Ovation SIS with Electronic Marshalling Safety Manual

OW360_42

Version 1
May 2016
(SIL3 Certified May 2015)
Copyright Notice

Since the equipment explained in this document has a variety of uses, the user and those
responsible for applying this equipment must satisfy themselves as to the acceptability of each
application and use of the equipment. Under no circumstances will Emerson Process
Management be responsible or liable for any damage, including indirect or consequential losses
resulting from the use, misuse, or application of this equipment.

The text, illustrations, charts, and examples included in this manual are intended solely to explain
TM
the use and application of the Ovation Unit. Due to the many variables associated with specific
uses or applications, Emerson Process Management cannot assume responsibility or liability for
actual use based upon the data provided in this manual.

No patent liability is assumed by Emerson Process Management with respect to the use of
circuits, information, equipment, or software described in this manual.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any
form or by any means, including electronic, mechanical, photocopying, recording or otherwise
without the prior express written permission of Emerson Process Management.

The document is the property of and contains Proprietary Information owned by Emerson Process
Management and/or its subcontractors and suppliers. It is transmitted in confidence and trust, and
the user agrees to treat this document in strict accordance with the terms and conditions of the
agreement under which it was provided.

This manual is printed in the USA and is subject to change without notice.

Ovation is the mark of Emerson Process Management. Other marks are the property of their
respective holders.

Copyright © Emerson Process Management Power & Water Solutions, Inc. All rights reserved.
Emerson Process Management
Power & Water Solutions
200 Beta Drive
Pittsburgh, PA 15238
USA

E-Mail: Technical.Communications@EmersonProcess.com
Web site: https://www.ovationusers.com
 Contents

1 Ovation SIS with Electronic Marshalling Safety Manual 1

1.1 Ovation SIS with Electronic Marshalling Safety Manual Overview ..................................... 1

2 Certification Coverage 3
2.1 General Information ............................................................................................................ 3
2.2 SIL Applicability ................................................................................................................... 3
2.2.1 De-energized-to-trip Applications ........................................................................... 4
2.2.2 Response Time Data ............................................................................................. 4

3 SIL Verification 7
3.1 SIL Verification Tool - exida exSILentia Tool (SILVer) ....................................................... 7

4 Restrictions: SIS CHARMs Smart Logic Solver Specification 9

4.1 Specification Restrictions .................................................................................................... 9

5 Considerations: All Ovation SIS with Electronic Marshalling

Systems 11
5.1 Considerations .................................................................................................................. 11
5.2 Proof Testing ..................................................................................................................... 12

6 Avoiding the Systematic Failures 13

6.1 To Avoid the Systematic Failures...................................................................................... 13

7 Limits 15
7.1 Product Life ....................................................................................................................... 15
7.2 Environmental Conditions ................................................................................................. 15
7.3 Application Configuration Limits ........................................................................................ 15

8 Recommendations for Management of Functional Competency 17

8.1 Recommendations ............................................................................................................ 17

OW360_42 i
Table of Contents

9 Energized-to-trip Applications 19
9.1 Energized-to-trip Applications ........................................................................................... 19
9.1.1 Energized-to-trip Applications (with Inverted Logic) ............................................ 19
9.1.2 Energized-to-trip Applications (with Auxiliary Relay) ........................................... 20
9.2 High Demand Mode .......................................................................................................... 20
9.2.1 Response Time in High Demand Mode ............................................................... 20
9.2.2 Other Considerations for High Demand Mode ..................................................... 20

10 Required Practices 21
10.1 Required practices overview ............................................................................................. 21
10.1.1 Installation and Site Acceptance Testing ............................................................. 21
10.1.2 Maintenance procedure ....................................................................................... 21
10.1.3 Managing Changes in the Ovation SIS with Electronic Marshalling Runtime
System ................................................................................................................. 21
10.1.4 Loading the SIS CHARMs Smart Logic Solver .................................................... 22
10.1.5 Functional testing after the initial load .................................................................. 22
10.1.6 Recording CRC values ......................................................................................... 22
10.1.7 Subsequent loads ................................................................................................ 23
10.1.8 Loading to a running process ............................................................................... 24
10.1.9 Functional testing after loading to a running process .......................................... 26
10.1.10 Fire and Gas Applications .................................................................................... 27
10.1.11 Burner Management System Applications ........................................................... 27
10.1.12 Using HART Two-state Output Channels and Digital Valve Controllers ............. 28
10.1.13 Using Non-secure Parameter References in SIS Modules .................................. 28
10.1.14 Non-safety-critical use .......................................................................................... 29
10.1.15 Safety-critical use ................................................................................................. 29
10.1.16 Cyber security for SIS for Electronic Marshalling ................................................ 30

Index 31

ii OW360_42
S E C T I O N 1

Ovation SIS with Electronic Marshalling Safety

Manual

IN THIS SECTION

Ovation SIS with Electronic Marshalling Safety Manual Overview ..................................... 1

1.1 Ovation SIS w ith Electronic Marshalling Safety Manual Overview

This document contains important information on how Ovation SIS with Electronic Marshalling is
to be used in a Safety Instrumented System to place and/or maintain the equipment under control
in an appropriate state. The guidelines in this document must be followed when using Ovation SIS
with Electronic Marshalling in a safety-critical application.

OW360_42 1
S E C T I O N 2

Certification Coverage

IN THIS SECTION

General Information ............................................................................................................ 3

SIL Applicability ................................................................................................................... 3

2.1 General Information

The Characterization Module (CHARM) subsystem and the CHARMs Smart Logic Solver (CSLS)
hardware and firmware have been certified by TUV and exida for use in applications with a
maximum Safety Integrity Level of three (SIL3) according to IEC-61508:2010 Part 1 to Part 7. The
SIL3 rating applies to simplex and redundant CSLS hardware configurations; low and high
demand mode applications, de-energize-to-trip, and energize-to-trip applications.

Consider the following constraints on use in SIL3 applications (no constraints for SIL1 and SIL2):
 In a SIL3 safety instrumented function, each process variable should have a minimum of two
input CHARMs with voting logic in a SIS module to provide fault tolerance.
 In an energized-to-trip Safety Instrumented Function (SIF), the energized-to-trip output
CHARMs should be installed in a redundant hardware configuration. This can be either
redundant CHARMs to a single final element or redundant final elements, each with its own
CHARM as appropriate for the application.
Follow these guidelines in all the energized-to-trip applications:
 Use a separate, monitored power source for each power input to the CSLS/CHARMs carrier.
 Enable line fault detection in the applicable CHARMs and install end of line resistors or
NAMUR sensors as described in the Ovation SIS with Electronic Marshalling User Guide.
The CSLS and CHARMs subsystem have been certified as a logic solver suitable for fire and gas
detection systems and burner management systems by TUV and/or exida according to relevant
requirements of NFPA 72 and EN 54-2 (fire and gas) and NFPA 85, NFPA 86, NFPA 87, EN 298,
and EN 50156 (burner management).

Note: While developing the safety-critical applications, you must comply with the standards
required by the authority having jurisdiction. You must meet all requirements for a given
standard and follow any additional regulatory requirements.

2.2 SIL Applicability

According to IEC 61508, exida has certified the Ovation SIS with Electronic Marshalling hardware
and firmware as SIL3 capable with a maximum Safety Integrity Level of three (3). The SIL3
capability rating applies to both simplex and redundant CHARMs Smart Logic Solvers.
Redundancy increases availability.

OW360_42 3
2.2 SIL Applicability

The Ovation SIS CHARMs Smart Logic Solver is certified to be used in both low demand and high
demand modes of operation as defined by IEC 61508.

2.2.1 De-energized-to-trip Applications

In de-energized-to-trip applications, the advanced architecture of the SIS CHARMs Smart Logic
Solver achieves SIL3 safety in a simplex hardware module. A simplex SIS CHARMs Smart Logic
Solver provides the hardware fault tolerance and safe failure fraction to meet the SIL3
architectural requirements. A redundant SIS CSLS increases availability and reduces false trips to
meet the SIL3 architectural requirement.

The SIL3 rating applies to both low and high demand modes of operation. In a de-energized-to-
trip application, the safe state for all output channels of a given Safety Instrumented Function
(SIF) is off or low. This corresponds to the safe state of output channels if the SIS CSLS needs to
remove power in response to a dangerous failure being detected by its advanced diagnostics.

When the high power discrete outputs are needed, utilize the certified external power relay.

SIS module configuration techniques do not change when the auxiliary relays are used in a de-
energized-to-trip application.

2.2.2 Response Time Data

The response time for a SIF must be less than the process safety time. The SIF has a response
time associated with the sensor, CHARMs Smart Logic Solver, CHARMs I/Os, and final element
subsystems. The sum of all the values of response time must be less than the process safety
time. The response time of the CHARMs Smart Logic Solver subsystem is the time between any
change on a SIF input channel that should result in a trip and the time that the output channel or
channels change to the tripped state. The time is measured from one screw terminal to another
screw terminal.

Use the following information when determining the response time of your safety instrumented
functions. The following table shows the maximum response time as a function of the CSLS scan
rate. The time begins with a change at the screw terminals of an input CHARM that initiates a trip
and ends when the screw terminals at the output CHARM apply the tripped state.

The table is based on a Digital Input (DI) initiating the trip to a Digital Output (DO) applying the trip
state.

Maximum CHARMs Smart Logic Solver Response Time with No Faults Present

CHARMS SMART LOGIC SOLVER MAXIMUM RESPONSE TIME VALUE WITH NO

SCAN RATE FAULTS PRESE NT (MILLISE CONDS )
(MILLISECONDS)

50 150
100 250
150 350
200 450

4 OW360_42
 2.2 SIL Applicability

Note the following concerning response time:

1. The response time increases by 50 milliseconds when using an Analog Input CHARM as the
trip initiator.
2. The response time increases by 100 milliseconds when using a Thermocouple or RTD
CHARM as the trip initiator.
3. The response time increases by 50 milliseconds if any input CHARM in the safety
instrumented function is on a CSLS other than the CSLS driving the output(s).
4. If there are multiple SIS modules involved in the safety instrumented function using secure
parameter communication, the response time increases by the scan rate of the CSLS
containing the secure parameter (not the secure parameter reference).
5. If SIS module logic includes delays such as the trip delay time in voter function blocks, the
response time will increase by the length of those delays.
6. For high demand mode applications – Although the probability of an undetected fault being
present at the time of a demand is extremely low, it may be appropriate to assume faults are
present when determining the response time for the high demand mode.
7. The maximum fault detection and reaction time of the CSLS at any scan rate and for the
output CHARMs is 400 milliseconds. Therefore, consider allocating an additional 400
milliseconds of response time in high demand mode applications.

OW360_42 5
S E C T I O N 3

SIL Verification

IN THIS SECTION

SIL Verification Tool - exida exSILentia Tool (SILVer)........................................................ 7

3.1 SIL Verification Tool - exida exSILentia Tool (SILVer)

To verify that a SIF meets the assigned SIL, the probability of the failing SIF needs to be
determined. The Ovation SIS with Electronic Marshalling Failure Modes Effects and Diagnostics
Analysis (FMEDA) report contains failure rate and other data to help you verify that the safety
requirements are met. It contains the information necessary to perform SIL verification
calculations for the SIF’s CHARMs Smart Logic Solver subsystem, including failure rates by
failure category, diagnostic coverage and common cause factors, hardware fault tolerance, and
device type.

The Ovation SIS with Electronic Marshalling FMEDA report provides data for probabilistic
calculations for your safety instrumented functions and other evidences to verify that your safety
requirements are being met. The use of a SIL verification tool is recommended to get the most
accurate results possible. Emerson Process Management recommends the exida exSILentia tool
(SILVer), whose SIL verification uses Markov analysis and is based on data from the Ovation SIS
with Electronic Marshalling FMEDA Report. Visit the exida website at http://www.exida.com. An
Emerson specific version is also available on the Guardian website. Refer to the FMEDA report
on the Guardian website for the following information on various components with assumptions
and justification:
 Failure behavior and failure rates.
 Diagnostics coverage factors for automatic diagnostics and manual proof tests.
 Diagnostics test Interval.
 Component type (A or B).
 Hardware fault tolerance.
 Useful lifetime.
Refer to the Ovation SIS with Electronic Marshalling User Guide for the following information:
 Power and grounding restrictions.
 Environmental constraints.
 Hazardous area installation requirements.
 Intrinsically safe input certification and restrictions on the use.
Emerson Power & Water Solutions provides a service to perform SIL verification of the safety
system that generates an Ovation SIS with Electronic Marshalling FMEDA report. Contact your
local Emerson sales representative, service engineer, or project engineer to obtain the SIL
verification performed for your safety system.

OW360_42 7
S E C T I O N 4

Restrictions: SIS CHARMs Smart Logic Solver

Specification

IN THIS SECTION

Specification Restrictions .................................................................................................... 9

4.1 Specification Restrictions

There are no SIS CHARMs Smart Logic Solver specific restrictions.

OW360_42 9
S E C T I O N 5

Considerations: All Ovation SIS with Electronic

Marshalling Systems

IN THIS SECTION

Considerations .................................................................................................................. 11
Proof Testing ..................................................................................................................... 12

5.1 Considerations
Ovation SIS with Electronic Marshalling is to be used according to the practices required by IEC
61508 and IEC 61511 as summarized below. Each topic is discussed in more detail in Required
Practices (see page 21).
 As with any CHARMs Smart Logic Solver, you must complete a full functional test of the
Ovation SIS with Electronic Marshalling configuration before it is allowed to provide the
protection function in a running process.
After a subsequent load and prior to the Ovation SIS with Electronic Marshalling continuing to
provide its protection function unsupervised, you must assess what has changed in the
CHARMs Smart Logic Solver since the last functional test by examining the CRC values in
the Ovation Developer Studio. Refer to Ovation Developer Studio User Guide for more
information. Any control module or I/O channel that indicates a change must be revalidated;
that is, a functional test must be completed.
 You are allowed to load a CHARMs Smart Logic Solver while it is providing the protection
function in a running process under the following condition:
 The equipment under control of the CSLS must be supervised during the load and
until completion of the functional test (or until it is determined that a functional test is
not required).

Note: Loading of the CHARMs Smart Logic Solver may cause temporary unavailability of its
Secured Parameters transmitted to other CSLSs. This may result in activation of the safety
protection in other CSLS.

 The shortest process safety time associated with the CSLS must be long enough for
operators to monitor and react. This helps the operator to manually provide the protection
function during the load and functional test.
 All changes to operational parameters must be validated prior to the system providing the
protection function without supervision.
 Fire and gas applications should comply with local fire codes by following all standards
required by the authority having jurisdiction such as EN54 in Europe and NFPA72 in the
United States. Refer to Required Practices (see page 21) for more information.
 Burner Management Systems should comply with local codes by following all standards
required by the authority having jurisdiction such as NFPA85 in the United States and
EN50156-1 in Europe.

OW360_42 11
5.2 Proof Testing

5.2 Proof Testing

The proof test for a CSLS or CHARM consists of a reset and power-up of the component. During
power-up, the CSLS and CHARMs run additional diagnostic tests that can reveal dangerous
faults not detectable by their continuous runtime diagnostics.

Manual proof tests are started from the Developer Studio. CSLS proof tests can optionally be
scheduled to occur automatically at a configured interval. There is no adverse impact to the
running process when redundant CSLSs are proof tested.

CHARMs are proof tested separately from the CSLS and can be selected for test individually.
Redundant output CHARMs allow online proof testing. Input CHARMs may require a supervised
bypass for online proof testing depending on the voting scheme.

Refer to the Ovation SIS with Electronic Marshalling User Guide for the specific proof test
procedures.

Note: Emerson Process Management imposes no frequency of proof testing for the CSLS or
CHARMs. The necessary interval is entirely dependent on the target hardware safety integrity in
your applications.

12 OW360_42
S E C T I O N 6

Avoiding the Systematic Failures

IN THIS SECTION

To Avoid the Systematic Failures ...................................................................................... 13

6.1 To Avoid the S ystematic Failures

The systematic capability of the CSLS and output CHARMs firmware is SC3. This capability is
achieved through compliance with the requirements of IEC-61508 by following a SIL3 compliant
development process for avoidance and control of the systematic faults. You may use any of the
configuration elements available in the SIS modules in the safety critical applications. Refer to
the Ovation SIS with Electronic Marshalling User Guide for a specification of the function blocks
and other SIS module configuration elements.

When creating and deploying safety-critical applications, follow these guidelines to avoid
systematic failures in the application:
 SIS modules support a user-defined parameter type called non-secure parameter reference,
intended for non-safety-critical use. The application programmer should not allow the safety
function to be compromised based on the value of a non-secure parameter reference. If a
parameter of this type participates in a safety-critical control action, be sure to validate the
parameter value in SIS module logic. Refer to Required Practices (see page 21) for more
information.
 Other than the non-secure parameter reference, all configuration elements available in the
SIS modules may be used without special consideration in a safety critical application up to
and including SIL3. This includes the Calculation-Logic function block expression language,
which is a limited variability language.
 The person configuring SIS module logic has influence over the SIS CHARMs Smart Logic
Solver's response to certain faults detected in the SIS CHARMs Smart Logic Solver and field
instruments. For faults specific to one I/O channel or one field device, the SIS CHARMs
Smart Logic Solver integrates Bad status with the value on the channel. The SIS module can
be configured to respond to Bad status as needed by the application. Configuring the system
response to Bad status includes choosing the status options, fault state options, and certain
time duration values when the application requires.
 Your site acceptance procedures should address functional testing of applications running in
CHARMs Smart Logic Solvers. Ovation SIS with Electronic Marshalling allows online changes
to the application program. Functional testing may be needed after downloading a CSLS that
is providing the protection function for a running process. Online downloads should be subject
to a safety impact analysis to determine which components of the application program have
been impacted and the necessary re-verification and re-validation activities. It is possible to
assess what has changed in SIS modules and CHARM configuration since the last functional
test by examining the CRC values.

OW360_42 13
6.1 To Avoid the Systematic Failures

 After an online download of a CSLS, its safety instrumented functions should be considered
disabled or bypassed until the impact analysis and necessary activities have been completed.
The equipment under control should be supervised during this time. Therefore, you should
allow online downloads only when the process safety time is long enough for operators to
monitor and react to manually provide the protection function.
 The Ovation SIS with Electronic Marshalling secure write server is certified for use in safety
rated applications up to SIL3. Only the secure write server can make runtime changes to
parameters in the SIS CHARMs Smart Logic Solver made from the Developers Studio,
including maintenance bypasses, operator resets, and all other parameters that are allowed
to be changed at runtime.
 Ovation SIS with Electronic Marshalling has a built-in bypass facility for managing
maintenance overrides. A bypass allows a maintenance activity, such as calibration, proof
testing, or repair of a transmitter or other sensor, to take place without a concern for a
spurious trip. Bypasses in control module logic in the SIS CHARMs Smart Logic Solver can
be set and cleared using a secure write operation.

Note: The online parameter changes made by operators, for example resets and maintenance
bypasses, are completed using a SIL3 compliant secure write server and do not require
functional testing. You can be certain the parameter has been changed to the confirmed value.

 Output CHARMs configured as "Two-State DVC Output" are intended for certain final
elements. You should physically connect a CHARM of this type to only a Fisher Controls
DVC6000 SIS (firmware revision 6 or later), a Fisher Controls DVC6200 SIS, or a digital valve
controller certified by Emerson Process Management as being equivalent. Refer to the
Guardian website for the current list.
 The following applies only to safety instrumented functions operating in high demand mode
and having input CHARMs without voting logic in the SIS module to provide fault tolerance.
High demand mode applications may require automatic shutdown following detection of a
dangerous failure. A dangerous failure detected in an input CHARM will result in Bad status
integrated with the value in the SIS module. When automatic shutdown is required, the SIS
module configuration should respond to Bad status on the input to drive the output(s) to the
safe state if the repair cannot be completed in time.

14 OW360_42
S E C T I O N 7

Limits

IN THIS SECTION

Product Life ....................................................................................................................... 15

Environmental Conditions ................................................................................................. 15
Application Configuration Limits ........................................................................................ 15

7.1 Product Life

The approximate lifetime limit of the CHARMs Smart Logic Solver is 50 years based on the worst
case scenario.

7.2 Environmental Conditions

Refer to SIS environmental specifications in the Ovation SIS with Electronic Marshalling User
Guide for limits on environmental conditions.

7.3 Application Configuration Limits

Application configuration limits are imposed by the Ovation Control Builder (refer to Ovation
Control Builder User Guide for more information). Special consideration is not required to prevent
limits from being exceeded. Refer to Limitations for SIS in the Ovation SIS with Electronic
Marshalling User Guide for the SIS application limits.

OW360_42 15
S E C T I O N 8

Recommendations for Management of Functional

Competency

IN THIS SECTION

Recommendations ............................................................................................................ 17

8.1 Recommendations

Ovation SIS with Electronic Marshalling is intended to be used in accordance with a defined
safety lifecycle that is described in IEC 61511. Emerson recommends the following additional
functional safety management requirements:

Competence of Persons - Engineering

All persons involved in the initial implementation or modification of the application software must
have appropriate training. Opportunities for training include reading this manual, reading Ovation
SIS with Electronic Marshalling product manuals, and attending a training class taught by certified
personnel.

Competence of Persons - Installation and Hardware Maintenance

All persons involved in installation and hardware maintenance activities must have appropriate
training. Opportunities for training include reading this manual, reading Ovation SIS with
Electronic Marshalling product manuals, and attending a training class taught by certified
personnel.

Competence of Persons - General

All persons involved in any aspect of Ovation SIS with Electronic Marshalling use, including
engineers, operators, supervisors, maintenance personnel, and system administrators, must have
training in the importance of safety instrumented systems. All persons must have a specific
training in the procedures for which they are responsible. Ovation system administrators must
ensure that all individuals that have access to Ovation SIS with Electronic Marshalling activities
are trained and competent.

OW360_42 17
S E C T I O N 9

Energized-to-trip Applications

IN THIS SECTION

Energized-to-trip Applications ........................................................................................... 19

High Demand Mode .......................................................................................................... 20

9.1 Energized-to-trip Applications

To achieve SIL3 in an energize-to-trip application, a HFT = 1 is required for the output.

This can be achieved by using redundant ETA CHARM or using two ETA CHARMs and two field
elements.

9.1.1 Energized-to-trip Applications (with Inverted Logic)

When the safe state for an SIS CHARMs output channel is on or high, the application is
energized-to-trip from the perspective of the output channel. To achieve the safe state, the
energized-to-trip output channels require control module configuration to drive the SIS CHARMs
Smart Logic Solver output channel value to the on or high state. The SIS module logic essentially
inverts the output signals as compared to de-energized-to-trip logic.

If the SIS CHARMs Smart Logic Solver removes power in response to detecting a dangerous
failure in an application with inverted SIS module logic, the equipment under control remains in
the normal operating state. The Ovation system annunciates a dangerous failure in a SIS
CHARMs Smart Logic Solver through a hardware alarm. In response to the alarm, the operators
can manually take the process to the safe state if the repair cannot be completed within the Mean
Time To Repair (MTTR) used for SIL verification.

Using Inverted Logic in Low Demand Mode

In the low demand mode of operation, there is sufficient time to manually respond to an
annunciated dangerous failure. Credit can be taken for SIS CHARMs Smart Logic Solver
diagnostics such that dangerous detected failures are included in the safe failure fraction. The SIS
CHARMs Smart Logic Solver meets the SIL3 architectural requirements for a simplex or
redundant Logic Solver.

Using Inverted Logic in High Demand Mode

In the high demand mode, the process safety time or demand rate may not allow time for a
manual response following the annunciation of a dangerous failure. Emerson recommends that
no credit be taken for diagnostics when using the inverted logic in the high demand mode.

OW360_42 19
9.2 High Demand Mode

9.1.2 Energized-to-trip Applications (with Auxiliary Relay)

If a high-power discrete output is needed for an energized-to-trip application, the Auxiliary Relay
energized-to-trip and Auxiliary Relay Diode modules can be combined with the energized-to-trip
CHARM output.

The energized-to-trip relay module is installed near the CHARM energized-to-trip output and is
wired to both the Digital Output channel and supplemental Digital Input channel. The Diode
module is installed near the final element and is wired to the energized-to-trip relay module and
the final element. The energized-to-trip relay module adds 30 milliseconds to the response time of
the SIF. Refer to the Ovation SIS with Electronic Marshalling User Guide for installation details.

9.2 High Demand Mode

The following sections discuss considerations for high demand mode.

9.2.1 Response Time in High Demand Mode

The response time discussion for the low demand mode in Response Time Data (see page 4)
also applies when operating in high demand mode. Although the probability of an undetected fault
being present at the time of a demand is extremely low, you must assume a fault may be present
when allocating the response time for the Ovation SIS with Electronic Marshalling subsystem in
the high demand mode applications. The maximum fault detection and reaction time of the
Ovation SIS with Electronic Marshalling for any scan rate is 400 milliseconds. Therefore, for high
demand mode applications, you must allocate an additional 400 milliseconds for the CHARMs
Smart Logic Solver subsystem response time.

Note: The recommendation to include the fault detection and reaction time in the response time
does not apply in the low demand mode.

9.2.2 Other Considerations for High Demand Mode

The high demand mode of operation is defined by IEC 61508. High demand mode may apply by
definition or whenever it is more appropriate to treat a SIF as operating in high demand mode
instead of low demand. The following applies to both de-energized-to-trip and energized-to-trip
applications.

The SIS CHARMs Smart Logic Solver does not automatically de-energize outputs when faults are
detected on input channels because the fault may originate in field devices or field wiring. Instead,
the SIS CHARMs Smart Logic Solver integrates Bad status with the channel value. The SIS
module logic can be configured to respond appropriately to Bad status on input channels. In the
high demand mode applications, the allowed repair time for faults detected on input channels
should be limited by SIS module configuration. This helps the SIS CHARMs Smart Logic Solver to
drive applicable outputs to the safe state if the repair cannot be completed in time.

20 OW360_42
S E C T I O N 10

Required Practices

IN THIS SECTION

Required practices overview ............................................................................................. 21

10.1 Required practices overview

This section contains additional information on required practices as they relate to restrictions in
the use of Ovation SIS with Electronic Marshalling.

10.1.1 Installation and Site Acceptance Testing

Installation of an Ovation SIS with Electronic Marshalling system must conform to the guidelines
in the Ovation SIS with Electronic Marshalling User Guide.

Your site acceptance procedures must include functional testing of the application programs
running in CHARMs Smart Logic Solvers. Managing changes in the Ovation SIS with Electronic
Marshalling runtime system (see page 21) contains requirements related to loading and testing
the CHARMs Smart Logic Solver.

10.1.2 Maintenance procedure

Repairing a defective CSLS or CHARM consists of replacing the broken or defective components.
You do not need any tools for replacing the components.

10.1.3 Managing Changes in the Ovation SIS with Electronic Marshalling Runtime
System

Perform either of the following tasks to make a change to the Ovation SIS with Electronic
Marshalling runtime system:
 Load the application to a CHARMs Smart Logic Solver using the Ovation Developer Studio.
 Change a parameter value in the CHARMs Smart Logic Solver using an SIS write operation
from the Ovation Signal Viewer or the Ovation Operator Graphics application.
You are required to perform a functional test after a load or a change to a parameter value
through an SIS write operation.

For more details, see the following sections:

 Loading the SIS CHARMs Smart Logic Solver (see page 22).
 Functional testing after the initial load (see page 22).
 Recording CRC values (see page 22).
 Subsequent loads (see page 23).

OW360_42 21
10.1 Required practices overview

 Loading to a running process (see page 24).

 Functional testing after loading to a running process (see page 26).

10.1.4 Loading the SIS CHARMs Smart Logic Solver

Ovation SIS with Electronic Marshalling provides a way to determine what changes have been
made to the runtime system as a result of an SIS CHARMs Smart Logic Solver load. As a result, it
is easy to determine what subset of the logic in the SIS CSLS must be revalidated (functionally
tested after the load).

Loading of an SIS CLSL is always a user-initiated event. After the initial load, a subsequent load
of the SIS CSLS is not necessary unless you have made changes to the configuration applicable
to the SIS CSLS.

Note: The secured parameter transmission might be suspended during online loads, which, as
a result, may further lead to BAD quality generation at the receiving side and subsequent
actions related to the programmed logic.

10.1.5 Functional testing after the initial load

WARNING! You must complete a full functional test of the Logic Solver configuration before it
is allowed to provide the protection function in a running process.

After an initial load of a CHARMs Smart Logic Solver, you must ensure that all the output
channels respond appropriately as you manipulate the value of input channels on that CSLS (and
other CSLSs, if applicable). This initial test must be a screw terminal to screw terminal test,
preferably from sensor to final element.

10.1.6 Recording CRC values

The CHARMs Smart Logic Solver calculates a number of Cyclic Redundancy Check (CRC)
values as it processes a load script. The CRC values are visible in the Ovation Developer Studio
and are useful for verifying whether subsequent loads produce logic in the CHARMs Smart Logic
Solver identical to what had been running. A different CRC value for a given SIS module or I/O
channel after a load indicates that there is some difference in what is now running in the CHARMs
Smart Logic Solver. The CRC value calculated by the CHARMs Smart Logic solver accurately
reflects what is running in the CHARMs Smart Logic Solver when the load script is applied. The
Ovation Developer Studio shows the CRC values calculated by the CHARMs Smart Logic Solver,
which include:
 An overall CRC for the device.
 A CRC for each SIS module.
 A CRC for each individual I/O channel.

Note: Whenever you perform a functional test of the logic in an SIS CHARMs Smart Logic
Solver, document the applicable CRC values along with the test results as part of your safety
lifecycle management procedures.

22 OW360_42
 10.1 Required practices overview

10.1.7 Subsequent loads

After the initial load, a CHARMs Smart Logic Solver requires a subsequent load when there have
been configuration changes made to it and the time is appropriate to apply the changes. When a
CHARMs Smart Logic Solver is loaded, it receives a complete load script, not a partial script of
the changes that have been made. The CHARMs Smart Logic Solver processes the script and
replaces the entire running configuration after copying certain parameter information where
possible, so that non-disruptive online changes occur (see Loading to a running process (see
page 24)).

WARNING! After a subsequent load and prior to the CHARMs Smart Logic Solver continuing
to provide its protection function, you must assess what has changed in the CHARMs Smart
Logic Solver since the last functional test by examining the CRC values using the Ovation
Developer Studio. Any control module or I/O channel that indicates a change must be
revalidated.

If the overall CRC value for the CHARMs Smart Logic Solver matches the value from the previous
load, you can be certain the identical configuration is running in the CHARMs Smart Logic Solver
after the load. However, the overall CRC must have the same value as your documented, last-
tested overall CRC. If it does not, some functional testing is required. Compare the overall CRC
with your documented, last-tested value. If they differ, check for differences between the current
CRC value for each of the four potential SIS modules and your documented, last-tested value for
each control module. Also check for differences between the combined I/O CRC value and your
documented, last-tested combined I/O CRC value.

CAUTION! Whenever you load a CHARMs Smart Logic Solver, compare the newly calculated
overall CRC value with your documented last-tested value even if you do not anticipate a
difference.

Any control module whose CRC value differs from the last-tested value must have a functional
test done before it can provide its protection function in a running process. Unless the load is
being done online (while the process is running), your standard test procedure for that control
module should be followed. For modifications to the standard test procedure following an online
load, see Functional testing after loading to a running process (see page 26).

If the combined I/O CRC value differs from your documented last-tested value, examine each of
the individual channel CRC values to view which value differs from the documented, last-tested
value. Any difference implies a change in a configurable I/O channel parameter value. For
channels whose CRC values have changed, perform tests according to the following table based
on the channel type:

When to Test Channel Parameters when the CRC Value Changes After a Load

CHANNEL TYPE CONFIGURABLE P ARAME TE R WHEN TO TEST

Analog Input Enable NAMUR alarming Test if configured as True.

Analog over range pct Test channel if referenced by an Analog Input
algorithm (in this or another CHARMs Smart
Analog under range pct Logic Solver) with the SOP8 ("Status Opt: Bad
if Limited") parameter enabled.

OW360_42 23
10.1 Required practices overview

CHANNEL TYPE CONFIGURABLE P ARAME TE R WHEN TO TEST

HART Analog Enable NAMUR alarming Same as Analog Input channel.

Input
Analog over range pct
Analog under range pct
Ignore PV Out of Limits Not required; HART communication is not
safety-critical.
Ignore Analog-Digital Mismatch
Ignore PV Output Saturated
Ignore PV Output Fixed
Ignore Loss of Digital Comms
Ignore Field Device Malfunction
Loop current mismatch detection
Digital Input Detect open and short circuit Test if configured as True.
Digital Output Detect open and short circuit Test if configured as True.
HART Two-state Loop current mismatch detection Not required; HART communication is not
Output safety-critical.
The slot n device code from the
AO card
Enabled HART slot n

10.1.8 Loading to a running process

The need to make configuration changes to a CHARMs Smart Logic Solver after it is protecting a
running process should be infrequent, and the need to load those changes prior to the next
scheduled outage should be even less frequent.

WARNING! You are allowed to load a CHARMs Smart Logic Solver while it is providing the
protection function in a running process, with the following restrictions:

1. The equipment under control of the CHARMs Smart Logic Solver must be supervised during
the load and until completion of the functional test (or until it is determined that a functional test
is not required).

2. The shortest process safety time associated with the CHARMs Smart Logic Solver must be
long enough to allow time for operators to monitor and react, and thus manually provide the
protection function during the load and functional test.

Note: The secured parameter transmission might be suspended during online loads, which, as
a result, may further lead to BAD quality generation at the receiving side and subsequent
actions related to the programmed logic.

Some changes require a load to the CHARMs Smart Logic Solver to take effect. There are certain
changes that require a CSLS load. However, those changes do not result in a modification to the
overall CRC value in the CSLS after the load completes. The following table lists various changes
that can be made, what is required to apply the change to the runtime system, and the impact to
the CHARMs Smart Logic Solver overall CRC value.

24 OW360_42
 10.1 Required practices overview

How to Apply CHARMs Smart Logic Solver Configuration Changes to the Runtime Systems

CHANGE MADE TO THE CONFIGURATION HOW TO APPLY THE CHANGE TO THE RUNTIME SYSTEM
DATABASE AND THE RESULTING IMPACT TO THE CHARMS SMART
LOGIC SOLVER
 Add/delete an algorithm. Requires a CHARMs Smart Logic Solver load to take effect.
 Add/delete a user-defined parameter or change
its definition. Changes the CHARMs Smart Logic Solver CRC value.
 Add/delete a signal line.
 Change a configurable but not runtime- writable
control module parameter value.
 Change a configurable I/O channel parameter
value.
 Change a CHARMs Smart Logic Solver scan
rate or global publishing property.
 Change a CHARMs Smart Logic Solver Requires a CHARMs Smart Logic Solver load to take effect,
property other than scan rate or global but does not change the CHARMs Smart Logic Solver CRC
publishing. value.
 Change a control module property.
 Change a HART device property.
 Change a runtime-writable control module Can be changed by an SIS write command or a load. If
parameter value. changed by a load, it changes the CHARMs Smart Logic
Solver CRC value. However, if changed by the SIS write
command, it does not change the CRC value.
It changes the CHARMs Smart Logic Solver CRC value on
the next load if the change is made using the SIS write
command, and then reconciled.
 Change a configurable field of an alarm Can be changed using an SIS write command or a load. It
parameter. does not change the CHARMs Smart Logic Solver CRC value
 Change the value of an algorithm parameter in either case.
not associated with SIS logic.

Any successful load performed on a CHARMs Smart Logic Solver replaces the application
program running in the Logic Solver.

Make sure that after reconciling the parameter change with the database, a subsequent load
results in a change to the overall CHARMs Smart Logic solver CRC value. There is no
requirement to perform a subsequent load as a result of a runtime parameter change. However, if
the runtime change is reconciled, the next time a load is performed, a functional test is required
even if there were no other changes made to the database.

OW360_42 25
10.1 Required practices overview

10.1.9 Functional testing after loading to a running process

You may modify your standard test procedure when the process is running to reduce the chance
of the test causing a process disruption. You can use the Ovation Signal Viewer and the SIS
Force function to isolate sections of the logic. Refer to Ovation Control Builder User Guide for
more information on the Signal Viewer and the SIS Force function. The logic within a control
module can be tested in this way by observing parameter values without manipulating the I/O at
the screw terminals. However, at some point during the test, you must validate that I/O algorithms
are properly linked with the screw terminals and the secure parameter references are properly
linked with their referenced secure parameters. The suggested test procedures are described in
the following table:

Suggested Test Procedures after Loading to a Running Process

ITEM TEST PROCEDURE FOR "PROPERLY LINKED"

Digital input channel  If value of OUT (Digital Output with Status) of LSDI algorithm is 1,
perform an SIS Force on the destination of signal line from OUT.
 Disconnect the physical wire on the input channel. Confirm that
the value of OUT goes to 0.
 Restore.

Note 1: For energize-to-trip applications or when the "Inverted" I/O

option is used, it may be necessary to manipulate the input channel
to confirm the link.

Note 2: Repeat for all LSDI algorithms in all SIS modules in this
CHARMs Smart Logic Solver, whether the physical channel is on
this or another CHARMs Smart Logic Solver.

Note 3: For more information on the LSDI algorithm, refer to

Ovation Q-Line and Specialty Algorithms Reference Manual.

Analog input channel  Measure the current at the input screw terminals.
 Calculate the expected value on OUT of the LSAI algorithm using
HART analog input channel the value of LTYP (Linearization Type) and Output Scale
parameters TPSC (Output Scale: Top) and BTSC (Output Scale:
Bottom).
 Confirm that the expected value matches the value of OUT.

Note 1: Repeat for all LSAI algorithms in all SIS modules in this
CHARMS Smart Logic Solver, whether the physical channel is on
this or another CHARMS Smart Logic Solver.

Note 2: If the value of OUT is the same for multiple LSAI

algorithms, it is necessary to manipulate one or more input
channels to confirm.

Note 3: For more information on the LSAI algorithm, refer to

Ovation Q-Line and Specialty Algorithms Reference Manual.

26 OW360_42
 10.1 Required practices overview

ITEM TEST PROCEDURE FOR "PROPERLY LINKED"

Secure parameter reference  Perform an SIS Force function on the destination of the signal line
from the parameter.
 Using the Ovation Signal Viewer for the source SIS module,
perform an SIS Force on the referenced secure parameter.
 Change the value on the secure parameter and confirm that the
value changes in the destination module.
 Restore.
Digital output channel  Open the process bypass valve for the final element.
 Cause the value on CASND (Input) of the LSDO/LSDVC algorithm
HART two-state output channel to change state by manipulating the logic using SIS Force or other
means.
 Visually verify that the final element changes state (or measure
the voltage/current at the screw terminal).
 Restore.

Note: If there is no process bypass capability, you can temporarily

block the actuation of the final element. In either case, you must be
able to provide the protection function manually.

10.1.10 Fire and Gas Applications

Fire and gas applications must comply with local fire codes by following all standards required by
the authority having jurisdiction, such as EN54 in Europe and NFPA72 in the United States.
According to the NFPA72, the requirements for all SIS CHARMs Smart Logic Solvers are as
follows:
 Hardware and software version numbers should be recorded.
 Programming must be protected against unauthorized changes. Ovation system
administrators should ensure that only authorized individuals have security keys to configure
and download the SIS CHARMs Smart Logic Solver.

10.1.11 Burner Management System Applications

Burner Management Systems must comply with local codes by following all standards required by
the authority having jurisdiction, such as NFPA 85 in the United States and EN 50156-1 in
Europe.

OW360_42 27
10.1 Required practices overview

10.1.12 Using HART Two-state Output Channels and Digital Valve Controllers

WARNING! The use of HART two-state output CHARM channels is intended for certain final
elements. You should physically connect a channel of this type to only a Fisher Controls
DVC6000 digital valve controller with ESD tier (firmware revision 6 or later) or a digital valve
controller certified by Emerson Process Management as being equivalent.

A HART two-state output channel is manipulated by control module logic through the use of a
Digital Valve Controller (LSDVC) algorithm. The CHARMs Smart Logic Solver applies 20
milliamps on the channel when the algorithm's OUT (Output Value) parameter is 1. The value of
the OFCUR (Valve Controller Off Current) parameter in the LSDVC algorithm determines the
current applied when the value of OUT is 0. Options for OFCUR include "0 milliamps" and "4
milliamps." The following table summarizes the characteristics of the OFCUR options:

Characteristics of the Valve Controller Off Current Options

0 M ILLIAM PS 4 MILLIAMPS

 Power is removed entirely from the digital valve  The digital valve controller places the final element
controller when control module logic drives the in the tripped state when the control module logic
channel off. The digital valve controller places drives the channel off.
the final element in the tripped state.  HART communication with the digital valve
controller continues while the final element is in the
tripped state.

10.1.13 Using Non-secure Parameter References in SIS Modules

The non-secure parameter reference is a user-defined parameter type available in the SIS folder
of the Ovation Control Builder when an SIS sheet is opened. This parameter type is used to read
a parameter located in a different SIS module or Ovation control sheet.

Runtime communication involves the infrastructure between the Ovation Controller and the
CHARMs Smart Logic Solver, which is not safety rated. Reading a parameter in another control
module using a non-secure reference uses the SIS backplane or SIS LAN communication even if
the control module is in the same CHARMs Smart Logic Solver.

Emerson recommends that you use a secure parameter and secure parameter reference to
communicate between control modules because they use the safety-rated peer bus, and the
update rate is at the CHARMs Smart Logic Solver scan rate (the non-secure update rate is 1
second). However, secure parameter communication is made using the Boolean data type. For
data types other than Boolean, a non-secure parameter reference can be more convenient if the
use is not safety-critical.

For more details, see Non-safety-critical use (see page 29) and Safety-critical use (see page 29).

28 OW360_42
 10.1 Required practices overview

10.1.14 Non-safety-critical use

A non-secure parameter reference can be used without special consideration when the value
does not contribute to a safety-critical control action.

An example of a non-safety-critical use is as follows:

Read the commanded state for a motor or discrete valve from an Ovation control sheet. Then
apply a safety interlock and drive a CHARM output channel. This use is not considered
safety-critical because the safety interlock always overrides the value of the commanded
state.

10.1.15 Safety-critical use

If a non-secure parameter reference contributes to a safety-critical control action, special

consideration is required in the control module logic to validate the parameter value. The engineer
configuring the logic must not allow the safety function to be compromised based on the value of
a non-secure parameter reference.

If a non-secure parameter reference is used as part of a safety-critical control action, it is

important to validate the value read into the control module by some independent methods. An
example of independent confirmation is using other process inputs from channels of this or other
CHARMs Smart Logic Solvers as a means of validating the value of the non-secure parameter. If
the value of the non-secure parameter reference cannot be validated by an independent method,
the most conservative trip limit values should be applied.

A non-secure parameter reference has a value and a status. Normally, the status is that of the
referenced parameter. If there is a communication issue between the Ovation Controller and the
SIS CHARMs Smart Logic Solver, the status of the non-secure parameter reference is Bad, which
causes the SIS CHARMs Smart Logic Solver to interpret it as a loss of communication. If the
source parameter has Bad status or the CHARMs Smart Logic Solver is not able to read its value,
the non-secure parameter reference has Bad status. Therefore, the SIS module logic should take
appropriate action when the status is Bad if the use is safety-critical.

The Limit (LSLIM) algorithm can be used downstream from a non-secure parameter reference to
limit its value within a valid range. The algorithm has an optional parameter, LMOPT. It
determines the output value when the input is outside the valid range. The choices are as follows:
 Clamping the value at the limit.
 Using the last value prior to limit violation.
 Using a configurable default value.

OW360_42 29
10.1 Required practices overview

10.1.16 Cyber security for SIS for Electronic Marshalling

To maintain the cyber security for SIS with Electronic Marshalling, the following guidelines must
be followed:
 Keep all safety equipment in a locked cabinet.
 The Ovation Controller relies on the Ovation network infrastructure to protect it from outside
attacks. Therefore, Emerson recommends that you follow a comprehensive defense approach
to the Ovation network. This includes separating the complete process control network from
both the Internet and any other private network(s) that you manage. Emerson recommends
and utilizes network segmentation of critical devices and processes with strict access control
on communication when air gap is not desired.
 The purpose of the secure write server is to allow runtime changes to the parameter in the
SIS CHARMs Smart Logic Solver. The query/response interaction between the workstation
and the CSLS confirms both ends of the transaction along with the explicit operation.

30 OW360_42
Index

A M
Application Configuration Limits • 15 Maintenance procedure • 21
Avoiding the Systematic Failures • 13 Managing Changes in the Ovation SIS with
Electronic Marshalling Runtime System •
B 21
Burner Management System Applications • N
27
Non-safety-critical use • 29
C
O
Certification Coverage • 3
Considerations • 11 Other Considerations for High Demand
All Ovation SIS with Electronic Mode • 20
Marshalling Systems • 11 Ovation SIS with Electronic Marshalling
Copyright Notice • 2 Safety Manual • 1
Cyber security for SIS for Electronic Ovation SIS with Electronic Marshalling
Marshalling • 30 Safety Manual Overview • 1
D P
De-energized-to-trip Applications • 4 Product Life • 15
Proof Testing • 12
E
R
Energized-to-trip Applications • 19
Energized-to-trip Applications (with Auxiliary Recommendations • 17
Relay) • 20 Recommendations for Management of
Energized-to-trip Applications (with Inverted Functional Competency • 17
Logic) • 19 Recording CRC values • 22
Environmental Conditions • 15 Required Practices • 21
Required practices overview • 21
F Response Time Data • 4
Fire and Gas Applications • 27 Response Time in High Demand Mode • 20
Functional testing after loading to a running Restrictions
process • 26 SIS CHARMs Smart Logic Solver
Functional testing after the initial load • 22 Specification • 9

G S
General Information • 3 Safety-critical use • 29
SIL Applicability • 3
H SIL Verification • 7
SIL Verification Tool - exida exSILentia Tool
High Demand Mode • 20
(SILVer) • 7
I Specification Restrictions • 9
Subsequent loads • 23
Installation and Site Acceptance Testing • 21
T
L
To Avoid the Systematic Failures • 13
Limits • 15
Loading the SIS CHARMs Smart Logic
Solver • 22
Loading to a running process • 24

OW360_42 31
Index

U
Using HART Two-state Output Channels
and Digital Valve Controllers • 28
Using Non-secure Parameter References in
SIS Modules • 28

32 OW360_42