ESD (Emergency Shutdown Device): an emergency shutdown system, mostly used in petroleum and chemical plants, is a control unit independent of the DCS. When a hazardous condition occurs in the process, it performs emergency start/stop and switching operations on equipment, the environment, and so on. The hardware is mostly high-end PLCs, handling mainly DI/DO points, and nowadays it also communicates with the DCS.
SIS (Safety Instrumented System): mainly used for high-speed rotating equipment such as steam turbines and compressors, it monitors bearing speed, vibration, displacement, temperature, etc. and protects the equipment. Originally designed as a combination of modules, it is equivalent to a combination of intelligent instruments. SIS is the safety instrumented system, ESD is the emergency shutdown system, and ESD is a part of SIS. An SIS includes three parts: field instruments, logic solvers, and actuators, all of which must be designed for safety. Conventional ESD systems cover only the logic-solver part of the SIS, but they too must be designed for safety.
Let me give an example; it may not be perfectly apt, but it helps in understanding these concepts.
Take Siemens' PCS7 system. It includes S7-400H hardware, WinCC monitoring software, Simaticnet communication software, Step 7 programming software, PDM and other intelligent-instrument tools. PCS7 is a combination of software and hardware; it is the concept of a system. The same principle applies to SIS. Essentially, the hardware of an SIS includes not only the SIS controllers and I/O (such as Triconex, HIMA, Siemens 400FH). It should also include all the input components that interface with the controller, such as sensors, transmitters, and detection devices that have obtained TUV SIL certification; and all the output components, such as TUV SIL certified actuators (hydraulic, pneumatic and electric safety actuators), as well as certified field equipment. Strict field requirements demand that the valve body also carry a TUV certificate. For example, safety valves in nuclear power plants must not only pass boiler and pressure vessel quality inspection, but also hold nuclear inspection certificates and TUV safety certificates that clearly state the SIL level.
So, let us now understand that the safety controller (currently the most accurate term) is just one part of the SIS hardware. Manufacturers of safety controllers include Triconex, HIMA, Siemens, Moore, ICS, ABB, Emerson, etc. These safety controllers are called ESD when used for emergency shutdown. For fire detection and gas alarm in oil and gas fields, they are called F&GS. For combustion control in hazardous environments, they are called BMS. ESD, F&GS and BMS do not refer to Triconex, HIMA, or their controllers; rather, the safety controllers from these manufacturers are used in these different situations for different purposes, and so they carry these different names.
Next time someone asks you why Triconex is sometimes called ESD, sometimes PSD, sometimes F&GS, sometimes BMS, and also SIS, you should understand what is meant. These are all safety controllers, or safety control systems, or what the IEC standards once called safety-related programmable electronic systems (PES).
When used in an application called ESD, it is ESD; when used in an application called F&GS, it is F&GS.
SIS, on the other hand, is a complete, systematic concept; as the name says, it is a holistic concept, a system.
Overall safety is built on top of the complete safety mechanism, including safety controllers (such as ESD, F&GS, BMS, etc.), safety instruments, safety actuators, safety software (function block libraries, interlock specifications), and even "safety communication functions" (rarely referred to by that name at present).
The overall concept of SIS should also include the specifications that run through the entire life cycle of the safety control system: initial design; construction and commissioning; trial operation, evaluation and validation; subsequent maintenance; and decommissioning at the end of the safety life cycle.
In short, the concept of SIS is very complete and vast. The first to get dizzy from it is always the design institute, and the design institute then fools the owner into getting dizzy too.
And many people who have worked on SIS and ESD for several years still have rather vague concepts.
Why has the concept of SIS been mentioned more often in bidding in recent years? Strictly speaking, an ESD alone is not necessarily a complete SIS control system. ESD is only one link in the SIS, though it is the most important link in terms of physical hardware. That is why many people believe SIS is ESD and ESD is SIS.
With an ESD plus a lot of peripheral supporting equipment, an SIS control system can be formed. What users want is a complete safety control system, so in recent years bidding specifications have called it SIS. To be honest, it is the same medicine under a new label, but at least it shows that our users have made progress in the overall concept of safety. Whether they were led into it or improved on their own, progress is progress. Similarly (I once heard from a well-known DCS sales deputy manager that Siemens' DCS, PCS7, is the S7-400 PLC, and the S7-400 PLC is PCS7 DCS), many things are not simply equivalent!
ITCC: control of high-speed rotating equipment, such as steam turbine unit control, air compressor control, and blast furnace blower control. Even turbine engine control and gas turbine control are separate concepts. For example, Triconex's controller can do not only ESD and F&GS but also ITCC. Systems based on SIS concepts such as ESD and F&GS require certification and must have a TUV SIL level certificate; for ITCC, TUV certification is not necessary. The same thing from the same family has different names because it has different uses in different situations. By the same token, if you have an extremely large budget, you can use a Triconex system as a PLC or as a small DCS, and at that point calling Triconex a PLC or a DCS is also acceptable. CCC does ITCC, not ESD; Yokogawa's and Emerson's safety systems mainly do only ESD and F&GS, not ITCC; Triconex does both ESD and ITCC.
SIS: safety instrumented system. ESD: emergency shutdown; it is commonly called ESD in the petrochemical industry, HIPPS on high-pressure pipelines, FSSS on boilers, and ETS on steam turbines.
ESD is a part of SIS and is an important component of it: SIS = ESD + intermediate wiring + field instruments and actuators. Calling the ESD alone "SIS" is not a very reasonable name.
Nowadays many projects require the SIS to reach SIL3. It is not enough for the ESD alone to reach SIL3; the field instruments must also reach this level, and the entire control loop must reach SIL3.
When ESD first entered China, ICS was probably doing well, followed by Honeywell, then Triconex represented by Kangjisen, and HIMA only came in after 2000. Recently, Triconex and HIMA seem to have gained more market share.
In addition, ITCC is a term proposed by Kangjisen. Because it conflicts somewhat with the contents of IEC 61508 and IEC 61511, the design institutes are said to have started renaming it CCS. By analogy with the ETS+DEH mode in the power industry, I personally believe it is better to separate control and protection for compressor control.
In terms of the PCS (Process Control System) of an oil refinery, the overall control system is composed of DCS, ESD, CCS, MMS, and CGTCS. The DCS is responsible for the core control. ESD (Emergency Shutdown Device), the emergency shutdown system (including SOE), is independent of the DCS and is a Safety Instrumented System (SIS); it achieves protection mainly by emergency shutdown of pipelines and equipment when hazardous conditions occur in the process. In system structure and communication it is designed differently from the DCS, using a 2oo3-voting Triconex system, HART communication, and Ethernet communication with the DCS. To ensure coordinated and safe operation of the whole plant, the ESD system also needs to communicate with the CCS (compressor control system), MMS (machine monitoring system), CSTCS (gas turbine control system), and MCC (motor control center) to meet the safety protection requirements.
SIS is the safety instrumented system, and ESD is a part of it. An SIS includes three parts: field instruments, the ESD system, and emergency on/off valves. It uses HART + 4-20 mA connections, and each ESD loop must undergo SIL assessment. To achieve SIL2 or SIL3, for example, two solenoid valves are used to control an emergency on/off valve, three differential pressure transmitters measure the same level, or one radar and one ultrasonic instrument measure the same level. Of course, SIL calculation and verification are necessary to ensure that the system meets the requirements.
What are the definitions and differences of instrument safety levels, SIL1, SIL2, and SIL3?
Since an SIS involves the safety of personnel, equipment, and the environment, various countries have established standards and specifications to standardize the design, manufacture, and use of SIS, and there are authoritative certification bodies to confirm the safety level a product can achieve. These standards, specifications, and certification bodies mainly include:
The industry standard SHB-Z06-1999, "Design Guidelines for Emergency Shutdown and Safety Interlock Systems in the Petrochemical Industry", formulated by China Petrochemical Group.
In 2006 and 2007 the Chinese national standards GB/T 20438 and GB/T 21109, equivalent to IEC 61508 and IEC 61511, were released in succession, and China's functional safety work began to be standardized by these functional safety standards.
The IEC 61508/61511 standards, developed by the International Electrotechnical Commission in 1997, give clear requirements for the hardware, software, and application of safety interlock systems built from electromechanical equipment (relays), solid-state electronic equipment, and programmable electronic equipment (PLCs).
ISA-S84.01-1996, "Application of Safety Instrumented Systems in the Process Industry", developed by the Instrument Society of America (ISA).
AIChE (CCPS) 1993, "Guidelines for Safe Automation of Chemical Processes", developed by the American Institute of Chemical Engineers.
HSE PES-1987, "Application of Programmable Electronic Systems in the Field of Safety", developed by the UK Health and Safety Executive.
The German national standards include the safety system manufacturer standard DIN V VDE 0801, the process operation user standards DIN V 19250 and DIN V 19251, and the combustion management system standard DIN VDE 0116.
The German Technical Inspection Association (TÜV) is an independent and authoritative certification body that classifies ESD safety levels into AK1 to AK8 according to the German national standard (DIN), AK8 being the highest. AK4, AK5, and AK6 are the classes for SIS products used in the petroleum and chemical industries to obtain TUV certification.
Different industrial processes (differing in production scale, types of raw materials and products, complexity of process and equipment, etc.) have different safety requirements. The international standards above classify these into several Safety Integrity Levels (SIL).
Safety Integrity Level (SIL) is a discrete level used to specify the safety integrity requirements assigned to the safety functions of an E/E/PE safety-related system.
Safety integrity is divided into four levels: SIL4 is the highest level (with the highest average probability of performing its safety function) and SIL1 the lowest. The higher the safety integrity level, the higher the probability of performing the required safety function. According to how the safety-related system is used, the demand frequency is divided into low demand mode (<=1 demand/year) and high demand or continuous mode (>1 demand/year).
According to the GB/T 20438 standard, the target failure probability and target risk reduction of safety integrity under different operating modes are shown in Tables 1-1 and 1-2 below.


It is possible to combine several systems of lower safety integrity levels in different architectures to meet the needs of a higher safety integrity level function (for example, using one SIL2 and one SIL1 system together to meet the needs of a SIL3 function).
Different production processes (production scale, types of raw materials and products, complexity of process and equipment, etc.) have different safety requirements. The prerequisite for deciding whether an SIS is needed for a specific process, and at what level, is to carry out a risk assessment of that process: conduct a hazard and operability analysis (HAZOP), identify the corresponding safety instrumented functions (SIF) and their safety interlock loops, and, from the frequency of the risk and the severity of its consequences, assign a SIL value to each SIF. Once the integrity level (SIL) of a safety instrumented function has been determined, configure the appropriate SIS accordingly.
From Table 1-3 it can be seen that if the SIF required for a certain process is assessed as SIL 2, an SIS of AK4 configuration is sufficient, and its probability of failure on demand (PFD) lies between one hundredth and one thousandth. It should be noted that an SIS of a given safety level only guarantees a PFD within a certain range. The higher the safety level of the SIS, the smaller the PFD, and thus the lower the likelihood of an accident; it cannot, however, change the consequences of an accident. Therefore, the assessment of the process safety integrity level is a very important task. At present, however, there are no Chinese standards or regulations for assessing safety integrity levels, while international and foreign standards provide certain evaluation methods. The risk matrix method introduced below is given for reference.
This method uses the likelihood (frequency) and severity of process accidents as the risk assessment indicators, quantifies frequency and severity into several levels by judgement, and builds them into a matrix (see Table 3) from which the safety integrity level of the process is determined.

The SIL level is not something you configure; it is calculated. The SIL level of a system means it can be applied to situations of that SIL level, and of course a system that reaches SIL3 can also be used in SIL2 situations. Moreover, according to IEC 61508, an SIS (Safety Instrumented System) requires not only that the control system has a SIL level, but also that the field instruments and valves have a SIL level. It is not only that every component making up a control loop (monitoring instruments, control system, actuators, etc.) must have a SIL level; the PFD of the entire control loop must also be calculated. If the calculated PFD falls within the SIL2 range, the control loop has reached SIL2. Whether a control loop is required to be SIL2 or SIL3 is based on an analysis of its importance within the whole production facility, its impact on safety, and other aspects.
In China, however, all this has been simplified by people on all sides: field instruments and actuators are ordinary ones without SIL levels, only the control system is required to have a SIL level, and there is no calculation of which SIL level is actually needed. In the petrochemical industry, SIS has simply been upgraded to SIL3.
Reprinted from official account: Process Equipment Instrument Electrical
Mega-tek Instrument Classroom