Product category: Machine Safety Monitoring and Control
News Release from: ICS Triplex | Subject: Trusted Triple Modular Redundancy safety system
Edited by the Engineeringtalk Editorial Team on 04 February 2000
Safety and fault tolerance attained in Sicily
A sophisticated multi-functional control system is at the heart of a new Liquid Petroleum Gas (LPG) storage plant coming on stream to replace an existing facility at the Raffineria di Milazzo (Refinery of Milazzo) on the island of Sicily. During the design stage the operators realised that the control system architecture would be complex, so an early decision was made to specify a fault tolerant control system certified to TÜV AK6.
Following competitive bidding, ICS Triplex was selected for an integrated turn-key control and safety solution, and Snamprogetti Sud was appointed as contractor.
"Trusted, our Triple Modular Redundancy (TMR) safety system is fault tolerant," explains Antonio Invernizzi of ICS's Italian office in Milan.
"This means it recognises faults and isolates them while maintaining the system's safety performance at 100 per cent.
Overall availability is therefore higher than with other systems, so that neither productivity nor safety are ever compromised."
The operators made an early decision to provide both Emergency Shut Down (ESD) and Fire & Gas (F&G) detection from one system.
"This saved the complications of installing and integrating separate systems for each function," says Invernizzi, "and the resultant 600 I/O count is well within Trusted capabilities."
Trusted has been certified by TÜV to DIN V VDE 0801 RC(AK)6, confirming its suitability for use in emergency shut-down, fire and gas and other critical control applications.
A key benefit of the Trusted TMR concept is its exceptional availability, which translates to more plant up time and greater production combined with the highest levels of safety.
This is achieved by the fault tolerance of the TMR architecture, which identifies and outvotes processor mismatches to keep running safely in the presence of a fault, almost entirely eliminating spurious plant trips.
Trusted employs a hardware implemented, fault tolerant (HIFT) voting system that cuts software complexity.
At Milazzo the ESD/F&G system is connected to a 600 I/O Distributed Control System (DCS) and to the Uninterruptible Power Supply (UPS), which was also installed by ICS Triplex.
The control cabinets for all three systems are located in a 'technical room' and they communicate via a co-axial cable network with the remote main control room located 600m away as a safety precaution.
The control room contains supervisory VDUs for the DCS and Trusted ESD/F&G system.
It also houses an auxiliary Trusted system run as a hot standby, which communicates with the primary system over a dual fibre optic Ethernet link for extra security.
This has auxiliary consoles based upon manual push buttons and simple alarm indicators, so that they are intuitive and can be used by the operators in an emergency.
The Trusted system also communicates with the refinery fire station, over a kilometre away, where it drives a mimic panel so that fire-fighters have an up-to-the-minute view of the plant's safety status.
The DCS also communicates with a tank gauging system and a motorised valve control station.
As the various users of the system will have different operational requirements, ICS's designers decided that selecting the communications method for various links within the system should be done in conjunction with Milazzo's development team and the relevant 'information users' for each subsystem.
The final configuration that was decided upon includes: a dual serial link between the Trusted ESD/F&G and the DCS; peer-to-peer fibre optics between the primary and secondary Trusted systems; dual fibre for all communications between the technical room and the remote fire station mimic panel; and two serial links to connect the DCS to the tank gauging system and the valve control station.
