Removal of Hardware ESD, Independent of Safety Logic Solver

Similar documents
Safe & available...vigilant!

Point Level Transmitters. Pointek CLS200 (Standard) Functional Safety Manual 02/2015. Milltronics

Safety manual. This safety manual is valid for the following product versions: Version No. V1R0

Mobrey Hydratect 2462

Using smart field devices to improve safety system performance

T72 - Process Safety and Safety Instrumented Systems

Safety Instrumented Systems: Can They Be Integrated But Separate?

FUNCTIONAL SAFETY CERTIFICATE

2oo4D: A New Design Concept for Next-Generation Safety Instrumented Systems 07/2000

Executive summary. by Michel Bonnet, Maximilien Laforge, and Jean-Baptiste Samuel

Type 9160 / Transmitter supply unit / Isolating repeater. Safety manual

COMMON CAUSE AND COMMON SENSE

Safety Instrumented System (SIS)

Functional Safety Processes and SIL Requirements

The ApplicATion of SIL. Position Paper of

An Urgent Bulletin from CSA Group

Failure Modes, Effects and Diagnostic Analysis

MANUAL Functional Safety

DeltaV SIS TM. Logic Solver. DeltaV SIS Logic Solver. Introduction. DeltaV SIS Product Data Sheet. World s first smart SIS Logic Solver

ida Certification Services IEC Functional Safety Assessment Project: Masoneilan Smart Valve Interface, SVI II ESD Customer: GE Energy

The evolution of the cookbook

Failure Modes, Effects and Diagnostic Analysis

Functional safety manual RB223

Safety Considerations Guide

Hardware Safety Integrity. Hardware Safety Design Life-Cycle

IQ Pro SIL option TÜV Certified for use in SIL 2 & 3 applications

Type Switching repeater. Safety manual

Intelligent Valve Controller NDX. Safety Manual

Report. Certificate Z Rev. 00. SIMATIC Safety System

ED17: Architectures for Process Safety Applications

Failure Modes, Effects and Diagnostic Analysis

Failure Modes, Effects and Diagnostic Analysis

T57 - Process Safety and Critical Control What Solution Best Meets Your Needs?

Operating instructions Evaluation system for flow sensors VS / / 2013

Operating instructions AS-i SmartLine module AC3200 AC /00 06/2016

Rosemount Functional Safety Manual. Manual Supplement , Rev AG March 2015

Operating instructions AC010S Compact AS-i E-STOP safety module

FUNCTIONAL SAFETY CERTIFICATE

Options for ABB drives. User s manual Emergency stop, stop category 0 (option +Q951) for ACS880-07/17/37 drives

FMEDA and Proven-in-use Assessment. Pepperl+Fuchs GmbH Mannheim Germany

ACT20X-(2)HTI-(2)SAO Temperature/mA converter. Safety Manual

Configurable Network Paging Console. Product Instructions. Model: X-NPMI

ControlLogix SIL2 System Configuration

SIS Operation & Maintenance 15 minutes

Commissioning and safety manual SIL2

Product Specifications

Using ControlLogix in SIL 2 Applications

1. Introduction. 2. Design. Safety and Emergency Stop Circuit Design Standard. Safety and Emergency Stop Circuit Design Standard.

Products Solutions Services. Functional Safety. How to determine a Safety integrity Level (SIL 1,2 or 3)

Report. Certificate Z SIMATIC S7 F/FH Systems

Soliphant M with electronic insert FEM54

1. Summary. 2. Contacts. Safety Controls Guidelines. Table of Contents

BuildingName The Description of the Project P DOCUMENTS

Failure Modes, Effects and Diagnostic Analysis. Rosemount Inc. Chanhassen, MN USA

ALP UPS FEATURES & ADVANTAGES

Failure Modes, Effects and Diagnostic Analysis

MAINTENANCE MANUAL. EDACS REDUNDANT POWER SUPPLY SYSTEM 350A1441P1 and P2 POWER MODULE CHASSIS 350A1441P3, P4, AND P5 POWER MODULES TABLE OF CONTENTS

AS-i Safety Relay Output Module with Diagnostic Slave

Tank terminal demonstrates the electrically operated solution for Emergency Shutdown Valves

Failure Modes, Effects and Diagnostic Analysis. PR electronics A/S

D5090S INSTRUCTION MANUAL. D A SIL 3 Relay Output Module for NE Load. DIN-Rail and Termination Board, Model D5090S

Chloride CROSS Rack 16 A, 32 A and 63 A

MicroNet TMR Control System

INSTRUCTION MANUAL. Universal AC Input Switching Power Supply 24 Vdc Output DIN-Rail Models PSD1000, PSD1000F PSD PSD1000F

Low voltage switchgear and controlgear functional safety aspects

PSR-PC50. SIL 3 coupling relay for safety-related switch on. Data sheet. 1 Description

(1986; Rev. 1989) Molded Case Circuit Breakers and Molded Case Switches. (1985; Rev. 1988) Enclosures for Electrical Equipment (1000 Volts Maximum)

MANUAL Functional Safety

GE Intelligent Platforms PAC8000 RTU

DEMONSTRATION OF INDEPENDENCE

Safety Manager. Safety Manual. EP-SM.MAN.6283 Issue February Release 151

Proline Prowirl 72, 73

Applications of Programmable Logic Controllers DG31 34

Safety Manager. Safety Manual. EP-SM.MAN.6283 Issue June Release 145

to 12a Added Standard and Electrical requirements for UL table 1.1

SAFETY RELAY YRB-4EML-31S MAIN FEATURES

FMEDA and Prior-use Assessment. Pepperl+Fuchs GmbH Mannheim Germany

PFH and PFDavg Data for Trusted TMR System

Line reactors SINAMICS. SINAMICS G120P Line reactors. Safety information 1. General. Mechanical installation 3. Electrical installation 4

HI HIPS Logic Solver (2oo3)

MFA-0801 & MFA-1201 D-M-E Smart Series Low Voltage Temperature Control System. User s Manual. D-M-E Company

Instruction book IQAN-LSL. Publ no HY /UK Edition 0301

Original operating instructions Safety relay with relay outputs G1501S / / 2016

D1093S INSTRUCTION MANUAL. D SIL 3 Relay Output Module with Line and Load diagnostics. DIN-Rail Model D1093S

Safety manual for Fisher FIELDVUE DVC6200 SIS Digital Valve Controller, Position Monitor, and LCP200 Local Control Panel

Version 5.53 TECHNICAL REFERENCE GUIDE

HART Temperature Transmitter for up to SIL 2 applications

GSM SECURITY AND CONTROL SYSTEM ESIM021

MANUFACTURING TECHNICAL INSTRUCTIONS - SAFETY. Subject: Control Reliability for Machinery & Equipment

Application Note. AC500-S Usage of AC500 Digital Standard I/Os in Functional Safety Applications up to PL c (ISO )

SAFETY MANUAL SIL Switch Amplifier

Original operating instructions Safety relay with relay outputs with and without delay G1502S / / 2016

OPTISWITCH 5300C. Safety Manual. Vibrating Level Switch. Relay (2 x SPDT) With SIL qualification

Electrical Actuators

COMBINED PROCESS CONTROL SYSTEMS AND SAFETY INSTRUMENTED SYSTEMS (SIS) DEMONSTRATION OF INDEPENDENCE

AS-i Safety Relay Output Module with Diagnostic Slave

White Paper. The Tricon Turbine Control System

DeltaV SIS Conditioning Components

Electrical Actuators

Product Family: Electro Mechanical Relays Number: AN-LC-008

Transcription:

Removal of Hardware ESD, Independent of Safety Logic Solver by Sam Roy Executive summary This is a discussion to remove independent hardware based Emergency Shutdown for Logic Solver as identified in ANSI/ISA-84.00.01-2004, IEC 61511-1 Section 11.2.8. 06-02-2014

Introduction This is a discussion to remove independent hardware based Emergency Shutdown for logic Solver as identified in ANSI/ISA-84.00.01-2004, IEC 61511-1 Section 11.2.8 Manual means (for example, emergency stop push button), independent of the logic solver, shall be provided to actuate the SIS final elements unless otherwise directed by the safety requirement specification. Premise for removal: A. SIS is implemented per ANSI/ISA-84.00.01-2004, IEC 61511 performance based safety standards, in conjunction with owner s SIS implementation guidelines. B. The Logic Solver is designed with hardware fault tolerance and performance capabilities to meet/exceed the most stringent Safety Integrity Level (SIL) implemented in the Logic Solver. C. The Logic Solver provides diagnostics alarms for hardware and software failure, allowing opportunity to take corrective steps and on-line repair to avoid Logic Solver inadvertent failure. D. The Safety Requirement Specification (SRS) identifies the basis for removal of Emergency Shutdown (ESD) independent of the Logic Solver. Given these as a starting point: Is it practical to implement and maintain hardware Emergency Shutdown (ESD) switch/master Trip Relay (MTR) setup that is more safely available than the Logic Solver, and can be used effectively? Objective ESD switch/mtr Setup Remove independent hardware ESD switch/mtr setup for safety Logic Solver. ESD switch/mtr setup can be found in different styles. These are based on company standard and project requirements. Typical ESD switch/mtr setup may consist of: Hardware: A. Redundant ESD switches 2oo2 configuration, each switch with 1oo2 contacts, 120v AC power, energized to trip, actuates shunt trip breaker to remove redundant power supplies from Logic Solver CPU and all I/O modules. B. Singled ESD switch, key lock, with 2oo2 contacts, 24v DC Power, de-energized to trip, actuate 2oo2 safety relays to remove power from required output boards. C. ESD switch/mtr may affect multiple Logic Solvers within a process unit. D. Some cases alarm and/or indications for circuit availability, relay failure, etc is included. Notes: A. Removal of redundant power supplies (pull the plug) on an operating Logic Solver is not recommended by the manufacturer. In general this function is not tested during Factory Acceptance Test (FAT) or during Site Acceptance Test (SAT). B. Similarly argument applies for removal of redundant 24v DC power supplies from output boards. C. Actuation of hardware ESD switches/mtr is based on operator judgment call; that places multiple SIF to Fail-Safe state concurrently; which by itself could cause additional safety hazard. Summary Removal of independent hardware based on ESD switch/mtr for Logic Solver is based on: A. Functional Safety Management B. Safety Instrumented Function (SIF) mode C. Allocation of Logic Solver D. Logic Solver hardware qualification Schneider Electric White Paper Rev2 Page 2

E. Application Program to address all operational modes F. Avoidance of common cause, common mode failure G. Logic Solver failure detection and Mean Time To Restore (MTTR) H. MOC to maintain Logic Solver integrity I. Logic Solver re-validation at Turn-a-Round This discussion is focused on Logic Solver design and integration activities, Stage 2 deliverable (Figure 8, ANSI/ISA- 84.00.01-2004, or IEC 61511-1) to meet above objective. Considerations to Remove Hardware ESD switch/mtr setup To remove hardware ESD switch/ MTR setup; the Logic Solver shall be selected, configured, Application Program developed, and integrated per ANSI/ISA-84.00.01-2004, IEC 61511-1 in conjunction with the owner SIS implementation guidelines. This discussion includes items related to Triconex safety Logic Solvers. Similar items may be considered for other Logic Solvers. Individual projects may require additional items to be resolved. Functional Safety Management FSM for project implementation to include: A. Personnel competency in Logic Solver selection, hardware / software design and integration, including ability to realize faults and common cause, common mode issues that may lead to inadvertent failure. B. Independent Review to ensure Logic Solver configuration, Application Program development, Integration, Pre-FAT, FAT manual development and execution are in compliance with Sec. 11.0, 12.0 and 13.0, and meets project specific Safety Requirement Specification (SRS). C. Based on complexity of the application the Independent Review may be internal to the project team, or independent reviewer as identified in project Safety Plan per Sec. 5.2.4, 5.2.6.1, 7.0. Hardware ESD Switch/MTR Removal Applicability Applicable for: Non-SIF items Low Demand mode SIF with: Automatic diagnostics execution (sensor, final element) once per Logic Solver scan Proof Test Interval (TI) is determined to meet SIL and TI is << Demand Interval (DI). Hardware ESD Switch on Operator Station connected to Logic Solver I/O for each major process equipment such as furnace, compressor, reactor, drier, etc. Fault tolerant multiplexer has to be considered if Operator Station is away from process units. Soft manual trip switch on operator screen for each SIF HIPP SIF designed based on Low Demand mode Same as above requirements Hardware ESD Switch through Logic Solver I/O for each HIPP High Demand SIF: (may be considered) Automatic Diagnostics execution, and Dangerous Detect alarm is to initiate Fail- Safe state. TI is determined to meet PFH or half the DI whichever is lower. Hardware ESD Switch through Logic Solver I/O for each High Demand SIF Schneider Electric White Paper Rev2 Page 3

Logic Solver Allocation Following items are to be considered: A. Process oriented and redundant train separation. B. Process sustainability / flare handling capability in case of any single Logic Solver inadvertent failure. C. Each major turbo compressor Integrated Machinery Protection System (IMPS) implemented in independent Logic Solver. D. Number of furnaces (or process heaters) integrated in a single Logic Solver to be based on flare handling capacity and/or sustainability of related compressor in case of Logic Solver inadvertent failure. E. Within single Logic Solver I/O separation based on major process equipment F. SIF I/O allocation per sub-system fault tolerance setup. G. Process or sub-system functions not considered as SIS in PHA/LOPA work process shall not be included in Logic Solver Application Program. H. Partial Stroke Test execution function and valve performance is to be part of DCS and Asset Management System. I. Safety Function Prevention and Mitigation are in independent Logic Solver. J. Fire / Gas detection is in independent Logic Solver. Logic Solver Hardware Qualifications Selections and implementation to include: A. IEC 61508 compliant, SIL-3 (or worst case SIL) applicability. B. Proven In Use, plant experience in similar application. C. Logic Solver PFDavg calculation; provided by the manufacturer. D. Mean Time To Fail Safe (MTTFS) calculation; provided by the manufacturer. Schneider Electric White Paper Rev2 Page 4

E. Logic Solver CPU hardware failure from designed features to degraded mode to be tolerated for fixed time (based on criticality of the application) after which placing equipment to Fail-Safe state shall be in effect. F. Detected failures for Logic Solver hardware and software are to be restored within 24 hrs. G. Logic Solver environmental alarm that could lead to multiple SIF attaining fail-safe state concurrently shall be resolved with appropriate priority. Qualitative Steps for Application Program Development Application Program development to include: A. Follow Logic Solver manufacturer manual and Safety Application Guidelines. B. Maintain KISS principle and include SIS functions only. C. User comprehensible and configured for maintainability through the safety lifecycle of the SIS. D. Organize program segments based on major process equipment and logical sequence as applicable. E. Within each Application Program organized functions, with ample comments and functional description. F. Develop Application Program with Function Blocks and sequences. Function Blocks (Proven In Use, New, Modified) are to be approved by the owner prior to Application Program development. G. Modified or new Function Blocks are to be functionally tested prior to Application Program development. H. SIF function shall not depend on non-sif execution. Provide identifiable separation between SIF and non-sif functions. I. Where final element is shared by SIF and non-sif functions; place final element in SIF section. J. SIF to be programmed for de-energized to trip. K. Follow Names, Tags, Descriptions, Annotation, Alias, etc. similar to existing programs in the plant. L. Include time delays, deadband as applicable to avoid spurious trip or nuisance alarms, yet meet safety function requirements. M. Include sensor diagnostics features and maintenance bypass for proof test and repair. N. Include final element failure alarm; comparison between Logic Solver commands Vs final element status. Bypass for final element (if required) shall require specific evaluation for functional safety. O. Include Trip First-out, Reset permissive and individual Reset for each final element. P. Include required operator interface and alarm. Only value added operator interface shall be included. Q. Operator interface command to Logic Solver shall be through momentary signal, Logic Solver to confirm command status. R. Provide Watch Dog Timer for Application Program execution. Logic Solver Integration A. Follow manufacturer manual and safety guidelines for Logic Solver integration. Utilize Proven-In-Use methodology. B. Provide EMI protection for Logic Solver cabinet internals. C. Provide redundant 120v AC / 24V DC Power Supply units with on-line repairable setup. D. Include appropriate fuse degradation for Field Termination Panels. Schneider Electric White Paper Rev2 Page 5

E. Provide hardware failure priority alarms: CPU failure, I/O Module failure Logic Solver common trouble 120v AC, 24v DC Power loss to Logic Solver Application Program Scan Time Exceed Peer To Peer Communication failure Logic Solver / Operator Station communication failure Cabinet Fan failure, Cabinet Hi Temp Avoidance of Environmental Stress Failure Avoid extreme environmental conditions that could lead to multiple SIF activation concurrently. Include following features for RIE where SIS cabinetry are in operation. A. Location, elevation, cable entrance, lightning protection, AC high voltage transformer location, etc. are designed to maintain SIS integrity. B. Provide Safety ground and Electronic Reference Ground (Master Reference Ground) per Logic Solver Safety Manual. C. Provide separation between SIS and DCS cabinets. D. Provide redundant 120v AC Uninterruptable Power Supply (UPS) for Logic Solver and cabinetry items. E. Provide Unclassified Electrical Zone with temperature and humidity controlled atmosphere to meet Logic Solver requirement. F. Provide RIE fire detection / protection G. Provide alarms for: 120v AC Power sources failure RIE pressurization loss High Smoke Loss of HVAC Fire protection system failure or On High RIE temperature Others A. Logic Solver maintenance and MOC requirements are not addressed herein. B. Logic Solver Re-validation during Turn-a-Round is not included herein. SRS Project Safety Requirement Specification (SRS) shall include above items in details to support SIS implementation. Schneider Electric White Paper Rev2 Page 6

Abbreviations Acronym CPU DCS EMI ESD FAT Hi HIPP HVAC I/O KISS LOPA LS MTTFS MTTR MTR PHA SIF SIL SIS SRS Temp. TI TMR UPS 2oo3 Explanation Central Processing Unit Distributed Control System Electro Magnetic Interference Emergency Shutdown Factory Acceptance Test High High Integrity Pressure Protection Heating Ventilation Air Conditioning Input / Output Keep It Simple and Straight Layer of Protection Analysis Logic Solver Mean Time To Failure Spurious Mean Time To Restore Master Trip Relay Process Hazard Analysis Safety Instrumented Function Safety Integrity Level Safety Instrumented System Safety Requirement Specification Temperature Test Interval Triple Modular Redundancy Uninterrupted Power Supply Two out of Three About the author Sam Roy is a Consulting Application Engineer at Schneider Electric, Safety Lifecycle Engineering Group, Webster, Texas. Responsibilities include delivering Analysis phase of SIS Safety Lifecycle tasks. He has over 35years of Process Controls, ESD and Automation experience. He worked at Union Carbide, subsidiary of Dow Chemical Company for 29 years. Since 1993, he has been involved in the development of SIS projects and SIS best practices. He is a Professional Engineer of Texas with TÜV Functional Safety Expert Certification. Schneider Electric White Paper Rev2 Page 7 2014 Schneider Electric. All rights reserved.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback