Specification of Safety Instrumented Loops

• Specification based on the hazard analysis
    Safety functions, immediate safety states, process safety time (PST)
    Structure of each safety instrumented loop
    Independent control and protective structure of the plant automation
    Interacting of plant subsystems
    Consider a safety shutdown while the process is in start up or controlled shutdown down.
    Specification of organisational measures (operation , inspection)
    Hazards to be covered by full / major responsibility of the plant operator.
• Suitable Ex-protection
    Overvoltage, surge and other EMC protection
• Observe the conditions of use specified by the manufacturer
    Example: Monitored threshold limits and leakage current of the digital I/O modules
    Electrical insulation provided by the I/O moduls
    Specified environmental stress conditions
• Current loop principle (de-energized to trip, 4-20mA)
    Signals should be dynamic, to the extend possible

Configuration of Safety Instrumented System

• Follow the system documentation incl. safety manual
    Follow the conditions and restrictions stated in the TÜV report to the certificate
• Configuration based on the specification of the safety functions
    Check by a competent and independent person (four eye principle)
• Separate safety-related and non-safety-related programs and data
    Highlight the safety-related paths and data in the logic diagrams and parameter lists
• Configuration with the delivered safety engineering tools only
• Specify the safety-related configuration
    I/O configuration, process safety time (PST), SIL, max. cycle time,
    System reaction to internal failures and failures of the periphery
    Application-specific processing of the discrepancy of inputs
• Select system structure suitable for the required availability, SIL and PST
    (Certified systems provide increased availability but rare software and hardware
     failures
    can lead to a complete shutdown)
    Time limitation of degraded operation
• Only certified safety-related modules for safety functions
    Interference-free modules ("Rückwirkunsfrei") for non-safety-related functions

Communication

• Safety-related communication is currently only supported between systems of the same family- vendor-independent safety bus specifications are currently under certification
    Communication with other non-safety-related systems can be made safe only by
    additional measures in the application program
    Access control for external communication partners (Examples: Engineering work
    station and DCS)
• Communication adds to the safety-related reaction time
    Specify and configure time limit for the monitoring of the communication
    Unfavourable communication structures and parameters may reduce the plant
    availability

Application Programming

• Program based on logic diagrams or cause + effect matrices only
• Program with the delivered safety engineering tools only
    (if no safety engineering tools exist, each path must be fully tested)
• Avoid instruction lists / mnemonics
    Use function block diagrams, cause + effect matrix or sequential function charts
• Use proven-in-use or pre-tested function blocks
    Maintain a library of such blocks
• Keep the reaction time of the application program constant
    Test of the maximum system reaction time to all external events
• Test the re-start after power failure in all operating modes
• Check modifications always with the certified revision comparator
• Check during commissioning that the compiled configuration loaded in the safety
  instrumented system and the configuration theoretically checked previously are equal

Operation and Modifications

• Safety relevant fault reactions which only lead to signalling are only permitted under
    supervised operation. (Operator must have enough information and time to react)
• Maintenance Override requires (operator-specified) guidelines
    Plant operator must nevertheless receive sufficient information about the safety status of the plant see the Document "Maintenance Override"
• Hazards associated with on-line modifications
    On-line modifications reduce safety by its nature. Full functional testing should be done at simulators or at a similar plant.

Timing restriction after degradation

• The generic standards ( IEC 61508 and DIN 19250 in companion with DIN 0801) don't give exact figures or guidelines for a system, when a fault has been detected in the system, and the system strucure has been degraded as a result of that fault.
• For ESD applications, where the AK system according to the DIN 19250 is used, only supervised operation should be possible after reaching a single channel mode of operation. Online repair is possible. If not repaired, single channel operation is possible with the following maximum timing :
  - in AK 5 : shutdown after a maximum of 72 hours of supervised operation in single
    channel mode
  - in AK 6 : shutdown after a maximum of 1 hour of supervised operation in single
    channel mode