01_OV-235-01-Overview

EMERSON Process ManagementPower and Water Solutions

Copyrighted Material / Duplication Prohibited

Ovation Safety Instrumented System (SIS) OverviewOvation Safety Instrumented System (SIS) Overview

Course OV 236 – Rev 2 – 01/02/2010 Copyrighted Material / Duplication Prohibited

1 - 2


ObjectiveObjectiveUpon completion of this module, you will be able to define

• Basic Process Control System

• Safety Instrumented System

• Safety Instrumented Function

• Ovation SIS hardware architecture

• Ovation SIS software architecture

• Ovation SIS capacities

• Ovation SIS building blocks

• Project procedures



Part-1Safety Instrumented System (SIS) Basics

Part-1Safety Instrumented System (SIS) Basics


1 - 4


Behavior of a processBehavior of a process

BPCS (HMI & Alarm Handling)

BPCS(Process Control)

SIS (SIFs)

Process

Valuenormal behaviour

Trip level alarmPreventPrevent

MitigateMitigate

Active protection

(example: Relief valve, rupture disk)

Passive protection(example: bund)

Emergency responsex x

Incident

operator

interventionprocess alarm


1 - 5


Why BPCS?Why BPCS?

A Basic Process Control System (BPCS) compares the process values continuously against Operator set points and regulates final control element to maintain those set points.

Ovation Automation System is a BPCS.It regulates the process to maintain desired:

• Quality

• Rate of production

• Cost of production


1 - 6


Why SIS?Why SIS?To Reduce RISK so as to:

• take the process to the Safe State at the shortest possible time (ESD)

• allow process to go ahead when per missives and interlocks are through (BMS)

• mitigate the risk if the incidence happens in the plant (FGS)


1 - 7


A Safety Instrumented Function (SIF) is a combination of sensors, Logic Solver and final elements with a specified safety integrity level that detects an out of limit condition and brings the process to a functionally safe state.

SIF1, monitors a high pressure condition and closes the solenoid valve to stop catalyst flow to avoid a hazardous event.

Various “Functions”Various “Functions”

Control Function

Safety Function

Safety Instrumented Function


1 - 8


TerminologyTerminology

BPCS: Basic Process Control System – A DCS. Intention is to control the QUALITY of the product by process control.

SIF: Safety Instrumented Function – A smallest building block of a SIS. Many SIFs make a SIS.

SIS: Safety Instrumented System – Intention is to reduce RISK to acceptable level by prevention and/or mitigation.

IL: Integrity Level – The level of risk reduction (Targeted / achieved) SIL: Safety Integrity Level EIL: Environmental Integrity Level CIL: Commercial Integrity Level

When more than one ILs are applicable, highest one is qualifying IL.


1 - 9


Safety Instrumented Function (SIF)Safety Instrumented Function (SIF)


1 - 10


Safety Instrumented Systems (SIS)Safety Instrumented Systems (SIS)A Safety Instrumented System (SIS) consists of sensors, Logic Solvers executing SIFs and final control elements. A SIS will typically execute multiple SIFs. The example below consists of a SIS executing SIF1 for high pressure and SIF2 for high temperature.


1 - 11


Failure – The main concernFailure – The main concern• Why things fail?

− When Stress is more than strength, things fail!

• Why stress can be more than the strength?

− Natural calamities :: Random Failures

− Man made mistakes :: Systematic Failures

• Modes of failure

− Safe / Dangerous

− Detected / undetected

• Behavior of failures

− On demand

− Average


1 - 12


Failure rates – a basic measureFailure rates – a basic measure• Failure record of the device (element of SIF): No of devices :: No. of hours of

operation :: No of devices failed. This will help to determine Failure rate of the device.

− Failures / Year ()

• is not a constant, but it changes with time. of a new system is minimal and as it ages, it rises exponentially. In other words, probability of failure increases with time.

• We can find an average of probability of failure over a period of time – Pavg.

• Failures are of two types – Safe and Dangerous.

• What matters is dangerous failures, which put the process in dangerous states.

• Also probability of dangerous failure matters the most when the system is required to do it’s intended job than it is idle or not in demand.

• Hence, the term Probability of failure in demand (average) of a SIF is of key importance in Safety engineering.


1 - 13


Safety Integrity Level (SIL)Safety Integrity Level (SIL)Each SIF is designed to meet a Safety Integrity Level (SIL). A SIL is determined by a target risk reduction shown in the right column of the table below.

Various qualitative or quantitative methods can be used to calculate the target risk reduction which is a combination of likelihood and consequence of an event.

Safety Integrity Level (SIL)Target average Probability of

Failure on Demand (Demand Mode of Operation) Target Risk Reduction

4 > 10-5 to <10-4 >10,000 to <100,000

3 > 10-4 to <10-3 >1,000 to <10,000

2 > 10-3 to <10-2 >100 to <1,000

1 > 10-2 to <10-1 >10 to <100


1 - 14


Safety Integrity Level (SIL)Safety Integrity Level (SIL)To ensure a SIF will perform on demand, the combination of the sensors, Logic Solver and final elements together must meet a Probability of Failure on Demand (PFD).

Assuming that a target risk reduction of SIL3 is required, then the failure rates of the instruments and Logic Solver combined must fall within the PFD of > 10-4 to <10-3.

Safety Integrity Level (SIL)Target average Probability of

Failure on Demand (Demand Mode of Operation) Target Risk Reduction

4 > 10-5 to <10-4 >10,000 to <100,000

3 > 10-4 to <10-3 >1,000 to <10,000

2 > 10-3 to <10-2 >100 to <1,000

1 > 10-2 to <10-1 >10 to <100


1 - 15


SIF – SIS - SILSIF – SIS - SIL

Be particular about the usage of these acronyms!

• Many SIFs can make a SIS

• A SIF has a SIL but SIS does not have a SIL

• Customers ask for a SIL rated system – a misnomer

• SIL is not a constant!


1 - 16


BPCS – SIS IntegrationBPCS – SIS IntegrationData is often passed between a BPCS and the SIS for coordination and interlocking. The BPCS and SIS are typically from different vendors which can make the integration effort extensive.


1 - 17


OrientationOrientation

Knowing the basic requirements of the Safety Engineering, the system training is required by the following:

• The Design Group (End Customer, EPC, Safety consultant)

• The Safety Engineering Group (Vendor – Marketing, Proposals & Sales, Engineering)

• The Operations and Maintenance Group (O&M of End Customer)

Every phase of the Life Cycle can call upon in-depth study of the every subject, however further training is intended for the understanding of the Safety Instrumented System Hardware requirements and implementation requirements and techniques as required by the Operations and Maintenance Group of Marafiq at Yanbu-II.


1 - 18


A Safety System componentsA Safety System componentsSafety Critical components:

• SIL rated Field Instruments and Equipment and interface devices.

• SIL rated Logic Solver(s)

• SIL rated interface devices and accessories

• Qualified hardware design

• Qualified programming tools and components

• Dedicated and certified communication channel

Non-safety critical components:

• Interface to DCS

• HMI and HMI builder tools

• Interface to third party systems

• Other supporting functions



Part-2Ovation SIS SystemPart-2Ovation SIS System


1 - 20


Emerson’s Control and Safety systemsEmerson’s Control and Safety systems

RS-3 DCS

DeltaV DCS

DeltaV SIS

WDPF DCS

Ovation DCS

Ovation SIS

Standalone DCS Standalone SIS ICSS

Third Party Safety System


1 - 21


Ovation SIS ArchitectureOvation SIS Architecture


1 - 22


Ovation SIS - HardwareOvation SIS - Hardware

Hardware components:

• Safety Logic Solvers

• Safety Data Server with Power Supply

• SIS Net repeater / SIS Net extender

• Power Supplies and diodes

• Interface devices – Safety Relay; Safety Barrier

• SIS LAN Switches

• SIS Routers

• Dedicated Ovation controller


1 - 23


Ovation SIS – Safety Logic Solver(SLS)Ovation SIS – Safety Logic Solver(SLS)

Read Inputs Resolve and execute

Safety Logic Deliver Outputs Universal IOs – 16 per

SLS Redundant

configuration


1 - 24


Ovation SIS – Safety Data Server (SDS)Ovation SIS – Safety Data Server (SDS)

Load the Logic Solvers

Communicate with the DCS system

Provide Diagnostic information

Execute non-critical safety functions like Alarm and Graphics tasks


1 - 25


Ovation SIS – SISNet repeaterOvation SIS – SISNet repeater

Provide as a dedicated communication device between Logic solvers

Provide to extend the Safety network

Handle Safety critical communication protocol


1 - 26


Ovation SIS – Capacity ChartOvation SIS – Capacity Chart


1 - 27


SIS I/O – Hardwired IOsSIS I/O – Hardwired IOsEach Logic Solver has 16 I/O channels. The channels are universal

• Analog Inputs

• HART Analog Inputs

• HART Two-state Outputs

• Discrete Inputs

• Discrete Outputs

SLS 1508

SIF1

+--

Ch1…....…Ch16

SLS 1508

SIFX

SLS 1508

SIFX

Ch1…....Ch16

+--


1 - 28


SIS I/O – Soft IOs - Secure ParametersSIS I/O – Soft IOs - Secure ParametersOvation Logic Solvers communicate with each other using peer to peer communications through secure parameters and secure parameter references. All Logic Solvers under the same controller can read any secure parameters on the Local Peer to Peer. Each Logic Solver has 16 High-density secure parameters that can be broadcast on the Local Peer to Peer.

SLS 1508

SIF1

SLS 1508

SIFX

Secure Parameter Secure Parameter Reference

Local Peer to Peer


1 - 29


SISNet Repeaters and SISNetworkSISNet Repeaters and SISNetworkSISNet Repeaters provide communication between Logic Solvers that are attached to different controllers for Remote Peer to Peer communications. Only Boolean data can be transferred between SIS modules on different controllers and a total of sixteen Booleans can be broadcast by a Logic Solver.

SLS 1508 SLS 1508

SLS 1508 SLS 1508


1 - 30


SIS LANSIS LANSIS LAN is configured of SIS Data Servers (SDSs). The Switch is uplinked to the router. Refer to typical SIS architecture shown on next page.

Components of SIS Network include

• Ovation Controller OCR1100

− For dedicated traffic and secondary functions

• SIS Data Server SDS

− Main communication gateway to Ovation LAN

• SIS Logic Solver SLS1508

• CISCO Switch IE3000

− Forms a SIS LAN

• CISCO Routers R2801

− Interface between Ovation and SISLAN


1 - 31


Ovation SIS Network Architecture Ovation SIS Network Architecture

Note: All components are present in Redundant Configuration.



Ovation ApplicationsOvation Applications


1 - 33


Integrated Yet Separate…!Integrated Yet Separate…!

The BPCS and SIS systems share :

• Common Database

• Common Applications

• Common Network and devices for Non-safety Critical traffic

• Dedicated Network and devices for Safety Critical traffic

Next slides show the common environment already existing for the Ovation BPCS.


1 - 34


Ovation SIS - ApplicationsOvation SIS - ApplicationsMain Applications:

Developer Studio

Control Builder

Other Ovation Applications


1 - 35


SIS - ApplicationsSIS - Applications


1 - 36




1 - 37




1 - 38




1 - 39


Ovation SIS AlarmOvation SIS AlarmAll SIS signals can be identified using a special characterization called as “S “ in the alarm window. Please refer to the AY column in the alarm window as shown on next page. Pre-trip and trip alarms are notified by the same colors as in Ovation DCS. Ovation SIS has alarms for

• Sensor pre-trip thresholds

• Sensor trip thresholds

• Voter Alarm

• SOE Alarm

• Trip Alarm


1 - 40


Ovation Alarm WindowOvation Alarm Window


1 - 41


Ovation SIS User Rights Ovation SIS User Rights Specific user rights are allocated for SIS functions. Details below shows how the Ovation SIS roles are categorized for different users.

•Operator

SIS-Allow test Mode on-off

• SIS Engineer

SIS - Allow test Mode on-off

SIS – Enable control functions

SIS – Enable Tuning functions

SIS – Enable Enter Value

Note: Any change in the SIS control function in the future is not allowed and in case if there is any mandatory reason to make change, then it is expected from the person to follow the proper procedure/channel and inform the right person before making any change.

If the change is considered to be relevant then the right person will be allocated this task and the changes will be made. Changes in the logic, ranges, loading SLS, loading OCR is not permitted.


1 - 42


Engineering / Operator RolesEngineering / Operator Roles


1 - 43


Trends & Historical reviewsTrends & Historical reviewsAll SIS signals are available on the Historical alarms, trends, reviews and its past values can be viewed for easy analysis. Operator can view data in graphical form or in data form.


1 - 44


Sequence of Events (SOE)Sequence of Events (SOE)SOE is a feature available on an Historian which shows timestamp for events that occur in the process.

Operator can make use of SOE to analyze the different causes which caused a trip along with the timestamps.

Further information given from the SOE can be used by Operational personnel to further investigate on a trip and to avoid such occurrence in the future.

SOE shows

• Date

• Time

• Point Name

• Description

• State (Normal/Trip)


1 - 45


SOE WindowSOE Window

Fig. Shows a sample on how SOE are recorded onto the historian and is available on all Operator workstation which can be utilized for analysing past values and for other important reason. SOE together with SIS Master Trip First – Out will help maintenance people to easily judge the root cause of failure and to avoid such failure in the future.


1 - 46


Graphics OverviewGraphics OverviewGraphics offers,

• First Out

• Thresholds, Voting logics

• Bypasses status

• Acknowledge alarms

• Trip Status for all protection signals

• Delays

• Conditions to Activate Protections


1 - 47


Graphics WindowGraphics Window


1 - 48


SIS DiagnosticsSIS DiagnosticsAlthough there is no Diagnostic application available for SIS, we usually show Diagnostics on Graphics which shows all SIS related components, their status and hardware errors.

Diagnostics page offers the following Information

• Logic Solver (SLS) CRC

• SIS Network Architecture

• Switch Diagnostics, Port Status, Power ON-OFF

• Ovation Controller (OCR) Status and Mode

• Logic Solver (SLS) Status (Active/Standby)

• Channel Configuration (Click on the resp. Logic Solver and a pop-up window appears showing the Channel Configuration for that SLS)

• SIS Data Server (SDS) Status – Active/Standby Mode


1 - 49


Diagnostic WindowDiagnostic Window



Ovation SIS ComponentsOvation SIS Components


1 - 51


OW331_47.pdf


1 - 52


SIS Function BlocksSIS Function BlocksIO Logic Functions Timing Special Connectors

LSAI LSAND LSBFI LSOFFD LSAVTR SIS connector algorithm table

LSDI LSNAND LSBFO LSOND LSDVTR GSECPARAMREF

LSDO LSNDE LSCMP LSTP LSCEM NONSECPARAM

LSDVC LSNOR LSLIM LSRET LSSEQ SECPARAM

LSNOT LSBDE LSSTD SECPARAMREF

LSOR LSALM LSCALC

LSPDE LSMID

LSRS

LSSR

LSXNOR

LSXOR

IO Logic Functions Timing Special Connectors






LSOR LSALM LSCALC

LSPDE LSMID

LSRS

LSSR

LSXNOR

LSXOR







LSOR LSALM LSCALC

LSPDE LSMID

LSRS

LSSR

LSXNOR

LSXOR







LSOR LSALM LSCALC

LSPDE LSMID

LSRS

LSSR

LSXNOR

LSXOR







LSOR LSALM LSCALC

LSPDE LSMID

LSRS

LSSR

LSXNOR

LSXOR







LSOR LSALM LSCALC

LSPDE LSMID

LSRS

LSSR

LSXNOR

LSXOR


1 - 53


SIS Algorithm Palette - IOSIS Algorithm Palette - IO

• Analog Input – Accepts a single analog signal from an I/O channel and makes it available to other algorithms.

• Digital Valve Controller – Similar to a digital output algorithm, however it drives a two-state analog output channel connected to a Fisher Controls DVC6000. Contains parameters for partial stroke testing.

• Digital Input – Accepts a single digital input from a two-state field device and makes the processed physical input available to other algorithms.

• Digital Output – Drives an output channel to a solenoid or other final element using a 24VDC channel.


1 - 54


SIS Algorithm Palette - LogicSIS Algorithm Palette - Logic• Calculation Logic – Evaluates an expression you define in

structured text including mathematical functions, logical operators, constants, and parameter references.

• Comparator – Compares a digital value with a compare value 1 and sets a LT, GT, EQ, or NEQ output. Additionally, a compare value 2 can be used to determine if the value is in range INRGE.

• Limit – Limits an input value between a high and low limit. A limit indicator signals whether the value was limited high or low.

• Middle Signal Select – Selects a middle value input from multiple analog inputs. When there is an even number of inputs, the average of the middle two are used as the output. As many as 16 inputs may be used.


1 - 55


SIS Algorithm Palette - LogicSIS Algorithm Palette - Logic• Alarm – Performs alarm detection on an analog input you

specify.

• Bi-directional Edge Trigger – Generates a True(1) digital output when the digital input makes a False-to-True transition or a True-to-False transition.

• Boolean Fan In – Generates a digital output based on a binary weighted input (up to 16 inputs), and first out trapping.

• Boolean Fan Out – Decodes a binary weighted input into as many as 16 bits.

• Logical And – Performs an AND function on as many as 16 inputs.


1 - 56


SIS Algorithm Palette - LogicSIS Algorithm Palette - Logic• Logical XOR – Performs an exclusive OR function on 2 digital

inputs.

• Neg-directional Edge Trigger – Generates a True (1) digital output when the digital input makes a negative (True-to-False) transition.

• Pos-directional Edge Trigger – Generates a True (1) digital output when the digital input makes a positive False-to-True transition.

• Reset Set Flip Flop – Generates a digital output value based on NOR logic of the reset and set inputs.

• Set Reset Flip Flop – Generates a digital output value based on NAND logic of the set and reset inputs.


1 - 57


SIS Algorithm Palette - TimersSIS Algorithm Palette - Timers• Off Delay – Delays the transfer of a False(0) digital input

value to the output by a specified time.

• On Delay – Delays the transfer of a True(1) digital input value to the output by a specified time.

• Retentive Timer – Generates a True(1) digital output after the input has been True for a specified time period.

• Timed Pulse – Generates a True(1) digital output for a specified time duration when the input makes a positive (False-to-True) transition.


1 - 58


SIS Algorithm Palette – Special FunctionsSIS Algorithm Palette – Special Functions• Analog Voter – Monitors as many as 16 Analog Inputs and

initiates a safety procedure if a predetermined number of inputs vote to trip.

• Digital Voter – Monitors as many as 16 digital Inputs and initiates a safety procedure if a predetermined number of inputs vote to trip.

• Cause Effect Matrix – Associated 16 inputs (Causes) with 16 outputs (Effects) to control one or more final elements.

• State Transition Diagram – Employs a state machine to determine the algorithm’s state based on the state of inputs and active transitions.

• Step Sequencer – Defines as many as 16 states, and as many as 16 output values may be defined in each state. May automatically increment and decrement through the states.


1 - 59


SIS Algorithm Palette - ConnectorsSIS Algorithm Palette - Connectors• External Input Point – Reads data from outside the current sheet, but within

the same SIS Module.

• External Output Point – Writes data to a point, which can be referred by some other control sheet, within the same module

• Secparam – Sends Boolean data to other SIS modules.

• Secparamref – Receives Boolean data from other SIS modules from within the same SIS Node.

• Gsecparamref - Receives Boolean data from other SIS modules from an external SIS Node.

• Nonsecparam - Receives non safety critical boolean data from other SIS modules or BPCS control sheets/tasks.


1 - 60


SIS TreeSIS TreeDatabase Point Database

Network Analog Points

Unit Digital Points

Drop Module Points

Device Node Points

SISLAN SDS

SDS SLS

Control Module

Control Sheet

Secure Parameters


1 - 61


Most generic SIS Functions - ESDMost generic SIS Functions - ESD

Emergency Shutdown Function:

1. Acquisition and conditioning

2. Trip Voting

3. Trip resolution

4. Drive Output


1 - 62


Most generic SIS Functions - ESDMost generic SIS Functions - ESD

AI

AI

AI

DI

DI

SPR

NSPR

AVTR

DVTR

CEM DO

DVC

RST

SP

E1 E2 E3

C1 X

C2 X

C3 X X X

C4 X

Logic 1 = Normal


1 - 63


Most generic SIS Functions - BMSMost generic SIS Functions - BMS

1

Tripped

2

Ready

Reset

3

Air On

Fan On FB

Fan Off FB

4

Prepare Purging

Start PB

5 Purging

Purge Conditions FB

6 Prepare Ignition

Purge Time Over

7

Ignition

Ignition Conditions FB

8

Post Ignition

Safety Time Over

9

Burner On

Post Ignition Time Over

10Close Valves

Stop PB

Stop PBStop PBStop PBStop PBStop PB

11Open Vent

Valves Close FB

Vent Open FB

From

all States

Trip


1 - 64


Ovation SIS – Sequence executionOvation SIS – Sequence execution

An Excel template is available to support such an approach and to document the functional requirements.

State Transition Diagram

State Transition Diagram

OutputsOutputs

TripsTrips

TransitionsTransitions


1 - 65


Secure Write MechanismSecure Write MechanismA Secure Write Mechanism, TUV-certified software, allows you to change the value of a writeable parameter in a Logic Solver. This significantly reduces the risk of an unintentional change to the Logic Solver by the following means:

• Does not accept the type of change message that is sent to a Control Module.

• Only accepts a new pair of change messages, command and confirm

• Only accepts configuration changes if the SLS 1508 is unlocked

• Integrity checks include, checking for error corruption and a two minute timeout between the command and confirm in all applications except Ovation Operate Run where the timeout is 1 minute.

Secure Write Mechanism

SLS 1508

Bypass


1 - 66


Standalone SIS project implementation - OutlineStandalone SIS project implementation - Outline

• Separate SIS Database at Engineering Centre

• Database server is created and Ovation SIS installed with licenses

• For multiple units power project, it is convenient to work on the single unit and then multiply

• Create the SIS tree and organize the devices around the database server

• Implement the One-burner-One-Unit project

• Test and verify the functions along with the Graphics

• Integrate with BPCS

• Multiply for other burners and other units

• FAT

• Commissioning and startup

• SAT


1 - 67


Steps to construct a Safety ProjectSteps to construct a Safety Project• Receive Customer Inputs

• Compare IO and Logic and clear the queries

• Freeze the IO List and Logic to 90%

• Create the Database server

• Estimate Logic solvers and SDS – Go for HW design – Freeze BOM

• IO Allocation to SIFs

• Conceptual Design – HW and SW – Customer approval

• Start HW Detail Design

• Start Prototype making for Control modules, Graphics for typical unit

• Complete Implementation of modules and Graphics

• Generate Internal test plans

• Generate FAT Plans – Get Customer approvals

• Internal testing and verification

• Integration with BPCS and verification


1 - 68


SummarySummary• Basic Process Control System

• Safety Instrumented System

• Safety Instrumented Function

• Ovation SIS hardware architecture

• Ovation SIS software architecture

• Ovation SIS capacities

• Ovation SIS building blocks

• Project procedures

Documents

01_OV-235-01-Overview