SlideShare a Scribd company logo

Fault detection consequence

Download as PPT, PDF
Mahbub Rashid, profile picture
Mahbub Rashid

1) The document discusses fault detection, consequence prevention, and control of defeat for critical systems. It provides information on designing redundancy, diagnostics, and fault tolerance to ensure systems can still function even if a component fails. 2) When taking a critical safety device out of service for maintenance, a formal Control of Defeat process is required to provide alternate protection and notify all relevant parties of the change. 3) Failure to follow proper Control of Defeat procedures when disabling a critical safety device, such as switching off a collision warning system without plans for alternate protection, can have severe consequences like loss of life if an incident occurs.

Engineering
1 of 51
Downloaded 45 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
Fault Detection, Consequence Prevention, and Control of Defeat “To find fault is easy; to do better may be difficult” -- Plutarch Harry J. Toups LSU Department of Chemical Engineering with significant material from SACHE 2003 Workshop presentation by Max Hohenberger (ExxonMobil)
2/52 Fault Detection / Consequence Prevention
Fault Detection / Consequence Prevention • Fault – The partial or total failure of a device. • Detection – The ability to recognize the functional ability of a device. • Consequence – Something produced by a cause or following from a set of conditions. • Prevention – The ability to overcome an undesirable outcome from a given set of conditions or circumstances. 3/52
Why are We Interested? • We want Fault Tolerance • Fault Tolerance – The extent to which a process or system will continue to operate at a defined performance level even though one or more of its components are malfunctioning. • Why? 4/52 Safety Reliability
Fault Recognition • Whether it’s … – the temperature input to a reactor trip system – the elevator controls on a Boeing 747, or – the safety shutdown for a high pressure boiler, • You can’t address what you don’t know is broken. 5/52
Fault Detection – Designed In • Deviation Alarm – Value of the sensor is automatically compared with redundant sensors for validity checking – If the difference exceeds a preset tolerance, an alarm is triggered. • Diagnostics – Real-time artificial intelligence that compares current status bits for conformance with pre-defined rules. – Alarms are generated whenever the rules are violated. 6/52
Failure Modes and Design • Fail-Action (Fail-Safe) – If a fault occurs or the energy source is lost, the protective system initiates the protective action. Also known as a de-energize-to-trip design. • Fail-No-Action (Fail-to-Danger) – If a fault occurs or the energy source is lost, the protective system will not be able to take the desired protective action. Also known as an energize-to-trip design. 7/52
Fault Detection – Designed In •• Testing – Simulated process demand conditions are imposed on the system to verify functionality & find any hidden faults. – Provisions are made in the design to facilitate on-line testing as much as possible. – If a fault is detected, repairs are made ASAP to restore full protective functionality. – In cases where repairs cannot be readily accomplished, alternate protection is placed in service or operations are taken Cto aO stabNle, saTfe sRtate OuntilL the reopaifrs caDn beE maFde.EAT 8/52
Fault Tolerance – Designed In • Redundancy – The ability to tolerate faults is enhanced by the use of multiple components. This includes such things as redundant sensors/logic solvers/output devices. • Multiple Sensors – Multiple input devices which can be used for voting/validity checking/median value selection. • Independent Technologies – Use of different sensor/ output types to avoid common cause failure modes. 9/52
Fault Tolerance – Designed In • Triple Modular Redundant (TMR) – Three independent Programmable Logic Controllers (PLC) used in a (2-out-of-3) voting arrangement such that the loss of any single processor (or any component) will not result in loss of the protective function, nor in an unnecessary trip • Redundant Outputs – Two or more final elements, each independently capable of providing the desired protective function, used in tandem with each other. 10/52
Fault Tolerance – Standards • Safety Instrument System (SIS) – The instrumentation or controls that are responsible for bringing a process to a safe state in the event of a failure. • Safety Integrity Level (SIL) – A statistical representation of the availability of a Safety Instrument System (SIS) at the time of a process demand. 11/52
Safety Integrity Level – SIL • Average probability-to-fail-on-demand (PFDavg) – A statistical measurement of how likely it is that a process, system, or device will be operating and ready to serve the function for which it is intended. System PFDavg Sensors PFDavg Valves PFDavg Controller PFDavg = + + 0.000309 0.000256 0.0000333 0.00002 12/52 = + + • Meets SIL 3 specification (less than 0.001)
Fault Tolerance – TMR System 13/52 • NO single point of failure • Very high Safety Integrity Level (SIL) • Comprehensive diagnostics and online repair • MTTF can exceed 1000 years!
Fault Tolerance – Designed In • Fault tolerant designs to avoid common cause failures for multiple I/O and logic solvers: – Use of separate taps for multiple sensors – Use of multiple power sources – Distribution of I/O to prevent single card failure from impacting all I/O related to a single function – Use of redundant/distributed wiring paths – Environmental controls for moisture, lightning, etc – Rigorous factory acceptance and site use testing. 14/52
Fault Tolerance – TMR System Typical Architecture Model 15/52
Fault Tolerance • Simplex System (single input/single logic solver/ single output) – A single fault results in the loss of protection and/or unnecessary shutdown. • Redundant System (multiple inputs/multiple processors/multiple outputs) – A single fault will result in an immediate alarm but will not result in loss of protection nor in an unnecessary shutdown. 16/52
Fault Tolerance • Fault Tolerant Designs/Methods: – Use of analog transmitters versus switches – Use of sealed capillary transmitters versus wet-leg 17/52 sensors – Positive feedback on output circuits – Slight time delay on most trip inputs – Fireproofing on critical actuators/circuits to give increased operating time before failure in the event of a fire
Typical TMR Applications • Emergency Shutdown Systems • Burner Management Systems • Fire and Gas Systems • Critical Turbomachinery Control • Railway Switching • Semiconductor Life Safety Systems • Nuclear Safety Systems 18/52
Fault Tolerance / Consequence Prevention • Interactive training of operations/maintenance personnel on protective system operation • Simulated emergency training, both initial and refresher. • Evergreen review of protective system adequacy based on unit changes, performance history, unit manning, etc. • Design verification through both qualitative and quantitative review exercises. 19/52
Fault Response • Covert Faults – Hidden or non-self revealing faults. – Since there is no fault detection, there is no fault response. – This could result in a fail-to-danger situation. – Such a fault would normally only be found during periodic manual testing w/o smart diagnostics. 20/52
Fault Response • Overt Faults/Simplex system – Obvious or self-revealing faults – Overt faults in simplex systems normally result in an unnecessary shutdown. – The majority of protective system designs are fail-safe, so the process goes to the safe state upon a single overt fault condition. 21/52
22/52 Fault Response • Overt Faults/Redundant Systems – Normal result of a single overt fault is an alarm with a degradation from a 2-o-o-3 voting system to a 1-o-o-2 voting system – Any subsequent fault would result in the designed protective system action – The protective system may take additional precautionary action to minimize the consequences of any further faults as shown on the following slide.
Fault Response • Overt Faults/Redundant Systems: (continued) – Upon fault detection, the system may take one of a number of options, depending on fault and potential consequence: • Continue at full production rates with alarm only • Gracefully decrease process to lower rates • Implement a total process shutdown. – Upon fault detection, a COD would be implemented, alternate protection put in place, and repair would be implemented ASAP to restore functionality and reliability. 23/52
Next Level of Improvements • Improved alarm suppression to prevent the major alarm flood associated with a rapidly degrading process situation: – Safety Critical alarms always remain active – Operations Critical alarms temporarily suppressed by conscious operator action. – Operations Important alarms automatically suppressed until sufficient process stability returns. 24/52
Humorous Alarm Flood Example 25/52
Next Level of Improvements • Improved diagnostic capabilities for sensors, logic solvers, and final elements – This includes process condition sensing, such as for lead line fouling, icing, valve sticking, etc. – Additional / advanced use of artificial intelligence would be one possibility for further enhancements in this area. 26/52
Next Level of Improvements • Improved on-line, self-testing capability of sensors and final elements: – Testing needs to be non-disruptive to process but sufficient to be representative of device capability – Automatically initiated (time or condition based) and self-documenting 27/52
Next Level of Improvements • Guidelines/standards around the use of spread spectrum radio equipment for critical system applications – Remote applications – Eliminate ground loop / ground plane issues – Immune to interference – Natural path to redundancy 28/52
Next Level of Improvements Where are faults occurring in protective systems? 29/52 Sensor 40% Final Element 55% Logic Solver 5%
Next Level of Improvements Where is the lion’s share of research in reliability/diagnostics/base innovations being seen? 30/52 Sensor 25% Final Element 15% Logic Solver 60%
31/52 Control of Defeat
Definition of a Critical Device* • A Critical Device is the last line of defense against, or would be used to mitigate the consequences of, a significant undesirable process incident • Consequence include the following: – An uncontrolled, major loss of containment of a toxic or highly flammable material – Likely result in severe personal injuries, illness or death – Present immediate risk to plant personnel, the community, or the environment * Critical means a Safety/Health/Environ. Critical 32/52
Examples of Critical Devices • Pressure relief valves in safety service • Emergency Shutdown Systems and associated measurement and action components 33/52
Control of Defeat (COD) • When a S/H/E Critical Device is taken out of on-line service for any reason, defeating its ability to perform its intended function, a formal Control of Defeat (COD) must be implemented to ensure that: – Suitable alternate protection is provided – All potentially impacted parties are fully informed for the entire duration of the Defeat – The device is properly returned to service following the outage 34/52
Why Properly Use Control of Defeat? 35/52 Same Exact Unit Without Proper Use of COD With Proper COD Usage
Prerequisites for Defeating • A Critical Device should only be Defeated if it is necessary to prevent a greater risk or to perform a Test/PM/Repair of the Device. • A Critical Device should not be Defeated if: – Suitable alternate protection cannot be provided – The unit is in an upset condition (current condition is not stable or outside of defined normal operating window; i.e, starting up, shutting down, running a controlled test, etc.). 36/52
COD Documentation • One of the benefits of the full, complete use of COD documentation is that it serves as a checklist to help people think through: – Potential safety implications of taking a Critical Device out of full, on-line service – The viability/manageability of the planned alternate protection – The importance of returning the Critical Device properly to on-line service in a timely fashion 37/52
Initial Defeat • A Defeat during the first shift out-of-service is called the Initial Defeat • It must be approved by the Operations 1st- Line Supervisor (FLS) and posted in a prominent, known location • It must be communicated to the 2nd-Line Supervisor (SLS) 38/52
Extended Defeat • If a Critical Device Defeat is in place longer than the first shift, the FLS must approve Extended Defeat and inform the affected personnel • Each/every succeeding oncoming shift FLS must inform their team of the Defeat • If the Defeat lasts more than 7 days, the SLS must approve Long-Term Defeat and notify upper management 39/52
Long-Term Defeat • If the Defeat of a Critical Device lasts longer than 7 days, a Long-Term Defeat Plan must implemented. This plan must include: – The reason for the extension – Any additional precautions – Any additional communications needs – The projected length of the extension 40/52
COD Documentation • All COD’s, regardless of length, require full and proper completion of the following: – Date/Time Defeated – Device/System Defeated – Reason for the Defeat – Defeat Plan – Notification of all affected parties – Approval by the appropriate level – Notification of the appropriate higher level – Proper lineup/return to service sign-off – COD closeout sign-off 41/52
COD Compliance Issues • Omission of or improper completion of one/more of the requirements listed previously; e.g., inadequate alternate protection or failure to sign/initial • Failure to use a Control of Defeat when taking a Critical Device out of full, on-line service for Testing/PM/Repair/etc. • Failure to properly return a Critical Device to on-line service 42/52
Alternate Protection Plan • How a process demand will be mitigated while a Critical Device is Defeated • The alternate protection needs to be written in sufficient detail so that operations backfill can adequately execute the plan • In many cases, the initiator will not be available for consultation as her/his shift is finished 43/52
Is a COD Needed for This Work? • A low level alarm is going to be tested by actually lowering the vessel level. NO – The level device is always available for an actual process demand. 44/52
Is a COD Needed for This Work? • A low level alarm is going to be tested by blocking the instrument line to the vessel and bleeding the line to simulated a low level YES – While the instrument is blocked out from the vessel, the level alarm is not available for an actual process demand, therefore alternate protection is needed 45/52
Is a COD Needed for This Work? • It’s only going to take 2 minutes to do the test, and it takes longer than that to fill out the COD. A caution note on a procedure is sufficient to manage the risk. YES – Even though the intended outage is only 2 minutes, the testing could be interrupted by a unit upset, the weather, etc., alternate protection may be inadequate, it’s more likely that the device may not be returned to service 46/52
Is a COD Needed for This Work? • The assistant operator is working with the instrument tech, and they are both in radio contact with the Operations Center YES – While radio contact might be an integral part of the alternate protection, a COD ensures that all other potentially impacted parties are informed, alternate protection is used, and the Critical Device is returned to on-line service when the activity is completed 47/52
Is a COD Needed for This Work? • A Critical Device is found broken and needs to be repaired. The device will be out of service until repairs are completed YES – Regardless of how long the repairs will take (even if during the same shift as discovered), a COD should be initiated once a Critical Device is discovered to be incapable of providing the required protection. It must stay in force until the Critical Device is returned to full, on-line service 48/52
Real Life COD Failure Example • “The (collision warning) system was not working at the time …” – Roger Gaberelle, a spokesman for Swiss air traffic controllers. • “Swiss air traffic controllers said on Wednesday an automatic collision warning system had been switched off for maintenance when two jets crashed into each other over Germany, killing 71 people.” – Reuters (July 2002) 50/52
51/52 C OD Failure Example
Control of Defeat Knowledge 52/52 Make Sure You Have It ... Before You Really Need It!

More Related Content

PPTX
Basics of process fault detection and diagnostics
Rahul Dey
 
PPT
Diagnostic process
Hezzy Burton
 
PDF
CBM Fault Detection by Carl Byington
Carl Byington
 
PDF
Reliability and clock synchronization
Sri Manakula Vinayagar Engineering College
 
PDF
Dependable Systems - Structure-Based Dependabiilty Modeling (6/16)
Peter Tröger
 
PPTX
FAILURE MODE EFFECT ANALYSIS
ANOOPA NARAYANAN
 
PPTX
Failure Mode Effect Analysis - FMEA
Sasidharan Manivannan
 
PDF
SRE Tools
Gurbakash Phonsa
 
Basics of process fault detection and diagnostics
Rahul Dey
 
Diagnostic process
Hezzy Burton
 
CBM Fault Detection by Carl Byington
Carl Byington
 
Reliability and clock synchronization
Sri Manakula Vinayagar Engineering College
 
Dependable Systems - Structure-Based Dependabiilty Modeling (6/16)
Peter Tröger
 
FAILURE MODE EFFECT ANALYSIS
ANOOPA NARAYANAN
 
Failure Mode Effect Analysis - FMEA
Sasidharan Manivannan
 
SRE Tools
Gurbakash Phonsa
 

What's hot (20)

PDF
Smart Maintenance engineering
Michel Mafumba
 
PPTX
Advanced HRA Studies
Anand Kumar
 
PDF
Testing Autonomous Cars for Feature Interaction Failures using Many-Objective...
Lionel Briand
 
PPTX
Dft (design for testability)
shaik sharief
 
PDF
Exploring Failure Transparency and the Limits of Generic Recovery
Miro Cupak
 
PDF
Chapter 4 - Defect Management
Neeraj Kumar Singh
 
PDF
Dependable Systems - Hardware Dependability with Diagnosis (13/16)
Peter Tröger
 
PPTX
Tug Ot Prez 2010 050510
Deb Ahlgren
 
PPTX
types of testing in software engineering
preetikapri1
 
PDF
Decision Support for Security-Control Identification Using Machine Learning
Lionel Briand
 
PDF
Faultdec
Joydeb Roy Chowdhury
 
PPTX
Review journal CA pRNG with global loop non-uniform rule control
daraaulia Feryando
 
PDF
Metamorphic Security Testing for Web Systems
Lionel Briand
 
PDF
Failure mode effect_analysis_fmea
Jitesh Gaurav
 
PPT
Pascual Imec06
Rodrigo Pascual
 
PDF
Review Paper on Recovery of Data during Software Fault
AM Publications
 
PDF
Open-Source Security Management and Vulnerability Impact Assessment
Priyanka Aash
 
PDF
IRJET- Intrusion Detection based on J48 Algorithm
IRJET Journal
 
DOCX
A Document to become an Effective Tester
Arunkumar Nehru KS
 
PDF
100 most popular software testing terms
apurvaorama
 
Smart Maintenance engineering
Michel Mafumba
 
Advanced HRA Studies
Anand Kumar
 
Testing Autonomous Cars for Feature Interaction Failures using Many-Objective...
Lionel Briand
 
Dft (design for testability)
shaik sharief
 
Exploring Failure Transparency and the Limits of Generic Recovery
Miro Cupak
 
Chapter 4 - Defect Management
Neeraj Kumar Singh
 
Dependable Systems - Hardware Dependability with Diagnosis (13/16)
Peter Tröger
 
Tug Ot Prez 2010 050510
Deb Ahlgren
 
types of testing in software engineering
preetikapri1
 
Decision Support for Security-Control Identification Using Machine Learning
Lionel Briand
 
Faultdec
Joydeb Roy Chowdhury
 
Review journal CA pRNG with global loop non-uniform rule control
daraaulia Feryando
 
Metamorphic Security Testing for Web Systems
Lionel Briand
 
Failure mode effect_analysis_fmea
Jitesh Gaurav
 
Pascual Imec06
Rodrigo Pascual
 
Review Paper on Recovery of Data during Software Fault
AM Publications
 
Open-Source Security Management and Vulnerability Impact Assessment
Priyanka Aash
 
IRJET- Intrusion Detection based on J48 Algorithm
IRJET Journal
 
A Document to become an Effective Tester
Arunkumar Nehru KS
 
100 most popular software testing terms
apurvaorama
 
Ad

Similar to Fault detection consequence (20)

PPT
fault-dectecting oil and gas process safety
Okeke Livinus
 
PPT
Safety system
jafarhosseini123
 
PPTX
Functional safety by FMEA/FTA
mehmor
 
PPTX
Domino Effect and Analysis | Gaurav Singh Rajput
Gaurav Singh Rajput
 
PDF
Risk management and business protection with Coding Standardization & Static ...
Itris Automation Square
 
PPTX
Domino Effect and Analysis | Relaibility Analysis | Unavailability Analysis
Gaurav Singh Rajput
 
PPT
Chapter- Five fault powers poin lecture
borchala1
 
PPT
2011-05-02 - VU Amsterdam - Testing safety critical systems
Jaap van Ekris
 
PDF
The watchdog is a main component in the protection scheme
Edouard Murat
 
PPT
Basics of railway principles
Shiv Mohan CEng, PMP, PGDBA ,MIRSE,MIEEE,MIET
 
PPTX
Fault tolerance techniques
ECEDepartmentJSREC
 
PDF
2016-04-28 - VU Amsterdam - testing safety critical systems
Jaap van Ekris
 
PDF
DCS_Check-Out_and_Operator_Training_with_HYSYS_Dynamics_White_v1.3.pdf
Okeke Livinus
 
PPTX
Testing Safety Critical Systems (10-02-2014, VU amsterdam)
Jaap van Ekris
 
PDF
Null Feb 13
Sundar N
 
PDF
Critical Infrastructure Security Talk At Null Bangalore 13 Feb 2010 Sundar N
null The Open Security Community
 
PPTX
Safety System Modularity
Fasiul Alam
 
PPTX
Contigency analysis and security system taking different cases
fekadewalle
 
PDF
Why SIL3 (ENG)
ie-net ingenieursvereniging vzw
 
PDF
basicsofrailwayprinciples-141015122937-conversion-gate02.pdf
Anoop Mishra
 
fault-dectecting oil and gas process safety
Okeke Livinus
 
Safety system
jafarhosseini123
 
Functional safety by FMEA/FTA
mehmor
 
Domino Effect and Analysis | Gaurav Singh Rajput
Gaurav Singh Rajput
 
Risk management and business protection with Coding Standardization & Static ...
Itris Automation Square
 
Domino Effect and Analysis | Relaibility Analysis | Unavailability Analysis
Gaurav Singh Rajput
 
Chapter- Five fault powers poin lecture
borchala1
 
2011-05-02 - VU Amsterdam - Testing safety critical systems
Jaap van Ekris
 
The watchdog is a main component in the protection scheme
Edouard Murat
 
Basics of railway principles
Shiv Mohan CEng, PMP, PGDBA ,MIRSE,MIEEE,MIET
 
Fault tolerance techniques
ECEDepartmentJSREC
 
2016-04-28 - VU Amsterdam - testing safety critical systems
Jaap van Ekris
 
DCS_Check-Out_and_Operator_Training_with_HYSYS_Dynamics_White_v1.3.pdf
Okeke Livinus
 
Testing Safety Critical Systems (10-02-2014, VU amsterdam)
Jaap van Ekris
 
Null Feb 13
Sundar N
 
Critical Infrastructure Security Talk At Null Bangalore 13 Feb 2010 Sundar N
null The Open Security Community
 
Safety System Modularity
Fasiul Alam
 
Contigency analysis and security system taking different cases
fekadewalle
 
Why SIL3 (ENG)
ie-net ingenieursvereniging vzw
 
basicsofrailwayprinciples-141015122937-conversion-gate02.pdf
Anoop Mishra
 
Ad

Recently uploaded (20)

PPT
introduction to datamining and warehousing
ssuser4ab3a2
 
PPTX
MET 305 2019 SCHEME MODULE 2 COMPLETE.pptx
VinayB68
 
PDF
PRIZ Academy - 9 Windows Thinking Where to Invest Today to Win Tomorrow.pdf
PRIZ Guru
 
PPTX
CARTOGRAPHY AND GEOINFORMATION VISUALIZATION chapter1 NPTE (2).pptx
abhi1361yadav
 
PPTX
Infosys Presentation by1.Riyan Bagwan 2.Samadhan Naiknavare 3.Gaurav Shinde 4...
bapushinde7218
 
PDF
Mohammad Mahdi Farshadian CV - Prospective PhD Student 2026
Educational Group Mohammad Farshadian
 
PPTX
Safety Seminar civil to be ensured for safe working.
DILJEETKUMAR8
 
PPTX
CH1 Production IntroductoryConcepts.pptx
RacemMellouli1
 
DOCX
ASol_English-Language-Literature-Set-1-27-02-2023-converted.docx
AYUSHMANAV
 
PPT
Introduction, IoT Design Methodology, Case Study on IoT System for Weather Mo...
MariaRufina4
 
PPT
Mechanical Engineering MATERIALS Selection
arsalanahmad705384
 
PDF
Digital Logic Computer Design lecture notes
CHINNASUNKAIAH1
 
PPTX
bas. eng. economics group 4 presentation 1.pptx
kiribakimoses1993
 
DOCX
573137875-Attendance-Management-System-original
AYUSHMANAV
 
PPTX
additive manufacturing of ss316l using mig welding
premcdr7799
 
PDF
Enhancing Cyber Defense Against Zero-Day Attacks using Ensemble Neural Networks
IJCNCJournal
 
PDF
Mitigating Risks through Effective Management for Enhancing Organizational Pe...
IJAEMSJORNAL
 
PDF
Evaluating the Democratization of the Turkish Armed Forces from a Normative P...
jpsjournal1
 
PDF
composite construction of structures.pdf
AinieButt1
 
PDF
July 2025 - Top 10 Read Articles in International Journal of Software Enginee...
sebastianku31
 
introduction to datamining and warehousing
ssuser4ab3a2
 
MET 305 2019 SCHEME MODULE 2 COMPLETE.pptx
VinayB68
 
PRIZ Academy - 9 Windows Thinking Where to Invest Today to Win Tomorrow.pdf
PRIZ Guru
 
CARTOGRAPHY AND GEOINFORMATION VISUALIZATION chapter1 NPTE (2).pptx
abhi1361yadav
 
Infosys Presentation by1.Riyan Bagwan 2.Samadhan Naiknavare 3.Gaurav Shinde 4...
bapushinde7218
 
Mohammad Mahdi Farshadian CV - Prospective PhD Student 2026
Educational Group Mohammad Farshadian
 
Safety Seminar civil to be ensured for safe working.
DILJEETKUMAR8
 
CH1 Production IntroductoryConcepts.pptx
RacemMellouli1
 
ASol_English-Language-Literature-Set-1-27-02-2023-converted.docx
AYUSHMANAV
 
Introduction, IoT Design Methodology, Case Study on IoT System for Weather Mo...
MariaRufina4
 
Mechanical Engineering MATERIALS Selection
arsalanahmad705384
 
Digital Logic Computer Design lecture notes
CHINNASUNKAIAH1
 
bas. eng. economics group 4 presentation 1.pptx
kiribakimoses1993
 
573137875-Attendance-Management-System-original
AYUSHMANAV
 
additive manufacturing of ss316l using mig welding
premcdr7799
 
Enhancing Cyber Defense Against Zero-Day Attacks using Ensemble Neural Networks
IJCNCJournal
 
Mitigating Risks through Effective Management for Enhancing Organizational Pe...
IJAEMSJORNAL
 
Evaluating the Democratization of the Turkish Armed Forces from a Normative P...
jpsjournal1
 
composite construction of structures.pdf
AinieButt1
 
July 2025 - Top 10 Read Articles in International Journal of Software Enginee...
sebastianku31
 

Fault detection consequence

  • 1. Fault Detection, Consequence Prevention, and Control of Defeat “To find fault is easy; to do better may be difficult” -- Plutarch Harry J. Toups LSU Department of Chemical Engineering with significant material from SACHE 2003 Workshop presentation by Max Hohenberger (ExxonMobil)
  • 2. 2/52 Fault Detection / Consequence Prevention
  • 3. Fault Detection / Consequence Prevention • Fault – The partial or total failure of a device. • Detection – The ability to recognize the functional ability of a device. • Consequence – Something produced by a cause or following from a set of conditions. • Prevention – The ability to overcome an undesirable outcome from a given set of conditions or circumstances. 3/52
  • 4. Why are We Interested? • We want Fault Tolerance • Fault Tolerance – The extent to which a process or system will continue to operate at a defined performance level even though one or more of its components are malfunctioning. • Why? 4/52 Safety Reliability
  • 5. Fault Recognition • Whether it’s … – the temperature input to a reactor trip system – the elevator controls on a Boeing 747, or – the safety shutdown for a high pressure boiler, • You can’t address what you don’t know is broken. 5/52
  • 6. Fault Detection – Designed In • Deviation Alarm – Value of the sensor is automatically compared with redundant sensors for validity checking – If the difference exceeds a preset tolerance, an alarm is triggered. • Diagnostics – Real-time artificial intelligence that compares current status bits for conformance with pre-defined rules. – Alarms are generated whenever the rules are violated. 6/52
  • 7. Failure Modes and Design • Fail-Action (Fail-Safe) – If a fault occurs or the energy source is lost, the protective system initiates the protective action. Also known as a de-energize-to-trip design. • Fail-No-Action (Fail-to-Danger) – If a fault occurs or the energy source is lost, the protective system will not be able to take the desired protective action. Also known as an energize-to-trip design. 7/52
  • 8. Fault Detection – Designed In •• Testing – Simulated process demand conditions are imposed on the system to verify functionality & find any hidden faults. – Provisions are made in the design to facilitate on-line testing as much as possible. – If a fault is detected, repairs are made ASAP to restore full protective functionality. – In cases where repairs cannot be readily accomplished, alternate protection is placed in service or operations are taken Cto aO stabNle, saTfe sRtate OuntilL the reopaifrs caDn beE maFde.EAT 8/52
  • 9. Fault Tolerance – Designed In • Redundancy – The ability to tolerate faults is enhanced by the use of multiple components. This includes such things as redundant sensors/logic solvers/output devices. • Multiple Sensors – Multiple input devices which can be used for voting/validity checking/median value selection. • Independent Technologies – Use of different sensor/ output types to avoid common cause failure modes. 9/52
  • 10. Fault Tolerance – Designed In • Triple Modular Redundant (TMR) – Three independent Programmable Logic Controllers (PLC) used in a (2-out-of-3) voting arrangement such that the loss of any single processor (or any component) will not result in loss of the protective function, nor in an unnecessary trip • Redundant Outputs – Two or more final elements, each independently capable of providing the desired protective function, used in tandem with each other. 10/52
  • 11. Fault Tolerance – Standards • Safety Instrument System (SIS) – The instrumentation or controls that are responsible for bringing a process to a safe state in the event of a failure. • Safety Integrity Level (SIL) – A statistical representation of the availability of a Safety Instrument System (SIS) at the time of a process demand. 11/52
  • 12. Safety Integrity Level – SIL • Average probability-to-fail-on-demand (PFDavg) – A statistical measurement of how likely it is that a process, system, or device will be operating and ready to serve the function for which it is intended. System PFDavg Sensors PFDavg Valves PFDavg Controller PFDavg = + + 0.000309 0.000256 0.0000333 0.00002 12/52 = + + • Meets SIL 3 specification (less than 0.001)
  • 13. Fault Tolerance – TMR System 13/52 • NO single point of failure • Very high Safety Integrity Level (SIL) • Comprehensive diagnostics and online repair • MTTF can exceed 1000 years!
  • 14. Fault Tolerance – Designed In • Fault tolerant designs to avoid common cause failures for multiple I/O and logic solvers: – Use of separate taps for multiple sensors – Use of multiple power sources – Distribution of I/O to prevent single card failure from impacting all I/O related to a single function – Use of redundant/distributed wiring paths – Environmental controls for moisture, lightning, etc – Rigorous factory acceptance and site use testing. 14/52
  • 15. Fault Tolerance – TMR System Typical Architecture Model 15/52
  • 16. Fault Tolerance • Simplex System (single input/single logic solver/ single output) – A single fault results in the loss of protection and/or unnecessary shutdown. • Redundant System (multiple inputs/multiple processors/multiple outputs) – A single fault will result in an immediate alarm but will not result in loss of protection nor in an unnecessary shutdown. 16/52
  • 17. Fault Tolerance • Fault Tolerant Designs/Methods: – Use of analog transmitters versus switches – Use of sealed capillary transmitters versus wet-leg 17/52 sensors – Positive feedback on output circuits – Slight time delay on most trip inputs – Fireproofing on critical actuators/circuits to give increased operating time before failure in the event of a fire
  • 18. Typical TMR Applications • Emergency Shutdown Systems • Burner Management Systems • Fire and Gas Systems • Critical Turbomachinery Control • Railway Switching • Semiconductor Life Safety Systems • Nuclear Safety Systems 18/52
  • 19. Fault Tolerance / Consequence Prevention • Interactive training of operations/maintenance personnel on protective system operation • Simulated emergency training, both initial and refresher. • Evergreen review of protective system adequacy based on unit changes, performance history, unit manning, etc. • Design verification through both qualitative and quantitative review exercises. 19/52
  • 20. Fault Response • Covert Faults – Hidden or non-self revealing faults. – Since there is no fault detection, there is no fault response. – This could result in a fail-to-danger situation. – Such a fault would normally only be found during periodic manual testing w/o smart diagnostics. 20/52
  • 21. Fault Response • Overt Faults/Simplex system – Obvious or self-revealing faults – Overt faults in simplex systems normally result in an unnecessary shutdown. – The majority of protective system designs are fail-safe, so the process goes to the safe state upon a single overt fault condition. 21/52
  • 22. 22/52 Fault Response • Overt Faults/Redundant Systems – Normal result of a single overt fault is an alarm with a degradation from a 2-o-o-3 voting system to a 1-o-o-2 voting system – Any subsequent fault would result in the designed protective system action – The protective system may take additional precautionary action to minimize the consequences of any further faults as shown on the following slide.
  • 23. Fault Response • Overt Faults/Redundant Systems: (continued) – Upon fault detection, the system may take one of a number of options, depending on fault and potential consequence: • Continue at full production rates with alarm only • Gracefully decrease process to lower rates • Implement a total process shutdown. – Upon fault detection, a COD would be implemented, alternate protection put in place, and repair would be implemented ASAP to restore functionality and reliability. 23/52
  • 24. Next Level of Improvements • Improved alarm suppression to prevent the major alarm flood associated with a rapidly degrading process situation: – Safety Critical alarms always remain active – Operations Critical alarms temporarily suppressed by conscious operator action. – Operations Important alarms automatically suppressed until sufficient process stability returns. 24/52
  • 25. Humorous Alarm Flood Example 25/52
  • 26. Next Level of Improvements • Improved diagnostic capabilities for sensors, logic solvers, and final elements – This includes process condition sensing, such as for lead line fouling, icing, valve sticking, etc. – Additional / advanced use of artificial intelligence would be one possibility for further enhancements in this area. 26/52
  • 27. Next Level of Improvements • Improved on-line, self-testing capability of sensors and final elements: – Testing needs to be non-disruptive to process but sufficient to be representative of device capability – Automatically initiated (time or condition based) and self-documenting 27/52
  • 28. Next Level of Improvements • Guidelines/standards around the use of spread spectrum radio equipment for critical system applications – Remote applications – Eliminate ground loop / ground plane issues – Immune to interference – Natural path to redundancy 28/52
  • 29. Next Level of Improvements Where are faults occurring in protective systems? 29/52 Sensor 40% Final Element 55% Logic Solver 5%
  • 30. Next Level of Improvements Where is the lion’s share of research in reliability/diagnostics/base innovations being seen? 30/52 Sensor 25% Final Element 15% Logic Solver 60%
  • 32. Definition of a Critical Device* • A Critical Device is the last line of defense against, or would be used to mitigate the consequences of, a significant undesirable process incident • Consequence include the following: – An uncontrolled, major loss of containment of a toxic or highly flammable material – Likely result in severe personal injuries, illness or death – Present immediate risk to plant personnel, the community, or the environment * Critical means a Safety/Health/Environ. Critical 32/52
  • 33. Examples of Critical Devices • Pressure relief valves in safety service • Emergency Shutdown Systems and associated measurement and action components 33/52
  • 34. Control of Defeat (COD) • When a S/H/E Critical Device is taken out of on-line service for any reason, defeating its ability to perform its intended function, a formal Control of Defeat (COD) must be implemented to ensure that: – Suitable alternate protection is provided – All potentially impacted parties are fully informed for the entire duration of the Defeat – The device is properly returned to service following the outage 34/52
  • 35. Why Properly Use Control of Defeat? 35/52 Same Exact Unit Without Proper Use of COD With Proper COD Usage
  • 36. Prerequisites for Defeating • A Critical Device should only be Defeated if it is necessary to prevent a greater risk or to perform a Test/PM/Repair of the Device. • A Critical Device should not be Defeated if: – Suitable alternate protection cannot be provided – The unit is in an upset condition (current condition is not stable or outside of defined normal operating window; i.e, starting up, shutting down, running a controlled test, etc.). 36/52
  • 37. COD Documentation • One of the benefits of the full, complete use of COD documentation is that it serves as a checklist to help people think through: – Potential safety implications of taking a Critical Device out of full, on-line service – The viability/manageability of the planned alternate protection – The importance of returning the Critical Device properly to on-line service in a timely fashion 37/52
  • 38. Initial Defeat • A Defeat during the first shift out-of-service is called the Initial Defeat • It must be approved by the Operations 1st- Line Supervisor (FLS) and posted in a prominent, known location • It must be communicated to the 2nd-Line Supervisor (SLS) 38/52
  • 39. Extended Defeat • If a Critical Device Defeat is in place longer than the first shift, the FLS must approve Extended Defeat and inform the affected personnel • Each/every succeeding oncoming shift FLS must inform their team of the Defeat • If the Defeat lasts more than 7 days, the SLS must approve Long-Term Defeat and notify upper management 39/52
  • 40. Long-Term Defeat • If the Defeat of a Critical Device lasts longer than 7 days, a Long-Term Defeat Plan must implemented. This plan must include: – The reason for the extension – Any additional precautions – Any additional communications needs – The projected length of the extension 40/52
  • 41. COD Documentation • All COD’s, regardless of length, require full and proper completion of the following: – Date/Time Defeated – Device/System Defeated – Reason for the Defeat – Defeat Plan – Notification of all affected parties – Approval by the appropriate level – Notification of the appropriate higher level – Proper lineup/return to service sign-off – COD closeout sign-off 41/52
  • 42. COD Compliance Issues • Omission of or improper completion of one/more of the requirements listed previously; e.g., inadequate alternate protection or failure to sign/initial • Failure to use a Control of Defeat when taking a Critical Device out of full, on-line service for Testing/PM/Repair/etc. • Failure to properly return a Critical Device to on-line service 42/52
  • 43. Alternate Protection Plan • How a process demand will be mitigated while a Critical Device is Defeated • The alternate protection needs to be written in sufficient detail so that operations backfill can adequately execute the plan • In many cases, the initiator will not be available for consultation as her/his shift is finished 43/52
  • 44. Is a COD Needed for This Work? • A low level alarm is going to be tested by actually lowering the vessel level. NO – The level device is always available for an actual process demand. 44/52
  • 45. Is a COD Needed for This Work? • A low level alarm is going to be tested by blocking the instrument line to the vessel and bleeding the line to simulated a low level YES – While the instrument is blocked out from the vessel, the level alarm is not available for an actual process demand, therefore alternate protection is needed 45/52
  • 46. Is a COD Needed for This Work? • It’s only going to take 2 minutes to do the test, and it takes longer than that to fill out the COD. A caution note on a procedure is sufficient to manage the risk. YES – Even though the intended outage is only 2 minutes, the testing could be interrupted by a unit upset, the weather, etc., alternate protection may be inadequate, it’s more likely that the device may not be returned to service 46/52
  • 47. Is a COD Needed for This Work? • The assistant operator is working with the instrument tech, and they are both in radio contact with the Operations Center YES – While radio contact might be an integral part of the alternate protection, a COD ensures that all other potentially impacted parties are informed, alternate protection is used, and the Critical Device is returned to on-line service when the activity is completed 47/52
  • 48. Is a COD Needed for This Work? • A Critical Device is found broken and needs to be repaired. The device will be out of service until repairs are completed YES – Regardless of how long the repairs will take (even if during the same shift as discovered), a COD should be initiated once a Critical Device is discovered to be incapable of providing the required protection. It must stay in force until the Critical Device is returned to full, on-line service 48/52
  • 49. Real Life COD Failure Example • “The (collision warning) system was not working at the time …” – Roger Gaberelle, a spokesman for Swiss air traffic controllers. • “Swiss air traffic controllers said on Wednesday an automatic collision warning system had been switched off for maintenance when two jets crashed into each other over Germany, killing 71 people.” – Reuters (July 2002) 50/52
  • 50. 51/52 C OD Failure Example
  • 51. Control of Defeat Knowledge 52/52 Make Sure You Have It ... Before You Really Need It!

Editor's Notes

  • #3: ## * * 07/16/96
  • #4: ## * * 07/16/96
  • #5: ## * * 07/16/96
  • #6: ## * * 07/16/96
  • #7: ## * * 07/16/96
  • #8: ## * * 07/16/96
  • #9: ## * * 07/16/96
  • #10: ## * * 07/16/96
  • #11: ## * * 07/16/96
  • #12: ## * * 07/16/96
  • #13: ## * * 07/16/96
  • #14: ## * * 07/16/96
  • #15: ## * * 07/16/96
  • #16: ## * * 07/16/96
  • #17: ## * * 07/16/96
  • #18: ## * * 07/16/96
  • #19: ## * * 07/16/96
  • #20: ## * * 07/16/96
  • #21: ## * * 07/16/96
  • #22: ## * * 07/16/96
  • #23: ## * * 07/16/96
  • #24: ## * * 07/16/96
  • #25: ## * * 07/16/96
  • #27: ## * * 07/16/96
  • #28: ## * * 07/16/96
  • #29: ## * * 07/16/96
  • #30: ## * * 07/16/96
  • #31: ## * * 07/16/96
  • #32: ## * * 07/16/96
  • #51: ## * * 07/16/96
  • #52: ## * * 07/16/96