Dear colleagues

There is so much to celebrate this week – Christmas, Hanukkah, Kwanzaa, Solstice or simply the imminent New Year. We, at IDC, would like to wish you everything of the best for the remainder of this year. We hope you find some time for a well-earned break before a prosperous 2010. (My wife and I kicked off the holiday season amongst the vines and alongside the surf in the south western corner of Western Australia - where the Great Southern and Indian Oceans meet).

I am very grateful for your wonderful support over the past four years. We now have 120,000 engineers and technicians throughout the world receiving this newsletter. 

Here is one last, but brief comment for 2009, on a sometimes vexing, but very interesting topic.
Energize to Trip

Being from a traditional industrial automation background, I have always believed that de-energize to trip is the name of the game. One only needs to think of the emergency stop push button for a motor. The idea is that if the emergency push button is pressed or the associated control cable is broken, then the motor will be de-energized. No “ifs or buts”. Zero power! And thus safe!

But our Safety Controls guru (read his many books and articles), Dave Macdonald, gently chided me on Friday on the topic of de-energize to trip. His discussion below outlines another important option. From a simply intuitive point of view, as he pointed out patiently, when there is a failure, de-energize to trip is certainly not an option for a Jumbo 747, with 500 passengers on-board, 32,000 feet up in the sky.

Why, then, do we bother to learn about de-energize or energize to trip? Knowing the difference between them and their applications is vital, however, particularly with technology changes and the importance of keeping up with current best practice in the engineering world. So read on. What follows is a tight little tutorial which Dave has written with some vigour:

Safety instrumented systems protect a vast range of processes and machines against hazardous conditions. They perform safety instrumented functions (SIFs) intended to bring the operations to a safe state. The traditional and well proven approach to designing the circuits and device arrangements for any SIF is to adopt inherently fail-safe design principles which lead to a predominance of “safe failure” modes over the undesirable “dangerous failure” modes.

The principle of “de-energize to trip” (or DTT) ensures that for most devices the loss of circuit integrity through wire breaks or dry contacts or the loss of motive power in actuators should lead to the “safe state” of the process as soon as the fault occurs, even though the process itself was not in a hazardous condition at the time. For example, if you break the connection to a solenoid valve on an air-to-open spring loaded shut off valve it will snap shut; annoying the boss, but not risking any lives! These “spurious trips” are accepted as the price of fail-safe design unless the hazards or the financial losses created by spurious trips exceed the benefits to safety integrity. Then most designers will resort to redundancy for availability (“2 out of 2” or “2 out of 3” voting) if costs are justified for the application.

However, there are some cases where DTT principles are difficult to implement or justify. Energize-to-trip or ETT principles may then be more appropriate, despite their apparent risk of failure due to undetected circuit breaks or power failures. Fire and gas protection systems on offshore installations or in public buildings are one example where circuit breaks would lead to sudden deluges that would be just as hazardous as a fire. Situations where large numbers of Emergency Stops are used, such as for aircraft refueling points, may also justify ETT techniques because of the risk of frequent circuit breakages in the field, resulting in too many spurious trips.

Energize to trip is not as silly as it may seem because in modern SIS practice the two biggest drawbacks of ETT can be easily overcome. Line monitoring by low-power pulsing allows for continuous detection of circuit continuity on both input and output channels - giving alarm and response actions as soon as circuit failure occurs. No-break power systems have greater capacity than ever before and an important point to note about ETT systems is that they consume far less power if the inputs and outputs are de-energized most of the time. Hence battery back-up duration is greatly extended over continuously energized DTT designs; another reason for their use in fire and gas systems.

No-one would expect to build a relay-based logic solver stage on ETT principles, but this issue falls away as the majority of SIS logic solvers are now based on safety-certified PLCs which in turn bring greater diagnostic capabilities for sensing malfunctions and circuit breaks in the input and output field devices. IEC standard 61511 (Functional safety – Safety instrumented systems for the process industry sector) does not preclude the use of ETT principles where the user decides that this is justified, but does not offer any significant advice on the subject.

The technical obstacles to using ETT methods, therefore, have fallen away, but the basic principle of simplicity dictates that DTT principles are always going to be the first choice until a practical obstacle or a severe cost penalty arises.
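The trade-off described in the tutorial above can be checked with a small model. This is an added example, not part of Dave Macdonald's article or of this newsletter: it models a single output loop and classifies what a wire break or power loss does under DTT and ETT, with and without line monitoring and a no-break supply. The function names, the fault labels and the "alarmed"/"hidden" wording are assumptions made for the illustration.

```python
# Added illustration: toy model of one SIF output loop (constructed, not from the article).
from itertools import product

def coil_energized(design, demand, fault):
    """The coil is powered only if the logic commands it AND the loop is healthy."""
    # DTT holds the coil in during normal running; ETT powers it only on demand.
    commanded = (not demand) if design == "DTT" else demand
    return commanded and fault is None

def tripped(design, demand, fault):
    """DTT trips when the coil drops out; ETT trips when the coil pulls in."""
    energized = coil_energized(design, demand, fault)
    return (not energized) if design == "DTT" else energized

def classify(design, fault, line_monitoring=False, ups=False):
    """Classify the effect of one loop fault on the safety function."""
    if fault == "power_loss" and ups:
        fault = None  # assumption: the no-break supply rides through the outage
    if fault is None:
        return "healthy"
    if tripped(design, demand=False, fault=fault):
        # The loop trips although the process is not hazardous.
        return "safe failure (spurious trip)"
    if not tripped(design, demand=True, fault=fault):
        # The loop cannot trip when the process needs it.
        # Assumption: pulsed line monitoring alarms wire breaks only;
        # supply monitoring is outside this model.
        detected = line_monitoring and fault == "wire_break"
        return "dangerous failure, " + ("alarmed" if detected else "hidden")
    return "no effect"

def fault_table():
    """Every combination of design, fault and mitigation, mapped to its outcome."""
    combos = product(("DTT", "ETT"), ("wire_break", "power_loss"),
                     (False, True), (False, True))
    return {c: classify(c[0], c[1], line_monitoring=c[2], ups=c[3]) for c in combos}

if __name__ == "__main__":
    for (design, fault, lm, ups), outcome in fault_table().items():
        print(f"{design} {fault:<10} line_monitoring={lm!s:<5} ups={ups!s:<5} -> {outcome}")
```
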

Thanks very much, Dave, for an excellent article. Most appreciated. Any feedback will be published.

Preferably not, but as John Galbraith, the famous economist, remarked ruefully:

“If all else fails, immortality can always be assured by spectacular error”.

Yours in engineering learning