5. DeltaV SIS Process Safety System Safety Manual 1
1 DeltaV SIS Process Safety System Safety Manual
This document contains important information on how DeltaV SIS is to be used in a
safety instrumented system to place and/or maintain the equipment under control in
an appropriate state when expected to do so. The guidelines in this document should
be followed when using DeltaV SIS in safety-critical applications.
To determine whether this document is the most recent revision applicable to a
particular revision of the SLS 1508, compare the part number shown on the cover of
this document to the part number found on the SureService Guardian website:
https://guardian.emersonprocess.com
Log into the Guardian website and look for the DeltaV SIS links under Resources.
2 Certification Coverage
2.1 Certified Components
The information in this document applies to hardware and software components of
DeltaV SIS that have been certified according to IEC 61508. TUV has certified the
SLS 1508 hardware and firmware as suitable for use in safety applications with a
maximum Safety Integrity Level (SIL) of 3 (SIL3) according to IEC 61508 Part 1 to
Part 7. Refer to https://guardian.emersonprocess.com for a complete listing of the
certified SIL compliant and interference free hardware and software components of
DeltaV SIS.
2.2 SIL Applicability
The maximum Safety Integrity Level for the SLS 1508 in de-energized to trip
applications:

                                       Simplex    Redundant
  De-energized to trip application     SIL3       SIL3

Refer to “Other Applications” (section 10) for SIL ratings and a discussion of
energized to trip applications.
2.2.1 De-energized to Trip Applications
In de-energized to trip applications the advanced logic solver architecture of the SLS
1508 achieves SIL3 safety in a simplex hardware module. A simplex SLS 1508
provides the hardware fault tolerance and safe failure fraction to meet SIL3
architectural requirements. A redundant SLS 1508 meets SIL3 architectural
requirements, utilizing redundancy to increase availability and to reduce false trips.
The SIL3 rating applies to both the low and high demand modes of operation.
In a de-energized to trip application the safe state for all output channels of a given
safety instrumented function (SIF) is off/low. This corresponds to the safe state of
output channels if the SLS 1508 needs to remove power in response to a dangerous
failure being detected by its advanced diagnostics.
Refer to “Engineering Practices” in the DeltaV SIS Process Safety System Users Guide for
configuration guidelines for de-energized to trip applications.
When higher powered discrete outputs are needed, there are two standard product
options that utilize external relay modules as part of the logic solver subsystem. There
is a SIL3 option if line monitoring is not needed and a SIL2 option with line
monitoring. Refer to Installing Your DeltaV SIS Process Safety System Hardware for more
information. SIS module configuration techniques do not change when the auxiliary
relays are used in a de-energized to trip function.
2.2.2 Response Time
The response time for a SIF should be less than the process safety time. The SIF has
a response time associated with the sensor, logic solver, and final element subsystems.
The sum of the response times should be less than the process safety time. The
response time of the logic solver subsystem is the time between any change on a SIF
input channel that should result in a trip and the time that the output channel or
channels change to the tripped state. The time is measured from screw terminal to
screw terminal.
The response time is impacted by the configured scan rate of the SLS 1508 containing
the SIS module logic for the SIF. There is some variability due to the alignment of the
change at the input screw terminal and I/O scanning in the SLS 1508. The following
table shows the maximum response times of the logic solver subsystem.

  SLS 1508 scan rate     Maximum response time
  (milliseconds)         (milliseconds)
  50                     175
  100                    275
  150                    375
  200                    475

Note the following concerning response times for the logic solver subsystem.
1. The response time does not increase if an input channel of the SIF is on an SLS
1508 other than the SLS 1508 driving the outputs.
2. If multiple SIS modules are involved in the SIF and communicate using secure
parameters, the maximum response time increases by the scan rate of the SLS 1508
containing the secure parameter (not the secure parameter reference). For example,
two SIS modules at a 50 millisecond scan rate increase the maximum response time
from 175 to 225 milliseconds. If the communication is between DeltaV SIS nodes
across the remote peer ring (SISNet), the response time can increase by an
additional 50 milliseconds.
3. If SIS module logic includes delays, such as the trip delay time in voter function
blocks, the response time increases by the length of those delays.
3 SIL Verification
To verify that a SIF meets its assigned SIL, the probability of the SIF failing
dangerously must be determined. The DeltaV SIS FMEDA Report contains failure rate
and other data to help you verify that your safety requirements are met. It contains
the information necessary to do SIL verification calculations for the SIF’s logic
solver subsystem, including failure rates by failure category, diagnostic coverage
and common cause factors, hardware fault tolerance, and device type.
The use of a SIL verification tool is encouraged in order to get the most accurate
results possible. Emerson Process Management recommends the exida exSILentia
tool (SILVer), whose SIL verification uses Markov analysis and is based on data from
the DeltaV SIS FMEDA Report.
The DeltaV SIS FMEDA Report is available at
https://guardian.emersonprocess.com.
4 Restrictions: SLS 1508 Specific
There are no SLS 1508 specific restrictions.
5 Restrictions: All Logic Solver Systems
As with all safety logic solvers, the SLS 1508 is to be used according to the practices
required by IEC 61508 and IEC 61511 as summarized below:
As with any logic solver, any modification or change shall be subject to a safety
impact analysis to determine all software modules impacted and the necessary re-
verification activities. A full functional test of the logic solver configuration may
be needed before the logic solver provides the protection function in a running
process.
Your site acceptance procedures should address functional testing of the
applications running in logic solvers.
Note: It is possible to assess what has changed in the SLS 1508 since the last functional
test by examining the CRC values in DeltaV Diagnostics Explorer.
The SLS 1508 provides the ability to download configuration changes on-line.
When any safety instrumented function in any logic solver is disabled or
bypassed, safety should be provided by alternative means. If a logic solver allows
on-line changes, until those changes are verified via functional testing it is
assumed that the SIF(s) under change are disabled. For any disabled or bypassed
SIF:
1. The equipment under control should be supervised until completion of the
functional test (or the assessment of the need to test if a functional test is not
required).
2. The process safety time associated with the hazard should be long enough
for operators to monitor and react, and thus manually provide the protection
function during the bypass or download / functional test.
A periodic proof test should be performed to reveal potentially dangerous faults
not detected by continuous runtime diagnostics in the logic solver. The necessary
frequency of the proof test is a function of the probability of dangerous failure
for the safety instrumented function(s) associated with the logic solver.
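The SIL verification in section 3 and the proof test interval discussion above both come down to the same calculation: the average probability of dangerous failure on demand of the logic solver subsystem as a function of its failure rates, diagnostic coverage, common cause factors, repair times and proof test interval. The following added example (not Emerson code, and not the Markov method of the exSILentia tool) carries that calculation through with the simplified low demand equations of IEC 61508-6 Annex B for a simplex (1oo1) and a redundant (1oo2) logic solver, classifies the result against the IEC 61508-1 target bands, and searches for the longest proof test interval that keeps the subsystem within a target SIL band. Every failure rate, beta factor and repair time in it is a constructed illustration value, not a figure from the DeltaV SIS FMEDA Report; a real verification uses the report's data and covers the sensor and final element subsystems as well.

```python
"""IEC 61508-6 Annex B simplified PFDavg equations for a logic solver subsystem.

Added example, not Emerson code and not the Markov method used by exSILentia.
Every failure rate, beta factor and repair time below is a constructed
illustration value, not a figure from the DeltaV SIS FMEDA Report.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class SubsystemData:
    """Failure data of the kind an FMEDA report provides (rates per hour, times in hours)."""
    lambda_du: float        # dangerous undetected failure rate
    lambda_dd: float        # dangerous detected failure rate (caught by runtime diagnostics)
    mttr: float             # mean time to restoration after a detected fault
    mrt: float              # mean repair time after a fault found by proof test
    beta: float = 0.0       # common-cause factor, undetected dangerous failures (1oo2 only)
    beta_d: float = 0.0     # common-cause factor, detected dangerous failures (1oo2 only)

    @property
    def lambda_d(self) -> float:
        return self.lambda_du + self.lambda_dd

    @property
    def diagnostic_coverage(self) -> float:
        return self.lambda_dd / self.lambda_d


def channel_equivalent_downtime(d: SubsystemData, t1: float) -> float:
    """tCE: mean downtime of one channel for proof test interval t1 (hours)."""
    return (d.lambda_du / d.lambda_d) * (t1 / 2 + d.mrt) + (d.lambda_dd / d.lambda_d) * d.mttr


def group_equivalent_downtime(d: SubsystemData, t1: float) -> float:
    """tGE: mean downtime of the voted group, used by the 1oo2 equation."""
    return (d.lambda_du / d.lambda_d) * (t1 / 3 + d.mrt) + (d.lambda_dd / d.lambda_d) * d.mttr


def pfd_avg_1oo1(d: SubsystemData, t1: float) -> float:
    """Simplex logic solver: PFDavg = lambda_D * tCE."""
    return d.lambda_d * channel_equivalent_downtime(d, t1)


def pfd_avg_1oo2(d: SubsystemData, t1: float) -> float:
    """Redundant pair where either module can trip: independent plus common-cause terms."""
    t_ce = channel_equivalent_downtime(d, t1)
    t_ge = group_equivalent_downtime(d, t1)
    independent = 2 * ((1 - d.beta_d) * d.lambda_dd + (1 - d.beta) * d.lambda_du) ** 2 * t_ce * t_ge
    common_cause = d.beta_d * d.lambda_dd * d.mttr + d.beta * d.lambda_du * (t1 / 2 + d.mrt)
    return independent + common_cause


def sil_band(pfd: float) -> int:
    """IEC 61508-1 low demand target bands: SIL n means 10**-(n+1) <= PFDavg < 10**-n.
    Returns 0 when the value does not meet SIL 1; values below 1e-5 are reported as 4."""
    if pfd >= 1e-1:
        return 0
    for sil in (1, 2, 3):
        if pfd >= 10.0 ** -(sil + 1):
            return sil
    return 4


def max_proof_test_interval_years(d: SubsystemData, target_sil: int, pfd_fn=pfd_avg_1oo1,
                                  candidates_years=(1, 2, 3, 4, 5, 6, 8, 10)) -> int:
    """Longest candidate proof test interval whose PFDavg still meets the target SIL band.
    PFDavg grows with the interval, so the last passing candidate is the answer; 0 if none passes."""
    best = 0
    for years in candidates_years:
        if sil_band(pfd_fn(d, years * HOURS_PER_YEAR)) >= target_sil:
            best = years
    return best


# Constructed illustration data: 50 FIT undetected, 300 FIT detected, 8 h repair times.
EXAMPLE = SubsystemData(lambda_du=50e-9, lambda_dd=300e-9, mttr=8.0, mrt=8.0,
                        beta=0.02, beta_d=0.01)

if __name__ == "__main__":
    for label, fn in (("simplex 1oo1", pfd_avg_1oo1), ("redundant 1oo2", pfd_avg_1oo2)):
        pfd = fn(EXAMPLE, HOURS_PER_YEAR)
        print(f"{label}: PFDavg={pfd:.3e} (SIL {sil_band(pfd)} band), longest proof test "
              f"interval for SIL 3: {max_proof_test_interval_years(EXAMPLE, 3, fn)} years")
```

With the constructed data a simplex module at a one year proof test interval sits in the SIL 3 band and stays there up to a four year interval, while a redundant pair is dominated by the common cause term and stays well inside the band at every candidate interval. The point to take from the search is the one section 5 makes: the proof test frequency is not a fixed number but falls out of the dangerous failure probability budget of the SIF, and the logic solver's share is usually small next to the sensors and final elements.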
6 Special Features: SLS 1508 Specific
The SLS 1508 provides a Non-Secure Parameter Reference feature. This is a user-
defined parameter type available in SIS modules for non safety-critical use. If a
parameter of this type contributes to a safety-critical control action, special
consideration is needed in SIS module logic to validate the parameter value. The
application programmer should not allow the safety function to be compromised
based on the value of a Non-Secure Parameter Reference. Refer to “Engineering
Practices” in the DeltaV SIS Process Safety System Users Guide for more information.
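The rule above is the familiar one for any untrusted input reaching safety logic: a Non-Secure Parameter Reference may influence a trip only in the direction that cannot weaken protection, and anything outside its expected form or range falls back to the SIL-rated configuration. The following added example models that pattern in Python; it is not SIS module logic, not the Calculation-Logic expression language, and not Emerson code. The parameter names, the bounds and the process values are assumptions chosen for illustration.

```python
"""Guarding a high trip against a non-secure, operator-adjustable parameter.

Added example written in Python to show the validation pattern; it is not SIS
module logic or Emerson code. HI_TRIP, the bias parameter and all bounds are
constructed illustration values.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class TripConfig:
    hi_trip: float    # SIL-rated high trip setpoint held in the secure configuration
    max_bias: float   # largest downward (earlier-trip) adjustment the non-secure bias may apply


def effective_trip_point(cfg: TripConfig, nonsecure_bias) -> float:
    """Return the trip setpoint actually used by the SIF logic.

    The non-secure bias may only lower the high trip, i.e. make the trip earlier.
    A non-numeric, NaN, infinite, negative or out-of-range value is rejected and the
    secure setpoint is used unchanged, so a corrupted or manipulated parameter can
    never raise the trip point above the SIL-rated configuration.
    """
    try:
        bias = float(nonsecure_bias)
    except (TypeError, ValueError):
        return cfg.hi_trip
    if not math.isfinite(bias) or bias < 0.0 or bias > cfg.max_bias:
        return cfg.hi_trip
    return cfg.hi_trip - bias


def high_trip_demand(cfg: TripConfig, pv: float, nonsecure_bias) -> bool:
    """True when the process value demands a trip (outputs to the safe state)."""
    return pv >= effective_trip_point(cfg, nonsecure_bias)


if __name__ == "__main__":
    cfg = TripConfig(hi_trip=100.0, max_bias=10.0)
    for bias in (5.0, -5.0, "garbage", float("nan"), 1e9):
        print(f"bias={bias!r:>10}: trip point {effective_trip_point(cfg, bias):.1f}, "
              f"pv 96 trips: {high_trip_demand(cfg, 96.0, bias)}")
```

The choice to reject rather than clamp an over-range bias is deliberate: a value far outside the expected range is better treated as evidence of corruption than as a request, and either choice leaves the secure setpoint as the worst case.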
Other than the Non-Secure Parameter Reference, all configuration elements
available in SIS modules may be used without special consideration in a safety-
critical application up to and including SIL3. This includes the Calculation-Logic
function block expression language, which is a limited variability language.
The SLS 1508 automatically responds to faults common to all I/O channels, such
as malfunction of a processor or a memory failure, by de-energizing all output
channels. This leaves output devices under control of the partner when using
redundant SLS 1508s. A fault on an output channel will not prevent de-
energization in the case of a demand to trip on that channel. There is an
automatic, secondary means of de-energization when needed. For detail on fault
detection and how the SLS 1508 and DeltaV SIS respond to those faults, refer to
“Maintenance Practices” in the DeltaV SIS Process Safety System Users Guide.
The person configuring SIS module logic has influence over the SLS 1508's
response to certain faults detected in the SLS 1508 and field instruments. For
faults specific to one I/O channel or one field device, the SLS 1508 integrates
Bad status with the value on the channel. The SIS module can be configured to
respond to Bad status as needed by the application. Configuring the system
response to Bad status is a matter of choosing status options, fault state options,
and certain time duration values as the application requires. Refer to “Engineering
Practices” in the DeltaV SIS Process Safety System Users Guide for more information
on configuring the system response to detected faults. The DeltaV SIS book in
DeltaV Books Online has detailed information on the features of the function
blocks available in SIS modules.
SLS 1508 outputs configured as HART Two-state Output channels are intended
for certain final elements. You should physically connect a channel of this type to
only a Fisher Controls DVC6000 SIS (firmware revision 6 or later) or a digital
valve controller certified by Emerson Process Management as being equivalent.
Refer to “Engineering Practices” in the DeltaV SIS Process Safety System Users Guide
for more information on using digital valve controllers with the SLS 1508.
The DeltaV SIS secure write server is certified for use in safety rated applications
up to SIL3. Only the secure write server can make runtime changes from DeltaV
workstations to parameters in the SLS 1508, including maintenance bypasses,
operator resets, and all other parameters that are allowed to be changed at
runtime. The secure write capability is integrated with DeltaV Operate dynamos and
faceplates for the advanced SIS function blocks and with DeltaV Control Studio
Online/Debug for SIS modules.
Note: It is not necessary to do a functional test after a secure write is done. You can be
certain that the parameter value in the SLS 1508 is the value confirmed.
The secure write operation is in addition to DeltaV security. The user who is
logged in at the DeltaV workstation needs to have the software key to the lock
associated with the writable parameter and parameter field.
DeltaV SIS has a built-in bypass facility for managing maintenance overrides. A
bypass allows a maintenance activity such as calibration, proof testing, or repair of
a transmitter or other sensor to take place without a concern for a spurious trip.
Bypasses in SIS module logic in the SLS 1508 can be set and cleared from DeltaV
workstations using a secure write operation. Refer to “Operations Practices” in
the DeltaV SIS Process Safety System Users Guide for additional information on the
DeltaV SIS bypass facility.
A proof test of the SLS 1508 is conducted by forcing the logic solver to go
through reset and power-up testing. This is initiated by using a context menu
command from DeltaV Diagnostics Explorer and has no adverse impact to a
running process when redundant SLS 1508s are used. An automatic proof test is
optional for redundant SLS 1508s based on a configured proof test interval. Refer
to “Maintenance Practices” in the DeltaV SIS Process Safety System Users Guide for
more information on proof testing and additional topics on recommended
operations and maintenance practices for DeltaV SIS.
7 Limits
7.1 Product Life
The useful lifetime of the critical components of the SLS 1508 is 20 years.
7.2 Environmental Conditions
Refer to Installing Your DeltaV SIS Process Safety System Hardware for limits on
environmental conditions.
7.3 Application Limits
DeltaV engineering tools ensure that application limits are not exceeded. There are no
requirements to consider to prevent limits from being exceeded. Refer to “System
Capacities” in the Configuration book in DeltaV Books Online for the SIS application
limits.
8 Recommendations for Management of
Functional Competency
DeltaV SIS is intended to be used in accordance with a defined safety life cycle such as
that described in IEC 61511. IEC 61511 requires that persons, departments or
organizations involved in safety life-cycle activities shall be competent to carry out the
activities for which they are accountable. Emerson Process Management strongly
recommends that the following be considered when developing a competency
management program in order for DeltaV SIS users to achieve IEC 61511
compliance.
Competence of Persons - Engineering
All persons involved in the initial implementation or modification of the application
software should have appropriate training. Opportunities for training include reading
the DeltaV SIS Process Safety System Safety Manual, the DeltaV SIS Process Safety System
Users Guide, DeltaV Books Online, and attending a training class led by Emerson
Process Management certified personnel. Formal training is available through
Emerson Process Management Educational Services. For information, visit:
http://www.emersonprocess.com/education/contacts_centers.asp
Competence of Persons - Installation and Hardware Maintenance
All persons involved in installation and hardware maintenance activities should have
appropriate training. Opportunities for training include reading the DeltaV SIS Process
Safety System Users Guide, Installing Your DeltaV SIS Process Safety System Hardware, reading
DeltaV Books Online, and attending a training class led by Emerson Process
Management certified personnel. Formal training is available through Emerson
Process Management Educational Services.
Competence of Persons - General
All persons involved in any aspect of DeltaV SIS, including engineers, operators,
supervisors, maintenance personnel, and system administrators, should have training
in the importance of safety instrumented systems. All persons should have specific
training in the procedures for which they are responsible. DeltaV system
administrators should ensure that all individuals having security keys for DeltaV SIS
activities are trained and competent.
For technical support contact information and for reporting product issues, visit:
http://www.emersonprocess.com/systems/support/ratecard.htm
9 Reporting Product Issues
Refer to “Maintenance Practices” in the DeltaV SIS Process Safety System Users Guide for
more information on reporting product issues.
10 Other Applications
10.1 Energized to Trip Applications
The maximum Safety Integrity Levels for the SLS 1508 in energized to trip
applications are as follows:

                                       Simplex      Redundant
  With inverted logic
    Low demand mode                    SIL3         SIL3
    High demand mode                   not rated    SIL1
  With auxiliary relay                 SIL2         SIL2

A simplex SLS 1508 with inverted logic is not safety rated in high demand mode;
see 10.1.1.2.
10.1.1 Energized to Trip Applications (with Inverted Logic)
When the safe state for an SLS 1508 output channel is on/high, the application is
energized to trip from the perspective of the output channel. Energized to trip output
channels require SIS module configuration to drive the SLS 1508 output channel
value on/high to achieve the safe state. The SIS module logic essentially inverts the
output signals as compared to de-energized to trip logic.
If the SLS 1508 removes power in response to detecting a dangerous failure in an
application with inverted SIS module logic, the equipment under control remains in
the normal operating state. The DeltaV system annunciates a dangerous failure in a
SLS 1508 by means of a hardware alarm. In response to the alarm operators can
manually take the process to the safe state if the repair cannot be completed within the
mean time to repair (MTTR) used for SIL verification.
Refer to “Engineering Practices” in the DeltaV SIS Process Safety System Users Guide for
configuration guidelines for energized to trip applications using inverted logic. Refer
to “Maintenance Practices” in the DeltaV SIS Process Safety System Users Guide for more
information on DeltaV SIS fault annunciation.
10.1.1.1 Using Inverted Logic in Low Demand Mode
In the low demand mode of operation there is ample time to manually respond to an
annunciated dangerous failure. Credit can be taken for SLS 1508 diagnostics such that
dangerous detected failures are included in the safe failure fraction. The SLS 1508
meets SIL 3 architectural requirements as simplex or redundant.
10.1.1.2 Using Inverted Logic in High Demand Mode
In the high demand mode the process safety time or demand rate may not allow time
for a manual response following the annunciation of a dangerous failure. Emerson
Process Management recommends that no credit be taken for diagnostics when using
inverted logic in high demand mode.
A redundant hardware configuration is required for safety rated applications. In a
redundant configuration either of the two hardware modules is able to drive the
output channel on/high, providing the hardware fault tolerance and safe failure
fraction to meet SIL 1 architectural requirements. The amount of time operating
without an available partner SLS 1508 should be limited to the MTTR used in SIL
verification.
10.1.2 Energized to Trip Applications (with Auxiliary Relay)
If a higher powered discrete output is needed for an energized to trip application, an
Auxiliary Relay DTA-Inverting and Auxiliary Relay Diode module can be combined
with the SLS 1508. In this case the inverting of the output signal is done through
external hardware. The SIS module is configured to drive the outputs off/low to
achieve the safe state, the same as in a de-energized to trip application. The logic
solver subsystem meets a SIL2 architectural requirement with a simplex or redundant
SLS 1508 in both low and high demand modes. Refer to Installing Your DeltaV SIS
Process Safety System Hardware for more information.
Refer to “Engineering Practices” in the DeltaV SIS Process Safety System Users Guide for
configuration guidelines for energized to trip applications using the auxiliary relay
modules.
10.2 High Demand Mode
10.2.1 Response Time in High Demand Mode
The response time discussion for low demand mode in 2.2.2 Response Time also
applies when operating in high demand mode.
Although the probability of an undetected fault being present at the time of a demand
is extremely low, you should assume a fault may be present when allocating the
response time for the logic solver subsystem in high demand mode applications. The
maximum fault detection plus reaction time of the SLS 1508 for any scan rate is 400
milliseconds. Therefore, for high demand mode applications, you should allocate an
additional 400 milliseconds for the logic solver subsystem response time, for example,
575 milliseconds for an SLS 1508 whose scan rate is 50 milliseconds. Note that the
recommendation to include the fault detection plus reaction time in the response time
does not apply in the low demand mode.
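The response time rules of section 2.2.2 (the scan rate table, the secure parameter and SISNet additions, and configured delays) and the 400 millisecond fault detection plus reaction allowance above are easy to get wrong when a SIF spans several SIS modules, so they are worth writing down as a budget check. The following is an added example, not Emerson code or a DeltaV tool: it encodes those rules and compares the summed sensor, logic solver and final element times against the process safety time. Treating each secure parameter in a chain of SIS modules as one additive hop is this example's reading of note 2, and the SIF figures in it are constructed.

```python
"""Response-time budget of the logic solver subsystem for one SIF.

Added example; not Emerson code. It encodes the maximum response time table and
the three notes of section 2.2.2 plus the 400 ms fault detection and reaction
allowance that section 10.2.1 recommends for high demand mode. Counting each
secure parameter in a chain of SIS modules as one additive hop is this example's
reading of note 2; the SIF figures under __main__ are constructed.
"""

# Maximum screw-terminal-to-screw-terminal response time by SLS 1508 scan rate (ms).
MAX_RESPONSE_MS = {50: 175, 100: 275, 150: 375, 200: 475}
SISNET_HOP_MS = 50                      # potential extra delay across the remote peer ring
FAULT_DETECTION_PLUS_REACTION_MS = 400  # worst case for any scan rate; high demand mode only


def logic_solver_response_ms(scan_rate_ms, secure_parameter_scan_rates_ms=(),
                             crosses_sisnet=False, configured_delays_ms=(),
                             high_demand=False):
    """Maximum response time to allocate to the logic solver subsystem, in ms.

    scan_rate_ms: scan rate of the SLS 1508 whose SIS module drives the outputs.
    secure_parameter_scan_rates_ms: scan rate of each SLS 1508 that holds a secure
        parameter the SIF reads (note 2). Inputs wired to another SLS 1508 add nothing
        (note 1), so they do not appear here.
    crosses_sisnet: the secure parameter traffic crosses SISNet between nodes (note 2).
    configured_delays_ms: delays in the SIS module logic, e.g. voter trip delay times (note 3).
    high_demand: add the fault detection plus reaction time (section 10.2.1).
    """
    for rate in (scan_rate_ms, *secure_parameter_scan_rates_ms):
        if rate not in MAX_RESPONSE_MS:
            raise ValueError(f"unsupported SLS 1508 scan rate: {rate} ms")
    total = MAX_RESPONSE_MS[scan_rate_ms]
    total += sum(secure_parameter_scan_rates_ms)
    if crosses_sisnet:
        total += SISNET_HOP_MS
    total += sum(configured_delays_ms)
    if high_demand:
        total += FAULT_DETECTION_PLUS_REACTION_MS
    return total


def sif_budget(process_safety_time_ms, sensor_ms, final_element_ms, **logic_solver):
    """Sum the three subsystem response times and compare with the process safety time."""
    ls_ms = logic_solver_response_ms(**logic_solver)
    total = sensor_ms + ls_ms + final_element_ms
    return {
        "logic_solver_ms": ls_ms,
        "sif_total_ms": total,
        "margin_ms": process_safety_time_ms - total,
        "meets_pst": total < process_safety_time_ms,
    }


if __name__ == "__main__":
    # Constructed SIF: 200 ms scan, high demand, 500 ms sensor, 1200 ms valve, 3000 ms PST.
    print(sif_budget(3000, 500, 1200, scan_rate_ms=200, high_demand=True))
    # Constructed two-module SIF across SISNet with a 1 s voter trip delay, low demand.
    print(sif_budget(5000, 500, 1200, scan_rate_ms=100,
                     secure_parameter_scan_rates_ms=(100,), crosses_sisnet=True,
                     configured_delays_ms=(1000,)))
```

The two worked figures in the text fall out directly: a 50 millisecond scan rate with one secure parameter on another 50 millisecond SLS 1508 gives 225 milliseconds, and the same scan rate in high demand mode gives 575 milliseconds.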
10.2.2 Other Considerations for High Demand Mode
The high demand mode of operation is defined by IEC 61508. High demand mode
may apply by definition or whenever it is more appropriate to treat a SIF as operating
in high demand mode instead of low demand. The following applies to both de-
energized to trip and energized to trip applications.
The SLS 1508 does not automatically de-energize outputs when faults are detected on
input channels because the fault may originate in field devices or field wiring. Instead,
the SLS 1508 integrates Bad status with the channel value. SIS module logic can be
configured to respond appropriately to Bad status on input channels. In high demand
mode applications the allowed repair time for faults detected on input channels
should be limited by SIS module configuration so that the SLS 1508 will drive
applicable outputs to the safe state if the repair cannot be completed in time.
Refer to “Engineering Practices” in the DeltaV SIS Process Safety System Users Guide for
more information on configuring the system response to detected faults.
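The behaviour described in section 6 and in the paragraph above, where a detected input fault becomes Bad status on the channel and the SIS module logic decides what to do with it, is the place where a configuration mistake quietly turns a detected fault into an undetected one. The following added example models the pattern in Python for a mooN voter: a Bad channel is excluded from the vote with the required vote count reduced accordingly (so 2oo3 degrades to 1oo2), and in high demand mode a configured allowed repair time forces the output to the safe state when the repair is not completed in time. It is not SIS module logic, not a DeltaV function block, and not Emerson code; the degradation policy, the timer behaviour and the constructed scan values are this example's assumptions.

```python
"""Bad status handling in voter logic with an allowed repair time.

Added example, modelled in Python; it is not SIS module logic, a DeltaV voter
function block or Emerson code. The degradation policy (each Bad channel drops
out of the vote and the required vote count falls by one, never below 1) and
the constructed scan values are this example's assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

GOOD, BAD = "Good", "Bad"


@dataclass(frozen=True)
class Channel:
    value: float
    status: str = GOOD


@dataclass(frozen=True)
class VoterConfig:
    m: int                              # votes needed to trip, e.g. 2 for 2oo3
    n: int                              # number of input channels
    hi_trip: float                      # high trip setpoint
    scan_ms: int                        # scan rate of the SLS 1508 running this logic
    bad_repair_time_ms: Optional[int]   # allowed repair time for a Bad input; None = no limit
    # Low demand: None leaves the repair to operators. High demand: set it so the output
    # goes to the safe state when the repair cannot be completed in time; 0 trips at once.


@dataclass
class VoterState:
    now_ms: int = 0
    bad_since_ms: Dict[int, int] = field(default_factory=dict)   # channel -> first Bad time


def scan(cfg: VoterConfig, state: VoterState, inputs: List[Channel]) -> Tuple[bool, str]:
    """Evaluate one scan. Returns (output_energized, reason); False means the safe state."""
    if len(inputs) != cfg.n:
        raise ValueError(f"expected {cfg.n} inputs, got {len(inputs)}")
    state.now_ms += cfg.scan_ms

    good_values = []
    for idx, ch in enumerate(inputs):
        if ch.status != BAD:
            state.bad_since_ms.pop(idx, None)          # repair completed, clear the timer
            good_values.append(ch.value)
            continue
        since = state.bad_since_ms.setdefault(idx, state.now_ms)
        bad_for = state.now_ms - since
        if cfg.bad_repair_time_ms is not None and bad_for >= cfg.bad_repair_time_ms:
            return False, f"input {idx} Bad for {bad_for} ms, allowed repair time exceeded"

    # Degraded voting: Bad channels are excluded and the vote count shrinks with them,
    # so the SIF keeps its ability to trip on the channels that are still Good.
    bad_count = cfg.n - len(good_values)
    votes_needed = max(1, cfg.m - bad_count)
    trip_votes = sum(1 for v in good_values if v >= cfg.hi_trip)
    if trip_votes >= votes_needed:
        return False, f"{trip_votes} of {len(good_values)} Good inputs voted trip (needed {votes_needed})"
    return True, f"run: {trip_votes} trip votes, {bad_count} Bad input(s) under repair"


if __name__ == "__main__":
    # Constructed scenario: 2oo3 high trip at 100, 100 ms scan, 300 ms allowed repair time.
    cfg = VoterConfig(m=2, n=3, hi_trip=100.0, scan_ms=100, bad_repair_time_ms=300)
    st = VoterState()
    one_bad = [Channel(0.0, BAD), Channel(50.0), Channel(50.0)]
    for _ in range(4):
        print(st.now_ms + cfg.scan_ms, scan(cfg, st, one_bad))
```

Two things the model makes visible: with a repair time limit the Bad input is tolerated for exactly the configured window and then the output goes to the safe state regardless of the process value, and without a limit (the low demand choice) a persistently Bad input never forces a trip by itself, which is acceptable only when the process safety time leaves operators room to repair or to act manually.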