Oil refineries, chemical manufacturing and processing plants and other facilities have established relatively sophisticated safety systems. These include shut-off valves and automated valve controllers that cause a valve to move from its steady-state or safe processing position (whether open or closed) to an emergency shutdown position. These emergency shutdown valves and controllers must be tested periodically to ensure that they remain operable and responsive to emergency electronic signals, that they can physically move from the steady-state process position to the shutdown position, and that this movement can be accomplished without applying forces beyond a predetermined range.
The prior art has developed hardwired electronic communication systems, including fiber optic systems, that rely on the transmission of electrically-generated signals. These prior art hardwired networks convey the safety demand signal from a safety logic solver (“SLS”) to an emergency shutdown valve or controller. Thus, if a break or failure were to occur in a circuit due to a fire, explosion, falling piece of equipment, corrosion on a terminal block, or the like, the process would either suffer an unnecessary shutdown or be exposed to the risk of a safety demand arising without any means of providing the required isolation and communication with valve controllers and alarm devices (“field process devices”).
As used herein, the term “demand signal” means a characteristic signal that indicates a predetermined dangerous condition that warrants shutting down all or a predetermined portion of the process. Due to the limitations of the prior art communication systems, a degraded or failed signal transmission could lead to a “false alarm,” whereby a demand signal would be generated, creating a nuisance trip or shutdown of the process. As used herein, the term “true demand signal” means a characteristic signal that reflects a dangerous condition such as overheating, a pump failure, a blocked flow line or some other dangerous condition directly related to the industrial process, for which an emergency shutdown is warranted.
The Safety Integrity Level (“SIL”) defines the risk reduction target for a particular Safety Instrumented Function (“SIF”) or emergency shutdown (“ESD”) loop. SIL 1 corresponds to a risk reduction factor of at least 10 (10 to 100), SIL 2 to at least 100 (100 to 1,000) and SIL 3 to at least 1,000 (1,000 to 10,000). The required risk reduction is defined during the Quantitative Risk Assessment (“QRA”) study of the process and involves the application of corporate risk criteria that define the tolerance for risk. The inverse of the risk reduction target is the average Probability of Failure on Demand (“PFD”). The PFD is the principal figure used to quantitatively verify the ability of a given SIF to meet the process safety requirements. It is calculated from the dangerous failure rates assigned to each device that makes up the SIF, together with the prescribed proof-test interval and diagnostic coverage factor for each device; because the sensor, logic solver and final element act in series, the PFD of the loop is the sum of the device contributions. The PFD is used by a system designer, together with the hardware fault tolerance requirements for each SIL defined in IEC 61511 and the process safety time, to configure the field process devices in a way that satisfies the safety requirements.
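The following worked calculation is added here as an illustration and is not part of the patent text. It applies the simplified low-demand equations of IEC 61508 (single channel: PFD = λDU·T/2 + λDD·MTTR) to a three-device ESD loop and maps the result onto the PFD bands of IEC 61511. The device failure rates, coverage factors and the 2% common-cause beta factor are constructed for the example and are not taken from any vendor or from the patent; the function and variable names are likewise the example's own.

```python
"""Simplified PFDavg and SIL verification for a safety instrumented function.

Added illustration, not part of the patent text. Uses the simplified
low-demand equations of IEC 61508 and the PFDavg bands of IEC 61511.
Device figures are constructed for the example.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class Device:
    name: str
    lambda_d: float          # dangerous failure rate, failures per hour (constructed)
    dc: float                # diagnostic coverage: fraction of dangerous failures found online
    proof_test_h: float      # proof-test interval T, in hours
    mttr_h: float = 8.0      # mean time to restore a detected failure, hours (assumed)

    @property
    def lambda_du(self) -> float:
        """Dangerous-undetected rate: only a proof test reveals these failures."""
        return self.lambda_d * (1.0 - self.dc)

    @property
    def lambda_dd(self) -> float:
        """Dangerous-detected rate: revealed online by device self-diagnostics."""
        return self.lambda_d * self.dc


def pfd_1oo1(dev: Device) -> float:
    """PFDavg of a single channel: lambda_DU*T/2 + lambda_DD*MTTR."""
    return dev.lambda_du * dev.proof_test_h / 2.0 + dev.lambda_dd * dev.mttr_h


def pfd_1oo2(dev: Device, beta: float = 0.02) -> float:
    """PFDavg of two redundant channels (1oo2) with a beta-factor common-cause term:
    independent part (lambda_DU*T)^2/3 plus common-cause part beta*lambda_DU*T/2."""
    ldu_t = dev.lambda_du * dev.proof_test_h
    return ldu_t ** 2 / 3.0 + beta * ldu_t / 2.0 + dev.lambda_dd * dev.mttr_h


def sil_for_pfd(pfd: float) -> int:
    """Achieved SIL from PFDavg (low-demand bands of IEC 61511):
    SIL 1: 1e-2 <= PFD < 1e-1, SIL 2: 1e-3 <= PFD < 1e-2, SIL 3: 1e-4 <= PFD < 1e-3."""
    if pfd < 1e-4:
        return 4
    if pfd < 1e-3:
        return 3
    if pfd < 1e-2:
        return 2
    if pfd < 1e-1:
        return 1
    return 0


def example_loop(valve_proof_test_h: float = HOURS_PER_YEAR, valve_dc: float = 0.0):
    """One ESD loop: transmitter + logic solver + valve, each 1oo1.
    Returns (PFDavg of the SIF, achieved SIL, risk reduction factor)."""
    devices = [
        Device("pressure transmitter", lambda_d=2.0e-6, dc=0.60, proof_test_h=HOURS_PER_YEAR),
        Device("safety logic solver", lambda_d=5.0e-8, dc=0.99, proof_test_h=HOURS_PER_YEAR),
        Device("ESD valve and actuator", lambda_d=5.0e-6, dc=valve_dc, proof_test_h=valve_proof_test_h),
    ]
    # The devices act in series: the SIF fails on demand if any one of them
    # does, so the loop PFDavg is the sum of the device PFDavg values.
    total = sum(pfd_1oo1(d) for d in devices)
    return total, sil_for_pfd(total), 1.0 / total


if __name__ == "__main__":
    cases = [
        ("annual valve proof test, no valve diagnostics", {}),
        ("quarterly valve proof test", {"valve_proof_test_h": HOURS_PER_YEAR / 4}),
        ("annual proof test, 80% online valve diagnostics", {"valve_dc": 0.80}),
    ]
    for label, kwargs in cases:
        pfd, sil, rrf = example_loop(**kwargs)
        print(f"{label}: PFDavg={pfd:.2e}  RRF={rrf:.0f}  SIL {sil}")
```

With these constructed figures the valve dominates the loop: tested annually with no diagnostics the SIF reaches only SIL 1 (PFDavg about 2.5e-2), while either a quarterly proof test or 80% online diagnostic coverage on the valve brings the loop under 1e-2 and into SIL 2. Note that sil_for_pfd checks the PFD band only; the hardware fault tolerance and systematic capability requirements of IEC 61511 are separate constraints that a real SIL verification must also satisfy.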
Due to the complexity of the safety instrumented systems of the prior art, the occurrence of faults and defects that cause an unnecessary shutdown of some or all of the systems is not uncommon. The safety systems of the prior art rely on “on/off” logic that does not permit a fault to be distinguished from a true demand signal. Therefore, using prior art protocols, the system must always decide whether to “fail-safe” and possibly experience unwanted nuisance trips, or to “fail-steady” and risk an undetected dangerous failure or condition developing in the industrial process that would prevent operation of the safety function when a real emergency occurs.
A major deficiency in the prior art systems is the lack of a method that will trip the process on a true demand signal only. Trip-on-demand-only systems utilize redundant and diverse communications and embedded logic in safety critical field devices to recognize and trip only on a true demand signal, and to fail-steady when internal failures of the device or of the communications network are detected.
As used herein, the term “field devices” includes sensors and final elements. Final elements include pumps, valves, valve actuators and the like. Sensors include switches and transmitters for monitoring a wide variety of variables, including, but not limited to, valve position, torque, level, temperature, pressure, flow, power consumption, and pH. As used herein, the term “communication faults” means conditions ranging from a complete failure to errors and degradations of the signal that prevent a determination of the true condition of the signal-generating source.
This description employs other terminology that is well known in the process safety instrument field. The preferred hardwired system is known as the Fieldbus Foundation-Safety Instrumented System (“FF-SIS”). The installation of hardwired field instrumentation connected on a one-to-one basis with SLS input/output channels is costly. The use of the safety certified FF-SIS communications protocol provides a multi-drop architecture that reduces installation costs of safety instrumented systems. Field devices of the prior art include very limited device self-diagnostics and definable failure states. Conventionally designed systems lack the ability to distinguish between a true demand signal and a communications fault at the field device level, and must therefore use an “on/off” approach where the process is shut down in response to a true demand signal or a fault in the field wiring, when the system receives an indication (whether true or false) that a signal has changed states.
Because FF-SIS devices share a common hardwired multi-dropped communications segment, there is the potential for an increase in spurious or nuisance process shutdowns (“trips”). Safety certification of the FF-SIS multi-drop communications for safety instrumented systems assumes that upon loss of communications between the SLS and the field devices, the relevant final elements will respond by taking the process to the fail-safe state. While this procedure is “safe,” operators of major oil/gas processing facilities object to the productivity losses that occur with process shutdowns due to communications errors or self-diagnosed device faults. The new FF-SIS protocol does allow the final elements to be configured to “fail-steady” and initiate an alarm at the SLS level, but it falls short of providing a completely redundant and diverse alternative communications path over which the SLS shutdown command can be verified, or over which a loss of communications can be reported to neighboring field sensors and final elements.
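The decision logic that the two preceding paragraphs describe, a final element that trips only on a verified demand and fails steady with an alarm on a detected communications fault, is shown below as an added example; it is not code from the patent or from the FF-SIS specification. It assumes two diverse paths from the SLS to the valve controller, named here “ff-sis” (the multi-drop segment) and “aux-link” (a hypothetical independent link), each carrying frames with a sequence number, a demand bit and a CRC. The watchdog window, the frame format, the policy for a single healthy path and the policy for loss of both paths are all assumptions of the example, and every frame in the trace is constructed.

```python
"""Illustrative trip-on-demand-only decision logic for a final element.

Added example, not code from the patent. A path is considered healthy only
if its newest frame arrived inside the watchdog window, carried a valid CRC
and a strictly increasing sequence number. All frames are constructed.
"""
from dataclasses import dataclass
from typing import Optional, Tuple
import zlib

WATCHDOG_S = 2.0   # assumed: seconds without a valid frame before a path is declared lost


def crc_of(path: str, seq: int, demand: bool) -> int:
    return zlib.crc32(f"{path}:{seq}:{int(demand)}".encode()) & 0xFFFFFFFF


@dataclass(frozen=True)
class Frame:
    path: str
    seq: int
    demand: bool
    t: float       # arrival time, seconds
    crc: int


def make_frame(path: str, seq: int, demand: bool, t: float) -> Frame:
    return Frame(path, seq, demand, t, crc_of(path, seq, demand))


class PathMonitor:
    """Tracks one communications path and its last trustworthy demand state."""

    def __init__(self, name: str):
        self.name = name
        self.last_seq = -1
        self.last_ok_t: Optional[float] = None
        self.last_demand = False
        self.fault: Optional[str] = None

    def accept(self, f: Frame) -> None:
        if f.crc != crc_of(f.path, f.seq, f.demand):
            self.fault = "crc"            # corrupted frame: its demand bit is not trusted
            return
        if f.seq <= self.last_seq:
            self.fault = "sequence"       # stale or replayed frame
            return
        self.last_seq, self.last_ok_t = f.seq, f.t
        self.last_demand, self.fault = f.demand, None

    def healthy(self, now: float) -> bool:
        if self.fault is not None or self.last_ok_t is None:
            return False
        return now - self.last_ok_t <= WATCHDOG_S


def decide(primary: PathMonitor, secondary: PathMonitor, now: float) -> Tuple[str, Optional[str]]:
    """Return (action, alarm); action is "TRIP" or "HOLD" (fail-steady)."""
    healthy = [m for m in (primary, secondary) if m.healthy(now)]
    if len(healthy) == 2:
        if primary.last_demand and secondary.last_demand:
            return "TRIP", None                               # demand verified on both paths
        if primary.last_demand != secondary.last_demand:
            return "HOLD", "demand discrepancy between paths"
        return "HOLD", None
    if len(healthy) == 1:
        good = healthy[0]
        lost = secondary if good is primary else primary
        # Assumed policy: a demand on the one remaining verified path is still a true demand.
        return ("TRIP" if good.last_demand else "HOLD"), f"comm fault on {lost.name}"
    # Assumed policy: loss of both paths is a communications fault, not a demand.
    return "HOLD", "comm fault on both paths"


def run_scenario():
    """Constructed trace: segment break, corrupted frame, then a real demand."""
    p, s = PathMonitor("ff-sis"), PathMonitor("aux-link")
    log = []
    p.accept(make_frame("ff-sis", 1, False, 0.0))
    s.accept(make_frame("aux-link", 1, False, 0.1))
    log.append(decide(p, s, 0.5))                  # both healthy, no demand: HOLD
    # ff-sis goes silent (broken segment); aux-link keeps reporting "no demand"
    s.accept(make_frame("aux-link", 2, False, 1.0))
    s.accept(make_frame("aux-link", 3, False, 2.0))
    log.append(decide(p, s, 3.0))                  # prior-art fail-safe would trip; here HOLD plus alarm
    # a corrupted ff-sis frame that reads as "demand" is rejected by its CRC
    ok = make_frame("ff-sis", 2, True, 3.5)
    p.accept(Frame(ok.path, ok.seq, ok.demand, ok.t, ok.crc ^ 1))
    s.accept(make_frame("aux-link", 4, False, 3.6))
    log.append(decide(p, s, 4.0))                  # still HOLD: a corrupted bit is not a true demand
    # the SLS now issues a real demand on both paths
    p.accept(make_frame("ff-sis", 3, True, 5.0))
    s.accept(make_frame("aux-link", 5, True, 5.1))
    log.append(decide(p, s, 5.5))                  # TRIP
    return log
```

The CRC and sequence checks here catch corruption, loss and accidental replay, which is the fault model the text is concerned with; they give no protection against a deliberate attacker on the segment, for which the frames would need a keyed message authentication code rather than a CRC. The two assumed policies (trust a single verified path; hold on loss of both) are the points a real design would have to settle against the process safety time, since holding steady with both paths down leaves the valve unable to act on a genuine demand until communications are restored.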
It is the conventional design practice of the prior art to connect field devices (i.e., sensors and final elements) to an SLS or certified programmable logic controller via hardwired networks on a one-to-one basis. Benefits of FF-SIS include a significant reduction of the installed cost of safety instrumentation due to multi-drop wiring, improved capabilities of each field device to detect potentially dangerous internal failures (“device self-diagnostics”), and the ability to communicate detected faults directly to the SLS (“field device-logic solver integration”).
With conventional systems, field device faults are detected only during scheduled “proof testing,” typically performed at quarterly or annual intervals. A dangerous failure that occurs between two tests therefore remains latent until the next test, which is why the proof-test interval enters directly into the PFD calculation. The field devices of the prior art cannot perform self-diagnostics at the field level and communicate their respective “health” or operational status back to the SLS over a safety certified communications network.
It would therefore be desirable to provide an improved safety instrumented system, whereby device failures are communicated to the SLS in “real time” so that corrective action can be taken, avoiding false tripping and the associated economic costs that come with process disruptions.