Safety Manual - Tuv-fs.com
Safety Manual - Tuv-fs.com Safety Manual - Tuv-fs.com
2.2 Hardware ConfigurationThis section explains the hardware structure. 2-2• Safety Requirement and System AvailabilityAn SCS in which both CPU and I/O modules are in single configuration can be used forapplications that meet the SIL 3 requirements. For the models and revisions of each module,refer to our Website (http://www.yokogawa.com/iss/).To increase the availability, CPU modules and/or I/O modules can be duplexed (dual-redundant).When a fault is detected in one module of a dual-redundant configuration, the other module takesover control to continue the operation.• SCS Hardware• SCS Basic ComponentsThe basic components of the SCS hardware include the following.• Safety Control Unit- CPU Module- Power Supply Module (dual-redundant)- ESB BUS Coupler Module (dual-redundant)- Control Bus Interface (dual-redundant)• Node Unit- Power Supply Module (dual-redundant)- ESB Bus Interface Slave Module (dual-redundant)• I/O ModulesThe following table lists the I/O modules used for the ProSafe-RS system.Use safety I/O modules for safety loops.TableSafety I/O Module ListDigital Input Module (24 V DC)Digital Output Module (24 V DC)Analog Input Module (4-20 mA)Analog Input Module (1-5 V/1-10 V)Analog Output Module (4-20 mA)Serial Communication Module (RS-232C) (*1)Serial Communication Module (RS-422/RS-485) (*1)*1: Interference free• Environmental RequirementsRefer to ProSafe-RS Installation Guidance (TI 32S01J10-01E, TI 32S51J10-01E) for details ofthe permissible environmental conditions for the ProSafe-RS, and its connection with externaldevices.IM 32S01S10-01E3rd Edition : Oct.30,2006-00
2-3• Fault Detection and Reaction• Basic BehaviourCPU modules and I/O modules are diagnosed by the hardware and software periodically.Errors in communication between CPU module and I/O modules and in inter-SCS safetycommunications are detected by various measures.When an error is detected, the failsafe value is used for the output value and a diagnosticinformation message is issued. The diagnostic information message, which is delivered to theSENG and HIS (in the ProSafe-RS/CS 3000 integration configuration) via the control bus, isuseful for identifying the details and the cause of the error.In a dual-redundant configuration, the other module that is working normally takes over control tocontinue the operation. The diagnostic information message that is issued at the same time helpsidentify the failed module.The user can define the fail-safe behavior of the system when faults are detected in I/O modules.The following section describes the details.• Diagnosis and ReactionThis section explains the fault detection and reaction of the system in the single configuration.In a dual-redundant configuration, the other module that is working normally takes over control tocontinue the operation.• CPU ModuleThe major components in the CPU module are duplexed, and their operation results arealways compared between the two of each pair. This enables to detect a fault in a very shorttime. The detection of a fault causes a shutdown of the CPU module. Accordingly, the outputmodule detects a communication halt of the CPU module and outputs the failsafe valuepredefined for each channel.• Input ModuleDiagnostic tests of input modules are performed by the firmware periodically. When oneof the following faults is detected, the status of input channel changes to “bad” and apredefined value (input value of error occurrence) is transferred to the application logic.This means, faults in input modules, as well as demands (changes in input values), can behandled by application logic.- Fault in the common part of an input module- Fault in an input channel- Failure in communication between an input module and a CPU module• Output ModuleDiagnostic tests of output modules are performed by the firmware periodically. When one ofthe following faults is detected, the Output Shutoff Switch is activated to force all the outputchannels are forced OFF (0).- Fault in the common part of an output module- Stuck-at-ON, the case where the output cannot be turned to OFF (DO module)- Output current read back error (AO module)In the case of a fault in communication between an output module and a CPU module orchannel faults other than the above, the failsafe value for each channel is output.IM 32S01S10-01E3rd Edition : Oct.30,2006-00
- Page 1: User’sManualSafety ManualIM 32S01
- Page 4 and 5: Safety Precautionsiii• Safety, Pr
- Page 6 and 7: Documentation Conventionsv• Typog
- Page 8 and 9: Copyright and Trademark Noticesvii
- Page 10 and 11: 1. Safety Lifecycle 1-1The IEC 6150
- Page 14 and 15: 2-4• Diagnosis of Field WiringA d
- Page 16 and 17: 2.3 Application DevelopmentThis sec
- Page 18 and 19: • Check List for Application Deve
- Page 20 and 21: 2.5 On-line Change 2-10ProSafe-RS a
- Page 22 and 23: 2.7 Maintenance Override 2-12This s
- Page 24 and 25: Appendix A Product Support App.A-1P
2-3• Fault Detection and Reaction• Basic BehaviourCPU modules and I/O modules are diagnosed by the hardware and software periodically.Errors in <strong>com</strong>munication between CPU module and I/O modules and in inter-SCS safety<strong>com</strong>munications are detected by various measures.When an error is detected, the failsafe value is used for the output value and a diagnosticinformation message is issued. The diagnostic information message, which is delivered to theSENG and HIS (in the ProSafe-RS/CS 3000 integration configuration) via the control bus, isuseful for identifying the details and the cause of the error.In a dual-redundant configuration, the other module that is working normally takes over control tocontinue the operation. The diagnostic information message that is issued at the same time helpsidentify the failed module.The user can define the fail-safe behavior of the system when faults are detected in I/O modules.The following section describes the details.• Diagnosis and ReactionThis section explains the fault detection and reaction of the system in the single configuration.In a dual-redundant configuration, the other module that is working normally takes over control tocontinue the operation.• CPU ModuleThe major <strong>com</strong>ponents in the CPU module are duplexed, and their operation results arealways <strong>com</strong>pared between the two of each pair. This enables to detect a fault in a very shorttime. The detection of a fault causes a shutdown of the CPU module. Accordingly, the outputmodule detects a <strong>com</strong>munication halt of the CPU module and outputs the failsafe valuepredefined for each channel.• Input ModuleDiagnostic tests of input modules are performed by the firmware periodically. When oneof the following faults is detected, the status of input channel changes to “bad” and apredefined value (input value of error occurrence) is transferred to the application logic.This means, faults in input modules, as well as demands (changes in input values), can behandled by application logic.- Fault in the <strong>com</strong>mon part of an input module- Fault in an input channel- Failure in <strong>com</strong>munication between an input module and a CPU module• Output ModuleDiagnostic tests of output modules are performed by the firmware periodically. When one ofthe following faults is detected, the Output Shutoff Switch is activated to force all the outputchannels are forced OFF (0).- Fault in the <strong>com</strong>mon part of an output module- Stuck-at-ON, the case where the output cannot be turned to OFF (DO module)- Output current read back error (AO module)In the case of a fault in <strong>com</strong>munication between an output module and a CPU module orchannel faults other than the above, the failsafe value for each channel is output.IM 32S01S10-01E3rd Edition : Oct.30,2006-00
Change language