
SLS 1508 Redundant SIS Module

Our team is currently facing a challenge with performing logic modifications on an existing SLS 1508 Redundant Module in a live plant environment. We want to ensure minimal disruption while making these changes. I would appreciate your guidance on the following:

  1. When logic modifications are made and downloaded to an SLS 1508 Redundant Module, is the download performed simultaneously on both the primary and secondary modules? Or is the download first applied to the primary module while the secondary module continues to control the inputs and outputs?

  2. During the download process, will the existing I/O configurations on the SLS 1508 Module be disrupted?

Thank you in advance for your insights and recommendations!

3 Replies

  • Hello,

    1. There's no such thing as Primary and Secondary; both logic solvers run in lockstep, and they will both be in sync at all times.
    2. No disruption in I/O.

    That said, all logic modifications to SIS must be thoroughly tested before being applied to make sure the modification itself will not insert hazards to the process, or cause any upsets.

    If you are following IEC 61511, it would be arguably impossible to make any modification online, since the SIF must be validated before the hazard is present to the process.

    Rgs,
  • In reply to Tadeu Batista:

    Thank you, Tadeu Batista, for your valuable answer.
  • In reply to Tadeu Batista:

    Terms like Primary and Secondary versus Active and Standby are often used interchangeably. But Active and Standby are more accurate terms at run time.

    For accuracy in conveying the state of the cards, Active/Standby should be used.

    DeltaV trains us to think in terms of Primary and Secondary because DeltaV controllers are commissioned with IP addresses of 10.5.x.x/10.9.x.x to the Secondary controllers and IO cards. Either card can be active, but the IP address does denote primary and active. However, the logic solvers are physically addressed on the backplane starting with an odd number. As Tadeu says, DeltaV does not care about "Primary or Secondary". In documentation, especially drawings and such, a redundant pair of logic solvers might be referred to as primary and secondary. Typically, the left logic solver is often considered the Primary. That is strictly a cosmetic use of the terms. At run time DeltaV cares which card is Active, and either card is equally considered. The first card in a pair to be powered and complete self-test will assume the role of Active and there is no preference to position.

    IEC61511 methodology for SIS is singularly responsible for a step change reduction in safety incidents. Through the evolution of safety systems from relays to PLCs, to Safety systems, the rate of safety incidents in the industry did not change. With IEC61511, validation procedures and strict adherence to change management resulted in significant reduction of incidents. Partial stroke testing of valves increased diagnostic coverage and validation of logic changes prior to their use in production are key tenets of IEC61511.

    Only you can determine if this change can be performed safely and within the guidelines of your facility based on its adherence to IEC 61511.

    As Tadeu says, the IO will not be disrupted on Download. The SLS1508 is designed to take a total download without altering the state of the IO. The SIS Modules will load and begin execution, and at that point, the IO will respond to the logic. The logic change poses a risk of a spurious trip and that is the reason for thorough testing.

    It is my understanding that the active Logic Solver has two processors that run in lockstep. When they agree on the required output states, the Outputs are driven. The single SLS1508 is SIL 3 capable. The Standby Logic solver also has two processors and also runs them in lockstep, using the same Input signals as the Active. If these processors agree, the Logic Solver's integrity is maintained as good, and it remains available. If the Active logic solver processors disagree, control is passed to the standby, which becomes active and drives the outputs. All four processors execute the logic, requiring two processors to have an issue at the same time. This delivers an extremely high availability. In the case where a Logic Solver is unable to agree on the state of the outputs, the outputs will go safe. This would be a spurious trip due to logic solver fault, which is avoided with redundant logic solvers. Also, Redundant logic solvers support periodic initialization self-tests by performing a switch over. The new standby goes through reset to perform low level diagnostics on memory and such which are not possible during operation.

    The SLS1508 provides CRC numbers that can be checked to see that the current downloaded configuration matches what is in the database. You should be 100% confident your modification is being done starting with the actual current configuration in the logic solver. If you are adding a new SIS Module to an existing Logic Solver, and do not modify existing modules, the SLS1508 CRC will change but the existing module CRCs will remain unchanged. The IO CRC will change if you add/enable new channels. Modules with a changed CRC should be revalidated.

    As for validating your change, you should have a development system with which you can validate the logic change and that the change can be done online, using either a simulated solver or a physical one.

    Good luck.

    Andre Dicaire
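
The CRC comparison described in the reply above can be turned into a repeatable change-control check. This is an added example, not part of the original thread or of any DeltaV tooling; the snapshot layout, module names and CRC values are constructed, and reading the CRCs off the system is assumed to be a manual transcription step.

```python
# Added example: CRC-based change-control check. All names and CRC values are
# constructed; reading them from the system is assumed to be a manual step.

def flatten(snap):
    """Snapshot {"solver": crc, "io": crc, "modules": {name: crc}} -> flat dict."""
    flat = {"solver": snap["solver"], "io": snap["io"]}
    flat.update({"module:" + n: c for n, c in snap["modules"].items()})
    return flat

def baseline_mismatches(database, running):
    """Before editing: items whose database CRC differs from the running solver."""
    db, run = flatten(database), flatten(running)
    return sorted(k for k in set(db) | set(run) if db.get(k) != run.get(k))

def review_download(before, after, planned_modules, channels_added):
    """Classify CRC changes between snapshots taken before and after a download.

    planned_modules: modules the approved change adds or modifies.
    channels_added:  True if the change adds or enables I/O channels.
    """
    old, new = before["modules"], after["modules"]
    revalidate, unexpected = [], []
    for name in sorted(set(old) | set(new) | set(planned_modules)):
        changed = old.get(name) != new.get(name)
        if changed and name in planned_modules and name in new:
            revalidate.append(name)  # changed CRC inside the approved scope
        elif changed or name in planned_modules:
            # out-of-scope change, removed module, or planned change not applied
            unexpected.append("module:" + name)
    if (before["io"] != after["io"]) != channels_added:
        unexpected.append("io")      # IO CRC should change only with new channels
    if revalidate and before["solver"] == after["solver"]:
        unexpected.append("solver")  # solver-level CRC should have changed
    return {"revalidate": revalidate, "unexpected": unexpected}

# Constructed snapshots: one new module added, existing modules untouched.
BEFORE = {"solver": 0x1A2B, "io": 0x0F0F,
          "modules": {"SIF_101": 0x1111, "SIF_102": 0x2222}}
AFTER_OK = {"solver": 0x3C4D, "io": 0x0F0F,
            "modules": {"SIF_101": 0x1111, "SIF_102": 0x2222, "SIF_103": 0x3333}}
# Constructed failure case: an existing module and the IO CRC also changed.
AFTER_BAD = {"solver": 0x3C4D, "io": 0x0FF0,
             "modules": {"SIF_101": 0x1111, "SIF_102": 0x9999, "SIF_103": 0x3333}}

if __name__ == "__main__":
    print(baseline_mismatches(BEFORE, BEFORE))
    print(review_download(BEFORE, AFTER_OK, {"SIF_103"}, channels_added=False))
    print(review_download(BEFORE, AFTER_BAD, {"SIF_103"}, channels_added=False))
```

Any entry under `unexpected` means the download touched something outside the approved change and should stop the work until it is explained.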