- 20

06 1
0 6



TM

10year

Y
N

R
N
I V A
E R S

A supplement to PLANT
ControlENGINEERING
Engineering
and Control Engineering magazines
PLANT ENGINEERING magazines
 ✓
GET IT DONE
for less...

...with Do more ®

Power at an affordable price.

The Do-more H2 series PLCs combine our industry-
proven I/O hardware with a next-generation controller  FREE software - with simulator!
to provide exceptional power and performance at a
great price. The popular H2-DM1E CPU, available for
 FREE 30 days online training
$399, comes with:  FREE technical support
• (1) USB port for programming, (1) full-duplex serial port,  FREE shipping (orders over $49)
(1) Ethernet port
• Several communication protocols including Modbus RTU,
ASCII, Modbus TCP and EtherNet/IP
• Over 1M bytes total memory Get more than you paid for
(includes program, data and documentation)
www.automationdirect.com/Do-more-PLCs
• Support for up to 256 I/O in one base, and thousands more
with optional Ethernet-connected I/O
• Powerful instruction set featuring easy-to-configure math,
trending and motion

orePLC
o-m s
1
D

Made in

YEAR USA

Order Today, Ships Today!

* See our Web site for details and restrictions. © Copyright 2015 AutomationDirect, Cumming, GA USA. All rights reserved. 1-800-633-0405 the #1 value in automation
 Low-cost Linear Motion
Actuator assemblies, sliding components and accessories

NEW! SureMotion® Linear Slides and Actuators

Get reliable linear motion components at low prices with the award-winning
customer service and support you expect from AutomationDirect! Our new line
of linear motion products is designed to provide smooth, precise and durable
linear actuation. With supreme versatility and low maintenance, these affordable,
motor-ready actuators can meet both your linear motion and budget requirements.

NEW!

Starting at: Starting at: Starting at:

$789.00 $1,129.00 $2,399.00
LAVL-60T06LP2 LACP-16T06LP5 LARSD2-08T12BP2C

Value Line Linear Actuator Compact Linear Actuator Twin Round Shaft Actuator
Low-cost, versatile linear slide Self-contained linear slide actuator Continuously-supported round
actuator with hard-coated designed for light loads in harsh rail slide with ball screw actuation
aluminum guide shafts. Unit or wet conditions in a very small provides a very robust precision
can be mounted horizontally, package. linear motion.
vertically, or inverted without
• Compact design • High-accuracy ball screw
loss of load capacity.
• Stainless steel lead screw • Continuously-supported guide rails
• Max load capacity: 110 lb
• Max load capacity: 125 lb • Max load capacity: 920 lb
• Max speed: 15 in/sec
• Max speed: 20 in/sec • Max speed: 6 in/sec
• Travel: 6, 12, 18, 24 inches
• Travel: 6, 12, 24, 36 inches • Travel: 12, 24 inches
• Ready for NEMA 17 motor
• Ready for NEMA 17 motor • Ready for NEMA 23 motor

Linear Slide Components

Round-shaft sliding elements can be
combined with other elements to build
a huge variety of machine mechanisms.
Available in both continuously- and
end-supported shafts. Research, price, buy at:
• Linear ball bearings
www.automationdirect.com/
• High-quality clear anodized
aluminum blocks motion-control
Starting at: • Carbon-steel shafts
$269.00
LARSA1-08L12C

Extensive Video Series

on Linear Motion:
http://go2adc.com/lm

Order Today, Ships Today!

* See our Web site for details and restrictions. © Copyright 2016 AutomationDirect, Cumming, GA USA. All rights reserved. 1-800-633-0405 the #1 value in automation
 }
1. Developing ideas
2. Drafting concepts
3. Implementing solutions More freedom and space for your ideas.

4. Manufacturing machines
5. Ensuring productivity

With increasing engineering tasks and ever shorter time frames, it’s
good to know you have a drive and automation specialist at your side
who can make many of these tasks easy for you. We work with you
through the entire development process of your machine – from initial
ideas all the way to after-sales, from the control system all the way to
the drive shaft. Come discover the future of engineering with us, and
you will find more freedom to explore what really counts – your ideas.
To learn more, visit www.Lenze.com or come see us at:
PACK EXPO in Chicago, November 6-9, 2016 at Booth N-5125 As easy as that.
Contents
A6 Wireless remote monitoring improves
performance, reliability
Wireless monitoring is helping users solve problems by integrating
new and existing technologies across a common infrastructure to
get data into the hands of those who need it—securely.

A12 Creating SIF validation procedures A6

Implementing safety system validation as part of the safety lifecycle
is defined by IEC 61511 and ANSI/ISA-S84.01. Here’s how it’s done.

A19 Taking advantage of VFD software

Although VFD manufacturers have made many advances in terms of
ease of use, some users still find programming and monitoring with a
2-inch display tedious. This is where VFD programming and monitoring
software comes into play.

A19
C OMMENT
Of wireless technology, process safety, and VFD software

S
ince the early 2000s, wireless technology
has been working its way into industrial
facilities. And during the last decade, the
use of industrial wireless sensor networks
has been growing rapidly in the process indus-
tries, which is the topic of the cover story
in this issue of AppliedAutomation.
06
0 6
According to the author, “Many
2
procedures. He writes, “The validation process
puts the SIF under a microscope, dissects it, and
looks for all the ways in which it could fail. Each
of those possibilities must be examined and
tested, one by one, element by element. Proof
tests are conducted at prescribed intervals
- 20 to detect undetected dangerous failures
1
that could prevent the SIF from

Jack Smith



users across these industries TM

Editor have found that wireless moni-
toring technologies provide new
ways to improve the performance
A
working in the future.”
Most articles about variable
frequency drives (VFDs) talk
10year about efficiency and how to get

N
R
N

and reliability of their operations.” I V

E R S
I would be remiss in mentioning
process automation without touching on
process safety, which brings me to the second
feature in this issue. The distinction between a
safety integrated system (SIS) and safety inte-
grated functions (SIFs) is that SIFs perform spe-
cific system functions within the SIS. The author
explains the process for creating SIF validation
A the most from motion control technolo-
gy. The third article in this issue looks at
VFDs from another aspect: software. Making
changes to drives, especially when there are
multiple units to configure, can be simplified by
entering parameters, such as acceleration and
deceleration, only once. In addition, VFD speed,
current, and voltage can be monitored remotely
via a network.

ON THE COVER New types of measurement devices, such as acoustic monitors, allows companies to identify the source and quantity of material being
sent to flares. Courtesy: Emerson Process Management

Applied Automation October 2016 • A5

 C o v e r s t o ry
Wireless remote monitoring
improves performance, reliability
Wireless monitoring is helping users solve problems by integrating new and
existing technologies across a common infrastructure to get data into the hands
of those who need it—securely.
Mike Boudreaux
Emerson Process Management
T
he use of industrial wireless sensor networks
has been growing rapidly in the process indus-
tries during the past decade. During this time,
many stories have been told of successful
implementations in process, reliability, and
energy industries as well as in health, safety,
security, and environmental monitoring applications. Many
users across these industries have found that wireless
monitoring technologies provide new ways to improve the
performance and reliability of their operations.
Figure 1: Once difficult and expensive to monitor, wireless sensor
technology makes tank farm operations easier by making monitor-
ing more cost-effective and easier to implement. All graphics cour-
tesy: Emerson Process Management
A6 • October 2016 Applied Automation
Measure things that couldn’t
be measured before
The cost of wireless sensing networks is
significantly less than wired infrastructure due
to reduced cost of wiring, cable trays, input/output (I/O)
equipment, and associated design, installation, and main-
tenance labor. This reduced cost makes it possible to
implement new applications that previously weren’t finan-
cially justified. For example, tank farm automation projects
are now possible because of cost savings of up to 70%
from reduced infrastructure, design, and labor required for
installation and commissioning (see Figure 1). Wireless
level, temperature, and pressure measurements can be
installed to monitor the materials stored in these tanks,
improving the capability of operations.
Wireless sensing technologies make it possible to
measure processes that could not be measured before.
New sensors, combined with analytics software are being
applied to applications, such as process emissions, steam
trap health, relief valve status, and equipment corrosion
monitoring. Previously, these applications required manual
inspection using handheld equipment or other manual
techniques. With manual inspection, identifying the source
of process gases that are being sent to a flare can be very
difficult. Now, wireless acoustic monitoring allows compa-
nies to identify the source and quantity of material being
sent to flares (see Figure 2).
An electricity and natural gas utility company imple-
mented a wireless network to enable remote monitoring
of outlet gas pressures from four district regulators. The
company required quick installation and the cost of install-
ing wires was prohibitive. By attaching WirelessHART
interface adapters to existing pressure transmitters, it was
able to replace paper chart recorders with digital informa-
tion displayed on screens in the control room and logged
in the historical database. The entire installation was com-
pleted, tested, and tuned in three days.
WirelessHART networks also can enable access to smart
field device diagnostics that are stranded by legacy sys-
tems. Most legacy control systems don’t have I/O hardware
Figure 2: New types of measurement devices, such as acoustic monitors, allows companies to identify the source and quantity of material
being sent to flares.
that is capable of HART digital communications with smart
field devices. Rich diagnostics and sensor data is trapped
in these smart devices with no way for monitoring systems
to connect to them. Previously, end users have dealt with
this by wiring multiplexers, but this approach is complex
and costly to implement. Instead, WirelessHART networks
enable access to diagnostic information through the use of
wireless transmitters installed on smart devices (see Figure
3). For example, control valve diagnostic information can be
accessed remotely by technicians for online diagnostics and
troubleshooting.
Integrate data across information silos
Wireless data shouldn’t stand by itself.
Integrating wired and wireless data into ana-
lytics and visualization applications increases
users’ ability to do more with the data. Wireless
data can be integrated into control systems, data histo-
rians, and software applications where data from other
sources also are available. Before adding wireless mea-
surements, engineers should take inventory of sensor data
that is already installed and add new points to complement
existing measurements.
When the data is integrated, flexible analytics and visu-
alization platforms enable experts to derive insights and
Integrating wired and wireless data into ana-
lytics and visualization applications increases
users’ ability to do more with the data.
actionable information. Subject matter experts have a
more holistic view of data and can make recommendations
based on their education and experience. Purpose-built
software tools can be used to apply physics principles or
empirical models to deepen the level of analysis.
For example, software with first-principle thermodynamic
models can be integrated with a data historian to detect
equipment performance degradation as an early indica-
tion of mechanical problems. An existing heat exchanger
might have flow and process temperature measure-
ments that are used by for temperature control, but would
require additional temperature and pressure sensors to be
installed for performance monitoring. Existing measure-
ments can be combined with new wireless measurements,
where mechanical gauges are replaced with wireless
transmitters. By expanding the data set to include all of the
available measurements, the thermodynamic models can
be used by experts to more accurately detect problems
and proactively recommend actions to be taken.
Applied Automation October 2016 • A7
 C o v e r s t o ry
Figure 3: Wireless networks make it possible to connect wired and
wireless field devices, making data from multiple device interfaces
accessible to many operating applications.
A8 • October 2016 Applied Automation
Land and expand
Often, when end users want to get started
with wireless monitoring, they are not sure
where to start. One approach is to design an
all-reaching wireless sensing infrastructure that can enable
any monitoring application that one might need—reliability,
energy, safety, environmental, and so on. One may design
a network of wireless gateways with optimal placement for
blanket coverage of operational areas and then layer on
applications where needed. This is a great approach if you
have the capital available and can justify the investment.
Just be sure to choose a standards-based technology that
will support a wide variety of measurements and solutions
that you can integrate into the same infrastructure.
However, this scenario is not very common. Many
operating facilities are capital constrained, and there is
a long list of investment opportunities competing for a
fixed amount of funding. This scenario makes it difficult to
allocate a large amount of capital funds for a facility-wide
wireless infrastructure. A more practical approach is to
identify the most important problem to solve with a clear
return on investment that is easy to quantify. Build the
business case for this investment and install a standards-
based wireless infrastructure that enables this specific
problem to be solved.
Plan the wireless network with an eye on the future
and create a design that can be expanded into other
areas. Networks such as a wireless mesh network can
be expanded easily by adding new measurements online
while increasing the reliability and performance of the
overall network. By proving the return on investment of
a specific issue and designing a network with expansion
capabilities, one can install the infrastructure that will
support additional wireless monitoring solutions to be
added at a later time.
Leverage expertise wherever
it’s available
Regardless of the size of the facility, you
are not going to be able to staff deep subject
matter expertise for every domain. Experts aren’t always
available to be physically located where you need them,
when you need them. Rather than bearing the cost and
time required to bring an expert to the site, wireless
monitoring enables data to be collected and sent to the
experts—wherever they are located. This enables more
effective use of experts’ time, and can make it more eco-
nomical to retain these domain experts.
Because remote experts cannot be close to the
equipment, they cannot see, smell, touch, or hear
what is going on. For this reason, more sensor-based
measurements are required. Wireless measurements
make it possible to collect enough data so that they
can make informed decisions without being physically
located at the equipment. For example, mechanical
pressure and temperature gauges can be replaced with
Figure 4: With wireless sensing networks, companies can make the most of expertise from third-party service providers without requiring
an onsite visit for remote monitoring and connected services.
wireless measurements so the measurements can be
monitored remotely.
Bigger companies can leverage expertise across
multiple sites, and sometimes they will invest in cen-
tralized centers of excellence where experts can be
co-located for collaboration. This kind of approach is
becoming more common in oil and gas, power genera-
tion, and mining industries.
Even in these centers of excellence, it doesn’t make
sense to develop deep subject matter expertise in all
areas. Instead, companies will choose to focus exper-
tise on process monitoring and critical equipment and
outsource or partner with external service providers for
monitoring in other areas. For example, a power genera-
tion center of excellence might have chemical engineers
focused on performance monitoring and optimization
for turbines and boilers across a fleet of power plants,
and outsource monitoring of less critical machinery and
valves to a service provider. Experts from a machinery
or valve monitoring service provider can analyze the
equipment data to detect early indicators of mechanical
failures, diagnose the problem, and recommend actions
to be taken to slow down failure propagation and to plan
maintenance and repair. Whether onsite at a center of
excellence or an external service provider, these experts
depend on the measurements coming in from the field.
Using wireless networks to deliver deeper visibility into
the plant enables experts to more effectively contribute
to plant performance and reliability.
Reduce security risks
There are several basic options for deploy-
ing wireless sensing networks in industrial
facilities. One option is to integrate wireless
measurements into your control system. This can be
done with wireless networks embedded in the I/O sub-
system by the control system vendor, or external wireless
networks that can be integrated into the control system
via protocols, such as Modbus, OPC, and EtherNet/IP.
This approach is useful when measurements are needed
for operators to better control the process. Because the
networks are integrated into the control system, they
benefit from the same security safeguards used to pro-
tect the overall control system. To protect the wireless
network, choose a technology that has robust security,
including channel-hopping virtual local area networks,
encrypted communications, message authentication,
white listing, and other security controls.
Another option is to install wireless sensor networks that
are separate and independent from the control system.
This approach can simplify the security requirements for
the monitoring network because it is being implemented in
a way that does not introduce connectivity to the control
system. Many applications don’t require control system
integration because the data isn’t used by operators for
control of the process. Instead, wireless sensor data can
be integrated into software running on the IT networks
where engineers and specialists can more easily access
the information. Then, information can be tied to data
Applied Automation October 2016 • A9
 C o v e r s t o ry
Networks such as a wireless mesh network
can be expanded easily by adding new measure-
ments online while increasing the reliability
and performance of the overall network.
historians or stand-alone application software focused on
solutions such as energy management, environmental
monitoring, and regulatory compliance reporting.
For more specialized applications, it is becoming com-
mon for vendors to offer connected services based on
wireless sensing networks. In this case, the wireless
monitoring networks are owned and operated by the ser-
vice provider and the user pays only a monthly service
subscription fee. Vendors provide services based on
drop-in monitoring networks that are owned, installed, and
operated by the service provider (see Figure 4). These are
connected securely through the user’s existing IT network,
or installed with Internet connectivity via a cellular router.
Appropriate security measures are applied by the vendor,
including firewalls, data encryption, and even physical
security to prevent tampering.
Stand-alone wireless networks that are used for only
measurements, such as acoustics, vibration, and tem-
Engineering is personal.
So is the way you use information.
CFE Media delivers a world of knowledge to you.
Personally.
To do your job better each day,
you need a trusted source of information:
CFE Media — Content for Engineers
CFE Media is home to four of the most trusted names in the business:
provides the latest knowledge on
commercial and institutional facility
delivers a wide array of strategies and construction and management.
solutions to help control system designers
Visit www.csemag.com
create a more efficient process.
Visit www.controleng.com
perature, must be secured for availability, integrity, and
confidentiality. However, if these monitoring networks
connect to critical control equipment, such as control
valves, gas analyzers, or flowmeters, the security
needs will be much higher. Even in this case, secu-
rity technologies, such as data diodes can be used
to ensure separation of the monitoring network from
external threats.
Untethering data
In this time of digital transformation, the companies that
use technology in new ways are the ones that gain a com-
petitive advantage. Merely adding measurement points
through wireless monitoring won’t reset users’ expecta-
tions to achieve new business goals. When users begin
strategically using wireless technology to complement
their wired infrastructure to address previously unsolvable
issues, they can start to advance the performance and reli-
ability of their entire operation.
Mike Boudreaux is the director of connected ser-
vices at Emerson Process Management, Round Rock,
Texas. He has a BS in chemical engineering from the
University Houston and an MBA from the Kellogg School
of Management at Northwestern University.
serves engineering professionals in the oil
and gas industry with expert content on
delivers a plant-floor knowledge and
new technology, products and processes.
expertise to help manufacturers operate
smarter, safer and more efficiently.
Visit www.oilandgaseng.com
Visit www.plantengineering.com
 ONE FOR
ALL

Robots, Servos & Drives,

now Controlled by ONE SOFTWARE
Yaskawa introduces Singular ControlTM: robotics,
servo systems and variable speed drives
working together under one software package.
Singular Control uses the same ladder logic
you’ve used for years, allowing you to develop
new automation without the need for a robot
programmer.

Pick, pack and palletize with new programming

power, superior speed and industry-leading
effectiveness, thanks to an innovation that puts
Yaskawa performance and reliability into more
innovative automation designs than ever before.

Visit us in Chicago at
Pack Expo International
Booth S-2179
For more info:
November 6 - November 9
http://budurl.me/YAI949

YASKAWA AMERICA DRIVES & MOTION DIVISION YASKAWA.COM 1-800-YASKAWA

 Process safety
Creating SIF validation procedures
Implementing safety system validation as part of the safety lifecycle is defined
by Iec 61511 and aNsI/Isa-s84.01. Here’s how it’s done.
Scott Hayes, PE
M a v e r i c k Te c h n o l o g i e s
A
process safety system comprises many
individual safety instrumented functions
(SIFs) designed to move a plant or process
unit to a safe state when something goes
wrong. These functions should happen
automatically—following a specific plan—
when an undesired condition arises.
For example, a steam-heated reactor will be equipped
with a pressure sensor able to determine if it has moved
beyond its safe operating range. The SIF will have a trip
point where the controller (the SIF’s logic solver), will do
something specific to remediate the situation. In this case,
it opens a relief valve to keep pressure in the reactor
from going any higher and might cut off steam flow. This
action, or perhaps actions, happen automatically when
the pressure reaches the prescribed setpoint following the
plan designed by safety engineers to avoid any possibil-
ity of the reactor or its associated piping exploding (see
“Designing a SIF”).
While a process is being designed, particularly one
where products are flammable or toxic, safety specialists
study it carefully to determine all the areas where things
could go wrong. For example, what if this valve sticks?
What if the reactor gets too hot? Could this tank overflow?
Then, safety specialists imagine what kinds of havoc or
damage these situations could cause if realized, and the
likelihood of a problem actually developing.
If they believe the consequences of the specific problem
occurring are beyond what the company is willing to risk,
safety specialists design a remedy and create a SIF to
carry it out. In a complex unit, there can be hundreds of
individual SIFs. The hazards they cover may overlap, cre-
ating multiple layers of protection. Therefore, if one fails or
proves to be inadequate, another remains to avoid a more
drastic escalation.
Each SIF is assigned a safety integrity level (SIL),
which in basic terms is its importance in the larger risk-
reduction picture. Every SIF is important, but some are
more so. Those with high SIL ratings are especially criti-
cal, and the remedy has to provide a major reduction in
the probability that the event will happen. Those with low
SIL ratings may have smaller consequences, or there
A12 • October 2016 Applied Automation
may be other mechanisms that are capable of solving the
problem, so the degree of risk reduction would be less.
(See editor’s note.)
Safety specialists design the SIFs and then oversee
their installation and maintenance for as long as the plant
is in operation. This safety lifecycle (SLC) concept ties
together all the steps in implementing a complete safety
system, or one SIF. It follows three main phases: analy-
sis, realization, and maintenance. It begins with the initial
analysis of the process and hazard identification, and then
moves to developing a mechanism to protect against the
event, including installation and ongoing support.
The role of the safety specialist in this context cannot
be overemphasized. The suggestions for designing and
implementing safety functions offered here should be
left to qualified safety specialists. While it is important to
understand how these things work, implementing them
yourself if you don’t have the proper training is not a good
idea and could potentially be disastrous. To apply a com-
mon expression, don’t try this at home.
Will it work?
After a SIF is installed, it must be validated to verify its
operation. Validation must follow specific procedures to
ensure it is trustworthy, with all steps documented. The
validation process puts the SIF under a microscope, dis-
sects it, and looks for all the ways in which it could fail.
Each of those possibilities must be examined and tested,
one by one, element by element. Proof tests are con-
ducted at prescribed intervals to detect undetected dan-
gerous failures that could prevent the SIF from working in
the future. Sensors, logic solvers, and final elements can
be tested seperatly at different intervals, or the entire SIF
can be proof tested at once. Eventually, the specific SIF
or the complete safety system may be decommissioned
with a given process unit or entire plant, bringing an end
to its lifecycle.
The term “validation” is critical. There are many kinds
of tests and checks performed when a unit is being con-
structed or upgraded. Terms such as software verification,
loop checks, proof tests, factory acceptance test, and
others can be used for other things. But a safety system
validation must follow a specific approach spelled out in an
applicable standard and must be documented in a specific
way. Other tests also may be just as specific, but typically
they may have different objectives.
Figure 1: This hypothetical process mixes two feedstocks while
being heated. The final product exits from the top of the vessel
to provide sufficient residence time in the reactor. This unit could
have several possible SIFs related to level, pressure, temperature,
and possibly an agitator malfunction. The example discussed
relates to pressure, so a SIF designed to open a relief valve is
illustrated. Courtesy: Maverick Technologies
A step in the safety lifecycle
Validation of a SIF is only one step in the larger SLC,
but it is critical. Figure 1 shows a hypothetical example
of a typical SIF applied to a continuous process. In this
example, two liquid feedstocks are pumped into a reac-
tor, and then heated and agitated so they form a new
compound that flows out of the reactor near the top.
Temperature, pressure, and level are measured with TT01,
PT01, and LT01 respectively.
The hazard analysis warns of a possible overpressure
incident if the output flow is obstructed, thus the designers
specify a SIF capable of creating a second outlet to allow
some of the contents to pass to a holding tank. This may
not be the only SIF connected with the reactor. There could
be another SIF designed to shut off the steam to the heater
if the temperature becomes too high, or feedstock inputs
might be cut off if the level in the reactor gets too high.
Under normal operating conditions, the basic process
control system (BPCS) keeps these parameters on an
even keel. For this example, it probably would do a good
job more than 99.99% of the time. Unfortunately, in the
real world, things can and do go wrong. The steam con-
trol valve might stick or the pump extracting the product
from the reactor may fail. In those cases, the BPCS can’t
always address the situation, and the SIF must step in
and do its job.
Many potential variables
While reviewing the hypothetical process, the choices the
SIF designer must make include:
n The type of pressure instrument to use
n Pressure instrument location
n Valve response time after trip
n Pipe and valve sizes sufficient for pressure relief
n Trip pressure setting
n Self-resetting versus non-self-resetting loop
n The information that should be sent to the BPCS.
When these parameters are set, the equipment can be
installed and is ready for validation. This is the moment of
truth when everything must work, despite every attempt
by those doing the testing to make it fail. Given its critical
nature, validation must be a careful and well-thought-out
process in compliance with relevant standards, and it must
be fully documented. Performing the series of tests required
might be a complex process and involve a variety of other
plant personnel, as exemplified by these typical steps:
1. Identify all pieces of equipment or systems con-
nected to the SIF under test. Obviously, the safety devices
themselves are included, but there may be others involved
tangentially. The SIF equipment must function indepen-
dently, but performing the test may require bypassing
another system, disabling an alarm, or changing an ele-
ment of the process.
2. Involve all of the departments and people who will be
participating or are affected by the process and get their
input. The primary areas to include are operations, main-
tenance, process control, and process safety. But never
underestimate the number of individuals who might feel
they should be involved. Ask for input and assistance as
needed because the test will invariably affect other areas,
especially operations and maintenance.
3. Create the testing process and put it in writing.
Because the test must be documented, it must follow a spe-
cific procedure. IEC 61511 and ISA 84 specify the general
steps the test must include, so make sure it follows those
recommendations. Each step should indicate the desired
outcome, following the potential failure modes identified
by the system designers. The SIL rating may come into
play because a SIF with a high SIL rating may need more
extensive testing than one with a low SIL. The procedure
also must be practical within the plant context, so it must be
selected carefully. In most companies, a basic procedural
Applied Automation October 2016 • A13
 PROCESS SAFETY
template can be set up and adjusted for each situation, so it
won’t be necessary to start from scratch for every SIF.
4. Determine and document advance preparations of
the equipment necessary to perform the test, along with
any unusual equipment to have on hand, such as a stop-
watch. If a pipe must be drained or the liquid in a tank
moved to a specific level, these requirements must be
noted. If step 2 was executed correctly, this will be easier.
5. Communicate the testing instructions. Be specific as
to who needs to be where, what they need to be doing,
and when their activities must take place. Again, coopera-
tion and success in this step depends on step 2. Some
tests will address the SIF as a unit, while others will exam-
ine individual components.
6. Specify in detail which variables must be recorded
during the tests. What value did the pressure instrument
actually display? How long did it take for the actuator
to respond to the signal? Did it respond as quickly as
it needs to in actual service? This where the stopwatch
might come in handy. If the response time is too fast for a
stopwatch, some other mechanism might need to be used,
such as an event or alarm log on a software program con-
nected to the process.
Designing a SIF
A
safety-instrumented function (SIF) is a simple pro-
cess, sometimes called a safety loop, designed to
perform a single function. It consists of three ele-
ments: a sensor, logic solver, and actuator. Conceptually,
it is a control loop, but it has a discrete on-off function.
For example, consider an oil terminal that transfers
petroleum products from a pipeline to a storage tank. The
control system is supposed to stop operators from over-
filling the tank, but if it does not function properly, liquid
can get too high and flow out of the tank vents. Given
the hazards that a situation such as this creates, a SIF is
added as a layer of protection (see Figure 2). There is a
level sensor sending its data to a logic solver, a safety-
rated controller capable of reading the level variable from
the sensor, which is programmed to trip and open a relay
to shut down the pump motor when it reaches a specific
value. In this case, the actuator stops the oil flow before it
spills. It might also close the inlet valve for the tank. This
loop is not designed to regulate level. It just stops the
transfer when the level reaches its programmed trip point.
The most critical aspect of the SIF is its ability to func-
tion independently. It must be entirely self-contained, not
A14 • October 2016 Applied Automation
7. Communicate instructions for return-to-service after
the test is complete.
8. This test may be performed only once, but because
there is potential for the SIF to be updated or otherwise
modified, the procedure should include a revision history.
Simulating danger
SIFs are designed to respond to problems, often poten-
tially major incidents. When a safety function is activated,
it is because the BPCS can’t cope with a malfunction or
other upset—these are not trivial matters. Validating a
SIF should involve, as closely as possible, creating the
problem so there is no doubt that the SIF can respond
appropriately. Nonetheless, there will always be push-
back from operations to the suggestion of over-pressuriz-
ing a massive reactor or overheating a tank of product to
make sure a safety sensor reads the problem correctly.
In the real world, even when working with something
as critical as a safety system, some allowance will need
to be made in the name of practicality. Here, in order
from best to still acceptable, are the typical ways in which
SIFs are validated:
1. Manipulate the process safely and carefully to create
the hazardous conditions. Obviously, this provides the most
conclusive test. But it generally involves the most drastic
process disruptions, with some manipulations worse than
depending on help from a human operator or any other
part of the control system. The question one might ask is
why this complex system can’t be replaced with a much
cheaper level switch wired in series with the pump. The
answer is it can, but the level switch does not provide
the same assurances of functionality. If it gets jammed or
moving parts rust or corrode, it might not operate during
an emergency. Yes, it can be tested, but this requires an
operator to perform the test, and it might not give a clear
indication of its condition.
The more elaborate safety loop approach is able to send
information to the control system to indicate it is functioning
correctly. It can send its level measurement to show it has
a correct reading and also verify the logic solver is working.
The trip point can also be changed, but this should be done
only according to procedures for modifying a SIF. If the sen-
sor goes dead or any other component fails, the logic solver
can send an alarm to the control system. The logic solver
also can be programmed to test itself at prescribed inter-
vals, opening the valve to verify it is not stuck. These diag-
nostic functions provide a much higher level of confidence
and assures the SIF’s ability to do its job when called upon.
others. Raising the level in a tank might not be as bad as
over-pressurizing a reactor, but this approach is usually
hard to sell to management and it happens the least.
2. Isolate and manipulate the sensor. If one can’t over-
pressurize the reactor, an alternative is to remove the sen-
sor device and create similar conditions on a smaller scale.
Perhaps a pressure instrument can be connected to a com-
pressed air line, or a thermocouple can be placed into a hot
bath. If this can be done in a practical way, it is almost as
good as method No. 1 and usually much easier.
3. Use a simulated sensor. Uncouple the actual sen-
sor from the transmitter and use a simulator to provide a
dummy input to the safety instrument(s). The most com-
mon example of this is disconnecting a thermocouple and
using a thermocouple simulator.
4. Use a calibrator. Put the transmitter into simulation
mode and generate a trip signal. This is the least real-
istic, but it is certainly the easiest. As a result, it is also
unfortunately the most common approach.
Regardless of which approach is selected, it should be
written into the procedure.
The tests described so far are aimed primarily at the
sensor. In most cases, SIFs are looking for excursions
into undesirable temperature or pressure, but level also is
common to avoid overflows and spills.
The other parts of the SIF—the logic solver and final
control element (FCE) or actuator—are just as important
and must be checked individually and thoroughly. During
the actual field validation, it is important to include a
series of individual checks for these devices as well. For
the logic solver:
n Confirm all inputs and outputs are functional
n Confirm programming and other software to ensure all
setpoints and other configurations are correct
n If a voting scheme is used, connections to all the sen-
sors must be verified, although checking every possible
combination is probably not necessary.
Just as it may be necessary to avoid disrupting the pro-
cess to test the sensor, testing the FCE can also cause
disruptions. Opening a relief valve or repeatedly shutting
down a major piece of machinery, such as a pump or com-
pressor, as part of the validation is not a good idea. As
with checking the sensor, some allowance may have to be
made for the sake of practicality.
For large equipment, it is likely possible to disconnect or
bypass where the FCE interfaces with the equipment so
that it is possible to see it operate without actually shut-
ting down the device. Similarly, the compressed air supply
Figure 2: The logic solver is the brain of the safety loop, and it has a
very simple function. It reads the process value from the sensor (LT), and
when the value crosses the threshold, it executes its task. Normally it is
a discrete on-off function, opening or closing a valve, starting or stop-
ping some piece of equipment. Depending on the nature of the process,
it may have a delay built in, waiting for some period of time between
the value crossing the threshold and responding, to avoid tripping when
the change is a brief transient. Some safety loops are self-resetting,
resuming normal operation automatically when the variable returns to
its normal range. Courtesy: Maverick Technologies
to a valve actuator can be disabled so it will not move,
although the actuator can still be verified.
Having said that, no test is complete without seeing the
final operation work fully at least once. If there must be
intermediate tests, a good procedure is to make the final
operation happen on the first and last tests. If doing it twice
is too many, then it should be done on the final test. This
allows the final element to be left as it is tested instead of
relying on the reconnection of such a critical device.
A SIF designed well and tested thoroughly should perform
reliably in an emergency and not cause nuisance trips. The
validation process is a critical step in the larger SLC. When
executed by a qualified and experienced safety engineer, a
plant should be confident of its ability to operate safely to pro-
tect plant personnel, the environment, and the equipment.
Scott Hayes is a control systems engineer at Maverick
Technologies. Maverick Technologies is a CFE Media
content partner, CSIA Level 1 member, the Control
Engineering System Integrator of the Year in 2011,
and was inducted into the Control Engineering System
Integrator Hall of Fame in 2012.
Editor’s notE: The process of determining SIL ratings is
complex and beyond the scope of this discussion. For more
information about SIL ratings, safety instrumented systems,
and safety instrumented functions, read Control Engineering
Magazine’s “Real World Engineering” blog at
www.controleng.com/blogs/real-world-engineering, written
by engineers at Maverick Technologies.—JS
Applied Automation October 2016 • A15
 PROCESS SAFETY

Avoiding nuisance trips from SIFs

W
ithin a process manufacturing context, safety to equipment. When the problem is fixed, the unit can
incidents can take many forms. Some are be restarted, but critical time has been lost.
small and an occurrence could create a minor Now, imagine the same situation where a unit tripped
chemical spill. Others are huge and could result in a and went into shutdown mode because there was a
fire or explosion with thousands of gallons of petroleum malfunction in one of the safety sensors. The SIF went
products. In the same way, the actions a specific safety into action because the pressure sensor mistakenly
instrumented function (SIF) takes reported a problem when none
to correct a problem and avoid To avoid nuisance trips with actually existed. If it’s a small
escalation can take various forms. problem with a small result, such
critical SIFs, some plants install
A relief valve may be opened to situations are called nuisance
release pressure in a tank for a redundant sensors to prevent a trips. However, if it’s a big event,
small problem. However, for a seri- critical system from going into the result is almost as disruptive
ous situation, the action the SIF as an actual emergency.
takes can be hugely disruptive. If shutdown unnecessarily. These Obviously, a plant wants its
a major incident is underway, a approaches use voting schemes SIFs to do their jobs. Reliable
drastic action may be appropriate, SIFs need to act when an actual
such as effectively shutting down to force the redundant problem is developing—but only
an entire process unit. To avoid sensors to act as a group. when an actual problem is devel-
a catastrophe, such actions are oping. To avoid nuisance trips
absolutely necessary, but they cost enormous amounts with critical SIFs, some plants install redundant sensors
of money and disrupt production even if the process to prevent a critical system from going into shutdown
shuts down exactly as it is supposed to with no damage unnecessarily. These approaches use voting schemes

SIS SIS SIS SIS

1oo1 1oo2
SIS
SIS SIS

2oo2

SIS SIS SIS

VOTING
2oo3 SIS
2oo3 voting

Figure 3: If a sensor malfunctions and/or opens, there is still a path for power to reach the intended equipment. In addition, two sensors
must report the same problem simultaneously for the SIF to act. This 2oo3 scheme reduces the likelihood of a nuisance trip. However,
there are other voting schemes used in various applications. It should be noted that other arrangements, such as 1oo2, won’t work
because the failure of one device still trips the system. Also, 2oo2 has its quirks for the opposite reason. If one sensor fails “on,” the
SIF can’t perform its function. Both kinds of failures are possible. When a system can’t do its function, it’s called “failure on demand.”
Courtesy: CFE Media

A16 • October 2016 Applied Automation

to force the redundant sensors to act as a group. A In many respects, the antithesis of redundancy is com-
common method is to use three sensors monitoring the mon cause—a situation where the same problem affects
same process variable. For the sake of this oversimpli- all the sensors the same way. The kind of malfunction
fied example, imagine the application is a large pipe- a 2oo3 voting scheme is trying to avoid is a simple
line compressor, which is not easy to shut down and mechanical, electrical, or electronic failure. It assumes
restart. Nonetheless, in an emergency it is critical for it the cause is unique, and affects only one of the multiple
to be shut down to avoid over- units. That concept is fine as far
pressurizing the line. To avoid In many respects, the antithesis of as it goes, but in many cases,
unnecessary trips, the safety failures are caused by some-
redundancy is common cause—a
engineer installs a group of thing in the process. Say for the
three pressure sensors to moni- situation where the same problem sake of argument, imagine some
tor its output. catalyst beads have escaped
affects all the sensors the same
Why multiple sensors? If the their holder in a reactor and
pressure exceeds the trip point, way. The kind of malfunction a 2oo3 become entrained in the process
the sensor is supposed to open fluid. They are carried through
voting scheme is trying to avoid is
the circuit causing the com- the piping and collect at vari-
pressor to shut down. To avoid a simple mechanical, electrical, or ous points. If they obstruct an
unnecessary trips caused by element in the piping where the
electronic failure. It assumes the
a sensor failure, the individual sensors are, they might affect all
devices are wired as shown in cause is unique, and affects only the safety sensors in the same
Figure 3. Each is effectively way. So whether there is one or
a DPST switch, and they are
one of the multiple units. That con- five, they will likely all suffer the
wired in series with the com- cept is fine as far as it goes, but in same problem.
pressor as shown. If one of Prudent investors don’t put
the sensors malfunctions and
many cases, failures are caused by all their money in one kind of
opens, there is still a path for something in the process. investment because a single
power to reach the compressor. problem can affect all of it. They
If any two or all three sensors open, power is cut off. diversify their investments to avoid a financial common-
Two sensors have to report the same problem simulta- cause disruption. In the same way, clever safety system
neously for the SIF to act and shut down the process. designers avoid using one type of sensor or sensor tech-
This is called a 2oo3 (two out of three) scheme, and it nology in redundant systems. Different sensor technolo-
reduces the likelihood of a nuisance trip because two gies—even if they are monitoring the same process vari-
devices have to fail at the same time to cause a trip. able—can be selected with an eye toward their charac-
There are other voting schemes used in various applica- teristics in specific situations. The assumption is not that
tions, but 2oo3 is common because of its simplicity and one technology is better than another so much as having
effectiveness. different operating characteristics.
So far, the example deals only with the sensor, but Using a mix of measuring technologies or even mount-
it can be extended to other parts of the SIF. In the real ing options can create a situation where it is much harder
world, these systems can be far more elaborate, using for a single cause to fool multiple different devices. Of
different forms of redundancy within the logic solver and course, if one safety sensor does trip, maintenance
networks. Any part of a SIF can malfunction, so it is criti- should be alerted to deal with the problem, whether
cal to ensure every part of the system is appropriately caused by a basic electrical or mechanical failure, or
protected. The actual functionality of a sophisticated some problem within the process. Any safety sensor
safety system can simulate redundancy even where it is action should be taken seriously, whatever its cause.
not practical to have multiple sensors. —J. Smith

Applied Automation October 2016 • A17

Solutions
Supporting Engineers In-Person,
Offering High-Value Content
In-Print and Online
For more than 66 years, PLANT ENGINEERING has helped
plant engineers, plant managers, maintenance supervisors
and manufacturing leaders understand how to make their
operations run more efficiently and effectively. Today’s
changing manufacturing landscape offers new ways to
deliver that knowledge:

Salary Survey: The Plant Engineering Salary Survey is the industry

standard. Beyond just what plant managers earn, the survey also
shows what they think and how they meet today’s
manufacturing challenges.

PlantEngineering.com: The engineer’s most popular Website for

up-to-the-minute information and onsite collection of knowledge—
offering important industry information in all multi-media formats—
the latest top stories, webcasts, podcasts, blogs, and videos.

Honoring Manufacturing: Plant Engineering has three unique

programs to recognize excellence in manufacturing:
► Leaders Under 40 recognizes the next generation
in manufacturing
► Top Plant honors manufacturing excellence in all phase of
production and operations.
► Product of the Year lets our readers choose the best in
manufacturing innovation.

Webcasts: Plant Engineering’s successful Webcast series bring the top

industry experts together to discuss the key issues facing plant
managers and examine the best practices and strategies to improve
operational efficiency.

eNewsletters: Focused on specific areas of interest, Plant Engineering’s

electronic newsletters deliver news and information on the latest trends
in manufacturing. Our weekly Plant Mail delivers news and insights,
while our monthly newsletters Hotwire; Maintenance Connection;
Energy Management; Product and MediaShowcase and Safety
and Security look at strategic ways to improve operations.

Subscribe today at
www.PlantEngineering.com/subscribe
 VFD programming

Taking advantage of VFD software

although VFD manufacturers have made many advances in terms of ease of use,
some users still find programming and monitoring with a 2-inch display tedious.
This is where VFD programming and monitoring software comes into play.

Steven Peterson much easier. Each device and equipment manufacturer

Ya s k a w a A m e r i c a I n c . has its own set of parameters, monitors, and factory

V
ariable frequency drives (VFDs) have been
around for decades now. During their infan-
cy, programming involved moving jumper
blocks and adjusting potentiometers. As time
passed, technology evolved (see Figure 1).
Although seven-segment light-emitting diode
(LED) keypads began to emerge, programming and moni-
toring was easier but still somewhat cryptic. Eventually,
full-text liquid-crystal display (LCD) keypads became the
norm. These keypads feature multiple lines of text that
can be displayed in many languages. Navigation is intui-
tive and the display can be customized to display the
most useful parameters. Although VFD manufacturers
have made many advances in terms of ease of use, some
users still find programming and monitoring with a 2-inch
display tedious. This is where VFD programming and
monitoring software comes into play.
Making programming easier
The benefits of using VFD software can make start-
ups, programming, monitoring, and even troubleshooting
defaults. When working with more than one device on
a daily basis, any tool that will eliminate the need for
remembering these functions, parameters, and values
makes a big difference.
VFD software allows users to search through all
parameters and monitors with an active search func-
tion. Instead of remembering that parameter “C1-01” is
the acceleration time and hunting through the keypad or
technical manual to find this, searching for “acceleration”
in the search bar will display the matching parameter.
Changing the aforementioned acceleration time is equally
easy. Simply clicking on the parameter, entering the new
value, and then clicking “Write” changes the parameter
nearly instantaneously. There is no more need for multiple
keystrokes on the keypad. This function is great for chang-
ing one parameter at a time. But what about changing
multiple parameters at once to make commissioning and
startups as efficient as possible?
VFD startup can be streamlined by using what some
software programs call an “application wizard,” which
takes the guesswork out of VFD application program-
ming. Typically, the wizard asks for information, such as
control method, duty, motor data, and control sources.

2S
Selects accel/decal time range
Switch
Accel/ (0.2 to 1,800 seconds)
decel
time ACC DEC
setting Accel/decal times independently
Potentiometer adjustable within the time range
selected by 2S

Figure 1: In the 1990s, selector a selector switch and potentiometers were

used for setting acceleration and deceleration times of variable frequency
drives (VFDs) (above). Around 2007, a full-text liquid crystal display (LCD)
keypad was used to make adjustments to VFD acceleration and decelera-
tion times (right). All graphics courtesy: Yaskawa America Inc.

Applied Automation October 2016 • A19

 VFD programming

The most common

method for connecting

a VFD to a PC is with

a universal serial bus

(USB) connection.

automation and motion-control equip-

ment, VFD programming software that
includes an offline mode can be used
as a preparation tool by setting up
Figure 2: A status panel displays the digital I/O terminal status
an offline project with all of the parameter settings pro-
including fault history with important values such as frequency, grammed ahead of time. When it is time to program the
voltage, current, and dc bus level. VFD, simply connect it and write the program. This can
greatly reduce startup times and can make engineers
In addition, digital inputs/outputs (I/O), speed limits, and look even more like experts in the field.
auto-restarts can be configured.
The key benefit of the wizard is that users do not need Local and remote monitoring
to think too much about which of the more than 1,000 The most common method for connecting a VFD to a
available parameters. On average, most VFD applica- PC is with a universal serial bus (USB) connection. This
tions consist of less than 20 modified parameters. Most is the quickest and easiest method because it is consid-
of them are addressed when using the wizard. After ered to be plug-and-play. This local VFD connection is
selecting the proper parameter settings in the wizard, the great for quick programming and monitoring. But what
changes are written to the drive in one final step. about connecting to a drive over long distances, such
as on the other side of a manufacturing facility, college
Back it up campus, or even the other side of the country?
Writing all of the parameters on the cab-
inet door with a marker is no longer nec-
essary. Parameter sets can be saved and
stored indefinitely on a PC as a backup.
These parameter sets are called projects.
Users can save as many projects on the
PC as the hard drive will allow. It’s a good
idea to make a project containing a hand-
ful of useful go-to parameters. Project
files can be shared with colleagues easily.
In some VFD software packages, there
are “share” and “export” buttons sprinkled
throughout the program. These are conve-
nient for sharing a list of parameters with
customers and colleagues or when seek-
ing technical assistance from the VFD
manufacturer.

Be prepared
Preparation is one of the most impor-
tant steps to take when operating in the
field. For example, if a system integrator Figure 3: A monitor panel can display user-selected signals, such as analog gauges,
is contracted to provide VFDs with other sliding scale, trend, or an LED-style panel. Signal levels are displayed in real time.

A20 • October 2016 Applied Automation

 No matter what your social networking preference is,
there’s a way for you to connect with Plant Engineering!

Make the connection now...

www.plantengineering.com/connect/social-media.html
 VFD programming

After selecting a VFD

and connection, the
functions and features
are available through
the software even
though the drive may
be physically located
elsewhere.

Many VFDs include a network-

ing option. The drive can be con-
figured with an interface, such as
an EtherNet/IP card, which allows
software to connect to the VFD on Figure 4: The trender displays user selectable signals on a real-time graph.
the network. A “scan drive” func-
tion will scan the local network for any VFDs that may
be connected. After selecting a VFD and connection, the
functions and features are available through the software occurred when the VFD faulted. Think of the fault trace
even though the drive may be physically located else-
where. This can save many programming hours as well
as the time it takes to walk back and forth across long
distances to get to the VFD.
For VFDs installed in remote or rural locations,
an Ethernet/IP or cellular connection module can be
installed. This module can connect the VFD to the
cloud, which allows for programming, monitoring, and
VFD status notifications to be emailed or texted. In
many cases, the software on these modules supports
smartphone connections. This feature is rapidly becom-
ing the industry standard for remote monitoring and pro-
gramming applications.
Monitoring
VFDs are no longer limited to providing only speed,
current, and voltage monitors. I/O status, torque refer-
ence, power consumption, analog signal levels, and fault
history, and so on can be monitored as well. Access to
these monitors allows users to be detectives by piec-
ing together values/parameters from the monitor feature
when troubleshooting operation issues or faults.
These aforementioned monitors can be displayed in
numerous formats. A status panel displays the digital I/O
terminal status. Up to eight additional monitors can be
selected to be displayed in the monitor pane, whereas
the keypad can display only three at a given time (see
Figure 2). Also available in the status panel is the ability Yaskawa America Inc., Waukegan, Ill.
to view the 10 most recent faults under the “fault history”
tab. Take advantage of the “fault trace” to pursue what
as a snapshot of what the VFD was doing when the fault
occurred. Important values, such as frequency, voltage,
current, and dc bus level are recorded.
Another easy-to-read monitor display is the “monitor
panel.” The monitor panel can display up to four different
monitors selected by the user. Signal levels can be dis-
played on a simulated analog gauge, sliding scale, trend,
or LED-style panel. All levels and values are displayed
in real time, allowing key insight into the VFD’s current
operation (see Figure 3).
The final monitoring tool is the “trender.” The trender
tool consists of six selectable signals that display real-
time signal level on a graph (see Figure 4). The trends
can be recorded in the VFD software and saved for
future reference or for sharing with others. Edge trig-
gering is possible for any of the six signals by specify-
ing a trigger level and selecting if the trigger should
occur on the rising or falling edge. Trends also can be
exported as comma-separated-variable data for use in
Microsoft Excel.
The industrial automation industry strives to minimize
downtime. It depends on fast and reliable commissioning
of new equipment, and a constant flow of monitored data
from that equipment. VFD software is a necessary tool to
ensure these criteria are met.
Steven Peterson is a technical training associate at

A22 • October 2016 Applied Automation

 Control Freak?
If you like being in control, then
SEW-EURODRIVE is your perfect
partner! We put you in charge of
every move with our gearmotors
and electronics. No headaches, no
whining, and virtually no maintenance.
You build it and we move it…simple!

Don’t you wish all partners were this

easy…?

seweurodrive.com | 864-439-7537
Less means more!

Focused on the essentials: the new i500

Slim design, scalable functionality, and extremely user-friendly.
The groundbreaking i500 is size-optimized and allows for zero-
clearance mounting, saving valuable cabinet space. And thanks
to the innovative interface options, it’s easy to commission in
minimal time. The best thing of all is that the modular structure
adapts to different production configurations in no time at all.
Less does mean more!
To learn more, visit www.Lenze.com or come see us at:
PACK EXPO in Chicago, November 6-9, 2016 at Booth N-5125 As easy as that.