Hydrocarbon Processing Copying and distributing are prohibited without permission of the publisher
Email a friend
  • Please enter a maximum of 5 recipients. Use ; to separate more than one email address.



Automation-related lessons learned from March 11 disasters in Japan

10.01.2011  |  Kai, Shin,  ARC Advisory Group, 

Keywords: [process control] [safety systems] [automation] [instrument control] [safety] [nuclear] [nuclear plant]

On July 22, four months after the unprecedented earthquake and tsunami struck the Pacific Coast side of eastern Japan, Japanese engineers from various process and other industries gathered in Tokyo to participate in a series of panel discussions entitled, “What automation should learn from the 3/11 disasters.” The panels, held as a session at ARC Advisory Group’s 2011 Japan Forum in Tokyo, were jointly organized by ARC and the Society of Instrument and Control Engineers (SICE). The goal of the participating engineers was to review their own notions of safety and control systems in an objective manner. Not surprisingly, much of the discussion focused on the inadequacies of the process control and protective systems installed at the Fukushima nuclear power plant. However, in most cases, the same lessons learned can also be applied to critical operations in hydrocarbon processing industry (HPI) plants.

‘Reinvent ourselves from scratch.’ Among the 200 attendees at the ARC Tokyo Forum were end-user engineers, integrators and contractors, automation suppliers, consultants and researchers. Many of the plant-level engineers would not have been able to attend if ARC had held the event one month earlier.

Akira Nagashima, co-chairman of the SICE 50th anniversary project steering committee and moderator of the panel, opened the discussion by summarizing its purpose: “I think there is a serious task we engineers must address before we think about how to rebuild Japan. Yes, the triggering event of this crisis was a 9.0-scale super earthquake; but we must admit that we engineers had underestimated the power of Mother Nature, and thereby allowed a runaway chain reaction of accidents. The vulnerability of the artifacts and technologies we ourselves introduced made this crisis worse ... All engineers, whether involved in addressing this crisis or not, must stop and rethink what we have taken for granted. I believe this is a rare opportunity to review our own mindset and behaviors and reinvent ourselves from scratch.”

Protective control meets human beings. The first panelist, Toshiaki Itoh, formerly of Mitsubishi Chemical and current SICE Fellow, took the approach of discussing the entire plant system operations. He analyzed the causes of the troubles in the Fukushima nuclear power plant from the viewpoint of instrument control engineering. Then, he pointed to irregularities of the accident by showing that fundamental protective control could not be enabled by ordinary steps or procedures. Because the tsunami washed out auxiliary power supply units and cooling systems abruptly, the risk level had not increased sequentially in Fukushima. “By its nature, current protective control is not enough to cope with such unpredictable events,” he said.

From homogeneous to heterogeneous. Presenting the control system suppliers’ viewpoint, the second panelist, Chiaki Itoh, Yokogawa Electric, started his presentation with the premise that “science, or technology, is not almighty.” He explained the evolution of control systems since the introduction of digital controllers in the late 1970s. The need to allocate computing resources flexibly and avoid the risk of system downtime spurred the growth of system decentralization in the early 1980s. At the same time, the need for nonstop control system operations led to the profusion of redundant systems through the ’80s. System suppliers have continued to develop redundancy architectures, from duplex systems with redundant communications to the highly advanced controller architectures in which redundant CPU modules monitor each other continuously.

In addition, the industry nurtured a hierarchical safety system that stops plant operation in an orderly manner to minimize damage in an emergency. The safety system operates independent of the control system, which is designed to operate a plant in a stable manner.

But, according to Mr. Itoh, the limitations of both current redundant architectures and safety systems have been revealed. “We all saw the limitations of redundant architecture in an open system, in the troubles at the Fukushima nuclear power plant. We also faced the limitations of safety systems, because stopping the system is complicated and not safe, as was shown in the case of the nuclear plant.”

Itoh turned his remarks toward the common engineering of redundancy. “We must note that most redundancy technologies, including the ones used in heavy process industries, are more or less the same in nature.” He continued, “A typical plant control system is installed in an enclosure that has redundant power supplies sitting side by side. The prevalence of this design approach indicates that the safety mechanisms we have in mind will be effective only to the extent that they prevent accidents caused by the potential failure of the engineered product themselves.” He suggested that, “We now need to pursue a structural switch in redundant architecture, from homogeneous to heterogeneous, and need to add diversified technologies such as wireless communication systems and various kinds of sensors to measure open systems.”

These panel discussions were the first of their kind following the March 11 earthquake and tsunami. Attendees agreed that, while natural disasters cannot be avoided, it would be a shame if we can’t learn and gain important insights from them. HP

The author 

Shin Kai, Director of Research at ARC Advisory Group Japan, has over 25 years of experience writing about and covering the industry for leading publications in Japan including Control Engineering, Asia Electronics Industry and others. He was based in New York during most of 1990s covering the electronics industry for Dempa Publications. Mr. Kai has BA and MA degrees from Sophia University, Tokyo.  




Have your say
  • All comments are subject to editorial review.
    All fields are compulsory.

Abdul Rahman Bin Braik
10.29.2011

Very good analysis .Thanks Mokhtar

Carlos Bomfim
10.23.2011

Good analysis, I believe. One point is: the revision needed is that of the design premises. Since the control and safety system shall be robust facing its own local of installations failure they should be rethought, not only in the sense of its intrinsic failure, but including the possibility of the loss of the building or part of the installation where they are installed. Using this way a new set of premises will arise, including the lessons learned from the accident.

Tim McCord
10.19.2011

This subject of this article lies at the core automation debate (how much is too much), thats been going on for many years between field operations, engineering, and process control.
The industry push towards greater levels of RMC / PLC automation, should take heed of these tough lessons. These systems have an important place, optimizing processes during normal operations. The importance of comprehensive process training for field operations, and maintaining capabilities to quickly override these overlapping systems in an emergency cannot be understated. Maintaining the right standards of the human factor is of critical importance. Field operations should never have to fight these systems for control in an emergency situation, where a small time delay can mean the difference between maintaining control & loss of control. Historically speaking: it usually takes some kind of preventable disaster, for industry to learn how far is too far with automation.

Bhadresh Mehta
10.18.2011

I agree PLC and other controls must control in field and not dependent on main control panel. There should be decentralised controls, only indication and bypass goes to central control panel. This will reduce cost of installation, number of operators, confusion on alarm and emergency. All controls have Hart Protocol which is easy and economical to convert to ethernet and also wireless control is possibel with Hart Protocol and suitable for intrinsic -explosion proof wiring and controls. Ethernet controls can use synchronus switching and increase redundancy. I used at coal based power plants. Wireless controls were found good for remote areas. We should think decentralised controls and wireless as redundancy.

K.S.B.Murukesh
10.18.2011

Absolutely right analysis. Why not think about Satalite Control using stowaway sensors to control the Stand by Nanotechnological batteries?

Bhadresh Mehta
10.18.2011

I worked as Electrical and Controls Engineer with Sargent Lundy and others for BWR and PWR nuclear power plants. We always design power to motors and instruments for redundancy coming from different sources - one panel in South and other from West. Two distinct seperate sources and located physically seperate from each other. How come this was not observed in Japan?

Related articles

FEATURED EVENT

GasPro North America

Sign-up for the Free Daily HP Enewsletter!

Boxscore Database

A searchable database of project activity in the global hydrocarbon processing industry

Poll

Should the US allow exports of crude oil? (At present, US companies can export refined products derived from crude but not the raw crude itself.)


67%

33%




View previous results

Popular Searches

Please read our Term and Conditions and Privacy Policy before using the site. All material subject to strictly enforced copyright laws.
© 2014 Hydrocarbon Processing. © 2014 Gulf Publishing Company.