AADvance Safety Manual - Tuv-fs.com

More documents

Recommendations

Info

AADvance Safety ManualBoth input and output modules undergo regular diagnostics testing during operationthat is managed by the processor modules. The self-tests are coordinated betweenmodules that are configured in a fault tolerant arrangement, to ensure that the systemremains on-line even in the case of a demand during the execution of the tests. I/Ochannel discrepancy and deviation monitoring further enhances the verification andfault detection of module or field failures.The processor reports any detected I/O fault to the Workbench application andprovides an alarm signal for a central alarm indicator. A front panel LED indications onthe faulty module will indicate a module or field fault. In all cases, even in the presenceof a fault during this period, the system will continue to be able to respond whenconfigured in a fault tolerant arrangement.When a channel is not capable of reporting a value within a safety accuracyspecification of 1% of the full scale measurement 'safe' values are reported by thevariables. Thus, an I/O point fault condition results in a fail-safe state.The maximum duration for single-channel operation of I/O modules dependson the specific process and must be specified individually for each application: Input modules can operate in a simplex arrangement without time limit for SIL3and lower applications. Output modules can operate in a simplex arrangement without time limit for SIL3de-energize to action applications. Output modules can operate in a simplex arrangement without time limit for SIL2energize to action applications or for up to the MTTR when used in SIL3 energizeto action applications. Processor modules can operate in a simplex arrangement without time limit forSIL2 applications or for up to the MTTR when used in SIL3 applications.The application program must be designed to shut down a SIL3 equipment if afaulty module has not been replaced within the MTTR to meet the appropriaterestrictions stated above.When a module is operating in a dual mode (or is degraded to a dual mode) and a statediscrepancy occurs, then if no module fault is detected, the state reported to theapplication will always be the lower of the two states for a digital and analogue moduleconfigurations.In safety critical applications, the channel discrepancy alarms shall be monitoredby the application program and used to provide an alarm to the plant operationspersonnel.5-2 Document number 553630 Issue 7: February 2010
Chapter 5 AADvance Functional Safety SystemImplementationEnergise to Action ConfigurationsCertain applications may require energize to action for inputs and/or outputs.Energize to action configurations shall only be used if the following restrictionsapply: At least two independent power sources must be used. These power sourcesmust provide emergency power for a safe process shutdown or a time spanrequired by the application. Each power source must be provided with power integrity monitoring with safetycritical input read back into the system controller or implicit power monitoringprovided by the I/O modules. Any power failure shall lead to an alarm. Unless provided implicitly in the I/O modules, all safety critical inputs and outputsmust be fitted with external line and load integrity monitoring and safety criticalread back of the line-status signals. Any line or load failure shall lead to an alarm. For SIL3 enerigize to trip applications a minimum of dual output modules shall beused.In cases where one or more outputs is used in an energize to action configuration, allthe specific requirements above shall be followed for all associated inputs.Controller Process Safety Time (PST)The Process Safety Time setting defines the maximum time that the processor willallow the outputs to remain in the ON state in the event of certain internal diagnosticfaults or systematic application faults. If the process safety time expires the system willgo to its safe state.You have to specify the PST for the whole controller, this is a top level setting that youmake once for the whole controller and is set at the processor module. I/O Individualmodules can be set at a lower PST but must not exceed this overall setting.An AADvance controller adopts a default value for process safety time (PST) =2500ms. The system integrator can use the following method to confirm whether thisis acceptable and adjust as necessary.The value of PST for the controller is governed by this equation:Document number 553630 Issue 7: February 2010 5-3
Page 1 and 2: ICS TriplexAADvance Safety ManualIS
Page 3 and 4: Issue RecordIssueNumberDateRevisedb
Page 5 and 6: ForewordThis technical manual defin
Page 7 and 8: ContentsChapter 1 Introduction ....
Page 11 and 12: IntroductionChapter 1This chapter p
Page 13 and 14: Chapter 1 IntroductionAssociated Do
Page 15 and 16: The AADvance SystemChapter 2.An AAD
Page 17 and 18: Chapter 2 The AADvance SystemThe AA
Page 19 and 20: Functional Safety ManagementChapter
Page 21 and 22: Chapter 3 Functional Safety Managem
Page 31 and 32: AADvance System ArchitecturesChapte
Page 33 and 34: Chapter 4 AADvance System Architect
Page 45: Chapter 5AADvance Functional Safety
Page 49 and 50: Chapter 5 AADvance Functional Safet
Page 83 and 84: ChecklistsChapter 6This chapter con
Page 85 and 86: Chapter 6 ChecklistsEngineering Che
Page 87 and 88: Chapter 6 ChecklistsInput/Output Mo
Page 89 and 90: Chapter 6 Glossary of TermsGlossary
Page 91 and 92: Chapter 6 Glossary of Termscoverage
Page 93 and 94: Chapter 6 Glossary of TermsIEC 6150
Page 95 and 96: Chapter 6 Glossary of Termsprogram
Page 97:
Chapter 6 Glossary of Termsvoting s
show all

AADvance Safety Manual - Tuv-fs.com

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?