Asset Management / Intrinsic Safety / Safety Instrumented Systems

When Safety Instrumented Systems Don't Communicate Well with the Rest of the Plant

Troublesome gaps in communication between smart transmitters and older systems can make diagnosing faults a tricky problem.

By John Rezabek

One of three "voting" temperature transmitters connected to the plant's SIS (Safety Instrumented System) indicated a reading 30 degrees less than its two redundant comrades. Voters A, B and C are connected to independent RTD temperature sensors in separate wells to minimize common mode failures, and the three thermowells are within a couple feet of one another in the same process stream. They're also wired to three separate analog input cards, each in a separate chassis of the shutdown system. It's common for voting transmitters in a SIL- (safety integrity level) rated interlock to have a "deviation alarm," just in case no one notices when one of three measurements that should be identical is way off. In our case, 30 degrees was 3% of full scale and not quite enough to trip the "deviation" alarm. But people noticed "one of these things is not like the others," and we were compelled to investigate. Curiously, we acted on our first suspicion―a failing RTD―and wrote a work order for scaffolding to be built so the sensors could be tested and replaced if necessary.

It wasn't till after the scaffolding was up that anyone thought to look at the device's diagnostics in our asset management system (AMS). If we had, we could have saved the facility some not-insignificant time and expense. When we finally looked, we saw the device's HART digital indication was within a degree of what the other transmitters indicated. That's within a tenth of a percent and much less than anyone would quibble with. There was no compelling reason to expect that changing the RTD would have any effect on the error as seen by the safety system. There was clearly something amiss with the 4-20 mA analog output, an investigation that wouldn't need any scaffolding.

See Also: Essentials of Safety Instrumented Systems

What do such episodes of tail chasing, which I think repeat themselves across the process industries, say about our culture? There are two obvious "gaps" where we're weak. One is the lack of any kind of HART or digital integration capability on the part of our 15-year-old shutdown system, which, maybe, could have alerted us to the fact that the analog indication differed significantly from the digital one. This circumstance isn't likely to change, since our heritage analog-only SIS is still reliable, and it appears it will remain well-supported for the foreseeable future. The "deviation" alarm will remain our only useful in-built "diagnostic" for many more years.

Wouldn't end users welcome a path to true digital integration of field devices to their SIS without having to do a wholesale rip and replace of the system?

The other weakness revealed is our reliance on seat-of-the-pants troubleshooting and traditional procedures, while neglecting a wealth of device intelligence afforded through the HART signal. The SIS itself sees only "SCADA" indications; i.e., a 16-bit register (the "digital" conversion of the milliamp signal) devoid of any engineering units, validation or signal quality. But we've installed HART strippers (multiplexers)―others have installed WirelessHART or ISA 100.11 strippers―which should avail us of all of the device's "intelligence.. The asset management system is configured to generate alerts, but the diagnostic coverage of prior-generation devices is less, and even the top shelf "Cadillac" of modern smart temperature transmitters can't compare its pure digital reading to the "converted" analog signal in a legacy DCS or SIS. We assumed the device was "happy," since no alert has ever appeared in the asset management system.

This HART device also reported its analog output―what it thought it was transmitting to the system. After a little scaling we could verify that the milliamps as indicated by the device were correct for the percent of scale. Technicians tested the loop at the transmitter, the field junction box and at the rack room terminations and found no satisfactory explanation why the reading in the SIS was low. We were ready to swap an FTA (field termination assembly), suspecting a faulty dropping resistor, when we decided to switch "B" and "C" in the field junction box. B's reading was fine on C's channel; so it wasn't the wiring or FTA. Quickly surmising the transmitter had a fault, we installed a new one for "C," after which the curious deviation went away.

It's challenging to work on SIS instrumentation when the plant is operation, so the need to close the "low information" gaps by utilization of device intelligence is amplified. And wouldn't end users welcome a path to true digital integration of field devices to their SIS without having to do a wholesale rip and replace of the system?