May 2007 Archives

John Egnew, a training consultant and instructor in Emerson's Educational Services has posted another tip in his series of looptips. John's looptip #12 is entitled Don't Throw Away a Good Thing.

In it, he references how a positioner used on a control valve in a fast-acting loop may actually make the loop more unstable or difficult to control. The likely culprit may be too high of a loop gain. An example of this type of loop might be a fast fluid flow application.

If this is the case, the solution is having the travel feedback signal from the positioner be the inner loop of a cascaded loop. The inner loop of cascade control must be faster than the outer loop.

He also offers specific recommendations whether your loop is running under electronic or pneumatic control.

I hope these tips along with some of the wisdom conveyed by Terry Blevins and Greg McMillan over on the ModelingAndControl.com blog help you tackle some of these situations which can impact the performance of your process.

For complex processes like gasification units in the Oil Sands region of Northern Alberta, Canada, how do you handle the integration of complex sequences which involve both the safety instrumented system (SIS) and control system (BPCS--basic process control system in safety-speak)?

This was the subject of a recent paper given by Dean Taggart, a professional engineer and certified functional safety expert (CFSE) in Emerson's Calgary-based Hydrocarbon and Energy Industry Center. Dean gave this paper along with members from Spartan Controls and the oil and gas producer, OPTI Canada.

The team gave the paper, Integration of Complex Sequences using DeltaV (presentation), at the 2007 AIChE Spring National meeting. Dean and the team quite comprehensively covered the areas of process and safety requirements and their technical concerns, and applying an implementation framework to this project.

With this post, I'll zero in on the decisions of what should be within the span of the SIS and BPCS. As the team states, it's clear what initially goes into the SIS:

Normally the process is designed in a Front End Engineering Design (FEED) phase, where vessels, pumps, piping, and instrumentation are proposed. The process goes through a HAZOP process, with the intent of identifying hazards. As these are considered, either through a PHA, LOPA, or Risk Analysis, SIL targets are determined and requirements for SIS are established [hyperlinks added to help with acronyms].

For complex processes, the SIS may be involved in the startup or stopping sequences, like in the burner management system on a gasification reactor. Normally the process of burner management involves closing off the feeds and the burner goes off. But for a gasification reactor, under high pressure and temperature, the vessel must evacuate the asphaltene quickly or it will harden and plug up the feed lines. A shutdown sequence is required to depressurize and cool down in a non-damaging way.

The choice the project team faced was either to perform all of the startup and shutdown sequences in the SIS or split them between the SIS and BPCS. The issue with splitting the sequence is increased configuration complexity, data mapping, communications diagnostics and handshaking logic required. And some common methods for this communication like MODBUS/serial communications and OPC, the communications throughput has to be carefully designed and tested. A bigger concerned stated in the paper:

In order to work properly, the BPCS and SIS would have to have "parallel" sequences which would need to be synchronized very tightly with each other. In the event that communications was lost during a startup or shutdown, each would have to execute separate and parallel actions. Since the actions may need to be modified based on process conditions, this adds even more complexity.

For this project, the team used the DeltaV system and DeltaV SIS and ran the sequence in the DeltaV SIS. The paper describes a simpler approach:

Under normal circumstances, the SIS runs the sequence, can override the BPCS when required, and can examine the health of the BPCS. The BPCS only performs process control, listens to the SIS for overrides, and can examine the health of the SIS. If communications is lost, the SIS can take the appropriate action (perhaps abort a startup, execute a shutdown, or may do nothing at all if in normal operation). In this case, the BPCS may continue to execute process control on some loops, and for others they may automatically be set to override or manual mode. The flexibility is there, and there is little concern over loss of communication.

If you have a project with hazardous areas with control system and SIS requirements, this paper is an excellent resource for an approach to think through the design process.

In our continuing series of screencasts, I'm trying to give examples of how advanced diagnostics in Foundation fieldbus devices can be used in control strategies to avoid abnormal situations and potential losses in production.

Emerson's Rune Reppenhagen shows in this quick 2 minute, 47 second screencast, how an advanced model predictive control strategy in a DeltaV controller automatically recognizes a failure diagnostic in a temperature transmitter and switches the mode of control over to a manual state.

At the same time, this diagnostic alerts the operator of the situation, and the AMS Device Manager software shows the condition of the transmitter so it can be quickly repaired.

By using the advanced diagnostics from these intelligent field devices in the control and advanced control strategies, conditions which impact the availability and quality of the process can be avoided.

As announced at the Digital Bond blog and noted on the Sound Off! blog, the DeltaV controller is included in the first group of controllers certified by Wurldtech's Achilles Controller Certification. The purpose of this program:

The Achilles Certification Program was developed by Wurldtech and its partners to provide a benchmark for the certification of secure industrial controllers. The program is designed to assess the overall security of industrial controllers and certify that they meet a comprehensive set of requirements and conformance. The certification process presents device manufactures with an independently verified result from which to communicate their product security to customers, while providing the operators of control systems the most complete, accurate, and trustworthy information possible on the security of their deployed products.

I caught up with Emerson's Bob Huba who has worked closely with Wurldtech in gaining certification for this important cyber-security effort. You may recall Bob from prior posts on the topic of cyber-security.

Bob feels this certification is important for process manufacturers. By doing device testing to an accepted set of test suites and test parameters, an automation engineer can have a higher degree of comfort that automation controller solutions have the robustness to survive network level cyber attacks.

Emerson customers have told Bob that one real benefit of this testing is that it gives them the "breathing room" to better plan the installation of security updates and new anti-virus signatures. Knowing the controllers can survive a security incident will greatly reduce the risk involved in having to schedule these patching tasks around process activities rather than always immediately deploying the updates.

Over time, Bob expects device testing and certification to become an even bigger part of the industry cyber-security and system robustness solutions. In fact, he just returned from a two day meeting of the newly forming Control System Security Certification Organization (CSSCO) in Houston.

At this meeting, the group defined as part of their mission:

to decrease the time, cost and risk of developing, acquiring, and deploying control systems by establishing an industry-based program to... facilitate the independent testing and certification of control system products to a defined set of control system security standards.

Bob noted that support for the CSSCO has been growing since several major asset owners proposed the initial idea of such an organization about two years ago. It has recently come under the auspices of the ISA organization. They are helping to develop this into a full standards organization. Bob suggests that if you are interested in this effort to look for more information coming out on this in the upcoming weeks.

Personally, he would like to see as broad a process manufacturer representation in this group as possible. To this end, Bob plans to invite members of the DeltaV community of users to consider participation in this effort. For those members who happen upon this post, feel free to contact Bob.

In an earlier post, I discussed maintaining compliance of hazardous area certified equipment, from a paper given by Emerson safety consultant, Bob Baker.

At the recent AIChE Spring National Meeting Process Plant Safety Symposium, Bob gave an updated paper, Safety & Regulatory Compliance of Reconditioned Equipment (presentation).

He sums up the pressures that process manufacturers face:

Responding to challenges of seemingly unending reductions in capital and maintenance budgets, the process industry has increasingly turned toward the purchase of lower cost, recycled equipment including salvaged control valves and instrumentation.

The market for salvaged and reconditioned control valves expanded from onshore and offshore oil and gas producers in the early 1990s to onshore chemical, petrochemical and refiners today due in large part to declining maintenance budgets and financial pressure on small, locally engineered capital projects.

Unless appropriate equipment purchase specifications are specified and followed, exposure to potentially significant safety risks may occur when using salvaged, new-surplus, refurbished, or remanufactured equipment (considered "reconditioned" equipment):

Although it equipment may be acceptable from a functional perspective, depending on equipment age, repair history, application severity and other factors, such "reconditioned" equipment may be out of compliance with safety standards, or with manufacturer's specifications as originally designed to applicable industry codes, for safe use in hazardous locations.

One of the U.S. Occupational Health and Safety Administration (OSHA)-accredited Nationally Recognized Testing Laboratory (NRTL) is FM Approvals. The paper notes that FM Approvals' position for reconditioned and new-surplus instruments for use in hazardous locations:

It is FM Approvals' position that only the original manufacturer of the Approved product or an FM Approved remanufacturer whose facilities are part of the FM Approvals follow-up audit program, can remanufacture a product and reissue the FM Approvals certification mark. Any suggestion, practice or inference to the contrary is wrong and must cease... Any salvaged, remanufactured or new surplus electrical instrument cannot be labeled or relabeled as FM Approved for use in a classified hazardous location unless the refurbishing/new surplus supplier entity is audited and approved by FM Approvals, LLC, for that specific type of instrument.

FM Approvals presented the issues, challenges, and its position at several safety symposiums in late 2006 and early 2007.

Bob offers this recommendation for process manufacturers:

Vendor qualification and technical awareness is critical, requiring initial education of all plant personnel associated with the specification, purchase, inspection or repair of reconditioned and new-surplus equipment. Further, ever-changing organizational structure and new personnel requires a sustained education program, including ongoing emphasis at safety meetings. End user issuance of specific corporate policy and guidance could be an effective method to appropriately emphasize and establish requirements for purchasing reconditioned equipment.

Regulatory organizations such as OSHA and EPA typically put the burden of sustaining compliance to safety and regulatory requirements on the end user.

If you are using or considering using "reconditioned" instrumentation in hazardous locations or "reconditioned" control valves in applications within your plant's Process Safety Management (PSM) program, make sure to read the entire paper. Bob provides suggestions for vendor qualification requirements, suggests work processes, and describes the applicable standards.

Let's close this week by pointing to a new Advanced Control Survey at the ARC Advisory Group site. The actual survey is here.

Their purpose?

The purpose of this survey is to develop an understanding of how process manufacturers around the world are using advanced process control (APC) to create a sustainable competitive advantage.

We discuss what Emerson's experts do in optimizing processes with APC technologies from time to time, so I'm keenly interested in the results of this survey.

You're eligible if you're a process manufacturer and you work with process control. The promise is 20 minutes of your time and:

By taking this survey, you will gain insight into how users are looking to extend APC applications and related infrastructure within their organization. Those who complete the survey will receive a FREE copy of the results.

I didn't see a cutoff date, but if you meet their criteria and have 20 minutes, give it a go.

Update: Right now, the survey is expected to be open until June 15.

For those of you challenged with the vagaries of pH control, I wanted to make sure you had seen the news of an upcoming pH Control web seminar, arranged by ISA, featuring ModelingAndControl.com's Greg McMillan. The web seminar covers the root causes of poor performance in pH control systems.

In a recent post, Greg describes how he plans to share his experiences:

I spent a lot of time on pH startups. I found most of the key design concepts needed for success where not discussed anywhere, For example, the normal dip tube design for reagent injection is disastrous and the mixing and valve resolution requirements are exceptional. I discovered how I could reduce the number of stages of neutralization, offer inexpensive alternatives to the classical neutralization vessel, and decide when signal characterization could help or hurt your control objectives.

Unlike his recently released free eBook, this May 16 web seminar (2:00pm - 3:30pm Eastern U.S. Time) does have a cost. It's $195 (USD) for ISA members and $225 (USD) for non-members. If you're not the lone person in your organization who struggles with pH control, Greg suggests:

The seminar is much more cost effective if the registrant connects in a conference room with a computer projector.

If you can't make this event, Greg has also published a book on this topic, Advanced pH Measurement and Control, 3rd Edition.

People from across the world come up this blog and get some great questions from time to time. The most recent example is questions about safety instrumented systems (SIS) and the IEC 61511 standards. I thought I'd run them by two experienced Emerson safety experts, Len Laskowski in the Refining and Chemical industry center and Stephane Boily in the Hydrocarbon and Energy industry center.

As safety professionals incorporate these performance-based international safety standards, I thought sharing their answers with you might help your safety planning efforts. Len answers the four questions and Stephane adds his thoughts looking at the SIS installation components.

What are the standards that define the best rules for installation of field equipment of a SIF/SIS, on site?

IEC 61511 or ISA-S84-2003 (which is really the same thing, plus a grandfather clause) are intended for application in the process industry. They do the best job of defining what one needs to be concerned with for field instruments. The guidance may be considered somewhat minimal but the critical safety issues are there. Whatever would make a good installation for the basic process control system (BPCS) is a good installation for the SIS also. However, some different issues need to be recognized. First, the instruments need to be reliable. One measurement, referred to as "proven in use" means reliability data must be available for safety integrity level (SIL) calculations. If not then SIL-rated instruments are an option. Next one must consider fault tolerance requirements for the Safety Instrumented Function (SIF). This is a function of the SIL level for each SIF in the SIS. There will of course always be the need to make sure the instruments are calibrated routinely and tested per the proof test requirement. If this is online then the engineer needs to make sure that those facilities plus the ability to do maintenance is designed into the project. Typically sensors need their own root valve and final control elements may need bypasses or means for partial stroke testing.

The routing of the individual cables of transmitter that is in a 2oo3 voting system--the same route, different routes?

Some reliability engineers would want to try to convince you that a different route is required. While everyone would like a diverse routing from a common mode point of view, (a fire, dropped crane load, chemical spill could destroy all the cables in the same tray, etc.) it is many times impractical to route differently. One deciding factor is availability. If high availability is require diverse routine is a good idea, but again not mandatory. Some companies may have internal standards on this subject. The other factor is whether or not the SIS fails safe. If a loss of a cable, causes the System to have a spurious safe trip the system is safe, but you have to deal with the cost of the spurious trip. If the SIF is energized-to-trip, one needs to look at separate routing. Also, end of line monitoring etc.

Can I install the three field devices in battery or in different places to avoid, common failure, e.g., vibration, risk of fire?

Field instruments are designed for the outdoor industrial environment. Utilize them correctly for their application. If it is a bad installation for the BPCS it is bad for the SIS also. While many SIS logic solvers have been industrially hardened to operate in a broad range of environmental conditions with numerous successful applications, it just stands to reason that putting them in environmentally controlled areas will improve potential reliability plus the ability to do maintenance.

Yes one must always be careful with respect to common mode. Common mode can wiped out the reliability gains of redundancy. That is why it is required to do SIL Calculations to verify that the common mode effect is not so strong that it renders the SIF ineffective.

Must I use the normal practices of engineering or do rules or recommendation exist for the installation of field equipment for the SIF/SIS?

One has to ask whose normal practices?? If we mean industry best normal practices the answer is yes again but one needs to follow the entire IEC-61511 Life Cycle to determine what that really means for each project. What is an acceptable solution for one plant may not work for another. The questions you ask really points out that to safely design a plant, the project needs to execute the IEC61511 Safety Life Cycle. Hazards are identified early in the project and solutions are designed around those hazards. The questions you asked should all be covered in the Safety Requirements Specification (SRS). There are 27 questions that cover the topics you have asked and more, much more. Inexperienced engineers may not be aware of this list of questions that define an IEC61511 SRS. This is why you should work with experienced organizations. A study done by the Health and Safety Executive in the UK has shown that the majority of problems with SIS systems today are actually specified into the project. (Or shall we say not specified into the project, one does not know what one does not know.) Failure to execute the life cycle activities early and properly can have serious safety, schedule and cost implications on a project.

Stephane adds these thoughts on the installation components:

Sensor-To reduce common mode each sensor should have a separate process connection. There have been some good arguments made with regards to using different technologies in order to reduce common mode but one must look at practicality vs. benefits and risk reduction. Also, although the use of diverse technologies can reduce common cause it will not eliminate it completely.

Transmitters-For sensors integrated (or separate) with the transmitter, the geographical locations of the voted transmitters should be away from each other to the extent possible (so that in the event of a fire--all transmitters are not affected--as an example!)

Junction Boxes-Separate JBs for each transmitter / 2 core cable is preferred.

Multicore Cables-If separate JBs not possible, run each transmitter pair in separate multicore cables to the control room.

Cable Trays-Run the multicore cables in separate trays which have separate routes to the control room when practical. Availability would be the determining factor.

Safety Logic Solver-Each transmitter signal could be connected to separate SLS, on separate carriers. This would slightly compromise on the PFD value however and could also make the SIF configuration more complicated, but reduces common cause. SLS installed in two different cabinets in different control rooms would be even better! However common sense needs to be used and practicality. Same logic could be used for the output signals.

The extent to which one would go in segregating will depend on ALARP - As low as reasonably practicable (here 'low' refers to the risks involved). The Risk Reduction Factor (RRF) of the SIF and how much of the risk is the engineer / company ready to absorb, will dictate the decision. The common cause calculator (based on such segregation) is given in IEC 61508-6, Table D.5.

Here is another in my series of screencasts, this time showing how an automation system uses predictive maintenance diagnostics to switchover a pump before it fails.

Emerson's DeltaV product manager, Randy Balentine, shows in this 2 minute, 43 second screencast a redundant pair of pump-motor trains. These pump-motor trains are being monitored with CSI 9210 Machinery Health Transmitters.

Randy shows a situation where one of the transmitters communicates excessive vibration via Foundation fieldbus digital communications to a DeltaV system. One of the DeltaV control modules receives the diagnostic alert, performs the logic to switchover to the backup pump-motor train, and notifies the operator of the problem so that it can be addressed.

By incorporating these predictive diagnostics into the control strategy, the switchover can happen before a failure causes a loss of production. Based on the severity of the diagnostic information reported by the smart Foundation fieldbus transmitter, the actions can range from notification of the operators to control actions performed by the control strategy.

At the recent Interphex Pharmaceutical Manufacturing Conference, Emerson's Todd Ham presented on the subject of automating fermentation. Todd acknowledged that Christie Deitz, whom we've featured in several other posts, had a large hand in the development of this presentation and work on the project discussed.

The presentation discussed a recent project done on a large-scale, multi-product biopharmaceutical complex. This project was so successful it recently won the Facility of the Year Award Winner in Project Execution. One of the keys to success was a clear design philosophy established up front. Elements of this philosophy included:

• Fully automated
• Paperless, dock-to-dock using electronic records, operator handheld devices, and barcode scanning
• Consistency for operators based on industry standards like ISA-88 (S88), ISA-95 (S95), and digital bus technologies
• Focus on fermentation as a key process area for the project

A key to success in the project was the close working relationship between the manufacturer and the Emerson Life Sciences project team on the up front requirements and design, and the subsequent module-level and integration-level testing.

The upfront design considered not only the fermentation and recovery processes, but also the full automation required for paperless operations. This design included recipe-level batch control, warehouse management, electronic signatures, and a complete electronic batch record, including the manual processes. These manufacturing processes included material management, container management, filter management and sampling.

The project team applied the S88 standard to control modules looking to identify the common modules and instances for things like motors and valves. At the S88 equipment module level, the team created project wide module templates, area specific module templates, and unique, one-time use equipment modules.

The sampling system and sparger control are examples of project-wide templates. Fermentation agitator control and dissolved oxygen control are examples of area-specific equipment modules. Transfer panels and valve assemblies are examples of unique equipment modules.

At the S88 unit level, the team designed classes and instances based on physical similarity and phases that they use such as batch media, inoculate, ferment, etc. This led to various unit classes for fermentation vessels including seed fermenters, production fermenters, and feed vessels.

From a recipe standpoint, the design grouped phases into operations, then grouped operations into unit procedures, and finally grouped unit procedures into procedures, all again following the S88 standard.

Todd shared some lessons learned from the team. With regard to the modular design approach, the team learned to keep process units the same as much as possible. With similar units, it is also important to make sure the operations are also as uniform as possible. The team cautioned about the overuse of aliases, which reference pieces of physical equipment like valves and motors, in phase logic. By not overusing aliases, but rather relying on equipment modules to handle physical differences, the phase logic could be generically written to handle multiple pieces of similar equipment like process tanks.

Other lessons learned were to plan for the extra documentation required for high levels of modularity and dock-to-dock automation. Like other members of the Life Sciences team have counseled in earlier posts, time spent upfront in planning and testing saves a lot of project backend effort.

The benefits of a complete electronic batch record vs. a paper-based process in terms of faster release of products are pretty clear. It's important to assemble the project team and begin the planning and design early to prepare for the additional effort commensurate with the increased automation required for a successful project.

A concern I've written about in this blog's education category is that much knowledge in control theory and automation practices is disappearing as our "baby boom" generation begins to retire.

We are constantly trying new approaches to capture and present the knowledge for current and future automation professionals to discover. An example of this includes Terry Blevins and Greg McMillan's ModelingAndControl.com blog.

Another example is the Process Control Insights area on the EasyDeltaV.com site which features application notes, lectures, and links to books written by Greg McMillan.

Greg just announced another project on which our team has been working again in the spirit of sharing the knowledge. Of one of his no-longer-in-print books, he wrote:

A Funny Thing Happened on the Way to Control Room is my favorite because it presented detailed results of solving tough process control problems in a creative way to help open minds to new possibilities and concepts. This book is out of print but thanks to Deborah Franke at Emerson Process Management, it can be viewed for free in its electronic form... [emphasis added]

This was a case of the publisher turning the copyright over to Greg after the book had been out of print for some time. Instead of collecting dust in a box somewhere, Deb Franke worked with Greg and led the effort to get the book published in the Process Control Insights area of the website.

Over time, we hope to add more works for current and future automation professionals to discover.