I.CHEM.E. SYMPOSIUM SERIES NO. 110

COMPUTER CONTROL CHEMICAL PLANT - DESIGN AND ASSESSMENT FRAMEWORK

J Pearson; J Brazendale*

ABSTRACT Computer-controlled equipment (referred to in this paper as Programmable Electronic Systems, PESs) is becoming increasingly important to the competitiveness of many industries, as it offers many advantages such as reduced cost, higher quality, greater efficiency and profitability. It also provides the opportunity to improve safety in the working environment and is a means of preventing or mitigating the effects of a major chemical plant accident.

The paper will describe a procedure for both the assessment and design of PESs which provide safety functions in the chemical process industries. Incidents where failure of a control or protection system was an important contributory factor will be described.

1 INTRODUCTION

In the economic climate of today there is increasing commercial pressure on industry to automate equipment, plant and machinery. Computer controlled processes are becoming increasingly important in the quest for higher productivity, greater efficiency and profitability. In particular the chemical industry needs to adopt high technology control systems in order to combat capital, fuel and feed-stock costs. Computers offer potential advantages in safety by providing closer supervision and better information about the process; by monitoring critical parameters and, when circumstances warrant it, initiating and carrying out a safe shutdown.

Computers or "programmable electronic systems" (PES), when applied to process control, have a significant role to play in the prevention of a major chemical accident. The sophistication and flexibility of PES, however, call for great discipline and attention to detail in all stages from conception to operation if they are to be successfully and safely employed. The UK Safety Regulatory Authority, the Health and Safety Executive (HSE), published guidelines in June 1987 entitled "Programmable electronic systems in safety related applications" (1). These guidelines set out principles to be followed in the design and assessment of such systems. This paper considers the guidelines in the design and assessment of computer control systems for chemical plants and discusses the role of computers in preventing major chemical accidents. A summary of the guidelines and Fundamental Design Principles is given in Appendix I.

* Health and Safety Executive Technology Division Magdalen House Stanley Precinct Bootle L20 3QZ

195

2 POTENTIAL HAZARDS

A number of incidents have occurred on chemical plants involving programmable control systems. These incidents, described in Section 3, have highlighted a number of failure mechanisms relevant to the application of PES to plant control.

When PES were first used in chemical plant control in the early 1960s there were difficulties such as programming in machine code or assembler language, memories were slow, and there were failures of electronic components such as germanium transistors due to air conditioning breakdowns and overheating. Spurious and unpredictable operation was sometimes caused by electrical interference in the harsh environment of the chemical plant. There were also problems associated with the "direct digital control" concept of an entire plant controlled by a single centralised computer, in which failure of the computer or its peripherals caused total loss of control. These early problems have been overcome by several developments in equipment and system design and by higher standards of immunity from electrical interference.

Whatever type of control system architecture is adopted there are two types of failure which must be addressed in both the design and subsequent assessment. These are:-

Random Hardware Failures - such as electronic component failure, which may be aggravated by environmental stress factors. It is impossible to predict exactly when a system will fail due to this type of breakdown, but it is possible to use probabilistic techniques to predict the failure frequency and to take suitable precautions against random failure by providing backup or redundant systems to reduce the accident frequency.

Systematic Failures - which are failures caused by errors in design, manufacture, installation or operation. Because it is not possible to test a system under all combinations of operating conditions, faults may remain hidden until a particular set of circumstances arise and then the system breaks down. The three most important types of error which lead to systematic failures are specification errors, equipment errors and software errors. Unlike random hardware failures, redundancy of systems is not effective against all systematic failures. For example, in the case of a specification or software error both redundant systems may fail in the same way.

The consequences of PES failure depend on the configuration and the application but may include loss or maloperation of the following:-

- Management information
- Operator information or control
- Automatic control
- Indication and alarm systems
- Protection and shutdown systems.

Where PES are used to control processes involving hazardous materials the failure of the PES could lead to a major chemical accident.

3 ACCIDENTS INVOLVING COMPUTERS AND DESIGN CONSIDERATIONS

To demonstrate the principles of the PES guidelines in Appendix I the following incidents involving PESs are described.

Incident No. 1 (human error and design deficiency).

A reactor ruptured due to an exothermic reaction when the operations were not performed in the correct sequence following a plant shutdown.

In this incident the contributory events included:-

- the operators not appreciating the significance of alarms
- incorrect settings of interlock parameters
- misinterpretation of instrument readings
- failure of essential services
- the over-riding of a computer interlock intended to prevent the next stage of a batch reaction.

This latter action, at the particular stage in the process, resulted in a violent runaway exothermic reaction which led to rupture of a vessel and considerable damage.

There are many lessons to be learnt from this incident not least of which is the fact that the operators had access to software to defeat a safety interlock.

The advantages to be gained from implementing interlocks via the PES, in terms of complexity and flexibility, should not be restricted, but the hazard assessment procedure and the framework established for PES in safety applications (or other equally effective measures) should be strictly followed, and the need for an operator to defeat an interlock should be critically examined.

Incident No. 2 (human error and poor operating procedure)

A maintenance engineer used the computer to close a valve for maintenance. (This is contrary to all good isolation principles.) The software included a safety interlock to prevent simultaneous closing of this valve and another valve. A conflict arose between the two requirements in the software when one of the interlocked valves was already closed. This caused the valve under maintenance to open, causing loss of containment. This incident is typical of several caused by poor isolation procedures and the misunderstanding of the operating constraints built into the software.
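The following is an added illustration, not code from the paper or from the plant involved, of the two software behaviours at the heart of Incident No. 2 and of the interlock-defeat lesson of Incident No. 1. The valve names (V1, V2), the permit identifier and the actor names are constructed. The "naive" interlock enforces the rule "never both closed" by correcting the state after a move, so a maintenance close while the other valve is already shut is "resolved" by re-opening the valve being worked on. The hardened version checks every command before anything moves, refuses and alarms on conflict, freezes a valve that is under a maintenance permit against all later software commands, and records who commanded what for the review that Appendix I asks for.

```python
from enum import Enum


class Valve(Enum):
    OPEN = "open"
    CLOSED = "closed"


class InterlockError(Exception):
    """Raised when a command would violate an interlock or a lock-out."""


def never_both_closed(state):
    """The interlock rule from the incident: V1 and V2 must not both be closed."""
    return not (state["V1"] is Valve.CLOSED and state["V2"] is Valve.CLOSED)


class NaiveInterlock:
    """Interlock enforced *after* the move by 'correcting' the state.

    Constructed reconstruction of the failure mode, not the plant's code: the
    conflict is resolved by moving a valve, and the valve it moves is the one
    that was just closed for maintenance.
    """

    def __init__(self):
        self.state = {"V1": Valve.OPEN, "V2": Valve.OPEN}

    def close(self, valve):
        self.state[valve] = Valve.CLOSED
        if not never_both_closed(self.state):
            # "Resolve" the conflict by re-opening the valve just commanded.
            self.state[valve] = Valve.OPEN
        return self.state[valve]


class HardenedInterlock:
    """Commands are checked before anything moves; conflicts are refused and
    alarmed, never resolved by moving a valve; a valve under a maintenance
    permit is frozen against later software commands; every action is logged
    with the actor so the change can be reviewed."""

    def __init__(self):
        self.state = {"V1": Valve.OPEN, "V2": Valve.OPEN}
        self.locked_out = {}   # valve -> permit id (constructed field)
        self.alarms = []
        self.audit = []

    def command(self, valve, target, actor):
        if valve in self.locked_out:
            self.alarms.append(f"{valve}: command by {actor} refused, locked out "
                               f"under permit {self.locked_out[valve]}")
            raise InterlockError(f"{valve} is locked out for maintenance")
        proposed = dict(self.state)
        proposed[valve] = target
        if not never_both_closed(proposed):
            self.alarms.append(f"{valve}: {target.value} by {actor} refused, "
                               f"would close both V1 and V2")
            raise InterlockError("interlock conflict; plant state unchanged")
        self.state[valve] = target
        self.audit.append(("move", valve, target.value, actor))
        return self.state[valve]

    def isolate_for_maintenance(self, valve, permit_id, actor):
        """Close the valve only if the interlock still holds, then freeze it."""
        self.command(valve, Valve.CLOSED, actor)
        self.locked_out[valve] = permit_id
        self.audit.append(("lockout", valve, permit_id, actor))
        return self.state[valve]


def naive_incident():
    """V2 already closed; engineer 'closes' V1 for maintenance via the computer."""
    plant = NaiveInterlock()
    plant.close("V2")
    return plant.close("V1")   # Valve.OPEN: the valve under maintenance is open


def hardened_incident():
    """Same sequence against the hardened logic."""
    plant = HardenedInterlock()
    plant.command("V2", Valve.CLOSED, "operator")
    try:
        plant.isolate_for_maintenance("V1", "PERMIT-0001", "maint-eng")
        refused = False
    except InterlockError:
        refused = True              # conflict refused, V1 has not moved
    # Correct path: clear the conflict first, then isolate and lock out V1.
    plant.command("V2", Valve.OPEN, "operator")
    plant.isolate_for_maintenance("V1", "PERMIT-0001", "maint-eng")
    try:
        plant.command("V1", Valve.OPEN, "automatic-control")
        moved = True
    except InterlockError:
        moved = False               # frozen while the permit is open
    return refused, plant.state["V1"], moved, len(plant.alarms)


if __name__ == "__main__":
    print("naive: V1 ends", naive_incident().value)
    print("hardened (refused, V1, moved later, alarms):", hardened_incident())
```

The design point is that a safety interlock should only ever refuse an action, never pick one of the interlocked items and move it, and that the computer close is not a substitute for physical isolation: the lock-out here exists so that no later software or automatic command can undo what the permit holder relies on.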

Incident No. 3 (electrical interference and computer error)

Electrical interference in the form of high voltage spikes caused a computer to malfunction whilst the standby computer was out of service, and caused corrupted output signals to be transmitted to the control valves. The valves opened and caused the release of a large quantity of toxic materials.

Electrical interference immunity requirements are now well established and process control equipment should comply with suitable immunity test levels (Ref 2). Correct installation should include attention to segregation, adequate screening, and suppression of interference which may cause permanent damage or transient effects as in this example. It should be noted also that electrical interference can be a common cause failure mode in that it can cause the simultaneous failure of two or more systems in a redundancy configuration.

Incident No. 4 (software errors)

A release of toxic gas occurred because of two uncorrected errors in the software. One software error caused a vessel to be pressurised which vented to an absorption system. The other software error independently caused another vessel to be overcharged, forming a liquor lock in the scrubbing column. This combination of circumstances caused the release of a toxic gas.

The underlying cause of this incident was inadequate understanding and poor communication between programmers and chemical engineers. Guidelines on avoiding software errors are given in Appendix I.

Incident No. 5 (hardware faults)

The sequence of events that led to the rupture of a gas line and release of toxic gases in this incident included a hardware fault which had lain dormant, having no effect, for several years following commissioning. An unused logic input on a pulse output interface circuit had not been grounded during commissioning, and an induced voltage appeared on the input to present a logic 1 instead of 0. This resulted in an incorrect address being given, and an output device followed instructions intended for a different device. These instructions had no effect except in the particular circumstances at the time of this incident, when a number of valves opened incorrectly and resulted in the accident.

The need for grounding of unused inputs is emphasised to prevent induced voltages and subsequent maloperation of computer systems.

This incident and others highlight the fact that faults in both hardware and software may not be revealed for a considerable time after commissioning and are usually brought to light in unusual or unexpected circumstances. In a recent reference in a computer journal, problems in an air traffic control computer were attributed to a software error that remained undiscovered for fifteen years. This demonstrates that where safety is dependent on more than one system, for example where a control system is backed up by a shut down system in which a failure may not be revealed, the proof-testing of safety systems is vital.
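The interaction between random failure, redundancy, common-cause failure and proof testing raised in Section 2 and in the last two incidents can be put into numbers. The block below is an added worked example, not part of the paper or of the HSE guidelines; it uses the standard first-order approximations for average probability of failure on demand (PFD) of a single channel (1oo1) and of a one-out-of-two redundant pair (1oo2), with a "beta" fraction of dangerous failures treated as common-cause (electrical interference, or a shared specification or software error, hitting both channels). The failure rate, proof-test intervals and beta values are constructed inputs.

```python
# Added example: how much redundancy buys, and how common-cause failures and
# the proof-test interval eat into it. Dangerous failures are assumed to stay
# dormant until the next proof test (as in Incident No. 5), so the average
# unavailability grows with the interval T between tests.

def pfd_1oo1(lambda_d: float, proof_test_h: float) -> float:
    """Single channel: average unavailability over the proof-test interval.

    lambda_d: dangerous failure rate per hour; proof_test_h: interval in hours.
    """
    return lambda_d * proof_test_h / 2.0


def pfd_1oo2(lambda_d: float, proof_test_h: float, beta: float) -> float:
    """Two redundant channels, either of which can trip the plant (1oo2).

    Independent failures must both occur before the function is lost; the
    common-cause fraction `beta` of failures takes both channels out at once
    and so behaves exactly like a single channel.
    """
    lam_independent = (1.0 - beta) * lambda_d
    lam_common = beta * lambda_d
    both_independent = (lam_independent * proof_test_h) ** 2 / 3.0
    common_cause = lam_common * proof_test_h / 2.0
    return both_independent + common_cause


def risk_reduction(lambda_d: float, proof_test_h: float, beta: float) -> float:
    """Factor by which the redundant pair improves on a single channel."""
    return pfd_1oo1(lambda_d, proof_test_h) / pfd_1oo2(lambda_d, proof_test_h, beta)


def proof_test_interval_for(target_pfd: float, lambda_d: float) -> float:
    """Longest 1oo1 proof-test interval (hours) that still meets target_pfd."""
    return 2.0 * target_pfd / lambda_d


if __name__ == "__main__":
    lam = 1e-6   # constructed: one dangerous failure per million hours
    print(f"{'T (h)':>7} {'beta':>5} {'PFD 1oo1':>10} {'PFD 1oo2':>10} {'gain':>7}")
    for T in (8760, 4380, 2190):          # yearly, half-yearly, quarterly tests
        for beta in (0.0, 0.05, 0.10):
            print(f"{T:>7} {beta:>5.2f} {pfd_1oo1(lam, T):>10.2e} "
                  f"{pfd_1oo2(lam, T, beta):>10.2e} {risk_reduction(lam, T, beta):>7.1f}")
    print("1oo1 interval for PFD 1e-3:", proof_test_interval_for(1e-3, lam), "h")
```

With these inputs a yearly-tested single channel has a PFD of about 4.4e-3; a fully independent 1oo2 pair improves on that by a factor of roughly 170, but with only 10% of failures common-cause the factor falls to under 10, which is the quantitative form of the paper's warning that redundancy does not protect against systematic failures. Halving the proof-test interval halves the single-channel PFD, which is why the proof testing of back-up systems matters when faults can lie dormant.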

The above incidents emphasize the fact that PES are complex, provide many opportunities for error, and are prone to systematic and random failures. Because of this, back-up systems for alarms and trips, using redundant and/or diverse systems, must be provided where appropriate. The principle of the HSE document is that the total configuration of safety systems should be adequate for the degree of risk (Figure 2). The three principal characteristics of Configuration, Reliability and Quality together should provide an adequate level of safety integrity to prevent the types of incidents described above.


4 Human Factors

Many incidents involving PESs seem to contain a large element of human error. Why should this be? One reason is that computers are only as intelligent as the software and unfortunately, many software engineers are not sufficiently aware of:-

1) The operating characteristics of the process, particularly in emergencies.

2) Human factors.

Consequently, software programs are written on the assumption that machines and processes will always work perfectly and that operators perform like perfect machines. In the past, with manual control of 'slow' processes, the skill and intelligence of the operator often prevented many incidents occurring. With automation, the operator has been removed from day to day contact with the system and in addition, processes have become much quicker, leaving less time for corrective action. It is ironic, perhaps, that the coming of automated systems has shown how much we have under-estimated the role of the operator and the human factor issues involved in it.

The PES Guidelines (1) encourage the use of a systems approach to identify hazards and risks, and that includes consideration of the human factor and the potential for human error. The human factors discipline emphasises the need to take account of the capabilities and limitations of humans when designing man/machine systems. At a systems level, this means allocating functions to men, machines or both, in a way that optimises the performance and safety of both.

A good example of system optimisation that has some relevance to the control of large-scale chemical plant is quoted by Swain (6). An initial design for a missile fire control system made it fully automatic, but with the operator acting as an emergency back-up. The operator would be expected to act in the event of malfunction of certain automatic equipment to prevent severe damage to the equipment or loss of the missile. The system therefore included displays showing the status of various missile fire control functions. However, it was found that if the operator did not continuously follow the displays, it would take that person from several seconds to even several minutes to determine what to do; and yet the original design assumed that the operator would act almost immediately in an emergency.

It is a well-known principle of human factors that people are poor monitors and that there is a limited span of effectiveness for situations in which the person plays a relatively passive role.

It was decided, therefore, to re-design the system to have some manual functions, even though these functions could be performed automatically with more speed and greater reliability. However, the resultant man/machine mix was considered to be more effective overall.

Although at first sight one can say that human error in monitoring was the reason for the re-design, it could be argued that as the designers were not sufficiently competent to remove the man entirely from the system, it was, in fact, man's superior ability over computers to adapt to unforeseen situations and to reason inductively (as opposed to a computer's deductive logic) that was really the function required of the man in the system. The re-design, therefore, enhanced the operator's potential to carry out that function by actively involving him in the system. This point is made because it is important to consider both the strengths and weaknesses of humans when allocating functions.

The optimisation of the man/machine system must not only consider performance, but such factors as operability, reliability and safety - and all at a reasonably practicable cost. Not an easy task, but one that can't be done at all unless detailed examinations of human factor issues take place.

Having designed the system to optimise the relationship between man and machine, such matters as selection, training, organisational structures, procedures and monitoring systems should be considered. This will ensure that the right man with the appropriate blend of skills and experience is allocated to the job and that, amongst other corporate goals, safety is given its proper place. Human factors have much to offer in these areas, but it is not the purpose of this paper to go into them here.

Computer systems, because of their inherent characteristics, are particularly sensitive to human error, and therefore, to ensure a high level of safety, a detailed examination of human factor issues needs to be carried out with the objective of optimising the man/machine mix. By doing so, we are putting into practice the old adage that the most valuable resource of a company is the people who work within it.

5 Regulations and Standards - current position

The underlying legal requirement for plant safety is the Health and Safety at Work Act 1974 Section 2 which requires that a plant is 'safe' so far as is reasonably practicable. In the EEC the "Seveso" Directive on major hazards has been enacted. Following this directive the UK has implemented the CIMAH (Control of Industrial Major Accident Hazards) Regulations which require, for certain high inventory sites, safety cases to be submitted to HSE. HSE expect safety cases to identify and assess any events involving PES failure, in addition to conventional control and instrumentation systems, which could lead to a major incident or accident.

Following on from the publication of the HSE guidelines in June 1987, Bell and Robertson (7) give a useful overview of the guidelines and Jones (5) considers the guidelines as applied to the process industries. In recognition of the potential problems of PESs, bodies such as the Nordic Council of Ministers (4), the CEC collaborative Project on PES (8) and the TUV (9) have published or are actively pursuing guidelines for PES in safety applications.

Of particular importance in the context of international standardisation was the setting up of a working group under the auspices of the Advisory Committee on Safety (ACOS) of the International Electrotechnical Commission (IEC) to look into the functional safety of PESs and develop an IEC publication on that topic. The IEC committee of action endorsed the ACOS decision at their meeting in Prague in July 1987.

Within the IEC work is progressing on a number of topics which will have to be closely co-ordinated with the work on the functional safety of PESs. In particular:-

(i) Safety related software (IEC/SC65A/WG9)
(ii) Evaluation of system properties (IEC/SC65A/WG8)
(iii) User guidelines for programmable controllers (IEC/SC65A/WG6)
(iv) Electrical interference (IEC/TC65/WG4)

6 CONCLUSIONS

There are advantages to be gained by computer control for chemical plants in efficiency, quality and safety. It would be a serious setback to these developments if a major accident were to happen on a computer controlled chemical plant where the computer contributed in some way to the accident. The design and assessment framework described in the HSE publication should allow technical developments to proceed, to exploit the advantages of computer control, whilst ensuring that good standards of safety are adopted.

It is hoped that the framework of the HSE Publication will encourage the increasing adoption of high technology control systems within industry and in particular the chemicals and associated industries. The framework will permit such developments while maintaining confidence in the integrity of computer control and improving safety levels which will lead to the prevention of major accidents.

7 Way Forward

HSE believes that the framework described in section 2 above provides a flexible approach to solving the safety problems of PESs. However if we are to move forward in a positive way then a number of further steps are required:-

7.1 Training

There is a shortage of process engineers who are skilled in control engineering and risk analysis techniques. The Institution of Chemical Engineers has already recognised this problem and has a number of courses in the above areas in its short course programme.

There is need for improved education and training courses, including those that cover safety and reliability engineering, in both industry and in universities.

7.2 Application Specific Guidance and Standards

Different sections of industry have different applications for the use of PESs, and the chemical industry is no exception; even within industrial sectors there are differing needs. For example, the problems of batch processing are clearly different to, say, a continuous refining unit. HSE is already discussing industry standards with UK trade associations, professional institutions and other similar bodies. The international nature of this conference should encourage the development of European and International standards in this area.

7.3 Harnessing new technology

The inexorable drive for more powerful and reliable computing systems throughout industry and commerce is undoubtedly having a spin-off in safety. To mention a few:-

1. Expert systems hold the promise of giving the plant operator and manager fast and authoritative advice on fault handling procedures under emergency conditions. They are also being used to solve difficult control problems.

2. Automated tools for testing certain features of software are now becoming available. Not only do they reduce the effort involved in producing software thereby aiding efficiency but they also have the capability of carrying out sophisticated logical analysis - thereby identifying inconsistencies in the computer program. Although not the "final" solutions such techniques can give more confidence about the safety of software.

3. Intelligent sensors - sensors with inbuilt logic and signal processing capabilities are now quite common. As well as aiding efficiency they can also reduce human error in calibration and testing procedures.

4. Research and development. It is important that industry keep abreast of and actively support these developments, as HSE believes that the new technology presents many opportunities to improve safety. HSE's extensive research programme includes many projects concerned with the application of new technology to control systems.

HSE would be interested to hear your views on research needs and priorities in the area of PES systems as applied to the chemical industry.

References

1. "Programmable electronic systems in safety related applications", Part 1 "An Introductory Guide", Part 2 "General Technical Guidelines". Health and Safety Executive, HMSO.

2. IEC 801 (1984) "Electromagnetic Compatibility for industrial-process measurement and control equipment", Parts 1, 2 and 3.

3. "Guidelines for the documentation of software in industrial computer systems" (1985). The Institution of Electrical Engineers, Savoy Place, London.

4. NORDIC Document. "Personal safety in microprocessor control systems". Nordisk Ministerraad, Kobenhavn, 1987. ISBN 87 7303 1054.

5. P G Jones, "Safety Considerations in the Use of PES for the Control of Chemical Plant", a paper based on an invited lecture given to CHISA 87, Prague, Sept 1987. Available from HSE Library, Bootle.

6. Swain, D.A., "Relative Advantages of People and Machines in Process Industries".

7. Bell and Robertson, "Guidelines on Programmable Electronic Systems", IEE Colloquium, 9 June 1987.

8. European Collaborative Project on the Assessment of Programmable Electronic Systems; Anderson O; Bell R; Meffert K; Vautrin J P. Journal of Occupational Accidents, Vol 9 (1987) pp 123-135.

9. Microcomputers as an aid to Safety Techniques: TUV Rheinland (FRG) document; translation available from HSE Library, Bootle.


APPENDIX I

COMPUTER CONTROLLED CHEMICAL PLANT - SAFETY FRAMEWORK PRINCIPLES

The HSE publication (1) outlines an assessment procedure for safety related programmable electronic systems, and sets out a number of fundamental design principles. The assessment procedure summarised in Figure 1 is a logical procedure used to determine what level of safety integrity is required for the PES. The design principles can then be applied in order to achieve that level of integrity. The emphasis is placed on the integrity of the PES within the total safety philosophy of the plant, considering for example control systems, pressure relief systems, bursting discs and other preventative measures including the mechanical containment integrity.

ASSESSMENT PROCEDURE

Step 1 hazard analysis

This is the logical identification of the possible sources of danger and the chains of events leading to them. There are several well established techniques for hazard analysis in the chemical industry. The essential feature is that the analysis is well documented with all possible event sequences considered.

Step 2 identification of safety related PES

The hazard analysis will have identified the components or systems where failure may lead to a dangerous condition. This step involves the decision as to whether or not the PES is safety related. If the other safety systems provide an adequate level of safety in any foreseeable eventuality including failure of the PES then the PES is not safety related and falls outside the scope of the documents.

Step 3 safety integrity criteria

The objective of this step is to establish standards for the PES based on numerical criteria or national standards and codes of practice and sound engineering practice.

There are very few examples of nationally or internationally agreed numerical safety criteria for the safety of plant and so most major companies have developed their own numerical criteria based on natural risks or statistics such as the fatal accident frequency rate (FAFR). Where no quantitative guidelines are established the objectives should be to ensure that the use of PES does not lead to a reduction in safety when compared to a conventional system. Comparison with existing plant may not always be possible however since PES are often used in new applications.

Steps 4 and 5 Design or Assessment of safety related PES

In these steps the design of the existing or proposed PES control plant should be analysed. The depth of analysis will depend on the risk associated with the plant, and for higher risk situations a detailed safety integrity study including quantitative reliability studies would be appropriate. The procedures for carrying out a detailed assessment are given in the HSE guidelines. The fundamental design principles or characteristics of a safety related PES, i.e. configuration, reliability and quality, are given later.

Step 6 Review

The safety integrity achieved by the design should be compared with that established for the application. Modifications will need to be made for any weak links found by the analysis. The whole design and assessment procedure may be iterative in nature in that modifications and reviews may be carried out several times until the design and safety review team are satisfied.

FUNDAMENTAL DESIGN PRINCIPLES

The three fundamental characteristics of a design to achieve precautions against both systematic and random failures are as follows:-

Configuration

This refers to the arrangement of all the safety related systems, both PES and others, that together ensure adequate and safe control and protection for the plant. A typical configuration for a major chemical plant is shown in Figure 2. It will be noted that the operator is included in certain safety related systems.

For configuration to satisfy the design principles:

a) the combined number of PES and non-PES safety related systems which are capable, independently, of maintaining the plant in a safe state, or of bringing the plant to a safe state when required, should not be less than the number of conventional systems which have provided conventional safety integrity; and

b) no failure of a single channel of programmable electronics hardware should cause a dangerous mode of failure of the total configuration of safety related systems. It should be recognised that systematic hardware failures may affect all identical designs of programmable electronics; and

c) faults within the software associated with a single channel of programmable electronics should not cause a dangerous mode of failure of the total configuration of safety related systems. It should be assumed that a software fault will affect all identical software.

NOTE Systematic failures may affect similar designs of hardware or software in the same way and hence the need for diversity of hardware and/or software where required to guard against such failures.
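Principles a) to c) and the NOTE above can be stated as a check over a described configuration. The block below is an added example, not part of the HSE guidelines or of the paper's Figure 2; it models each safety related system by whether it can independently hold or bring the plant to a safe state, by its hardware design identifier and by its software image identifier, then reports which principle a configuration fails. Both example configurations and all names in them are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SafetySystem:
    name: str
    independent: bool    # can alone maintain or bring the plant to a safe state
    hardware: str        # hardware design identifier ("mechanical", "relay", ...)
    software: str = ""   # software image identifier; empty for non-programmable


def check_configuration(systems, conventional_count):
    """Return a list of findings; an empty list means principles a) to c) hold.

    a) at least as many independent safety systems as the conventional design;
    b) a systematic fault in one hardware design hits every identical unit, so
       no single PES hardware design may account for all independent systems;
    c) a software fault affects every copy of the image, so no single software
       image may account for all independent systems.
    """
    findings = []
    independent = [s for s in systems if s.independent]
    if len(independent) < conventional_count:
        findings.append(f"a) only {len(independent)} independent safety system(s); "
                        f"the conventional design had {conventional_count}")
    for hw in sorted({s.hardware for s in independent if s.software}):
        if all(s.hardware == hw for s in independent):
            findings.append(f"b) a fault in hardware design {hw!r} defeats every "
                            f"independent safety system")
    for sw in sorted({s.software for s in independent if s.software}):
        if all(s.software == sw for s in independent):
            findings.append(f"c) a fault in software image {sw!r} defeats every "
                            f"independent safety system")
    return findings


# Constructed configurations (not the paper's Figure 2).
DIVERSE = [
    SafetySystem("DCS control loops", independent=False, hardware="PLC-A", software="ctl-v3"),
    SafetySystem("PES trip system", independent=True, hardware="PLC-B", software="trip-v1"),
    SafetySystem("Pressure relief valve", independent=True, hardware="mechanical"),
    SafetySystem("Operator on hard-wired alarm", independent=True, hardware="relay"),
]

# Two trip channels of the same design running the same program: redundancy
# against random failure only, no diversity against a systematic fault.
IDENTICAL = [
    SafetySystem("PES trip channel 1", independent=True, hardware="PLC-A", software="trip-v1"),
    SafetySystem("PES trip channel 2", independent=True, hardware="PLC-A", software="trip-v1"),
]

if __name__ == "__main__":
    for label, cfg in (("diverse", DIVERSE), ("identical", IDENTICAL)):
        print(label, check_configuration(cfg, conventional_count=2) or ["no findings"])
```

Note that the control system itself is excluded from the count unless it can independently hold the plant safe, and that a non-programmable system such as a relief valve survives any PES fault in this model; the check is only as good as the honesty of the `independent` attribute, which is exactly what the hazard analysis in Steps 1 and 2 has to establish.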

RELIABILITY

Reliability relates to the equipment reliability in the fail to danger mode. The fundamental design principle is that the reliability must at least be as good as conventional systems used in the same application. To achieve this an assessment will need to be undertaken of the reliability of the PES including sensors and actuators. Qualitative assessments based on recognised equipment standards may be adequate for relatively low risk plants whereas a quantitative analysis may be more suitable for a high risk situation.


OVERALL QUALITY

This relates to all unquantifiable aspects of the total safety system philosophy from the statement of functional requirements to the manufacture, commissioning, operation and maintenance of the PES control and protection systems of the plant. Within this characteristic the two paramount concerns are:

a) the safety requirements specification for the PES and b) its software quality.

Both these aspects need the utmost care in preparation and documentation. The communication and interpretation of requirements, and the correct implementation of these into software, is the area where there is the greatest opportunity for error and subsequent system failure.

General Design recommendations to avoid software errors:

1. A thorough understanding of the process and computer control functions by the programmers is essential. A formal safety requirement specification should ensure this.

2. Software for Safety-Related P.E.S. should be accompanied by adequate documentation (Ref 3). The software should be designed to accommodate the inevitable changes in requirements. It should be designed, written, validated and tested according to a strictly controlled quality plan. Quality control procedures should be applied to each phase in the production of software.

3. Software changes are often a cause of maloperation which may lead to an accident; therefore modification procedures need to be established and followed strictly. The software change procedures will themselves need to be assessed and be suitable for the circumstances of the application. The level of authority necessary for software changes should be established and strictly observed. Security of access may be restricted by software or hardware measures as appropriate.

4. Software changes should be reviewed in the same way as any other plant modification to ensure that the safety level of the plant is not reduced. This review should include process, chemical, mechanical, and control engineers as appropriate so that the full implications of any change are fully understood.
