AADvance Safety Manual - Tuv-fs.com

ICS TriplexAADvance Safety ManualISSUE 7DOCUMENT NUMBER 553630

AADvance Safety ManualNoticeDisclaimerThe content of this document is confidential to ICS Triplex companies and theirpartners. It may not be given away, lent, resold, hired out or made available to a thirdparty for any purpose without the written consent of ICS Triplex.This document contains proprietary information that is protected by copyright. Allrights are reserved.The information contained in this document is subject to change without notice anddoes not represent a commitment on the part of ICS Triplex. The reader should, in allcases, consult ICS Triplex to determine whether any such changes have been made.From time to time, amendments to this document will be made as necessary and willbe distributed by ICS Triplex.No part of this documentation may be reproduced or transmitted in any form or byany means, electronic or mechanical, including photocopying and recording, for anypurpose, without the express written permission of ICS Triplex.All trademarks are acknowledged.It is not intended that the information contained in this publication covers everypossible detail about the construction, operation, or maintenance of a control systeminstallation. You should refer to your own (or supplied) system safety manual,installation instructions and operator/maintenance manuals.Revision and Updating PolicyThis document is based on information available at the time of its publication; however,the document contents are subject to change from time to time. You should contactICS Triplex Technical Support by e-mail — support@icstriplex.com to check if youhave the latest version of this publication.This Safety Manual applies to AADvance Release: 1.1.ii Document number 553630 Issue 7: February 2010

Issue RecordIssueNumberDateRevisedbyCheckedbyAuthorizedbyModification01 Jan 2010 S Blackett N Owens P. Stock First Issue02 April 2009 S Blackett P Skipp P Stock Reformat to match associatedproduct user manuals03 Aug 2009 S Blackett A Holgate P Stock QA review updates04 Sept 2009 S Blackett A Holgate P Stock Release 1.1 for TUV approval05 Oct 2009 S Blackett A Holgate P Stock TUV approval release06 Jan 2010 S Blackett A Holgate P Stock TUV review comments07 Feb 2010 S Blackett A Holgate P Stock TUV review additional commentsWARNINGWarning notices call attention to the use of materials, processes, methods,procedures or limits which must be followed precizely to avoid personal injuryor death.CAUTIONCaution notices call attention to methods and procedures which must befollowed to avoid damage to the equipment.SAFETYThis symbol calls attention to items which must be considered andimplemented when designing and building a safety system using the AADvancerange of products.Document number 553630 Issue 7: February 2010iii

AADvance Safety ManualWARNINGELECTRICAL ARCS AND EXPLOSION RISKIf you connect or disconnect wiring, modules or communicationscabling while power is applied, an electrical arc can occur. This couldcause an explosion in hazardous location installations. Be sure thatpower is removed or the area is nonhazardous before proceeding.Do not remove wiring, modules or communications cabling whilecircuit is live unless area is known to be non hazardous.Failure to follow these instructions may result in personal injury.WARNINGMAINTENANCEMaintenance must be carried out only by qualified personnel.Failure to follow these instructions may result in personal injury.CAUTIONRADIO FREQUENCY INTERFERENCEMost electronic equipment is influenced by Radio Frequency Interference.Caution should be exercised with regard to the use of portablecommunications equipment around such equipment. Signs should be posted inthe vicinity of the equipment cautioning against the use of portablecommunications equipment.CAUTIONSTATIC SENSITIVE COMPONENTSThe module PCBs contains static sensitive components. Static handlingprecautions must be observed. DO NOT touch exposed connector pins orattempt to dismantle a module.iv Document number 553630 Issue 7: February 2010

ForewordThis technical manual defines how to safely apply AADvance controllers and theirsystems. It sets out standards (which are mandatory) and makes recommendations toensure that installations meet their required safety integrity level. To do this, itaddresses how such installations are designed, built, tested, installed and commissioned,operated, maintained and decommissioned. It defines the requirements to be metduring the life-cycle stages of safety-related systems design and commissioning so thesafety objectives of the system are achieved during operation.There are requirements for quality systems, documentation and competency in thistechnical manual; these are additional requirements for an operating company's orintegrator's quality systems, procedures and practices.Note: The AADvance controller is a logic solver. It uses processor modules and I/Omodules. An AADvance system is formed by one or more controllers, their powersources, communications networks and workstations.Who Should Use this ManualThis manual is intended primarily for System Integrators. The information contained inthis manual is intended to be used in conjunction with (and not as a substitute for)expertise and experience in safety-related systems. In particular, it is expected that thereader has a thorough understanding of the intended application and can understandthe generic terms used within this manual and the terminology specific to theintegrator's or project's application area.This manual is designed to support personnel who are already trained. ICS Triplexoperates suitable training courses from all its regional centers.Note: The System Integrator remains responsible for the generation of proceduresand practices applicable to its business, and shall ensure that these are in accordancewith the requirements defined herein. The application of such procedures and practicesis also the responsibility of the system integrator, and these are mandatory for systemsused for SIL3 applications.Document number 553630 Issue 7: February 2010v

AADvance Safety ManualThis page intentionally left blankvi Document number 553630 Issue 7: February 2010

ContentsChapter 1 Introduction ............................................................................................. 1-4Verification of the Safety Manual.................................................................................................................... 1-4Competency........................................................................................................................................................ 1-4Terminology ........................................................................................................................................................ 1-4Vocabulary and Conventions .................................................................................................................... 1-4Process Safety Time .................................................................................................................................... 1-4Fault Tolerance in Safety Applications .................................................................................................... 1-4Associated Documents..................................................................................................................................... 1-4Chapter 2 The AADvance System........................................................................... 2-4The AADvance Controller.............................................................................................................................. 2-4Main Components ............................................................................................................................................. 2-4Software Development Environment............................................................................................................ 2-4Chapter 3 Functional Safety Management.............................................................. 3-4The Safety Management System ..................................................................................................................... 3-4The Safety Life-cycle.......................................................................................................................................... 3-4Scope Definition........................................................................................................................................... 3-4Hazard and Risk Analysis............................................................................................................................ 3-4System Functional and Safety Requirements ......................................................................................... 3-4System Engineering ...................................................................................................................................... 3-4Application Programming........................................................................................................................... 3-4System Production....................................................................................................................................... 3-4System Integration ....................................................................................................................................... 3-4System Installation ....................................................................................................................................... 3-4System Commissioning............................................................................................................................... 3-4Safety System Validation............................................................................................................................. 3-4Operation and Maintenance Plan ............................................................................................................. 3-4Maintaining Functional Safety After System Modification................................................................... 3-4Decommissioning......................................................................................................................................... 3-4Functional Safety Assessment ......................................................................................................................... 3-4Safety Integrity Design ...................................................................................................................................... 3-4Chapter 4 AADvance System Architectures .......................................................... 4-4SIL2 Architectures ............................................................................................................................................. 4-4SIL2 Fail-safe Architecture ......................................................................................................................... 4-4SIL2 Fault Tolerant Input Architectures................................................................................................. 4-4SIL2 Fault Tolerant Output Architecture............................................................................................... 4-4SIL2 Fault Tolerant Input and High Demand Architecture................................................................ 4-4SIL3 Architectures ............................................................................................................................................. 4-4SIL3 Fail-safe I/O, Fault Tolerant Processor.......................................................................................... 4-4Document number 553630 Issue 7: February 2010vii

AADvance Safety ManualSIL3 Fault Tolerant I/O Architectures .................................................................................................... 4-4SIL3 TMR Input and Processor, Fault Tolerant Output ..................................................................... 4-4Planned Certified Configurations................................................................................................................... 4-4Internal Diagnostics........................................................................................................................................... 4-4Chapter 5 AADvance Functional Safety System Implementation ....................... 5-4General Design Measures for Functional Safety......................................................................................... 5-4I/O Modules................................................................................................................................................... 5-4Energise to Action Configurations........................................................................................................... 5-4Controller Process Safety Time (PST).................................................................................................... 5-4Connection for a Common Fault Alarm ................................................................................................ 5-4Industrial Functional Safety Standards........................................................................................................... 5-4NFPA 85 Requirements.............................................................................................................................. 5-4EN 50156 ....................................................................................................................................................... 5-4NFPA 86 Requirements.............................................................................................................................. 5-4BS EN 54 Requirements............................................................................................................................. 5-4Field Configurations .......................................................................................................................................... 5-4Line Moitoring............................................................................................................................................... 5-4Digital Field Loop Circuits ......................................................................................................................... 5-4Analogue Field Loop Circuits.................................................................................................................... 5-4Sensor Configurations................................................................................................................................. 5-4Actuator Configurations............................................................................................................................. 5-4Calculations of Probability of Failure upon Demand,................................................................................ 5-4Processor Functional Safety Configuration.................................................................................................. 5-4Processor Safety Functions........................................................................................................................ 5-4Processor Module Access Port ................................................................................................................ 5-4I/O Module Safety Functions........................................................................................................................... 5-4Module Safety Related Parameters .......................................................................................................... 5-4I/O Module Process Safety Time.............................................................................................................. 5-4Input Module Safety Functions.................................................................................................................. 5-4Input Module Safety Accuracy .................................................................................................................. 5-4Output Module Safety Functions.............................................................................................................. 5-4Input and Output Forcing ................................................................................................................................ 5-4Maintenance Overrides .................................................................................................................................... 5-4Variable Bindings ................................................................................................................................................ 5-4Application Program Development ............................................................................................................... 5-4AADvance Workbench Configuration ................................................................................................... 5-4Language Selection....................................................................................................................................... 5-4Testing of New or Previously Untested Functions.............................................................................. 5-4Communications Interaction..................................................................................................................... 5-4Program Testing ........................................................................................................................................... 5-4On-line Modification.......................................................................................................................................... 5-4Physical Installation ............................................................................................................................................ 5-4Environmental Requirements.......................................................................................................................... 5-4viii Document number 553630 Issue 7: February 2010

IntroductionChapter 1This chapter provides an introduction to the AADvance Safety Manual and to theAADvance system.In This ChapterVerification of the Safety Manual..................................................................... 1-4Competency......................................................................................................... 1-4Terminology ......................................................................................................... 1-4Associated Documents...................................................................................... 1-4Verification of the Safety ManualThe AADvance system and the user safety Manual are independently certified by theGerman certification authority Technischer Überwachungs-Verein (TÜV) to meet therequirements of IEC 61508 SIL3.CompetencyThe achievement of functional safety requires the implementation of the safety lifecyclewhilst ensuring that persons who are responsible for any safety lifecycle activities meetthe required competency levels in functional safety.All persons involved in any safety lifecycle activity, including management activities, shallhave the appropriate training, technical knowledge, experience and qualificationsrelevant to the specific duties they have to perform. The suitability of persons for theirdesignated safety lifecycle activities shall be based on the specific competency factorsrelevant to the system application and shall be defined and recorded for each individual.The following competence factors should be addressed when assessing and justifyingthe competency level of persons to carry out their duties: Engineering experience appropriate to the application area Engineering experience appropriate to the technology Functional safety engineering experience appropriate to the technology Knowledge of the legal and safety regulatory framework The consequences of failure of the safety-related system The safety requirements class of the safety-related systems The novelty of the design, design procedures or application Previous experience and its relevance to the specific duties to be performed andthe technology being employedIn all of the above, the higher risk will require increased rigour with the specificationand assessment of the competence.Document number 553630 Issue 7: February 2010 1-1

AADvance Safety ManualTerminologyVocabulary and ConventionsProcess Safety TimeThe terms certification and certified are used widely within this Manual, these termsrefer principally to the functional safety certification of the AADvance system to IEC61508 SIL3 and other relevant standards.This Manual contains rules and recommendations: Rules are mandatory and must be followed if the resulting system is to be a SIL3compliant application. These are identified by the term 'shall'. Recommendations are not mandatory, but if they are not followed, extra safetyprecautions must be taken in order to certify the system. Recommendations areidentified by the term 'it is highly recommended'.The process safety time for the equipment under control (denoted PST EUC ) is theperiod a dangerous condition can exist before a hazardous event occurs without asafety system as a protection. It can be a fraction of a second or several hours,depending on the process. A PST can be defined for a controller via the processormodule and independently for individual I/O modules, however, the processor definedPST will always have priority over the I/O PST if the I/O PST exceeds the processorvalue.Fault Tolerance in Safety ApplicationsFor safety applications, you must define how the control system will respond in thepresence of faults. As faults accumulate, this becomes the system's defined state ofdegraded operation or fault tolerance level. Simplex systems are not fault tolerant and do not have the ability to continue theiroperation in the presence of fault conditions, however they are designed to failsafe. Fault tolerant systems have redundant modules and processors that allow thesystem to continue operation or to ensure that the system fails safe in thepresence of faults. Redundant operation is when modules within the different stages (input, logicsolving and output) are configured as dual or triple modules.Internal diagnostics enhance the fault tolerance capability. For example, when a hiddenor covert fault occurs it could prevent the system from responding when required todo so — this is unacceptable for safety applications. To detect the presence of hiddenor covert faults you must perform diagnostic tests on the system. Detection of a faultis then used to force the system to its fail-safe condition.1-2 Document number 553630 Issue 7: February 2010

Chapter 1 IntroductionAssociated DocumentsThe following documents are associated with the safety requirements applicable to theAADvance system. Further supporting information is available on the TÜV web site.Table 1:Reference DocumentsDocumentIEC 61508IEC 61511IEC 61131TitleFunctional safety of electrical/electronic programmable safety-relatedsystemsFunctional-safety: Safety instrumented systems for the process industrysectorProgrammable ControllersNote: An good understanding of health and safety practices, functional safety principlesis highly recommended; and the principles of these standards should be understoodbefore generating procedures and practices to meet the requirements of this SafetyManual.Document number 553630 Issue 7: February 2010 1-3

AADvance Safety ManualThis page intentionally left blank1-4 Document number 553630 Issue 7: February 2010

The AADvance SystemChapter 2.An AADvance system consists of a controller, an external operator’s station andexternal connections; a system can be built to suit your specific requirements. Thischapter describes the main components that can be used to build an AADvancesystem.In This ChapterThe AADvance Controller............................................................................... 2-4Main Components .............................................................................................. 2-4Software Development Environment............................................................. 2-4The AADvance ControllerThe AADvance system is a new 9000 series controller specifically designed forfunctional safety and critical control applications, it provides a flexible and smaller scalesolution to the proven Trusted 8000 and 6200 products. The system can be used alsofor applications that are non-safety but still critical to a business process. This systemoffers you the ability to create a cost-effective controller to suit any one of a widevariety of applications: Critical process control Fire and gas protection systems Rotating machinery control systems Burner management Boiler and furnace control Distributed monitoring and controlThe AADvance controller is a logic solver, using processor modules, I/O modules andtermination assemblies that can easily be assembled and configured. A system is formedby one or more controllers, I/O modules, their power sources, communicationsnetworks and workstations.An AADvance controller is particularly well suited to emergency shut down and fireand gas protection applications by providing a system solution with integrated anddistributed fault tolerance. It is designed and validated to international standards andwill be certified by TÜV for functional safety control installations.The significant benefits of the AADvance controller are its performance and flexibility.Being designed to IEC 61508 it meets both SIL2 and SIL3 application requirementsfrom the basic range of modules and mixed SIL rated applications can be covered bythis range of modules.Document number 553630 Issue 7: February 2010 2-1

AADvance Safety ManualAll of the configurations are readily achieved by combining more or fewer modules andassemblies, without needing special cables or interface units. System architectures areuser configurable and can be changed without major system modifications and, in mostcases, without even taking the system off-line. Processor and I/O redundancy isconfigurable so you can choose between fail safe and fault tolerant solutions. Thisscaleability is transparent to the user; there is no change to the complexity ofoperations or programming if you choose to add redundant capacity to a fail-safesolution.A controller is built from a range of compact modules that are straightforward toassemble into a system. They can be fitted onto DIN rails in a cabinet (see photograph)or wall mounted in a control room and do not require forced air cooling or specialenvironmental controls.A secure network communications protocol, developed by ICS Triplex for theAADvance system, permits distributed control using new or existing networkinfrastructure while ensuring the security and integrity of the data. Individual sensorsand actuators can connect to a local controller, minimising the lengths of dedicatedfield cabling. There is no need for a large central equipment room; rather, the completedistributed system can be administered from one or more PC workstations placed atconvenient locations.Single input modules are designed to meet SIL3. The AADvance system hascomprehensive built-in diagnostics, while on-line maintenance to remove a module andfit a new one or to expand the system does not need special tools. Maintenanceactivities are straight forward operations which maximize system up time.2-2 Document number 553630 Issue 7: February 2010

Chapter 2 The AADvance SystemThe AADvance controller is built for IEC 61131 compliance, with integral support forall five programming languages. Program access is secured, as is software versioncontrol. Simulation software lets you prove a new application before reprogrammingand downloading, again maximising system uptime. The AADvance controller alsosupports on-line reconfiguration, such as adjustment of input thresholds, withoutnecessitating a process shut downMain ComponentsEach controller is built from a standard range of modules and assemblies, it consists ofa processor module and base units for the processor and for I/O modules which areassembled as follows: A 9110 Processor module is installed into a 9100 processor base unit that can holdup to 3 processor modules. 9300 I/O base units are connected to the processor base unit. Each I/O base unitholds up to three I/O modules and a controller can have up to 8 base units on eachof two I/O busses, giving a total capacity of 48 I/O modules. I/O modules are connected to field devices through matched TerminationAssemblies.The 9110 processor module and 9100 base units are designed for use as a singleprocessor configuration and as dual or triple redundant configurations.A 9300 I/O base units plugs into the 9100 processor base unit and carries theprocessor commands and I/O data across two inter-module communication busses.They also carry the redundant system power from the processor base unit to the I/Omodules.I/O base units also directly plug into each other and are secured and held in place by aclamping arm and retaining clips; hence, a controller becomes a complete mechanicallyand electrically interconnected assembly. Groups of I/O base units can be connected byan expansion cable.The I/O modules are also designed for use in single or redundant configurations. Thepresent range offers the following I/O modules and termination assemblies:I/O MODULES9401 Digital input module, 24V dc, 8 channel9402 Digital input module, 24V dc, 16 channel9431 Analogue input module, 8 channel9432 Analogue input module, 16 channel9451 Digital output module, 24V dc, 8 channel9482 Analogue output module, 24Vdc, 8 channel (to be released soon)TERMINATION ASSEMBLIES9801/2/3 Digital input TA, 16 channel, simplex, dual and TMR9831/2/3 Analogue input TA, 16 channel, simplex, dual and TMR9851/2 Digital output TA, 8 channel, simplex and dual9881/2 Analogue output TA, simplex and dual (to be released soon)Document number 553630 Issue 7: February 2010 2-3

AADvance Safety ManualTermination assemblies are matched to a specific type of I/O module and haveconnections for up to 16 channels. This provides for 8 channel or 16 channel I/Omodules. The termination assemblies for dual and triple arrangements have channel tochannel isolation. Termination assemblies for simplex input modules and terminationassemblies for simplex and dual output modules are single ended (non-isolated), with acommon return.A 9310 expansion cable assembly connects to the processor base unit to an I/O baseunit. It can also connect two I/O base units together. This is useful for to breaking longruns of interconnected base units and provides some flexibility in the physical layout ofa controller installation.Software Development EnvironmentThe Workbench is a complete software development environment for the controller.It lets you to create local and distributed control applications, and supports sixlanguages for automation: the five languages of IEC 61131-3, together with theFunctional Block Diagram of IEC 61499. Engineers can choose one language or acombination of languages that best suits their knowledge and programming style andthe nature of the application.Control applications can be distributed across several hardware platforms,communicating with each other through networks.The development environment includes tools for documentation, library management,archiving, on-line monitoring, off-line simulation and controlled on-line changes.Programs can be simulated and tested on the computer before downloading to thecontroller hardware. Also provided is a set of configuration tools that allows you todefine the hardware architecture; set up the processor functionality; and connectapplication variables to monitor processor and I/O module status information andreport I/O channel data values to the Workbench.2-4 Document number 553630 Issue 7: February 2010

Functional Safety ManagementChapter 3This chapter explains the principles that should be applied to managing the safetyrelated system.In This ChapterThe Safety Management System ...................................................................... 3-4The Safety Life-cycle........................................................................................... 3-4Functional Safety Assessment .......................................................................... 3-4Safety Integrity Design ....................................................................................... 3-4The Safety Management SystemA prerequisite for the achievement of functional safety is the creation and use ofprocedures and other measures as part of a safety lifecycle, collectively known as aSafety Management System. The Safety Management System defines the genericmanagement and technical activities necessary to achieve and maintain functional safetyin the product design and development. In many cases, the Safety Management andQuality systems will be integrated within a single set of procedures. The integratorshould have an accredited quality management system.The Safety Management System shall include: A statement of the policy and strategy for achieving and maintaining functionalsafety. A safety planning procedure, which shall result in the definition of the safetylifecycle stages to be applied, the measures and techniques to be applied at eachstage, and the responsibilities for completing these activities. Definitions of the records to be produced and the methods of managing theserecords, including change control. The change control procedures shall includerecords of modification requests, the impact analysis of proposed modifications andthe approval of modifications. The baseline for change control shall be definedclearly. Configuration items shall be uniquely identified and include version information.Examples of configuration items are system and safety requirements, system designdocumentation and drawings, application software source code, test plans, testprocedures and test results. Methods of ensuring that persons are competent to undertake their activities andfulfill their responsibilities.The Safety Life-cycleThe safety life-cycle is defined by the IEC 61508 standard. It is designed to structure asystem's development into defined stages and activities as follows: Scope definitionDocument number 553630 Issue 7: February 2010 3-1

AADvance Safety ManualScope Definition Hazard and risk analysis Functional and safety requirements specification System engineering Application programming System production System integration System installation and commissioning Safety system validation Operation and maintenance plan System modification DecommissioningThe definition of each life-cycle stage shall include its inputs, outputs and verificationactivities. It is not necessary to have separate stages within the lifecycle addressing eachof these elements independently; but it is important that all of these stages are coveredwithin the lifecycle. Specific items that need to be considered for each of these lifecycleelements are described in the following sub-paragraphs.The scope definition is the first step in the system life-cycle. You have to identify theboundaries of the safety-related system and provide a clear definition of its interfaceswith the process and with all third party equipment. This stage should also establish thederived requirements resulting from the intended installation environment, such asenvironmental conditions and power sources.In most cases, the client will provide this information. The system integrator mustreview this information and gain a thorough understanding of the intended application,the bounds of the system to be provided, and its intended operating conditions.Hazard and Risk AnalysisThe hazard and risk analysis has three objectives: The first objective is to determine the hazards and hazardous events of thecontrolled system for all reasonably foreseeable circumstances, including faultconditions and misuse. The second objective is to determine the event sequences that may lead to ahazardous event. The third objective is to determine the risks associated with the hazardous event.This risk analysis will provide a basic information for identifying the safety-relatedrequirements to mitigate risks.3-2 Document number 553630 Issue 7: February 2010

Chapter 3 Functional Safety ManagementSystem Functional and Safety RequirementsSystem EngineeringA set of system functions and their timing requirements will be specified. Wherepossible, the functions should be allocated to defined modes of operation of theprocess. For each function, it will be necessary to identify the process interfaces.Similarly, where the function involves data interchange with third party equipment, thedata and interface should be clearly identified. Where non-standard field devices,communications interfaces or communications protocols are required, it is especiallyimportant that detailed requirements for these interfaces are established anddocumented at this stage.The client should provide the functional requirements, where this information is notsupplied the System Integrator should define the requirements and agree them with theclient. It is, however, necessary to collate these requirements into a document,including any clarification of the requirements. It is recommended that logic diagramsbe used to represent the required functionality and highly recommended that allrequirements are reviewed, clarified where required and approved by the client.The system safety requirements stage analyses the functional requirements todetermine their safety relevance. Where necessary, additional safety requirements shallbe identified and documented to ensure that the plant will fail-safe in the case offailures of the plant, safety-related system, external equipment or communications, or ifthe safety-related system's environment exceeds the required operating conditions.The appropriate safety integrity level (SIL2 or SIL3) and safety-related timingrequirements shall be defined for each safety-related function. For each function therequired safety failure mode shall be determined. The client should supply thisinformation or it should be defined and agreed with the client as part of this phase.The System Integrator shall ensure that the client approves the resulting safetyrequirements.The system engineering stage realizes the design of the safety-related system. It isrecommended that the engineering be divided into two distinct stages, the first definingthe overall system architecture, and the second detailing the engineering of theindividual architectural blocks.The architectural definition shall define the safety requirements class for eacharchitectural element and identify the safety functions allocated to each element.Additional safety functions resulting from the chosen system architecture shall bedefined at this stage.The detailed engineering design shall refine the architectural elements and culminate indetailed information for system build. The design shall be in a form that is readilyunderstood and allows for inspection and review of each stage of the process and finaldesign.If the possibility of errors cannot be eliminated, the system integrator should makesure that procedural methods are devized and applied to detect them.Document number 553630 Issue 7: February 2010 3-3

AADvance Safety ManualThe system design should include facilities to allow field maintenance tasks can beperformed.Each installation shall be designed to ensure that the control equipment is operated inenvironments that are within its design tolerances. Therefore, the operatingenvironment should provide the proper control of temperature, humidity, vibrationand shock, as well as adequate shielding and earthing to minimize that exposure tosources of electromagnetic interference and electrostatic discharge.Application ProgrammingApplication programs are developed and monitored using the Workbench software.An overall Application Program software architecture shall be defined at the applicationprogramming stage. This architecture will identify the software blocks and theirfunctions.The application programming shall address methods for addressing system specifictesting, diagnostics and fault reporting.It is highly recommended that simulation testing be performed on each software block.The simulation testing should be used to show that each block performs its intendedfunctions and does not perform unintended functions.It is also highly recommended that software integration testing is performed within thesimulation environment before commencing hardware-software integration. Thesoftware integration testing should show that all software blocks interact correctly toperform their intended functions and do not perform unintended functions.The development of the application software shall follow a structured developmentcycle; the minimum requirements of which are: Architectural definition. The application program shall be divided into selfcontained'blocks' to simplify the implementation and testing. Safety and non-safetyfunctions should be separated as far as possible at this stage. Detailed design and coding. The detailed design and coding stage will add detailto the design and implement each of the blocks identified within the architecturaldefinition. Testing. The testing stage will verify the operation of the application; it isrecommended that the application blocks first be tested individually and thenintegrated and tested as a whole. All of this testing should be initially done withinthe simulation environment. Fault handling strategy. This stage defines the fault handling strategy.The resultant application software shall be integrated with the system hardware andfull integration testing performed on the system.3-4 Document number 553630 Issue 7: February 2010

Chapter 3 Functional Safety ManagementSystem ProductionSystem IntegrationSystem InstallationThe system production stage implements the detailed system design. The productiontechniques, tools and equipment, including those used for production testing of thesystem, shall be appropriate for the specified safety requirements class.The system integration stage shall integrate the application programs with theAADvance controller. Where multiple systems are used to meet an overallrequirement, it is recommended that each sub-system undergoes application programand target system integration and testing before commencing overall systemintegration. To meet the requirements of the intended safety requirements class, thesystem integration shall result in full compliance of the software and hardware with thefunctional safety requirements.The system installation stage shall define the steps to be performed that will ensurethat the system is installed correctly and brought into working order on the plant.The installation environment is a potential source of common cause failure, therefore itis vital that compatibility of the equipment is known. The environment for thesepurposes includes the prevailing climatic, hazardous area, power, earthing and EMCconditions. In many cases, there will not be a single installation environment. Elementsof the system may be installed in differing locations; in these cases, it is important toknow the environment for each location. Where the system comprises a number ofphysically separate units, it is important to define a sequence of physical installation.A controller system must be installed in a power network that is designed tomeet over voltage Category II (see BS EN 60664-1)System CommissioningThe commissioning stage is to prove the system installation and verify its correct 'endto-end'functionality, including the connection between the AADvance controller andthe requisite sensors and final elements. It is likely that groups of functions arecommissioned in stages rather than the system as a whole, for exampleaccommodation area functions before production functions. It is important to definethe commissioning sequence and the measures to be taken to ensure safe operationduring such periods of partial commissioning. These measures shall be system specificand shall be defined clearly before starting any commissioning. It is also important todefine that any temporary measures implemented for test purposes, or to allow partialcommissioning, are removed before the system, as a whole, goes live.Document number 553630 Issue 7: February 2010 3-5

AADvance Safety ManualRecords shall be maintained throughout the commissioning process. These recordsshall include evidence of the tests completed, any problem reports and the resolutionof problems.Safety System ValidationSafety system validation shall test the integrated system to ensure compliance with thesafety requirements specification at the intended safety requirements class. Thevalidation activities should include those necessary to prove that the systemimplements the safety actions during normal start-up and shutdown and underabnormal fault modes.The validation shall confirm that each functional safety requirement has beenimplemented at the specified safety integrity level, and that the realization of thefunction achieves its performance criteria, specifically that the process safety timerequirements have been met.The validation shall also consider the potential external common cause failures (powersources and environmental conditions) and ensure that the system will provide fail-safeoperation when these conditions exceeded its design capabilities.Operation and Maintenance PlanThe provision of an Operation and Maintenance Plan ensures that functional safety canbe maintained beyond the commissioning of the system. The in-service operation andmaintenance is normally outside the responsibility of the system integrator, but thesystem integrator can provide guidance and procedures to ensure that the persons ororganizations responsible for operation and maintenance can ensure the systemoperates to the specified safety levels.The Operating and Maintenance Plan shall include the following items: Clear definitions of power up and down sequences. These definitions shall ensurethat the sequences cannot result in periods when the system is unable to respondsafely whilst a hazard may be present. The procedures for re-calibrating sensors and actuators. The recommendedcalibration periods shall also be included. The procedures for periodically testing the system, together with definitions of themaximum intervals between testing. Definitions of the overrides to be applied to be able to carry maintenance of thesensors and actuators. The procedures for maintaining system security.3-6 Document number 553630 Issue 7: February 2010

Chapter 3 Functional Safety ManagementInput Module CalibrationPlanned MaintenanceField Device MaintenanceModule Fault HandlingThe Operation and Maintenance Plan shall include recommendations to check thecalibration of controller input modules.The calibration of each analogue input module should be checked every two years; thecalibration of each digital input module should be checked every five years.In most system configurations there will be some elements that are not tested by thesystem's internal diagnostics — for example, the final passive elements in I/O modules,the sensors and actuators themselves, and the field wiring.A regime of planned maintenance testing shall be defined to ensure that any faults,which could ultimately lead to the system's inability to perform its safety functions, donot accumulate. The maximum interval between these tests shall be defined beforeinstallation. It is highly recommended the test interval be less than 12 months.The Operation and Maintenance Plan shall include field maintenance activities, such asre-calibration, testing and replacement of devices, which were specified by the systemdesign requirements.In general, adequate provision for these measures will be defined by the client. As longas the necessary maintenance overrides and other facilities are implemented, nofurther safety requirements will be needed.It is highly recommended the I/O forcing capability is NOT used to support field devicemaintenance. Should I/O forcing be used to support field device maintenance, therequirements defined for 'Input and Output Forcing' in this manual shall be applied.When the AADvance controller uses modules in a dual or triple redundantconfiguration, the controller can continue to operate if one of its modules shoulddevelop a fault. However, when a module does have a fault it should be replacedpromptly to ensure that faults do not accumulate and that multiple failure conditionsresult in a plant shutdown.All modules permit live removal and replacement within a fault-tolerant configuration(dual or triple redundant configurations only). On-site repair is not supported exceptfor the replacement of fuses within some termination assemblies. All failed modulesshould be returned for repair or fault diagnosis in accordance with the warranty andreturn policy documentation delivered with your system.Document number 553630 Issue 7: February 2010 3-7

AADvance Safety ManualMonitoringTo ensure that the safety objectives are met through the lifetime of the system it isimportant to maintain records of all faults, failures and anomalies as they occur. Thisrequires the maintenance of records by both the end-user and the System Integrator. Itis highly recommended the following information is included: Description of the fault, failure or anomaly Details of the equipment involved, including module types and serial numberswhere appropriate When the fault was experienced and any circumstances leading to its occurrence Any temporary measures implemented to correct or work around the problem Description of the resolution of the problem and reference to remedial actionplans and impact analysisYou should define the procedure for field returns, and repair and defect handling. Theinformation requirements placed on the end user because of this procedure should beclearly documented and provided to the end user. The defect handling procedure shallinclude: Method of detecting product related defects and the reporting of these to theoriginal designers Methods for detecting systematic failure that may affect other elements of thesystem or other systems, and links to the satisfactory resolution of the issues Procedures for tracking all reported anomalies, their work around and resultantcorrective action where applicableMaintaining Functional Safety After System ModificationDesign changes will inevitably occur during the system life-cycle; to ensure that thesystem safety is maintained, such changes shall be carefully managed. Proceduresdefining the measures for updating the plant or system shall be defined anddocumented. These procedures are the responsibility of the end user, but the systemintegrator shall provide sufficient guidance to so that the procedures maintain therequired level of functional safety during and after the changes.Product Level Module and Firmware UpdatesSpecial consideration shall be given to procedures for product level module andfirmware updates.Updates to the system shall include the modification requirements for applicationchanges and firmware changes.The procedures shall include the need to undertake impact analysis of any suchchanges, and the measures to change the system and its application programs as aresult of the the modification requirements.Specifically, the additional requirements defined here shall be applied, as well as therequirements defined for the following items:3-8 Document number 553630 Issue 7: February 2010

Chapter 3 Functional Safety Management Scope definition Hazard and risk analysis System Functional and Safety Requirements System engineering Application programming System production System integration Installation and commissioningThe definition of these procedures shall include the review and authorization processto be adopted for system changes.BaselinesModification RecordsBaselines shall be declared, beyond which any change shall follow the formal changemanagement procedure. The point within the lifecycle at which these baselines aredeclared depends on the detail of the processes involved, the complexity of the system,how amenable to change these processes are, and the required safety requirementsclass. It is recommended the baseline for formal change process be the completion ofeach step in the lifecycle. However, as a minimum the baseline shall be declared beforestart-up, when the potential hazards are introduced.Modification records, to provide traceability of each requested or required change,shall be maintained. The change management procedure shall include the considerationof the impact of each such change before authorizing the change. The implementationof the change should repeat the safety lifecycle phases which are affected by thechange. The test of the resultant changes should include non-regression testing as wellas test of the change itself. All test results should be documented.Document number 553630 Issue 7: February 2010 3-9

AADvance Safety ManualDecommissioningThe procedure for decommissioning the system shall be defined. This procedureshould include specific requirements for the safe decommissioning of the system and,where applicable, the safe disposal or return of materials.As with commissioning, it is likely the decommissioning will be performed in a phasedmanner. The decommissioning procedure shall ensure that a plan be developed thatmaintains the functional safety whilst the corresponding hazards are present. Similarly,the physical environment of the control equipment shall be maintained whilst theequipment is required to function.The procedure for decommissioning shall address the following items: The sequence in which the hazards are to be removed. Methods which permit the removal of interactions between safety functions whilstmaintaining functional safety for the remaining potential hazards and withoutinitiating safety responses. This shall include the interaction between systems. A definition of the modules and materials which are to be returned to ICS Triplexfor safe disposal following decommissioning.Functional Safety AssessmentThe functional safety assessment shall confirm the effectiveness of the functional safetyperformance of the system. The assessment, in this context, is limited to the safetyrelatedsystem and should confirm that the system is designed, constructed andinstalled in accordance with the specified safety requirements.The assessment shall consider each required safety function and its associated safetyproperties. The effects of faults and errors within the system and application programs,failures external to the system and procedural deficiencies in these safety functions areto be considered.The assessment is to be carried out by an audit team that shall include independentassessors from outside of the project. At least one functional safety assessment shall beperformed before the start-up of the system and the introduction of any potentialhazards.Safety Integrity DesignSafety IntegrityThe architecture of the AADvance system has been designed to allow a scalable systemto be configured using standard components. The configurations available range fromsimplex fail-safe to TMR fault tolerance.3-10 Document number 553630 Issue 7: February 2010

Chapter 3 Functional Safety ManagementThe processor module has been designed to meet the requirements for SIL2 with one,two or three processor modules and SIL3 when two or three modules are fitted. Inputand output modules have been designed to meet SIL3 requirements with a singlemodule in a fail-safe mode.The processor module and the individual I/O modules have built in redundancy andhave been designed to withstand multiple faults and support a fixed on-line repair byreplacement configuration in dual and triple modular redundant configurations. Theinput and output modules support a number of architecture options; the effects of thechosen architecture should be evaluated against the system and application specificrequirements.Document number 553630 Issue 7: February 2010 3-11


AADvance System ArchitecturesChapter 4An AADvance controller can be configured to manage non-safety, SIL 2 or SIL 3 safetyrelated system requirements and low demand or high demand fault tolerantapplications.This chapter describes the different system architectures that can be configured for anAADvance controller to meet this variety of requirements.Note: Architectures are independent of I/O module capacity therefore 8 or 16channel I/O modules can be used.In This ChapterSIL2 Architectures .............................................................................................. 4-4SIL3 Architectures .............................................................................................. 4-4Planned Certified Configurations.................................................................... 4-4Internal Diagnostics............................................................................................ 4-4SIL2 ArchitecturesDefinitions:SIL2 Fail-safe ArchitectureSIL2 architectures are recommended for fail-safe low demand applications. All SIL2architectures can be used for de-energize to trip applications; however, for energize toaction applications a SIL2 architecture configured with dual output modules is required.In any configuration when a faulty module is replaced within the MTTR then theprevious fault tolerance level is restored. For example in a fault tolerant inputarrangement and one module is faulty then the system will degrade to 1oo1D, byreplacing the faulty module the configuration is restored to 1oo2D.Low Demand Mode - is where the frequency of demands on the safety-related systemis no greater than twice the proof test frequency. Where the proof test frequencyrefers to how often the the safety system is completely tested and insured to be fullyoperational. For the AADvance System the default Proof Test Interval is 12 months.High Demand Mode - sometimes called continuous mode, is where the frequency ofdemands for operation made on a safety-related system is greater than twice the prooftest frequency.The following is a fail-safe SIL2 architecture where I/O modules operate in 1oo1Dunder no fault conditions and will fail-safe on the first detected fault. The processormodule operates in 1oo1D and will degrade to fail safe on the first detected fault.Document number 553630 Issue 7: February 2010 4-1

AADvance Safety ManualNote: If this configuration is configured and no time limit is applied to a faultyprocessor module should only be used for "low demand" applications.The following AADvance modules and assemblies can be used for this type ofconfiguration:Table 2:Modules for SIL2 Fail-Safe ArchitecturePositionModule TypeI/P A 9401/2 Digital Input Module, 24V dc, 8/16 Channel +9801 Digital Input TA, 16 Channel, Simplex.or9431/2 Analogue Input Module, 8/16 Channel +9831 Analogue Input TA, 16 Channel, SimplexCPU AO/P A1 x 9110 Processor Module, 9100 Processor Base Unit,9300 I/O Base Unit9451 Digital Output Module, 24V dc, 8 Channel,isolated +9851 Digital Output TA, 24V dc 8 Channel, Simplex4-2 Document number 553630 Issue 7: February 2010

Chapter 4 AADvance System ArchitecturesSIL2 Fault Tolerant Input ArchitecturesA SIL2 fault tolerant input architecture can have dual or triple input modules with asingle processor and a single output module.The illustration shows a dual input arrangement where the dual input modules operatein 1oo2D under no fault conditions, they degrade to 1oo1D on detection of the firstfault in either module of the redundant pair, and when a fault occurs on the secondmodule it will fail-safe.The processor module operates in 1oo1D under no fault conditions and degrades tofail safe on the first detected fault. The output module operates in 1oo1D under nofault conditions and will fail-safe on the first detected fault.When a triple input module arrangement is configured the group of input modulesoperate in 2oo3D under no fault conditions, degrade to 1oo2D on the detection offirst fault in any module, then degrade to 1oo1D on the detection of faults in any twomodules, and will fail-safe when there are faults on all three modules.Table 3:Modules for SIL2 ArchitecturePositionModule TypeI/P A and B 2 × 9401/2 Digital Input Module, 24V dc, 8/16 Channel +9802 Digital Input TA, 16 Channel, Dual or 2 × 9431/2Analogue Input Module, 8/16 Channel, Isolated, + 9832Analogue Input TA, 16 Channel, DualCPU A1 x 9110 Processor Module, 9100 Base Unit and 9300 I/OBase UnitO/P A 9451 Digital Output Module, 24V dc, 8 Channel +9851 Digital Output TA, 24V dc, 8 Channel, SimplexDocument number 553630 Issue 7: February 2010 4-3

AADvance Safety ManualSIL2 Fault Tolerant Output ArchitectureA SIL2 fault tolerant output architecture has dual output modules with simplexprocessor and input modules. In de-energize to trip operation, the output modules operate in 2oo2D no faultconditions and degrade to 1oo1D on the detection of the first fault in eithermodule. They fail-safe when there are faults on both modules. In energize to action operation, the output modules operate in 1oo2D under nofault conditions, degrade to 1oo1D on the detection of the first fault in eithermodule, and they fail-safe when there are faults on both modules.The illustration shows a dual output arrangement where the processor and inputmodules operate in 1oo1D under no fault conditions and will fail-safe on the firstdetected fault.Table 4:Modules for SIL2 Fault Tolerant Output ArchitecturePositionModule TypeI/P A 9401/2 Digital Input Module, 24V dc, 8/16 Channel. +9801 Digital Input TA, 16 Channel, Simplex or9431/2 Analogue Input Module, 8/16 Channel +9831 Analogue Input TA, 16 Channel, SimplexCPU AO/P A andO/P B1 x 9110 Processor Module, 9100 Processor Base Unitand 9300 I/O Base Unit2 × 9451 Digital Output Module, 24V dc, 8 Channel +9852 Digital Output TA, 24V dc, 8 Channel, Dual4-4 Document number 553630 Issue 7: February 2010

Chapter 4 AADvance System ArchitecturesSIL2 Fault Tolerant Input and High Demand ArchitectureA SIL2 fault tolerant I/O architecture or High Demand architecture has dual input, dualprocessor and dual output modules. In a dual arrangement the input modules operatein 1oo2D under no fault conditions, degrade to 1oo1D on the detection of the firstfault in either module, and will fail-safe when there are faults on both modules.A triple input module arrangement can also be configured if it is required to increasethe fault tolerance of the input. When a triple input module arrangement is configuredthe input modules operate in a 2oo3D under no fault conditions, degrade to 1oo2D ondetection of the first fault in any module, then degrade to 1oo1D on the detection offaults in any two modules, and will fail-safe when there are faults on all three modules.The processor will operate in 1oo2D under non-faulted conditions and will degrade to1oo1D on the first detected fault. For high demand applications the processor must berepaired within the MTTRFor High Demand applications you must use a minimum of a dualprocessor configuration.For de-energize to trip operation, the output modules operate in 2oo2D under nofault conditions, degrade to 1oo1D on the detection of the first fault in either module,and fail-safe when there are faults on both modules. For energize to action operationthe output modules operate in 1oo2D under no fault conditions, degrade to 1oo1D onthe detection of the first fault in either module, and will fail-safe when there are faultson both modules. For both requirements the output module must be repaired orremoved within the MTTR.Document number 553630 Issue 7: February 2010 4-5

AADvance Safety ManualTable 5:Modules for SIL2 Fault Tolerant Input/Output ArchitecturePositionModule TypeI/P A 2 × 9401/2 Digital Input Module, 24V dc, 8/16 Channel +9802 Digital Input TA, 16 Channel, Dual or2 × 9431/2 Analogue Input Module, 8/16 channel +9832 Analogue Input TA, 16 Channel, DualCPU A &CPU BO/P AandO/P B2 x 9110 Processor, 9100 Processor Base Unit, 2 × 9300 I/OBase unit2 × 9451 Digital Output Module, 24V dc, 8 Channel +9852 Digital Output TA, 24V dc, 8 channel, Dual4-6 Document number 553630 Issue 7: February 2010

Chapter 4 AADvance System ArchitecturesSIL3 ArchitecturesSIL3 architectures have at least two processor modules and are suitable for use with: SIL3 de-energize to trip applications SIL3 energize to action applications when fitted with dual output modulesIn all SIL3 architectures, when the processor modules have degraded to 1oo1D on thefirst detected fault, the system must be restored to 1oo2D by replacing the faultyprocessor module within the MTTR.Faulted input modules in a SIL3 arrangement may be replaced without a time limit;faulted output modules must be replaced within the MTTR.SIL3 Fail-safe I/O, Fault Tolerant ProcessorA SIL3, fail-safe I/O with a fault tolerant processor architecture has a simplex input andoutput arrangement with dual or triple processor modules. The dual processormodules operate in 1oo2D under no fault conditions and degrades to 1oo1D ondetection of the first fault in either module. When there are faults on both modulesthe configuration will fail-safe.If required you can configure triple processor modules as a variation of this SIL3architecture. Using this arrangement the processor modules operate in 2oo3D underno fault conditions and 1oo2D on the detection of the first fault in any module. Theydegrade to 1oo1D on the detection of faults in any two modules, and will fail-safe whenthere are faults on all three modules.Document number 553630 Issue 7: February 2010 4-7

AADvance Safety ManualModules for SIL3 Fail-safe I/O, Fault Tolerant ProcessorPositionModule TypeI/P A 9401/2 Digital Input Module, 24V c, 8/16 Channel +9802 Digital Input TA, 16 Channel, Dual or9431/2 Analogue Input Module, 8/16 channel +9832 Analogue Input TA, 16 Channel, DualCPU A &CPU B2 x 9110 Processor Module, 9100 Base Unit, 9300 BaseUnitO/P A 9451 Digital Output Module, 24V dc, 8 Channel +9851 Digital Output TA, 24V dc, 8 Channel, SimplexSIL3 Fault Tolerant I/O ArchitecturesA SIL3 fault tolerant processor and I/O is achieved by dual input and output moduleconfigurations with dual or triple processor modules. The processor modules operatein 1oo2D under no fault conditions, degrade to 1oo1D on the detection of the firstfault in either module and fail-safe when there are faults on both modules.Similarly the input modules operate in 1oo2D under non faulted conditions and 1oo1Don detection of the first fault in either module and will fail-safe when there are faults onboth modules.For de-energize to trip operation, the output modules operate in 2oo2D under nofault conditions, degrade to 1oo1D on detection of the first fault in either module andfail-safe when there are faults on both modules.For energize to action operation, the output modules operate in 1oo2D under no faultconditions, degrade to 1oo1D on the detection of the first fault in either module andfail-safe when there are faults on both modules.4-8 Document number 553630 Issue 7: February 2010

Chapter 4 AADvance System ArchitecturesTable 6:Modules for SIL3 Fault Tolerant ArchitecturesPositionI/P AandI/P BCPU A &CPU BO/P AandO/P BModule Type2 × 9401/2 Digital Input Module, 24V dc, 8/16 Channel, +9802 Digital Input TA, 16 Channel, Dual or2 × 9431/2 Analogue Input Module, 8/16 Channel +9832 Analogue Input TA, 16 Channel, Dual2 × 9110 Processor Module, 9100 Processor Base Unit,9300 I/O Base Unit2 × 9451 Digital Output Module, 24V dc, 8 Channel +9852 Digital Output TA, 24V dc, 8 Channel, DualSIL3 TMR Input and Processor, Fault Tolerant OutputA SIL3 TMR architecture offers the highest level of fault tolerance for an AADvancecontroller and consists of triple input modules, triple processors and dual outputmodules. The input and processor modules operate in a 2oo3D under no fault conditions,degrade to 1oo2D on detection of the first fault in any module, and degrade to1oo1D on the detection of faults in any two modules and will fail-safe when thereare faults on all three modules. For de-energized to trip operation the output modules operate in 2oo2D undernon faulted conditions and degrade to 1oo1D on detection of the first fault ineither module and fail-safe when there are faults on both modules. For energize to action operation the output modules operate a 1oo2D under nofault conditions and degrade to 1oo1D on the detection of the first fault in eithermodule and fail-safe when there are faults on both modules.In the event of a failure in any element of a channel, the channel processor will stillproduce a valid output which could be voted on because of the coupling between thechannels. This is why the triple modular redundant implementation provides aconfiguration that is inherently better than a typical 2oo3 voting system.Document number 553630 Issue 7: February 2010 4-9

AADvance Safety ManualTable 7:Modules for TMR Input and Processor, Fault Tolerant OutputPositionModule TypeI/P A 3 × 9401/2 Digital Input Module, 24V dc, 8/16 Channel +9803 Digital Input TA, 16 Channel, TMR or3 × 9431/2 Analogue Input Module, 8/16 Channel +9833 Analogue Input TA, 16 Channel, TMRCPU A &CPU B3 × 9110 Processor Module, 9100 Processor Base Unit,2 × 9300 I/O Base UnitO/P A 2 × 9451 Digital Output Module, 24V dc, 8 Channel +9852 Digital Output TA, 24V dc 8 Channel, DualNote: All configurations that use dual or triplicate processor modules are suitable forSIL3 architectures with de-energize to trip outputs. All configurations that are dual ortriplicate processor modules and dual outputs are suitable for SIL3 architectures withde-energize and energize to action outputs.4-10 Document number 553630 Issue 7: February 2010

Chapter 4 AADvance System ArchitecturesPlanned Certified ConfigurationsTable 8:Central ModulesModulesProcessorModule9110TÜV CertifiedConfiguration1oo1D, 1oo2D,2oo3DConditionsSafety-related and can be used for safety-criticalapplications in SIL2 with 1 module fitted and SIL3applications with 2 or 3 modules fitted.Note: For High Demand applications you must usea minimum of two processors in a dualarrangement.Table 9:Input ModulesModulesDigital Inputs9401/2, 24V dc,8/16 Channel,isolated.+9801/2/3 DigitalInput TA, 16channel,Simplex/Dual/TMRAnalogue Inputs9431/2, 8/16Channel, isolated+9831/2/3 AnalogueInput TA, 16Channel,Simplex/Dual/TMRTÜV CertifiedConfiguration1oo1D, 1oo2D,2oo3D1oo1D, 1oo2D,2oo3DConditionsDe-energized to trip (normally energized): SIL3with 1, 2 or 3 modules fitted.Energize to trip (normally de-energized): with 1, 2or 3 modules fittedNote: when the integrity level is at 1oo1D thenthe faulty module must be replac3ed within theMTTR to restore the integrity level back to1oo2D.Within the manufactures specified safety accuracylimits. The safety state of the analogue input has tobe defined to 0mA/0VSIL3 with 1, 2 or 3 modules fitted.Note: when the integrity level is at 1oo1D thenthe faulty module must be replac3ed within theMTTR to restore the integrity level back to1oo2D.Document number 553630 Issue 7: February 2010 4-11

AADvance Safety ManualTable 10:Output ModulesModulesDigital Outputs8451, 24V dc, 8channel.+9851/2 TA,24V dc,8 Channel,Simplex/DualTÜV CertifiedConfiguration1oo1D, 1oo2 or2oo2DConditionsDe-energize to action (normally energized): SIL3with 1 or 2 modules fitted. 2oo2D with dualoutput modules fitted.Energize to trip (normally de-energized): SIL2 with1 module fitted and SIL3 with 2 modules fitted.Note: Faulty modules must be repaired orreplaced within the MTTRTable 11:Auxiliary ModulesModulesProcessor Base9100I/O Base9300 (3-way)ConditionsSafety-related and can be used for safety critical applications inSIL2 with 2 modules fitted or SIL3 applications with 2 or 3modules fitted.Safety-related and can be used for safety critical applications inSIL3.Note: Revisions of modules are subject to change. A list of the released versions isheld by TÜV or can be obtained from ICS Triplex Technology Limited.Internal DiagnosticsThe AADvance controller embodies sophisticated internal diagnostic systems toidentify faults that develop during operation and raise appropriate alarm and statusindications. The diagnostic systems run automatically and check for system faultsassociated with the controller (processor and I/O modules), and field faults associatedwith field I/O circuits.Note: Safety wiring principles shall be employed for field loops if it is necessary for theUser to guard against short circuit faults between I/O channels (e.g. to comply withNFPA-72 requirements).The diagnostic systems report a serious problem immediately, but filter non-essentialitems to avoid spurious alarms. The diagnostic systems monitor such non-essentialitems periodically, and need a number of occurrences of a potential fault beforereporting it as a problem.4-12 Document number 553630 Issue 7: February 2010

Chapter 4 AADvance System ArchitecturesThe internal diagnostics, therefore, detect and reveal both covert and overt failures. Adual module arrangement, for example, with diagnostics can address covert failuresand help redress the balance between failure to respond and spurious responses. Adual system could therefore be 2oo2D reverting to 1oo1D on the first detected faultand reverting to fail-safe when both modules have a fault.Self-test facilities used to diagnose faults within the remainder of the system are definedto provide optimum system and functional safety availability. These self-test facilitiesmay require short periods of off-line operation, or introduce conditions such as alarmor fault test conditions, which effectively result in the channel (point) being off-linewithin that redundant channel. Within fault tolerant configurations, this period of offlineoperation only affects the system's ability to respond under multiple faultconditions.Document number 553630 Issue 7: February 2010 4-13


Chapter 5AADvance Functional Safety System ImplementationThis chapter provides the implementation guidelines for an AADvance safety relatedsystem.In This ChapterGeneral Design Measures for Functional Safety.......................................... 5-4Industrial Functional Safety Standards............................................................ 5-4Field Configurations ........................................................................................... 5-4Calculations of Probability of Failure upon Demand,................................. 5-4Processor Functional Safety Configuration................................................... 5-4I/O Module Safety Functions............................................................................ 5-4Input and Output Forcing ................................................................................. 5-4Maintenance Overrides ..................................................................................... 5-4Variable Bindings ................................................................................................. 5-4Application Program Development................................................................ 5-4On-line Modification .......................................................................................... 5-4Physical Installation............................................................................................. 5-4Environmental Requirements........................................................................... 5-4AADvance System Power Requiremenst...................................................... 5-4System Security ................................................................................................... 5-4General Design Measures for Functional SafetyI/O ModulesThe AADvance system supports single module configurations, where it is acceptable toeither stop the system or allow the signals corresponding to that module to change totheir default fail-safe state. It also supports fault tolerant I/O configurations where it isrequired to ensure continued system operation in the event of a fault. Allconfigurations may be used for safety-related applications; the choice between theconfigurations being dependent on the end-user's fault tolerance requirements.The input modules can be configured as a simplex, dual or triple arrangement. Outputmodules can be configured only as a simplex or dual arrangement. All I/O modulesinclude line-monitoring facilities; it is recommended that these line monitoring facilitiesbe enabled for safety-related I/O. For normally de-energized I/O these facilities shall beenabled.Note: Refer to the section "Digital Field Loop Circuits" for details of linemonitoring circuits.Document number 553630 Issue 7: February 2010 5-1

AADvance Safety ManualBoth input and output modules undergo regular diagnostics testing during operationthat is managed by the processor modules. The self-tests are coordinated betweenmodules that are configured in a fault tolerant arrangement, to ensure that the systemremains on-line even in the case of a demand during the execution of the tests. I/Ochannel discrepancy and deviation monitoring further enhances the verification andfault detection of module or field failures.The processor reports any detected I/O fault to the Workbench application andprovides an alarm signal for a central alarm indicator. A front panel LED indications onthe faulty module will indicate a module or field fault. In all cases, even in the presenceof a fault during this period, the system will continue to be able to respond whenconfigured in a fault tolerant arrangement.When a channel is not capable of reporting a value within a safety accuracyspecification of 1% of the full scale measurement 'safe' values are reported by thevariables. Thus, an I/O point fault condition results in a fail-safe state.The maximum duration for single-channel operation of I/O modules dependson the specific process and must be specified individually for each application: Input modules can operate in a simplex arrangement without time limit for SIL3and lower applications. Output modules can operate in a simplex arrangement without time limit for SIL3de-energize to action applications. Output modules can operate in a simplex arrangement without time limit for SIL2energize to action applications or for up to the MTTR when used in SIL3 energizeto action applications. Processor modules can operate in a simplex arrangement without time limit forSIL2 applications or for up to the MTTR when used in SIL3 applications.The application program must be designed to shut down a SIL3 equipment if afaulty module has not been replaced within the MTTR to meet the appropriaterestrictions stated above.When a module is operating in a dual mode (or is degraded to a dual mode) and a statediscrepancy occurs, then if no module fault is detected, the state reported to theapplication will always be the lower of the two states for a digital and analogue moduleconfigurations.In safety critical applications, the channel discrepancy alarms shall be monitoredby the application program and used to provide an alarm to the plant operationspersonnel.5-2 Document number 553630 Issue 7: February 2010

Chapter 5 AADvance Functional Safety SystemImplementationEnergise to Action ConfigurationsCertain applications may require energize to action for inputs and/or outputs.Energize to action configurations shall only be used if the following restrictionsapply: At least two independent power sources must be used. These power sourcesmust provide emergency power for a safe process shutdown or a time spanrequired by the application. Each power source must be provided with power integrity monitoring with safetycritical input read back into the system controller or implicit power monitoringprovided by the I/O modules. Any power failure shall lead to an alarm. Unless provided implicitly in the I/O modules, all safety critical inputs and outputsmust be fitted with external line and load integrity monitoring and safety criticalread back of the line-status signals. Any line or load failure shall lead to an alarm. For SIL3 enerigize to trip applications a minimum of dual output modules shall beused.In cases where one or more outputs is used in an energize to action configuration, allthe specific requirements above shall be followed for all associated inputs.Controller Process Safety Time (PST)The Process Safety Time setting defines the maximum time that the processor willallow the outputs to remain in the ON state in the event of certain internal diagnosticfaults or systematic application faults. If the process safety time expires the system willgo to its safe state.You have to specify the PST for the whole controller, this is a top level setting that youmake once for the whole controller and is set at the processor module. I/O Individualmodules can be set at a lower PST but must not exceed this overall setting.An AADvance controller adopts a default value for process safety time (PST) =2500ms. The system integrator can use the following method to confirm whether thisis acceptable and adjust as necessary.The value of PST for the controller is governed by this equation:Document number 553630 Issue 7: February 2010 5-3

AADvance Safety Manualwhere PST euc is the process safety time for the equipment under control.As an example, consider a system function using one sensor and one actuator given thefollowing parameters: PST euc : 20,000ms Sensor delay: 500ms Time for actuator (an ESD valve) to fully operate: 1500msIn this example therefore, the setting of PST for the controller should be less than orequal to 8000ms.Choosing Controller PST SettingsThe response time allocated to a logic solver such as the AADvance controller needsto take account of delays within the operation of sensors and actuators. In addition, thesystem's scan time should be considerably less than the process safety time.The value of the PST shall form part of the safety considerations for the system. Thevalue is defined by the process design authority; the system integrator shall calculateand verify that the process safety time meets the stated requirements. In an AADvance system the PST value is assigned to the system and can beassigned to individual modules. The system PST value is enforced by the processormodules and has priority over the module PST values. When the system PST is notmet the processor modules will fail-safe. The input PST is also enforced by the processor modules; when the PST is notmet, the processors will present fail-safe input values to the application logic. Output PST is enforced by the output modules and when the output PST is notmet, the output module will assume the fail-safe state.Note: The fail-safe state for all AADvance modules is de-energized.You must specify the process safety time for the whole controller. If desired, you canspecify additional process safety times for individual groups of I/O modules. The settingfor the whole controller is a top level setting, which you make once for all the 9110processor modules. Groups of I/O modules can inherit this setting or, if desired, useindividual process safety times instead.Notes: The minimum controller's PST must be at least twice the application scan time. If you choose to specify a process safety time for a group of I/O modules, the I/Omodules use this setting instead of the top level setting. If you do not specify a process safety time for a group of I/O modules, the I/Omodules use the top level setting. If you do not specify any process safety time, the controller will use a default valueof 2,500ms throughout.5-4 Document number 553630 Issue 7: February 2010

Chapter 5 AADvance Functional Safety SystemImplementationConnection for a Common Fault AlarmThe controller provides a dedicated connection for use by a hard-wired device orcircuit that provides the common fault alarm for the system. This connection is thetop-level alarm indicator for the controller. The alarm is functionally equivalent to theSystem Healthy indicator on a processor module, and is usually the starting point forinvestigations into system faults.The controller must be connected to a common fault alarm.The controller provides up to three alarm outputs for a common fault alarm driven bythe processor modules. The alarm outputs are available at the remote fault connectorlabeled FLT ('fault') on the 9100 processor base unit, and are provided by volt-free('clean') relay contacts which are arranged according to the following illustration:The contacts are rated 200mA (continuous and switching) at 30V dc.The contacts are normally closed. They open to indicate a fault condition. For a simpleapplication needing one summary 'fault' indication, do the following: For a controller with one processor module, connect the alarm wiring to pins 1and 2 For a controller with two processor modules, connect the alarm wiring to pins 1and 3 For a controller with three processor modules, connect the alarm wiring to pins 1and 4 Apply a minimum tightening torque of 0.22 Nm (0.16 ft lb) to the terminal screwsDocument number 553630 Issue 7: February 2010 5-5

AADvance Safety ManualMore sophisticated wiring arrangements are possible if required. The remote faultconnector does not carry pin numbers; refer to the illustration to identify the fourterminals.5-6 Document number 553630 Issue 7: February 2010

Chapter 5 AADvance Functional Safety SystemImplementationIndustrial Functional Safety StandardsThe AADvance is designed to meet the following industrial safety system requirements:NFPA 85 RequirementsEN 50156NFPA 85 provides minimum requirements for the design, installation, operation andmaintenance of large commercial industrial boilers, heat recovery, heat recovery steamgenerators and related combustion systems. The AADvance system will be certified foruse with NFPA 85 compliant systems.The systems should be integrated in accordance with NFPA 85. In particular thefollowing shall be applied: The operator shall be provided with a dedicated manual switch that shallindependently and directly actuate the safety shutdown trip relay. At least oneidentified manual switch shall be located remotely from the boiler where it can bereached in case of emergency. The burner management system shall be provided with independent logic,independent input/output systems, and independent power supplies and shall be afunctionally and physically separate device from other logic systems, such as thecontrol system for the boiler or heat recovery steam generator. Logic sequences or devices intended to cause a safety shutdown, once initiated,shall cause a burner or master fuel trip, as applicable, and shall require operatoraction prior to resuming operation of the affected plant. No logic sequence ordevice shall be permitted that allows momentary closing and subsequentinadvertent reopening of the main or ignition fuel valves. Documentation shall be provided to the owner and operator, indicating that allsafety devices and logic meet the requirements of the application. System response time shall be sufficiently short to prevent negative effects on theapplication. The NFPA 85 certification is only applicable where the system is applied inaccordance with this safety manual and NFPA 85 requirements.EN 50156 applies to the application design and installation of electrical equipment,control circuits and protective systems for furnaces which are operated with solid,liquid or gaseous fuels and their ancillary equipment. It specifies requirements to meetoperating conditions for furnaces, to reduce the hazards of combustion and to protectthe heated systems from damage. The AADvance controller will be certified for use anEN 50156 compliant systems.In particular the AADvance controller will control protective devices for: monitoring of flames and other safety conditions of the firing interrupting the flow of the fuel to the furnace for safety reasons ventilating the body of the furnace and the flue gas ductsDocument number 553630 Issue 7: February 2010 5-7

AADvance Safety ManualNFPA 86 Requirements monitoring of safety condition of the heated systems (e.g. water level limiter insteam boilers) The EN50156 certification is only applicable where the system is applied inaccordance with this safety manual and EN 50156 requirements.NFPA 86 provides comprehensive requirements for the safe design, installation,operation, inspection, testing and maintenance of Class A,B,C and D ovens, dryers andfurnaces. The AADvance system will be certified for use with NFPA 86 compliantsystems.The systems should be integrated in accordance with NFPA 86. In particular thefollowing shall be applied. The supplier of the application software for the AADvance controller shall provideboth the end user and the safety authority having jurisdiction with thedocumentation needed to verify that all related safety devices and safety logic arefunctional before the controller is placed in operation. In the event of a power failure, the AADvance controller (hardware and software)shall not prevent the system from reverting to a safe default condition. A safecondition shall be maintained upon the restoration of power. The control system shall have a separate manual emergency switch, independent ofthe AADvance controller, which initiates a safe shutdown. Any changes to hardware or software shall be documented, approved, andmaintained in a file on the site. System operation shall be tested and verified for compliance with the NFPA 86standard and the original design criteria whenever the AADvance controller isreplaced, repaired, or updated. Whenever application software that contains safety logic or detection logic ismodified, system operation shall be verified for compliance with the NFPA 86standard and the original design criteria. The NFPA 86 certification is only applicable where the system is applied inaccordance with this safety manual and NFPA 86 requirements.5-8 Document number 553630 Issue 7: February 2010

Chapter 5 AADvance Functional Safety SystemImplementationBS EN 54 RequirementsBS EN 54 specifies the requirements for control and indicating equipment for firedetection and fire alarm systems installed in buildings. The AADvance system will becertified for use with BS EN 54 compliant systems.The systems should be integrated in accordance with BS EN 54. In particular thefollowing shall be applied. Where an alphanumeric display is used to display indications relating to differentfunctional conditions these may be displayed at the same time. However, for eachfunctional condition there shall be only one window, in which all of the fieldsrelating to that functional condition are grouped. Unless BS EN 54 section 7.12 applies, the time taken by scanning, interrogation orother processing of signals from fire detectors, in addition to that required to takethe fire alarm decision, shall not delay the indication of the fire alarm condition, orof a new zone in alarm, by more than 10 seconds. The control and indicating equipment shall enter the fire alarm condition within 10seconds of the activation of any manual call point. The audible indication shall be capable of being silenced by means of a separatemanual control at access level 1 or 2. This control shall only be used for silencingthe audible indication, and may be the same as that used for silencing in the faultwarning condition. The control and indicating equipment shall be capable of being reset from the firealarm condition. This shall only be possible by means of a separate manual controlat BS EN 54 defined access level 2. This control shall be used only for reset andmay be the same as that used for reset from the fault warning condition. Unless BS EN 54 7.11 and/or 7.12 apply, the control and indicating equipment shallaction all mandatory outputs within 3 seconds of the indication of a fire alarmcondition. Unless BS EN 54 7.11 applies, the control and indicating equipment shall action allmandatory outputs within 10 seconds of the activation of any manual call point. The control and indicating equipment shall enter the fault warning condition within100 seconds of the occurrence of the fault or the reception of a fault signal, orwithin another time as specified in BS EN 54. In the event of the loss of the main power source (as specified in EN 54-4), thecontrol and indicating equipment may have provision to recognize and indicate thefailure of the standby power source to a point where it may no longer be possibleto fulfill mandatory functions of this European Standard. In this case at least anaudible indication shall be given for a period of at least one hour. A system fault shall be audibly indicated. This indication may be capable of beingsilenced. The cabinet of the control and indicating equipment shall be of robustconstruction, consistent with the method of installation recommended in thedocumentation. It shall meet at least classification IP30 of IEC 60529:1991. All mandatory indications shall be visible at access level 1 without prior manualintervention such as the need to open a door.Document number 553630 Issue 7: February 2010 5-9

AADvance Safety Manual If the control and indicating equipment is designed to be used with a power supply(item L of figure 1 of EN 54-1) contained in a separate cabinet, then an interfaceshall be provided for at least two transmission paths to the power supply, such thata short circuit or an interruption in one does not affect the other. The EN54-2 certification is only applicable where the system is applied inaccordance with this safety manual and EN54-2 requirements.EN54 section 7.12 Dependencies on More Than One Alarm Signal7.12.1 Type A dependency (option with requirement)Following the receipt of a first alarm signal from a fire detector, the entry to the firealarm condition may be inhibited until the receipt of a confirmation alarm signal fromthe same fire detector, or from a fire detector in the same zone. In this case, the firstalarm state need not be indicated, and the following shall apply: the mode of operation shall be configurable at access level 3 for individual zones; reception of a confirmation alarm shall not be inhibited for more than 60s followingthe receipt of the first alarm signal. The manufacturer may specify a time shorterthan 60 s. In this case, this specification shall be tested and verified; the first alarm state shall be automatically cancelled within 30 min of the receipt ofthe first alarm signal; information on the values of the configured delay times shall be accessible at accesslevels 2 or 3.7.12.2 Type B dependency (option with requirement)Following the receipt of a first alarm signal from a fire detector, the entry to the firealarm condition may be inhibited until the receipt of a confirmation alarm signal fromthe same fire detector, or from a fire detector in the same or a different zone. In thiscase, the first alarm state need not be indicated, and the following shall apply: the mode of operation shall be configurable at access level 3 for at least individualzones; the first alarm state shall be indicated by means of: an audible indication as in 12.10 which may be the same as that in the fire alarmcondition or fault warning condition; a visible indication of affected zone, which may be the same as that forindication of zone in alarm as in 7.3. The general fire alarm indicator shall notbe illuminated; it shall be possible to manually cancel the first alarm state at access level 2. Thismay be done with the same control as is used for reset from the fire alarmcondition or fault warning condition; the CIE may have provision to automatically cancel the first alarm state after a timeinterval which shall not be less than 5 min;5-10 Document number 553630 Issue 7: February 2010

Chapter 5 AADvance Functional Safety SystemImplementation if the mode of operation is configured to accept a confirmation alarm signal fromthe same fire detector, this shall not be inhibited for more than 4 min following thereceipt of the first alarm signal.Type C dependency (option with requirement)Following the receipt of a fire alarm signal from a fire detector or a manual call point,the CIE shall enter the fire alarm condition, but may have provision to inhibit theactivation of outputs until a second alarm signal is received from another fire detectoror manual call point, which may be the same or another zone. In this case it shall bepossible to configure the mode of operation at access level 3 to apply individually toeach of the following (where provided): output to fire alarm devices output to fire alarm routing equipment output to fire protection equipmentField ConfigurationsThe following are recommended field loop circuits for line monitoring anddigital/analogue inputs.Line MoitoringThis section provides recommended line monitoring circuits and resistor values. Youcan set-up line monitoring on the following modules: 9401 and 9402 Digital Input Modules 9431 and 9432 Analogue Input ModulesNote: You must ensure that there is no crossover between channels.Document number 553630 Issue 7: February 2010 5-11

AADvance Safety ManualDigital Field Loop CircuitsThis section contains recommended field loop circuits for digital inputs and outputs.Field Loop Circuit for Digital InputField Loop Circuit for Line Monitored Digital Input for Emergency Shutdown Systems5-12 Document number 553630 Issue 7: February 2010

Chapter 5 AADvance Functional Safety SystemImplementationField Loop Circuit for Line monitored digital Input for Fire and Gas Control SystemsThe recommended values for R1 and R2 are as follows:R1 = 3K9 ohms 1% (estimated power 0.5W with max power dissipated is 0.128W)R2 = 15K ohms 1% (estimated power 0.5W with max power dissipated is 0.128W)Loop supply voltage = 24V dc (+/- 10%)The recommended threshold values for line monitored digital inputs are as follows:Treshold ID Value (mV)Tmax = 3200T8 = 950T7 = 925T6 = 550T5 = 525T4 = 325T3 = 300T2 = 175T1 = 150These values should be used and will allow the input to detect more accuratelydifferent voltage levels that represent OPEN CCT - OFF - ON - SHORT CCT and willalso detect Over Voltage and an input which is neither ON or OFF.All of the input circuits are suitable for simplex, dual and TMR configurations. Theoutput circuit is suitable for simplex and dual configurations.Document number 553630 Issue 7: February 2010 5-13

AADvance Safety ManualCircuit for Digital OutputFor inductive loads, back EMF protection shall be fitted at the load.5-14 Document number 553630 Issue 7: February 2010

Chapter 5 AADvance Functional Safety SystemImplementationAnalogue Input Field Loop CircuitsThe recommended field loop circuits for analogue inputs are as shown below.Field Loop Circuit for 2-Wire Analogue InputField Loop Circuit for 3-Wire Analogue InputDocument number 553630 Issue 7: February 2010 5-15

AADvance Safety ManualField Loop Circuit for 4-Wire Analogue InputSensor ConfigurationsIn safety critical input applications using a single sensor, it is important that the sensorfailure modes be predictable and well understood, so there is little probability of afailed sensor not responding to a critical process condition. In such a configuration, itis important the sensor be tested regularly, either by dynamic process conditions thatare verified in the AADvance system, or by manual intervention testing.The function of a signal shall be considered when allocating the module and channelwithin the system. In many cases, redundant sensor and actuator configurations maybe used, or differing sensor and actuator types provide alternate detection and controlpossibilities. Plant facilities frequently have related signals such as start, and stop signals.In these cases it is important to ensure that failures beyond the system's fault-tolerantcapability do not result in either inability to respond safely or in inadvertent operation.In some cases, this will require that channels be allocated on the same module, toensure that a module failure results in the associated signals failing-safe.However, in most cases it will be necessary to separate the signals across modules.Where non-redundant configurations are employed, it is especially important to ensurethat the fail-safe action is generated in case of failures within the system.5-16 Document number 553630 Issue 7: February 2010

Chapter 5 AADvance Functional Safety SystemImplementationActuator ConfigurationsField loop power should be considered in the allocation of signals to input channels andmodules. For normally energized input configurations, field loop power failure will leadto the fail-safe reaction. As with the allocation of signals to modules, there may berelated functions (for example start and stop signals) where loss of field power shouldbe considered in the same manner as the signal allocation.In safety-critical applications using a single actuator, it is important that theactuator failure modes be predictable and well understood, so that there is littleprobability of a failed actuator not responding to a critical process condition.In such a configuration, it is important that the actuator be tested regularly, either bydynamic process conditions that are verified in the AADvance system, or by manualintervention testing.The function of a signal shall be considered when allocating the module and channelwithin the system. In many cases, redundant actuator configurations may be used, ordiffering actuator types can provide alternate control and mitigation possibilities. Plantfacilities frequently have related signals; in these cases it is important to ensure thatfailures beyond the system's fault-tolerant capability do not result in either an inabilityto respond to safety demands or in inadvertent operation.In some cases, this will require that channels be allocated on the same module, toensure that a module failure results in the associated signals failing-safe. However, inmost cases, it will be necessary to separate the signals across modules. Where nonredundantconfigurations are employed, it is especially important to ensure that thefail-safe action is generated in case of failures within the system.Field loop power should be considered in the allocation of signals to output channelsand modules. For normally energized configurations, field loop power failure will leadto the fail-safe reaction. As with the allocation of signals to modules, there may berelated functions where loss of field power should be considered in the same manneras the signal allocation. Where signals are powered from separate power groups, it isimportant that this separation be maintained when allocating the signals to modules, i.e.that inadvertent coupling between power groups, and particularly return paths, are notgenerated.Calculations of Probability of Failure upon Demand,Systems that are configured to meet the needs of IEC 61508 will require theProbability of Failure upon Demand (PFD) for the safety instrumented functions to becalculated.For information regarding the calculation and for PFD numbers allocated for theAADvance system pleased refer to the TÜV approved PFD calculation document listedin the approved version list.Document number 553630 Issue 7: February 2010 5-17

AADvance Safety ManualProcessor Functional Safety ConfigurationThe 9110 Processor Module supports a limited set of configuration options; the systemwill verify the hardware configuration, such as the module locations against actualmodule types. The processor module process safety time can be specified through theWorkbench.Make sure that all specified modules for the required configuration are present andinstalled.Processor Safety FunctionsSafety functionsThe processor module is classified as safety critical and is responsible for the followingsafety functions: solving application logic external communication (Ethernet and serial) communication with I/O modules such as receiving input values, sending outputvalues, coordinating diagnostics enforcement of system PST diagnostics, fault indications and degradation of the processor module enforcement of input PST diagnostics, fault indications and degradation of input modules initiating diagnostics, fault declaration and for some fault conditions thedegradation of output modules.Reaction to faults in the processor moduleThe processor module reports faults by front panel indicators and fault codes stored inthe System Event log. The key indicator SYSTEM HEALTHY reports a fault in any ofthe I/O modules and any processor module. They report to the user application by thevariables set up during the system configuration process. These variables provide thefollowing information: module presence module health and status channel health and status an echo of the front panel indicationsAvailability of processor modulesOne to three redundant processor modules can be installed into a base unit.Thesystem remains functional even if two of three modules are faulty or not present.When two or more processor modules are installed the controller can be configuredfor a SIL3 fault tolerant application.5-18 Document number 553630 Issue 7: February 2010

Chapter 5 AADvance Functional Safety SystemImplementationReplacing/installing processor modulesProcessor modules can be replaced or installed on-line without affecting the controlleroperation provided at least one is fitted and is fully operational. However, processorsmust be installed one at a time and allowed to educate before the next processor isinstalled.When a processor module is installed and the locking screw set to the lock position,the module will automatically start to educate from the existing operating processor.The Healthy indicator flashes GREEN during the educating process and goes steadyGREEN when educated. The Run indicator stays RED during the education processthen goes steady AMBER when educated. After the Reset button is pressed the Runindicator goes steady GREEN and the newly installed processor module becomesoperational. If the Run indicator stays AMBER or reverts back to RED then educationprocess has failed and either the module is faulty or the application is invalid.Processor Module Access PortThe front panel of the 9110 Processor Module has a concealed PS/2 style connector onthe front panel behind a plastic cover. This connector is for ICS Triplex use only and isused for factory settings during manufacturing. The plastic cover should only beremoved to replace the processor battery.I/O Module Safety FunctionsThis section describes the adjustable safety parameters that you can set.Module Safety Related ParametersThe Workbench provides you with the capability to adjust two safety relatedparameters for an I/O module: Process safety time Shutdown action of a digital output module channelI/O Module Process Safety TimeThis option allows the system integrator to configure the process safety time (PST) foran I/O module, independently from the system value set through the processormodule. If no independent value is set for the module it will adopt, by default, the toplevel value of PST set for the processor module. When an input module exceeds thePST, that is the controller does not receive an update from the application within thePST then the I/O module is set to a fail safe state and returns a safe values to thecontroller.Digital output module process safety timeDocument number 553630 Issue 7: February 2010 5-19

AADvance Safety ManualFor a digital output module, the process safety time represents the period of awatchdog timer that specifies the length of time the controller will allow the module torun without receiving updates from the application. If the module runs beyond this timewithout receiving any updates, it enters its shutdown state (see below). The defaultprocess safety time is 2500ms.Input Module Safety FunctionsI/O input module safety functionsAn I/O input module is classified as safety critical and is designed to SIL3 level as asingle fail safe module. The input modules offer 8 or 16 isolated channels and reportsinput voltage levels to the processor, for the analogue input variant the module willconvert the field current into a voltage. Input values are updated by the workbench atleast once per application cycle. The same hardware is used for the 24Vdc digital inputmodules and the 4- 20mA analogue input module.The input module will operate in a SIL2 or SIL3 configuration for energize to action andde-energize to trip applications The module provides the following isolation: channel to channel galvanic isolation galvanic isolation between channels and the communication signals galvanic isolation between channels and powerReactions to faults in the input modulesWhen an input channel is not capable of reporting a voltage within a safety accuracyspecification of 1% of the full scale measurement range, then the module returns safevalues to the processor. Signals go to a safe state if the module scan time exceeds thePST. All I/O modules provide front panel indications, store fault codes in the fault logand can also report via the workbench application variables. The following statusinformation is provided: module presence module health and status channel health and status field faults an echo of the front panel indicators for each moduleNote: The HART input information can be used to provide additional diagnosticcoverage for the I/O loop. You have to use the 4 - 20mA current loop as the primarysafety data.Availability of input modules5-20 Document number 553630 Issue 7: February 2010

Chapter 5 AADvance Functional Safety SystemImplementationInput modules support redundancy when configured for dual or triple operation usingthe appropriate termination assembly. Redundant input modules may be inserted orremoved at any time without any impact on the safety function of the system.Redundant input modules operate independently providing independent values of theinput values to the processor module.Input module termination assembliesThe termination assemblies are safety critical and provide termination for 16 channels.They connect the field signals to the input modules. The simplex version connects eachinput channel to one input module, the dual TA routes them to two input modules andthe triple TA to three input modules.A digital input TA circuit has fuse protection and a 4.99k high reliability inputtermination for each channel. The analogue input TA has fuse protection for eachchannel and a high reliability 120 ohm input termination for each channel.Input Module Safety AccuracyThe I/O input modules determine the channel state and the line fault state bycomparing the input reported values with user programmed threshold values. Whentriple analogue input modules are used and active, the system adopts the median value.When dual modules are used, the lowest reported value is used. The discrepancybetween the redundant channels' measurements are monitored to determine if theyare within the safety accuracy limit.When the safety accuracy within a channel is detected outside the following limits thenthat channel is set to a fail-safe state. Digital Input Module = 4% Analogue Input Module = 1%When the safety accuracy between channels exceeds the following limits then adiscrepancy alarm is set for the input channel Digital Input Module = 8% Analogue Input Module = 2%in both situations the following safe values are reported by the variables:Digital input modules Input state = FALSE Line fault = TRUE Discrepancy= TRUE Channel fault = TRUEand the voltage value is 0mVDocument number 553630 Issue 7: February 2010 5-21

AADvance Safety ManualAnalogue input module process value = a calculated value based on a count value of 0 (51 counts = 0.2mA) line fault = TRUE Discrepancy= TRUE Channel Fault = TRUE Count value = 0In safety critical applications, the discrepancy alarms shall be monitored by theapplication program and be used to provide an alarm to the plant operations personneland the channel goes into a shutdown state.Output Module Safety FunctionsSafety FunctionsThe digital output module is rated at SIL3 as a fail-safe module. In dual redundantconfigurations it can be used for energize to action and de-energize to trip SIL3applications. Each module provides the following safety functions: output channel signals based on commands from the processor redundant voltage and current measurements to the processor modules formonitoring and diagnostics over current and over voltage channel protection executing diagnostic tests (on command from the processor module) and reportingresults back to the processor module On power up or module insertion all output channels are set to the de-energized(fail-safe) state until command states are received from the processor. Eachchannel is driven individually according to the command state values.Reactions to faults in output modulesWhen an output module goes faulty the following status information is reported: module presence module health and status channel health and status field faults an echo of the front panel indicators for each moduleWhen any of the following internal conditions exist the output module will always failsafe: internal software error detected by the FPGA power feed combiner over temperature detection power supply rails out of tolerance5-22 Document number 553630 Issue 7: February 2010

Chapter 5 AADvance Functional Safety SystemImplementationProcess safety time faultsFor a digital output module, the process safety time represents the period of awatchdog timer that specifies the length of time the controller will allow the module torun without receiving updates from the application. If the module runs beyond this timeperiod without receiving any updates, it enters the shut down state.Shutdown stateThe shut down state can be configured for the following settings: off de-energize (fail-safe) hold last stateYou have to decide when you configure the module how you want the output channelsto behave in the shutdown state, the default is fail-safe.Careful consideration should be given to the affect on the process of using the'hold last state' setting.Disable line testThe digital output module incorporates line test functionality that can report andindicate 'no load' field faults. This functionality can be enabled or disabled. The settingsare: Yes - disables reporting and indication of 'no load' field faults No - 'No load' field faults are reported and indicatedAvailability of output modulesOutput modules support redundancy when configured in dual operation using theappropriate termination assembly. One redundant module may be inserted or removedat any time without any impact on the safety function of the system.DO termination assemblyThe DO termination assembly is safety critical, it comes in two sizes — simplex ordual. It has fuses for field output power and 8 field termination connections for theoutput signals.Input and Output ForcingThe AADvance Workbench supports forcing of individual inputs and outputs. TheWorkbench uses the term 'locking' to describe forcing.Document number 553630 Issue 7: February 2010 5-23

AADvance Safety ManualIt is important the implications of forcing (or locking) of input and outputpoints on the process and their impact on safety are understood by any person usingthese facilities. It is the plant operators' responsibility to ensure that if forcedconditions are present that they do not jeopardize the functional safety.Forcing requires the program enable key to be fitted to the 9100 Processor Base Unitand is intended only for the purposes of engineering, installation and commissioningactivities. When the system is in-service, maintenance overrides for safety-relatedinputs and outputs should be implemented using the application program instead.The Force LED on the front of the 9110 Processor Module indicates when one ormore I/O points are forced. The application program can determine how many pointsare currently forced; it is highly recommended that this information be used to controlan additional status display and/or for logging purposes.If the forcing facility is used when the system is in-service, a safety-related inputconnected to an operator accessible switch shall be implemented to initiate theremoval of the force condition.A list of the currently locked points is read back from the AADvance system and madeavailable within the AADvance Workbench.Maintenance OverridesMaintenance Overrides set inputs or outputs to a defined state that can be differentfrom the real state during safety operation. It is used during maintenance, usually tooverride input or output conditions in order to perform a periodic test, calibration orrepair of a module, sensor or actuator.To correctly implement a maintenance override scheme within the AADvance system,the override or 'bypass' logic shall be programmed within the Application Program,with a separate set of safety-related input points or variables enabling the bypass logic.In order to accommodate maintenance overrides safely, TÜV has documenteda set of principles that shall be followed. These principles are published in thedocument "Maintenance Override" by TÜV Süddeutschland / TÜV Product ServiceGmbH and TÜV Rheinland.There are two basic methods to check safety-related peripherals connected to theAADvance system: External hard-wired switches are connected to conventional system inputs. Theseinputs are used to deactivate sensors and actuators during maintenance. Themaintenance condition is handled as part of the system's application program.5-24 Document number 553630 Issue 7: February 2010

Chapter 5 AADvance Functional Safety SystemImplementationVariable Bindings Sensors and actuators are electrically switched off during maintenance and arechecked manually.In some installations, the maintenance console may be integrated with the operatordisplay, or maintenance may be covered by other strategies. In such installations, theguidance given in section is to be followed. A checklist for the application of overridesis given in the Checklists chapter.The AADvance system uses variable bindings ('bindings') to pass safety-related databetween controllers. When using this mechanism, as with any other, it is important toensure that the overall system will respond within the required PST. This requirementapplies to normal operation and in the presence of a fault.For safety related applications, it is recommended that the binding communications useredundant networks. It should be noted that high network bandwidth usage by nonsafetyequipment may cause data timeout, and hence spurious trips, and thereforeseparate networks for safety data should be considered.The bindings are based on a producer/consumer model. A consumer systemestablishes a binding link with a producer system, and then repeatedly requests bindingdata.The bindings configuration includes the value of an age timeout. This timeout definesthe maximum age of data that can be used by a consumer system. Data older than thedefined timeout is discarded, and the system continues using its current state or value.The configuration also includes a timeout value for the response to a binding datarequest. Failure to receive a valid response containing fresh data within this timeoutcauses the consumer to disconnect from the producer. In the event of such a timeout,data received from the producer will either hold its current state or value, or go to apre-defined fail-safe state, depending on the configuration. If hold last state isselected it is important that the application programmer include handlingof this condition, including latching of the failure as necessary. For example,the loss of a binding communications link may require a specific safety reaction, or mayrequire that the corresponding data be set to specific states or pre-defined values.The configuration also includes a timeout value which is used by a producer system totimeout binding data requests from a consumer system. Should a producer fail toreceive a binding data request from a consumer within this timeout, the link to theconsumer system is closed. The consumer system, if still functional, will timeout thelink from its end.The timeout values shall be set within the fault tolerant capabilities of theBindings network, so the system can still respond within the required PST.The network propagation time must be included in the timeout periodcalculations, and should be verified after each change to the networkconfiguration.Document number 553630 Issue 7: February 2010 5-25

AADvance Safety ManualTwo function blocks are provided that make the overall status of the bindingscommunication subsystem available to the application — one indicates consumerstatus, the other producer status. In addition to these, each binding link can beconfigured with a variable to make the status of the individual links available to theapplication.Where a binding link is configured over redundant networks, the status of individualphysical networks is also made available to the application.Application Program DevelopmentThe application program development shall follow a structured approach as defined inthe AADvance Workbench documentation. The stages defined in the following subsectionsshall additionally be applied for safety related applications.AADvance Workbench ConfigurationThe AADvance Workbench supports four levels of password access, level 0 being thehighest access level. Each workbench function (for example, viewing, editing, compiling,downloading) may be identified for use only by users with an access level above acertain level.Language SelectionUser access passwords shall be implemented, the recommended access levelsare: Password protection and read-only mode for a complete project Password protection and read-only mode for individual resources Password protection for individual POUs Password protection for a targetThe Workbench offers many programming tools to develop algorithms to meet theneeds of virtually any real-time control application. The configuration and programminglanguages approved for use in SIL3 safety related application are shown in the table.Table 12:Safety and Non-safety LanguagesSafety RelatedFunction Block (FB)Instruction List (IL)Structured Text (ST)Ladder Diagrams (LD)5-26 Document number 553630 Issue 7: February 2010

Chapter 5 AADvance Functional Safety SystemImplementationSequential Function Chart (SFC) Safety Related Languages. The AADvance controller supports acomprehensive set of certified functions. The certified functions set includes themost commonly used function. These tested functions may be used freely in thedevelopment of an application. Further functions may be used subject tocompletion of testing commensurate with the level used for the commonly usedfunctionIL and ST include program flow control functions; these functions shall be usedwith caution to ensure that infinite loop or omitted logic conditions do not result.Where these constructs are used, it is recommended that full branch and datacoverage tests be performed on these sections of program. It is recommended thatonly Boolean conditions be used for these constructs to ensure that a feasible set oftests can be applied.Application programmer generated function blocks may be created either on aproject specific or library basis. Where these functions are to be used for safetyrelatedapplications, they shall be subject to exhaustive testing, commensurate withthat used for the commonly used functions. Once the function block has been subjectto this level of testing it may be used as for commonly used functions.There is provision for the AADvance system to support multiple programs within aproject. A complete project may be classified as safety or non-safety related. A safetyrelatedproject may use only the safety programming languages; non-safetyprogramming languages shall not be used. A project classified as non-safety may use anyof the programming languages and the full instruction set but shall not be used toimplement safety related functions.Testing of New or Previously Untested FunctionsThe AADvance Workbench comprises a number of function blocks that can becombined together to form a project application.The use of these function blocks in a safety certified system is only permittedonce they have been tested for correct operation.The new or previously untested function may be: a generic function block, which forms part of the Workbench, but has notpreviously been subject to the level of testing defined herein, or a project-specific function block, which is written to meet the needs of a particularfeature within an application program, and may comprise a number of genericfunction blocks or other program functions.Document number 553630 Issue 7: February 2010 5-27

AADvance Safety ManualTest MethodEach function to be tested shall be placed within an application test harness using theAADvance tool set that exercises its capabilities. The implementation of this harnessshall be such that the function block is exercised automatically, so that the test isrepeatable.As a minimum each test harness shall include all of the following: The function block under test An alternative implementation of the function block A function generator, to generate the stimuli for the function under test Main and alternative comparison Pass/Fail Flag A test results register, that records the functionality of the function blockWhere practical, and with the exception of time, results of the test shall beautomatically recorded and should not require a human to count or record dynamicdata.The alternative implementation of the function being tested shall be performed usingfeatures of the tool set that are as diverse as possible from the actual function block.For example an Or gate can be simulated by counting the number of inputs set to alogical 1 and determining that the count is greater than or equal to 1.The function generator shall be as simple as possible and shall not contain the functionunder test.The results of the alternative implementation shall be compared with the results of thefunction under test; discrepancies shall cause a 'main and alternative comparison failflag' to be set.The registration of test results should be as detailed as possible and use as manypredictable features as possible.ExampleA two-input logical Or gate stimulated by the two lower bits of a 16-bit counter willrecord 32768 logical high states if the counter is allowed to make one complete upcount from 0 to 65536. The results register would count these states and present anumber to the human operator. In this case the results register should also record thatno two consecutive states of the counter caused a logical 1 at the output of the gate.5-28 Document number 553630 Issue 7: February 2010

Chapter 5 AADvance Functional Safety SystemImplementationPartitioning the ApplicationIt is impractical and unnecessary to apply the same degree of rigorous developmentand testing to all functions within the Application where some of those functions arenot safety related.The identification of safety functions is, in part, dependent on the specific safetyphilosophy. Examples of non-safety may include status indication, data reporting andsequence of events. It is important to establish that these elements are not safetyrelated. For example, some safety cases rely on human intervention and therefore thecorrect operation of status indication.Defensive MeasuresThe safety related elements shall be implemented within separate programs tothose of non-safety related elements. Where information passes between theseelements, it shall be arranged that the direction of flow is from safety relevant to nonsafetyrelevant only.In defining the Application the programmer must consider the potential sources oferror and apply reasonable defensive programming techniques. Where values arereceived from other programs or external communications interfaces, the validity ofthe values should be checked where possible. Similarly, values received from inputinterfaces should be checked where possible. In many cases, it will also be possible tomonitor permutations of data, inputs and plant operating modes to establish theplausibility of the information and program measures to ensure safe responses in caseof implausible conditions.Testable BlocksSafety related functions shall be latched when in their tripped state to preventintermittent field faults from removing the trip condition. The application softwareshall be written to ensure that safety related functions are in their safe state duringsystem startup.Each safety-related software block shall be 100% testable, such functions could be: Burner flame supervision including temperature and air/gas pressure monitoring Burner gas-to-air ratio control/supervision Parts or whole of the start-up sequence of a batch reactorThe fewer the number of inputs, outputs and signal paths, the fewer the number ofpermutations that require testing. However, a single safety function should not be splitinto separate blocks; such a division is likely to lead to the introduction of errorsduring maintenance activities.The interaction between the individual software blocks shall be minimized. Whereinteraction is necessary, it should be kept as simple as possible, for example a singleshutdown initiation signal.Document number 553630 Issue 7: February 2010 5-29

AADvance Safety ManualEach safety function shall be responsible for the control of the corresponding outputs.Sharing of outputs between functions shall not be permitted.Individual Safety Related FunctionsMinimize Logic DepthThe AADvance Workbench allows the definition of up to 250 individual programswithin a single project. This facility should be exploited to enable the allocation ofindividual safety related functions to separate programs. Where such programs containindependent logic paths, these should be investigated to determine if they are separatesafety functions. Where they are separate, it is recommended that these be furtherallocated to their own program, subject to conforming to the recommendation tominimizing the coupling between programs.Cases should be looked for that allow the creation of individual logic paths by repeatingsmall sections of logic rather than fanning out the resultant signal(s).Where possible, the logic depth should be minimized. This helps reduce visualcomplexity, simplifies testing, minimizes the number of interconnects required andimproves program efficiency.Where there is nested logic, it shall be possible to establish the correct operation of allintermediate logic connections.The use of memory (latch) components within the safety function shall be minimized.Similarly, the permutation of conditions that lead to their activation shall be minimized.Communications InteractionThe AADvance system provides a range of communications options to allowinteraction with external systems. Where this communication is used for reporting (orout-going) communications, there are no specific safety requirements.Data received from external equipment that either controls safety-related functions oraffects their operation must be handled with caution. The Application Program shallhandle the received data.The received data should be such that it is limited to interactions which: Initiates safety operations, i.e. initiates shutdown sequences Resets signals, with the reset action only possible once the initiating conditionshave been removed Initiate timed start-up override signals which are removed automatically either onexpiration of the start period or once the associated signal has stabilized in thenormal operating condition Adjust control parameters within defined safe operational limits, i.e. lowering oftrip thresholds.5-30 Document number 553630 Issue 7: February 2010

Chapter 5 AADvance Functional Safety SystemImplementationWhere the interaction does not fall within these categories, the affects of incorrectvalues and sequences of values shall be considered and measures taken to ensure thatthe system will respond safely in the event of erroneous data. Alternatively, measuresmay be implemented within the application to ensure the integrity and validity of thedata.Program TestingEven with a small number of inputs, it is possible to reach a point where the number oftests becomes unreasonable. Eliminating impossible or unlikely scenarios should beused to reduce the number of logic path tests that need to be performed. Theselection of what constitutes a scenario that does not require testing can be performedonly after a suitable hazard analysis.The scenarios should include possible plant conditions, sequences of plant conditions,and system conditions including partial power conditions, module removal and faultconditions.Where it is not possible to define a representative suite of test cases, all permutationsof input conditions, i.e. all possible states on all possible inputs, shall be exercised.Where the logic includes memory or timing elements, additional tests shall be definedto exercise all the possible sequences of input permutations leading to their operation.All safety-related functions shall be tested and the results of the tests recorded.The tests shall include the system scan time, fault detection time, fault reaction timeand throughput delay for shutdown logic. The system scan time, including Peer-to-PeerCommunications where appropriate, shall be less than ½ PST.Functional testing of all safety related programs is considered to be 100% if: All inputs are exercised through their entire allowable range All outputs are exercised through their entire program determined range All logic paths are exercised All timers have been tested regarding their timing characteristics without changingtiming parameters All combinatorial permutations of digital signals, with the exception of 100% testedfunction blocks, are tested, including fault states. All combinatorial permutations of analogue signals, with the exception of 100%tested function blocks, are tested within the safety accuracy granularity. All timing properties of each safety loop have been verifiedDocument number 553630 Issue 7: February 2010 5-31

AADvance Safety ManualCross Reference CheckingWhile the aim shall be to minimise the coupling and dependencies between individualprograms, there will inevitably be occasions where, for example, a variable is usedwithin two or more programs. It is important to ensure that any application programchanges that affect these interactions do not jeopardise the functional safety.On-line ModificationIt is highly recommended that on-line changes are not performed unless absolutelynecessary as it could reduce the safety integrity of the system while doing the changes.Where changes have to be carried out on-line alternative safety measure should beimplemented for the duration of the change procedure.Certain modifications can be performed without directly affecting the system's safetyfunction, for example the installation of additional modules. Although thesemodifications will not affect the system's operation until the system configuration andapplication program have been modified, caution shall be exercised to ensure that themodifications do not affect other safety related functions.Changes that affect the system's ability to respond safely, or thatmay cause other plant disruption shall not be performed on-line unlessalternate protection measures can be implemented for the duration of suchmodifications.Physical InstallationThe AADvance controller equipment (base units and modules) is designed for usewhen it is installed upright, that is with the base units in a vertical plane and theventilation slots on the modules at the top and bottom. This orientation is essential toensure non-forced air cooling is effective and the controller meets the specified MTBFof the modules. This rule applies to all installations regardless of ambient temperatureand any additional forced air cooling that may be applied.5-32 Document number 553630 Issue 7: February 2010

Chapter 5 AADvance Functional Safety SystemImplementationEnvironmental RequirementsThe system installation environment presents a potential source of commoncause failure. It is necessary to ensure that the equipment is suitable for the intendedenvironment. Alternatively, methods of maintaining the equipment's environmentalconditions within its capabilities should be provided.The system must be installed in an IP54 standard cabinet if the environment isdesignated Pollution Degree 2 ((IEC 60950).Pollution Degree 2 is an environment classification according to the amount of drypollution and condensation present. Generally normally only non-conductive pollutionoccurs; Temporary conductivity cause by condensation is to be expected. Typically thistype of environment is found in Laboratories, test station and office environmentsController Environmental SpecificationsThe following environmental specification applies to all modules in the 9000 seriesrange.Table 13:Environmental SpecificationAttributeTemperatureOperatingStorage and TransportHumidityOperatingStorage and TransportVibrationFunctional StressContinuousOccasionalWithstandAccelerationEnduranceAccelerationShockAltitudeValue–20°C to 70°C (–4°F to 158°F)–40°C to 70°C (–40°F to 158°F)10% to 95% RH, non-condensing10% to 95% RH, non-condensing5Hz to 9Hz1.7mm amplitude3.5mm amplitude10Hz to 150Hz0.1g in 3 axes10Hz to 150Hz0.5g in 3 axes15g peak, 11ms duration, ½ sineDocument number 553630 Issue 7: February 2010 5-33

AADvance Safety ManualOperatingStorage and TransportPhysical protectionElectromagnetic Interference0 to 2000m (0 to 6,600 ft.)0 to 3000m (0 to 10,000 ft.)This equipment must not be transported inunpressurized aircraft flown above 10,000 ft.The controller is rated IP20: Protected againstsolids objects over 12mm (½ in.), for examplefingers. No protection against liquidsThe modules are designed to meet EN500081/82and EN55011/550225-34 Document number 553630 Issue 7: February 2010

Chapter 5 AADvance Functional Safety SystemImplementationElectromagnetic CompatibilityThe AADvance system has been designed and tested to withstand normal levels ofconducted and radiated electromagnetic interference and electrostatic discharge.Electrical noise conditions may vary greatly, depending on the equipment installation,wiring, other installed equipment, and its proximity to the AADvance equipment. Adetailed analysis of the installation electrical and magnetic conditions is rare. It istherefore necessary to ensure that the system as a whole complies with the client'srequirements or appropriate standards; within Europe, the CE mark requirementsform a legal minimum. For systems for applications outside Europe it is recommendedthat at least the same measures be applied, and confirmation sought from the client orend-user that electromagnetic interference (EMI) levels are within those shown in thetable.Standard Conditions NotesRadiated EmissionsCISPR11:2003BS EN 61000-4:2001+ A1:1998+ A2:2001Radiated Field ImmunityBS EN 61000-4-3:2006+A1:2008Fast Transient/Burst ImmunityBS EN 61000-4:2004+ AC1:2006+ AC1:2006+ AC2:2007Surge ImmunityBS EN 61000-4-5:2006Conducted RF ImmunityClass AN/A10V rms/m (unmodulated)80M Hz-2G Hz: 80% 1k HzAM1Hz Pulse Modulation 50:50duty cycle.1V rms/m (unmodulated)2G Hz, 2.7G Hz 80%1k Hz AMDC Power:2k VI/O and Signalling Ports:1k VDC Power 1k V/2k V lineline/line-groundI/O Port: 1kV line-ground onlyNot applicableAccess to controller must berestricted to appropriately trainedmaintenance personnel operatingin accordance with ICS Triplexprocedures, and relevant ESDmitigating procedures.The equipment additionallycomplies with fail-safeperformance criteria at increasedlevels of 20V/m over the range80M Hz to 1G Hz and 3V rms/m(unmodulated) over the range 2GHz to 2.7G Hz.The equipment additionallycomplies with fail-safeperformance criteria at increasedlevels of 2KV between I/O orsignalling ports and ground.The equipment additionallycomplies with fail-safeperformance criteria at increasedlevels of 2 kV between I/O orsignalling ports and ground.Document number 553630 Issue 7: February 2010 5-35

AADvance Safety ManualBS EN 61000-4-6:2003+ A1:2004+A2:200610V rms (unmodulated)150k Hz — 100M Hz 80%1k hZ AM, 1Hz PM 50:50duty.NonePower Frequency Magnetic Field immunity voltage Dips, Short interruptions and VoltageVariations ImmunityBS EN 61000-4-8:1994+ A1:2001 +BS EN 6100-4-11:2004Immunity to Conducted Common ModeDisturbance, 0 to 150kHzBS EN 61000-4-16:1998+ A1:200430A rms/m, 50Hz and 60HzDC & I/O Ports:1 to 10V rms increasing at20dB/decade from 1,5KHzto 15k Hz:10V rms from 15k Hz to150k Hz100V rms for 1s at 16.6Hz,50Hz and 60Hz 10V rmscontinuous at 150Hz and180HzNot ApplicableNoneVoltage Dips, Short Interruptions and Voltage Variations for DC Input Power PortsBS EN 61000-4-29:200140% for 10ms0% for 20msThe performance criteria for thesetests if fail-safeIf the anticipated EMI exceeds these levels, additional protection measures such as asuitably screened and Earthed enclosure shall be applied.Using Shielded Cabling for Ethernet and Serial PortsWhen using cable lengths that exceed 3m for Ethernet and Serial communication youmust use shielded cable to remain within the emission and immunity standards. Alsoensure that the shields are grounded to the controller chassis.5-36 Document number 553630 Issue 7: February 2010

Chapter 5 AADvance Functional Safety SystemImplementationAADvance System Power RequiremenstThe AADvance controller is designed to operate from two independent 24V dc powersupplies with a common return path, that is, the 24V return shall be common betweenthe power feeds.The controller must be supplied with system power from a power source thatcomplies with SELV and PELV standards. SELV (safety extra-low voltage) is a voltagewhich does not exceed 50VAC or 120 V ripple-free DC between conductors, orbetween each conductor and earth in a circuit which is isolated from the line voltageby a safety transformer. PELV (protected extra-low voltage) is an extra low voltagecircuit with a protective partition from other circuits which has a protective earthconnection.To meet SELV and PELV requirements the power source must have a safetytransformer with a protective partition between the primary and secondary windingsso that the windings are galvanically and electrically isolated.The power supplies and power distribution, if incorrectly designed, present a potentialcommon cause failure. It is therefore necessary to: Establish the power philosophy, specific earthing philosophy, power requirements,and the separation requirements where items of equipment are separately supplied,for example system internal supplies and field loop supplies. Ensure that the chosen PSUs are compatible with the power feeds provided.Alternatively, measures should be implemented to ensure that the power feedsremain within the specifications of the PSUs. Define the power distribution requirements, together with the protectivephilosophy for each distribution, for example current limited at source orprotective devices. Where protective devices are used, it is important to establishthat sufficient current be available to ensure their protective action and that theprotective device can break the maximum prospective fault current. Ensure that the power supplies are sufficient for the system load and for anyforeseeable load requirements and load transients. Ensure that the power supplies have a minimum output hold-up time of 10ms. Ensure that the power distribution cabling is sized to accommodate the maximumprospective fault currents and tolerable voltage losses. This is specifically importantwhere floating supplies are employed and other power sources may result in highprospective fault currents in the event of multiple earth-fault conditions.The power supplies used shall conform to IEC61131 Part 2, EN61010-1 andEN 60950 and shall be of adequate capacity for the system.Note: It is highly recommended that the negative side of the field supply be connectedto earth (ground). This will avoid possible fail danger conditions that can be caused bysome earth fault monitors used with floating power supplies.Document number 553630 Issue 7: February 2010 5-37

AADvance Safety ManualSystem SecuritySerial networks are closed and local, and have limited protocol functionality. They aretherefore immune to any attack except local deliberate sabotage. The AADvancesystem, however, with its workstations and DCS interfaces, uses Ethernet networkswhich tend to be part of a larger corporate network and can expose limitlesspossibilities for accidental or malicious infection or attack.There are some simple steps that can be taken to help prevent such issues: The AADvance system should not be on a network with open access to theInternet. The Firewall must be active on the Workstation, preventing access to the relevantEthernet ports on each communication interface. Anti-virus software must beinstalled and be kept up-to-date. The workstation should be password protected. If the workstation is a laptop, itshould be kept locked as it is the key to the application. If the workstation uses a USB or parallel port dongle, this should be kept securely.Without it, the workstation will not run (standatd 9000 series controller only). Ensure that the full compiled application and the system configuration are securelybacked up. The application should be password protected. The system is resistant to radio interference due to its bus structure. However,sensible use of site radios is advized; do not use radios inside or near an openpanel. The program enable key should be removed after application download (notapplicable to a Euro Controller). This prevents download of system configurationsor on-line changes through the Workbench. The module removal locks should remain locked (standard 9000 series modulesonly). Removable media, such as USB storage devices and CDs, should be virus checkedbefore use within the system.5-38 Document number 553630 Issue 7: February 2010

ChecklistsChapter 6This chapter contains a number of example checklists. These are provided as an aid forcompetent engineers. In general each checklist item should result in "yes", where this isnot the case a justification should be produced.In This ChapterPre-Engineering Checklists ............................................................................... 6-4Engineering Checklists ....................................................................................... 6-4Pre-Engineering ChecklistsScope Definition ChecklistThe checklists provided within this section are applicable to the requirements. It shouldbe recognised that the requirements will undergo refinement, particularly, in the earlystages of a project. The information provided initially may be 'outline'; in this case thesechecklists should be used to help identify where omission has occurred or wherefurther refinement is necessary.DescriptionHas a summary description of the intended application beenprovided?Yes/NoIs the intended installation environment defined? If so:does this include both normal and possible abnormal conditions?does this include geographical distribution requirements?Has a list of all the third-party equipment interfaces beenprovided and are definitions of both the protocol and the data tobe interchanged established?Are all of the plant interfaces defined, including the signal qualitiesand characteristics?Have any special or abnormal conditions that exceed the normalequipment capabilities been highlighted to enable special measureto be implemented?Is the presented information adequate to support the necessarylevel of understanding of the plant/EUC and its environment?Have you done a risk analysis to determine the Safety IntegrityLevels that need to be handled by your system.Document number 553630 Issue 7: February 2010 6-1

AADvance Safety ManualFunctional Requirements ChecklistDescriptionIs the definition of each of the required functions complete?Are the interfaces, signals, and data associated with each functionclearly identified?Where a 'tag referencing' scheme is used for these signals, has asummary description of the naming convention been provided tofacilitate an understanding of the role of the signal?Have the performance requirements for each function, orcollective functions, been defined?Have the operating modes of the EUC, process or plant beenclearly defined?Have the functions required to operate in each plantoperating-mode been identified?Have the transitions between each plant operating-mode beendefined? Have the functions necessary to effect these transitionsbeen established?Yes/NoSafety Requirements ChecklistDescriptionHave all of the functional requirements been allocated a requiredsafety requirements class?Has the safety-related timing for each safety-related function,including process safety time (PST) and fault tolerance period,been established?Have the safety requirements been approved?Are there clear definitions of the external interfaces involved ineach of the safety-related functions? (These may already bedefined in the functional requirements).Is there now sufficient information to understand how the plantshould be controlled safely in each of its intended operatingmodes?Yes/No6-2 Document number 553630 Issue 7: February 2010

Chapter 6 ChecklistsEngineering ChecklistsI/O Architecture ChecklistDescriptionHas the PST been specified ?What is the PST?Has the fault detection time for the system been specified ?What is the fault detection time?Is the safety-accuracy adequate for the application?Where the fault detection time is greater than the PST, does thesafety-related I/O configuration provide a fail-safe configuration?Yes/NoIf not, the system topology shall be discussed with the client toensure that the system implementation is safe.If a probability of failure on demand has been specified, has thisbeen met?Do the selected architectures provide solutions where there isno single power source or distribution point of failure that couldlead the system to fail to function safely when required?Have sensor fault conditions been taken into account?For each of the I/O signal types, do the I/O modules provide thecorrect characteristics and behaviour for the intended sensor oractuator (including minimum and maximum load requirements)?If not, have additional interfacing elements been included toensure that the effective signal is compatible with the selectedmodule type?Are the selected I/O module types compatible with the requiredI/O architecture?Has the allocation of signals to I/O modules and channelsconsidered each of the signals' function?Ensure that potential module and power group failures result ineither continued safety function or fail-safe operation.Do safety related inputs and outputs use only thoseconfigurations identified as safety relatedAre there any safety-related, normally de-energised outputs?If so have redundant power sources, power failure warning andline monitoring been provided?Document number 553630 Issue 7: February 2010 6-3

AADvance Safety ManualDescriptionHave sensor fault conditions been taken into account?Yes/NoHave actuator fault conditions been taken into account?Have field power supplies conforming to EN61010-1 orEN 60950 been used?Language Selection ChecklistDescriptionAre any functions not in the previously tested libraries required?If so has provision been made to adequately test these functions?Ensure that the programming languages classified as non-safety('C') are NOT used for safety-related projectsYes/NoOverride Requirements ChecklistDescriptionAre the effects of overriding fully understood, particularly wherethe override action will affect independent parts of an application?Has a method of enabling, or more importantly removing, theoverrides for the system as whole, or individual sub-systems,been provided?Have programming or procedural measures been defined toensure that no more than a single override may be applied to agiven safety-related process unit?Have indication of the presence of override conditions andrecording their application and removal been defined?Is there an alternative method of removing an override?Are there programming or procedural measures to limit theperiod of override?Yes/No6-4 Document number 553630 Issue 7: February 2010

Chapter 6 ChecklistsInput/Output Module Configuration ChecklistDescriptionFor each of the I/O signal types, do the I/O module settingsprovide the correct characteristics and behaviour for theintended sensor or actuator?Have the thresholds been verified with both increasing anddecreasing field signal levels and with margins to allow for theaccuracy and calibration to ensure that they do not result inoverlapping bands?Have the settings been defined according to a field device typesetting, and minimal use has been made of channel specificsettings?For any non-standard configuration settings, have tests beendefined and executed to 100% test the required operation?Yes/NoProcessor and Other ConfigurationDescriptionIf bindings communications is used, are the timeouts set to aresponse time within the required PST.Password protection and read-only mode for a complete projectbeen set upPassword protection and read-only mode for individual resourcesbeen set upPassword protection for individual POUs been set upPassword protection and read-only mode for a target been set upYes/NoTestingDescriptionHave all of the functions used been fully tested?Has the program been fully tested? The code checker can beused to highlight which programs have changed duringmodificationRecord the application scan time (read from the AADvanceWorkbench display)Record the system throughput time (output SOE – input SOE)Record the system throughput time where bindingscommunications is required (output SOE – input SOE)Yes/NoDocument number 553630 Issue 7: February 2010 6-5

AADvance Safety ManualDescriptionAre the scan and response times in accordance with the PSTrequirements (< ½ PST)?Have the climatic conditions been verified to be suitable?Yes/No6-6 Document number 553630 Issue 7: February 2010

Chapter 6 Glossary of TermsGlossary of TermsAaccuracyThe degree of conformity of a measure to astandard or a true value. See also'resolution'.achievable safe stateA safe state that is achievable.Note: Sometimes, a safe state cannot beachieved. An example is a non-recoverablefault such as a voting element with a shortedswitch and no means to bypass the effect ofthe short.actuatorA device which cause an electrical,mechanical or pneumatic action to occurwhen required within a plant component.Examples are valves and pumps.AITAAnalogue input termination assembly.alarms and events (AE)An OPC data type that provides timestamped alarm and event notifications.allotted process safety timeThe portion of the total process safety timeallotted to a sub function of that process.application softwareSoftware specific to the user application,typically using logic sequences, limits andexpressions to read inputs, make decisionsand control outputs to suit the requirementsof the system for functional safety.architectureOrganizational structure of a computingsystem which describes the functionalrelationship between board level, devicelevel and system level components.asynchronousA data communications term describing aserial transmission protocol. A start signal issent before each byte or character and astop signal is sent after each byte orcharacter. An example is ASCII over RS-232-C. See also 'RS-232-C, RS-422, RS-485'.availabilityThe probability that a system will be able tocarry out its designated function whenrequired for use — normally expressed as apercentage.Bbackplane clipA sprung, plastic device to hold togethertwo adjacent AADvance base units. Partnumber 9904. Used in pairs.base unitOne of two designs which form thesupporting parts of an AADvance controller.See 'I/O base unit' and 'processor base unit'.black channelA communication path which has norequirement to maintain the integrity ofsafety critical data transferred over it.Measures to detect and compensate for anyerrors introduced by the channel must beimplemented by the safety critical senderand receiver to make sure the data retainsits integrity. Black Channel communicationswill typically use an Ethernet LAN, which canuse off-the-shelf components and provides aparticularly cost-effective solution.blanking coverA plastic moulding to hide an unused slot inan AADvance base unit. Part numbers 9191and 9193. Unscreened. Provides physicalprotection to base unit connectors andensures a neat appearance.booleanA type of variable that can accept only thevalues 'true' and 'false'.Document number 553630 Issue 7: February 2010 7-1

AADvance Safety ManualBPCSBasic process control system. A systemwhich responds to input signals andgenerates output signals causing a processand associated equipment to operate in adesired manner, but which does notperform any safety instrumented functionswith a claimed safety integrity level of 1 orhigher.Refer to IEC 61511 or to ANSI/ISA—84.00.01—2004 Part 1 (IEC 61511-1 Mod)for a formal definition.Equivalent to the Process Control System(PCS) defined by IEC 61508.breakdown voltageThe maximum voltage (AC or DC) that canbe continuously applied between isolatedcircuits without a breakdown occurring.BS EN 54A standard for fire detection and fire alarmsystems.BS EN 60204A standard for the electrical equipment ofmachines, which promotes the safety ofpersons and property, consistency ofcontrol response and ease of maintenance.busA group of conductors which carry relateddata. Typically allocated to address, data andcontrol functions in a microprocessor-basedsystem.bus arbitrationA mechanism for deciding which device hascontrol of a bus.CCIPCommon Industrial Protocol. Acommunications protocol, formally knownas 'CIP over Ethernet/IP', created byRockwell Automation for the Logixcontroller family, and which is alsosupported by the AADvance controller.AADvance controllers use the protocol toexchange data with Logix controllers. Thedata exchange uses a consumer/producermodel.clearanceThe shortest distance in air between twoconductive parts.coding pegA polarization key, fitted to the 9100processor base unit and to each terminationassembly, which ensures only a module ofthe correct type may be fitted in a particularslot. Part number 9903.coilIn IEC 61131-3, a graphical component of aLadder Diagram program, which representsthe assignment of an output variable. InModbus language, a discrete output value.configurationA grouping of all the application softwareand settings for a particular AADvancecontroller. The grouping must have a'target', but for an AADvance controller itcan have only one 'resource'.consumerIn CIP over Ethernet/IP communications, aconsuming controller — a controllerconsuming a tag from another controller.The consuming controller requests the tagfrom the producing controller.contactA graphical component of a Ladder Diagramprogram, which represents the status of aninput variable.continuous modeSee high demand mode.controllerA logic solver; the combination ofapplication execution engine and I/Ohardware.controller systemOne or more controllers, their powersources, communications networks andworkstations.7-2 Document number 553630 Issue 7: February 2010

Chapter 6 Glossary of TermscoverageThe percentage of faults that will bedetected by automated diagnostics. See also'SFF'.creepage distanceThe shortest distance along the surface of aninsulating material between two conductiveparts.cross referenceInformation calculated by the AADvanceWorkbench relating to the dictionary ofvariables and where those variables are usedin a project.Ddata access (DA)An OPC data type that provides real-timedata from AADvance controllers to OPCclients.dictionaryThe set of internal input and outputvariables and defined words used in aprogram.discrepancyA condition that exists if one or more of theelements disagree.DITADigital input termination assembly.DOTADigital output termination assembly.EelementA set of input conditioning, applicationprocessing and output conditioning.energise to tripA safety instrumented function circuit wherethe outputs and devices are de-energizedunder normal operation. Application ofpower activates the field device. Also'energise to action'.EUCEquipment Under Control. The machinery,apparatus or plant used for manufacturing,process, transportation, medical or otheractivities.expansion cable assemblyA flexible interconnection carrying bussignals and power supplies betweenAADvance base units, available in a varietyof lengths. Used in conjunction with a cablesocket assembly (at the left hand side of abase unit) and a cable plug assembly (at theright hand side of a base unit).Ffail operational stateA state in which the fault has been masked.See 'fault tolerant'.fail safeThe capability to go to a pre-determinedsafe state in the event of a specificmalfunction.fault reset buttonThe momentary action push switch locatedon the front panel of the 9110 processormodule.fault toleranceBuilt-in capability of a system to providecontinued correct execution of its assignedfunction in the presence of a limited numberof hardware and software faults.fault tolerantThe capability to accept the effect of a singlearbitrary fault and continue correctoperation.fault warning receiving stationA centre from which the necessarycorrective measures can be initiated.fault warning routing equipmentIntermediate equipment which routes a faultwarning signal from the control andindicating equipment to a fault warningreceiving station.Document number 553630 Issue 7: February 2010 7-3

AADvance Safety Manualfield deviceItem of equipment connected to the fieldside of the I/O terminals. Such equipmentincludes field wiring, sensors, final controlelements and those operator interfacedevices hard-wired to I/O terminals.fire alarm deviceA component of a fire alarm system, notincorporated in the control and indicatingequipment which is used to give a warning offire — for example a sounder or visualindicator.fire alarm receiving stationA centre from which the necessary fireprotection or fire fighting measures can beinitiated at any time.fire alarm routing equipmentIntermediate equipment which routes analarm signal from control and indicatingequipment to a fire alarm receiving station.function block diagramAn IEC 61131 language that describes afunction between input variables and outputvariables. Input and output variables areconnected to blocks by connection lines. See'limited variability language'.functional safetyThe ability of a system to carry out theactions necessary to achieve or to maintain asafe state for the process and its associatedequipment.GgroupA collection of two or three input modules(or two output modules), arranged togetherto provide enhanced availability for theirrespective input or output channels.Hhand-held equipmentEquipment which is intended to be held inone hand while being operated with theother hand.HARTHighway Addressable Remote Transducerprotocol. A bi-directional industrial fieldcommunication protocol used tocommunicate between intelligent fieldinstruments and host systems.high demand modeWhere the frequency of demands foroperation made on a safety-related system isgreater than once per year or greater thantwice the proof test interval. Applies tosafety-related systems that implementcontinuous control to maintain functionalsafety. Sometimes known as 'continuousmode'.hot swapSee live insertion.II/O base unitA backplane assembly which holds up tothree I/O modules and their associatedtermination assembly or assemblies in anAADvance controller. Part number 9300.See 'I/O module' and 'termination assembly'.I/O moduleA collation of interfaces for field sensors(inputs) or final elements (outputs), arrangedin a self-contained and standardized physicalform factor.IEC 61000-4A series of international standards giving testand measurement techniques forelectromagnetic compatibility.IEC 61131An international standard definingprogramming languages, electricalparameters and environmental conditionsfor programmable logic controllers. Part 3,which is entitled 'Programming Languages',defines several limited variability languages.IEC 61499An international standard defining an openarchitecture for distributed control andautomation.7-4 Document number 553630 Issue 7: February 2010

Chapter 6 Glossary of TermsIEC 61508An international standard for functionalsafety, encompassing electrical, electronicand programmable electronic systems;hardware and software aspects.IEC 61511An international standard for functionalsafety and safety instrumented systems (SIS)for the process industry, encompassingelectrical, electronic and programmableelectronic systems, hardware and softwareaspects.indicationThe information given by an indicator.indicatorA device which can change its state to giveinformation.input (Workbench variable)In the context of an AADvance Workbenchvariable, this term describes a quantitypassed to the Workbench from a controller.instruction listAn IEC 61131 language, similar to the simpletextual language of PLCs. See 'limitedvariability language'.integerA 16-bit signed value from -32768 to 32767.One of the IEC 61131 types. See also 'word'.Kkey connectorThe receptacle on the AADvance controllerfor the program enable key. A 9-way 'D'type socket, located on the 9100 processorbase unit.Lladder diagramAn IEC 61131 language composed of contactsymbols representing logical equations andsimple actions. The main function is tocontrol outputs based on input conditions.See 'limited variability language'.LANLocal area network. A computer networkcovering a small physical area, characterisedby a limited geographic range and lack of aneed for leased telecommunication lines.limited variability languageA set of symbols and rules, designed to becomprehensible to process sector users andgiving the capability to combine pre-defined,application-specific library functions toimplement a safety requirementsspecification. Typical examples are given inIEC 61131 (part 3) and include instructionlist, ladder diagram, function block diagramand sequential function chart.live insertionThe removal and then reinsertion of anelectronic module into a system while thesystem remains powered. The assumption isthat removal of the module and reinsertionwill cause no electrical harm to the system.Also referred to as 'hot swap'.low demand modeWhere the frequency of demands foroperation made on a safety-related system isno greater than one per year and no greaterthan twice the proof-test frequency.Mmanual call pointA component of a fire detection and firealarm system which is used for the manualinitiation of an alarm.ModbusAn industry standard communicationsprotocol developed by Modicon. Used tocommunicate with external devices such asdistributed control systems or operatorinterfaces.Modbus objectA representation of the configurationsettings for a Modbus master or for itsassociated slave links, within the AADvanceWorkbench. The settings includecommunication settings and messages.Document number 553630 Issue 7: February 2010 7-5

AADvance Safety ManualmoduleA plastic housing containing a processor or acollation of I/O devices with a self-containedand standardized physical form factor. Oneof the fundamental building blocks of theAADvance controller. Processor modulesplug into the processor base unit, I/Omodules plug into a termination assemblyfitted to an I/O base unit.module clamp screwThe AADvance latch mechanism seen on thefront panel of each module and operated bya broad, flat-blade screwdriver. Uses a camaction to lock to the processor base unit orI/O base unit.NNFPA 85The Boiler and Combustion SystemsHazards Code. Applies to certain boilers,stokers, fuel systems, and steam generators.The purpose of this code is to contribute tooperating safety and to prevent uncontrolledfires, explosions and implosions.NFPA 86A standard for Ovens and Furnaces.Provides the requirements for theprevention of fire and explosion hazards inassociated with heat processing of materialsin ovens, furnaces and related equipment.Oon-lineThe state of a controller that is executingthe application software.OPCA series of standards specifications whichsupport open connectivity in industrialautomation.output (Workbench variable)In the context of an AADvance Workbenchvariable, this term describes a quantitypassed from the Workbench to a controller.PpingingIn Modbus communications, sending thediagnostic Query Data command over a linkand by receiving a reply ensuring that thelink is healthy and the controller is able tocommunicate with the master. No processdata is transferred or modified. In the caseof slave devices that will not support pingingthen the Standby command will default toInactive state, but no error will be returned.portable equipmentEnclosed equipment that is moved while inoperation or which can easily be movedfrom one place to another while connectedto the supply. Examples are programmingand debugging tools and test equipment.precisionSee 'accuracy'.process safety timeThe maximum delay that can elapse betweensuccessive executions before the applicationsoftware is stopped. For equipment undercontrol this represents the period of time adangerous condition can exist without theprotection of a safety instrumented systembefore a hazardous event occurs. It can be afraction of a second or more than an hour,depending on the application.processor base unitA backplane assembly which holds all of theprocessor modules in an AADvancecontroller. Part number 9100. See also'processor module'.processor moduleThe application execution engine of theAADvance controller, housed in a selfcontainedand standardized physical formfactor.producerIn CIP over Ethernet/IP communications, aproducing controller — a controllerproducing a tag to one or more consumers,at the request of the consumers.7-6 Document number 553630 Issue 7: February 2010

Chapter 6 Glossary of Termsprogram enable keyA security device that protects theapplication from unauthorized access andchange, in the form factor of a 9-way 'D'type plug. Part number 9906. Supplied withthe processor base unit. See also 'keyconnector'.projectA collection of configurations and thedefinition of the linking between them. See'configuration'.protocolA set of rules that is used by devices (suchas AADvance controllers, serial devices andengineering workstations) to communicatewith each other. The rules encompasselectrical parameters, data representation,signalling, authentication, and errordetection. Examples include Modbus, TCPand IP.RrealA class of analogue variable stored in afloating, single-precision 32-bit format.redundancyThe use of two or more devices, eachcarrying out the same function, to improvereliability or availability.resolutionThe smallest interval measurable by aninstrument; the level of detail which may berepresented. For example, 12 bits candistinguish between 4096 values.RS-232-C, RS-422, RS-485Standard interfaces introduced by theElectronic Industries Alliance covering theelectrical connection between datacommunication equipment. RS-232-C is themost commonly used interface; RS-422 andRS-485 allow for higher transmission ratesover increased distances.RTCReal-time clock.RTURemote terminal unit. The Modbus protocolsupported by the AADvance controller forModbus communications over serial links,with the ability to multi-drop to multipleslave devices.Ssafe stateA state which enables the execution of aprocess demand. Usually entered after thedetection of a fault condition; it makes surethe effect of the fault is to enable rather thandisable a process demand.safety accuracyThe accuracy of an analogue signal withinwhich the signal is guaranteed to be free ofdangerous faults. If the signal drifts outsideof this range, it is declared faulty.safety-critical stateA faulted state which prevents the executionof a process demand.sensorA device or combination of devices thatmeasure a process condition. Examples aretransmitters, transducers, process switchesand position switches.sequential function chartAn IEC 61131 language that divides theprocess cycle into a number of well-definedsteps separated by transitions. See 'limitedvariability language'.SFFSafe Failure Fraction. Given by (the sum ofthe rate of safe failures plus the rate ofdetected dangerous failures) divided by (thesum of the rate of safe failures plus the rateof detected and undetected dangerousfailures).Document number 553630 Issue 7: February 2010 7-7

AADvance Safety ManualSILSafety Integrity Level. One of four possiblediscrete levels, defined in IEC 61508 and IEC61511, for specifying the safety integrityrequirements of the safety functions to beallocated to a safety-related system. SIL4 hasthe highest level of safety integrity; SIL1 hasthe lowest.The whole of an installation (of which theAADvance system forms a part) must meetthese requirements in order to achieve anoverall SIL rating.SISSafety Instrumented System. A form ofprocess control that performs specifiedfunctions to achieve or maintain a safe stateof a process when unacceptable ordangerous process conditions are detected.SNTPSimple Network Time Protocol. Used forsynchronizing the clocks of computersystems over packet-switched, variablelatencydata networks.structured textA high level IEC 61131-3 language withsyntax similar to Pascal. Used mainly toimplement complex procedures that cannotbe expressed easily with graphical languages.synchronousA data communications term describing aserial transmission protocol. A pre-arrangednumber of bits is expected to be sent acrossa line per second. To synchronise thesending and receiving machines, a clockingsignal is sent by the transmitting computer.There are no start or stop bits.TTASee 'termination assembly'.targetAn attribute of a 'configuration' whichdescribes characteristics of the AADvancecontroller on which the configuration willrun. Includes characteristics such as thememory model and the sizes of variabletypes for the controller.TCPTransmission control protocol. One of thecore protocols of the Internet Protocolsuite. It provides reliable, ordered deliveryof a stream of bytes from a program on onecomputer to another program on anothercomputer. Common applications include theWorld Wide Web, e-mail and file transferand, for an AADvance controller, Modbuscommunications over Ethernet.termination assemblyA printed circuit board which connects fieldwiring to an input or output module. Thecircuit includes fuses for field circuits. Theboard carries screw terminals to connectfield wiring to the controller, and the wholeassembly clips onto the 9300 I/O base unit.TMRTriple modular redundant. A fault tolerantarrangement in which three systems carryout a process and their result is processedby a voting system to produce a singleoutput.TÜV certificationIndependent third party certification againsta defined range of international standardsincluding IEC 61508.UURack unit. A unit of measure used todescribe the height of equipment intendedfor mounting in a standard rack. Equivalentto 44.45mm (1-¾ inches).VvalidationIn quality assurance, confirmation that theproduct does what the user requires.verificationIn quality assurance, confirmation that theproduct conforms to the specifications.7-8 Document number 553630 Issue 7: February 2010

Chapter 6 Glossary of Termsvoting systemA redundant system (m out of n) whichrequires at least m of the n channels to be inagreement before the system can takeaction.Wwithstand voltageThe maximum voltage level that can beapplied between circuits or componentswithout causing a breakdown.wordA 16-bit unsigned value from 0 to 65535.One of the IEC 61131 types. See also'integer'.Document number 553630 Issue 7: February 2010 7-9

Additional ResourcesChapter 7For more information about the AADvance system refer to the associated ICS Triplextechnical manuals shown in this document map.ICS Triplex services are available worldwide.Regional OfficesAmericas: Europe, Middle East and Africa: Asia Pacific:4325 West Sam HoustonParkway North, Suite 100HoustonTexas 77043-1219USATel: +1 713 353 2400Fax: +1 713 353 2401ICS TriplexHall RoadMaldonEssexCM9 4LAEngland, UKTel: +44 1621 854444Fax: +44 1621 851531ICS Triplex Pte Ltd.No. 2 Corporation Road#04-01 to 03Corporation PlaceSingapore 618494Tel: +65 6622-4888Fax: +65 6622-4884Internet: http://www.icstriplex.comTechnical support: support@icstriplex.comSales enquiries: sales@icstriplex.comDocument number 553630 Issue 7: February 2010 8-1

AADvance Safety Manual - Tuv-fs.com

Create successful ePaper yourself

Delete template?

Save as template?