Chapter 10

Process Controls

Process control plays an important role in how a plant process upset can be controlled and subsequent
emergency actions executed. Without adequate and reliable process controls, an unexpected process
occurrence cannot be monitored, controlled and eliminated. Process controls can range from simple manual
actions to computer logic controllers, remote fiom the required action point, with supplemental
instrumentation feedback systems. These systems should be designed such as to minimize the need to
activate secondary safety devices. The process principles, margins allowed, reliability and the means of
process control are mechanisms of inherent safety that will influence the risk level at a facility.

Human Observation
The most utilized and reliable process control in the petroleum and related industries is human observation
and surveillance. Local pressure and level gages along with control room instrumentation are provided so
that human observation and actions can occur to maintain the proper process conditions. First stage process
alanns are provided to alert operators to conditions that they may not have already noticed. Typically when
secondary alarm stages are reached, computer control systems employed to automatically implement
remedial actions to the process.

Instrumentation and Automation

Automation and control of processing equipment by highly sophisticated computer control systems is
becoming the standard at most hydrocarbon facilities. Automatic control provides for closer control of the
process operating conditions and therefore increased efficiencies. Increased efficiencies allow higher
production outputs. Automation is also thought to reduce operator manpower requirements. However
other personnel are still needed to inspect and maintain the automatic controlling system. All process
control systems should be monitored by operators and have the capability for backup control or override
commands by human operators.

Whatever method is used, there should be a clear design philosophy for the basic process control system
(BPCS) employed at a facility that is consistent throughout each process and throughout the facility.
Consistency in application will avoid human factor errors by operators. The philosophy should cover
measurements, displays, alarms, control loops, protective systems, interlocks, special valves (e.g., PSV,

111
112 Handbook of Fire and Explosion Protection

check valves, EIVs, etc.), failure modes, and controller mechanisms (i.e., PLC's). The reliability of the
system should also be specified. If a process feature demonstrates that a major consequence has the
possibility of occurring, (as identified by the risk analysis, i.e., HAZOP, What-If Reviews), additional
independent layers of protection (ILPs), such as instrumentation and control systems should be provided.
These features should be of high integrity, so that the Safety Integrity Level (SIL) is improved. Some
commonly referred to systems are identified as high integrity protective systems (HIPS) or triple modular
redundant (TMR) .

The alarm systems should have a philosophy that relates to the input data - number, types, degree of alarm,
and displays and priorities. The information load on the operator has to be constantly taken into
consideration, e.g., the distinction between alarms and status signals versus operator action that needs to be
initiated.

Control loops should have a fail safe function as much as practical limits will allow

Most electronic technology systems use digital electronics in conjunction with microcomputer technology to
allow the instrumentation user to calibrate and troubleshoot the instrumentation from either a local or
remote location. This capability is commonly referred to as "Smart" electronic technology.

Electronic Process Control

The state of the art in process control for hydrocarbon process systems is computer microprocessors or
commonly referred to as PLCs (ProgrammableLogic Controllers). A distributed digital instrumentation and
control system supplements the overall process management system (PLC) design. Programmable electronic
systems are commonly used for most control systems, safety functions, supervisory control and data
acquisition systems (SCADA). These systems may consist of a distribute control system (DCS),
programmable logic controllers (PLC), personal computers and remoter terminals, or combinations over a
communication network.

A distributed control system @CS) caters for centralized control but allows sectionalized local control
centers with a clearly defined hierarchy. Operator interaction is provided with real-time video display panels
instead of traditional metering instruments and status lights. The DCS fimctionally and physically segregates
the process controls for systems or areas at separate locations or areas within a building. This segregation
prevents damages or downtime to a portion of a the system affecting the entire facility or operation, just as
the physical components are isolated and segregated for risk protection measures. Typically segregated
DCS controls are provided with their own shelters commonly referred to as Process Interface Buildings
(PIB) or Satellite Instrumentation Houses (SEI). Protection and location of these installations should be
chosen carefully and similar risk analyses chosen since impacts to their operations are just as critical to the
process as a main control room would be.

When the electronic control is specified the following features should be critically examined:

1. The availability of the system to function upon demand.

2 . The selection of compatible components.
3 . Failure modes of the components in the systems and impact on system control
4. Design and reliability of utility supplies.
5 . Control and integrity of software commands.
6 . Capabilities for remote input, monitoring and control.
 Process Controls 113

Changes in display status should signifl changes in functional status rather than simply indicate a control has
been activated, for example, a lighted VALVE CLOSED indicator should signifl that the valve is actually
closed, not that the VALVE CLOSED control has been activated.
There is no standard or specification within the industry which specifies the dual redundancy for PLCs used
for process control functions. The requirement for control system redundancy is primarily a function of the
desired availability or demand of the process control system. Most control sytem availability percentages are
in the range of 99 to 99.9%. Depending on the type of PLC system configuration defined, availability
generally improves in relation to the amount of redundancy added to the various system components, but
does not necessarily improve system reliability.

Most published literature cites the MTBF for a PLC central processor between 10,000 and 20,000 hours
(Le. 1.2 to 2.4 yrs.), the MTBF of Input and Output(V0) interfaces is between 30,000 and 50,000 hours and
the MTBF of Input and Output (VO) hardware is between 70,000 and 150,000 hours. For the worst case
MTBF for the control system is the PLC-CPU or 1.2 years. This represents an availability of 99.76%
assuming a mean time to repair the unit of 24 hours. If a dual CPU-PLC configuration were provided with
the CPU in a running backup mode, using single VOs, the MTBF would almost double, but the overall
system availability improves only slightly to 99.88%. Completly dual PLCs with dual I/O and CPUs in a
1 0 0 2 or 2 0 0 2 voting arrangement are seldom used for normal process control systems but are instead used
for certain safety systems where availability, failsafe and fault tolerant attributes are desired. Complete dual
PLCs tend to be more complex and maintenance intensive.

Process System Instrumentation and Alarms

Suggested control and instrumentation for the management of process components are shown in API Rp
14C which is still relatively the standard within the industry. All process control systems are usually
reviewed by a Process Hazard Analysis, which will deem if the provided mechanism area is adequate to
prevent a catastrophic incident.

For high risk processes, dual level alarms level instrumentation (e.g., highhigh, low/low, etc.) and automatic
process control (PLC, DCS, etc.) and shutdown, that is backed up by human supervision should always be
considered. Where alarm indications are used they should provided such that an acknowledgment is
required by an operator. Alarm indications should be arranged so their is a hierarchy of information and
alarm status so that control operator do not become inundated with a multitude of alarm indications. If such
an arrangement exists, he may not be able to immediately discriminate critical alarms from non-critical
alarms. Operators sometimes have to make decisions under highly stresshl situations with conflicting
information. It is therefore imperative to keep major alarms for catastrophic emergencies as simple and
direct as possible.

Any critical safety related control function should be protected from impairment from an accidental event
that would render the device unable to fulfill its function.

Transfer and Storage Controls

The highest process concerns for storage locations and transfer operations is the possibility of a tank or
vessel rupture or implosion and overflow, These usually occur when during dynamic operations are
ongoing.

All tanks should be furnished with level gaging instrumentation. Preferably the optimum design is one that
provides an alarm before high overflow levels are reached and also shut off fill lines when the optimum
fill level is reached to prevent overflow or rupture.

Although not 100% reliable, check valves are usually installed in most piping systems to prevent backflow in
114 Handbook of Fire and Explosion Protection

the event of line rupture or segmental depressuring. Storage vessels or tanks recieving products from
pipelines or automatic transfer systems are normally required to be fitted with high level alarms which may
trip shutoff devices.

Burner Management Systems

Fired heaters are extensively used in the oil and gas industry to process the raw materials into usable
products in a variety of processes. Fuel gas is normally used to fire the units which heat process fluids.
Control of the burner system is critical in order to avoid firebox explosions and uncontrolled heater fires
due to malfunctions and deterioration of the heat transfer tubes. Microprocessor computers are used to
manage and control the burner system.
 Process Controls 115

Bibliography

1. American Petroleum Institute (API), RP 14F. Recommended Practice for Design and Installation of Electrical
Systems for Offshore Production Platforms, Third Edition, API, Washington, D.C. 1991.

2. American Petroleum Institute, (API) RP 540, Electrical Installations in Petroleum Processing Plants, Third Edition,
API, Washington, D.C., 1991.

3. American Petroleum Institute (API), RP 55 1. Process Management Instrumentation, First Edition, API, Washington,
D.C. 1993.

4. Center for Chemical Process Safety (CCPS), Guidelines for Design for Process Safety, American Institute of
Chemical Engineers (AIChE), New York, NY, 1993.

5. Fisher, T. G., Alarm and Interlock Systems, Instrument Society of America, (ISA), Durham, NC, 1984.