- Specification of Safety Instrumented Loops
  - Specification based on the hazard analysis
    - Safety functions, immediate safety states, process safety time (PST)
    - Structure of each safety instrumented loop
    - Independent control and protective structure of the plant automation
    - Interaction of plant subsystems
    - Consider a safety shutdown while the process is in start-up or controlled shutdown.
    - Specification of organisational measures (operation, inspection)
    - Hazards to be covered by full / major responsibility of the plant operator
  - Suitable Ex-protection
    - Overvoltage, surge and other EMC protection
  - Observe the conditions of use specified by the manufacturer
    - Example: monitored threshold limits and leakage current of the digital I/O modules
    - Electrical insulation provided by the I/O modules
    - Specified environmental stress conditions
  - Current loop principle (de-energized to trip, 4-20 mA)
    - Signals should be dynamic, to the extent possible
- Configuration of Safety Instrumented System
  - Communication
    - Safety-related communication is currently only supported between systems of the same family; vendor-independent safety bus specifications are currently under certification
    - Communication with other non-safety-related systems can be made safe only by additional measures in the application program
    - Access control for external communication partners (examples: engineering workstation and DCS)
  - Communication adds to the safety-related reaction time
    - Specify and configure a time limit for the monitoring of the communication
    - Unfavourable communication structures and parameters may reduce the plant availability
- Application Programming
  - Program based on logic diagrams or cause + effect matrices only
  - Program with the delivered safety engineering tools only (if no safety engineering tools exist, each path must be fully tested)
  - Avoid instruction lists / mnemonics
    - Use function block diagrams, cause + effect matrices or sequential function charts
  - Use proven-in-use or pre-tested function blocks
    - Maintain a library of such blocks
  - Keep the reaction time of the application program constant
    - Test the maximum system reaction time to all external events
  - Test the re-start after power failure in all operating modes
  - Check modifications always with the certified revision comparator
  - Check during commissioning that the compiled configuration loaded in the safety instrumented system and the configuration theoretically checked previously are equal
- Operation and Modifications
  - Safety-relevant fault reactions which only lead to signalling are only permitted under supervised operation (the operator must have enough information and time to react)
  - Maintenance override requires (operator-specified) guidelines
    - The plant operator must nevertheless receive sufficient information about the safety status of the plant
    - See the document "Maintenance Override"
  - Hazards associated with on-line modifications
    - On-line modifications reduce safety by their nature. Full functional testing should be done on simulators or at a similar plant.
- Timing restriction after degradation
  - The generic standards (IEC 61508 and DIN 19250 in conjunction with DIN 0801) don't give exact figures or guidelines for a system when a fault has been detected in the system and the system structure has been degraded as a result of that fault.
  - For ESD applications where an AK system according to DIN 19250 is used, only supervised operation should be possible after reaching single-channel mode of operation. On-line repair is possible. If not repaired, single-channel operation is possible with the following maximum timing:
    - in AK 5: shutdown after a maximum of 72 hours of supervised operation in single-channel mode
    - in AK 6: shutdown after a maximum of 1 hour of supervised operation in single-channel mode
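As an added illustration (not part of the original document and not any vendor's code), the following Python models the degraded-mode timing rule above: a dual-channel ESD system drops to supervised single-channel operation on the first channel fault, is restored by on-line repair, and is forced to the shutdown state when the AK-dependent limit expires, when supervision is lost, or when a second fault occurs. The class and mode names, and the treatment of a second fault as immediate shutdown, are assumptions; the 72 h and 1 h limits are the figures stated above.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class AK(Enum):
    AK5 = 5
    AK6 = 6


# Maximum supervised single-channel operation after a channel fault, in seconds.
# These are the ESD figures from the checklist: AK 5 -> 72 h, AK 6 -> 1 h.
MAX_SINGLE_CHANNEL_S = {AK.AK5: 72 * 3600, AK.AK6: 1 * 3600}


class Mode(Enum):
    REDUNDANT = "redundant"        # both channels healthy
    SINGLE_CHANNEL = "single"      # degraded: supervised operation only, timer running
    SHUTDOWN = "shutdown"          # safe state reached; cleared only by a restart


@dataclass
class DegradationSupervisor:
    """Degraded-mode timer for one dual-channel ESD system (hypothetical helper)."""
    ak: AK
    mode: Mode = Mode.REDUNDANT
    degraded_since: Optional[float] = None   # time (s) of the first channel fault

    def channel_fault(self, now: float) -> Mode:
        if self.mode is Mode.REDUNDANT:
            self.mode, self.degraded_since = Mode.SINGLE_CHANNEL, now
        elif self.mode is Mode.SINGLE_CHANNEL:
            self.mode = Mode.SHUTDOWN        # second fault: no healthy channel left (assumption)
        return self.mode

    def repaired(self) -> Mode:
        # On-line repair restores redundancy and clears the timer.
        if self.mode is Mode.SINGLE_CHANNEL:
            self.mode, self.degraded_since = Mode.REDUNDANT, None
        return self.mode

    def remaining_s(self, now: float) -> Optional[float]:
        """Seconds of single-channel operation still allowed, or None when not degraded."""
        if self.mode is not Mode.SINGLE_CHANNEL:
            return None
        return max(0.0, MAX_SINGLE_CHANNEL_S[self.ak] - (now - self.degraded_since))

    def tick(self, now: float, supervised: bool) -> Mode:
        """Call cyclically; trips to SHUTDOWN when the limit expires or supervision is lost."""
        if self.mode is Mode.SINGLE_CHANNEL:
            if not supervised or self.remaining_s(now) <= 0:
                self.mode = Mode.SHUTDOWN
        return self.mode
```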