Industrial Internet of Things in safety applications
Safety on the Internet? Maybe not yet, but there are ways IIoT applications can supplement a safety instrumented system
By Mark Menezes, PE
The Internet of Things (IoT) leverages low-cost, low-power microprocessors and radios with the Internet to improve the usability, safety, and energy efficiency of common objects in homes and offices. The Industrial Internet of Things (IIoT) can bring the same benefits, while meeting industrial expectations of security and reliability. This article reviews how users in process industries are applying IIoT to improve plant safety. Manufacturers are still a long way from using IIoT to support safety instrumented functions (SIFs) directly in plants handling hazardous products, but it is practical to use the IIoT to help ensure the SIFs can do their job.
Basic safety: Layers of protection
There are many best practices for measurements in safety instrumented system (SIS) applications driven by safety standards and collected industry experience. Safety engineers understand how measurements can be extremely safe under laboratory test conditions referenced in typical failure modes, effects and diagnostic analysis (FMEDA) reports, but they can become unsafe when exposed to real-world conditions. Some of the elevated safety risk is due to interface failures. Other risk factors are caused by increased error and drift under installed conditions. Examples users are advised to consider include:
- impulse line plugging or freezing
- slow sensor or capillary response due to cold temperature
- temperature sensor coating
- signal noise or spiking due to electrical interference
- power supply brownouts
- drift of transmitter due to change in ambient temperature
- zero shift of pressure sensor due to overpressure shock
- erosion or coating of primary flow element
- process fluid density change in level measurement
Of greatest concern are common-cause issues that can affect multiple devices set up to serve as redundant backups for each other. If a common cause could possibly affect all the redundant devices at the same time, it is best to develop a solution based on these three "Ds":
Design: Improve the device or installation practice to minimize the impact on the measurement from the common cause. For example, avoid a slow response for a pressure transmitter due to a cold capillary or impulse line by using a thermally optimized two-oil diaphragm-capillary system transmitter that can be installed directly at the hot process.
Diversity: Select a backup technology that has different characteristics than the primary technology, so the backup does not suffer from the same common cause. For example, when a differential pressure (DP) transmitter is used as the primary level measuring instrument for a boiler drum, it will suffer significant error when liquid density and drum pressure fluctuate. A second DP transmitter will suffer the same problem, so the backup should use a different technology, such as guided-wave radar (GWR). At higher drum pressures, GWR can use dynamic vapor compensation to correct for these conditions.
Diagnostics: Use a diagnostic capability that forces the output to a safe condition if it detects that the measurement is not reliable. If the diagnostic can predict that the measurement is degrading, and maintenance can be alerted in advance, the diagnostic helps operators avoid the problem, which improves reliability as well as safety.
These approaches minimize common-cause risks and improve the overall integrity of SIS measurements. Use the same approaches in the basic process control system (BPCS), because improved operation reduces the demand on the SIS.
All the systems working together to protect a plant, its people, and the community should be built using a concept of layers of protection, so no single failure can cause a catastrophe. During the design process, a layer of protection analysis (LOPA) examines how all the elements work together, so weak areas can be avoided.
The layers are separated into two main categories (figure 1). While the BPCS and SIS minimize the risk of a failure, the layers beyond the SIS minimize the cost and impact to the plant, personnel, and community of a failure that has already occurred. Unfortunately, while failures of devices needed for physical protection or plant emergency response are common, users typically only discover these failures during occasional manual inspections, or when the equipment does not respond in a true emergency. This is where IIoT can help. Pervasive sensing technology, using secure and reliable wireless communication supported by advanced analytics, can replace manual inspections with continuous online monitoring. The benefits are significantly better process safety and reliability, lower cost, and less risk from manual inspections.
Figure 1. With a multiple layer of protection strategy, the first layers are designed to minimize the risk of a safety incident happening. Subsequent layers are designed to reduce the effects once the incident happens, avoiding catastrophe.
Let's look at some examples of where IIoT extensions can strengthen safety applications.
Physical protection layers:
- acoustic monitoring of pressure-relief valves
- pressure monitoring of rupture discs
- ultrasonic monitoring of pipe thickness
- acoustic and temperature monitoring of steam traps
- temperature and partial discharge monitoring of electrical switchgear
Plant emergency response layers:
- temperature and position monitoring of eyewash and safety showers
A pressure-relief valve (PRV) is designed to open when the process pressure approaches the safe limits of the process equipment or piping, releasing excess fluid, typically to the flare. It should only open if both the BPCS and SIS have failed to keep the process within safe limits, so it is set at a pressure just below where the equipment could rupture. A PRV should be a last resort, because excess flaring causes process loss, safety risks, and environmental impacts, usually resulting in penalties. Although the PRV should close itself after the pressure returns to a safe condition, it is common for dirt in the process fluid to prevent it from fully reseating, leading to small ongoing leaks that are difficult to detect. Because PRVs are simple mechanical devices, there are no internal electronic elements capable of providing diagnostic functions. However, new acoustic instruments can be clamped onto the pipe downstream of the PRV to identify a full release immediately, as well as ongoing leaks from incomplete valve seating. PRVs often simmer, releasing small amounts of product before pressure reaches the full release point. An alert operator can use an acoustic instrument to detect simmering, possibly early enough to adjust the process and avoid the release entirely.
Users in hydrocarbon and chemical plants with toxic or hazardous fluids often install a rupture disc just upstream of the PRV (figure 2). The rupture disc is a positive barrier to eliminate the risk of PRV leakage. Where the process contains a corrosive fluid, only the rupture disc is normally wetted, so it is the only part that needs to be made from an expensive, corrosion-resistant metal, while a less expensive material can be used for the PRV. Unfortunately, this approach creates another risk. If a small pinhole leak develops in the rupture disc, any leaked fluid is trapped between the rupture disc and the PRV. This creates a pressurized space between the disc and the PRV, so the disc is pressurized from both sides. Now, instead of bursting at the design pressure, the disc will not burst until the rising process pressure can overcome the backpressure.
Under these conditions, the effective burst pressure increases substantially and may exceed the safe design limit of the process, risking an uncontrolled and potentially catastrophic release to the environment. To prevent this, ASME recommends installing a pressure gauge or instrument between the rupture disc and the PRV to monitor the pressure in the space between the devices. Given that these are typically located in physically inaccessible, hazardous, or toxic environments, wireless pressure gauges are an excellent choice.
Figure 2. ASME UG-127 requires users to monitor the space between the rupture disc and the PRV to ensure no back pressure.
Users in the hydrocarbon processing industries understand the sources of corrosion and erosion in their processes and where they tend to have the greatest detrimental effect. Engineers carefully design piping and other mechanical systems to last at least until the next scheduled outage, but in the meantime, they monitor corrosion and erosion hot spots (such as the outside elbows of pipes) at least annually or far more often. Unfortunately, the rate of metal loss of a given asset is not easy to predict and can vary widely day to day, due to changes in flow rate, fluid composition, temperature, pressure, use of corrosion inhibitors, and other factors. Faster-than-expected metal loss can lead to a catastrophic loss of containment over a relatively short period, even weeks or months.
Figure 3. Ultrasonic metal thickness instruments can be mounted on the outside of pipes or vessel walls to measure any metal loss due to erosion or corrosion.
A better approach is online monitoring with nonintrusive sensors clamped to the outside of the pipe or vessel (figure 3). These sensors use ultrasonic technology to continuously measure metal thickness. Extrapolation of the historical trend then determines the rate of metal loss and predicts time to failure. Although a small number of wall-thickness sensors can provide immediate safety and labor benefits from the reduced need for manually inspecting hot spots, the real payback comes when a network of these sensors works with other new and existing devices and expert software. The complete network can include inline coupon-based corrosion/erosion sensors, surface and fluid temperatures, pH, flow, and other variables. Comprehensive, plantwide visibility and prediction of metal loss reduces the risk of a rupture, while allowing the plant to operate more profitably without increasing safety risk:
- extended shutdown intervals
- reduced use of corrosion-inhibiting chemicals
- increased throughput of lower-cost but more corrosive/erosive feedstocks, such as the "opportunity crudes" available to refineries
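The trend extrapolation described above, as an added example (not from the article or any vendor's software): a least-squares fit over wall-thickness readings that reports remaining life from the faster of the whole-history and recent-window loss rates, so a recent acceleration is not averaged away. The readings are constructed, and the 6.0 mm retirement thickness and four-reading window are assumptions.

```python
# Constructed sample: (day, wall thickness in mm) from one clamp-on ultrasonic sensor.
# Loss is slow for 120 days, then accelerates (for example after a feedstock change).
READINGS = [(0, 9.50), (30, 9.47), (60, 9.44), (90, 9.41), (120, 9.38),
            (134, 9.31), (148, 9.24), (162, 9.17), (176, 9.10)]
MIN_THICKNESS_MM = 6.0   # assumed retirement thickness for this line
SHORT_WINDOW = 4         # assumed number of recent readings for the short-term fit


def loss_rate(readings):
    """Least-squares metal-loss rate in mm/day (positive means thinning)."""
    n = len(readings)
    if n < 2:
        raise ValueError("need at least two readings to fit a trend")
    mean_d = sum(d for d, _ in readings) / n
    mean_t = sum(t for _, t in readings) / n
    sxx = sum((d - mean_d) ** 2 for d, _ in readings)
    if sxx == 0:
        raise ValueError("readings must span more than one point in time")
    sxy = sum((d - mean_d) * (t - mean_t) for d, t in readings)
    return -sxy / sxx


def remaining_days(readings, min_thickness, window=SHORT_WINDOW):
    """Days until the wall reaches min_thickness.

    Uses the faster of the whole-history rate and the recent-window rate.
    Returns 0.0 if the wall is already at or below the limit, and None if
    no thinning is measured (no finite prediction).
    """
    current = readings[-1][1]
    if current <= min_thickness:
        return 0.0
    long_rate = loss_rate(readings)
    short_rate = loss_rate(readings[-window:]) if len(readings) >= window else long_rate
    rate = max(long_rate, short_rate)
    if rate <= 0:
        return None
    return (current - min_thickness) / rate


if __name__ == "__main__":
    whole = (READINGS[-1][1] - MIN_THICKNESS_MM) / loss_rate(READINGS)
    print(f"whole-history estimate: {whole:.0f} days")
    print(f"conservative estimate:  {remaining_days(READINGS, MIN_THICKNESS_MM):.0f} days")
```

On this data the whole-history fit alone predicts more than twice the remaining life of the conservative estimate, which is the gap an annual manual inspection would not see.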
Steam traps serve two purposes. First, they ensure steam used for process or space heating is free of condensate and noncondensable gases. Second, they ensure live steam is not returned into the condensate system. Steam traps are mechanical, and most plants try to inspect them at least annually, looking for failures. Malfunctions can have various effects that lead to ongoing wasted energy, reduced production, or worse. In an application where steam is used for freeze protection, a leaky steam trap can lead to a piping system freeze, causing downtime and risks to safety. A cold trap allows accumulation of condensate in the piping system, which can cause a water hammer: the unexpected release of high-pressure steam and condensate with a shockwave capable of causing death, severe injury, or extensive property damage.
As with PRVs, steam traps are mechanical devices and have no internal electronic elements capable of providing diagnostic functions. However, acoustic monitoring devices (figure 4) can be clamped onto the pipe upstream of the steam trap to identify any malfunction. This data tells maintenance exactly which steam trap needs attention, reducing energy cost, improving process throughput, and reducing the risk of freezing. Fixing a cold trap might even prevent a catastrophic piping system failure.
Figure 4. Acoustic monitors can identify common steam trap failure modes and report them to maintenance.
Failures of the electrical switchgear can cause process downtime, fires, or explosions. To identify equipment entering the early stages of failure, most plants periodically inspect critical switchgear. Typical testing includes thermal imaging to identify hot spots and partial discharge testing to pinpoint insulation breakdown. Such testing requires inspection windows and must be carried out by trained technicians using specialized equipment, but it still exposes personnel to safety risk. An improved approach is to continuously measure and trend temperatures of suspected hot spots using noncontacting temperature sensors and partial discharge using ultrasonic acoustic sensors (figure 5).
Figure 5. Sensors can be added to electrical switchgear to monitor the condition continuously, reducing the need for inspections.
Eyewash stations and safety showers
To ensure personnel safety, plants should have appropriate numbers of safety showers and eyewash stations distributed through production areas. Of course, their mere presence is not enough; plants must make sure they are all functional and able to deliver clean water at a correct temperature. Moreover, alarms should report any emergency situations to the control room (ANSI Z358.1-2009). Flow and temperature sensors on the water lines and proximity switches (figure 6) on the valves can send the status of these devices wirelessly to the control room. If a worker activates a valve on any station, the control room can dispatch first responders immediately.
Figure 6. Wireless monitoring of flow and activation switches, along with water temperature monitoring, can improve personnel safety with minimal effort.
WirelessHART and analytics
To maximize the safety and reliability benefits, the devices described so far should be monitored continuously from a central location. Although they can be connected via traditional point-to-point wiring, a much more cost-effective approach is to use standards-based wireless technology, such as WirelessHART. This eliminates the need for additional junction boxes, cable trays, control system terminations, and I/O cards. WirelessHART uses a self-organizing mesh network for equal-to-wired data reliability. It is protected by multitiered, always-on security.
Ideally, the equipment supplier should provide not just devices, but analytical software (figure 7) to interpret the signals from existing wired and new wireless devices and advise operators and maintenance technicians only if action needs to be taken. The system can even describe the nature of the problem and recommend corrective actions to keep the plant safe and reliable.
Figure 7. Data from monitoring devices needs to be analyzed and clearly presented to become useful information able to guide decision making.
Maximize plant safety
Plant designers often think of instrumentation in the context of dedicated systems such as the SIS and the BPCS. But any company looking to maximize plant safety should go beyond these systems by instrumenting additional layers of protection, including physical protection and plant emergency response. New IIoT technology makes this easier and more cost effective than ever.