Understanding safety functions: Pressure or temperature

This post is part of a series on safety-related parameters described in ISO 13849-1 [1]. In this post, I will discuss pressure or temperature parameters and the implications when these process variables become safety-related parameters.

If you are interested in taking a functional safety course based on ISO 13849-1, see the “Courses” section at the end of this post!

ISO 13849 is not intended for anyone designing or manufacturing process control systems like those used in chemical manufacturing and refining. You need the IEC 61511 series [2], the ISA 84 [3] series of standards for those applications, or one of the other process industry standards. I am not a process industry expert, so I will not address those kinds of applications, only pressure and temperature in the context of machinery.

TL;DR

Pressure and temperature are important safety-related parameters. The two parameters are closely linked in systems where gases or vapours are present, with the behaviour of the gas or vapour governed by the combined gas laws. The temperature is also critical in mechanical systems that can overheat, like motors or bearings. Monitoring temperature or pressure requires the correct selection of instruments. Analogue instruments provide better fault detection opportunities because out-of-range values indicate instrument or interconnection failure, e.g., a broken wire or open connector contact. The correct integration of the analogue data via the safety-related software in the system is key to meeting the PL_r requirements of the safety function.

The diagnostics provided by the safety module or PLC are essential to Category 2, 3 or 4 architectures.

Contents

Pressure or temperature

Where a process pressure or temperature is related to safety, the control functions for those process variables become safety functions. A quick review of the basic physics of ideal gases is needed to understand why this becomes so important.

Ideal gas laws

Early research into the physics of gasses yielded several laws describing the basic characteristics of gasses. You will recall the fundamental laws that relate to pressure, volume and temperature of a given mass of an ideal gas.

Boyle’s Law

The first is Boyle’s Law, relating pressure and volume at a constant temperature [4].

P \propto \frac{1}{V}\\
and \therefore \\
PV=k

If a given mass of a gas is compressed, the pressure will increase as the volume decreases. You can see how this works in the animation below.

Charles’ law

Charles’ Law gives the relationship between volume and temperature [6].

V \propto T\\
and \therefore \\
\frac{V}{T}=k

So if the temperature increases, then the volume must also increase.

Gay-Lussac’s Law

Gay-Lussac’s Law states that the pressure of a given mass of gas varies directly with the gas’s absolute temperature when the volume is kept constant [8].

P \propto T\\
and \therefore \\
\frac{P}{T}=k

So, for any fixed mass of an ideal gas, at constant pressure, an increase in temperature will cause an increase in volume.

Combined gas law

Boyle’s, Charles’ and Gay-Lussac’s Laws can be combined into a single formula that represents the behaviour of compressed air in a pneumatic system [9, Eq. 1.19].

\frac{P_1V_1}{T_1}=\frac{P_2V_2}{T_2}

Since pressure vessels used in machines, e.g., pneumatic accumulators and other kinds of process-related tanks, are usually a fixed volume, the maximum pressure the vessel can withstand is proportional to the strength of the vessel walls, including the welded seams and any fittings and flanges that may be attached to the vessel to couple it into the pressure system. I will not review pressure vessel design here, as that is an engineering specialty, and I am not qualified to discuss it. The ASME Boiler and Pressure Vessel Code take up a bookcase. In the EU, the Simple Pressure Vessels Directive and the Pressure Equipment Directive apply.

Apart from accumulators, pneumatic and hydraulic components work similarly, but their design and volume usually offset any explosion risks. ⚠️ Usually. There are exceptions! ⚠️

Pressure-related safety functions

Often, the requirement is to ensure that an over-pressure condition is not created in a pressure vessel; however, ensuring that the supply pressure for a lubricant or a feedstock is maintained at a set pressure could be just as important.

The first step is to define the critical pressure that must be maintained. This could be a static pressure, or it could be a pressure range. If a pressure range is important, it’s possible to have either the same or different responses to an out-of-range condition.

Performance Level considerations

Depending on the PL that needs to be met by design, you may be able to use a single pressure sensor (Categories B, 1 or 2), or you may need redundant sensors (Categories 3 & 4). The instrument’s characteristics to measure the pressure must be selected to match the measurement requirements. These characteristics will include the range, resolution, precision, accuracy and sampling rate. These characteristics will determine if you can measure the pressure correctly and how quickly the instrument will respond to changes in the process temperature. If the pressure vessel is subjected to frequent surges or high-frequency pressure oscillations, you may need to use different measuring techniques to get a usable signal.

Sensing pneumatic pressure

According to the Lessons In Industrial Instrumentation textbook [11], the three basic forms of mechanical sensors used to detect pressure are

• bellows
• diaphragm
• Bourdon tube

These mechanical elements are coupled to electrical or electronic systems using one of the available sensing technologies. There are several technologies available, including:

• Variable Capacitance (Capacitive)
• Piezoresistive (Strain Gauge)
• Potentiometric
• Piezoelectric 
• Variable Reluctance
• Mechanical Resonant 
• Optical
• Others

The choice of the technology best suited to the application must be based on the application’s requirements and the devices’ capability, availability, and cost. If you are interested in learning more about continuous pressure measurement techniques, I highly recommend reading Chapter 19 in Lessons in Industrial Instrumentation [11]. This excellent textbook is provided free of charge on the Control Automation website.

As [11, Ch. 12] discusses, purely pneumatic instruments have many more problems than electrical or electronic instruments. Electronic instruments are much more common in new machinery than legacy systems where pneumatic instruments were installed when those systems were new.

Digital vs. analogue pressure sensors

Pressure limit conditions can be sensed using pressure sensors that only have a switching function, i.e., the sensor is only on or off, based on the pressure reaching the set limit. While this seems functional, the problem is that they are very hard to test. Since the contacts or output device will be open or in a high-impedance state, there is no way to determine if the sensor is functional without deliberately exercising it by allowing the pressure to rise until the switch operates or fails to operate when it should. This could be quite dangerous and might also negatively impact the process.

Instead, analogue sensors can be used. In this case, a pressure transducer and a transmitter are used to convert the pressure to a 4-20 mA current signal. Two analogue instruments provide separate sensing of the pressure condition, and any significant difference between the sensors is considered a fault. Using sensors built by two manufacturers could provide diversity, or two different sensing technologies could be used to avoid common-cause failures.

The signals from the redundant pressure instruments are compared in the safety PLC logic to determine whether the trigger for the safety function has been met.

Using this technique with redundant analogue sensors proves that the sensors are working continuously since any failure will result in a loss of signal or an out-of-range signal from the transmitter. Testing is continuous since the analogue sensor and transmitter will produce a 4-20 mA signal to the safety PLC.

In process plant control systems, more than double redundancy is more common, with three or four individual sensors used to measure the same process variable. These sensors are then connected to a “voting function” that determines whether an alarm condition has been met. This approach is very rare in non-process industry machinery.

Fault conditions

The control function activated by an out-of-range condition is dictated by the potential consequences of over- or under-pressure conditions. Understanding why the pressure control function has safety implications is key to understanding what needs to happen when the pressure is incorrect.

If the pressure being monitored is that of a pressure vessel rather than another part of the pressure system, the effect on the vessel’s mechanical integrity must be considered. Elevated pressure may also bring elevated temperature, and the potential for equipment damage or fire and explosion could be real. Nothing says that temperature and pressure would need to be simultaneously monitored; however, in safety-critical applications, especially where the characteristics of the contained fluid are complex, it may make sense to monitor both variables.

Just the fact that you are monitoring pressure may indicate that you are dealing with potentially catastrophic failure modes. Analyzing the system using an FMEA or other techniques is advisable [12].

Safety function diagnostics

The system diagnostics (Category 2, 3, and 4) will need to detect faults in the temperature sensor itself, e.g., thermocouple, RTD, etc. and the instrument.

Depending on the required response to an out-of-range condition, the safety function might start a pump or compressor to increase the pressure, open a relief valve to lower the pressure, and set an alarm to inform the operator about the condition. The safety function might generate a safety-related stop in processes where this is acceptable.

Safety requirement specification

Careful definition of the safety function in the safety requirement specification is critical to getting the design of the system hardware and software right.

This excellent article provides more guidance on the selection of industrial pressure measurement instruments.

Temperature-related safety functions

The temperature could be a stand-alone variable controlled by the machine or be linked to pressure. If you recall the post about the response time of safety functions, a machine that uses hydraulics in a cold environment might need heaters in the hydraulic fluid reservoir to ensure that the hydraulic actuators’ response time falls in the expected range by design. Otherwise, the safeguarding devices might be too close to the hazard to be effective. The temperature safety function would be used to prevent starting of the machine until the hydraulic fluid reaches the correct temperature.

Performance Level considerations

Depending on the PL that needs to be met by design, you may be able to use a single temperature sensor (Categories B, 1 or 2), or you may need redundant sensors (Categories 3 & 4). The instrument’s characteristics used to measure the temperature must be selected to match the measurement requirements. These characteristics will include the range, resolution, precision, accuracy and sampling rate. The characteristics of the instrument will determine if you can measure the temperature correctly and how quickly the instrument will respond to changes in the process temperature. Processes with rapid temperature fluctuations may need special measurement techniques to develop usable signals.

Sensing temperature

There are several techniques used to sense temperature. The simple bimetallic strip can open and close switch contacts, as in simple electromechanical thermostats. However, bimetallic strips have shortcomings that make them less useful for sensing equipment and process temperatures. Other techniques are better suited to providing continuous temperature data. These techniques include:

• Thermocouples
• “Filled-bulb” sensors
• Thermistors and Resistance Temperature Detectors (RTDs)
• Non-contact Temperature Sensors

Thermocouples are probably the most common temperature sensors in industrial machinery, but RTDs are also quite common. As with pressure instruments, selecting the type of temperature sensor for an application must be based on the device’s capability, availability, and cost.

If you are interested in learning more about the various temperature sensing technologies, I highly recommend reading Chapter 21 in Lessons in Industrial Instrumentation [10]. This excellent textbook is available for free on the Control Automation website.

You can learn more about industrial temperature measurement in this excellent article.

Digital vs. analogue temperature sensors

Temperature limit conditions can be sensed using temperature switches that are only on or off, based on the temperature reaching the set limit. Like switching pressure sensors, this behaviour can be useful in some applications. However, these sensors are very hard to test, making them poorly suited for safety applications except in limited applications. Since the contacts or output device will be open or in a high-impedance state, there is no way to determine if the sensor is functional without deliberately exercising it by allowing the temperature to rise until the switch operates or fails to operate when it should. This could be quite dangerous and might also negatively impact the process.

Instead, analogue temperature sensors can be used. In this case, a temperature sensor and a transmitter are used to convert the pressure to a 4-20 mA current signal. Two analogue instruments provide separate temperature sensing of the same point in the machine, and any significant difference between the sensors is considered a fault. Using sensors built by two manufacturers could provide the necessary diversity, or two different sensing technologies could be used to avoid common-cause failures.

Using this technique with redundant analogue sensors proves that the sensors are working continuously since any failure will result in a loss of signal or an out-of-range signal from the transmitter. Testing is continuous since the analogue sensor and transmitter will produce a continuous analogue signal to the safety PLC.

In process plant control systems, more than simple redundancy is more common, with three or four individual sensors used to measure the same process variable. These sensors are then connected to a “voting function” that determines whether an alarm condition has been met. This approach is very rare in non-process industry machinery.

Fault conditions

The control function activated by an out-of-range condition is dictated by the results of over- or under-temperature conditions. Understanding why the temperature control function has safety implications is key to understanding what needs to happen when the temperature is incorrect. If the temperature being monitored is that of a pressure vessel, then the effect on the vessel’s internal pressure must be considered. Nothing says that temperature and pressure would need to be simultaneously monitored since it is possible to calculate the pressure change; however, in safety-critical applications, especially where the characteristics of the contained fluid are complex, it may make sense to monitor both variables.

For contained fluids where the process operates at temperatures where a state change is likely to occur, the temperature may be a critical safety-related variable. This is especially true if the lower explosive limit of the vapour/gas collecting above the fluid might be reached.

Safety function diagnostics

The system diagnostics (Categories 2, 3, and 4) will need to detect faults in the pressure sensor and the instrument. Depending on the required response to an out-of-range condition, the safety function might start a heater or a cooling system, open a relief valve to keep the pressure within a safe range, and set an alarm so the operator knows about the condition. The safety function might generate a safety-related stop in processes where this is acceptable.

Safety requirement specification

As with pressure-related safety functions, careful definition of the temperature safety function in the safety requirement specification is critical to getting the design of the hardware and software right.

Courses

If you are unsure how to proceed with functional safety or ISO 13849, check out our FS101 course. This course will teach you how to proceed:

• with a review of machinery risk assessment
• developing the Safety Requirement Specifications
• analyzing your design
• developing the validation documentation, and
• developing the validation test procedure

This course is suitable for control systems designers and engineers. If you have a CMSE designation or equivalent, and you’re still not feeling confident about how to use ISO 13849, this course will work for you too. The course includes a review of machinery risk assessment according to ISO 12100. Our RA101 course will give you the needed expertise if you have never had risk assessment training.

References

[1] Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design, ISO 13849-1. International Organization for Standardization (ISO). 2015.

[2] Functional safety – Safety instrumented systems for the process industry sector – ALL PARTS, IEC 61511 SER. International Electrotechnical Commission (IEC). 2022.

[3] Functional Safety: Safety Instrumented Systems For The Process Industry Sector – Part 1: Framework, Definitions, System, Hardware And Software Requirements, ANSI/ISA 84.00.01. International Society of Automation (ISA). 2004.

[4] “Boyle’s law – Wikipedia”, en.wikipedia.org. [Online]. Available: https://en.wikipedia.org/wiki/Boyle’s_law. [Accessed: 09- Sep- 2022].

[5] NASA Glenn Research Center, Boyles Law animated. 2010.

[6] “Charles’s law – Wikipedia”, en.wikipedia.org. [Online]. Available: https://en.wikipedia.org/wiki/Charles’s_law. [Accessed: 09- Sep- 2022].

[7] NASA Glenn Research Center, Charles and Gay-Lussac’s Law animated. 2008.

[8] “Gay-Lussac’s law – Wikipedia”, en.wikipedia.org. [Online]. Available: https://en.wikipedia.org/wiki/Gay-Lussac’s_law. [Accessed: 09- Sep- 2022].

[9] A. Parr, Hydraulics and pneumatics, 3rd ed. Oxford: Butterworth-Heinemann, 2011.

[10] W. Deppert and K. Stoll, Cutting costs with pneumatics, 1st ed. Würzburg: Vogel Verlag, 1988.

[11] T. R. Kuphaldt, “Lessons in Industrial Instrumentation”, control.com, 2019. [Online]. Available: https://control.com/textbook/. [Accessed: 13-Sep-2022]

[12] “Failure mode and effects analysis – Wikipedia”, en.wikipedia.org. [Online]. Available: https://en.wikipedia.org/wiki/Failure_mode_and_effects_analysis. [Accessed: 09- Sep- 2022].

[13] “Pressure measurement – Wikipedia”, en.wikipedia.org. [Online]. Available: https://en.wikipedia.org/wiki/Pressure_measurement. [Accessed: 13-Sep-2022].

© 2022, Compliance inSight Consulting Inc.
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.