CSLS partial download

Gents / Lady,

Is it safe to do a partial download in the CSLS controller during normal plant operation?

As far as I know, non-secure parameters will get affected or initialized during the download changes, which can lead to a process S/D. If the non-secure parameters are used in the DCS for interlocks, how to protect them? Is there any possibility to preserve the last known good value during download?

Is there anything else to be taken care of during partial download in order to protect against process upset?

Is there any document from Emerson which clearly describes the CSLS online possibilities and the restrictions (Do's / Don'ts)?

Thanks in advance.

Regards,

Stanis J

5 Replies

  • Stanis, I think you can't do "Partial" downloads; you download the entire CSLS. My suggestion is, if you have a doubt about some action, add a Delay Time to some effect, like 10 minutes, then you can analyze and see if something trips, and you have sufficient time to force some actions. If nothing undesired happens, then delete the delay time and download again.
  • Stanis,
    Mr. Sottano is correct. Partial downloads are not an option in the CSLS. You will find the "Download" button grayed out in Control Studio and the "Download" menu option grayed out in DeltaV Explorer.
    In a safety system many checks are done on the configuration prior to download. These checks cannot be done on a partial download. You perform a total download of the CSLS to implement a logic change.
    Minor changes such as modification of tuning parameters and alarm limits can be performed online and then uploaded to the database. But changes to the logic itself are not allowed without a total download.
  • Brent,

    Thanks for the response. If I do a download, will it have any impact on the running process?

    What is the standard philosophy for downloading to the CSLS?

    1) During normal operation
    2) Only during plant S/D

    Regards,

    Stanis J
  • In reply to Stanis:

    Brent,

    To answer the first part of your question: the way the DeltaV SIS logic solvers were developed, it always performs total logic solver downloads, therefore avoiding memory fragmentation, as other traditional Safety PLCs. This DOES NOT mean, though, that you cannot download a logic solver under operation. From the product point of view, a total logic solver download will NOT disrupt the process.

    The second part of your question resides in Engineering Configuration Best Practices. As you pointed out, a Non_Secure parameter is being used in a DCS interlock. Different from other traditional Safety PLCs, the DeltaV ICSS platform natively allows for status handling, so my question back to you is: in your configuration, what happens if the status of this Non_Secure parameter changes from good to bad? The same way it can happen when downloading the logic solver, it may also happen during normal operation, due to network issues, or even a failure in the logic solver, so this shall be accounted for when engineering the system.

    Lastly, to answer "when the CSLS can be downloaded", the answer will rely on how you have engineered the system.

    Let me know if you have further questions.
  • In reply to Stanis:

    Totally agree with Tadeu. By design, the SIS module can be downloaded without disrupting the Process. But after download, your logic takes over and if you've engineered an action that drives an output via the module logic, the system will execute what you configured it to do. In the case of interlocks, one common oversight is the evaluation of status and/or the lack of appropriate delay, such that transient system conditions across complex hardware solutions don't result in spurious trips.

    I want to point out that a DeltaV SIS Module can support more than one SIF, and that a CSLS can support more than one SIS Module. Each SIS Module has a unique CRC number to identify if the module has been changed in function. Similarly, there is a CRC for the IO. This is to support download of the Logic Solver and subsequently identify which of the SIS Modules and IO require additional validation testing.

    What the Logic Solver cannot tell us is whether any downloaded change will actually do what is intended. That is why IEC61511 calls for all changes to a SIL rated function to be revalidated following a download. The standard is not prescriptive as to what that validation looks like. A strict MOC process should be in place and using the CRC values, an appropriate scope of validation can be supported by this information.

    If you are looking for Do's and Don'ts for your SIS system, I would suggest referring to the Standard that governs your application; IEC 61511, BMS, or other, that apply in your country.

    And you should, as part of your design best practices, test the behavior of your configuration so that you understand how actions like Download of the Logic Solver will affect CSLS outputs, Secure and non-secure parameter status and any consequential logic this would trigger. Is the configuration robust to survive Switchover of a processor without tripping a piece of equipment? In any situation, identifying and handling all possible abnormal states is the most difficult. In an SIS, a lot is done to detect abnormal conditions and to go to a safe state, with the goal of mitigating all dangerous failures. Some failure modes are outside the logic solver's scope and it becomes a requirement of the SIF design to further mitigate against those failure modes with added coverage such as multiple initiators and end devices.

    On the BPCS side, the goal is to allow continued overall operation if possible. Using an SIS value for interlock may be to align the BPCS in case of SIS trip, and in that case, such signals can be delayed a second or two so that any transient state does not trip equipment. Or you can use Status to determine if action is required, since it is not explicitly confirmed. There is no reasonable way to document all the ways that a complex system can be engineered. DeltaV provides Status on all signals and Connection Status and normal Status provide valuable information in addition to a simple Boolean True/False value.

    Andre Dicaire
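
The status evaluation and short delay that the replies above recommend for BPCS interlocks fed by SIS signals, as an added example that is not part of the original thread and is not DeltaV configuration or any Emerson API: a plain Python simulation comparing a value-only interlock with one that checks status and applies an on-delay. The two-state status, the hold-last-good-value policy, the function names and the timings are all assumptions made for illustration.

```python
from dataclasses import dataclass

GOOD, BAD = "GOOD", "BAD"  # simplified two-state status (assumption)

@dataclass
class Sample:
    t: float      # seconds since start
    trip: bool    # trip value as read on the BPCS side
    status: str   # status delivered with the value

def naive(samples):
    """Value-only interlock: acts on whatever value arrives."""
    return [s.trip for s in samples]

def evaluate(samples, delay_s=2.0, bad_timeout_s=10.0):
    """Status-aware interlock with an on-delay (hypothetical policy).

    GOOD status: use the value. BAD status: hold the last good value, and
    treat it as a demand only once BAD has persisted for bad_timeout_s.
    A demand must then persist for delay_s before the interlock acts.
    """
    last_good, bad_since, demand_since, out = False, None, None, []
    for s in samples:
        if s.status == GOOD:
            last_good, bad_since, demand = s.trip, None, s.trip
        else:
            bad_since = s.t if bad_since is None else bad_since
            demand = last_good or (s.t - bad_since >= bad_timeout_s)
        if not demand:
            demand_since = None
        elif demand_since is None:
            demand_since = s.t
        out.append(demand_since is not None and s.t - demand_since >= delay_s)
    return out

# Constructed samples, one per second.
# Transient: status goes BAD for 3 s and the value reads True meanwhile.
TRANSIENT = [Sample(0, False, GOOD), Sample(1, True, BAD), Sample(2, True, BAD),
             Sample(3, True, BAD), Sample(4, False, GOOD), Sample(5, False, GOOD)]
# Genuine trip: value goes True with GOOD status and stays there.
REAL_TRIP = [Sample(0, False, GOOD)] + [Sample(t, True, GOOD) for t in (1, 2, 3)]
# Lost signal: status stays BAD well past the timeout.
LOST = [Sample(0, False, GOOD)] + [Sample(t, False, BAD) for t in range(1, 14)]

if __name__ == "__main__":
    for name, data in (("transient", TRANSIENT), ("trip", REAL_TRIP), ("lost", LOST)):
        print(name, "naive:", naive(data), "status+delay:", evaluate(data))
```

Running the same three sequences against the real configuration on a test system, including an actual logic solver download and a processor switchover, is what confirms the chosen delay and bad-status timeout.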