Forum Topic

Friday 18 July 2008 12:03:32 am

The situation... A large facility has control room ESD buttons that are hard wired to a TMR safety system in the control room and then transmitted peer to peer to over a TUV approved safety network to TMR systems in the field to execute unit shutdown logic. The failure mode of the communications link is deterministic and the field TMR systems could be configured to trip or to not trip on communication failure. If the buttons were hardwired directly to the field devices I would expect the switches to be wired failsafe i.e. broken wire = trip. Similarly, first thoughts would imply that the trip outputs should be configured to go to the tripped state on detected communications failure. The problem is that communication failure would cause multiple units to trip, which in itself could create a hazardous situation. Communication failure is monitored and alarmed. The DCS provides an alternative means of tripping the plant by sending the trip request to the SIS over a serial link to each remote TMR. Is it reasonable under these conditions to not trip on SIS communications failure?

Tuesday 26 August 2008 9:21:14 am

I cannot give you a yes or no answer on this but you can certainly work out a safety case that argues in that direction. But what you should really do is a proper risk analysis taking into account not only safety but also cost of a trip.

If a communication failure leads to trips which are too costly (and dangerous in themselves) then you should figure out what the spurious trip level of this communication failure is. This in the end will help you decide how to configure your outputs or whether you should improve the reliability of your communcation.