AADvance Safety Manual - Tuv-fs.com


12.07.2015 Views

Field Loop Circuit for 4-Wire Analogue Input

Sensor Configurations

In safety critical input applications using a single sensor, it is important that the sensor failure modes be predictable and well understood, so there is little probability of a failed sensor not responding to a critical process condition. In such a configuration, it is important the sensor be tested regularly, either by dynamic process conditions that are verified in the AADvance system, or by manual intervention testing.

The function of a signal shall be considered when allocating the module and channel within the system. In many cases, redundant sensor and actuator configurations may be used, or differing sensor and actuator types provide alternate detection and control possibilities. Plant facilities frequently have related signals such as start and stop signals. In these cases it is important to ensure that failures beyond the system's fault-tolerant capability do not result in either inability to respond safely or in inadvertent operation.

In some cases, this will require that channels be allocated on the same module, to ensure that a module failure results in the associated signals failing-safe. However, in most cases it will be necessary to separate the signals across modules. Where non-redundant configurations are employed, it is especially important to ensure that the fail-safe action is generated in case of failures within the system.

5-16 Document number 553630 Issue 7: February 2010

Chapter 5 AADvance Functional Safety System Implementation

Field loop power should be considered in the allocation of signals to input channels and modules. For normally energized input configurations, field loop power failure will lead to the fail-safe reaction. As with the allocation of signals to modules, there may be related functions (for example start and stop signals) where loss of field power should be considered in the same manner as the signal allocation.

Actuator Configurations

In safety-critical applications using a single actuator, it is important that the actuator failure modes be predictable and well understood, so that there is little probability of a failed actuator not responding to a critical process condition. In such a configuration, it is important that the actuator be tested regularly, either by dynamic process conditions that are verified in the AADvance system, or by manual intervention testing.

The function of a signal shall be considered when allocating the module and channel within the system. In many cases, redundant actuator configurations may be used, or differing actuator types can provide alternate control and mitigation possibilities. Plant facilities frequently have related signals; in these cases it is important to ensure that failures beyond the system's fault-tolerant capability do not result in either an inability to respond to safety demands or in inadvertent operation.

In some cases, this will require that channels be allocated on the same module, to ensure that a module failure results in the associated signals failing-safe. However, in most cases, it will be necessary to separate the signals across modules. Where non-redundant configurations are employed, it is especially important to ensure that the fail-safe action is generated in case of failures within the system.

Field loop power should be considered in the allocation of signals to output channels and modules. For normally energized configurations, field loop power failure will lead to the fail-safe reaction. As with the allocation of signals to modules, there may be related functions where loss of field power should be considered in the same manner as the signal allocation. Where signals are powered from separate power groups, it is important that this separation be maintained when allocating the signals to modules, i.e. that inadvertent coupling between power groups, and particularly return paths, is not generated.

Calculations of Probability of Failure upon Demand

Systems that are configured to meet the needs of IEC 61508 will require the Probability of Failure upon Demand (PFD) for the safety instrumented functions to be calculated.

For information regarding the calculation and for PFD numbers allocated for the AADvance system please refer to the TÜV approved PFD calculation document listed in the approved version list.
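
The allocation guidance in the sensor and actuator sections above can be checked mechanically against an I/O list. The following is an added example, not part of the manual or of any AADvance tooling: the tags, module names, power group names and the "same"/"separate" policy labels are all constructed for illustration, and treating a module fed from more than one power group as a finding is an assumption about how the separation requirement is applied.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Signal:
    tag: str          # field tag (constructed)
    module: str       # I/O module carrying the channel
    power_group: str  # field loop power group feeding the loop
    group: str        # related-function group, e.g. a start/stop pair

# Constructed I/O list. Policy per related group (hypothetical labels):
# "same"     = one failure must drive all related signals fail-safe together
# "separate" = one failure must not take out every related signal
SAMPLE = [
    Signal("PUMP_START", "M1", "PG-A", "pump_cmd"),
    Signal("PUMP_STOP",  "M1", "PG-A", "pump_cmd"),
    Signal("PT-101A",    "M2", "PG-A", "pt101"),
    Signal("PT-101B",    "M2", "PG-B", "pt101"),
    Signal("LT-200A",    "M3", "PG-B", "lt200"),
    Signal("LT-200B",    "M4", "PG-B", "lt200"),
]
POLICY = {"pump_cmd": "same", "pt101": "separate", "lt200": "separate"}

def check_allocation(signals, policy):
    """Return (subject, attribute, issue) findings for module and power allocation."""
    findings = []
    by_group = defaultdict(list)
    power_by_module = defaultdict(set)
    for s in signals:
        by_group[s.group].append(s)
        power_by_module[s.module].add(s.power_group)
    for group, members in sorted(by_group.items()):
        rule = policy.get(group)
        # Field loop power is judged "in the same manner" as module allocation.
        for attr in ("module", "power_group"):
            values = [getattr(m, attr) for m in members]
            if rule is None:
                findings.append((group, attr, "no-policy"))
            elif rule == "same" and len(set(values)) > 1:
                findings.append((group, attr, "split"))
            elif rule == "separate" and len(set(values)) < len(values):
                findings.append((group, attr, "shared"))
    # Assumption: a module fed from two power groups risks coupling them.
    for module, groups in sorted(power_by_module.items()):
        if len(groups) > 1:
            findings.append((module, "power_group", "mixed"))
    return findings

if __name__ == "__main__":
    for finding in check_allocation(SAMPLE, POLICY):
        print(finding)
```

Each finding is a prompt for engineering review, not a verdict; whether a related group should be co-located or separated remains the decision the manual leaves to the designer.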

