Evolution of Protective Systems in the Petrochemical Industry
Robert S. Adamski
Exxon Chemical Company
Electrical protective or emergency shutdown systems are utilized throughout the petrochemical industry for safety and to avoid severe environmental and/or economic events. Requirements for these critical systems are that they work every time, on demand, and do not initiate nuisance events. These requirements were difficult to achieve in most early systems but the systems have improved over the years. Emergency shutdown system design has been unregulated in the U.S., but new standards will require strict guidelines for design, application, documentation, and software testing and control.

The evolution of protective systems was driven by the use of solid-state devices and later by the use of integrated circuits with programmable (software) capabilities. The demand for higher availability (reliability) has further moved the industry from single PLCs to programmable minicomputers with complex software. This new generation of protective systems utilizes hardware/firmware/software in "triple modular redundant" (TMR) fault tolerant systems.
INTRODUCTION
The term "protective systems" can refer to many different definitions and applications, some of which can be confusing. Typical names in the industry are: safety shutdown systems, critical instrumentation, emergency shutdown systems, safety critical systems, interlock systems, etc. Although names and applications may differ, a common requirement can be found in most.
The most appropriate definition this author has found that applies to protective systems in the petrochemical industry is stated in the Health and Safety Document published in the U.K.; i.e., "Protective System: A system designed to respond to conditions in the plant which may be hazardous in themselves or, if no action was taken, could eventually give rise to a hazard, and to generate the correct outputs to mitigate the hazardous consequences or prevent the hazard." [1]
Requirements of protective systems that until recently were difficult to achieve are: (A) the protective system must work every time, as designed, on demand, or "zero defects" [2], and (B) it must not initiate erroneous outputs or inputs.
This paper will attempt to trace the evolution of these systems from simple electromechanical relays with single field devices to triple modular redundant (TMR) fault tolerant systems with multiple field devices. The evolution is being driven for two reasons: (A) safety and (B) economic. Lately another concern has appeared on the scene from outside the industry, and that is environmental impact. This last item has developed into a powerful incentive that will not only force many companies to re-evaluate and replace existing protective systems but will also place new, tougher availability requirements on these systems.

ISSN 0019-0578/91/04/0027/6/$2.50 ©ISA 1991
DESIGN GUIDELINES/REQUIREMENTS/STANDARDS
In the USA, insurance underwriters have set requirements for protective systems in selected applications such as NFPA for burner management. Industry standards are not available for most applications, but many companies such as Exxon have written mandatory engineering standards for protective systems to ensure that safety, environmental, and economic requirements are met.
Europe is far ahead of the U.S. in protective system standards, which in some countries are legal requirements. Documents such as Health and Safety Executive (HSE), TUV, and DIN 19250 are available for use.

VOLUME 30 • NUMBER 4 • 1991 27
SAFETY SYSTEMS
Both sides of the ocean have recognized that changing technologies and safety requirements have demanded new standards. The Instrument Society of America (ISA) has formed a committee called SP84, and the European community has formed a committee called IEC SC65A. This author feels that the IEC document will become the worldwide industry standard.
These standards will not come easy, for there are many issues to discuss (e.g., classifications of hazards, reliability calculations on hardware and software, applications programming, systems maintenance, etc.). One of the most difficult issues in the industry today is control of application software changes and variables embedded in the program (e.g., set points, alarm values, etc.). Those of us utilizing protective systems have been forced to design some control, but it will be a challenge to agree on standard procedures.
HISTORY
Standards were not used, and seldom, if ever, were reliability calculations performed on systems designed before 1980. Most early protective systems were designed, installed, and maintained by an electrical group utilizing simple switches and relays. Early railroad switching systems (circa 1932) are an example. Relay systems were the industry standard until the 1960s when the first solid-state (transistor) switching and logic devices became popular as relay replacements in the automobile industry. Solid-state technology was a real boon to complex sequence control applications, but what about protective systems? It was known that transistors, diodes, and especially triacs had an unpredictable failure mode; that is, they could fail "high" or "low" in about a 50-50 split [3]. Fail safe requirements in a protective system using hard-wired solid-state devices could only be achieved by redundancy. Systems utilizing dual (2/2) or triple (2/3) redundancy were produced by manufacturers to meet fail-safe requirements. In Europe, fail-safe systems were certified by third parties, e.g., TUV in accordance with legislative standards (VDE) [4].

When Texas Instruments invented the integrated circuit (IC) in 1958 [5], it paved the way for microcomputers or microprocessors. Hard-wired based relays and solid-state logic could be coded in software (programmed) and execute functions through the microprocessor (CPU). Those devices became known as programmable logic controllers (PLCs). Utilization of PLCs is well known in the manufacturing business, especially in the automobile industry. Some off-the-shelf units can be purchased for as low as $250.

28 ISA TRANSACTIONS

"As with hard-wired solid-state modules, the end user learned the hard way that CPUs and I/O modules have unpredictable failure modes. Applying those devices in protective systems will automatically lead to unsafe situations." [6] Like solid-state devices, PLCs had to incorporate redundancy and voting schemes to achieve fail-safe requirements. Dual 2/2 PLCs using off-the-shelf devices configured in a redundant scheme were specified by many engineers for critical protective systems. This movement for protective system applications was a mistake, in the opinion of this author. Not only was there a concern for safety, but the dual configuration was responsible for many nuisance "trips." Fail-to-safe incidents became unacceptable to many users. Some users are dismantling their dual PLCs and replacing them with conventional relay or solid-state logic.
Protective system applications became more complex, dictating a need for programmable microprocessor technology, but so was the demand for higher availability on these systems. As mentioned above, safety, environmental, and economic requirements were directly responsible for high demands of availability = 99.98% (1 - H/D).
In the middle 1980s, attempts were made by manufacturers to provide fault tolerant systems to meet high availability requirements. Most, if not all of these systems, when tested by some users (Exxon), were found to be unacceptable for fault tolerant applications. Today at least two manufacturers produce a fault tolerant, triple modular redundant (TMR) machine. Both of these devices have been tested and one is being utilized extensively. We anticipate many more manufacturers, especially from Europe, will enter the protective system market. These new devices look and "feel" like PLCs, but they are actually minicomputers with powerful control capabilities.
Experienced PLC programmers are impressed by the potential of this new technology but also understand that misapplication, or poor design, can create some serious safety and economic events. There has been a tendency to include other control functions than just protective system tasks. Other functions without good documentation and planning can cause confusion and violate the complete isolation requirements of the protective system. We anticipate new standards will require, and advise on, controls for applications programming and documentation to reduce potential risks.
RELAY-BASED SYSTEMS
As mentioned above, relay systems, as indicated in Figure 1, were the first protective systems installed and are still considered to be the most reliable because of their high 98% predictable failure mode [3, 10]. Indeed, there are still relay-based systems being installed today. In some industries, however, a 2% unpredictable failure mode is not acceptable.
Relay systems are easy to understand for simple applications, but, if high functionality is required, complexity grows very rapidly [4]. Below are some disadvantages of relay use:
1. They are not necessarily fail-safe because
- a relay contact can stick because of dirt building up or because of induction signal build-up;
- the spring can break;
- the contacts can burn in;
- the contact fingers can break.
Figure 1 - A Hard-Wired Relay Unit (schematic not reproduced)
2. They take a lot of panel space (addition of timers takes more space).
3. They require a controlled environment for contact integrity unless relays are hermetically sealed.
4. It is necessary to standardize on coil and contact voltage to avoid mishaps.
5. The organization of relay use by areas is necessary for ease of maintenance.
6. Complex relay systems are difficult to troubleshoot and maintain.
7. Documentation can be very busy and complex.
8. Modifications are difficult.
9. Since most systems are fail-safe, relays remain energized and hot, lowering their MTBF.
10. Only digital I/O can be used with such systems.
In summary, it should be noted again that despite the disadvantages listed above, relays are still considered to be the most reliable system, provided the power source is also reliable.
HARD-WIRED, SOLID-STATE LOGIC-BASED SYSTEMS
The evaluation of hard-wired solid-state logic systems, as indicated by Fig. 2, brought the protective system design, application, and maintenance into the world of instrumentation. Solid-state technology became the first replacement of relay systems with a much smaller footprint. The major flaw in using these electronic devices is that unlike a relay, which in 98% of the cases can be predicted to fail in the safe direction, solid-state devices have more of a 50-50 split [3].
The following are some pros and cons of solid-state systems:
1. They have limited diagnostics, using LEDs.
2. There is no flexibility for logic modification without backplane wiring.
3. They are easy to test and troubleshoot.
4. Most hardware is obsolete, and it is difficult to obtain spare or replacement parts.
5. Only digital I/O is used.
Figure 2 - A Solid-State Unit (schematic not reproduced)
6. They have proven to be very reliable in a 2/3 voting configuration.
7. Their documentation is easier to read.
It is obvious that, because of the high and unpredictable failure rate of solid-state devices, they could not be used in protective systems unless some redundancy could be employed. Redundant protective systems were installed in plants throughout the world with two-out-of-three (2oo3) or two-out-of-two (2oo2) voting logic.
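An added example, not from the paper, that quantifies the trade-off behind the dual and triple voting schemes discussed above: each channel fails with probability p, a fraction s of those failures lands in the safe (trip) direction, and every channel-state combination of an M-out-of-N-to-trip voter is enumerated to give the probability of a spurious (nuisance) trip and of failing to trip on demand. The MooN-to-trip naming, the independence of channels and the sample figures (p = 0.01; s = 0.5 for the solid-state 50-50 split, s = 0.98 for relays) are this example's own assumptions, not the paper's.

```python
from itertools import product

# Channel states in a de-energize-to-trip loop (assumed model):
#   "ok"  follows the demand (trips when a trip is demanded, runs otherwise)
#   "fs"  failed safe: stuck in the de-energized (trip) state
#   "fd"  failed dangerous: stuck in the energized (run) state
STATES = ("ok", "fs", "fd")

# Voting schemes named MooN: the output trips when at least M of the N
# channels say trip. (Naming convention assumed here.)
SCHEMES = {"1oo1": (1, 1), "1oo2": (2, 1), "2oo2": (2, 2), "2oo3": (3, 2)}


def channel_probabilities(p, s):
    """Per-channel state probabilities.

    p: probability that the channel has failed at the moment considered
    s: fraction of failures that land in the safe (trip) direction
    """
    return {"ok": 1.0 - p, "fs": p * s, "fd": p * (1.0 - s)}


def channel_says_trip(state, demand):
    """What one channel reports, given its state and whether a trip is demanded."""
    if state == "fs":
        return True
    if state == "fd":
        return False
    return demand


def voted_trip(states, m, demand):
    """M-out-of-N voter: the output trips when at least m channels say trip."""
    return sum(channel_says_trip(st, demand) for st in states) >= m


def voter_risk(n, m, p, s):
    """Return (spurious_trip, fail_on_demand) for an MooN voter.

    Each of the 3**n channel-state combinations is weighted by its
    probability (channels assumed independent) and classified twice: once
    with no demand (does the voter trip anyway?) and once with a demand
    (does the voter fail to trip?).
    """
    probs = channel_probabilities(p, s)
    spurious = 0.0
    fail_on_demand = 0.0
    for states in product(STATES, repeat=n):
        weight = 1.0
        for st in states:
            weight *= probs[st]
        if voted_trip(states, m, demand=False):
            spurious += weight
        if not voted_trip(states, m, demand=True):
            fail_on_demand += weight
    return spurious, fail_on_demand


def compare_schemes(p, s):
    """Risk figures for every scheme in SCHEMES at the given p and s."""
    return {name: voter_risk(n, m, p, s) for name, (n, m) in SCHEMES.items()}


if __name__ == "__main__":
    # Constructed figures: 1% channel failure probability; the solid-state
    # 50-50 split versus a relay that fails safe 98% of the time.
    for label, s in (("solid-state, s=0.50", 0.5), ("relay, s=0.98", 0.98)):
        print(f"{label}: scheme  spurious-trip  fail-on-demand")
        for name, (sp, fd) in compare_schemes(0.01, s).items():
            print(f"  {name:5}  {sp:.2e}      {fd:.2e}")
```

The table shows why 2oo3 lowers both figures at once, while a dual scheme only trades one risk for the other: 1oo2 multiplies nuisance trips and 2oo2 multiplies failures to trip.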
REDUNDANT PLC SYSTEMS
A block diagram for a redundant PLC is shown by Fig. 3. This author feels that there are more misapplications of redundant PLCs than any other technology used for protective systems. The Europeans were not as ambitious as the U.S. in utilizing these systems because most of their standards would prohibit nonfail-safe configurations. Those systems designed to be fail-safe had very poor MTBFs and availability numbers.
The following are some other issues relating to redundant PLCs:
1. They have proven to be reliable on energize-to-trip protective systems.
2. Analog and digital I/O are available for use.
3. Set points are easy to change.
Figure 3 - Dual Processor Single I/O Fault Tolerant Approach (block diagram not reproduced)
4. They have better diagnostics than hard-wired logic.
5. A communication bus can be used with them.
6. The reliability would not be high on a deenergize-to-trip system.
7. The question is: "Which processor is correct, A or B?"
8. The switchover between processors is not smooth.
9. Program verification in processors A and B is a problem.
10. Duplicate I/O is necessary for the processors.
11. They have a larger footprint.
12. Troubleshooting such systems is difficult.
13. Program changes are risky to make.
14. Service is risky.
FAULT TOLERANT TMR TECHNOLOGY
A block diagram is shown in Fig. 4 of a "triple modular redundant" (TMR) fault tolerant system with 2-out-of-3 voting logic. Definitions of fault tolerant technology can be found in a limited number of papers published by manufacturers [7, 8, 9].
The following are some requirements of this technology:
1. A single fault in the system must not create erroneous inputs or outputs, nor shall it prevent the system from functioning as designed.
2. Any fault must be alarmed and indicate the location of occurrence.
3. Any single fault must be repairable on-line without interruption in operation.
Note that a requirement is that not only must the protective system tolerate a fault, it must alarm that fault! It's obvious that if an undetected fault occurs, it could remain in the system until a second fault occurs that could fail the system to safe (erroneous shutdown) or danger (prevent a shutdown when needed). Neither condition is desirable.

Figure 4 - TMR 2-out-of-3 Voting Fault Tolerant Control (block diagram not reproduced)
There are two approaches to the design of a fault tolerant system, and although no manufacturer can claim to be 100% reliable for either design, their systems can be categorized as either HIFT or SIFT. HIFT is a hardware-implemented fault tolerance system, and SIFT is a software-implemented fault tolerance system. Both of these systems have been tested by the Exxon team.
The primary features that define the HIFT system are as follows:
1. It utilizes integrated circuits for fault diagnostics.
2. The processing time is about 3 ms/1000 elements of logic.
3. It uses simple software.
4. A 3-2-0 mode of operation (fail-safe) is used.
5. Typically, it has 10 kilobytes of ROM.
The primary features that define the SIFT system are as follows:
1. It utilizes software for fault diagnostics.
2. The fault diagnostics speed is a function of scan time; e.g., 100-200 maximum.
3. The processing time is 1.7 ms/1000 elements of logic.
4. It requires complex software.
5. A 3-2-1-0 mode of operation is used. The 3-2-0 mode must be programmed.
6. Typically, it has 100 kilobytes of ROM.
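An added example, not from the paper or from either manufacturer, of a simplified 2-out-of-3 voter that meets the three requirements listed earlier (a single faulty channel is outvoted, alarmed with its channel number, and repairable on-line) and can be run in either the 3-2-0 or the 3-2-1-0 degradation mode described for the HIFT and SIFT systems. The channel model (a discrete run/trip vote plus a self-diagnostic flag), the de-energize-to-trip polarity, and the rule that an unlocalized disagreement between the two remaining channels forces the safe state are this example's own assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Sequence

# De-energize-to-trip polarity (assumed): True = output energized = run,
# False = output de-energized = safe state.
RUN = True
TRIP = False


@dataclass
class Reading:
    """One channel's contribution for a scan (constructed model)."""
    value: bool            # the channel's own vote: RUN or TRIP
    diag_ok: bool = True   # result of the channel's self-diagnostic


@dataclass
class TmrVoter:
    """2oo3 voter with fault localization, alarms and on-line repair."""
    mode: str = "3-2-0"                         # or "3-2-1-0"
    healthy: List[int] = field(default_factory=lambda: [0, 1, 2])
    alarms: List[str] = field(default_factory=list)

    def _fail(self, ch: int, reason: str) -> None:
        # Requirement 2: every fault is alarmed together with its location.
        if ch in self.healthy:
            self.healthy.remove(ch)
            self.alarms.append(f"channel {ch}: {reason}")

    def repair(self, ch: int) -> None:
        # Requirement 3: a repaired channel rejoins without stopping the scan.
        if ch not in self.healthy:
            self.healthy.append(ch)
            self.healthy.sort()
            self.alarms.append(f"channel {ch}: returned to service")

    def vote(self, readings: Sequence[Reading]) -> bool:
        # Channels whose self-diagnostic failed are removed before voting.
        for ch in list(self.healthy):
            if not readings[ch].diag_ok:
                self._fail(ch, "self-diagnostic fault")
        live = tuple(self.healthy)
        votes = [readings[ch].value for ch in live]

        if len(live) == 3:
            # Requirement 1: a single faulty channel is outvoted, and the
            # disagreement itself localizes the fault.
            majority = RUN if votes.count(RUN) >= 2 else TRIP
            for ch in live:
                if readings[ch].value != majority:
                    self._fail(ch, "outvoted by the other two channels")
            return majority

        if len(live) == 2:
            if votes[0] == votes[1]:
                return votes[0]
            # Two channels disagree and neither self-diagnosed: the fault
            # cannot be localized, so the output is forced to the safe state.
            self.alarms.append("dual disagreement, fault not localized")
            return TRIP

        if len(live) == 1:
            if self.mode == "3-2-1-0":
                return votes[0]        # keep running on the last good channel
            self.alarms.append("second fault in 3-2-0 mode, safe state")
            return TRIP

        self.alarms.append("no healthy channel, safe state")
        return TRIP
```

The same second fault leaves a 3-2-0 voter in the safe state but lets a 3-2-1-0 voter continue on one channel, which is exactly the latent-fault exposure the diagnostics must cover.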
With respect to the HIFT system, some advantages and disadvantages are noted. The advantages include:
• fast scan time if you need it (dm/sec.);
• simple software; and
• the single-ended input cards can be utilized for critical and noncritical inputs.
The disadvantages include:
• no on-line hot spare;
• fault tolerant inputs must be hard-wired;
• limited field experience;
• diagnostics for TMR must be user-written (therefore, it runs on the applications level); and
• some single points of failure.
The SIFT system also has a number of advantages and disadvantages, which include:
• a hot on-line spare available for I/O;
• detailed diagnostic information;
• good field experience;
• isolation of main processors;
• system level diagnostics; and
• simplex modules can be mixed with TMR modules in the same system.
The disadvantages include:
• software and firmware changes are coming too often;
• complex software is required; and
• upgrades from an early version to later versions can be expensive.
CONCLUSION
At this point, it would appear the so-called SIFT system is a better approach for protective system applications. Extensive diagnostics with latent fault detection and ability for on-line repair may be two good reasons for the selection of a SIFT system. These two requirements are also significant factors for achieving high availability.
In summary, the features that recommend a TMR fault tolerant system are:
• fault tolerant = high availability = 99.98%;
• on-line service = low MTBR = high availability;
• good quality = high system MTBF > 100 years;
• easy integration to DCS via a network module;
• good programming tools, e.g., expressions, functions;
• extensive TMR diagnostics;
• user friendly;
• small footprint;
• good communications via networks; and
• excellent documentation capability.
REFERENCES
1. "Programmable Electronic Systems and Safety-Related Applications," Health and Safety Executive, U.K., 1987.
2. Crosby, Phillip B., Quality Without Tears, McGraw-Hill, NY, 1984.
3. Balls, Basil W., et al., Design Principles for Safety Systems, Industrial Control Services, Inc., Houston, Texas.
4. "Electrical Equipment for Furnaces," DIN VDE 57116, 1979.
5. Understanding Solid-State Electronics, Texas Instruments Learning Center, 1972.
6. Hinssen, Henk, "Safety Shutdowns-Application Aspects," European Honeywell Users Group Meeting, Cagliari, June, 1989.
7. Fredrickson, Tony, Comparison of Fault Tolerant Controllers Used in Safety Applications, Triconex Corp.
8. Smith, Steve, Triple Redundant Fault Tolerance: A Hardware Implemented Approach, Triplex, 1988.
9. Alleman, Glen B., Fault Tolerant System Reliability in the Presence of Imperfect Diagnostic Coverage, Triconex Corp., 1989.
10. "Reliability Analysis of the Relay Logic for a Burner Control and Safety System in a Boiler Installation," Safety and Reliability Directorate, United Kingdom Atomic Energy Authority, SRS/ASG/31610/2, December, 1988.

More Related Content

Evolution of protective systems in petro chem

  • 1. Ev luti n f Pr tective tr •ystems int ch icai Industry Robert S. Adamski Exxon Chemical Company Electrical protective oremergency shutdown systems are utilized throughout the petrochemical in- dustry for safety and to avoid se- vere environmental and/or economic events. Requirements fur these critical systems are that they work every time, on demand, and do ...ot initiate nuisance events. These requirements were difficult to achieve in most early systems but the systems have im- proved over the years. Emergency shutdown system design has been unregulated in the U.S., but new standards will require strict guidelines for design, application, docllmentation, and software testing and control. The evolution of protective sys- tems was driven by the use of solid-state devices and later by the use ofintegrated circuits with programmable (software) capa- bilities. The demand for higher availability (reliability) has fur- ther moved the industry from sin- gle PLCs to programmable minicomputers with complex software. This new generation of protective systems utilizes hard- ware/firmware/and software in "triple modular redundant" (TMR) fault tolerant systems. INTRODUCTION The term "protective systems" can refer to many different defini- tions and applications, some of which can be confusing. 1'.fpical names in the industry are: safety shutdown systems, critical instru- mentation, emergency shutdown systems, safety critical systems, interlock systems, etc. Although names and applications may dif- fer, a common requirement can be found in most. The most appropriate defini- tion this author has found that ap- plies to protective systems in the petrochemical industry is stated in the Health and Safety Docu- ment published in the U. K.; i. 
e., 1 ' Protective System: A system de- signed to respond to conditions in the plant which may be hazard- ous in themselves or, if no action was taken, could eventually give rise to a hazard, and to generate the c'Orrect outputs to mitigate the hazardous consequences or pre- vent the hazard." [1] Requirements of protective sys- tems that until recently were diffi- cult to achieve are: (A) the protective system must work every time, as designed, on de- mand, or 11 zero defects," (2) and (B) it must not initiate erroneous outputs or inputs. This paper will attempt to trace the evolution of these systems ISSN 0019-0578/91/04/0027/6/$2.50 ©ISA 1991 from simple electromechanical re- lays with single field devices to triple modular redundant (TMR) fault tolerant systerr.s with multi- ple field devices. The evolution is being driven for two reasons: (A) safety and (B) economic. Lately another concern has appeared on the scene from outside the indus- try, and that is environmental im- pact. This last item has developed into a powerful incentive that will not only force many companies to re-evaluate and replace existing protective systems but will also place new, tougher availability re- quirementson these systems. DESIGN GUIDELINES/ REQUIREMENTS/STANDARDS In the USA, insurance under- writers have set requirements for protective systems in selected ap- plications such as NFPA for burner management. Industry standards are not available for most applications, but many com- panies such as Exxon have written mandatory engineering standards for protective systems to ensure that safety, environmental, and economic requirements are met. Europe is far ahead of the U.S. in protective sys,em standards, which in some countries are legal requirements. Documents such as Health and Safety Executive VOLUME 30 •NUMBER 4 • 1991 27
  • 2. SAFETY SYSTEMS Europe is far ahead of the U.S. in protective system standards, which in some countries are legal require- ments. (HSE), TUV, and DIN 19250 are available for use. Both sides of the ocean have recognized that changing technol- ogies and safety requirements have demanded new standards. The Instrument Society of Amer- ica (ISA) has formed a committee called SP84, and the European community has formed a commit- tee called IEC SC65A. This author feels that the IEC document will become the worldwide industry standard. These standards will not come easy, for there are many issues to discuss (e.g., classificationsofhaz- ards, reliability calculations on hardware and software, applica- tions programming, systems maintenance, etc.). One of the most difficult issues in the indus- try today is control of application software changes and variables embedded in the program (e.g., set points, alarm values, etc.). Those of us utilizing protective systems have been forced to de- sign some control, but it will be a challenge to agree on standard procedurt:~. 1932) are an example. Relay sys- tems were the industry standard until the 1960s when the first solid-state (transistor) switching and logic devices became popular as relay replacements in the auto- mobile industry. Solid-state tech- nology was a real boon to complex sequence control appli- cations, but what about protective systems? It was known that tran- sistors, diodes, and especially triacs had an unpredictable failure mode; that is, they could fail 11 high" or 11 low" in about a 50-50 split [3]. Fail safe requirements in a protective system using hard- wired solid-state devices could only be achieved by redundancy. Systems utilizing dual (2/2) or tri- ple (2/3) redundancy were pro- duced by manufacturers to meet fail-safe requirements. In Europe, fail-safe systems were certified by third parties, e.g., TUV in accor- dance with legislative standards (VDE) [4]. 
When Texas Instruments in- vented the integrated circuit (IC) in 1958 [5), it paved the way for microcomputers or microproces- ---------~~-------- - ~ ~ ---~ -. -. "!,. Those of us utilizing protective systems have been forced to de~ign some control, but it will be a chal- lenge to agree on standard procedures. HISTORY sors. Hard-wired based relays and solid-state logic could be coded in Standards were not used, and software (programmed) and exe- seldom, if ever, were reliability cute functions through the micro- calculations performed on sys- processor (CPU). Those devices terns designed before 1980. Most became known as programmable early protective systems were de- logic controllers (PLCs). Utiliza- signed, installed, and maintained tion of PLCs is well known in the by an electrical group utilizing manufacturing business, espe- simple switches and relays. Early cially in the automobile industry. railroad switching systems (circa Some off-the-shelf units can be 28 ISA TRANSACTIONS purchased for as low as $250. 11 As with hard-wired solid-state mod- ules, the end user learned the hard way that CPUs and 1/0 modules have unpredictable failure modes. Applying those devices in protec- tive systems will automatically lead to unsafe situations." [6] Like solid-state devices, PLCs had to incorporate redundancy and vot- ing schemes to achieve fail-safe re- quirements. Dual 2/2 PLCs using off-the-shelf devices configured in a redundant scheme were speci- fied by many engineers for critical protective systems. This move- ment for protective system appli- cations was a mistake, in the opinion of this author. Not only was there a concern for safety, but the dual configuration was re- sponsible for many nuisance ''trips." Fail-to-safe incidents be- came unacceptable to many users. Some users are dismantling their dual PLCs and replacing them with conventional relay or solid- state logic. 
Protective system applications became more complex, dictating a need for programmable micropro- cessor technology, but so was the demand for higher availability on these systems. As mentioned above, safety, environmental, and economic requirements were di- rectly responsible for high de- mands of availabiiity =99.98% (1-H/D). In the middle 1980s, attempts were made by manufacturers to provide fault tolerant systems to meet high availability require- ments. Most, if not all of these sys- tems, when tested by some users (Exxon), were found to be unac- ceptable for fault tolerant applica- tions. Today at least two manufacturers produce a fault tol- erant, triple modular redundant (TMR) machine. Both of these de- vices have been tested and one is being utilized extensively. We an- ticipate many more manufactur- ers, especially from Europe, will enter the protective system mar-
  • 3. ket. These new devices look and "feel" like PLCs, but they are actu- ally minicomputers with power- ful control capabilities. Experienced PLC programmers are impressed by the potential of this new technology but also un- derstand that misapplication, or poor design, can create some seri- ous safety and economic events. There has been a tendency to in- clude other control functions than just protective system tasks. Other functions without good documen- tation and planning can cause confusion and violate the com- plete i~~lation requirements of the pmiecbve system. We anticipate new standards will require, and advise on, controls for applica- tions programming and docu- mentation to reduce potential risks. RELAY·BASED SYSTEMS As mentioned above, relay sys- tems, as indicate~. in Figure 1, were the first protective systems installed and are still considered to be the most reliable because of their high 98% predictable failure mode (3, 101. Indeed, there are still relay-based systems being in- stalled today. In some industries, however, a 2% unpredictable fail- ure mode is not acceptable. Relay systems are easy to un- derstand for simple applications, but, if high functionality is re- quired, complexity grows very rapidly [4]. Below are some disad- vantages of relay use: 1. They arc not necessarily fail-safe because - a relay contact can stick be- cause of dirt building up or because of induction signal build-up; - the spring can break; - the contacts can bum in; - the contact fingers can break. EVOLUTION OF PROTECTIVE SYSTEMS IN PETROCHEMICAL INDUSTRY ....---------- 120 voe----------UPS SlllllDl"A"' S11111ttH"C" SD •••••••••• ,• Figure 1-AHard-Wired Relay Unit 2. They take a lot of panel space (addition of timers takes more space). 3. They require a controlled environment for contact in- tegrity unless relays are hermetically sealed. 4. It is necessary to standard- ize on coil and contact volt- age to avoid mishaps. 5. 
The organization of relay use by areas is necessary for ease of maintenance.
6. Complex relay systems are difficult to troubleshoot and maintain.
7. Documentation can be very busy and complex.
8. Modifications are difficult.
9. Since most systems are fail-safe, relays remain energized and hot, lowering their MTBF.
10. Only digital I/O can be used with such systems.

In summary, it should be noted again that despite the disadvantages listed above, relays are still considered to be the most reliable system, provided the power source is also reliable.

HARD-WIRED, SOLID-STATE LOGIC-BASED SYSTEMS

The evaluation of hard-wired solid-state logic systems, as indicated by Fig. 2, brought protective system design, application, and maintenance into the world of instrumentation. Solid-state technology became the first replacement of relay systems with a much smaller footprint. The major flaw in using these electronic devices is that, unlike a relay, which in 98% of the cases can be predicted to fail in the safe direction, solid-state devices have more of a 50-50 split [3]. The following are some pros and cons of solid-state systems:
1. They have limited diagnostics, using LEDs.
2. There is no flexibility for logic modification without backplane wiring.
3. They are easy to test and troubleshoot.
4. Most hardware is obsolete, and it is difficult to obtain spare or replacement parts.
5. Only digital I/O is used.
6. They have proven to be very reliable in a 2/3 voting configuration.
7. Their documentation is easier to read.

VOLUME 30, NUMBER 4, 1991

Figure 2 - A Solid-State Unit

It is obvious that, because of the high and unpredictable failure rate of solid-state devices, they could not be used in protective systems unless some redundancy could be employed. Redundant protective systems were installed in plants throughout the world with two-out-of-three (2oo3) or two-out-of-two (2oo2) voting logic.

REDUNDANT PLC SYSTEMS

A block diagram for a redundant PLC is shown by Fig. 3. This author feels that there are more misapplications of redundant PLCs than any other technology used for protective systems. The Europeans were not as ambitious as the U.S. in utilizing these systems because most of their standards would prohibit nonfail-safe configurations. Those systems designed to be fail-safe had very poor MTBFs and availability numbers. The following are some other issues relating to redundant PLCs:
1. They have proven to be reliable on energize-to-trip protective systems.
2. Analog and digital I/O are available for use.
3. Set points are easy to change.
4. They have better diagnostics than hard-wired logic.
5. A communication bus can be used with them.
6. The reliability would not be high on a deenergize-to-trip system.
7. The question is: "Which processor is correct, A or B?"
8. The switchover between processors is not smooth.
9. Program verification in processors A and B is a problem.
10. Duplicate I/O is necessary for the processors.
11. They have a larger footprint.
12. Troubleshooting such systems is difficult.
13. Program changes are risky to make.
14. Service is risky.

Figure 3 - Dual Processor, Single I/O Fault Tolerant Approach

FAULT TOLERANT TMR TECHNOLOGY

A block diagram is shown in Fig. 4 of a "triple modular redundant" (TMR) fault tolerant system with 2-out-of-3 voting logic. Definitions of fault tolerant technology can be found in a limited number of papers published by manufacturers [2, 8, and 9]. The following are some requirements of this technology:
1. A single fault in the system must not create erroneous inputs or outputs, nor shall it prevent the system from functioning as designed.
2. Any fault must be alarmed and indicate the location of occurrence.
3. Any single fault must be repairable on-line without interruption in operation.

Note that a requirement is that not only must the protective system tolerate a fault, it must alarm that fault! It is obvious that if an undetected fault occurs, it could remain in the system until a second fault occurs that could fail the system to safe (erroneous shutdown) or to danger (prevent a shutdown when needed). Neither condition is desirable.

Figure 4 - TMR 2-out-of-3 Voting Fault Tolerant Control

There are two approaches to the design of a fault tolerant system, and although no manufacturer can claim to be 100% reliable for either design, their systems can be categorized as either HIFT or SIFT. HIFT is a hardware-implemented fault tolerance system, and SIFT is a software-implemented fault tolerance system. Both of these systems have been tested by the Exxon team.

The primary features that define the HIFT system are as follows:
1. It utilizes integrated circuits for fault diagnostics.
2. The processing time is about 3 ms/1000 elements of logic.
3. It uses simple software.
4. A 3-2-0 mode of operation (fail-safe) is used.
5. Typically, it has 10 kilobytes of ROM.

The primary features that define the SIFT system are as follows:
1. It utilizes software for fault diagnostics.
2. The fault diagnostics speed is a function of scan time; e.g., 100-200 maximum.
3. The processing time is 1.7 ms/1000 elements of logic.
4. It requires complex software.
5. A 3-2-1-0 mode of operation is used. The 3-2-0 mode must be programmed.
6. Typically, it has 100 kilobytes of ROM.

With respect to the HIFT system, some advantages and disadvantages are noted. The advantages include:
• fast scan time if you need it (dm/sec.);
• simple software; and
• the single-ended input cards can be utilized for critical and noncritical inputs.

The disadvantages include:
• no on-line hot spare;
• fault tolerant inputs must be hard-wired;
• limited field experience;
• diagnostics for TMR must be user-written (therefore, they run at the application level); and
• some single points of failure.
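The 2oo3 voting, the "alarm and locate the fault" requirement, and the 3-2-0 versus 3-2-1-0 degradation sequences described above can be seen in a small model. The following is an added example written for this page; it is not code from the paper, from Exxon, or from any of the manufacturers cited. It assumes de-energize-to-trip outputs (so the safe state is "de-energized"), represents each channel's scan result as a boolean plus a self-test flag that stands in for the channel's own diagnostics, and uses the invented names Channel, VoteResult and TMRVoter:

```python
# Added example: a simplified TMR 2oo3 voter that alarms and locates faults and
# degrades in either 3-2-0 (HIFT-style) or 3-2-1-0 (SIFT-style) mode.
# Constructed model; not code from the paper or from any vendor product.
from dataclasses import dataclass, field
from typing import List

# Assumption: outputs are de-energize-to-trip, so the safe state is "de-energized".
SAFE_STATE = False


@dataclass
class Channel:
    """One scan's result from one of the three redundant channels."""
    value: bool                # channel's computed output (True = energized, plant runs)
    self_test_ok: bool = True  # outcome of the channel's own diagnostics this scan


@dataclass
class VoteResult:
    output: bool       # what the voter drives to the field
    mode: str          # "3", "2", "1" or "0": healthy channels still voting after this scan
    alarms: List[str] = field(default_factory=list)


class TMRVoter:
    """2oo3 voter with fault location and a selectable degradation sequence."""

    def __init__(self, simplex_allowed: bool):
        # True  -> 3-2-1-0: after a second located fault, keep running on one channel
        # False -> 3-2-0:   after a second fault, trip to the safe state
        self.simplex_allowed = simplex_allowed
        self.healthy = [True, True, True]

    def _fail(self, idx: int, reason: str, alarms: List[str]) -> None:
        # Requirement 2 of the paper: every detected fault is alarmed with its location.
        if self.healthy[idx]:
            self.healthy[idx] = False
            alarms.append(f"channel {idx}: {reason}")

    def _trip(self, reason: str, alarms: List[str]) -> bool:
        alarms.append(reason)
        self.healthy = [False, False, False]
        return SAFE_STATE

    def vote(self, channels: List[Channel]) -> VoteResult:
        alarms: List[str] = []
        # Diagnostics run first: a channel whose self-test failed is removed from the vote.
        for i, ch in enumerate(channels):
            if not ch.self_test_ok:
                self._fail(i, "self-test failed", alarms)
        active = [i for i in range(3) if self.healthy[i]]

        if len(active) == 3:
            # Requirement 1: one faulty channel is outvoted and cannot corrupt the output.
            majority = sum(channels[i].value for i in active) >= 2
            for i in active:
                if channels[i].value != majority:
                    self._fail(i, "disagrees with 2oo3 majority", alarms)
            output = majority
        elif len(active) == 2:
            a, b = (channels[i].value for i in active)
            if a == b:
                output = a
            else:
                # No majority and no diagnostic pointer: "which one is correct?" cannot be
                # answered, so the only safe choice is to trip.
                output = self._trip("dual disagreement, fault not located: tripping to safe state", alarms)
        elif len(active) == 1:
            output = channels[active[0]].value   # simplex operation (3-2-1-0 only)
        else:
            output = SAFE_STATE                  # mode 0: nothing left to vote

        if not self.simplex_allowed and sum(self.healthy) == 1:
            # 3-2-0: a second fault is not tolerated; fail safe instead of running simplex.
            output = self._trip("3-2-0 mode: second fault, tripping to safe state", alarms)

        return VoteResult(output, str(sum(self.healthy)), alarms)


def demo() -> List[VoteResult]:
    """Constructed scenario: one channel drifts, then a second channel fails its self-test."""
    scans = [
        [Channel(True), Channel(True), Channel(True)],                      # all healthy
        [Channel(True), Channel(False), Channel(True)],                     # channel 1 disagrees
        [Channel(True), Channel(True), Channel(True, self_test_ok=False)],  # channel 2 self-test fails
    ]
    sift, hift = TMRVoter(simplex_allowed=True), TMRVoter(simplex_allowed=False)
    return [sift.vote(s) for s in scans] + [hift.vote(s) for s in scans]


if __name__ == "__main__":
    for r in demo():
        print(r.output, r.mode, r.alarms)
```

Running the same three scans through both voters shows the difference the paper draws: the 3-2-1-0 voter keeps the plant running on its last healthy channel after the second located fault, while the 3-2-0 voter trips. A second fault that the diagnostics cannot locate (two remaining channels simply disagreeing) trips either voter, which is why the paper stresses that faults must be alarmed and located, not merely tolerated. The self_test_ok flag is where a real SIFT system's software diagnostics, or a HIFT system's user-written diagnostics, would feed in.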
The SIFT system also has a number of advantages and disadvantages. The advantages include:
• a hot on-line spare available for I/O;
• detailed diagnostic information;
• good field experience;
• isolation of main processors;
• system level diagnostics; and
• simplex modules can be mixed with TMR modules in the same system.

The disadvantages include:
• software and firmware changes are coming too often;
• complex software is required; and
• upgrades from an early version to later versions can be expensive.

CONCLUSION

At this point, it would appear the so-called SIFT system is a better approach for protective system applications. Extensive diagnostics with latent fault detection and the ability for on-line repair may be two good reasons for the selection of a SIFT system. These two requirements are also significant factors for achieving high availability.

In summary, the features that recommend a TMR fault tolerant system are:
• fault tolerant = high availability = 99.98%;
• on-line service = low MTBR = high availability;
• good quality = high system MTBF > 100 years;
• easy integration to DCS via a network module;
• good programming tools, e.g., expressions, functions;
• extensive TMR diagnostics;
• user friendly;
• small footprint;
• good communications via networks; and
• excellent documentation capability.

REFERENCES

1. "Programmable Electronic Systems and Safety-Related Applications," Health and Safety Executive, U.K., 1987.
2. Crosby, Phillip B., Quality Without Tears, McGraw-Hill, NY, 1984.
3. Balls, Basil W., et al., Design Principles for Safety Systems, Industrial Control Services, Inc., Houston, Texas.
4. "Electrical Equipment for Furnaces," DIN VDE 57116, 1979.
5. Understanding Solid-State Electronics, Texas Instruments Learning Center, 1972.
6. Hinssen, Henk, "Safety Shutdowns - Application Aspects," European Honeywell Users Group Meeting, Cagliari, June, 1989.
7. Fredrickson, Tony, Comparison of Fault Tolerant Controllers Used in Safety Applications, Triconex Corp.
8. Smith, Steve, Triple Redundant Fault Tolerance: A Hardware Implemented Approach, Triplex, 1988.
9. Alleman, Glen B., Fault Tolerant System Reliability in the Presence of Imperfect Diagnostic Coverage, Triconex Corp., 1989.
10. "Reliability Analysis of the Relay Logic for a Burner Control and Safety System in a Boiler Installation," Safety and Reliability Directorate, United Kingdom Atomic Energy Authority, SRS/ASG/31610/2, December, 1988.