SIS ESD Specifications
1. INTRODUCTION
1.1 SCOPE OF WORK
1.2 SYSTEM STRUCTURE
1. INTRODUCTION

This Specification covers the design features, construction features, materials of construction and performance of a Safety Instrumented System (SIS).

1.1 SCOPE OF WORK

1.1.1 The vendor of the system will be responsible for the complete design, manufacturing, programming and configuration of the system.

1.1.2 The system offered shall be completely assembled, wired and tested. It will be the vendor's responsibility to ensure that the design and construction of the equipment are suitable for the service conditions stated in this specification and in accordance with the specifications, codes and standards referred to.

1.1.3 The selection of all materials, accessories and methods of fabrication shall be the responsibility of the Vendor and shall be carried out in accordance with good engineering practice. This shall also include materials not specifically covered by this specification but necessary to complete the scope of supply of the equipment.
1.2 SYSTEM STRUCTURE

1.2.1 The SIS shall be tightly integrated with the DCS. SIS and DCS controllers shall be from the same manufacturer. The SIS controllers shall be directly connected to the DCS data highway without any external gateway station.

1.2.2 Engineering stations are required in the specific areas shown in the system configuration diagram.

1.2.3 Fibre optic cables shall be used for the outdoor parts of the SIS interconnection.

1.2.4 The SIS shall also communicate with other systems as follows:
- Distributed Control System (DCS), by means of a redundant network
- Fire and Gas System (FGS), by means of hardwired I/O
- Machine Monitoring System (MMS), where applicable, by means of hardwired I/O
- Compressor Control System (CCS), where applicable, by means of hardwired I/O
- Turbine Control System (TCS), where applicable, by means of hardwired I/O
2. ABBREVIATIONS

DCS  Distributed Control System
ESD  Emergency Shutdown
HMI  Human Machine Interface
MOS  Maintenance Override Switch
SIL  Safety Integrity Level
SIS  Safety Instrumented System
SOE  Sequence of Event
TÜV  Technischer Überwachungs-Verein
UPS  Uninterruptible Power Supply
3.

Electromagnetic Compatibility (EMC) shall be in accordance with EN 61000-6-2/-4 and EN 61000-3-2/-3.

The vendor shall prove and guarantee quality assurance procedures for the complete hardware equipment and software programs according to the international standards ISO 9001 and ISO 9000-3.

The latest edition of standards and codes, including addenda, supplements and revisions thereto, shall always apply.
4.

4.1 ELECTRICAL REQUIREMENTS

4.2 Power Supply

4.2.1 System cabinets will be powered by two parallel UPS feeders into each system. Supply: V ± %, Hz ± % (values not given). All other supply voltages required by the system shall be generated internally by the system. Internal distribution of power within the system is within the scope of the SIS. Power for the operation of solenoid valves (preferably EEx d solenoid valves) is 24 V DC and shall be fed from the SIS. Ex i signal separation shall be fed by the SIS. The UPS will NOT be within the scope of the SIS.

4.2.2 Grounding

All enclosures shall be provided with two insulated and isolated earth bars, each with a minimum of 30 termination points. Screens of signal cables will be grounded on one side only, in the marshalling cabinet. Screens inside the SIS shall be connected to the insulated earth bars.
4.3

4.4

Spare: 10%, but not less than one card of each type. Additional spare: 10%.

4.5
4.6 SYSTEM AVAILABILITY

The system shall be reliable enough to achieve an availability of at least 99.999% in the fault-tolerant configuration.
4.7 TIME SYNCHRONIZATION

4.7.1 All components necessary to synchronize the system to GPS time shall be provided.

4.7.2 The time difference between components shall not exceed 1 ms within a domain and 5 ms across domains.
5.

5.1

5.2 CERTIFICATION

5.2.1 The system shall be designed by trained engineers working within an auditable Functional Safety Management system in the vendor's organization, certified by a reputable body such as TÜV to be in compliance with IEC 61511.

5.2.2 At the FAT it shall be demonstrated that the system complies with the Safety Requirement Specifications supplied together with this specification.
5.2.3 As a minimum, the following components of a PLC used as an SIS shall be certified by TÜV for use in SIL 3 applications according to IEC 61508 Parts 1-7:
- central processor unit
- I/O modules
- internal communication components
- system software (firmware)
- type and use of programming equipment
5.3

- closed-contact circuits for all input signals in the healthy condition, or active signals in the case of proximity or analogue signals
- fail-safe input and output modules for SIS functions, self-testing, i.e. cyclically tested by an internal device integrated into each module

5.3.9 Due care and attention in design shall facilitate interchangeability of equipment and ease of maintenance.
5.4 INPUT/OUTPUT MODULES

5.4.1 I/O modules shall have a density of no more than 16 channels per module, to minimize the effect of a card failure. All SIS field I/O modules shall have galvanic isolation between the field and the system; this prevents a field I/O fault from damaging more than one I/O module. Each I/O module shall have a healthy/ready LED to indicate any fault on the module.

5.4.2 Inputs and outputs shall be configured on separate generic cards and not mixed.

5.4.3 I/O modules shall be powered in such a way that damage to one module has no influence on other modules.

5.4.4 Signal inputs/outputs shall be short-circuit proof.

5.4.5 Intrinsically safe signals which are not powered by the system but have a separate external power supply (e.g. magnetic flow meters, analyzers, solenoid valves) shall be provided with certified signal isolators. The standard I/O cable termination boards should accommodate these signal isolators; separate boards for the isolators should not be needed.
5.4.6 Analogue inputs from classified areas, as well as outputs to classified areas, shall be designed intrinsically safe. Certified signal isolators or isolating power supplies shall be used to obtain electrical isolation of inputs and outputs.

5.4.7 Where connected to fail-safe input and output modules, isolators shall be of fail-safe design.
5.4.8 All analogue inputs shall be standard 4-20 mA or 1-5 V (1-10 V) signals from the field. Analogue input modules shall accept 0-25 mA or 0-30 V. Most transmitters shall be powered by the analogue input module of the SIS. All transmitters and field contacts shall be connected to the SIS by 2-conductor circuits.

5.4.9 All analogue input and output modules shall indicate failure of the module in case of an open circuit or loss of transmitter.

5.4.10 Analogue inputs shall accept 1-23 mA or 0.1-11 V so that transmitter abnormalities (signals outside the 4-20 mA / 1-5 V range) can be detected.

5.4.11 For signal conditioning, modules of the same make as for the DCS shall preferably be employed. The final choice of manufacturer and type shall depend on the selected supplier of the DCS.

5.4.12 All digital inputs shall be signals from proximity switches or potential-free contacts.

5.4.13 For both energize-to-trip and de-energize-to-trip, line monitoring shall be provided for all digital inputs, selectable per input, to detect stuck-on problems. It shall be possible to differentiate between short-circuit and open-circuit in the details of line-fault messages.

5.4.14 For both energize-to-trip and de-energize-to-trip, line monitoring shall be provided for all digital outputs, selectable per output, to detect stuck-on problems. It shall be possible to differentiate between short-circuit and open-circuit in the details of line-fault messages.

5.4.15 Digital input signals shall not be wired into analogue input modules for line monitoring.

5.4.16 Digital output modules shall be of 24 V DC / 48 V DC / 120 V AC type, capable of driving up to 2 A / 0.6 A / 0.5 A respectively. If solenoid valves or other actuators of higher voltage or current are used, the respective digital outputs shall be potential-free contacts via a fail-safe, TÜV-certified relay.
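The range checks of 5.4.8-5.4.10 and the digital-input line monitoring of 5.4.13, as an added example that is not part of the specification or of any vendor's I/O firmware. The current limits marked "spec" are taken from the page; the end-of-line resistor network, the 20 % tolerance band and the choice of 1 mA as the open-circuit floor are assumptions made for the illustration.

```python
"""Signal-health checks for SIS field inputs (added example).

Analogue part: 5.4.8 (live signal 4-20 mA, module accepts 0-25 mA),
5.4.9 (module must flag open circuit / loss of transmitter) and
5.4.10 (1-23 mA accepted so transmitter abnormalities can be detected).
Digital part: 5.4.13 (line monitoring per input, short-circuit distinguished
from open-circuit, for both trip philosophies). Values marked "spec" are from
the page; the end-of-line network and the tolerance band are assumptions.
"""
from enum import Enum
from typing import Optional, Tuple


class AnalogueState(Enum):
    OPEN_CIRCUIT = "open circuit / loss of transmitter"
    UNDER_RANGE = "under-range: transmitter fault"
    VALID = "valid"
    OVER_RANGE = "over-range: transmitter fault"
    OUT_OF_MODULE_RANGE = "outside module input range"


MODULE_MAX_MA = 25.0                  # spec 5.4.8
DETECT_MIN_MA = 1.0                   # spec 5.4.10; below this the loop is taken as broken (assumption)
LIVE_MIN_MA, LIVE_MAX_MA = 4.0, 20.0  # spec 5.4.8


def classify_analogue(i_ma: float) -> AnalogueState:
    if i_ma < 0.0 or i_ma > MODULE_MAX_MA:
        return AnalogueState.OUT_OF_MODULE_RANGE
    if i_ma < DETECT_MIN_MA:
        return AnalogueState.OPEN_CIRCUIT
    if i_ma < LIVE_MIN_MA:
        return AnalogueState.UNDER_RANGE
    if i_ma <= LIVE_MAX_MA:
        return AnalogueState.VALID
    return AnalogueState.OVER_RANGE


def analogue_high_trip(i_ma: float, trip_pct: float) -> Tuple[bool, Optional[str]]:
    """High-trip comparison against a threshold in percent of the 4-20 mA span.

    Every state other than VALID is treated fail-safe: the function returns a
    trip demand plus the diagnostic text to be reported (5.4.9), so a broken
    loop is never read as 0 % and cannot quietly mask a trip.
    """
    state = classify_analogue(i_ma)
    if state is not AnalogueState.VALID:
        return True, state.value
    pct = (i_ma - LIVE_MIN_MA) / (LIVE_MAX_MA - LIVE_MIN_MA) * 100.0
    return pct >= trip_pct, None


class DigitalState(Enum):
    CONTACT_CLOSED = "contact closed"
    CONTACT_OPEN = "contact open"
    SHORT_CIRCUIT = "line fault: short circuit"
    OPEN_CIRCUIT = "line fault: open circuit"
    INDETERMINATE = "line fault: resistance outside all bands"


LINE_FAULTS = {DigitalState.SHORT_CIRCUIT, DigitalState.OPEN_CIRCUIT, DigitalState.INDETERMINATE}

# Assumed end-of-line network (not on the page): R_SERIES in series with the
# loop and R_PARALLEL across the contact, both at the field device, so that a
# shorted or broken cable measures differently from either contact position.
R_SERIES, R_PARALLEL, TOL = 1_000.0, 10_000.0, 0.20


def _near(r: float, expected: float) -> bool:
    return expected * (1 - TOL) <= r <= expected * (1 + TOL)


def classify_digital(r_loop: float) -> DigitalState:
    """Classify a line-monitored input from the loop resistance the module measures."""
    if _near(r_loop, R_SERIES):
        return DigitalState.CONTACT_CLOSED
    if _near(r_loop, R_SERIES + R_PARALLEL):
        return DigitalState.CONTACT_OPEN
    if r_loop < R_SERIES * (1 - TOL):
        return DigitalState.SHORT_CIRCUIT
    if r_loop > (R_SERIES + R_PARALLEL) * (1 + TOL):   # includes float("inf")
        return DigitalState.OPEN_CIRCUIT
    return DigitalState.INDETERMINATE


def digital_trip(r_loop: float, de_energize_to_trip: bool) -> Tuple[bool, Optional[str]]:
    """Trip demand plus line-fault diagnostic for either trip philosophy (5.4.13).

    De-energize-to-trip: healthy is a closed contact (5.3), so every line
    fault is itself a trip demand. Energize-to-trip: a demand is a closed
    contact; a line fault cannot be turned into a trip by the wiring alone,
    so it must be reported or a stuck/broken loop looks like "no demand".
    """
    state = classify_digital(r_loop)
    fault = state.value if state in LINE_FAULTS else None
    if de_energize_to_trip:
        return state is not DigitalState.CONTACT_CLOSED, fault
    return state is DigitalState.CONTACT_CLOSED, fault
```

The energize-to-trip branch shows why 5.4.13 demands line monitoring for both philosophies: without the end-of-line network a shorted loop is indistinguishable from a closed contact and would cause a spurious trip, while a broken loop would silently hide a real demand; with it, both cases come back as distinct line-fault messages.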
5.5 SAFETY/CONTROL BUS

5.5.1 The safety bus is the communication link between the multiple safety controllers that make up the SIS, and shall fulfil the following tasks under system-specific requirements:
- safety communication for the transmission of safety-critical data between safety controllers
- communication between safety controllers and the engineering station for maintenance, monitoring, downloading of the application and testing
- safety communication by peer-to-peer and multicast

5.5.2 The SIS shall be a dedicated system integrated with the DCS via a common safety/control bus with a minimum speed of 10 Mbps.
5.6 DCS COMMUNICATION

5.6.1 It shall be possible to use the safety bus for control, i.e. for communication with the DCS. This link shall be redundant, and failure of one link shall have no effect on the ability of the safety system to perform its intended protective function.

5.6.2 The SIS shall be integrated with the DCS communication bus so that all important data from the SIS are available at the operator interface (HMI) of the DCS, and the operation of the SIS can be observed by the DCS operator without a dedicated SIS operator console.

5.6.3 It shall be possible to transmit the following information to the standard HMI of the DCS:
- all analogue values, if applicable
- threshold values set for analogue signals, if applicable
- trip conditions
- status of binary input signals
- status of binary output signals to solenoid valves
- events in the order of their occurrence, time-stamped with a resolution of 1 ms
- all process alarms
- all system diagnostic alarms
- all events
- system status, to the extent that the operator in the control room is able to see which card is failing and the type of failure, and system information such as security level, number of forced I/Os, cycle time, program version etc.

5.6.4 Operational interventions shall be carried out from the HMI via password-secured override blocks certified by TÜV, or by separate switches on the operator's console.

5.6.5 The DCS HMI sitting on the safety bus shall be certified by TÜV as interference-free.

5.6.6 The DCS shall not write into the SIS; the DCS may only read SIS data.

5.6.7 The DCS shall be able to extract SIS data by referencing common tag names, without the need to implement the tags on both sides. It shall be possible to configure tag plates, trending, graphics etc. at the HMI using safety data accessed from the SIS by tag name.

5.6.8 Under no circumstances shall a failure of the communication link defeat the functions of the SIS or cause a nuisance trip.
5.7

5.8 REDUNDANCY

5.8.1 Sensing devices and I/Os shall be non-redundant, dual-redundant or triple-redundant according to the safety integrity requirements defined in the Safety Requirement Specifications.

5.8.2 To increase the availability of the plant, the SIS hardware modules, including CPU and input and output modules, shall be of dual-redundant type. Internal bus modules and power supply units shall be dual-redundant.

5.8.3 Module redundancy for CPU and I/O shall be provided for fault tolerance. Redundant modules shall be powered up in standby mode, with the standby modules continuously tested.
5.8.4 The integrated safety/control bus to the DCS shall be of redundant design, to increase the availability of SIS input/output status information for the operator.

5.8.5 The bus connecting the input/output modules shall be of redundant design.

5.8.6 The switch-over time from the active side to the standby side shall not exceed 100 ms for CPU and 500 ms for I/O.

5.8.7 When a CPU or I/O module is exchanged, the configuration shall be copied automatically between the redundant modules.
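A worked availability estimate tying the 99.999% target of 4.6 to the dual-redundant architecture of 5.8, added here as an example; it is not part of the specification and the MTBF, MTTR and common-cause factor (beta) values are constructed inputs, not vendor data. The point it makes is that with a redundant pair the achievable availability is set almost entirely by the common-cause term, not by the independent double-failure or the 100 ms switch-over.

```python
"""Availability of a dual-redundant SIS configuration (added example).

Illustrates 4.6 (at least 99.999 % availability in the fault-tolerant
configuration) and 5.8 (dual-redundant CPU, I/O and buses, CPU switch-over
within 100 ms). Not part of the specification; MTBF, MTTR and the
common-cause factor beta are assumed inputs for the illustration.
"""
from typing import Dict, Iterable

TARGET_AVAILABILITY = 0.99999   # spec 4.6
CPU_SWITCHOVER_S = 0.1          # spec 5.8: up to 100 ms


def availability_single(mtbf_h: float, mttr_h: float) -> float:
    """Steady-state availability of one repairable module."""
    return mtbf_h / (mtbf_h + mttr_h)


def unavailability_dual(mtbf_h: float, mttr_h: float, beta: float,
                        switchover_s: float = CPU_SWITCHOVER_S) -> float:
    """Unavailability of a 1-out-of-2 pair under a beta-factor common-cause model.

    A fraction beta of each module's failures is assumed to hit both modules
    at once (shared power, firmware or bus fault); the rest are independent.
    """
    u1 = 1.0 - availability_single(mtbf_h, mttr_h)
    independent = ((1.0 - beta) * u1) ** 2               # both down from separate causes
    common_cause = beta * u1                              # one cause takes out both
    failover = (1.0 / mtbf_h) * (switchover_s / 3600.0)   # time lost per switch-over, first order
    return independent + common_cause + failover


def availability_dual(mtbf_h: float, mttr_h: float, beta: float,
                      switchover_s: float = CPU_SWITCHOVER_S) -> float:
    return 1.0 - unavailability_dual(mtbf_h, mttr_h, beta, switchover_s)


def meets_target(mtbf_h: float, mttr_h: float, beta: float,
                 target: float = TARGET_AVAILABILITY) -> bool:
    return availability_dual(mtbf_h, mttr_h, beta) >= target


def max_beta(mtbf_h: float, mttr_h: float, target: float = TARGET_AVAILABILITY) -> float:
    """Largest common-cause factor for which the pair still meets the target.

    Unavailability grows monotonically with beta for realistic u1, so a
    bisection on [0, 1] is sufficient. Returns 0.0 if even beta = 0 fails.
    """
    if not meets_target(mtbf_h, mttr_h, 0.0, target):
        return 0.0
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if meets_target(mtbf_h, mttr_h, mid, target):
            lo = mid
        else:
            hi = mid
    return lo


def sweep(mtbf_h: float, mttr_h: float, betas: Iterable[float]) -> Dict[float, float]:
    """Availability for each beta; shows where the 4.6 target is lost."""
    return {b: availability_dual(mtbf_h, mttr_h, b) for b in betas}


if __name__ == "__main__":
    # Constructed inputs: 50 000 h MTBF per module, 8 h MTTR with spares on site.
    for b, a in sweep(50_000.0, 8.0, (0.0, 0.02, 0.05, 0.10)).items():
        print(f"beta={b:.2f}  A={a:.7f}  target met: {a >= TARGET_AVAILABILITY}")
    print(f"largest beta that still meets 99.999 %: {max_beta(50_000.0, 8.0):.3f}")
```

With these inputs a single module reaches about 99.984%, the pair with beta = 0 reaches 99.99999%, and the target is lost once beta exceeds roughly 0.06; the failover term contributes under 1e-9. That is the practical reading of 5.8.2: separate power, internal bus and firmware paths matter more to the 4.6 figure than the raw module MTBF.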
5.9 CABINET DESIGN

5.9.1 Cabinets shall be of stable construction, totally enclosed with side walls, roof, and front and rear doors. The inside shall be suitably divided into compartments for system components and cables. Cable clamps, supports and adequate cable strain relief shall be provided. Cable entry shall be from the bottom. Cabinets installed within the air-conditioned control or switching room building shall have protection class IP 20 as a minimum. Cabinets shall have inside lights, switched on/off by door switches. The vendor shall provide failure alarms for all cabinet fans and power units.

5.9.2 Cabinets shall have one power socket for each power level (circuit breaker / banana socket).

5.9.3 Input and output signals will be connected either to instruments/sensors in cabinets (electronic room) or to field junction boxes via multicore cables. Marshalling cabinets will be provided for signal assortment.

5.9.4 Components shall be mounted in the cabinets such that signal cables can easily be disconnected for testing purposes.

5.9.5 Doors shall open fully (180°) and be equipped with key-lockable door handles (common key for all cabinets). Cabinets shall be provided with suitable lifting rings and pallets to allow transportation by crane or forklift.

5.9.6 Cabling between system components which need to be dismantled after final factory inspection and reassembled on site shall have plugs on both ends.

5.9.7 All terminals, sockets and wiring shall be clearly identified in strict accordance with the system documentation.

5.9.8 Dimensions and weights of all system components shall be submitted.
5.10 CYCLE TIMES

Processing of the system functions is cyclic. The SIS cycle time shall not exceed 300 ms, so that the required fault reaction time can be met.
5.11 MAINTENANCE OVERRIDES

5.11.1 It shall be possible to initiate an override on SIS inputs (hereinafter called MOS-OVR) from the HMI via the safety/control bus. This function must be TÜV certified and have adequate password protection.

5.11.2 In addition, a hardwired MOS-ENABLE keyswitch shall be provided on the panel. Only when the MOS-ENABLE switch is in the enable position shall a MOS-OVR be accepted by the protection logic in the SIS. Because the MOS-ENABLE switch is hardwired, the operator can deactivate any override even when the communication link has failed.

5.11.3 If the communication bus fails, overrides shall remain in the state they had before the failure, and when the link is re-established there shall be no change of state.

5.11.4 MOS shall not be applied to:
- manual ESD
- RESET pushbuttons and keyswitches
- any outputs
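The override rules of 5.11.1-5.11.4 as executable logic, added here as an example; it is not the specification's text nor any vendor's certified override block. The tag names, the 1oo1 trip evaluation and the boolean that stands in for the password check are constructed for the illustration.

```python
"""Maintenance-override (MOS) arbitration for SIS inputs (added example).

Models 5.11.1-5.11.4: MOS-OVR requested from the HMI over the safety/control
bus, a hardwired MOS-ENABLE keyswitch that gates every override, overrides
frozen while the bus is down, and the signals that may never be overridden.
Not part of the specification or of any vendor's certified override block;
tag names and the 1oo1 trip evaluation are constructed for the illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class OverrideRequest:
    tag: str
    user: str
    authenticated: bool   # outcome of the password check required by 5.11.1


@dataclass
class Sis:
    # De-energize-to-trip inputs: True = healthy (contact closed, 5.3).
    inputs: Dict[str, bool]
    mos_enable_keyswitch: bool = False                     # hardwired, 5.11.2
    bus_healthy: bool = True                               # safety/control bus to the HMI
    overrides: Set[str] = field(default_factory=set)       # accepted MOS-OVR, by tag
    events: List[str] = field(default_factory=list)        # SOE / system-status entries
    # Never overridable (5.11.4): manual ESD, RESET, and every output. Constructed tags.
    NOT_OVERRIDABLE = frozenset({"ESD_PB_01", "RESET_KS_01", "XV_100_OUT"})

    def request_override(self, req: OverrideRequest) -> bool:
        """MOS-OVR arriving from the HMI via the bus (5.11.1)."""
        if not self.bus_healthy:
            self.events.append(f"MOS-OVR {req.tag}: rejected, bus failed")
            return False
        if not req.authenticated:
            self.events.append(f"MOS-OVR {req.tag}: rejected, {req.user} not authenticated")
            return False
        if req.tag in self.NOT_OVERRIDABLE or req.tag not in self.inputs:
            self.events.append(f"MOS-OVR {req.tag}: rejected, not an overridable input")
            return False
        self.overrides.add(req.tag)
        self.events.append(f"MOS-OVR {req.tag}: set by {req.user}")
        return True

    def clear_override(self, req: OverrideRequest) -> bool:
        if not self.bus_healthy or not req.authenticated or req.tag not in self.overrides:
            return False
        self.overrides.discard(req.tag)
        self.events.append(f"MOS-OVR {req.tag}: cleared by {req.user}")
        return True

    def on_bus_failure(self) -> None:
        """5.11.3: overrides keep the state they had; only the keyswitch can still act."""
        self.bus_healthy = False
        self.events.append("bus failed: overrides frozen")

    def on_bus_restored(self) -> None:
        """5.11.3: no change of override state on reconnection."""
        self.bus_healthy = True
        self.events.append("bus restored: overrides unchanged")

    def active_overrides(self) -> Set[str]:
        """An override only takes effect while the hardwired keyswitch is in ENABLE (5.11.2)."""
        return set(self.overrides) if self.mos_enable_keyswitch else set()

    def forced_io_count(self) -> int:
        """Reported to the HMI as 'number of forced I/Os' (5.6, 5.12.3)."""
        return len(self.active_overrides())

    def trip_demand(self) -> bool:
        """1oo1 evaluation: any unhealthy input that is not actively overridden trips."""
        active = self.active_overrides()
        return any(not healthy for tag, healthy in self.inputs.items() if tag not in active)
```

The MOS-OVR path is the one place where data flows from the HMI into the SIS (5.6 otherwise allows the DCS only to read), which is why the specification requires both a TÜV-certified, password-protected block on the bus side and a hardwired keyswitch that works with the bus down; in the model above, turning the keyswitch off during a bus failure is the only way to drop an override until the link is back.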
5.12 ENGINEERING STATION

5.12.1 The engineering station serves for the configuration and maintenance of the PLC used for the SIS and for indication of the system's self-diagnostic functions.

5.12.2 The following PC specification shall be met as a minimum:

CPU: Core2 Duo 2.13 GHz
Main memory: 2 GB
Hard disk: 20 GB available user disk space
Display resolution: 1280 × 1024
Video memory: 128 MB
Monitor: 17 inches
Serial port: one RS-232C port (when using a UPS)
Parallel port: one port (when using a printer)
Ethernet port: one port
Extension slot: one PCI slot
CD-ROM drive: one
FDD: one 3.5-inch drive
OS: Windows Vista Business Edition SP1

5.12.3 The engineering station shall also be used as a monitoring station for maintenance purposes. It shall be possible to read live SIS failure diagnostics on the programming unit, such that system failures are annunciated on the engineering station with detailed error messages. The engineering station shall also indicate the current status of the SIS: cycle time, database version, number of forced I/Os, security level, percentage CPU idle time etc.
5.13 AUXILIARY CONSOLE

5.13.1 The vendor shall supply an auxiliary console including ESD pushbutton, switch with lockout, manual reset switch, selector switch etc.

5.13.2 The ESD pushbutton, switch with lockout, manual reset switch, selector switch etc. shall be connected to the SIS cabinet by means of hardwired I/Os.
6.

6.1

- serious injury to people
- damage to the environment
- major loss or damage to assets

6.1.3 All safety-relevant interlocking shall be carried out by the SIS, which shall be designed as Programmable Logic Controllers of fail-safe design, i.e. de-energize-to-trip. The HMI of the DCS shall be able to extract alarms, events and system maintenance information from the SIS via the common bus.

6.1.4 Communication between different SIS systems (hereinafter referred to as safety communication) shall be certified by TÜV for safety-critical application. Both the HMI and the DCS shall be certified by TÜV to have no effect on the SIS or on the safety communication carried on the same bus.

6.1.5 All signals to be handled in the SIS are identified in a HAZOP study and classified and listed in separate Safety Requirement Specifications.

6.1.6 The system shall fulfil the following tasks under real-time conditions:
- read in measurement signals transmitted from the field
- generate threshold values from incoming analogue values
- perform binary logic control and sequence control functions
- execute permanent self-diagnostic functions
- list events in the order of their occurrence, time-stamped with a resolution of 1 ms or better
- send all process alarms to the HMI of the integrated DCS
- send all system diagnostic alarms to the HMI of the integrated DCS
- send all events to the HMI of the DCS
- allow the HMI to read SIS system status, to the extent that the operator in the control room is able to identify which module is failing and the type of failure, and system information such as security level, number of forced I/Os, cycle time, program version etc.
6.2

6.2.1

6.2.2 Time stamping of alarms and events shall be performed within the host system and transferred to the DCS.

6.2.3 SER (sequence of events recorder) alarms and/or events shall be incorporated into the common alarm summaries on the operator console.

6.2.4 Display of DCS alarms and/or events shall be merged with SER alarms and/or events in one window.

6.2.5 SER data shall be battery-backed for 6 months.
6.3 CONFIGURATION SOFTWARE

6.3.1 The engineering station shall be provided with all tools necessary for the configuration and programming of the system.

6.3.2 The configuration/programming function shall be clearly separated from normal operation and may be entered only with special authorization.

6.3.3 Threshold values specified within the system may only be changed in the configuration function.

6.3.4 In the configuration/programming function, it shall be possible to force inputs or outputs for test purposes.

6.3.5 It shall be possible to test a configuration offline on the engineering station, without the SIS controllers.

6.3.6 It shall be possible to detect and report implicit programming errors.

6.3.7 It shall be possible to report the differences between the modified program and the former one.

6.3.8 The self-documentation feature shall allow comprehensive printouts of the actually installed database, including a table of contents, logic diagrams with detailed service descriptions (up to 36 characters), constants, I/O parameters, Modbus addresses (if any), alarm priorities, and a list of program sheets.

6.3.9 It shall be possible to execute the unit test for the SIS, including safety communication, and the integration test with the DCS on a PC only. It shall also be possible to run a plant operation training system for the integrated SIS and DCS in a PC environment only.
6.4 ONLINE FUNCTION

6.4.1 It shall be possible to make minor logic changes online while the SIS is in operating mode, following guidelines set by TÜV. It shall be possible to add an I/O node or I/O module online. It shall be possible to avoid false trips caused by mis-programming. The SIS shall continue to perform its safety function normally during an online download.
6.5 APPLICATION SOFTWARE

6.5.1 The software supplied with the SIS shall comprise the system and application software necessary to operate the SIS and to perform the required tasks for controlling and monitoring the process plant.

6.5.2 Standard function blocks or ladder logic, or a combination of both, shall be used for the development of the application software. The programming language shall be as per IEC 61131-3.

6.5.3 It shall be possible to derive adjustable threshold values from all analogue input signals.

6.5.4 Tasks specified by the Owner which have to be performed with the aid of special functions or non-standard programs etc. shall be indicated.

6.5.5 Program sections processing interlocking functions that are not safety-relevant shall be clearly separated from program sections employed for safety-relevant interlocks. Modifications in one section shall not affect the other section.

6.5.6 Project-specific software to be prepared by the vendor shall include:
- configuration of the system functions
- configuration of the inputs/outputs
- implementation of the functional diagrams into project-specific programs
The preparation of the user software for the functions described above is an integral part of the SIS.

6.5.7 Application software, once loaded into the SIS, shall be stored and held indefinitely in flash memory in the SIS CPU module.
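An added example, not from the specification or from any vendor's engineering tool, of two requirements that belong together at download time: the configuration software must report the differences between the modified program and the former one (6.3), and safety-relevant program sections must be kept separate from non-safety sections (6.5). The two IEC 61131-3 Structured Text programs, the tag names and the "(* SECTION: ... *)" marker convention are constructed for the illustration.

```python
"""Change report for an SIS application program before download (added example).

Diffs the former and the modified program, fingerprints both versions so the
loaded program can be matched against the approved release, and reports
whether the change touches the safety-relevant section. The programs and the
"(* SECTION: NAME *)" marker convention are assumptions for the example.
"""
import difflib
import hashlib
import re
from typing import Dict, List

SECTION_RE = re.compile(r"\(\*\s*SECTION:\s*(\w+)\s*\*\)")

# Constructed former and modified programs (IEC 61131-3 Structured Text).
OLD_PROGRAM = """\
(* SECTION: SAFETY *)
IF PT_101 >= 95.0 THEN XV_100 := FALSE; END_IF;   (* high-pressure trip, de-energize *)
IF ESD_PB_01 = FALSE THEN XV_100 := FALSE; END_IF;
(* SECTION: NON_SAFETY *)
RUN_HOURS := RUN_HOURS + CYCLE_H;
"""

NEW_PROGRAM = """\
(* SECTION: SAFETY *)
IF PT_101 >= 98.0 THEN XV_100 := FALSE; END_IF;   (* high-pressure trip, de-energize *)
IF ESD_PB_01 = FALSE THEN XV_100 := FALSE; END_IF;
(* SECTION: NON_SAFETY *)
RUN_HOURS := RUN_HOURS + CYCLE_H;
MAINT_DUE := RUN_HOURS > 8000.0;
"""


def fingerprint(program: str) -> str:
    """Version identifier to compare with the approved release before download."""
    return hashlib.sha256(program.encode("utf-8")).hexdigest()


def section_of_lines(program: str) -> List[str]:
    """Section name for every line, carried forward from the last marker seen."""
    current, out = "UNASSIGNED", []
    for line in program.splitlines():
        m = SECTION_RE.search(line)
        if m:
            current = m.group(1)
        out.append(current)
    return out


def change_report(old: str, new: str) -> Dict[str, object]:
    """Line diff plus the set of sections the change touches."""
    old_lines, new_lines = old.splitlines(), new.splitlines()
    old_sec, new_sec = section_of_lines(old), section_of_lines(new)
    touched, diff = set(), []
    matcher = difflib.SequenceMatcher(a=old_lines, b=new_lines)
    for op, i1, i2, j1, j2 in matcher.get_opcodes():
        if op == "equal":
            continue
        touched.update(old_sec[i1:i2])
        touched.update(new_sec[j1:j2])
        diff += [f"- {l}" for l in old_lines[i1:i2]] + [f"+ {l}" for l in new_lines[j1:j2]]
    return {
        "hash_old": fingerprint(old),
        "hash_new": fingerprint(new),
        "sections_touched": sorted(touched),
        "touches_safety": "SAFETY" in touched,
        "diff": diff,
    }


if __name__ == "__main__":
    report = change_report(OLD_PROGRAM, NEW_PROGRAM)
    print("touches safety section:", report["touches_safety"])
    print("\n".join(report["diff"]))
```

A change that only adds the maintenance counter would come back with sections_touched equal to ["NON_SAFETY"]; the constructed example also raises the trip setpoint, so the report flags the safety section and the modification has to go through the full change process rather than the minor online change route of 6.4.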
6.6 SELF-DIAGNOSTIC FUNCTIONS

6.6.1 The firmware must offer self-diagnostics of all components. It must guarantee that a failure/breakdown of one system component is limited to that component only.

6.6.2 On system failure, all output signals must adopt a definite, pre-selected state.

6.6.3 A system failure of one component must not cause subsequent system failures of other components or of the common bus system.

6.6.4 In the case of redundant components, the backup component shall take over all functions of the failing component without restriction on the process. Take-over of functions by a redundant component shall be recorded as a system failure, with the exception of regular, recurring changeover of bus components, for example.

6.6.5 All system failures and/or activities shall be announced on the HMI and recorded on the alarm printer.
6.7 SECURITY

6.7.1 The software configuration shall be secured by password protection to prevent unauthorized access and changes.

6.7.2 Separate password protection shall be available for the application programs to prevent unauthorized access and changes.

6.7.3 Separate password protection shall be available on the SIS controllers to segregate the normal operation, maintenance and offline download modes of operation.