how to avoid shooting yourself in the foot with your sis?
DESCRIPTION
Presented by Emerson's Maruti Dey at the 2010 Emerson Exchange in San Antonio, Texas.TRANSCRIPT
How to Avoid Shooting Yourself in the Foot with
Your SIS?
How to Avoid Shooting Yourself in the Foot with
Your SIS?Maruti Dey – Technical Consultant
PresentersPresenters
Maruti Dey
Conceptual DesignConceptual Design
Using the SIS transmitters for dual-purpose applications:
– Use in Safety Functions (SIS Voting)– Use for integrating with BPCS process control scheme
This is possible due to common DeltaV HMI and software configuration platform for both SIS and BPCS.
IntroductionIntroduction
You can minimize the risk of creating a safety demand (SIS or PSV) from BPCS single loop failures (driving control valve too far open or closed) with
– the use of well-designed instrumentation– deviation alarming– backup PID loop control.
Problems / ChallengesProblems / Challenges
A number of hazards have been identified where failure of the BPCS loop would cause the control valve to close, creating a safety demand. SIFs were added to address these hazards.
A review of the SIFs determined that demands created by the BPCS transmitter failure could be eliminated/reduced by utilizing the 2oo2D SIS transmitters to detect the failure of the BPCS loop and place the control loop in a safe mode.
DeltaV SIS Architecture - SeparateDeltaV SIS Architecture - Separate
In the SIS system, the power supplies, communication channels, hardware, and real-time operating systems are completely independent of the BPCS.
DeltaV SIS Architecture - IntegratedDeltaV SIS Architecture - Integrated
Overhead functions such as configuration, operations, maintenance, asset management, training, alarm handling can be shared between the BPCS and SIS.
DeltaV SIS ArchitectureDeltaV SIS Architecture
Integrated but separate architecture allows BPCS/SIS controls on DeltaV control network.
Same engineering, maintenance, & operations environment
No serial communication because controls integrated within DeltaV.– No need for extensive data mapping– No handshaking logic that is common in disparate solutions
Original Design – Use of 3 SIS TransmittersOriginal Design – Use of 3 SIS Transmitters
Original Design – Middle of 3 data pointsOriginal Design – Middle of 3 data points
Original Design – Middle of 3 data pointsOriginal Design – Middle of 3 data points
The original SIS design was 2oo3, and it was assumed middle of 3 PV data would be transferred from the SIS to the BPCS controller, across the redundant control network. The use of middle of 3 SIS data points helps prevent bad data being provided to the controller and filters the data to keep control valve action to a minimum. However, there is a data latency issue, caused by the data transfer from the SIS to the BPCS.
Data Latency issuesData Latency issues
This causes the data to be transferred in a non-synchronous manner, with varying time delays.
PID Control LoopsPID Control Loops
Most of the loops have pressure, flow, and level controllers for small volumes. In order to keep up with the fast process dynamics, these controllers run every half second. Using asynchronous data would result in poor quality control, so this situation was deemed unacceptable.
Faster I/O Update Speeds – DeltaV11.3Faster I/O Update Speeds – DeltaV11.3
For time it takes for I/O data to be read by the DeltaV Controller on the control side:
– V10 or lower: one update per second
– V11.3: DeltaV SIS will allow one update per 100 milliseconds
Consequently, SIS update speeds in V11.3 may eliminate data latency issues.
SIS / BPCS ConfigurationSIS / BPCS Configuration
In order to keep 2oo3 voting on the SIS, and good quality control, installation of a 4th transmitter would be required. The team viewed this design as excessive. The compromise was to land one of these transmitters directly on the BPCS, and dedicate it for control. 2oo2D was considered adequate coverage for any SIF up to SIL2.
Designs Considered – Option 1Designs Considered – Option 1
Use 2oo3 voting on SIS transmitters with no BPCS transmitters
Resolution: Not considered due to data latency caused by data transfer from SIS to BPCS.
Designs Considered – Option 2Designs Considered – Option 2
Use 3 SIS Transmitters for 2oo3 voting and 1 BPCS transmitter for PID control
Resolution: Team viewed this design (4 transmitters) as excessive.
Designs Considered – Option 3Designs Considered – Option 3
Use 2oo2D for SIS voting AND 1 BPCS transmitter for PID control
Resolution: This achieved goals of using BPCS transmitter for PID control with option to use valid SIS transmitters for backup PID control if necessary.
Minimizing DCS Single Instrument Failures and Safety DemandMinimizing DCS Single Instrument Failures and Safety Demand
FindingsFindings
It was proposed that the software configuration will prevent the BPCS controller from causing an inadvertent safety demand on the safety system. This will provide the same type of coverage that the Middle of 3 scheme provides, while preserving the 2oo2D design. The software configuration would require the PV data from the SIS is passed to the BPCS for two purposes.
Solution #1 – Deviation AlarmingSolution #1 – Deviation Alarming
Use the SIS PV data to calculate deviations between the 3 transmitters. If the deviation between the SIS transmitters and the BPCS transmitter becomes large, we will force the BPCS controller into MANUAL. This will function as the alternative protection to Middle of 3 data configuration.
Solution #2 – Backup PID ControlSolution #2 – Backup PID Control
The SIS PV data will be available to be used for the BPCS controller, as backup data source. When the deviation alarming forces the BPCS controller to MANUAL, the board operator can select which SIS signal he can control with, until the BPCS transmitter can be repaired.
Potential Process RisksPotential Process Risks
Transitioning from manual to auto on a new transmitter selection may introduce a bump if PV tracking is not used (ex: level controls).
Selection of faulty transmitter which appears healthy could introduce a process bump.
Should transmitter selection require supervisor access in order to ensure proper process risk management?
Software LogicSoftware Logic
The deviation calculations are used to trip the controller to MANUAL when a large deviation is detected for any transmitter selection. This transition to MANUAL will prevent the controller from driving the control valve too far open or closed, and will be alarmed so the operator can assess the situation and take appropriate action.
Software ConfigurationSoftware Configuration
Software Configuration – Case 1 to ManualSoftware Configuration – Case 1 to Manual
If BPCS transmitter is selected AND there is a deviation between SIS1 and BPCS AND there is a deviation between SIS2 and BPCS, then controller is placed in MANUAL.
Solution may now be to control with one of the SIS transmitters until the BPCS transmitter is fixed.
Software Configuration – Case 2 to ManualSoftware Configuration – Case 2 to Manual
If BPCS transmitters is not selected (Ex: OOS) AND there is a deviation between SIS1 and SIS2 transmitters, then controller is placed in MANUAL.
Since both BPCS and SIS transmitters may not be reliable, then this loop will have to be controlled manually by the Operator.
Future considerations – DeltaV 11.3Future considerations – DeltaV 11.3
With data latency issues eliminated with DeltaV Version 11.3, do you eliminate the need for using BPCS transmitters for PID loop control?
QuestionsQuestions
Thank you.
?