In some industries, it is extremely important to ensure reliable protection of personnel, process equipment, and the environment in case an emergency situation occurs at the facility that can lead to an accident. In these areas, using regular distributed control system (DCS) tools is not enough to automate the technological processes. An independent emergency shutdown system (ESD) must also be used. Industry standards impose very strict requirements on ESD systems and the controllers on which they are based. These requirements are reasonable but also difficult to comply with.
Engineers at GP Systems GmbH have many years of experience in developing systems with pre-fault safety functions for various hazardous production facilities. In addition, GP Systems GmbH has long successfully marketed its own range of REGUL RX00 controllers, which include solutions for continuous production. Developing the REGUL R500S specialized controller for emergency control systems involved combining existing knowledge in the emergency automation field and a large database of technical solutions and know-how regarding controller equipment.
The new REGUL R500S controller is based on the platform of the existing commercially available controller, but it is an entirely new product developed according to the IEC 61508 standard.
To develop the controller in accordance with the strict requirements of the standard, the company's engineers received additional training, and experts certified by TÜV were also involved in the development process.
According to the IEC 61508 requirements, the current progress, plans, design, and actual operation of the controller must be analyzed in depth at all stages of the product life cycle. Careful analysis of hazards and risks is mandatory at the design and development stages. Data processing and reliability calculations are carried out using specialized certified software.
The REGUL R500S controller hardware fully conforms to the SIL3 functional safety requirements:
- The controller provides everything necessary to ensure the reliability of ESD systems: an independent hardware watchdog, hardware redundancy of various types (duplication, triplication), functional redundancy, and diagnostic and analysis systems with a function that compares the values of technologically related parameters.
- The controller provides comprehensive self-diagnostics that allow it to detect an internal failure and ensure that the entire process control system switches to the predetermined safe state.
- Each input/output module has a built-in microprocessor that is certified for use in SIL3 functional safety systems and performs the tasks related to functional safety.
- Each controller module is powered from two internal buses, and the supply voltage is continuously diagnosed. If a failure occurs, the information is sent to the operating personnel, while the controller continues to operate and perform its monitoring and control functions without switching to the safe state.
In addition to the self-diagnostic systems, the REGUL R500S controller offers developers a wide range of tools for monitoring the parameters of measurement and control circuits:
- Sensor channel power monitoring with short-circuit and overload protection.
- Digital input modules according to the NAMUR specification.
- Digital output modules with circuit current monitoring. Such in-depth, proactive diagnostics allow a failure to be detected and evaluated early, which in turn gives the operator time for troubleshooting.
To ensure continuous operation of process equipment, the REGUL R500S controller supports redundant input/output modules, called backup assemblies, consisting of two or three modules of the same type.
At the application program level, the channels of the assembly modules are combined by duplication or triplication; that is, one logic input or output variable corresponds to two (or three) physical channels. This redundancy reduces the number of safe failures (failures caused not by an emergency situation at the facility but by a failure of the ESD system itself) in both field and controller equipment. It also allows duplicated system components to be replaced quickly without shutting down the process.
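As an added illustration, not the controller's own code, the following Python model shows how one logic variable can be derived from the two or three physical channels of a backup assembly: a channel flagged by the module's self-diagnostics is excluded while the assembly keeps running in a degraded state, and a comparison tolerance catches a silent disagreement between channels that both report healthy. The `Channel` and `Result` types, the `vote` function, and the sample values are all hypothetical.

```python
from dataclasses import dataclass
from statistics import median
from typing import Optional

# Hypothetical model of a redundant input assembly: two or three physical
# channels feed one logic variable. All values below are constructed samples;
# this is not the controller's own voting logic.

@dataclass(frozen=True)
class Channel:
    value: float
    healthy: bool           # verdict of the module's own self-diagnostics


@dataclass(frozen=True)
class Result:
    value: Optional[float]  # None: no trusted value, take the safe action
    degraded: bool          # a channel was lost: report to the operator
    failed: tuple           # channel indexes treated as failed


def vote(channels: list[Channel], tol: float) -> Result:
    """Combine 2 or 3 redundant channels into one logic value.

    Channels flagged by self-diagnostics are dropped first. With 3 good
    channels the median is used (2oo3) and a channel deviating from it by
    more than tol is marked failed. With 2 good channels a discrepancy
    beyond tol cannot be attributed to either side, so no value is trusted.
    With 1 good channel the assembly keeps running, degraded.
    """
    good = [i for i, c in enumerate(channels) if c.healthy]
    failed = [i for i, c in enumerate(channels) if not c.healthy]
    vals = [channels[i].value for i in good]
    value: Optional[float] = None
    if len(vals) == 3:
        m = median(vals)
        outliers = [i for i in good if abs(channels[i].value - m) > tol]
        if len(outliers) >= 2:      # no two channels agree: distrust all
            failed += good
        else:
            failed += outliers
            value = median([channels[i].value for i in good if i not in outliers])
    elif len(vals) == 2:
        if abs(vals[0] - vals[1]) <= tol:
            value = sum(vals) / 2
        else:
            failed += good          # disagreement without a diagnosis
    elif len(vals) == 1:
        value = vals[0]
    return Result(value, degraded=bool(failed), failed=tuple(sorted(failed)))
```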
The two independent data buses in the controller allow SIL3 high-availability systems to be built on its basis. Such systems, configured according to the 1oo2 scheme, are used at high-risk facilities with a continuous process cycle. No single failure in such a system leads to a command to switch the system to the safe state.