In this brief series, I’ve described three industrial incidents that demonstrate the potential cascading effects that failing to consider the human factor and to ensure equipment reliability can have. What can we learn from incidents such as these?

Before you depend -- and act -- on the “fail safe” controls, you must thoroughly analyze the failure modes in any alarm, interlock or shutdown chain for loss of protection.
Photo courtesy of Eurotherm


In this brief series, I’ve described three industrial incidents that demonstrate the potential cascading effects that failing to consider thehuman factorand to ensureequipment reliabilitycan have. What can we learn from incidents such as these? I continue my series on hazards to people and plants with a continuing look at how your controls, sensors and alarms can help.

Auxiliary Alarms on Controllers

Besides the control output, a controller can have extra relay or logic outputs that can be configured as high, low, deviation high, deviation low or deviation band alarms. Note that deviation is from the working setpoint. The usual convention is to have the relay or logic signal drop out in the alarm condition. This usually is defined as “fail-safe” because open-circuit relay contacts and broken wires would give a false alarm, reckoned to be preferable to an unrevealed alarm that the opposite logic would suffer.

However, before you depend -- and act -- on the term “fail safe,” you must thoroughly analyze the failure modes in any alarm, interlock or shutdown chain for loss of protection. For serious overtemperature protection, remember that the controller could fail, so do not depend on the alarm circuit in the controller itself. You would be wise to provide an independent second opinion in the form of a separate alarm instrument or module on its own dedicated sensor.

Rate-of-Change Alarm.There are times when you want to alarm on a fast-moving temperature or any process variable. For example, you may want to anticipate and defeat a large change or a thermal reaction. In these cases, you would specify a rate-of-change alarm and set it in units of degrees per minute.

Load-Break Alarm.With this feature, the controller watches and times any movement of process temperature. At the same time, it notes its command to its power output device (a contactor, for example), and looks for a contradiction. The controller will trigger an alarm in the following cases.
  • The heater contactor is welded closed, ignores the controller’s command to turn off and produces a rise of process temperature.
  • The heater is open circuit, ignoring the controller’s command to deliver heat, so the controller sees that the temperature is falling.
The temperature sensor is pulled away from the process heat and showing say, room temperature, yet the controller, seeing a low unchanging temperature, is commanding full heat. There are other ways to pick up heater problems that do not depend on the time-out of a temperature change.

Solid-State Relay (SSR) Monitoring.Some solid-state relays use the controller’s turn-on logic signal wires to carry back a pulse-coded signal to the controller that represents heater current. The controller can then pick up and alarm on two kinds of contradiction of these two signals:
  • The SSR has failed in the short-circuit mode and is passing current in the absence of a turn-on logic signal. In this case, the alarm can be used to kick off a backup contactor.
  • The SSR has failed in the open-circuit mode or the load circuit is broken, so it ignores the turn-on logic signal from the controller. The alarm here would give early warning of loss of process temperature.
Latching and Non-Latching Alarms.A process can go into alarm and out again when the process recovers. This is called a non-latching alarm. You might wire it not just to an audible or visible warning, but to shut off the process and bring it back when the process returns to acceptable.

A latching alarm remains active until it is reset. Use this action if you want it to leave the process shut down until you attend to it.

Trusting the Indications from Your Process

If you are to trust your picture of the plant, you must pick up indications of plant condition directly from the parameter you want to monitor.

You could look at, say, the percentage output display on a controller or its 4 to 20 mA output signal and infer that it is being obeyed by a valve or an SCR unit. Instead, you should be looking at a real heater current or a signal from a position-feedback device on a valve stem. Be aware too that broken or disconnected valve actuator linkages can make a liar of your display. So perhaps you should be monitoring flow.

Also, dangers lurk in mistaking degrees Fahrenheit for degrees Celsius, and in interchanging the various imperial and metric units on your displays. Imported and exported equipment will always pose this threat until the world agrees on a common system.

While the principles covered refer to controllers, a distributed control system (DCS) would be functionally the same but with more comprehensive graphic displays and data analysis.

There is an intermediate stage, where discrete controllers and indicators with communicating capability are integrated into a PC, which becomes the user interface for display and operator manipulation. An advantage here is that the controllers can continue independently to control, protect and indicate in the event that the computer goes off line or hangs up. Some operators feel more in control with this backup and the ability to isolate and exchange controllers and indicators.

The human-machine interface (HMI) is where you can harm yourself and the process by not understanding the meanings of the settings, readings and parameter adjustments that you have to use. They are usually anything but natural and instinctive, and it is possible to find yourself out of your depth and guessing. You have to insist on clear human-machine interfaces and user manuals when you buy equipment.

Further, you have to practice, so that you know the results of any adjustments that you touch, especially those where you can manually override and defeat safety features. I would recommend a strong contribution at the design stage from operators and maintenance staff in respect of plant overviews, detailed displays, control manipulation and response to the unexpected.

Operators’ and engineers’ continuity of experience of a plant or process is vital. This goes, and so does vigilance and safety, when people move on. Do your best to keep them and, in any case, have a familiarization plan for their successors.

Links