DCS Shutdown signals


Thread Starter

khanna

Can we transmit shutdown signals from one plant DCS to another plant DCS through a redundant fibre optic link? Any standard in this regard?
 
How critical are the shutdown signals? What will happen if you lose communications?

Have you considered something like a watchdog timer between the two systems: on loss of communications the DCS assumes "Shutdown"?

Roy
 
These are two critical shutdown signals to trip-valves. As such we have not done this yet as we wanted clarity if this is permitted at all.

Watchdog timer is definitely a good point - will take this into account. Thanks
 
In my experience I haven't come across any standard which says that shutdown through a serial link can't be done. However, it's not normally done, because of some practical problems:

1. First of all is the reliability. You are saying these are critical valves. How critical are they? If you fail to shut down, will that cause serious asset, environmental or human life damage? If that is the case, you can't use a DCS. You have to use a certified safety system and do the SIL evaluation to confirm the loop configuration. If none of the above is in the picture, then it is not safety critical and you can use a DCS. But there is another point to consider, i.e. response time.

2. What is the time delay permitted by your process? Does the shutdown have to be performed within 10 s, 20 s or 1 hour? If the delay in communication and signal processing is less than the delay permitted by your process, you can use the serial link.

3. If the shutdown is safety critical then you can't afford to do it through a normal serial link or use a DCS system. You have to use a certified safety system. A hardwired link is preferable. However, you can use a certified serial link also. Many safety system vendors provide a safety-certified communication link between their processors.

Hope this will be of some help to you.

Thanks
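The watchdog idea and the response-time question raised in the replies above, as an added example that is not part of any post in this thread: a receiver-side heartbeat watchdog that goes to SHUTDOWN on silence or a frozen counter, with its timeout derived from the permitted process delay. The valve stroke time, scan time, message layout and all names are constructed for illustration, and counter wrap-around is not handled.

```python
from dataclasses import dataclass

@dataclass
class Heartbeat:
    seq: int    # counter the sender increments on every message
    trip: bool  # True = sender demands shutdown

class LinkWatchdog:
    """Receiver side: output is RUN only while fresh heartbeats keep arriving."""
    def __init__(self, timeout_s, now):
        self.timeout_s = timeout_s
        self.last_rx = now
        self.last_seq = None
        self.tripped = False  # latched: a returning link does not restart the plant

    def receive(self, hb, now):
        # A repeated or older counter means a frozen sender or a stale frame.
        # It does not refresh the timer, so the timeout still expires.
        if self.last_seq is not None and hb.seq <= self.last_seq:
            return
        self.last_seq, self.last_rx = hb.seq, now
        if hb.trip:
            self.tripped = True

    def output(self, now):
        if now - self.last_rx > self.timeout_s:
            self.tripped = True  # loss of communications is treated as "Shutdown"
        return "SHUTDOWN" if self.tripped else "RUN"

def max_timeout(process_delay_s, valve_stroke_s, scan_s):
    """Largest watchdog timeout that still fits the delay the process permits."""
    budget = process_delay_s - valve_stroke_s - scan_s
    if budget <= 0:
        raise ValueError("no time budget left for link-loss detection")
    return budget

def simulate():
    # Constructed figures: 10 s permitted delay, 4 s valve stroke, 1 s logic scan.
    timeout = max_timeout(process_delay_s=10.0, valve_stroke_s=4.0, scan_s=1.0)
    wd = LinkWatchdog(timeout, now=0.0)
    states = []
    for t, seq in [(1.0, 1), (2.0, 2), (3.0, 3)]:  # healthy link, 1 s heartbeat
        wd.receive(Heartbeat(seq, trip=False), t)
        states.append(wd.output(t))
    states.append(wd.output(7.0))          # 4.0 s of silence: still within timeout
    states.append(wd.output(8.5))          # 5.5 s of silence: fail to SHUTDOWN
    wd.receive(Heartbeat(4, trip=False), 9.0)
    states.append(wd.output(9.0))          # link is back, trip stays latched
    return timeout, states
```
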
 
If a SIL assessment has shown that a SIL rating is required for these valves then using serial links between DCSs to control them is most likely inappropriate. Usually a separate safety system is required to provide the identified risk reduction. Note also that the safety system should not use the same sensors and final elements as the DCS to make control decisions! Re. the serial links: there are safety system vendors who have SIL 3 TUV certified serial/Ethernet available (I work for one of them).
 
Thanks Nick,

Actually (I must apologize) the communication required is between two independent ESD systems and not DCS systems (which answers Mr. Hait's point - Thanks) and SIL 3 is a requirement here.
These two systems are connected by a fibre optic cable 5 km long - but this link is not certified as such. Based on the responses above I presume taking the signals for shutdown through this fibre optic link is a NO GO.
 