This article describes general specifications and minimum requirements for the design of logic solvers constituting safety instrumented system (SIS). This document shall be read in conjunction with SES-X03-G01.
2. SIS References
Reference is made in this article to the following documents.
SES-X01-E01 Control System Design Criteria
SES-X03-G01 Safety Instrumented Systems Implementation Guidelines
SES-X05-E01 Process Control Cabling and Wiring
International Electrotechnical Commission (IEC)
IEC 61000-4-2 EMC Electrostatic discharge immunity test
IEC 61000-4-3 EMC Radiated, radio-frequency, electromagnetic field immunity test
IEC 61000-4-4 EMC Electrical fast transient/burst immunity test
IEC 61000-4-5 EMC Surge immunity test
IEC 61000-4-6 EMC Immunity to conducted disturbances, induced by radio-frequency fields
IEC 61508 Functional safety of electrical/electronic/programmable electronic safety-related systems
IEC 61511 Functional safety – Safety instrumented systems for the process industry sector
IEC 61131-2 Programmable controllers – Equipment requirements and tests
IEC 61131-3 Programmable controllers – Programming languages
The International Society for Automation (ISA)
71.04 Environmental Conditions for Process Measurement and Control Systems: Airborne Contaminants
3. SIS Definitions
Availability. It represents the statistical probability that the safety instrumented system is operational and can respond properly to an initiating event at some instant in time.
Availability Target (AT). Commonly used as a design criterion for systems. Availability = 1 - PFD.
Certifying Authority. An agency, such as TÜV (Technischer Überwachungsverein, German for Technical Inspection Association), that performs safety and inspection testing on equipment, including safety instrumented systems.
Diagnostic Coverage (IEC 61508-4). The fraction of dangerous failures detected by automatic on-line diagnostic tests: the failure rate of the detected dangerous failures divided by the total dangerous failure rate, DC = λDd / λD, where λD = λDd + λDu. Diagnostic coverage does not include faults detected by proof tests.
Dangerous Failure (IEC 61508). Failure of an element and/or subsystem that plays a part in implementing the safety function that:
a. prevents a safety function from operating when required (demand mode) or causes a safety function to fail (continuous mode) such that the EUC is put into a hazardous or potentially hazardous state; or
b. decreases the probability that the safety function operates correctly when required.
Fail-Safe. Designed to return to a safe condition in the event of a failure or malfunction.
Final Element (IEC-61511-1). Part of a safety instrumented system which implements the physical action necessary to achieve a safe state. Examples are valves, switch gear, motors including their auxiliary elements such as solenoid valves and actuator if involved in safety function.
Initiating Event (Process demand). A process condition or event that requires the protective system to bring the process or equipment to its safe state.
Initiator. A device, such as a sensor or pushbutton, which causes the safety instrumented system to bring the process or equipment to its safe state.
Logic Solver. A component or group of components that receives inputs from sensors, performs a predetermined decision-making function, causes final elements to assume a safe position, and provides alarms.
Process Safety Time (IEC 61508). Period of time between a failure, that has the potential to give rise to a hazardous event, occurring in the equipment under control (EUC) or EUC control system and the time by which action has to be completed in the EUC to prevent the hazardous event occurring.
Probability of Failure on Demand (PFD). A value that indicates the probability of a safety instrumented system failing to respond to an initiating event.
Reliability. Probability that the system or component will perform its intended function for a specified period of time.
Reset. A function that controls the action of the safety interlock when an interlock trip function returns to the normal state.
Response Time. The elapsed time between an input initiation and the change of state of an output that is directly controlled by that input in the application program. This time is typically a function of input/output filtering and the application program scan period. For an individual SIF or the overall SIS, the final element response time should also be included.
Safe Failure (IEC 61508). Failure of an element and/or subsystem and/or system that plays a part in implementing the safety function that:
a. results in the spurious operation of the safety function to put the EUC (or part thereof) into a safe state or maintain a safe state; or
b. increases the probability of the spurious operation of the safety function to put the EUC (or part thereof) into a safe state or maintain a safe state
Safe Failure Fraction (SFF) (IEC 61508). Property of a safety related element that is defined by the ratio of the average failure rates of safe plus dangerous detected failures and safe plus dangerous failures. This ratio is represented by the following equation:
SFF = (λS,avg + λDd,avg) / (λS,avg + λDd,avg + λDu,avg)
When constant failure rates are assumed, the equation simplifies to:
SFF = (λS + λDd) / (λS + λDd + λDu), where
λS: safe failure rate
λD: total dangerous failure rate, λD = λDd + λDu
λDd: dangerous failure rate detected by diagnostic tests
λDu: dangerous failure rate undetected by diagnostic tests (found only by proof test)
Safety Function (IEC-61511-1). Function to be implemented by SIS, other technology safety related system or external risk reduction facilities, which is intended to achieve or maintain a process safe state with respect to a specific hazardous event.
Safety Interlock. A system or function that detects an out-of-limits (abnormal) condition or improper sequence and brings it to a safe condition. A safety interlock operates automatically; no operator action is involved.
Safety Instrumented Function (SIF) (IEC-61511-1). It is the safety function with a specified safety integrity level which is necessary to achieve functional safety and which can be either a safety instrumented protection function or a safety instrumented control function.
Safety Instrumented System (SIS) (IEC-61511-1). Instrumented system used to implement one or more safety instrumented functions. An SIS is composed of any combination of sensors, logic solvers and final elements to implement one or more SIFs.
Safety Integrity Level (SIL). A discrete level for specifying the safety integrity requirements of the SIFs allocated to the SIS. The SIL of a SIF is a means of quantifying the relative risk reduction provided by that SIF or SIS.
It is a numerical means of quantifying the design requirements of an SIS in terms of PFD and availability, as shown in the table below for demand mode.
Scan Period. Time in which the CPU of the controller executes the configured safety logic functions.
Sensor (IEC-61511-1). Device or combination of devices, which measure the process condition. Examples are transmitters, transducers, process switches, position switches, etc.
Self Diagnostic. Capability of an electronic system to monitor its own status and indicate faults that occur within the device.
Spurious Trip. A trip of the process by the safety instrumented system for reasons not associated with a problem in the process. This is a detected safe failure, also referred to as a nuisance or false trip. Allowable spurious trip rates (STR) are a design criterion for safety instrumented system redundancy requirements and a measure of system reliability.
Watchdog Timer. A component that causes a programmable electronic device to go to a predetermined state if it is idle or looping endlessly. Watchdog timers can be internal or external to the programmable electronic device.
Abbreviations and Acronyms
EMI Electromagnetic Interference
EUC Equipment Under Control
MTBF Mean Time between Failures
MTTR Mean Time to Repair
4. Safety Instrumented Systems Logic Solver SIS Specification
4.1 Logic Solver
4.1.1 In this document "logic solver" shall be used for a PLC with the following features as a minimum:
Fail-safe, fault tolerant, equipped with self-test and self-diagnostics,
TUV SIL 3 certified, manufactured in conformance with IEC 61508 requirements.
4.1.2 However, logic solvers based on any of the following technologies shall require SABIC approval:
Pneumatic logic, e.g. pneumatic relays.
Electrical logic, e.g. electromechanical relays.
Electronic logic, e.g. solid-state devices. This includes special purpose equipment designed and supplied to perform specific interlock functions.
4.1.3 General design guidelines shall comply with SES-X01-E01.
4.1.4 Any conflict(s) between this standard, SES and industry standards, engineering drawings, and contract documents shall be resolved at the discretion of SABIC.
4.2 Technology
The system shall be made up of manufacturer’s standard hardware, firmware, and software that can be configured to meet stated requirements.
4.3 System Lifecycle and Expandability
4.3.1 Vendor shall provide support from design through installed life of the system.
4.3.2 Vendor shall also advise the expected length of time for which system components (hardware and software) will be manufactured and supported. SABIC expects a minimum of 10 years of support from the purchase order date, and that the vendor has a local office with sufficient staff able to respond to the needs of the plant.
4.3.3 During the warranty period the vendor shall inform SABIC of future upgrades. However, FAT shall be carried out with the latest proven version at the time of hardware freeze.
4.3.4 The system shall be modular in design providing flexibility to economically implement small projects, but scalable for expansions and major projects.
4.3.5 It shall be possible to add and remove I/O modules and perform application program modifications online, without shutting down or degrading any safety function of SIS.
4.4 Software Licensing, Certificates, and Upgrade
4.4.1 Vendor shall provide the license certificates of each component of the system.
4.4.2 Application program shall not require rewriting of any safety function during the upgrade of system software.
4.4.3 Vendor shall include in their proposal, the TUV certificate together with relevant documents such as reports and TUV exceptions.
5. Functionality
5.1 General
5.1.1 In general, each logic solver is composed of CPU, I/O modules, communication module, diagnosis module, power supply modules, etc. These components may vary according to the design of different vendors.
5.1.2 Logic solver response time shall be suitable to the requirements of the process safety time. Logic solver response time shall be subject to SABIC approval.
5.1.3 The logic solver shall be in one of the following configurations, with a minimum SFF of 90 percent:
a. 1oo2 Redundant
b. 2oo3 Redundant
c. 2oo4 Redundant
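Worked example of the section 3 definitions (DC, SFF, PFD, availability) applied to the voting configurations of 5.1.3 and the availability target of 8.1.1. This is an added illustration, not part of this standard and not any vendor's certification data: the failure rates, proof-test interval, MTTR and common-cause factor beta are constructed values, and the PFDavg expressions are the usual low-demand approximations rather than the full IEC 61508-6 equations. The SIL bands are those of IEC 61508-1 for demand mode; an actual SIL claim is additionally limited by the architectural constraints (HFT and SFF), which this calculation does not apply.

```python
"""PFDavg, SFF and SIL band for logic solver voting architectures.

Added illustrative example; not part of the SES standard and not vendor
certification data. Failure rates, proof-test interval, MTTR and beta are
constructed values. The PFDavg expressions are the usual low-demand
approximations (constant failure rates, lambda_Du * T << 1, detected
dangerous faults repaired within MTTR, beta-factor common cause applied to
the undetected dangerous failures).
"""
from dataclasses import dataclass
from typing import Dict, Optional

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class ChannelRates:
    """Failure rates of one logic solver channel, per hour."""
    lambda_s: float   # safe failures
    lambda_dd: float  # dangerous failures detected by online diagnostics
    lambda_du: float  # dangerous failures found only by proof test

    @property
    def lambda_d(self) -> float:
        """Total dangerous failure rate, lambda_D = lambda_Dd + lambda_Du."""
        return self.lambda_dd + self.lambda_du


def diagnostic_coverage(r: ChannelRates) -> float:
    """DC = lambda_Dd / lambda_D (IEC 61508-4); proof-test finds are excluded."""
    return r.lambda_dd / r.lambda_d


def safe_failure_fraction(r: ChannelRates) -> float:
    """SFF = (lambda_S + lambda_Dd) / (lambda_S + lambda_Dd + lambda_Du)."""
    return (r.lambda_s + r.lambda_dd) / (r.lambda_s + r.lambda_dd + r.lambda_du)


def pfd_avg(arch: str, r: ChannelRates, proof_test_interval_h: float,
            mttr_h: float, beta: float) -> float:
    """Average probability of failure on demand for one voting architecture."""
    x = r.lambda_du * proof_test_interval_h   # expected undetected dangerous faults per interval
    independent = (1.0 - beta) * x            # part of x not attributed to common cause
    common_cause = beta * x / 2.0             # CCF behaves like a single 1oo1 channel
    if arch == "1oo1":
        return x / 2.0 + r.lambda_dd * mttr_h
    if arch == "1oo2":
        return independent ** 2 / 3.0 + common_cause
    if arch == "2oo3":
        return independent ** 2 + common_cause
    if arch == "2oo4":
        return independent ** 3 + common_cause
    raise ValueError(f"unsupported architecture {arch!r}")


def sil_for_pfd(pfd: float) -> Optional[int]:
    """Low-demand SIL band for a PFDavg (IEC 61508-1 Table 2): SIL 3 is 1e-4 <= PFD < 1e-3."""
    bands = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}
    for sil, (low, high) in bands.items():
        if low <= pfd < high:
            return sil
    return None   # outside the SIL 1..4 range


def availability(pfd: float) -> float:
    """Availability = 1 - PFD, the definition used in section 3."""
    return 1.0 - pfd


def assess(arch: str, r: ChannelRates, proof_test_interval_h: float,
           mttr_h: float, beta: float) -> Dict[str, object]:
    pfd = pfd_avg(arch, r, proof_test_interval_h, mttr_h, beta)
    return {"arch": arch, "dc": diagnostic_coverage(r), "sff": safe_failure_fraction(r),
            "pfd_avg": pfd, "sil": sil_for_pfd(pfd), "availability": availability(pfd)}


if __name__ == "__main__":
    rates = ChannelRates(lambda_s=2e-6, lambda_dd=9e-7, lambda_du=1e-7)  # constructed
    for arch in ("1oo1", "1oo2", "2oo3", "2oo4"):
        print(assess(arch, rates, 3 * HOURS_PER_YEAR, mttr_h=8.0, beta=0.02))
```

With the constructed numbers the common-cause term beta·λDu·T/2 dominates every redundant architecture, so 2oo3 and 2oo4 come out no better than 1oo2 until beta is driven down; that is the practical reason to care about independence of supplies and networks (6.3, 6.5) and not only about the number of channels.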
5.2 Redundancy
5.2.1 Logic solver shall be able to comply with the redundancy requirements of SES-X03-G01.
5.2.2 In case of failure or malfunction, the system shall automatically transfer to the redundant modules to continue all required functions and shall generate an appropriate alarm message. A single point failure anywhere in the logic solver shall not degrade or result in the loss of any safety function.
5.2.3 The vendor shall advise the standard switch-over time to transfer all functions between redundant components. This time shall never be longer than the process safety time.
5.2.4 All kinds of software packages required for the redundancy of the whole system shall be supplied with appropriate licenses and hardware.
6. Hardware Specification
6.1 Central Processor Unit (CPU)
6.1.1 CPU can be formed of single or multiple processors and modules.
6.1.2 CPU with all required modules shall be redundant.
6.1.3 Removal of a faulty CPU or relevant module and its replacement shall not require a shutdown or powering off of the system.
6.1.4 CPU shall be capable of executing both predefined and user defined safety functions.
6.1.5 CPU shall be provided with online diagnostics and failure reporting.
6.1.6 CPU shall be able to communicate with other CPUs in the system.
6.1.7 The CPU shall retain the program in either flash memory or rechargeable battery backed-up RAM, with all memory contents retained for a minimum of 2 days on battery. An alarm indication shall be provided to alert operating personnel of failure of the battery backup unit.
6.1.8 Each CPU and communication modules shall be furnished with LED status indicators to indicate correct operation and error conditions of that module.
6.1.9 As a minimum, the following status indications or their equivalents shall be provided on the CPU:
a. Fault conditions within the CPU
b. Communications status
c. Force status
d. Status of I/O
6.1.10 Whenever required by project specification, CPU modules shall be suitable for Class G3 harsh environments as per ISA 71.04.
6.1.11 A hardware or software mode-select switch shall be provided to prevent memory modification from any outside source (any device connected through the engineering or communication interfaces) while the switch is in the protected position.
6.2 I/O Modules
6.2.1 General
a. Interface to the process shall be through microprocessor-based local or remote I/O modules.
b. I/O modules shall be 24 Vdc. Alternative voltage shall require SABIC approval.
c. All I/O modules used in safety logic shall be redundant.
d. Electrical isolation shall be provided on all I/O modules.
e. Insertion or removal of a redundant I/O module shall not interrupt the operation of the system and shall not require powering down either CPU module. Additionally, removal from the chassis shall be possible without disturbing external field wiring. It is preferred that field I/O wiring be connected to remote or external termination panels.
f. I/O modules shall be provided with LED status indicators on the front of the module.
g. DI and DO modules shall be provided with individual channel LED status indicator.
h. I/O modules shall have configurable fail-safe features.
i. Whenever required by project specification, the modules shall be suitable for Class G3 harsh environments as per ISA 71.04.
j. I/O modules shall be capable of being arranged in any location within a chassis. However, mechanical coding shall be provided to protect against insertion of the wrong module during replacement.
k. Interposing relays shall be installed for interfacing with electrical systems. Where required, free-wheeling diodes and status LEDs shall be provided.
6.2.2 Analog Inputs
a. Analog Input modules shall be able to receive and convert analog signals such as 4-20 mA dc or 1-5 Vdc and provide power to field devices.
b. Analog inputs powered from the external 24 Vdc system supply shall be current limited.
c. The system shall be capable of receiving 4-20 mA signals from externally powered devices, e.g. 4-wire device.
6.2.3 Analog Outputs
a. Analog output modules shall only be used with SABIC approval.
b. Analog output modules shall not be used for controlling the process.
c. Analog output modules shall provide 4-20 mA dc signals with current limiting.
6.2.4 Digital Inputs
a. Digital Input modules shall be able to receive dry contact or powered input rated 24 Vdc.
b. Standard operating ranges for digital inputs shall comply with IEC-61131-2 requirements.
6.2.5 Digital Outputs
a. Digital Output modules shall comply with IEC 61131-2 requirements.
b. Solid state outputs shall be 24 V dc @ 100 mA.
c. Relay Contact outputs shall be 24 V dc @ 1 Amp.
d. Each output shall be of the protected type and short-circuit proof as per IEC 61131-2 requirements.
6.3 Networks
6.3.1 Redundant, TUV SIL 3 approved networks that can provide extended communication without degrading any safety function or performance shall be available for connectivity of all components of the logic solvers.
6.3.2 Failure of one processor or network shall immediately switch the communication over to the other processor or network without interruption; the switch-over shall be transparent to the operator, with an alarm reported to the operator console.
6.3.3 Failure of any device on the network shall affect neither the communication nor any function of the system.
6.3.4 Removal of a faulty component from network shall not require powering down of the system and shall not degrade any safety function.
6.3.5 Refer to SES-X05-E01 for network cable installation requirements.
6.4 Interfaces
6.4.1 The logic solver shall support multiple ports for interfacing with other external devices to establish engineering, bypass, SOE, and safety alarm functionalities.
6.4.2 Redundant interfaces with the control system shall be as per industrial standards, e.g. serial interface, OPC, Modbus-RTU, Modbus-TCP, etc. Note that Modbus and classic OPC carry no message authentication, so such an interface cannot by itself establish that the control system only reads from the logic solver; the protection against memory modification from outside sources required in 6.1.11 applies to these ports as well.
6.4.3 Cable connection and disconnection shall be possible without interrupting system operation or any safety function.
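The protocols listed in 6.4.2 carry no message authentication, so whether the control-system interface can write into the logic solver is decided by what the interface accepts, not by who the sender claims to be. The following is an added example, not part of this standard or of any vendor product: a minimal Modbus/TCP request parser that classifies each frame by function code and flags anything that is not a read, usable as a passive check on a mirrored interface or as a test of a firewall rule. Function codes are those of the public Modbus Application Protocol specification; the sample frames are constructed.

```python
"""Classify Modbus/TCP requests reaching a logic solver as read or write.

Added example; not part of the SES standard or any vendor product. It is the
check behind a rule such as "the DCS/OPC interface to the SIS is read-only":
feed it the request frames seen on the interface (here constructed samples)
and alert on anything that is not a read. Function codes follow the public
Modbus Application Protocol specification.
"""
import struct
from typing import List, NamedTuple, Optional

READ_FUNCTIONS = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 7: "Read Exception Status", 17: "Report Server ID",
    20: "Read File Record", 24: "Read FIFO Queue", 43: "Encapsulated Interface Transport",
}
WRITE_FUNCTIONS = {
    5: "Write Single Coil", 6: "Write Single Register", 15: "Write Multiple Coils",
    16: "Write Multiple Registers", 21: "Write File Record", 22: "Mask Write Register",
    23: "Read/Write Multiple Registers",
}
DIAG_FUNCTIONS = {8: "Diagnostics", 11: "Get Comm Event Counter", 12: "Get Comm Event Log"}


class ModbusRequest(NamedTuple):
    transaction_id: int
    unit_id: int
    function_code: int
    name: str
    verdict: str                  # "read", "write", "diagnostic" or "unknown"
    start_address: Optional[int]  # first coil/register touched, where the PDU carries one
    quantity: Optional[int]


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse one client-to-server Modbus/TCP frame: 7-byte MBAP header + PDU."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol identifier {proto} is not Modbus")
    if length != len(frame) - 6:              # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    pdu = frame[7:]
    fc = pdu[0]
    if fc & 0x80:
        raise ValueError("exception response, not a request")
    start = qty = None
    try:
        if fc in (1, 2, 3, 4, 15, 16):
            start, qty = struct.unpack(">HH", pdu[1:5])
        elif fc in (5, 6, 22):
            (start,) = struct.unpack(">H", pdu[1:3])
            qty = 1
        elif fc == 23:                         # the write range is the part that matters
            start, qty = struct.unpack(">HH", pdu[5:9])
    except struct.error as exc:
        raise ValueError("truncated PDU") from exc
    if fc in WRITE_FUNCTIONS:
        verdict, name = "write", WRITE_FUNCTIONS[fc]
    elif fc in READ_FUNCTIONS:
        verdict, name = "read", READ_FUNCTIONS[fc]
    elif fc in DIAG_FUNCTIONS:
        verdict, name = "diagnostic", DIAG_FUNCTIONS[fc]
    else:
        verdict, name = "unknown", f"function code {fc}"
    return ModbusRequest(tid, unit, fc, name, verdict, start, qty)


def audit_frames(frames: List[bytes], read_only: bool = True) -> List[str]:
    """Return one alert per frame that is malformed or, if read_only, not a read."""
    alerts = []
    for i, frame in enumerate(frames):
        try:
            req = parse_modbus_tcp(frame)
        except ValueError as exc:
            alerts.append(f"frame {i}: malformed ({exc})")
            continue
        if read_only and req.verdict != "read":
            alerts.append(f"frame {i}: {req.verdict} {req.name} unit={req.unit_id} "
                          f"addr={req.start_address} qty={req.quantity}")
    return alerts


# Constructed sample traffic: one read, a coil write and a register write.
SAMPLE_FRAMES = [
    bytes.fromhex("0001 0000 0006 01 03 0000 000a"),                 # Read Holding Registers 0..9
    bytes.fromhex("0002 0000 0006 01 05 0013 ff00"),                 # Write Single Coil 19 := ON
    bytes.fromhex("0003 0000 000b 01 10 0001 0002 04 000a 0102"),    # Write 2 registers from 1
]

if __name__ == "__main__":
    for line in audit_frames(SAMPLE_FRAMES):
        print(line)
```

The verdict is taken from the function code alone; an unknown or vendor-specific code is reported rather than silently passed, which is the right default on an interface that is supposed to be read-only.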
6.5 Power Supply Units
6.5.1 All components of logic solver shall be provided with redundant power supplies capable of being powered from two independent sources.
6.5.2 The vendor shall provide redundant power supply modules for supplying power to the chassis of CPUs, I/O modules and other components associated to the logic solver.
6.5.3 Each power supply in a redundant configuration shall share load in healthy condition and shall be capable of supplying full load.
6.5.4 An alarm indication shall be provided to alert operating personnel on failure of power supply modules.
6.5.5 The number of different power supplies and voltage levels in a single logic solver shall be minimized.
6.6 Workstations
6.6.1 Independent workstations shall be provided for various applications such as engineering, bypass, SOE, etc. However, combination of these applications shall require SABIC approval.
6.6.2 Workstations shall be provided with,
a. COTS PC hardware platform of latest available and proven configuration
b. 21 inch high resolution LCD or LED monitor,
c. Keyboard, Mouse, etc,
d. Integral hard disk
e. CD-RW/DVD-RW drive
6.6.3 Each monitor shall have a minimum resolution of 1280×1024 and true color (32 bit).
6.6.4 All workstations shall be provided with sufficient on board memory. Memory shall be sized to ensure the specified function with provision of future expansion.
6.6.5 Failure of any workstation shall not affect other parts of the system. It shall be possible to replace a defective workstation without affecting the integrity of the system.
6.6.6 All workstations shall be protected against access by unauthorized personnel.
6.7 Printers
The required numbers and types of printers shall be as per project specifications.
6.8 Cabinets and Panels Specification
Refer to SES-X01-E01 for details and descriptions of logic solver cabinets and power distribution panels.
6.9 Wiring and Cabling
Refer to SES-X05-E01 for details.
6.10 Equipment Noise and Electromagnetic Compatibility (EMC)
6.10.1 The noise level for all equipment shall be limited to 60 dBA.
6.10.2 The system shall comply with the following test levels as a minimum.
Table I – Interference Immunity Tests
7. Software Specifications
7.1 General
7.1.1 System software shall integrate seamlessly with the system hardware, be easy to configure and reconfigure by non-specialist personnel, and shall be considered part of the system for availability calculations.
7.1.2 It shall consist of application program software, utility software and embedded software. It shall be configured as per safety need of the plant and associated process.
7.1.3 All tags shall be available to use for any logic function, without knowledge of their physical address location.
7.1.4 The software shall be menu driven and user friendly with help function.
7.1.5 The authorized user shall have the ability to:
a. Execute functions related to safety interlocks, such as reset, bypass, override, taking in line, etc., from the appropriate displays, stations or locations as per project requirements.
b. Perform database and application program modifications. The running application program and the other functions of the system shall not be affected or degraded by this procedure.
c. Download the modified application program by following the vendor specific procedures.
7.1.6 It shall be possible to make online changes to the application program, such as adding or deleting function blocks, changing set-points and changing the event recording configuration, and to download them.
7.1.7 System shall have a revision control scheme to track changes in the application software.
7.1.8 The system software shall be capable of displaying the configured interlocks and real time numerical and status data, etc. in a graphical fashion.
7.2 Program Development Elements
7.2.1 The system shall be capable of supporting the latest IEC 61131-3 programming languages to develop the application program.
7.2.2 Application program shall be dedicated to process safety. It shall not be used to perform any process control function without SABIC approval.
7.2.3 Application program shall be implemented in one or combination of any of the following programming languages:
a. Function Block Diagram
b. Sequential Function Chart
c. Ladder Diagram
7.2.4 Programming shall provide the user with the capability to combine predefined, application-specific library functions with their own functions.
7.2.5 Depending on the programming language, the following instructions or elements shall be provided as a minimum by the vendor:
a. Logic Functions: AND, OR, XOR, Flip-Flop, etc.
b. Comparison Elements: Less Than, Greater Than, Equals, Less Than or Equal, Greater Than or Equal, Not Equal, Relational Contacts.
c. Math Instructions:
i. Add, Assign, Divide, Multiply, Square root, Subtract.
ii. Logic programming to provide integer math instructions for above functions.
iii. Real or floating point arithmetic and functions to convert analog input to real (floating point) numbers.
d. Timer and Counter Elements: Count up, Count down, Time Up, Time Down, (with accumulator, preset and time-base sub-elements).
e. Relay Contact Elements: N.O., N.C., Transition, Pulses
f. Relay Coil Elements: Standard, Latch, Unlatch
g. Specific function blocks to handle a wide variety of devices requiring multiple input/output channels and states, e.g. 1oo2, 2oo3, Reset, etc.
7.2.6 All configurations and modifications shall follow validation procedures. Means shall be provided to prevent invalid configuration changes and any invalid configuration data shall be flagged and displayed.
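As an added illustration of the 1oo2 / 2oo3 blocks asked for in 7.2.5(g), the following Python model (not IEC 61131-3 and not any vendor's library block) shows what such a block has to handle beyond a bare majority vote: channels rejected by diagnostics, degradation of the vote, a trip when no healthy channel remains, and a discrepancy alarm when healthy channels disagree for longer than a configured time. The degradation policy (2oo3 to 1oo2 to 1oo1, 2oo4 to 2oo3 to 1oo2) is an assumption chosen for safety priority; vendors implement different policies, and the one actually applied must come from the logic solver's safety manual. Inputs are constructed.

```python
"""MooN voting block with diagnostic degradation and discrepancy alarm.

Added example in Python, not IEC 61131-3 and not any vendor's library block.
Degradation policy (an assumption): a channel that diagnostics flag as bad is
dropped from the vote and M is lowered so that the degraded vote still
tolerates one further undetected channel failure where possible
(2oo3 -> 1oo2 -> 1oo1, 2oo4 -> 2oo3 -> 1oo2); the block trips when no
healthy channel is left.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Channel:
    value: float    # process value from this sensor channel
    healthy: bool   # False when diagnostics (module fault, out of range, bad quality) reject it


@dataclass(frozen=True)
class VoteResult:
    trip: bool
    effective_vote: str   # vote actually applied this scan, e.g. "2oo3" or "1oo2"
    demands: int          # healthy channels currently beyond the trip setpoint
    bad_channels: int
    discrepancy: bool     # healthy channels disagreed longer than discrepancy_time_s


class VoterMooN:
    def __init__(self, m: int, n: int, trip_setpoint: float, high_trip: bool = True,
                 discrepancy_time_s: float = 5.0, scan_period_s: float = 0.1):
        if not 1 <= m <= n:
            raise ValueError("need 1 <= M <= N")
        self.m, self.n = m, n
        self.trip_setpoint = trip_setpoint
        self.high_trip = high_trip
        self.discrepancy_time_s = discrepancy_time_s
        self.scan_period_s = scan_period_s
        self._discrepancy_timer = 0.0

    def _demand(self, value: float) -> bool:
        return value >= self.trip_setpoint if self.high_trip else value <= self.trip_setpoint

    def evaluate(self, channels: List[Channel]) -> VoteResult:
        """One scan of the block; call once per scan period with the current channel states."""
        if len(channels) != self.n:
            raise ValueError(f"expected {self.n} channels, got {len(channels)}")
        good = [c for c in channels if c.healthy]
        bad = self.n - len(good)
        demands = sum(1 for c in good if self._demand(c.value))

        # Discrepancy: some healthy channels demand a trip and others do not.
        # Short disagreement is normal during a transient; sustained disagreement
        # points to a hidden sensor fault and is alarmed (it does not change the vote).
        if 0 < demands < len(good):
            self._discrepancy_timer += self.scan_period_s
        else:
            self._discrepancy_timer = 0.0
        discrepancy = self._discrepancy_timer >= self.discrepancy_time_s

        if not good:                      # nothing trustworthy left: fail safe
            return VoteResult(True, "trip-on-fault", 0, bad, discrepancy)
        n_eff = len(good)
        m_eff = self.m if bad == 0 else max(1, min(self.m, n_eff - 1))
        return VoteResult(demands >= m_eff, f"{m_eff}oo{n_eff}", demands, bad, discrepancy)


if __name__ == "__main__":
    voter = VoterMooN(2, 3, trip_setpoint=10.0, discrepancy_time_s=0.25)
    healthy = [Channel(5.0, True), Channel(5.0, True), Channel(5.0, True)]
    print(voter.evaluate(healthy))
    print(voter.evaluate([Channel(0.0, False), Channel(12.0, True), Channel(5.0, True)]))
```

The discrepancy timer is deliberately separate from the trip decision: the vote stays defined by the healthy channels, and the alarm only tells maintenance that the channels no longer agree, which is exactly the fault a proof test would otherwise have to find.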
7.3 Diagnostics
7.3.1 The logic solver shall be fully equipped with automatic self-testing and self-diagnostic software as standard and shall not require any additional software.
7.3.2 The system and its modules shall be continuously checked for errors, and faults shall be identified within the time specified by the process requirements.
7.3.3 System diagnostics and self-tests shall be a proven integral part of the standard system and shall be completely transparent to the user when the application is implemented.
7.3.4 The self-diagnostics and self-tests shall run periodically and shall provide sufficient diagnostic coverage within the logic solver that, during the required operational lifetime of the system, periodic testing of the logic hardware and firmware is not required.
7.3.5 Problems such as delay, looping, hanging, stuck-on or stuck-off conditions in logic execution shall be identified, acted upon according to the predefined safe failure action, and reported.
7.3.6 The continuous online self-diagnostic software shall monitor the state of all the components and communication cables.
7.3.7 Self-testing shall include the following as a minimum:
a. Error detection in serial and parallel communications.
b. An internal watchdog timer to detect halted or looping state of processors execution and application programs. It shall include execution time tracking and synchronization checks of parallel signal channels.
c. A set of instructions executed at each functional cycle to exercise active system components, including the processor.
d. Periodic memory check.
e. Check of each signal line of a parallel bus, before a read or write operation to an input or output component.
f. Detection of the removal of, or any defect in, any logic unit, communication module, processor, I/O module, or power supply.
g. Check of the logic solving ability, including a test that exercises active system components including the processors. This test shall be run prior to each logic cycle.
h. A set of power-up initialization and communications checks.
i. Power supply faults, including battery back-up monitoring and output voltage verification.
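To make the watchdog of 7.3.7(b) and the periodic memory check of 7.3.7(d) concrete, here is an added simulation in Python of a scan-cycle supervisor; it is not any vendor's firmware and is not part of this standard. The application logic runs inside a scan budget enforced by a watchdog, the downloaded program image is compared against its CRC on every scan, and any fault (a scan overrun, an exception in the logic, a corrupted image, or an output set that does not match the configuration) drives all outputs to the de-energized state and latches the solver in fault, which is the predefined safe failure action of 7.3.5 for de-energize-to-trip outputs. The program image and sample logic are constructed.

```python
"""Scan-cycle supervisor with watchdog timer and program-memory check.

Added simulation in Python, not any vendor's firmware. It models 7.3.7(b) and
(d): the application logic runs inside a scan budget enforced by a watchdog,
the application image is compared against its CRC on every scan, and any
fault (overrun, exception, corrupted image, malformed output set) drives all
outputs to the de-energized state and latches the solver in fault. The
sample logic and program image are constructed.
"""
import threading
import time
import zlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Inputs = Dict[str, bool]
Outputs = Dict[str, bool]


@dataclass(frozen=True)
class ScanStatus:
    outputs: Outputs
    fault: Optional[str]   # None when the scan completed normally
    scan_time_s: float


class LogicSolverSim:
    def __init__(self, logic: Callable[[Inputs], Outputs], output_names: List[str],
                 program_image: bytes, watchdog_s: float = 0.05):
        self.logic = logic
        self.output_names = list(output_names)
        self.program_image = bytearray(program_image)   # memory the periodic check protects
        self.program_crc = zlib.crc32(program_image)    # reference taken at download time
        self.watchdog_s = watchdog_s
        self.fault_history: List[str] = []
        self.halted = False

    def _fail_safe(self) -> Outputs:
        """De-energize every output: the safe state for de-energize-to-trip wiring."""
        return {name: False for name in self.output_names}

    def _fault(self, reason: str, elapsed: float) -> ScanStatus:
        self.halted = True                  # latch: a faulted solver stays tripped until reset
        self.fault_history.append(reason)
        return ScanStatus(self._fail_safe(), reason, elapsed)

    def scan(self, inputs: Inputs) -> ScanStatus:
        """Execute one scan: memory check, bounded logic execution, output validation."""
        if self.halted:
            return ScanStatus(self._fail_safe(), "halted after earlier fault", 0.0)
        started = time.monotonic()
        if zlib.crc32(bytes(self.program_image)) != self.program_crc:
            return self._fault("memory check: application image CRC mismatch", 0.0)

        result: Dict[str, object] = {}

        def run() -> None:
            try:
                result["outputs"] = self.logic(inputs)
            except Exception as exc:        # logic faults must not escape the supervisor
                result["error"] = repr(exc)

        worker = threading.Thread(target=run, daemon=True)
        worker.start()
        worker.join(self.watchdog_s)        # the watchdog: wait at most the scan budget
        elapsed = time.monotonic() - started
        if worker.is_alive():
            return self._fault(f"watchdog: scan exceeded {self.watchdog_s:.3f} s", elapsed)
        if "error" in result:
            return self._fault(f"logic exception: {result['error']}", elapsed)
        outputs = result["outputs"]
        if not isinstance(outputs, dict) or set(outputs) != set(self.output_names):
            return self._fault("output set does not match configured outputs", elapsed)
        return ScanStatus({k: bool(outputs[k]) for k in self.output_names}, None, elapsed)


# Constructed application: one high-high pressure trip on an energize-to-run valve.
PROGRAM_IMAGE = b"SIF-101: XV-101 := NOT PSHH-101"


def healthy_logic(inputs: Inputs) -> Outputs:
    return {"XV-101": not inputs["PSHH-101"]}


def hung_logic(inputs: Inputs) -> Outputs:
    time.sleep(0.5)                  # stands in for an endless loop in the application
    return healthy_logic(inputs)


if __name__ == "__main__":
    solver = LogicSolverSim(healthy_logic, ["XV-101"], PROGRAM_IMAGE)
    print(solver.scan({"PSHH-101": False}))
    solver.program_image[0] ^= 0xFF    # simulate a corrupted memory cell
    print(solver.scan({"PSHH-101": False}))
```

A real logic solver does this in hardware (an independent timer that cuts the output power if not kicked each scan) and checks memory with ECC or a background CRC walk; the simulation keeps only the decision structure, in particular that the fault latches and the outputs go to the de-energized state rather than to the last good value.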
7.4 Database Management
7.4.1 Database development shall be user friendly and employ fill in the blank type screens.
7.4.2 The system should provide a step by step guide for completing the information required to generate the database.
7.4.3 The system shall be able to test for syntax errors and run test programs for actual operation.
7.4.4 It shall be possible to upload or download the database from and to the engineering station and to export it to MS Access or Excel.
7.4.5 Wherever applicable, a tagname shall have an associated engineering unit, standardized across the project.
7.4.6 The system shall support unique tagname with a combination of alpha numerical characters and descriptor.
7.5 Utility Software
7.5.1 The system software shall be provided with utility software, which shall have following features as minimum:
a. Ability to search the database and application program and provide information
b. Provide a cross-reference listing containing tagname, tag descriptor, point type, and hardware address
c. Print, save to any media, and restore
7.6 Document Production
7.6.1 The system shall support self-documentation, including printed organizational summaries, in a convenient manner.
7.6.2 The project design shall include documentation in a form that can be easily updated by the plant.
7.6.3 Tabular data in a common form, such as spreadsheet or database formats, is requested.
7.6.4 It shall be possible to save logic/interlock sheets for all configured safety loops, with all detailed information, to fixed or auxiliary storage devices together with version number, date, time, etc.
7.6.5 The system shall be capable of printing all this information on the printer attached to the engineering station.
7.6.6 As a minimum, the following documents shall be generated:
a. A program listing.
b. A system configuration.
c. Applications program related logic diagrams.
d. A cross-referenced list of equipment tag numbers and program use locations.
e. I/O list consisting of all data table files, words and bit assignments used throughout the programs, with the alias address and the symbolic or tag name.
f. Fault History
g. On-Line Data Changes
h. Input/Output Forcing
8. System Performance
8.1 System Availability
8.1.1 The TUV certified logic solver, in a redundant, fault tolerant 1oo2, 2oo3 or 2oo4 configuration, shall have a minimum availability of 99.99 percent with a maximum MTTR of 8 hours.
8.1.2 A single point component failure shall not result in degradation of the functionality or performance of the logic solver.
8.2 System Reliability
8.2.1 Vendor shall provide a listing of all failure modes of the logic solver and the impact of such failure on the system performance.
8.2.2 The MTBF numbers for the overall system and critical modules shall be provided.
9. Documentation
9.1 General
9.1.1 Refer to SES-X01-E01 for descriptions and details.
9.1.2 Additionally, documentation shall include the following:
a. Architecture of the system configuration complete with all workstations, and other components of the SIS, operator interface facilities, and interfaces to external devices, etc.
b. Connection and interconnection diagrams for troubleshooting and maintenance
c. Logic diagrams including initiators, final elements and the relationship between them, and test and maintenance facilities
d. Listing of the application program, including comment statements
e. List of input and output connections with equipment tag name and physical address
f. All the data utilized in PFDavg calculations, including hardware fault tolerance (HFT), spurious trip rate (STR), proof-test interval, etc.
g. Safety manual of the logic solver
10. FAT and SAT
10.1 General
10.1.1 Refer to SES-X01-E01 for descriptions and details.
10.1.2 In addition, IEC-61511 recommendations shall be followed.