HIMax Safety Manual - Tuv-fs.com
HIMax Safety Manual - Tuv-fs.com HIMax Safety Manual - Tuv-fs.com
3 Safety Concept for Using the PES HIMax3 Safety Concept for Using the PESThis chapter contains important general items on the fuctional safety of HIMax systems.• Safety and Availability• Time Parameters Important for Safety• Proof Test• Safety Requirements• Certification3.1 Safety and AvailabilityThe HIMax systems are certified for use in process controllers, protective systems, burnercontrollers and machine controllers.They can be used in applications up to safety integrity level SIL 3 in accordance with IEC61508 or up to safety category Cat. 4 and up to performance level PL e in accordance withEN ISO 13849.All input and output modules (I/O modules) can be used with an individual processormodule or with several redundant processor modules.The HIMax systems have been tested and certified for use in fire alarm and fire-fightingsystems in accordance with EN54 and NFPA72.No imminent danger results from the HIMax systems.DANGERPhysical injury caused by safety-related automation systems improperly connectedor programmed.Check all connections and test the entire system before starting up!NOTICESystem damage!System damage caused by safety-related automation systems improperly connectedor programmed.Check all connections and test the entire system before starting up!3.1.1 Calculating the PFD and the PFH ValuesThe PFD and the PFH values have been calculated for the HIMax systems in accordancewith IEC 61508.IEC 61508-1 defines SIL 3 to have a PFD of 10 -4 ...10 -3 and a PFH value of 10 -8 ...10 -7 perhour.HIMA will gladly provide the PFD, PFH and SFF values upon request. The "SILence“ tool isavailable for more detailed calculations.A proof test interval of 10 years has been defined for the HIMax systems (offline proof test,see IEC 61508-4, paragraph 3.8.5).The safety functions, consisting of a safety-related loop (input, processing unit, output andsafety communication among HIMA systems), meet the requirements described above inall combinations.Page 16 of 70HI 801 003 D Rev.2.0
HIMax3 Safety Concept for Using the PES3.1.2 Self-Test and Fault DiagnosisThe operating system of the modules executes several self-tests at start-up and duringoperation.• Processors• Memory areas (RAM, non-volatile memory)• Watchdog• Connections between modules• Individual channels of the I/O modulesIf faults are detected during these tests, the defective module or the defective channel ofthe I/O module is switched off. If the tests detect a module fault while starting up themodule, the module will not begin to operate.In non-redundant systems, this means that sub-functions or even the entire PES will shutdown. In case of a detected failure within a redundant system, the redundant module orredundant channel takes over the function to be performedAll HIMax modules are equipped with LEDs to indicate that faults have been detected. Thisallows the user to quickly diagnose faults in a module or the external wiring, if a fault isreported.Further, the user program can also be used to evaluate various system variables that reportthe module status.An extensive diagnostic record of the system's performance and detected faults are loggedand stored in the diagnostic memory of the processor module or that of other modules.After a system fault, the recorded data can be read using the PADT.For more information on evaluating diagnostic messages, see "Diagnostics“ in the SystemManual HI 801 001.For a very few number of component failures that do not affect safety, no diagnosticinformation is provided.3.1.3 PADTUsing the PADT, the user creates the program and configures the controller. The safetyconcept of the PADT supports the user in the correct implementation of the control task.The PADT takes numerous measures to check the entered information.3.1.4 RedundancyTo improve availability, all parts of the system containing active components can be set upredundantly and, if necessary, replaced while the system is operating.• The system bus has been designed to allow the use of redundant components. Tworedundant system bus modules can be installed into each base plate (rack). Tworedundant cables are used to connect the base plates.• All processor modules can be used up to fourfold redundancy. Two variants arepossible:- All processor modules can be operated in the same base plate.- Processor modules can also be operated in two different base plates. In doing so,processor modules and I/O modules located in different places, can also be operatedredundantly.• With input and output modules, two modules can be defined as redundant to each other.A redundant channel will thus exist on each module for each corresponding channel onthe other module.• The power supply can be designed for (two-fold) redundancy. The base plates contain awiring for redundant supply of all modules.• Using the safeethernet certified by TÜV, it is possible to implement redundantcommunication connections between HIMax systems.HI 801 003 D Rev.2.0 Page 17 of 70
- Page 1: SAFETYHIMax ®Safety Manual
- Page 4 and 5: Table of contentsHIMax3.5 Certifica
- Page 6 and 7: Table of contentsHIMax10.2.9 Accept
- Page 8: 1 Safety Manual HIMax1.5 GlossaryTe
- Page 12 and 13: 2 Intended Use HIMaxStandardEC/EN 6
- Page 14 and 15: 2 Intended Use HIMax2.3.4 Power Sup
- Page 18 and 19: 3 Safety Concept for Using the PES
- Page 20 and 21: 3 Safety Concept for Using the PES
- Page 22 and 23: 3 Safety Concept for Using the PES
- Page 24 and 25: 4 Processor Modules HIMaxNOTESystem
- Page 26 and 27: 5 System Bus Module HIMaxWARNINGPhy
- Page 28 and 29: 6 Communication Module HIMax6 Commu
- Page 30 and 31: 7 Input Modules HIMaxNOTICESystem m
- Page 32 and 33: 7 Input Modules HIMax7.6 Checklists
- Page 34 and 35: 7 Input Modules HIMax7.6.3 Checklis
- Page 36 and 37: 7 Input Modules HIMax7.7 Safety-Rel
- Page 38 and 39: 7 Input Modules HIMax7.8 Checklist
- Page 40 and 41: 8 Output Modules HIMax8 Output Modu
- Page 42 and 43: 8 Output Modules HIMaxIn this state
- Page 44 and 45: 8 Output Modules HIMax8.7 Checklist
- Page 46 and 47: 9 Software HIMax9 SoftwareThe softw
- Page 48 and 49: 9 Software HIMax9.4 Resource Parame
- Page 50 and 51: 9 Software HIMaxExample: A key swit
- Page 52 and 53: 9 Software HIMaxThe user only need
- Page 54 and 55: 10 User program HIMaxSensors (digit
- Page 56 and 57: 10 User program HIMax10.2.5 Downloa
- Page 58 and 59: 10 User program HIMax10.2.10 Checkl
- Page 60 and 61: 11 Configuring Communication HIMaxN
- Page 62 and 63: 11 Configuring Communication HIMaxF
- Page 64 and 65: 11 Configuring Communication HIMaxP
<strong>HIMax</strong>3 <strong>Safety</strong> Concept for Using the PES3.1.2 Self-Test and Fault DiagnosisThe operating system of the modules executes several self-tests at start-up and duringoperation.• Processors• Memory areas (RAM, non-volatile memory)• Watchdog• Connections between modules• Individual channels of the I/O modulesIf faults are detected during these tests, the defective module or the defective channel ofthe I/O module is switched off. If the tests detect a module fault while starting up themodule, the module will not begin to operate.In non-redundant systems, this means that sub-functions or even the entire PES will shutdown. In case of a detected failure within a redundant system, the redundant module orredundant channel takes over the function to be performedAll <strong>HIMax</strong> modules are equipped with LEDs to indicate that faults have been detected. Thisallows the user to quickly diagnose faults in a module or the external wiring, if a fault isreported.Further, the user program can also be used to evaluate various system variables that reportthe module status.An extensive diagnostic record of the system's performance and detected faults are loggedand stored in the diagnostic memory of the processor module or that of other modules.After a system fault, the recorded data can be read using the PADT.For more information on evaluating diagnostic messages, see "Diagnostics“ in the System<strong>Manual</strong> HI 801 001.For a very few number of <strong>com</strong>ponent failures that do not affect safety, no diagnosticinformation is provided.3.1.3 PADTUsing the PADT, the user creates the program and configures the controller. The safetyconcept of the PADT supports the user in the correct implementation of the control task.The PADT takes numerous measures to check the entered information.3.1.4 RedundancyTo improve availability, all parts of the system containing active <strong>com</strong>ponents can be set upredundantly and, if necessary, replaced while the system is operating.• The system bus has been designed to allow the use of redundant <strong>com</strong>ponents. Tworedundant system bus modules can be installed into each base plate (rack). Tworedundant cables are used to connect the base plates.• All processor modules can be used up to fourfold redundancy. Two variants arepossible:- All processor modules can be operated in the same base plate.- Processor modules can also be operated in two different base plates. In doing so,processor modules and I/O modules located in different places, can also be operatedredundantly.• With input and output modules, two modules can be defined as redundant to each other.A redundant channel will thus exist on each module for each corresponding channel onthe other module.• The power supply can be designed for (two-fold) redundancy. The base plates contain awiring for redundant supply of all modules.• Using the safeethernet certified by TÜV, it is possible to implement redundant<strong>com</strong>munication connections between <strong>HIMax</strong> systems.HI 801 003 D Rev.2.0 Page 17 of 70
Change language