How to Avoid Shooting Yourself in the Foot with

Your SIS?

How to Avoid Shooting Yourself in the Foot with

Your SIS?Maruti Dey – Technical Consultant

PresentersPresenters

Maruti Dey

Conceptual DesignConceptual Design

Using the SIS transmitters for dual-purpose applications:

– Use in Safety Functions (SIS Voting)– Use for integrating with BPCS process control scheme

This is possible due to common DeltaV HMI and software configuration platform for both SIS and BPCS.

IntroductionIntroduction

You can minimize the risk of creating a safety demand (SIS or PSV) from BPCS single loop failures (driving control valve too far open or closed) with

– the use of well-designed instrumentation– deviation alarming– backup PID loop control.

Problems / ChallengesProblems / Challenges

A number of hazards have been identified where failure of the BPCS loop would cause the control valve to close, creating a safety demand. SIFs were added to address these hazards.

A review of the SIFs determined that demands created by the BPCS transmitter failure could be eliminated/reduced by utilizing the 2oo2D SIS transmitters to detect the failure of the BPCS loop and place the control loop in a safe mode.

DeltaV SIS Architecture - SeparateDeltaV SIS Architecture - Separate

In the SIS system, the power supplies, communication channels, hardware, and real-time operating systems are completely independent of the BPCS.

DeltaV SIS Architecture - IntegratedDeltaV SIS Architecture - Integrated

Overhead functions such as configuration, operations, maintenance, asset management, training, alarm handling can be shared between the BPCS and SIS.

DeltaV SIS ArchitectureDeltaV SIS Architecture

Integrated but separate architecture allows BPCS/SIS controls on DeltaV control network.

Same engineering, maintenance, & operations environment

No serial communication because controls integrated within DeltaV.– No need for extensive data mapping– No handshaking logic that is common in disparate solutions

Original Design – Use of 3 SIS TransmittersOriginal Design – Use of 3 SIS Transmitters

Original Design – Middle of 3 data pointsOriginal Design – Middle of 3 data points

Original Design – Middle of 3 data pointsOriginal Design – Middle of 3 data points

The original SIS design was 2oo3, and it was assumed middle of 3 PV data would be transferred from the SIS to the BPCS controller, across the redundant control network. The use of middle of 3 SIS data points helps prevent bad data being provided to the controller and filters the data to keep control valve action to a minimum. However, there is a data latency issue, caused by the data transfer from the SIS to the BPCS.

Data Latency issuesData Latency issues

This causes the data to be transferred in a non-synchronous manner, with varying time delays.

PID Control LoopsPID Control Loops

Most of the loops have pressure, flow, and level controllers for small volumes. In order to keep up with the fast process dynamics, these controllers run every half second. Using asynchronous data would result in poor quality control, so this situation was deemed unacceptable.

Faster I/O Update Speeds – DeltaV11.3Faster I/O Update Speeds – DeltaV11.3

For time it takes for I/O data to be read by the DeltaV Controller on the control side:

– V10 or lower: one update per second

– V11.3: DeltaV SIS will allow one update per 100 milliseconds

Consequently, SIS update speeds in V11.3 may eliminate data latency issues.

SIS / BPCS ConfigurationSIS / BPCS Configuration

In order to keep 2oo3 voting on the SIS, and good quality control, installation of a 4th transmitter would be required. The team viewed this design as excessive. The compromise was to land one of these transmitters directly on the BPCS, and dedicate it for control. 2oo2D was considered adequate coverage for any SIF up to SIL2.

Designs Considered – Option 1Designs Considered – Option 1

Use 2oo3 voting on SIS transmitters with no BPCS transmitters

Resolution: Not considered due to data latency caused by data transfer from SIS to BPCS.

Designs Considered – Option 2Designs Considered – Option 2

Use 3 SIS Transmitters for 2oo3 voting and 1 BPCS transmitter for PID control

Resolution: Team viewed this design (4 transmitters) as excessive.

Designs Considered – Option 3Designs Considered – Option 3

Use 2oo2D for SIS voting AND 1 BPCS transmitter for PID control

Resolution: This achieved goals of using BPCS transmitter for PID control with option to use valid SIS transmitters for backup PID control if necessary.

Minimizing DCS Single Instrument Failures and Safety DemandMinimizing DCS Single Instrument Failures and Safety Demand

FindingsFindings

It was proposed that the software configuration will prevent the BPCS controller from causing an inadvertent safety demand on the safety system. This will provide the same type of coverage that the Middle of 3 scheme provides, while preserving the 2oo2D design. The software configuration would require the PV data from the SIS is passed to the BPCS for two purposes.

Solution #1 – Deviation AlarmingSolution #1 – Deviation Alarming

Use the SIS PV data to calculate deviations between the 3 transmitters. If the deviation between the SIS transmitters and the BPCS transmitter becomes large, we will force the BPCS controller into MANUAL. This will function as the alternative protection to Middle of 3 data configuration.

Solution #2 – Backup PID ControlSolution #2 – Backup PID Control

The SIS PV data will be available to be used for the BPCS controller, as backup data source. When the deviation alarming forces the BPCS controller to MANUAL, the board operator can select which SIS signal he can control with, until the BPCS transmitter can be repaired.

Potential Process RisksPotential Process Risks

Transitioning from manual to auto on a new transmitter selection may introduce a bump if PV tracking is not used (ex: level controls).

Selection of faulty transmitter which appears healthy could introduce a process bump.

Should transmitter selection require supervisor access in order to ensure proper process risk management?

Software LogicSoftware Logic

The deviation calculations are used to trip the controller to MANUAL when a large deviation is detected for any transmitter selection. This transition to MANUAL will prevent the controller from driving the control valve too far open or closed, and will be alarmed so the operator can assess the situation and take appropriate action.

Software ConfigurationSoftware Configuration

Software Configuration – Case 1 to ManualSoftware Configuration – Case 1 to Manual

If BPCS transmitter is selected AND there is a deviation between SIS1 and BPCS AND there is a deviation between SIS2 and BPCS, then controller is placed in MANUAL.

Solution may now be to control with one of the SIS transmitters until the BPCS transmitter is fixed.

Software Configuration – Case 2 to ManualSoftware Configuration – Case 2 to Manual

If BPCS transmitters is not selected (Ex: OOS) AND there is a deviation between SIS1 and SIS2 transmitters, then controller is placed in MANUAL.

Since both BPCS and SIS transmitters may not be reliable, then this loop will have to be controlled manually by the Operator.

Future considerations – DeltaV 11.3Future considerations – DeltaV 11.3

With data latency issues eliminated with DeltaV Version 11.3, do you eliminate the need for using BPCS transmitters for PID loop control?

QuestionsQuestions

Thank you.

?