CG1105_CovStry

Distributed Safety Arrives

May 2, 2011
Just Like Distributed Control, Distributed Safety Is Coming Soon to a Process Plant Near You, Maybe Your Own
In the beginning, all control was distributed in the field near each particular process. Much of this control was manual, with islands of pneumatic-based automation. Then came the inaptly named "distributed control system," which was, in fact, centralized automation in the control room and its environs via monolithic centralized controllers and accompanying I/O.
About the Author
Dan Hebert, PE is Senior Technical Editor for CONTROL, Control Design, and Industrial Networking magazines. He began his career at Putman Media as a Field Editor in 1995 and joined the company on a full-time basis in 2000.

But smart instruments, local valve controllers, digital fieldbus networks and other new technologies moved control out into the field—closer to the processes and often to field-based operations personnel. This resulted in the current architecture of most process automation systems, namely, distributed control with automation and operator interfaces applied as needed in the control room and throughout the plant.

Process safety systems are following much the same path: first distributed, or often non-existent systems; then centralized via triple-modular-redundant safety controllers and local I/O; and now distributed via SIL-rated safety networks connected to safety-rated intelligent I/O, and via ever smarter and often redundant instruments and controllers.

Distributed safety is relatively new, and in the present litigious climate, many end users are reluctant to discuss safety systems. But the process safety market is growing rapidly, say analysts at Frost & Sullivan in its recent "Strategic Analysis of the European Process Safety Market" study. It predicts that Europe's process safety market will grow from just over $459 million in 2010 to more than $632 million by 2016. Part of this growth will come from distributed safety systems because they provide advantages over centralized safety.

Even process plants that don't directly purchase and implement distributed safety systems often find their facilities abound with the same in the form of process skids and packaging machines purchased from OEMs. These often have their own safety controls and at least some limited operator interface (see "Stealth Distributed Safety" in this article).

Stealth Distributed Safety

You may think your process plant doesn't use distributed safety because your safety system consists of one main safety controller with hardwired I/O. But in most process plants, including maybe your own, distributed safety systems sneak in and abound in the form of process skids, compressors, packaging machines and other subsystems purchased from OEMs.

Distributed safety systems on these skids and machines are implemented in one of two ways: first, with local automation systems designed, installed and commissioned by the OEM; second, via an existing process plant safety system, often via distributed safety in the form of distributed safety controllers or via remote, safety-rated intelligent I/O connected back to the main safety controller by a safety-rated bus.

In the second case, the skid or machine is typically purchased from the OEM without an installed automation system. The process plant receives some type of written description of the skid or machine's operation, and this information is used to design not only the safety system, but also the entire automation system.

In the first and more common case, the skid or machine is purchased with its own automation and safety systems, and these systems are networked to the plant's existing systems. For example, Gram Equipment (www.gram-equipment.com), Vojens, Denmark, a manufacturer of equipment used for industrial ice cream production, employs a Rockwell Automation GuardLogix controller to implement its safety system.

"Our machines are linked to the plant's EtherNet/IP network to allow online access for the end user," says Morten Zornow, electrical engineer at Gram Equipment. "Data exchange between the GuardLogix controller and the plant server is very limited. Normally our machine is running as a stand-alone machine with its own safety system."

"All personnel safety functions are controlled by the GuardLogix controller," he says. "This means overall emergency stop functions, as well as safe access to specific zones guarded by safety doors. Besides the normal double-circuit emergency stop buttons, we are also using safety switches with locks connected to doors into the working area. Dangerous actuators, such as pneumatically driven knives, are activated directly from safety outputs to ensure de-energizing the actuator in the safe-off state."

The GuardLogix controller communicates to the remote safety I/O via CIP Safety. This safety protocol is identical whether it runs over DeviceNet or EtherNet/IP.

In this and other cases, process plants are often best served by relying on the OEM's intimate knowledge of its own machines and process skids. This knowledge will typically allow the OEM to provide the best overall safety solution, one that's been proven across many applications and that's located close to the process.

In some instances, these skids and machines are purchased without automation, and instead are controlled by the plant's existing automation system. But even then, some safety-related control and limited operator interface are often retained to ensure safe local operation and shutdown in the event of failure of the main automation system.

Many of the advantages of distributed safety are similar to those realized with distributed control. Chief among them are independent operation and safe shutdown in the event of failure of the main automation system.

The components of safety systems in process plants are also similar to those used in distributed control. Some areas in process plants are potentially more dangerous than others, and these areas make particularly good candidates for distributed safety systems.

Taking Safety Underground

Marcus Hedlund, control engineer at the Borealis AB (www.borealisgroup.com) cracker in Stenungsund, Sweden, installed a Honeywell Safety Manager (SM) system in an underground mining cavern (Figure 1).

"Borealis installed a SM in the control building with distributed remote safety-rated I/O close to the cavern, roughly 1.5 km away," explains Hedlund. "The main benefit is that all safety functions can be programmed in one environment. Minimizing the number of systems involved is important since most of the challenges in an installation are in the interface between systems."

The Borealis application used distributed smart safety I/O communicating over Honeywell's (http://hpsweb.honeywell.com) SIL 3-rated SafeNet communication network via a redundant fiber-optic link. Another aspect of distributed safety was the local operator interface.

"There is a view-only operator station in the instrumentation room close to the cavern. This is mainly used for instrument technicians and electricians when performing troubleshooting. The main operator station is in the main control building, and only keyboard/video/mouse signals are communicated to the remote location. This simplifies maintenance, but it's also for safety reasons. Other local operator interface input consists of a few pushbuttons for emergency stop and reset," adds Hedlund.

"With full integration of the SM in the Experion DCS system, the safety functions are very clearly presented to the operators. This helps the operators a lot in troubleshooting, since safety is now out of the black box," says Hedlund.

Erik de Groot, marketing manager for safety systems at Honeywell, adds, "Everything can be programmed with the same functions. This greatly simplifies engineering, since many control and safety functions have I/O in both locations, such as alarms and overrides in the control room and transmitters and command signals in the remote location."

Another major advantage of distributed safety is easier future expansion. "Remote I/O installations are more scalable than cabled installations. Cable installations are normally done with 25% spare capacity, whereas a remote I/O installation can have virtually unlimited spare capacity simply by adding remote I/O modules," concludes de Groot.

Mine safety
Figure 1. Distributed safety systems are a particularly good fit for remote subsystems installed far from the central control room, as at this underground mining cavern.

Simplifying Distributed Safety

In many cases, simpler is better and more reliable, particularly when implementing a critical function such as safety. "Most centralized safety PLCs or DCSes cover multiple process units and, in some cases, an entire facility," says Angela Summers, president of SIS-Tech Solutions (www.sis-tech.com).

"In such a system, central system performance impacts multiple units, and its operation and maintenance can be a constraint for process turnarounds. In many cases, a distributed safety system can be less complex, easier to implement and maintain, and significantly more cost-effective," adds Summers.

At Valero's (www.valero.com) refinery in Memphis, Tenn., SIS-Tech installed a Diamond-SIS distributed safety system on a distillate hydrotreater unit to monitor four scenarios involving low level and flow that could lead to overpressure of equipment within the unit.

"Each hazard was addressed with its own Diamond-SIS safety system, all operating independently of each other and of any other automation system," explains Summers. "Standard communication protocols were used to transmit information from each safety system to the control room, so the overall system functioned in an integrated fashion from the operators' perspective, as they could receive process and diagnostics alarms and take action on the system using the operator console."

Each independent Diamond-SIS uses analog trip modules that receive discrete and/or analog inputs and generate digital contact outputs to de-energize final elements, such as solenoids or motor control circuits. "A Diamond-SIS has significantly less common-cause failure potential compared to centralized PLCs or DCSes," says Summers. "With distributed SISes, each function is operated, inspected, maintained and tested independently, and the performance of each SIS impacts only the equipment it's designed specifically to protect."

Eddie Brawner, I/E supervisor at Calcasieu Refining (www.calcasieurefining.com) in Lake Charles, La., agrees that simplicity is a benefit. Calcasieu Refining needed to replace an obsolete and non-compliant heater protection system for its stabilizer unit, and at the same time meet both the SIS standard, ANSI/ISA 84.00.01-2004, and the National Fire Protection Association standard NFPA 86.

Calcasieu installed a SIS-Tech system on the burner management system (BMS) for the stabilizer unit heater. "One of the major benefits of a SIS-Tech system is the time savings on install and start-up due to the simple design and layout of the BMS panel. The roll-over from the old system to the new was outstanding because it was essentially plug-and-play. The operators like the ease of use of the heater light-off process, and the clear and local information on any shutdowns caused by the BMS."

The BMS panel interfaces with the Calcasieu Refining control system via hard-wired discrete and analog I/O.

Distributed Safety with Trip Modules

Moore Industries (www.miinet.com) offers distributed safety solutions using safety-rated trip modules. These SIL-rated modules are typically used to provide on/off control, warn of unwanted process conditions and provide emergency shutdown. They accept a signal input from transmitters (such as 4-20mA or 1-5V), sensors including RTDs and thermocouples, and other monitoring and control instruments.

Rob Stockham, general manager of Moore Industries-Europe, says Moore has installed hundreds of distributed safety systems. "A recent requirement was to replace obsolete analog limit alarm trips mounted in custom racks in a U.K. polymer plant," says Stockham. "Fast trip response was required due to exothermic reaction in polymer processing, and the trip response time needed to be comparable to the existing analog safety trip system."

Stockham raises an interesting point, namely that older systems with hard-wired discrete and analog I/O could provide extremely fast response times, particularly as compared to modern, centralized safety systems that use I/O connected via digital networks.

A method for coping with the relatively slow speed of these modern centralized safety systems is to distribute the safety, in this case with local trip modules. "Digital firmware-based instrumentation has longer response times due to processing firmware and input signal filtering to deal with noise coming into the instrument from the environment," Stockham explains. "The overall response time of digital is slightly slower, usually about one second, from input signal change to output reaction."
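The trip modules described above (Moore's SIL-rated limit trips here, and the Diamond-SIS analog trip modules in the earlier section that de-energize final elements) can be modelled in a few dozen lines. The following Python is an added example written for this page, not code from Moore Industries, SIS-Tech or the article: it scales a 4-20 mA loop signal to engineering units, applies a moving-average input filter of the kind Stockham cites as a source of latency, trips on a high limit with a de-energize-to-trip output, a latched trip state and a manual reset, and treats an out-of-range loop current as a fault. The loop-fault thresholds, setpoints, scan values and filter lengths are constructed assumptions; the step test counts scans until trip for different filter lengths, which is the response-time effect the quote describes.

```python
# Added example (not from the article or any vendor): a software model of a
# high-limit trip module. All numeric values are constructed for illustration.
from collections import deque


def ma_to_eng(current_ma, lo, hi):
    """Scale a 4-20 mA loop current linearly to engineering units (4 mA -> lo, 20 mA -> hi)."""
    return lo + (current_ma - 4.0) * (hi - lo) / 16.0


class TripModule:
    """High-limit trip with a de-energize-to-trip output and a latched trip state.

    energized=True  : output contact closed, final element (e.g. solenoid) held healthy
    energized=False : output de-energized, i.e. tripped or loop fault
    """

    # Loop currents outside this band are treated as a broken wire or failed
    # transmitter (thresholds are constructed for the example, not a standard).
    LOOP_MIN_MA = 3.8
    LOOP_MAX_MA = 20.5

    def __init__(self, lo, hi, trip_setpoint, deadband, filter_taps):
        self.lo, self.hi = lo, hi
        self.trip_setpoint = trip_setpoint
        self.deadband = deadband
        # Moving-average input filter; filter_taps=1 means no filtering,
        # i.e. the fastest possible response to an input change.
        self.window = deque(maxlen=filter_taps)
        self.pv = None
        self.loop_fault = False
        self.energized = True

    def scan(self, current_ma):
        """One scan cycle: read the loop, filter, evaluate the trip. Returns the output state."""
        if not (self.LOOP_MIN_MA <= current_ma <= self.LOOP_MAX_MA):
            # Fail-safe: a bad signal is treated as a trip, never ignored.
            self.loop_fault = True
            self.energized = False
            return self.energized
        self.loop_fault = False
        self.window.append(ma_to_eng(current_ma, self.lo, self.hi))
        self.pv = sum(self.window) / len(self.window)
        if self.pv >= self.trip_setpoint:
            self.energized = False        # latched until an explicit reset
        return self.energized

    def reset(self):
        """Manual reset: only permitted once the loop is healthy and the filtered PV
        is back below setpoint minus deadband. Returns True if the output re-energized."""
        if self.loop_fault or self.pv is None:
            return False
        if self.pv <= self.trip_setpoint - self.deadband:
            self.energized = True
            return True
        return False


def scans_to_trip(filter_taps, settle_scans=10):
    """Constructed step test: hold a healthy PV, then step the loop current above
    the trip point and count scans until the output de-energizes. Longer filters
    mean more scans (and therefore more time) before the trip acts."""
    tm = TripModule(lo=0.0, hi=100.0, trip_setpoint=80.0, deadband=5.0,
                    filter_taps=filter_taps)
    for _ in range(settle_scans):
        tm.scan(8.0)                      # 8 mA -> 25.0, well below the trip point
    for k in range(1, 100):
        if not tm.scan(18.0):             # 18 mA -> 87.5, above the trip point
            return k
    return None


if __name__ == "__main__":
    for taps in (1, 3, 5, 10):
        print(f"filter taps={taps:2d}: trips after {scans_to_trip(taps)} scan(s)")
```

With these constructed values the step test trips after 1, 3, 5 and 9 scans for 1, 3, 5 and 10 filter taps; multiplying by the scan period gives the added response time. The trade-off is the one the quote implies: fewer taps means a faster trip but more exposure to noise-induced spurious trips, which is what any fast-response setting has to balance against the process's required trip time.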

Moore Industries software engineers amended the firmware on the company's SPA2 Site-Programmable Alarm to produce a "fast response" option to match the performance of their customer's obsolete analog system.

Distributed Safety Makes Sense for Modules

The major automation vendors are at the forefront of distributed safety systems. Honeywell has the Safety Manager (SM) system, while Emerson Process Management (www.emersonprocess.com) offers the DeltaV SIS (Figure 2), and most of the other major automation vendors offer various versions of distributed safety.

Safety controllers and I/O everywhere

Figure 2. Distributed safety systems allow process plants to locate safety controllers, safety I/O and operator interface panels throughout their facilities.

Kim Conner, DeltaV SIS program manager, says Emerson has installed more than 170 DeltaV SIS systems with a distributed architecture. As Emerson has installed over 700 DeltaV SIS systems in total, the distributed architecture versions represent a significant percentage. "A number of the projects where DeltaV SIS was implemented in a distributed manner were greenfield projects. As an example, a floating production, storage and offloading (FPSO) marine application was constructed in modules. Each module, or section of the FPSO, was constructed separately—sometimes in different parts of the world. Having a distributed safety system enabled instrumentation in each module to have the wiring to the distributed DeltaV SIS logic solvers completed and tested during the module construction."

Dealing with a new safety concept isn't always easy, says de Groot. "The biggest challenge in relation to distributed safety is agreement of all involved disciplines on the safety strategy to be used," he says. "In other words, what will be the safest and most reliable approach in relation to the safety distribution? This is a balance that needs to be discussed, as it will impact the safety requirements, availability requirements, technology and company philosophy."

Offshore projects seem to lend themselves to distributed safety. Emerson has done several, as has Honeywell. "For a customer in Vietnam, we deployed our remote universal safe I/O on an offshore platform," de Groot says. "The platform will be positioned at sea, and production should start in the fourth quarter. The system has 28 redundant I/O modules divided over two Safety Managers."

Richard McKormick, president of systems integrator Mick Automation, Levis, Quebec, Canada, likes the idea of distributed safety. "I think this is the future, mainly because of equipment cost reductions. Centralized safety systems are quite expensive."

As for acceptance by the industry, he thinks that as the number of implementations increases, distributed safety will become more recognized. In fact, McKormick is getting ready to tackle such a system himself. "What we're planning to use for now is remote I/O for the safety system, such as Honeywell Safety Manager, with configurable I/O like Emerson's DeltaV soft marshalling. So it will become distributed, but not at the processor level like a safety network implies."

In many ways, distributed safety is still in early stages, much like distributed control in the 1990s. But like distributed control, distributed safety promises to become more widespread as more end users realize its advantages, as suppliers respond with appropriate products, and as regulatory agencies adopt and approve related safety standards.

Dan Hebert is Control's senior technical editor.