide a SIS system with backup (1oo2). Is there any problem with doing this?
A1: Before answering your specific question, let me make some general observations about sharing the same instrument to serve both normal operation and safety control systems. In this area, SIS standards are confusing and often contradictory. IEC 61511-1, clause 11.2.4 states that the BPCS shall be separate and independent from the SIS to “the extent that” the functional integrity of the SIS is not compromised.
The qualification “to the extent that” destroys the clarity of this requirement and allows for the interpretation that the standard does not always require physical separation. Yet another clause (clause 9.5.2) does seem to require such separation “unless the failure rate is sufficiently small.”
Again, this qualification adds further ambiguity, as it assumes that the failure rate is known, when in most cases it is not. So what is the user to do? Well, we users should understand that such vagueness is not necessarily accidental, but is intended to allow the user to reduce costs. This is unfortunate because in high risk life-safety applications, cost should not be a factor. Therefore, in such cases, override safety control (OSC) should be used instead of SIS.
Now, coming to your specific question, SIS does not give clear-cut rules on component sharing. As you will see from the answers, some experts interpret SIS as allowing the sharing of both the pressure taps and the DP transmitter. Others feel that only the sharing of the pressure taps is allowed, while still others interpret SIS as if it allows the sharing of only the orifice and requires separate taps and transmitters. Remember that these are the answers of highly experienced process control experts.
SIS says that components can be shared as long as the sharing cannot interfere with the proper operation of the safety instrumented function (SIF) loop. This suggests that it is up to the user to decide if a component can or can not be shared. (One might ask: What is the value of a standard that does not tell you what to do?) So how does one make sure that sharing “will not interfere” with the proper operation of the SIF loop? One interpretation is to look at the proposed control system and ask: Will the SIF be able to shut down the process even if the BPCS failed? If the answer is yes (using this interpretation), sharing is allowed.
Because in your case if the BPCS transmitter (Figure 1) were shared and it failed, the SIS would not be able to shut down the process, one should add another DP transmitter on the other side of the orifice flange to serve the SIS loop. Some might consider this as providing 1oo2 backup. Yet, as you will see from the answers that follow, different expert users will reach different conclusions.
My own recommendation (regardless how people interpret SIS) is that, if the process fluid is clean and the pressure taps are not shared, so that mechanical damage or plugging of the lead line connecting the BPCS transmitter cannot affect the operation of the SIF transmitter, the sharing of the orifice plate is OK.
On the other hand, if the process is a critical one and life-safety is involved, overrule safety control (OSC), where no sharing of even the sensing element is allowed, should be applied because damage to the orifice plate itself would affect both loops. Therefore, in that case I would use complete separation, such as using a Coriolis meter in addition to the orifice.
A2: This is a prime example of what you were talking about in the article [Lessons Learned, Nov. 2014, http://www.controlglobal.com/articles/2014/sis-standards-by-committee/]. The standard is so unwieldy it makes finding answers to any question regarding basic design an epic search. It is interesting that I spoke to three SIS experts in my office and received three slightly different answers and interpretations.