Jens Wedege Petersen has little room for error in his work at DONG Energy’s Nybro Gas Treatment Plant on the western coast of Jutland. He and his fellow operators at Denmark’s only natural gas refinery must respond quickly and decisively to incidents as they occur to prevent them from blooming into dangerous situations. They must also be prepared, should it become necessary, to activate the emergency shutdown (ESD) system to shut off the gas supply and vacate the gas already in the plant.
Their task has only become more complex over time due to a series of expansions to handle the increasing amounts of gas being extracted from the seabed. The plant now processes between 16 million and 25 million tons of natural gas that arrives daily by pipeline from the North Sea. Besides regulating the pressure and quantity of the gas, the plant is also responsible for its quality, removing liquids, sulphur, and other contaminants. And it does many of these tasks just a few hundred meters from the main road to a popular beach and to summer homes along the coast.
For these reasons, management decided that it would be prudent to do more than simply upgrade the ESD system. It also decided to integrate the plant’s safety system with process control at the same time in order to improve the operators’ visibility into the plant and their reaction time. Hence, the Nybro facility is now among the growing number of plants taking advantage of the various means that automation vendors have developed for integrating safety with process control.
At Nybro, the old mechanical ESD system was based on relays, which the operators were supposed to actuate with pushbuttons. Not only was there a need for a new and modern system, but management also wanted to eliminate “the human factor” that is always a potential source of error, especially during a stressful and chaotic emergency.
For the upgrade, Nybro installed a System 800xA from ABB (www.abb.com), the Swedish automation and power supplier. The backbone of the new ESD system is eight AC 800M High Integrity controllers, which are rated for safety integrity levels (SILs) 2 and 3 and connected by a double, redundant fiber optic ring. Besides giving communications an alternate route to get around any interruptions that might occur, this new system is also integrated with the existing process control system from Honeywell Process Systems (www.honeywell.com/ps).
The integration allows Petersen and the other operators to monitor the ESD system from the central control system without having to use separate monitors and user interfaces. This ability helps them to make monitoring valves and other devices connected to the ESD system a part of their daily routines. Not only can they ensure that the valves are positioned correctly, but they can also monitor the frequent partial tests, as well as the annual full-scale test, that are performed on the system.
“In addition, we have the option to manually open and close the different valves—for example, where we need to isolate sections for repair work or simply to close down sub-plants or sectors,” notes Erik Delf, Nybro’s technical coordinator.
Implementing the new system also lets the company update various subsystems, such as the ultraviolet detectors that the system had previously used to detect heat, flames, gas, and smoke. The UV detectors were not integrated into the old emergency shutdown system. “Today, we use IR [infrared] detectors, which are far more reliable and faster, and which have now been integrated into the ESD system,” reports Petersen.
Vendors point out that this and other kinds of integration offer a number of benefits. For example, the cabling and networking are usually simpler and, therefore, cheaper to install. Moreover, when the safety controller is just another node—one separated in its own domain—on the process control network, it can reduce engineering costs for configuring the interface by as much as 95 percent, according to the Tokyo-based safety team at Yokogawa Corp. (www.yokogawa.com/us).
Although lower cost from using common components is often a reason given for integrating safety and control, visibility can be a more important justification, according to Luis Duran, ABB’s business development manager for safety systems. When coupled with the ability to act, this visibility can help operators to coordinate effective responses to developing problems much sooner than would otherwise be possible. “Integrated control and safety systems just simplify that,” says Duran.
Support from standards
No single technical advancement can receive credit for making this kind of integration and its benefits possible. Instead, the credit goes to steady, incremental improvements like more robust components and communications protocols, according to Allan Rentcome, director of engineering for process safety at Milwaukee-based Rockwell Automation (www.rockwellautomation.com). “The cost of hardware has also been reduced, and the core components in both safety and control architectures are beginning to share a common technology,” he adds.
He also points to IEC 61508 and 61511, the two main functional safety standards promulgated about a decade ago by the International Electrotechnical Commission (www.iec.ch) in Geneva. Although these standards specify that safety and control should be independent from one another, they permit integration as long as all common components are classified and treated as safety components. “If there are going to be two platforms that are integrated and common, then you must also consider things like risk-reduction factors and common-cause failure modes,” says Rentcome. “You must take some measures allowed by the standards in order to claim the right levels of safety protection.”
In fact, many of the revisions found in the second edition of IEC 61508 released in 2010 deal with accounting for common-cause failures between control and safety. “The emphasis is on understanding the risk factors for using the same control platform for both safety and control,” says Rentcome. “I also see some clarification around how to decide the levels of protection.”
This protection must include securing networks that are handling both safety and control data. This has become an issue because an increasing number of users are flattening their network architectures so they can consolidate the monitoring data and alarms onto fewer human-machine interfaces (HMIs) to lower their information-technology costs. “To accommodate safety data around interlocks and peer-to-peer communications between safety nodes, these flattened integrated architectures will often separate the systems with virtual LANs [local area networks],” says Steve Elliot, Triconex product director at Invensys Operations Management (www.iom.invensys.com) of Plano, Texas.
Meanwhile, standards and protocols have also evolved to help users design and build secure networks. The International Society of Automation (ISA, www.isa.org) in Research Triangle Park, NC, for example, has developed the ISA99 series, Industrial Automation and Control Systems Security. Another example is OPC Unified Architecture, the latest edition of OPC from the OPC Foundation (www.opcfoundation.com) of Scottsdale, Ariz. “OPC UA has encryption algorithms and certificate passing, which gives protocols used by the HMI the ability to contain those security layers that they didn’t before,” notes Elliot.
Just what is integration?
The flexibility found in the functional standards allows users to go about integration in a variety of ways, depending upon how they define the term “integration.” The various understandings of the term fall into three general categories, according to Charles Fialkowski, process safety manager at Siemens Industry Inc. (www.usa.siemens.com/industry) of Spring House, Pa. Hence, he describes three basic strategies for integration: interfaced, integrated, and common.
The interfaced strategy relies on control and safety systems provided by different automation vendors in order to guard against common-mode failures. An integrator links the two disparate systems together so that they can share data and the operators can monitor both systems from the same HMI, as Petersen and his colleagues are doing at Nybro. Besides having different hardware and software, the two systems also tend to be programmed with separate tools.
“The benefit is complete diversity and separation of the two systems,” explains Fialkowski. “If there were some type of environmental, systematic, or random failure, it probably wouldn’t affect both systems.”
In the second strategy—the one that Fialkowski calls “integrated”—the same automation vendor provides both the control and the safety systems. Constructing the systems with equipment from the same manufacturer usually permits much tighter integration and streamlines the sharing of data between the two systems. “They sit on the same communications bus,” notes Fialkowski. “They don’t need to have gateways developed for them.” Because these automation vendors typically offer the same engineering tools to configure both of their systems, users need to learn only one programming language.
Another advantage is that safety and control systems using this approach are cheaper to maintain. Although the two systems remain physically separate and independent from each other, they are not different makes, as they are in the interfaced approach. They usually contain common components, such as communications, control, and I/O modules. Consequently, users need not keep on hand the extra resources necessary for maintaining two systems. The downside, of course, is that the potential for common-mode failure is greater.
This potential is even greater for the third strategy, the common one, because the approach uses the same hardware and environment for both control and safety, rather than relying on separate and dedicated units. Here, the separation between control and safety data required by the functional safety standards occurs in the software. Architects of these systems create different levels of access, each requiring its own password. The advantage to this approach is that it requires buying and maintaining even less equipment than the integrated strategy. “It, however, concerns some people because it puts too much responsibility on one platform or system,” notes Fialkowski.
Because the common approach provides less protection against these kinds of risks, it is usually applied to simple processes or to processes that carry low risk. Refineries and other plants that have complex, high-risk processes tend to steer away from this approach. Either they will stick with the interfaced strategy, or if they are looking for greater cost efficiencies, they will adopt the integrated approach.
Of the three strategies, the interfaced one is probably the most prevalent in the process industries today, mainly because much of the installed base dates back to the days before integration was deemed to be acceptable. Fialkowski, however, has been noticing a shift from the interfaced strategy to the integrated approach as more users attempt to reap the economies gained through “sole sourcing.”
Sharing data
An example is Borealis AB, a manufacturer of plastics and base chemicals in Stenungsund, Sweden. A subsidiary of the Vienna-based Borealis Group, the company asked Honeywell to integrate a boiler in the Stenungsund plant at the operational level, rather than at the hardware level. “I still think of the implementation as an integrated one,” says Marcus Hedlund, expert process control and APC network leader for technical development of hydrocarbons. “We, for example, are running the alarms in the same system, so it’s unknown to the operator where an alarm originates.” They cannot tell whether it is coming from the safety or control system.
This strategy appealed to Hedlund and his team because their main concern was operator effectiveness. They wanted to avoid burdening the operators with the complexity that safety standards typically introduce into the architecture of the overall system. They believe that, when operators are concerned less with the intricacies of safety and control systems themselves, they can focus more on process optimization.
Since the company upgraded the boiler, the operators have not been aware of whether they are dealing with the safety system or the distributed control system. “And startup is much more of a ‘fire and forget’ process compared to older installations,” notes Hedlund. Besides decreasing start-up time, it also makes a lot of troubleshooting information available to operators and instrument technicians should anything go wrong.
The strategy has cost advantages, too. For example, by using Honeywell to provide both the ESD system and the DCS, Borealis was able to avoid the implementation problems that usually occur in the interface between disparate systems. “The use of remote I/O for safety and control has also saved a lot of cost for cables,” says Hedlund. “The new fiber network required can be used both for the DCS and the ESD, as well as the operator stations.”
Even though safety and control are integrated at the operational level, care must be taken in the design phase to specify the right instruments for each system. Where safety and control use the same input, double instruments and signals are needed. This is not always obvious when the P&IDs [piping and instrumentation diagrams] are designed.
According to Erik de Groot, marketing manager for safety systems at Honeywell Process Solutions, another tip to keep in mind when configuring systems that are integrated operationally in this way is to settle the naming convention up front. He says that Honeywell’s integrated system contains standard builds as predefined functions in the HMI. “It comes down to making the right choices in the naming convention and how you want to set up the ESD and control systems,” he says.