SIS-OW351 - 45 - Ovation SIS Safety Manual


Ovation SIS Safety Manual

OW351_45

Version 1
March 2014
(SIL3 Certified July 2012)
Copyright Notice

Since the equipment explained in this document has a variety of uses, the user and those
responsible for applying this equipment must satisfy themselves as to the acceptability of each
application and use of the equipment. Under no circumstances will Emerson Process
Management be responsible or liable for any damage, including indirect or consequential losses
resulting from the use, misuse, or application of this equipment.

The text, illustrations, charts, and examples included in this manual are intended solely to explain
the use and application of the Ovation™ Unit. Due to the many variables associated with specific
uses or applications, Emerson Process Management cannot assume responsibility or liability for
actual use based upon the data provided in this manual.

No patent liability is assumed by Emerson Process Management with respect to the use of
circuits, information, equipment, or software described in this manual.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any
form or by any means, including electronic, mechanical, photocopying, recording or otherwise
without the prior express written permission of Emerson Process Management.

The document is the property of and contains Proprietary Information owned by Emerson Process
Management and/or its subcontractors and suppliers. It is transmitted in confidence and trust, and
the user agrees to treat this document in strict accordance with the terms and conditions of the
agreement under which it was provided.

This manual is printed in the USA and is subject to change without notice.

Ovation is the mark of Emerson Process Management. Other marks are the property of their
respective holders.

Copyright © Emerson Process Management Power & Water Solutions, Inc. All rights reserved.
Emerson Process Management
Power & Water Solutions
200 Beta Drive
Pittsburgh, PA 15238
USA

E-Mail: Technical.Communications@Emerson.com
Web site: https://www.ovationusers.com
Contents

1 Ovation SIS Safety Manual 1
1.1 Ovation SIS Safety Manual Overview 1

2 Certification Coverage 3
2.1 Certified Components 3
2.2 SIL Applicability 4
2.2.1 De-energized-to-trip Applications 4
2.2.2 Response Time Data 4

3 SIL Verification 7
3.1 SIL Verification Tool - Exida exSILentia Tool (SILVer) 7

4 Restrictions: SIS Logic Solver Specification 9
4.1 Specification Restrictions 9

5 Restrictions: All Logic Solver Systems 11
5.1 Restrictions 11

6 Special Features: SIS Logic Solver Specific 13
6.1 Special Features 14

7 Limits 15
7.1 Product Life 15
7.2 Environmental Conditions 15
7.3 Application Configuration Limits 15

8 Recommendations for Management of Functional Competency 17
8.1 Recommendations 17

9 Energized-to-trip Applications 19
9.1 Safety Integrity Levels (SILs) for Energized-to-trip Applications 19
9.1.1 Energized-to-trip Applications (with Inverted Logic) 20
9.1.2 Energized-to-trip Applications (with Auxiliary Relay) 20
9.2 High Demand Mode 21
9.2.1 Response Time in High Demand Mode 21
9.2.2 Other Considerations for High Demand Mode 21

10 Required Practices 23
10.1 Required practices overview 23
10.1.1 Installation and Site Acceptance Testing 23
10.1.2 Managing Changes in the Ovation SIS Runtime System 23
10.1.3 Fire and Gas Applications 29
10.1.4 Burner Management System Applications 30
10.1.5 Using HART Two-state Output Channels and Digital Valve Controllers 30
10.1.6 Using Non-secure Parameter References in SIS Modules 30

Index 33

SECTION 1

1 Ovation SIS Safety Manual

IN THIS SECTION

Ovation SIS Safety Manual Overview 1

1.1 Ovation SIS Safety Manual Overview

This document contains important information on how Ovation SIS is to be used in a safety
instrumented system to place and/or maintain the equipment under control in an appropriate
state. The guidelines in this document must be followed when using Ovation SIS in a safety-
critical application.

To determine whether this document is the most recent revision applicable to a particular revision
of the Logic Solver, compare the version information shown on the cover of this document with
the information given at the following website:

http://www.emersonprocess-powerwater.com/ovationsis/

SECTION 2

2 Certification Coverage

IN THIS SECTION

Certified Components 3
SIL Applicability 4

2.1 Certified Components

The information in this document applies to the following hardware and software components of
Ovation SIS:

SIS components

RATINGS            COMPONENT
Safety Rated       Logic Solver hardware module revision 4.xx.
                   Logic Solver firmware revision 1.xx.xx.xx cr.
                   Logic Solver firmware revision 2.xx.xx.xx cr.
                   Logic Solver firmware revision 3.xx.xx.xx cr.
                   ETA Relay Module, KJ2231X1-BA1-PW
                   DTA Relay Module, KJ2231X1-BB1-PW
                   Relay Diode Module, KJ2231X1-BC1-PW
                   Voltage Monitor, KJ2231X1-EB1-PW
Safety Relevant    SISNet Repeater hardware module.
                   SISNet Repeater firmware.
                   Logic Solver simplex termination block.
                   Logic Solver redundant termination block.
                   Ovation SIS Data Server hardware.
                   Ovation SIS Data Server firmware.
                   Ovation Developer Studio.
                   Ovation Control Builder in SIS module context.
Interference-Free  All other Ovation and Ovation SIS hardware, firmware, and software
                   components not listed above.

2.2 SIL Applicability

According to IEC 61508, Exida has certified the Ovation SIS Logic Solver hardware and firmware
as SIL3 capable with a maximum Safety Integrity Level of three (3). The SIL3 capability rating
applies to both simplex and redundant Logic Solvers. Redundancy increases availability;
however, it does not increase safety.

The Ovation SIS Logic Solver is certified for use in both the low demand and high demand modes
of operation as defined by IEC 61508.

2.2.1 De-energized-to-trip Applications

In de-energized-to-trip applications, the advanced architecture of the SIS Logic Solver achieves
SIL3 safety in a simplex hardware module. A simplex SIS Logic Solver provides the hardware
fault tolerance and safe failure fraction to meet the SIL3 architectural requirements. A redundant
SIS Logic Solver increases availability and reduces false trips to meet the SIL3 architectural
requirement.

The SIL3 rating applies to both low and high demand modes of operation. In a de-energized-to-
trip application, the safe state for all output channels of a given Safety Instrumented Function
(SIF) is off or low. This corresponds to the safe state of output channels if the SIS Logic Solver
needs to remove power in response to a dangerous failure being detected by its advanced
diagnostics. Refer to Engineering Practices in the Ovation SIS Accessories Safety Manual for
configuration guidelines for de-energized-to-trip applications.

When the high power discrete outputs are needed, the following two standard product options that
utilize external relay modules as part of the Logic Solver subsystem are used:
• SIL3, if line monitoring is not needed.
• SIL2, if line monitoring is needed.
SIS module configuration techniques do not change when the auxiliary relays are used in a de-
energized-to-trip application.

2.2.2 Response Time Data

The response time for a SIF must be less than the process safety time. The SIF has a response
time associated with the sensor, Logic Solver, and final element subsystems. The sum of all the
values of response time must be less than the process safety time. The response time of the
Logic Solver subsystem is the time between any change on a SIF input channel that should result
in a trip and the time that the output channel or channels change to the tripped state. The time is
measured from one screw terminal to another screw terminal.

The configured scan rate of the Logic Solver that contains the SIS module logic for the SIF and
the fault presented in the Logic Solver impact the response time. There is some variability in the
Logic Solver due to the alignment of the change at the input screw terminal and I/O scanning in
the Logic Solver. The following table shows the maximum values of the response time:

Maximum Logic Solver Response Time with No Faults Present

LOGIC SOLVER SCAN RATE    MAXIMUM RESPONSE TIME VALUE WITH NO FAULTS PRESENT
(MILLISECONDS)            (MILLISECONDS)

50                        175
100                       275
150                       375
200                       475

Although the probability of an undetected fault being present at the time of demand is extremely
low, you must assume that a fault may be present when allocating the response time for the Logic
Solver subsystem. At the time of demand, a fault, such as a stuck-on output channel, delays the
trip by the time taken by the Logic Solver to determine that the channel has not gone off and to
initiate a reset to remove power. The maximum fault detection or reaction time for any scan rate is
400 milliseconds. Therefore, you must allocate the response time for the Logic Solver subsystem
as 575 milliseconds for a Logic Solver whose scan rate is 50 milliseconds.

Note the following items regarding response times for the Logic Solver subsystem:

1. The response time does not increase if an input channel of the SIF is on a Logic Solver that
does not drive outputs.
2. If there are multiple SIS modules involved in the SIF that communicate using the secure
parameters, the maximum response time increases by the scan rate of the Logic Solver that
contains the secure parameter (not the secure parameter reference). For example, two SIS
modules at a 50-millisecond scan rate increase the maximum response time from 175 to 225
milliseconds.
3. If SIS module logic includes delays such as the trip delay time in voter algorithms, the
response time increases by the length of those delays.
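To make the allocation concrete, the following is an added worked example, not code from the manual or from Emerson, that turns the response-time table and the three notes above into a budget check for a SIF. The scan-rate, delay, sensor, final-element and process-safety-time values passed to it are constructed inputs.

```python
"""Logic Solver subsystem response-time allocation (added worked example).

Constructed example, not Emerson code. The table values and the 400 ms
fault reaction time come from section 2.2.2 of the manual; all inputs
passed to the functions below are constructed.
"""

# Maximum response time (ms) with no faults present, keyed by the configured
# Logic Solver scan rate (ms). Copied from the manual's table.
MAX_RESPONSE_NO_FAULT_MS = {50: 175, 100: 275, 150: 375, 200: 475}

# Maximum fault detection or reaction time for any scan rate (ms).
FAULT_REACTION_MS = 400


def logic_solver_response_ms(scan_rate_ms, extra_secure_param_scan_rates_ms=(),
                             logic_delays_ms=(), assume_fault_present=True):
    """Return the response time (ms) to allocate to the Logic Solver subsystem.

    scan_rate_ms: scan rate of the Logic Solver that drives the SIF outputs.
    extra_secure_param_scan_rates_ms: one entry per additional SIS module that
        feeds the SIF through a secure parameter; each entry is the scan rate
        of the Logic Solver that contains the secure parameter (note 2).
    logic_delays_ms: configured delays in the SIS module logic, such as a
        voter trip delay (note 3).
    assume_fault_present: add the 400 ms fault reaction time, as the manual
        requires when allocating the response time.
    """
    if scan_rate_ms not in MAX_RESPONSE_NO_FAULT_MS:
        raise ValueError(f"scan rate {scan_rate_ms} ms is not in the manual's table")
    total = MAX_RESPONSE_NO_FAULT_MS[scan_rate_ms]
    total += sum(extra_secure_param_scan_rates_ms)   # note 2
    total += sum(logic_delays_ms)                    # note 3
    if assume_fault_present:
        total += FAULT_REACTION_MS
    return total


def sif_response_budget(process_safety_time_ms, sensor_ms, final_element_ms,
                        **logic_solver_kwargs):
    """Check the whole SIF against the process safety time.

    Returns (total_ms, margin_ms). The manual requires the sum of the sensor,
    Logic Solver and final element response times to be less than the process
    safety time, so margin_ms must be positive.
    """
    ls_ms = logic_solver_response_ms(**logic_solver_kwargs)
    total = sensor_ms + ls_ms + final_element_ms
    return total, process_safety_time_ms - total


if __name__ == "__main__":
    # Values worked in the manual: 50 ms scan with a fault assumed -> 575 ms;
    # two SIS modules at 50 ms, no fault allowance -> 225 ms.
    print(logic_solver_response_ms(50))
    print(logic_solver_response_ms(50, extra_secure_param_scan_rates_ms=[50],
                                   assume_fault_present=False))
    # Constructed SIF: 2 s process safety time, 300 ms sensor, 900 ms valve.
    print(sif_response_budget(2000, 300, 900, scan_rate_ms=100))
```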

SECTION 3

3 SIL Verification

IN THIS SECTION

SIL Verification Tool - Exida exSILentia Tool (SILVer) 7

3.1 SIL Verification Tool - Exida exSILentia Tool (SILVer)

To verify that a SIF meets the assigned SIL, the probability of the SIF failing needs to be
determined. The Ovation SIS Failure Modes Effects and Diagnostics Analysis (FMEDA) report
contains failure rate and other data to help you verify that the safety requirements are met. It
contains the information necessary to perform SIL verification calculations for the SIF’s Logic
Solver subsystem, including failure rates by failure category, diagnostic coverage and common
cause factors, hardware fault tolerance, and device type.

Emerson Power & Water Solutions provides a service to perform SIL verification of the safety
system that generates an Ovation SIS FMEDA report. Contact your local PWS Sales
Representative, PWS Service Engineer, or PWS Project Engineer to get the SIL verification
performed for your safety system.

SECTION 4

4 Restrictions: SIS Logic Solver Specification

IN THIS SECTION

Specification Restrictions 9

4.1 Specification Restrictions

There are no SIS Logic Solver specific restrictions.

SECTION 5

5 Restrictions: All Logic Solver Systems

IN THIS SECTION

Restrictions 11

5.1 Restrictions

As with all safety Logic Solvers, the Ovation SIS Logic Solver is to be used according to the
practices required by IEC 61508 and IEC 61511 as summarized below. Each topic is discussed in
more detail in Required Practices (see page 23).
• As with any Logic Solver, you must complete a full functional test of the Ovation SIS Logic
  Solver configuration before it is allowed to provide the protection function in a running
  process.
  After a subsequent load and prior to the Logic Solver continuing to provide its protection
  function unsupervised, you must assess what has changed in the Logic Solver since the last
  functional test by examining the CRC values in the Ovation Developer Studio. Refer to the
  Ovation Developer Studio User Guide for more information. Any Control module or I/O
  channel that indicates a change must be revalidated; that is, a functional test must be
  completed.
• You are allowed to load a Logic Solver while it is providing the protection function in a
  running process under the following conditions:
  • The equipment under control of the Logic Solver must be supervised during the load
    and until completion of the functional test (or until it is determined that a functional
    test is not required).
  • The shortest process safety time associated with the Logic Solver must be long enough
    for operators to monitor and react. This helps the operator to manually provide the
    protection function during the load and functional test.
• All changes to operational parameters must be validated prior to the system providing the
  protection function without supervision.
• Fire and gas applications should comply with local fire codes by following all standards
  required by the authority having jurisdiction such as EN54 in Europe and NFPA72 in the
  United States. Refer to Required Practices (see page 23) for more information.
• Burner Management Systems should comply with local codes by following all standards
  required by the authority having jurisdiction such as NFPA85 in the United States and
  EN50156-1 in Europe.
• A periodic proof test must be performed to reveal potentially dangerous faults that are not
  detected by the continuous runtime diagnostics in the Logic Solver. The necessary frequency
  of the proof test is a function of the probability of a dangerous failure for the safety
  instrumented function(s) associated with the Logic Solver.

SECTION 6

6 Special Features: SIS Logic Solver Specific

IN THIS SECTION

Special Features 14

6.1 Special Features

The special features specific to SIS Logic Solver are as follows:
• The Logic Solver is designed for de-energized-to-trip or energized-to-trip operation. Refer to
  Required Practices (see page 23) for more information.
• The use of HART two-state output channels on the Logic Solver is intended for certain final
  elements. You should physically connect a HART two-state output channel only to a Fisher
  Controls DVC6000 digital valve controller with an ESD tier (firmware revision 6 or later) or to a
  digital valve controller certified by Emerson Process Management as being equivalent.
  Required Practices (see page 23) has more information on using the digital valve controllers
  with the Logic Solver.
• The non-secure parameter reference is a user-defined parameter type available in SIS
  modules for non-safety-critical use. If a parameter of this type contributes to a safety-critical
  control action, special consideration is required in the SIS module logic to validate the
  parameter value. The application programmer must not allow the safety function to be
  compromised based on the value of a non-secure parameter reference. Refer to Required
  Practices (see page 23) for more information.
• Other than the non-secure parameter reference, all configuration elements available in the
  SIS modules may be used without special consideration in a safety critical application up to
  and including SIL3. This includes the Calculation-Logic function block expression language,
  which is a limited variability language.
• The SIS Logic Solver automatically responds to faults common to all I/O channels, such as
  malfunction of a processor or a memory failure, by de-energizing all output channels. This
  keeps output devices under control of the partner when using the redundant SIS Logic
  Solvers. A fault on an output channel does not prevent de-energization in the case of a
  demand to trip on that channel. There is an automatic and secondary means of de-
  energization when needed. For details on fault detection and how the SIS Logic Solver and
  Ovation SIS respond to those faults, refer to Using Ovation SIS in the Ovation SIS Process
  Safety System Users Guide. The person configuring SIS module logic has influence over the
  SIS Logic Solver's response to certain faults detected in the SIS Logic Solver and field
  instruments. For faults specific to one I/O channel or one field device, the SIS Logic Solver
  integrates Bad status with the value on the channel. The SIS module can be configured to
  respond to Bad status as needed by the application. Configuring the system response to Bad
  status includes choosing the status options, fault state options, and certain time duration
  values when the application requires.
• The Ovation SIS secure write server is certified for use in safety rated applications up to SIL3.
  Only the secure write server can make runtime changes to parameters in the SIS Logic
  Solver from the Ovation Developer Studio, including maintenance bypasses, operator resets,
  and all other parameters that are allowed to be changed at runtime.
• Ovation SIS has a built-in bypass facility for managing maintenance overrides. A bypass
  allows a maintenance activity, such as calibration, proof testing, or repair of a transmitter or
  other sensor, to take place without a concern for a spurious trip. Bypasses in Control module
  logic in the SIS Logic Solver can be set and cleared using a secure write operation.

SECTION 7

7 Limits

IN THIS SECTION

Product Life 15
Environmental Conditions 15
Application Configuration Limits 15

7.1 Product Life

The approximate lifetime limit of the Logic Solver is 20 years based on the worst case scenario.

7.2 Environmental Conditions

Refer to SIS environmental specifications in the Ovation SIS User Guide for limits on
environmental conditions.

7.3 Application Configuration Limits

Application configuration limits are imposed by the Ovation Control Builder (refer to Ovation
Control Builder User Guide for more information). Special consideration is not required to prevent
limits from being exceeded. Refer to Limitations for SIS in the Ovation SIS User Guide for the SIS
application limits.

SECTION 8

8 Recommendations for Management of Functional Competency

IN THIS SECTION

Recommendations 17

8.1 Recommendations

Ovation SIS is intended to be used in accordance with a defined safety lifecycle that is described
in IEC 61511. Emerson Process Management recommends the following additional functional
safety management requirements:

Competence of Persons - Engineering

All persons involved in the initial implementation or modification of the application software must
have appropriate training. Opportunities for training include reading this manual, reading Ovation
SIS product manuals, and attending a training class taught by certified personnel.

Competence of Persons - Installation and Hardware Maintenance

All persons involved in installation and hardware maintenance activities must have appropriate
training. Opportunities for training include reading this manual, reading Ovation SIS product
manuals, and attending a training class taught by certified personnel.

Competence of Persons - General

All persons involved in any aspect of Ovation SIS use, including engineers, operators,
supervisors, maintenance personnel, and system administrators, must have training in the
importance of safety instrumented systems. All persons must have a specific training in the
procedures for which they are responsible. Ovation system administrators must ensure that all
individuals that have access to Ovation SIS activities are trained and competent.

SECTION 9

9 Energized-to-trip Applications

IN THIS SECTION

Safety Integrity Levels (SILs) for Energized-to-trip Applications 19
High Demand Mode 21

9.1 Safety Integrity Levels (SILs) for Energized-to-trip Applications

The maximum Safety Integrity Levels (SILs) for the SIS Logic Solver in energized-to-trip
applications are as follows:

Safety Integrity Levels

ENERGIZED-TO-TRIP APPLICATIONS    SIMPLEX    REDUNDANT

With inverted logic
  Low demand mode                 SIL3       SIL3
  High demand mode                           SIL1
With auxiliary relay              SIL2       SIL2

9.1.1 Energized-to-trip Applications (with Inverted Logic)

When the safe state for an SIS Logic Solver output channel is on or high, the application is
energized-to-trip from the perspective of the output channel. To achieve the safe state, the
energized-to-trip output channels require Control module configuration to drive the SIS Logic
Solver output channel value to the on or high state. The SIS module logic essentially inverts the
output signals as compared to de-energized-to-trip logic.

If the SIS Logic Solver removes power in response to detecting a dangerous failure in an
application with inverted SIS module logic, the equipment under control remains in the normal
operating state. The Ovation system annunciates a dangerous failure in a SIS Logic Solver
through a hardware alarm. In response to the alarm, the operators can manually take the process
to the safe state if the repair cannot be completed within the Mean Time To Repair (MTTR) used
for SIL verification.

Using Inverted Logic in Low Demand Mode

In the low demand mode of operation, there is sufficient time to manually respond to an
annunciated dangerous failure. Credit can be taken for SIS Logic Solver diagnostics such that
dangerous detected failures are included in the safe failure fraction. The SIS Logic Solver meets
the SIL3 architectural requirements for a simplex or redundant Logic Solver.

Using Inverted Logic in High Demand Mode

In the high demand mode, the process safety time or demand rate may not allow time for a
manual response following the annunciation of a dangerous failure. Emerson Process
Management recommends that no credit be taken for diagnostics when using the inverted logic in
the high demand mode.

A redundant hardware configuration is required for safety rated applications. In a redundant
configuration, either of the two hardware modules is able to drive the output channel to the on or
high state. As a result, the hardware fault tolerance and safe failure fraction of SIL1 architectural
requirements are met. Also, the amount of time required to operate without an available SIS Logic
Solver partner is limited to the MTTR used in the SIL verification.

9.1.2 Energized-to-trip Applications (with Auxiliary Relay)

If a high-power discrete output is needed for an energized-to-trip application, the Auxiliary Relay
DTA-Inverting and Auxiliary Relay Diode modules can be combined with the SIS Logic Solver. In
this case, the inverting of the output signal is made through external hardware. Like the de-
energized-to-trip application, the control module is configured to drive the outputs to the off or low
state to achieve the safe state. The Logic Solver subsystem meets a SIL2 architectural
requirement with a simplex or redundant SIS Logic Solver in both low and high demand modes.

The DTA-Inverting relay module is installed near the Logic Solver and is wired to both the Digital
Output channel and supplemental Digital Input channel. The Diode module is installed near the
final element and is wired to the DTA-Inverting relay module and the final element. The DTA-
Inverting relay module adds 30 milliseconds to the response time of the SIF. Refer to the Ovation
SIS User Guide for installation details.

9.2 High Demand Mode

The following sections discuss considerations for high demand mode.

9.2.1 Response Time in High Demand Mode

The response time discussion for the low demand mode in Response Time Data (see page 4)
also applies when operating in high demand mode. Although the probability of an undetected fault
being present at the time of a demand is extremely low, you must assume a fault may be present
when allocating the response time for the Logic Solver subsystem in the high demand mode
applications. The maximum fault detection and reaction time of the SIS Logic Solver for any scan
rate is 400 milliseconds. Therefore, for high demand mode applications, you must allocate an
additional 400 milliseconds for the Logic Solver subsystem response time (for example, 575
milliseconds for an SIS Logic Solver whose scan rate is 50 milliseconds).

Note: The recommendation to include the fault detection and reaction time in the response time
does not apply in the low demand mode.

9.2.2 Other Considerations for High Demand Mode

The high demand mode of operation is defined by IEC 61508. High demand mode may apply by
definition or whenever it is more appropriate to treat a SIF as operating in high demand mode
instead of low demand. The following applies to both de-energized-to-trip and energized-to-trip
applications.

The SIS Logic Solver does not automatically de-energize outputs when faults are detected on
input channels because the fault may originate in field devices or field wiring. Instead, the SIS
Logic Solver integrates Bad status with the channel value. SIS module logic can be configured to
respond appropriately to Bad status on input channels. In high demand mode applications, the
allowed repair time for faults detected on input channels should be limited by the SIS module
configuration, so that the SIS Logic Solver drives the applicable outputs to the safe state if the
repair cannot be completed in time.

Refer to Engineering Practices in the Ovation SIS Accessories Safety Manual for more
information on configuring the system response to detected faults.

SECTION 10

10 Required Practices

IN THIS SECTION

Required practices overview 23

10.1 Required practices overview

This section contains additional information on required practices as they relate to restrictions in
the use of Ovation SIS.

10.1.1 Installation and Site Acceptance Testing

Installation of an Ovation SIS system must conform to the guidelines in the Ovation SIS User
Guide.

Your site acceptance procedures must include functional testing of the application programs
running in Logic Solvers. Managing changes in the Ovation SIS runtime system (see page 23)
contains requirements related to loading and testing the Logic Solver.

10.1.2 Managing Changes in the Ovation SIS Runtime System

Perform either of the following tasks to make a change to the Ovation SIS runtime system:
• Load the application to a Logic Solver using the Ovation Developer Studio.
• Change a parameter value in the Logic Solver using an SIS write operation from Ovation
  Signal Viewer or Ovation Operator Graphics application.
You are required to perform a functional test after a load or a change to a parameter value
through an SIS write operation.

Loading the Logic Solver

Ovation SIS provides a way to determine what changes have been made to the runtime system
as a result of a Logic Solver load. As a result, it is easy to determine what subset of the logic in
the Logic Solver must be revalidated (functionally tested after the load).

Loading of a Logic Solver is always a user-initiated event. After the initial load, a subsequent load
of the Logic Solver is not necessary unless you have made changes to the configuration
applicable to the Logic Solver. A Logic Solver needs a subsequent load if it loses power for more
than 10 days or it has been removed from the carrier. Loss of power for less than 10 days results
in an initializing reload of the application program from within the Logic Solver when power is
restored to the Logic Solver.

Functional testing after the initial load

WARNING! You must complete a full functional test of the Logic Solver configuration before it
is allowed to provide the protection function in a running process.

After an initial load of a Logic Solver, you must ensure that all the output channels respond
appropriately as you manipulate the value of input channels on that Logic Solver (and other Logic
Solvers, if applicable). This initial test must be a screw terminal to screw terminal test, preferably
from sensor to final element.

Recording CRC values

The Logic Solver calculates a number of Cyclic Redundancy Check (CRC) values as it processes
a load script. The CRC values are visible in Ovation Developer Studio and are useful for verifying
whether subsequent loads produce logic in the Logic Solver identical to what had been running. A
different CRC value for a given SIS module or I/O channel after a load indicates that there is
some difference in what is now running in the Logic Solver. The CRC value calculated by the
Logic Solver accurately reflects what is running in the Logic Solver when the load script is applied.
The Ovation Developer Studio shows the CRC values calculated by the Logic Solver, which
include:
• An overall CRC for the device.
• A CRC for each SIS module.
• A combined CRC for all the I/O channels.
• A CRC for each individual I/O channel.
• The overall device CRC from the previous load.

Note: Whenever you perform a functional test of the logic in a Logic Solver, document the
applicable CRC values along with the test results as part of your safety lifecycle management
procedures.


Subsequent loads

After the initial load, a Logic Solver requires a subsequent load when there have been
configuration changes made to it and the time is appropriate to apply the changes. When a Logic
Solver is loaded, it receives a complete load script, not a partial script of the changes that have
been made. The Logic Solver processes the script and replaces the entire running configuration
after copying certain parameter information where possible, so that non-disruptive online changes
occur (refer to Loading to a running process (see page 27)).

WARNING! After a subsequent load and prior to the Logic Solver continuing to provide its
protection function, you must assess what has changed in the Logic Solver since the last
functional test by examining the CRC values using the Ovation Developer Studio. Any Control
module or I/O channel that indicates a change must be revalidated.

If the overall CRC value for the Logic Solver matches the value from the previous load, you can
be certain the identical configuration is running in the Logic Solver after the load. However, the
overall CRC must have the same value as your documented, last-tested overall CRC. If it does
not, some functional testing is required. Compare the overall CRC with your documented last-
tested value. If they differ, check for differences between the current CRC value for each of the
four potential SIS modules and your documented last-tested value for each Control module. Also
check for differences between the combined I/O CRC value and your documented, last-tested
combined I/O CRC value.

CAUTION! Whenever you load a Logic Solver, compare the newly calculated overall CRC
value with your documented last-tested value even if you do not anticipate a difference.

Any Control module whose CRC value differs from the last-tested value must have a functional
test done before it can provide its protection function in a running process. Unless the load is
being done online (while the process is running) your standard test procedure for that Control
module should be followed. For modifications to the standard test procedure following an on-line
load, see Functional testing after loading to a running process (see page 28).

If the combined I/O CRC value differs from your documented last-tested value, examine each of
the 16 individual channel CRC values to view which value differs from the documented last-tested
value. Any difference implies a change in a configurable I/O channel parameter value. For
channels whose CRC value has changed, perform tests according to the following table based on
the channel type:

When to Test Channel Parameters when the CRC Value Changes After a Load

(Channel type; configurable parameter: when to test)

Analog Input
  • Enable NAMUR alarming: Test if configured as True.
  • Analog over range pct, Analog under range pct: Test channel if referenced by an Analog Input
    algorithm (in this or another Logic Solver) with the SOP8 ("Status Opt: Bad if Limited")
    parameter enabled.

HART Analog Input
  • Enable NAMUR alarming, Analog over range pct, Analog under range pct: Same as Analog Input
    channel.
  • Ignore PV Out of Limits, Ignore Analog-Digital Mismatch, Ignore PV Output Saturated, Ignore PV
    Output Fixed, Ignore Loss of Digital Comms, Ignore Field Device Malfunction, Loop current
    mismatch detection: Not required; HART communication is not safety-critical.

Digital Input
  • Detect open and short circuit: Test if configured as True.

Digital Output
  • Detect open and short circuit: Test if configured as True.

HART Two-state Output
  • Loop current mismatch detection, The slot n device code from the AO card, Enabled HART slot n:
    Not required; HART communication is not safety-critical.
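The CRC comparison procedure described above, carried through as an added example (not
Emerson's or the Ovation product's code). It assumes the overall, per-module, combined I/O and
per-channel CRC values have been read from Ovation Developer Studio into a simple record; the
record layout, module names and CRC values are constructed for the example:

```python
"""Revalidation scope after a Logic Solver load.

Added example, not Emerson's code: it applies the CRC comparison order
from this section to two constructed records, the documented last-tested
CRC values and the values shown after a load, and reports which SIS
modules and I/O channels need a functional test. The record layout, module
names and CRC values are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class CrcRecord:
    """CRC values as shown in Ovation Developer Studio after a load."""
    overall: int                 # overall CRC for the device
    modules: Dict[str, int]      # SIS module name -> module CRC (up to four modules)
    combined_io: int             # combined CRC for all I/O channels
    channels: Dict[int, int]     # channel number (1-16) -> channel CRC


@dataclass
class RevalidationScope:
    """What must be functionally tested before the Logic Solver resumes protection."""
    full_test: bool = False                       # no documented baseline: test everything
    modules: List[str] = field(default_factory=list)
    channels: List[int] = field(default_factory=list)
    unattributed: bool = False                    # overall CRC differs, nothing else does

    @property
    def test_required(self) -> bool:
        return (self.full_test or self.unattributed
                or bool(self.modules) or bool(self.channels))


def revalidation_scope(last_tested: Optional[CrcRecord],
                       after_load: CrcRecord) -> RevalidationScope:
    """Compare the documented last-tested record with the record after a load.

    Order follows the manual: overall CRC first; only when it differs, the
    per-module CRCs and the combined I/O CRC; only when the combined I/O CRC
    differs, the individual channel CRCs.
    """
    if last_tested is None:
        return RevalidationScope(full_test=True)   # initial load: full functional test
    scope = RevalidationScope()
    if after_load.overall == last_tested.overall:
        return scope                                # identical configuration is running
    # modules whose CRC changed, plus modules added or removed since the last test
    names = sorted(set(last_tested.modules) | set(after_load.modules))
    scope.modules = [n for n in names
                     if last_tested.modules.get(n) != after_load.modules.get(n)]
    if after_load.combined_io != last_tested.combined_io:
        nums = sorted(set(last_tested.channels) | set(after_load.channels))
        scope.channels = [c for c in nums
                          if last_tested.channels.get(c) != after_load.channels.get(c)]
    # The overall CRC changed but nothing above explains it: this example
    # treats that as "some functional testing is required", never as a pass.
    scope.unattributed = not scope.modules and not scope.channels
    return scope


# Constructed sample records: only SIS_MOD2 and channel 3 changed.
LAST_TESTED = CrcRecord(overall=0x1A2B3C4D,
                        modules={"SIS_MOD1": 0x1111, "SIS_MOD2": 0x2222},
                        combined_io=0xABCD,
                        channels={1: 0x0A01, 2: 0x0A02, 3: 0x0A03})
AFTER_LOAD = CrcRecord(overall=0x1A2B3C4E,
                       modules={"SIS_MOD1": 0x1111, "SIS_MOD2": 0x2223},
                       combined_io=0xABCE,
                       channels={1: 0x0A01, 2: 0x0A02, 3: 0x0A33})

if __name__ == "__main__":
    s = revalidation_scope(LAST_TESTED, AFTER_LOAD)
    print("modules to retest:", s.modules, "channels to retest:", s.channels)
```

The record compared against is the documented last-tested set of values, not the values from
the previous load, which is the distinction the CAUTION above makes; a module that was added or
removed since the last test is listed as changed as well.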


Loading to a running process

The need to make configuration changes to a Logic Solver after it is protecting a running process
should be infrequent, and the need to load those changes prior to the next scheduled outage
should be even less frequent.

WARNING! You are allowed to load a Logic Solver while it is providing the protection function
in a running process, with the following restrictions:

1. The equipment under control of the Logic Solver must be supervised during the load and
until completion of the functional test (or until it is determined that a functional test is not
required).

2. The shortest process safety time associated with the Logic Solver must be long enough to
allow time for operators to monitor and react, and thus manually provide the protection
function during the load and functional test.

Some changes require a Logic Solver load to take effect. Certain of those changes, however, do
not modify the overall CRC value in the Logic Solver after the load completes. The following
table lists various changes that can be made, what is required to apply each change to the
runtime system, and the impact on the Logic Solver overall CRC value.

How to Apply Logic Solver Configuration Changes to the Runtime Systems

(Change made to the configuration database; how to apply the change to the runtime system
and the resulting impact to the Logic Solver)

  • Add/delete an algorithm.
  • Add/delete a user-defined parameter or change its definition.
  • Add/delete a signal line.
  • Change a configurable but not runtime-writable Control module parameter value.
  • Change a configurable I/O channel parameter value.
  • Change a Logic Solver scan rate or global publishing property.
  Effect: Requires a Logic Solver load to take effect. Changes the Logic Solver CRC value.

  • Change a Logic Solver property other than scan rate or global publishing.
  • Change a Control module property.
  • Change a HART device property.
  Effect: Requires a Logic Solver load to take effect, but does not change the Logic Solver
  CRC value.

  • Change a runtime-writable Control module parameter value.
  Effect: Can be changed by an SIS write command or a load. If changed by a load, it changes
  the Logic Solver CRC value. However, if changed by the SIS write command, it does not change
  the CRC value. It changes the Logic Solver CRC value on the next load if the change is made
  using the SIS write command and then reconciled.

  • Change a configurable field of an alarm parameter.
  • Change the value of an algorithm parameter not associated with SIS logic.
  Effect: Can be changed using an SIS write command or a load. It does not change the Logic
  Solver CRC value in either case.

Any successful load performed on a Logic Solver replaces the application program running in the
Logic Solver.

Be aware that after a runtime parameter change is reconciled with the database, a subsequent
load changes the overall Logic Solver CRC value. There is no requirement to perform a
subsequent load as a result of a runtime parameter change. However, if the runtime change is
reconciled, a functional test is required the next time a load is performed, even if no other
changes were made to the database.

Functional testing after loading to a running process

You may modify your standard test procedure when the process is running to reduce the chance
of the test causing a process disruption. You can use the Ovation Signal Viewer and the SIS
Force function to isolate sections of the logic. Refer to Ovation Control Builder User Guide for
more information on the Signal Viewer and the SIS Force function. The logic within a Control
module can be tested in this way by observing parameter values without manipulating the I/O at
the screw terminals. However, at some point during the test, you must validate that I/O algorithms
are properly linked with the screw terminals and the secure parameter references are properly
linked with their referenced secure parameters. The suggested test procedures are described in
the following table:

Suggested Test Procedures after Loading to a Running Process

(Item; test procedure for "properly linked")

Digital input channel
  • If the value of OUT (Digital Output with Status) of the LSDI algorithm is 1, perform an SIS
    Force on the destination of the signal line from OUT.
  • Disconnect the physical wire on the input channel. Confirm that the value of OUT goes to 0.
  • Restore.
  Note 1: For energize-to-trip applications or when the "Inverted" I/O option is used, it may be
  necessary to manipulate the input channel to confirm the link.
  Note 2: Repeat for all LSDI algorithms in all SIS modules in this Logic Solver, whether the
  physical channel is on this or another Logic Solver.

Analog input channel; HART analog input channel
  • Measure the current at the input screw terminals.
  • Calculate the expected value on OUT of the LSAI algorithm using the value of LTYP
    (Linearization Type) and the Output Scale parameters TPSC (Output Scale: Top) and BTSC
    (Output Scale: Bottom).
  • Confirm that the expected value matches the value of OUT.
  Note 1: Repeat for all LSAI algorithms in all SIS modules in this Logic Solver, whether the
  physical channel is on this or another Logic Solver.
  Note 2: If the value on OUT is the same for multiple LSAI algorithms, it is necessary to
  manipulate one or more input channels to confirm.

Secure parameter reference
  • Perform an SIS Force function on the destination of the signal line from the parameter.
  • Using the Ovation Signal Viewer for the source SIS module, perform an SIS Force on the
    referenced secure parameter.
  • Change the value on the secure parameter and confirm that the value changes in the
    destination module.
  • Restore.

Digital output channel; HART two-state output channel
  • Open the process bypass valve for the final element.
  • Cause the value on CASND (Input) of the LSDO/LSDVC algorithm to change state by manipulating
    the logic using SIS Force or other means.
  • Visually verify that the final element changes state (or measure the voltage/current at the
    screw terminal).
  • Restore.
  Note: If there is no process bypass capability, it is acceptable to temporarily block the
  actuation of the final element. In either case, you must be able to provide the protection
  function manually.
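The calculation step of the analog input procedure above, as an added example that is not part
of the manual or of the Ovation product. It assumes a 4-20 mA loop, assumes "Linear" and
"Square root" as the LTYP choices, and uses constructed algorithm names and readings; the
comparison tolerance is also an assumption. It also covers Note 2, flagging LSAI algorithms whose
OUT values coincide so that a matching value alone cannot prove the link:

```python
"""Expected LSAI OUT value from the loop current measured at the screw terminals.

Added example, not Emerson's code. It carries out the calculation step of
the analog input test procedure: the measured current is converted to the
LSAI algorithm's OUT value using LTYP (Linearization Type) and the output
scale parameters TPSC and BTSC, then compared with the OUT value observed
in the Signal Viewer. The 4-20 mA loop range, the "Linear" and "Square
root" LTYP choices and the comparison tolerance are this example's
assumptions; algorithm names and readings are constructed.
"""
import math
from dataclasses import dataclass
from typing import Dict, List

LOW_MA = 4.0     # assumed live-zero current at 0 % of span
HIGH_MA = 20.0   # assumed current at 100 % of span


def expected_out(current_ma: float, ltyp: str, tpsc: float, btsc: float) -> float:
    """OUT the LSAI algorithm should show for the measured loop current."""
    fraction = (current_ma - LOW_MA) / (HIGH_MA - LOW_MA)   # 0.0 at 4 mA, 1.0 at 20 mA
    if ltyp == "Square root":
        fraction = math.sqrt(max(fraction, 0.0))              # no real root below 4 mA
    elif ltyp != "Linear":
        raise ValueError(f"unsupported LTYP in this example: {ltyp!r}")
    return btsc + fraction * (tpsc - btsc)


@dataclass
class LinkCheck:
    algorithm: str
    expected: float
    observed: float
    linked: bool   # expected and observed agree within tolerance


def check_link(algorithm: str, current_ma: float, observed_out: float,
               ltyp: str, tpsc: float, btsc: float, tolerance: float) -> LinkCheck:
    """Compare the observed OUT with the value expected from the measured current."""
    exp = expected_out(current_ma, ltyp, tpsc, btsc)
    return LinkCheck(algorithm, exp, observed_out, abs(exp - observed_out) <= tolerance)


def ambiguous_algorithms(outs: Dict[str, float], tolerance: float) -> List[str]:
    """LSAI algorithms whose OUT matches another's (Note 2 of the procedure):
    a matching value alone cannot prove which channel feeds which algorithm,
    so one or more input channels must be manipulated to confirm."""
    names = sorted(outs)
    return [a for a in names
            if any(a != b and abs(outs[a] - outs[b]) <= tolerance for b in names)]


# Constructed readings: (measured mA, observed OUT, LTYP, TPSC, BTSC).
# Two level algorithms sit on identical 12 mA loops; the flow loop reads 8 mA.
READINGS = {
    "LSAI_LEVEL_A": (12.0, 50.0, "Linear", 100.0, 0.0),
    "LSAI_LEVEL_B": (12.0, 50.0, "Linear", 100.0, 0.0),
    "LSAI_FLOW":    (8.0, 125.0, "Square root", 200.0, 50.0),
}


def run_checks(tolerance: float = 0.5) -> List[LinkCheck]:
    """Check every constructed reading; returns one LinkCheck per algorithm."""
    return [check_link(name, *args, tolerance) for name, args in READINGS.items()]


if __name__ == "__main__":
    checks = run_checks()
    for c in checks:
        print(c)
    print("manipulate an input to confirm:",
          ambiguous_algorithms({c.algorithm: c.observed for c in checks}, 0.5))
```

With the constructed readings both level algorithms pass the value comparison yet are reported
as ambiguous, which is exactly the case Note 2 says must be resolved by manipulating an input
channel.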

10.1.3 Fire and Gas Applications

Fire and gas applications must comply with local fire codes by following all standards required by
the authority having jurisdiction, such as EN54 in Europe and NFPA72 in the United States.
According to the NFPA72, the requirements for all Logic Solvers are as follows:
• Hardware and software version numbers should be recorded.
• Programming must be protected against unauthorized changes. Ovation system
  administrators should ensure that only authorized individuals have security keys to configure
  and download the SIS Logic Solver.


10.1.4 Burner Management System Applications

Burner Management Systems must comply with local codes by following all standards required by
the authority having jurisdiction, such as NFPA 85 in the United States and EN 50156-1 in
Europe.

10.1.5 Using HART Two-state Output Channels and Digital Valve Controllers

WARNING! The use of HART two-state output channels on the Logic Solver is intended for
certain final elements. You should physically connect a channel of this type to only a Fisher
Controls DVC6000 digital valve controller with ESD tier (firmware revision 6 or later) or a
digital valve controller certified by Emerson Process Management as being equivalent.

A HART two-state output channel is manipulated by Control module logic through the use of a
Digital Valve Controller (LSDVC) algorithm. The Logic Solver applies 20 milliamps on the channel
when the algorithm's OUT (Output Value) parameter is 1. The value of the OFCUR (Valve
Controller Off Current) parameter in the LSDVC algorithm determines the current applied when
the value of OUT is 0. Options for OFCUR include "0 milliamps" and "4 milliamps". The following
table summarizes the characteristics of the OFCUR options:

Characteristics of the Valve Controller Off Current Options

0 milliamps
  • Power is removed entirely from the digital valve controller when Control module logic drives
    the channel Off. The digital valve controller places the final element in the tripped state.

4 milliamps
  • The digital valve controller places the final element in the tripped state when the Control
    module logic drives the channel Off.
  • HART communication with the digital valve controller continues while the final element is in
    the tripped state.

10.1.6 Using Non-secure Parameter References in SIS Modules

The non-secure parameter reference is a user-defined parameter type available in the SIS folder
of the Ovation Control Builder when an SIS sheet is opened. This parameter type is used to read
a parameter located in a different SIS module or Ovation control sheet.

Runtime communication involves the infrastructure between the Ovation Controller and the Logic
Solver, which is not safety rated. Reading a parameter in another Control module using a non-
secure reference uses the SIS backplane or SIS LAN communication even if the Control module
is in the same Logic Solver.

It is preferable to use a secure parameter and secure parameter reference to communicate
between Control modules because they use the safety-rated peer bus and the update rate is at
the Logic Solver scan rate (the non-secure update rate is 1 second). However, secure parameter
communication is made using the Boolean data type. For data types other than Boolean, a non-
secure parameter reference can be more convenient if the use is not safety-critical.


Non-safety-critical use

A non-secure parameter reference can be used without special consideration when the value
does not contribute to a safety-critical control action.

An example of a non-safety-critical use is as follows:

Read the commanded state for a motor or discrete valve from an Ovation control sheet, then
apply a safety interlock and drive an output channel of the Logic Solver. This use is not
considered safety-critical because the safety interlock always overrides the value of the
commanded state.

Safety-critical use

If a non-secure parameter reference contributes to a safety-critical control action, special
consideration is required in the Control module logic to validate the parameter value. The
engineer configuring the logic must not allow the safety function to be compromised based on the
value of a non-secure parameter reference.

If a non-secure parameter reference is used as part of a safety-critical control action, it is
important to validate the value read into the Control module by some independent method. An
example of independent confirmation is using other process inputs from channels of this or other
Logic Solvers as a means of validating the value of the non-secure parameter. If the value of the
non-secure parameter reference cannot be validated by an independent method, the most
conservative trip limit values should be applied.

A non-secure parameter reference has a value and a status. Normally, the status is that of the
referenced parameter. If there is a communication issue between the Ovation Controller and the
Logic Solver, the status of the non-secure parameter reference is Bad, which causes the Logic
Solver to interpret it as a loss of communication. If the source parameter has Bad status or the
Logic Solver is not able to read its value, the non-secure parameter reference has Bad status.
Therefore, the SIS module logic should take appropriate action when the status is Bad if the use
is safety-critical.

The Limit (LSLIM) algorithm can be used downstream from a non-secure parameter reference to
limit its value within a valid range. The algorithm has an optional parameter, LMOPT. It
determines the output value when the input is outside the valid range. The choices are as follows:
• Clamping the value at the limit.
• Using the last value prior to limit violation.
• Using a configurable default value.
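How the Bad-status handling and the LSLIM options fit together around a safety-critical use of
a non-secure parameter reference, as an added example rather than Emerson's code. The response
to a Bad status (raising the trip demand), the independent validation against an SIS process
input, the enum names and all values are assumptions constructed for the example:

```python
"""Guarding SIS logic that consumes a non-secure parameter reference.

Added example, not Emerson's code. It models the two protections this
section describes: the Bad status a non-secure parameter reference takes
on when the source parameter is Bad or cannot be read (interpreted as loss
of communication), and the Limit (LSLIM) algorithm with its LMOPT choices
of clamping, holding the last value prior to the violation, or substituting
a configurable default. The trip evaluation around them, the independent
validation by a process input, and all names and values are constructed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Status(Enum):
    GOOD = "Good"
    BAD = "Bad"


class LimitOption(Enum):
    """The three LMOPT choices named in the manual (enum names constructed)."""
    CLAMP = "clamp"            # clamp the value at the violated limit
    LAST_VALUE = "last_value"  # use the last value prior to the limit violation
    DEFAULT = "default"        # use a configurable default value


class LSLIM:
    """Limit algorithm: keeps its input within [low, high]."""

    def __init__(self, low: float, high: float, option: LimitOption,
                 default: Optional[float] = None):
        if low > high:
            raise ValueError("low limit must not exceed high limit")
        if option is LimitOption.DEFAULT and default is None:
            raise ValueError("the default option needs a default value")
        self.low, self.high, self.option, self.default = low, high, option, default
        self._last_in_range: Optional[float] = None

    def execute(self, x: float) -> Tuple[float, bool]:
        """Return (output, limited); limited is True when x was outside the range."""
        if self.low <= x <= self.high:
            self._last_in_range = x
            return x, False
        if self.option is LimitOption.DEFAULT:
            return self.default, True
        if self.option is LimitOption.LAST_VALUE and self._last_in_range is not None:
            return self._last_in_range, True
        # CLAMP, or LAST_VALUE before any in-range value has been seen (the
        # manual does not define that first-scan case; clamping is this
        # example's choice for it)
        return (self.low if x < self.low else self.high), True


@dataclass
class NonSecureRef:
    """Value and status of a non-secure parameter reference."""
    value: float
    status: Status


@dataclass
class TripDecision:
    trip: bool
    limit_used: Optional[float]
    reason: str


def evaluate_high_trip(ref: NonSecureRef, limiter: LSLIM,
                       independent_pv: Optional[float], agreement: float,
                       normal_limit: float, conservative_limit: float) -> TripDecision:
    """High-trip decision on a process value read through a non-secure reference.

    A Bad status is a loss of communication, so this example raises the trip
    demand (its own fail-safe choice; the manual asks for "appropriate action").
    The normal limit is used only when an independent process input from an SIS
    channel agrees with the value; otherwise the most conservative limit applies.
    """
    if ref.status is Status.BAD:
        return TripDecision(True, None, "Bad status: loss of communication")
    validated = independent_pv is not None and abs(ref.value - independent_pv) <= agreement
    limit = normal_limit if validated else conservative_limit
    value, limited = limiter.execute(ref.value)
    reason = ("validated by independent input" if validated
              else "not independently validated: conservative limit")
    if limited:
        reason += "; value limited by LSLIM"
    return TripDecision(value >= limit, limit, reason)


if __name__ == "__main__":
    lim = LSLIM(0.0, 100.0, LimitOption.CLAMP)
    print(evaluate_high_trip(NonSecureRef(80.0, Status.GOOD), lim, 79.0, 2.0, 90.0, 85.0))
    print(evaluate_high_trip(NonSecureRef(87.0, Status.GOOD), lim, None, 2.0, 90.0, 85.0))
```

The limiter only bounds the value; it is the validation step that decides which trip limit is
in force, so an unvalidated but in-range value is still judged against the more conservative
limit, as the section requires.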

Index

A
Application Configuration Limits • 15

B
Burner Management System Applications • 30

C
Certification Coverage • 3
Certified Components • 3
Copyright Notice • 2

D
De-energized-to-trip Applications • 4

E
Energized-to-trip Applications • 19
Energized-to-trip Applications (with Auxiliary Relay) • 20
Energized-to-trip Applications (with Inverted Logic) • 20
Environmental Conditions • 15

F
Fire and Gas Applications • 29
Functional testing after loading to a running process • 28
Functional testing after the initial load • 24

H
High Demand Mode • 21

I
Installation and Site Acceptance Testing • 23

L
Limits • 15
Loading the Logic Solver • 23
Loading to a running process • 27

M
Managing Changes in the Ovation SIS Runtime System • 23

N
Non-safety-critical use • 31

O
Other Considerations for High Demand Mode • 21
Ovation SIS Safety Manual • 1
Ovation SIS Safety Manual Overview • 1

P
Product Life • 15

R
Recommendations • 17
Recommendations for Management of Functional Competency • 17
Recording CRC values • 24
Required Practices • 23
Required practices overview • 23
Response Time Data • 4
Response Time in High Demand Mode • 21
Restrictions • 11
  All Logic Solver Systems • 11
  SIS Logic Solver Specification • 9

S
Safety Integrity Levels (SILs) for Energized-to-trip Applications • 19
Safety-critical use • 31
SIL Applicability • 4
SIL Verification • 7
SIL Verification Tool - Exida exSILentia Tool (SILVer) • 7
Special Features • 14
  SIS Logic Solver Specific • 13
Specification Restrictions • 9
Subsequent loads • 25

U
Using HART Two-state Output Channels and Digital Valve Controllers • 30
Using Non-secure Parameter References in SIS Modules • 30
