Copyright © 2012 Rockwell Automation, Inc. All rights reserved. Rev 5058-CO900C

黄辉 (Huang Hui), Solutions Architecture, Chongqing Branch Office
Email: Mobile:

ControlLogix in Safety Instrumented Systems (SIL2)

Safety Instrumented System
A system composed of sensors, logic solvers, and final control elements for the purpose of taking the process to a safe state when pre-determined conditions are violated.
[Figure: a reactor with pressure transmitters PT1A and PT1B; an I/P converter and flow transmitter (FT) feed the inputs and outputs of the Basic Process Control System (BPCS); the Safety Instrumented System (SIS) has its own separate inputs and outputs.]

Why Should I Care?
After Three Mile Island, but before Chernobyl, the head of the Soviet Academy of Sciences said, "Soviet reactors will soon be so safe that they could be installed in Red Square." Do you think he'd say that now?

Control System Incidents
From 'Out of Control', a compilation of incidents involving control and safety systems by the UK HSE, the primary cause by lifecycle phase:
• Specification: 44%
• Changes after commissioning: 20%
• Design & implementation: 15%
• Operations & maintenance: 15%
• Installation & commissioning: 6%

Risk Reduction
[Figure: the risk inherent in the process is reduced in stages, by the BPCS, alarms, the SIS and other (mechanical) layers, down to the tolerable risk level.]
Doing more in one layer doesn't make that layer any "better".

SIL Is a Way of Quantifying Risk
[Figure: risk, risk reduction and consequence. How likely? How severe? How often? Frequency and likelihood; the hazard of the system and hazards at different locations; hazard versus safety; consequences to safety, the environment, and economics/PR.]

SIL: Safety Integrity Level (IEC 61508)
[Figure: SIL4, SIL3, SIL2, SIL1 and SIL0 plotted as cost against risk. Labels: a way of quantifying risk; can be self-certified; risk & hazard; requires third-party certification; special.]

Safety Integrity Levels (for "demand mode" of operation)
SIL | Safety availability (%) | Probability of failure on demand (PFD) | Risk reduction factor (1/PFD)
4 | 99.99–99.999 | 0.0001–0.00001 | 10,000–100,000
3 | 99.9–99.99 | 0.001–0.0001 | 1,000–10,000
2 | 99–99.9 | 0.01–0.001 | 100–1,000
1 | 90–99 | 0.1–0.01 | 10–100
0 | Control (N/A) | – | –

Risk Assessment: Determining the SIL
Risk parameters:
• D – extent of damage. D1: minor injury. D2: serious injury to one or more persons, or one death. D3: several deaths. D4: catastrophic consequences, many deaths.
• E – exposure time. E1: rare to relatively frequent. E2: frequent to continuous.
• A – hazard avoidance / mitigation. A1: possible under certain conditions. A2: hardly possible.
• P – probability of occurrence. P1: very low. P2: low. P3: relatively high.
[Figure: risk graph. Branch on D1–D4, then E1/E2, then A1/A2; the columns P3, P2, P1 give the required SIL (0–4). The cell values survive only as the flattened sequence 0 1 0 1 1 3 3 4 0 1 1 2 3 3 2 3 1 2 4 3 4 0 0 0; their row and column order is not recoverable from this extraction.]

Layered Protection
[Figure: onion diagram, innermost layer first.]
• Process value, normal behaviour
• Process control layer: basic process control system; operator intervention; process alarms
• Safety layer (active protection, prevention): process shutdown; fault-level alarms; safety instrumented system; emergency stop
• Passive protection layer (mitigation): relief valves, dikes
• Emergency response layer: plant and community emergency response

Multiple Layers of Protection (outermost to innermost)
• Community emergency response
• Plant emergency response
• Physical protection (dikes)
• Physical protection (relief devices)
• Safety instrumented system
• Alarms, operator intervention
• Basic process control
• Process

Safety Design Lifecycle (IEC 61508 clause numbers in parentheses)
Steps performed throughout: Management, assessment, auditing (5); Verification (7).
• Hazard & risk analysis (8)
• Allocation of safety layers (9); other means of risk reduction (9)
• Develop safety requirements spec (10 & 12)
• Design & engineering (11 & 12)
• Installation, commissioning & validation (14 & 15)
• Operations & maintenance (16)
• Modification (17)
• Decommission (18)
Legend: detailed requirements given / no detailed requirements given. See also 84, Section 6.

Failure Modes
• With a safety system, the concern shouldn't so much be with how the system operates, but rather how the system fails.
• Safety systems can fail in two ways:
– Safe failures (nuisance trips): initiating, overt, spurious, costly downtime. Fail closed means lost production.
– Dangerous failures (fail to function): inhibiting, covert, potentially dangerous, must be found by testing. Fail open means a safety hazard.
• For reliability predictions to be meaningful, they must address the specific failure mode. Simply saying a system fails once in 10 years, or has an 'availability' of 99.9%, is of little value.

Fault Tolerance Requirements (see IEC 61508)
SIL | Minimum hardware fault tolerance
1 | 0
2 | 1
3 | 2
4 | 3
For field devices and non-PE logic solvers. The numbers may need to be reduced or increased by one under certain circumstances; see section 11.4.4.

Some Terms (from availability-oriented to safety-oriented; DC = diagnostic coverage)
• CLX Backup: RM2; fault tolerant; 1oo1; 'passive' redundancy
• Standard controllers: high MTBF; low DC; 1oo1
• Safety controllers: failsafe; high DC; 1oo2; SIL3
• CLX SIL2: I/O redundancy; fault tolerant or failsafe; controller backup optional
• ICS Triplex: fault tolerant; 24/7/365; 2oo3 (3-3-2-0); SIL3; fault tolerance through 'active' redundancy

SIL2 Distribution
[Figure only; no text recovered.]

ControlLogix SIL2 Requirements
[Figure: a 24 Vdc relay controlled by ControlLogix switches 24 Vdc to the load.]
User responsible for meeting 'spirit' of SIL2 reference manu
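The SIL table, the fault-tolerance table and the failure-modes point above all bear on one question: does a given safety instrumented function actually earn the SIL being claimed for it? The following Python is an added worked example, not code from the presentation or from Rockwell. It encodes the two tables as they appear on the slides and, as an assumption the slides do not state, uses the simplified IEC 61508-6 approximations for the average PFD of 1oo1 and 1oo2 voting groups in terms of the dangerous-undetected failure rate and the proof-test interval (the slides only note that dangerous failures are covert and must be found by testing). The failure rate, test interval and common-cause factor used are constructed sample values, not data for any real device, and the +/-1 adjustments to the minimum HFT mentioned on the slide are deliberately not applied.

```python
"""Demand-mode SIL bookkeeping for one safety instrumented function (SIF).

Added example, not code from the Rockwell presentation. It encodes the two
tables on the page (SIL vs. PFDavg / RRF, and SIL vs. minimum hardware fault
tolerance) and, as an assumption the slides do not state, the simplified
IEC 61508-6 approximations for the average PFD of 1oo1 and 1oo2 voting groups.
All failure rates and intervals below are constructed sample values.
"""

# SIL -> PFDavg band [low, high), demand mode, from the SIL table on the page.
# Lower PFD means higher SIL; a band boundary belongs to the lower SIL.
SIL_PFD_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}

# SIL -> minimum hardware fault tolerance for field devices and non-PE logic
# solvers, from the fault-tolerance table on the page, before any +/-1 adjustment.
MIN_HFT = {1: 0, 2: 1, 3: 2, 4: 3}


def sil_from_pfd(pfd_avg: float) -> int:
    """SIL band that contains pfd_avg; 0 means 'control', i.e. no SIL claim."""
    if pfd_avg <= 0:
        raise ValueError("PFDavg must be positive")
    if pfd_avg >= 1e-1:
        return 0
    if pfd_avg < 1e-5:
        return 4  # better than the SIL 4 band; the table has nothing higher
    for sil, (low, high) in SIL_PFD_BANDS.items():
        if low <= pfd_avg < high:
            return sil
    raise AssertionError("unreachable: bands cover [1e-5, 1e-1)")


def risk_reduction_factor(pfd_avg: float) -> float:
    """RRF = 1 / PFDavg, the right-hand column of the SIL table."""
    return 1.0 / pfd_avg


def hft_of(moon: str) -> int:
    """Hardware fault tolerance of an MooN voting group: '1oo2' -> 1, '2oo3' -> 1."""
    m, n = (int(x) for x in moon.lower().split("oo"))
    if not 1 <= m <= n:
        raise ValueError(f"bad voting architecture {moon!r}")
    return n - m


def max_sil_for_hft(hft: int) -> int:
    """Highest SIL whose minimum HFT this architecture satisfies (0 if none)."""
    return max((sil for sil, need in MIN_HFT.items() if hft >= need), default=0)


def pfd_avg_1oo1(lambda_du: float, t_proof: float) -> float:
    """Simplified IEC 61508-6 form: PFDavg ~ lambda_DU * T1 / 2 (MTTR ignored)."""
    return lambda_du * t_proof / 2


def pfd_avg_1oo2(lambda_du: float, t_proof: float, beta: float) -> float:
    """Simplified 1oo2 form with common-cause factor beta (MTTR ignored):
    independent part ((1-beta) lambda_DU T1)^2 / 3 plus common-cause part
    beta lambda_DU T1 / 2. Common cause, not the square term, usually dominates."""
    independent = (1 - beta) * lambda_du
    return (independent * t_proof) ** 2 / 3 + beta * lambda_du * t_proof / 2


def assess_sif(target_sil: int, architecture: str, lambda_du: float,
               t_proof: float, beta: float = 0.1) -> dict:
    """Check one SIF against both table criteria; the achieved SIL is the
    lower of the SIL earned by PFDavg and the SIL allowed by the HFT."""
    if architecture == "1oo1":
        pfd = pfd_avg_1oo1(lambda_du, t_proof)
    elif architecture == "1oo2":
        pfd = pfd_avg_1oo2(lambda_du, t_proof, beta)
    else:
        raise ValueError("only 1oo1 and 1oo2 PFD formulas are modelled here")
    hft = hft_of(architecture)
    sil_by_pfd = sil_from_pfd(pfd)
    sil_by_hft = max_sil_for_hft(hft)
    achieved = min(sil_by_pfd, sil_by_hft)
    return {
        "pfd_avg": pfd,
        "rrf": risk_reduction_factor(pfd),
        "sil_by_pfd": sil_by_pfd,
        "hft": hft,
        "sil_by_hft": sil_by_hft,
        "achieved_sil": achieved,
        "meets_target": achieved >= target_sil,
    }


if __name__ == "__main__":
    # Constructed sample: lambda_DU = 1e-6 per hour, yearly proof test (8760 h).
    for arch in ("1oo1", "1oo2"):
        print(arch, assess_sif(2, arch, lambda_du=1e-6, t_proof=8760.0))
```

With the sample values the 1oo1 loop lands in the SIL 2 PFD band (PFDavg 0.00438, RRF about 228) yet fails SIL 2 because its HFT is 0; the 1oo2 loop lands in the SIL 3 PFD band but its HFT of 1 caps the claim at SIL 2. That is the slide's point made concrete: PFD, hardware fault tolerance (and, beyond this example, systematic capability) are separate conditions, and doing better in one does not relax the others.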