We have been discussing the correct way to "stop" and ESD-shutdown motors via SIL2 PLCs and SIL3 ESD PLCs.
1. Having separate Start/Stop Interposing Relays from the SIL2 Process PLC, with a 3rd ESD Interposing Relay for the SIL3 ESD system, with Stop contacts wired in series in the MCC.
E.g. two separate Process and ESD PLCs, with extra hardware including Interposing Relays.
2. Sending a "healthy" signal from the SIL3 ESD system to an input of the SIL2 Process PLC, with Start/Stop Interposing Relays from the SIL2 Process PLC to stop the motor.
E.g. an ESD would go through the Process PLC.
3. Sending a "healthy" signal from the SIL2 Process PLC system to an input of the SIL3 ESD PLC to Stop the motor via an Interposing Relay. Start would be from the Process PLC to an Interposing Relay.
E.g. the PLC starts the motor directly and stops the motor via an ESD output.
Which is the correct method to maintain SIL2 and SIL3 integrity of systems? Thanks in advance.
Note: Running and Stopped status has not been mentioned.
I'd say option 2 is a no-go. If I had a hazard requiring SIL 3 protection I'd configure two redundant channels of protection, fully segregated from each other. In your application I'd combine option 1 and option 3 using two output cards (to protect against CMF) to provide series contacts in the MCC (via IP relays): one contact derived from H/W inputs into the ESD PLC and the other derived from the process PLC inputs into the ESD.
I would have thought that if a complete fault tree was developed for the application you are discussing you would be able to easily identify if the system you are suggesting will meet the SIL requirements.
From your assessment of what would happen if the motors failed dangerous, work backwards and determine each of the failure modes that could cause this, and create your fault tree. Using the probabilities of failure of each component you will then work out if the entire system meets the assessment as to whether the system meets SIL 1, 2 or 3.
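The fault-tree exercise described in the reply above, and the point in the first reply about using two output cards against common-mode failure, can be carried through numerically. The following is an added worked example, not code from either poster: it estimates the PFDavg of the top event "motor fails to stop on demand" for a single stop channel, for two series-wired stop channels on separate output cards, and for two series-wired channels sharing one output card. The formulas are the simplified IEC 61508-6 low-demand expressions (dangerous-detected failures, repair time and hardware fault tolerance constraints are ignored), and every failure rate is a constructed illustrative value, not vendor data.

```python
"""
Added example (not from the thread): a small fault-tree / PFDavg estimate for
the top event "motor fails to stop on demand".

Simplified IEC 61508-6 low-demand formulas, constant failure rates, periodic
proof test, no credit for diagnostics or repair. All lambda_DU values below
are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import List

HOURS_PER_YEAR = 8760.0  # assumed one-year proof test interval


@dataclass
class Component:
    name: str
    lambda_du: float  # dangerous undetected failures per hour (constructed)


def channel_lambda(components: List[Component]) -> float:
    """A stop channel fails dangerous if ANY series element fails (OR gate).
    For small rates the channel rate is the sum of the element rates."""
    return sum(c.lambda_du for c in components)


def pfd_1oo1(lambda_du: float, t_proof: float = HOURS_PER_YEAR) -> float:
    """Single channel with periodic proof test: PFDavg = lambda_DU * T / 2."""
    return lambda_du * t_proof / 2.0


def pfd_1oo2(lambda_du: float, beta: float, t_proof: float = HOURS_PER_YEAR) -> float:
    """Two channels whose stop contacts are in series: both must fail dangerous
    (AND gate). Beta-factor model for common-cause failure:
    ((1-beta)*lambda)^2 * T^2 / 3  +  beta * lambda * T / 2."""
    independent = ((1.0 - beta) * lambda_du) ** 2 * t_proof ** 2 / 3.0
    common_cause = beta * lambda_du * t_proof / 2.0
    return independent + common_cause


def or_gate(*pfds: float) -> float:
    """Top event occurs if any branch fails: 1 - prod(1 - p)."""
    p_none = 1.0
    for p in pfds:
        p_none *= 1.0 - p
    return 1.0 - p_none


def sil_band(pfd: float) -> int:
    """IEC 61508 low-demand PFDavg bands (0 = does not reach SIL 1)."""
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4


# Constructed example components of one stop path: PLC output -> IP relay -> MCC
OUTPUT_CARD = Component("PLC output card", 3e-7)
IP_RELAY = Component("interposing relay", 5e-8)
CONTACTOR = Component("MCC stop circuit / contactor", 1e-7)


def single_channel() -> float:
    """One PLC, one IP relay, one contactor (no redundancy)."""
    return pfd_1oo1(channel_lambda([OUTPUT_CARD, IP_RELAY, CONTACTOR]))


def two_channels_separate_cards(beta: float = 0.1) -> float:
    """Series stop contacts from two fully segregated channels
    (separate output cards), with beta-factor common cause."""
    return pfd_1oo2(channel_lambda([OUTPUT_CARD, IP_RELAY, CONTACTOR]), beta)


def two_channels_shared_card(beta: float = 0.1) -> float:
    """Both series contacts driven from ONE output card: the card becomes a
    single point of failure OR'd with the redundant relay/contactor pair."""
    pair = pfd_1oo2(channel_lambda([IP_RELAY, CONTACTOR]), beta)
    return or_gate(pfd_1oo1(OUTPUT_CARD.lambda_du), pair)


if __name__ == "__main__":
    for label, pfd in [
        ("single channel", single_channel()),
        ("two channels, separate output cards", two_channels_separate_cards()),
        ("two channels, shared output card", two_channels_shared_card()),
    ]:
        print(f"{label:40s} PFDavg={pfd:.3e}  SIL band={sil_band(pfd)}")
```

With these constructed rates the single stop path lands in the SIL 2 band, two segregated paths on separate output cards reach the SIL 3 band, and two paths sharing one output card fall back to SIL 2 because the shared card dominates the fault tree. The common-cause term `beta * lambda * T / 2` is linear in the failure rate while the independent term is quadratic, which is why the beta factor, and hence physical segregation, decides whether a redundant design actually earns the extra SIL level.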