Emerson’s Janka O’Brien, with support from MC Chow, teamed up with Robert Ancrum, the SIS Technical Authority for a major Midwestern U.S. refiner, to tell a story of a control system and SIS modernization project. Their abstract:
This session is to discuss DCS replacement projects on two near identical FCC units. One was done in the traditional non-integrated approach for a DCS and SIS, the other was done using an integrated approach with DeltaV and DeltaV SIS CHARMS. Traditional SIS design thinking often prevents integrated solutions from being implemented for fear of common mode design issues as well as the potential violation of SIS independence. An integrated solution offers reliable primary and secondary SIS actions. This paper covers an end users view regarding DCS/SIS integration and separation.
The team opened up introducing primary and secondary actions:
- SIS/DCS separation is fine if all you care about are the SIL rated (Primary) safety functions (SIF’s).
- For a refinery, most units require additional (Secondary) process control DCS functions to protect the unit and allow for easy and quick startup following a SIF trip.
- Failure of the required process control functions can cause a significant economic lose after a SIF trip.
- In reality, both primary and secondary actions on a SIF trip are important to the economics of a refinery.
They explained that part of the reasons that there is not more emphasis on secondary actions is that LOPA scenarios often underplay economic loss by a factor of 10 or more. Part of the reasons that there is not more emphasis on secondary actions is that LOPA scenarios often underplay economic loss by a factor of 10 or more.
It is not unusual to see an economic loss of in the tenths of thousands of dollars in a layer of protection analysis (LOPA) case which when it does happen can end up costing in the tens of millions of dollars.
They defined integrated versus separated basic process control systems and safety instrumented systems:
- Separation – Physical separation between SIS and DCS in separate cabinets and racks and rely on traditional I/O and/or independent MODBUS to communicate.
- Integration – Physical separation, but SIS and DCS in the same cabinets and racks or on the same process control network. If designed correctly SIS hardware and software are independent of the DCS hardware and software.
Integrated SIS and DCS can provide the same level of safety functions up to SIL 3. For refineries, SIL1 and SIL 2 functions are more typical. What differentiates integrated or separated SIS and DCS is the ability to design, build, test, maintain and manage the commercial secondary actions. Integration has the benefits of lowering your lifecycle costs as one vendor supports and maintains both the SIS and DCS platforms.
If you accept the fact that non-safety secondary actions are important, should they be done in the SIS or DCS? Putting them in the SIS makes them more available due to the increased availability of the SIS but requires considerable more software testing as on line changes can be very challenging. Secondary actions often require process control functions that cannot be done in the SIS. Putting them in the DCS makes changes easier to manage as secondary actions can be a moving target.
Whether you place the non-safety secondary actions in the SIS or DCS, software testing for primary and secondary actions must be equally rigorous. Rigorous testing of secondary actions is often overlooked and is a common reason for economic loss on a SIS trip. Closed loop simulators are invaluable for testing SIS primary and secondary actions. Better to catch any holes on the simulator than in real life.
A project comparison was done with a DeltaV system and a non-Emerson safety logic solver compared with an integrated solution with DeltaV and DeltaV SIS. DeltaV SIS communicates using HART protocol to diagnose faults before they cause spurious trips. With the DeltaV SIS CHARMs, spare space is increased and cross-marshalling wires and panels are eliminated.
After analysis, the integrated solution was chosen and the following business results were documented:
- Reduction in project costs by 38%
- Improvement of project schedule by 2 months by eliminating extra factory acceptance tests (FATs)
- Increase of the spare space by 10%
- Reducing PM costs by 15%
- Future reduction in SIS lifecycle costs, as DeltaV SIS already established on site.
- Improvement in hardware and software support as Emerson has large support in the region where other suppliers did not
- Allowance for future expansions and changes while eliminating traditional system re-work and re-design.