Redundancy / discrete systems in modern DCS systems

[c2sco]

I'm a chemical engineer in England, involved with safety integrity assessments for chemical plants. I'm struggling with understanding the meaning of multiplicity, or redundancy, inside modern DCS systems, which is often relevent to these assessments.

We work to BS EN 61511 / BS EN 61508, where we are instructed never to give the BPCS (Basic Process Control System) a PFD of less then 0.1. This is to allow for possible common cause failures, eg if we had a level controller and a separate level alarm both passing through a DCS, we cannot regard the alarm as a layer of protection when considering the consequences of failure of the controller. However I have found assessments done by professional EPC contractors which effectively allows this. When I challenged them, they claimed that the DCS was in several discrete modules, and that they were confident that the two systems passed through different modules and were therefore independent and so the assessment was correct.

I'm very dubious about this, but I have no real experience of how such DCS systems are actually built. I'm conscious that if we have a system consisting (eg) of 2 input elements, a logic solver, and 2 output elements, then if the PFD of the logic solver is (say) 2 orders of magnitude less then the other elements, then since it is the main or only cause of common mode failure, then the opportunity for common cause failure is very low. However, as I understand it, the Standards prohibit this.

Can anyone shed any light on this for me please?

Thanks

Stuart

 

[PLCMentor]

Stuart,
Unfortunately I dont understand much of the terminology that you have included. You may want to keep in mind that you are posting this to a bunch of controls people that understand controls, but not (I would guess) some of the standards you refer to. I would suggest rewording your question in terms that anyone might understand - dont assume. For instance, what is PFD? Also you may have difficulty with this particular forum as this is listed as devoted to PLC's. There are differences though they are becoming hard to see.

Now I will try to take a stab at what I do understand. You mention a level controller and what I would assume is a discrete alarm. I would see no redundancy offered here. I guess the alarm may allow some indication of loss of the controller. If you had a level transmitter and a discrete level sensor, then you may argue some level of redundancy.

Give me more info and I will try to provide more info.

Russell

Russell White, P.E.
Automation Technologies, Inc.

http://www.AutomationNC.com

Automation Training

http://www.PLCMentor.com

 

[c2sco]

Russell,

Thanks for your reply. I did look through the various forums and thought this was my best bet! Maybe not, but if you are happy to try, so am I.

PFD=probability of failure on demand, ie (say) the level gets higher than the trip point. PFD= probability that the system of level transmitter, logic solver and final element (say a valve controlling the liquid flow into the tank) fails to work, causing an overflow or damage to the tank.

The standards mentioned have US equivalents - I'll try to find out their numbers. However they basically dictate how such safety systems should be assessed for required reliability (PFD) and designed to meet this (SIL, safety integrity level, requirement.) As I haven't a clue what goes on inside the black box we process engineers refer to as the "DCS" (distributed control system) which I believe is often a PLC, I cannot penetrate past the jargon.

I need to understand whether they are pulling the wool over my eyes when they say that despite both passing through the DCS, the level control and level alarm mentioned in my example are independent. The standards seem to give the edict "They are not independent and neither cannot be relied on if the other fails" which seems harsh if aplied without judgement. However common cause failure is a real problem and independent means independent - failure of one cannot cause the other to fail if we are relying on both to achieve a safety reliability target. In a typical case under dispute, is clear that there is redundancy in the sensor (there are 2), and in the means of stopping the flow (an automatic valve, and an operator who will go and close a different, manual valve). However the DCS which controls the automatic valve in response to the first sensor, and controls the alarm in response to the second sensor, appears to me (and the Standards) as a single item hence cause for common failure, whereas my instrument engineer colleauges (who don't understand the standards) claim there are 2 discrete pathways so they are independent. Clearly we can't say in general if they are right or telling porkies, I just want to know if typical DCS systems such as sold by Yokogawa etc can be claimed to have independent pathways.

Thanks for persevering!

Stuart
Regards,
Stuart

 

[ScottyUK]

PLCmentor,

The standards EN 61508 and EN 61511 are pretty common outside of the US. They're both related to safety instrumented systems, and this probably isn't a bad place to post the question as the PLC manufacturers introduce safety PLCs like A-B's GuardLogix. Maybe forum830 would have been a better choice but most people who read that one will also read this one so it doesn't really matter.

c2sco,

If the DCS manufacturer is proposing that alarms are handled by one redundant controller and the control or trip function by another separate redundant controller with neither relying on data broadcast by the other then a case could be made that they were 'independent'. If they use information broadcast across the data highway then it's much a less sound argument. If you're trying to ensure compliance with the two standards then it might be a little harder as most DCS platforms don't have SIL ratings.

A DCS and a PLC network are similar on the surface but there are definite differences. There's plenty discussion in other threads - try the search function. A PLC and a logic solver are also similar in fucntion but internally are quite different.

In your position I'd be seriously thinking about hiring some professional assistance, either to provide training for your own engineers or in the form of a consultant to sort this problem out for you.


----------------------------------

If we learn from our mistakes I'm getting a great education!

 

[PLCMentor]

Wow, sounds like a interesting issue to sort out. I think on the surface of it all, I would have to agree with you. I understand your system in question to have a single controller that is receiving multiple, possibly redundant, signals. However, multiple signals coming into a single controller would have a positive affect on reliability. Most controllers out there today are pretty solid. Your failure would most likely be in the field - in all likelyhood due to some human error, weather, other event. Scotty brings up another good point about the data highway. If there is a single highway between controllers or even between the controller and multiple operator interfaces, that could be a point of possible failure also - though again rare. I also agree with Scotty about possibly finding a local controls guru to help sort it out.

Scotty: I actually meant (dont want to get kicked off) that there are other forums on the web that might be better suited to answer this. Some that are dedicated to controls. I did not see the controls systems forum. I will have to check that out.

Russell White, P.E.
Automation Technologies, Inc.

http://www.AutomationNC.com

Automation Training

http://www.PLCMentor.com

 

[ScottyUK]

No danger of you being kicked off... reckon I'd be way higher on the list of candidates anyway!



----------------------------------

If we learn from our mistakes I'm getting a great education!

 

[c2sco]

Thanks for your replies. What you are saying all sounds in agreement with what I thought. I don't know anything about data highways - but I can imagine. I seem to remember being told about various protocols for LANs many years ago which involved packets of data being sent around - I guess the risk is that one faulty transmitter might corrupt it hence messing up other good data, ie common mode failure. Yes, I will seek further assistance through searches here. I've sought training courses but most are aimed at system programmers and designers, whereas I only need the right superficial level knowledge to know whether to accept the argument or to stand my ground! At least knowing some jargon I can sound as if I know! Equally I'll look to finding a consultant who can enlighten me.
Many thanks
Stuart

 

[ScottyUK]

We had a crash course in SIL (no, that wasn't the official title ] ) from a company called ProSalus in the UK. It was informative, can't remember how expensive it was - probably not cheap. The presenter was knowledgable and the notes were ok.

Siemens published some really good notes on SIL and the like. Obviously biased toward their own products but sufficiently generic to be useful, it was titled "Safety Instrumented System Manual" and I can't remember where I got mine from - a conference I suspect. Definitely worth getting hold of if you can tease one out of a supplier.


----------------------------------

If we learn from our mistakes I'm getting a great education!

 

[c2sco]

Thanks, I've sent an e-mail to Siemens, see what transpires.

Curiously, Prosalus turn out to be a company whose office is about 10 miles from my father's house in Teesside, so I'll contact them and maybe get some customised help if I can call in some time. I don't really need a course, maybe a 1:1 with an expert for an hour or two will answer my questions.

Stuart

 

[ScottyUK]

Are you on Teesside too? Which site? I used to work at the old Enron station near Wilton.


----------------------------------

If we learn from our mistakes I'm getting a great education!

 

[c2sco]

No, I live in Chester. I lived in Normanby until I was 18, Dad now lives in New Marske. I worked for ICI for 20 years in mid Cheshire and Runcorn, spending some time on project work at Wilton in the 90s. Since leaving ICI in 1998 I have done a few months' work for Invista (sadly plant now closing) and SembCorp at Wilton. I work for myself now. How about you?

 

[ScottyUK]

Geordie by by birth, lived on Tyneside until '96 then had a couple of years in The Smoke until I realised that the best job I've ever had couldn't make up for having to live there, then 10 years in Smogland with Enron and successor companies. Now back on Tyneside working for well-known engineering consultant to the power industry. Living about halfway between Sedgefield and Stockton and commuting because of the state of the housing market - prices down and no buyers.

Things look bleak for Wilton - as well as Invista I heard on the bush telegraph that Dow's E.O. plant is closing or being mothballed, then Croda will inevitably follow when its feeder plant stops production. Lot of jobs at stake.


----------------------------------

If we learn from our mistakes I'm getting a great education!

 

[matthewm1965]

Stuart,
I think this is the Siemens book that ScottyUK is referring to. I have found it to have some very useful references in there, despite its bias to Siemens products.

http://support.automation.siemens.com/WW/view/en/28813929

ScottyUK,
Didn’t Enron become NEL, then Carron Engineering? If so, I have worked with a couple of lads from there. I went for an interview there a few weeks before NEL went bust. Luckily I didn’t get the job.
Teesside is in a sorry state at the moment, up until three weeks ago, I was working at Wynyard Park, just down the road from where you live. At Christmas, we had a 17 strong team of E&I guys. When I left 3 weeks ago there were only 2 left.
I have had to take a short term contract overseas due to lack of local opportunities. Lets hope things pick up in the area.
Matt

 

[c2sco]

Matt, Many thanks, it looks interesting. At 365 pages it's going to take a while to digest!
Wilton / Billingham is a crying shame (as is most of British manufacturing industry). When ICI built it, it was a great complex, as was Runcorn, and we were proud to be part of one of the world's greatest chemical companies. I was very bitter and blamed ICI management for many years for causing the demise by selling out on bulk chemicals and buying a whole pile from Unilever by borrowing heavily. But they way things have gone in the last 20 years with Joe Public increasingly demanding cheap goods which they import from countries with low standards, less pollution and higher safety standards from industry here, it was only a matter of time I think. I'm coming to the end of my career and am glad to be getting out, but I believe unless something good comes out of the current financial turmoil, which it might, then a lot of the UK, and indeed world, future looks bleak.
The EO plant of course used to be ICI, and I did some efficiency studies there and on the surfactant plants about 20 years ago.
I'm doing some work for Simon Carves - once another great British company, now owned by Indians, who are stripping it of talent and opportunity and moving it to India, leaving the UK office to sink or swim in a reducing market place. Most of their work is for middle east companies. They recently built a bioethanol plant at Wilton, but we'll have to keep our fingers crossed it survives given the politics and downturn.
At least the nuclear industry is coming along, so long as the nimbys don't get their way and the politics don't make it too late before the lights go out.
Sorry to be downbeat, perhaps we should talk the country up rather than down, but the downwards momentum of the chemical industry at least is frightening.
I hope your overseas contract goes well for you.
Stuart