Emerson’s David Sheppard, a certified functional safety expert, passed along a great story of a recent refinery incinerator startup. Over the course of a week, the incinerator was taken down so that the emergency shutdown system (ESD) and process control-related instruments could be cut over. By the end of the week, the loop tests were completed and the safety instrumented system (SIS) proof test procedure was executed that evening. The incinerator was started up under DeltaV basic process control system (BPCS) and DeltaV SIS control the following morning.
Management of change (MOC), part of the IEC 61511 safety lifecycle, plays a large role in these projects. In an article, Can you safely “grandfather” your SIS?, the author highlighted this relationship:
Changes that potentially impact the SIS requirements should be evaluated through a MOC process.
David relayed an incident where there was the need for an emergency MOC to add safety logic to ignore a high, out-of-range instrument. Three pressure transmitters had a range of 0-12 PSI, with the incinerator normally operating at 6 PSI. Any pressure below 0.5 PSI causes a safety trip. The operations team questioned how high the pressure would spike (potentially above 30 PSI) during startup or when the other incinerator was brought online or shut down.
The team was concerned that the out-of-range transmitters would cause a safety trip condition. The other incinerator was to be taken down for cutover the following month, and if this incinerator were to trip, then the refinery wouldn’t have either one running. This would have really disrupted the refinery’s production, hence it was a very hot topic.
Ultimately, David and the team found that the pressure instruments were calibrated 0-300 PSI. So, the SIS would not trip if the pressure spiked above the transmitter range of 0-12 PSI. The team was able to pump the three transmitters up to 100 PSI and demonstrate that the smart HART-based transmitter’s 4-20 mA process variable (PV) sent a saturated value but not a “BAD” value, since they had the channel configured to ignore the PV saturated condition and PV disparity. While the saturated analog PV corresponded to 12.6 PSI, the digital HART value correctly read 100 PSI and an AMS Alert was sent that the PV was saturated.
Using the combined DeltaV SIS, HART transmitter, and AMS Device Manager software, the team was able to demonstrate the system would not trip. This safe but abnormal high condition was detectable. Knowing this fact helped to alleviate the concerns about a major process upset when the next incinerator was to be cut over.
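The behaviour described above can be sketched as a simplified model. This is an added example, not code from the post, Emerson, DeltaV SIS or AMS Device Manager. The 20.8 mA saturation level is inferred from the 12.6 PSI figure, the 1 PSI disparity tolerance and the function names are assumptions, and what a BAD input does to the trip vote is not modelled.

```python
# Added illustration: a simplified model, not DeltaV SIS or AMS logic.
RANGE_LO, RANGE_HI = 0.0, 12.0  # PSI, analog range given in the story
TRIP_BELOW = 0.5                # PSI, low-pressure trip given in the story
SAT_HI_MA = 20.8                # inferred: 20.8 mA scales to the quoted 12.6 PSI
DISPARITY_PSI = 1.0             # assumed analog-vs-HART tolerance


def ma_to_psi(ma):
    """Scale a 4-20 mA loop current linearly onto the 0-12 PSI range."""
    return RANGE_LO + (ma - 4.0) / 16.0 * (RANGE_HI - RANGE_LO)


def evaluate_channel(ma, hart_psi, ignore_saturation=True):
    """Return analog PV, channel status, low-pressure trip demand and alert."""
    analog = round(ma_to_psi(ma), 2)
    saturated = ma >= SAT_HI_MA
    disparity = abs(hart_psi - analog) > DISPARITY_PSI
    # With the "ignore" option off, saturation or disparity marks the input BAD.
    bad = (saturated or disparity) and not ignore_saturation
    return {
        "analog_psi": analog,
        "status": "BAD" if bad else "GOOD",
        "trip": analog < TRIP_BELOW,  # only the low-pressure condition trips
        "alert": "PV saturated" if saturated else None,
    }


if __name__ == "__main__":
    # Constructed samples: (loop current in mA, HART digital PV in PSI)
    samples = [(12.0, 6.0), (20.8, 100.0), (4.5, 0.4)]
    for ma, hart in samples:
        print(ma, hart, evaluate_channel(ma, hart))
    # Same saturated reading with the ignore option switched off
    print(evaluate_channel(20.8, 100.0, ignore_saturation=False))
```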
Overall, the team was able to start up on schedule without the need for the emergency MOC. The ability to take advantage of the HART diagnostics in the safety instrumented functions helped the refiner avoid process upsets, maintain the tight cutover schedule, and gain confidence for the upcoming incinerator cutover.