Safety Considerations Guide for Trident v2 Systems - TUV ...

More documents

Recommendations

Info

10 Chapter 1 Safety Concepts Developing an SIS Using the Safety Life Cycle 1 Develop a safety requirement specification (SRS). An SRS consists of safety functional requirements and safety integrity requirements. An SRS can be a collection of documents or information. Safety functional requirements specify the logic and actions to be performed by an SIS and the process conditions under which actions are initiated. These requirements include such items as consideration for manual shutdown, loss of energy source, etc. Safety integrity requirements specify a SIL and the performance required for executing SIS functions. Safety integrity requirements include: • Required SIL for each safety function • Requirements for diagnostics • Requirements for maintenance and testing • Reliability requirements if the spurious trips are hazardous 2 Develop the conceptual design, making sure to: • Define the SIS architecture to ensure the SIL is met (for example, voting 1oo1, 1oo2, 2oo2, 2oo3). • Define the logic solver to meet the highest SIL (if different SIL levels are required in a single logic solver). • Select a functional test interval to achieve the SIL. • Verify the conceptual design against the SRS. 3 Develop a detailed SIS design including: • General requirements • SIS logic solver • Field devices • Interfaces • Energy sources • System environment • Application logic requirements • Maintenance or testing requirements Some key ANSI/ISA S84.01 requirements are: • The logic solver shall be separated from the basic process control system (BPCS). • Sensors for the SIS shall be separated from the sensors for the BPCS. • The logic system vendor shall provide MTBF data and the covert failure listing, including the frequency of occurrence of identified covert failures. Note Triconex controllers do not contain undiagnosed dangerous faults that are statistically significant. Safety Considerations Guide for Trident v2 Systems
Hazard and Risk Analysis 11 • Each individual field device shall have its own dedicated wiring to the system I/O. Using a field bus is not allowed! • A control valve from the BPCS shall not be used as a single final element for SIL capability 3. • The operator interface may not be allowed to change the SIS application software. • Maintenance overrides shall not be used as a part of application software or operating procedures. • When online testing is required, test facilities shall be an integral part of the SIS design. 4 Develop a pre-start-up acceptance test procedure that provides a fully functional test of the SIS to verify conformance with the SRS. 5 Before startup, establish operational and maintenance procedures to ensure that the SIS functions comply with the SRS throughout the SIS operational life, including: • Training • Documentation • Operating procedures • Maintenance program • Testing and preventive maintenance • Functional testing • Documentation of functional testing 6 Before start-up, complete a safety review. 7 Define procedures for the following: • Start-up • Operations • Maintenance, including administrative controls and written procedures that ensure safety if a process is hazardous while an SIS function is being bypassed • Training that complies with national regulations (such as OSHA 29 CFR 1910.119) • Functional testing to detect covert faults that prevent the SIS from operating according to the SRS • SIS testing, including sensors, logic solver, and final elements (such as shutdown valves, motors, etc.) 8 Follow management of change (MOC) procedures to ensure that no unauthorized changes are made to an application, as mandated by OSHA 29 CFR 1910.119. 9 Decommission an SIS before its permanent retirement from active service, to ensure proper review. Safety Considerations Guide for Trident v2 Systems
Page 1 and 2: Trident v2 Systems Safety Considera
Page 3 and 4: Contents Preface vii Summary of Sec
Page 5 and 6: Contents v Partitioned Processes. .
Page 7 and 8: Preface This guide provides informa
Page 9 and 10: • All other requests are handled
Page 11 and 12: 1 Safety Concepts Overview 2 Hazard
Page 13 and 14: Protection Layers Methods that prov
Page 15 and 16: Hazard and Risk Analysis Hazard and
Page 17 and 18: Sample SIL Calculation Hazard and R
Page 19: Safety Life Cycle Model Hazard and
Page 23 and 24: CAN/CSA-C22.2 No. 61010-1-04 Safety
Page 25 and 26: 2 Application Guidelines Overview 1
Page 27 and 28: General Guidelines This section des
Page 29 and 30: General Guidelines 19 Safety Measur
Page 31 and 32: Emergency Shutdown Systems The safe
Page 33 and 34: Safety-Shutdown Guidelines for Tric
Page 35 and 36: Guidelines for Triconex Controllers
Page 43 and 44: 3 Fault Management Overview 34 Syst
Page 45 and 46: System Diagnostics System Diagnosti
Page 47 and 48: Operating Modes Each input or outpu
Page 49 and 50: Analog Output (AO) Modules Module D
Page 51 and 52: Calculation for Diagnostic Fault Re
Page 53 and 54: External Communication Module Diagn
Page 55 and 56: 4 Application Development Developme
Page 57 and 58: Array Index Errors Infinite Loops D
Page 59 and 60: Setting Scan Time 49 application. T
Page 61 and 62: Sample Safety-Shutdown Programs Sam
Page 63 and 64: Sample Safety-Shutdown Programs 53
Page 65 and 66: When Some I/O Modules Are Safety-Cr
Page 67 and 68: Sample Safety-Shutdown Programs 57
Page 69 and 70: Partitioned Processes Sample Safety
Page 71 and 72:
Alarm Usage Alarm Usage 61 To imple
Page 73 and 74:
A Triconex Peer-to-Peer Communicati
Page 75 and 76:
Data Transfer Time Data Transfer Ti
Page 77 and 78:
Data Transfer Time 67 A typical dat
Page 79 and 80:
Examples of Peer-to-Peer Applicatio
Page 81 and 82:
B HART Communication Overview 72 HA
Page 83 and 84:
2008-04-01 Automation, Software and
Page 85 and 86:
2008-04-01 HART Position Paper from
Page 87 and 88:
2008-04-01 A possible impact to the
Page 89 and 90:
2008-04-01 HART Position Paper from
Page 91 and 92:
C Safety-Critical Function Blocks O
Page 93 and 94:
SYS_CRITICAL_IO Accumulates the sta
Page 95 and 96:
Library Trident and Tri-GP (TRDLIB)
Page 97 and 98:
END_IF ; PREVIOUS_RESET := RESET ;
Page 99 and 100:
Output Parameters (continued) Name
Page 101 and 102:
SYS_SHUTDOWN 91 * the safety system
Page 103 and 104:
ALARM_DISABLED_POINTS := MPX.POINTS
Page 105 and 106:
Example For shutdown examples, see
Page 107 and 108:
A abbreviations, list of viii actua
Page 109 and 110:
message errors, external communicat
Page 112:
Invensys Operations Management 5601
show all

Safety Considerations Guide for Trident v2 Systems - TUV ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?