Reference has been made above to the use of steel-wire armouring to
provide mechanical protection for interconnecting cable, and it is
sometimes argued that armouring provides immunity to interference. This
is not totally correct. Although steel-wire armouring does provide some
degree of protection against magnetic fields, its performance as an electrostatic
screen is poor. For this reason it is essential to use cable with a
braided (or foil) screen, with or without overall steel-wire armour, for all
signal interconnections.
Figure 8.8 shows how an armoured, screened cable is used to connect
between the component parts of a system. It also shows how the various
conductors should be connected to earth.
Because it is very difficult to spot missed, duplicated or badly made
earth connections once a cable installation has been completed, it is vital
that work is properly supervised and very carefully checked during the
installation of a system. In this respect, useful assistance is provided in
standards such as BS 6739:1986 'Code of Practice for instrumentation in
process control systems: installation, design and practice'.
8.9 Reliability of systems
Because of the large numbers of electronic components that are manufactured,
and because component manufacturers keep good records of failure
rates etc., it is fairly easy to obtain statistical information on reliability that
will provide a good indication of the predicted reliability for any given
system. In practical terms, what really matters is the length of time for
which a system will be capable of remaining in operation over the course
of a year or over its operational lifetime. This is governed by both the reliability
of the equipment and the speed with which repairs can be effected.
For example, it would be theoretically possible to construct a very
reliable system by arranging for all functions to be performed by a few
very large-scale integrated (VLSI) circuits connected together without the
use of plug-and-socket connectors. Because VLSI devices are inherently
reliable, and because connectors are a source of failure, such a system would
offer a very high level of reliability. Unfortunately, it would be very
difficult to repair if it did fail.

Figure 8.8 Screening and earthing of cables. (Labels from the diagram: outer
insulation (PVC); screen (copper braid); inner insulation (XLPE); overall
screen (braid or tape); steel-wire armour may be used here; intermediate
junction box, linking incoming and outgoing screens; clean earth busbar in
cubicle, insulated from the cubicle frame; safety electrical earth; a bonding
connection is needed only where the gland does not bond the armour to earth.)
174 Power-plant control and instrumentation
The reliability of any electronic system can be predicted with a high
level of confidence by referring to statistical data produced by manufacturers,
independent test laboratories or bodies such as the defence or
nuclear authorities*. Such data can be used to calculate the predicted
failure rate, or mean time between failures (MTBF), of the system. By
using ultra-reliable components and eliminating all less reliable devices, it
should be possible to achieve an MTBF of perhaps a
million hours of operation (i.e. one fault in just over a century of
operation!). However, if a failure did occur in such a system, locating its
source and repairing the fault would be extremely time-consuming. Here,
another statistical calculation is used: the mean time to repair (MTTR).
This figure is based on factors such as the diagnostic tools available to
locate the source of a fault, the availability of spare parts, and the work
involved in removing the faulty component and then replacing it.
A useful way of looking at the practical aspects of reliability is to
combine the two factors. This leads to another statistic, the system 'availability',
which is a combination of the MTBF and MTTR:

availability = (MTBF x 100)/(MTBF + MTTR).
Using this formula shows that the availability of a system with an MTBF
of 80 000 hours and an eight-hour MTTR is 99.99%. Achieving a mean
time to repair of eight hours is reasonable. This is the time from the fault
occurring, through the process of locating maintenance staff to carry out a
repair, through the fault-finding process, to locating a replacement
component, to installing it and restarting the system. If the diagnostic
tools are very powerful, enabling the source of a fault to be quickly and
easily pinpointed, and if spare printed-circuit cards are mounted nearby
in the system cabinets, already powered (and therefore warmed up), then
it may be possible to reduce the MTTR. If this is cut to, say, four hours,
the same system will offer an availability of 99.995%.
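The availability formula above can be sketched in a few lines of Python (an illustrative helper, not from the original text; the function name is my own):

```python
def availability(mtbf_hours: float, mttr_hours: float) -> float:
    """Percentage availability from the mean time between failures
    (MTBF) and the mean time to repair (MTTR)."""
    return (mtbf_hours * 100) / (mtbf_hours + mttr_hours)

# The worked examples from the text:
print(round(availability(80_000, 8), 2))  # 99.99
print(round(availability(80_000, 4), 3))  # 99.995
```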
When evaluating the likely reliability of a system, all three of the
above factors should be examined together, because it may be that a high
level of availability is based on a less reliable configuration but an
impossibly short MTTR.
At first glance an availability of 99.98% may appear to be very good,
but if this is based on a four-hour MTTR it implies that the MTBF is
20 000 hours. This means that the system is likely to suffer failures on
about nine occasions over an operational lifespan of 20 years. A system
with the same availability, but with a more realistic eight-hour MTTR,
would have a 40 000-hour MTBF, meaning that over the same lifetime,
the system could be expected to fail on about four occasions.

*For example, the Systems Reliability Service Data Bank of the United Kingdom Atomic Energy
Authority, AEA Technology, Thompson House, Birchwood Technology Centre, Risley, Warrington,
Cheshire WA3 6AT, UK.
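The arithmetic behind these comparisons can be checked with a short sketch (hypothetical helper names of my own, assuming continuous operation of 8760 hours per year):

```python
def mtbf_for_availability(avail_pct: float, mttr_hours: float) -> float:
    """Invert the availability formula: the MTBF implied by a given
    percentage availability and MTTR."""
    return (avail_pct * mttr_hours) / (100 - avail_pct)

def expected_failures(mtbf_hours: float, lifetime_years: float) -> float:
    """Rough number of failures over the operational lifetime,
    assuming continuous operation (8760 hours per year)."""
    return (lifetime_years * 8760) / mtbf_hours

print(round(mtbf_for_availability(99.98, 4)))  # roughly 20 000 hours
print(round(expected_failures(20_000, 20)))    # about nine failures in 20 years
print(round(expected_failures(40_000, 20)))    # about four
```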
It must be remembered that availability, MTBF and MTTR are all
statistical predictions. Nothing in them will guarantee that a system will
operate without fault for a defined time. (In fact the system may still go
wrong on day one; the statistics merely suggest that it should not then go
wrong again for a very long time, which may seem poor consolation
at the time.)
It must also be appreciated that it is not realistically possible for these
statistics to be confirmed by measurement. At best, a so-called 'reliability
run' may extend for a few weeks, but this represents only a few hundred
hours of operation, a small fraction of a typical MTBF prediction
(usually of the order of tens of thousands of hours). A reliability
run will only show up problems where the reliability is seriously deficient.
To realistically evaluate a supplier's predictions, the best that can be
done is to obtain the data on which the calculations have been based and
compare one system with another, while at the same time asking whether
any assumptions that have been made are reasonable. Beyond that, the
designer should look at what is likely to happen when the chips are down.
8.9.1 Analysing the effects of failure
In the course of designing a control loop careful thought must be applied
to the effects of failure of any component. If any risk can be posed by such
a failure, precautions must be taken to limit its effects. Such considerations
must be applied to transmitters, process switches and actuators, as well as
to the DCS itself. It will usually be necessary to have the design confirmed
by some form of risk-assessment procedure such as a HAZOP (hazard
and operability study).
The HAZOP procedure has traditionally been applied by considering
the results of failure of each and every item on the plant. One of the
approaches that is adopted is for a team from each discipline to look at
each item and ask a series of questions such as, for a valve: what happens if
it opens, shuts or locks in position? Alternatively, the questions may be aimed
at assessing the effects of more or less pressure or temperature on the
device in question. The HAZOP procedure is very specialised, and the
audit of the plant is usually conducted during the design stages of the
project by a team of process engineers, control engineers and others, the
whole being co-ordinated by a specialist organisation.
The emergence of programmable systems has raised several questions
as to the validity of this type of study. For example, a traditional HAZOP
may lead to the conclusion that if one valve fails to open the situation
may be dealt with by the opening of another valve or by the tripping of a
pump (either action being initiated by the human operator or by a safety
interlock system). However, with a programmable system it may be
necessary to consider the possibility of a failure in the DCS causing
multiple failures to occur at the same instant, while at the same time any
corrective action that the operator may wish to take, and the protective
systems themselves, are disabled or seriously impaired. Such questions
have recently been addressed, and the matter must be considered in the
light of the new guidelines.
The following provides an overview of some of the safety-related
matters that will need to be considered during the design procedure.