IET
Decrease font size
Increase font size
Topic Title: ATEX and PLC control
Topic Summary: Is it safe
Created On: 24 March 2015 04:23 PM
Status: Read Only
Linear : Threading : Single : Branch
Search Topic Search Topic
Topic Tools Topic Tools
View similar topics View similar topics
View topic in raw text format. Print this topic.
 24 March 2015 04:23 PM
User is offline View Users Profile Print this message



stephenbiddle

Posts: 259
Joined: 18 January 2003

Hi I'm just about to use a Siemens PLC to control a heater to heat fuel gas. Probably zone 0 Is this safe? ie in the event of a software failure the heater could get stuck on.

Stephen
 24 March 2015 09:56 PM
User is offline View Users Profile Print this message



chartassuk

Posts: 65
Joined: 25 July 2008

Hi Stephen,

I think it will be required to consider different aspects.

DSEAR 2002, regulation 5 requires a risk assessment, and risks must be eliminated or reduced as per regulation 6..

Risk assessment of (hazard x frequency) scenarios and severity of outcomes will help direct control measures required, such as:

1 - remove the hazard? not likely as it's for a fuel heating application
2 - replace the hazard? can a less volatile fuel be used?
3 - reduce the hazard? by means of protective layers, such as:

a) active preventative measures - high integrity (SIL) sensor/logic/actuator circuits
b) passive preventative measures - equipment certified and installed to minimise ignition risk (ATEX elec and non-elec)
c) active mitigative measures - fire extinguishing system
d) passive mitigative measures - blast wall
e) organisational measures - training, procedures
f) PPE

To the information given:

'Probably Zone 0 is this safe?' Has a Hazardous Area Classification been carried out to a recognised methodology by a competent person? Are there corollary Zones 1 and 2 around the application?
Once a HAC is agreed upon then EPLs can be specified, including GG and TC.

'in event of a software failure the heater could get stuck on' As part of the risk assessment above, allocation of safety functions is required, then determination of safety integrity level for these functions, thence design of the circuits with SRS, and for the controller and its programme, a SSRS - by competent persons.

DSEAR 2002 schedule 3 is pertinent to those two statements.

Remember that under DSEAR 2002, regulation 7, clause 4 requires:
"Before a workplace containing places classified as hazardous pursuant to paragraph (1) is used for the first time, the employer shall ensure that its overall explosion safety is verified by a person who is competent in the field of explosion protection as a result of his experience or any professional training or both."

Not quite as simple as taking a PLC off the shelf and wiring the outputs and writing a cyclic timer loop..
 25 March 2015 12:41 PM
User is offline View Users Profile Print this message



stephenbiddle

Posts: 259
Joined: 18 January 2003

Thanks in the light of that I'll put the PLC back on the shelf!
 26 March 2015 08:10 AM
User is offline View Users Profile Print this message



oneye

Posts: 201
Joined: 25 February 2008

You can't just put your plc back on the shelf !

Siemens do both dual redundant and fail safe systems which will fit nicely into SIL rated control systems.


Some years ago my client company had a Hydrogen project with electrical heaters.

The PLC was designed to SIL2 and the heater had 2 sets of contactors in series, with regular integrity checks to ensure fail safe even under fault conditions.'software failure' should be negated by thorough testing before commissioning.
 27 March 2015 08:18 PM
User is offline View Users Profile Print this message



jarathoon

Posts: 1061
Joined: 05 September 2004

Relatively complex PLC code as part of a SCADA control application will normally be classed as safety related.

The process of heating the fuel gas reviewed to identify the conditions under which it can operate safely.

What is the maximum gas temperature?
What is the minimum gas flow?
What is the allowed gas pressure range?
Is there any leaks?
etc

The risk assessment review (e.g. HAZOP review) could specify a simple set of conditions under which the heater cannot be allowed to operate, whether demanded by the plc controller code or manual override via the SCADA. This review will define the design of the safety interlock and how it is to be installed, maintained and tested).

The control output from the plc will then only be used to control the state of the heater via the independent safety critical interlock (i.e. not directly).

If say you set a 500 degc temperature limit for the independent (hard wired) heater safety interlock, then you might want to define a lower temperature limit for the plc to abort the entire process operation before the interlock is triggered.
The plc should have its own independent temperature sensor for this purpose. A digital input signal to the plc can be used to tell it the interlock has tripped.

Any equipment in areas where there may be an explosive atmosphere have to be designed and rated for this purpose. Normally the plc will be housed in a positive pressure control/switch room with control signals exiting via zener barriers or the equivalent.

The plc can send a heartbeat pulse to a watchdog circuit that isolates all the outputs to their fail safe state in the event of failure. This is a sensible measure for a complex safety related system but does not protect against a wide range of software coding errors. Other testing procedures should capture these.

James


-------------------------
James Arathoon
Statistics

New here?


See Also:



FuseTalk Standard Edition v3.2 - © 1999-2017 FuseTalk Inc. All rights reserved.


..