Sensors in Safety Control Systems


A sensor is taken here to include its connection to the process, and both should be adequately reliable. A measure of their reliability is used in confirming the integrity level of the protective system. This measure should take into account the proportion of failures of the sensor and of its process connection which are failures to danger.

Dangerous failures can be minimised by a number of measures such as:

  • Use of measurement which is as direct as possible (e.g. pneumercators provide an inferred level measurement: they actually measure the back pressure against a liquid head, and are therefore sensitive to changes in density caused by temperature variations within the process, and to the balance gas flow on which they depend);
  • Control of isolation or bleed valves to prevent uncoupling from the process between proof tests or monitoring such that their operation causes a trip;
  • Use of good engineering practice and well proven techniques for process connections and sample lines to prevent blockage, hydraulic locking, sensing delays etc.;
  • Use of analogue devices (transmitters) rather than digital (switches);
  • Use of positively actuated switches operating in a positive mode together with idle current (de-energise to trip);
  • Appropriate measures to protect against the effects of the process on the process connection or sensor, such as vibration, corrosion, and erosion;
  • Monitoring of protective system process variable measurement (PV) and comparison against the equivalent control system PV either by the operator or the control system.

Guidance on process connection is provided in BS 6739 British Standard Code of practice for instrumentation in process control systems: Installation design and practice.

Proof testing procedures should clearly set out how sensors are reinstated and how such reinstatement is verified after proof testing.

Maintenance procedures should define how sensors/transmitters are calibrated with traceability back to national reference standards by use of calibrated test equipment.

Other matters which will need to have been considered are:

  • Cross sensitivities of analysers to other fluids which might be present in the process;
  • Reliability of sampling systems;
  • Protection against systematic failures on programmable sensors/analysers. The measures taken will depend on the level of variability and track record of the software. ‘Smart’ transmitters with limited variability software which are extensively proven in use may require no additional measures other than those related to control of operation, maintenance, and modification, whereas bespoke software for an on-line analyser may require a defence in depth against systematic failures (BS IEC 61508 Part 3);
  • Signal conditioning (e.g. filtering), which may affect sensor response times;
  • Degradation of measurement signals (distance between sensor and transmitter may be important);
  • Accuracy, repeatability, hysteresis and common mode effects (e.g. effects of gauge pressure or temperature on differential pressure measurement);
  • Integrity of process connections and sensors for containment (sample or impulse lines and instrument pockets are often a weak link in process containment measures).

Use of ‘SMART’ instruments requires adequate diagnostic coverage and fault tolerance (see architectural constraints in IEC 61508 Part 2), and measures to protect against systematic failures (software design/integration, inadvertent re-ranging during maintenance). Measures may include use of equipment in non-smart mode (analogue signal output, no remote setting) and equipment of stable design for which there is an extensive record of reliability under similar circumstances.
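As an added worked example (not part of the original guidance), the simplified single-channel PFDavg approximation from IEC 61508-6 applied to a transmitter together with its impulse line, showing why the process connection's failures to danger (see the opening of this section) and the diagnostic coverage of a 'smart' transmitter both enter the integrity-level claim. All failure rates, fractions to danger, coverage figures and repair times are constructed illustrative values, not data from this page or from any standard.

```python
"""Simplified PFDavg for a single-channel (1oo1) sensor subsystem.

Uses the common IEC 61508-6 simplified approximation
    PFDavg ~= lambda_DU * TI/2 + lambda_DD * MTTR
and the low-demand SIL bands of IEC 61508-1 Table 2.
All numeric inputs below are constructed illustrative values.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0

# Low-demand SIL bands as (lower bound inclusive, upper bound exclusive, SIL).
SIL_BANDS = [(1e-5, 1e-4, 4), (1e-4, 1e-3, 3), (1e-3, 1e-2, 2), (1e-2, 1e-1, 1)]


@dataclass
class Element:
    name: str
    failure_rate_per_hour: float  # total random hardware failure rate
    fraction_to_danger: float     # share of failures that are failures to danger (0..1)
    diagnostic_coverage: float    # share of dangerous failures revealed by diagnostics (0..1)


def dangerous_rates(elements):
    """Series combination: a dangerous failure of any element defeats the measurement.
    Returns (lambda_DU, lambda_DD) in failures per hour for the whole subsystem."""
    l_du = l_dd = 0.0
    for e in elements:
        l_d = e.failure_rate_per_hour * e.fraction_to_danger
        l_dd += l_d * e.diagnostic_coverage          # dangerous detected
        l_du += l_d * (1.0 - e.diagnostic_coverage)  # dangerous undetected
    return l_du, l_dd


def pfd_avg(elements, proof_test_interval_years, mttr_hours):
    """Average probability of failure on demand for a 1oo1 arrangement (simplified)."""
    l_du, l_dd = dangerous_rates(elements)
    ti_hours = proof_test_interval_years * HOURS_PER_YEAR
    return l_du * ti_hours / 2.0 + l_dd * mttr_hours


def sil_band(pfd):
    """Map a PFDavg to its SIL band; 0 means outside the tabulated bands (no SIL claim)."""
    for low, high, sil in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return 0


# Constructed example: transmitter with 60 % diagnostic coverage plus an impulse line
# whose blockages are dangerous and not self-revealing (coverage 0).
SUBSYSTEM = [
    Element("transmitter", 2.0e-6, 0.40, 0.60),
    Element("impulse line", 1.0e-6, 0.50, 0.0),
]

if __name__ == "__main__":
    for years in (1, 2, 5):  # lengthening the proof-test interval drops the band
        p = pfd_avg(SUBSYSTEM, years, mttr_hours=8.0)
        print(f"TI={years} y: PFDavg={p:.2e} -> SIL{sil_band(p)}")
```

With these figures the subsystem sits in the SIL 2 band at a one- or two-year proof-test interval and falls to SIL 1 at five years; omitting the impulse line from the model understates PFDavg, which is the point of counting the process connection as part of the sensor.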