SIL 3 ESD system and stopping Motors/ pumps
Posted by Gray on 15 March, 2004 - 3:51 pm
We have been discussing the correct way to "stop" and ESD shutdown motors via SIL2 PLCs and SIL3 ESD PLCs.

1. Having separate Start/Stop Interposing Relays from the SIL2 Process PLC, with a 3rd ESD Interposing Relay for the SIL3 ESD system with Stop contacts wired in series in the MCC.
E.g. 2 separate Process PLC and ESD PLCs with extra hardware including Interposing Relays.

2. Sending a "healthy" signal from the SIL3 ESD system to an input of the SIL2 Process PLC with Start/Stop Interposing Relays from the SIL2 Process PLC to stop the motor.
E.g. An ESD would go through the Process PLC.

3. Sending a "healthy" signal from the SIL2 Process PLC system to an input of the SIL3 ESD PLC to Stop the motor via Interposing Relay. Start would be from the Process PLC to Interposing Relay.
E.g. The PLC starts the motor direct and stops the motor via an ESD output.

Which is the correct method to maintain SIL2 and SIL3 integrity of systems? Thanks in advance.

Note: Running and Stopped status has not been mentioned.


Posted by Anonymous on 22 March, 2004 - 3:54 pm
I'd say option 2 is a no go. If I had a hazard requiring SIL 3 protection I'd configure two redundant channels of protection fully segregated from each other. In your apps I'd combine option 1 & option 3 using two output cards (protect against CMF) to provide series contacts in the MCC (via IP relays). One contact derived from H/W inputs into the ESD PLC and the other derived from the process PLC inputs into the ESD.

Posted by Chris Jennings on 24 March, 2004 - 6:28 pm
I would have thought that if a complete fault tree was developed for the application you are discussing you would be able to easily identify if the system you are suggesting will meet the SIL requirements.

From your assessment of what would happen if the motors failed dangerous, work backwards and determine each of the failure modes that could cause this and create your fault tree. Using the probabilities of failure of each component, you will then work out if the entire system meets the assessment as to whether the system meets SIL 1, 2 or 3.

Chris Jennings
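
The fault-tree calculation described in the post above, as an added example that is not part of the original thread: it evaluates the top event "motor fails to stop on ESD demand" for option 1, option 2 and a simplified two-output-card arrangement with series contacts, then maps the result to the IEC 61508 low-demand SIL bands. The component names and PFD values are constructed for illustration, and the components are assumed to fail independently.

```python
from math import prod

# Constructed average probabilities of failure on demand (not vendor data).
PFD = {
    "esd_plc": 5e-4,      # SIL 3 ESD logic solver
    "process_plc": 5e-3,  # SIL 2 process logic solver
    "out_card": 1e-4,     # digital output card stuck energised
    "esd_relay": 1e-4,    # ESD interposing relay fails to open
    "stop_relay": 1e-4,   # process stop interposing relay fails to open
    "contactor": 2e-4,    # MCC contactor fails to drop out
}

def evaluate(node):
    """Probability of a fault-tree node: a basic-event name or (gate, children)."""
    if isinstance(node, str):
        return PFD[node]
    gate, children = node
    probs = [evaluate(child) for child in children]
    if gate == "OR":   # any child failing defeats the stop (series chain)
        return 1 - prod(1 - p for p in probs)
    if gate == "AND":  # every child must fail (independent redundant paths)
        return prod(probs)
    raise ValueError(f"unknown gate {gate!r}")

def sil_band(pfd):
    """IEC 61508 low-demand SIL band for an average PFD (0 = below SIL 1)."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0

# Option 1: ESD PLC drives its own relay; contact in series in the MCC.
OPTION_1 = ("OR", ["esd_plc", "out_card", "esd_relay", "contactor"])
# Option 2: the ESD trip is routed through the process PLC and its stop relay.
OPTION_2 = ("OR", ["esd_plc", "out_card", "process_plc", "stop_relay", "contactor"])
# Two output cards, each with its own relay, contacts in series (no common-cause term).
CHANNEL = ("OR", ["out_card", "esd_relay"])
REDUNDANT = ("OR", ["esd_plc", ("AND", [CHANNEL, CHANNEL]), "contactor"])

if __name__ == "__main__":
    for name, tree in (("option 1", OPTION_1), ("option 2", OPTION_2),
                       ("redundant outputs", REDUNDANT)):
        p = evaluate(tree)
        print(f"{name}: PFD = {p:.3e}, SIL band {sil_band(p)}")
```

The PFD band is only one part of a SIL claim; architectural constraints and common-cause failure between the redundant channels are not modelled here.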
