DeltaV SIS™ Process Safety System Users Guide

(1)

D800033X012 D800033X012 May 2011 May 2011

DeltaV

DeltaV SIS

SIS

™

Process Safety System

Users Guide

(2)

Printed in the Republic of Singapore. Printed in the Republic of Singapore. © Emerson Process Management 1996 -

© Emerson Process Management 1996 - 2011. All rights reserved. For Emerson Process 2011. All rights reserved. For Emerson Process Management trademarks and serviceManagement trademarks and service marks, go to http://www.emersonprocess.com/home/news/resources/marks.pdf. All other marks are property of

marks, go to http://www.emersonprocess.com/home/news/resources/marks.pdf. All other marks are property of their respectivetheir respective owners. The contents of this publication are

owners. The contents of this publication are presented for informational purposes only, and while every effort has bpresented for informational purposes only, and while every effort has b een made toeen made to ensure their accuracy, they are not to be construed as warranties or guarantees, expressed

ensure their accuracy, they are not to be construed as warranties or guarantees, expressed or implied, regarding the products oor implied, regarding the products o rr services described herein or their use or

services described herein or their use or applicabilityapplicability. All sales are governed by ou. All sales are governed by ou r terms and conditions, which are available onr terms and conditions, which are available on request. We reserve the right to modify or improve the design or

request. We reserve the right to modify or improve the design or specification of such products at any specification of such products at any time without notice.time without notice.

Emerson Process Management Emerson Process Management Distribution Ltd. Process Systems and Distribution Ltd. Process Systems and Solutions

Solutions Meridian East Meridian East

Meridian Business Park Meridian Business Park Leicester, LE19 1uX, UK Leicester, LE19 1uX, UK

Emerson a.s. Emerson a.s.

European System and Assembly European System and Assembly Pieštanská 1202/44

Pieštanská 1202/44

Nové Mesto nad Váhom 91528 Nové Mesto nad Váhom 91528

Slovakia Slovakia

Fisher-Rosemount Systems, Inc. – an Fisher-Rosemount Systems, Inc. – an Emerson Process Management company Emerson Process Management company 12301 Research Blvd.

12301 Research Blvd.

Research Park Plaza – Bldg. III Research Park Plaza – Bldg. III Austin, TX 78759

(3)

3.2 Bypasses and Other Overrides . . . .. . . 3030 3.2.1 Override Types 3.2.1 Override Types . . . .. 3030 3.2.2 Configuration of Bypasses 3.2.2 Configuration of Bypasses . . . .. . . 3131 3.2.3 Operation of Bypasses 3.2.3 Operation of Bypasses . . . .. . . 3232 3.3 Making Online Scaling Changes in HART Transmitters . . .

3.3 Making Online Scaling Changes in HART Transmitters . . . .. . . 3434

4

4 Maintenance Maintenance PracticesPractices . . . .37. . . .37

4.1 Fault Detection, System Response, and Repair Procedures . . . . 4.1 Fault Detection, System Response, and Repair Procedures . . . 3737

4.1.1 How DeltaV SIS Annunciates Faults

4.1.1 How DeltaV SIS Annunciates Faults . . . .. . . 3838 4.1.2 Evaluating and Responding to Annunciated Faults

4.1.2 Evaluating and Responding to Annunciated Faults . . . .. . . 4141 4.1.3 Evaluating Fatal Errors

4.1.3 Evaluating Fatal Errors . . . .. . . . 4242 4.1.4 Maximum Fault Detection Time

4.1.4 Maximum Fault Detection Time . . . .. . . 4545 4.1.5 Fault Detection in SISNet Repeaters

4.1.5 Fault Detection in SISNet Repeaters . . . .. . . 4646 4.2 Proof Testing the SLS 1508

4.2 Proof Testing the SLS 1508 . . . .. . . . 4646 4.2.1 Automatic Tests 4.2.1 Automatic Tests . . . .. . . . 4747 4.2.2 Manual Tests 4.2.2 Manual Tests . . . .. . . 4848 4.2.2.1 Simplex SLS 1508 4.2.2.1 Simplex SLS 1508 . . . .. . . 4848 4.2.2.2 Redundant SLS 1508 4.2.2.2 Redundant SLS 1508 . . . .. . . 4848 4.3 Upgrading Firmware 4.3 Upgrading Firmware . . . .. . . 4949

(5)

1

1 D

De

elltta

aV

V S

SIIS

S P

Prro

oc

ce

es

ss

s S

Sa

affe

etty

y S

Sy

ys

stte

em

m U

Us

se

errs

s

Guide

This document contains information and data to sup

This document contains information and data to supplement theplement the DeltaV SIS ProcessDeltaV SIS Process Safety System Safety Manual

Safety System Safety Manual . The sections in this document are referenced in the. The sections in this document are referenced in the DeltaVDeltaV SIS Process Safety System Safety Manual

SIS Process Safety System Safety Manual and provide additional guidelines andand provide additional guidelines and considerations for using DeltaV SIS.

(6)

(7)

2

2 E

En

ng

giin

ne

ee

erriin

ng

g P

Prra

ac

cttiic

ce

es

s

Except where noted, the information in this

Except where noted, the information in this section applies to de-energized to tripsection applies to de-energized to trip applications. In a de-energized to trip application, the safe state for all output channels applications. In a de-energized to trip application, the safe state for all output channels of a given safety instrumented function (SIF)

of a given safety instrumented function (SIF) is off/lowis off/low. This cor. This corresponds to the saferesponds to the safe state of output channels if the SLS 1508 needs

state of output channels if the SLS 1508 needs to remove power in response to ato remove power in response to a dangerous failure being detected by its

dangerous failure being detected by its diagnostics.diagnostics. Energized to tip applications are discussed

Energized to tip applications are discussed in the final section of this chapter. Whenin the final section of this chapter. When the safe state for an SLS 1

the safe state for an SLS 1508 output channel is on/high, the application is energized508 output channel is on/high, the application is energized to trip from the perspective of t

to trip from the perspective of the output channel.he output channel.

2 2..1

1 R

Re

eq

qu

uiirriin

ng

g a

a R

Re

es

se

et

t B

Be

effo

orre

e O

Ou

uttp

pu

utts

s C

Ca

an

n B

Be

ec

co

om

me

e

Energized

The configurer of SIS module

The configurer of SIS module logic determines which conditions allow deenergizedlogic determines which conditions allow deenergized output channels of the SLS 1508 to become energized. It

output channels of the SLS 1508 to become energized. It is generally desirable tois generally desirable to require an operator reset before the equipment

require an operator reset before the equipment under control is allowed to go from aunder control is allowed to go from a shutdown or tripped state to the normal operating state. But in some cases the output shutdown or tripped state to the normal operating state. But in some cases the output channels should be allowed to change from deenergized to energized based

channels should be allowed to change from deenergized to energized based on inputon input channel values without operator intervention, for example, as soon as an

channel values without operator intervention, for example, as soon as an interlockinterlock condition clears. DeltaV SIS function blocks provide an easy way to configure SIS condition clears. DeltaV SIS function blocks provide an easy way to configure SIS module logic to either require or not require an operator reset before a

module logic to either require or not require an operator reset before applicablepplicable output channels can become energized.

output channels can become energized.

There are certain situations where a powered

There are certain situations where a powered SLS 1508 keeps output cSLS 1508 keeps output channelshannels deenergized independent of SIS module logic. When

deenergized independent of SIS module logic. When the SLS 1508 is going the SLS 1508 is going throughthrough power-up testing following a reset or restart, has detected a persistent fatal

power-up testing following a reset or restart, has detected a persistent fatal error, or iserror, or is in an unconfigured state, output channels remain deenergized. Otherwise, SIS module in an unconfigured state, output channels remain deenergized. Otherwise, SIS module logic determines the output channel state.

logic determines the output channel state. The recommended technique for

The recommended technique for requiring an operator reset is trequiring an operator reset is to use the Causeo use the Cause Effect Matrix (LSCEM) function block. It has a REQUIRE_RESETn parameter for Effect Matrix (LSCEM) function block. It has a REQUIRE_RESETn parameter for each extensible EFFECTn output of the block. Each Effect output is wired to one or each extensible EFFECTn output of the block. Each Effect output is wired to one or more output function blocks, which are bound to

(8)

2 2..2

2 C

Co

on

nffiig

gu

urriin

ng

g tth

he

e S

SL

LS

S 1

15

50

08 8 R

Re

es

sp

po

on

ns

se

e tto

o D

De

ette

ec

ctte

ed

d

Faults

2.2.1 Faults Detected on Input Channels

Faults detected by the SLS 1508 on input channels can originate in field

Faults detected by the SLS 1508 on input channels can originate in field devices, fielddevices, field wiring, or in the SLS

wiring, or in the SLS 1508 input circuitry1508 input circuitry. The SLS 1508 responds to . The SLS 1508 responds to faults detectedfaults detected on input channels by integrating Bad status

on input channels by integrating Bad status with the channel value and annunciatingwith the channel value and annunciating the fault. Refer to

the fault. Refer to “Operations Practices” on page 23“Operations Practices” on page 23 for more information on how for more information on how faults are annunciated. The SLS 1508

faults are annunciated. The SLS 1508 does not automatically deenergize outputdoes not automatically deenergize output channels when faults are detected on input channels. SIS module logic must be channels when faults are detected on input channels. SIS module logic must be configured to take action based

configured to take action based on the requirements of the on the requirements of the application. For example,application. For example, you may want to prevent a trip from occurring in the presence of a fault on an

you may want to prevent a trip from occurring in the presence of a fault on an inputinput channel, or cause a trip immediately when a fault is detected, or initially prevent a trip channel, or cause a trip immediately when a fault is detected, or initially prevent a trip yet cause a trip some time la

yet cause a trip some time later if the fault persists. SIS function blocks containter if the fault persists. SIS function blocks contain parameters to facilitate the configuration of these

parameters to facilitate the configuration of these options.options. 2.2.1.1 Getting Bad Status into the SIS Module 2.2.1.1 Getting Bad Status into the SIS Module Y

You have some contou have some control over rol over how Bad status on how Bad status on input channels can get into Sinput channels can get into SISIS modules. Certain input channel parameters and function block parameters impact the modules. Certain input channel parameters and function block parameters impact the detection of faults on input channels and

detection of faults on input channels and whether Bad status becomes whether Bad status becomes available to SISavailable to SIS module logic.

module logic.

2.2.1.1.1 Analog Input Channels 2.2.1.1.1 Analog Input Channels

An analog input chan

An analog input channel always has Bad status when nel always has Bad status when the measured current is outsidethe measured current is outside the sensor failure limits, 0.78 mA (-20.12%) and 22.66 mA (116.6%). The limits can be the sensor failure limits, 0.78 mA (-20.12%) and 22.66 mA (116.6%). The limits can be exceeded due to faults in the

exceeded due to faults in the transmitter, field wiring, or the SLS 1508. You can causetransmitter, field wiring, or the SLS 1508. You can cause the channel to have Bad status when the cur

the channel to have Bad status when the current reaches a value inside the sensorrent reaches a value inside the sensor failure limits.

failure limits.

Changing the NAMUR_ENA channel parameter to True enables NAMUR limit Changing the NAMUR_ENA channel parameter to True enables NAMUR limit detection, which results in Bad status being applied when the current is greater than detection, which results in Bad status being applied when the current is greater than 21.0 mA (106.25%) or less than 3.

21.0 mA (106.25%) or less than 3.6 mA (-2.5%) for four consecutive seconds.6 mA (-2.5%) for four consecutive seconds. When the channel v

When the channel value exceeds the chalue exceeds the channel’annel’s configured Os configured OVERRANGE_PCT orVERRANGE_PCT or UNDERRANGE_PCT value, high-limited or low-limited status is applied to the UNDERRANGE_PCT value, high-limited or low-limited status is applied to the channel. The STATUS_OPTS parameter in the Analog Input (LSAI) function block channel. The STATUS_OPTS parameter in the Analog Input (LSAI) function block has a “Bad

has a “Bad if Limited” option. When the if Limited” option. When the AI block’AI block’s referenced input channel has s referenced input channel has highhigh or low limited status, the block applies Bad status to its PV and OUT parameters if or low limited status, the block applies Bad status to its PV and OUT parameters if thethe option is selected.

(9)

The HART Analog Input c

The HART Analog Input channel’hannel’s HART_ERRORS parameter s HART_ERRORS parameter allows you tallows you to selecto select which HART diagnostic conditions

which HART diagnostic conditions detected in the HART detected in the HART transmitter or by transmitter or by the SLSthe SLS 1508 cause Bad s

1508 cause Bad status to be integrated with the tatus to be integrated with the analog value on the channel (theanalog value on the channel (the FIELD_V

FIELD_VAL_PCT channel parameter). TAL_PCT channel parameter). The default value of he default value of HART_ERRORSHART_ERRORS ignores all HART diagnostic errors, meaning the presence of an

ignores all HART diagnostic errors, meaning the presence of an error condition doeserror condition does not cause Bad status on the

not cause Bad status on the channel. If you deselect “Ignore Field Devicechannel. If you deselect “Ignore Field Device

Malfunction,” for example, the channel has Bad status if the transmitter reports a Malfunction,” for example, the channel has Bad status if the transmitter reports a device malfunction, allowing this HART diagnostic to be inte

device malfunction, allowing this HART diagnostic to be integrated with your SISgrated with your SIS module logic. “What’s This” help on HART_ERRORS explains

module logic. “What’s This” help on HART_ERRORS explains the variousthe various diagnostic conditions available.

diagnostic conditions available.

2.2.1.1.2 Discrete Input

2.2.1.1.2 Discrete Input ChannelsChannels

Faults detected in discrete input circuitry

Faults detected in discrete input circuitry by the SLS 1508 result in Bad status on theby the SLS 1508 result in Bad status on the channel. The SLS 1508 detects

channel. The SLS 1508 detects open and short circuits in field open and short circuits in field wiring if line faultwiring if line fault detection has bee

detection has been enabled on the n enabled on the channel using the LINEFAchannel using the LINEFAULT_DETECTULT_DETECT parameter. When line fault detection is enabled, use a

parameter. When line fault detection is enabled, use a NAMUR sensor or install endNAMUR sensor or install end of line resistors in series and

of line resistors in series and parallel according toparallel according to Installing YInstalling Your DeltaV our DeltaV SIS ProcessSIS Process Safety System Hardware

Safety System Hardware . An open or short detecte. An open or short detected through line fault detection resultsd through line fault detection results in Bad status on the channel.

in Bad status on the channel. Line fault detection is necessar

Line fault detection is necessary when the field switch is nory when the field switch is normally open, that is, whenmally open, that is, when the channel is On to indicate a demand.

the channel is On to indicate a demand.

Line fault detection is recommended when the field switch is normally clos

Line fault detection is recommended when the field switch is normally closed, that is,ed, that is, when the channel is Of

when the channel is Off to indicate a demand. f to indicate a demand. If an open circuit occurIf an open circuit occurs in the fields in the field wiring, it is a safe failur

wiring, it is a safe failure whether or not e whether or not line fault detection has been enabled. But line fault detection has been enabled. But aa short in the field can be a dangerous failure and be undetected, unless line fault short in the field can be a dangerous failure and be undetected, unless line fault detection is enabled, in which case

detection is enabled, in which case the channel has Bad status.the channel has Bad status. 2.2.1.2 Using Bad Status in the SIS Module

2.2.1.2 Using Bad Status in the SIS Module Tw

Two function blocks are o function blocks are available in SIS available in SIS modules to manipulate output modules to manipulate output channels: thechannels: the Discrete Output (LSDO) block and

Discrete Output (LSDO) block and the Digital Valve Controller (LSDVthe Digital Valve Controller (LSDVC) block.C) block. Each has a CAS_IN_D input parameter whose value is the commanded state for the Each has a CAS_IN_D input parameter whose value is the commanded state for the output channel, which is wired from upstream logic in the SIS module. When

output channel, which is wired from upstream logic in the SIS module. When thethe status of CAS_IN_D changes to Bad, the block starts a timer whose value is stored in status of CAS_IN_D changes to Bad, the block starts a timer whose value is stored in

(10)

SIS function blocks have a predetermined way of propagating

SIS function blocks have a predetermined way of propagating the status of inputthe status of input parameters to output parameters. Faults detected on input channels cause Bad status parameters to output parameters. Faults detected on input channels cause Bad status to reach output function blocks in SIS modules depending on the c

to reach output function blocks in SIS modules depending on the configuration ofonfiguration of other function blocks in the SIS

other function blocks in the SIS module. The configured value of FSTATE_TIME inmodule. The configured value of FSTATE_TIME in output blocks determines how long status can be Bad before the output block initiates output blocks determines how long status can be Bad before the output block initiates a trip. The default value is 300 seconds, which gives enough time for operators to a trip. The default value is 300 seconds, which gives enough time for operators to bypass a Bad input and take cor

bypass a Bad input and take corrective action before a trip is initiated. Use anrective action before a trip is initiated. Use an appropriate value for FSTATE_TIME in each output function block. Some SIFs appropriate value for FSTATE_TIME in each output function block. Some SIFs cancan tolerate a high number corresponding to your allowed repair time, while other SIFs tolerate a high number corresponding to your allowed repair time, while other SIFs may need a low number of just a few seconds.

may need a low number of just a few seconds. Fi

Figugurere 2-2-11 illustrates the use of common SIS function blocks to create s illustrates the use of common SIS function blocks to create shutdown logichutdown logic in an SIS module. The status

in an SIS module. The status on the output parameter of the input function blocks,on the output parameter of the input function blocks, LSAI and LSDI, is the status

LSAI and LSDI, is the status of the referenced input channel. The Analog Voterof the referenced input channel. The Analog Voter (LSA

(LSAVTR) and Discrete VTR) and Discrete VVoter (LSDVTR) blocks propagate Boter (LSDVTR) blocks propagate Bad status on ad status on inputinput parameters selectively

parameters selectively. For example, if a single . For example, if a single input of a 1oo2 input of a 1oo2 or 2oo3 voter block hasor 2oo3 voter block has Bad status, OUT_D continues to have Good status because there are enough g Bad status, OUT_D continues to have Good status because there are enough goodood inputs for a real process

inputs for a real process demand to cause a demand to cause a trip. Howtrip. However, if a single input of a ever, if a single input of a 1oo1 or1oo1 or 2oo2 voter block has Bad status, its OUT_D has Bad status. If a Cause

2oo2 voter block has Bad status, its OUT_D has Bad status. If a Cause input of ainput of a Cause Effect Matrix (LSCEM) block has Bad s

Cause Effect Matrix (LSCEM) block has Bad status, all Effect outputs associated withtatus, all Effect outputs associated with that input have Bad status.

that input have Bad status. A

AVTR, DVTR, and CEM VTR, DVTR, and CEM function blocks havfunction blocks have a configurable STe a configurable STATUS_OPTATUS_OPT parameter, which impacts how the blocks determine the

parameter, which impacts how the blocks determine the valuevalueof their outputof their output parameter(s) based on the status of the

parameter(s) based on the status of their inputs. These blocks determine their inputs. These blocks determine the status status of of their output parameter(s) by a fixed status propagation algorithm unique to the block their output parameter(s) by a fixed status propagation algorithm unique to the block and independent of the STATUS_OPT parameter. This assures that if Bad status and independent of the STATUS_OPT parameter. This assures that if Bad status isis capable of preventing a process demand from causing a trip, Bad status propagates to capable of preventing a process demand from causing a trip, Bad status propagates to the output function block(s). Refer to

the output function block(s). Refer to the function block documentation in thethe function block documentation in the DeltaV SIS book in DeltaV Books

DeltaV SIS book in DeltaV Books Online for more detail on the impact of theOnline for more detail on the impact of the STATUS_OPT parameter in these

(11)

Fig

Figure ure 2-1 2-1 ExaExamplmple Use Use of Se of SIS FIS Funcunctiotion Bln Blockocks fos for a Shr a Shutdutdown own FunFunctictionon

2.2.2 Faults Detected on Output Channels

Faults detected by the SLS 1508

Faults detected by the SLS 1508 on output channels can originate in on output channels can originate in field devices, fieldfield devices, field wiring, or the SLS

wiring, or the SLS 1508 output circuitry1508 output circuitry. As with input channels. As with input channels, the SLS 1508, the SLS 1508 responds to faults on output channels by integrating B

responds to faults on output channels by integrating Bad status with the channel valuead status with the channel value and annunciating the fault.

and annunciating the fault. A fault on an ou

A fault on an output channel does not tput channel does not prevent the output prevent the output from being deenergizedfrom being deenergized should there be a demand to trip on

should there be a demand to trip on that channel. Suppose a Discrete Output channelthat channel. Suppose a Discrete Output channel is stuck On due to a fault in the

is stuck On due to a fault in the output circuitry. When SIS module logic detects aoutput circuitry. When SIS module logic detects a process demand to trip and the DO block drives the channel Off, power remains On process demand to trip and the DO block drives the channel Off, power remains On as a result of

as a result of the fault. However, the SLS 1508 reads back the output as the fault. However, the SLS 1508 reads back the output as still being Onstill being On and initiates a reset, which opens the master power switch and deenergizes all output and initiates a reset, which opens the master power switch and deenergizes all output

(12)

If the SLS 1508 detects an

If the SLS 1508 detects an open or short in field wiring or the output circuitropen or short in field wiring or the output circuitryy, it, it integrates a special

integrates a special status with the channel value called Bad Sestatus with the channel value called Bad SensorFailurensorFailure

LowLimited. Output function blocks detect this status on the referenced output LowLimited. Output function blocks detect this status on the referenced output channel and optionally drive the output channel Off. If the “Enable detection based channel and optionally drive the output channel Off. If the “Enable detection based on output channel status” option

on output channel status” option is set in is set in the block’the block’s FSTATE_OPTS parameter, thes FSTATE_OPTS parameter, the block enters the fault state and drives the channel Off immediately upon detection. block enters the fault state and drives the channel Off immediately upon detection. The FSTATE_TIME v

The FSTATE_TIME value is not used in thalue is not used in this case.is case. An open or short in

An open or short in field wiring implies the final field wiring implies the final element is in the deenergized stateelement is in the deenergized state.. Therefore th

Therefore the default e default value value for for the the “Enable “Enable detection bdetection based on ased on output output channel channel status”status” option drives the channel Off when an open or short is detected. In order to keep the option drives the channel Off when an open or short is detected. In order to keep the channel Off after it is driven Off, an operator reset is needed somewhere. The rese channel Off after it is driven Off, an operator reset is needed somewhere. The resett can be on the final element itself, in the

can be on the final element itself, in the output function block, or in the upstreamoutput function block, or in the upstream CEM function block.

CEM function block. Fi

Figugurere 2-2-22 shows a recommended configuration technique. shows a recommended configuration technique.

Fig

Figure ure 2-2 2-2 ExaExamplmple Use Use of e of a CEa CEM BlM Block ock for for LatLatchiching Ong Off aff an Oun Outputput Fat Faultult

The CAUSE3 in

The CAUSE3 input of the put of the CEM block CEM block has a value has a value of 1 when of 1 when neither output funeither output functionnction block is in the

block is in the fault state. FAfault state. FAULT_STULT_STATE is normally ATE is normally an internal parameter, but an internal parameter, but inin this example it is exposed a

this example it is exposed as an output parameter on the DO and DVC blocks ands an output parameter on the DO and DVC blocks and wired to a NOR b

wired to a NOR block. If either outpulock. If either output block detects an open t block detects an open or short on itsor short on its referenced channel, a trip occurs on EFFECT1 of the CEM block and

referenced channel, a trip occurs on EFFECT1 of the CEM block and both outputboth output blocks drive their outputs Off (because CAS_IN_D becomes 0). The block that blocks drive their outputs Off (because CAS_IN_D becomes 0). The block that detected the open or short had

detected the open or short had already driven its output Off. The outputs remain Offalready driven its output Off. The outputs remain Off until an operator reset is done on the Effect by changing RESET1 of the C

until an operator reset is done on the Effect by changing RESET1 of the CEM blockEM block to True. The fault state condition clea

to True. The fault state condition clears when a Discrete Output channel is rs when a Discrete Output channel is driven Offdriven Off because the diagnostic no longer detects the condition. The same is true for a HART because the diagnostic no longer detects the condition. The same is true for a HART Tw

(13)

This technique applies to

This technique applies to the case where the case where a coordinated a coordinated trip of trip of multiple final multiple final elementselements is needed when any of the final

is needed when any of the final elements involved in an interlock becomeselements involved in an interlock becomes deenergized due to an open or shor

deenergized due to an open or short. If you want to drive Off only the output with thet. If you want to drive Off only the output with the open or short, use a

open or short, use a separate CEM Effect output for each output block and wireseparate CEM Effect output for each output block and wire F

FAULAULT_STATE into a T_STATE into a separate separate Cause input.Cause input. In some applications it may not be desirable to

In some applications it may not be desirable to drive an output Off when an open ordrive an output Off when an open or short is detected. For example, you may want the final element to become energized short is detected. For example, you may want the final element to become energized without operator intervention whenev

without operator intervention whenever an intermittent short clears. er an intermittent short clears. In this case de-In this case de-select the “Enable dete

select the “Enable detection based on output status” option in FSTATE_OPTS ofction based on output status” option in FSTATE_OPTS of the output block.

(14)

2 2..3

3 U

Us

siin

ng

g H

HA

AR

RT

T T

Tw

wo

o--S

Stta

atte

e O

Ou

uttp

pu

ut

t C

Ch

ha

an

nn

ne

ells

s a

an

nd

d

Digital Valve Controllers

Warning

The us

The use of

e of HART

HART Two-state O

Two-state Output channels

utput channels on the

on the SLS

SLS 1508 is

1508 is intended for

intended for

certain final elements. You should physically connect a channel of this type to

only a Fisher Controls DVC6000 digital valve controller with SIS tier

(firmware revision 6 or later) or a digital

(firmware revision 6 or later) or a digital valve controller certified by Emerson

valve controller certified by Emerson

Process Management as being equivalent.

A HART T

A HART Two-state Output cwo-state Output channel is manipulated by Shannel is manipulated by SIS module logic through IS module logic through thethe use of a Digital

use of a Digital ValvValve Controller (LSDVC) function block. The SLS e Controller (LSDVC) function block. The SLS 1508 applies 201508 applies 20 milliamps on the channel when the block’s OUT_D parameter is 1. The value of the milliamps on the channel when the block’s OUT_D parameter is 1. The value of the OFF_CURRENT parameter in the DVC block determines the cur

OFF_CURRENT parameter in the DVC block determines the current applied whenrent applied when the value of OUT_D is 0. Options for OFF_CURRENT include 0

the value of OUT_D is 0. Options for OFF_CURRENT include 0 milliamps and 4milliamps and 4 milliamps.

milliamps. Table Table 2-12-1 summarizes the characteristics of the OFF_CURRENT options. summarizes the characteristics of the OFF_CURRENT options.

Note

Note _{If you choose 4 milliamps as the off-current option for a}_{If you choose 4 milliamps as the off-current option for a HART Two-state Output}_{HART Two-state Output}

channel, consider installing the digital valve controller (DVC 6000

channel, consider installing the digital valve controller (DVC 6000 SIS or equivalent)SIS or equivalent) and valve/actuator in a four-wire arrangement.

and valve/actuator in a four-wire arrangement. A four-wire

A four-wire arrangement uses two output channels on arrangement uses two output channels on the SLS 1508. A HART the SLS 1508. A HART TwTwo- o-state Output channel is connected to

state Output channel is connected to the DVC 6000 SIS. A Discrete Output channel isthe DVC 6000 SIS. A Discrete Output channel is connected to a 24V solenoid valve installed in the pneumatic line

connected to a 24V solenoid valve installed in the pneumatic line between the DVCbetween the DVC 6000 SIS and

6000 SIS and the valve actuator.the valve actuator.

T

Table 2-1 able 2-1 Characteristics of the OFF_CUCharacteristics of the OFF_CURRENT OptionsRRENT Options

0

0 mmiilllliiaammppss 4 4 mmiilllliiaammppss •• PoPowewer is rer is remomoveved entd entireirely fly frorom thm thee

digital valve controller when SIS digital valve controller when SIS module logic drives the channel module logic drives the channel Off.Off. The digital valve controller places the The digital valve controller places the final element in the tripped state. final element in the tripped state.

•• The diThe digitgital valal valve conve controtrolleller placr places thes the finae final eleml elementent in the tripped state when SIS module logic drives in the tripped state when SIS module logic drives the channel Off.

the channel Off.

•• HARHART coT commummunicnicatiation wion with tth the dhe digiigital tal valvalveve

controller continues while the final element is in the controller continues while the final element is in the tripped state.

(15)

2 2..4

4 U

Us

siin

ng

g N

No

on

n--S

Se

ec

cu

urre

e P

Pa

arra

am

me

ette

er

r R

Re

effe

erre

en

nc

ce

es

s iin

n S

SIIS

S

Modules

The Non-Secure Parameter R

The Non-Secure Parameter Reference is a user-defined eference is a user-defined parameter type available parameter type available onon the Special Items palette w

the Special Items palette when an SIS module has been opened when an SIS module has been opened with Control Studio.ith Control Studio. This parameter type is used to r

This parameter type is used to read a parameter located in a ead a parameter located in a different module, eitherdifferent module, either an SIS or non-SIS

an SIS or non-SIS module. Runtime communication involvmodule. Runtime communication involves the I/O es the I/O bus betweenbus between the DeltaV controller and the SLS 1508, which is not s

the DeltaV controller and the SLS 1508, which is not safety rated. Reading aafety rated. Reading a parameter in another SIS module using a non-secure

parameter in another SIS module using a non-secure reference uses I/O busreference uses I/O bus

communication even if the SIS module is in the same SLS 1508. It is preferable to use communication even if the SIS module is in the same SLS 1508. It is preferable to use a Secure Parameter and Secure

a Secure Parameter and Secure Parameter Reference to communicate between SISParameter Reference to communicate between SIS modules because they use

modules because they use the safety-rated Peer bus and the update rate is at the the safety-rated Peer bus and the update rate is at the SLSSLS scan rate (the non-secure update rate is

scan rate (the non-secure update rate is 1 second). However, secure parameter1 second). However, secure parameter communication is done using the Boolean data

communication is done using the Boolean data type. For data types other thantype. For data types other than

Boolean, a Non-Secure Parameter Reference can be more convenient if the use is not Boolean, a Non-Secure Parameter Reference can be more convenient if the use is not safety-critical.

safety-critical.

2.4.1 Non-Safety-Critical Use

A Non-Secure P

A Non-Secure Parameter Reference can be arameter Reference can be used without special consideration whenused without special consideration when the value does not contribute to a safety-critical control action.

the value does not contribute to a safety-critical control action. Examples of non-safety-critical use include:

Examples of non-safety-critical use include:



 Reading a HART digital Reading a HART digital variable from a control module for variable from a control module for feedback onlyfeedback only. By. By

means of an external reference parameter a control module is able to access means of an external reference parameter a control module is able to access HART digital variables from HART devices connected to SLS 1508 channels. HART digital variables from HART devices connected to SLS 1508 channels. The actual valve position

The actual valve position feedback from a feedback from a digital valve contrdigital valve controller, for oller, for example,example, can be read into an SIS module using a

can be read into an SIS module using a Non-Secure Parameter Reference, thenNon-Secure Parameter Reference, then compared to a limit and wired to the RDB

compared to a limit and wired to the RDBK_IN_D input of a DVC functionK_IN_D input of a DVC function block.

block.



 Reading the commanded state for a motor or discrete valve from a controlReading the commanded state for a motor or discrete valve from a control

module, then applying a safety

module, then applying a safety interlock and driving an output channel of the SLSinterlock and driving an output channel of the SLS 1508. This use is not considered sa

1508. This use is not considered safety-critical because the safety interlock alwaysfety-critical because the safety interlock always overrides the value of the commanded state.

(16)

2.4.2 Safety-Critical Use

If a Non-Secure Parameter Reference contributes to a safety-critical control action, If a Non-Secure Parameter Reference contributes to a safety-critical control action, special consideration is needed in

special consideration is needed in SIS module logic to validate the parameter value.SIS module logic to validate the parameter value. The configurer should

The configurer should not allow not allow the safety function the safety function to be to be compromised based compromised based on theon the value of a Non-S

value of a Non-Secure Parameter Recure Parameter Reference.eference. An example of safety-critical use is

An example of safety-critical use is a batch safety application tha batch safety application that reads the activeat reads the active phase or recipe in order to apply the appropriate trip limit(s) for the c

phase or recipe in order to apply the appropriate trip limit(s) for the current state ofurrent state of the process. It is important to validate the value read into the SIS

the process. It is important to validate the value read into the SIS module by somemodule by some independent means. An example of independent confirmation of the current process independent means. An example of independent confirmation of the current process state is inferring the

state is inferring the state by using process inputs from channels of this or other SLSstate by using process inputs from channels of this or other SLS 1508s, or using operator input from a secure write operation to confir

1508s, or using operator input from a secure write operation to confirm the state. Ifm the state. If the value of the Non-Secure

the value of the Non-Secure Parameter Reference cannot be validated by anParameter Reference cannot be validated by an independent method, the most conser

independent method, the most conservative trip limit values should be applied.vative trip limit values should be applied. A Non-Secure P

A Non-Secure Parameter Reference has a varameter Reference has a value and a statusalue and a status. Normally the status is. Normally the status is that of the referenced parameter. If there is a communication issue between the that of the referenced parameter. If there is a communication issue between the DeltaV controller and the SLS 1508, the status

DeltaV controller and the SLS 1508, the status of the Non-Secure Parameterof the Non-Secure Parameter

Reference becomes BadNoComm. If the source parameter has Bad status or the SLS Reference becomes BadNoComm. If the source parameter has Bad status or the SLS 1508 is not able to read its

1508 is not able to read its value, the Non-Secure Parameter Rvalue, the Non-Secure Parameter Reference has Bad status.eference has Bad status. Therefore, SIS module logic should

Therefore, SIS module logic should take appropriate action take appropriate action when the status is Bad ifwhen the status is Bad if the use is safety-critical. Refer to

the use is safety-critical. Refer to “Using Bad Status in the SIS Module” on page “Using Bad Status in the SIS Module” on page 55 forfor more information.

more information.

The Limit function block can

The Limit function block can be used downstream from be used downstream from a Non-Secure Para Non-Secure Parameterameter Reference to limit its value within a valid range. The block has a

Reference to limit its value within a valid range. The block has an option parametern option parameter (LIMIT_OPT) that determines the

(LIMIT_OPT) that determines the output value when the input is outside the validoutput value when the input is outside the valid range. Choices include clamping the value at the

range. Choices include clamping the value at the limit, using the last value prior tolimit, using the last value prior to limit violation, and using a configurable default value.

limit violation, and using a configurable default value.

2 2..5

5 U

Us

siin

ng

g a

an

n S

SIIS

S M

Mo

od

du

ulle

e T

Te

em

mp

plla

atte

e tto

o M

Me

ee

et

t O

Op

pe

erra

atto

orr

Notification Requirements

DeltaV SIS allows you to create a new

DeltaV SIS allows you to create a new SIS module starting from an exisSIS module starting from an existing SISting SIS module or SIS module

module or SIS module template in addition to template in addition to creating a newcreating a new, empty SIS , empty SIS module.module. When creating SIS mod

When creating SIS module logic, it ule logic, it is preferable to is preferable to start with an SIS start with an SIS module templatemodule template rather than an empty SIS module. DeltaV SIS provides one SIS

rather than an empty SIS module. DeltaV SIS provides one SIS module templatemodule template named SIS_DEFA

named SIS_DEFAULULT having an empty T having an empty diagram view diagram view and two alarm and two alarm parameters.parameters. Start from this template or one of your own so you do not have to manually create Start from this template or one of your own so you do not have to manually create standard alarms

(17)

The SIS_DEFA

The SIS_DEFAULT ULT module template contains twmodule template contains two alarms, BYPo alarms, BYPASS_ALM andASS_ALM and IO_ALM. BYPASS_

IO_ALM. BYPASS_ALM references bits in ALM references bits in the SIF_ALERTS parameter found in allthe SIF_ALERTS parameter found in all SIS modules. IO_ALM references bits in the

SIS modules. IO_ALM references bits in the SIF_ERRORS parameter common to allSIF_ERRORS parameter common to all SIS modules. SIF_ERRORS and SIF_ALERTS are bitstring parameters whose bits SIS modules. SIF_ERRORS and SIF_ALERTS are bitstring parameters whose bits hold conditions detected in function blocks in the SIS module. When the

hold conditions detected in function blocks in the SIS module. When the alarmalarm references a parameter whose parameter type is

references a parameter whose parameter type is Option Bitstring, you select whichOption Bitstring, you select which bits cause the alar

bits cause the alarm to be active.m to be active. BYP

BYPASS_ALM references conditions in ASS_ALM references conditions in SIF_ALERTS shown by the selected SIF_ALERTS shown by the selected checkcheck boxes in the dialog in

boxes in the dialog in FiFigugurere 2-2-33..

Fi

(18)

IO_ALM references conditions in SI

IO_ALM references conditions in SIF_ERRORS shown by the selected F_ERRORS shown by the selected check boxescheck boxes in the dialog in

in the dialog in FiFigugurere 2-2-44..

Fi

Figugure re 2-2-4 4 SISIF_F_ERERRORORS RS MaMask sk fofor r IOIO_A_ALMLM

Whichever SIS module t

Whichever SIS module template you use to create emplate you use to create a new SIS module, a new SIS module, make sure itmake sure it contains the standard alarm paramete

contains the standard alarm parameters needed to meet your operator notificationrs needed to meet your operator notification requirements. The alarms can reference

requirements. The alarms can reference SIF_ERRORS and SIF_ALERTS at the SISSIF_ERRORS and SIF_ALERTS at the SIS module level or specific parameters in function blocks within the SIS

module level or specific parameters in function blocks within the SIS module.module. SIF_ERRORS and SIF_ALERTS are recommended for standard alarms

SIF_ERRORS and SIF_ALERTS are recommended for standard alarms becausebecause they are not dependent on having partic

they are not dependent on having particular function blocks on the diagram. It is aular function blocks on the diagram. It is a matter of preference whether to have more standard alarms that reference

matter of preference whether to have more standard alarms that reference fewerfewer conditions or fewer standard alar

conditions or fewer standard alarms that reference ms that reference more conditions. Ymore conditions. You couldou could choose to have an alarm parameter called ERROR_ALM, which references all

choose to have an alarm parameter called ERROR_ALM, which references all bits inbits in SIF_ERRORS. When ERROR_ALM becomes active, the operator can se

SIF_ERRORS. When ERROR_ALM becomes active, the operator can see whiche which conditions are active on the generic face

conditions are active on the generic faceplate for SIS modules in DeltaV Operate.plate for SIS modules in DeltaV Operate.

2 2..6

6 C

Ch

ho

oo

os

siin

ng

g tth

he

e S

SL

LS

S 1

15

50

08 8 S

Sc

ca

an

n R

Ra

atte

e

The default scan rate for SIS

The default scan rate for SIS module execution in the module execution in the SLS 1508 is 50 millisecondsSLS 1508 is 50 milliseconds.. Y

You can ou can change the change the scan rate scan rate to to 100, 150, 100, 150, or or 200 m200 milliseconds from illiseconds from the SLS the SLS propertiesproperties dialog in DeltaV Explorer. Increasing the SLS scan rate value impacts

dialog in DeltaV Explorer. Increasing the SLS scan rate value impacts the executionthe execution rate of SIS modules. But diagnostic cycle times in the SLS 1508 remain constant, with rate of SIS modules. But diagnostic cycle times in the SLS 1508 remain constant, with the exception of the main processor comparison diagnostic, which is a function of SIS the exception of the main processor comparison diagnostic, which is a function of SIS module scan rate.

(19)

The recommended scan rate to use whenev

The recommended scan rate to use whenever possible is 50 millisecondser possible is 50 milliseconds. This scan. This scan rate minimizes the input to output response time. The only reason t

rate minimizes the input to output response time. The only reason to change the scano change the scan rate beyond the default 50 milliseconds is if the SLS 1508 is not able

rate beyond the default 50 milliseconds is if the SLS 1508 is not able to execute the SISto execute the SIS module or modules at the configured scan rate.

module or modules at the configured scan rate. At do

At download wnload time time the SLS the SLS 1508 estimates 1508 estimates the the total total execution execution time time of of the SIS the SIS modules.modules. If the configured scan rate is not long

If the configured scan rate is not long enough for the estimated execution time, theenough for the estimated execution time, the SLS 1508 sets the actual scan rate to the next higher value and sets a maintenance alert SLS 1508 sets the actual scan rate to the next higher value and sets a maintenance alert (a referenced condition in the standard SLS alar

(a referenced condition in the standard SLS alarm MAINT_ALM), which indicatesm MAINT_ALM), which indicates “Modules not executing at configured scan rate.” This alert creates an audible alar “Modules not executing at configured scan rate.” This alert creates an audible alar m inm in DeltaV Operate. DeltaV Diagnostics Explorer shows this condition in the parameter DeltaV Operate. DeltaV Diagnostics Explorer shows this condition in the parameter MAINT_ALERTS at the SLS level. Diagnostics Explorer also s

MAINT_ALERTS at the SLS level. Diagnostics Explorer also shows the configuredhows the configured and actual scan rates

and actual scan rates in the CFG_SCAN_TIME and ACT_SCAN_TIME parametersin the CFG_SCAN_TIME and ACT_SCAN_TIME parameters at the SLS level.

at the SLS level.

When the configured and actual scan r

When the configured and actual scan rates do not match, ates do not match, the SIS modules are stillthe SIS modules are still executing and providing the protection function. The response time is long

executing and providing the protection function. The response time is longer thaner than had been expected based on the configured sc

had been expected based on the configured scan rate, and a persistent diagnostic erroran rate, and a persistent diagnostic error is present. For this reason you should change the configured scan rate and

is present. For this reason you should change the configured scan rate and re-download the SLS 1508 if a mismatch is indicated after a

download the SLS 1508 if a mismatch is indicated after a download.download. If the total estimated SIS module

If the total estimated SIS module execution time exceeds 200 milliseconds, the SLSexecution time exceeds 200 milliseconds, the SLS 1508 does not apply the downloaded script and the

1508 does not apply the downloaded script and the download fails.download fails.

2 2..7

7 C

Co

on

nffiig

gu

urra

attiio

on

n C

Co

on

ns

siid

de

erra

attiio

on

ns

s ffo

or

r O

On

nlliin

ne

e

Downloads and Restarts

2.7.1 Online Downloads

If you anticipate a need to make online change

If you anticipate a need to make online changes to SIS module logic, that is, tos to SIS module logic, that is, to download SLS 1508s that are protecting a r

download SLS 1508s that are protecting a running process, you should ensure theunning process, you should ensure the download does not disrupt the process. The SLS 1508 copies certain state

download does not disrupt the process. The SLS 1508 copies certain state information and operating data from r

information and operating data from running SIS modules into newly downloadedunning SIS modules into newly downloaded SIS modules so that the download is nondisr

SIS modules so that the download is nondisruptive. The parameters whose values areuptive. The parameters whose values are copied from the running module are s

(20)

discover an issue, the first step is to

discover an issue, the first step is to see if a top-level parameter needs to be see if a top-level parameter needs to be preservedpreserved on download. If the issue persists, consider the use of the

on download. If the issue persists, consider the use of the SYSSTAT function in aSYSSTAT function in a Calc/Logic function block expression. The SYSSTAT function detects the first time Calc/Logic function block expression. The SYSSTAT function detects the first time the SIS module runs a

the SIS module runs after a download (or restart or switchover) so that conditionalfter a download (or restart or switchover) so that conditional logic can execute on that scan.

logic can execute on that scan.

2.7.2 Restarts After Power Failures

A restart can occur after po

A restart can occur after power is restored to wer is restored to an SLS 1508 that had an SLS 1508 that had a runninga running configuration prior to losing power. Refer to DeltaV Books Online

configuration prior to losing power. Refer to DeltaV Books Online for the restartfor the restart criteria for your firmware revision of the SLS 1508. During a

criteria for your firmware revision of the SLS 1508. During a restart the SLS 1508restart the SLS 1508 reapplies the last downloaded configuration and restores parameters

reapplies the last downloaded configuration and restores parameters that had beenthat had been saved to non-volatile memory

saved to non-volatile memory. At the time . At the time power is lost, outputs of the power is lost, outputs of the SLS 1508 areSLS 1508 are deenergized, which should result in the same output st

deenergized, which should result in the same output state as after the originalate as after the original download. After a restart the goal is

download. After a restart the goal is to retain the same process state that occurto retain the same process state that occurred as ared as a result of the power failure, yet to restore the parameter values that were saved to result of the power failure, yet to restore the parameter values that were saved to non- volatile memory

volatile memory, which are mor, which are more current than the last downloaded e current than the last downloaded values.values. The SLS 1508 sav

The SLS 1508 saves certain parameter ves certain parameter values to non-values to non-volatile memory when the olatile memory when the valuevalue changes at runtime. T

changes at runtime. These parameters have the “restored on restart” characteristic.hese parameters have the “restored on restart” characteristic. Applicable SIS function block

Applicable SIS function block parameters are shown as haparameters are shown as having this characteristic inving this characteristic in parameter tables for SI

parameter tables for SIS function blocks in DeltaV S function blocks in DeltaV Books Online. Top-levBooks Online. Top-levelel parameters created in SIS modules and

parameters created in SIS modules and SIS composite blocks have this characteristicSIS composite blocks have this characteristic by default, but from the properties dialog you can change them to have the “preserved by default, but from the properties dialog you can change them to have the “preserved on download” characteristic instead.

on download” characteristic instead. If there is an opportunity

If there is an opportunity for an SLS 1508 to lose power due to the power source notfor an SLS 1508 to lose power due to the power source not being redundant or not having a

being redundant or not having an uninterruptible n uninterruptible power supplypower supply, you should test , you should test thethe behavior following a restart. If you discover an issue, the first ste

behavior following a restart. If you discover an issue, the first step is to see if a top-p is to see if a top-level parameter needs to be changed to “restored

level parameter needs to be changed to “restored on restart.” If the issue persists,on restart.” If the issue persists, consider the use of the SYSSTAT function in a Calc/Logic function block expression. consider the use of the SYSSTAT function in a Calc/Logic function block expression. The SYSSTAT f

The SYSSTAT function detects the first timunction detects the first time the SIS module runs after a e the SIS module runs after a restart (orrestart (or download or switchover) so that conditional logic can execute on that scan.

download or switchover) so that conditional logic can execute on that scan. Most runtime-writable parameters are eligible

Most runtime-writable parameters are eligible to be restored on restart if they hto be restored on restart if they haveave changed since the last download, either by a

changed since the last download, either by a secure write operation from asecure write operation from a workstation,

workstation, or bor by SIS y SIS module logic module logic itself. The itself. The exception is exception is wired input wired input parameters ofparameters of SIS function blocks. Parameter values transferred on wired links

SIS function blocks. Parameter values transferred on wired links are not saved to non-are not saved to non- volatile memory

volatile memory. However. However, assignments made by Calc/Logic b, assignments made by Calc/Logic block expressions arelock expressions are saved to non-volatile

(21)

Parameter values stored in non-volatile memory are cleared on a download. Be sure Parameter values stored in non-volatile memory are cleared on a download. Be sure toto upload parameter values written by secure writes from workstations prior to

upload parameter values written by secure writes from workstations prior to downloading.

downloading.

2 2..8

8 S

Sy

ys

stte

em

m A

Ad

dm

miin

niis

sttrra

attiio

on

n

2.8.1 Database Backups

It is valuable to always have a current backup of the configuration database in case you It is valuable to always have a current backup of the configuration database in case you need to replace your ProfessionalPLUS workstation for any reason. An automatic need to replace your ProfessionalPLUS workstation for any reason. An automatic daily export is recommended beginning with

daily export is recommended beginning with the engineering phase and continuingthe engineering phase and continuing through the entire lifecycle. Use the Daily Export

through the entire lifecycle. Use the Daily Export feature of DeltaV Databasefeature of DeltaV Database Administrator to configure

Administrator to configure automatic database exports.automatic database exports.

2.8.2 Configuration Changes After Startup

After the process is running it is u

After the process is running it is useful to have seful to have an offline DeltaV system available an offline DeltaV system available inin case you need to make and tes

case you need to make and test configuration changes to SIS modules. If you maket configuration changes to SIS modules. If you make changes to SIS modules

changes to SIS modules in the configuration database of your production system, in the configuration database of your production system, youyou should be prepared for a potential need

should be prepared for a potential need to download them at any time, for example, ifto download them at any time, for example, if a simplex SLS 1508 needs to be replaced. It is better to import tested changes into the a simplex SLS 1508 needs to be replaced. It is better to import tested changes into the production system just before you plan to download them.

production system just before you plan to download them.

2.8.3 Uploading Parameter Changes

When you change parameter v

When you change parameter values at runtime using a secure write from alues at runtime using a secure write from DeltaVDeltaV Operate or Control Studio Online/Debug, the change is

Operate or Control Studio Online/Debug, the change is recorded in the workstationrecorded in the workstation so that you can upload the change to the

so that you can upload the change to the configuration database later. Uploading theconfiguration database later. Uploading the change to the database keeps

change to the database keeps the database value in sync with the rthe database value in sync with the runtime value.untime value. However

However, if there is , if there is a need to download the a need to download the SLS 1508, the new CRC value SLS 1508, the new CRC value is differentis different from the existing value and a functional tes

from the existing value and a functional test is needed. One SLS 15t is needed. One SLS 1508 of a redundant08 of a redundant pair can be replaced

pair can be replaced without a download. If you are using siwithout a download. If you are using simplex SLS 1508s, you maymplex SLS 1508s, you may want to forgo uploading p

want to forgo uploading parameter changes so that a doarameter changes so that a download does not require wnload does not require aa functional test. Instead, check to see if the

(22)

2 2..9

9 U

Us

siin

ng

g tth

he

e S

SL

LS

S 1

15

50

08 8 iin

n E

En

ne

errg

giiz

ze

ed

d tto

o T

Trriip

p

Applications

Y

You can ou can create energized create energized to trip to trip applications by applications by using invusing inverted SIS erted SIS module logic module logic or bor byy using auxiliary relays. Use the following guidelines.

using auxiliary relays. Use the following guidelines.

2.9.1 With Inverted Logic

An energized to trip

An energized to trip output has a value output has a value of 1 (On) when of 1 (On) when there is a demand to trthere is a demand to trip andip and has a value of 0 (Off) in the normal operating state. When using SIS function blocks in has a value of 0 (Off) in the normal operating state. When using SIS function blocks in a SIS module, the logic needs to be

a SIS module, the logic needs to be inverted to achieve this.inverted to achieve this. FiFigugurere 2-2-55 on on papagege 1919 shows an example SIS module configuration that inverts the logic

shows an example SIS module configuration that inverts the logic shown inshown in FiFigugurere 2- 2-11 and and FiFigugurere 2-2-22..

The input function blocks

The input function blocks, voter bloc, voter blocks, and LSCEM ks, and LSCEM block are arranged andblock are arranged and configured the same for energized to trip applications as

configured the same for energized to trip applications as de-energized to trip. Thede-energized to trip. The blocks between the LSCEM and LSDO block are added for energized to

blocks between the LSCEM and LSDO block are added for energized to trip outputs.trip outputs. This network of bloc

This network of blocks serves several purposes.ks serves several purposes. 1.

1. The vaThe value olue on the on the outputput of tut of the LShe LSCEM bCEM bloclock gets ik gets invnverteerted.d. 2.

2. The valThe value senue sent to tt to the inphe input of ut of the LSthe LSDO blDO block bock becomes ecomes 1 if t1 if the stathe status comus cominging from the LSCEM block is not Good for the amount of time configured in the from the LSCEM block is not Good for the amount of time configured in the LSOND block.

LSOND block. 3.

3. If a trIf a trip occip occurs duurs due to Be to Bad statad status, us, the Lthe LSDO bSDO block lock latchlatches On es On (if a (if a reset ireset iss required in the LSCEM block) until the status clears and a reset is performed. required in the LSCEM block) until the status clears and a reset is performed. The basic requirement is to inv

The basic requirement is to invert the value on ert the value on the output of the the output of the LSCEM block. TheLSCEM block. The functionality provided in steps 1 and 2 above is optional based on the application. T functionality provided in steps 1 and 2 above is optional based on the application. Thehe requirements of the application determine

requirements of the application determine whether the LSCALC1, LSOND1, andwhether the LSCALC1, LSOND1, and LSNOT2 blocks are needed.

LSNOT2 blocks are needed.

Some of the features of the LSDO block are intended for de-energized to trip Some of the features of the LSDO block are intended for de-energized to trip

outputs. Therefore, use the following guidelines for the LSDO block in energized to outputs. Therefore, use the following guidelines for the LSDO block in energized to trip applications.

trip applications.



 De-select all De-select all options in FSTATE_OPTSoptions in FSTATE_OPTS, that is, all , that is, all options are configured asoptions are configured as

False. False.



 Be sure REQUIRE_RESET is cBe sure REQUIRE_RESET is configured as False.onfigured as False. 

(23)

When using inverted logic to

When using inverted logic to create energized to trip create energized to trip applications, wire the fapplications, wire the finalinal elements directly to the SLS 1508 sc

elements directly to the SLS 1508 screw terminals for the DO rew terminals for the DO channels. Do not usechannels. Do not use the auxiliary relays described in the following section,

the auxiliary relays described in the following section, "With Auxiliary Relays""With Auxiliary Relays".. Redundant SLS 1508s with separate, monitored power sources are recommended. Redundant SLS 1508s with separate, monitored power sources are recommended.

Fig

Figure ure 2-5 2-5 ExaExamplmple SIe SIS MoS Moduldule Coe Confinfigurguratiation won with ith InvInverterted Led Logiogicc

2.9.2 With Auxiliary Relays

Use the following guidelines to create energized to trip applications using auxiliary Use the following guidelines to create energized to trip applications using auxiliary relays.

relays.



 Use redundant SLS 1508s whenever output channels are being Use redundant SLS 1508s whenever output channels are being driven.driven. 

 Use a separate, monitored power source for each SLS 1508 card in Use a separate, monitored power source for each SLS 1508 card in redundantredundant

pairs driving output

pairs driving output channels.channels.



 Each Discrete Output channel on the SLS 1508 should interface with the Each Discrete Output channel on the SLS 1508 should interface with the finalfinal

element using an Auxiliar

DeltaV SIS™ Process Safety System Users Guide

DeltaV

DeltaV SIS

SIS

™

™

Process Safety System

Process Safety System

Users Guide

Contents

Contents

1

1

D

De

elltta

aV

V S

SIIS

S P

Prro

oc

ce

es

ss

s S

Sa

affe

etty

y S

Sy

ys

stte

em

m U

Us

se

errs

s

Guide

Guide

2

2

E

En

ng

giin

ne

ee

erriin

ng

g P

Prra

ac

cttiic

ce

es

s

2

2..1

1

R

Re

eq

qu

uiirriin

ng

g a

a R

Re

es

se

et

t B

Be

effo

orre

e O

Ou

uttp