De-Energize vs. Energize to Trip

AGill..., The acceptable 'fail-safe' position of our process operation is the valves are supposed to open when the hazard is present (i.e. opening the valves would mitigate this hazard). As such (i.e. and if I understand DTT vs. ETT circuitry design properly), a loss of power in a DTT circuit would cause those valves to open. In an ETT circuit, applying power would cause the valves to open.

So, if we used a DTT circuit, we would have to build in the necessary redundancies to ensure that a power outage (and in our case, loss of building compressed air to the valves as well) would not open the valves. Why? Because the loss of these utilities (i.e. power, air) during normal process operation would basically result in lost production/significant downtime for us. The valves must only open if the process parameter that I mentioned before exceeded a certain threshold (i.e. when the hazard started to become present).

In an ETT circuit design, it sounds like a power outage would pose certain difficulties. Even if the outage caused all process equipment & field devices to go to their 'fail-safe' position (i.e. to shut down all material transfer and stop any process heating), the SIL 1 safety interlock might still be needed because the hazard could still potentially introduce itself into the process operation under these 'fail-safe' conditions (even though the risk of this happening is low).

Concerning the power/compressed air redundancies that I mentioned above for a DTT circuit design, I'm wondering if the cost of putting these additional redundancies into the DTT circuit would be offset by the cost of putting in the end of line monitoring to ensure circuit integrity in an ETT design. Any thoughts from the group? Would those costs be comparable?

mk42..., Sounds like you have a lot of experience with DTT's in machine safety. Any experience/guidance with using DTT's in process safety applications?
 
This discussion illustrates why it's impossible to have a hard and fast rule. However, the OP is also mixing up mechanical vs. electrical failure design. These should be considered separately, i.e. a fail-safe valve should be just that: fail-safe when the mechanical or electrical signal is lost. It doesn't mean that you can't have an ETT circuit also trip that valve.

Let's use two extreme real-life examples that break simple rules:

1. Your home refrigerator. The way it works would trip a GFCI circuit. So, do you expose yourself to a certain danger? Yes. But you still put in a regular outlet for a fridge.

2. Power distribution. Designed to withstand short-period faults, and that fault could be your body. Too bad. But you can't have the city go dark every time a bird's wing goes phase to phase. It's mostly ETT.
 
mk42..., Sounds like you have a lot of experience with DTT's in machine safety. Any experience/guidance with using DTT's in process safety applications?

Sorry, not much. I have only enough experience to know they are different.

My main point was that I'm willing to bet some/most of the people in the thread had only Machine safety experience, and that most of our opinions mean nothing in a process safety application (like you apparently have).

I don't have any cost estimates, but (to me) if you want to be able to safeguard your production, the power redundancies are probably necessary regardless whether you go DTT or ETT. Your production may need the redundancy itself, and I would think that the safety system would need to be functioning regardless of whether the regular system is available or not.
 
I don't understand the energize-to-trip group's assertion that de-energize to trip will have more nuisance trips. Does the energize-to-trip group actually have an FMEA to back up that assertion? Is it correct?

I would expect both methods to have similar rates of nuisance trips. If the nuisance is caused by a loss of power, an energize-to-trip circuit still won't work. The only way I see to avoid nuisance trips is not to detect the cause, which means that the circuit is less safe.
 
Loss of power has to be considered for either approach.

You are considering "loss of power" to be a nuisance trip. In other words, your safety circuit must work without regard to normal power availability. ETT does not solve this problem. Certainly it won't take safety action on loss of normal power. However, it is also true that it CAN'T take safety action at all under loss of normal power!

If you need a safety system to work under loss of normal power, then you require another source of power like a UPS for the safety function. The same is true for loss of air. You must maintain the air pressure under power loss if the valve requires air to move to the failure position. You can do this with an accumulator instead of keeping the compressor running.

Bottom line, you have a choice of how your system behaves under loss of normal power. You can simply have everything fail to the safe condition on power loss, which is the approach used most often. Or in your case you can choose to keep some systems with expensive consequences under backup power so they only take action if necessary.

I have worked on a system where we maintained the control system on UPS power for at least 15 minutes to give the emergency generator time to come online. At that time, the operators could take action to save a batch in progress by restarting necessary motors.
 
Great comments & guidance everyone. Thank you!

After thinking about your comments some more, I've realized a couple of key things.

One key thing is that the SIL 1 interlock we're designing for our particular process application cannot actuate when there is a loss of building power during normal processing. If I use a DTT circuit, then I must build in some type of backup power supply (like the UPS that mellis mentioned) to ensure that there is no 'false' or 'nuisance' trip (call it what you like) until the problem is resolved. If I have an ETT circuit, then I also need some type of backup power supply on loss of building power to ensure that the SIL 1 interlock can perform its intended function if the hazard introduces itself into the normal process operation (again, this is unique to our particular process application). So, regardless of whether it is a DTT or ETT circuit, I think I need backup power in both cases.

So, with the additional requirement of end of line monitoring for ETT circuits, wouldn't it make the ETT design more cost prohibitive than the DTT design for our application?
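The point the thread converges on (loss of normal power has to be handled either way, DTT reveals faults as nuisance trips while ETT hides them until end-of-line monitoring or the hazard itself exposes them) can be checked with a small fault-scenario model. This is an added example written for this page, not code from any poster; the `Scenario` fields, the single `backup_power` flag standing in for a UPS or air accumulator, and the assumption that the end-of-line monitor is a powered supervisory check of circuit continuity are illustrative assumptions, not a description of any real safety product.

```python
# Added example (not from the thread): model DTT vs. ETT interlock behaviour
# under the fault conditions discussed above. Scenario fields, the backup-power
# flag and the end-of-line monitor are assumptions made for illustration only.
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    hazard_present: bool   # process parameter has exceeded the trip threshold
    building_power: bool   # normal building power / compressed air available
    backup_power: bool     # UPS or air accumulator keeps the interlock alive
    wire_intact: bool      # circuit from logic solver to valve solenoid is intact


def interlock_powered(s: Scenario) -> bool:
    return s.building_power or s.backup_power


def dtt_trips(s: Scenario) -> bool:
    """De-energize to trip: the valve goes to its safe (open) position whenever
    solenoid current is lost. Current flows only while powered, wired and no hazard."""
    energized = interlock_powered(s) and s.wire_intact and not s.hazard_present
    return not energized


def ett_trips(s: Scenario) -> bool:
    """Energize to trip: the valve opens only when the logic solver can actually
    drive current to it, so power and wiring are needed at the moment of the hazard."""
    return interlock_powered(s) and s.wire_intact and s.hazard_present


def _classify(tripped: bool, s: Scenario) -> str:
    if tripped:
        return "safe action" if s.hazard_present else "nuisance trip"
    return "DANGEROUS: hazard unmitigated" if s.hazard_present else "normal"


def dtt_outcome(s: Scenario) -> str:
    return _classify(dtt_trips(s), s)


def ett_outcome(s: Scenario) -> str:
    """Same classification, plus the latent faults an ETT loop hides while idle.
    End-of-line monitoring (assumed here to be a powered continuity check) reveals
    an open circuit; nothing reveals a dead interlock once power is gone."""
    base = _classify(ett_trips(s), s)
    if base != "normal":
        return base
    if not interlock_powered(s):
        return "latent: unpowered, cannot act"
    if not s.wire_intact:
        return "latent: open circuit (end-of-line monitor alarms)"
    return base


def compare(scenarios):
    """Return (scenario, DTT outcome, ETT outcome) rows for a set of scenarios."""
    return [(s, dtt_outcome(s), ett_outcome(s)) for s in scenarios]


# Constructed scenarios mirroring the thread: normal run, hazard, loss of building
# power with and without backup, and a broken field wire with and without hazard.
SCENARIOS = [
    Scenario(hazard_present=False, building_power=True,  backup_power=False, wire_intact=True),
    Scenario(hazard_present=True,  building_power=True,  backup_power=False, wire_intact=True),
    Scenario(hazard_present=False, building_power=False, backup_power=False, wire_intact=True),
    Scenario(hazard_present=True,  building_power=False, backup_power=False, wire_intact=True),
    Scenario(hazard_present=False, building_power=False, backup_power=True,  wire_intact=True),
    Scenario(hazard_present=True,  building_power=False, backup_power=True,  wire_intact=True),
    Scenario(hazard_present=False, building_power=True,  backup_power=False, wire_intact=False),
    Scenario(hazard_present=True,  building_power=True,  backup_power=False, wire_intact=False),
]

if __name__ == "__main__":
    for s, d, e in compare(SCENARIOS):
        flags = (f"hazard={int(s.hazard_present)} power={int(s.building_power)} "
                 f"backup={int(s.backup_power)} wire={int(s.wire_intact)}")
        print(f"{flags:<36} DTT: {d:<32} ETT: {e}")
```

Running the table shows the two rows that matter for the cost question: with building power lost and no backup, DTT produces the production-losing nuisance trip and ETT silently cannot act, whereas with backup power both designs behave identically. The remaining difference is the broken-wire row, where DTT trips on its own and ETT needs the end-of-line monitor to turn a hidden fault into an alarm.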