Energize to Trip (ETT) SIFs

For years, the conventional wisdom related to SIF design has been that all safety functions should be de-energize to trip (DET), unless there was absolutely no other way to accomplish the goal of the safety function.  I'm curious if that thinking has changed any recently.  I was in a discussion recently concerning ETT circuits.  The point was made that an ETT SIF has the same safety rating as a DET SIF if the IO cards have supervised circuits and there is a UPS.  The goal of the ETT function is reducing the spurious trip rate, since you do not have power holding the circuit closed.  A large number of spurious trips can be linked to coil burnout on solenoids.  The argument can be made that the process is in its most unsafe state during start-up and shut-down, so spurious trips create a safety hazard and should obviously be minimized without affecting the integrity of the SIF.  I know there are lots of ways to reduce spurious trip rate (2oo2, 2oo3, etc.), but I'm just wondering what people are thinking about ETT, since the diagnostics and supervision on TMR I/O have improved over the years.

I can't make myself get comfortable with ETT functions yet, but I'm just curious what others in the industry are doing and thinking.  It is my belief that 99%+ of the SIFs out there are still DET, but I could be wrong.

3 Replies

  • I would say the basic premise of DET as a standard still holds. While there have been a number of advances in technology to detect component failures, there are still the issues around whether or not those failures will be resolved in a timely manner. SIL Calculations are done assuming repairs are done within a certain timeframe, and going over those assumptions lowers the protection level offered by the SIF.

    Another issue is that most devices are designed to be fail safe when de-energized, so when a device is used for ETT, the dangerous failure rates typically go up (i.e. coil burnout for a DET solenoid is a spurious trip, whereas for ETT it’s a dangerous undetected failure). These higher failure rates make it more difficult to achieve the SIL target.

    A third issue: the failure rate for motive force (typically electrical power and compressed air) must now be considered in the SIF failure rates as well. This also makes it more difficult to achieve the SIL target.

    Finally, IEC 61511 calls for line fault monitoring on all ETT segments of a SIF. This can add complexity to the design, which increases initial costs (additional hardware) and operating costs (additional testing of each component in the SIF.)

    Within the Refining Community, I would say DET is the norm. The best justification for using ETT that I’ve heard is when a spurious trip causes a separate hazard (i.e. a fire suppression deluge valve opening on an offshore platform).

    Greg

  • First off, I agree with what Greg Kramer has stated.

    After 40 years in this business I have seen many changes; sometimes the pendulum swings too far before collective reasoning brings us back to equilibrium.

    For batch processes DET (De-Energize to Trip) is a no-brainer.  For a continuous process like a refinery one needs to think a bit before jumping in.

    First off, on continuous units ETT (Energize to Trip) is a lot easier to work on with the plant running.  We recently did a hot cutover of a BPCS and SIS of a unit while operating.  Basically, we were changing from an ETT to DET architecture for the SIS.  This posed many challenges that had to be worked out ahead of time and addressed so the infrastructure was there to do this online.  Yes, we cut it over without a single trip of the unit from the BPCS or SIS; this Takes PLANNING and is not for amateurs!!!!

    There are many more ETT applications out there than one would think.  As Greg pointed out, the key word is energy; this means basically all the required utilities: electric, compressed air, maybe N2, fire water, cooling water, hydraulic power and even steam may be needed.  For example, if one trips a cat cracker one needs steam to mitigate things. You need to make sure that enough is available.  Same with cooling water, which takes pumping, which is electricity or steam to drive the pumps.  Big motors are usually ETT; that needs to be in the SIL Calculations.  There are just more things that can go wrong with an ETT system than DET.  The unfortunate truth is that all things die or fail; it is just a matter of time.  Murphy’s law will also tell you this will happen when you need them the most.

    What I have been seeing is a bit of compromise.  The top tier clients recognize that one must identify what is Safety Critical in a SIF, especially large SIFs, many of which have dozens of IO.  Emerson has been requiring this for years, while some other engineering firms that are not as involved in doing SIL Calc’s may not recognize the need.  The outputs are divided into different categories. First off, Safety Critical: these are the few final elements that make the process safe by acting.  These must be included in the SIL Calcs.  They are almost always DET. (Murphy’s law)  Now come the secondary actions; these are the actions taken by the SIS that may reduce secondary hazards or put the process in a better state to restart the unit and recover from the trip. Here, the design team has a bit more leeway as to how to accomplish this. An example would be stopping feed to a unit with DET on/off valves.  This can dead head the pumps, which may lead to blowing seals, fire, spills etc.  One may elect to ETT trip those pumps as a secondary action.  Again, a spurious trip of one of those pumps could shut down a unit by itself, so ETT to a non-Safety Critical final element may be acceptable.  Of course, this has to be reviewed and determined to be acceptable, but I am seeing companies do this.

    In summary, I am seeing DET applied almost exclusively to SIL rated SIFs' safety critical final elements. However, some IPLs (Independent Protection Layers) or non-safety critical actions may still use ETT; it needs to be evaluated on a case by case basis.

    Len
    Len Laskowski  PE, CFSE, TÜV CFSE

  • In reply to Len Laskowski:

    Entirely agree with Greg’s and Len’s responses. In my experience with SIS, virtually all cases of ESD or PSD (SIS applications) are implemented DET. As stated, Fire & Gas (F&G – another SIS application) applications commonly utilize normally de-energized loops for initiation, notification and suppression. In addition, I’ve observed normally de-energized loops applied as a layer of protection in mitigating unconfined, toxic water soluble gas release (i.e. HF or NH3) via water monitors or fixed water sprays.

    Comments/Summary:
    - ESD/PSD almost always DET
    - As per Len, some secondary ESD/PSD actions may be safer deployed as ETT
    - F&G or other mitigation layers “beyond” ESD layer are mostly normally de-energized circuits (energize to act)
    - “Energy” is the issue in “Energize”TT; if you rely on electric, compressed air, maybe N2, fire water, cooling water, hydraulic power, steam… it may not be there
    - Line monitoring is required in any ETT application
    - In ETT, “Energy” relied upon should be scrutinized in terms of requirements for redundancy, deployment time and alarming if any issues arise so one can repair within MTTR
    - Frequent testing and comprehensive diagnostics should be deployed
    - Independent means of shutdown/initiation should typically be deployed

    Above all, thoughtful implementation of the IEC 61511 safety lifecycle process from PHA/HAZOP, SIL assignment, LOPA, and SIL calculations (especially), all as input into an SRS that is well written, implemented, and updated/followed for the life of the plant/asset, will capture the above considerations we’ve shared so we may operate both safely and with availability.
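The three points the replies keep returning to (Greg's: coil burnout is a safe failure for DET but a dangerous failure for ETT, line fault monitoring turns it into a detected one, and a SIL calculation only holds if repairs finish inside the assumed MTTR; and the summary bullets: supervise the energy you rely on and alarm it so repair happens within MTTR) can be put side by side in a small calculation. The following Python is an added worked example written for this thread, not code from any poster, Emerson, or a standard; it uses the textbook single-channel (1oo1) approximations PFDavg ≈ λDU·TI/2 + λDD·MTTR and spurious trip rate ≈ λS, and every failure rate in it is a constructed illustrative number, not vendor data.

```python
"""Added example: how the DET/ETT choice reclassifies the same hardware failures.

1oo1 final element, simplified IEC 61508-style approximations:
    PFDavg ~= lambda_DU * TI / 2 + lambda_DD * MTTR
    STR    ~= lambda_S                     (spurious trips per hour)
All rates below are constructed for illustration (per hour), not real data.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class FinalElement:
    name: str
    lambda_coil: float       # solenoid coil burnout / open wiring (constructed)
    lambda_other_du: float   # other dangerous undetected failures (constructed)
    lambda_other_s: float    # other safe (spurious) failures (constructed)
    lambda_energy: float     # loss of motive force: power, air, ... (constructed)
    ett: bool                # True = energize to trip, False = de-energize to trip
    line_monitoring: bool    # IEC 61511 line fault monitoring on the ETT segment
    energy_alarmed: bool     # loss of the energy source raises an alarm


def classify(fe: FinalElement):
    """Split the element's failures into (lambda_S, lambda_DD, lambda_DU).

    DET: losing the coil or the energy removes the holding force, so the
         element trips -> safe (spurious) failure.
    ETT: the same events leave the element unable to act when demanded ->
         dangerous; monitoring/alarming makes them detected (DD) instead
         of undetected (DU).
    """
    lam_s, lam_dd, lam_du = fe.lambda_other_s, 0.0, fe.lambda_other_du
    if not fe.ett:
        lam_s += fe.lambda_coil + fe.lambda_energy
        return lam_s, lam_dd, lam_du
    if fe.line_monitoring:
        lam_dd += fe.lambda_coil
    else:
        lam_du += fe.lambda_coil
    if fe.energy_alarmed:
        lam_dd += fe.lambda_energy
    else:
        lam_du += fe.lambda_energy
    return lam_s, lam_dd, lam_du


def pfd_avg(fe: FinalElement, test_interval_years: float = 1.0,
            mttr_hours: float = 72.0) -> float:
    """Average probability of failure on demand for the 1oo1 element."""
    _, lam_dd, lam_du = classify(fe)
    ti_hours = test_interval_years * HOURS_PER_YEAR
    return lam_du * ti_hours / 2.0 + lam_dd * mttr_hours


def spurious_trips_per_year(fe: FinalElement) -> float:
    lam_s, _, _ = classify(fe)
    return lam_s * HOURS_PER_YEAR


def sil_band(pfd: float) -> str:
    """IEC 61508 low-demand PFDavg bands."""
    if pfd < 1e-4:
        return "SIL 4"
    if pfd < 1e-3:
        return "SIL 3"
    if pfd < 1e-2:
        return "SIL 2"
    if pfd < 1e-1:
        return "SIL 1"
    return "below SIL 1"


# Same hardware numbers (constructed), three wiring philosophies.
DET_SOLENOID = FinalElement("DET solenoid", 2e-6, 5e-7, 3e-7, 1e-6,
                            ett=False, line_monitoring=False, energy_alarmed=False)
ETT_UNMONITORED = FinalElement("ETT, no supervision", 2e-6, 5e-7, 3e-7, 1e-6,
                               ett=True, line_monitoring=False, energy_alarmed=False)
ETT_SUPERVISED = FinalElement("ETT, line monitored + energy alarmed", 2e-6, 5e-7, 3e-7, 1e-6,
                              ett=True, line_monitoring=True, energy_alarmed=True)


def compare(mttr_hours: float = 72.0) -> dict:
    """Return {name: (PFDavg, SIL band, spurious trips/yr)} for the three designs."""
    return {fe.name: (pfd_avg(fe, mttr_hours=mttr_hours),
                      sil_band(pfd_avg(fe, mttr_hours=mttr_hours)),
                      spurious_trips_per_year(fe))
            for fe in (DET_SOLENOID, ETT_UNMONITORED, ETT_SUPERVISED)}


if __name__ == "__main__":
    for mttr in (72.0, 4000.0):   # repair within the assumed MTTR vs. left unrepaired
        print(f"MTTR = {mttr:.0f} h")
        for name, (pfd, band, str_yr) in compare(mttr).items():
            print(f"  {name:40s} PFDavg={pfd:.2e} ({band})  spurious/yr={str_yr:.4f}")
```

Run as written, the unsupervised ETT element loses a whole SIL band relative to DET because coil burnout and utility loss both land in λDU, while its spurious trip rate drops by roughly an order of magnitude, which is exactly the trade the original post describes. Adding line monitoring and an energy alarm moves those failures to λDD and restores the band, but only while the detected faults are actually repaired quickly: rerunning with a 4000 h MTTR (a detected fault left on the "to do" list for months) pushes the supervised ETT design back down a band, which is Greg's point about SIL calculations silently assuming timely repair.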