Standards

Certification

Education & Training

Publishing

Conferences & Exhibits

High Availability Pneumatics

Automation West 2006Long Beach, CA

2

• Speaker:Joseph BonelliSenior Project EngineerAutomated Systems DivisionFesto CorporationJoseph.bonelli@us.festo.com

Presenter

3

High Availability Pneumatics

• How You Can Get Improved Reliability for:

– Your Safety Instrumented System Final Elements

– Your BPCS “Mission Critical” Process Control Valves

– Your Machine Safety Interlocks

4

Why we use a SIS

• Obvious reasons to implement a SIS architecture include:– Preventing unacceptable hazards

– Loss of life– Environmental disaster– Catastrophic loss of capital equipment

• Less Obvious reasons to implement a similar approach in a BPCS or Machine Interlock include:– Preventing a costly process upset from a spurious trip event

– Critical process upset – but still a safe condition– Excessive unplanned maintenance – Complete loss of batch in bio-pharma or chemical processing

– Preventing a hazardous machine condition:– Physical hazard of moving parts– Chemical incompatibility in Semiconductor Equipment

5

Simple SIS Example

From ISA Technical Papers – Accurate Failure Metrics for Mechanical Instruments, By DR. William Goble

6

SIS Basic Terms

• SIS – Safety Instrumented System

• SIL – Safety Integrity Level

• PFD – Percent Failure on Demand

• RRF – Risk Reduction Factor

• DTT – De-energize To Trip, also ETT

• PST – Partial Stroke Testing

• MTTFST – Mean Time To Fail, Spurious Trip

7

Relationship of SIL, PFD and RRF

• Definitions of SILs for Low Demand Mode from BS EN 61508 (Approx less than 1 demand per year)

• SIL Range of Average PFD Range of RRF

• 4 10-5 ≤ PFD < 10-4 100,000 ≥ RRF >10,000• 3 10-4 ≤ PFD < 10-3 10,000 ≥ RRF >1,000• 2 10-3 ≤ PFD < 10-2 1,000 ≥ RRF > 100• 1 10-2 ≤ PFD < 10-1 100 ≥ RRF > 10

• Definitions of SILs for High Demand / Continuous Mode from BS EN 61508 (Approx more than 1 demand per year)

• SIL Range of λ (failures per hour) ~ Range of MTTF (years)• 4 10-9 ≤ λ < 10-8 100,000 ≥ MTTF >10,000• 3 10-8 ≤ λ < 10-7 10,000 ≥ MTTF >1,000• 2 10-7 ≤ λ < 10-6 1,000 ≥ MTTF > 100• 1 10-6 ≤ λ < 10-5 100 ≥ MTTF > 10

8

What are the Main Detractors from Achieving a High SIL Rating?

From ISA Technical Papers – Accurate Failure Metrics for Mechanical Instruments, By DR. William Goble

9

What then are the main failure mechanismsof the final elements?

• For the Actuator:– Excessive Friction – valve locked– Undetected blockage of seating area – cannot seal– Leaking seals – cannot seal– Broken internal mechanical part – spring, stem, etc.

• For the Solenoid:– Electrical Coil Failure – releases actuator in DTT– Failure to shift – fails to move spool, Monday Morning Effect– Unacceptable leakage – typically releases actuator in DTT

• Monday Morning Effect is the most difficult to predict.

10

For the Actuator we have the following

From ISA Technical Papers – Accurate Failure Metrics for Mechanical Instruments, By DR. William Goble

11

Partial Stroke Testing vastly decreases PFD for the Valve and Actuator

From ISA Technical Papers – Accurate Failure Metrics for Mechanical Instruments, By DR. William Goble

This is because the failure mechanisms are almost all wear related and they would be detected during a Partial

Stroke Test. Is this true for solenoids?

12

Does PST significantly reduce the PFD for a Solenoid?

• Yes and No– It is reduced, but not in a significant way because the failure

mechanisms of a solenoid are not easily detected during a PST. Coil failures (spurious trips) are undetectable.

– One reason is because the solenoid in a SIS final element is typically under continuous duty, where the actuator is under almost no duty –being held in place by the solenoid.

• Would you expect to decrease the PFD of a light bulb by quickly cycling the power then returning it to continuous duty for the rest of the week?

13

Some Partial Stroke Methods

• An integrated unit - Digital Process Valve Controller– Uses proportional pressure control to move valve, provides feedback –

calls for independent SIS control solenoid for critical applications.

• Blocking of actuator and trip solenoid– Manual testing method, requires PCV to be “jumped out” temporarily

disabling SIS Loop function. Labor intensive and prone to errors in procedure and potential for permanent disabling of loop if left in place.

• See “Final Element Testing A Way Forward” by Derek Essam –available from the ISA technical papers section at ISA.org– This method is data intensive and the testing apparatus is not clearly

defined, it appears to be stroke feedback with a pressure transducer.

14

SIS Loop with PST Example

From Moore Industries – “Increasing Valve Reliability, By Bud Adler

15

All three methods still rely on the Solenoid to be an integral part of the SIS loop

• This leads to an unacceptable SPURIOUS TRIP Rate (MTTFST)– eg. Light Bulb Analogy – which is NOT increased by the PST.

• Even doubling up the number of final elements does not increase the MTTFST – it actually goes down, getting worse, but at least it increases your SIL rating!

• An increased SIL rating with a vastly increased spurious shut-down and batch scrap rate is an unacceptable cost to your company

• Try to go sell your management on an “upgrade” to the safety of the system that will double your down time frequency!

16

Dang You Just Sold me on PSTNow What?

• Relax, you still need PST – for the Actuator and Process Valve Body

• One process company is trying to gather historical data (10 years worth) that will qualify a digital valve controller for SIL3 without the use of a back-up solenoid to avoid the MTTFST problem.

– They are doing this by installing the DVC to work alone on all SIL3 valves in an entire facility.

– BUT it is NOT located in the US!! Why? – because the US Safety team would not even let them try! – That’s why.

17

Wait A Minute

So…In order to achieve my SIL….AND… have an acceptable MTTFSTfor my process productivity goals…..

• I have to wait 10 years to see if someone else’s process plant (in another country) does not explode?!?!

or….

Maybe through another method just discussed in the ISA panel discussion “Advances in Safe Operations of Control Valves”immediately preceding this tutorial

or……….

18

Simply Plan on the Solenoid FAILINGAnd VOTE it OUT of Your SIS Loop

• Voting techniques for all simple (on/off) logical elements are similar in scope

• They are NOT all similar in method

• All use simple logical elements such as AND, OR, NOR

• Some electrical based techniques REQUIRE detecting faults as an integral part of the logic (IF fault, THEN action)

• Pneumatic Logic based techniques do NOT require detecting faultsas an integral part of the logic. They are a logic solver based directly in the motive force driving the actuator itself.

• NOT all methods are costly solutions…………..

19

Examples of Voting

• 1oo1 – No voting, stands for One out of One

• 1oo1HS – 1 out of 1 Hot Swap mode, detect fail, switch to stand-by solenoid – essentially detected parallel arrangement.

• 1oo2 – One solenoid can fail open, one returns to safe, also only one can fail closed – Spurious Trip prone. Series arrangement.

• 2oo2 – Both solenoids must de-energize to shut-down, most reliable but most hazardous, barely SIL1. Parallel arrangement.

• 2oo3 – 2 of 3 solenoids must fail dangerously for a PFD event to occur – also 2 of 3 must fail safe (closed, coil burn-out) to cause a spurious event

• XooYD – Any voting technique that uses detection methods for the failure mechanisms

20

From Triconex Corporation – “Solenoid Configurations: Selecting the Best Architecture for Your Application”, By Dr. Angela Summers and Bryan Zachary

21

2oo2 and 2oo3 Excels at MTTF Spurious

From Triconex Corporation – “Solenoid Configurations: Selecting the Best Architecture for Your Application”, By Dr. Angela Summers and Bryan Zachary

22

Why 2oo3 is Not a Higher SIL than 1oo2?

• Because there are more components TO fail, even though it can withstand one of them doing so.

• This essentially makes them on equal safety footing from a “Fail Hazardous” stand point.

• Again – 2oo3 is Ten Times the MTTFSP – 77 vs. 7.5 Yrs –

• 2oo3 is Ten Times the Process Availability of 1oo2

23

How Does Detecting Failures Help?

• Detecting failures helps improve both PFD and Spurious Trip results across the board for all voting techniques.

• Voting and detecting techniques are also relevant and help to achieve a higher SIL when used with Transmitters and other Input Devices.

• It assumes you actually DO Something about it!

24

There are Significant DifferencesBetween Voting Implementation Methods

• Electrical Based Methods

• Pneumatic Based Methods

25

Electrical Based Methods

• Uses PLC or Relay Logic to implement voting scheme.

• Requires P/I for detection of faults.

• Requires I/P to implement logic – IF fault, THEN action type arrangement.

• Susceptible to electrical common cause failures.

• Must consider the pressure switch as failure mechanism of the logic. This requires expensive robust components to make the system reliable.

• Susceptible to operator tampering of logic program.

• Integration of many components from many manufacturers requires use of cabinet based system to protect wiring and non IP 65 rated components.

26

Pneumatic Logic Based Systems

• Logic and Motive force for the actuator are the same medium. Does not require I/P or P/I for logic to function.

• In modern systems, logic is “burned in” to solid circuit path. Not susceptible to user tampering.

• Logic still functions regardless of common electrical faults.

• Only uses pressure switches for monitoring state, not state activation so less expensive solutions can be used.

• Requires the logical elements to be Monday Morning Effect Free.

• If they are not MME free then they are LESS reliable than electrical based logic solvers.

27

Pneumatic based logic systems arebased on six principles that make themmore reliable than electrical based ones• Use of Monday Morning Effect FREE patented tadpole seals for logical

elements provides reliable motion after YEARS of spool immobilization.

• The solenoid seals and other mechanical parts benefit from PST in the same way the actuator does.

• The capacity to store energy for the circuit locally by an inexpensive mass storage means prevents against plant-wide instrument air loss.

• Lack of detection requirement means the logic can be implemented without increasing the I/O count of the SIS or DCS.

• Pneumatic systems allow for hot-swappable and redundant electrical I/O elements WITHOUT affecting the logic solving capability.

• Pneumatic systems allow for hot-swappable and redundant pneumatic I/O elements WITHOUT affecting the logic solving capability.

28

What Does it All Mean?

• The Final Element is made up of the PCV, the Actuator and the Solenoid – and in some cases a Proportional Position Controller and Feedback

– PST is required to increase availability of the PCV and the Actuator

– Voting with or without Detection is required to increase the availability for the Solenoid

– Voting or a SIL rated Transmitter should be used for the inputs

– Because of the failure mechanisms – there is NO SUCH THING as a SIL rated individual solenoid, and there probably never will be.

– Pneumatic based logic voting systems are capable of a higher availability than electrical based ones with less complexity andcost.

29

O.K. Who Has Voting Solenoids and How Can I Use Them With the PST Devices Available?

• Triconex has an electrical based 2oo3D Solenoid System

• Festo has a pneumatic based 2oo3, 2oo3D Solenoid System both Hot-Swap Repair

• ASCO has an electrical based 2oo2D and 1oo1HS Solenoid System

• A talented systems designer could develop a custom voting system for their own needs.

• Other companies may offer a similar product.

• Is 2oo3D better than 2oo2D or 1oo1HS for SIL and Availability?

• Well, Yes, of Course it is!

30

Preferred PST Device and Solenoid Voting System Integration Method

31

Possible PST Device and Solenoid Voting System Integration Method

32

Hey! What about my BPCS and MachineSafety Needs, I want the UPTIME and Safety too

• It is probably too expensive to use High Availability solenoids on all process valves, and definitely so for all machine functions

• Selected Process valves can be driven with High Availability Solenoids that use Voting techniques– No Detection generally required because no SIL required– This reduces Voting cost and/or does not increase PCS input count.

• Which ones??– Batch process change-over valves, purge, chamber cleans– Any valves installed by the end-user to integrate skid mounted

equipment provided by a wide variety of OEMs where a failure needs to be contained from contaminating the entire batch

• Critical machine functions can be pneumatically interlocked for Safety reasons.

• Critical machine functions can be backed up with many simple OR function blocks increasing uptime and increasing MTBR

33

Added Benefits Available to the BPCS

• Festo High Availability System can use the following Fieldbus technologies Interchangeably in place of discrete control:

– DeviceNet - Interbus– Profibus DP - Honeywell SDS– CANopen - AS-Interface

• The Festo System’s IP65 rating allows it to be mounted directly to the actuator it controls with minimal space impact. This allows easy retrofit – No cabinet needed.

• ASCO and Triconex cabinet based systems meet the protection class of the cabinet and may vary. They install anywhere a 24”x24” cabinet will fit.

• ASCO and Triconex may or may not offer a Fieldbus technology. There is nothing preventing that implementation – it is based on the offerings of the third party PLC used.

• Without Detection or On-line testing Festo is still 2oo3 Voting level of availability through pneumatic logic ALONE and would not add to the PCS input list.

• Without External Detection ASCO and Triconex would internally detect and use internal electrical control – Adding to the failure mechanisms, but they would also not add to the PCS input list.

34

Pneumatic based High Availability PneumaticsOffers An Order of Magnitude Above The Rest!

100Greater than 99.99% UPTIME with Zero Process Interruption – High SIL 3

0% BYPASS of the Safety Function During Repair – Can be performed while the process is RUNNING.

A Single Integrated Component – Mounts Directly to Actuator, No Bulky Cabinet to protect sensitive electronics.

Single Fault Tolerant, Detected for Process Enable (1oo2D)

Remote Automatic On-Line Testing - 2oo2D With Demand Sense Test Disable and “Test Active”Verification

DUAL FAULT TOLERANT for Emergency Shut-Down Mode – Twice 2oo3D!

– TWO Independent Pairs of 2oo2D Process Fail-Safe Loops (DTT) EACH Disable the Enable Solenoids Regardless of Their State!

– BOTH 2oo2D Shutdown Loops Must Fail and THEN an Enable Solenoid Must Remain Stuck ON for the ESV to Remain Open

Pneumatic Logic is an Amazing ORDER OF MAGNITUDE Higher Fail-Safe than Electrical logic

% Hot-Swappable for Solenoids and Pressure Switches

35

QUESTIONS?

Thank you for attending

High Availability Pneumatics

Automation West 2006