On July 22, four months after the unprecedented earthquake and tsunami struck the Pacific Coast side of eastern Japan, Japanese engineers from various process and other industries gathered in Tokyo to participate in a series of panel discussions entitled "What automation should learn from the 3/11 disasters." The panels, held as a session at ARC Advisory Group's 2011 Japan Forum in Tokyo, were jointly organized by ARC and the Society of Instrument and Control Engineers (SICE). The goal of the participating engineers was to review their own notions of safety and control systems in an objective manner. Not surprisingly, much of the discussion focused on the inadequacies of the process control and protective systems installed at the Fukushima nuclear power plant. However, in most cases, the same lessons learned can also be applied to critical operations in hydrocarbon processing industry (HPI) plants.
Reinvent ourselves from scratch. Among the 200 attendees at the ARC Tokyo Forum were end-user engineers, integrators and contractors, automation suppliers, consultants and researchers. Many of the plant-level engineers would not have been able to attend if ARC had held the event one month earlier.
Akira Nagashima, co-chairman of the SICE 50th anniversary project steering committee and moderator of the panel, opened the discussion by summarizing its purpose: "I think there is a serious task we engineers must address before we think about how to rebuild Japan. Yes, the triggering event of this crisis was a 9.0-scale super earthquake; but we must admit that we engineers had underestimated the power of Mother Nature, and thereby allowed a runaway chain reaction of accidents. The vulnerability of the artifacts and technologies we ourselves introduced made this crisis worse ... All engineers, whether involved in addressing this crisis or not, must stop and rethink what we have taken for granted. I believe this is a rare opportunity to review our own mindset and behaviors and reinvent ourselves from scratch."
Protective control meets human beings. The first panelist, Toshiaki Itoh, formerly of Mitsubishi Chemical and current SICE Fellow, took the approach of discussing the entire plant system operations. He analyzed the causes of the troubles in the Fukushima nuclear power plant from the viewpoint of instrument control engineering. He then pointed to the irregular nature of the accident by showing that fundamental protective control could not be engaged through ordinary steps or procedures. Because the tsunami abruptly washed out the auxiliary power supply units and cooling systems, the risk level at Fukushima had not increased sequentially. "By its nature, current protective control is not enough to cope with such unpredictable events," he said.
From homogeneous to heterogeneous. Presenting the control system supplier's viewpoint, the second panelist, Chiaki Itoh, Yokogawa Electric, started his presentation with the premise that "science, or technology, is not almighty." He explained the evolution of control systems since the introduction of digital controllers in the late 1970s. The need to allocate computing resources flexibly and avoid the risk of system downtime spurred the growth of system decentralization in the early 1980s. At the same time, the need for nonstop control system operations led to the profusion of redundant systems through the '80s. System suppliers have continued to develop redundancy architectures, from duplex systems with redundant communications to the highly advanced controller architectures in which redundant CPU modules monitor each other continuously.
In addition, the industry nurtured a hierarchical safety system that stops plant operation in an orderly manner to minimize damage in an emergency. The safety system operates independently of the control system, which is designed to operate a plant in a stable manner.
But, according to Mr. Itoh, the limitations of both current redundant architectures and safety systems have been revealed. "We all saw the limitations of redundant architecture in an open system, in the troubles at the Fukushima nuclear power plant. We also faced the limitations of safety systems, because stopping the system is complicated and not safe, as was shown in the case of the nuclear plant."
Itoh turned his remarks toward the common engineering of redundancy. "We must note that most redundancy technologies, including the ones used in heavy process industries, are more or less the same in nature." He continued, "A typical plant control system is installed in an enclosure that has redundant power supplies sitting side by side. The prevalence of this design approach indicates that the safety mechanisms we have in mind will be effective only to the extent that they prevent accidents caused by the potential failure of the engineered products themselves." He suggested that, "We now need to pursue a structural switch in redundant architecture, from homogeneous to heterogeneous, and need to add diversified technologies such as wireless communication systems and various kinds of sensors to measure open systems."
These panel discussions were the first of their kind following the March 11 earthquake and tsunami. Attendees agreed that, while natural disasters cannot be avoided, it would be a shame if we can't learn and gain important insights from them. HP
The author

Shin Kai, Director of Research at ARC Advisory Group Japan, has over 25 years of experience writing about and covering the industry for leading publications in Japan, including Control Engineering, Asia Electronics Industry and others. He was based in New York during most of the 1990s covering the electronics industry for Dempa Publications. Mr. Kai has BA and MA degrees from Sophia University, Tokyo.