Using HART Diagnostics in Safety Instrumented Systems

I read Siemens’ Charles Fialkowski’s latest post, “Introducing a non-redundant, redundant SIL 3 solution?”, about their SIL 3 HART I/O card. He discusses how technology has changed so that newer SIL 3-rated safety instrumented systems (SIS):

…don’t require redundancy to achieve high levels of safety. In the past, safety systems required dual, triple or even quadruple redundancy just to achieve high levels of safety.

He points out that advances in technology have allowed diagnostic coverage not possible in earlier SIS designs. He closes his post:

Another common misunderstanding is how these systems address field redundancy (sensors and final control elements). While I can’t speak for the Emerson or Yokogawa system, I do know for a fact that the new Siemens HART analog input module handles redundant field devices just like any dual, triple or quadruple redundant system would.

I thought I’d give the Emerson perspective, so I caught up with DeltaV SIS product manager Mike Boudreaux. He first pointed out that DeltaV SIS has HART I/O, and that the DeltaV SIS logic solvers are SIL 3 certified in simplex (non-redundant) mode and have been since DeltaV SIS began shipping in 2005. Other safety instrumented systems also accept HART I/O, but only to pass the HART data through to asset management systems. DeltaV SIS makes this HART status information available in the logic solver.

Mike noted that only the analog, 4-20mA process variable (PV) is used for the safety instrumented function (SIF). The digital HART PVs are not accessible for use in SIFs, but the device status provided by the HART digital communications protocol is passed along with an analog input in DeltaV SIS. If a HART transmitter detects a problem, the status for an analog input will become “Bad.” Conditions for a Bad status include earth leakage detection, loss of HART communications, device malfunction, and device fixed-loop current, to name a few.

This Bad status can be used in the logic solver. For example, in a multi-transmitter SIF, a voter block can be configured to ignore an input value if it is Bad. In accordance with the international safety standard IEC 61511, this capability can be used to provide continued safe operation of the process while the faulty part is repaired. DeltaV SIS will alert operations of this problem so that the device can be maintained in the specified mean time to repair (MTTR). Alternatively, the voter block can be configured to treat a detected failure as a vote to trip, which provides increased safety.
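The two voter configurations described above, as an added sketch in Python that is not DeltaV SIS code or configuration. The names (`AnalogInput`, `BadPolicy`, `vote`), the high-trip comparison, the degraded-vote rule and the trip when no usable input remains are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class BadPolicy(Enum):
    IGNORE = "ignore"              # drop a Bad input from the vote
    VOTE_TO_TRIP = "vote_to_trip"  # count a Bad input as a trip vote


@dataclass(frozen=True)
class AnalogInput:
    tag: str
    ma: float          # 4-20 mA analog PV, the only value used for the SIF
    bad: bool = False  # Bad status raised from the transmitter's HART diagnostics


def to_engineering(ma, lo, hi):
    """Scale a 4-20 mA signal linearly onto the range lo..hi."""
    return lo + (ma - 4.0) / 16.0 * (hi - lo)


def vote(inputs, trip_limit, m, policy, lo=0.0, hi=100.0):
    """Return True when the M-out-of-N high-trip vote demands a trip."""
    votes = healthy = 0
    for inp in inputs:
        if inp.bad:
            if policy is BadPolicy.VOTE_TO_TRIP:
                votes += 1
            continue  # a Bad input's analog value is never evaluated
        healthy += 1
        if to_engineering(inp.ma, lo, hi) >= trip_limit:
            votes += 1
    if policy is BadPolicy.VOTE_TO_TRIP:
        return votes >= m
    if healthy == 0:
        return True  # assumption: no usable input left, so fail safe
    # Assumption: the vote degrades, e.g. 2oo3 -> 2oo2 -> 1oo1.
    return votes >= min(m, healthy)


# Constructed sample: 0-100 range, high trip at 80, 2oo3 voting.
SAMPLE = [
    AnalogInput("PT-101A", 12.0),            # 50, no vote
    AnalogInput("PT-101B", 17.6),            # 85, votes to trip
    AnalogInput("PT-101C", 4.0, bad=True),   # Bad status from HART diagnostics
]

if __name__ == "__main__":
    for policy in BadPolicy:
        print(policy.name, vote(SAMPLE, 80.0, 2, policy))
```

With the constructed sample, ignoring the Bad transmitter keeps the process running because only one of the two healthy inputs is above the limit, while treating it as a vote to trip reaches two votes and trips.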

When a HART device detects a problem, an alert is displayed on the DeltaV operator station. SIS faceplates and detail displays for HART devices help operators view and manage HART device alarms.

DeltaV SIS also uses the HART communications protocol to enhance partial stroke testing, which validates the operation of the final control element, the most critical component of a safety instrumented function and the one most likely to fail. The logic solver can generate HART commands to initiate a partial stroke test in a digital valve controller. Operators can initiate partial stroke tests manually from their operator workstations, or the tests can be scheduled to occur automatically based on the specified test interval. The results from these tests are captured and integrated with the system event history. An alarm can be generated if a partial stroke test fails, alerting maintenance that there is a potential problem with a valve.

This diagnostic coverage and information feedback to operations provide process manufacturers with better tools for their IEC 61511 safety lifecycle compliance efforts.

Update: Welcome readers of Gary Mintchell’s Feed Forward blog. Thanks for the shout out, Gary!

Posted Monday, June 9th, 2008 under Abnormal Situation Prevention, Final Control Element, Measurement, Safety.
