Emerson’s Maruti Dey, a technical consultant with expertise in safety instrumented systems (SIS), gave an Emerson Exchange presentation, How to Avoid Shooting Yourself in the Foot with Your SIS? In the presentation, Maruti described using SIS transmitters in a dual-purpose role: for safety functions and with the basic process control system (BPCS) control strategies.
In a recent project that Emerson implemented for a refinery, there were many cases where safety instrumented functions (SIFs) were specified that had BPCS control loops operating off the same process variable.
A key objective was to make use of the SIS transmitters to improve the reliability of the control system and to reduce demands on the safety system. The team also wanted to avoid using four transmitters per process variable (three for the SIF and one for the control system PID control loop) without impacting their ability to meet their safety integrity and process availability requirements.
One option considered was to wire three transmitters to DeltaV SIS and to share the process variables (PVs) with DeltaV for PID control. The control loop would use the middle of three data points, increasing reliability by having multiple transmitters to rely on and keeping the control valve action to a minimum. Most of the loops have pressure, flow, and level controllers for small volumes. In order to keep up with the fast process dynamics, these controllers run every half second.
For this project, the team was on an earlier version of DeltaV and DeltaV SIS, so this middle-select approach could not be used due to data communications latency between the SIS and BPCS. In version 11, the I/O update rate from the SIS logic solver to the BPCS controller was increased to 100 msec, so middle select would be an option there. For this project, another option was considered.
A second option was to use three transmitters (two SIS and one BPCS) for generation of deviation alarming. For the safety function, it was found that using a 2oo2D (two out of two, with diagnostics coverage) field device architecture could meet the safety integrity and the availability requirements, reducing the total transmitter count from four to three.
The integrated control and safety system would be configured to compare the SIS PV data against the PV from the BPCS transmitter. If the deviation between the SIS transmitters and the BPCS transmitter exceeded 10%, the BPCS PID loop would be forced into manual mode (see slide 25). This transition to manual mode would prevent the controller from driving the control valve too far open or closed and would cause an alarm so the operator could assess the situation and take appropriate action.
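The two options described above (middle-of-three selection and the deviation check that forces the loop to manual), as an added Python example; it is not DeltaV configuration and not code from the presentation. Assumptions: the 10% limit is read as percent of transmitter span, a deviation on either SIS transmitter trips the check, manual mode latches until an operator resets it, and a proportional-only calculation stands in for the PID block; the range, gain, and readings are constructed.

```python
from dataclasses import dataclass
from statistics import median

DEVIATION_LIMIT_PCT = 10.0    # limit from the article; "percent of span" is an assumption
SPAN_LO, SPAN_HI = 0.0, 20.0  # constructed transmitter range

def middle_select(pv_a, pv_b, pv_c):
    """Option 1: control on the middle of three readings, so a single
    transmitter failing high or low never reaches the PID block."""
    return median((pv_a, pv_b, pv_c))

@dataclass
class Loop:
    setpoint: float
    gain: float = 2.0             # % output per % of span error (constructed)
    mode: str = "AUTO"            # "AUTO" or "MAN"
    output_pct: float = 50.0      # valve demand; held while in MAN
    deviation_alarm: bool = False

def worst_deviation_pct(sis_pvs, bpcs_pv):
    """Largest SIS-vs-BPCS disagreement, as percent of span."""
    return max(abs(p - bpcs_pv) for p in sis_pvs) / (SPAN_HI - SPAN_LO) * 100.0

def scan(loop, sis_pvs, bpcs_pv):
    """Option 2, one execution: compare PVs, force MAN on deviation, else control."""
    if worst_deviation_pct(sis_pvs, bpcs_pv) > DEVIATION_LIMIT_PCT:
        loop.mode = "MAN"         # latched until an operator resets it (assumption)
        loop.deviation_alarm = True
    if loop.mode == "AUTO":       # proportional-only stand-in for the PID block
        err_pct = (loop.setpoint - bpcs_pv) / (SPAN_HI - SPAN_LO) * 100.0
        loop.output_pct = min(100.0, max(0.0, 50.0 + loop.gain * err_pct))
    return loop.mode, loop.output_pct

def run_drift_case():
    """Constructed data: the BPCS transmitter drifts low while both SIS PVs hold."""
    loop = Loop(setpoint=10.0)
    bpcs_readings = [10.0, 9.5, 8.5, 7.5, 5.0, 2.0]
    return [scan(loop, (10.0, 10.1), pv) for pv in bpcs_readings], loop

if __name__ == "__main__":
    print("middle of (10.0, 10.1, 2.0):", middle_select(10.0, 10.1, 2.0))
    for mode, out in run_drift_case()[0]:
        print(mode, round(out, 1))
```

In the constructed drift case the loop trips to manual at the fourth reading and the valve demand stays where it was; without the check, the last reading would have driven the output to its upper clamp.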
This solution was straightforward since the DeltaV and DeltaV SIS systems are integrated in such a way that SIS data can be used in BPCS controls without having to map data between the systems via MODBUS or OPC communications methods. To maintain the physical separation and independence required by IEC 61511, DeltaV and DeltaV SIS have physically separate power supplies, communication channels, hardware, and real-time operating systems. However, functions such as configuration, operations, maintenance, asset management, training, and alarm handling can be shared between the BPCS and SIS.
It sounds like Maruti and the team developed a creative solution that improved the reliability of the control system, reduced demands on the safety system, resulted in fewer transmitters, and provided backup transmitters for the PID control loop.