800xa high integrity - fgs bms applications alaska … · flexible report creation and ... case of...

800 A Hi h I iLuis M. Duran, Prodict Marketing Manager Safety Systems, February 2012

800xA High IntegrityFGS and BMS ApplicationsFGS and BMS Applications

© ABB Group February 27, 2012 | Slide 1© ABB Group February 27, 2012 | Slide 1

Content

800xA High Integrity Overview 800xA High Integrity Overview

Fire & Gas Systems

S Burner Management Systems

Safety Standards and BMS

Conclusions

© ABB Group February 27, 2012 | Slide 2

Access to information…Seamlessly and in context


Thanks to a Common Operation Environment…Operator can take timely action…Operator can take timely action

Monitor the Process and respond to Abnormal Conditions


Protection is implemented in multiple layers

SIL 2

SIL 3

SIL 0-1

SIL 2


System 800xA HI – Integrated SafetyCustomer value of integration available todayCustomer value of integration – available today

Same operations Centralized

Historian andPlant-wide Sequence of Events

interface and engineering

Historian and Data Archiving

Common system therefore reduced

spare parts trainingspare parts, training etc…

Centralized Historian and

Process control and safety running inHistorian and Data Archivingsafety running in

separate controllers

Centralized Historian and

D t A hi i

Common, integrated asset management

strategyData Archivingstrategy


800xA High Integrity – SIL3 CertifiedCertificateCertificate

Also NFPA certified for F&G and BMS

SIL3 Certified


800xA High IntegrityDiverse Architecture Diverse ImplementationDiverse Architecture, Diverse Implementation

The SIL 3 800xA High Integrity controllerAC800M HI The SIL 3 800xA High Integrity controller has parallel processing paths based on diverse technology

I t it ti b t th

PMCBSIL3

AC800M HISIL3

Integrity voting between paths compliments the built in active diagnosticsSM Safety I/O SIL3

Controller and Supervision Module developed by diverse (different) teams (Vasteras and Malmo, Sweden) and 0SFF (%) 1

HFT

tested by a third team (Oslo, Norway) by people with different backgrounds

The two channel architecture meets SIL390 - 9960 - 90< 60

SIL 3SIL 2SIL 1

SIL 1SIL 2SIL 3SIL 4> 99 The two channel architecture meets SIL3

requirements for hardware fault detection and reaction

1oo1D 1oo2D


IEC61508-2 Table 3

What do you mean Diversity?Example of Embedded DiversityExample of Embedded Diversity

S ft di it i Embedded Diversity offers Software diversity in logic solver

PM865 & SM811

Embedded Diversity offers a significant contribution to overall system integrity.

PM865 & SM811

Different operating systems

Different base software

i.e. to execute the same logic on / in diverse ways / software,

layers

Different un-packing procedures

Different development and testing teams with different background in several locations

Etc…

9

What do you mean Diversity?More on Embedded DiversityMore on Embedded Diversity

Hardware diversity in S800 High Integrity I/O modules

Each IO module has two diverse execution paths based on different hardware technology

MCU d FPGA ti l MCU and FPGA respectively

Each individual single IO module has an internal 1oo2 architecture

AC800M High Integrity Redundant Controller ConfigurationRedundant Controller Configuration

SM811 BC810 PM865 Redundant I/OTB 840

Optical Modulebus

RCU LinkCEX bus


SecuritySystem Security And Embedded FirewallsSystem Security And Embedded Firewalls

Provides functions for protection of SIL Provides functions for protection of SIL classified applications in AC800M HI Controllers

SIL Access Control and Authorization

Force Control / Override Control /Force Control / Override Control / Bypass Management

Confirmed Online Write / Confirmed O tiOperation

Embedded firewalls and confirmation procedures protect the SIL application p p ppfrom inadvertent / accidental control actions


More Efficient and Effective TroubleshootingSafety relevant information is readily availableSafety relevant information is readily available

Alarms Events Audit Trail and Alarms, Events, Audit Trail, and SOE displays for root cause analysis

Real-time information

Standard functionality for inhibiting of specific safetyinhibiting of specific safety functions

Status supervision of Safety S t El tSystem Elements

Flexible Report Creation and Schedulingg

Valve Leak Test, Verification, Automatic Shutdown Reporting SIL statusReporting, SIL status


Installed BaseInstallations Across The GlobeInstallations Across The Globe

ABB’s intimate knowledge of and experience ABB s intimate knowledge of and experience from all conceivable locations, environments and applications directly benefits end-users

With more 30 years on the market the With more 30 years on the market the installed base is spread across

…more than 55 countries…

…on all continents and across all regions…

…and all traditional safety systems More than 3,000 controllers sold since initial release in industry segments such as oil & gas,

petrochemical and chemical industries…

…as well as more non-traditional safety “Reducing risk where it is

sold since initial release in January 2005

systems industry segments such as pulp & paper, semiconductor and minerals & mining facilities.

gneeded…”


U1

U1 How many BMS and how many FGS?USLUDUR, 2/15/2012

Fi d G S tFire and Gas Systems


Fire & Gas System – F&GMain IndustriesMain Industries

Offshore Industry Offshore Industry

Marine

Refineries Refineries

Oil plants

Gas treatment plantsGas treatment plants

Petrochemicals

ChemicalsC e ca s

Electrical Power Industry


Fire & Gas System – F&GApplication CharacteristicsApplication Characteristics

Designed to provide monitoring warning and mitigation in Designed to provide monitoring, warning and mitigation in case of detection of smoke, gas discharge or breakout of fire

Detection – Automatic detection of presence of smoke or fire by monitoring smoke, heat, flame, light or other products of combustion

Announcement – Audible and/or visual warning by means of sounders, flashing light, public addressing system or similarsyste o s a

Containment – Preventing or reducing spread of fire and smoke to adjacent areas in a building/plant

Extinguishment – Utilization of fire fighting equipment and media such as water, foam, CO2 etc.


Fire & Gas System – F&GSystem Configuration ExampleSystem Configuration Example

Living Quarters

Control Room

Serial C

Local Fire Alarm System

Communication link

HVAC

Addressable Fire detection loop Sprinkler

Gas Processing


Fire & Gas System – F&GTypical Functional RequirementsTypical Functional Requirements

Usually divided into fire areas by geographical locationUsually divided into fire areas by geographical location Hierarchical structure

Overview display D t il d t ti f h d t t ith d t il d t t i f ti Detailed presentation of each detector with detailed status information

All alarms and overrides presented in one display Inhibits and override functionality

Specific detectors or a group Manual activation from call points in the field or by operator release commands

from the control room Voting mechanisms used on input channels to avoid spurious trips

1oo2, 2oo3, 2ooN Communication possibilities with addressable F&G stationsp Safety Integrity Level

Typically SIL2


Fire & Gas System – F&G800xA HI Safety Certified Libraries800xA HI – Safety Certified Libraries

Supervision Library Fire & Gas Library Supervision Library

Detector input

System control and

Fire & Gas Library

Modules for monitoring and controlof protection systems

CO2y

monitoring

Output handling

Overview presentation

CO2

Deluge

Sprinkler Overview presentation

Libraries enable significant savings during engineering

Sprinkler

Override functionality built into the modules to supervise the use of Force, Inhibit, Disable, and Manual Mode


Disable, and Manual Mode

Fire & Gas System – F&G800xA HI Operator Display800xA HI – Operator Display

Platform Overview

L11

L12

M21 M22 M23

D11

L13M10 M11 M12

Displays organized in a hierarchy levelsNot only the condition of the detectors but also the

h i l l ti

FIRE

1. Site overview display (the top level display)

2. At least one level of group of areas

physical location


3. Area detail displays (the bottom level)

Fire & Gas System – F&G800xA HI Display Structure

SiteGroup

Overview

800xA HI – Display Structure

SiteOverview

Overview

Group overviewGroup overview

Area Area

Site overview

Area

Area

Area

Area

Detector

AreaOvreview

Faceplate


Fire & Gas System – F&G800xA HI Application Structure800xA HI – Application Structure


Fire & Gas System – F&G800xA HI More Key Benefits

Easy integration of addressable fire & gas

800xA HI - More Key Benefits

Easy integration of addressable fire & gas systems

Built-in Control Modules for certified serial communication

High Integrity Instrumentation

Ü Wide range of SIL-rated TÜV Certified ABB sensors and valve positioners

Instrumentsst u e ts

Pressure(2600T series)

Temperature (TH series)p ( )

Flow (Coriolis)

Positioners (TZID-C)


B M t S tBurner Management Systems


BMSMain IndustriesMain Industries

Power Generation

Thermal Power Plants

District Heating

Pulp & Paper

Petrochemicals

Chemical Plants

Etc…


Burner Management System – BMSApplication CharacteristicsApplication Characteristics

Designed to prevent explosionsDesigned to prevent explosions Improve plant operation by providing safe

and reliable... Start-up (Continuous demand)p ( ) Operation (Low demand) Process and emergency shutdowns

From a simple to complex From a simple to complex,multi-burner process-fired heater unitor power generation boiler

Different Fuel Types Applicable Standards

IEC61508 EN298EN298 NFPA 85


Burner Management System – BMSTypical FunctionalityTypical Functionality

Purge Commence Confirmation - Requirements Purge Commence Confirmation - Requirements

Drum Level Ok, All Burner Valves Ok, ControlEnergies Ok, Fuel Systems Healthy, OxygenAnalyzer Healthy,All Igniter Systems Off, NoFlame Detected

Preventing Unburned Fuel Entering Furnace

Monitoring of Valve Positions

Flame Monitoring (On-line)

Oxygen Analyzer Monitoring (On-line)

Emergency Shutdowns / Trips Emergency Shutdowns / Trips

Activate inerting System

De-energize all ignition sources and valves

Manage fans (depending on cause of trip)

Monitor Start-Up Sequence

Purge Completed → Leak Check of Fuel System → Start Igniter /


Burner

Monitor Shut-Down Sequence (Reverse of Start-Up)

Burner Management System – BMSTypical Trip CausesTypical Trip Causes

Master Fuel Trip (MFT) Master Fuel Trip (MFT) Fuel System Problem

Combustion Air Flow Low

L f f Loss of fans

Excessive furnace pressure

All fuel inputs zero

Loss of flame

Manual trip switch activated

Igniter Trip Loss of igniter flame

Igniter fuel pressure unstable

Burner Tripp Loss of burner flame

Burner valves out of position


Burner Management System – BMSTypical Functional RequirementsTypical Functional Requirements

Enable quick response to operational conditions through easy access Enable quick response to operational conditions through easy access to information during all sequence steps

Enable maintenance and test procedures without compromising process safetyprocess safety

Bypass management

Controlled access to bypasses, normally prohibitedControlled access to bypasses, normally prohibited

Monitoring and Proof Testing

Valve Stroke Test

Verification of integrity of instrumented functions

Safety Integrity Level

SIL2 or SIL3

Have you performed a Safety Assessment?


Burner Management System – BMS800xA HI Example System Configuration

Operator Workplace

Operator Workplace

800xA HI - Example System Configuration

Emergency Off Pushbutton

WorkplaceWorkplace

AC800M HI AC800M

DCS Controller

BMS Controller


Boiler Management System – BMS800xA HI More Key Benefits800xA HI – More Key Benefits

Easy Implementation Supported Languages SIL2 SIL3 Easy Implementation IEC 6-1131-3 supported

languages

SupervisionBasicLib

Supported Languages SIL2 SIL3

Function Block Yes Yes

Structured Text Yes YesSupervisionBasicLib

Display Structure Shutdown System Overview through standard graphic elements

Fle ible displa design to red ce time to decision and action

Sequential Function Chart Yes No

Flexible display design to reduce time to decision and action

Bypass management and Forced Control

Sequence of Events

Information Management for safety Shutdown reports

Valve operation reportsp p

Asset Optimization for monitoring3


S f t St d d d BMSSafety Standards and BMS


Evolution of Safety Standards

1995 2005PRESCRIPTIVE STANDARDSnt

erna

tiona

l

1995

IEC SC 65 IEC 61508

ISO 10418

1995Draft

1993

1999

2005

IEC 61511 2003

PRESCRIPTIVE STANDARDSIn

Ger

man

y DIN VDE 0801

DINVDE 19250

1991

1989

UK HSE PES

OHSA CFR

1987

1992

USA

1910.119

ISA dS84.01

API RP14C

1995Draft

1974

ANSI/ISAS84.01

1996

ANSI/ISAS84.00.01 (IEC 61511 Mod)

2004

974,

Flix

boro

ugh

976,

Sev

eso

984,

Bho

pal

986,

Che

rnob

le

988,

Pip

er A

lpha

989,

Pas

aden

a

PERFORMANCE STANDARDS

© ABB Control SystemsFebruary 27, 2012 | Slide 51

1 1 1 1 1 1

BMS StandardsPrescriptivePrescriptive

Prescribe materials procedures and methods Prescribe materials, procedures and methods, focusing in the constructive characteristics of the resulting system, usually not stating explicitly any system goals or objectivesexplicitly any system goals or objectives

Tell us what to do

NFPA 85 (Boiler and Combustion SystemsNFPA 85 (Boiler and Combustion Systems Hazards Code)

API 556 (Instrumentation and Control S t f Fi d H t d StSystems for Fired Heaters and Steam Generators)

FM 7605 (Approval Standard for PLC ( ppBased Burner Management Systems)

BLRBAC recommended good practices

BMS StandardsPerformance basedPerformance-based

State goals and objectives to be achieved State goals and objectives to be achieved, and methods or procedures to demonstrate that the resulting system meets the goals and objectivesand objectives

Tell us how to proceed

IEC 61508IEC 61508

IEC 61511/ISA 84.00.01

Pros and ConsPrescriptive StandardsPrescriptive Standards

Benefits Benefits Easy to apply (must follow rules) Usually cheap (do not require HRA etc.) Certainty about compliance (do’s or dont’s) User decisions are limited No commitment regarding tolerable risk levelsNo commitment regarding tolerable risk levels

Problems Lack of flexibility to introduce new technologies and

innovationsinnovations Safety problems may be overseen if not considered by the

standard Usually the time variable is not considered Usually the time variable is not considered User decisions are limited Does not give directions on safety system integrity

Pros and ConsPerformance based standardsPerformance-based standards

Benefits Benefits

Flexibility (many systems can be built which solve a given problem)

Thoroughly coverage of risks (by risk analysis methods)

Maintenance and testing considered in calculations

Provide a validation target Provide a validation target

Requires justification of decisions based on objective information

Problems

More difficult and expensive to implement (HRA, FSMS, tests, etc.)

Demonstration of safety level achieved may be expensive too

Requires justification of decisions based on objective informationinformation

Requires user decision about risk tolerance (!)

What do experts say…?

“Independency Consideration for BMS and BCS” (D Lee Independency Consideration for BMS and BCS (D.Lee, paper presented at ISA 2006)

“Physical separation of logic solvers does not ensure a safe logic design.”

“Product listing or labeling does not ensure a safe system design ”system design.

“Designer’s responsibility to consider all possible failure modes and effect that each failure have on the integrity

f th l i t th f t f th it b iof the logic system, the safety of the unit being protected and the safety of the plant personnel”

What do experts say…?

“Industry update: Safety Instrumented Burner Management Industry update: Safety Instrumented Burner Management Systems” (M.Scott, paper presented at ISA 2004)

“Burner Management Systems […] are all defined SIS if they contain sensors a logic solver and a final controlthey contain sensors, a logic solver and a final control element according to ANSI/ISA 84.01.”

“FM Approval Standard 7605 requires that PLC based BMS must comply with IEC 61508 ”BMS must comply with IEC 61508.”

“A BMS can be designed that meets all requirements of the prescriptive standards such as NFPA 85 or 86 and

t ill NOT ti f th i t f SIS ”yet will NOT satisfy the requirements of a SIS.”

“Is a BMS a SIS?” (M.Scott, ISA webinar, 2007)“A BMS is a SIS if the risk analysis determines that A BMS is a SIS if the risk analysis determines that additional risk reduction is required and a SIL 1 or greater is assigned to a BMS SIF”

Conclusion

It’s possible to provide a true integrated control and safety system while maintaining functional independence between y g pprocess control and safety control

Diversity reduces common cause failures

Even in the integrated environment

800xA High Integrity software libraries simplifies the implementation of Fire and Gas Systemsimplementation of Fire and Gas Systems

ABB’s broad product portfolio and partnership enable a comprehensive F&G solution

800xA High Integrity is certified against multiple safety standards including NFPA 85 and 86

Safety Standards moved from Prescriptive to Performance Safety Standards moved from Prescriptive to Performance Base

NFPA 85 is Prescriptive but allows alternative ways to determine risk and risk reduction using ISA84/IEC61511


Is the “Integration” part of the Certification Process?Absolutely It’s Interference Free

PPAOperation ClientOperation Client

Absolutely , It s Interference Free

Engineering Client

Engineering Client

DO880

DI880AI880TB840

Control Network

High Integrity I/OHigh Integrity I/OHigh Integrity Controller

High Integrity Controller

Optical Modulebus

CI854

SM811

PM865

BC810

CEX-bus interconnection Modulebus

Safety certified

© ABB GroupFebruary 27, 2012 | Slide 62 SM811 Synchronization link (RJ45)

RCU linkProfibus Safety relevant

Interference-free

Engineering SIL Compliant Application EnvironmentSIL Compliant Application Environment

The engineering tool the Control The engineering tool, the Control Builder M, will automatically limit user configuration choices to ensure integrityintegrity

Safety functions protect and control download to the process and runtime

i tenvironment

Download is prevented unless all SIL requirements are metq

Embedded firewall mechanisms include

CRC protection on different levels

Double code generation with comparison


comparison

Compiler with revalidation

Grandfather clause (ISA S84.00.01)

“For existing SIS designed and constructed in accordance For existing SIS designed and constructed in accordance with codes, standards, or practices prior to the issue of this standard (e.g., ANSI/ISA-84.01-1996), the owner/operator shall determine that the equipment is designedshall determine that the equipment is designed, maintained, inspected, tested, and operating in a safe manner”

It would imply…

Risk analysis to be done

V ifi ti th t i ti t d t l dd Verification that existing systems adequately addresses the defined risk level

Documentation of conclusions and decisions

Review and upgrade system (if needed)

800xa high integrity - fgs bms applications alaska … · flexible report creation and ... case of...

Documents