SIL 3 ESD system and stopping Motors/ pumps
What is the correct way to stop motors/ pumps to maintain a SIL3 ESD system?

We have been discussing the correct way to "stop" and ESD shutdown motors via SIL2 PLCs and SIL3 ESD PLCs.

1. Having separate Start/ Stop Interposing Relays from the SIL2 Process PLC, with a 3rd ESD Interposing Relay for the SIL3 ESD system with Stop contacts wired in series in the MCC.
E.g. 2 separate Process PLC and ESD PLCs with extra hardware including Interposing Relays.

2. Sending a "healthy" signal from the SIL3 ESD system to an input of the SIL2 Process PLC with Start/ Stop Interposing Relays from the SIL2 Process PLC to stop the motor.
E.g. An ESD would go through the Process PLC.

3. Sending a "healthy" signal from the SIL2 Process PLC system to an input of the SIL3 ESD PLC to Stop the motor via Interposing relay. Start would be from the Process PLC to interposing relay.
E.g. The PLC starts the motor direct and stops the motor via an ESD output.

Which is the correct method to maintain SIL2 and SIL3 integrity of systems? Thanks in advance.

Note: Running and Stopped status has not been mentioned.


By Anonymous on 22 March, 2004 - 3:54 pm

I'd say option 2 is a no go. If I had a hazard requiring SIL 3 protection I'd configure two redundant channels of protection fully segregated from each other. In your apps I'd combine option 1 & option 3 using two output cards (protect against CMF) to provide series contacts in the MCC (via IP relays). One contact derived from H/W inputs into the ESD PLC and the other derived from the process PLC inputs into the ESD.

By Chris Jennings on 24 March, 2004 - 6:28 pm

I would have thought that if a complete fault tree was developed for the application you are discussing you would be able to easily identify if the system you are suggesting will meet the SIL requirements.

From your assessment of what would happen if the motors failed dangerous, work backwards and determine each of the failure modes that could cause this and create your fault tree. Using the probabilities of failure of each component, you will then work out if the entire system meets the assessment as to whether the system meets SIL 1, 2 or 3.

Chris Jennings
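
The fault-tree arithmetic described in the reply above, as an added example that is not part of the original thread: it evaluates the top event "motor fails to stop on an ESD demand" for three wiring arrangements and maps the result to the IEC 61508 low-demand SIL bands. Every failure probability, the beta factor and the function names are constructed for illustration, and the 1oo2 formula is a simplified beta-factor model. It covers random hardware failure only, not architectural constraints or systematic capability.

```python
from math import prod

def gate_or(*p):
    """Top event if ANY input fails dangerous (elements in one series path)."""
    return 1 - prod(1 - x for x in p)

def gate_1oo2(p, beta):
    """Two redundant channels; beta = fraction of failures that are common-mode.
    Simplified model: independent part squared plus the common-mode part."""
    return ((1 - beta) * p) ** 2 + beta * p

def sil_band(pfd):
    """IEC 61508 low-demand bands: SIL n covers 10^-(n+1) <= PFDavg < 10^-n."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0  # worse than SIL 1

# Constructed PFDavg values, NOT taken from the thread or from any datasheet.
PFD = {
    "esd_logic": 1e-4,      # SIL3 ESD PLC: inputs + logic solver
    "process_plc": 5e-3,    # SIL2 process PLC
    "output_relay": 2e-3,   # one output card + its interposing relay
    "contactor": 3e-4,      # shared final element in the MCC
}
BETA = 0.05                 # constructed common-mode fraction

def evaluate(pfd=PFD, beta=BETA):
    e, p, r, c = (pfd[k] for k in
                  ("esd_logic", "process_plc", "output_relay", "contactor"))
    return {
        # ESD "healthy" signal routed through the process PLC:
        # every element sits in the single stop path.
        "esd_via_process_plc": gate_or(e, p, r, c),
        # Dedicated ESD interposing relay with its stop contact in the MCC.
        "dedicated_esd_relay": gate_or(e, r, c),
        # Two ESD output cards/relays with series contacts: both channels
        # must fail (or fail together) before the stop is lost.
        "two_esd_outputs_in_series": gate_or(e, gate_1oo2(r, beta), c),
    }

if __name__ == "__main__":
    for name, value in evaluate().items():
        print(f"{name:28s} PFDavg={value:.2e}  SIL band {sil_band(value)}")
```

Substituting datasheet failure rates and proof-test intervals for the constructed values is what turns this into the assessment the reply describes.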