Temperature is the most measured value in process engineering and therefore suited to the detection of hazardous conditions in plants so that corrective measures can be taken at an early stage. If there are no design or logistic measures that can be taken to prevent a hazard, the temperature measuring point must be designed in accordance with the standards of functional safety for process technology.
What do the standards say for thermometers?
The IEC 61508 standard describes the requirements for SIL devices, for example:
* Eliminate device faults, as far as possible.
* Detect unavoidable faults, if possible.
* Report the detected faults.
Here, it is worth looking at the EN/IEC 61508-4 standard, which says that a SIL classification is only possible when the device is in a position to carry out an evaluation. The standard also shows that the sensor itself (RTD or TC) cannot be evaluated, because the sensor lies outside the limits of the defined system.
A temperature sensor without a transmitter is not able to evaluate its own performance. In effect, a thermometer is only a piece of wire (RTD = a thin platinum wire or TC = two different wires). How can a piece of wire generate an evaluation of its own performance?
Therefore, SIL-classified temperature sensors do not exist. Also, an electronic temperature transmitter without a connected sensor has no useful function. As a consequence, the evaluation of a temperature measuring point can only be made by a combination of sensor and transmitter.
Possible faults in temperature sensors
During the safety-relevant evaluation, four different fault types can be distinguished:
1. (s = safe) Safe faults have no direct influence on the result of a measurement.
2. (d = dangerous) Dangerous faults distort the result or lead to an immediate failure.
3. (d = detectable) Detectable faults can be detected by means of the connected evaluation electronics.
4. (u = undetectable) Undetectable faults cannot be detected at all or only with the help of external auxiliary tools.
An overload may lead to a break in the input conduits or to the failure of a sensor element, which can easily be detected by the connected temperature transmitter. A sensor break is therefore a dangerous but detectable fault for which the abbreviation λdd is used.
Progressive changes in the sensor element are caused by mechanical or thermal overload and also by chemical attack. A temperature transmitter cannot distinguish whether a change in the measured value has been caused by a change in temperature or by a fault. For this reason, drift is a dangerous and undetectable fault, λdu. (The value of λdu has special relevance for the SIL evaluation.)
Specific fault possibilities on resistance thermometers
A short circuit in the sensor, the connecting cable or the plug of a resistance thermometer can be relatively easily detected by a transmitter. Thus, this is a dangerous but detectable fault λdd. If the contact resistance in a 2-wire circuit increases, the indicated value increases as well. This is the reason why this fault is stated as λdd. If only one conduit resistance or contact resistance in a 3-wire circuit changes, an error to a higher or lower value is possible. This is also given as λdd. In a 4-wire circuit, all influences of the connecting conduits, terminals and connectors are compensated. All resistance changes are detected as non-dangerous but undetectable faults, λsu. In a safety-relevant evaluation, this method of connection is rated the highest.
Specific fault possibilities on thermocouples
A short circuit in the connecting cable or in the plug cannot be distinguished from the condition ‘plant is off, internal and external temperatures are the same’. For this reason, this is an especially dangerous and non-detectable fault, λdu. In a thermocouple, all the influences of connecting cables, connection terminals and connectors are compensated. All resistance changes are therefore detected as non-dangerous but undetectable faults, λsu.
Failure probability in thermometers
SIL thermometers are favoured for use in harsh conditions. High temperatures, aggressive, toxic or flammable media and vibrations make the conditions more severe. The statistical probability of failure is indicated as a number of Failures in Time (FIT) units. One FIT unit denotes one expected fault during a sample of one billion hours of operation of all instruments of one specific version in use in the field. Vibrations often occur in process engineering applications since pumps, compressors and wind have an impact on nearly every plant. In technical literature, these conditions are called a ‘high stress environment’.
Theoretical values for the expected fault frequencies
The use of 4-wire resistance thermometers may reduce the frequency of dangerous undetectable faults to a minimum.
Determination of the SIL classification of a thermometer with transmitter
To determine the SIL classification of a thermometer and transmitter, the fault probability and the percentage of safe faults are calculated. The sum of the fault probabilities of transmitter and sensor is used in the formula indicated in the standard: e.g., for a 3-wire Wika Pt100 sensor (real stress) λdu = 60 FIT and for a T32.1S transmitter λdu = 14 FIT, therefore λdu = 74 FIT for the combination.
For a calibration interval of two years, the SIL classifications in the following table can be obtained: (PFD = probability of failure on demand, SFF = safe failure fraction).
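The calculation described above, carried through as an added worked example (not from the original article or from WIKA). It assumes the widely used single-channel (1oo1) approximation PFDavg = λdu × T / 2 with the calibration interval taken as the proof-test interval T, treats the sensor and transmitter combination as a Type B element with hardware fault tolerance 0, and uses constructed values for the safe and dangerous-detected rates, which the article does not give.

```python
HOURS_PER_YEAR = 8760
FIT = 1e-9  # 1 FIT = one failure per 1e9 device-hours

# Low-demand PFDavg bands from IEC 61508: (lower, upper, SIL)
PFD_BANDS = [(1e-5, 1e-4, 4), (1e-4, 1e-3, 3), (1e-3, 1e-2, 2), (1e-2, 1e-1, 1)]
# Architectural limits, Type B element, hardware fault tolerance 0: (min SFF, SIL)
SFF_LIMITS_TYPE_B_HFT0 = [(0.99, 3), (0.90, 2), (0.60, 1)]


def pfd_avg(lambda_du_fit, interval_years):
    """Assumed 1oo1 approximation: PFDavg = lambda_du * T / 2."""
    return lambda_du_fit * FIT * interval_years * HOURS_PER_YEAR / 2


def sil_from_pfd(pfd):
    if pfd < 1e-5:
        return 4  # better than the SIL 4 band; SIL 4 is the highest level
    for lower, upper, sil in PFD_BANDS:
        if lower <= pfd < upper:
            return sil
    return 0  # PFDavg >= 1e-1: no SIL


def safe_failure_fraction(lambda_s, lambda_dd, lambda_du):
    total = lambda_s + lambda_dd + lambda_du
    if total <= 0:
        raise ValueError("failure rates must sum to a positive value")
    return (lambda_s + lambda_dd) / total


def sil_from_sff(sff):
    for minimum, sil in SFF_LIMITS_TYPE_B_HFT0:
        if sff >= minimum:
            return sil
    return 0  # SFF below 60 %: not allowed for Type B at HFT 0


def claimable_sil(lambda_s, lambda_dd, lambda_du, interval_years):
    """The lower of the PFD-based and the SFF-based limit applies."""
    by_pfd = sil_from_pfd(pfd_avg(lambda_du, interval_years))
    by_sff = sil_from_sff(safe_failure_fraction(lambda_s, lambda_dd, lambda_du))
    return min(by_pfd, by_sff)


LAMBDA_DU = 60 + 14               # FIT, sensor + transmitter, from the article
LAMBDA_S, LAMBDA_DD = 100, 700    # FIT, constructed sample values

if __name__ == "__main__":
    for years in (1, 2, 5):
        print(years, pfd_avg(LAMBDA_DU, years),
              claimable_sil(LAMBDA_S, LAMBDA_DD, LAMBDA_DU, years))
```

With these inputs the two-year PFDavg falls in the SIL 3 band, but the constructed SFF of about 91.5 % limits the claim to SIL 2, which is why both figures are calculated.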
Recommendation to the user
The instrumentation of temperature measuring points in safety-critical applications up to 600°C should be carried out using 4-wire Pt100 sensors and modern SIL-certified temperature transmitters. To detect the sensor drift, the thermometer should be mounted in a thermowell in order that it can be properly calibrated at regular intervals.