We’ve done our best to compile the most relevant and frequently asked questions about our company and the products we sell, but if you still can’t find the answer to your question here please feel free to contact us (info@R2.ca) and we’ll be more than happy to help.
SIL, or Safety Integrity Level, is a metric used to quantify the reliability of a Safety Instrumented Function (SIF). In other words, the SIL is a calculation of the probability that a safety system will perform its intended task, such as stopping the electrolysis process, when a dangerous event occurs. SIL is directly related to risk reduction. For example, SIL2 corresponds to a risk reduction factor between 100 and 1000 of the probability that an event will not be prevented.
The SIL is established by following the requirements in the IEC 61508 standard Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems. This standard dictates the complete development lifecycle for Safety Instrumented Functions as well as how hardware and software must be designed and qualified.
A PLC based voltage monitoring system will provide coarse indication of the cell voltages for real-time monitoring. The readings are usually not filtered leading to various spikes and high noise. The accuracy is generally in the order of ±0.025VDC to ±0.1VDC. The readings are not stable enough to allow the use of safety limits to automatically shutdown the electrolyser power source in case of dangerous situations. It is, to summarize, “just a monitoring system”.
The EMOS® SIL2 Safety system on the other hand is the most advanced cell voltage monitoring system available on the market. The different electronic units have been designed expressly for the bi-polar membrane electrolyser operation. The accuracy is stable at ±0.0015V over the whole temperature range. This accuracy and stability allows for 2 very important functions:
- Precise characterisation of each of the individual elements.
- Use of tight safety limits with automatic shutdown in case of hazards without false trips.
An EDI Voltage Monitoring System (or BVMS) provides the minimum level of protection only when the electrolyser is at stable full load. Protection is not available during load changes where problems are most likely to occur. For more information see “SIL2 Safety System vs. Deviation Voltage Monitoring System”.
The EMOS® SIL2 Safety System is based on individual cell voltage measurement. If any of the individual cell voltages behave dangerously, the electrolyzer power supply is automatically stopped to prevent an accident. The trip levels are calculated in real-time to provide the right level of protection at any point during operation.
The EMOS® SIL2 Safety System provides adequate level of protection at any point of operation; unlike and EDI or BVMS. For more information see “SIL2 Safety System vs. Deviation Voltage Monitoring System”.
Dangerous events can occur at any load. With a fixed limit, protection may only be optimal when the electrolyser is operating at full load.
When working at lower loads, events may result in voltage variations that never reach the fixed trip limits. In these cases, irreversible component damage may occur. By using trip limits that adapt to the electrolyser operating conditions, the process is always kept in a safe operating range.
When R2 designed the EMOS® SIL2 Safety System, the first step was to make a list of everything that could go wrong in an electrolyzer; we then looked at statistics and have defined how often each of these events are likely to happen. Next, we designed a system with the capability to protect the electrolyzer against the consequences of such events. In other words, some situations, like a short circuit between 2 cells or a membrane tear during operation, could cause the cell voltage to go low, not high. These situations could lead to serious fires and/or explosions. This is why the LOLO trip limit is required.
The EMOS® SIL2 Safety System has been developed expressly for the monitoring of electrolyzers. It was designed from the experience gained by monitoring over 70 000 electrolysis cells. It is only through this expertise that a system can be designed and built to reliably provide safety without generating false trips.
For example, measurement correlations are made in real time in the MODA to detect when a cell voltage measurement wire breaks in order to warn of a wiring problem instead of generating a false trip.
The SFOCOM, the logic solver located in the SILCAM, is responsible for collecting the voltage values from the MODA and calculating if they are within the safe operating range of the electrolyzer. If one or more of these measured voltages are found to be outside the safe operating range, the SFOCOM will open a dry contact, indicating to the plant Emergency Shutdown System that the process should be stopped.
The EMOS® SIL2 Safety System is OPC compatible. It can therefore exchange information with other systems that are also OPC compatible such as a DCS.
OPC is an industry standard communication protocol that enables systems designed by different manufacturers to communicate through a common interface.
The MODA precision is ±1.5 mV; this holds true for the operating temperature range found in cell rooms all over the world. This precision is essential when taking measurements that will subsequently be used to characterize component performance and aging: the basis for establishing performance based maintenance strategies.
Acquisition speed, scan rate, sampling frequency, etc. … may mean different things in different applications. The EMOS® SIL2 Safety System is composed of several building blocks and each one works at a speed that is optimized for the task it needs to perform. The following flowchart shows how the speed translates from the data acquisition module to the human machine interface.
As part of the SIL2 design and qualification process, a complete failure mode & effect analysis (FMEA) was performed on the system in order to achieve the highest possible reliability. The resulting design was then validated using stringent environmental testing methods.
R2’s latest generation architecture has been in service since 2007 with thousands of units deployed worldwide in a variety of harsh industrial environments. Millions of hours of operational experience have been accumulated and its analysis shows failure rates to be extremely low, even when compared to what was expected from the calculations.
All units go through strict quality control and are systematically subjected to thermal cycling to ensure the highest quality assembly.
The EMOS® Pinhole Detector is an extension of the EMOS® SIL2 Safety System which detects and classifies cell membrane pinholes according to their severity: small, medium, and severe. The pinhole detection is automatically performed during start-up and shutdown periods using single cell voltage behavior and an estimate of each cell current efficiency. A unique, patented algorithm is used to quantify the back migration of caustic soda from the cathodic to the anodic compartment of the cell. The pinhole severity level is calculated using a configurable conversion table.
The trip limits automatically adjust according to the electrolyzer operating load. These limits take into account the thermal boundaries within which the cell components can be operated safely without suffering irreversible damage. Adjusting limits individually would not provide much benefit, other than slightly delaying maintenance, since it could only be used either to reduce the limit below what is already safe or push it out closer to the dangerous operating zone. Additionally, there would be between 100 to 200 levels per electrolyzer to manage. This would not prove to be practical and could potentially introduce errors that would compromise safety.