Overview of Control System Design

  1. Safety. It is imperative that industrial plants operate safely so as to promote the well-being of people and equipment within the plant and in the nearby communities. Thus, plant safety is always the most important control objective and is the subject of Section 10.5.
  2. Environmental Regulations. Industrial plants must comply with environmental regulations concerning the discharge of gases, liquids, and solids beyond the plant boundaries.
  3. Product Specifications and Production Rate. In order to be profitable, a plant must make products that meet specifications concerning product quality and production rate.
  4. Economic Plant Operation. It is an economic reality that the plant operation over long periods of time must be profitable. Thus, the control objectives must be consistent with the economic objectives.
  5. Stable Plant Operation. The control system should facilitate smooth, stable plant operation without excessive oscillation in key process variables. Thus, it is desirable to have smooth, rapid set-point changes and rapid recovery from plant disturbances such as changes in feed composition.

Operator’s View of Process Control

Pump A pumping oil has tripped - Cause Unknown

You switch to Pump B. That also trips - Cause Unknown

Soon hundreds of alarms are going off – Cause(s) Unknown

Within minutes there is an explosion and a fire. Two people are killed and several hurt at this point.

It is 10:00 at night

The plant manager is in Aberdeen, Scotland, and not available

You are on top of an off-shore oil platform in the middle of the North Sea

You are the Shift Supervisor: What do you do?

Process Safety is a Major Concern:
The BIG Ones

Piper Alpha Disaster, Occidental Petroleum, Scotland, 1988

Off-shore oil platform explosion

164 people killed

$2 Billion in losses

Union Carbide, Bhopal, India, 1984

 MIC release into atmosphere

 3000-10,000 people killed

 100,000 injured

 $0.5-1.0 Billion in losses

The BIG Ones: More recently….

Mina Al-Ahmadi Refinery, KNPC, Kuwait, June 2000

Leak led to flammable vapor release and explosion

7 people killed, 50 injured

$400 Million in losses

Petrobras, Brazil, March 2001

Off-shore oil platform explosion

10 people killed, $5 Billion in losses

Platform sank into the Atlantic Ocean

Ammonium Nitrate Explosion in Toulouse, France

21 September 2001

31 People Killed

2,442 Injured

Losses in Hundreds of millions dollars

Relatively “Minor” Incidents happen more often

Mobil, Torrance, CA explosion & fire, 10/94

Conoco Lake Charles, LA, cat cracker fire, 10/94

Miles chemical plant, Baytown, TX, acid leak, 11/94

Koch, Corpus Christi, TX, separator explosion, 11/94

Mobil, Paulsboro, NJ, chemical releases, 11/94

Terra Industries, Sioux City, IA, explosion, 12/94

Chevron, El Segundo, CA, furnace fire, 1/95

Mobil, Torrance, CA, gasoline spill, 2/95

Unocal, San Francisco, acid overflow/leak, 3/95

Amoco, Carteret, NJ, depot leak/fire, 3/95

Clark, Blue Island, IL, refinery fire/extended closure, 3/95

Ultramar, Wilmington, CA, tank leak/fire, 3/95

Conoco, Ponca City, OK, crude topping unit fire, 3/95

Sun Oil, Philadelphia, gas leak, 4/95

Napp Technologies, Lodi, NJ, explosion & fire, 4/95

Rhone-Poulenc, Philadelphia, granulator explosion and fire, 5/95

Reichhold Chemicals, Grundy Co, IL, rupture/fire/spill, 5/95

BP, Lima and Toledo, OH refinery fires, 5/95

Ultramar, Wilmington, CA, crude unit fire, 6/95

Unocal, San Francisco, naphtha tank fire, 6/95

Tosco, San Francisco, crude unit fire, 6/95

Murphy Oil, New Orleans, solvent extraction unit fire, 7/95

Amoco Oil, Texas City, cat cracker explosion & fire, 7/95

Conoco, Ponca City, OK, refinery fire, 7/95

24 incidents: 12 deaths, hundreds hurt, $1B+ losses, $10B+ impact

Source: Honeywell ASM Consortium

The AEM (Abnormal Event Management) Problem: Important and Challenging

$20B+ impact on U.S. economy; $10B impact on petrochemical companies

“A billion here… a billion there…

pretty soon you are talking real money…”

Petrochemical companies have rated AEM their #1 problem

Modern plants are more difficult to control, diagnose and manage

Complex configurations, very large scale

Running process at its limit reduces margin for error

Plant-wide integration makes reasoning difficult

Advanced control puts process in states which operators have difficulty managing in the event of an upset

Fewer experienced operating personnel due to downsizing

Lack of adequate training of operators

Typical Complaints from Operators

Inadequate precision of temporal information (e.g. lack of true alarm order)

Excessive nuisance alarms due to weak conditional alarming capabilities.

Inadequate anticipation of process disturbances

Lack of real-time root-cause analysis (alarming is symptom-based)

Lack of distinctions between instrument failures and true process deviations

Poor integration of multiple information and control system components.

Limited capabilities to view interrelated process data.

Lack of adequate tools to measure, track, and access past records of abnormal situations.

Limited or time-consuming access to procedures or operating instructions.

Cumbersome and un-integrated communications between and within plant units.
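Two of the complaints above (no true alarm order, nuisance alarms from weak conditional alarming) are exactly what the shift supervisor in the opening scenario runs into: hundreds of alarms, cause unknown. The following is an added example, not code from the page's source text or from any DCS vendor: a small sequence-of-events recorder that orders alarms by their hardware timestamp rather than by the order the control system happened to scan them (first-out), and suppresses alarms that are an expected consequence of an earlier event so only the root event reaches the operator. The tag names, the cause-and-effect table and the event stream are all constructed for the illustration; in a plant the table would come from the HAZOP and alarm rationalization.

```python
"""Added example: first-out ordering plus state-based alarm suppression.
Illustrative only; tags, timestamps and the cause table are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Alarm:
    t_ms: int             # hardware timestamp, milliseconds from the plant clock
    tag: str              # instrument or equipment tag
    cause: Optional[str]  # earlier event that explains this alarm, if any

# Constructed cause-and-effect table: an alarm listed here is an expected
# consequence of any of the listed upstream events and is hidden from the
# operator's alarm list while its cause is recent.
CONSEQUENCE_OF: Dict[str, Set[str]] = {
    "FI-101_LOW": {"PUMP_A_TRIP", "PUMP_B_TRIP"},
    "PI-102_LOW": {"FI-101_LOW"},
    "PI-103_LOW": {"FI-101_LOW"},
}
SUPPRESS_WINDOW_MS = 2000  # a consequence must follow its cause within 2 s

# Constructed event stream (time_ms, tag) as the DCS delivered it.  Note the
# first entry arrived first in scan order but happened last in the flood:
# reading the list top to bottom gives the wrong first-out alarm.
EVENTS: List[Tuple[int, str]] = [
    (1030, "PI-103_LOW"),
    (1000, "PUMP_A_TRIP"),
    (1020, "FI-101_LOW"),
    (1025, "PI-102_LOW"),
    (5000, "PUMP_B_TRIP"),
    (5018, "FI-101_LOW"),
    (5022, "PI-102_LOW"),
    (9000, "TI-201_HIGH"),   # unrelated alarm, nothing explains it
]


def triage(events: List[Tuple[int, str]],
           window_ms: int = SUPPRESS_WINDOW_MS) -> Tuple[List[Alarm], List[Alarm]]:
    """Return (alarms shown to the operator, alarms suppressed as consequences),
    both in true time order.  Suppressed alarms keep their cause for review."""
    shown, hidden = [], []
    last_seen: Dict[str, int] = {}        # tag -> timestamp of its latest event
    for t, tag in sorted(events):         # order by hardware timestamp, not scan order
        cause = None
        for candidate in CONSEQUENCE_OF.get(tag, ()):
            if candidate in last_seen and 0 <= t - last_seen[candidate] <= window_ms:
                cause = candidate
                break
        last_seen[tag] = t
        (hidden if cause else shown).append(Alarm(t, tag, cause))
    return shown, hidden


def first_out(events: List[Tuple[int, str]]) -> str:
    """Tag of the earliest event by timestamp: the first-out alarm."""
    return min(events)[1]


if __name__ == "__main__":
    shown, hidden = triage(EVENTS)
    print("first-out:", first_out(EVENTS))
    print("shown   :", [(a.t_ms, a.tag) for a in shown])
    print("hidden  :", [(a.t_ms, a.tag, a.cause) for a in hidden])
```

With the constructed stream the operator sees three alarms (PUMP_A_TRIP, PUMP_B_TRIP, TI-201_HIGH) instead of eight, and the first-out is PUMP_A_TRIP even though the DCS delivered PI-103_LOW first. The suppression depends on the timestamp being applied at the I/O module, not at the operator station: if the clock is the scan cycle, the ordering is only as good as the scan.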

Need Intelligent Control

  1. A very thorough safety review is conducted during the final stage of the process design using techniques such as hazard and operability (HAZOP) studies, failure mode and effect analysis, and fault tree analysis.
  2. After plant operation begins, HAZOP studies are conducted on a periodic basis in order to identify and eliminate potential hazards.
  3. Many companies require that any proposed plant change or change in operating conditions receive formal approval via a Management of Change (MOC) process that considers the potential impact of the change on the safety, environment, and health of the workers and the nearby communities. Proposed changes may also require governmental approval, as occurs for the U.S. pharmaceutical industry, for example.
  4. After a serious accident or plant “incident”, a thorough review is conducted to determine its cause and to assess responsibility.

Multiple Protection Layers

•In modern chemical plants, process safety relies on the principle of multiple protection layers (AIChE, 1993b; ISA, 1996). A typical configuration is shown in Figure 10.11.

•Each layer of protection consists of a grouping of equipment and/or human actions. The protection layers are shown in the order of activation that occurs as a plant incident develops.

•In the inner layer, the process design itself provides the first level of protection.

Figure 10.11. Typical layers of protection in a modern chemical plant (CCPS 1993).

•The next two layers consist of the basic process control system (BPCS) augmented with two levels of alarms and operator supervision or intervention.

•An alarm indicates that a measurement has exceeded its specified limits and may require operator action.

•The fourth layer consists of a safety interlock system (SIS) that is also referred to as a safety instrumented system or as an emergency shutdown (ESD) system.

•The SIS automatically takes corrective action when the process and BPCS layers are unable to handle an emergency. For example, the SIS could automatically turn off the reactant pumps after a high temperature alarm occurs for a chemical reactor.

•Relief devices such as rupture discs and relief valves provide physical protection by venting a gas or vapor if over-pressurization occurs.

•As a last resort, dikes are located around process units and storage tanks to contain liquid spills.

•Emergency response plans are used to address emergency situations and to inform the community.

Fig. 10.12 A general block diagram for an alarm system.

Fig. 10.13 Two flow alarm configurations.

Fig. 10.14 Two interlock configurations.

Safety Interlock System (SIS)

•The SIS in Figure 10.11 serves as an emergency back-up system for the BPCS.

•The SIS is triggered automatically when a critical process variable exceeds the specified trip limits that define the allowable operating region.

•Its initiation results in a drastic action such as starting or stopping a pump or shutting down a process unit.

•Consequently, it is used only as a last resort to prevent injury to people or equipment.

•It is very important that the SIS function independently of the BPCS; otherwise, emergency protection will be unavailable during periods when the BPCS is not operating (e.g., due to a malfunction or power failure).

•Thus, the SIS should be physically separated from the BPCS (AIChE, 1993b) and have its own sensors and actuators. A transmitter, power supply, or communication path shared with the BPCS is a common-cause failure: a single stuck sensor or lost supply then disables two layers of protection at once.
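The following added example (not code from the page's source text or from any vendor) simulates the protection layers just described for a constructed reactor-temperature loop: a PI controller in the BPCS, two alarm levels driven from the BPCS measurement, and an SIS that trips the feed pump from its own transmitter. The process model, limits, and controller tuning are all invented for the illustration. The last two scenarios show why the independence in the bullet above matters: with the BPCS transmitter stuck at its normal reading, the BPCS raises no alarm at all, an SIS with its own sensor still trips, and an SIS that shared the stuck sensor would never act.

```python
"""Added example: independent protection layers for a reactor temperature loop.
All parameters, limits and gains are constructed for illustration."""
from typing import Optional

DT = 1.0            # simulation step, seconds
SETPOINT = 80.0     # BPCS set point, deg C
HI_ALARM = 90.0     # first alarm level: operator is warned
HIHI_ALARM = 95.0   # second alarm level: operator is expected to intervene
SIS_TRIP = 100.0    # SIS trip limit: automatic shutdown, no operator involved
Q_NOMINAL = 6.0     # nominal heat release from feed, deg C per second
UA = 0.2            # cooling capacity per unit valve opening, 1/s
T_COOL = 20.0       # coolant temperature, deg C
KC, TAU_I, U_BIAS = 0.1, 10.0, 0.5   # PI tuning and valve bias (constructed)


def bpcs_controller(measured: float, integral: float):
    """Layer 2, basic process control: PI controller on the cooling valve.
    Returns (valve position clamped to 0..1, updated integral term)."""
    err = measured - SETPOINT
    integral += err * DT
    u = U_BIAS + KC * err + KC / TAU_I * integral
    return min(max(u, 0.0), 1.0), integral


def run(disturbance: float, bpcs_sensor_frozen_at: Optional[int] = None,
        sis_shares_bpcs_sensor: bool = False, steps: int = 400) -> dict:
    """Simulate one upset.  `disturbance` is extra heat release (deg C/s);
    `bpcs_sensor_frozen_at` sticks the BPCS transmitter at the reading it has
    on that step (an instrument failure); `sis_shares_bpcs_sensor=True` models
    the non-independent design the text warns against."""
    T, integral, pump_on, frozen = SETPOINT, 0.0, True, None
    log = {"alarms": [], "trip_step": None, "T_max": T}
    for k in range(steps):
        # Layer 2: the BPCS reads its own transmitter, which may be stuck.
        if bpcs_sensor_frozen_at is not None and k >= bpcs_sensor_frozen_at:
            frozen = T if frozen is None else frozen
        bpcs_meas = T if frozen is None else frozen
        u, integral = bpcs_controller(bpcs_meas, integral)
        # Layer 3: two alarm levels, driven from the BPCS measurement.
        for limit, name in ((HI_ALARM, "HI"), (HIHI_ALARM, "HIHI")):
            if bpcs_meas >= limit and name not in log["alarms"]:
                log["alarms"].append(name)
        # Layer 4: SIS with its own transmitter and its own final element
        # (the feed pump).  The trip latches; the BPCS cannot restart the pump.
        sis_meas = bpcs_meas if sis_shares_bpcs_sensor else T
        if pump_on and sis_meas >= SIS_TRIP:
            pump_on, log["trip_step"] = False, k
        # Process: constructed energy balance, heat in minus cooling out.
        q_in = Q_NOMINAL + disturbance if pump_on else 0.0
        T += DT * (q_in - u * UA * (T - T_COOL))
        log["T_max"] = max(log["T_max"], T)
    log["T_final"] = T
    return log


if __name__ == "__main__":
    scenarios = [
        ("steady state", dict(disturbance=0.0)),
        ("BPCS absorbs the upset", dict(disturbance=3.0)),
        ("alarms, then SIS trip", dict(disturbance=12.0)),
        ("stuck BPCS sensor, independent SIS",
         dict(disturbance=12.0, bpcs_sensor_frozen_at=0)),
        ("stuck sensor shared with SIS",
         dict(disturbance=12.0, bpcs_sensor_frozen_at=0, sis_shares_bpcs_sensor=True)),
    ]
    for label, kw in scenarios:
        print(f"{label:38s} {run(**kw)}")
```

In the third scenario the BPCS saturates its valve, the HI and HIHI alarms are raised in order, and the SIS trips a few steps later; in the fourth the alarm list stays empty because the alarms hang off the same stuck transmitter, which is the "instrument failure versus true process deviation" complaint from the operators' list, and only the SIS's separate sensor catches the runaway.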

A Final Thought…

As Rinard (1990) has poignantly noted, “The regulatory control system affects the size of your paycheck; the safety control system affects whether or not you will be around to collect it.”