AADvance Safety Manual - Tuv-fs.com

More documents

Recommendations

Info

AADvance Safety ManualIt is important the implications of forcing (or locking) of input and outputpoints on the process and their impact on safety are understood by any person usingthese facilities. It is the plant operators' responsibility to ensure that if forcedconditions are present that they do not jeopardize the functional safety.Forcing requires the program enable key to be fitted to the 9100 Processor Base Unitand is intended only for the purposes of engineering, installation and commissioningactivities. When the system is in-service, maintenance overrides for safety-relatedinputs and outputs should be implemented using the application program instead.The Force LED on the front of the 9110 Processor Module indicates when one ormore I/O points are forced. The application program can determine how many pointsare currently forced; it is highly recommended that this information be used to controlan additional status display and/or for logging purposes.If the forcing facility is used when the system is in-service, a safety-related inputconnected to an operator accessible switch shall be implemented to initiate theremoval of the force condition.A list of the currently locked points is read back from the AADvance system and madeavailable within the AADvance Workbench.Maintenance OverridesMaintenance Overrides set inputs or outputs to a defined state that can be differentfrom the real state during safety operation. It is used during maintenance, usually tooverride input or output conditions in order to perform a periodic test, calibration orrepair of a module, sensor or actuator.To correctly implement a maintenance override scheme within the AADvance system,the override or 'bypass' logic shall be programmed within the Application Program,with a separate set of safety-related input points or variables enabling the bypass logic.In order to accommodate maintenance overrides safely, TÜV has documenteda set of principles that shall be followed. These principles are published in thedocument "Maintenance Override" by TÜV Süddeutschland / TÜV Product ServiceGmbH and TÜV Rheinland.There are two basic methods to check safety-related peripherals connected to theAADvance system: External hard-wired switches are connected to conventional system inputs. Theseinputs are used to deactivate sensors and actuators during maintenance. Themaintenance condition is handled as part of the system's application program.5-24 Document number 553630 Issue 7: February 2010
Chapter 5 AADvance Functional Safety SystemImplementationVariable Bindings Sensors and actuators are electrically switched off during maintenance and arechecked manually.In some installations, the maintenance console may be integrated with the operatordisplay, or maintenance may be covered by other strategies. In such installations, theguidance given in section is to be followed. A checklist for the application of overridesis given in the Checklists chapter.The AADvance system uses variable bindings ('bindings') to pass safety-related databetween controllers. When using this mechanism, as with any other, it is important toensure that the overall system will respond within the required PST. This requirementapplies to normal operation and in the presence of a fault.For safety related applications, it is recommended that the binding communications useredundant networks. It should be noted that high network bandwidth usage by nonsafetyequipment may cause data timeout, and hence spurious trips, and thereforeseparate networks for safety data should be considered.The bindings are based on a producer/consumer model. A consumer systemestablishes a binding link with a producer system, and then repeatedly requests bindingdata.The bindings configuration includes the value of an age timeout. This timeout definesthe maximum age of data that can be used by a consumer system. Data older than thedefined timeout is discarded, and the system continues using its current state or value.The configuration also includes a timeout value for the response to a binding datarequest. Failure to receive a valid response containing fresh data within this timeoutcauses the consumer to disconnect from the producer. In the event of such a timeout,data received from the producer will either hold its current state or value, or go to apre-defined fail-safe state, depending on the configuration. If hold last state isselected it is important that the application programmer include handlingof this condition, including latching of the failure as necessary. For example,the loss of a binding communications link may require a specific safety reaction, or mayrequire that the corresponding data be set to specific states or pre-defined values.The configuration also includes a timeout value which is used by a producer system totimeout binding data requests from a consumer system. Should a producer fail toreceive a binding data request from a consumer within this timeout, the link to theconsumer system is closed. The consumer system, if still functional, will timeout thelink from its end.The timeout values shall be set within the fault tolerant capabilities of theBindings network, so the system can still respond within the required PST.The network propagation time must be included in the timeout periodcalculations, and should be verified after each change to the networkconfiguration.Document number 553630 Issue 7: February 2010 5-25
Page 1 and 2:
ICS TriplexAADvance Safety ManualIS
Page 3 and 4:
Issue RecordIssueNumberDateRevisedb
Page 5 and 6:
ForewordThis technical manual defin
Page 7 and 8:
ContentsChapter 1 Introduction ....
Page 11 and 12:
IntroductionChapter 1This chapter p
Page 13 and 14:
Chapter 1 IntroductionAssociated Do
Page 15 and 16:
The AADvance SystemChapter 2.An AAD
Page 17 and 18: Chapter 2 The AADvance SystemThe AA
Page 19 and 20: Functional Safety ManagementChapter
Page 21 and 22: Chapter 3 Functional Safety Managem
Page 31 and 32: AADvance System ArchitecturesChapte
Page 33 and 34: Chapter 4 AADvance System Architect
Page 45 and 46: Chapter 5AADvance Functional Safety
Page 47 and 48: Chapter 5 AADvance Functional Safet
Page 67: Chapter 5 AADvance Functional Safet
Page 83 and 84: ChecklistsChapter 6This chapter con
Page 85 and 86: Chapter 6 ChecklistsEngineering Che
Page 87 and 88: Chapter 6 ChecklistsInput/Output Mo
Page 89 and 90: Chapter 6 Glossary of TermsGlossary
Page 91 and 92: Chapter 6 Glossary of Termscoverage
Page 93 and 94: Chapter 6 Glossary of TermsIEC 6150
Page 95 and 96: Chapter 6 Glossary of Termsprogram
Page 97: Chapter 6 Glossary of Termsvoting s
show all

AADvance Safety Manual - Tuv-fs.com

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?