Emerson’s Mike Boudreaux pointed me to a great blog post by exida’s Principal Partner, Dr. William Goble. The post, I Don’t Want No D*** Diagnostics! describes how automatic diagnostics in a safety-rated transmitter led to a false trip, much to the displeasure of the impacted control engineer and plant staff.
Dr. Goble describes the incident:
The transmitter diagnostics were annunciated by sending the analog current out of range. In this case, the current went to 3.6 milliamps. The problem was that the logic solver was configured for a low trip and did not recognize out of range signals as a diagnostic alarm. It interpreted the signal as a trip condition. The safety instrumented function (SIF) worked perfectly. It did the job for which it was programmed.
…how could anyone not want a product that can tell them when it fails? The answer: When the system is programmed to trip on a diagnostic and trips are NOT WANTED!
He also points out that:
…there are those who demand that every diagnostic alarm cause a trip. “It is the safest thing to do,” I have heard. But is it?
Dr. Goble concludes:
Please be careful when you design a SIF. Take full advantage of new product features like diagnostics that significantly improve safety. But be careful that you understand how the products work and design the parts of the system to play well with others.
In an earlier post, Using HART Diagnostics in Safety Instrumented Systems, we discussed how these diagnostics can be used to provide early warning before a safety trip is initiated.
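To make the failure mode concrete, here is an added illustration of the logic solver's input handling (example code written for this post; it is not code from Emerson, exida or the transmitter vendor). The 3.6 mA value comes from Dr. Goble's account; the other band limits (3.8 to 20.5 mA as the measurement span, at or below 3.6 mA or at or above 21 mA as a fault annunciation) are assumed from the NAMUR NE43 convention, and the 7.2 mA trip setpoint is a constructed value. The naive configuration compares every current against the low setpoint, so the diagnostic annunciation trips; the diagnostic-aware version classifies the band first and only makes the trip decision on a genuine measurement, leaving "trip on fault" as an explicit design choice.

```python
from dataclasses import dataclass
from enum import Enum

# Signal bands in mA, per the NAMUR NE43 convention (assumed; the post only
# gives the 3.6 mA value the transmitter drove its output to).
FAULT_LOW_MAX = 3.6      # <= this: transmitter is annunciating a detected failure
UNDERRANGE_MIN = 3.8     # 3.6 < mA < 3.8: measurement below span, not a fault
OVERRANGE_MAX = 20.5     # 20.5 < mA < 21: measurement above span, not a fault
FAULT_HIGH_MIN = 21.0    # >= this: transmitter is annunciating a detected failure


class Signal(Enum):
    VALID = "valid"
    UNDERRANGE = "underrange"
    OVERRANGE = "overrange"
    FAULT_LOW = "fault_low"
    FAULT_HIGH = "fault_high"


def classify_current(ma: float) -> Signal:
    """Sort a raw loop current into measurement vs. diagnostic bands."""
    if ma <= FAULT_LOW_MAX:
        return Signal.FAULT_LOW
    if ma >= FAULT_HIGH_MIN:
        return Signal.FAULT_HIGH
    if ma < UNDERRANGE_MIN:
        return Signal.UNDERRANGE
    if ma > OVERRANGE_MAX:
        return Signal.OVERRANGE
    return Signal.VALID


def to_engineering(ma: float, lo: float, hi: float) -> float:
    """Linear 4-20 mA scaling to engineering units (lo at 4 mA, hi at 20 mA)."""
    return lo + (ma - 4.0) / 16.0 * (hi - lo)


@dataclass(frozen=True)
class SifDecision:
    trip: bool
    diagnostic_alarm: bool
    reason: str


def naive_low_trip(ma: float, trip_setpoint_ma: float) -> SifDecision:
    """The configuration described in the post: any current below the low
    setpoint is a trip, so the 3.6 mA diagnostic annunciation trips too."""
    if ma < trip_setpoint_ma:
        return SifDecision(True, False, f"{ma} mA below low setpoint")
    return SifDecision(False, False, "in range")


def diagnostic_aware(ma: float, trip_setpoint_ma: float,
                     trip_on_fault: bool = False) -> SifDecision:
    """Separate the trip decision from diagnostic detection.

    Only an in-band current is compared against the low setpoint. A fault
    band raises a diagnostic alarm; whether it also trips is a SIF design
    choice (trip_on_fault), which is the question the post raises.
    """
    band = classify_current(ma)
    if band in (Signal.FAULT_LOW, Signal.FAULT_HIGH):
        return SifDecision(trip_on_fault, True,
                           f"transmitter fault annunciation ({band.value}, {ma} mA)")
    if band in (Signal.UNDERRANGE, Signal.OVERRANGE):
        # Out of span but not a fault signal: still a real measurement, so the
        # trip comparison stands, and maintenance is told the loop needs a look.
        return SifDecision(ma < trip_setpoint_ma, True,
                           f"measurement {band.value} ({ma} mA)")
    if ma < trip_setpoint_ma:
        return SifDecision(True, False, f"{ma} mA below low setpoint")
    return SifDecision(False, False, "in range")


def replay(readings, setpoint_ma: float = 7.2):
    """Run both configurations over a list of currents (constructed sample)."""
    return {ma: (naive_low_trip(ma, setpoint_ma), diagnostic_aware(ma, setpoint_ma))
            for ma in readings}


if __name__ == "__main__":
    # Constructed scan: normal level, genuinely low level, the 3.6 mA
    # annunciation from the post, and a high-side fault, on a 0-100 % span.
    for ma, (naive, aware) in replay([12.0, 6.5, 3.6, 21.8]).items():
        print(f"{ma:5.1f} mA ({to_engineering(ma, 0, 100):6.1f} %): "
              f"naive trip={naive.trip}  aware trip={aware.trip} "
              f"alarm={aware.diagnostic_alarm}  {aware.reason}")
```

The point of the split is that the two outcomes the post contrasts, a real low process value and a transmitter reporting its own failure, arrive on the same wire and differ only in which band the current sits in; once the logic solver names the band, "inform" versus "trip" on a fault becomes a documented configuration decision rather than an accident of the low setpoint.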
Mike provided his thoughts in a comment on Dr. Goble’s post [hyperlinks added]:
Regarding your point about tripping on diagnostic detection of a failed device, IEC 61511-1, section 11.3 provides guidance for providing “continued safe operation of the process while the faulty part is repaired.” Why shut down the process if you can detect a failure and safely repair it online? False trips can actually negatively impact safety and tripping the process very often is not “the safest thing to do” because you go from normal operation to transient operating states.
According to a study referenced in a Chemical Processing article, Tame Your Transient Operations, “A typical refining or petrochemical facility will spend less than 10% of its time in transient operations — yet 50+% of process safety incidents occur during these operations. Deficiencies in procedures and employee training often are cited as root causes of these incidents. The increased reliability and extended turnaround intervals of plants result in less familiarity with tasks outside of normal operations. So, while it’s critically important to follow procedures during transient operations, a high percentage of procedural violations are found to occur during them.”
Are you using diagnostics in your safety instrumented functions and if so, are they configured to trip or inform?