HG/T 20511-2000 Design regulations for signal alarm and safety interlocking systems
Some standard content:
Industry Standard of the People's Republic of China
Design Code for Signal Alarm and Safety Interlock SystemHG/T20511-2000
Editor: Donghua Engineering Company
Approval Department: State Bureau of Petroleum and Chemical IndustryImplementation Date: June 1, 2001National Chemical Engineering Construction Standard Editing Center (formerly the Engineering Construction Standard Editing Center of the Ministry of Chemical Industry) 2001 Beijing
1.0.1 This regulation applies to the design of process parameter signal alarm and safety interlock system of chemical plant. 1.0.2 The design of signal alarm and safety interlock system must meet the requirements of chemical process: simple circuits should be used as much as possible to minimize the intermediate links.
1.0.3 The selection and installation of signal alarm and safety interlock system should adopt appropriate types and protective measures according to environmental conditions: appropriate explosion-proof level must be adopted according to the requirements of hazardous area division of the device. 1.0.4
The relevant standards are as follows
HG/T20509
HG/T20510
HG/T20512
《Instrument Power Supply Design Regulations》
《Instrument Gas Supply Design Regulations》
《Instrument Piping and Wiring Design Regulations》
When implementing these regulations, the requirements of the relevant national standards in force shall also be met. 215
2 Signal Alarm System
2.1 Basic Principles
The signal alarm system shall indicate the process parameter exceeding the limit and/or the abnormal status of the equipment in the form of sound and light. 2.1.2 The general signal alarm system shall consist of a signaling device, a logic unit, a light display unit, an audio unit, a button and a power supply device.
2.1.3 The general signal alarm system shall adopt an integrated flash alarm. 2.1.4 When the process control system adopts a distributed control system (DCS) or a programmable logic controller (PLC), the general signal alarm system should be implemented using DCS/PLC. When the process parameter approaches the interlocking set point, a pre-alarm should be set; when the process parameter reaches the interlocking set point, an alarm should also be issued while the interlocking action is generated. 2.2 Logic unit
The logic unit of the signal alarm system with a small scale and simple logical relationship should be composed of relays. 2.2.1
The logic unit of the signal alarm system with a large scale and complex logical relationship should be composed of a plug-in module based on a microprocessor.
2.3 Lighting display unit
When there are both first-out alarm points and general alarm points in the signal alarm system, its lighting display units should be arranged separately.
2.3.2In chemical plants, red lights should indicate over-limit alarms or critical conditions; yellow lights should indicate pre-alarms or non-first-out alarms; green lights should indicate that the operating equipment or process parameters are in normal operating conditions. 2.3.3
Flashing, flat light or extinguishing should be used to indicate different states of the alarm sequence. The alarm point name and/or alarm point number should be marked on the light display unit. 2.4 Audio unit
2.4.1 Audio alarms with different sounds or tones can be used to distinguish different alarm systems or areas, alarm functions and alarm levels.
2.4.2The volume of the audio alarm should be higher than the background noise and should be clearly audible in the vicinity. 2.4.3For important occasions, voice alarms can be used to prompt operators to respond immediately and to prompt the corresponding operating methods.
2.5 Buttons
2.5.1 Buttons should be selected according to the alarm sequence, such as test button, mute button, confirmation button, reset button and first-out reset button.
2.5.2 In chemical plants, confirmation buttons should be black, test buttons should be white, and other buttons can be in appropriate colors according to specific circumstances.
2.6 Auxiliary output
2.6.1 The auxiliary output of the light alarm can represent the information of an individual or a group of alarm points, which can be used for remote alarm, recording or control.
When the auxiliary output contact is connected to the sequential event recorder, the delay time from the alarm contact input to the auxiliary contact output must not change the recording order of the event. 2.6.3
When the auxiliary output contact is used for control or interlocking, the follow-up light signal output method should be selected. 2.7 Signal alarm implemented by DCS/PLC
2.7.1 The alarm information displayed by CRT should include the alarm level, current value of alarm parameters, alarm setting value, text description and other information, and should be arranged in this order. For important alarm points, an operation guidance screen can also be set to help operators deal with problems in a timely and correct manner.
In addition to using conventional methods (see Section 2.4), different alarm functions or alarm levels can be distinguished by changing the sound oscillation frequency2.7.2
or oscillation amplitude within the DCS/PLC. Function buttons such as mute and confirm can use "soft switches" displayed on the screen, or special buttons2.7.3
on the operation keyboard.
2.7.4 For important alarm points, in addition to using CRT display, an independent light display unit should be set. The light display unit can be installed on the auxiliary operation table. Signaling device
General signal alarms can use a separate alarm switch, an instrument with output contacts, or the internal contacts of the DCS/PLC system as a signaling device. 2.8.2
Operation monitoring points that have a significant impact on the production process should use switch sensors as signaling devices. 2.9
Alarm sequence
The alarm sequence should be selected based on process characteristics, operation requirements, and alarm signal types. See Table 2.9.2 for general flash alarm sequences.
See Table 2.9.3 for flash alarm sequences that distinguish first-out signals. See Table 2.9.4 for flash alarm sequences that distinguish instantaneous signals. Table 2.9.2
Process status
Alarm signal input
Press confirmation button
Alarm signal disappears
Test button action
Process status
First signal input
Press confirmation button
Alarm signal disappears
Test button action
Light display
First light display
General flash alarm sequence
Distinguished flash alarm sequence for first signal
Other light displays
Normal operation
Test, inspection||tt ||Other signal input
Normal operation
Test, inspection
Process status
Alarm signal input
(silence)
Instantaneous signal
Continuous signal
Alarm signal disappears
Test button action
Flash alarm sequence to distinguish instantaneous signals
Light display
No alarm signal input
Test, inspection
Safety interlock system
Basic principles
3.1.1 The safety interlock system includes sensors, logic units and final actuators. When the process reaches the predetermined conditions, the safety interlock system will be activated to bring the process into a safe state. 3.1.2 The main functions of the safety interlock system should be determined based on the hazard analysis of the process, the protection requirements and safety requirements of the process and equipment, etc.
3.1.3 Safety interlock systems can be divided into 1, 2, and 3 levels according to their safety performance requirements. The higher the safety level, the stronger the safety function of the safety interlock system. 3.1.4 The safety interlock system should be designed so that once the process is brought into a safe state, the state will be maintained until the reset signal is generated.
The reset signal of the safety interlock system should be given manually. 3.1.6 In general, manual facilities independent of the logic unit should be provided to directly operate the final actuator to bring the process into or maintain a safe state. 3.1.7 In general, the safety interlock system should be designed so that the process should not automatically restart after the energy is interrupted and restored.
3.1.8 When the safety interlock functions of multiple units or devices are completed in a set of safety interlock systems, their common parts must meet the highest safety level requirements. When the actions of non-safety interlock functions are also completed by the safety interlock system, they shall not interfere with or endanger the safety functions of the system.
3.1.10 The connection between the safety interlock system and the process control system generally includes four aspects: sensors, logic units, final actuators and communication between the two. When the process control system fails, the safety function of the safety interlock system should not be affected.
3.2 Sensors
The independence criteria of sensors are as follows:
For level 1 safety interlock system, its sensors can be shared with process control systems:
2For level 2 safety interlock system, its sensors should be separated from process control systems:3For level 3 safety interlock system, its sensors should be separated from process control systems, and different sensors should be used4
When redundant sensors are used, they can be used for both safety interlock system and process control system. The redundancy criteria for sensors are as follows:
For level 1 safety interlock systems, a single sensor can be used; for level 2 safety interlock systems, redundant sensors should be used: 2
For level 3 safety interlock systems, redundant sensors should be used; sensors should be of different forms 3
4For redundant sensors, when the safety of the system is the focus, a two-out-of-one logic structure should be used; when the applicability of the system is the focus, a two-out-of-two logic structure should be used; when both the safety and applicability of the system need to be guaranteed, a three-out-of-two logic structure should generally be used. 3.3 Final actuators
3.3.1 The final actuator can be a shut-off valve dedicated to the safety interlock system, a control valve shared with the process control system, or a motor starter. Pneumatic control valves or shut-off valves should be equipped with solenoid valves that receive interlock control signals. 3.3.2 The independence criteria of valves are as follows:
1 For the level 1 safety interlock system, its valves can be shared with the process control system; it must be ensured that the action of the safety interlock system takes precedence over the action of the process control system: For the level 2 safety interlock system, its valves should be separated from the process control system; 2
For the level 3 safety interlock system, its valves should be separated from the process control system; when redundant valves are used, they can be used for both the safety interlock system and the process control system. The redundancy criteria of valves are as follows:
For the level 1 safety interlock system, a single valve can be used: For the level 2 safety interlock system, redundant valves should be used. If a single valve is used, the matching electromagnetic valves should be redundantly configured:
For the level 3 safety interlock system, redundant valves should be used, and the matching electromagnetic valves should be redundantly configured: 3
For redundant valves, one of them can be given priority to use a control valve. Other matching criteria for solenoid valves are as follows:
Single electric control type solenoid valves should be selected;
The solenoid valve on the control valve should be installed between the valve positioner and the actuator; The vent of the solenoid valve should have appropriate anti-blocking measures. 221
3.3.5 Matching criteria for motor starters are as follows: Motor starters can be used in process control systems and safety interlock systems; 1
2 Motor starters do not need to use redundant configurations. If necessary, redundant contacts can be used to connect to the electrical control circuit.
3.4 Logic unit
3.4.1 The logic unit of the safety interlock system can be composed of a relay system, a programmable electronic system, or a mixture of them as needed.
3.4.2 The technical selection of the logic unit is as follows: 1 Relay system
The relay system can be used in occasions with a small number of input and output points and simple logic functions. 2 Programmable electronic system
(1) A programmable electronic system can be a programmable logic controller (PLC), a distributed control system (DCS) or other microprocessor-based special-purpose system. Personal computers shall not be used for safety interlock systems. (2) Programmable electronic systems may be used in the following situations: - there are a large number of input/output signals, or many analog signals; - the logic requirements are complex, or the logic contains operations; - a large amount of data communication with the process control system is required; different operating conditions require different interlock set points. 3.4.3 The independence criteria of the logic unit are as follows: 1 For a level 1 safety interlock system, its logic unit should be separated from the process control system and can be in the same or different form:
2 For a level 2 safety interlock system, its logic unit should be separated from the process control system and can be in a different form. The process control system and the safety interlock system should be carefully adopted in the same form; 3 For the level 3 safety interlock system, its logic unit should be separated from the process control system and should adopt different forms: 4 If a special control system (such as a turbine control system) contains safety interlock functions and process control functions, the control system should meet the safety level requirements. 3.4.4 The redundancy criteria for logic units are as follows: 1 For the level 1 safety interlock system, a single logic unit can be used; 2 For the level 2 safety interlock system, redundant logic units should be used. If a programmable electronic system is used, its central processing unit and power module should be redundant; 222
3 For the level 3 safety interlock system, redundant logic units should be used. If a programmable electronic system is used, its central processing unit, power module, input/output module, communication network and interface should be redundant. 3.4.5 The safety interlock system should have fault diagnosis measures that meet the safety level requirements. Fault diagnosis should include all units of the system, such as sensor logic units and final execution units. 3.4.6 The software of the safety interlock system shall meet the requirements of the safety level. 3.5 Communication and interface
The communication between the safety interlock system and the process control system shall not affect the ability of the safety interlock system to bring the process into a safe state. The following communication methods can be used: 1
Hard-wired communication;
Network communication. Www.bzxZ.net
3.5.2 The design of the operator interface shall ensure that when it fails, the operator still has appropriate backup measures to bring the process into a safe state, and the automatic function of the safety interlock system will not be affected. The design of the operator interface should generally follow the following principles:
The status information related to the safety level in the safety interlock system should be an integral part of the operator interface; 1
The application software of the safety interlock system should not be modified through the operator interface; 2
The safety interlock system can share CRT and other display devices with the process control system 3
4When connected to the process control system, its related equipment (such as printers) can be used to complete functions such as sequential event recording (SOE), alarm logging and reporting; 5The printer connected to the safety interlock system should not affect the safety function of the safety interlock system in abnormal conditions such as failure, shutdown, lack of paper, etc.
The design of the maintenance/engineer interface should ensure that the safety interlock system will not be affected in bringing the process 3.5.3
to a safe state when it fails. The maintenance/engineer interface shall have the following functions: 1. Safety protection for access to the operating mode, program, data, test, bypass and maintenance of the safety interlock system; 2. Access to the diagnostic, voting and error handling functions of the safety interlock system; 3. Access to application software: 4. Access to the fault diagnosis data used for the safety interlock system. 223. Explanation of the terms used in this regulation. 5. The terms used in this regulation to require different degrees of strict implementation are as follows: 1. The positive terms used to indicate that it is very strict and must be done are "must" and the negative terms are "strictly prohibited". 2. The positive terms used to indicate that it is strict and should be done under normal circumstances are "should" and the negative terms are "should not" or "must not". 3. The positive terms used to indicate that it is allowed to have a slight choice and should be done first when conditions permit are "should" and the negative terms are "should not". Indicates that there is a choice, and it can be done under certain conditions. Use "can" 224
Design regulations for signal alarm and safety interlock system HG/T20511-2000
Article explanation
1.0.2 Most chemical processes require signal alarm and safety interlock systems to adopt the principle of fail safe. The so-called fail safe refers to the ability of a system or equipment to switch to a predefined safe state when a specific fault occurs. In principle, the failure rate of a system is the sum of the failure rates of the various links that make up the system (such as sensors, logic units and final actuators). The fewer the links that make up the system, the lower the failure rate of the system, that is, the higher the reliability of the system. Therefore, in the signal alarm and safety interlock system, intermediate links such as signal isolators, converters, safety barriers and intermediate relays should be used with caution.
Instruments and equipment in chemical production plants often have requirements such as corrosion resistance, dust resistance, waterproofing, shock resistance, electromagnetic interference resistance and explosion resistance.
2 Signal alarm system
2.1.3 An integrated flash alarm can be a single-circuit or multi-circuit flash alarm in which the light display unit and the logic unit are installed in one housing, and the logic unit is usually composed of CMOS circuits; it can also be an integrated signal alarm system based on a microprocessor. 2.1.4 Even if the process control system adopts DCS/PLC, an independent signal alarm system is generally required in the following cases:
(1) The status of key process parameters needs to be monitored frequently, or some parameters that can cause alarms are
Tip: This standard content only shows part of the intercepted content of the complete standard. If you need the complete standard, please go to the top to download the complete standard document for free.