We discuss key insights for Industrial Control Systems retrofits on thermal power generators
By Bill Ray and Craig Nicholson
Who Checks the Checkers
We have all read of the recent tragedy in the aerospace industry where an apparent innocuous control algorithm addition resulted in a tragic loss of life. While the investigation is still underway, it appears organizationally, the manufacturer deemed the additional sensors and software were satisfactory, posed no imminent risk and so insignificant, their presence was not even worth mentioning to the pilots. The root cause investigation will identify what and how this came about, at some point a team or individual, by action or inaction, made the decision on the criticality and impact the sensors and software on the airworthiness of the airplane. In hindsight, what appears as such an obvious failure now, flowed through organizational checks and balances without notice.
Familiarity Brings Complacency
A good portion of engineering effort is based on utilizing engineering assumptions validated through prior experience to build current applications. Building on past success saves time and can minimize much of the testing and perceived risk of a new design. Starting a design from “scratch” or “clean sheet of paper”, by the nature of it, likely requires more extensive engineering oversight and testing to support the engineering theories and practices. Alternatively, if the design can be deemed as an evolution, incremental product change or non-critical, the level of oversight and heightened sensitivity begins to wane. The closer to the prior proven design or practice, the more complacency around the risk review.
“The closer to the prior proven design or practice, the more complacency around the risk review”
Questions Are Good
Given the mechanical, aerodynamic and thermodynamic similarities of land based and aircraft turbines, the control systems share much of the same philosophy in architecture and practices; reliance on sensors, programmable operating systems and redundant sensors or software voting logic for safety. These basic building blocks have been used effectively for years. However, what seemingly small change can have horrific results? Could changing a sensor supplier or adding a software security patch change reliability or performance? As you look at the highly regulated transportation industry verses the less regulated power and industrial sectors, does oversight decline? Vetting control modifications or retrofits for correct design practices and with rigorous testing for effects of operator inputs and device failures or even natural disasters (such as floods or earthquakes) greatly improves reliability, system performance and security.
Don’t Lose The X
Typical digital control systems of today have a ten to fifteen year life span. The technology and supplier evolve at such a pace where obsolescence in control maintainability far outpaces the lifespan of the supported turbine. Virtually every turbine will have at least one complete controls retrofit and numerous patches and enhancement during its lifetime. These control changes will be based on the engineering building blocks of prior changes. Success lies in the details. If the prior, “similar to” retrofit is not truly a duplicate, and there’s rarely, if ever, a true duplicate, there is a possibility of overlooking the “vital X” between success and failure.
Change The Family Tree
Equipment Owners must protect themselves during design, acceptance test, installation and commissioning. Protection comes in the form of a competent third party challenging the tendency for complacency during supplier internal process reviews along with a thorough procurement specification that requires site inventory of the existing system and devices, design reviews and factory acceptance testing. Having a competent third party reviewing and proposing challenging questions during design and implementation, can avoid the need for a painful root cause evaluation later.
For additional discussion