GA BlueLine safety manual - TUV Cooperation - Functional Safety
GA BlueLine safety manual - TUV Cooperation - Functional Safety
GA BlueLine safety manual - TUV Cooperation - Functional Safety
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
GEBHARDT Automation GmbH<br />
<strong>GA</strong> <strong>BlueLine</strong><br />
<strong>safety</strong> systems<br />
<strong>Safety</strong> Manual
Title <strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> systems - <strong>safety</strong> <strong>manual</strong><br />
File <strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> systems - <strong>safety</strong> <strong>manual</strong> Rev00.01 24.01.2011.doc<br />
Document<br />
number<br />
Revision index Description<br />
G0.HA.0003.031.41.088.00.01.E.E.O<br />
document history<br />
Author<br />
Review<br />
Release<br />
00.00 first release A = StS<br />
00.01 update for MPU-M1 processor card, <strong>GA</strong> BlueEdit programming<br />
tool, SCM1 current monitoring module<br />
R = MK<br />
Re = UG<br />
A = StS<br />
R = MK<br />
Re = UG<br />
Involved at GEBHARDT Automation GmbH: Ulrich Gebhardt (UG), Wolfgang Paulicks (WP),<br />
Markus König (MK), Stephan Schild (StS), Oliver Bäsken (OB)<br />
Relevant documents:<br />
/1/ <strong>GA</strong> BlueEdit user <strong>manual</strong><br />
/2/ <strong>GA</strong> MCAD-S mod 1 technical description<br />
/3/ <strong>GA</strong> MCADA-S mod 1 technical description<br />
/4/ <strong>GA</strong> MCDIN-S mod 1 technical description<br />
/5/ <strong>GA</strong> MCDOT-S mod 1 technical description<br />
/6/ <strong>GA</strong> MPU-M1 technical description<br />
/7/ <strong>GA</strong> SR-01-42-24-00 technical description<br />
/8/ <strong>GA</strong> SCM1 technical description<br />
/9/ <strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> system checklists<br />
Date<br />
<strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> systems - <strong>safety</strong> <strong>manual</strong> Rev00.01 24.01.2011.doc page 2 of 50<br />
23.07.2009<br />
24.01.2011
Contents<br />
1 INTRODUCTION ...................................................................................................................................... 6<br />
1.1 CONTACT INFORMATION...................................................................................................................... 6<br />
1.2 DOCUMENT SCOPE, APPLIED STANDARDS ............................................................................................ 7<br />
1.3 GENERAL STATEMENTS........................................................................................................................ 9<br />
1.4 DOCUMENT MAP ................................................................................................................................10<br />
1.4.1 Essential documents..................................................................................................................... 10<br />
1.4.2 Software documents ..................................................................................................................... 10<br />
1.4.3 Hardware documents ................................................................................................................... 10<br />
2 SAFETY LIFECYCLE ............................................................................................................................ 11<br />
3 PRODUCT OVERVIEW......................................................................................................................... 13<br />
3.1 <strong>GA</strong> BLUELINE SAFETY SYSTEMS, CONCEPT ....................................................................................... 13<br />
3.1.1 <strong>GA</strong> MCU processor concept ........................................................................................................13<br />
3.1.2 <strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> concept ......................................................................................................... 14<br />
3.1.3 Field signal handling ................................................................................................................... 16<br />
3.2 SYSTEM INTEGRATION ....................................................................................................................... 18<br />
3.3 HARDWARE COMPONENTS ................................................................................................................. 19<br />
3.4 DIAGNOSTIC COVERAGE .................................................................................................................... 19<br />
3.5 ERROR RESPONSE............................................................................................................................... 19<br />
3.6 FUNCTIONAL AND DISPLAY ELEMENTS OF HARDWARE COMPONENTS ................................................ 21<br />
3.6.1 Elements of MCxxx-S cards.......................................................................................................... 21<br />
3.6.2 Elements of ICU and MPU-M1 cards .......................................................................................... 22<br />
3.6.3 Elements of DSPVCU cards......................................................................................................... 23<br />
3.6.4 Elements of cooling fan................................................................................................................ 23<br />
3.6.5 Elements of the <strong>safety</strong> relay <strong>GA</strong> SR-01-42-24-00......................................................................... 24<br />
3.6.6 Elements of DFAB-1oo2D external hardware voter .................................................................... 24<br />
3.6.7 Elements of TFAB DIGIO 2oo3 ................................................................................................... 25<br />
3.6.8 Elements of the <strong>GA</strong> SCM1 current measurement module ............................................................ 26<br />
3.7 SAFETY TIME AND REACTION TIME .................................................................................................... 26<br />
3.7.1 System reaction time .................................................................................................................... 26<br />
3.7.2 Diagnostic test interval ................................................................................................................ 27<br />
3.7.3 Process <strong>safety</strong> time....................................................................................................................... 27<br />
3.7.4 Proof test interval......................................................................................................................... 27<br />
4 PES SYSTEM ENGINEERING.............................................................................................................. 28<br />
4.1 HARDWARE ENGINEERING................................................................................................................. 28<br />
4.1.1 Specification of <strong>safety</strong> requirements............................................................................................. 28<br />
4.1.2 Hardware design and validation planning................................................................................... 28<br />
4.1.3 System integration........................................................................................................................ 28<br />
4.1.4 Hardware engineering, check list ................................................................................................29<br />
4.2 SOFTWARE ENGINEERING .................................................................................................................. 29<br />
4.2.1 Specification of <strong>safety</strong> requirements............................................................................................. 29<br />
4.2.2 Software design and validation planning..................................................................................... 29<br />
4.2.3 SIL3-approved function blocks..................................................................................................... 30<br />
4.2.4 Integration of PES hardware and software.................................................................................. 30<br />
4.2.5 Software validation ...................................................................................................................... 30<br />
4.2.6 Software engineering, check list................................................................................................... 31<br />
5 ASSEMBLY AND INSTALLATION..................................................................................................... 32<br />
5.1 QUALIFIED PERSONNEL...................................................................................................................... 32<br />
5.2 SAFETY-RELEVANT RESTRICTIONS OF USE ......................................................................................... 32<br />
5.3 MOUNTING AND CONNECTING ........................................................................................................... 32<br />
5.4 ASSEMBLY AND INSTALLATION, CHECK LIST ..................................................................................... 33<br />
6 FORCING I/O SIGNALS........................................................................................................................ 34<br />
6.1 PROCEDURE ....................................................................................................................................... 34<br />
6.2 FORCING I/O SIGNALS, CHECK LIST .................................................................................................... 34<br />
<strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> systems - <strong>safety</strong> <strong>manual</strong> Rev00.01 24.01.2011.doc page 3 of 50
7 COMMISSIONING ................................................................................................................................. 35<br />
7.1 QUALIFIED PERSONNEL...................................................................................................................... 35<br />
7.2 COMMISSIONING PROCEDURES .......................................................................................................... 35<br />
7.3 APPLICATION SOFTWARE MODIFICATION........................................................................................... 36<br />
7.3.1 Program modifications................................................................................................................. 36<br />
7.3.2 Parameter modification................................................................................................................ 36<br />
7.3.3 Online modification...................................................................................................................... 36<br />
7.4 COMMISSIONING, CHECK LIST............................................................................................................ 37<br />
8 MAINTENANCE ..................................................................................................................................... 38<br />
8.1 QUALIFIED PERSONNEL...................................................................................................................... 38<br />
8.2 MAINTENANCE PROCEDURES............................................................................................................. 38<br />
8.3 REPLACEMENT OF COMPONENTS........................................................................................................ 39<br />
8.4 MAINTENANCE, CHECK LIST .............................................................................................................. 39<br />
9 ACCESS AUTHORIZATION................................................................................................................. 41<br />
9.1 USER LOGIN....................................................................................................................................... 41<br />
9.2 KEY SWITCH FOR OPERATING MODE .................................................................................................. 41<br />
10 DIAGNOSTIC INFORMATION............................................................................................................ 43<br />
10.1 DIAGNOSTIC DATA............................................................................................................................. 43<br />
10.2 PROCESS DATA................................................................................................................................... 43<br />
10.3 ANALYZING ERROR MESSAGES .......................................................................................................... 44<br />
11 COMMON TECHNICAL DATA ...........................................................................................................45<br />
12 SAFETY SPECIFIC DATA .................................................................................................................... 46<br />
12.1 SYMBOLS AND ABBREVIATIONS......................................................................................................... 46<br />
12.2 CHARACTERISTIC SAFETY VALUES..................................................................................................... 47<br />
12.2.1 <strong>GA</strong> <strong>BlueLine</strong>: Probability of Failure data............................................................................... 47<br />
12.2.2 SIL example <strong>GA</strong> DUPLEX-S ................................................................................................... 48<br />
12.2.3 SIL example <strong>GA</strong> DualCore-S................................................................................................... 49<br />
13 INDEX ....................................................................................................................................................... 50<br />
List of warnings<br />
Warning 1.................................................................................................................................. 9<br />
Warning 2.................................................................................................................................. 9<br />
Warning 3................................................................................................................................ 32<br />
Warning 4................................................................................................................................ 34<br />
Warning 5................................................................................................................................ 36<br />
Warning 6................................................................................................................................ 36<br />
Warning 7................................................................................................................................ 39<br />
Warning 8................................................................................................................................ 41<br />
Warning 9................................................................................................................................ 42<br />
<strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> systems - <strong>safety</strong> <strong>manual</strong> Rev00.01 24.01.2011.doc page 4 of 50
List of figures<br />
Figure 1: overall <strong>safety</strong> lifecycle............................................................................................. 11<br />
Figure 2: hardware <strong>safety</strong> lifecycle ......................................................................................... 12<br />
Figure 3: software <strong>safety</strong> lifecycle .......................................................................................... 12<br />
Figure 4: MCU processor concept, with single-card configuration........................................ 13<br />
Figure 5: <strong>GA</strong> <strong>BlueLine</strong> concept, with single-card configuration............................................ 14<br />
Figure 6: <strong>GA</strong> <strong>BlueLine</strong> concept, DUPLEX-S configuration .................................................. 15<br />
Figure 7: <strong>GA</strong> <strong>BlueLine</strong> system schematic............................................................................... 16<br />
Figure 8: software voting, <strong>GA</strong> DUPLEX-S example.............................................................. 17<br />
Figure 9: Example for network integration............................................................................. 18<br />
Figure 10: front panel and elements of MCxxx-S cards ......................................................... 21<br />
Figure 11: front panel and elements of ICU and MPU-M1 cards........................................... 22<br />
Figure 12: front panel and elements of DSPVCU card........................................................... 23<br />
Figure 13: front panel and elements of cooling fan ................................................................ 23<br />
Figure 14: <strong>GA</strong> SR-01-42-24-00 relay voter, 1oo2 .................................................................. 24<br />
Figure 15: DFAB-1oo2D majority voter................................................................................. 24<br />
Figure 16: TFAB DIGIO 2oo3 majority voter........................................................................ 25<br />
Figure 17: <strong>GA</strong> SCM1 output current monitoring module....................................................... 26<br />
Figure 18: user login ............................................................................................................... 41<br />
Figure 19: key switch Running/Maintenance.......................................................................... 41<br />
Figure 20: Reliability block diagram, 1-out-of-2D example................................................... 48<br />
Figure 21: Reliability block diagram, <strong>GA</strong> DualCore-S........................................................... 49<br />
List of tables<br />
Table 1: check list hardware engineering................................................................................ 29<br />
Table 2: check list software engineering, system integration ................................................. 31<br />
Table 3: check list software engineering, programming......................................................... 31<br />
Table 4: check list software engineering, validation............................................................... 31<br />
Table 5: check list assembly and installation.......................................................................... 33<br />
Table 6: check list forcing i/o signals...................................................................................... 34<br />
Table 7: check list commissioning.......................................................................................... 37<br />
Table 8: check list commissioning, program modification..................................................... 37<br />
Table 9: check list maintenance, exchanging cards ................................................................ 40<br />
Table 10: Probability of failure, externally redundant cards................................................... 47<br />
Table 11: Probability of failure, internally redundant cards ................................................... 47<br />
Table 12: Probability of failure, external hardware voter ....................................................... 47<br />
<strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> systems - <strong>safety</strong> <strong>manual</strong> Rev00.01 24.01.2011.doc page 5 of 50
1 Introduction<br />
1.1 Contact information<br />
GEBHARDT Automation GmbH<br />
Thüngenfeld 3<br />
D- 58256 Ennepetal<br />
Germany<br />
Tel.: +49 2333 7908 - 0<br />
available during working hours, Mo to Fr, from 8 00 to 17 00 (5 pm)<br />
central european time (CET, GMT+1).<br />
FAX: +49 2333 7908 - 24<br />
Web: www.gebhardt-automation.de<br />
Support support@gebhardt-automation.de<br />
Information info@gebhardt-automation.de<br />
<strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> systems - <strong>safety</strong> <strong>manual</strong> Rev00.01 24.01.2011.doc page 6 of 50
1.2 Document scope, applied standards<br />
This document applies to the following products:<br />
• components based on the <strong>GA</strong> <strong>BlueLine</strong> concept<br />
• systems build with <strong>GA</strong> <strong>BlueLine</strong> components<br />
The GEBHARDT Automation GmbH <strong>safety</strong> systems are TÜV certified for <strong>safety</strong> integrity<br />
level SIL 3 according to IEC 61508 standard and conform to :<br />
TÜV Rheinland Group<br />
TÜV Industrie Service GmbH<br />
Automation, Software und Informationstechnologie<br />
Am Grauen Stein<br />
D - 51105 Köln<br />
Certificate and test report No. 968/EZ 351.01/11<br />
Programmable electronic <strong>safety</strong> systems<br />
<strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> system<br />
GEBHARDT Automation GmbH is entitled to use the above mark of conformity for “<strong>Functional</strong><br />
<strong>Safety</strong>” with its SIL3 certified <strong>safety</strong> systems.<br />
The systems are designed in accordance with following standards. All important, <strong>safety</strong> relevant<br />
features are tested according to:<br />
• IEC 61508 Part 1 – 7: 2010<br />
<strong>Functional</strong> <strong>safety</strong> of programmable electronic systems<br />
• EN 50156-1: 2004<br />
Electrical Equipment for Furnaces<br />
• IEC 61511-1: 2004<br />
<strong>Functional</strong> <strong>safety</strong> - <strong>Safety</strong> instrumented systems for the process industry sector<br />
• NFPA 72: 2010<br />
National Fire Alarm Code Handbook<br />
• NFPA 85: 2007<br />
Boiler and Combustion Systems Hazards Code<br />
• NFPA 86: 2007<br />
Standard for Ovens and Furnaces<br />
• EN 54-2: 1997 + AC: 1999 +A1: 2006<br />
Fire Detection and Fire Alarm Systems Control and Indicating Equipment<br />
• EN 298: 2003<br />
Automatic gas burner control systems for gas burners and gas burning appliances<br />
with or without fans<br />
• EN 62061: 2005 /Corrigendum 1: 2005 / Corrigendum 2: 2008<br />
<strong>Safety</strong> of machinery – <strong>Functional</strong> <strong>safety</strong> of <strong>safety</strong>-related electrical, electronic and<br />
programmable electronic control systems<br />
<strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> systems - <strong>safety</strong> <strong>manual</strong> Rev00.01 24.01.2011.doc page 7 of 50
• EN ISO 13849-1: 2008 + AC: 2009<br />
<strong>Safety</strong> of machinery, <strong>Safety</strong>-related parts of control systems,<br />
Part 1: General principles for design<br />
• DIN EN 954-1: 1996<br />
<strong>Safety</strong> of Machinery, <strong>Safety</strong> related parts of control systems<br />
Part 1: General principles for design<br />
• EN 60204-1: 2006 (in extracts)<br />
<strong>Safety</strong> of machinery – Electrical equipment of machines,<br />
Part 1: general requirements<br />
• IEC 61131-2: 2007<br />
Programmable controllers, Part 2: Equipment requirements and tests<br />
• IEC 61326-3-1: 2008<br />
Electrical equipment for measurement, control and laboratory use – EMC requirements<br />
Part 3-1: Immunity requirements for <strong>safety</strong>-related systems and for equipment intended<br />
to perform <strong>safety</strong>-related functions (functional <strong>safety</strong>) – General industrial<br />
applications<br />
• DIN EN 50155: 2008<br />
Railway applications - Electronic equipment used in rolling stock<br />
German version EN 50155: 2007<br />
• DIN EN 61373: 1998-1<br />
Railway applications – Rolling stock equipment – Shock and vibration tests<br />
• DIN EN 50178: 1998<br />
Electronic equipment for use in power installations<br />
<strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> systems - <strong>safety</strong> <strong>manual</strong> Rev00.01 24.01.2011.doc page 8 of 50
1.3 General statements<br />
All technical data and information in this document were compiled and controlled with utmost<br />
care. Nevertheless errors can not completely be excluded. GEBHARDT Automation<br />
GmbH assumes no liability for consequences due to incorrect information.<br />
The systems based on the <strong>GA</strong> <strong>BlueLine</strong> concept are designed, manufactured and tested according<br />
to applicable <strong>safety</strong> standards. They must be used only as specified in technical descriptions<br />
and be connected only to approved external devices. The permissible ambient conditions<br />
must be adhered to.<br />
Modification is strictly prohibited. Use only approved replacement parts for repair and maintenance.<br />
Warning 1<br />
Accurate implementation of all <strong>safety</strong> instructions by qualified personnel is required<br />
for every phase of the life cycle, especially installation, commissioning, operating<br />
and maintenance of <strong>GA</strong> <strong>BlueLine</strong> systems.<br />
Disregard of the <strong>safety</strong> <strong>manual</strong> and referenced documents may compromise the performance<br />
of <strong>safety</strong> functions and cause the loss of a required <strong>safety</strong> integrity level (SIL or PL). It may<br />
lead to severe damage to property or environment and death of personnel.<br />
Warning 2<br />
Unqualified use or handling of the systems may impair the performance of <strong>safety</strong><br />
functions and may lead to severe damage to property or environment and death of<br />
personnel. GEBHARDT Automation shall have neither liability nor responsibility<br />
for improper use of equipment.<br />
It is strictly prohibited to reproduce the software for <strong>GA</strong> <strong>BlueLine</strong> systems except for the<br />
purpose of backup.<br />
Any reverse engineering, such as reverse compilation or disassembling of the software is<br />
strictly prohibited.<br />
The GEBHARDT Automation products mentioned in this document may be registered<br />
trademarks.<br />
All other company and product names mentioned in this document are trademarks or registered<br />
trademarks of their respective companies.<br />
No part of this document may be reproduced or transferred without prior written consent<br />
from GEBHARDT Automation GmbH.<br />
GEBHARDT Automation GmbH reserves the right to make improvements at any time, without<br />
notice or obligation.<br />
All rights reserved.<br />
<strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> systems - <strong>safety</strong> <strong>manual</strong> Rev00.01 24.01.2011.doc page 9 of 50
1.4 Document map<br />
1.4.1 Essential documents<br />
- <strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> systems – <strong>safety</strong> <strong>manual</strong><br />
- <strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> systems – installation <strong>manual</strong><br />
- TÜV Revision Release List<br />
1.4.2 Software documents<br />
- <strong>GA</strong> BlueEdit – user <strong>manual</strong>: <strong>manual</strong> for engineering tool<br />
- <strong>GA</strong> BlueEdit – Online Help<br />
1.4.3 Hardware documents<br />
I/O modules<br />
- <strong>GA</strong> MCAD-S mod. 1 – technical description<br />
- <strong>GA</strong> MCDIN-S mod. 1 – technical description<br />
- <strong>GA</strong> MCDOT-S mod. 1 – technical description<br />
- <strong>GA</strong> MCADA-S mod. 1 – technical description<br />
CPU and Communication modules<br />
- <strong>GA</strong> ICU mod. 1 – technical description<br />
- <strong>GA</strong> ICU mod. 2 – technical description<br />
- <strong>GA</strong> MPU-M1 – technical description<br />
Other rack-internal modules<br />
- <strong>GA</strong> FPR mod. 3 – technical description<br />
- <strong>GA</strong> DSPVCU – technical description<br />
Field output modules<br />
- <strong>GA</strong> SR-01-42-24-00 – technical description<br />
- <strong>GA</strong> DFAB-1oo2D – technical description<br />
- <strong>GA</strong> TFAB-DIGIO-2oo3 – technical description<br />
- <strong>GA</strong> SCM1 – technical description<br />
<strong>Safety</strong> system racks<br />
- <strong>GA</strong> DualCore-S racks – technical description<br />
- <strong>GA</strong> COMPACT-FS1 rack – technical description<br />
- <strong>GA</strong> DUPLEX-S racks – technical description<br />
- <strong>GA</strong> TMR-S racks – technical description<br />
<strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> systems - <strong>safety</strong> <strong>manual</strong> Rev00.01 24.01.2011.doc page 10 of 50
2 <strong>Safety</strong> lifecycle<br />
For systematic assessment of <strong>safety</strong> the IEC 61508 standard considers the complete lifecycle<br />
of a system: beginning at the planning stage, continuing with commissioning, distribution,<br />
maintenance and repair, up to de-commissioning. This overall <strong>safety</strong> lifecycle is separated<br />
into 16 phases, defining methods and activities to achieve the required <strong>safety</strong> integrity for<br />
each phase.<br />
Overall<br />
operation and<br />
maintenance<br />
planning<br />
Overall planning<br />
Overall<br />
<strong>safety</strong><br />
validation<br />
planning<br />
6 7 8<br />
Overall<br />
installation and<br />
commissioning<br />
planning<br />
1<br />
2<br />
3<br />
4<br />
5<br />
12<br />
13<br />
Concept<br />
Overall scope<br />
definition<br />
Hazard and risk<br />
analysis<br />
Overall <strong>safety</strong><br />
requirements<br />
<strong>Safety</strong> requirements<br />
allocation<br />
Overall installation<br />
and commissioning<br />
Overall <strong>safety</strong><br />
validation<br />
Overall operation,<br />
14 maintenance and repairr<br />
16<br />
9<br />
<strong>Safety</strong>-related<br />
Systems:<br />
E/E/PES<br />
Realisation<br />
(see E/E/PES<br />
<strong>safety</strong><br />
lifecycle)<br />
Decommissioning<br />
or disposal<br />
10<br />
Figure 1: overall <strong>safety</strong> lifecycle<br />
<strong>Safety</strong>-related<br />
systems:<br />
other technology<br />
15<br />
Realisation<br />
Overall modification<br />
and retrofit<br />
11<br />
External risk<br />
reduction<br />
facilities<br />
Realisation<br />
This document concentrates on phase 9 of the overall <strong>safety</strong> lifecycle, the <strong>safety</strong>-related<br />
E/E/PES system. Specific lifecycles for hardware and software <strong>safety</strong> design define more<br />
detailed phases.<br />
Phases 10 (other technology, i.e. mechanical emergency shut down) and 11 (external facilities,<br />
i.e. escape routes or protective barriers) are not relevant for the scope of this document.<br />
<strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> systems - <strong>safety</strong> <strong>manual</strong> Rev00.01 24.01.2011.doc page 11 of 50
9.2<br />
E/E/PES <strong>safety</strong><br />
validation planning<br />
9.1<br />
9.1.1<br />
<strong>Safety</strong> functions<br />
requirements<br />
specification<br />
9.3<br />
9.4<br />
9.6<br />
E/E/PES <strong>safety</strong> requirements<br />
specification<br />
9.1.2<br />
E/E/PES design<br />
and development<br />
E/E/PES integration<br />
E/E/PES<br />
<strong>safety</strong> validation<br />
<strong>Safety</strong> integrity<br />
requirements<br />
specification<br />
to box 12 in<br />
overall <strong>safety</strong> lifecycle<br />
9.5<br />
Figure 2: hardware <strong>safety</strong> lifecycle<br />
E/E/PES operation and<br />
maintenance<br />
procedures<br />
to box 14 in<br />
overall <strong>safety</strong> lifecycle<br />
The hardware <strong>safety</strong> lifecycle must be considered during planning and design of the E/E/PES<br />
system. This document defines activities and procedures for each phase.<br />
9.2<br />
Software <strong>safety</strong><br />
validation planning<br />
9.1<br />
9.1.1<br />
<strong>Safety</strong> functions<br />
requirements<br />
specification<br />
9.3<br />
9.4<br />
9.6<br />
Software <strong>safety</strong><br />
requirements specification<br />
9.1.2<br />
Software design<br />
and development<br />
PE integration<br />
(hardware/software)<br />
Software <strong>safety</strong><br />
validation<br />
<strong>Safety</strong> integrity<br />
requirements<br />
specification<br />
to box 12 in<br />
overall <strong>safety</strong> lifecycle<br />
9.5<br />
Figure 3: software <strong>safety</strong> lifecycle<br />
Software operation and<br />
modification procedures<br />
to box 14 in<br />
overall <strong>safety</strong> lifecycle<br />
The software <strong>safety</strong> lifecycle must be considered during planning and design of software for<br />
the E/E/PES system. This document defines activities and procedures for each phase.<br />
<strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> systems - <strong>safety</strong> <strong>manual</strong> Rev00.01 24.01.2011.doc page 12 of 50
3 Product overview<br />
3.1 <strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> systems, concept<br />
Basically the <strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> systems support two very similar working concepts:<br />
1. the <strong>GA</strong> MCU processor concept, using smart i/o cards without a dedicated processor<br />
card<br />
2. the <strong>GA</strong> <strong>BlueLine</strong> concept, with dedicated processor card and safe Ethernet communication.<br />
Both concepts use identical components and achieve SIL3 <strong>safety</strong> integrity. The <strong>BlueLine</strong><br />
concept is an extension of the previously certified “<strong>GA</strong> MCU <strong>Safety</strong>Core” concept, introducing<br />
the dedicated, internally redundant MPU-M1 processor and communication card (Multi<br />
Processor Unit).<br />
In addition to <strong>safety</strong> functions the systems can also handle regular control functions. For<br />
functions not <strong>safety</strong>-related the systems support regular i/o cards that are certified not to interfere<br />
in <strong>safety</strong> functions. See the list of certified components.<br />
3.1.1 <strong>GA</strong> MCU processor concept<br />
The <strong>GA</strong> MCU processor concept is based on MCU-S (Micro Controller Unit for <strong>Safety</strong>)<br />
cards:<br />
“smart” i/o cards with integrated micro controller units. The system architecture of each card<br />
is consistently dual redundant with hardware fault tolerance HFT = 1. Redundant micro controllers<br />
– MCU-A and MCU-B – access the card’s i/o signals, handle signal diagnostics, continuously<br />
monitor each other for correct operation and run the application software.<br />
The MCU-S cards are passively connected to the data bus. A communication controller card<br />
(ICU) actively reads data packages from each MCU-S input card (type MCAD-S and<br />
MCADA-S for analog, MCDIN-S for digital input) and sends them to the output cards (type<br />
MCADA-S for analog input and output, MCDOT-S for digital output). The output cards use<br />
the input data to calculate their field output signals according to the application software.<br />
For SIL3 output signals an external hardware voter module may be used to create the combined<br />
field output signal.<br />
Figure 4: MCU processor concept, with single-card configuration<br />
<strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> systems - <strong>safety</strong> <strong>manual</strong> Rev00.01 24.01.2011.doc page 13 of 50
Figure 4 shows the minimal system configuration <strong>GA</strong> DualCore-S, a SIL3 application with a<br />
hardware fault tolerance of HFT = 1.<br />
• Two MCU processors on one input card read input signals from redundant sensors<br />
A and B. Depending on card type each MCU can typically read up to 12 input signals.<br />
• Field signal diagnostics and card-internal diagnostics verify the signal quality.<br />
• The input signals are transmitted via data bus, consisting of the physical bus connection<br />
and a communication controller card, ICU.<br />
• The data is received by one output card, also with redundant MCU processors.<br />
Each MCU processes both sensor signals according to the application software,<br />
compares its result with the other MCU and separately sets its output signal(s) to<br />
the required ON/OFF state.<br />
• An external hardware voter – basically two relays in serial – combines the output<br />
signals into one 1oo2 field signal. Forcibly guided read-back contacts of the relays<br />
allow separate error diagnostics for each relay.<br />
To improve process availability, redundant input and/or output cards may be used. In that<br />
case two or three i/o cards are used instead of the single, internally-redundant card shown in<br />
Figure 4. In multi-card configuration the systems use 1oo2D or 2oo3 voting, so in case of<br />
failure the failed component may be replaced, without a shut-down of the process. The system<br />
can safely operate with failed components, because even if any card completely fails the<br />
remaining card still has an internal hardware fault tolerance of HFT = 1. See Figure 6 as an<br />
example for multi-card configuration.<br />
For less SIL-demanding applications the input signals may be used non-redundant. Then all<br />
(typically 24) input signals will be available for field signals. See technical <strong>manual</strong>s of i/o<br />
cards for more information.<br />
3.1.2 <strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> concept<br />
The <strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> concept uses almost the same components. Only the ICU communication<br />
card is replaced by the MPU-M1 processor and communication card.<br />
Figure 5: <strong>GA</strong> <strong>BlueLine</strong> concept, with single-card configuration<br />
The application software runs directly on the MPU-M1 processor card, allowing faster and<br />
larger applications. The i/o cards only handle the signal diagnostics and internal diagnostics.<br />
The MPU-M1 cards also support safe Ethernet communication for exchange of <strong>safety</strong>-related<br />
data.<br />
<strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> systems - <strong>safety</strong> <strong>manual</strong> Rev00.01 24.01.2011.doc page 14 of 50
A <strong>GA</strong> DualCore-S system as shown in Figure 5 meets SIL3 requirements, using its internal<br />
redundancy. By combining multiple units in on rack (<strong>GA</strong> DUPLEX-S or <strong>GA</strong> TMR-S) the<br />
fault tolerance and availability may be improved.<br />
When using the <strong>GA</strong> DualCore-S or <strong>GA</strong> COMPACT-FS1 racks, multiple racks can be combined<br />
into a redundant system via Ethernet communication. This allows up to quadruple redundancy<br />
Figure 6: <strong>GA</strong> <strong>BlueLine</strong> concept, DUPLEX-S configuration<br />
Figure 6 shows a dual-redundant configuration, either in a <strong>GA</strong> DUPLEX-S rack or in two<br />
separate racks via Ethernet. The main difference is the complete card redundancy. Basically<br />
two identical systems, unit A and unit B, are combined via redundant data bus into a duplex<br />
redundant system. The card-internal redundant handling of input signals as in DualCore-S<br />
configuration is not required, since the complete cards are redundant. The internal signal handling<br />
and processing of application software is quadruple redundant, by two micro controllers<br />
MCU-A and MCU-B on each unit A and B.<br />
The external voter combines the separate output signals into field outputs. Because four<br />
MCUs control each output signal and do signal diagnostics, even at detected failure of one<br />
output the system may continue operation. This results in a 1-out-of-2-D voting, where a<br />
failed component may be replaced while the system continues working. 1oo2D voting requires<br />
voter hardware specifically designed to support extended diagnostics. Simple 1oo2<br />
voting is possible with standard relay outputs.<br />
For triple redundancy, <strong>GA</strong> TMR-S, three identical systems (unit A, B and C) are combined,<br />
typically with an external hardware 2oo3 voter. Each relevant component exists in triplicate;<br />
internal signal processing actually is six-times redundant. The 2oo3 output selection allows<br />
replacing of any component while the system continues working.<br />
<strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> systems - <strong>safety</strong> <strong>manual</strong> Rev00.01 24.01.2011.doc page 15 of 50
3.1.3 Field signal handling<br />
Figure 7: <strong>GA</strong> <strong>BlueLine</strong> system schematic<br />
Voting on input signals:<br />
To increase system availability regarding input signals, it is recommended to activate input<br />
voting. This will take redundant input signals and combine them into one common signal for<br />
use on all output cards. With detected error at one input signal the common signal will be<br />
degraded (e.g. 2oo3 degrades to 1oo2D, 1oo2D degrades to 1oo1D), but the same common<br />
signal will still be available to all output cards.<br />
Without input voting each unit works with its own input signal only, so if input channel 1<br />
fails on unit A, the output card in unit A would see the failed signal only and would set the<br />
output signal to the safe state OFF.<br />
The settings for input signal voting depend on the system architecture, see <strong>GA</strong> BlueEdit user<br />
<strong>manual</strong> for more information).<br />
Voting will also allow deviation detection for analog input signals. The tolerable deviation is<br />
configured separately for each signal. See <strong>GA</strong> BlueEdit user <strong>manual</strong>, AIN function, for more<br />
information).<br />
Analog output signals<br />
MCADA-S cards have access to all signals generated by input cards, field signals and preprocessed<br />
signals. Two MCUs on every card execute the application software, working redundantly<br />
to determine the output signals to hardware. Every MCU sets its output signals to<br />
the field. For each output channel there is a channel to read-back the signal information from<br />
the field. In case of a read-back failure the relevant output or all outputs (depending on the<br />
fault reaction) are set to the safe state 0.0 mA. There are independent shut-down paths for the<br />
current generation and the connection to the field. Via these shut-down paths a MCADA-S<br />
can always set the outputs to the safe power-off state.<br />
If MCADA-S cards are configured in multiple-card redundancy, i.e. in <strong>GA</strong> DUPLEX-S systems,<br />
only one card is active at any time. The other card(s) are hot-standby.<br />
Voting on digital output signals, using external hardware voter relays:<br />
Each output card does redundant signal processing, using micro-controllers MCU-A and<br />
MCU-B. The separate output signals of both MCUs are compared as 1-out-of-2, to guarantee<br />
correct working of the output card. At failure the card diagnostics will detect a card failure.<br />
<strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> systems - <strong>safety</strong> <strong>manual</strong> Rev00.01 24.01.2011.doc page 16 of 50
The signal and relay states can be read back as analog signals to allow output diagnostics. In<br />
case of relay failure (for example: relay is “stuck at one”) a secondary, independent shutdown<br />
path allows de-energizing to the safe state.<br />
Voting on digital output signals, using software voting:<br />
A flexible alternative to voting with external hardware voting relays is software voting. Via<br />
data bus communication (internal data bus or Ethernet <strong>safety</strong> communication) the application<br />
software handles M-out-of-N voting. The desired result is available on all output cards configured<br />
as a redundant group (multi-card configuration, or a single MCDOT-S output card).<br />
The two MCU processors on one output card set the “field output” signals and a “system active”<br />
signal. All other cards of the output group are hot-standby, their “field outputs” and<br />
“system active” is “off”.<br />
If one of the two processors on the active card detects a read-back failure the card will deactivate<br />
and a standby card takes over immediately (less than 5 msec switch-over).<br />
Figure 8: software voting, <strong>GA</strong> DUPLEX-S example<br />
This consistent software voting concept is available for all <strong>GA</strong> <strong>BlueLine</strong> systems. It achieves<br />
SIL3 <strong>safety</strong> integrity with a single output card. Additional cards improve the system availability<br />
with hot-standby functionality. A failed card can be replaced without stopping the<br />
system.<br />
<strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> systems - <strong>safety</strong> <strong>manual</strong> Rev00.01 24.01.2011.doc page 17 of 50
3.2 System integration<br />
Figure 9: Example for network integration<br />
A <strong>safety</strong> project usually consists of at least one PES system (<strong>GA</strong> COMPACT-FS1, <strong>GA</strong> DualCore-S,<br />
<strong>GA</strong> DUPLEX-S or <strong>GA</strong> TMR-S), one engineering station and one visualization<br />
system (DCS, distributed control system). The PES system autonomously handles the <strong>safety</strong>relevant<br />
functions. During normal operation, in “running mode”, no unsafe system (regular<br />
control, Engineering, DCS) can interfere with the PES. Only while switched to “maintenance<br />
mode” with a hardware key switch an authorized user can influence or modify the PES system.<br />
<strong>Safety</strong>-relevant communication between <strong>GA</strong> <strong>safety</strong> systems is available via redundant<br />
Ethernet communication with SIL3 integrity, using the SIL3 certified MPU-M1 communication<br />
and processor card.<br />
Engineering system is a PC, running Windows (2000 or XP) and the integrated development<br />
tool <strong>GA</strong> BlueEdit. After the activation of maintenance mode this system may be used for<br />
commissioning and maintenance of <strong>GA</strong> <strong>safety</strong> systems. In normal operation (running mode)<br />
the engineering station is not required, but may be used by authorized users for extended system<br />
diagnostics.<br />
Optionally engineering may share a PC with DCS. Both programs may be run in parallel on<br />
one computer.<br />
The visualization system (DCS) accesses i/o data and system information via read access<br />
using open communication protocols. Write access from DCS to the PES system must not<br />
interfere with <strong>safety</strong> functions, e.g. interlocking a safe shut-down function with a DCS command<br />
is not allowed. In addition to process values the DCS communication also allows access<br />
to diagnostic information, for visualization, data logging and trending.<br />
Figure 9 shows two variants for a project consisting of one engineering station, one DCS and<br />
two PES systems:<br />
The left figure shows redundant networks. Communication for engineering and process visualization<br />
may be designed dual or triple redundant, depending on the communication capabilities<br />
of the <strong>safety</strong> system. In case of network failure this guarantees undisturbed communication<br />
to the remaining components. Engineering system and DCS must be configured with<br />
independent network cards.<br />
The right figure shows a simple, non-redundant, network. All systems use the same network.<br />
In case of network failure the complete communication may be lost.<br />
<strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> systems - <strong>safety</strong> <strong>manual</strong> Rev00.01 24.01.2011.doc page 18 of 50
<strong>Safety</strong> functions and <strong>safety</strong> integrity are not influenced by a single network failure. Even at<br />
complete network failure the systems will continue normal operation, if no <strong>safety</strong>-related<br />
communication is required.<br />
Networks according to Figure 9 may be extended with further systems of all types (PES, control,<br />
DCS, Engineering). The same network may also include other, not <strong>safety</strong>-related systems.<br />
3.3 Hardware components<br />
Only hardware components registered in the revision-list of tested and certified components<br />
shall be used in <strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> systems.<br />
See Revision Release List.<br />
3.4 Diagnostic coverage<br />
Multiple build in tests (BITs) implemented in the card firmware allow very high diagnostic<br />
coverage. BITs include power-on tests (run once during start up), cyclic tests (run repeatedly<br />
at fixed time intervals during normal operation) and dynamic tests (i.e. field signal tests or<br />
internal communication). BITs monitor the micro-controllers, the acquisition of field signals,<br />
internal and external memory, the <strong>safety</strong> application software and communication between<br />
modules and units. See <strong>GA</strong> safeEdit user <strong>manual</strong> and <strong>GA</strong> technical description.<br />
<strong>Safety</strong> related configuration of diagnostic coverage<br />
Activation/de-activation of input signal monitoring:<br />
Used signals – digital and analog – are monitored for signal range to detect failures of sensor,<br />
transmitter or cable. This failure detection also allows 1oo2D signal handling, continued operation<br />
with one detected failure on two redundant input signals.<br />
Signal diagnostics on spare input signals should be de-activated. Unused signals will have a<br />
fail-safe state (“low” for digital, 0.0 mA for analog, see <strong>GA</strong> technical description MCxxx-S ).<br />
Test interval for field signal tests:<br />
Execution and time interval of field signal tests can be configured during project engineering<br />
only by GEBHARDT Automation GmbH. These settings influence <strong>safety</strong> integrity (i.e. repair<br />
time MTTR) and are password protected. See <strong>GA</strong> technical description MCxxx-S for details.<br />
If there is no specific agreement with the customer, default settings will be used.<br />
Analog input diagnostics on MCAD-S card:<br />
The thresholds for over-range and under-range of current and frequency input signals are<br />
configurable. At each signal access these ranges are checked for failure.<br />
3.5 Error response<br />
Detected errors are displayed using the front side diagnostic LEDs on every MCxxx-S card.<br />
See technical description for the specific cards.<br />
Detected errors on input cards will set the state of affected signals to “faulty”. Only after repair<br />
and acknowledge the state will return to “okay”. The optional software input signal voting<br />
will be degraded, e.g. from 1oo2D to 1oo1D, until the repair is finished and acknowledged.<br />
<strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> systems - <strong>safety</strong> <strong>manual</strong> Rev00.01 24.01.2011.doc page 19 of 50
Detected errors on MCDOT-S output cards will immediately turn off the affected card or<br />
signal (de-energize to trip). Repairs can usually be performed by experienced personnel in a<br />
relatively short time (see MTTR, mean time to repair), while the system continues running<br />
with reduced hardware fault tolerance.<br />
In DualCore-S systems a detected error on a MCDOT-S output card will cause a shut-down if<br />
the card is configured for single-card operation. In multiple-card operation a redundant card<br />
will take over and the failed card can be replaced while the system keeps working.<br />
When redundant units reach different states without being able to assign any error, all outputs<br />
of the affected MCDOT-S cards will turn to “low” and the corresponding field contacts will<br />
open.<br />
Detected errors on outputs of the MCADA-S input/output cards will immediately turn off the<br />
affected signal or card (0 mA to trip), depending on the fault reaction. If a redundant card is<br />
available the system will continue operation and the failed card can be replaced.<br />
Detected errors on inputs of the MCADA-S output cards will set the state of affected signals<br />
to “faulty”. The status of input and output signals will return to “okay” either <strong>manual</strong>ly after<br />
repair and acknowledge of the failure or automatically, according to the card configuration.<br />
<strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> systems - <strong>safety</strong> <strong>manual</strong> Rev00.01 24.01.2011.doc page 20 of 50
3.6 <strong>Functional</strong> and display elements of hardware components<br />
3.6.1 Elements of MCxxx-S cards<br />
All i/o cards use identical functional elements and display LEDs at the front panel. Figure 10<br />
shows diagnostic LEDs and ejection lever.<br />
Figure 10: front panel and elements of MCxxx-S cards<br />
A special module rail in the rack (see bottom right), combined with the guiding pin in the<br />
card’s front panel (see center right) creates galvanic connection and dissipates static charge<br />
before the card electrically connects to the system.<br />
After loosening the neck screws at top and bottom of the front panel the card can be removed<br />
from the system. By pressing the red release button on the ejection lever the integrated micro<br />
switch turns of the card’s power supply and mechanically releases the lever (see center right)<br />
for pushing downwards. This will mechanically extract the card from the rack and internal<br />
data bus, using a clamp and groove mechanism in lever and system rack. This mechanism<br />
prevents accidental removing of cards while the lever is not released.<br />
Replacement cards are inserted using the lever mechanism with clamp and groove. With the<br />
lever pushed down card insertion will be stopped when the clamp hits the groove rail. By<br />
pushing the lever upwards it will mechanically pull the card into the system and data bus. The<br />
card will be turned off while being inserted. Only after mechanically connecting to the data<br />
bus the micro switch will activate the card and lock it into position. This reduces signal interference<br />
on the data bus while inserting or removing cards to non-critical limits.<br />
4 yellow LEDs (see top right) for each MCU processor display the current operating mode<br />
and error state.<br />
See technical description of the respective card for further information.<br />
<strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> systems - <strong>safety</strong> <strong>manual</strong> Rev00.01 24.01.2011.doc page 21 of 50
3.6.2 Elements of ICU and MPU-M1 cards<br />
The mechanical parts with ejection lever, module rail and guiding pin are identical to<br />
MCxxx-S cards. See Figure 10 and description.<br />
Figure 11: front panel and elements of ICU and MPU-M1 cards<br />
There are two models of ICU card available: ICU model 1 and ICU model 2. Model 1 comes<br />
with optional extensions for additional communication ports. Model 2 uses a high speed<br />
processor, has redundant Ethernet ports and a larger FLASH memory capacity for process<br />
data logging.<br />
The front plates of all ICU variants use LEDs to display status information.<br />
• Ethernet Link/Act: LED shows physical connection and network activity.<br />
Normal state: flashing<br />
• Ethernet 100 or Spd: indicates speed of communication, 10/100 or 100/1000 MBit.<br />
Normal state: static ON for high speed<br />
• MA: green LED indicates correct functionality of ICU as bus master. During system<br />
start up the LED is off.<br />
Normal state: static green<br />
• WDG: red LED indicates Watchdog error.<br />
Normal state: always off<br />
For details see technical description of the specific ICU model.<br />
The MPU-M1 card allows 2 Ethernet connections for each processor A and B, using standard<br />
RJ45 Ethernet connectors. The fifth connector is used for redundant serial RS-232 communication,<br />
one port to each processor. A special adapter plug is required.<br />
The front plate uses LEDs to display status information:<br />
• Ethernet Link/Act: LED shows physical connection and network activity.<br />
Normal state: flashing<br />
<strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> systems - <strong>safety</strong> <strong>manual</strong> Rev00.01 24.01.2011.doc page 22 of 50
• RUN CPU A/B: green LED indicates correct functionality of each processor.<br />
Normal state: static green<br />
• ERR CPU A/B: red LED indicates processor error.<br />
Normal state: always off<br />
• DSP BUS ON: green LED indicates correct functionality as bus master.<br />
Normal state: static green<br />
For details see technical description of the MPU-M1 card.<br />
3.6.3 Elements of DSPVCU cards<br />
Figure 12: front panel and elements of DSPVCU card<br />
The DSPVCU voltage control cards are independent control cards for monitoring the secondary<br />
voltages of the two redundant power supplies and generating a malfunction signal in<br />
case of over-voltage or under-voltage detection. They use a simple ejection lever, without<br />
micro switch or mechanical release. The card is not connected to the data bus.<br />
Red LEDs show failures in voltage monitoring of any of the required voltages, indicating<br />
either “Lower Limit” or “Upper Limit” failure. Normal state for all LEDs is off.<br />
The green LED is a combined “Power Good” signal, continuously on during normal operation.<br />
See technical description for further details.<br />
3.6.4 Elements of cooling fan<br />
Figure 13: front panel and elements of cooling fan<br />
<strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> systems - <strong>safety</strong> <strong>manual</strong> Rev00.01 24.01.2011.doc page 23 of 50
LEDs in the front panel show the operating mode. Normal state is green LED on and red<br />
(alarm) LED off. A fan malfunction, e.g. mechanical jamming, activates the red “alarm”<br />
LED. Pressing the reset button after correcting the problem acknowledges the fan alarm and<br />
turns the LED off.<br />
The central area indicates the rack type, here “<strong>GA</strong> DualCore-S” .<br />
Loosening of two retaining screws in the front panel allows removal and replacement of the<br />
cooling fan during normal operation.<br />
Fan malfunction has no direct impact on the <strong>safety</strong> system. It may lead to over-temperature of<br />
the complete system or individual components.<br />
3.6.5 Elements of the <strong>safety</strong> relay <strong>GA</strong> SR-01-42-24-00<br />
Figure 14: <strong>GA</strong> SR-01-42-24-00 relay voter, 1oo2<br />
The <strong>GA</strong> SR-01-42-24-00 <strong>safety</strong> relay module is designed for safe shut-down of control circuits.<br />
It is based on two different <strong>safety</strong> relays, by different manufacturers for diversity. Each<br />
relay switches four closing contacts for field signals in an internal 1-out-of-2 selection and<br />
additional opening contacts for messaging and diagnostics. All contacts are forcibly guided.<br />
Each closing contact circuit is protected by a build-in fuse, to prevent welding due to overcurrent.<br />
The fuses are accessible at the front, for easy replacement.<br />
Two LEDs, K1 and K2, at the front plate show the individual state of both <strong>safety</strong> relays.<br />
3.6.6 Elements of DFAB-1oo2D external hardware voter<br />
Figure 15: DFAB-1oo2D majority voter<br />
<strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> systems - <strong>safety</strong> <strong>manual</strong> Rev00.01 24.01.2011.doc page 24 of 50
The duplex field assembly board DFAB-1oo2D uses three LEDs to indicate the state of the<br />
redundant external power supplies. Two fuses at the upper left corner must be in the “pushed<br />
in” position. The LED below each fuse shows the state of that supply voltage. The central<br />
LED, between connector plugs and relays, shows that at least one supply voltage is available<br />
and the board is working.<br />
Four relays per signal create the 1oo2D field signals. Usually all relays are in the same position<br />
(ON/OFF). The two “worker” relays from system A and B and the “diagnostic” relays<br />
should always have the same position. In case of a detected failure the “diagnostic” relay is<br />
used to de-couple systems A and B. During self-tests (walking change) one system is decoupled<br />
and tested (position changed to the opposite state), while the remaining system holds<br />
the field signal.<br />
The DFAB is designed with forcibly guided <strong>safety</strong> relays, using the “de-energize to trip”<br />
principle.<br />
3.6.7 Elements of TFAB DIGIO 2oo3<br />
Figure 16: TFAB DIGIO 2oo3 majority voter<br />
The field assembly board TFAB DIGIO 2oo3 uses no direct display elements. Two fuses at<br />
the upper left corner must be in the “pushed in” position.<br />
Three relays for each digital output signal show the output state for each unit A, B or C. Usually<br />
they will show identical position (open/close). During self-tests (walking zero) one relay<br />
will temporarily switch to the other state while the other two relays of the group keep the<br />
correct position.<br />
The TFAB is designed with forcibly guided <strong>safety</strong> relays, using the “de-energize to trip” principle.<br />
<strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> systems - <strong>safety</strong> <strong>manual</strong> Rev00.01 24.01.2011.doc page 25 of 50
3.6.8 Elements of the <strong>GA</strong> SCM1 current measurement module<br />
Figure 17: <strong>GA</strong> SCM1 output current monitoring module<br />
The SCM1 (<strong>Safety</strong> Current Measurement) module measures the current flowing to field elements<br />
and converts it into two redundant, proportional 4…20 mA current signals. These signals<br />
can be read with analogue input cards and are used to compare the actual field current to<br />
the expected value.<br />
In case of component failure the SCM1 module can not create dangerous field currents.<br />
Two green LEDs “Power okay 1” and “Power okay 2” show the operating state of both measurements.<br />
Two yellow LEDs “Open 1” and “Open2” indicate open cable on the secondary<br />
side, between SCM1 module and analog input module.<br />
3.7 <strong>Safety</strong> time and reaction time<br />
3.7.1 System reaction time<br />
System reaction time is the interval between occurrence of an external demand and the PES<br />
system’s response. It includes the time between occurrence and detection, time for internal<br />
calculations, setting of hardware output signals and relay switching times.<br />
The time for internal calculations, the program cycle time, depends on complexity of all control<br />
functions handled by one MPU-M1, MCDOT-S or MCADA-S processor card.<br />
For details on program cycle time see <strong>GA</strong> BlueEdit user <strong>manual</strong>.<br />
The reaction time is calculated as: cycle time of processor card + i/o cycle time + internal<br />
communication time + 15 msec relay switching.<br />
Exceptions from this time may occur when:<br />
• <strong>safety</strong> functions are distributed over multiple MCDOT-S or MCADA-S output cards<br />
• communication between <strong>GA</strong> <strong>safety</strong> racks is used for the <strong>safety</strong> function<br />
• frequency signals at low frequency: see MCAD-S technical description<br />
<strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> systems - <strong>safety</strong> <strong>manual</strong> Rev00.01 24.01.2011.doc page 26 of 50
3.7.2 Diagnostic test interval<br />
In addition to <strong>safety</strong> functions the PES system also continually performs diagnostic functions<br />
to detect erroneous system performance. Diagnostic test interval defines the time between<br />
repetitions of diagnostic tests.<br />
The diagnostic test interval must be chosen to achieve a probability of random hardware failure<br />
below or equal to the target failure measure defined in <strong>safety</strong> integrity specifications.<br />
All systems based on <strong>GA</strong> <strong>BlueLine</strong> components use a consistent hardware fault tolerance of<br />
at least HFT = 1, so the diagnostic test interval doesn’t significantly affect the system reaction<br />
time. It is specified in system firmware and should not be modified by the user.<br />
3.7.3 Process <strong>safety</strong> time<br />
The process <strong>safety</strong> time is the interval between occurrence of a disorder (at machine or process,<br />
equipment under control, EUC) and reaching of a critical state. The <strong>safety</strong> system must<br />
be able to bring the process to a safe state in this time interval. Process <strong>safety</strong> time considers<br />
the complete <strong>safety</strong> loop: from sensor and transmitter, over PES system, to actuator.<br />
The PES system reaction time may be used as basis for calculating process <strong>safety</strong> time compliance.<br />
The diagnostic test interval is doesn’t significantly affect the calculation, see above.<br />
3.7.4 Proof test interval<br />
The proof test is used at specified intervals to completely check the PES system and bring it<br />
back to “like new” <strong>safety</strong> integrity. Special attention is given to failures not detectable by<br />
internal diagnostic tests.<br />
As minimum all <strong>safety</strong> functions handled by the PES system must be checked according to<br />
specification.<br />
The default time interval between proof tests is 10 years.<br />
Shortening the test interval will improve the probability of system failure. Typical intervals<br />
are 5 years or 3 years. The proof test interval may also be extended, up to 20 years.<br />
When frequency signals are used for <strong>safety</strong> functions, the calibration of frequency inputs<br />
must be considered to determine the proof test interval, see MCAD-S technical description.<br />
<strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> systems - <strong>safety</strong> <strong>manual</strong> Rev00.01 24.01.2011.doc page 27 of 50
4 PES system engineering<br />
Planning, design and realization of the PES system are implemented according to box 9<br />
“<strong>safety</strong>-related systems: E/E/PES” in Figure 1: overall <strong>safety</strong> lifecycle on page 11.<br />
Figure 2: hardware and Figure 3: software show detailed phases for engineering and specify<br />
required activities and procedures.<br />
4.1 Hardware Engineering<br />
4.1.1 Specification of <strong>safety</strong> requirements<br />
A detailed list with all <strong>safety</strong> requirements for the project is compiled. This is the basis for all<br />
decisions on hardware and software design of the PES system.<br />
4.1.2 Hardware design and validation planning<br />
Hardware design takes the list of requirements and decides on the necessary hardware to<br />
handle these requirements. The number and type of PES systems, including system architecture<br />
and number of i/o cards, is defined. In parallel to planning the hardware the required<br />
methods for hardware validation are defined.<br />
Specific procedures and measures during hardware design are:<br />
• For each specified <strong>safety</strong> function the PES-internal <strong>safety</strong> loop (input signals, control<br />
and output signals) is designed. All input signals should be accessed by cards in<br />
the same system, all outputs should be handled on the same output card MCDOT-S<br />
or MCADA-S.<br />
Segmentation of <strong>safety</strong> loops to multiple PES systems is admissible, but should be<br />
avoided when possible. Affected loops require special attention in validation planning,<br />
specifically considering system reaction time.<br />
• If no dedicated processor card MPU-M1 is used, every output card may process<br />
multiple <strong>safety</strong> functions. Usually a uniform distribution of <strong>safety</strong> functions over<br />
processor cards is recommended to achieve similar system reaction times.<br />
• Interdependencies of input signals used in multiple <strong>safety</strong> functions must be specified<br />
and documented. They require special attention during validation.<br />
• Distribution of i/o signals to PES systems and their respective i/o cards must be<br />
documented and considered for validation.<br />
• Distribution of <strong>safety</strong> functions to PES systems and processor cards must be documented<br />
and considered for validation and software engineering.<br />
4.1.3 System integration<br />
System integration designs the integration of the PES systems in the project’s <strong>safety</strong> concept.<br />
The following measures need to be considered:<br />
• Integration of PES systems in the control panel, including external hardware.<br />
• Integration of multiple PES systems, with special attention on communication.<br />
• Integration of PES systems in the overall concept, including engineering station and<br />
visualization (DCS)<br />
• Network layout for engineering and visualization, including redundancy and address<br />
configuration.<br />
<strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> systems - <strong>safety</strong> <strong>manual</strong> Rev00.01 24.01.2011.doc page 28 of 50
4.1.4 Hardware engineering, check list<br />
No. Description Check<br />
1 Correct system architecture selected to meet requirements regarding process<br />
<strong>safety</strong> and process availability?<br />
2 Number of i/o cards according to <strong>safety</strong> functions, including spare signals?<br />
3 Slot position of i/o cards according to system design specification?<br />
4 Analog frequency inputs with correct cut-off frequency?<br />
5 Appropriate distribution of <strong>safety</strong> functions over MCDOT-S and<br />
MCADA-S cards with regard to output signals?<br />
6 correct external voter hardware for <strong>safety</strong> and availability requirements?<br />
7 <strong>safety</strong>-relevant communication between PES systems: acceptable system<br />
reaction time?<br />
8 Connecting cables: correct cable type and length?<br />
9 Network layout: distance, cable length, cable type (copper, optical),<br />
switches, routers, redundancy, addressing<br />
Table 1: check list hardware engineering<br />
See also <strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> system checklists for additional information.<br />
4.2 Software engineering<br />
4.2.1 Specification of <strong>safety</strong> requirements<br />
The list of <strong>safety</strong> requirements according to chapter Specification of <strong>safety</strong> requirements on<br />
page 28 is extended with signal information on i/o signals. For each digital signal the contact<br />
mode (normally open, normally closed) is specified, for analog signals the physical range is<br />
defined.<br />
For each <strong>safety</strong> function the required <strong>safety</strong> time is specified.<br />
For each <strong>safety</strong> function the working principle is defined.<br />
4.2.2 Software design and validation planning<br />
The distribution of <strong>safety</strong> functions to PES hardware components is implemented as application<br />
software, considering software <strong>safety</strong> specifications. For each <strong>safety</strong> function the PESinternal<br />
<strong>safety</strong> loop of input signal, application program and output signal is considered.<br />
<strong>GA</strong> BlueEdit is used as programming tool, see <strong>GA</strong> BlueEdit user <strong>manual</strong>.<br />
Software design considers the following measures:<br />
• Application programming for specific <strong>safety</strong> functions on MPU-M1, MCDOT-S or<br />
MCADA-S cards according to hardware design specifications.<br />
• Error response for signal failure specified for every input signal in every <strong>safety</strong><br />
function: Mid-of-3, 1oo2, available/error, (see <strong>GA</strong> BlueEdit user <strong>manual</strong>). Documentation<br />
and validation planning for each signal.<br />
• Analysis of switch-over between operating modes in <strong>safety</strong> functions. Validation<br />
planning for all operating modes with special attention on the moment of switchover.<br />
• Interdependencies between <strong>safety</strong> functions (one input signal or calculated internal<br />
state used in multiple <strong>safety</strong> functions) must be clearly defined, documented and<br />
considered in validation.<br />
<strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> systems - <strong>safety</strong> <strong>manual</strong> Rev00.01 24.01.2011.doc page 29 of 50
• Definition of calculated thresholds for analog inputs, physically and scaled to controller-internal<br />
range, with hysteresis. Documentation and validation planning.<br />
• Power-on behavior for <strong>safety</strong> functions, including validation.<br />
• Signal tracking for software functions with internal memory function (e.g. RS flip<br />
flop), including validation.<br />
4.2.3 SIL3-approved function blocks<br />
Most <strong>GA</strong> BlueEdit function blocks are approved for use in SIL3 <strong>safety</strong> functions. They may<br />
be used without restriction for application programming. The <strong>GA</strong> BlueEdit user <strong>manual</strong> supplies<br />
the current list of approved function blocks.<br />
Function blocks not listed are not approved for <strong>safety</strong> functions. They may be used for functions<br />
that are not <strong>safety</strong> relevant, the use in <strong>safety</strong> functions is not allowed.<br />
4.2.4 Integration of PES hardware and software<br />
PES system integration gives special attention to dependencies between hardware and software.<br />
An important factor is also the integration into the overall system concept, including<br />
PES diagnostics in regular process visualization (DCS).<br />
Integration considers the following measures:<br />
• Coordinating of hardware and software configuration (slot configuration, network,<br />
i/o access).<br />
• Activation of signal diagnostics (cable failure, short cut) for used signals, deactivation<br />
for spare signals, correct software configuration for the implemented hardware<br />
architecture (DualCore-S, DUPLEX-S, TMR-S).<br />
• Estimation of system reaction time of all cards running application software (MPU-<br />
M1, MCDOT-S and MCADA-S) and comparison to required system reaction time.<br />
Consider adequate reserve for software changes during commissioning.<br />
• Memory utilization of MPU-M1, MCDOT-S and MCADA-S cards acceptable, including<br />
adequate reserve for software changes during commissioning.<br />
• All relevant diagnostic information of PES systems should be displayed on regular<br />
process visualization, to inform about critical states or system degradation and allow<br />
sufficient time for corrective maintenance.<br />
4.2.5 Software validation<br />
Software validation uses the programming tool <strong>GA</strong> BlueEdit and the following methods:<br />
• Syntax check and parameter check, offline. On engineering station or PC.<br />
• Offline simulation on engineering station or PC, without PES hardware.<br />
• Online debug on PES hardware, with forced i/o signals, no field signals<br />
or<br />
Online debug on PES hardware, with field signals simulated by test equipment<br />
(usually during panel acceptance test)<br />
• During commissioning full software test, online debug and functional, with full<br />
field wiring. First with stopped machine, finally with the machine running.<br />
<strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> systems - <strong>safety</strong> <strong>manual</strong> Rev00.01 24.01.2011.doc page 30 of 50
4.2.6 Software engineering, check list<br />
No. Description Check<br />
1 Hardware and software configuration corresponding<br />
2 Network configuration correct in hardware and software<br />
3 System reaction time of each MCDOT-S, MCADA-S and MPU-M1 card<br />
acceptable as compared to required <strong>safety</strong> times<br />
4 Memory utilization of MPU-M1, MCDOT-S and MCADA-S cards acceptable,<br />
with enough free memory for modifications during commissioning<br />
5 Signal error detection cable failure/short cut active for used signals, inactive<br />
for spare signals<br />
6 Access to all necessary diagnostic information specified and/or programmed<br />
for process visualization (DCS)<br />
7 System configuration according to project requirements<br />
(time-outs, time settings, internal communication, ...)<br />
Table 2: check list software engineering, system integration<br />
No. Description Check<br />
1 Signal states and ranges for each signal programmed according to specification?<br />
2 Signal behavior (Mo3, 1oo2, ...) for each signal in every <strong>safety</strong> function<br />
defined according to specification?<br />
3 Analog thresholds programmed according to specification, including scaling<br />
and hysteresis?<br />
4 Interdependencies between <strong>safety</strong> functions according to specification?<br />
5 Power-on behavior of <strong>safety</strong> functions according to specification?<br />
6 Signal tracking for software functions with internal memory (RSF, ...)<br />
implemented according to specification?<br />
7 Only SIL3-approved function blocks used in programming of <strong>safety</strong> functions?<br />
Table 3: check list software engineering, programming<br />
No. Description Check<br />
1 Syntax check and parameter check: no errors, no warnings?<br />
2 Simulation offline on PC: functionality as specified?<br />
3 Online debug on PES system, without field signals, forced signals in<br />
maintenance mode: functionality as specified?<br />
4 Online debug on PES system, with simulated field signals (test equipment,<br />
panel acceptance test), in running mode: functionality as specified?<br />
Table 4: check list software engineering, validation<br />
See also <strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> system checklists for additional information.<br />
<strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> systems - <strong>safety</strong> <strong>manual</strong> Rev00.01 24.01.2011.doc page 31 of 50
5 Assembly and installation<br />
5.1 Qualified personnel<br />
All persons involved in assembly and installation must be qualified according to their duties.<br />
They must be familiar with relevant technical <strong>manual</strong>s and system hardware, and be appropriately<br />
trained in <strong>safety</strong> procedures.<br />
Qualification includes:<br />
• training and experience in handling of electrical equipment according to approved<br />
codes of practice<br />
• experience in installation of <strong>GA</strong> <strong>safety</strong> components<br />
• training in i/o signal diagnostics with programming tool <strong>GA</strong> BlueEdit may be required<br />
• instruction in project specific <strong>safety</strong> concept<br />
• training in use of appropriate <strong>safety</strong> equipment<br />
• training in first aid<br />
Warning 3<br />
Mistakes during assembly and installation may impair the performance of <strong>safety</strong><br />
functions and cause the loss of a required <strong>safety</strong> integrity level (SIL or PL). They<br />
may lead to severe damage to property or environment and death of personnel.<br />
5.2 <strong>Safety</strong>-relevant restrictions of use<br />
The systems must be used only in normal environments, according to specification. They<br />
must be protected against acidic environments, especially H2S components.<br />
5.3 Mounting and connecting<br />
For details on mounting and electrical connecting see technical descriptions of relevant components<br />
and installation <strong>manual</strong>s for the specific type of system.<br />
Generally the following items apply:<br />
• mounting must be stable, no mechanical vibrations<br />
all screws fixed tightly<br />
• to allow adequate cooling all components must be mounted in correct position,<br />
keeping sufficient distance from other components.<br />
• Signal lines must be kept separate from power lines. All lines require tidy wiring<br />
and appropriate labeling.<br />
If required, signal lines must be protected against over voltage and over current.<br />
• Power supply must be in acceptable range.<br />
• Component mounting must be EMC compatible. For racks this includes correct<br />
connection to protective ground.<br />
• Most components include devices sensitive to electrostatic discharge. Discharges by<br />
touching components must be avoided by using appropriate measures (touching of<br />
or connection to electrically grounded metal parts, ...).<br />
Protective measures are always required when replacing components.<br />
<strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> systems - <strong>safety</strong> <strong>manual</strong> Rev00.01 24.01.2011.doc page 32 of 50
5.4 Assembly and installation, check list<br />
No. Description Check<br />
1 Optical check: no damage, proper mounting, proper and tidy wiring, component<br />
labeling present and correct<br />
2 Mechanical check: screws tightened, components fixed in position, no<br />
vibration<br />
3 wiring: plugs connected and fixed, correct grounding, separation of signal<br />
and power wiring<br />
4 Power-on test: all LEDs show normal state<br />
Table 5: check list assembly and installation<br />
See also <strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> system checklists for additional information.<br />
<strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> systems - <strong>safety</strong> <strong>manual</strong> Rev00.01 24.01.2011.doc page 33 of 50
6 Forcing i/o signals<br />
6.1 Procedure<br />
With forcing, sometimes called maintenance override, all input and output signals of a PES<br />
system may be set to any specific value, independent of field inputs or PES control outputs.<br />
This will override <strong>safety</strong> functions, restricting or disabling them, so forcing may be used only<br />
during commissioning and maintenance, under specified operating conditions.<br />
The <strong>GA</strong> BlueEdit user <strong>manual</strong> explains procedures for forcing all types of i/o signals.<br />
The following items must be considered concerning forcing:<br />
• Impact analysis: the impact on PES system and process must be analyzed and<br />
clearly understood before forcing. Required operating conditions on PES system,<br />
machine and process must be defined and established.<br />
• Forcing is allowed only to qualified personnel, during commissioning or maintenance.<br />
In normal operation forced signals are not allowed, because related <strong>safety</strong> functions<br />
are restricted or disabled.<br />
• The procedure to achieve desired forced states must be clearly understood: is there<br />
any specific order required in forcing several signals? The system architecture (redundancy)<br />
must be considered in procedures.<br />
• The procedure for releasing the forced mode must be clearly understood.<br />
• Additional external <strong>safety</strong> measures may be required to compensate for disabled<br />
<strong>safety</strong> functions (e.g. restricted access to areas).<br />
• Emergency procedures must be defined and prepared to handle potential problems<br />
due to disabled <strong>safety</strong> functions.<br />
6.2 Forcing i/o signals, check list<br />
Nr. description Check<br />
1 Are impacts on system and process analyzed and clearly understood?<br />
2 Are system and process requirements (e.g. operating conditions) established?<br />
3 Is the procedure for forcing the desired state clearly understood, including<br />
the system architecture and type of redundancy of affected i/o signals?<br />
4 Is the procedure for releasing force-mode and return to normal operation<br />
clearly understood?<br />
5 Are required external <strong>safety</strong>/protective measures prepared?<br />
6 Are sufficient emergency measures prepared?<br />
Table 6: check list forcing i/o signals<br />
See also <strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> system checklists for additional information.<br />
Warning 4<br />
Forcing of i/o signals will override the working of <strong>safety</strong> functions, endangering<br />
personnel, environment and property. Appropriate measures to achieve the required<br />
<strong>safety</strong> by other means need to be implemented!<br />
<strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> systems - <strong>safety</strong> <strong>manual</strong> Rev00.01 24.01.2011.doc page 34 of 50
7 Commissioning<br />
7.1 Qualified personnel<br />
All persons involved in commissioning must be qualified according to their duties. They<br />
must be familiar with relevant technical <strong>manual</strong>s, system hardware and software, and be appropriately<br />
trained in <strong>safety</strong> procedures.<br />
Qualification includes:<br />
• training and experience in handling of electrical equipment according to approved<br />
codes of practice<br />
• software training for the programming tool <strong>GA</strong> BlueEdit for commissioning of SIL3<br />
<strong>safety</strong> systems<br />
• instruction in project specific <strong>safety</strong> concept<br />
• instruction in project specific application software<br />
• experience in integration of control systems with control panel<br />
• instruction in machinery and processes to be controlled<br />
• training in use of appropriate <strong>safety</strong> equipment<br />
• training in first aid<br />
7.2 Commissioning procedures<br />
Commissioning uses the programming tool <strong>GA</strong> BlueEdit for programming, system configuration<br />
and diagnostic of hardware and software. A visualization on a DCS may be running in<br />
parallel via communication, for process states and diagnostics. This communication must also<br />
be checked and, when required, be modified during commissioning.<br />
During commissioning the PES system will often run in maintenance mode. The commissioning<br />
technician needs hardware keys and appropriate passwords to enter maintenance<br />
mode. The system must be protected against unauthorized access.<br />
Activities and procedures during commissioning:<br />
• During commissioning the <strong>safety</strong> functions are not yet working or work only partially.<br />
Appropriate <strong>safety</strong> and emergency measures must be provided.<br />
• At the first use of PES hardware electrical connections of all components must be<br />
checked.<br />
• Check software system configuration: in accordance with documentation<br />
• Check network communication: all systems connected and responding<br />
• Loop check: all i/o signals in <strong>GA</strong> BlueEdit diagnostic display and in visualization.<br />
Check full range, including cable failure and short cut. Error diagnostics must be<br />
correct in engineering station and DCS.<br />
• <strong>Functional</strong> check of <strong>safety</strong> functions, machine stopped<br />
• <strong>Functional</strong> check of <strong>safety</strong> functions, machine running<br />
• Data back-up and documentation of all changes<br />
• Enter normal, safe operating mode. Check: running mode active, key for mode<br />
switch removed, no signals forced, password protection<br />
<strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> systems - <strong>safety</strong> <strong>manual</strong> Rev00.01 24.01.2011.doc page 35 of 50
Warning 5<br />
During commissioning <strong>safety</strong> functions are not or only partially available, endangering<br />
personnel, environment and property. Appropriate measures to achieve the<br />
required <strong>safety</strong> by other means need to be observed!<br />
7.3 Application software modification<br />
7.3.1 Program modifications<br />
Any modifications in existing and approved application software require an impact analysis:<br />
• Print current program version, create software back-up.<br />
• Plan modifications and create new program with <strong>GA</strong> BlueEdit.<br />
• Print and save new program.<br />
• Check for interconnections between modified <strong>safety</strong> functions and other functions,<br />
using graphical program editor.<br />
• Analyze modified functions, including interconnected old functions, regarding:<br />
only the desired effects on modified functions, no side-effects in modified or old<br />
functions.<br />
When modifications affect switches between operating modes the time of switching<br />
requires special attention.<br />
• Test the new version, at first with simulation, than with stopped machine.<br />
• Check system reaction time of new software.<br />
• All changes must be documented and backed-up.<br />
7.3.2 Parameter modification<br />
Any modifications require an impact analysis:<br />
• Create software backup.<br />
• Plan modifications.<br />
• Check for interconnection of modified parameters in other functions, using graphical<br />
program editor.<br />
• Analyze affected <strong>safety</strong> functions, including interconnected functions:<br />
only desired effects, no side-effects?<br />
• When changing range or scaling of i/o signals the communication to visualization<br />
system may be affected.<br />
• Test the new version.<br />
• All changes must be documented and backed-up.<br />
7.3.3 Online modification<br />
Warning 6<br />
Whenever possible changes should be done with the machine stopped. During<br />
modification the system’s <strong>safety</strong> integrity is partially compromised. Incorrect<br />
changes or procedures may compromise <strong>safety</strong> functions.<br />
Modifications with the machine running are possible but need special attention:<br />
• Impact analysis just like analysis for normal changes.<br />
• Additional impact analysis for power-on behavior.<br />
• Additional impact analysis of different signal states on the separate units in a redundant<br />
system, during re-programming and start-up.<br />
<strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> systems - <strong>safety</strong> <strong>manual</strong> Rev00.01 24.01.2011.doc page 36 of 50
• All units must be programmed separately. After each unit is programmed the correct<br />
state of all i/o signals and internal states must be checked. Balancing of states by<br />
forcing of i/o signals may be required.<br />
• During the time of modification appropriate <strong>safety</strong> measures must be used, see also<br />
chapter Forcing i/o signals on page 34.<br />
• During modification the <strong>safety</strong> functions are compromised. Appropriate emergency<br />
measures must be prepared.<br />
7.4 Commissioning, check list<br />
No. Description Check<br />
1 Is the project’s <strong>safety</strong> concept clearly understood?<br />
2 Required key switches and passwords available?<br />
3 System hardware configuration correct?<br />
4 Communication check with all systems successful?<br />
5 Loop check for all i/o signals: range and diagnostics correct?<br />
6 Appropriate <strong>safety</strong> measures and emergency measures prepared?<br />
7 Check of <strong>safety</strong> functions: machine stopped, machine running.<br />
7a When required: program modification, see additional check list below.<br />
8 Check system reaction time, for each i/o and MPU-M1 card. Compare<br />
with process <strong>safety</strong> time.<br />
9 Set safe operating state: system locked, no i/o forcing active.<br />
Key handed over to:<br />
10 Data back-up of complete software and system configuration.<br />
date:<br />
copy handed over to:<br />
Table 7: check list commissioning<br />
No. Description Check<br />
1 Back-up old version.<br />
2 Modification with machine stopped or running?<br />
3 Planning of modifications and impact analysis, with consideration of the<br />
list of SIL3-approved function blocks.<br />
4 Appropriate <strong>safety</strong> measures and emergency measures prepared?<br />
5 Implementation and test of new software<br />
6 Check system reaction time, for each affected card. Compare with process<br />
<strong>safety</strong> time.<br />
7 Documentation of successful changes.<br />
8 Back-up new version.<br />
Table 8: check list commissioning, program modification<br />
See also <strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> system checklists for additional information.<br />
<strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> systems - <strong>safety</strong> <strong>manual</strong> Rev00.01 24.01.2011.doc page 37 of 50
8 Maintenance<br />
8.1 Qualified personnel<br />
All persons involved in maintenance must be qualified according to their duties. They must<br />
be familiar with relevant technical <strong>manual</strong>s, system hardware and software, and be appropriately<br />
trained in <strong>safety</strong> procedures.<br />
Qualification includes:<br />
• training and experience in handling of electrical equipment according to approved<br />
codes of practice<br />
• software training for the programming tool <strong>GA</strong> BlueEdit for maintenance and diagnostics<br />
• instruction in project specific <strong>safety</strong> concept<br />
• training in use of appropriate <strong>safety</strong> equipment<br />
• training in first aid<br />
8.2 Maintenance procedures<br />
Regular maintenance is planned in detail as component of the <strong>safety</strong> concept. The planned<br />
tasks are performed in specified service intervals, including:<br />
• Proof-Test interval<br />
• checking and changing air filters<br />
• checking for fouling or contamination<br />
• control of system diagnostics like: diagnostic visualization in DCS, alarms, LED<br />
display on hardware components, extended diagnostic information on engineering<br />
station using <strong>GA</strong> BlueEdit<br />
Unscheduled maintenance becomes necessary when the <strong>safety</strong> system shows irregularities. It<br />
is generically considered in the <strong>safety</strong> concept and includes the activities:<br />
• identification and repair of i/o signal failures<br />
• identification and repair/exchange of PES system components (i/o cards, fan, power<br />
supply, ...)<br />
• identification and repair of network communication failures<br />
Unscheduled maintenance requires:<br />
• Unequivocal identification of error messages and cause for error: i.e. high system<br />
temperature may have several causes: fouled air filter, cooling fan failure, control<br />
panel air conditioning failure.<br />
• Cross-check of detected error or message with all available tools: DCS visualization,<br />
hardware check (optical, LEDs, ...), extended diagnostics on engineering station.<br />
• Impact analysis of error/failure consequences on <strong>safety</strong> and availability.<br />
• Planning of maintenance tasks, procedures and responsible personnel.<br />
• Planning of appropriate <strong>safety</strong> and emergency measures.<br />
<strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> systems - <strong>safety</strong> <strong>manual</strong> Rev00.01 24.01.2011.doc page 38 of 50
Warning 7<br />
Unqualified maintenance may cause the loss of a required <strong>safety</strong> integrity level<br />
(SIL, PL) and may compromise the performance of <strong>safety</strong> functions, leading to severe<br />
damage to property or environment and death of personnel.<br />
8.3 Replacement of components<br />
Replacement of components is possible during normal operation. Details are specified in<br />
technical descriptions of the components and systems.<br />
Replacement of programmable system components, MCxxx-S cards, MPU-M1 processor<br />
cards and ICU communication cards requires special attention:<br />
• Replacement of MCxxx-S, MPU-M1 or ICU cards requires use of engineering station<br />
with <strong>GA</strong> BlueEdit.<br />
• The PES system is switched to maintenance mode.<br />
• Password protection of <strong>GA</strong> safeEdit requires use of valid password.<br />
• Error and cause of error is identified, analyzed and documented.<br />
• The failed card is removed, see relevant technical documentation.<br />
• Hardware settings (jumper, switches) of spare card are compared and adjusted with<br />
failed card, see relevant technical descriptions.<br />
• Spare card is inserted into the system rack.<br />
• Configuration of spare card is checked and modified as required. Correct detection<br />
and configuration is displayed in <strong>GA</strong> BlueEdit.<br />
• Replacing i/o cards and MPU-M1 cards:<br />
o The application program is checked. Usually the current program must be<br />
downloaded to the spare card.<br />
o signal cable from field assembly module to connector is plugged in and fixed.<br />
o Correct state of i/o signals and internally calculated states is checked, in systems<br />
with redundancy i/o signals are compared with redundant cards of other<br />
units.<br />
• The complete system is checked, running with the new card.<br />
• The system is returned to “Running” operation mode.<br />
The relevant technical description of each card shows details on card exchange and configuration.<br />
Additional information on configuration and programming is available in <strong>GA</strong> BlueEdit<br />
user <strong>manual</strong>.<br />
8.4 Maintenance, check list<br />
Checks for regular maintenance, including proof-test intervals, use project specific check<br />
lists.<br />
No. Description Check<br />
1 Unequivocal identification of problem: corresponding diagnostics in visualization,<br />
engineering station and LEDs on card?<br />
2 Process for exchanging cards clearly understood?<br />
3 Appropriate <strong>safety</strong> and emergency measures prepared?<br />
4 New card configured and correctly detected by the system?<br />
5 Correct application program on new card?<br />
6 External signals and internal card states agree with cards on redundant<br />
units?<br />
<strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> systems - <strong>safety</strong> <strong>manual</strong> Rev00.01 24.01.2011.doc page 39 of 50
7 All i/o signals working?<br />
8 System returned to safe operating state after finishing maintenance work?<br />
Table 9: check list maintenance, exchanging cards<br />
See also <strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> system checklists for additional information.<br />
<strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> systems - <strong>safety</strong> <strong>manual</strong> Rev00.01 24.01.2011.doc page 40 of 50
9 Access authorization<br />
9.1 User login<br />
Figure 18: user login<br />
Before using <strong>GA</strong> BlueEdit to access <strong>GA</strong> <strong>safety</strong> systems a user authorization is required. In<br />
“Account login” select a user name from the list of authorized users. Enter the corresponding<br />
password below.<br />
The list always has at least the user “Admin”, other user names depend on system configuration.<br />
The user may work within the scope of his access permissions. Modification of user authorization<br />
and permissions is available for “Admin” only. Users with highest priority may fully<br />
access diagnostics, configuration and programming of i/o cards, ICU communication cards or<br />
MPU-M1 processor and communication cards.<br />
Access beyond diagnostics, affecting the PES system, additionally requires activation of<br />
“Maintenance” mode with the hardware key switch. “Running” mode allows only diagnostics.<br />
User configuration and access rights are explained in <strong>GA</strong> BlueEdit <strong>manual</strong>.<br />
9.2 Key switch for operating mode<br />
Figure 19: key switch Running/Maintenance<br />
The hardware key switch selects between “Running” and “Maintenance” operating mode, i.e.<br />
normal <strong>safety</strong> operating mode and unsafe maintenance mode.<br />
Warning 8<br />
Maintenance mode allows hardware access that may compromise <strong>safety</strong> functions,<br />
including forcing of i/o signals, programming of control processors and system configuration.<br />
When using appropriate <strong>safety</strong> and emergency measures, maintenance<br />
mode may be allowed with the machine/process running. Ordinary, day-to-day operation of<br />
the machine is not allowed in maintenance mode.<br />
<strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> systems - <strong>safety</strong> <strong>manual</strong> Rev00.01 24.01.2011.doc page 41 of 50
Running mode is the safe operating mode.<br />
After successful commissioning or maintenance all forced i/o signals have to be released,<br />
than the key switch is turned to “Running” position and the key removed. This mode protects<br />
the PES system from external interference by the engineering station. Diagnostics on engineering<br />
station and communication to DCS remain available.<br />
Warning 9<br />
Signals forced to specific states in maintenance mode, analog or digital, remain at<br />
the forced state when the system changes to running mode. A warning message informs<br />
of this unsafe condition.<br />
Affected <strong>safety</strong> functions will be compromised, endangering personnel, environment and<br />
property.<br />
Appropriate measures to achieve the required <strong>safety</strong> by other means need to be implemented!<br />
<strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> systems - <strong>safety</strong> <strong>manual</strong> Rev00.01 24.01.2011.doc page 42 of 50
10 Diagnostic information<br />
10.1 Diagnostic data<br />
Self test statistics<br />
Authorized users can access self test statistics, stored on each MPU-M1 and MCxxx-S card.<br />
The information is stored in card-internal flash memory. Access via <strong>GA</strong> BlueEdit, see <strong>GA</strong><br />
BlueEdit user <strong>manual</strong>.<br />
Log-book of system messages<br />
The engineering station logs all system messages (information, warnings, errors). All messages<br />
are displayed on screen and written to a log-book file. Each message includes time<br />
stamp and informational text. See chapter Analyzing error messages on page 44.<br />
Additionally all messages are stored in flash memory on their respective ICU card and can be<br />
accessed from the engineering station.<br />
Visualization system<br />
Via communication extensive diagnostic information on all i/o signals is accessible for the<br />
DCS: cable failure, short cut, signal forced, forced-state for digital signals.<br />
Life-bit diagnostic may be programmed for each i/o card to continually check communication<br />
and functionality.<br />
System temperatures and voltages of MPU-M1 processor cards and ICU communication<br />
cards are also accessible.<br />
Storage or logging of this data is available according to capabilities of the visualization system.<br />
10.2 Process data<br />
All process data is continually available to the DCS system, using communication via ICU<br />
communication controller or MPU-M1 processor card. Display and logging of data is available<br />
according to capabilities of that system.<br />
Online data may also be accessed from the engineering station, using the graphical trend analyzer<br />
in <strong>GA</strong> BlueEdit, see <strong>GA</strong> BlueEdit user <strong>manual</strong>.<br />
Real-time data logging of all i/o signals, including time synchronization between several controllers,<br />
is optionally available on the ICU cards.<br />
<strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> systems - <strong>safety</strong> <strong>manual</strong> Rev00.01 24.01.2011.doc page 43 of 50
10.3 Analyzing error messages<br />
The programming tool <strong>GA</strong> BlueEdit shows extensive diagnostic information. If unusual system<br />
behavior occurs appropriate diagnostic messages are displayed and logged to file.<br />
The example shows a typical error message:<br />
Fr, 16 Sep 2005 15:57:52 : MCU-S 192.168.100.183 (1): (1,13,0) Card<br />
Timeout (ID:116): unit:0, slot:6, timestamp:0xe377, time:0xe44f<br />
The first part shows date and time information about the error:<br />
Friday, 16 th September 2005 at 15:57 and 52 seconds.<br />
The next part is the type of processor sending the message, followed by the TCP/IP address<br />
of the ICU sending this error, and the network number in redundant network:<br />
MCU-S, an i/o card with MCU processors on address 192.168.100.183 in network number<br />
(1). DUPLEX-S systems may use two redundant networks (1) and (2), TMR-S systems may<br />
use three separate networks.<br />
The next part is the card position in the system, identified by unit number (0 = unit A, 1 =<br />
unit B), card slot number (1 ... 16) and processor number (0 = MCU-A, 1 = MCU-B):<br />
(1,13,0) identifies a card in unit B, slot 13, processor MCU-A<br />
The next part is the actual error message, followed by an identification number. The number<br />
is used as reference to detailed error information in technical description of the respective<br />
card, explaining causes and procedures for responding to the error:<br />
Card Timeout is the actual error, (ID:116) the ID in technical description. To get detailed<br />
information on error 116 check the card type in slot 13 (MCDIN-S, MCAD-S,<br />
MCADA-S or MCDOT-S) and read the technical description for this card type.<br />
The last part is internal time information. Internal time stamps use a system-relative time<br />
count in milliseconds. Timestamp specifies the internal time when the error occurred, time is<br />
the current time when the error was reported. Time stamps are used to analyze a sequence of<br />
events if multiple errors occur.<br />
<strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> systems - <strong>safety</strong> <strong>manual</strong> Rev00.01 24.01.2011.doc page 44 of 50
11 Common technical data<br />
power supply<br />
nominal operating voltage 100 ... 240 VAC, 50 ... 60 Hz<br />
maximum operating voltage 85 ... 264 VAC, 47 ... 63 Hz<br />
max. power TMR/10-S 450 W, largest system<br />
max. power DUPLEX SMART-S, DualCore-S 300 W<br />
max. power COMPACT-FS1 60 W<br />
digital inputs, MCDIN-S<br />
type 0, NAMUR input<br />
input current according to NAMUR<br />
“high level” current > 2,1 mA<br />
“low level” current < 1,2 mA<br />
type 1: 24 V active or passive input<br />
input voltage 24 V<br />
high level voltage, default > 15 V, IEC61131-2<br />
low level voltage, default < 5 V, IEC61131-2<br />
type 2: 24 V passive input<br />
input voltage 24 V<br />
high level voltage, default > 11 V, IEC61131-2<br />
low level voltage, default < 5 V, IEC61131-2<br />
analog inputs, MCAD-S<br />
input current 0 ... 25mA<br />
frequency input 1 Hz ... 20 kHz<br />
analog inputs and outputs, MCADA-S<br />
input current 0 ... 25mA<br />
output current 0 ... 25mA<br />
digital outputs, MCDOT-S + output voter<br />
output voltage 24 VDC, 230 VAC<br />
output current, per channel (max.) 0 ... 6A<br />
environmental conditions<br />
storage temperature -25°C ... +70 °C<br />
operating temperature +0°C ... +55°C<br />
relative humidity 10% ... 90%, non condensing<br />
protection class IEC 525 IP 20<br />
operating altitude max. 2000m<br />
pollution degree 2<br />
power supply IEC 536 <strong>safety</strong> class 1, with PE<br />
field connections <strong>safety</strong> class III<br />
dimensions<br />
DualCore-S/DUPLEX SMART-S/TMR SMART-S<br />
(4HE / 84TE)<br />
DUPLEX/7-S (7HE / 84 TE)<br />
TMR/10-S (10 HE / 84 TE)<br />
For more details see technical description of components.<br />
483 x 191 x 391 mm [W x H x D]<br />
483 x 324 x 391 mm [W x H x D]<br />
483 x 458 x 391 mm [W x H x D]<br />
<strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> systems - <strong>safety</strong> <strong>manual</strong> Rev00.01 24.01.2011.doc page 45 of 50
12 <strong>Safety</strong> specific data<br />
12.1 Symbols and abbreviations<br />
Symbol Description<br />
β weighting factor for dangerous undetected common cause failures<br />
βD weighting factor for dangerous detected common cause failures<br />
λ failure rate (per hour) of one channel in one sub-system<br />
λD dangerous failure rate (per hour) of one channel in one sub-system (D = dangerous)<br />
λDD detected dangerous failure rate (per hour) (DD = dangerous, detected)<br />
λDU undetected dangerous failure rate (per hour) (DU = dangerous, undetected)<br />
λS safe failure rate (per hour) of one channel in one sub-system (S = safe)<br />
proof test interval (in hours)<br />
T1<br />
MTTR Mean Time To Repair (in hours)<br />
MTTFd Mean Time To Failure, dangerous, in years. The value applies to dangerous<br />
failures of one channel, not the redundant system<br />
DC diagnostic coverage<br />
SFF safe failure fraction<br />
PFDavg average probability of failure on demand, in low demand mode<br />
PFHG average probability of failure per hour in system with majority voter, in high<br />
demand mode<br />
tCE average channel-related failure time (in hours)<br />
average system-related failure time (in hours)<br />
tGE<br />
<strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> systems - <strong>safety</strong> <strong>manual</strong> Rev00.01 24.01.2011.doc page 46 of 50
12.2 Characteristic <strong>safety</strong> values<br />
The characteristic <strong>safety</strong> values for a complete <strong>safety</strong> loop are calculated as sum of the probability<br />
of failure for every component, modified according to system architecture.<br />
The probability of failure values of all components used for handling one <strong>safety</strong> function are<br />
added into the total probability for this specific <strong>safety</strong> function. This calculation has to be<br />
done for each <strong>safety</strong> function separately.<br />
The part of the logic solver is determined by adding failure probabilities for each component<br />
from the tables below. They already account for the system architecture, so the values of single<br />
components may simply be added to get the total value for the logic solver.<br />
12.2.1 <strong>GA</strong> <strong>BlueLine</strong>: Probability of Failure data<br />
for systems: DUPLEX-S, TMR-S, DualCore-S, COMPACT-FS1 in multi-card configuration<br />
externally redundant<br />
cards<br />
PFDavg<br />
T1 = 1y<br />
PFDavg<br />
T1 = 5y<br />
PFDavg<br />
T1 = 10y<br />
PFDavg<br />
T1 = 20y<br />
PFHG I/O<br />
MPU-M1 1.10E-06 5.00E-06 1.00E-05 2.00E-05 6.40E-09 n. a.<br />
MCAD-S 4.85E-07 2.43E-06 4.85E-06 9.70E-06 5.04E-09 24 AI<br />
MCDIN-S 3.50E-07 1.75E-06 3.50E-06 7.00E-06 3.80E-09 24 DI<br />
MCDOT-S 3.65E-07 1.83E-06 3.65E-06 7.30E-06 3.94E-09 8-10 DO<br />
MCADA-S 2.86E-07 1.43E-06 2.86E-06 5.72E-06 2.60E-09 8 AI, 8 AO<br />
MCADA-S IN 9.94E-08 4.97E-07 9.94E-07 1.99E-06 8.99E-10 8 AI<br />
MCADA-S OUT 2.32E-07 1.16E-06 2.32E-06 4.64E-06 2.10E-09 8 AO<br />
Table 10: Probability of failure, externally redundant cards<br />
for systems: DualCore-S and COMPACT-FS1 in single-card configuration<br />
internally redundant<br />
cards<br />
PFDavg<br />
T1 = 1y<br />
PFDavg<br />
T1 = 5y<br />
PFDavg<br />
T1 = 10y<br />
PFDavg<br />
T1 = 20y<br />
PFHG I/O<br />
MPU-M1 8.21E-06 3.20E-05 6.18E-05 1.22E-04 8.34E-09 n. a.<br />
MCAD-S 6.41E-07 3.21E-06 6.41E-06 1.28E-05 6.61E-09 12 AI<br />
MCDIN-S 4.64E-07 2.32E-06 4.64E-06 9.27E-06 5.01E-09 12 DI<br />
MCDOT-S 4.83E-07 2.41E-06 4.83E-06 9.66E-06 5.18E-09 8 DO<br />
MCADA-S 3.80E-07 1.90E-06 3.80E-06 7.60E-06 3.43E-09 4 AI, 4 AO<br />
MCADA-S IN 1.98E-07 9.92E-07 1.98E-06 3.97E-06 1.79E-09 4 AI<br />
MCADA-S OUT 4.62E-07 2.31E-06 4.62E-06 9.25E-06 4.18E-09 4 AO<br />
Table 11: Probability of failure, internally redundant cards<br />
external hard- PFDavg PFDavg PFDavg PFDavg PFHG I/O<br />
ware voter T1 = 1y T1 = 5y T1 = 10y T1 = 20y<br />
SR-01-42-24-00 5.59E-07 2.80E-06 5.59E-06 1.12E-05 5.05E-09 1 DO<br />
SCM1 5.40E-06 2.54E-05 5.06E-05 1.03E-04 1.64E-08 2x AI<br />
DFAB-1oo2D 1.73E-07 8.65E-07 1.73E-06 3.46E-06 1.17E-09 8 DO<br />
TFAB-2oo3 2.70E-07 1.35E-06 2.70E-06 5.40E-06 2.16E-09 10 DO<br />
Table 12: Probability of failure, external hardware voter<br />
All tables are based on a mean time to repair of MTTR = 24 hours.<br />
The safe failure fraction for a complete system is SFF > 99 %, with the exception of SCM1<br />
modules. SCM1 modules have a SFF = 97.65%.<br />
The diagnostic coverage is DC > 99%.<br />
All components except hardware voters are complex type B components with HFT = 1.<br />
Hardware voters are type A components, also with HFT = 1.<br />
<strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> systems - <strong>safety</strong> <strong>manual</strong> Rev00.01 24.01.2011.doc page 47 of 50
Cards in DualCore-S or COMPECT-FS1 systems can be configured in single-card mode,<br />
with card-internal redundancy. This affects the handling of i/o signals and results in a higher<br />
probability of failure for those cards, as shown in Table 11. When the cards are configured in<br />
multiple-card mode – using two or three separate cards to achieve hardware fault tolerance –<br />
Table 10 is used for the PFD and PFH calculation.<br />
In DualCore-S or COMPACT-FS1 systems the processor card MPU-M1 can not be used in<br />
multiple-card mode. If redundant MPU-M1 cards are used they are always configured in single-card<br />
mode as hot-standby.<br />
I/O cards of type MCADA-S support analog input and output signals. If both signal types are<br />
used in the <strong>safety</strong> function, the values are selected from row “MCADA-S”. If only one type is<br />
used, the values are selected from row “MCADA-S IN” for analog input or “MCADA-S<br />
OUT” for analog output.<br />
The number of available digital output signals on MCDOT-S cards depends on the system<br />
architecture:<br />
• <strong>GA</strong> DualCore-S, card internal redundancy: 8 digital outputs, on SR-01 relay, 1oo2<br />
• <strong>GA</strong> DUPLEX-S, full redundancy: 8 digital outputs, on DFAB-1oo2D voter<br />
• <strong>GA</strong> TMR-S, full redundancy: 10 digital outputs, on TFAB-2oo3 voter<br />
See technical <strong>manual</strong>s for each card about additional information on the number of available<br />
i/o signals.<br />
12.2.2 SIL example <strong>GA</strong> DUPLEX-S<br />
Figure 20: Reliability block diagram, 1-out-of-2D example<br />
Figure 20 shows an example for a <strong>GA</strong> DUPLEX-S system. One set of redundant MCDIN-S<br />
input cards reads up to 24 digital input states. One set of MCDOT-S output cards sets up to 8<br />
digital outputs. One external voter DFAB-1oo2D combines those 8 redundant output signals<br />
into 8 field outputs. To calculate the probability of failure for a <strong>safety</strong> function that uses not<br />
more than these i/o signals, the probability of failure values from Table 10 are used:<br />
PFDavg, total = PFDavg, MCDIN-S + PFDavg, MCDOT-S + PFDavg, DFAB-1oo2D<br />
PFDavg, total = 8.88E-06, for T1 = 10 years<br />
PFHG, total = PFHG, MCDIN-S + PFHG, MCDOT-S + PFHG, DFAB-1oo2D<br />
PFHG, total = 8.91E-09<br />
PFDavg is proportional to the proof test interval T1, so the PFDavg value must be taken from<br />
the respective column.<br />
The logic solver according to the example above is suitable for use in SIL3 <strong>safety</strong> functions.<br />
The probability of failure in low demand mode – PFDavg, total = 8.88E-06 for T1 = 10 years – is<br />
<strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> systems - <strong>safety</strong> <strong>manual</strong> Rev00.01 24.01.2011.doc page 48 of 50
elow the limit for SIL3. The probability in high demand mode – PFHG, total = 8.91E-09 – also<br />
is below the SIL3 limit.<br />
With hardware fault tolerance HFT = 1 and safe failure fraction SFF > 99.8% architectural<br />
constraints according to IEC 61508-2, table 2 and table 3, also allow SIL3.<br />
Note: The suitability of the complete <strong>safety</strong> function for the required SIL must be checked,<br />
since the logic solver is only a part of the complete <strong>safety</strong> loop!<br />
12.2.3 SIL example <strong>GA</strong> DualCore-S<br />
A <strong>safety</strong> function requires one (redundant) analog input, one (redundant) digital input, two<br />
independent digital output signals and shall meet SIL3 requirements.<br />
A <strong>GA</strong> DualCore-S system with internal card redundancy is chosen as logic solver.<br />
Figure 21: Reliability block diagram, <strong>GA</strong> DualCore-S<br />
Figure 21 shows the reliability block diagram for the chosen logic solver. The input cards<br />
each can handle up to 12 analog (MCAD-S) or digital (MCDIN-S) input signals. The output<br />
card (MCDOT-S) can set up to 8 independent, redundant digital outputs. The hardware voter<br />
SR-01-42-24-00 combines two redundant output signals into one field signal, so two voters<br />
are required.<br />
The <strong>safety</strong> calculation according to Table 11 and Table 12 shows:<br />
PFDavg, total = PFDavg, MCAD-S + PFDavg, MCDIN-S + PFDavg, MCDOT-S + 2 * PFDavg, SR-01<br />
PFDavg, total = 2.71E-05, for T1 = 10 years<br />
PFHG, total = PFHG, MCAD-S + PFHG, MCDIN-S + PFHG, MCDOT-S + 2 * PFHG, SR-01<br />
PFHG, total = 2.69E-08<br />
The probability of failure in low demand mode – PFDavg, total = 2.71E-05 for T1 = 10 years – is<br />
below the limit for SIL3.<br />
The probability in high demand mode – PFHG, total = 2.69E-08 – also is below the SIL3 limit,<br />
but it is higher than the 15% fraction of SIL3 that is the recommended limit for the logic<br />
solver.<br />
The logic solver may be suitable for use in SIL3 <strong>safety</strong> functions.<br />
With hardware fault tolerance HFT = 1 and safe failure fraction SFF > 99.8% architectural<br />
constraints according to IEC 61508-2, table 2 and table 3, also allow SIL3.<br />
Note: The suitability of the complete <strong>safety</strong> function for the required SIL must be checked,<br />
since the logic solver is only a part of the complete <strong>safety</strong> loop!<br />
<strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> systems - <strong>safety</strong> <strong>manual</strong> Rev00.01 24.01.2011.doc page 49 of 50
13 Index<br />
calculations<br />
failure rate .......................................... 45<br />
MTTR................................................. 45<br />
cards<br />
DSPVCU ............................................ 22<br />
i/o................................ 20, 27, 28, 37, 38<br />
ICU............................. 21, 38, 40, 42, 43<br />
MCADA-S ........... 16, 27, 28, 29, 30, 43<br />
MCAD-S ...................................... 43, 44<br />
MCDIN-S........................................... 43<br />
MCDOT-S 25, 27, 28, 29, 30, 36, 43, 44<br />
MCxxx-S .................... 18, 20, 21, 38, 42<br />
MPU-M1 .......................... 28, 29, 30, 38<br />
certificate.................................................. 7<br />
common cause........................................ 45<br />
communication17, 25, 27, 28, 30, 34, 35,<br />
36, 37, 40, 41, 42<br />
DCS .............. 17, 27, 29, 30, 34, 37, 41, 42<br />
diagnostic test................................... 25, 26<br />
Engineering<br />
Hardware ...................................... 27, 28<br />
software .................................. 27, 28, 30<br />
station ....... 17, 27, 29, 34, 37, 38, 41, 42<br />
<strong>GA</strong> BlueEdit17, 28, 29, 31, 33, 34, 35, 37,<br />
38, 40, 42, 43<br />
<strong>GA</strong> DualCore-S................................ 17, 23<br />
<strong>GA</strong> DUPLEX-S.................... 17, 23, 25, 31<br />
<strong>GA</strong> <strong>safety</strong> systems.................................. 40<br />
<strong>GA</strong> TMR-S............................................. 17<br />
IEC 61508 .......................................... 7, 11<br />
key switch ............................ 17, 36, 40, 41<br />
lifecycle............................................ 11, 12<br />
maintenance9, 11, 17, 29, 30, 33, 34, 37,<br />
38, 40, 41<br />
PES system11, 12, 17, 25, 26, 27, 28, 29,<br />
30, 33, 34, 37, 38, 40, 41<br />
process data ............................................ 42<br />
program cycle time................................. 25<br />
proof test .......................................... 26, 45<br />
running ..................... 17, 30, 34, 38, 40, 41<br />
Selbsttest ................................................ 24<br />
self test ................................................... 42<br />
SIL3-approved functions............ 29, 30, 36<br />
system reaction time25, 26, 27, 28, 29, 30,<br />
35, 36<br />
time synchronisation .............................. 42<br />
trend analyzer......................................... 42<br />
visualisation system ............................... 42<br />
visualization system ......................... 17, 35<br />
<strong>GA</strong> <strong>BlueLine</strong> <strong>safety</strong> systems - <strong>safety</strong> <strong>manual</strong> Rev00.01 24.01.2011.doc page 50 of 50