Safety Considerations Guide for Trident v2 Systems - TUV ...
Chapter 2 Application Guidelines, page 20

Safety Measure: Redundancy with Cross-Checking

Description: In safety-related Fieldbus applications, the safety data may be sent twice, within one or two separate messages, using identical or different integrity measures independent from the underlying Fieldbus. In addition, the transmitted safety data is cross-checked for validity over the Fieldbus, or over a separate connection source or sink unit. If a difference is detected, an error has taken place:
• during transmission
• in the processing unit of the source
• in the processing unit of the sink
When redundant media are used, common mode protection using suitable measures (for example, diversity and time-skewed transmission) should be considered.

Protects Against:
• Corruption (only for serial busses, and only comparable with a high-quality data assurance mechanism if a calculation can show that the residual error rate reaches the values required when two messages are sent through independent transceivers)
• Unintended Repetition
• Incorrect Sequence
• Loss
• Insertion

Safety Measure: Different Data Integrity Assurance Systems

Description: If safety-relevant and non-safety-relevant data are transmitted via the same bus, different data integrity assurance systems or encoding principles may be used (for example, different hash functions or different CRC generator polynomials and algorithms), to ensure that non-safety-relevant messages cannot influence any safety function in a safety-relevant receiver.

Protects Against:
• Masquerade

• PID and other control algorithms should not be used for safety-related functions. Each control function should be checked to verify that it does not provide a safety-related function.
• Pointers should not be used for safety-related functions. For TriStation 1131 applications, this includes the use of VAR_IN_OUT variables.
• An SIS PES should be wired and grounded according to the procedures defined by the manufacturer.
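The two measures in the table above, sending the safety data as a second cross-checked copy and protecting it with a CRC generator polynomial different from the one the bus uses, are shown at work in the following Python sketch. This is an added example, not code from the Trident guide or from Triconex: the frame layout, the polynomials (CRC-16/CCITT 0x1021 assumed for the bus, CRC-16/IBM 0x8005 reserved for the safety layer), the connection identifiers, the verdict names and the sample traffic are all constructed for the example.

```python
"""Safety-layer framing over an untrusted bus (constructed example, not Triconex code).
Measure 1: safety data is sent twice as two cross-checked copies, each with its own CRC.
Measure 2: the safety layer's CRC polynomial differs from the bus's own CRC polynomial."""
import struct

BUS_CRC_POLY = 0x1021     # CRC-16/CCITT polynomial, assumed for the underlying bus
SAFETY_CRC_POLY = 0x8005  # CRC-16/IBM polynomial, reserved here for the safety layer

OK = "ok"
CORRUPTION = "corruption"            # one copy intact, the other not: cross-check failed
INTEGRITY = "integrity_failed"       # neither copy verifies: corruption or masquerade
REPETITION = "unintended_repetition"
SEQUENCE = "incorrect_sequence"
LOSS = "loss"
INSERTION = "insertion"              # well-formed PDU from a connection the sink does not expect


def crc16(data: bytes, poly: int, init: int = 0xFFFF) -> int:
    """Bit-serial CRC-16, MSB first, no reflection, no final XOR."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def safety_frame(conn_id: int, seq: int, payload: bytes) -> bytes:
    """Source side: header | copy A | CRC A | copy B (bit-inverted) | CRC B."""
    header = struct.pack(">HH", conn_id, seq)
    copy_a = payload
    copy_b = bytes(b ^ 0xFF for b in payload)                      # diverse encoding of copy B
    crc_a = crc16(header + copy_a, SAFETY_CRC_POLY)
    crc_b = crc16(header + copy_b, SAFETY_CRC_POLY, init=0x0000)   # different initial value
    return header + copy_a + struct.pack(">H", crc_a) + copy_b + struct.pack(">H", crc_b)


def bus_send(data: bytes) -> bytes:
    """The bus appends its own CRC; the safety layer never relies on it."""
    return data + struct.pack(">H", crc16(data, BUS_CRC_POLY))


def bus_receive(wire: bytes):
    """Bus side: hand the data up if the bus CRC verifies, otherwise drop it."""
    data, crc = wire[:-2], struct.unpack(">H", wire[-2:])[0]
    return data if crc16(data, BUS_CRC_POLY) == crc else None


class SafetyReceiver:
    """Sink side: integrity check, cross-check of both copies, sequence tracking."""

    def __init__(self, known_connections):
        self.expected = {cid: 0 for cid in known_connections}   # next sequence number per source

    def receive(self, pdu: bytes):
        """Return (verdict, payload); payload is None unless the verdict is OK."""
        if len(pdu) < 10 or (len(pdu) - 8) % 2:
            return INTEGRITY, None
        n = (len(pdu) - 8) // 2
        header, copy_a, copy_b = pdu[:4], pdu[4:4 + n], pdu[6 + n:6 + 2 * n]
        crc_a = struct.unpack(">H", pdu[4 + n:6 + n])[0]
        crc_b = struct.unpack(">H", pdu[6 + 2 * n:])[0]
        a_ok = crc_a == crc16(header + copy_a, SAFETY_CRC_POLY)
        b_ok = crc_b == crc16(header + copy_b, SAFETY_CRC_POLY, init=0x0000)
        if not a_ok and not b_ok:
            return INTEGRITY, None
        if a_ok != b_ok or bytes(b ^ 0xFF for b in copy_b) != copy_a:
            return CORRUPTION, None
        conn_id, seq = struct.unpack(">HH", header)
        if conn_id not in self.expected:
            return INSERTION, None
        exp = self.expected[conn_id]
        if seq == exp:
            self.expected[conn_id] = (seq + 1) & 0xFFFF
            return OK, copy_a
        if seq == (exp - 1) & 0xFFFF:
            return REPETITION, None
        if seq > exp:
            # A gap means PDUs were lost; resync here only so the demo can continue.
            self.expected[conn_id] = (seq + 1) & 0xFFFF
            return LOSS, None
        return SEQUENCE, None


def run_scenarios():
    """Drive one receiver through the fault classes in the table; returns {name: verdict}."""
    rx = SafetyReceiver(known_connections=[7])
    frames = [safety_frame(7, s, bytes([s, 0x42])) for s in range(7)]   # constructed traffic
    results = {}
    results["normal"] = rx.receive(bus_receive(bus_send(frames[0])))[0]
    results["repetition"] = rx.receive(frames[0])[0]             # same PDU delivered twice
    rx.receive(frames[1]); rx.receive(frames[2])                 # expected sequence is now 3
    results["incorrect_sequence"] = rx.receive(frames[1])[0]     # stale PDU arrives late
    results["loss"] = rx.receive(frames[5])[0]                   # PDUs 3 and 4 never arrived
    damaged = bytearray(frames[6]); damaged[4] ^= 0x01            # one bit of copy A flipped
    results["corruption"] = rx.receive(bytes(damaged))[0]
    results["insertion"] = rx.receive(safety_frame(99, 0, b"\x00\x00"))[0]
    telemetry = bus_receive(bus_send(b"TEMP=021.5"))             # non-safety traffic, bus-valid
    results["masquerade"] = rx.receive(telemetry)[0]
    return results
```

Calling run_scenarios() yields one verdict per fault class in the table. The sink cannot tell corruption from masquerade when neither copy verifies; both are simply rejected, and a real safety layer would move to the safe state on any rejection instead of resynchronising as the demo does after a detected loss. Time-skewed transmission and the residual-error-rate calculation mentioned in the table are not modelled.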
General Guidelines, page 21

Emergency Shutdown Systems
The safe state of the plant should be a de-energized or low (0) state. All power supplies should be monitored for proper operation.

Burner Management Systems
The safe state of the plant is a de-energized or low (0) state. When a safety system is required to conform to the EN 50156 standard for electrical equipment for furnaces, PES throughput time should ensure that a safe shutdown can be performed within one second after a problem in the process is detected.

Fire and Gas Systems
Fire and gas applications should operate continuously to provide protection. The following industry guidelines apply:
• If inputs and outputs are energized to mitigate a problem, a PES system should detect and alarm open and short circuits in the wiring between the PES and the field devices.
• An entire PES system should have redundant power supplies. Also, the power supplies that are required to activate critical outputs and read safety-critical inputs should be redundant. All power supplies should be monitored for proper operation.
• De-energized outputs may be used for normal operation. To initiate action to mitigate a problem, the outputs are energized. This type of system shall monitor the critical output circuits to ensure that they are properly connected to the end devices.