Process industries are increasingly reliant on instrumentation. Instrumentation used in process control maintains product quality, reduces operating costs and helps to maximize production output by delivering instantaneous and highly accurate readings for adjustment of process parameters. Instrumentation also plays a vital role in ensuring that plants remain safe and meet environmental regulations.
When instrumentation fails, the results can be disastrous. The BP Texas City Refinery explosion, which killed 15 workers, injured more than 170 others and cost BP billions in damages, was in large part caused by a failure of the instrument control and protection systems.
So is RCM the best place to analyze instrumentation assets to improve safety and reliability? The uncertainty over this question has led some to remove the instrumentation assets from RCM analysis entirely and develop new methods such as IPF (Instrument Protected Functions). This may seem like a neat & tidy solution to the problem but it can also result in an RCM analysis detached from the process. Our experience has been that instrumentation is as much a part of RCM analysis as rotating equipment and should most definitely be included in the analysis. The question remains then, how should instrumentation be treated in RCM2? Let’s review the elements of the RCM2 process when applied to instruments.
Functions & Functional Failures:
The functional analysis of RCM2 is ideally suited to instrumentation. Each instrument serves a specific purpose and this can be defined in a function statement. Instrumentation typically falls into three functional categories: Process control, protection and indication.
The first category covers process control functions. These may be described as separate function statements or may be embedded within another function as failure modes. For example, the function to supply not less than 100 l/min of water to the process may include failure modes relating to the pump but also the process control device that regulates the pump output. If the facilitator had used a separate function statement to define the control device, this would also be technically correct. In both cases the instrument failure modes must be described and must cause the associated functional failure.
The second category covers instruments providing a protective function. These should be given their own function statements; otherwise the function of a protective device that is not fail-safe could be missed and its failure not managed properly. This could lead to dire consequences.
The third category of instrumentation function is indication. When the indication is used as input for further action, the indication function should be treated with care. In some cases indicators may perform very essential functions such as enabling the operator to check an oil level or make process adjustments and these should be defined. If however the function is clearly for local indication purposes only, it may be preferable to develop a single function statement to capture all the indicators within that category. For example: to provide accurate local pressure indication.
Failure Modes & Effects:
When it comes to instruments, one thing is certain. There is normally more than one. In fact in a typical process plant there are thousands of instruments. Thankfully the number of instrument types is normally limited to a few manufacturers and models. This makes instrumentation an ideal candidate for templating. Spending time with the instrumentation department to identify the types of instruments they use and developing some failure mode templates is an excellent investment that will save considerable time during the analysis.
The failure effects (at least at the instrument level – not the process) can be included in the template. Defining the local effects of the failure mode may reveal that some failure modes are candidates for proactive maintenance while others are not, allowing an accelerated task selection process. The usual RCM2 guidelines about level of analysis and black boxing apply here so care is needed when developing the templates to get the level right. The RCM2 analysis software tool also makes a huge difference. We prefer to use the Ivara EXP Enterprise software for analysis because of its excellent smart templating capabilities.
Consequence & Task Selection:
Provided the failure effects have been described correctly, there should be little difficulty in assigning the correct consequence category to the failure mode. Complexity arises with the task evaluation and selection process. The most common types of task applied to instruments are as follows:
- Monitoring process parameters – Condition Monitoring
- Calibration (injecting an input signal and measuring the output signal) – Scheduled Restoration
- Function test – Failure finding
Monitoring Process Parameters
In some cases it may be possible to check the accuracy of instruments by monitoring the process parameters. Deviations in process outputs may be symptoms of problems with the instrument in the control loop. It is also not uncommon to have multiple instruments reading the same value. One might be part of the control loop while the other is for DCS indication. The challenge is to have in place a system like Ivara EXP which can pick up readings from process historians and automate the trending and alarms to provide timely warning to the technician of calibration problems.
All instruments require calibration, either as a corrective task (when in the failed state) or as a scheduled restoration task. Most process plants have thousands of instruments and managing the calibration work load is a monumental undertaking. The simplest course of action is to set a fixed schedule for calibration of instruments, but this can result in an inflated work load and fails to address problem devices which can fail before the next scheduled calibration. An alternative approach is to develop instrument prioritisation criteria, with those deemed critical enough receiving regular checks and those deemed less critical calibrated less frequently or not at all. Saying that an instrument is more or less critical does not mean that it’s going to fail more or less frequently and so both approaches are sub-optimal.
RCM2 tells us that for calibration to be technically feasible there must be an age at which there is a rapid increase in the conditional probability of failure. The first question is what do we mean by failure? The second question is what is this age? The RCM2 functional failure defines the failed state, but what is the corresponding calibration drift that equates to the failed state? An experienced technician may be able to define the allowable drift for an instrument but many will defer to organizational or other standard tolerance limits. In the absence of any other inputs this is typically what is used.
The second question asks: what is the age? Calibration drift occurs over time. How long it takes to get to the failed state is normally unknown as many external factors can affect the rate of drift and these vary from instrument to instrument. Most manufacturers now provide technical specifications that include details on what the maximum drift of a sensor should be over a given time period. This is not ideal but may be the only information available.
With the failed state and the rate of drift defined from standards, the calibration frequency determined for every instrument of a given type will end up being identical. This clearly falls short of the optimized calibration frequency we are aiming for. The way forward is to trend calibration results so that over time the calibration frequencies can be adjusted based on the reliability of each device. Sensors that are found to be highly stable need not be re-calibrated as often as sensors that tend to drift. Reaching this conclusion requires collection and analysis of large quantities of calibration data, and specialist software tools such as Ivara EXP will be needed to enable this process.
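One way to trend as-found calibration results into a per-device interval, as an added example that is not part of the original article and not how Ivara EXP works. It assumes drift grows linearly with time in service; the tag names, tolerance, margin and interval limits are constructed for illustration.

```python
from statistics import mean, stdev
from typing import NamedTuple

class CalRecord(NamedTuple):
    days_since_last_cal: float  # time in service since the previous calibration
    as_found_error_pct: float   # signed as-found error in % of span, before adjustment

def recommend_interval(history, tolerance_pct, current_days,
                       margin=0.8, min_days=30, max_days=730):
    """Return (recommended interval in days, as-found results outside tolerance)."""
    failures = sum(abs(r.as_found_error_pct) > tolerance_pct for r in history)
    if len(history) < 3:
        return current_days, failures  # too few results to trend: keep the schedule
    # Drift rate seen at each calibration, assuming drift grows linearly with time.
    rates = [abs(r.as_found_error_pct) / r.days_since_last_cal for r in history]
    upper_rate = mean(rates) + 2 * stdev(rates)  # pessimistic rate, % of span per day
    if upper_rate == 0:
        return max_days, failures
    days = margin * tolerance_pct / upper_rate  # time to use up `margin` of the tolerance
    return int(round(min(max(days, min_days), max_days))), failures

# Constructed calibration histories for two hypothetical tags (not plant data).
HISTORIES = {
    "PT-101": [CalRecord(365, 0.05), CalRecord(365, -0.08),
               CalRecord(365, 0.06), CalRecord(365, 0.07)],
    "FT-205": [CalRecord(365, 0.42), CalRecord(365, 0.55),
               CalRecord(365, 0.48), CalRecord(365, 0.61)],
}

def review(histories, tolerance_pct=0.5, current_days=365):
    """Apply the same tolerance to every tag and return {tag: (days, failures)}."""
    return {tag: recommend_interval(h, tolerance_pct, current_days)
            for tag, h in histories.items()}

if __name__ == "__main__":
    for tag, (days, failures) in review(HISTORIES).items():
        print(f"{tag}: calibrate every {days} days, "
              f"{failures} result(s) found out of tolerance")
```

With the same tolerance and the same yearly schedule, the stable transmitter is pushed out to the maximum interval while the drifting one is pulled in to roughly seven months, and its two out-of-tolerance results are counted as functional failures found at calibration.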
Function Tests are failure finding tasks that are unique to protective devices exhibiting hidden failure consequences. Defining an appropriate task to test a hidden function is not difficult but determining the optimal failure finding frequency requires calculation. Accessing reliable MTBF data and targets for unavailability can be problematic.
One of the recent developments in the field of instrumentation is the introduction of the Safety Integrity Level (SIL). SIL is defined as a relative level of risk-reduction provided by a safety function, or to specify a target level of risk reduction. In RCM2 terminology the SIL level is a measurement of desired unavailability for a Safety Instrumented Function (SIF).
IEC61508 gives the following SIL categories:
The probability of failure on demand (PFD) equates to the FFI “unavailability” figure, and can therefore be used with Mtive to calculate the required failure-finding interval. Most instrument manufacturers now publish failure data for their equipment to comply with SIL standards. Mtive data is available from the SIL data sheets.
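The calculation described above, as an added example that is not from the original article. It assumes a single protective device with a constant failure rate of 1/Mtive that is restored at each test, and uses the single-device relation FFI = 2 × unavailability × Mtive, which the text does not spell out; the target unavailability and Mtive values are constructed, not taken from a SIL table or data sheet.

```python
import math

def avg_unavailability(interval, mtive):
    """Average fraction of time the device is in a failed state when it is
    function-tested every `interval` (same time unit as `mtive`)."""
    x = interval / mtive
    if x == 0:
        return 0.0
    # 1 - (1 - exp(-x)) / x, written with expm1 for accuracy at small x.
    return 1.0 + math.expm1(-x) / x

def ffi_linear(target_unavailability, mtive):
    """Linear approximation: FFI = 2 x unavailability x Mtive."""
    return 2.0 * target_unavailability * mtive

def ffi_exact(target_unavailability, mtive, rel_tol=1e-9):
    """Longest test interval whose average unavailability meets the target,
    found by bisection on the exponential model."""
    if not 0.0 < target_unavailability < 1.0:
        raise ValueError("target unavailability must be between 0 and 1")
    lo, hi = 0.0, mtive
    while avg_unavailability(hi, mtive) < target_unavailability:
        hi *= 2.0  # widen the bracket until it contains the answer
    while hi - lo > rel_tol * mtive:
        mid = (lo + hi) / 2.0
        if avg_unavailability(mid, mtive) < target_unavailability:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0

def compare(target_unavailability, mtive):
    """Return (linear FFI, exact FFI, unavailability achieved at the linear FFI)."""
    linear = ffi_linear(target_unavailability, mtive)
    exact = ffi_exact(target_unavailability, mtive)
    return linear, exact, avg_unavailability(linear, mtive)

if __name__ == "__main__":
    # Constructed inputs: target PFD of 0.01 and an Mtive of 50 years.
    linear, exact, achieved = compare(0.01, 50.0)
    print(f"linear FFI {linear:.3f} y, exact FFI {exact:.3f} y, "
          f"unavailability at linear FFI {achieved:.5f}")
```

The linear figure is always slightly shorter than the exact one, so using it errs on the safe side; the gap only becomes noticeable when the target unavailability is large.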
The RCM2 method provides a systematic and rigorous treatment of instrumentation, allowing for full definition of the maintenance requirements. The new standards associated with Safety Integrity Levels in no way detract from the RCM2 process and are in fact complementary to it.
Process industries' heavy reliance on instrumentation naturally leads to a staggering volume of instrument maintenance plans, which can be difficult to manage, and challenges remain in the area of task frequency optimization and performance monitoring. A technology enabler like Ivara EXP is essential for implementation and optimization of calibration plans and to facilitate advanced condition monitoring of instrument performance.