
Why combination of Safety System & Process Control System.

Status
Not open for further replies.

Ulon (Electrical), Sep 4, 2007, MY
Hi all, greetings.

All processes are controlled and monitored by a Process Control System (PCS), often called a DCS system. On top of that we have a Safety System to monitor the process condition in a hazardous application/area.

Both can be integrated to work with each other.

If we want to simplify (maybe), why can't we combine the safety function or program into the DCS? Such as the DCS controlling the process and maintaining the safety of its own process?

Really glad for any opinion.
 

This is about safety philosophy, not about practical possible solutions. As in both handbrake and regular brake on a car, independent from each other.

 
See thread830-204210: Interlock/Alarm sequence regarding interlocks in control systems engineering.

The question nearly provides the answer. Hazardous processes require greater reliability than mundane processes. A water handling system may not require multiple systems.

Some controversy exists regarding whether or not OSHA 29 CFR 1910.119 requires segregation of basic process control from safety shutdown for various applications. I suggest that the process safety management of highly hazardous chemicals requires separate systems.

Regardless of whether or not it is an OSHA requirement, it is good practice. Let's look at the example in the thread referenced above, a level measurement application where the normal level is 50%. This is typically controlled by the "basic process control system". This is often a PID algorithm that throttles a control valve on the discharge of a pump. As the level increases or decreases to a point outside the desired range, an alarm is activated. This alerts the operator that things are happening, thus permitting some operator intervention or awareness. This much of the action is taken within the basic process control system such as the DCS. However, as the process deviates beyond this point, whatever was supposed to happen isn't controlling the process within the limits. Perhaps something was set to manual. Perhaps the breaker tripped on a pump so that the level continues to rise; or the pump is selected to hand so that it continues to run as the level continues to fall. Although typically not a "Bill Gates" type system, perhaps the microprocessor in the DCS controller locked up.

As the level further rises or falls a separate system with shutdown interlocks performs interlock actions. Upon increasing level above the alarm value the high level often trips a valve on the inlet. Perhaps it trips an upstream pump instead. In either case a different system is used. Low level often trips a pump from the bottom to the next process equipment. A separate system requires separate level measurement, preferably using a different measurement technology. The reason for the separate system is to avoid common mode failure. Whatever didn’t work with the DCS should not cause the same problem for the safety shutdown system.
 
To expand a bit on safety philosophy, the objective is to have two REDUNDANT controls on the process. Thus, any single failure in either path will still allow the process to be safely shut down or otherwise controlled.

This is particularly important in a software controlled process, since any bug in the program or operating system can cause the program to hang or otherwise malfunction, leading to a hazardous or catastrophic condition. In some situations, the safety, or fail-safe, system must be implemented completely in hardware, with no software content, to ensure complete independence.

Likewise, if the fail-safe is implemented in software, the general rule is that the program must be coded by a different person, running on a different brand of hardware with a different brand of operating system. This ensures that systematic errors are not duplicated in the fail-safe.

TTFN

FAQ731-376
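The level example JLSeagull walks through above, together with IRStuff's point about two independent paths, can be put into a small simulation. What follows is an added illustration written for this page, not code from any poster or from any DCS or SIS product: a tank level in percent, a PI loop in the BPCS with alarms at 70% and 30%, and a separate SIS that reads its own level transmitter and trips the inlet valve at 90% or the pump at 10%. All limits, flows and gains are constructed values, and the `cpu_hang` and `lt_stuck` faults are stand-ins for the locked-up DCS controller and the failed measurement described in the posts above.

```python
"""Toy model of a BPCS/DCS level loop beside an independent SIS.

Added illustration, not from the thread. Every number (limits, flows, gains)
is constructed for the demo. The plant is a tank in percent-level units with
an inlet valve and a discharge pump, stepped once per second.
"""
from dataclasses import dataclass

SETPOINT = 50.0                      # normal level, as in the thread's example
ALARM_HI, ALARM_LO = 70.0, 30.0      # BPCS alarm limits (constructed)
TRIP_HIHI, TRIP_LOLO = 90.0, 10.0    # SIS trip limits (constructed)
PUMP_CAPACITY = 2.0                  # %/s of level at a fully open discharge valve
NORMAL_INFLOW = 1.0                  # %/s; the upset begins at t = 100 s


@dataclass
class Tank:
    level: float = SETPOINT
    inlet_open: bool = True          # tripped closed by the SIS on high-high
    pump_running: bool = True        # tripped off by the SIS on low-low


class BPCS:
    """PI level controller plus alarms: the DCS's job."""

    def __init__(self, kp=0.05, ki=0.002):
        self.kp, self.ki, self.integral = kp, ki, 0.0
        self.bias = NORMAL_INFLOW / PUMP_CAPACITY    # valve fraction at steady state
        self.output = self.bias
        self.frozen = False                          # models a hung controller CPU
        self.alarms = set()

    def step(self, measured, dt):
        if self.frozen:                 # hung CPU: output holds, no alarms raised
            return self.output
        err = measured - SETPOINT       # direct acting: high level opens the discharge
        self.integral += err * dt
        self.output = min(1.0, max(0.0, self.bias + self.kp * err + self.ki * self.integral))
        if measured > ALARM_HI:
            self.alarms.add("LAH")
        if measured < ALARM_LO:
            self.alarms.add("LAL")
        return self.output


class SIS:
    """Shutdown logic: plain comparisons on its own transmitter, no PID, no shared state."""

    def __init__(self):
        self.trips = []                 # (tag, time) in the order they fired

    def step(self, measured, tank, t):
        if measured >= TRIP_HIHI and tank.inlet_open:
            tank.inlet_open = False
            self.trips.append(("LSHH", t))
        if measured <= TRIP_LOLO and tank.pump_running:
            tank.pump_running = False
            self.trips.append(("LSLL", t))


def simulate(upset_inflow=1.6, dcs_fault=None, sis_enabled=True,
             shared_transmitter=False, duration=400, dt=1.0):
    """dcs_fault: None, "cpu_hang" (controller freezes at t=100) or
    "lt_stuck" (the BPCS level transmitter reads 50% from t=100 on)."""
    tank, bpcs, sis = Tank(), BPCS(), SIS()
    peak = trough = SETPOINT
    overflow = False
    for i in range(int(duration / dt)):
        t = i * dt
        upset = t >= 100
        inflow = upset_inflow if upset else NORMAL_INFLOW
        if upset and dcs_fault == "cpu_hang":
            bpcs.frozen = True
        lt_bpcs = SETPOINT if (upset and dcs_fault == "lt_stuck") else tank.level
        lt_sis = lt_bpcs if shared_transmitter else tank.level   # separate LT by default
        valve = bpcs.step(lt_bpcs, dt)
        if sis_enabled:
            sis.step(lt_sis, tank, t)
        q_in = inflow if tank.inlet_open else 0.0
        q_out = valve * PUMP_CAPACITY if tank.pump_running else 0.0
        tank.level += (q_in - q_out) * dt
        if tank.level > 100.0:
            overflow, tank.level = True, 100.0
        tank.level = max(0.0, tank.level)
        peak, trough = max(peak, tank.level), min(trough, tank.level)
    return {"peak": peak, "trough": trough, "overflow": overflow,
            "alarms": sorted(bpcs.alarms), "trips": sis.trips}


if __name__ == "__main__":
    scenarios = [("healthy DCS", {}),
                 ("DCS CPU hang, independent SIS", {"dcs_fault": "cpu_hang"}),
                 ("DCS CPU hang, no SIS", {"dcs_fault": "cpu_hang", "sis_enabled": False}),
                 ("BPCS LT stuck, independent SIS", {"dcs_fault": "lt_stuck"}),
                 ("BPCS LT stuck, SIS shares that LT",
                  {"dcs_fault": "lt_stuck", "shared_transmitter": True})]
    for name, kw in scenarios:
        print(f"{name:36s} {simulate(**kw)}")
```

Running it prints five scenarios. A healthy DCS rides through the inflow upset without reaching an alarm. A hung DCS raises no alarm at all, and only the SIS, on its own transmitter and its own comparison logic, closes the inlet and later trips the pump before it runs the tank dry. With the SIS removed the tank overflows. With a stuck BPCS transmitter the independent SIS still trips, but if the SIS is wired to that same transmitter it never sees the high level: that is the common-mode failure the separate measurement exists to avoid.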
 
Having worked in the pipeline industry and inside chemical plants, I got to see it all. The big plants were buying a single giant DCS system, saying it was robust and safe. When led around you'd see two independent processors, but all the loop control and interlock controls were joined at some point, whether that be cables side by side or I/O boards in the same cabinet.

At smaller sites, they would have a control system manufactured by X and an interlock/ESD made by Y. Some would have made patches so that they could cross monitor, but typically there would be one set of HMIs for the ESD and another for Process Control.

My take was that our pipeline had a true DCS. Each pump, valve, and control had its own independent, stand-alone, non-interconnected, isolated power system distributed controls. All this was monitored via one set of HMIs with 3 redundant CPUs and multiple communication ports, with backup separated by 100 miles.

Today, I believe, the CPU/HMI/software is becoming very bulletproof. I believe you need to look at the connections from the end devices and the links to the I/O as more of a risk in deciding on the system. Today I try to put stand-alone Control/ESD on each major portion of a plant. Each compressor has its own PLC that can survive and make itself safe. The master control can overwrite and harmonize multiple slave stations.

Just another philosophy to look at; it may not fit all.
 
Even if the case can be made for having the same hardware used for the main control and the safety system, one factor to consider would be the cost of engineering the system.

If both functions are in the same system, I believe you would have to design the whole system to the higher level. So if under IEC 61508 the safety integrity level was two (SIL2), the whole system would have to be designed and documented to this level. Somewhere I recall seeing that software costing £100 for a normal control system would cost £1,000 at SIL2. This would soon swallow any savings on hardware. This level of additional cost would continue throughout the life cycle.
 
Thanks a lot guys.

This is one of the best sets of replies I've had.

gerharld --> put the basic philosophy and concluded it all.

JLSeagull --> elaborated it with an example.

IRStuff --> gave the software & hardware view.

Dcasto --> operational scenario.

Balckyard country man --> turned it into a financial view.

Just a complete set of opinions that wraps it all up.

You guys are great, thanks.
 