What’s Keeping Process Analyzer Engineers Up at Night?

NeSSI, Alarms, Wireless, Security and Safety—for a Start

Share Print Related RSS

 



See a list of references at ControlGlobal.com/0802_nichols.html

 

By Gary D. Nichols, PE

Analyzer engineers’ and technicians’ jobs are not just about installing and maintaining process analyzer systems. A survey of recent literature show that other issues also require our time and attention. (See ControlGlobal.com/0802_nichols.html for a list of references.)

The New Sample System Iniative (NeSSI) is probably the most immediate current issue that analyzer engineers and analyzer technicians have to address. We are likely to have less of a leadership role, but definitely will participate in and contribute to discussions about alarm management, wireless communications, security and SIS/SIL decisions at the corporate and plant levels.

NeSSI

NeSSI has been available for several years, but is now beginning to find a home, or homes, in process plants. NeSSI is a modular method for assembling sample conditioning systems, especially complex one. NeSSI has been likened to children’s Lego blocks because of the size of some of the modules and the way they are assembled.

When implemented, NeSSI is reported to have shrunk the sample conditioning system footprint by 50% (for an offgas analyzer system installation), with accompanying reduced maintenance. The footprint for an optical measurement system was reportedly reduced to 1.6 in. x 7.75 in; the original footprint was not revealed, but few are the sample handling systems that do not require considerable more space.

The ISA/ANSI standard that was promulgated several years ago provided the base dimensions for the devices (valves, meters, tube fittings, etc.) that would be integrated into the NeSSI system. Since that time, well-known firms such as Swagelok, Parker and Circor have been proponents of NeSSI systems; more and more suppliers are adopting sample conditioning system components and analyzer components to fit the NeSSI standard.

We already tacitly identified one reason for NeSSI not being implemented earlier: Suppliers needed time to adapt their manufacturing to meet the NeSSI standard. They also needed time to design sample conditioning system components to accommodate unusual tubing geometries, sealing systems to accommodate corrosive samples and  a customer education system to let users know of NeSSI’s availability and benefits.

But other reasons may have played a part in potential NeSSI users’ decision to stick with conventional sample conditioning systems. Conventional components have an established track record. NeSSI components for some applications might not have been available. Analyzer engineers and technicians may have been looking for the ideal application for NeSSI to ensure that it would demonstrate distinct benefits when first implemented. Finally, analyzer system integrators and other in the analyzer community may not have been familiar with the NeSSI components and systems.

Alarm Management

“The essence of alarm management is to supply operators with enough information to prevent abnormal situations, and to prevent abnormal situations from escalating into unpreventable situations,” says a recent article on the subject. That is a nice theory, or “alarm strategy,” but why is it necessary to develop the theory, and how can the theory be implemented?

Though analyzer engineers and technicians are not likely to drive alarm management, we need to be aware of the ongoing process of alarm management and be prepared to understand and influence the process.
First we must answer, “Why has alarm management become an issue?” With the proliferation of microprocessors, DCSs, PLCs, PCs and other easy and inexpensive ways to add alarms, almost “for free,” to the myriad operator responsibilities, it is almost a given that there might come a time when operators became overwhelmed with alarms at the expense of acknowledging and responding to them and to the potential neglect of other operator responsibilities (3,4).

This affects analyzers because most modern analyzers come from the factory equipped not only with the analytical measurement, but with analyzer condition alarms which signal that the analyzer is malfunctioning in various combinations or ways or indicate that the analyzer is deliberately out of service for maintenance. This can lead to alarm proliferation.

The current philosophy is to configure an alarm only when operator action is needed and clearly identified.  For analyzers, this can mean to (1) obtain agreement between the analyzer technician and the operator as to the criticality of the alarm, (2) alarm only the analyzer signals that are immediately critical to safety, loss prevention, and the environment, (3) and perhaps to “daisy chain” alarms that do not justify individual alarms.

Readers who must know more about alarm management are encouraged to consult the referenced articles, the EEMUA document (5), and other articles, standards, and recommended practices on the subject, and to become active in their site’s or corporation’s alarm management committee or group.

Wireless

Wireless control systems communications is one of the leading topics of 2007; in retrospect, it would seem inevitable that process industries which progressed from pneumatics to 4-20 mAdc to field buses in a few years would eventually want to go wireless as the broadcast bands became available and technology became feasible.  Actually, wireless telephony grew from the aerospace and defense industries in the 1950s and 1960s (6). 

A discussion whether to implement wireless, or where, is not a subject that analyzer engineers and technicians are likely to be asked to lead.  But it is certainly a subject where we are likely to be asked to weigh in.   This author has not witnessed a lot of discussion or technology about wireless communications with analyzers, but it is not difficult to imagine its implementations for the future.

Though wireless is still too vulnerable to security and reliability uncertainties to be used for critical closed control loops, it can still be used for less critical applications.  Wireless broadcast bands are licensed (by FCC for exclusive use) and unlicensed (free access).  One would first think that the licensed would be more secure from accidental or intentional intrusion, but with “frequency hopping”, unlicensed bands have advantages of:  (1) no cost, (2) no time, (3) no licensing hassle, (4) many suppliers, and (5) lower start-up costs (7).

Security

Control system security efforts are not likely to be led by analyzer engineers and technicians, but there is little doubt that analyzer systems are touched by security issues and that analyzer personnel must be familiar at all times with corporate and site control systems security measures.  The 2001 terrorist attacks on the US certainly heightened security awareness, but even before that, the author saw intensified security within  analyzer systems deployment.  This intensification was evident with locked analyzer shelters, enclosures, and cabinets.

Because most analyzer systems are complex integrations of chemical, electronic, and mechanical devices, most analyzer folks quickly grew protective of “their” analyzer installations being susceptible to tampering, littering from unrelated maintenance waste, pilferage of spare parts and manuals, use of analyzer areas for break periods (unauthorized or not), and other activities unrelated to or detrimental to analyzer work.  Therefore, analyzer shelters, enclosures, and cabinets were quickly locked to “outsiders”, with keys being available only to analyzer, operations, and safety/security personnel.

After the terrorist attacks, control systems generally received security scrutiny because control system tampering was believed to potentially lead to greater loss of life than financial system hacking.  In the wake of this concern, all but “need to be there” personnel were denied entry to DCS rack rooms, PLCs, some PCs, and consoles.  The belief was that with enough information, critical controls and trips could be overridden by hackers with much resulting destruction.

The “Top Ten Vulnerabilities” to control systems was recently published (8).  Though we will neither reproduce them nor discuss them in detail here; the general rules appear to be to isolate control systems (including analyzer system computer hardware and software) as completely as possible by eliminating shared hardware and software, eliminating dial-up connections, erecting firewalls, “stress testing” control system security and eliminating unsecured wireless connections.  See (9) for additional security tips.

SIS/SIL

Safety Instrumented System (SIS) and Safety Integrity Level (SIL) (ANSI/ISA-S84.00.01-2004, IEC 61511 Modified) refers to the system for handling critical trips.  The part of the control system related to production, quality, and financial issues  is the trip system related to “normal” operations.  The SIS is for handling “critical trips” is for personnel protection, process loss prevention, and environmental protection.  The SIS and the normal control system should be physically separate, so that if the normal system (DCS, PLC, PC, etc.) fails, the SIS will immediately take over and shut the process down in a safe and orderly fashion to avert disaster.  (IEC 61508 should also be consulted.)

The SIL defines the level of performance needed to achieve a safety objective.  SIL 1, SIL 2, and SIL 3 designate the probabilities of failure on demand (PFD); the higher the SIL number, the better the safety performance (10).  The SILs are associated with the following architectures:

  • SIL 1 – One-out-of-one.  Single sensor, single logic solver, single final control element.
  • SIL 2 – May include redundancy for sensor, logic solver, and/or final control element.
  • SIL 3 – At least double redundant sensor, logic solver, and final control element.
  • SIL 4 – Sufficiently high severity to be used largely in transportation, nuclear, and aerospace industries.  SIL 4 is not normally used in the process industries.

Analyzer personnel are not likely to lead the SIL determination effort, but we need to be ready to participate in and constructively contribute to the SIL sessions.  One source suggested holding the SIL meeting after the HAZOP while the P&ID information is still fresh on everyone’s mind; combining the meetings risks diluting the efforts for both (11).

Gary D. Nichols is  control systems engineer at Jacobs Engineering Group. He can be reached at gary.nichols@jacobs.com.

 



See a list of references at ControlGlobal.com/0802_nichols.html

 

Share Print Reprints Permissions

What are your comments?

Join the discussion today. Login Here.

Comments

No one has commented on this page yet.

RSS feed for comments on this page | RSS feed for all comments