Interlock/Alarm sequence

Status
Not open for further replies.

controlnovice

Electrical
Jul 28, 2004
976
I've inherited a system where each analog input (AI) signal has HiHi, Hi, Lo, LoLo Alarm and HiHi, Hi, Lo, LoLo Interlock.

The interlock points are used elsewhere in the code to force outputs (usually), for example, to force a valve closed.

The alarm points are for visual or audible indication to the operator.

Which should come first?

For example, on filling a tank with an inlet valve:

Do we want the inlet valve to be closed via the Hi Level Interlock first, say at 85% level (which would be above our operating point)? Then the Hi Level Alarm set at 90% to notify the operator just in case something didn't work.

Or do we alarm the operator first at Hi Level Alarm 85% for him to take action, then Hi Level Interlock if the level still rises?





______________________________________________________________________________
This is normally the space where people post something insightful.
 

If you set the alarm at 90% and the lock at 85%, you should not get an alarm, so why have it.

Typically, you set the alarm first, then the interlock second. The alarm allows operator intervention and maybe avoid an interlock of process shutdown.

I could possibly see a place where you'd shut first, ask questions later, it would be a slow moving process point that can easily be manually shutdown if all else fails.
 
I usually have the alarm first, then action.

Sometimes, you can have the alarm and action at the same point.

Usually, alarm first.

"Do not worry about your problems with mathematics, I assure you mine are far greater."
Albert Einstein
Have you read FAQ731-376 to make the best use of Eng-Tips Forums?
 
Both dcasto and Ashereng reflect the normal industry practices. Take a level measurement application where the normal level is 50%. This is typically controlled by the "basic process control system". This is often a PID algorithm that throttles a control valve on the discharge of a pump. As the level increases or decreases to a point outside the desired range then activate an alarm. This alerts the operator that things are happening thus permitting some operator intervention or awareness. As the level further rises or falls a system with shutdown interlocks performs interlock actions. High level often trips a valve on the inlet. Low level often trips a pump from the bottom to the next process equipment.

Many variations exist. Some systems start and stop multiple pumps instead of throttling a valve. Some may adjust the speed of a variable speed drive that adjusts the pump motor.
 
See thread830-204210 regarding interlocks in control systems engineering.

The question nearly provides the answer. Hazardous processes require greater reliability than mundane processes. A water handling system may not require multiple systems.

Some controversy exists regarding whether or not OSHA 29 CFR 1910.119 requires segregation of basic process control from safety shutdown for various applications. I suggest that the process safety management of highly hazardous chemicals requires separate systems.

Regardless of whether or not it is an OSHA requirement it is a good practice. Let’s look at the example in the thread referenced above where a level measurement application where the normal level is 50%. This is typically controlled by the "basic process control system". This is often a PID algorithm that throttles a control valve on the discharge of a pump. As the level increases or decreases to a point outside the desired range then activate an alarm. This alerts the operator that things are happening thus permitting some operator intervention or awareness. This much of the action is taken within the basic process control system such as the DCS. However, as the process deviates beyond this point, whatever was supposed to happen isn’t controlling the process within the limits. Perhaps something was set to manual. Perhaps the breaker tripped on a pump so that the level continues to rise; or the pump is selected to hand so that it continues to run as the level continues to fall. Although typically not a “Bill Gates” type system, perhaps the microprocessor in the DCS controller locked up.

As the level further rises or falls a separate system with shutdown interlocks performs interlock actions. Upon increasing level above the alarm value the high level often trips a valve on the inlet. Perhaps it trips an upstream pump instead. In either case a different system is used. Low level often trips a pump from the bottom to the next process equipment. A separate system requires separate level measurement, preferably using a different measurement technology. The reason for the separate system is to avoid common mode failure. Whatever didn’t work with the DCS should not cause the same problem for the safety shutdown system.
 
Ooops! Reference thread698-204278 in measurement; and control and forgive the duplicate post.
 
Maybe I'm not using the correct terminology or nomenclature.

I guess I thought that we would want to force the valve closed first, as part of the DCS logic, if it got to a certain level (in the tank level example).

Is that considered a control/operating point, and not an interlock?

Once the valve closed and the level continued to rise, then the operator would be notified via alarm.

It seems in the days of Alarm Management, we would want to control first, then alarm.

______________________________________________________________________________
This is normally the space where people post something insightful.
 
If closing a valve to control a high level then the valve must be on the inlet. One can use binary logic to force an on/off valve closed; or use a PID algorithm to throttle the valve; or both - all within the DCS logic.

In earlier times it was common to use a control valve to throttle and a solenoid on the air to the actuator to close the valve regardless of what the PID output. For segregation between the DCS and SIS I recommend two valves - one controlled by the DCS and one by the SIS.

Two levels of alarms are normal. If the design is for the level to run between 35% and 65% the DCS logic could be set at 50% with the gain to close the inlet valve at 65% and full open at 35%. The pre-alarms alert the operator after the valve should be closed if the level continued to rise above the operator action point such as 70%.

Others can address alarm management. The concept is to help the operator prioritize her actions as an upset progresses.
 
You definitely used the wrong words. An interlock is a safety device system that locks out a source of energy, feed, or reactant during upsets.

Your question comes down to: can I use 1 transmitter to both control and alarm?

The answer is both no and yes. The qualification comes from a risk analysis. This is a whole topic discussed many times.
 
The DCS uses the function block diagrams. The DC block (used to control On/Off valves), has an input parameter labeled 'Interlock', which the configurer is using to set the valve to its fail position.

Several of the 'interlock' commands are set from the AI alarm points, not the interlock points.

______________________________________________________________________________
This is normally the space where people post something insightful.
 
The definition of an interlock deserves to be a new thread. I doubt that any real consensus exists.

One of my clients defines an Interlock as "An automated instrumentation system that performs a discrete action in response to a process variable or physical condition outside a prescribed limit. Interlock may be designed to prevent a safety, environmental, asset protection/mechanical integrity or product quality excursion. All such interlocks, regardless of type shall be designated with a SIL (Specified Integrity Level) of 1, 2, or 3, with SIL 3 being the highest designation within the Enterprise." I don't pretend to have a better definition.
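
An added example, not part of the thread or any poster's code: a Python audit of the two conditions discussed above, that each alarm setpoint is reached at or before its matching interlock, and that a DC block's 'Interlock' input is driven from an interlock point rather than an alarm point. The tags, the `_ALM`/`_ILK` point suffixes, the pairing of each alarm level with the same-named interlock level, and every setpoint other than the 85%/90% case from the question are assumptions.

```python
from dataclasses import dataclass

LEVELS = ("LoLo", "Lo", "Hi", "HiHi")

@dataclass
class AnalogInput:
    tag: str
    alarm: dict       # level name -> setpoint in % of span
    interlock: dict   # level name -> setpoint in % of span

def audit_setpoints(ai):
    """Return findings where an interlock would act before its alarm."""
    findings = []
    for kind, sp in (("alarm", ai.alarm), ("interlock", ai.interlock)):
        values = [sp[level] for level in LEVELS]
        if values != sorted(values):
            findings.append(f"{ai.tag}: {kind} setpoints are not in ascending order")
    for level in LEVELS:
        a, i = ai.alarm[level], ai.interlock[level]
        # Rising side: alarm at or below the trip. Falling side: at or above.
        # Equal values are allowed (alarm and action at the same point).
        early = i < a if level.startswith("Hi") else i > a
        if early:
            findings.append(
                f"{ai.tag}: {level} interlock ({i}%) acts before {level} alarm ({a}%)")
    return findings

def audit_interlock_wiring(wiring):
    """wiring maps a DC block tag to the point driving its 'Interlock' input."""
    return [f"{block}: Interlock input driven by alarm point {src}"
            for block, src in sorted(wiring.items())
            if src.endswith("_ALM")]  # hypothetical suffix for alarm points

# Constructed sample data. LT-102 uses the 85% interlock / 90% alarm
# ordering from the original question; everything else is made up.
TANK_OK = AnalogInput("LT-101",
                      alarm={"LoLo": 10, "Lo": 15, "Hi": 85, "HiHi": 90},
                      interlock={"LoLo": 5, "Lo": 12, "Hi": 88, "HiHi": 95})
TANK_BAD = AnalogInput("LT-102",
                       alarm={"LoLo": 10, "Lo": 15, "Hi": 90, "HiHi": 95},
                       interlock={"LoLo": 5, "Lo": 12, "Hi": 85, "HiHi": 97})
WIRING = {"XV-101": "LT-101.HI_ILK", "XV-102": "LT-102.HI_ALM"}

if __name__ == "__main__":
    for finding in (audit_setpoints(TANK_OK) + audit_setpoints(TANK_BAD)
                    + audit_interlock_wiring(WIRING)):
        print(finding)
```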
 