Redundancy / discrete systems in modern DCS systems
(OP)
I'm a chemical engineer in England, involved with safety integrity assessments for chemical plants. I'm struggling with understanding the meaning of multiplicity, or redundancy, inside modern DCS systems, which is often relevant to these assessments.
We work to BS EN 61511 / BS EN 61508, where we are instructed never to give the BPCS (Basic Process Control System) a PFD of less than 0.1. This is to allow for possible common cause failures, e.g. if we had a level controller and a separate level alarm both passing through a DCS, we cannot regard the alarm as a layer of protection when considering the consequences of failure of the controller. However I have found assessments done by professional EPC contractors which effectively allow this. When I challenged them, they claimed that the DCS was in several discrete modules, and that they were confident that the two systems passed through different modules and were therefore independent and so the assessment was correct.
I'm very dubious about this, but I have no real experience of how such DCS systems are actually built. I'm conscious that if we have a system consisting (e.g.) of 2 input elements, a logic solver, and 2 output elements, then if the PFD of the logic solver is (say) 2 orders of magnitude less than the other elements, then since it is the main or only cause of common mode failure, the opportunity for common cause failure is very low. However, as I understand it, the Standards prohibit this.
Can anyone shed any light on this for me please?
Thanks
Stuart
RE: Redundancy / discrete systems in modern DCS systems
Unfortunately I don't understand much of the terminology that you have included. You may want to keep in mind that you are posting this to a bunch of controls people that understand controls, but not (I would guess) some of the standards you refer to. I would suggest rewording your question in terms that anyone might understand - don't assume. For instance, what is PFD? Also you may have difficulty with this particular forum as this is listed as devoted to PLCs. There are differences though they are becoming hard to see.
Now I will try to take a stab at what I do understand. You mention a level controller and what I would assume is a discrete alarm. I would see no redundancy offered here. I guess the alarm may allow some indication of loss of the controller. If you had a level transmitter and a discrete level sensor, then you may argue some level of redundancy.
Give me more info and I will try to provide more info.
Russell
Russell White, P.E.
Automation Technologies, Inc.
www.AutomationNC.com
Automation Training
www.PLCMentor.com
RE: Redundancy / discrete systems in modern DCS systems
Thanks for your reply. I did look through the various forums and thought this was my best bet! Maybe not, but if you are happy to try, so am I.
PFD=probability of failure on demand, ie (say) the level gets higher than the trip point. PFD= probability that the system of level transmitter, logic solver and final element (say a valve controlling the liquid flow into the tank) fails to work, causing an overflow or damage to the tank.
The standards mentioned have US equivalents - I'll try to find out their numbers. However they basically dictate how such safety systems should be assessed for required reliability (PFD) and designed to meet this (SIL, safety integrity level, requirement.) As I haven't a clue what goes on inside the black box we process engineers refer to as the "DCS" (distributed control system) which I believe is often a PLC, I cannot penetrate past the jargon.
I need to understand whether they are pulling the wool over my eyes when they say that despite both passing through the DCS, the level control and level alarm mentioned in my example are independent. The standards seem to give the edict "They are not independent and neither can be relied on if the other fails" which seems harsh if applied without judgement. However common cause failure is a real problem and independent means independent - failure of one cannot cause the other to fail if we are relying on both to achieve a safety reliability target. In a typical case under dispute, it is clear that there is redundancy in the sensor (there are 2), and in the means of stopping the flow (an automatic valve, and an operator who will go and close a different, manual valve). However the DCS which controls the automatic valve in response to the first sensor, and controls the alarm in response to the second sensor, appears to me (and the Standards) as a single item, hence a cause for common failure, whereas my instrument engineer colleagues (who don't understand the standards) claim there are 2 discrete pathways so they are independent. Clearly we can't say in general if they are right or telling porkies, I just want to know if typical DCS systems such as sold by Yokogawa etc. can be claimed to have independent pathways.
Thanks for persevering!
Stuart
Regards,
Stuart
RE: Redundancy / discrete systems in modern DCS systems
The standards EN 61508 and EN 61511 are pretty common outside of the US. They're both related to safety instrumented systems, and this probably isn't a bad place to post the question as the PLC manufacturers introduce safety PLCs like A-B's GuardLogix. Maybe forum830: Control Systems engineering would have been a better choice but most people who read that one will also read this one so it doesn't really matter.
c2sco,
If the DCS manufacturer is proposing that alarms are handled by one redundant controller and the control or trip function by another separate redundant controller, with neither relying on data broadcast by the other, then a case could be made that they were 'independent'. If they use information broadcast across the data highway then it's a much less sound argument. If you're trying to ensure compliance with the two standards then it might be a little harder as most DCS platforms don't have SIL ratings.
A DCS and a PLC network are similar on the surface but there are definite differences. There's plenty of discussion in other threads - try the search function. A PLC and a logic solver are also similar in function but internally are quite different.
In your position I'd be seriously thinking about hiring some professional assistance, either to provide training for your own engineers or in the form of a consultant to sort this problem out for you.
----------------------------------
If we learn from our mistakes I'm getting a great education!
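A worked illustration of the arithmetic behind the two posts above (Stuart's "shared DCS" worry and ScottyUK's "separate controllers, no shared data" condition). This is an added example, not part of any post in the thread. It uses the simplified IEC 61508-6 Annex B formulas for dangerous-undetected failures only (no repair-time terms) and entirely constructed failure rates, proof-test interval and operator PFD; the 0.1 floor is the BPCS credit limit as Stuart states it, not a value taken from the standard text here.

```python
"""PFD arithmetic for two layers that share (or don't share) a logic solver.

Added example with constructed numbers. Formulas are the simplified
IEC 61508-6 Annex B expressions (lambda_DU only, no MTTR terms):
  1oo1:  PFDavg = lambda_DU * T / 2
  1oo2:  PFDavg = ((1-beta) * lambda_DU * T)^2 / 3 + beta * lambda_DU * T / 2
where T is the proof-test interval and beta the common-cause fraction.
"""

HOURS_PER_YEAR = 8760.0


def pfd_1oo1(lam_du, t_proof):
    """Single channel: average fraction of the test interval spent failed."""
    return lam_du * t_proof / 2.0


def pfd_1oo2(lam_du, t_proof, beta):
    """Two identical channels, either one sufficient; beta-factor common cause.

    The first term is the chance both fail independently; the second is the
    common-cause term and is linear in lambda, so it dominates for small beta.
    """
    independent = ((1.0 - beta) * lam_du * t_proof) ** 2 / 3.0
    common_cause = beta * lam_du * t_proof / 2.0
    return independent + common_cause


def pfd_series(*pfds):
    """Elements in series (sensor -> logic solver -> final element):
    all must work, so for small PFDs the total is approximately the sum."""
    return sum(pfds)


def two_layers(layer_a_unique, layer_b_unique, shared_pfd):
    """Hazard occurs only if both layers fail.

    layer_*_unique: PFD of the parts belonging to one layer only.
    shared_pfd:     PFD of an element both layers pass through (e.g. one
                    DCS controller); 0.0 if the layers are truly independent.
    A shared-element failure takes out both layers at once, so it adds
    directly rather than multiplying.
    """
    return shared_pfd + layer_a_unique * layer_b_unique


def credited_pfd(pfd, floor=0.1):
    """Apply the BPCS credit floor as described in the original post:
    a BPCS-based layer is never credited with a PFD better than `floor`."""
    return max(pfd, floor)


def worked_case():
    """Constructed numbers: annual proof test, transmitter 1e-6/h,
    valve 2e-6/h, DCS controller 1e-8/h (two orders better than the field
    devices), operator closing a manual valve on alarm taken as PFD 0.1."""
    t = HOURS_PER_YEAR
    sensor = pfd_1oo1(1e-6, t)
    valve = pfd_1oo1(2e-6, t)
    solver = pfd_1oo1(1e-8, t)
    operator = 0.1

    layer_a = pfd_series(sensor, valve)        # control loop, automatic valve
    layer_b = pfd_series(sensor, operator)     # alarm + operator, manual valve

    return {
        "independent": two_layers(layer_a, layer_b, 0.0),
        "shared_solver": two_layers(layer_a, layer_b, solver),
        "sensors_common_cause": pfd_1oo2(1e-6, t, beta=0.1),
        "sensors_independent": sensor * sensor,
        "bpcs_credited": credited_pfd(layer_a),
    }


if __name__ == "__main__":
    for name, value in worked_case().items():
        print(f"{name:>22}: {value:.3e}")
```

With these numbers the shared solver, being two orders of magnitude better than the field devices, adds only a few percent to the combined PFD, which is the intuition in the opening post. The sensor line shows the other half of the problem: two level transmitters of the same type with beta = 0.1 give a PFD roughly twenty times worse than the naive product of two independent sensors, because the linear common-cause term swamps the squared independent term. Whether the assessment is allowed to take that credit at all is the separate question of what the standards permit for a BPCS layer, which `credited_pfd` only applies mechanically.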
RE: Redundancy / discrete systems in modern DCS systems
Scotty: I actually meant (don't want to get kicked off) that there are other forums on the web that might be better suited to answer this. Some that are dedicated to controls. I did not see the control systems forum. I will have to check that out.
Russell White, P.E.
Automation Technologies, Inc.
www.AutomationNC.com
Automation Training
www.PLCMentor.com
RE: Redundancy / discrete systems in modern DCS systems
----------------------------------
If we learn from our mistakes I'm getting a great education!
RE: Redundancy / discrete systems in modern DCS systems
Many thanks
Stuart
RE: Redundancy / discrete systems in modern DCS systems
Siemens published some really good notes on SIL and the like. Obviously biased toward their own products but sufficiently generic to be useful, it was titled "Safety Instrumented System Manual" and I can't remember where I got mine from - a conference I suspect. Definitely worth getting hold of if you can tease one out of a supplier.
----------------------------------
If we learn from our mistakes I'm getting a great education!
RE: Redundancy / discrete systems in modern DCS systems
Curiously, Prosalus turn out to be a company whose office is about 10 miles from my father's house in Teesside, so I'll contact them and maybe get some customised help if I can call in some time. I don't really need a course, maybe a 1:1 with an expert for an hour or two will answer my questions.
Stuart
RE: Redundancy / discrete systems in modern DCS systems
----------------------------------
If we learn from our mistakes I'm getting a great education!
RE: Redundancy / discrete systems in modern DCS systems
Things look bleak for Wilton - as well as Invista I heard on the bush telegraph that Dow's E.O. plant is closing or being mothballed, then Croda will inevitably follow when its feeder plant stops production. Lot of jobs at stake.
----------------------------------
If we learn from our mistakes I'm getting a great education!
RE: Redundancy / discrete systems in modern DCS systems
I think this is the Siemens book that ScottyUK is referring to. I have found it to have some very useful references in there, despite its bias to Siemens products.
http://
ScottyUK,
Didn't Enron become NEL, then Carron Engineering? If so, I have worked with a couple of lads from there. I went for an interview there a few weeks before NEL went bust. Luckily I didn't get the job.
Teesside is in a sorry state at the moment, up until three weeks ago, I was working at Wynyard Park, just down the road from where you live. At Christmas, we had a 17 strong team of E&I guys. When I left 3 weeks ago there were only 2 left.
I have had to take a short term contract overseas due to lack of local opportunities. Lets hope things pick up in the area.
Matt
RE: Redundancy / discrete systems in modern DCS systems
Wilton / Billingham is a crying shame (as is most of British manufacturing industry). When ICI built it, it was a great complex, as was Runcorn, and we were proud to be part of one of the world's greatest chemical companies. I was very bitter and blamed ICI management for many years for causing the demise by selling out on bulk chemicals and buying a whole pile from Unilever by borrowing heavily. But the way things have gone in the last 20 years with Joe Public increasingly demanding cheap goods which they import from countries with low standards, and less pollution and higher safety standards being demanded from industry here, it was only a matter of time I think. I'm coming to the end of my career and am glad to be getting out, but I believe unless something good comes out of the current financial turmoil, which it might, then a lot of the UK, and indeed world, future looks bleak.
The EO plant of course used to be ICI, and I did some efficiency studies there and on the surfactant plants about 20 years ago.
I'm doing some work for Simon Carves - once another great British company, now owned by Indians, who are stripping it of talent and opportunity and moving it to India, leaving the UK office to sink or swim in a reducing market place. Most of their work is for middle east companies. They recently built a bioethanol plant at Wilton, but we'll have to keep our fingers crossed it survives given the politics and downturn.
At least the nuclear industry is coming along, so long as the nimbys don't get their way and the politics don't make it too late before the lights go out.
Sorry to be downbeat, perhaps we should talk the country up rather than down, but the downwards momentum of the chemical industry at least is frightening.
I hope your overseas contract goes well for you.
Stuart