DeltaV Safety Instrumented System - WordPress


D800027X022
December 2008
DeltaV Safety Instrumented System
Safety Manual

1996 - 2005 Fisher-Rosemount Systems, Inc. All rights reserved. Unauthorized duplication, in whole or in part, is prohibited.

Printed in UK

Emerson, Emerson Process Management, the Emerson Process Management Design, DeltaV, the DeltaV design, and PlantWeb are marks of one of the Emerson Process Management group of companies. All other marks are property of their respective owners. The contents of this publication are presented for informational purposes only, and while every effort has been made to ensure their accuracy, they are not to be construed as warranties or guarantees, expressed or implied, regarding the products or services described herein or their use or applicability. All sales are governed by our terms and conditions, which are available on request. We reserve the right to modify or improve the design or specification of such products at any time without notice.

Contents

1 DeltaV SIS Safety Manual (p. 1)
1.1 Certification (p. 1)
1.2 Management of Functional Safety (p. 2)
1.3 Restrictions (p. 3)
1.4 Engineering Practices (p. 4)
1.5 Operations and Maintenance Practices (p. 5)

2 Product Specifications (Appendix A) (p. 7)
2.1 Failure Rate Data for SIL Verification (p. 7)
2.2 Common Cause Failures (p. 10)
2.3 Failure Rate Data for Availability (p. 11)
2.4 Response Time Data (p. 11)
2.5 Limits (p. 13)
2.5.1 Product Life (p. 13)
2.5.2 Environmental Conditions (p. 13)
2.5.3 Application Limits (p. 13)

3 Required Practices (Appendix B) (p. 15)
3.1 Installation and Site Acceptance Testing (p. 15)
3.2 Managing Changes in the DeltaV SIS Runtime System (p. 15)
3.2.1 Downloading the SLS1508 (p. 15)
3.2.1.1 Functional Testing After the Initial Download (p. 16)
3.2.1.2 Recording CRC Values (p. 16)
3.2.2 Subsequent Downloads (p. 17)
3.2.2.1 Downloading to a Running Process (p. 19)
3.2.2.2 Functional Testing After Download to a Running Process (p. 21)
3.3 Using the SLS1508 in Fire & Gas and Normally Deenergized Applications (p. 23)
3.4 Using HART Two-State Output Channels and Digital Valve Controllers (p. 26)
3.5 Using Non-Secure Parameter References in SIS Modules (p. 27)
3.5.1 Non-Safety-Critical Use (p. 27)
3.5.2 Safety-Critical Use (p. 28)

4 Engineering Practices (Appendix C) (p. 29)
4.1 Requiring a Reset Before Outputs Can Become Energized (p. 29)
4.2 Configuring the SLS1508 Response to Detected Faults (p. 30)
4.2.1 Faults Detected on Input Channels (p. 30)
4.2.1.1 Getting Bad Status into the SIS Module (p. 30)
4.2.1.1.1 Analog Input Channels (p. 30)
4.2.1.1.2 Discrete Input Channels (p. 31)
4.2.1.2 Using Bad Status in the SIS Module (p. 31)
4.2.2 Faults Detected on Output Channels (p. 33)
4.3 Using an SIS Module Template to Meet Operator Notification Requirements (p. 35)
4.4 Choosing the SLS1508 Scan Rate (p. 37)
4.5 Configuration Considerations for Online Downloads and Restarts (p. 38)
4.5.1 Online Downloads (p. 38)
4.5.2 Restarts After Power Failures (p. 38)
4.6 System Administration (p. 39)
4.6.1 Database Backups (p. 39)
4.6.2 Configuration Changes After Startup (p. 40)
4.6.3 Uploading Parameter Changes (p. 40)

5 Operations and Maintenance Practices (Appendix D) (p. 41)
5.1 Bypasses and Other Overrides (p. 41)
5.1.1 Override Types (p. 41)
5.1.2 Configuration of Bypasses (p. 42)
5.1.3 Operation of Bypasses (p. 43)
5.2 Fault Detection, System Response, and Repair Procedures (p. 45)
5.2.1 How DeltaV SIS Annunciates Faults (p. 46)
5.2.2 Evaluating and Responding to Annunciated Faults (p. 49)
5.2.3 Evaluating Fatal Errors (p. 50)
5.2.4 Maximum Fault Detection Time (p. 53)
5.2.5 Fault Detection in SISNet Repeaters (p. 54)
5.3 Proof Testing the SLS1508 (p. 54)
5.3.1 Automatic Tests (p. 55)
5.3.2 Manual Tests (p. 55)
5.4 Upgrading Firmware (p. 56)
5.5 Making Online Scaling Changes in HART Transmitters (p. 57)

1 DeltaV SIS Safety Manual

This document contains important information on how DeltaV SIS is to be used in a safety instrumented system to place and/or maintain the equipment under control in an appropriate state when expected to do so. The guidelines in this document must be followed when using DeltaV SIS in a safety-critical application.

To determine whether this document is the most recent revision applicable to a particular revision of the SLS1508, compare the part number shown on the cover of this document to the part numbers shown at the following

1.1 Certification

The information in this document applies to the following hardware and software components of DeltaV SIS.

Safety Rated:
- SLS1508 hardware module revision 4.xx
- SLS1508 firmware revision 1.xx.xx.xx
- SLS1508 firmware revision 2.xx.xx.xx
- Secure Write workstation
- Helper.dll
- ValidateExemem.dll

Safety Relevant:
- SISNet Repeater hardware module
- SISNet Repeater firmware
- SLS1508 simplex termination block
- SLS1508 redundant termination block
- DeltaV MD Controller hardware
- DeltaV MD Controller firmware
- DeltaV Explorer
- DeltaV Control Studio in SIS module context

Interference-Free:
- All other DeltaV hardware, firmware, and software components not listed above

TÜV has certified the SLS1508 hardware and firmware as suitable for use in applications with a maximum Safety Integrity Level of 3 (SIL3) according to IEC 61508. The SIL3 certification applies to both simplex and redundant SLS1508s. Redundancy increases availability, but does not increase safety. Both simplex and redundant SLS1508s provide the hardware fault tolerance and safe failure fraction to meet SIL3 architectural requirements. In order for your application to satisfy a SIL3 requirement, the probability of dangerous failure for the given safety instrumented function must be in the SIL3 range.

The SLS1508 is certified for use in both the low demand and high demand mode of operation as defined by IEC 61508.

Refer to "Product Specifications (Appendix A)" for failure rate and other data to help you verify that your safety requirements are being met and for additional considerations for using the SLS1508 in high demand mode.

1.2 Management of Functional Safety

DeltaV SIS is intended to be used in accordance with a defined safety lifecycle such as that described in IEC 61511. Emerson Process Management recommends the following additional functional safety management requirements.

Competence of Persons - Engineering

All persons involved in the initial implementation or modification of the application software should have appropriate training. Opportunities for training include reading this manual, reading DeltaV Books Online, and attending a training class taught by Emerson Process Management-certified personnel. Formal training is available through Emerson Process Management Educational Services. For information, cts centers.asp

Competence of Persons - Installation and Hardware Maintenance

All persons involved in installation and hardware maintenance activities should have appropriate training. Opportunities for training include reading this manual, reading Installing Your DeltaV Safety Instrumented System Hardware, reading DeltaV Books Online, and attending a training class taught by Emerson Process Management-certified personnel. Formal training is available through Emerson Process Management Educational Services.

Competence of Persons - General

All persons involved in any aspect of DeltaV SIS use, including engineers, operators, supervisors, maintenance personnel, and system administrators, should have training in the importance of safety instrumented systems. All persons should have specific training in the procedures for which they are responsible. DeltaV system administrators must ensure
