Safety Considerations Guide for Triconex General ... - ICEWeb
Safety Considerations Guide for Triconex General ... - ICEWeb Safety Considerations Guide for Triconex General ... - ICEWeb
22 Chapter 2 Application Guidelines • The receiving program must monitor the status of the TR_URCV and TR_PORT_STATUS functions to determine if there is a network problem that requires operator intervention. For information on data transfer time and examples of how to use Peer-to-Peer functions to transfer safety-critical data, see Appendix A, Triconex Peer-to-Peer Communication. SIL2 Guidelines For SIL2 applications, these guidelines should be followed: • If non-approved modules are used, the inputs and outputs should be checked to verify that they do not affect safety-critical functions of the controller. • Two modes control write operations from external hosts: — Remote Mode: When true, external hosts, such as Modbus master, DCS, etc., can write to aliased variables in the controller. When false, writes are prohibited. — Program Mode: When true, TriStation 1131 software can make changes including operations that modify the behavior of the currently running application. For example, Download All, Download Change, declaring variables, enabling/disabling variables, changing values of variables and scan time, etc. Remote mode and program mode are independent of each other. In safety applications, operation in these modes is not recommended. In other words, write operations to the controller from external hosts should be prohibited. If remote mode or program mode becomes true, the application should include the following safeguards: — When remote mode is true, the application should turn on an alarm. For example, if using the SYS_SHUTDOWN function block, the ALARM_REMOTE_ACCESS output could be used. Verify that aliased variables adhere to the guidelines described in Maintenance Overrides on page 24. — When program mode is true, the application should turn on an alarm. For example, if using the SYS_SHUTDOWN function block, the ALARM_PROGRAMMING_PERMITTED output could be used. • Wiring and grounding procedures outlined in the Planning and Installation Guide for Triconex General Purpose v2 Systems should be followed. • Maintenance instructions outlined in the Planning and Installation Guide for Triconex General Purpose v2 Systems should be followed. • The operating time restrictions in this table should be followed. Operating Mode SIL 1 Operating Time SIL 2 Operating Time TMR Mode Continuous Continuous Dual Mode Continuous Continuous Single Mode Continuous Industry accepted MTTR Safety Considerations Guide for Triconex General Purpose v2 Systems
Guidelines for Triconex Controllers 23 • Peer-to-Peer communication must be programmed according to the recommendations in Triconex Peer-to-Peer Communication on page 20. Note All Triconex logic solver faults can be repaired online without further degradation of the system and should be performed before a second fault occurrence to maintain the highest availability of the system. The highly effective means of modular insertion and replacement of faulted Triconex components is transparent to the operation of the system and the ease of replacement mitigates the risk of systematic and human induced failure as defined by IEC 61508. It is highly recommended that a faulted component be replaced within industry accepted Mean-Time-To-Repair (MTTR) periods. Additional Fire and Gas Guidelines • Analog input cards with current loop terminations should be used to read digital inputs. Opens and shorts in the wiring to the field devices should be detectable. The Triconex library function LINEMNTR should be used to simplify application development. • A controller should be powered by two independent sources. • If controller operation is degraded to dual mode or single mode, repairs should be timely. The operating time restrictions in the table on page 22 should be followed. Periodic Offline Test Interval Guidelines A safety instrumented function (SIF) may be tested periodically to satisfy the requirements for the specified safety integrity level (SIL). This period is called the periodic offline test interval. Project Change and Control A change to a project, however minor, should comply with the guidelines of your organization’s Safety Change Control Committee (SCCC). Change Procedure 1 Generate a change request defining all changes and the reasons for the changes, then obtain approval for the changes from the SCCC. 2 Develop a specification for the changes, including a test specification, then obtain approval for the specification from the SCCC. 3 Make the appropriate changes to the project, including those related to design, operation, or maintenance documentation. 4 To verify that the configuration in the controller matches the last downloaded configuration, use the Verify Last Download to the Controller command on the Controller Panel. For details, see the TriStation 1131 Developer’s Guide. 5 Compare the configuration in your project with the configuration that was last downloaded to the controller by printing the Compare Project to Last Download report from the Controller Panel. For details, see the TriStation 1131 Developer’s Guide. Safety Considerations Guide for Triconex General Purpose v2 Systems
- Page 1 and 2: Triconex General Purpose v2 Systems
- Page 3 and 4: Contents Preface vii Summary of Sec
- Page 5 and 6: Contents v Partitioned Processes. .
- Page 7 and 8: Preface This guide provides informa
- Page 9 and 10: Preface ix • All other requests a
- Page 11 and 12: 1 Safety Concepts Overview 2 Hazard
- Page 13 and 14: Overview 3 Protection Layers Method
- Page 15 and 16: Hazard and Risk Analysis 5 Hazard a
- Page 17 and 18: Hazard and Risk Analysis 7 Sample S
- Page 19 and 20: Hazard and Risk Analysis 9 Safety L
- Page 21 and 22: Hazard and Risk Analysis 11 • Eac
- Page 23 and 24: Safety Standards 13 CAN/CSA-C22.2 N
- Page 25 and 26: 2 Application Guidelines Overview 1
- Page 27 and 28: General Guidelines 17 General Guide
- Page 29 and 30: Guidelines for Triconex Controllers
- Page 31: Guidelines for Triconex Controllers
- Page 35 and 36: Guidelines for Triconex Controllers
- Page 37 and 38: Guidelines for Triconex Controllers
- Page 39 and 40: Guidelines for Triconex Controllers
- Page 41 and 42: 3 Fault Management Overview 32 Syst
- Page 43 and 44: System Diagnostics 33 System Diagno
- Page 45 and 46: Operating Modes 35 Operating Modes
- Page 47 and 48: Module Diagnostics 37 Analog Output
- Page 49 and 50: Module Diagnostics 39 Calculation f
- Page 51 and 52: Module Diagnostics 41 External Comm
- Page 53 and 54: 4 Application Development Developme
- Page 55 and 56: Development Guidelines 45 Array Ind
- Page 57 and 58: Setting Scan Time 47 application. T
- Page 59 and 60: Sample Safety-Shutdown Programs 49
- Page 61 and 62: Sample Safety-Shutdown Programs 51
- Page 63 and 64: Sample Safety-Shutdown Programs 53
- Page 65 and 66: Sample Safety-Shutdown Programs 55
- Page 67 and 68: Sample Safety-Shutdown Programs 57
- Page 69 and 70: Alarm Usage 59 Alarm Usage To imple
- Page 71 and 72: A Triconex Peer-to-Peer Communicati
- Page 73 and 74: Data Transfer Time 63 Data Transfer
- Page 75 and 76: Data Transfer Time 65 A typical dat
- Page 77 and 78: Examples of Peer-to-Peer Applicatio
- Page 79 and 80: B HART Communication Overview 70 HA
- Page 81 and 82: HART Position Paper from TÜV Rhein
<strong>Guide</strong>lines <strong>for</strong> <strong>Triconex</strong> Controllers 23<br />
• Peer-to-Peer communication must be programmed according to the recommendations<br />
in <strong>Triconex</strong> Peer-to-Peer Communication on page 20.<br />
Note<br />
All <strong>Triconex</strong> logic solver faults can be repaired online without further degradation of the<br />
system and should be per<strong>for</strong>med be<strong>for</strong>e a second fault occurrence to maintain the<br />
highest availability of the system. The highly effective means of modular insertion and<br />
replacement of faulted <strong>Triconex</strong> components is transparent to the operation of the<br />
system and the ease of replacement mitigates the risk of systematic and human induced<br />
failure as defined by IEC 61508. It is highly recommended that a faulted component be<br />
replaced within industry accepted Mean-Time-To-Repair (MTTR) periods.<br />
Additional Fire and Gas <strong>Guide</strong>lines<br />
• Analog input cards with current loop terminations should be used to read digital<br />
inputs. Opens and shorts in the wiring to the field devices should be detectable. The<br />
<strong>Triconex</strong> library function LINEMNTR should be used to simplify application<br />
development.<br />
• A controller should be powered by two independent sources.<br />
• If controller operation is degraded to dual mode or single mode, repairs should be<br />
timely. The operating time restrictions in the table on page 22 should be followed.<br />
Periodic Offline Test Interval <strong>Guide</strong>lines<br />
A safety instrumented function (SIF) may be tested periodically to satisfy the requirements <strong>for</strong><br />
the specified safety integrity level (SIL). This period is called the periodic offline test interval.<br />
Project Change and Control<br />
A change to a project, however minor, should comply with the guidelines of your organization’s<br />
<strong>Safety</strong> Change Control Committee (SCCC).<br />
Change Procedure<br />
1 Generate a change request defining all changes and the reasons <strong>for</strong> the changes, then<br />
obtain approval <strong>for</strong> the changes from the SCCC.<br />
2 Develop a specification <strong>for</strong> the changes, including a test specification, then obtain<br />
approval <strong>for</strong> the specification from the SCCC.<br />
3 Make the appropriate changes to the project, including those related to design,<br />
operation, or maintenance documentation.<br />
4 To verify that the configuration in the controller matches the last downloaded<br />
configuration, use the Verify Last Download to the Controller command on the<br />
Controller Panel. For details, see the TriStation 1131 Developer’s <strong>Guide</strong>.<br />
5 Compare the configuration in your project with the configuration that was last<br />
downloaded to the controller by printing the Compare Project to Last Download report<br />
from the Controller Panel. For details, see the TriStation 1131 Developer’s <strong>Guide</strong>.<br />
<strong>Safety</strong> <strong>Considerations</strong> <strong>Guide</strong> <strong>for</strong> <strong>Triconex</strong> <strong>General</strong> Purpose v2 Systems