Forum Topic

Failure mode of ESD buttons over communications link

Functional safety forum

Donald Foster

Friday, 18 July 2008 00:03:32

Failure mode of ESD buttons over communications link

The situation... A large facility has control room ESD buttons that are hard wired to a TMR safety system in the control room and then transmitted peer to peer over a TÜV-approved safety network to TMR systems in the field to execute unit shutdown logic. The failure mode of the communications link is deterministic, and the field TMR systems could be configured to trip or to not trip on communication failure. If the buttons were hardwired directly to the field devices I would expect the switches to be wired failsafe, i.e. broken wire = trip. Similarly, first thoughts would imply that the trip outputs should be configured to go to the tripped state on detected communications failure. The problem is that communication failure would cause multiple units to trip, which in itself could create a hazardous situation. Communication failure is monitored and alarmed. The DCS provides an alternative means of tripping the plant by sending the trip request to the SIS over a serial link to each remote TMR. Is it reasonable under these conditions to not trip on SIS communications failure?


Michel Houtermans

Tuesday, 26 August 2008 09:21:14

Re: Failure mode of ESD buttons over communications link

I cannot give you a yes or no answer on this but you can certainly work out a safety case that argues in that direction. But what you should really do is a proper risk analysis taking into account not only safety but also cost of a trip.

If a communication failure leads to trips which are too costly (and dangerous in themselves) then you should figure out what the spurious trip level of this communication failure is. This in the end will help you decide how to configure your outputs or whether you should improve the reliability of your communication.


Muhammad Waqas

Sunday, 09 November 2008 19:31:39

SIL Calculation

If we are not following the recommendations of the SIL Study (for example, in the SIL Study it was identified that in order to maintain the SIL level of several SIFs we need to perform the functional proof testing of these SIFs thrice a year, but in actual practice we are carrying out functional proof testing once a year, or a few SIFs are being tested once in two years), then what impact will this have on the original SIL rating of these SIFs calculated at the design phase of the plant? Can I say that these SIFs are no longer SIL-rated, as we are not following the recommendations of the SIL Study and hence compromising the integrity of these SIFs?

Also, let me know: once the plant is commissioned and in service for a number of years, would it be important and necessary to re-calculate the SIL rating of all Safety Instrumented Functions (SIFs) based on the reliability and failure rate data of the particular plant whose SIL rating is being re-calculated? Please let me know.


Jonas Krueger

Wednesday, 12 November 2008 15:41:29

Re: Failure mode of ESD buttons over communications link

Hi, The answer to the first question is yes according to the standard. The proof test interval is a safety attribute. If you do not follow it you officially are not compliant.

Second question. Not many companies do this. I would only do it if the assumptions I made during the design do not reflect what I have today. In other words, if I assume that my valve fails once per 5 years and suddenly it turns out that it fails once per year, well, that is a significant change in my assumption. I might have to check the PFD calculation to see if it has a safety impact.

Hope this helps.