Modbus and SIL

Andy (Thread Starter)

Need some answers on the SIL implications of Yokogawa Modbus. We are being told, due to non-safety compliance, that we cannot use Modbus comms over the Yokogawa network for executive actions in an F&G system.

If you know of a workaround, or a reason why Modbus cannot be used to provide smoke and MAC signals via redundant Modbus to the Yokogawa within a non-SIL-rated F&G system, then please do enlighten me...
 
A specific SIL rating is assigned for each and every Safety Instrumented Function (SIF), which includes sensor, logic solver and final element. An F&G system is not a SIF; it is just a mitigation layer. Therefore your safety system design shall meet the safety requirement independently of the Modbus link and the F&G system. If, however, you plan to send a safety command through Modbus, say to another logic solver, then I do not think you would be meeting the SIL requirements, as Modbus is subject to request/response delay and would not meet the SIL requirements.

Hope this helps.
AbuAhmed.
 
This item cannot be fully or properly addressed without knowing the system design and SIL level requirements. Redundant communications with proper diagnostics designed into the application may meet the SIL requirement. Such applications are likely best dealt with by a certified safety systems engineer.
 
It depends on whether you are taking credit for this in a LOPA (Levels of Protection Analysis), in which case you need to be able to demonstrate mathematically the likely failure modes and reliability of the system. So even if the F&G is not SIL rated, it may still be part of the overall SIF calculation. As was said, provided the right diagnostics and dualling of common links are in place, there is a case for using it. However, the YISS safety manual for their systems should specify the design that needs to be applied to achieve a given integrity. I suggest getting a copy of that from the vendor and reviewing it; hopefully it will tell you how to structure the system and support any conversations with management :)
 
Modbus is not a safety protocol. It does not meet the requirements of IEC 62280. It does not contain sufficient communication diagnostics to detect whether a message is corrupted, out of sequence, has a masquerading address, is delayed, or is queued, etc.

Safety systems use safety protocols that detect these sorts of problems. There are a few to choose from.

Cheers,
Jonas
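
To make the point above concrete, here is an added worked example (my own illustration, not code from the original thread or from any Yokogawa product). It shows the only integrity check plain Modbus RTU carries, a 16-bit frame CRC, and then a hypothetical safety PDU layered over the Modbus payload in the style of the "black channel" safety protocols Jonas refers to: a connection identifier, a sequence counter, a timestamp and an independent safety CRC. The receiver demonstrates which of the listed faults (corruption, wrong sequence or replay, masquerading source, excessive delay) each mechanism catches. The PDU layout, the constructed failure rates and the use of a shared clock for the delay check are assumptions for the illustration; real safety protocols use their own CRC polynomials and watchdog schemes.

```python
import struct

# ---- Transport layer: plain Modbus RTU (what the thread says lacks safety diagnostics) ----

def modbus_crc16(data: bytes) -> int:
    """Modbus RTU CRC-16 (reflected polynomial 0xA001, initial value 0xFFFF)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def build_rtu_frame(unit: int, function: int, payload: bytes) -> bytes:
    """unit id + function code + payload + CRC (low byte first, as Modbus RTU transmits it)."""
    body = bytes([unit, function]) + payload
    return body + struct.pack("<H", modbus_crc16(body))

def rtu_crc_ok(frame: bytes) -> bool:
    """The only integrity check Modbus RTU provides: the frame CRC."""
    return len(frame) >= 4 and modbus_crc16(frame[:-2]) == struct.unpack("<H", frame[-2:])[0]

# ---- Safety layer: hypothetical PDU carried inside the Modbus payload ("black channel" idea) ----
# Layout (big-endian): connection id (2) | sequence (2) | send time ms (4) | command (1) | safety CRC (2)
SAFETY_FMT = ">HHIB"
SAFETY_LEN = struct.calcsize(SAFETY_FMT) + 2

def build_safety_pdu(conn_id: int, seq: int, now_ms: int, command: int) -> bytes:
    head = struct.pack(SAFETY_FMT, conn_id, seq & 0xFFFF, now_ms & 0xFFFFFFFF, command)
    # Same CRC-16 reused as the "safety CRC" for brevity; real protocols use a separate, stronger code.
    return head + struct.pack(">H", modbus_crc16(head))

class SafetyReceiver:
    """Receiver-side checks for the faults listed in the post: corruption, sequence, masquerade, delay."""

    def __init__(self, conn_id: int, timeout_ms: int):
        self.conn_id = conn_id          # the one peer this receiver trusts
        self.timeout_ms = timeout_ms    # maximum age of an accepted message
        self.expected_seq = 0
        self.safe_state = False         # latches on any fault (a real system would need a reset)
        self.last_command = None

    def _fault(self, reason: str) -> str:
        self.safe_state = True          # any detected fault -> go to / stay in the safe state
        return reason

    def accept(self, frame: bytes, now_ms: int) -> str:
        if not rtu_crc_ok(frame):
            return self._fault("transport_crc")        # bit error on the wire
        pdu = frame[2:-2]
        if len(pdu) != SAFETY_LEN:
            return self._fault("length")
        head, (safety_crc,) = pdu[:-2], struct.unpack(">H", pdu[-2:])
        if modbus_crc16(head) != safety_crc:
            return self._fault("safety_crc")           # corrupted and re-CRC'd by a gateway/repeater
        conn_id, seq, sent_ms, command = struct.unpack(SAFETY_FMT, head)
        if conn_id != self.conn_id:
            return self._fault("masquerade")           # message from a source that is not our peer
        if seq != self.expected_seq:
            return self._fault("sequence")             # lost, repeated, inserted or reordered message
        if ((now_ms - sent_ms) & 0xFFFFFFFF) > self.timeout_ms:
            return self._fault("delay")                # queued / delayed beyond the safety time
        self.expected_seq = (seq + 1) & 0xFFFF
        self.last_command = command
        return "ok"

def demo() -> list:
    """Feed constructed frames through the receiver; returns the verdict for each case."""
    rx = SafetyReceiver(conn_id=0x0101, timeout_ms=500)
    t = 1_000_000  # constructed clock value in milliseconds
    results = []

    def frame_for(seq, conn=0x0101, when=None, command=0x01):
        when = t if when is None else when
        return build_rtu_frame(1, 0x10, build_safety_pdu(conn, seq, when, command))

    good = frame_for(0)
    results.append(rx.accept(good, t))                           # "ok"; receiver now expects seq 1
    flipped = bytearray(frame_for(1)); flipped[5] ^= 0x40        # single bit error in flight
    results.append(rx.accept(bytes(flipped), t))                 # "transport_crc"
    pdu = bytearray(build_safety_pdu(0x0101, 1, t, 0x01)); pdu[8] ^= 0x01  # command byte altered
    results.append(rx.accept(build_rtu_frame(1, 0x10, bytes(pdu)), t))    # "safety_crc": transport CRC is valid
    results.append(rx.accept(frame_for(1, conn=0x0202), t))      # "masquerade"
    results.append(rx.accept(good, t))                           # "sequence": replay of seq 0
    results.append(rx.accept(frame_for(1, when=t - 800), t))     # "delay": older than timeout
    results.append(rx.accept(frame_for(1), t))                   # "ok"
    return results

if __name__ == "__main__":
    print(demo())
```

The third case is the one that matters for the thread: a Modbus gateway or repeater that decodes a frame, alters it (by fault or design) and re-encodes it produces a perfectly valid transport CRC, so only an end-to-end safety CRC computed over the safety PDU detects it. The replay and masquerade cases pass every check plain Modbus has.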
 
Let's go back to the specification of the FGS, which should be on the shelf prior to any selection of the entities of the SIS (say, Yokogawa).

Usually this spec requires the rate of reliability and/or SIL of the SIFs of the FGS.

From this point, go to the certificate of the Modbus vendor to check what SIL this link is at (1, 2, etc.). Look carefully at which HFT (0 or 1) corresponds to which rate.

Then look again at the SIS loop in its entirety.

As mentioned in previous posts, you need someone certified (or, if not, you need to have ISA 84 (or IEC 61511, modified 2004) in hand, together with other reliability data, to calculate, and then verify again by an independent person/body depending on the scale of the project).

If you don't have the money, or you need something instant to eat, then go into the above-mentioned standard and look for how to calculate/judge the SIL for the whole loop using SFF (safe failure fraction) applied to subsystems/equipment of type A and B. This is very simple and very quick for those experienced, but a little bit of a headache, or time spent, to see how it is applicable.

Hope it helps some.
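
As an added worked example of the SFF / type A-B assessment the post above describes (my own illustration, not the original poster's or any vendor's calculation), the script below computes the safe failure fraction of each subsystem in a loop, looks up the maximum SIL each may claim from the IEC 61508-2 Route 1H architectural-constraint tables for type A and type B subsystems, sums a first-order 1oo1 low-demand PFDavg (λ_DU × T1 / 2) across the loop, and reports the SIL the loop achieves, which is the lower of the architectural limit and the PFD band. All failure rates are constructed, not data for any real device; the Modbus link appears once with no diagnostics and once with diagnostics and redundancy to show why the earlier replies say the link can only be credited when it has both. The 1oo1 PFD formula is applied to every subsystem, including the HFT 1 one, as a conservative simplification; a proper 1oo2 evaluation with a common-cause factor would give a lower figure.

```python
from dataclasses import dataclass

# SIL bands for low-demand PFDavg: (SIL, lower bound inclusive, upper bound exclusive)
SIL_PFD_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]

# IEC 61508-2 Route 1H architectural constraints: maximum SIL by SFF band and HFT.
# Rows: SFF < 60 %, 60-90 %, 90-99 %, >= 99 %.  Columns: HFT 0, 1, 2.  0 means not allowed.
TYPE_A = [[1, 2, 3], [2, 3, 4], [3, 4, 4], [3, 4, 4]]   # simple devices, failure modes well defined
TYPE_B = [[0, 1, 2], [1, 2, 3], [2, 3, 4], [3, 4, 4]]   # complex devices (logic solvers, comms)

@dataclass
class Subsystem:
    name: str
    type_b: bool
    hft: int
    lambda_sd: float   # safe detected failures, per hour (constructed values in the demo)
    lambda_su: float   # safe undetected
    lambda_dd: float   # dangerous detected
    lambda_du: float   # dangerous undetected

    def sff(self) -> float:
        """Safe failure fraction: everything except dangerous undetected, over the total."""
        total = self.lambda_sd + self.lambda_su + self.lambda_dd + self.lambda_du
        return (total - self.lambda_du) / total

    def max_sil_by_architecture(self) -> int:
        s = self.sff()
        row = 0 if s < 0.60 else 1 if s < 0.90 else 2 if s < 0.99 else 3
        return (TYPE_B if self.type_b else TYPE_A)[row][min(self.hft, 2)]

    def pfd_avg(self, proof_test_interval_h: float) -> float:
        # First-order 1oo1 low-demand approximation (IEC 61508-6 style), no repair or common-cause terms.
        return self.lambda_du * proof_test_interval_h / 2

def sil_from_pfd(pfd: float) -> int:
    for sil, lo, hi in SIL_PFD_BANDS:
        if lo <= pfd < hi:
            return sil
    return 4 if pfd < 1e-5 else 0

def sif_assessment(subsystems, proof_test_interval_h: float) -> dict:
    """Whole-loop view: the weakest architectural constraint and the summed PFDavg both limit the SIL."""
    arch_limit = min(s.max_sil_by_architecture() for s in subsystems)
    pfd = sum(s.pfd_avg(proof_test_interval_h) for s in subsystems)
    pfd_sil = sil_from_pfd(pfd)
    return {"arch_limit": arch_limit, "pfd_avg": pfd, "pfd_sil": pfd_sil,
            "achieved_sil": min(arch_limit, pfd_sil)}

# Constructed subsystems for the illustration (not real product data).
SENSOR        = Subsystem("gas detector",        False, 0, 2e-6, 1e-6, 1e-6,   5e-7)
LOGIC_SOLVER  = Subsystem("logic solver",        True,  0, 5e-6, 5e-7, 4e-6,   1e-7)
FINAL_ELEMENT = Subsystem("shutdown valve",      False, 0, 1e-6, 1e-6, 5e-7,   1e-6)
LINK_PLAIN    = Subsystem("Modbus link, no diag", True,  0, 1e-6, 1e-6, 0.0,    2e-6)
LINK_REDUNDANT = Subsystem("Modbus link, diag+redundant", True, 1, 1e-6, 1e-6, 1.9e-6, 1e-7)

def demo(proof_test_interval_h: float = 8760.0) -> dict:
    """Assess the same loop with each version of the communication link (annual proof test)."""
    return {
        "plain_link": sif_assessment([SENSOR, LINK_PLAIN, LOGIC_SOLVER, FINAL_ELEMENT], proof_test_interval_h),
        "redundant_link": sif_assessment([SENSOR, LINK_REDUNDANT, LOGIC_SOLVER, FINAL_ELEMENT], proof_test_interval_h),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

With the constructed numbers, the link without diagnostics has an SFF of 50 % and, being a type B subsystem at HFT 0, is not allowed at any SIL under Route 1H, so the whole loop achieves nothing regardless of its PFD. The same link with diagnostics (SFF 97.5 %) and one redundant channel (HFT 1) is architecturally good for SIL 3, and the loop is then limited by its summed PFDavg to SIL 2, which is the kind of argument the earlier replies say a certified engineer would need to make for the vendor's safety manual.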
 
Hi Andy -

I can see the SIL police have attacked with abbreviations. While they are not incorrect, the thing to keep in mind is that most of the terms and standards being quoted to you are new, less than 10 years old, and depending on your country and industry, are not mandated by legislation or regulation.

Looking at this from another perspective, you need to consider:

(1) Is this an existing site? Has this arrangement been in-service for a period of time - is it proven? Has it ever failed in a dangerous manner?

(2) What functionality is in the Yokogawa system? Is it acting as the F&G system, closing valves in response to smoke/gas detections, or is it merely alarming those actions? Your description is not clear.

(3) What standards (country / industry) apply to your installation?

(4) And ultimately - can the system fail in a way that someone could get hurt?

Pre-SIL & SIFs and IEC 61508 etc. there were (and still are) industry standards, approved equipment and methods for ensuring minimum best practices were maintained.

As far as I know these are still acceptable, and, I hazard, still prevail in the majority of existing and new installations worldwide.

So, without digging into the bones of what you are trying to do, I will suggest you find yourself an experienced safety systems engineer, though you might find it a little simpler to find an engineer experienced in your industry who can remember the days before everything was about SIL/SIFs/LOPA/Safety Lifecycles/SRS etc.

Regards, PB
 
Hi Abu,
There are applications where F&G is part of a SIF, as part of the prevention layer (explosion protection or process control), and it can be used in low-demand or continuous mode too.
 