One topic in the process industries is known by various names: Fail Safe, ETT, DTT, Deenergize-to-Trip, and Energize-to-Trip. These terms refer to different ways of physically moving a final element in a Safety Instrumented System to its safe state. The concept applies to sensor subsystems as well as final element subsystems.
The process industries generally prefer a Deenergize-to-Trip system, which means that when power is removed, the final element will move to its safe state using a safe stored energy mechanism, such as a spring. The signal energy, e.g., pneumatic air pressure, is used to maintain the normal process condition, and cutting off the power triggers the spring action, bringing the process to a safe state.
While Deenergize-to-Trip is the most common and preferred approach, it’s essential to consider other factors. Energize-to-Trip systems, where the Safety Instrumented System (SIS) power drives the final element into the safe condition, can be suitable in certain situations, particularly when nuisance shutdowns can be detrimental.
Register for this webinar on Wednesday, 27 Sept 2023, 10:00 am EDT (UTC-4:00) at the bottom of the page.
It’s important to note that in IEC 61511 “Energize” and “Deenergize” imply electricity, but they encompass any motive force used to drive SIS subsystems, such as electrical, electronic, pneumatic, or hydraulic systems.
Regarding the Safety Requirement Specifications (SRS), clause ten states that you must document, for each SIS device, whether it is Energize-to-Trip or Deenergize-to-Trip and the requirements that follow from that choice.
While IEC 61511 allows Energize-to-Trip systems, the requirements in 11.2.11 contain three essential attributes we look for in Energize-to-Trip systems.
- **Alarm upon Loss of Power**: Detecting loss of power depends on the type of system. For electronic or electrical signals, voltage measurement suffices. In pneumatics or hydraulics, you can use pressure switches or transmitters to measure power sources and trigger an associated alarm. Typically, these alarms are directed to the basic process control system, and the response is to send maintenance to fix the issue. However, when receiving such an alarm, you must once again consider compensating measures as per 11.3 and ensure proper documentation.
- **Circuit Integrity Detection**: This attribute can be challenging unless your PLC has built-in circuit integrity monitoring. In this case, configuring the system through the maintenance and engineering interface is straightforward. If not, you can add devices to inject and detect current in the line to verify circuit continuity. However, this approach may cause compatibility issues and requires careful design.
- **Alternate or Backup Power Supply**: Though it is no longer a strict requirement as of the 2016 version of IEC 61511, it’s recommended to have an alternate power supply. For electrical systems, this might involve a spare power supply system or a separate electrical feed for the SIS. Pneumatic or hydraulic systems might incorporate a spare compressor or a volume bottle for additional air or fluid. While not mandatory, the standard advises implementing backup power supplies for added safety.
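The first two attributes can be combined in one diagnostic routine. The sketch below is an added example, not code from this article or from IEC 61511: it classifies each scan of an untripped Energize-to-Trip output from its supply voltage and line-monitoring current, then debounces the result before raising an alarm. The names, thresholds, and scan data are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum

class Diag(Enum):
    HEALTHY = "healthy"
    LOSS_OF_POWER = "loss_of_power"
    OPEN_CIRCUIT = "open_circuit"
    SHORT_CIRCUIT = "short_circuit"

@dataclass(frozen=True)
class Limits:
    # Constructed values; real limits come from device data sheets and the SRS.
    min_supply_v: float = 21.6    # 24 V DC nominal minus 10 %
    min_monitor_ma: float = 0.5   # less test current than this: loop is open
    max_monitor_ma: float = 5.0   # more than this without a trip demand: short
    debounce_scans: int = 3       # consecutive scans before a state is accepted

def classify(supply_v, monitor_ma, lim=Limits()):
    """Classify one scan of an untripped ETT output."""
    # Check power first: with no supply the test current is also zero, and
    # reporting that as a wiring fault would send maintenance to the wrong place.
    if supply_v < lim.min_supply_v:
        return Diag.LOSS_OF_POWER
    if monitor_ma < lim.min_monitor_ma:
        return Diag.OPEN_CIRCUIT
    if monitor_ma > lim.max_monitor_ma:
        return Diag.SHORT_CIRCUIT
    return Diag.HEALTHY

def monitor(scans, lim=Limits()):
    """Return [(scan_index, Diag)] for each debounced fault alarm raised."""
    alarms, current, count, latched = [], Diag.HEALTHY, 0, Diag.HEALTHY
    for i, (supply_v, monitor_ma) in enumerate(scans):
        state = classify(supply_v, monitor_ma, lim)
        current, count = (current, count + 1) if state == current else (state, 1)
        if count >= lim.debounce_scans and current != latched:
            latched = current
            if current is not Diag.HEALTHY:
                alarms.append((i, current))  # would be annunciated on the BPCS
    return alarms

# Constructed scans of (supply volts, monitor mA): one glitch, an open loop,
# recovery, then loss of supply.
SCANS = ([(24.0, 1.2)] * 4 + [(24.0, 0.0)] + [(24.0, 1.2)] * 2 + [(24.0, 0.0)] * 3
         + [(24.0, 1.2)] * 3 + [(12.0, 0.0)] * 3)

if __name__ == "__main__":
    for index, diag in monitor(SCANS):
        print(f"scan {index}: ALARM {diag.value}")
```

The single-scan glitch is suppressed by the debounce, and the final fault is reported as loss of power, not as an open circuit, even though the monitoring current is zero in both cases.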
Remember that ensuring the success of Energize-to-Trip systems involves meeting these key attributes and complying with the relevant standards and requirements. Proper implementation and documentation are critical to maintaining a robust and reliable Safety Instrumented System.