Safety Manual - Tuv-fs.com


User's Manual
Safety Manual
IM 32Q01S10-31E
2nd Edition


Introduction

This document presents the safety requirements for building a safety system with ProSafe-RS. Safety applications that meet the requirements of SIL 3 of the IEC 61508 standard can be realized by following these requirements.

The ProSafe-RS has been certified by TÜV Rheinland Industrie Service GmbH Business Sector ASI (http://tuvasi.com/), TÜV Rheinland Group, to fulfill the requirements of SIL 3 of the IEC 61508. The contents of this safety manual have also been approved by TÜV.

For the proper use of ProSafe-RS, also refer to the user's manuals available on our Website (http://www.yokogawa.com).

This document consists of the following chapters.
• 1. Safety Lifecycle
This chapter explains an overview of the safety conditions for building a safety instrumented system.
• 2. System Considerations
This chapter explains details of the safety considerations for building a safety instrumented system with the ProSafe-RS.

Media No. IM 32Q01S10-31E (CD)
2nd Edition : Dec. 2012 (YK)
All Rights Reserved Copyright © 2011, Yokogawa Electric Corporation
IM 32Q01S10-31E 2nd Edition : Dec.28,2012-00


ProSafe-RS Document Map

Safety System
• Safety Manual  IM 32Q01S10-31E
• Engineering Guide  IM 32Q01C10-31E
• Read Me First  IM 32Q01A30-31E

Software
• Safety Control Station Reference  IM 32Q03B10-31E
• Integration with CENTUM VP/CS 3000  IM 32Q01E10-31E
• Open Interfaces  IM 32Q05B10-31E
• Engineering Reference  IM 32Q04B10-31E
• Utilities and Maintenance Reference  IM 32Q04B20-31E
• Messages  IM 32Q02B10-31E
• ProSafe-RS System Test Reference  IM 32Q04B30-31E
• Integration with FAST/TOOLS  IM 32Q56H20-31E
• Workbench User's Guide

Hardware
• Safety Control Stations (Hardware)  IM 32Q06C10-31E
• Communication Devices  IM 32Q06H10-31E

Vnet/IP
• ProSafe-RS Vnet/IP  IM 32Q56H10-31E

Installation
• ProSafe-RS Security Guide  IM 32Q01C70-31E
• Installation  IM 32Q01C50-31E
• License Management  IM 32Q01C60-31E

(Document types shown in the map: Manual, Software Help, Read Me First)


us or your local distributor. The User's Manuals with incorrectly ordered pages or missing pages will be replaced.

• Warning and Disclaimer
• Except as specified in the warranty terms, YOKOGAWA shall not provide any warranty for the Product.
• YOKOGAWA shall not be liable for any indirect or consequential loss incurred by either using or not being able to use the Product.

• Notes on Software
• YOKOGAWA makes no warranties, either expressed or implied, with respect to the Software Product's merchantability or suitability for any particular purpose, except as specified in the warranty terms.
• Please purchase the appropriate number of licenses of the Software Product according to the number of computers to be used.
• No copy of the Software Product may be made for any purpose other than backup; otherwise, it is deemed as an infringement of YOKOGAWA's Intellectual Property rights.
• Keep the software medium of the Software Product in a safe place.
• No reverse engineering, reverse compiling, reverse assembling, or converting the Software Product to human-readable format may be performed for the Software Product.
• No part of the Software Product may be transferred, converted, or sublet for use by any third party, without prior written consent from YOKOGAWA.


Documentation Conventions

• Symbol Marks
The following symbols are used throughout the User's Manuals.
[symbol] Identifies instructions that must be observed to avoid physical injury, electric shock, or death.
[symbol] Identifies instructions that must be observed to prevent damage to the software or hardware, or system failures of the Product.
[symbol] Identifies important information required to understand operations or functions.
[symbol] Identifies additional information.
[symbol] Identifies referenced content. In the online manuals, clicking on the reference link shown in green displays the referenced content. This action does not apply to the reference link shown in black.

• Typographical Conventions
The following typographical conventions are used throughout the User's Manuals.

• Commonly Used Conventions throughout the User's Manuals
• Δ Mark
Indicates that a space must be entered between character strings.
Example: .ALΔPIC010Δ-SC
• Character string enclosed by braces { }
Indicates an option that can be omitted.
Example: .PRΔTAG{Δ.sheet name}

• Conventions Used to Show Key or Button Operations
• Characters enclosed by brackets [ ]
When characters are enclosed by brackets in the description of a key or button operation, it indicates a key on the keyboard, a button name in a window, or an item in a list box displayed in a window.
Example: To alter the function, press the [ESC] key.

• Conventions of a User-defined Folder
• User-defined folder name enclosed by parentheses ( )
A user-definable path is written in a pair of parentheses.
Example: (RS Project Folder)\SCS0101
If the RS Project Folder is C:\MYRSPJT, the above path becomes C:\MYRSPJT\SCS0101.

• Drawing Conventions
Drawings used in the User's Manuals may be partially emphasized or simplified for convenience of description, so that the unnecessary parts are omitted from the drawings.
Drawings of the window may be slightly different from the actual screen shots with different settings or fonts; the difference does not extend to a degree that may hamper the understanding of basic functionalities and operation and monitoring tasks.

• Integration with CENTUM
The Product can be integrated with CENTUM VP or CENTUM CS 3000. In the User's Manuals, the integration with CENTUM VP or CENTUM CS 3000 is referred to as "Integration with CENTUM."
In the User's Manuals, in the explanations for integrating the Product with CENTUM VP or CENTUM CS 3000, the glossary for various features of CENTUM VP is used instead of the glossary for CENTUM CS 3000. For example, the term "CENTUM VP System Alarm View" is used instead of "CENTUM CS 3000 System Alarm window." Nevertheless, if the features for integrating the Product with CENTUM VP and CENTUM CS 3000 are different, both features will be explained separately.

• Explanation of Hardware and Software Behaviors in the User's Manuals
In the User's Manuals, system behaviors are explained assuming that the latest versions of YOKOGAWA software and hardware at the time of publication of the User's Manuals are installed.
If additional precise information about the safety of legacy versions of software or hardware is required, a link to the corresponding explanation is provided. Please refer to the information according to your system.

• Station Types
A safety control station (SCS) is named according to the combination of CPU node (SSCx0S/SSCx0D) and CPU module (SCP4x1).
• SCSV1-S: An SCS that uses the CPU node SSC10S/SSC10D installed with SCP401
• SCSP2-S: An SCS that uses the CPU node SSC60S/SSC60D installed with SCP461
The User's Manuals use the following generic terms and abbreviations to describe SCS features as a whole:
• SCS: Generic term for all types of safety control station
• SCSV1: Abbreviation of SCSV1-S
• SCSP2: Abbreviation of SCSP2-S


Copyright and Trademark Notices

• All Rights Reserved
The copyright of the programs and online manuals contained in the software medium of the Software Product shall remain in YOKOGAWA.
You are allowed to print the required pages of the online manuals for the purposes of using or operating the Product; however, reprinting or reproducing the entire document is strictly prohibited by the Copyright Law.
Except as stated above, no part of the online manuals may be reproduced, transferred, sold, or distributed to a third party in any manner (either in electronic or written form including, without limitation, in the forms of paper documents, electronic media, and transmission via the network). Nor may it be registered or recorded in media such as films without permission.

• Trademark Acknowledgments
• CENTUM, ProSafe, Vnet/IP and STARDOM are registered trademarks of YOKOGAWA.
• Microsoft, Windows, Windows Vista, Visual Basic, Visual C++, and Visual Studio are either registered trademarks or trademarks of Microsoft Corporation in the United States and other countries.
• Adobe, Acrobat, and Adobe Reader are registered trademarks of Adobe Systems Incorporated.
• Ethernet is a registered trademark of Xerox Corporation.
• HART is a registered trademark of the HART Communication Foundation.
• Modicon and Modbus are registered trademarks of Schneider Electric SA.
• PLC is a registered trademark of Rockwell Automation, Inc.
• All other company and product names mentioned in the User's Manuals are trademarks or registered trademarks of their respective companies.
• We do not use TM or ® marks to indicate those trademarks or registered trademarks in the User's Manuals.
• We do not use logos in the User's Manuals.


Safety Manual IM 32Q01S10-31E 2nd Edition

CONTENTS
1. Safety lifecycle ........................................ 1-1
2. System considerations ................................... 2-1
  2.1 Overview of ProSafe-RS ............................... 2-2
  2.2 Hardware configuration ............................... 2-3
  2.3 Application development .............................. 2-7
  2.4 Security ............................................. 2-10
  2.5 Online change ........................................ 2-11
  2.6 Forcing .............................................. 2-12
  2.7 Maintenance override ................................. 2-13
  2.8 Replacement of modules in SCS ........................ 2-14


CONTENTS (Appendix)
Appendix 1. Product support ................................ App.1-1


1. Safety lifecycle

The IEC 61508 requires the use of its safety lifecycle for configuring and maintaining safety systems properly. This chapter explains the overview of the safety lifecycle.
The following table lists the abbreviations used in this safety manual.

Table 1-1 Abbreviations
Abbreviation/generic term   Definition                               Remarks
AI       Analog Input
AO       Analog Output
CENTUM   Denotes CENTUM VP and CS 3000R3, the Integrated Production Control System of Yokogawa.
CPU      Central Processing Unit
DI       Digital Input
DO       Digital Output
ENG      Engineering Personal Computer            Device of CENTUM
FB       Function Block                           Element used in FBD/LD/ST
FBD      Function Block Diagram                   IEC 61131-3 language
FCS      Field Control Station                    Device of CENTUM
FU       Function                                 Element used in FBD/LD/ST
HIS      Human Interface Station                  Device of CENTUM
I/O      Input/Output
LD       Ladder Diagram                           IEC 61131-3 language
PFD      Probability of Failure on Demand         Defined by IEC 61508
SCS      Safety Control Station                   Device of ProSafe-RS system
SENG     Safety Engineering Personal Computer     Device of ProSafe-RS system
SIL      Safety Integrity Level                   Defined by IEC 61508
ST       Structured Text                          IEC 61131-3 language

• Overview of the safety lifecycle
The safety lifecycle, which consists of sixteen phases that start at the concept phase of a system and end at the system's usage expiration, defines the necessary activities for these phases.
As the safety lifecycle is considered a framework to minimize the systematic failures caused by human errors, persons involved in the implementation of the safety functions need to understand the requirements of the safety lifecycle well and follow them.
As part of the safety lifecycle, the three planning phases for operation and maintenance, safety validation, and installation and commissioning are required prior to the actual implementation phases. This is because adequate preparations that include the procedures and measures derived from the impact analysis are important to ensure functional safety and/or to prevent an unsafe state during the implementation.
The standard also requires that the functional safety management runs in parallel with the safety lifecycle phases, with emphasis on the importance of the documentation. The information about all activities and the results of each phase need to be documented in such a way that the descriptions are accurate and easy to understand for users. The document of one phase is used as an input of the subsequent phase of the safety lifecycle in principle. This makes it possible to maintain the consistency of the lifecycle and trace the activities afterward.


Another requirement of the functional safety management is to manage competence. The organizations and/or persons involved in the safety lifecycle must be competent for the activities that they have responsibilities for. Adequate experience and training are necessary for this purpose.
This safety manual provides information for all planning phases of the safety lifecycle to ensure the correct use of ProSafe-RS to reach the aimed safety integrity by the end user.


2. System considerations

This chapter provides details of the safety considerations for building the safety system with the ProSafe-RS.


2.1 Overview of ProSafe-RS

This section explains the overview of ProSafe-RS.

• Overview of ProSafe-RS
ProSafe-RS is a safety system consisting of a safety controller, SCS, and an engineering and maintenance PC, SENG. The minimum configuration includes one SCS and one SENG.

[Figure 2.1-1 Example of system configuration: ProSafe-RS (SENG for engineering and maintenance, SCSs) and CENTUM (HIS, ENG, FCS) on a common control bus; inter-SCS safety communication and SCS link transmission safety communication between SCSs; alarms reported to the HIS]

An SCS in which both CPU and I/O modules are in single configuration can be used for applications that meet the requirements of SIL 3 of the IEC 61508. To increase the system availability, CPU modules and/or I/O modules can be duplexed (dual-redundant).
Inter-SCS safety communication and SCS link transmission safety communication allow a safety loop that meets the requirements of SIL 3 to be built between different SCSs connected via the control bus.
The ProSafe-RS can be integrated seamlessly into a CENTUM VP or CS 3000 (hereafter referred to as "CENTUM") system connected on the same control bus. This allows operators to monitor the SCSs through the HIS.

• Safety applications
ProSafe-RS is primarily intended to be used for the following safety applications. The use of ProSafe-RS conforming to the standards for each application is also certified by TÜV. For the details of the requirements, refer to each standard.
• ESD (Emergency Shutdown System) / PSD (Process Shutdown System)
• F&G (Fire and Gas detection System: EN 54, NFPA 72)
• BMS (Burner Management System: EN 298, NFPA 85, EN 50156)


2.2 Hardware configuration

This section explains the hardware structure.

• Safety requirements and system availability
An SCS in which both CPU and I/O modules are in single configuration can be used for applications that meet the SIL 3 requirements. For the models and revisions of each module, refer to our Website (http://www.yokogawa.com/).
To increase the availability, CPU modules and/or I/O modules can be duplexed (dual-redundant). When a fault is detected in one module in a dual-redundant configuration, the other module takes over control to continue operation.

• SCS hardware
• SCS basic components
The basic components of the SCS hardware include the following.
• Safety control unit
  • CPU module
  • Power supply module (dual-redundant)
  • ESB BUS coupler module (dual-redundant)
  • Control bus interface (dual-redundant)
• Node unit
  • Power supply module (dual-redundant)
  • ESB bus interface module (dual-redundant)
• I/O modules
The following tables list the I/O modules used for the ProSafe-RS system. Use safety I/O modules for safety loops.

Table 2.2-1 Safety I/O module list
Safety I/O module:
• Digital Input Module (24 V DC)
• Digital Output Module (24 V DC)
• Digital Output Module (48 V DC)
• Digital Output Module (100-120 V AC)
• Analog Input Module (4-20 mA)
• Analog Input Module (1-5 V/1-10 V)
• Analog Input Module (TC/mV)
• Analog Input Module (RTD)
• Analog Output Module (4-20 mA)

Table 2.2-2 Interference free I/O module list
Interference free I/O module:
• Serial Communication Module (RS-232C)
• Serial Communication Module (RS-422/RS-485)
• Ethernet Communication Module

• Environmental requirements
Refer to ProSafe-RS Installation Guidance (TI 32S01J10-01E) for details of the permissible environmental conditions for ProSafe-RS, and its connection with external devices.

• Fault detection and reaction
• Basic behavior
CPU modules and I/O modules are diagnosed by the hardware and software periodically. Errors in communication between the CPU module and I/O modules and in inter-SCS safety communications are detected by various measures.
When an error is detected, the failsafe value is used for the output value and a diagnostic information message is issued. The diagnostic information message, which is sent to the SENG and HIS (when integrated with CENTUM) via the control bus, is useful for identifying the details and the cause of the error.
In a dual-redundant configuration, the other module that is working normally takes over control to continue the operation. The diagnostic information message that is issued at the same time helps identify the failed module.
The user can define the fail-safe behavior of the system when faults are detected in I/O modules. The following section describes the details.

• Diagnosis and reaction
This section explains the fault detection and reaction of the system in the single configuration. In a dual-redundant configuration, the other module that is working normally takes over control to continue the operation.
• CPU Module
The major components in the CPU module are duplexed, and their operation results are always compared between the two. This makes it possible to detect a fault in a very short time.
The detection of a fault causes a shutdown of the CPU module. Accordingly, the output modules detect a communication halt of the CPU module and output the failsafe value predefined for each channel.
• Input Module
Diagnostic tests of input modules are performed by the firmware periodically. When one of the following faults is detected, the status of the input channel changes to "bad" and a predefined value (input value of error occurrence) is transferred to the application logic. This means that faults in input modules, as well as demands (changes in input values), can be handled by the application logic.
  • Fault in the common part of an input module
  • Fault in an input channel
  • Failure in communication between an input module and a CPU module
• Output Module
Diagnostic tests of output modules are performed by the firmware periodically. When one of the following faults is detected, the Output Shutoff Switch is activated to force all the output channels to OFF (0).
  • Fault in the common part of an output module
  • A channel is stuck-at-ON, that is, the output cannot be turned to OFF (digital output module (24 V DC, 48 V DC))
    (In the case of the digital output module (100-120 V AC), only the fault-detected channel is turned to OFF (0).)
  • Output current read back error (analog output module)
In case of a communication fault between an output module and a CPU module, the failsafe value for each channel is output.
• Diagnosis of Field Wiring
A diagnostic function is provided to detect open and short circuits in wiring between field devices and I/O modules. The behavior after detection of such a fault is the same as in the case of a fault in the channel of the I/O modules.
For this diagnosis with a DI module, connect a dedicated wiring check adapter to the wiring close to the field device. The wiring check adapters are available for "Normally Energized" and for "Normally De-energized" respectively.
• Inter-SCS Safety Communication and SCS Link Transmission Safety Communication
The receiver side of the SCS can detect failures caused by faults in the SCSs and the relay devices on the communication path.
When a failure in inter-SCS safety communication and/or SCS link transmission safety communication is detected, the predefined value is transferred to the application logic on the receiver side of the SCS. This is implemented by the dedicated FBs for inter-SCS safety communication and SCS link transmission safety communication respectively.

• System timing
• System reaction time
The system reaction time of the SCS includes the reaction time for the external demand and the reaction time when a fault is detected in the SCS. For more details, refer to Engineering Guide (IM 32Q01C10-31E).
• Process safety time
The process safety time is the period from the time of fault occurrence in the process until the time the process enters a dangerous state, which is determined for each process. The safety system needs to transfer the process to a safe state within the process safety time after the demand (process error).
The reaction time of the safety system, which is the total of the reaction times of the sensor, actuator, and safety controller, needs to be shorter than the process safety time. Consider the system reaction time of the SCS as the reaction time of the safety controller.

• PFD calculation
The ProSafe-RS has been designed to meet the requirements for PFD of SIL 3 that are defined as a fraction of 10^-4 to 10^-3 in the IEC 61508, with the condition that the interval between proof tests is ten years. For further information on this, refer to Engineering Guide (IM 32Q01C10-31E).

• Check list for hardware engineering
Table 2.2-3 Check list for hardware engineering
No.  Description  Check
1  Have the modules for safety and the ones for non-safety been used appropriately?
2  Have the devices and wiring been installed according to ProSafe-RS Installation Guidance (TI 32S01J10-01E)?
3  Has the mechanism of the fault detection and reaction been understood?
4  For diagnosis of the field wiring of DI modules, have the dedicated wiring check adapters been connected?
5  Have the system reaction time and the process safety time been understood?

SEE ALSO
For more information about each No. of the check list, refer to:
"• SCS hardware" on page 2-3


2.3 Application development

This section explains the application development.

• Parameter settings
To ensure normal operation of the system, you must set parameters to the appropriate values by using the engineering function.
• Scan Period
A safety application runs at intervals of a defined scan period. Determine a scan period to meet the requirements for the process safety time.
• Input value for a fault and failsafe value
Define the value input to the application logic when a fault is detected in an input module (input value for a fault) and the value output from an output module when a fault is detected in the CPU module or in the communication between the CPU module and output module (failsafe value). These can be individually defined on each channel.
These values, which determine the safety state, should be cautiously defined depending on the application. In general, 0 is used for a De-energize to trip system and 1 for an Energize to trip system. If different values are used, immediate repair after a failure occurs should be considered.
• Activation of output shutoff switch
The Output Shutoff Switch in the output module is a switch common to all channels and is normally closed (ON). If the setting of the channel is the default value, the switch is activated to shut off all channels of the output module when the diagnostic test detects a stuck-at-ON fault (the channel cannot output OFF (0)) for a digital output module (24 V DC or 48 V DC) or an output current read back error for an analog output module.
The behavior of the output shutoff switch is definable per channel. Select the default value for all channels for a safety application, which activates the switch when the fault mentioned above is detected in a channel.
• Diagnostics of field wiring
For each channel of I/O modules, specify whether to perform diagnosis of field wiring.
• Timeout settings for inter-SCS safety communication and SCS link transmission safety communication
Set the proper timeout values for the inter-SCS safety communication dedicated FB and the SCS link transmission safety communication parameter. For calculation of the timeout values, refer to Engineering Guide (IM 32Q01C10-31E).

• Programming
The engineering function of the ProSafe-RS provides the programming languages conforming to the IEC 61131-3 standard. The following languages are used to program safety applications.
• FBD (Function Block Diagram)
• LD (Ladder Diagram)
• ST (Structured Text)
Use proper FU/FB, LD elements, and ST statements of these languages. Some of them can be used for safety applications, but the others cannot, as shown in Engineering Guide (IM 32Q01C10-31E).

• Application test
After programming an application, you need to verify that it operates according to the specifications.
• After programming the application, save it, print it out using the Self-Documentation Function, and check that the inputs of programming and the contents of the printout match.
• Use the Integrity Analyzer to check whether the FU/FB, etc. used for programming the safety application are applicable to safety use. Confirm that the result is as intended.
• The simulator on the SENG can test the application for debugging, without the need for the actual SCS.
• Testing the safety application logic can be done with the Target Test Function on the target SCS even when no I/O modules are installed in the SCS or when no field devices are connected.
• You should perform the final test on the target system with the necessary devices installed.
• When loading the application into the SCS, make sure that the correct application has been loaded by checking the version information shown on the SENG.
• When starting the operation after completion of the test at security level 0, perform the off-line download and change the security level to Level 2.
When a part of the application is modified, the impact of the modification needs to be analyzed before a test. Unintended results of the modification can be detected with the Cross Reference Analyzer before the test. This helps identify the part to be tested, so that only the modified part needs to be tested. The procedure is as follows:
1. After modifying the application using the engineering tool, print it out and make sure that the inputs of programming and the contents of the printout match.
2. Make sure that the check results by the Cross Reference Analyzer are as intended.
3. Check the operation of the application with the SCS simulator, if necessary, then validate it on the target SCS.
To modify the application correctly, the modification history of the current application needs to be managed. For this purpose, the version control function is provided.

• Check list for application development
• Check list for parameter settings and programming
Table 2.3-1 Check list for parameter settings and programming
No.  Description  Check
1  Has the scan period been determined to meet the requirements for the process safety time?
2  Has the Output Shutoff Switch of the output module been selected to be activated?
3  Have the input values for faults and failsafe values been determined?
4  For inter-SCS safety communication and SCS link transmission safety communication, has the application logic been written with the dedicated FB?
5  For inter-SCS safety communication and SCS link transmission safety communication, have the proper timeout values been set?
6  Has the application logic been written with the proper language or language element?

• Check list for procedure for application test
The following check list shows the procedure after application input. When an error is found at a step, go back to a proper step, in principle the application input step.
Table 2.3-2 Check list for procedure for application test
No.  Description  Check
1  Save the application on the SENG, print it out with the Self-Documentation Function, and compare the inputs with the printout.
2  Use the Integrity Analyzer and check the results.
3  Use the Cross Reference Analyzer and check the results.
4  Use the simulator on the SENG for debugging.
5  Download the application into the SCS.
6  Test the application on target.
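The parameter-setting rules of this section and the timing rule of 2.2 can be checked mechanically before download. The following is an added example, not Yokogawa's engineering function: it lints a constructed SCS configuration against Check list 2.2-3 No.1 (safety modules for safety loops), the process safety time budget, and Check list 2.3-1 Nos. 2 and 3 (Output Shutoff Switch kept at the default, fault/failsafe values defined and consistent with the trip philosophy). The data classes, field names and sample channels are assumptions made for the example.

```python
"""Static lint of an SCS I/O configuration against the rules of sections 2.2 and 2.3.
Added example; the configuration model below is an assumption, not the real SENG format."""
from dataclasses import dataclass, field
from typing import List, Optional

DE_ENERGIZE_TO_TRIP = "de-energize-to-trip"  # safe state is 0 (outputs OFF)
ENERGIZE_TO_TRIP = "energize-to-trip"        # safe state is 1 (outputs ON)


@dataclass
class Channel:
    name: str
    kind: str                              # "DI", "DO", "AI" or "AO"
    safety_module: bool = True             # on a safety I/O module, not an interference-free one
    used_in_safety_loop: bool = True
    fault_value: Optional[int] = None      # DI/AI: value handed to the logic when the channel is "bad"
    failsafe_value: Optional[int] = None   # DO/AO: value driven on a CPU or communication fault
    shutoff_switch_default: bool = True    # DO/AO: default setting activates the Output Shutoff Switch


@dataclass
class ScsConfig:
    trip_philosophy: str
    process_safety_time_ms: int
    sensor_time_ms: int
    actuator_time_ms: int
    scs_reaction_time_ms: int              # SCS system reaction time (see Engineering Guide)
    channels: List[Channel] = field(default_factory=list)


def lint_scs_config(cfg: ScsConfig) -> List[str]:
    """Return one finding per violated rule; an empty list means the configuration passes."""
    findings: List[str] = []
    safe_state = 0 if cfg.trip_philosophy == DE_ENERGIZE_TO_TRIP else 1

    # 2.2 System timing: sensor + actuator + safety controller must be faster than the process safety time.
    total = cfg.sensor_time_ms + cfg.actuator_time_ms + cfg.scs_reaction_time_ms
    if total >= cfg.process_safety_time_ms:
        findings.append(f"timing: reaction time {total} ms is not shorter than "
                        f"process safety time {cfg.process_safety_time_ms} ms")

    for ch in cfg.channels:
        # Check list 2.2-3 No.1: safety loops must be wired to safety I/O modules.
        if ch.used_in_safety_loop and not ch.safety_module:
            findings.append(f"{ch.name}: safety loop wired to a non-safety (interference-free) module")
        if ch.kind in ("DI", "AI"):
            # Check list 2.3-1 No.3: the input value for a fault must be defined per channel.
            if ch.fault_value is None:
                findings.append(f"{ch.name}: no input value for a fault defined")
            elif ch.kind == "DI" and ch.fault_value != safe_state:
                findings.append(f"{ch.name}: input value for a fault ({ch.fault_value}) differs from the "
                                f"safe state ({safe_state}); plan immediate repair after a failure")
        elif ch.kind in ("DO", "AO"):
            # Check list 2.3-1 No.2: keep the default so a stuck-at-ON fault or read-back error
            # activates the Output Shutoff Switch for the whole module.
            if not ch.shutoff_switch_default:
                findings.append(f"{ch.name}: Output Shutoff Switch activation disabled for this channel")
            if ch.failsafe_value is None:
                findings.append(f"{ch.name}: no failsafe value defined")
            elif ch.kind == "DO" and ch.failsafe_value != safe_state:
                findings.append(f"{ch.name}: failsafe value ({ch.failsafe_value}) differs from the "
                                f"safe state ({safe_state}); plan immediate repair after a failure")
    return findings


# Constructed sample: a de-energize-to-trip ESD loop with four deliberate configuration defects.
SAMPLE = ScsConfig(
    trip_philosophy=DE_ENERGIZE_TO_TRIP,
    process_safety_time_ms=5000, sensor_time_ms=800, actuator_time_ms=1500, scs_reaction_time_ms=600,
    channels=[
        Channel("PT101_HH", "DI", fault_value=0),                          # correct
        Channel("XV201_CLOSE", "DO", failsafe_value=0),                    # correct
        Channel("LT102", "AI"),                                            # no input value for a fault
        Channel("XV202_CLOSE", "DO", failsafe_value=1),                    # failsafe is the energized state
        Channel("XV203_CLOSE", "DO", failsafe_value=0, shutoff_switch_default=False),
        Channel("FLOW_SERIAL", "DI", fault_value=0, safety_module=False),  # safety loop on a serial module
    ],
)

if __name__ == "__main__":
    for finding in lint_scs_config(SAMPLE):
        print(finding)
```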


2.4 Security

To prevent access by unauthorized users or devices during operation, and unintended changes due to users' operation errors, consider the security measures described in this section.

• SCS security level
The SCS controls the security levels for the safe operation of the system.
Set the security level to Level 2 during the normal operation of the SCS to protect the SCS against illegal access. It needs to be set to Level 1 for maintenance, and to Level 0 for off-line operation. To prevent erroneous changes of the security level, password authorization is required.
Assign different passwords for authorization to individual security levels and SCSs. Check that the security level on the display of the SENG is correct when changing the security level.

• Access to SCS
Changing the security level enables the SCS to be accessed. To prevent erroneous access to the SCS, correct operation on the SENG is needed. For this purpose, the SENG is provided with the display of the system alarms and SCS status to indicate which part of the SCS is to be accessed. When accessing the SCS, use these functions to ensure the correct access for its safe operation.

• Access control on SENG
The safety application is protected with a password, so that only authorized users are allowed to operate and modify it. The passwords for operating the safety application need to be different for each SCS.

• Check list for security
Table 2.4-1 Check list for security
No.  Description  Check
1  Is the usage of the SCS Security Levels understood?
2  Have different passwords for changing SCS Security Levels been assigned to individual security levels and individual SCSs?
3  Has the Security Level of the SCS in operation been set to Level 2?
4  When performing operations on the SCS, have you confirmed that the settings and the state of the SCS are the same as you intended?
5  Have different passwords for operating the safety application on the SENG been assigned to individual SCSs?


2.5 Online change
ProSafe-RS allows the application to be modified, I/O modules to be added or removed, and the I/O module settings to be changed online.
Before an Online Change, analyze its impact on the system, provide external measures when necessary or appropriate, and then execute it with great caution.

• Online change consideration
After modifying the application and completing the check, you need to perform Online Change Download and test the modified part. Before Online Change Download, change the SCS Security Level to Level 1, and return it to Level 2 after completion of the test.
To prevent a system error, Online Change Download must not be performed while a maintenance override operation from the HIS is in progress.
If the modified application contains any unintended changes, Online Change can lead to unexpected system behavior. To prevent adverse effects on parts outside the SCS caused by such unexpected behavior, use the Forcing Function, and also provide appropriate measures outside the SCS in advance to deal with emergency situations.
For the detailed procedure for Online Change, refer to the Engineering Guide (IM 32Q01C10-31E).

• Check list for online change
Table 2.5-1 Check list for online change
No. Description Check
1 Has the plan of modification been reviewed and approved?
2 Does the modification need to be done online?
3 Has the impact of the online change on the system been analyzed and the results fully understood?
4 Are the Integrity Analyzer and Cross Reference Analyzer used for change verification?
5 Has the Forcing Function or Fixing All Output Function been taken into account?
6 Have adequate measures for emergency situations been prepared outside the SCS?
7 Has the procedure for the online change been clearly established?


2.6 Forcing
This section explains the considerations when performing the Forcing Function.

• Forcing function
The forcing function of the SENG is for locking and forcing the values on I/O channels and the variables used in the application logic.
To start the forcing function, change the SCS Security Level to Level 1.
When operating from the SENG, make sure that the correct variables are locked.
To return to normal operation, unlock all the I/O channels and variables, and change the SCS Security Level to Level 2.
Using the dedicated FB helps management of the forcing condition, such as the number of locked variables and forced unlocking of locked variables.
Before performing the forcing function, which is used for maintenance of devices and for Online Change, analyze the impact on the system and take adequate measures beforehand.

• Check list for forcing
Table 2.6-1 Check list for forcing
No. Description Check
1 Has the impact of the forcing on the system been analyzed and the results fully understood?
2 Has the use of the dedicated FB for managing the forcing condition been taken into account?
3 Has the procedure for forcing been clearly established?
4 Does the procedure include the instruction that, after forcing is finished, all the variables must be set back to their normal values and then unlocked?
5 Have adequate measures for emergency situations been prepared outside the SCS?


2.7 Maintenance override
This section explains the considerations when performing a maintenance override.

• Maintenance override
The maintenance override, which is used for device maintenance, assigns a predefined value or state to an I/O variable.
For a maintenance override from the HIS in a CENTUM-integrated system, build the safety application logic beforehand, using the dedicated FB for maintenance overrides.
The maintenance override operation has two steps: the authorization command and the execution command of the override. After completion of maintenance, clear the maintenance override.
Perform the series of operations from the HIS with the operator confirming the contents and the message on the display.

• Check list for maintenance override
Table 2.7-1 Check list for maintenance override
No. Description Check
1 Has the effect of the maintenance override been analyzed and the results fully understood?
2 Has the application logic been written with the dedicated FB for the maintenance override?
3 Has the operation manual been prepared and confirmed by the operators?
4 Does the operation manual include the instruction that all overrides must be removed at the completion of the maintenance?
5 Has an alternative method for removing overrides been prepared?
6 Have adequate measures for emergency situations been prepared outside the SCS?


2.8 Replacement of modules in SCS
This section explains the considerations when replacing modules.

• Replacement of modules
When a module failure occurs, identify the failed location in the SCS using the LED display of the modules or the diagnostic information of the SENG, then replace the relevant module.
After replacing the CPU module in a single configuration, perform Master Database Offline Download and ensure that the correct application has been downloaded.
In case a module failure does not lead to a shutdown in a single configuration, the replacement of the module should take place within the Mean Time To Repair (MTTR).
Even in case of a failure in one module of a duplex configuration, SIL 3 is guaranteed. The failed module can be replaced while the SCS is in operation.

• Check list for replacement of modules
Table 2.8-1 Check list for replacement of modules
No. Description Check
1 Has the diagnostic information of the SENG been confirmed?
2 Is the LED display of the relevant module showing the failure?
3 Is the procedure for replacing the module understood correctly?
4 After replacing a CPU module, has the application been confirmed correct (in the single configuration)?
5 Has Master Database Offline Download been performed to load the correct application if necessary?


Appendix 1. Product support
Please contact our offices listed below for technical support of the ProSafe-RS system.

Table Appendix 1-1 Product support list
Yokogawa Electric Corporation
2-9-32 Nakacho, Musashino-Shi, Tokyo 180-8750 Japan
Phone: 0422 (52) 5634
Fax: (81)-422-52-9802
E-mail: 200502prosafe_com@yg.jp.yokogawa.com

Yokogawa Europe Solutions B.V.
Euroweg 2, 3825 HD Amersfoort
P.O. Box 163, 3800 AD Amersfoort
The Netherlands
Phone: (31)-281-340-3800
Fax: (31)-281-340-3838
E-mail: Info@nl.yokogawa.com

Yokogawa Corporation of America
12530 West Airport Blvd, Sugar Land, Texas 77478 U.S.A.
Phone: (1)-88-4641000
Fax: (1)-88-4641111
E-mail: prosafe@us.yokogawa.com

Yokogawa Middle East B.S.C.
P.O. Box 10070, Manama Building 577, Road 2516, Busaiteen 225, Muharraq, Bahrain
Phone: (973)-17-358100
Fax: (973)-17-336100
E-mail: YME-SIS-ENG@bh.yokogawa.com

Yokogawa China Co., Ltd.
3F Tower D Cartelo Crocodile Building, No.568 West Tianshan Road, Shanghai 200335, China
Phone: (86)-21-62396262
Fax: (86)-21-62387866
E-mail: YCN_RS_TEAM@gr.cn.yokogawa.com

Yokogawa Engineering Asia Pte Ltd
Safety Excellence Center
5 Bedok South Road
Singapore 469270
Phone: (65)-6241-9933
Fax: (65)-6241-2606
E-mail: prosafe@sg.yokogawa.com


Revision Information
Title: Safety Manual
Manual No.: IM 32Q01S10-31
Dec. 2012/2nd Edition/R3.02 or later*
*: Denotes the release number of the Software Product corresponding to the contents of this Manual. The revised contents are valid until the next edition is issued.
2.2 Addition of Ethernet communication module.
Aug. 2011/1st Edition/R3.01 or later
Newly published.

• For Questions and More Information
Online Query: A query form is available at the following URL for online queries.
http://www.yokogawa.com/iss
• Written by Yokogawa Electric Corporation
• Published by Yokogawa Electric Corporation
2-9-32 Nakacho, Musashino-shi, Tokyo 180-8750, JAPAN
• Printed by KOHOKU PUBLISHING & PRINTING INC.
