Discussion on Configuration of Emergency Stop System
Abstract: Emergency Shutdown Device (ESD) is a special safety protection device developed in the 1990s. Based on the actual application of the emergency shutdown system at Maoming Petrochemical, this paper focuses on the main contents, technical details and precautions of emergency shutdown system configuration.

Keywords: emergency shutdown system; hardware; software; configuration

1 Introduction

Emergency Shutdown Device (ESD) is a special safety protection device developed in the 1990s. It is a safety interlock protection system for large-scale equipment that is independent of the production process control system. Under normal circumstances, it monitors the safety of the device online in real time; when an emergency occurs in the device, it directly issues a protection interlock signal to implement interlock protection or emergency shutdown of the process flow, so that the danger does not spread and cause huge losses. ESD is generally used in important production processes with high safety control requirements. In petrochemical production especially, most devices are characterized by high temperature, high pressure, flammability, explosiveness, strong process continuity, high complexity, and high safety requirements. ESD has therefore been widely promoted and applied in petrochemical enterprises in recent years.

Due to the high technical requirements of ESD design, there are no manufacturers in China. The ESD used in China are all imported products. How to combine the imported ESD with the actual production device in hardware and software configuration is the key issue of ESD application. This paper draws on the configuration and application of ESD in multiple devices of Maoming Petrochemical Co., Ltd. for a preliminary discussion of ESD system configuration in petrochemical enterprises.
The actual production equipment of petrochemical enterprises has its own characteristics, and process conditions are ever-changing. When configuring the ESD system, it is therefore necessary to start from the basic requirements of system independence, intrinsic safety and rapid response, combine them with the standards and rules for designing interlocking systems, and weigh all the relevant factors, so that the ESD system meets the design requirements, truly plays its safety protection role, and ensures production safety to the greatest extent. At the same time, because the production process is complex and changeable, human misoperation can take many forms. When configuring the system, in addition to realizing its normal operating functions according to the process requirements, all possibilities should be considered as far as possible. Fully meeting the design requirements is the most basic requirement of ESD configuration; ensuring safe production and facilitating process operations to the greatest extent is its goal.

The basic contents of ESD system configuration include: system configuration, hardware configuration, logic configuration, operation interface configuration, SOE configuration, and configuration of communication with other systems. The following focuses on the technical details and precautions of ESD configuration.

2 System configuration and hardware configuration

System configuration and hardware configuration are the most basic work of ESD configuration. They determine whether the entire system can operate normally and whether some functions of the system can be fully realized. The basic configuration of an ESD system generally includes: control station, engineer station, operation station, SOE station, auxiliary operation table, auxiliary instrument panel and printer. Figure 1 shows a typical ESD system configuration and the relationship between its parts.

Figure 1 Typical ESD system configuration
The control station is the core unit of the ESD. It generally implements triple redundancy of the main control card (usually called the CPU card). The main control card communicates with the I/O cards through triple redundant communication cables. The I/O card power supply is generally dual redundant. The control station is connected to two switching hubs through the system's own communication card, and exchanges data with the operation station, engineer station and SOE station through the hubs. The engineer station completes all software configuration and downloads. The operation station is a complete human-machine interface, and the SOE station is used to efficiently record the sequence of events. The auxiliary operation table is generally equipped with alarm indicators and stop and reset buttons for each interlocking part. The auxiliary instrument panel can be fitted with hard bypass switches and alarm prompt lights for some process points.

Hardware configuration is internal to the ESD system and is generally completed using the configuration software provided by the ESD manufacturer. It includes: determining the model of the CPU card, the distribution and selection of the I/O cards, the allocation of I/O addresses, and the definition of variable addresses. Before hardware configuration, the necessary information should be prepared, such as the models and performance of all cards and the physical location of each card; the redundancy of each card; the specific allocation of input and output points and their physical addresses; and the specific requirements of the various interface parameters. After the hardware configuration is completed, the system should be able to idle normally.

3 Logic Configuration

3.1 Configuration Methods

General logic configuration software includes three types: ladder diagram, function block diagram and programming language.
There is generally no difference in function between the three types. Programmers can choose among them according to their programming habits. Ladder diagram and function block diagram are the most commonly used. The specific functions and implementation methods of the various ESD systems are similar.

3.2 Configuration Content and Precautions

(1) Main content of logic configuration
The core content of logic configuration is to edit the logic according to the process logic diagram. When the program is more complex, take care to complete it from top to bottom and from first to last. When the same output point appears in multiple locations in the designed logic diagram, the logic should be edited at the last occurrence to realize all its functions. In the other places, just assign the result to an intermediate variable.

(2) Determination of the status of input and output points
Current designs generally require input points to be fail-safe, that is, the input device alarms and interlocks when power is lost or the signal line is disconnected. Before programming, you must be clear about how the state of the input point changes when it is activated, that is, whether it closes or opens (or becomes "0" or "1"). Similarly, before programming, it is necessary to know whether the output is "0" stop or "1" stop.

Although buttons and switches are very similar, they must be strictly distinguished during configuration. A button inputs a pulse signal, that is, after inputting "1" (or "0") it immediately changes back to "0" (or "1"), while a switch gives a maintained signal. To cancel the action, the switch must be returned to its original position.

Interlock valves are divided into air-to-open and air-to-close types, and the start and stop of motors are mostly "0" stop because of safety considerations or the limitations of the electrical circuit itself, but whether an output is "0" stop or "1" stop depends on the actual site and process requirements.
Usually, the logic drawing of the interlock design gives only the schematic diagram of the interlock, and the specific implementation still has to be coordinated and agreed between the programmer and several other parties, such as design, process and electrical.

(3) Determination of global variables (shared variables) and local variables
Local variables can only be used in one program. Global variables can be used in all the programs of a project. Different systems may define global and local variables differently, but the ideas for implementing the various functions are basically the same. Whichever type is used, variable names should follow a regular pattern and be easy to remember.

(4) Determination of the value of the intermediate variable during action
The intermediate variable is also called a memory variable. It is a bridge for transferring values between I/O variables in the program. The intermediate variable can be a global variable or a local variable. It is generally a place where "1" or "0" is temporarily stored after a series of conditions are met. Whether "1" or "0" is stored in the intermediate variable when the interlocking action is performed can be decided arbitrarily, provided the interlocking action requirements are met. However, a principle should be set during configuration and then strictly followed. Otherwise, interlock debugging becomes more difficult, and it is easy to make mistakes in deciding between normally open and normally closed when the intermediate variable is referenced.
It can be defined that the value sent to the intermediate variable during all interlocking actions is "1" or "0"; or it can be defined that the value sent to the intermediate variable when a fault interlock occurs is "0" (or "1"), and the value sent when the interlock is normal, that is, when the conditions are met, is "1" (or "0"). In other words, before programming, it is necessary to settle on the single principle that intermediate variable assignment will follow throughout the program.

(5) Uniqueness of variables at output positions
Whether it is an intermediate variable defined in programming or a variable corresponding to a real output point, each variable should appear only once at an output position in the program. Although it is possible to have the same variable appear at multiple output positions, doing so makes the program harder to debug. The more complex the program, the greater the difficulty and the greater the probability of program errors.

4 Operation interface configuration

Although the operation interface configuration rarely affects the logic, it is the window through which operators observe and operate the related logic. The quality of the operation interface directly affects the operation of the process. The main work of operation interface configuration is to define the attributes of each object in the screen, make the dynamic connections for the screen, and so on. This work is similar in all systems, and the specific operations are not repeated here. The configuration of the operation interface must follow the principles of convenience and effectiveness. The following mainly introduces several special aspects of operation interface configuration.
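An added example for the logic-configuration rules of section 3.2 (not code from the paper or from any ESD vendor): one scan of a small interlock in Python, showing fail-safe inputs, a maintained switch versus a pulse button, one "1 = healthy" convention for intermediate variables, and each output assigned once. The tag names, the "0" stop output polarity and the rising-edge reset are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Assumed convention, applied to every variable in this example:
# 1 = healthy / run permitted, 0 = alarm / trip ("0" stop, de-energise to trip).

@dataclass
class InterlockState:
    latch_ok: int = 0    # intermediate (memory) variable: 1 = interlock not tripped
    prev_reset: int = 0  # reset input seen on the previous scan

def scan(state: InterlockState, inputs: dict) -> dict:
    """Run one logic scan and return the output image.

    A tag missing from `inputs` reads 0, the same value a broken signal
    wire or lost field power gives, so it trips like a real alarm.
    """
    press_ok = inputs.get("PSH_101_OK", 0)  # pressure switch contact (hypothetical tag)
    level_ok = inputs.get("LSL_102_OK", 0)  # level switch contact (hypothetical tag)
    stop_ok = inputs.get("HS_STOP_OK", 0)   # maintained switch: stays 0 until turned back
    reset_pb = inputs.get("PB_RESET", 0)    # momentary button: pulses to 1, then back to 0

    # Intermediate variable: 1 only while every trip condition is healthy.
    cond_ok = press_ok & level_ok & stop_ok

    # The button is a pulse, so act on its rising edge only; a stuck or
    # held button then cannot keep re-arming the interlock.
    reset_edge = reset_pb & (1 - state.prev_reset)
    state.prev_reset = reset_pb

    # Latch: any unhealthy condition trips; only a reset edge while healthy re-arms.
    if not cond_ok:
        state.latch_ok = 0
    elif reset_edge:
        state.latch_ok = 1

    # Each output variable is assigned exactly once, here at the end.
    return {"XV_103_OUT": state.latch_ok, "ALARM_LAMP": 1 - state.latch_ok}

if __name__ == "__main__":
    healthy = {"PSH_101_OK": 1, "LSL_102_OK": 1, "HS_STOP_OK": 1}  # constructed inputs
    st = InterlockState()
    print(scan(st, {**healthy, "PB_RESET": 1}))          # reset pulse re-arms
    print(scan(st, {"LSL_102_OK": 1, "HS_STOP_OK": 1}))  # PSH wire broken: trips
    print(scan(st, healthy))                             # stays tripped until reset
```

Because the reset is a pulse, the trip has to be held in the latch; with a maintained switch in its place the interlock would re-arm itself as soon as the switch was left in the reset position.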
(1) Configuration of network communication status
Whether the operation station is communicating normally with the control station can be determined by analyzing the operation interface diagram, but not all operators or instrument workers can do that analysis, so an obvious mark is needed that lets them easily tell whether the operation station and the control station are communicating. The various ESD systems do not provide a ready-made mark, so one has to be configured. The two states can be distinguished by defining an icon that flashes or jumps in different colors when communicating and when not communicating.

(2) Configuration of system operation status
How the various card components of the system are operating needs to be shown in a picture on the operation interface. When a card (or even one channel of a card) fails, in addition to sounding the buzzer alarm, the operation screen should also show which card has failed.

(3) Alarm prompt configuration
If the operation screen is divided into many pages, then when one or more alarms appear, the operator needs to know in time which operation interface has an alarm or interlock, instead of searching one screen after another or checking the alarm record to find it. This function can be achieved through configuration: when an alarm occurs, the screen where the alarm is located pops up automatically, or the button pointing to that screen changes color or flashes, and so on. In this way, when the buzzer sounds, the operator can immediately see where the alarm has occurred and take timely measures.

(4) Operation permission configuration
Operation permission means that a password is required to operate a soft button on the operation interface. Soft buttons are generally soft bypass buttons or other special buttons, such as the one for exiting the operation interface.
The main purpose of setting operation permissions is to prevent operators from operating incorrectly. When operating the button will not affect the safe production of the device, or the button is used only in an emergency, it is not necessary or not possible to set operation authority. The operation authority of each button should be set carefully according to the actual needs of the process.

5 Configuration of other aspects

5.1 SOE configuration

(1) SOE configuration
SOE (Sequence of Events) is a record of the sequence of events or accidents. ESD systems generally have SOE functions, but these are not implemented automatically and must be completed through configuration. Some systems need the SOE function to be started in the logic configuration, such as ICS's ESD. Some use special function blocks to implement it; Siemens, for example, uses MESSAGE function blocks. It is worth noting that this function block, like the FC function block, must also be placed in the CFC function block, which is equivalent to the call in the logic on the ICS system.

(2) Determination of variables that need to be entered into SOE and alarm records
SOE and alarm records are often confused. They have something in common, but there are also strict differences.
① In terms of scanning cycle, the scanning cycle of SOE in most systems is much smaller than that of alarm records.
② In terms of focus, SOE focuses on recording the sequence of accidents or events, which is used to analyze the causes of failures or events; alarm records record the alarms that have just occurred, mainly to remind the operator on duty what alarms or interlocks have occurred.
③ In terms of the number of recorded events, alarm records are usually not as many as SOE records, or the time of SOE records is not as long.
Although SOE has a short cycle and accurate records, recording more content is not necessarily better, because too many variables entering SOE will affect the scanning cycle of SOE and thereby the accuracy of the record. Which variables are introduced into SOE must be determined from the actual logic and from what is needed to analyze the cause of an event. Similarly, the alarm record exists to remind the operator of any abnormal situation. The variables introduced into the alarm record should, as far as possible, be alarm or interlock variables. If too many other variables are introduced, it becomes inconvenient for the operator to view the alarm record.

5.2 Configuration of communication with other systems

ESD systems usually require communication with the DCS. The configuration of communication with other systems mainly includes the following aspects:
(1) Determination of the communication protocol. At present, communication between the various systems mostly adopts the MODBUS communication protocol.
(2) Setting of the parameters of the communication port, including the communication port, communication baud rate, parity bit, stop bit, etc.
(3) Determination of the variables to be transmitted. The variable addresses should be continuous. The other party determines which variables to use. To facilitate variable transmission, simple logic is often edited that assigns values so that the addresses of the variables to be transmitted are continuous.

6 Conclusion

The emergency shutdown system is a special safety protection device for large-scale devices with high safety requirements. Correct and flexible configuration of the ESD system can improve the system performance-price ratio, reduce the probability of production hazards to the lowest level, and maximize the role of each part of the system. Based on the author's work experience, this article discusses the configuration of the ESD system in petrochemical enterprises.
In actual application, it is necessary to explore all aspects of ESD application in depth and to keep summarizing experience in practice, in order to raise the level of ESD application and truly enable the ESD system to play its due safety protection role.
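An added example for section 5.2, item (3) (not code from the paper or from any ESD vendor): Python that gives the variables to be transmitted consecutive MODBUS coil addresses, checks that the block is continuous, and builds the single RTU Read Coils (function 0x01) request and matching response that a continuous block makes possible. The tag names and values, the unit address 1, the base coil 100 and the choice of the ESD as the responding side are assumptions.

```python
import struct

# Constructed sample: ESD variables chosen for transmission, with current values.
ESD_TAGS = {"PSH_101_TRIP": 1, "LSL_102_TRIP": 0, "XV_103_CLOSED": 1,
            "BYPASS_ACTIVE": 0, "ESD_COMMON_ALARM": 1}
UNIT_ID, BASE_COIL = 1, 100  # assumed unit address and first coil of the block

def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: initial value 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def with_crc(frame: bytes) -> bytes:
    return frame + struct.pack("<H", crc16_modbus(frame))  # CRC is sent low byte first

def build_comm_block(tags, base):
    """The 'simple logic' step: give each transmitted tag the next coil address."""
    return {name: base + i for i, name in enumerate(tags)}

def is_contiguous(block):
    addrs = sorted(block.values())
    return addrs == list(range(addrs[0], addrs[0] + len(addrs)))

def read_coils_request(unit, start, count):
    """Function 0x01 request covering the whole block in one transaction."""
    return with_crc(struct.pack(">BBHH", unit, 0x01, start, count))

def read_coils_response(unit, block, values):
    """Pack coil values LSB first: lowest address in bit 0 of the first data byte."""
    names = sorted(block, key=block.get)
    data = bytearray((len(names) + 7) // 8)
    for i, name in enumerate(names):
        if values[name]:
            data[i // 8] |= 1 << (i % 8)
    return with_crc(bytes([unit, 0x01, len(data)]) + bytes(data))

if __name__ == "__main__":
    block = build_comm_block(ESD_TAGS, BASE_COIL)
    print(block, "contiguous:", is_contiguous(block))
    print("request :", read_coils_request(UNIT_ID, BASE_COIL, len(block)).hex(" "))
    print("response:", read_coils_response(UNIT_ID, block, ESD_TAGS).hex(" "))
```

A block with a gap in its addresses would need one request per run of addresses, or would return unrelated coils along with the intended ones, which is why the copy into a continuous block is done on the ESD side first.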