Distributed Safety Arrives

Just Like Distributed Control, Distributed Safety Is Coming Soon to a Process Plant Near You, Maybe Your Own

By Dan Hebert

May 2011 Cover

In the beginning, all control was distributed in the field near each particular process. Much of this control was manual, with islands of pneumatic-based automation. Then came the inaptly named "distributed control system," which was, in fact, centralized automation in the control room and its environs via monolithic centralized controllers and accompanying I/O.

But smart instruments, local valve controllers, digital fieldbus networks and other new technologies moved control out into the field—closer to the processes and often to field-based operations personnel. This resulted in the current architecture of most process automation systems, namely, distributed control with automation and operator interfaces applied as needed in the control room and throughout the plant.

Process safety systems are following much the same path: first distributed, or often non-existent systems; then centralized via triple-modular-redundant safety controllers and local I/O; and now distributed via SIL-rated safety networks connected to safety-rated intelligent I/O, and via ever smarter and often redundant instruments and controllers.

Distributed safety is relatively new, and in the present litigious climate, many end users are reluctant to discuss safety systems. But the process safety market is growing rapidly, say analysts at Frost & Sullivan in its recent "Strategic Analysis of the European Process Safety Market" study. It predicts that Europe's process safety market will grow from just over $459 million in 2010 to more than $632 million by 2016. Part of this growth will come from distributed safety systems because they provide advantages over centralized safety.

Even process plants that don't directly purchase and implement distributed safety systems often find their facilities abound with the same in the form of process skids and packaging machines purchased from OEMs. These often have their own safety controls and at least some limited operator interface (see "Stealth Distributed Safety" in this article).

In some instances, these skids and machines are purchased without automation, and instead are controlled by the plant's existing automation system. But even then, some safety-related control and limited operator interface are often retained to ensure safe local operation and shutdown in the event of failure of the main automation system.

Many of the advantages of distributed safety are similar to those realized with distributed control. Chief among them are independent operation and safe shutdown in the event of failure of the main automation system.

The components of safety systems in process plants are also similar to those used in distributed control. Some areas in process plants are potentially more dangerous than others, and these areas make particularly good candidates for distributed safety systems.

Taking Safety Underground

Marcus Hedlund, control engineer at Borealis AB's (www.borealisgroup.com) Stenungsund cracker in Sweden, installed a Honeywell Safety Manager (SM) system in an underground mining cavern (Figure 1).

"Borealis installed an SM in the control building with distributed remote safety-rated I/O close to the cavern, roughly 1.5 km away," explains Hedlund. "The main benefit is that all safety functions can be programmed in one environment. Minimizing the number of systems involved is important since most of the challenges in an installation are in the interface between systems."

The Borealis application used distributed smart safety I/O communicating over Honeywell's (http://hpsweb.honeywell.com) SIL 3-rated SafeNet communication network via a redundant fiber-optic link. Another aspect of distributed safety was the local operator interface.

"There is a view-only operator station in the instrumentation room close to the cavern. This is mainly used for instrument technicians and electricians when performing troubleshooting. The main operator station is in the main control building, and only keyboard/video/mouse signals are communicated to the remote location. This simplifies maintenance, but it's also for safety reasons. Other local operator interface input consists of a few pushbuttons for emergency stop and reset," adds Hedlund.

"With full integration of the SM in the Experion DCS system, the safety functions are very clearly presented to the operators. This helps the operators a lot in troubleshooting, since safety is now out of the black box," says Hedlund.

Erik de Groot, marketing manager for safety systems at Honeywell, adds, "Everything can be programmed with the same functions. This greatly simplifies engineering, since many control and safety functions have I/O in both locations, such as alarms and overrides in the control room and transmitters and command signals in the remote location."

Another major advantage of distributed safety is easier future expansion. "Remote I/O installations are more scalable than cabled installations. Cable installations are normally done with 25% spare capacity, whereas a remote I/O installation can have virtually unlimited spare capacity simply by adding remote I/O modules," concludes de Groot.

Simplifying Distributed Safety

In many cases, simpler is better and more reliable, particularly when implementing a critical function such as safety. "Most centralized safety PLCs or DCSes cover multiple process units and, in some cases, an entire facility," says Angela Summers, president of SIS-Tech Solutions (www.sis-tech.com).

"In such a system, central system performance impacts multiple units, and its operation and maintenance can be a constraint for process turnarounds. In many cases, a distributed safety system can be less complex, easier to implement and maintain, and significantly more cost-effective," adds Summers.

At Valero's (www.valero.com) refinery in Memphis, Tenn., SIS-Tech installed a Diamond-SIS distributed safety system on a distillate hydrotreater unit to monitor four scenarios involving low level and flow that could lead to overpressure of equipment within the unit.

"Each hazard was addressed with its own Diamond-SIS safety system, all operating independently of each other and of any other automation system," explains Summers. "Standard communication protocols were used to transmit information from each safety system to the control room, so the overall system functioned in an integrated fashion from the operators' perspective, as they could receive process and diagnostics alarms and take action on the system using the operator console."

Each independent Diamond-SIS uses analog trip modules that receive discrete and/or analog inputs and generate digital contact outputs to de-energize final elements, such as solenoids or motor control circuits. "A Diamond-SIS has significantly less common-cause failure potential compared to centralized PLCs or DCSes," says Summers. "With distributed SISes, each function is operated, inspected, maintained and tested independently, and the performance of each SIS impacts only the equipment it's designed specifically to protect."

Eddie Brawner, I/E supervisor at Calcasieu Refining (www.calcasieurefining.com) in Lake Charles, La., agrees that simplicity is a benefit. Calcasieu Refining needed to replace an obsolete and non-compliant heater protection system for its stabilizer unit, and at the same time meet both the SIS standard, ANSI/ISA 84.00.01-2004, and the National Fire Protection Association standard NFPA 86.

Calcasieu installed a SIS-Tech system on the burner management system (BMS) for the stabilizer unit heater. "One of the major benefits of a SIS-Tech system is the time savings on install and start-up due to the simple design and layout of the BMS panel. The roll-over from the old system to the new was outstanding because it was essentially plug-and-play. The operators like the ease of use of the heater light-off process, and the clear and local information on any shutdowns caused by the BMS," says Brawner.

The BMS Panel interfaces with the Calcasieu Refining control system via hard-wired discrete and analog I/O.

Distributed Safety with Trip Modules

Moore Industries (www.miinet.com) offers distributed safety solutions using safety-rated trip modules. These SIL-rated modules are typically used to provide on/off control, warn of unwanted process conditions and provide emergency shutdown. They accept a signal input from transmitters (such as 4-20 mA or 1-5 V), sensors including RTDs and thermocouples, and other monitoring and control instruments.

Rob Stockham, general manager of Moore Industries-Europe, says Moore has installed hundreds of distributed safety systems. "A recent requirement was to replace obsolete analog limit alarm trips mounted in custom racks in a U.K. polymer plant," says Stockham. "Fast trip response was required due to exothermic reaction in polymer processing, and the trip response time needed to be comparable to the existing analog safety trip system."

Stockham raises an interesting point, namely that older systems with hard-wired discrete and analog I/O could provide extremely fast response times, particularly as compared to modern, centralized safety systems that use I/O connected via digital networks.

A method for coping with the relatively slow speed of these modern centralized safety systems is to distribute the safety, in this case with local trip modules. "Digital firmware-based instrumentation has longer response times due to processing firmware and input signal filtering to deal with noise coming into the instrument from the environment," Stockham explains. "The overall response time of digital is slightly slower, usually about one second, from input signal change to output reaction."

Moore Industries software engineers amended the firmware on the company's SPA2 Site-Programmable Alarm to produce a "fast response" option to match the performance of their customer's obsolete analog system.
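The two points made in this section, that a trip module turns a 4-20 mA input into a de-energized contact output, and that input filtering in digital instruments costs trip response time, can be seen in a small model. The following is an added example written for this article; it is not Moore Industries' SPA2 firmware nor SIS-Tech's Diamond-SIS logic. It assumes a moving-average input filter (real firmware filters differ), NAMUR-style loop fault bands of 3.6 mA and 21 mA, a latched trip that needs a manual reset, and de-energize-to-trip outputs so that loss of signal or loss of power both land the process in the safe state. All signal values are constructed.

```python
"""Constructed model of a de-energize-to-trip analog trip function.

Illustrative code written for this article, not any vendor's firmware.
Assumptions: 4-20 mA transmitter input, NAMUR-style fault bands, a
moving-average input filter of configurable length, a latched trip that
requires a manual reset, and a relay output that is energized only while
the process is healthy (de-energize-to-trip).
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Optional

# Assumed loop-fault bands (NAMUR NE 43 style): outside 3.6-21 mA the loop
# is treated as failed, not as an extreme but valid process value.
FAULT_LOW_MA = 3.6
FAULT_HIGH_MA = 21.0


def ma_to_engineering(ma: float, lo: float, hi: float) -> Optional[float]:
    """Scale a 4-20 mA signal to engineering units; None on loop fault."""
    if ma < FAULT_LOW_MA or ma > FAULT_HIGH_MA:
        return None
    return lo + (ma - 4.0) / 16.0 * (hi - lo)


@dataclass
class TripModule:
    range_lo: float           # engineering value at 4 mA
    range_hi: float           # engineering value at 20 mA
    trip_setpoint: float
    trip_on: str = "high"     # "high": trip at value >= setpoint; "low": <=
    filter_samples: int = 1   # 1 = no filtering, closest to an analog trip
    output_energized: bool = field(default=False, init=False)
    _latched: bool = field(default=False, init=False)
    _window: deque = field(default_factory=deque, init=False)

    def __post_init__(self) -> None:
        if self.trip_on not in ("high", "low"):
            raise ValueError("trip_on must be 'high' or 'low'")
        self._window = deque(maxlen=max(1, self.filter_samples))

    def reset(self) -> None:
        """Manual reset (local pushbutton); output stays off until healthy."""
        self._latched = False
        self._window.clear()
        self.output_energized = False

    def scan(self, ma: float) -> bool:
        """One scan of the input; returns the output (relay) state."""
        value = ma_to_engineering(ma, self.range_lo, self.range_hi)
        if value is None:
            # Loop fault (open circuit, short, lost power): fail safe.
            self._latched = True
        else:
            self._window.append(value)
            filtered = sum(self._window) / len(self._window)
            if self.trip_on == "high" and filtered >= self.trip_setpoint:
                self._latched = True
            if self.trip_on == "low" and filtered <= self.trip_setpoint:
                self._latched = True
        # De-energize-to-trip: the relay is only held in while not tripped.
        self.output_energized = not self._latched
        return self.output_energized


def trip_latency(module: TripModule, healthy_ma: float, upset_ma: float,
                 settle_scans: int = 20, max_scans: int = 100) -> int:
    """Scans until the output de-energizes after a step change (-1 = never)."""
    module.reset()
    for _ in range(settle_scans):
        module.scan(healthy_ma)
    if not module.output_energized:
        raise RuntimeError("module must be healthy before the step change")
    for n in range(1, max_scans + 1):
        if not module.scan(upset_ma):
            return n
    return -1


if __name__ == "__main__":
    # Constructed scenario: 0-100 % range, high trip at 80 %, step 12 -> 20 mA.
    for n in (1, 10):
        m = TripModule(0.0, 100.0, trip_setpoint=80.0, filter_samples=n)
        print(f"filter_samples={n:2d}: trip after {trip_latency(m, 12.0, 20.0)} scans")
    m = TripModule(0.0, 100.0, trip_setpoint=80.0)
    m.scan(12.0)
    print("signal lost ->", "energized" if m.scan(0.0) else "de-energized")
```

With a single-sample filter the module trips on the first scan after the upset; with a ten-sample moving average the same step is not seen as above 80 % until six scans later, which is the filtering-versus-response-time trade-off Stockham describes, expressed in scan periods. The loss-of-signal case shows why the healthy state is the energized one: a broken loop or a dead module cannot hold the relay in.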

Distributed Safety Makes Sense for Modules

The major automation vendors are at the forefront of distributed safety systems. Honeywell has the Safety Manager (SM) system, while Emerson Process Management (www.emersonprocess.com) offers the DeltaV SIS (Figure 2), and most of the other major automation vendors offer various versions of distributed safety.

Kim Conner, DeltaV SIS program manager, says Emerson has installed more than 170 DeltaV SIS systems with a distributed architecture. As Emerson has installed over 700 DeltaV SIS systems in total, the distributed architecture versions represent a significant percentage. "A number of the projects where DeltaV SIS was implemented in a distributed manner were greenfield projects. As an example, a floating production, storage and offloading (FPSO) marine application was constructed in modules. Each module, or section of the FPSO, was constructed separately—sometimes in different parts of the world. Having a distributed safety system enabled instrumentation in each module to have the wiring to the distributed DeltaV SIS logic solvers completed and tested during the module construction."

Dealing with a new safety concept isn't always easy. "The biggest challenge in relation to distributed safety is agreement of all involved disciplines on the safety strategy to be used," says de Groot. "In other words, what will be the safest and most reliable approach in relation to the safety distribution? This is a balance that needs to be discussed, as it will impact the safety requirements, availability requirements, technology and company philosophy."

Offshore projects seem to lend themselves to distributed safety. Emerson has done several, as has Honeywell. "For a customer in Vietnam, we deployed our remote universal safe I/O on an offshore platform," de Groot says. "The platform will be positioned at sea, and production should start in the fourth quarter. The system has 28 redundant I/O modules divided over two Safety Managers."

Richard McKormick, president of systems integrator Mick Automation, Levis, Quebec, Canada, likes the idea of distributed safety. "I think this is the future, mainly because of equipment cost reductions. Centralized safety systems are quite expensive."

As for acceptance by the industry, he thinks that as the number of implementations increases, distributed safety will become more recognized. In fact, McKormick is getting ready to tackle such a system himself. "What we're planning to use for now is remote I/O for the safety system, such as Honeywell Safety Manager, with configurable I/O like Emerson's DeltaV soft marshalling. So it will become distributed, but not at the processor level like a safety network implies."

In many ways, distributed safety is still in early stages, much like distributed control in the 1990s. But like distributed control, distributed safety promises to become more widespread as more end users realize its advantages, as suppliers respond with appropriate products, and as regulatory agencies adopt and approve related safety standards.
Dan Hebert is Control's senior technical editor.