Redundancy / discrete systems in modern DCS systems

(OP)
I'm a chemical engineer in England, involved with safety integrity assessments for chemical plants. I'm struggling with understanding the meaning of multiplicity, or redundancy, inside modern DCS systems, which is often relevant to these assessments.

We work to BS EN 61511 / BS EN 61508, where we are instructed never to give the BPCS (Basic Process Control System) a PFD of less than 0.1. This is to allow for possible common cause failures, eg if we had a level controller and a separate level alarm both passing through a DCS, we cannot regard the alarm as a layer of protection when considering the consequences of failure of the controller. However I have found assessments done by professional EPC contractors which effectively allow this. When I challenged them, they claimed that the DCS was in several discrete modules, and that they were confident that the two systems passed through different modules and were therefore independent and so the assessment was correct.

I'm very dubious about this, but I have no real experience of how such DCS systems are actually built. I'm conscious that if we have a system consisting (eg) of 2 input elements, a logic solver, and 2 output elements, then if the PFD of the logic solver is (say) 2 orders of magnitude less than the other elements, then since it is the main or only cause of common mode failure, then the opportunity for common cause failure is very low. However, as I understand it, the Standards prohibit this.

Can anyone shed any light on this for me please?

Thanks

Stuart

RE: Redundancy / discrete systems in modern DCS systems

Stuart,
Unfortunately I don't understand much of the terminology that you have included. You may want to keep in mind that you are posting this to a bunch of controls people that understand controls, but not (I would guess) some of the standards you refer to. I would suggest rewording your question in terms that anyone might understand - don't assume. For instance, what is PFD? Also you may have difficulty with this particular forum as this is listed as devoted to PLCs. There are differences though they are becoming hard to see.

Now I will try to take a stab at what I do understand.  You mention a level controller and what I would assume is a discrete alarm.  I would see no redundancy offered here. I guess the alarm may allow some indication of loss of the controller.  If you had a level transmitter and a discrete level sensor, then you may argue some level of redundancy.

Give me more info and I will try to provide more info.

Russell  

Russell White, P.E.
Automation Technologies, Inc.
www.AutomationNC.com

Automation Training
www.PLCMentor.com

RE: Redundancy / discrete systems in modern DCS systems

(OP)
Russell,

Thanks for your reply. I did look through the various forums and thought this was my best bet! Maybe not, but if you are happy to try, so am I.

PFD=probability of failure on demand, ie (say) the level gets higher than the trip point. PFD= probability that the system of level transmitter, logic solver and final element (say a valve controlling the liquid flow into the tank) fails to work, causing an overflow or damage to the tank.

The standards mentioned have US equivalents - I'll try to find out their numbers. However they basically dictate how such safety systems should be assessed for required reliability (PFD) and designed to meet this (SIL, safety integrity level, requirement.) As I haven't a clue what goes on inside the black box we process engineers refer to as the "DCS" (distributed control system) which I believe is often a PLC, I cannot penetrate past the jargon.

I need to understand whether they are pulling the wool over my eyes when they say that despite both passing through the DCS, the level control and level alarm mentioned in my example are independent. The standards seem to give the edict "They are not independent and neither can be relied on if the other fails" which seems harsh if applied without judgement. However common cause failure is a real problem and independent means independent - failure of one cannot cause the other to fail if we are relying on both to achieve a safety reliability target. In a typical case under dispute, it is clear that there is redundancy in the sensor (there are 2), and in the means of stopping the flow (an automatic valve, and an operator who will go and close a different, manual valve). However the DCS which controls the automatic valve in response to the first sensor, and controls the alarm in response to the second sensor, appears to me (and the Standards) as a single item hence cause for common failure, whereas my instrument engineer colleagues (who don't understand the standards) claim there are 2 discrete pathways so they are independent. Clearly we can't say in general if they are right or telling porkies, I just want to know if typical DCS systems such as sold by Yokogawa etc can be claimed to have independent pathways.

Thanks for persevering!

Stuart
Regards,
Stuart
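The shared-logic-solver question raised in the two posts above, worked as an added example that is not part of any poster's message: a simplified beta-factor model in which `beta` is an assumed fraction of logic-solver failures that defeat both DCS modules at once. All function names and PFD values are constructed for illustration.

```python
# Added illustration. Simplified beta-factor model; every PFD value is constructed.

def path_pfd(*element_pfds):
    """PFD of a series path: the path fails if any one element fails."""
    works = 1.0
    for p in element_pfds:
        works *= 1.0 - p
    return 1.0 - works

def both_layers_fail(field_a, field_b, solver, beta):
    """Probability that two protection layers fail on the same demand.

    field_a, field_b: PFD of each layer's own sensor plus final element
                      (automatic valve, or operator response to the alarm).
    solver:           PFD of the logic solver each layer passes through.
    beta:             assumed fraction of solver failures that hit both layers
                      (1.0 = one shared box, 0.0 = fully separate modules).
    """
    common = beta * solver              # defeats both layers at once
    own = (1.0 - beta) * solver         # defeats only one layer's module
    return common + (1.0 - common) * path_pfd(field_a, own) * path_pfd(field_b, own)

def credited_pfd(modelled, floor=0.1):
    """Apply the rule quoted in the thread: never credit the BPCS below 0.1."""
    return max(modelled, floor)

def compare(field, solver):
    """Separate modules vs one shared solver, for two identical field paths."""
    separate = both_layers_fail(field, field, solver, beta=0.0)
    shared = both_layers_fail(field, field, solver, beta=1.0)
    return separate, shared, shared / separate

if __name__ == "__main__":
    # Solver PFD set two orders of magnitude below the field PFD in both cases.
    for field, solver in [(0.1, 0.001), (0.01, 0.0001)]:
        separate, shared, ratio = compare(field, solver)
        print(f"field={field} solver={solver}: separate={separate:.3e} "
              f"shared={shared:.3e} ratio={ratio:.2f} "
              f"credited={credited_pfd(shared)}")
```

With these constructed numbers the shared solver raises the combined PFD by about 8% when each field path is at 0.1, and nearly doubles it when each field path is at 0.01.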

RE: Redundancy / discrete systems in modern DCS systems

PLCmentor,

The standards EN 61508 and EN 61511 are pretty common outside of the US. They're both related to safety instrumented systems, and this probably isn't a bad place to post the question as the PLC manufacturers introduce safety PLCs like A-B's GuardLogix. Maybe forum830: Control Systems engineering would have been a better choice but most people who read that one will also read this one so it doesn't really matter.

c2sco,

If the DCS manufacturer is proposing that alarms are handled by one redundant controller and the control or trip function by another separate redundant controller with neither relying on data broadcast by the other then a case could be made that they were 'independent'. If they use information broadcast across the data highway then it's a much less sound argument. If you're trying to ensure compliance with the two standards then it might be a little harder as most DCS platforms don't have SIL ratings.

A DCS and a PLC network are similar on the surface but there are definite differences. There's plenty discussion in other threads - try the search function. A PLC and a logic solver are also similar in function but internally are quite different.

In your position I'd be seriously thinking about hiring some professional assistance, either to provide training for your own engineers or in the form of a consultant to sort this problem out for you.
  

----------------------------------
  
If we learn from our mistakes I'm getting a great education!
 

RE: Redundancy / discrete systems in modern DCS systems

Wow, sounds like an interesting issue to sort out. I think on the surface of it all, I would have to agree with you. I understand your system in question to have a single controller that is receiving multiple, possibly redundant, signals. However, multiple signals coming into a single controller would have a positive effect on reliability. Most controllers out there today are pretty solid. Your failure would most likely be in the field - in all likelihood due to some human error, weather, other event. Scotty brings up another good point about the data highway. If there is a single highway between controllers or even between the controller and multiple operator interfaces, that could be a point of possible failure also - though again rare. I also agree with Scotty about possibly finding a local controls guru to help sort it out.

Scotty: I actually meant (don't want to get kicked off) that there are other forums on the web that might be better suited to answer this. Some that are dedicated to controls. I did not see the controls systems forum. I will have to check that out.

Russell White, P.E.
Automation Technologies, Inc.
www.AutomationNC.com

Automation Training
www.PLCMentor.com

RE: Redundancy / discrete systems in modern DCS systems

No danger of you being kicked off... reckon I'd be way higher on the list of candidates anyway!
 
 

----------------------------------
  
If we learn from our mistakes I'm getting a great education!
 

RE: Redundancy / discrete systems in modern DCS systems

(OP)
Thanks for your replies. What you are saying all sounds in agreement with what I thought. I don't know anything about data highways - but I can imagine. I seem to remember being told about various protocols for LANs many years ago which involved packets of data being sent around - I guess the risk is that one faulty transmitter might corrupt it hence messing up other good data, ie common mode failure. Yes, I will seek further assistance through searches here. I've sought training courses but most are aimed at system programmers and designers, whereas I only need the right superficial level knowledge to know whether to accept the argument or to stand my ground! At least knowing some jargon I can sound as if I know! Equally I'll look to finding a consultant who can enlighten me.
Many thanks
Stuart

RE: Redundancy / discrete systems in modern DCS systems

We had a crash course in SIL (no, that wasn't the official title) from a company called ProSalus in the UK. It was informative, can't remember how expensive it was - probably not cheap. The presenter was knowledgeable and the notes were ok.

Siemens published some really good notes on SIL and the like. Obviously biased toward their own products but sufficiently generic to be useful, it was titled "Safety Instrumented System Manual" and I can't remember where I got mine from - a conference I suspect. Definitely worth getting hold of if you can tease one out of a supplier.
  

----------------------------------
  
If we learn from our mistakes I'm getting a great education!
 

RE: Redundancy / discrete systems in modern DCS systems

(OP)
Thanks, I've sent an e-mail to Siemens, see what transpires.

Curiously, Prosalus turn out to be a company whose office is about 10 miles from my father's house in Teesside, so I'll contact them and maybe get some customised help if I can call in some time. I don't really need a course, maybe a 1:1 with an expert for an hour or two will answer my questions.

Stuart
 

RE: Redundancy / discrete systems in modern DCS systems

Are you on Teesside too? Which site? I used to work at the old Enron station near Wilton.
  

----------------------------------
  
If we learn from our mistakes I'm getting a great education!
 

RE: Redundancy / discrete systems in modern DCS systems

(OP)
No, I live in Chester. I lived in Normanby until I was 18, Dad now lives in New Marske. I worked for ICI for 20 years in mid Cheshire and Runcorn, spending some time on project work at Wilton in the 90s. Since leaving ICI in 1998 I have done a few months' work for Invista (sadly plant now closing) and SembCorp at Wilton. I work for myself now. How about you?

RE: Redundancy / discrete systems in modern DCS systems

Geordie by birth, lived on Tyneside until '96 then had a couple of years in The Smoke until I realised that the best job I've ever had couldn't make up for having to live there, then 10 years in Smogland with Enron and successor companies. Now back on Tyneside working for well-known engineering consultant to the power industry. Living about halfway between Sedgefield and Stockton and commuting because of the state of the housing market - prices down and no buyers.

Things look bleak for Wilton - as well as Invista I heard on the bush telegraph that Dow's E.O. plant is closing or being mothballed, then Croda will inevitably follow when its feeder plant stops production. Lot of jobs at stake.
  

----------------------------------
  
If we learn from our mistakes I'm getting a great education!
 

RE: Redundancy / discrete systems in modern DCS systems

Stuart,
I think this is the Siemens book that ScottyUK is referring to.  I have found it to have some very useful references in there, despite its bias to Siemens products.

http://support.automation.siemens.com/WW/view/en/28813929

ScottyUK,
Didn't Enron become NEL, then Carron Engineering?  If so, I have worked with a couple of lads from there.  I went for an interview there a few weeks before NEL went bust.  Luckily I didn't get the job.
Teesside is in a sorry state at the moment, up until three weeks ago, I was working at Wynyard Park, just down the road from where you live.  At Christmas, we had a 17 strong team of E&I guys.  When I left 3 weeks ago there were only 2 left.
I have had to take a short term contract overseas due to lack of local opportunities. Let's hope things pick up in the area.
Matt
 

RE: Redundancy / discrete systems in modern DCS systems

(OP)
Matt, Many thanks, it looks interesting. At 365 pages it's going to take a while to digest!
Wilton / Billingham is a crying shame (as is most of British manufacturing industry). When ICI built it, it was a great complex, as was Runcorn, and we were proud to be part of one of the world's greatest chemical companies. I was very bitter and blamed ICI management for many years for causing the demise by selling out on bulk chemicals and buying a whole pile from Unilever by borrowing heavily. But the way things have gone in the last 20 years with Joe Public increasingly demanding cheap goods which they import from countries with low standards, less pollution and higher safety standards from industry here, it was only a matter of time I think. I'm coming to the end of my career and am glad to be getting out, but I believe unless something good comes out of the current financial turmoil, which it might, then a lot of the UK, and indeed world, future looks bleak.
The EO plant of course used to be ICI, and I did some efficiency studies there and on the surfactant plants about 20 years ago.
I'm doing some work for Simon Carves - once another great British company, now owned by Indians, who are stripping it of talent and opportunity and moving it to India, leaving the UK office to sink or swim in a reducing market place. Most of their work is for middle east companies. They recently built a bioethanol plant at Wilton, but we'll have to keep our fingers crossed it survives given the politics and downturn.
At least the nuclear industry is coming along, so long as the nimbys don't get their way and the politics don't make it too late before the lights go out.
Sorry to be downbeat, perhaps we should talk the country up rather than down, but the downwards momentum of the chemical industry at least is frightening.
I hope your overseas contract goes well for you.
Stuart
