1. Field of the Invention
This invention relates to regulatory control systems and safety shutdown systems and methods for monitoring and controlling field devices used with commercial and industrial processes, and in particular to systems and methods for improved coordination between control and safety systems.
2. Description of Related Art
In designing automated process control systems for commercial and industrial processes such as chemical plants, petrochemical facilities, manufacturing factories, and the like, the conventional practice is to maintain redundant topologies, with a safety shutdown system that is independent from the plant's regulatory control system. This practice is rooted in the belief that keeping two completely separate systems reduces the risk of a single failure disabling all automated process controls. In addition, this isolation is often required by applicable standards.
As used herein, the term “field devices” includes sensors and final control elements. Final control elements include pumps, valves, valve actuators and the like. Sensors include switches and transmitters for monitoring a wide variety of variables, including, but not limited to, valve position, torque, level, temperature, pressure, flow rate, power consumption, and pH. Other terminology that is well known to those of ordinary skill in the art of process instrumentation is also used herein.
As used herein, “commercial and industrial processing facilities” include chemical plants, petrochemical facilities, manufacturing factories, or any facility that uses separate safety system field devices and process control field devices.
Thus, a typical facility of the prior art, as shown in FIG. 1, has a safety system 30 (also known as a “safety shutdown system,” “emergency shutdown system”, “ESD,” “ESS,” “safety instrumented system,” or “SIS”) and a process control system 40 (also known as a “regulatory control system”). The safety system 30 includes an independent computer 32 (also known as a “safety logic solver” or “SLS”) in communication with field devices in a plurality of groups 251, 252, 253 . . . 25M (also known as “safety instrumented functions” or “SIFs”) associated with subprocesses operating in the facility. Computer 32 includes a processor, memory and associated computer hardware and software to monitor and control one or more plant subprocesses and to implement the SIFs. The safety system 30 also includes for each of the groups 251, 252, 253 . . . 25M one or more safety system sensors 36 (e.g., heat sensors “HS” and pressure sensors “PS”) and one or more safety system final control elements 38.
The process control system 40 includes a computer 42 (also known as a “distributed control system” or “DCS,” or a “basic process control system” or “BPCS”) in communication with field devices in a plurality of groups 241, 242, 243 . . . 24M associated with subprocesses operating in the facility which correlate with the subprocesses having field devices in groups 251, 252, 253 . . . 25M of the safety system 30. Computer 42 includes a processor, memory and associated computer hardware and software to monitor and control one or more plant subprocesses and to implement the process control functions. The process control system 40 also includes, for each of the groups 241, 242, 243 . . . 24M, one or more process control system sensors 46 (e.g., heat sensors “HS” and pressure sensors “PS”), and one or more process control system final control elements 48. The operating procedures and access passwords are different for the two systems 30 and 40, thereby strengthening separation between them and restricting access to properly trained and authorized personnel.
Conventional design provides for an exchange of information between the central processors of the respective systems, viz., between the safety system computer 32 and the process control system computer 42. For instance, U.S. Pat. No. 6,975,966 and related U.K. Patent Publication GB2445636, assigned to Fisher-Rosemount Systems, Inc., describe a software module that provides a user interface to view various parameters from both a process control system controller and a safety system controller within a plant, with indicators to distinguish whether a signal is from the process control system controller or the safety system controller. Certain alarms can be acted upon from that user interface using the individual functionalities of the discrete process control system controller and safety system controller.
However, the Fisher-Rosemount system does not contemplate the automatic use of the complementary sensors or final control elements within a safety instrumented function (“SIF”) or regulatory control loop when a device is taken out of service or disabled due to an internal fault. That is, no communications capability exists for the SLS 32 to communicate directly with regulatory control devices 46, 48 at the field level, or for the DCS 42 to communicate directly with field devices 36, 38 of the safety shutdown system 30. Rather, redundancy in a safety shutdown system is achieved in prior art systems by installing multiple sensors to measure a particular process parameter, e.g., flow, pressure, level, or temperature, and installing multiple final control elements to isolate the same process line. Redundancy in a regulatory control system is achieved in the same manner. Each of the redundant sets of sensors and final control elements communicates independently with the central processor of its respective system, and in the Fisher-Rosemount systems the separate communications can be viewed and acted upon from the common user interface; however, no coordination exists between the safety system and the control system.
A common prior art approach uses majority logic decision-making processes when a sensor fails within a safety instrumented function. In a majority logic process, a decision is made as to whether a device should trip or remain steady if a predetermined number of devices fail or provide readings outside of the desired range. For instance, a safety instrumented function utilizing three sensors with an emergency shutdown system can be set at “two out of three” logic, so that if two devices fail or read outside of the desired range, the associated device trips. Other levels of decision logic are commonly used, e.g., “one out of one,” “one out of two,” “one out of three,” “one out of four,” “two out of two,” “two out of three,” “two out of four,” “three out of three,” or the like. The selection of the level of decision logic depends on the criticality of the system, reliability requirements, and the associated risks. Accordingly, for example, in a “two out of three” decision logic structure, if two out of the three sensors provide a reading that shows that the process is out of range, then the safety instrumented function will initiate a command to trip, i.e., shutdown. Such decision logic based on the remaining sensors will either impact the reliability of the plant or result in unnecessary trips for the plant.
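The majority-logic voting described above, as an added example that is not part of the patent text: a small M-out-of-N voter in Python with the two usual treatments of a faulted channel, showing how a 2oo3 SIF degrades to 1oo2 (more spurious trips) or 2oo2 (weaker protection) once one sensor is lost. Tag names, the trip limit and the sample readings are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Reading:
    """One sensor channel in a SIF vote; value is None when faulted/out of service."""
    tag: str
    value: Optional[float]
    healthy: bool = True

def moon_vote(readings: List[Reading], m: int, high_limit: float,
              fault_policy: str = "vote_trip") -> Tuple[bool, int, int]:
    """M-out-of-N voter. A healthy sensor votes to trip when it exceeds high_limit.
    fault_policy decides what a faulted channel does:
      "vote_trip" - the faulted channel counts as a trip vote (fail-safe bias)
      "ignore"    - the faulted channel is dropped from the vote
    Returns (trip, trip_votes, faulted_channels)."""
    if fault_policy not in ("vote_trip", "ignore"):
        raise ValueError(f"unknown fault policy {fault_policy!r}")
    faulted = sum(1 for r in readings if not r.healthy or r.value is None)
    exceed = sum(1 for r in readings
                 if r.healthy and r.value is not None and r.value > high_limit)
    votes = exceed + faulted if fault_policy == "vote_trip" else exceed
    return votes >= m, votes, faulted

def effective_logic(n: int, m: int, faulted: int, fault_policy: str = "vote_trip") -> str:
    """What an MooN scheme becomes once `faulted` of its n channels are lost."""
    healthy = n - faulted
    if fault_policy == "vote_trip":
        needed = m - faulted
        return "tripped by faults alone" if needed <= 0 else f"{needed}oo{healthy}"
    if healthy < m:
        return "cannot trip (protection lost)"
    return f"{m}oo{healthy}"

# Constructed sample data: three pressure transmitters, trip above 10.0 bar.
PS_HEALTHY = [Reading("PS-1", 10.4), Reading("PS-2", 10.6), Reading("PS-3", 9.8)]
# One transmitter faulted and a single healthy channel reading high.
PS_ONE_FAULT = [Reading("PS-1", 10.4), Reading("PS-2", None, healthy=False),
                Reading("PS-3", 9.8)]

if __name__ == "__main__":
    print("all healthy, 2oo3:", moon_vote(PS_HEALTHY, 2, 10.0))
    for policy in ("vote_trip", "ignore"):
        print(f"one fault, 2oo3, {policy}: trip={moon_vote(PS_ONE_FAULT, 2, 10.0, policy)[0]}"
              f" -> effective {effective_logic(3, 2, 1, policy)}")
```

With one channel faulted, the "vote_trip" policy trips on a single high reading (an unnecessary trip), while "ignore" leaves the SIF needing both remaining sensors to agree.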
Another common prior art approach in the implementation of safety systems includes the use of redundant final elements, such as emergency shutdown valves, to perform a shutdown of a plant or part of a plant. If one or more of the valves within a safety instrumented function are at fault, then the safety instrumented function and safety logic solver can elect to shut down the system associated with that safety instrumented function through the remaining healthy valves as a precautionary measure.
A further problem in conventional commercial and industrial processes relates to the routine maintenance of the independent systems. Self-diagnostics have previously been limited to collecting information from the physical device as symptoms of a potential problem. Conventional approaches rely on a human and an external software package to diagnose the extent of the problem and to decide whether a device should be removed from service. Equipment maintenance and tracking systems, such as software systems commercially available from SAP AG of Walldorf, Germany, generate work orders for functional testing at predetermined intervals so that every field device is periodically tested. In many cases, this testing is very time-consuming, requiring manually performed maintenance checks to detect device failures and to alert operations personnel of the disabled state of a device. Furthermore, large-scale plants can have over 10,000 safety-related data points. Accordingly, conventional diagnostic and maintenance methods require substantial human presence in the field or plant environment to perform these routine functional checks and calibrations, thereby increasing the exposure of the human operators to a hazardous environment. This also increases the potential for human error that could damage field devices, leaving them unable to perform their intended function. Manual functional testing may only be performed quarterly, semiannually, or annually, resulting in outages that can remain undetected for upwards of several months.
Furthermore, the equipment maintenance and tracking systems of the prior art are typically managed independently from other systems such as the safety system 30 and the process control system 40. Accordingly, if an operation other than the work order-prescribed functional testing requires a field device to be tested, repaired or replaced, this information is not considered in the conventional equipment maintenance and tracking systems.
Therefore, a need exists for improved efficiencies in commercial and industrial processes, while still maintaining excellent reliability and separation of functionality including process control systems and safety systems.
Accordingly, it is an object of the present invention to maintain redundant topologies between a safety system and a process control system, while providing a system, apparatus and methods for increased and improved coordination between an emergency shutdown system and a process control system in the event of failure of one or more related field devices.
It is another object of the present invention to incorporate enhanced diagnostics capabilities into such systems.
It is a further object of the present invention to provide means to achieve efficiencies in the management of what is often a vast number of field devices in typical commercial and industrial processing facilities.