Q: Can you remotely control a liquified petroleum gas (LPG) fractionation process from a centralized control center? The distance is 400 kilometers. If not, what are the high-risk reasons that necessitate having a local control room at the site of the fractionation process?
A: My question is, how will your proposed system be protected from cyber attacks? Do you plan to use the Internet for your remote control? If your answer is yes, my advice is don't do it. The reason is hacking and cyber attacks.
Today, the only reason cyber attacks are not yet more widely used is because of fear of retaliation. Yet, they're already used both in cyber warfare (exemplified by the Israeli attack on Iran's centrifuges) and also in industry, such as the hacker attack this year on the Onslow Water Authority in North Carolina, and one could go on (Figure 1).
In my view, the bad guys are just as smart as the good ones, and they can not only spread misinformation and psychologically manipulate people, but they could turn our nuclear power plants into atomic bombs, sink unmanned oil drilling platforms, or attack the electric grid, and they probably will, or will at least try. Some vendors might say that their firewall is perfect, but I say that no firewall or proprietary protocol provides full protection. Murphy's Law still applies in this digital age. My view is that control software should never touch the Internet. Some might say that placing independent barriers and protections around a SCADA systems will keep communication paths secure, but I wouldn't try it. In my view, remote operation through the Internet is asking for trouble, and the same holds for all linking of plant operations networks with the Internet.
A: Controlling remotely in a secured way is possible and distance is not a bar. You need to consider the following:
- You must have standalone control and safeguarding systems installed locally to control and safeguard the process. All the field Instrumentation shall be hardwired to the system with proper segregation.
- You must specify failsafe condition of final control elements.
- You should have a remote, web-based client for monitoring the whole process. Remember to take care of cybersecurity requirements—this will be a Level 4 system.
- You can govern and alter setpoints remotely, and start up the facility.
I hope the above explains the basic concept.
Deputy manager C&I, Petrofac International
A: Yes, it should be possible to control remotely. On one of my projects, we have a remote gas platform about 25 km into the sea. It's remotely controlled by a centralized control room on land about 25 km away. Connectivity is redundant, fiber-optic cables backed up by a redundant, line-of-sight microwave link. However:
- All required DCS/ESD/FGS hardware are mounted locally on the platform. Hence the response time for control and shutdown is not dependent on distance. The ESD system is rated SIL3.
- There's a small local control room with a couple of screens, which is used for startups and also in case of disruption in all remote communications (fiber-optic and microwave). So far, this hasn't happened.
- Although designed for unmanned operations, the platform is manned day and night for operations and maintenance, but control is from the remote control room.
With the above architecture and safeguards, we didn't find distance an issue. Your mentioned distance is higher and process is faster; but that should not matter if at least some of the measures listed above are considered. I also suggest you carry out a Hazop to discuss all possible scenarios arising out of this architecture.
Harvindar Singh Gambhir
JIO CoE – Instrumentation, controls and automation, Navi Mumbai
A: Our MIGbox series gives solution of local control (within device) and remote monitoring and operational control via our cloud platform. Geography is "history" now. We can easily do control from anywhere on earth (with a couple of seconds latency in some worst cases, and maybe four hours or so latency from Mars).
A: To me, the risk of remotely controlling assets is cyber.
Joe Weiss PE, CISM, CRISC
ISA Fellow, IEEE Senior Member,
Managing Director ISA99
Applied Control Solutions, LLC
Q: I work as a product manager for Emerson. In the column on custody transfer, you stated that the DP flow turndown on liquid service is 3:1 to 4:1, and does not have the ability to compensate for discharge coefficient. Rosemount’s 3051SMV with Ultra for Flow dynamically compensates for changes in discharge coefficient 22 times per second, and is capable of ±1% of mass flow measurement over a 14:1 turndown on flow.
A: My column discussed standard DP cells—you are right that smart ones provide 200:1 ΔP or 14:1 flow rangeability.
Concerning discharge coefficient compensation, which is provided to correct for gas expansion, and concerning thermal expansion factors in the DP mass flow equation, it should be emphasized that the value of natural gas is a function of its composition and heating value, and pressure and/or temperature don't detect either of them, no matter how often the calculation is performed.
In addition, the DP cell doesn't measure mass flow (nor volumetric flow); it measures the square root of the pressure differential across a flow element. Also, the DP cell is only one component in the flow detection loop, and therefore it's misleading to imply that the DP accuracy and the flow measurement accuracy are the same. They are not. The flow measurement error is the sum of all other loop component errors, including installation ones.
You say your flow measurement error is ±1% without stating ±1% of what. If you are claiming a ±1% AR (actual reading) accuracy at minimum flow (full flow divided by 14), then you're claiming that your detector's full scale flow accuracy is 1/14 = ±0.071% FS. If that's what you claim, that means that in terms of ΔP, you're claiming an accuracy of ½00 = ±0.005% FS, which is obviously unrealistic.
On the other hand, if your ±1% flow accuracy claim refers to ±1% FS, that error at minimum flow corresponds to an error of ±14% AR, which makes the measurement useless.
A: Regarding the use of DP flowmeters for custody transfer, my advice has always been, don’t. Aside from the fact that DP flowmeters were never intended for measuring mass flow, there's the frequent error of installation and wear of the orifice, which doesn't maintain a sharp edge.
For the ISA CAP course, I teach that an orifice/DP flowmeter is great for control purposes, since even when incorrect, it is consistently incorrect and highly useful for flow control. I've even used orifice/DP for measuring steam flow in an energy/mass balance situation on a paper machine, but that's far from custody transfer.
However, even with pressure and temperature compensation, it just isn't accurate enough for custody transfer. I recommend a Coriolis flowmeter, or for some liquids in a low-flow situation, a positive displacement pump. In class, I use an example of meter accuracy vs. tank level measurement for custody transfer. Only a Coriolis flowmeter can rival the accuracy of custody transfer through tank level measurement.
ISA Life Fellow