DCS-Based Emergency Shutdown System

Introduction

An Emergency Shutdown (ESD) system is often required to protect personnel and equipment from unsafe conditions. Typical trip conditions are critical pressures, temperatures, levels, and equipment status. Each potentially unsafe condition is monitored, and a trip is initiated when the condition reaches the trigger point. The process-related trip conditions also have pre-alarms to warn the operator that the process is approaching the trigger point. A Cause & Effect diagram provided by the designer of the process specifies the conditions to be monitored, the trip settings, and the pre-alarm settings.

When a trip occurs, the act of shutting down the process will almost certainly cause other trip conditions to occur, thus obscuring the original cause of the trip. Therefore, the ESD logic should capture the first trip condition to occur and flag it as the “first-out”.

Triple-redundant processors, provided by vendors like Triconex, are often needed based on the security level required for the process. However, not all processes require such a high level. In those instances where dual-redundant processors are sufficient, the ESD logic can be based in DCS processors, like the Foxboro I/A system.

This document describes the ESD logic and how to implement it in a Foxboro I/A system.

Voting

Trip conditions can be monitored by one, two, or even three separate transmitters. Voting logic is used to determine whether a trip has occurred. The most common forms of voting logic are:

  • 1-out-of-1 (1oo1)
  • 2-out-of-2 (2oo2)
  • 2-out-of-3 (2oo3)

Each voting type is discussed below in more detail.

1oo1 Voting

1oo1 voting requires only one transmitter or contact input. If the transmitter indicates that the trip setting has been violated, then the trip action is taken. A bad input causes the condition to be alarmed as unprotected and the trip action is not taken. This form of voting should be avoided because a single spurious input can cause a costly trip to occur.

2oo2 Voting

2oo2 voting requires two different transmitters to monitor a trip. Both transmitters must violate the trip setting before the trip action is taken. The two transmitters are usually monitored for significant deviation and alarmed.

When one transmitter input is bad, the voting defaults to 1oo1 using the good transmitter. When both inputs are bad, the condition is alarmed as unprotected and the trip action is not taken.

2oo3 Voting

2oo3 voting requires three different transmitters to monitor a trip. At least two transmitters must violate the trip setting before the trip action is taken. The transmitters are usually monitored for significant deviation and alarmed.

When one transmitter input is bad, the voting defaults to 2oo2 using the two good transmitters. When two transmitter inputs are bad, the voting defaults to 1oo1 using the one good transmitter. When all three inputs are bad, the condition is alarmed as unprotected and the trip action is not taken.

Trip Delay

Each trip condition can include a delay timer to prevent spurious signals and transient conditions from causing a trip. The Cause & Effect diagrams usually specify the delay times. A delay can also be imposed on equipment startup to prevent a trip before the system has time to establish a safe condition.

Trip Bypass

A trip condition can be bypassed to prevent unreliable inputs from causing a trip, or to allow for instrument maintenance and startup. The Cause & Effect diagrams usually specify which trip conditions require a bypass. The bypass is a DCS-resident switch that can be accessed from the DCS displays.

Enabling a bypass often requires the approval of process supervision. In some instances, supervision must turn a bypass key switch to the enable position before the bypass can be activated.

Trip Reset

The ESD logic must include a DCS reset button. The reset button clears the first-out and permits the equipment to be restarted. However, if a trip is still active, then the ESD cannot be reset until the trip clears or the operator bypasses the trip.

2oo3 VOTING WITH HIGH AND LOW TRIPS

2oo3 Voting Logic Blocks

Figure 1 shows the block schematic for 2oo3 voting. In this case, a level input has three separate transmitters and both a high and low trip setpoint. The voting logic contains the following blocks (should be executed in this order):

  1. AIN block containing locked-in trip low setpoint (LSP0001L).
  2. AIN block containing locked-in trip high setpoint (LSP0001H).
  3. REALM block for each transmitter input (LA0001A-C).
  4. COUT block for condition bypass switch (HHS0001).
  5. CIN block for alarming bypass status (HHA0001).
  6. CALCA block containing voting logic (LX0001ESD).
  7. CIN block for alarming low trip condition (HA0001L).
  8. CIN block for alarming high trip condition (HA0001H).
Figure 1 Block Schematic for 2oo3 Voting Logic with High and Low Trips

Low Trip Setpoint Block LSP0001L

The low trip setpoint is locked into place via an AIN block with the following connections:

MEAS = :LSP0001L.MEAS.15.0 (where 15.0 is the low trip setpoint)
MA = :LSP0001L.MA.1 (lock in auto)

The block parameters must be set as follows:

IOMOPT = 2
HSCO1 = Same as the level inputs (typically 100.0)
LSCO1 = Same as the level inputs (typically 0.0)

High Trip Setpoint Block LSP0001H

The high trip setpoint is locked into place via an AIN block with the following connections:

MEAS = :LSP0001H.MEAS.95.0 (where 95.0 is the high trip setpoint)
MA = :LSP0001H.MA.1 (lock in auto)

The block parameters must be set as follows:

IOMOPT = 2
HSCO1 = Same as the level inputs (typically 100.0)
LSCO1 = Same as the level inputs (typically 0.0)

Trip Setpoint REALM Block LA0001A

The trip setpoint alarm block is a REALM block with the following connections:

MEAS = transmitter 1 input
HHALIM = :LSP0001H.PNT (high trip setpoint)
LLALIM = :LSP0001L.PNT (low trip setpoint)
MA = :LA0001A.MA.1 (lock in auto)

The block parameters must be set as follows:

HSCI1 = Same as the level inputs (typically 100.0)
LSCI1 = Same as the level inputs (typically 0.0)
HHAOPT = 1 (both HH and LL alarming)

The block generates a high-high alarm (HHAIND = 1) when the MEAS is above HHALIM and a low-low alarm (LLAIND = 1) when the MEAS is below LLALIM.

Trip Setpoint REALM Block LA0001B

The trip setpoint alarm block is a REALM block with the following connections:

MEAS = transmitter 2 input
HHALIM = :LSP0001H.PNT (high trip setpoint)
LLALIM = :LSP0001L.PNT (low trip setpoint)
MA = :LA0001B.MA.1 (lock in auto)

The block parameters must be set as follows:

HSCI1 = Same as the level inputs (typically 100.0)
LSCI1 = Same as the level inputs (typically 0.0)
HHAOPT = 1 (both HH and LL alarming)

The block generates a high-high alarm (HHAIND = 1) when the MEAS is above HHALIM and a low-low alarm (LLAIND = 1) when the MEAS is below LLALIM.

Trip Setpoint REALM Block LA0001C

The trip setpoint alarm block is a REALM block with the following connections:

MEAS = transmitter 3 input
HHALIM = :LSP0001H.PNT (high trip setpoint)
LLALIM = :LSP0001L.PNT (low trip setpoint)
MA = :LA0001C.MA.1 (lock in auto)

The block parameters must be set as follows:

HSCI1 = Same as the level inputs (typically 100.0)
LSCI1 = Same as the level inputs (typically 0.0)
HHAOPT = 1 (both HH and LL alarming)

The block generates a high-high alarm (HHAIND = 1) when the MEAS is above HHALIM and a low-low alarm (LLAIND = 1) when the MEAS is below LLALIM.

Condition Bypass Block HHS0001

The entire condition (often called function) can be bypassed via a COUT block with the following connections:

IN = :HHS0001.COUT (sets input to output for display purposes only)
MA = :HHS0001.MA.0 (lock in manual so operator can toggle COUT)

The block parameters must be set as follows:

IOMOPT = 0

Bypass Status Alarm Block HHA0001

The bypass status can be alarmed via a CIN block with the following connections:

IN = :HHS0001.COUT
MA = :HHA0001.MA.1 (lock in auto)

The block parameters must be set as follows:

IOMOPT = 0
INVALM = 0 (transitions from 0 to 1 are into alarm)
SAO = 1 (enable state alarm)
SAP = appropriate alarm priority
SAG = appropriate alarm group

Note: A single CIN block can be used for both the bypass COUT block and the bypass alarm block. The CIN block must be locked into auto and the IN parameter toggled to change the bypass status. Alternatively, the block could be locked into manual and the operator toggles the CIN parameter which is connected to the IN parameter.

Voting Logic Block LX0001ESD

LX0001ESD is a CALCA block that performs the voting logic for a condition. The following connections are required:

BI01 = :LA0001A.LLAIND (transmitter 1 low trip)
BI02 = transmitter 1 bad input signal
BI03 = :LA0001B.LLAIND (transmitter 2 low trip)
BI04 = transmitter 2 bad input signal
BI05 = :LA0001C.LLAIND (transmitter 3 low trip)
BI06 = transmitter 3 bad input signal
BI08 = :LA0001A.HHAIND (transmitter 1 high trip)
BI09 = :LA0001B.HHAIND (transmitter 2 high trip)
BI10 = :LA0001C.HHAIND (transmitter 3 high trip)
BI14 = :HHS0001.COUT (bypass status)
BI15 = bypass key switch position
BI16 = equipment run indication
MA = :LX0001ESD.MA.1 (lock to auto)

The block parameters must be set as follows:

TIMINI = 3
M11 = Constant 1.0
M12 = Delay time (sec) after equipment has started up
M13 = Delay time (sec) for low trip (filters out transient inputs)
M14 = Delay time (sec) for high trip (filters out transient inputs)

The block generates the following outputs:

BO01 = low trip signal (connect to trip logic described below)
BO02 = high trip signal (connect to trip logic described below)
BO03 = low trip voting result
BO04 = high trip voting result
BO06 = run delay bypass status
BO07 = condition bypass status
BO08 = all inputs bad (connect to unprotected alarm)
IO01 = number of inputs needed to trip
IO02 = number of low inputs that have tripped
IO03 = number of high inputs that have tripped

Voting Logic Block Steps

STEP01 = AND BI14 BI15 ;BYPASS & KEY
STEP02 = OUT BO07 ;FUNCTION BYPASS
STEP03 = IN BI16 ;RUN IND
STEP04 = DON M12 ;RUN DELAY TIME
STEP05 = OUT ~BO06 ;RUN DELAY BYPASS
STEP06 = CST
STEP07 = IN ~BI02 ;XMTR 1 NOT BAD
STEP08 = IN ~BI04 ;XMTR 2 NOT BAD
STEP09 = IN ~BI06 ;XMTR 3 NOT BAD
STEP10 = ADD 3
STEP11 = IN 2
STEP12 = MIN 2
STEP13 = OUT IO01 ;NO. INPUTS TO TRIP
STEP14 = SUB M11 ;CONSTANT 1
STEP15 = SSN BO08 ;ALL INPUTS BAD
STEP16 = CLR BO08
STEP17 = CST
STEP18 = AND BI01 ~BI02 ;INPUT 1 TRIP & NOT BAD
STEP19 = AND BI03 ~BI04 ;INPUT 2 TRIP & NOT BAD
STEP20 = AND BI05 ~BI06 ;INPUT 3 TRIP & NOT BAD
STEP21 = ADD 3
STEP22 = OUT IO02 ;NO. INPUTS TRIPPED
STEP23 = IN IO01 ;NO. NEEDED TO TRIP
STEP24 = SUB
STEP25 = SSP BO03
STEP26 = CLR BO03
STEP27 = AND BO03 ~BO08 ;& NOT ALL BAD
STEP28 = OUT BO03 ;VOTING RESULT
STEP29 = AND ~BO06 ~BO07 ;NO RUN DELAY & NO BYP
STEP30 = AND 2
STEP31 = DON M13 ;TRIP DELAY TIME
STEP32 = OUT BO01 ;FUNCTION TRIP (LL)
STEP33 = CST
STEP34 = AND BI08 ~BI02 ;INPUT 1 TRIP & NOT BAD
STEP35 = AND BI09 ~BI04 ;INPUT 2 TRIP & NOT BAD
STEP36 = AND BI10 ~BI06 ;INPUT 3 TRIP & NOT BAD
STEP37 = ADD 3
STEP38 = OUT IO03 ;NO. INPUTS TRIPPED
STEP39 = IN IO01 ;NO. NEEDED TO TRIP
STEP40 = SUB
STEP41 = SSP BO04
STEP42 = CLR BO04
STEP43 = AND BO04 ~BO08 ;& NOT ALL BAD
STEP44 = OUT BO04 ;VOTING RESULT
STEP45 = AND ~BO06 ~BO07 ;NO RUN DELAY & NO BYP
STEP46 = AND 2
STEP47 = DON M14 ;TRIP DELAY TIME
STEP48 = OUT BO02 ;FUNCTION TRIP (HH)
STEP49 = END

Voting Logic Block Logic Details

Steps 1-2:  Set BO07 on when both bypass (BI14) and key switch (BI15) are on.

Steps 3-5:  Set BO06 on when the run status (BI16) is off or during the delay-on time (M12) after the run status turns on.

Steps 7-13:  Determine the number of inputs that are not bad and store the result to IO01.  This value is the number of inputs needed to trip.

Steps 14-16:  Set BO08 on if all inputs are bad.

Steps 18-22:  Add the number of inputs that show trip and are not bad and store the result to IO02.

Steps 23-26:  If the number of inputs that show trip (IO02) is >= the number needed to trip (IO01), then set BO03 (voting result).

Steps 27-28:  If all inputs are bad (BO08=1), the voting result BO03 must be set to off.

Steps 29-32:  If the run delay is not active (BO06=0) and the bypass is not active (BO07=0) and the voting result is on (BO03=1), then delay setting the trip indication (BO01) on by M13 seconds.

Steps 34-48:  Perform steps 18-32 for the high trip inputs BI08 – BI10.  The voting result is BO04 and the condition trip is BO02.
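
The behaviour described in the logic details above, modelled scan by scan in Python as an added example; it is not part of the original document and is not CALCA code. The class and function names and the 0.5-second scan period are assumptions, and the comments map each line back to the block steps.

```python
"""Scan-by-scan model of the voting block, following the page's logic details.
Added illustration in Python; it is not CALCA code and not the vendor's API."""
from dataclasses import dataclass

SCAN_SEC = 0.5  # assumed block execution period


class DelayOn:
    """Delay-on timer: the output turns on only after the input has stayed on
    for `delay` seconds; any scan with the input off restarts the timer."""

    def __init__(self, delay):
        self.delay, self.elapsed = delay, 0.0

    def scan(self, inp):
        if not inp:
            self.elapsed = 0.0
            return False
        out = self.elapsed >= self.delay
        self.elapsed += SCAN_SEC
        return out


@dataclass
class Vote:
    needed: int        # IO01: inputs needed to trip
    tripped: int       # IO02: good inputs that show a trip
    vote: bool         # BO03: voting result
    trip: bool         # BO01: condition trip after the trip delay
    run_delay: bool    # BO06: run delay bypass status
    bypassed: bool     # BO07: condition bypass status
    unprotected: bool  # BO08: all inputs bad


class VotingBlock:
    def __init__(self, run_delay_sec=0.0, trip_delay_sec=0.0):
        self.run_timer = DelayOn(run_delay_sec)    # M12
        self.trip_timer = DelayOn(trip_delay_sec)  # M13

    def scan(self, trips, bad, bypass=False, key=True, running=True):
        bypassed = bypass and key                               # steps 1-2
        run_delay = not self.run_timer.scan(running)            # steps 3-5
        needed = min(sum(not b for b in bad), 2)                # steps 7-13
        unprotected = needed == 0                               # steps 14-16
        tripped = sum(t and not b for t, b in zip(trips, bad))  # steps 18-22
        vote = tripped >= needed and not unprotected            # steps 23-28
        trip = self.trip_timer.scan(vote and not run_delay and not bypassed)
        return Vote(needed, tripped, vote, trip, run_delay, bypassed, unprotected)


def mode_table():
    """(needed, vote, unprotected) for 0..3 bad transmitters, all showing trip."""
    rows = {}
    for n_bad in range(4):
        bad = [i < n_bad for i in range(3)]
        r = VotingBlock().scan(trips=[True, True, True], bad=bad)
        rows[n_bad] = (r.needed, r.vote, r.unprotected)
    return rows


def transient_then_sustained(trip_delay_sec=1.0):
    """Two transmitters trip for one scan, clear, then trip and stay tripped."""
    blk = VotingBlock(trip_delay_sec=trip_delay_sec)
    pattern = [True, False, True, True, True, True]  # constructed input
    return [blk.scan([p, p, False], [False] * 3).trip for p in pattern]


def bypass_cases():
    """The bypass only takes effect when the key switch is also on."""
    two_high = dict(trips=[True, True, False], bad=[False] * 3)
    no_key = VotingBlock().scan(bypass=True, key=False, **two_high)
    keyed = VotingBlock().scan(bypass=True, key=True, **two_high)
    return (no_key.trip, keyed.trip, keyed.vote)


if __name__ == "__main__":
    for n_bad, row in mode_table().items():
        print(f"{n_bad} bad -> needed={row[0]} vote={row[1]} unprotected={row[2]}")
    print("trip output per scan:", transient_then_sustained())
    print("bypass (no key, keyed, keyed vote):", bypass_cases())
```

With all three inputs bad the model reports the condition as unprotected and does not trip, and a keyed bypass suppresses the trip output while the voting result stays visible.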

Low Trip Alarm Block HA0001L

The low trip should be alarmed via a CIN block with the following connections:

IN = :LX0001ESD.BO01
MA = :HA0001L.MA.1 (lock in auto)

The block parameters must be set as follows:

IOMOPT = 0
INVALM = 0 (transitions from 0 to 1 are into alarm)
SAO = 1 (enable state alarm)
SAP = appropriate alarm priority
SAG = appropriate alarm group

High Trip Alarm Block HA0001H

The high trip should be alarmed via a CIN block with the following connections:

IN = :LX0001ESD.BO02
MA = :HA0001H.MA.1 (lock in auto)

The block parameters must be set as follows:

IOMOPT = 0
INVALM = 0 (transitions from 0 to 1 are into alarm)
SAO = 1 (enable state alarm)
SAP = appropriate alarm priority
SAG = appropriate alarm group

2oo3 VOTING WITH SINGLE TRIP

2oo3 Voting Logic Blocks

The previous example of 2oo3 voting involved a condition that had both a high and low trip setpoint. Figure 2 shows the block schematic for 2oo3 voting condition with a single trip, in this case a high trip only. The voting logic contains the following blocks (should be executed in this order):

  1. AIN block containing locked-in trip setpoint (LSP0001).
  2. REALM block for each transmitter input (LA0001A-C).
  3. COUT block for condition bypass switch (HHS0001).
  4. CIN block for alarming bypass status (HHA0001).
  5. CALCA block containing voting logic (LX0001ESD).
  6. CIN block for alarming trip condition (HA0001).

The blocks that are different from those shown in Figure 1 are described below.

Figure 2 Block Schematic for 2oo3 Voting Logic with Single Trip

Trip Setpoint Block LSP0001

The trip setpoint is locked into place via an AIN block with the following connections:

MEAS = :LSP0001.MEAS.95.0 (where 95.0 is the trip setpoint)
MA = :LSP0001.MA.1 (lock in auto)

The block parameters must be set as follows:

IOMOPT = 2
HSCO1 = Same as the level inputs (typically 100.0)
LSCO1 = Same as the level inputs (typically 0.0)

Trip Setpoint REALM Block LA0001A

The trip setpoint alarm block is a REALM block with the following connections:

MEAS = transmitter 1 input
HHALIM = :LSP0001.PNT (trip setpoint)
MA = :LA0001A.MA.1 (lock in auto)

The block parameters must be set as follows:

HSCI1 = Same as the level inputs (typically 100.0)
LSCI1 = Same as the level inputs (typically 0.0)
HHAOPT = 2 (HH alarming only – set to 3 for LL alarming only)

The block generates a high-high alarm (HHAIND = 1) when the MEAS is above HHALIM.

Trip Setpoint REALM Block LA0001B

The trip setpoint alarm block is a REALM block with the following connections:

MEAS = transmitter 2 input
HHALIM = :LSP0001.PNT (trip setpoint)
MA = :LA0001B.MA.1 (lock in auto)

The block parameters must be set as follows:

HSCI1 = Same as the level inputs (typically 100.0)
LSCI1 = Same as the level inputs (typically 0.0)
HHAOPT = 2 (HH alarming only – set to 3 for LL alarming only)

The block generates a high-high alarm (HHAIND = 1) when the MEAS is above HHALIM.

Trip Setpoint REALM Block LA0001C

The trip setpoint alarm block is a REALM block with the following connections:

MEAS = transmitter 3 input
HHALIM = :LSP0001.PNT (trip setpoint)
MA = :LA0001C.MA.1 (lock in auto)

The block parameters must be set as follows:

HSCI1 = Same as the level inputs (typically 100.0)
LSCI1 = Same as the level inputs (typically 0.0)
HHAOPT = 2 (HH alarming only – set to 3 for LL alarming only)

The block generates a high-high alarm (HHAIND = 1) when the MEAS is above HHALIM.

Voting Logic Block LX0001ESD

LX0001ESD is a CALCA block that performs the voting logic for a condition. The following connections are required:

BI01 = :LA0001A.HHAIND (transmitter 1 high trip)
BI02 = transmitter 1 bad input signal
BI03 = :LA0001B.HHAIND (transmitter 2 high trip)
BI04 = transmitter 2 bad input signal
BI05 = :LA0001C.HHAIND (transmitter 3 high trip)
BI06 = transmitter 3 bad input signal
BI14 = :HHS0001.COUT (bypass status)
BI15 = bypass key switch position
BI16 = equipment run indication
MA = :LX0001ESD.MA.1 (lock to auto)

The block parameters must be set as follows:

TIMINI = 3
M11 = Constant 1.0
M12 = Delay time (sec) after equipment has started up
M13 = Delay time (sec) for trip (filters out transient inputs)

The block generates the following outputs:

BO01 = trip signal (connect to trip logic described below)
BO03 = trip voting result
BO06 = run delay bypass status
BO07 = condition bypass status
BO08 = all inputs bad (connect to unprotected alarm)
IO01 = number of inputs needed to trip
IO02 = number of inputs that have tripped

Voting Logic Block Steps

The steps are the same as previously described. Note: The same block can be used for all voting scenarios.

Trip Alarm Block HA0001

The trip should be alarmed via a CIN block with the following connections:

IN = :LX0001ESD.BO01
MA = :HA0001.MA.1 (lock in auto)

The block parameters must be set as follows:

IOMOPT = 0
INVALM = 0 (transitions from 0 to 1 are into alarm)
SAO = 1 (enable state alarm)
SAP = appropriate alarm priority
SAG = appropriate alarm group

2oo2 VOTING WITH SINGLE TRIP

2oo2 Voting Logic Blocks

Figure 3 shows the block schematic for 2oo2 voting logic with a single trip, in this case a high trip only. The voting logic contains the following blocks (should be executed in this order):

  1. AIN block containing locked-in trip setpoint (LSP0001).
  2. REALM block for each transmitter input (LA0001A-B).
  3. COUT block for condition bypass switch (HHS0001).
  4. CIN block for alarming bypass status (HHA0001).
  5. CALCA block containing voting logic (LX0001ESD).
  6. CIN block for alarming trip condition (HA0001).

The blocks that are different from those shown in Figure 2 are described below.

Figure 3 Block Schematic for 2oo2 Voting Logic with Single Trip

Voting Logic Block LX0001ESD

LX0001ESD is a CALCA block that performs the voting logic for a condition. The connections are the same as previously described except for the following:

BI05 = 0
BI06 = :LX0001ESD.BI06.1 (lock on to eliminate third input)

Voting Logic Block Steps

The steps are the same as previously described. Note: The same block can be used for all voting scenarios.

1oo1 VOTING WITH SINGLE TRIP

1oo1 Voting Logic Blocks

Figure 4 shows the block schematic for 1oo1 voting logic with a single trip, in this case a high trip only. The voting logic contains the following blocks (should be executed in this order):

  1. AIN block containing locked-in trip setpoint (LSP0001).
  2. REALM block for transmitter input (LA0001A).
  3. COUT block for condition bypass switch (HHS0001).
  4. CIN block for alarming bypass status (HHA0001).
  5. CALCA block containing voting logic (LX0001ESD).
  6. CIN block for alarming trip condition (HA0001).

The blocks that are different from those shown in Figure 3 are described below.

Figure 4 Block Schematic for 1oo1 Voting Logic with Single Trip

Voting Logic Block LX0001ESD

LX0001ESD is a CALCA block that performs the voting logic for a condition. The connections are the same as previously described except for the following:

BI03 = 0
BI04 = :LX0001ESD.BI04.1 (lock on to eliminate second input)
BI05 = 0
BI06 = :LX0001ESD.BI06.1 (lock on to eliminate third input)

Voting Logic Block Steps

The steps are the same as previously described. Note: The same block can be used for all voting scenarios.

1oo1 VOTING WITH CONTACT INPUT

1oo1 Voting Logic Blocks

Figure 5 shows the block schematic for 1oo1 voting logic with a contact input. The voting logic contains the following blocks (should be executed in this order):

  1. COUT block for condition bypass switch (HHS0001).
  2. CIN block for alarming bypass status (HHA0001).
  3. CALCA block containing voting logic (LX0001ESD).
  4. CIN block for alarming trip condition (HA0001).

The blocks that are different from those shown in Figure 4 are described below.

Figure 5 Block Schematic for 1oo1 Voting Logic with Contact Input

Voting Logic Block LX0001ESD

LX0001ESD is a CALCA block that performs the voting logic for a condition. The connections are the same as previously described except for the following:

BI01 = contact input
BI02 = contact input bad signal
BI03 = 0
BI04 = :LX0001ESD.BI04.1 (lock on to eliminate second input)
BI05 = 0
BI06 = :LX0001ESD.BI06.1 (lock on to eliminate third input)

Voting Logic Block Steps

The steps are the same as previously described. Note: The same block can be used for all voting scenarios.

OTHER VOTING LOGIC SCENARIOS

No Key Bypass Switch

In some applications, the bypass is not protected by a key switch. The following connection in block LX0001ESD should be modified as follows:

BI15 = :LX0001ESD.BI15.1 (lock on to eliminate bypass key switch)

No Equipment Run Delay

In some applications, the run delay for equipment startup is not necessary. The following connection in block LX0001ESD should be modified as follows:

BI16 = :LX0001ESD.BI16.1 (lock on to eliminate equipment run delay)

ESD TRIP LOGIC WITH FIRST-OUT INDICATION

ESD Trip Logic Blocks

The voting results from the conditions in the ESD application are connected to the ESD trip logic described below. In addition, the logic that performs the first-out indication is shown.

Figure 6 shows the block schematic for the ESD trip logic and first-out indication. In this case, the ESD application includes 14 trip conditions. The logic contains the following blocks (should be executed in this order):

  1. COUT block for trip reset switch (HS0002RST).
  2. CALCA block containing trip logic for the first 7 conditions (XX0002ESD1).
  3. CALCA block containing trip logic for the next 7 conditions (XX0002ESD2).
  4. CIN block for indicating the overall trip condition (XA0002).
  5. CALCA block containing first-out logic for the first 7 trips (XX0002FO1).
  6. CALCA block containing first-out logic for the next 7 trips (XX0002FO1).
Figure 6 Block Schematic for ESD Trip Logic

Trip Reset Block HS0002RST

A COUT block is used to provide the operator with a means of resetting the trip logic. The block should have the following connections:

IN = :HS0002RST.COUT (sets input to output for display purposes only)
MA = :HS0002RST.MA.0 (lock in manual so operator can toggle COUT)

The block parameters must be set as follows:

IOMOPT = 0

ESD Trip Logic Block XX0002ESD1

XX0002ESD1 is a CALCA block that performs the ESD trip logic for the first seven trip conditions. The following connections are required:

BI01 = condition 1 trip status (typically from a voting block)
BI02 = condition 2 trip status (typically from a voting block)
BI03 = condition 3 trip status (typically from a voting block)
BI04 = condition 4 trip status (typically from a voting block)
BI05 = condition 5 trip status (typically from a voting block)
BI06 = condition 6 trip status (typically from a voting block)
BI07 = condition 7 trip status (typically from a voting block)
BI08 = :HS0002RST.COUT (trip reset)
BI09 = condition 1 trip bypass
BI10 = condition 2 trip bypass
BI11 = condition 3 trip bypass
BI12 = condition 4 trip bypass
BI13 = condition 5 trip bypass
BI14 = condition 6 trip bypass
BI15 = condition 7 trip bypass
BI16 = :XX0002ESD1.BI16.0 (lock off for first ESD Trip Block)
MA = :XX0002ESD1.MA.1 (lock to auto)

The block parameters must be set as follows:

TIMINI = 3
M01 = OSP time (sec) for trip reset pulse

The block generates the following outputs:

BO01 = condition 1 trip status (to FO block)
BO02 = condition 2 trip status (to FO block)
BO03 = condition 3 trip status (to FO block)
BO04 = condition 4 trip status (to FO block)
BO05 = condition 5 trip status (to FO block)
BO06 = condition 6 trip status (to FO block)
BO07 = condition 7 trip status (to FO block)
BO08 = overall trip status (connect to next ESD Trip Block)

Note: The trip bypass function is normally handled in the voting blocks, so BI09 – BI15 should be locked to 0 (off). However, these bypass inputs can be used by logic to turn trips on and off depending on the application.

ESD Trip Logic Block Steps

STEP01 = IN BI08 ;ESD RESET
STEP02 = OSP M01
STEP03 = OUT M11 ;RESET PULSE
STEP04 = CST
STEP05 = AND BI01 ~BI09 ;ESD 1 & NOT BYP
STEP06 = IN M11
STEP07 = FF
STEP08 = OUT BO01 ;ESD TRIP 1
STEP09 = CST
STEP10 = AND BI02 ~BI10 ;ESD 2 & NOT BYP
STEP11 = IN M11
STEP12 = FF
STEP13 = OUT BO02 ;ESD TRIP 2
STEP14 = CST
STEP15 = AND BI03 ~BI11 ;ESD 3 & NOT BYP
STEP16 = IN M11
STEP17 = FF
STEP18 = OUT BO03 ;ESD TRIP 3
STEP19 = CST
STEP20 = AND BI04 ~BI12 ;ESD 4 & NOT BYP
STEP21 = IN M11
STEP22 = FF
STEP23 = OUT BO04 ;ESD TRIP 4
STEP24 = CST
STEP25 = AND BI05 ~BI13 ;ESD 5 & NOT BYP
STEP26 = IN M11
STEP27 = FF
STEP28 = OUT BO05 ;ESD TRIP 5
STEP29 = CST
STEP30 = AND BI06 ~BI14 ;ESD 6 & NOT BYP
STEP31 = IN M11
STEP32 = FF
STEP33 = OUT BO06 ;ESD TRIP 6
STEP34 = CST
STEP35 = AND BI07 ~BI15 ;ESD 7 & NOT BYP
STEP36 = IN M11
STEP37 = FF
STEP38 = OUT BO07 ;ESD TRIP 7
STEP39 = OR BO06 BO05
STEP40 = OR BO04 BO03
STEP41 = OR BO02 BO01
STEP42 = IN BI16 ;ESD FM UPSTREAM BLK
STEP43 = OR 5
STEP44 = OUT BO08 ;ESD TRIP
STEP45 = END

ESD Trip Block Logic Details

Steps 1-3:  Perform OSP on the trip reset input BI08 and store the resulting pulse into M11.

Steps 5-8:  Perform flip-flop (FF) logic for trip 1.  The FF is set when the trip input BI01 is on and not bypassed (~BI09).  The FF is reset when the reset pulse M11 is on.  The result is stored in BO01.

Steps 10-13:  Perform flip-flop (FF) logic for trip 2.  The FF is set when the trip input BI02 is on and not bypassed (~BI10).  The FF is reset when the reset pulse M11 is on.  The result is stored in BO02.

Steps 15-18:  Perform flip-flop (FF) logic for trip 3.  The FF is set when the trip input BI03 is on and not bypassed (~BI11).  The FF is reset when the reset pulse M11 is on.  The result is stored in BO03.

Steps 20-23:  Perform flip-flop (FF) logic for trip 4.  The FF is set when the trip input BI04 is on and not bypassed (~BI12).  The FF is reset when the reset pulse M11 is on.  The result is stored in BO04.

Steps 25-28:  Perform flip-flop (FF) logic for trip 5.  The FF is set when the trip input BI05 is on and not bypassed (~BI13).  The FF is reset when the reset pulse M11 is on.  The result is stored in BO05.

Steps 30-33:  Perform flip-flop (FF) logic for trip 6.  The FF is set when the trip input BI06 is on and not bypassed (~BI14).  The FF is reset when the reset pulse M11 is on.  The result is stored in BO06.

Steps 35-38:  Perform flip-flop (FF) logic for trip 7.  The FF is set when the trip input BI07 is on and not bypassed (~BI15).  The FF is reset when the reset pulse M11 is on.  The result is stored in BO07.

Steps 39-44:  Perform an OR on BO01 through BO07 and include the trip status from the previous ESD Trip Block (BI16).  Store the result to BO08, which is connected to BI16 in the next ESD Trip Block or to the overall trip status alarm block.

ESD Trip Logic Block XX0002ESD2

XX0002ESD2 is identical to XX0002ESD1 except for the connections. It performs the ESD trip logic for the next seven trip conditions. The following connections are required:

BI01 = condition 8 trip status (typically from a voting block)
BI02 = condition 9 trip status (typically from a voting block)
BI03 = condition 10 trip status (typically from a voting block)
BI04 = condition 11 trip status (typically from a voting block)
BI05 = condition 12 trip status (typically from a voting block)
BI06 = condition 13 trip status (typically from a voting block)
BI07 = condition 14 trip status (typically from a voting block)
BI08 = :HS0002RST.COUT (trip reset)
BI09 = condition 8 trip bypass
BI10 = condition 9 trip bypass
BI11 = condition 10 trip bypass
BI12 = condition 11 trip bypass
BI13 = condition 12 trip bypass
BI14 = condition 13 trip bypass
BI15 = condition 14 trip bypass
BI16 = :XX0002ESD1.BO08 (from the first ESD Trip Block)
MA = :XX0002ESD2.MA.1 (lock to auto)

The block parameters must be set as follows:

TIMINI = 3
M01 = OSP time (sec) for trip reset pulse

The block generates the following outputs:

BO01 = condition 8 trip status (to FO block)
BO02 = condition 9 trip status (to FO block)
BO03 = condition 10 trip status (to FO block)
BO04 = condition 11 trip status (to FO block)
BO05 = condition 12 trip status (to FO block)
BO06 = condition 13 trip status (to FO block)
BO07 = condition 14 trip status (to FO block)
BO08 = overall trip status (connect to overall ESD Trip Status Block XA0002)

Overall Trip Status Block XA0002

The overall trip status is indicated and alarmed by a CIN block with the following connections:

IN = :XX0002ESD2.BO08
MA = :XA0002.MA.1 (lock in auto)

The block parameters must be set as follows:

IOMOPT = 0
INVALM = 0 (transitions from 0 to 1 are into alarm)
SAO = 1 (enable state alarm)
SAP = appropriate alarm priority
SAG = appropriate alarm group

First-Out Logic Block XX0002FO1

XX0002FO1 is a CALCA block that performs the first-out logic for the first seven trip conditions. The following connections are required:

BI01 = :XX0002ESD1.BO01
BI02 = :XX0002ESD1.BO02
BI03 = :XX0002ESD1.BO03
BI04 = :XX0002ESD1.BO04
BI05 = :XX0002ESD1.BO05
BI06 = :XX0002ESD1.BO06
BI07 = :XX0002ESD1.BO07
BI08 = :XX0002ESD2.BO08 (first-out status from last First-Out Logic Block)
BI09 = :XA0002.CIN (overall trip status)
MA = :XX0002FO1.MA.1 (lock to auto)

The block parameters must be set as follows:

TIMINI = 3
M01 = block execution frequency (sec) – typically 0.5 sec

The block generates the following outputs:

BO01 = condition 1 trip first-out status (to FO alarm block)
BO02 = condition 2 trip first-out status (to FO alarm block)
BO03 = condition 3 trip first-out status (to FO alarm block)
BO04 = condition 4 trip first-out status (to FO alarm block)
BO05 = condition 5 trip first-out status (to FO alarm block)
BO06 = condition 6 trip first-out status (to FO alarm block)
BO07 = condition 7 trip first-out status (to FO alarm block)
BO08 = overall first-out status (connect to next FO Logic Block)

First-Out Logic Block Steps

STEP01 = IN BI08 ;OVERALL FO STATUS
STEP02 = OUT BO08
STEP03 = IN ~BI09 ;NO TRIP
STEP04 = OSP M01
STEP05 = OUT M11 ;TRIP CLEARED PULSE
STEP06 = BIF 8
STEP07 = CLR BO08 ;FO STATUS
STEP08 = AND BI01 ~BO08 ;ESD TRIP 1
STEP09 = IN M11
STEP10 = FF
STEP11 = OUT BO01 ;FO TRIP 1
STEP12 = OR BO08
STEP13 = OUT BO08 ;FO STATUS
STEP14 = AND BI02 ~BO08 ;ESD TRIP 2
STEP15 = IN M11
STEP16 = FF
STEP17 = OUT BO02 ;FO TRIP 2
STEP18 = OR BO08
STEP19 = OUT BO08 ;FO STATUS
STEP20 = AND BI03 ~BO08 ;ESD TRIP 3
STEP21 = IN M11
STEP22 = FF
STEP23 = OUT BO03 ;FO TRIP 3
STEP24 = OR BO08
STEP25 = OUT BO08 ;FO STATUS
STEP26 = AND BI04 ~BO08 ;ESD TRIP 4
STEP27 = IN M11
STEP28 = FF
STEP29 = OUT BO04 ;FO TRIP 4
STEP30 = OR BO08
STEP31 = OUT BO08 ;FO STATUS
STEP32 = AND BI05 ~BO08 ;ESD TRIP 5
STEP33 = IN M11
STEP34 = FF
STEP35 = OUT BO05 ;FO TRIP 5
STEP36 = OR BO08
STEP37 = OUT BO08 ;FO STATUS
STEP38 = AND BI06 ~BO08 ;ESD TRIP 6
STEP39 = IN M11
STEP40 = FF
STEP41 = OUT BO06 ;FO TRIP 6
STEP42 = OR BO08
STEP43 = OUT BO08 ;FO STATUS
STEP44 = AND BI07 ~BO08 ;ESD TRIP 7
STEP45 = IN M11
STEP46 = FF
STEP47 = OUT BO07 ;FO TRIP 7
STEP48 = OR BO08
STEP49 = OUT BO08 ;FO STATUS
STEP50 = END

ESD Trip Block Logic Details

Steps 1-2:  Set the overall FO status BO08 to the status from the previous FO block BI08.

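Steps 3-7:  Apply a one-shot pulse (OSP) to the inverted trip status (~BI09) to detect when the trip has cleared, and store the resulting pulse in M11.  If M11 is on, clear the FO status BO08; if M11 is off, the BIF 8 instruction branches directly to step 8 and BO08 is left unchanged.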

Steps 8-13:  Perform flip-flop (FF) logic for trip 1.  The FF is set when the trip input BI01 is on and there is no FO active (~BO08).  The FF is reset when the trip cleared pulse M11 is on.  The result is stored in BO01.  The overall FO status in BO08 is immediately updated with the result.

Steps 14-19:  Perform flip-flop (FF) logic for trip 2.  The FF is set when the trip input BI02 is on and there is no FO active (~BO08).  The FF is reset when the trip cleared pulse M11 is on.  The result is stored in BO02.  The overall FO status in BO08 is immediately updated with the result.

Steps 20-25:  Perform flip-flop (FF) logic for trip 3.  The FF is set when the trip input BI03 is on and there is no FO active (~BO08).  The FF is reset when the trip cleared pulse M11 is on.  The result is stored in BO03.  The overall FO status in BO08 is immediately updated with the result.

Steps 26-31:  Perform flip-flop (FF) logic for trip 4.  The FF is set when the trip input BI04 is on and there is no FO active (~BO08).  The FF is reset when the trip cleared pulse M11 is on.  The result is stored in BO04.  The overall FO status in BO08 is immediately updated with the result.

Steps 32-37:  Perform flip-flop (FF) logic for trip 5.  The FF is set when the trip input BI05 is on and there is no FO active (~BO08).  The FF is reset when the trip cleared pulse M11 is on.  The result is stored in BO05.  The overall FO status in BO08 is immediately updated with the result.

Steps 38-43:  Perform flip-flop (FF) logic for trip 6.  The FF is set when the trip input BI06 is on and there is no FO active (~BO08).  The FF is reset when the trip cleared pulse M11 is on.  The result is stored in BO06.  The overall FO status in BO08 is immediately updated with the result.

Steps 44-49:  Perform flip-flop (FF) logic for trip 7.  The FF is set when the trip input BI07 is on and there is no FO active (~BO08).  The FF is reset when the trip cleared pulse M11 is on.  The result is stored in BO07.  The overall FO status in BO08 is immediately updated with the result.

First-Out Logic Block XX0002FO2

XX0002FO2 is identical to XX0002FO1 except for the connections. It performs the first-out logic for the next seven trip conditions. The following connections are required:

BI01 = :XX0002ESD2.BO01
BI02 = :XX0002ESD2.BO02
BI03 = :XX0002ESD2.BO03
BI04 = :XX0002ESD2.BO04
BI05 = :XX0002ESD2.BO05
BI06 = :XX0002ESD2.BO06
BI07 = :XX0002ESD2.BO07
BI08 = :XX0002ESD1.BO08 (status from previous First-Out Logic Block)
BI09 = :XA0002.CIN (overall trip status)
MA = :XX0002FO2.MA.1 (lock to auto)

The block parameters must be set as follows:

TIMINI = 3
M01 = block execution frequency (sec) – typically 0.5 sec

The block generates the following outputs:

BO01 = condition 8 trip first-out status (to FO alarm block)
BO02 = condition 9 trip first-out status (to FO alarm block)
BO03 = condition 10 trip first-out status (to FO alarm block)
BO04 = condition 11 trip first-out status (to FO alarm block)
BO05 = condition 12 trip first-out status (to FO alarm block)
BO06 = condition 13 trip first-out status (to FO alarm block)
BO07 = condition 14 trip first-out status (to FO alarm block)
BO08 = overall first-out status (connect to first FO Logic Block)
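
The first-out latching described above, modelled scan by scan in Python as an added example (it is not Foxboro code and not part of the original document). It assumes that BI08 carries the other First-Out Logic Block's BO08 as the parenthetical notes describe, that FO1 executes before FO2 in each scan, that OSP yields a one-scan pulse, and that the flip-flop reset dominates; the class and function names are hypothetical.

```python
class FirstOutBlock:
    """One First-Out Logic Block: seven trip inputs, outputs BO01..BO08."""

    def __init__(self):
        self.ff = [False] * 7      # BO01..BO07 flip-flop states
        self.bo08 = False          # overall first-out status
        self.prev_no_trip = True   # OSP memory of ~BI09 (assumed: no trip at start-up)

    def scan(self, trips, bi08, bi09):
        self.bo08 = bi08                          # steps 1-2
        no_trip = not bi09                        # step 3
        m11 = no_trip and not self.prev_no_trip   # steps 4-5: pulse when the trip clears
        self.prev_no_trip = no_trip
        if m11:                                   # steps 6-7
            self.bo08 = False
        for i, trip in enumerate(trips):          # steps 8-49, one latch per condition
            if m11:                               # assumption: reset dominates set
                self.ff[i] = False
            elif trip and not self.bo08:          # set only while no first-out is active
                self.ff[i] = True
            self.bo08 = self.bo08 or self.ff[i]   # update overall status immediately
        return self.bo08

def run(scans):
    """scans: list of (14 trip inputs, overall trip status BI09), one entry per scan."""
    fo1, fo2 = FirstOutBlock(), FirstOutBlock()
    history = []
    for trip_inputs, bi09 in scans:
        fo1.scan(trip_inputs[:7], fo2.bo08, bi09)   # assumption: FO1 executes before FO2
        fo2.scan(trip_inputs[7:], fo1.bo08, bi09)
        history.append([n + 1 for n, q in enumerate(fo1.ff + fo2.ff) if q])
    return history

def trips(*active):
    """Build the 14 trip inputs with the given condition numbers switched on."""
    return [n + 1 in active for n in range(14)]

# Constructed scenario: condition 9 trips first, the shutdown itself then trips
# conditions 3 and 12, the conditions clear, and the overall trip status resets.
SCENARIO = [
    (trips(), False),
    (trips(9), True),
    (trips(3, 9, 12), True),
    (trips(), True),
    (trips(), False),
]

if __name__ == "__main__":
    print(run(SCENARIO))   # first-out condition numbers flagged after each scan
```

When two conditions trip in the same scan, the one evaluated earlier in step order takes the first-out flag, so the ordering of inputs within and across the blocks decides ties.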

First-Out Alarm Blocks

The first-out status is indicated and alarmed by a CIN block for each trip. Each block should have the following connections:

IN = appropriate boolean out from the first-out logic block
MA = lock in auto

The block parameters must be set as follows:

IOMOPT = 0
INVALM = 0 (transitions from 0 to 1 are into alarm)
SAO = 1 (enable state alarm)
SAP = appropriate alarm priority
SAG = appropriate alarm group

GRAPHICS CONSIDERATIONS

Process Graphic

Each trip condition on a process graphic should be represented by a diamond symbol containing the letter “I”. The diamond background color can indicate the status of the trip condition. For example:

  • Red = Tripped
  • Yellow = Bypassed
  • Green or white = OK

Trip Condition Overlay

Clicking on the diamond in the process graphic should call up an overlay that shows the voting status of the trip condition. The overlay should include:

  • Each transmitter reading
  • Transmitter deviation alarm
  • Trip setpoint
  • Voting result for each transmitter (green/red circles)
  • Bypass status (click to access bypass toggle)
  • Overall voting result (green/red circle)
  • First-Out status
  • Unprotected alarm

ESD Trip Graphic

All conditions in a trip application should appear on a dedicated trip graphic. The graphic should include each condition and show the same information as in the overlay. The graphic should also include the trip reset button.