GA MCU SafetyCore safety manual - TÜV Rheinland Group
GA MCU SafetyCore safety manual - TÜV Rheinland Group GA MCU SafetyCore safety manual - TÜV Rheinland Group
GEBHARDT Automation GmbH GA MCU SafetyCore safety systems Safety Manual
- Page 2 and 3: Title GA MCU SafetyCore safety manu
- Page 4 and 5: 7.3.3 Online modification..........
- Page 6 and 7: 1 Introduction 1.1 Contact informat
- Page 8 and 9: 1.3 General statements All technica
- Page 10 and 11: 2 Safety lifecycle For systematic a
- Page 12 and 13: 3 Product overview 3.1 GA MCU Safet
- Page 14 and 15: Voting on input signals: To increas
- Page 16 and 17: Networks according to Figure 8 may
- Page 18 and 19: 3.6 Functional and display elements
- Page 20 and 21: 3.6.3 Elements of DSPVCU cards Figu
- Page 22 and 23: coupled and tested (position change
- Page 24 and 25: 4 PES system engineering Planning,
- Page 26 and 27: • Interdependencies between safet
- Page 28 and 29: 5 Assembly and installation 5.1 Qua
- Page 30 and 31: 6 Forcing i/o signals 6.1 Procedure
- Page 32 and 33: Warning 5 During commissioning safe
- Page 34 and 35: 8 Maintenance 8.1 Qualified personn
- Page 36 and 37: 9 Access authorization 9.1 User log
- Page 38 and 39: 10 Diagnostic information 10.1 Diag
- Page 40 and 41: 11 Common technical data power supp
- Page 42 and 43: 12.2 Characteristic safety values T
- Page 44 and 45: 12.2.3 SIL example GA DualCore-S A
GEBHARDT Automation GmbH<br />
<strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong><br />
<strong>safety</strong> systems<br />
Safety Manual
Title <strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> <strong>safety</strong> <strong>manual</strong><br />
File <strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> - <strong>safety</strong> <strong>manual</strong> Rev00.00 23072009.doc<br />
Document<br />
number<br />
Revision index Description<br />
G0.HA.0003.031.41.088.00.00.E.E.O<br />
document history<br />
Author<br />
Review<br />
Release<br />
00.00 first release A = StS<br />
R = MK<br />
Re = UG<br />
Involved at GEBHARDT Automation GmbH: Ulrich Gebhardt (UG), Wolfgang Paulicks (WP),<br />
Markus König (MK), Stephan Schild (StS), Dr. Peter Dellwig (PD)<br />
Relevant documents:<br />
/1/ <strong>GA</strong> safeEdit user <strong>manual</strong><br />
/2/ <strong>GA</strong> MCAD-S mod 1 technical description<br />
/3/ <strong>GA</strong> MCADA-S mod 1 technical description<br />
/4/ <strong>GA</strong> MCDIN-S mod 1 technical description<br />
/5/ <strong>GA</strong> MCDOT-S mod 1 technical description<br />
/6/ <strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> checklists<br />
Date<br />
<strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> - <strong>safety</strong> <strong>manual</strong> Rev00.00 23072009.doc page 2 of 45<br />
23.07.2009
Contents<br />
1 INTRODUCTION ...................................................................................................................................... 6<br />
1.1 CONTACT INFORMATION...................................................................................................................... 6<br />
1.2 DOCUMENT SCOPE, APPLIED STANDARDS ............................................................................................ 7<br />
1.3 GENERAL STATEMENTS........................................................................................................................ 8<br />
1.4 DOCUMENT MAP .................................................................................................................................. 9<br />
2 SAFETY LIFECYCLE ............................................................................................................................ 10<br />
3 PRODUCT OVERVIEW......................................................................................................................... 12<br />
3.1 <strong>GA</strong> <strong>MCU</strong> SAFETYCORE CONCEPT ..................................................................................................... 12<br />
3.2 SYSTEM INTEGRATION ....................................................................................................................... 15<br />
3.3 HARDWARE COMPONENTS ................................................................................................................. 16<br />
3.4 DIAGNOSTIC COVERAGE .................................................................................................................... 16<br />
3.5 ERROR RESPONSE............................................................................................................................... 16<br />
3.6 FUNCTIONAL AND DISPLAY ELEMENTS OF HARDWARE COMPONENTS ................................................ 18<br />
3.6.1 Elements of MCxxx-S cards.......................................................................................................... 18<br />
3.6.2 Elements of ICU cards ................................................................................................................. 19<br />
3.6.3 Elements of DSPVCU cards......................................................................................................... 20<br />
3.6.4 Elements of cooling fan................................................................................................................ 20<br />
3.6.5 Elements of the <strong>safety</strong> relay <strong>GA</strong> SR-01-42-24-00......................................................................... 21<br />
3.6.6 Elements of DFAB-1oo2D external hardware voter .................................................................... 21<br />
3.6.7 Elements of TFAB DIGIO 2oo3 ................................................................................................... 22<br />
3.7 SAFETY TIME AND REACTION TIME .................................................................................................... 22<br />
3.7.1 System reaction time .................................................................................................................... 22<br />
3.7.2 Diagnostic test interval ................................................................................................................ 23<br />
3.7.3 Process <strong>safety</strong> time....................................................................................................................... 23<br />
3.7.4 Proof test interval......................................................................................................................... 23<br />
4 PES SYSTEM ENGINEERING.............................................................................................................. 24<br />
4.1 HARDWARE ENGINEERING................................................................................................................. 24<br />
4.1.1 Specification of <strong>safety</strong> requirements............................................................................................. 24<br />
4.1.2 Hardware design and validation planning................................................................................... 24<br />
4.1.3 System integration........................................................................................................................ 24<br />
4.1.4 Hardware engineering, check list ................................................................................................25<br />
4.2 SOFTWARE ENGINEERING .................................................................................................................. 25<br />
4.2.1 Specification of <strong>safety</strong> requirements............................................................................................. 25<br />
4.2.2 Software design and validation planning..................................................................................... 25<br />
4.2.3 SIL3-approved function blocks..................................................................................................... 26<br />
4.2.4 Integration of PES hardware and software.................................................................................. 26<br />
4.2.5 Software validation ...................................................................................................................... 26<br />
4.2.6 Software engineering, check list................................................................................................... 27<br />
5 ASSEMBLY AND INSTALLATION..................................................................................................... 28<br />
5.1 QUALIFIED PERSONNEL...................................................................................................................... 28<br />
5.2 SAFETY-RELEVANT RESTRICTIONS OF USE ......................................................................................... 28<br />
5.3 MOUNTING AND CONNECTING ........................................................................................................... 28<br />
5.4 ASSEMBLY AND INSTALLATION, CHECK LIST ..................................................................................... 29<br />
6 FORCING I/O SIGNALS........................................................................................................................ 30<br />
6.1 PROCEDURE ....................................................................................................................................... 30<br />
6.2 FORCING I/O SIGNALS, CHECK LIST .................................................................................................... 30<br />
7 COMMISSIONING ................................................................................................................................. 31<br />
7.1 QUALIFIED PERSONNEL...................................................................................................................... 31<br />
7.2 COMMISSIONING PROCEDURES .......................................................................................................... 31<br />
7.3 APPLICATION SOFTWARE MODIFICATION........................................................................................... 32<br />
7.3.1 Program modifications................................................................................................................. 32<br />
7.3.2 Parameter modification................................................................................................................ 32<br />
<strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> - <strong>safety</strong> <strong>manual</strong> Rev00.00 23072009.doc page 3 of 45
7.3.3 Online modification...................................................................................................................... 32<br />
7.4 COMMISSIONING, CHECK LIST............................................................................................................ 33<br />
8 MAINTENANCE ..................................................................................................................................... 34<br />
8.1 QUALIFIED PERSONNEL...................................................................................................................... 34<br />
8.2 MAINTENANCE PROCEDURES............................................................................................................. 34<br />
8.3 EXCHANGE OF COMPONENTS ............................................................................................................. 35<br />
8.4 MAINTENANCE, CHECK LIST .............................................................................................................. 35<br />
9 ACCESS AUTHORIZATION................................................................................................................. 36<br />
9.1 USER LOGIN....................................................................................................................................... 36<br />
9.2 KEY SWITCH FOR OPERATING MODE .................................................................................................. 36<br />
10 DIAGNOSTIC INFORMATION............................................................................................................ 38<br />
10.1 DIAGNOSTIC DATA............................................................................................................................. 38<br />
10.2 PROCESS DATA................................................................................................................................... 38<br />
10.3 ANALYZING ERROR MESSAGES .......................................................................................................... 39<br />
11 COMMON TECHNICAL DATA ...........................................................................................................40<br />
12 SAFETY SPECIFIC DATA .................................................................................................................... 41<br />
12.1 SYMBOLS AND ABBREVIATIONS......................................................................................................... 41<br />
12.2 CHARACTERISTIC SAFETY VALUES..................................................................................................... 42<br />
12.2.1 <strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong>: Probability of Failure data.................................................................. 42<br />
12.2.2 SIL example <strong>GA</strong> DUPLEX-S ................................................................................................... 43<br />
12.2.3 SIL example <strong>GA</strong> DualCore-S................................................................................................... 44<br />
13 INDEX ....................................................................................................................................................... 45<br />
List of warnings<br />
Warning 1.................................................................................................................................. 8<br />
Warning 2.................................................................................................................................. 8<br />
Warning 3................................................................................................................................ 28<br />
Warning 4................................................................................................................................ 30<br />
Warning 5................................................................................................................................ 32<br />
Warning 6................................................................................................................................ 32<br />
Warning 7................................................................................................................................ 34<br />
Warning 8................................................................................................................................ 36<br />
Warning 9................................................................................................................................ 37<br />
<strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> - <strong>safety</strong> <strong>manual</strong> Rev00.00 23072009.doc page 4 of 45
List of figures<br />
Figure 1: document map............................................................................................................ 9<br />
Figure 2: overall <strong>safety</strong> lifecycle............................................................................................. 10<br />
Figure 3: hardware <strong>safety</strong> lifecycle ......................................................................................... 11<br />
Figure 4: software <strong>safety</strong> lifecycle .......................................................................................... 11<br />
Figure 5: <strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> concept, DualCore-S configuration ..................................... 12<br />
Figure 6: <strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> concept, DUPLEX-S configuration ..................................... 13<br />
Figure 7: <strong>GA</strong> BlueLine system schematic............................................................................... 14<br />
Figure 8: Example for network integration............................................................................. 15<br />
Figure 9: front panel and elements of MCxxx-S cards ........................................................... 18<br />
Figure 10: front panel and elements of ICU cards .................................................................. 19<br />
Figure 11: front panel and elements of DSPVCU card........................................................... 20<br />
Figure 12: front panel and elements of cooling fan ................................................................ 20<br />
Figure 13: <strong>GA</strong> SR-01-42-24-00 relay voter, 1oo2 .................................................................. 21<br />
Figure 14: DFAB-1oo2D majority voter................................................................................. 21<br />
Figure 15: TFAB DIGIO 2oo3 majority voter........................................................................ 22<br />
Figure 16: user login ............................................................................................................... 36<br />
Figure 17: key switch Running/Maintenance.......................................................................... 36<br />
Figure 18: Reliability block diagram, 1-out-of-2D example................................................... 43<br />
Figure 19: Reliability block diagram, <strong>GA</strong> DualCore-S........................................................... 44<br />
List of tables<br />
Table 1: check list hardware engineering................................................................................ 25<br />
Table 2: check list software engineering, system integration ................................................. 27<br />
Table 3: check list software engineering, programming......................................................... 27<br />
Table 4: check list software engineering, validation............................................................... 27<br />
Table 5: check list assembly and installation.......................................................................... 29<br />
Table 6: check list forcing i/o signals...................................................................................... 30<br />
Table 7: check list commissioning.......................................................................................... 33<br />
Table 8: check list commissioning, program modification..................................................... 33<br />
Table 9: check list maintenance, exchanging cards ................................................................ 35<br />
Table 10: Probability of failure, externally redundant i/o cards ............................................. 42<br />
Table 11: Probability of failure, internally redundant i/o cards .............................................. 42<br />
Table 12: Probability of failure, external hardware voter ....................................................... 42<br />
<strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> - <strong>safety</strong> <strong>manual</strong> Rev00.00 23072009.doc page 5 of 45
1 Introduction<br />
1.1 Contact information<br />
GEBHARDT Automation GmbH<br />
Oelkinghauser Str. 12 a<br />
D- 58256 Ennepetal<br />
Germany<br />
Tel.: +49 2333 7908 - 0<br />
available during working hours, Mo to Fr, from 8 00 to 17 00 (5 pm)<br />
central european time (CET, GMT+1).<br />
FAX: +49 2333 7908 - 24<br />
Web: www.gebhardt-automation.de<br />
Support support@gebhardt-automation.de<br />
Information info@gebhardt-automation.de<br />
<strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> - <strong>safety</strong> <strong>manual</strong> Rev00.00 23072009.doc page 6 of 45
1.2 Document scope, applied standards<br />
This document applies to the following products:<br />
• components based on <strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong><br />
• systems build with <strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> components<br />
The GEBHARDT Automation GmbH <strong>safety</strong> systems are <strong>TÜV</strong> certified for <strong>safety</strong> integrity<br />
level SIL 3 according to IEC 61508 standard and conform to :<br />
<strong>TÜV</strong> <strong>Rheinland</strong> <strong>Group</strong><br />
<strong>TÜV</strong> Industrie Service GmbH<br />
Automation, Software und Informationstechnologie<br />
Am Grauen Stein<br />
D - 51105 Köln<br />
Certificate and test report No. 968/EZ 351.00/09<br />
Programmable electronic <strong>safety</strong> systems<br />
<strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong><br />
GEBHARDT Automation GmbH is entitled to use the above mark of conformity for „Functional<br />
Safety“ with its SIL3 certified <strong>safety</strong> systems.<br />
The systems are designed in accordance with following standards. All important, <strong>safety</strong> relevant<br />
features are tested according to:<br />
• IEC 61508 Part 1 – 7:<br />
Functional <strong>safety</strong> of programmable electronic systems<br />
• DIN EN 954-1: 1996<br />
Safety of Machinery, Safety related parts of control systems<br />
Part 1: General principles for design<br />
• EN ISO 13849-1: 2006<br />
Safety of machinery, Safety-related parts of control systems,<br />
Part 1: General principles for design<br />
• IEC 61511-1: 2003<br />
Functional <strong>safety</strong> - Safety instrumented systems for the process industry sector<br />
• DIN EN 50178: 1998<br />
Electronic equipment for use in power installations<br />
• IEC 61131-2: 2003<br />
Programmable controllers, Part 2: Equipment requirements and tests<br />
• EN 60204-1: 2006<br />
Safety of machinery - Electrical equipment of machines<br />
Part 1: General requirements<br />
<strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> - <strong>safety</strong> <strong>manual</strong> Rev00.00 23072009.doc page 7 of 45
1.3 General statements<br />
All technical data and information in this document were compiled and controlled with utmost<br />
care. Nevertheless errors can not completely be excluded. GEBHARDT Automation<br />
GmbH assumes no liability for consequences due to incorrect information.<br />
The systems based on the <strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> are designed, manufactured and tested according<br />
to applicable <strong>safety</strong> standards. They must be used only as specified in technical descriptions<br />
and be connected only to approved external devices. The permissible ambient conditions<br />
must be adhered to.<br />
Modification is strictly prohibited. Use only approved replacement parts for repair and maintenance.<br />
Warning 1<br />
Accurate implementation of all <strong>safety</strong> instructions by qualified personnel is required<br />
for every phase of the life cycle, especially installation, commissioning, operating<br />
and maintenance of <strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> systems.<br />
Disregard of the <strong>safety</strong> <strong>manual</strong> and referenced documents may compromise the performance<br />
of <strong>safety</strong> functions and cause the loss of a required <strong>safety</strong> integrity level (SIL or PL). It may<br />
lead to severe damage to property or environment and death of personnel.<br />
Warning 2<br />
Unqualified use or handling of the systems may impair the performance of <strong>safety</strong><br />
functions and may lead to severe damage to property or environment and death of<br />
personnel. GEBHARDT Automation shall have neither liability nor responsibility<br />
for improper use of equipment.<br />
It is strictly prohibited to reproduce the software for <strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> systems except for<br />
the purpose of backup.<br />
Any reverse engineering, such as reverse compilation or dis-assembling of the software is<br />
strictly prohibited.<br />
The GEBHARDT Automation products mentioned in this document may be registered<br />
trademarks.<br />
All other company and product names mentioned in this document are trademarks or registered<br />
trademarks of their respective companies.<br />
No part of this document may be reproduced or transferred without prior written consent<br />
from GEBHARDT Automation GmbH.<br />
GEBHARDT Automation GmbH reserves the right to make improvements at any time, without<br />
notice or obligation.<br />
All rights reserved.<br />
<strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> - <strong>safety</strong> <strong>manual</strong> Rev00.00 23072009.doc page 8 of 45
1.4 Document map<br />
<strong>GA</strong> MCAD-S mod 1<br />
technical<br />
description<br />
<strong>GA</strong> DualCore-S racks<br />
technical<br />
description<br />
<strong>GA</strong> SR-01-42-24-00<br />
technical<br />
description<br />
<strong>GA</strong> ICU mod 1<br />
technical<br />
description<br />
Flyer<br />
<strong>GA</strong> BlueLine<br />
systems<br />
<strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong><br />
<strong>safety</strong> <strong>manual</strong><br />
<strong>GA</strong> safeEdit<br />
user <strong>manual</strong><br />
<strong>GA</strong> MCDIN-S mod 1<br />
technical<br />
description<br />
<strong>GA</strong> DUPLEX-S racks<br />
technical<br />
description<br />
<strong>GA</strong> DFAB-1oo2D<br />
technical<br />
description<br />
<strong>GA</strong> ICU mod 2<br />
technical<br />
description<br />
Flyer<br />
Safety &<br />
Availability<br />
central <strong>manual</strong>s<br />
<strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong><br />
installation<br />
<strong>manual</strong><br />
software<br />
hardware<br />
information<br />
<strong>GA</strong> safeEdit<br />
online help<br />
<strong>GA</strong> MCDOT-S mod 1<br />
technical<br />
description<br />
<strong>GA</strong> TMR-S racks<br />
technical<br />
description<br />
<strong>GA</strong> TFAB-DIGIO-2oo3<br />
technical<br />
description<br />
<strong>GA</strong> FPR mod 3<br />
technical<br />
description<br />
Flyer<br />
i/o cards<br />
Figure 1: document map<br />
<strong>TÜV</strong><br />
Revision<br />
Release List<br />
<strong>GA</strong> MCADA-S mod 1<br />
technical<br />
description<br />
<strong>GA</strong> DSPVCU<br />
technical<br />
description<br />
Flyer<br />
Non-SIL3 systems<br />
Figure 1 shows documents relevant to <strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> systems. This <strong>manual</strong> will reference<br />
to the appropriate documents as required.<br />
Informative documents show an overview of their respective topic but are not <strong>safety</strong> relevant.<br />
They are not referenced in this <strong>safety</strong> <strong>manual</strong>.<br />
<strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> - <strong>safety</strong> <strong>manual</strong> Rev00.00 23072009.doc page 9 of 45
2 Safety lifecycle<br />
For systematic assessment of <strong>safety</strong> the IEC 61508 standard considers the complete lifecycle<br />
of a system: beginning at the planning stage, continuing with commissioning, distribution,<br />
maintenance and repair, up to de-commissioning. This overall <strong>safety</strong> lifecycle is separated<br />
into 16 phases, defining methods and activities to achieve the required <strong>safety</strong> integrity for<br />
each phase.<br />
Overall<br />
operation and<br />
maintenance<br />
planning<br />
Overall planning<br />
Overall<br />
<strong>safety</strong><br />
validation<br />
planning<br />
6 7 8<br />
Overall<br />
installation and<br />
commissioning<br />
planning<br />
1<br />
2<br />
3<br />
4<br />
5<br />
12<br />
13<br />
Concept<br />
Overall scope<br />
definition<br />
Hazard and risk<br />
analysis<br />
Overall <strong>safety</strong><br />
requirements<br />
Safety requirements<br />
allocation<br />
Overall installation<br />
and commissioning<br />
Overall <strong>safety</strong><br />
validation<br />
Overall operation,<br />
14 maintenance and repairr<br />
16<br />
9<br />
Safety-related<br />
Systems:<br />
E/E/PES<br />
Realisation<br />
(see E/E/PES<br />
<strong>safety</strong><br />
lifecycle)<br />
Decommissioning<br />
or disposal<br />
10<br />
Figure 2: overall <strong>safety</strong> lifecycle<br />
Safety-related<br />
systems:<br />
other technology<br />
15<br />
Realisation<br />
Overall modification<br />
and retrofit<br />
11<br />
External risk<br />
reduction<br />
facilities<br />
Realisation<br />
This document concentrates on phase 9 of the overall <strong>safety</strong> lifecycle, the <strong>safety</strong>-related<br />
E/E/PES system. Specific lifecycles for hardware and software <strong>safety</strong> design define more<br />
detailed phases.<br />
Phases 10 (other technology, i.e. mechanical emergency shut down) and 11 (external facilities,<br />
i.e. escape routes or protective barriers) are not relevant for the scope of this document.<br />
<strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> - <strong>safety</strong> <strong>manual</strong> Rev00.00 23072009.doc page 10 of 45
9.2<br />
E/E/PES <strong>safety</strong><br />
validation planning<br />
9.1<br />
9.1.1<br />
Safety functions<br />
requirements<br />
specification<br />
9.3<br />
9.4<br />
9.6<br />
E/E/PES <strong>safety</strong> requirements<br />
specification<br />
9.1.2<br />
E/E/PES design<br />
and development<br />
E/E/PES integration<br />
E/E/PES<br />
<strong>safety</strong> validation<br />
Safety integrity<br />
requirements<br />
specification<br />
to box 12 in<br />
overall <strong>safety</strong> lifecycle<br />
9.5<br />
Figure 3: hardware <strong>safety</strong> lifecycle<br />
E/E/PES operation and<br />
maintenance<br />
procedures<br />
to box 14 in<br />
overall <strong>safety</strong> lifecycle<br />
The hardware <strong>safety</strong> lifecycle must be considered during planning and design of the E/E/PES<br />
system. This document defines activities and procedures for each phase.<br />
9.2<br />
Software <strong>safety</strong><br />
validation planning<br />
9.1<br />
9.1.1<br />
Safety functions<br />
requirements<br />
specification<br />
9.3<br />
9.4<br />
9.6<br />
Software <strong>safety</strong><br />
requirements specification<br />
9.1.2<br />
Software design<br />
and development<br />
PE integration<br />
(hardware/software)<br />
Software <strong>safety</strong><br />
validation<br />
Safety integrity<br />
requirements<br />
specification<br />
to box 12 in<br />
overall <strong>safety</strong> lifecycle<br />
9.5<br />
Figure 4: software <strong>safety</strong> lifecycle<br />
Software operation and<br />
modification procedures<br />
to box 14 in<br />
overall <strong>safety</strong> lifecycle<br />
The software <strong>safety</strong> lifecycle must be considered during planning and design of software for<br />
the E/E/PES system. This document defines activities and procedures for each phase.<br />
<strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> - <strong>safety</strong> <strong>manual</strong> Rev00.00 23072009.doc page 11 of 45
3 Product overview<br />
3.1 <strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> concept<br />
The <strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> concept is based on <strong>MCU</strong>-S (Micro Controller Unit for Safety)<br />
cards:<br />
“smart” i/o cards with integrated micro controller units. The system architecture of each card<br />
is consistently dual redundant with hardware fault tolerance HFT = 1. Redundant micro controllers<br />
– <strong>MCU</strong>-A and <strong>MCU</strong>-B – access the card’s i/o signals, handle signal diagnostics, continuously<br />
monitor each other for correct operation and run the application software.<br />
The <strong>MCU</strong>-S cards are passively connected to the data bus. A communication controller card<br />
(ICU) actively reads data packages from each <strong>MCU</strong>-S input card (type MCAD-S and<br />
MCADA-S for analog, MCDIN-S for digital input) and sends them to the output cards (type<br />
MCADA-S for analog input and output, MCDOT-S for digital output). The output cards use<br />
the input data to calculate their field output signals according to the application software.<br />
For SIL3 output signals an external hardware voter module is used to create the combined<br />
field output signal.<br />
Figure 5: <strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> concept, DualCore-S configuration<br />
Figure 5 shows the minimal system configuration <strong>GA</strong> DualCore-S, a SIL3 application with<br />
hardware fault tolerance HFT = 1.<br />
• Two <strong>MCU</strong> processors on one input card read input signals from redundant sensors<br />
A and B. Depending on card type each <strong>MCU</strong> can typically read up to 12 input signals.<br />
• The input signals are transmitted via data bus, consisting of the physical bus connection<br />
and a communication controller card, ICU.<br />
• The data is received by one output card with redundant <strong>MCU</strong> processors. Each<br />
<strong>MCU</strong> processes both sensor signals according to the application software, compares<br />
its result with the other <strong>MCU</strong> and separately sets its output signal(s) to the required<br />
state ON/OFF.<br />
• An external hardware voter – basically two relays in serial – combines the output<br />
signals into one 1oo2 field signal. Forcibly guided read-back contacts of the relays<br />
allow separate error diagnostics for each relay.<br />
<strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> - <strong>safety</strong> <strong>manual</strong> Rev00.00 23072009.doc page 12 of 45
For less SIL-demanding applications the input signals may be used non-redundant. Then all<br />
(typically 24) input signals will be available for field signals. See technical <strong>manual</strong>s of i/o<br />
cards for more information.<br />
Figure 6: <strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> concept, DUPLEX-S configuration<br />
Figure 6 shows a dual-redundant configuration. The main difference is the complete card<br />
redundancy. Basically two identical systems, unit A and unit B, are combined via redundant<br />
data bus into a duplex redundant system. The card-internal redundant handling of input signals<br />
as in DualCore-S configuration is not required, since the complete cards are redundant.<br />
The internal signal handling and processing of application software is quadruple redundant,<br />
by two micro controllers <strong>MCU</strong>-A and <strong>MCU</strong>-B on each unit A and B.<br />
The external voter combines the separate output signals into field outputs. Because four<br />
<strong>MCU</strong>s control each output signal and do signal diagnostics, even at detected failure of one<br />
output the system may continue operation. This results in a 1-out-of-2-D voting, where a<br />
failed component may be replaced while the system continues working. 1oo2D voting requires<br />
voter hardware specifically designed to support extended diagnostics. Simple 1oo2<br />
voting is possible with standard relay outputs.<br />
For triple redundancy, <strong>GA</strong> TMR-S, three identical systems (unit A, B and C) are combined<br />
with a hardware 2oo3 voter. Each relevant component exists in triplicate, internal signal<br />
processing actually is six-times redundant. The 2oo3 output selection allows replacing of any<br />
component while the system continues working.<br />
<strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> - <strong>safety</strong> <strong>manual</strong> Rev00.00 23072009.doc page 13 of 45
Voting on input signals:<br />
To increase system availability regarding input signals, it is recommended to activate input<br />
voting. This will take redundant input signals and combine them into one common signal for<br />
use on all output cards. With detected error at one input signal the common signal will be<br />
degraded (e.g. 2oo3 degrades to 1oo2D, 1oo2D degrades to 1oo1D), but the same common<br />
signal will still be available to all output cards.<br />
Without input voting each unit works with its own input signal only, so if input channel 1<br />
fails on unit A, the output card in unit A would see the failed signal only and would set the<br />
output signal to the safe state OFF.<br />
The settings for input signal voting depend on the system architecture, see <strong>GA</strong> safeEdit user<br />
<strong>manual</strong> for more information).<br />
Voting will also allow deviation detection for analog input signals. The tolerable deviation is<br />
configured separately for each signal. See <strong>GA</strong> safeEdit user <strong>manual</strong>, AIN function, for more<br />
information).<br />
Voting on digital output signals:<br />
Each output card does redundant signal processing, using micro-controllers <strong>MCU</strong>-A and<br />
<strong>MCU</strong>-B. The separate output signals of both <strong>MCU</strong>s are compared as 1-out-of-2, to guarantee<br />
correct working of the output card. At failure the card diagnostics will detect a card failure.<br />
The signal and relay states can be read back as analog signals to allow output diagnostics. In<br />
case of relay failure (for example: relay is “stuck at one”) a secondary, independent shutdown<br />
path allows de-energization to the safe state.<br />
Analog output signals<br />
MCADA-S cards have access to all signals generated by input cards, field signals and preprocessed<br />
signals. Two <strong>MCU</strong>s on every card execute the application software, working redundantly<br />
to determine the output signals to hardware. Every <strong>MCU</strong> sets its output signals to<br />
the field. For each output channel there is a channel to read-back the signal information from<br />
the field. In case of a read-back failure the relevant output or all outputs (depending on the<br />
fault reaction) are set to the safe state 0.0 mA. There are independent shut-down paths for the<br />
current generation and the connection to the field. Via these shut-down paths a MCADA-S<br />
can always set the outputs to the safe power-off state.<br />
Figure 7: <strong>GA</strong> BlueLine system schematic<br />
<strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> components may be combined with selected components for regular,<br />
non <strong>safety</strong>-related control functions in <strong>GA</strong> BlueLine systems. These components are certified<br />
not to interfere with <strong>safety</strong> functions. See list of certified components.<br />
<strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> - <strong>safety</strong> <strong>manual</strong> Rev00.00 23072009.doc page 14 of 45
3.2 System integration<br />
Figure 8: Example for network integration<br />
A <strong>safety</strong> project usually consists of at least one PES system (<strong>GA</strong> DualCore-S, <strong>GA</strong> DUPLEX-<br />
S or <strong>GA</strong> TMR-S), one engineering station and one visualization system (DCS, distributed<br />
control system). The PES system autonomously handles the <strong>safety</strong>-relevant functions. During<br />
normal operation, in “running mode”, no unsafe system (regular control, Engineering, DCS)<br />
can interfere with the PES. Only while switched to “maintenance mode” with a hardware key<br />
switch an authorized user can influence or modify the PES system.<br />
Safety-relevant communication between <strong>GA</strong> <strong>safety</strong> systems is available via hardwired i/o<br />
signals. The MPU-M1 card, currently beeing SIL3 certified, will allow redundant ethernet<br />
communication with SIL3 integrity.<br />
Engineering system is a PC, running Windows (2000 or XP) and the integrated development<br />
tool <strong>GA</strong> safeEdit. After activating maintenance mode this system may be used for commissioning<br />
and maintenance of <strong>GA</strong> <strong>safety</strong> systems. In normal operation (running mode) the engineering<br />
station is not required, but may be used by authorized users for extended system<br />
diagnostics.<br />
Optionally engineering may share a PC with DCS. Both programs may be run in parallel on<br />
one computer.<br />
The visualization system (DCS) accesses i/o data and system information via read access<br />
using open communication protocols. Write access from DCS to the PES system must not<br />
interfere with <strong>safety</strong> functions, e.g. interlocking a safe shut-down function with a DCS command<br />
is not allowed. In addition to process values the DCS communication also allows access<br />
to diagnostic information, for visualization, data logging and trending.<br />
Figure 8 shows two variants for a project consisting of one engineering station, one DCS and<br />
two PES systems:<br />
The left figure shows redundant networks. Communication for engineering and process visualization<br />
may be designed dual or triple redundant, depending on the communication capabilities<br />
of the <strong>safety</strong> system. In case of network failure this guarantees undisturbed communication<br />
to the remaining components. Engineering system and DCS must be configured with<br />
independent network cards.<br />
The right figure shows a simple, non-redundant, network. All systems use the same network.<br />
In case of network failure the complete communication may be lost.<br />
Safety functions and <strong>safety</strong> integrity are not influenced by network failures.<br />
<strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> - <strong>safety</strong> <strong>manual</strong> Rev00.00 23072009.doc page 15 of 45
Networks according to Figure 8 may be extended with further systems of all types (PES, control,<br />
DCS, Engineering). The same network may also include other, not <strong>safety</strong> related systems.<br />
3.3 Hardware components<br />
Only hardware components registered in the revision-list of tested and certified components<br />
shall be used in <strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> systems.<br />
See Revision Release List.<br />
3.4 Diagnostic coverage<br />
Multiple build in tests (BITs) implemented in the card firmware allow very high diagnostic<br />
coverage. BITs include power-on tests (run once during start up), cyclic tests (run repeatedly<br />
at fixed time intervals during normal operation) and dynamic tests (i.e. field signal tests or<br />
internal communication). BITs monitor the micro-controllers, the acquisition of field signals,<br />
internal and external memory, the <strong>safety</strong> application software and communication between<br />
modules and units. See <strong>GA</strong> safeEdit user <strong>manual</strong> and <strong>GA</strong> technical description MCxxx-S.<br />
Safety related configuration of diagnostic coverage<br />
Activation/de-activation of input signal monitoring:<br />
Used signals – digital and analog – are monitored for signal range to detect failures of sensor,<br />
transmitter or cable. This failure detection also allows 1oo2D signal handling, continued operation<br />
with one detected failure on two redundant input signals.<br />
Signal diagnostics on spare input signals should be de-activated. Unused signals will have a<br />
fail-safe state (“low” for digital, 0.0 mA for analog, see <strong>GA</strong> technical description MCxxx-S ).<br />
Test interval for field signal tests:<br />
Execution and time interval of field signal tests can be configured during project engineering<br />
only by GEBHARDT Automation GmbH. These settings influence <strong>safety</strong> integrity (i.e. repair<br />
time MTTR) and are password protected. See <strong>GA</strong> technical description MCxxx-S for details.<br />
If there is no specific agreement with the customer, default settings will be used.<br />
Analog input diagnostics on MCAD-S card:<br />
The thresholds for over-range and under-range of current and frequency input signals are<br />
configurable. At each signal access these ranges are checked for failure.<br />
3.5 Error response<br />
Detected errors are displayed using the front side diagnostic LEDs on every MCxxx-S card.<br />
See technical description for the specific cards.<br />
Detected errors on input cards will set the state of affected signals to “faulty”. Only after repair<br />
and acknowledge the state will return to “okay”. The optional software input signal voting<br />
will be degraded, e.g. from 1oo2D to 1oo1D, until the repair is finished and acknowledged.<br />
Detected errors on MCDOT-S output cards will immediately turn off the affected card or<br />
signal (de-energize to trip). Repairs can usually be performed by experienced personnel in a<br />
short time, while the system continues running with reduced hardware fault tolerance.<br />
<strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> - <strong>safety</strong> <strong>manual</strong> Rev00.00 23072009.doc page 16 of 45
In DualCore-S configuration a detected error on a MCDOT-S output card will cause a shutdown.<br />
When redundant units reach different states without being able to assign any error, all outputs<br />
of the affected MCDOT-S cards will turn to “low” and the corresponding field contacts will<br />
open.<br />
Detected errors on outputs of the MCADA-S output cards will immediately turn off the affected<br />
signal or card (0 mA to trip), depending on the fault reaction.<br />
Detected errors on inputs of the MCADA-S output cards will set the state of affected signals<br />
to “faulty”. The status of input and output signals will return to “okay” either <strong>manual</strong>ly after<br />
repair and acknowledge of the failure or automatically, according to the card configuration.<br />
<strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> - <strong>safety</strong> <strong>manual</strong> Rev00.00 23072009.doc page 17 of 45
3.6 Functional and display elements of hardware components<br />
3.6.1 Elements of MCxxx-S cards<br />
All i/o cards use identical functional elements and display LEDs at the front panel. Figure 9<br />
shows diagnostic LEDs and ejection lever.<br />
Figure 9: front panel and elements of MCxxx-S cards<br />
A special module rail in the rack (see bottom right), combined with the guiding pin in the<br />
card’s front panel (see center right) creates galvanic connection and dissipates static charge<br />
before the card electrically connects to the system.<br />
After loosening the neck screws at top and bottom of the front panel the card can be removed<br />
from the system. By pressing the red release button on the ejection lever the integrated micro<br />
switch turns of the card’s power supply and mechanically releases the lever (see center right)<br />
for pushing downwards. This will mechanically extract the card from the rack and internal<br />
data bus, using a clamp and groove mechanism in lever and system rack. This mechanism<br />
prevents accidental removing of cards while the lever is not released.<br />
Replacement cards are inserted using the lever mechanism with clamp and groove. With the<br />
lever pushed down card insertion will be stopped when the clamp hits the groove rail. By<br />
pushing the lever upwards it will mechanically pull the card into the system and data bus. The<br />
card will be turned off while being inserted. Only after mechanically connecting to the data<br />
bus the micro switch will activate the card and lock it into position. This reduces signal interference<br />
on the data bus while inserting or removing cards to non-critical limits.<br />
4 yellow LEDs (see top right) for each <strong>MCU</strong> processor display the current operating mode<br />
and error state.<br />
See technical description of the respective card for further information.<br />
<strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> - <strong>safety</strong> <strong>manual</strong> Rev00.00 23072009.doc page 18 of 45
3.6.2 Elements of ICU cards<br />
The mechanical parts with ejection lever, module rail and guiding pin are identical to<br />
MCxxx-S cards. See Figure 9 and description.<br />
Figure 10: front panel and elements of ICU cards<br />
There are two models of ICU card available: ICU model 1 and ICU model 2. Model 1 comes<br />
with optional extensions for additional communication ports. Model 2 uses a high speed<br />
processor, has redundant ethernet ports and a larger FLASH memory capacity for process<br />
data logging.<br />
The front plates of all ICU variants use LEDs to display status information.<br />
• Ethernet Link/Act: LED shows physical connection and network activity.<br />
Normal state: flashing<br />
• Ethernet 100 or Spd: indicates speed of communication, 10/100 or 100/1000 MBit.<br />
Normal state: static ON for high speed<br />
• MA: green LED indicates correct functionality of ICU as bus master. During system<br />
start up the LED is off.<br />
Normal state: static green<br />
• WDG: red LED indicates Watchdog error.<br />
Normal state: always off<br />
For details see technical description of the specific ICU model.<br />
<strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> - <strong>safety</strong> <strong>manual</strong> Rev00.00 23072009.doc page 19 of 45
3.6.3 Elements of DSPVCU cards<br />
Figure 11: front panel and elements of DSPVCU card<br />
The DSPVCU voltage control cards are independent control cards for monitoring the secondary<br />
voltages of the two redundant power supplies and generating a malfunction signal in<br />
case of over-voltage or under-voltage detection. They use a simple ejection lever, without<br />
micro switch or mechanical release. The card is not connected to the data bus.<br />
Red LEDs show failures in voltage monitoring of any of the required voltages, indicating<br />
either “Lower Limit” or “Upper Limit” failure. Normal state for all LEDs is off.<br />
The green LED is a combined “Power Good” signal, continuously on during normal operation.<br />
See technical description for further details.<br />
3.6.4 Elements of cooling fan<br />
Figure 12: front panel and elements of cooling fan<br />
LEDs in the front panel show the operating mode. Normal state is green LED on and red<br />
(alarm) LED off. A fan malfunction, e.g. mechanical jamming, activates the red “alarm”<br />
LED. Pressing the reset button after correcting the problem acknowledges the fan alarm and<br />
turns the LED off.<br />
The central area indicates the system architecture, here “<strong>GA</strong> DualCore-S”.<br />
Loosening of two retaining screws in the front panel allows removal and replacement of the<br />
cooling fan during normal operation.<br />
Fan malfunction has no direct impact on the <strong>safety</strong> system. It may lead to over-temperature of<br />
the complete system or individual components.<br />
<strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> - <strong>safety</strong> <strong>manual</strong> Rev00.00 23072009.doc page 20 of 45
3.6.5 Elements of the <strong>safety</strong> relay <strong>GA</strong> SR-01-42-24-00<br />
Figure 13: <strong>GA</strong> SR-01-42-24-00 relay voter, 1oo2<br />
The <strong>GA</strong> SR-01-42-24-00 <strong>safety</strong> relay module is designed for safe shut-down of control circuits.<br />
It is based on two different <strong>safety</strong> relays, by different manufacturers for diversity. Each<br />
relay switches four closing contacts for field signals in an internal 1-out-of-2 selection and<br />
additional opening contacts for messaging and diagnostics. All contacts are forcibly guided.<br />
Each closing contact circuit is protected by a build-in fuse, to prevent welding due to overcurrent.<br />
The fuses are accessible at the front, for easy replacement.<br />
Two LEDs, K1 and K2, at the front plate show the individual state of both <strong>safety</strong> relays.<br />
3.6.6 Elements of DFAB-1oo2D external hardware voter<br />
Figure 14: DFAB-1oo2D majority voter<br />
The duplex field assembly board DFAB-1oo2D uses three LEDs to indicate the state of the<br />
redundant external power supplies. Two fuses at the upper left corner must be in the “pushed<br />
in” position. The LED below each fuse shows the state of that supply voltage. The central<br />
LED, between connector plugs and relays, shows that at least one supply voltage is available<br />
and the board is working.<br />
Four relays per signal create the 1oo2D field signals. Usually all relays are in the same position<br />
(ON/OFF). The two “worker” relays from system A and B and the “diagnostic” relays<br />
should always have the same position. In case of a detected failure the “diagnostic” relay is<br />
used to de-couple systems A and B. During self-tests (walking change) one system is de-<br />
<strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> - <strong>safety</strong> <strong>manual</strong> Rev00.00 23072009.doc page 21 of 45
coupled and tested (position changed to the opposite state), while the remaining system holds<br />
the field signal.<br />
The DFAB is designed with forcibly guided <strong>safety</strong> relays, using the “de-energize to trip”<br />
principle.<br />
3.6.7 Elements of TFAB DIGIO 2oo3<br />
Figure 15: TFAB DIGIO 2oo3 majority voter<br />
The field assembly board TFAB DIGIO 2oo3 uses no direct display elements. Two fuses at<br />
the upper left corner must be in the “pushed in” position.<br />
Three relays for each digital output signal show the output state for each unit A, B or C. Usually<br />
they will show identical position (open/close). During self-tests (walking zero) one relay<br />
will temporarily switch to the other state while the other two relays of the group keep the<br />
correct position.<br />
The TFAB is designed with forcibly guided <strong>safety</strong> relays, using the “de-energize to trip” principle.<br />
3.7 Safety time and reaction time<br />
3.7.1 System reaction time<br />
System reaction time is the interval between occurrence of an external demand and the PES<br />
system’s response. It includes the time between occurrence and detection, time for internal<br />
calculations, setting of hardware output signals and relay switching times.<br />
The time for internal calculations, the program cycle time, depends on complexity of all control<br />
functions handled by one MCDOT-S or MCADA-S processor card. For details on program<br />
cycle time see <strong>GA</strong> safeEdit user <strong>manual</strong>.<br />
Usually the doubled program cycle time plus 15 msec for relay switching may be used as<br />
system reaction time.<br />
Exceptions from this time may occur when:<br />
• <strong>safety</strong> functions are distributed over multiple MCDOT-S or MCADA-S output cards<br />
• communication between <strong>GA</strong> <strong>safety</strong> racks is used for the <strong>safety</strong> function<br />
• frequency signals at low frequency: see MCAD-S technical description<br />
<strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> - <strong>safety</strong> <strong>manual</strong> Rev00.00 23072009.doc page 22 of 45
3.7.2 Diagnostic test interval<br />
In addition to <strong>safety</strong> functions the PES system also continually performs diagnostic functions<br />
to detect erroneous system performance. Diagnostic test interval defines the time between<br />
repetitions of diagnostic tests.<br />
The diagnostic test interval must be chosen to achieve a probability of random hardware failure<br />
below or equal to the target failure measure defined in <strong>safety</strong> integrity specifications.<br />
All systems based on <strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> components use a consistent hardware fault tolerance<br />
of at least HFT = 1, so the diagnostic test interval doesn’t significantly affect the system<br />
reaction time. It is specified in system firmware and can not be modified by the user.<br />
3.7.3 Process <strong>safety</strong> time<br />
The process <strong>safety</strong> time is the interval between occurrence of a disorder (at machine or process,<br />
equipment under control, EUC) and reaching of a critical state. The <strong>safety</strong> system must<br />
be able to bring the process to a safe state in this time interval. Process <strong>safety</strong> time considers<br />
the complete <strong>safety</strong> loop: from sensor and transmitter, over PES system, to actuator.<br />
The PES system reaction time may be used as basis for calculating process <strong>safety</strong> time compliance.<br />
The diagnostic test interval is doesn’t significantly affect the calculation, see above.<br />
3.7.4 Proof test interval<br />
The proof test is used at specified intervals to completely check the PES system and bring it<br />
back to “like new” <strong>safety</strong> integrity. Special attention is given to failures not detectable by<br />
internal diagnostic tests.<br />
As minimum all <strong>safety</strong> functions handled by the PES system must be checked according to<br />
specification.<br />
The default time interval between proof tests is 10 years.<br />
Shortening the test interval will improve the probability of system failure. Typical intervals<br />
are 5 years or 3 years. The proof test interval may also be extended, up to 20 years.<br />
When frequency signals are used for <strong>safety</strong> functions, the calibration of frequency inputs<br />
must be considered to determine the proof test interval, see MCAD-S technical description.<br />
<strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> - <strong>safety</strong> <strong>manual</strong> Rev00.00 23072009.doc page 23 of 45
4 PES system engineering<br />
Planning, design and realization of the PES system are implemented according to box 9<br />
“<strong>safety</strong>-related systems: E/E/PES” in Figure 2: overall <strong>safety</strong> lifecycle on page 10.<br />
Figure 3: hardware and Figure 4: software show detailed phases for engineering and specify<br />
required activities and procedures.<br />
4.1 Hardware Engineering<br />
4.1.1 Specification of <strong>safety</strong> requirements<br />
A detailed list with all <strong>safety</strong> requirements for the project is compiled. This is the basis for all<br />
decisions on hardware and software design of the PES system.<br />
4.1.2 Hardware design and validation planning<br />
Hardware design takes the list of requirements and decides on the necessary hardware to<br />
handle these requirements. The number and type of PES systems, including system architecture<br />
and number of i/o cards, is defined. In parallel to planning the hardware the required<br />
methods for hardware validation are defined.<br />
Specific procedures and measures during hardware design are:<br />
• For each specified <strong>safety</strong> function the PES-internal <strong>safety</strong> loop (input signals, control<br />
and output signals) is designed. All input signals should be accessed by cards in<br />
the same system, all outputs should be handled on the same output card MCDOT-S<br />
or MCADA-S.<br />
Segmentation of <strong>safety</strong> loops to multiple PES systems is admissible, but should be<br />
avoided when possible. Affected loops require special attention in validation planning,<br />
specifically considering system reaction time.<br />
• Every output card may process multiple <strong>safety</strong> functions. Usually a uniform distribution<br />
of <strong>safety</strong> functions over processor cards is recommended to achieve similar<br />
system reaction times.<br />
• Interdependencies of input signals used in multiple <strong>safety</strong> functions must be specified<br />
and documented. They require special attention during validation.<br />
• Distribution of i/o signals to PES systems and their respective i/o cards must be<br />
documented and considered for validation.<br />
• Distribution of <strong>safety</strong> functions to PES systems and <strong>MCU</strong>-S i/o processor cards<br />
must be documented and considered for validation and software engineering.<br />
4.1.3 System integration<br />
System integration designs the integration of the PES systems in the project’s <strong>safety</strong> concept.<br />
The following measures need to be considered:<br />
• Integration of PES systems in the control panel, including external hardware.<br />
• Integration of multiple PES systems, with special attention on communication.<br />
• Integration of PES systems in the overall concept, including engineering station and<br />
visualization (DCS)<br />
• Network layout for engineering and visualization, including redundancy and address<br />
configuration.<br />
<strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> - <strong>safety</strong> <strong>manual</strong> Rev00.00 23072009.doc page 24 of 45
4.1.4 Hardware engineering, check list<br />
No. Description Check<br />
1 Correct system architecture selected to meet requirements regarding process<br />
<strong>safety</strong> and process availability?<br />
2 Number of i/o cards according to <strong>safety</strong> functions, including spare signals?<br />
3 Slot position of i/o cards according to system design specification?<br />
4 Analog frequency inputs with correct cut-off frequency?<br />
5 Appropriate distribution of <strong>safety</strong> functions over MCDOT-S and<br />
MCADA-S i/o processor cards with regard to output signals?<br />
6 correct external voter hardware for <strong>safety</strong> and availability requirements?<br />
7 <strong>safety</strong>-relevant communication between PES systems: acceptable system<br />
reaction time?<br />
8 Connecting cables: correct cable type and length?<br />
9 appropriate communication extensions (ICU model 1 card) for process<br />
requirements and available space in system rack?<br />
10 Network layout: distance, cable length, cable type (copper, optical),<br />
switches, routers, redundancy, addressing<br />
Table 1: check list hardware engineering<br />
See also <strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> checklists for additional information.<br />
4.2 Software engineering<br />
4.2.1 Specification of <strong>safety</strong> requirements<br />
The list of <strong>safety</strong> requirements according to chapter Specification of <strong>safety</strong> requirements on<br />
page 24 is extended with signal information on i/o signals. For each digital signal the contact<br />
mode (normally open, normally closed) if specified, for analog signals the physical range is<br />
defined.<br />
For each <strong>safety</strong> function the required <strong>safety</strong> time is specified.<br />
For each <strong>safety</strong> function the working principle is defined.<br />
4.2.2 Software design and validation planning<br />
The distribution of <strong>safety</strong> functions to PES hardware components is implemented as application<br />
software, considering software <strong>safety</strong> specifications. For each <strong>safety</strong> function the PESinternal<br />
<strong>safety</strong> loop of input signal, application program and output signal is considered.<br />
<strong>GA</strong> safeEdit is used as programming tool, see <strong>GA</strong> safeEdit user <strong>manual</strong>.<br />
Software design considers the following measures:<br />
• Application programming for specific <strong>safety</strong> functions on MCDOT-S or MCADA-S<br />
cards according to hardware design specifications.<br />
• Error response for signal failure specified for every input signal in every <strong>safety</strong><br />
function: Mid-of-3, 1oo2, available/error, (see <strong>GA</strong> safeEdit user <strong>manual</strong>). Documentation<br />
and validation planning for each signal.<br />
• Analysis of switch-over between operating modes in <strong>safety</strong> functions. Validation<br />
planning for all operating modes with special attention on the moment of switchover.<br />
<strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> - <strong>safety</strong> <strong>manual</strong> Rev00.00 23072009.doc page 25 of 45
• Interdependencies between <strong>safety</strong> functions (one input signal or calculated internal<br />
state used in multiple <strong>safety</strong> functions) must be clearly defined, documented and<br />
considered in validation.<br />
• Definition of calculated thresholds for analog inputs, physically and scaled to controller-internal<br />
range, with hysteresis. Documentation and validation planning.<br />
• Power-on behavior for <strong>safety</strong> functions, including validation.<br />
• Signal tracking for software functions with internal memory function (e.g. RS flip<br />
flop) , including validation.<br />
4.2.3 SIL3-approved function blocks<br />
Most <strong>GA</strong> safeEdit function blocks are approved for use in SIL3 <strong>safety</strong> functions. They may<br />
be used without restriction for application programming. The <strong>GA</strong> safeEdit user <strong>manual</strong> supplies<br />
the current list of approved function blocks.<br />
Function blocks not listed are not approved for <strong>safety</strong> functions. They may be used for functions<br />
that are not <strong>safety</strong> relevant, the use in <strong>safety</strong> functions is not allowed.<br />
4.2.4 Integration of PES hardware and software<br />
PES system integration gives special attention to dependencies between hardware and software.<br />
An important factor is also the integration into the overall system concept, including<br />
PES diagnostics in regular process visualization (DCS).<br />
Integration considers the following measures:<br />
• Coordinating of hardware and software configuration (slot configuration, network,<br />
i/o access).<br />
• Activation of signal diagnostics (cable failure, short cut) for used signals, deactivation<br />
for spare signals, correct software configuration for the implemented hardware<br />
architecture (DualCore-S, DUPLEX-S, TMR-S).<br />
• Estimation of system reaction time of all MCDOT-S and MCADA-S output processor<br />
cards, and comparing with required system reaction time. Consider adequate reserve<br />
for software changes during commissioning.<br />
• Memory utilization of MCDOT-S and MCADA-S processor cards acceptable, including<br />
adequate reserve for software changes during commissioning.<br />
• All relevant diagnostic information of PES systems should be displayed on regular<br />
process visualization, to inform about critical states or system degradation and allow<br />
sufficient time for corrective maintenance.<br />
4.2.5 Software validation<br />
Software validation uses the programming tool <strong>GA</strong> safeEdit and the following methods:<br />
• Syntax check and parameter check, offline. On engineering station or PC.<br />
• Offline simulation on engineering station or PC, without PES hardware.<br />
• Online debug on PES hardware, with forced i/o signals, no field signals<br />
or<br />
Online debug on PES hardware, with field signals simulated by test equipment<br />
(usually during panel acceptance test)<br />
• During commissioning full software test, online debug and functional, with full<br />
field wiring. First with stopped machine, finally with the machine running.<br />
<strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> - <strong>safety</strong> <strong>manual</strong> Rev00.00 23072009.doc page 26 of 45
4.2.6 Software engineering, check list<br />
No. Description Check<br />
1 Hardware and software configuration corresponding<br />
2 Network configuration correct in hardware and software<br />
3 System reaction time of each MCDOT-S and MCADA-S card acceptable<br />
as compared to required <strong>safety</strong> times<br />
4 Memory utilization of MCDOT-S and MCADA-S cards acceptable, with<br />
enough free memory for modifications during commissioning<br />
5 Signal error detection cable failure/short cut active for used signals, inactive<br />
for spare signals<br />
6 Access to all necessary diagnostic information specified and/or programmed<br />
for process visualization (DCS)<br />
7 System configuration according to project requirements<br />
(time-outs, time settings, internal communication, ...)<br />
Table 2: check list software engineering, system integration<br />
No. Description Check<br />
1 Signal states and ranges for each signal programmed according to specification?<br />
2 Signal behavior (Mo3, 1oo2, ...) for each signal in every <strong>safety</strong> function<br />
defined according to specification?<br />
3 Analog thresholds programmed according to specification, including scaling<br />
and hysteresis?<br />
4 Interdependencies between <strong>safety</strong> functions according to specification?<br />
5 Power-on behavior of <strong>safety</strong> functions according to specification?<br />
6 Signal tracking for software functions with internal memory (RSF, ...)<br />
implemented according to specification?<br />
7 Only SIL3-approved function blocks used in programming of <strong>safety</strong> functions?<br />
Table 3: check list software engineering, programming<br />
No. Description Check<br />
1 Syntax check and parameter check: no errors, no warnings?<br />
2 Simulation offline on PC: functionality as specified?<br />
3 Online debug on PES system, without field signals, forced signals in<br />
maintenance mode: functionality as specified?<br />
4 Online debug on PES system, with simulated field signals (test equipment,<br />
panel acceptance test), in running mode: functionality as specified?<br />
Table 4: check list software engineering, validation<br />
See also <strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> checklists for additional information.<br />
<strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> - <strong>safety</strong> <strong>manual</strong> Rev00.00 23072009.doc page 27 of 45
5 Assembly and installation<br />
5.1 Qualified personnel<br />
All persons involved in assembly and installation must be qualified according to their duties.<br />
They must be familiar with relevant technical <strong>manual</strong>s and system hardware, and be appropriately<br />
trained in <strong>safety</strong> procedures.<br />
Qualification includes:<br />
• training and experience in handling of electrical equipment according to approved<br />
codes of practice<br />
• experience in installation of <strong>GA</strong> <strong>safety</strong> components<br />
• training in i/o signal diagnostics with programming tool <strong>GA</strong> safeEdit may be required<br />
• instruction in project specific <strong>safety</strong> concept<br />
• training in use of appropriate <strong>safety</strong> equipment<br />
• training in first aid<br />
Warning 3<br />
Mistakes during assembly and installation may impair the performance of <strong>safety</strong><br />
functions and cause the loss of a required <strong>safety</strong> integrity level (SIL or PL). They<br />
may lead to severe damage to property or environment and death of personnel.<br />
5.2 Safety-relevant restrictions of use<br />
The systems must be used in normal environments only. They must be protected against<br />
acidic environments, especially H2S components.<br />
5.3 Mounting and connecting<br />
For details on mounting and electrical connecting see technical descriptions of relevant components<br />
and installation <strong>manual</strong>s for the specific type of system.<br />
Generally the following items apply:<br />
• mounting must be stable, no mechanical vibrations<br />
all screws fixed tightly<br />
• to allow adequate cooling all components must be mounted in correct position,<br />
keeping sufficient distance from other components.<br />
• Signal lines must be kept separately from power lines. All lines require tidy wiring<br />
and appropriate labeling.<br />
If required, signal lines must be protected against over voltage and over current.<br />
• Power supply must be in acceptable range.<br />
• Component mounting must be EMC compatible. For racks this includes correct<br />
connection to protective ground.<br />
• Most components include devices sensitive to electro-static discharge. Discharges<br />
by touching components must be avoided by using appropriate measures (touching<br />
of or connection to electrically grounded metal parts, ...).<br />
Protective measures are always required when changing components.<br />
<strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> - <strong>safety</strong> <strong>manual</strong> Rev00.00 23072009.doc page 28 of 45
5.4 Assembly and installation, check list<br />
No. Description Check<br />
1 Optical check: no damage, proper mounting, proper and tidy wiring, component<br />
labeling present and correct<br />
2 Mechanical check: screws tightened, components fixed in position, no<br />
vibration<br />
3 wiring: plugs connected and fixed, correct grounding, separation of signal<br />
and power wiring<br />
4 Power-on test: all LEDs show normal state<br />
Table 5: check list assembly and installation<br />
See also <strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> checklists for additional information.<br />
<strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> - <strong>safety</strong> <strong>manual</strong> Rev00.00 23072009.doc page 29 of 45
6 Forcing i/o signals<br />
6.1 Procedure<br />
With forcing all input and output signals of a PES system may be set to any specific value,<br />
independent of field inputs or PES control outputs. This will override <strong>safety</strong> functions, restricting<br />
or disabling them, so forcing may be used only during commissioning and maintenance,<br />
under specified operating conditions.<br />
The <strong>GA</strong> safeEdit user <strong>manual</strong> explains procedures for forcing all types of i/o signals.<br />
The following items must be considered concerning forcing:<br />
• Impact analysis: the impact on PES system and process must be analyzed and<br />
clearly understood before forcing. Required operating conditions on PES system,<br />
machine and process must be defined and established.<br />
• Forcing is allowed only to qualified personnel, during commissioning or maintenance.<br />
In normal operation forced signals are not allowed, because related <strong>safety</strong> functions<br />
are restricted or disabled.<br />
• The procedure to achieve desired forced states must be clearly understood: is there<br />
any specific order required in forcing several signals? The system architecture (redundancy)<br />
must be considered in procedures.<br />
• The procedure for releasing the forced mode must be clearly understood.<br />
• Additional external <strong>safety</strong> measures may be required to compensate for disabled<br />
<strong>safety</strong> functions (e.g. restricted access to areas).<br />
• Emergency procedures must be defined and prepared to handle potential problems<br />
due to disabled <strong>safety</strong> functions.<br />
6.2 Forcing i/o signals, check list<br />
Nr. description Check<br />
1 Are impacts on system and process analyzed and clearly understood?<br />
2 Are system and process requirements (e.g. operating conditions) established?<br />
3 Is the procedure for forcing the desired state clearly understood, including<br />
the system architecture and type of redundancy of affected i/o signals?<br />
4 Is the procedure for releasing force-mode and return to normal operation<br />
clearly understood?<br />
5 Are required external <strong>safety</strong>/protective measures prepared?<br />
6 Are sufficient emergency measures prepared?<br />
Table 6: check list forcing i/o signals<br />
See also <strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> checklists for additional information.<br />
Warning 4<br />
Forcing of i/o signals will override the working of <strong>safety</strong> functions, endangering<br />
personnel, environment and property. Appropriate measures to achieve the required<br />
<strong>safety</strong> by other means need to be implemented!<br />
<strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> - <strong>safety</strong> <strong>manual</strong> Rev00.00 23072009.doc page 30 of 45
7 Commissioning<br />
7.1 Qualified personnel<br />
All persons involved in commissioning must be qualified according to their duties. They<br />
must be familiar with relevant technical <strong>manual</strong>s, system hardware and software, and be appropriately<br />
trained in <strong>safety</strong> procedures.<br />
Qualification includes:<br />
• training and experience in handling of electrical equipment according to approved<br />
codes of practice<br />
• software training for the programming tool <strong>GA</strong> safeEdit for commissioning of SIL3<br />
<strong>safety</strong> systems<br />
• instruction in project specific <strong>safety</strong> concept<br />
• instruction in project specific application software<br />
• experience in integration of control systems with control panel<br />
• instruction in machinery and processes to be controlled<br />
• training in use of appropriate <strong>safety</strong> equipment<br />
• training in first aid<br />
7.2 Commissioning procedures<br />
Commissioning uses the programming tool <strong>GA</strong> safeEdit for programming, system configuration<br />
and diagnostic of hardware and software. A visualization on a DCS may be running in<br />
parallel via communication, for process states and diagnostics. This communication must also<br />
be checked and, when required, be modified during commissioning.<br />
During commissioning the PES system will mostly run in maintenance mode. The commissioning<br />
technician needs hardware keys and appropriate passwords to enter maintenance<br />
mode. The system must be protected against unauthorized access.<br />
Activities and procedures during commissioning:<br />
• During commissioning the <strong>safety</strong> functions are not yet working or work only partially.<br />
Appropriate <strong>safety</strong> and emergency measures must be provided.<br />
• At the first use of PES hardware electrical connections of all components must be<br />
checked.<br />
• Check software system configuration: in accordance with documentation<br />
• Check network communication: all systems connected and responding<br />
• Loop check: all i/o signals in <strong>GA</strong> safeEdit diagnostic display and in visualization.<br />
Check full range, including cable failure and short cut. Error diagnostics must be<br />
correct in engineering station and DCS.<br />
• Functional check of <strong>safety</strong> functions, machine stopped<br />
• Functional check of <strong>safety</strong> functions, machine running<br />
• Data back-up and documentation of all changes<br />
• Enter normal, safe operating mode. Check: running mode active, key for mode<br />
switch removed, no signals forced, password protection<br />
<strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> - <strong>safety</strong> <strong>manual</strong> Rev00.00 23072009.doc page 31 of 45
Warning 5<br />
During commissioning <strong>safety</strong> functions are not or only partially available, endangering<br />
personnel, environment and property. Appropriate measures to achieve the<br />
required <strong>safety</strong> by other means need to be observed!<br />
7.3 Application software modification<br />
7.3.1 Program modifications<br />
Any modifications in existing and approved application software require an impact analysis:<br />
• Print current program version, create software back-up.<br />
• Plan modifications and create new program with <strong>GA</strong> safeEdit.<br />
• Print and save new program.<br />
• Check for interconnections between modified <strong>safety</strong> functions and other functions,<br />
using graphical program editor.<br />
• Analyze modified functions, including interconnected old functions, regarding:<br />
only the desired effects on modified functions, no side-effects in modified or old<br />
functions.<br />
When modifications affect switches between operating modes the time of switching<br />
requires special attention.<br />
• Test the new version, at first with simulation, than with stopped machine.<br />
• Check system reaction time of new software.<br />
• All changes must be documented and backed-up.<br />
7.3.2 Parameter modification<br />
Any modifications require an impact analysis:<br />
• Create software backup.<br />
• Plan modifications.<br />
• Check for interconnection of modified parameters in other functions, using graphical<br />
program editor.<br />
• Analyze affected <strong>safety</strong> functions, including interconnected functions:<br />
only desired effects, no side-effects?<br />
• When changing range or scaling of i/o signals the communication to visualization<br />
system may be affected.<br />
• Test the new version.<br />
• All changes must be documented and backed-up.<br />
7.3.3 Online modification<br />
Warning 6<br />
Whenever possible changes should be done with the machine stopped. During<br />
modification the system’s <strong>safety</strong> integrity is partially compromised. Incorrect<br />
changes or procedures may compromise <strong>safety</strong> functions.<br />
Modifications with the machine running are possible but need special attention:<br />
• Impact analysis just like analysis for normal changes.<br />
• Additional impact analysis for power-on behavior.<br />
<strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> - <strong>safety</strong> <strong>manual</strong> Rev00.00 23072009.doc page 32 of 45
• Additional impact analysis of different signal states on the separate units in a redundant<br />
system, during re-programming and start-up.<br />
• All units must be programmed separately. After each unit is programmed the correct<br />
state of all i/o signals and internal states must be checked. Balancing of states by<br />
forcing of i/o signals may be required.<br />
• During the time of modification appropriate <strong>safety</strong> measures must be used, see also<br />
chapter Forcing i/o signals on page 30.<br />
• During modification the <strong>safety</strong> functions are compromised. Appropriate emergency<br />
measures must be prepared.<br />
7.4 Commissioning, check list<br />
No. Description Check<br />
1 Is the project’s <strong>safety</strong> concept clearly understood?<br />
2 Required key switches and passwords available?<br />
3 System hardware configuration correct?<br />
4 Communication check with all systems successful?<br />
5 Loop check for all i/o signals: range and diagnostics correct?<br />
6 Appropriate <strong>safety</strong> measures and emergency measures prepared?<br />
7 Check of <strong>safety</strong> functions: machine stopped, machine running.<br />
7a When required: program modification, see additional check list below.<br />
8 Check system reaction time, for each i/o card. Compare with process<br />
<strong>safety</strong> time.<br />
9 Set safe operating state: system locked, no i/o forcing active.<br />
Key handed over to:<br />
10 Data back-up of complete software and system configuration.<br />
date:<br />
copy handed over to:<br />
Table 7: check list commissioning<br />
No. Description Check<br />
1 Back-up old version.<br />
2 Modification with machine stopped or running?<br />
3 Planning of modifications and impact analysis, with consideration of the<br />
list of SIL3-approved function blocks.<br />
4 Appropriate <strong>safety</strong> measures and emergency measures prepared?<br />
5 Implementation and test of new software<br />
6 Check system reaction time, for each affected i/o card. Compare with<br />
process <strong>safety</strong> time.<br />
7 Documentation of successful changes.<br />
8 Back-up new version.<br />
Table 8: check list commissioning, program modification<br />
See also <strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> checklists for additional information.<br />
<strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> - <strong>safety</strong> <strong>manual</strong> Rev00.00 23072009.doc page 33 of 45
8 Maintenance<br />
8.1 Qualified personnel<br />
All persons involved in maintenance must be qualified according to their duties. They must<br />
be familiar with relevant technical <strong>manual</strong>s, system hardware and software, and be appropriately<br />
trained in <strong>safety</strong> procedures.<br />
Qualification includes:<br />
• training and experience in handling of electrical equipment according to approved<br />
codes of practice<br />
• software training for the programming tool <strong>GA</strong> safeEdit for maintenance and diagnostics<br />
• instruction in project specific <strong>safety</strong> concept<br />
• training in use of appropriate <strong>safety</strong> equipment<br />
• training in first aid<br />
8.2 Maintenance procedures<br />
Regular maintenance is planned in detail as component of the <strong>safety</strong> concept. The planned<br />
tasks are performed in specified service intervals, including:<br />
• Proof-Test interval<br />
• checking and changing air filters<br />
• checking for fouling or contamination<br />
• control of system diagnostics like: diagnostic visualization in DCS, alarms, LED<br />
display on hardware components, extended diagnostic information on engineering<br />
station using <strong>GA</strong> safeEdit<br />
Unscheduled maintenance becomes necessary when regular maintenance shows irregularities.<br />
It is generically considered in the <strong>safety</strong> concept and includes the activities:<br />
• identification and repair of i/o signal failures<br />
• identification and repair/exchange of PES system components (i/o cards, fan, power<br />
supply, ...)<br />
• identification and repair of network communication failures<br />
Unscheduled maintenance requires:<br />
• Unequivocal identification of error messages and cause for error: i.e. high system<br />
temperature may have several causes: fouled air filter, cooling fan failure, control<br />
panel air conditioning failure.<br />
• Cross-check of detected error or message with all available tools: DCS visualization,<br />
hardware check (optical, LEDs, ...), extended diagnostics on engineering station.<br />
• Impact analysis of error/failure consequences on <strong>safety</strong> and availability.<br />
• Planning of maintenance tasks, procedures and responsible personnel.<br />
• Planning of appropriate <strong>safety</strong> and emergency measures.<br />
Warning 7<br />
Unqualified maintenance may cause the loss of a required <strong>safety</strong> integrity level<br />
(SIL, PL) and may compromise the performance of <strong>safety</strong> functions, leading to severe<br />
damage to property or environment and death of personnel.<br />
<strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> - <strong>safety</strong> <strong>manual</strong> Rev00.00 23072009.doc page 34 of 45
8.3 Exchange of components<br />
Exchange of components is possible during normal operation. Details are specified in technical<br />
descriptions of the components and systems.<br />
Exchange of programmable system components, MCxxx-S cards and ICU cards requires special<br />
attention:<br />
• Exchange of MCxxx-S or ICU cards requires use of engineering station with <strong>GA</strong><br />
safeEdit.<br />
• The PES system is switched to maintenance mode.<br />
• Password protection of <strong>GA</strong> safeEdit requires use of valid password.<br />
• Error and cause of error is identified, analyzed and documented.<br />
• The failed card is removed, see relevant technical documentation.<br />
• Hardware settings (jumper, switches) of spare card are compared and adjusted with<br />
failed card, see relevant technical descriptions.<br />
• Spare card is inserted into the system rack.<br />
• Configuration of spare card is checked and modified as required. Correct detection<br />
and configuration is displayed in <strong>GA</strong> safeEdit.<br />
• Replacing i/o cards:<br />
o The application program is checked. Usually the current program must be<br />
downloaded to the spare card.<br />
o signal cable from field assembly module to connector is plugged in and fixed.<br />
o Correct state of i/o signals and internally calculated states is compared with<br />
redundant cards of other DUPLEX-S unit.<br />
• The complete system is checked, running with the new card.<br />
• The system is returned to “Running” operation mode.<br />
The relevant technical description of each card shows details on card exchange and configuration.<br />
Additional information on configuration and programming is available in <strong>GA</strong> safeEdit<br />
user <strong>manual</strong>.<br />
8.4 Maintenance, check list<br />
Checks for regular maintenance, including proof-test intervals, use project specific check<br />
lists.<br />
No. Description Check<br />
1 Unequivocal identification of problem: corresponding diagnostics in visualization,<br />
engineering station and LEDs on card?<br />
2 Process for exchanging cards clearly understood?<br />
3 Appropriate <strong>safety</strong> and emergency measures prepared?<br />
4 New card configured and correctly detected by the system?<br />
5 Correct application program on new card?<br />
6 External signals and internal card states agree with cards on redundant<br />
units?<br />
7 All i/o signals working?<br />
8 System returned to safe operating state after finishing maintenance work?<br />
Table 9: check list maintenance, exchanging cards<br />
See also <strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> checklists for additional information.<br />
<strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> - <strong>safety</strong> <strong>manual</strong> Rev00.00 23072009.doc page 35 of 45
9 Access authorization<br />
9.1 User login<br />
Figure 16: user login<br />
Before using <strong>GA</strong> safeEdit to access <strong>GA</strong> <strong>safety</strong> systems a user authorization is required. In<br />
“Account login” select a user name from the list of authorized users. Enter the corresponding<br />
password below.<br />
The list always has at least the user “Admin”, other user names depend on system configuration.<br />
The user may work within the scope of his access permissions. Modification of user authorization<br />
and permissions is available for “Admin” only. Users with highest priority may fully<br />
access diagnostics, configuration and programming of i/o processor cards and ICU communication<br />
processor.<br />
Access beyond diagnostics, affecting the PES system, additionally requires activation of<br />
“Maintenance” mode with the hardware key switch. “Running” mode allows only diagnostics.<br />
User configuration and access rights are explained in <strong>GA</strong> safeEdit user <strong>manual</strong>.<br />
9.2 Key switch for operating mode<br />
Figure 17: key switch Running/Maintenance<br />
The hardware key switch selects between “Running” and “Maintenance” operating mode, i.e.<br />
normal <strong>safety</strong> operating mode and unsafe maintenance mode.<br />
Warning 8<br />
Maintenance mode allows hardware access that may compromise <strong>safety</strong> functions,<br />
including forcing of i/o signals, programming of control processors and system configuration.<br />
When using appropriate <strong>safety</strong> and emergency measures, maintenance<br />
mode may be allowed with the machine/process running. Ordinary, day-to-day operation of<br />
the machine is not allowed in maintenance mode.<br />
<strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> - <strong>safety</strong> <strong>manual</strong> Rev00.00 23072009.doc page 36 of 45
Running mode is the safe operating mode.<br />
After successful commissioning or maintenance all forced i/o signals have to be released,<br />
than the key switch is turned to “Running” position and the key removed. This mode protects<br />
the PES system from external interference by the engineering station. Diagnostics on engineering<br />
station and communication to DCS remain available.<br />
Warning 9<br />
Signals forced to specific states in maintenance mode, analog or digital, remain at<br />
the forced state when the system changes to running mode. A warning message informs<br />
of this unsafe condition.<br />
Affected <strong>safety</strong> functions will be compromised, endangering personnel, environment and<br />
property.<br />
Appropriate measures to achieve the required <strong>safety</strong> by other means need to be implemented!<br />
<strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> - <strong>safety</strong> <strong>manual</strong> Rev00.00 23072009.doc page 37 of 45
10 Diagnostic information<br />
10.1 Diagnostic data<br />
Self test statistics<br />
Authorized users can access self test statistics, stored on each MCxxx-S card. The information<br />
is stored in card-internal flash memory. Access via <strong>GA</strong> safeEdit, see <strong>GA</strong> safeEdit user<br />
<strong>manual</strong>.<br />
Log-book of system messages<br />
The engineering station logs all system messages (information, warnings, errors). All messages<br />
are displayed on screen and written to a log-book file. Each message includes time<br />
stamp and informational text. See chapter Analyzing error messages on page 39.<br />
Additionally all messages of the DUPLEX units A and B are stored in flash memory on their<br />
respective ICU card and can be accessed from the engineering station.<br />
Visualization system<br />
Via communication extensive diagnostic information on all i/o signals is accessible for the<br />
DCS: cable failure, short cut, signal forced, forced-state for digital signals.<br />
Life-bit diagnostic may be programmed for each i/o card to continually check communication<br />
and functionality.<br />
System temperatures and voltages of ICU communication controllers are also accessible.<br />
Storage or logging of this data is available according to capabilities of the visualization system.<br />
10.2 Process data<br />
All process data is continually available to the DCS system, using communication via ICU<br />
communication controller. Display and logging of data is available according to capabilities<br />
of that system.<br />
Online data may also be accessed from the engineering station, using the graphical trend analyzer<br />
in <strong>GA</strong> safeEdit, see <strong>GA</strong> safeEdit user <strong>manual</strong>.<br />
Real-time data logging of all i/o signals, including time synchronization between several controllers,<br />
is optionally available on the ICU controllers.<br />
<strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> - <strong>safety</strong> <strong>manual</strong> Rev00.00 23072009.doc page 38 of 45
10.3 Analyzing error messages<br />
The programming tool <strong>GA</strong> safeEdit shows extensive diagnostic information. If unusual system<br />
behavior occurs appropriate diagnostic messages are displayed and logged to file.<br />
The example shows a typical error message:<br />
Fr, 16 Sep 2005 15:57:52 : <strong>MCU</strong>-S 192.168.100.183 (1): (1,13,0) Card<br />
Timeout (ID:116): unit:0, slot:6, timestamp:0xe377, time:0xe44f<br />
The first part shows date and time information about the error:<br />
Friday, 16 th September 2005 at 15:57 and 52 seconds.<br />
The next part is the type of processor sending the message, followed by the TCP/IP address<br />
of the ICU sending this error, and the network number in redundant network:<br />
<strong>MCU</strong>-S, an i/o card with <strong>MCU</strong> processors on address 192.168.100.183 in network number<br />
(1). DUPLEX-S systems may use two redundant networks (1) and (2), TMR-S systems may<br />
use three separate networks.<br />
The next part is the card position in the system, identified by unit number (0 = unit A, 1 =<br />
unit B), card slot number (1 ... 16) and processor number (0 = <strong>MCU</strong>-A, 1 = <strong>MCU</strong>-B):<br />
(1,13,0) identifies a card in unit B, slot 13, processor <strong>MCU</strong>-A<br />
The next part is the actual error message, followed by an identification number. The number<br />
is used as reference to detailed error information in technical description of the respective<br />
card, explaining causes and procedures for responding to the error:<br />
Card Timeout is the actual error, (ID:116) the ID in technical description. To get detailed<br />
information on error 116 check the card type in slot 13 (MCDIN-S, MCAD-S,<br />
MCADA-S or MCDOT-S) and read the technical description for this card type.<br />
The last part is internal time information. Internal time stamps use a system-relative time<br />
count in milliseconds. Timestamp specifies the internal time when the error occurred, time is<br />
the current time when the error was reported. Time stamps are used to analyze a sequence of<br />
events if multiple errors occur.<br />
<strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> - <strong>safety</strong> <strong>manual</strong> Rev00.00 23072009.doc page 39 of 45
11 Common technical data<br />
power supply<br />
nominal operating voltage 100 ... 240 VAC, 50 ... 60 Hz<br />
maximum operating voltage 85 ... 264 VAC, 47 ... 63 Hz<br />
max. power DUPLEX/7-S 450 W<br />
max. power DUPLEX SMART-S 300 W<br />
digital inputs, MCDIN-S<br />
type 0, NAMUR input<br />
input current according to NAMUR<br />
“high level” current > 2,1 mA<br />
“low level” current < 1,2 mA<br />
type 1: 24 V active or passive input<br />
input voltage 24 V<br />
high level voltage, default > 15 V, IEC61131-2<br />
low level voltage, default < 5 V, IEC61131-2<br />
type 2: 24 V passive input<br />
input voltage 24 V<br />
high level voltage, default > 11 V, IEC61131-2<br />
low level voltage, default < 5 V, IEC61131-2<br />
analog inputs, MCAD-S<br />
input current 0 ... 25mA<br />
frequency input 1 Hz ... 20 kHz<br />
analog inputs and outputs, MCADA-S<br />
input current 0 ... 25mA<br />
output current 0 ... 25mA<br />
digital outputs, MCDOT-S / DFAB<br />
output voltage 24 VDC, 230 VAC<br />
output current, per channel (max.) 0 ... 6A<br />
environmental conditions<br />
storage temperature -25°C ... +70 °C<br />
operating temperature +0°C ... +55°C<br />
relative humidity 10% ... 90%, non condensing<br />
protection class IEC 525 IP 20<br />
operating altitude max. 2000m<br />
pollution degree 2<br />
power supply IEC 536 <strong>safety</strong> class 1, with PE<br />
field connections <strong>safety</strong> class III<br />
dimensions<br />
DualCore-S/DUPLEX SMART-S/TMR SMART-S<br />
(4HE / 84TE)<br />
DUPLEX/7-S (7HE / 84 TE)<br />
TMR/10-S (10 HE / 84 TE)<br />
For more details see technical description of components.<br />
483 x 191 x 391 mm [W x H x D]<br />
483 x 324 x 391 mm [W x H x D]<br />
483 x 458 x 391 mm [W x H x D]<br />
<strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> - <strong>safety</strong> <strong>manual</strong> Rev00.00 23072009.doc page 40 of 45
12 Safety specific data<br />
12.1 Symbols and abbreviations<br />
Symbol Description<br />
β weighting factor for dangerous undetected common cause failures<br />
βD weighting factor for dangerous detected common cause failures<br />
λ failure rate (per hour) of one channel in one sub-system<br />
λD dangerous failure rate (per hour) of one channel in one sub-system (D = dangerous)<br />
λDD detected dangerous failure rate (per hour) (DD = dangerous, detected)<br />
λDU undetected dangerous failure rate (per hour) (DU = dangerous, undetected)<br />
λS safe failure rate (per hour) of one channel in one sub-system (S = safe)<br />
proof test interval (in hours)<br />
T1<br />
MTTR Mean Time To Repair (in hours)<br />
MTTFd Mean Time To Failure, dangerous, in years. The value applies to dangerous<br />
failures of one channel, not the redundant system<br />
DC diagnostic coverage<br />
SFF safe failure fraction<br />
PFDavg average probability of failure on demand, in low demand mode<br />
PFHG average probability of failure per hour in system with majority voter, in high<br />
demand mode<br />
tCE average channel-related failure time (in hours)<br />
average system-related failure time (in hours)<br />
tGE<br />
<strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> - <strong>safety</strong> <strong>manual</strong> Rev00.00 23072009.doc page 41 of 45
12.2 Characteristic <strong>safety</strong> values<br />
The characteristic <strong>safety</strong> values for a complete <strong>safety</strong> loop are calculated as summation of the<br />
probability of failure for every component, modified according to system architecture.<br />
The probability of failure of all components used for handling one <strong>safety</strong> function are added<br />
into the total probability for this specific <strong>safety</strong> function. This calculation has to be done for<br />
each <strong>safety</strong> function separately.<br />
The part of the logic solver is determined by adding failure probabilities for each component<br />
from the tables below. They already account for the system architecture, so the values of single<br />
components may simply be added to get the total value for the logic solver.<br />
12.2.1 <strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong>: Probability of Failure data<br />
externally redundant<br />
cards<br />
PFDavg<br />
T1 = 1y<br />
PFDavg<br />
T1 = 5y<br />
PFDavg<br />
T1 = 10y<br />
PFDavg<br />
T1 = 20y<br />
PFHG I/O<br />
MCAD-S 4.85E-07 2.43E-06 4.85E-06 9.70E-06 5.04E-09 24 AI<br />
MCDIN-S 3.50E-07 1.75E-06 3.50E-06 7.00E-06 3.80E-09 24 DI<br />
MCDOT-S 3.65E-07 1.83E-06 3.65E-06 7.30E-06 3.94E-09 8-10 DO<br />
MCADA-S 2.86E-07 1.43E-06 2.86E-06 5.72E-06 2.60E-09 8 AI, 8 AO<br />
MCADA-S IN 9.94E-08 4.97E-07 9.94E-07 1.99E-06 8.99E-10 8 AI<br />
MCADA-S OUT 2.32E-07 1.16E-06 2.32E-06 4.64E-06 2.10E-09 8 AO<br />
Table 10: Probability of failure, externally redundant i/o cards<br />
internally redundant<br />
cards<br />
PFDavg<br />
T1 = 1y<br />
PFDavg<br />
T1 = 5y<br />
PFDavg<br />
T1 = 10y<br />
PFDavg<br />
T1 = 20y<br />
PFHG I/O<br />
MCAD-S 6.41E-07 3.21E-06 6.41E-06 1.28E-05 6.61E-09 12 AI<br />
MCDIN-S 4.64E-07 2.32E-06 4.64E-06 9.27E-06 5.01E-09 12 DI<br />
MCDOT-S 4.83E-07 2.41E-06 4.83E-06 9.66E-06 5.18E-09 8 DO<br />
MCADA-S 3.80E-07 1.90E-06 3.80E-06 7.60E-06 3.43E-09 4 AI, 4 AO<br />
MCADA-S IN 1.98E-07 9.92E-07 1.98E-06 3.97E-06 1.79E-09 4 AI<br />
MCADA-S OUT 4.62E-07 2.31E-06 4.62E-06 9.25E-06 4.18E-09 4 AO<br />
Table 11: Probability of failure, internally redundant i/o cards<br />
external hard- PFDavg PFDavg PFDavg PFDavg PFHG I/O<br />
ware voter T1 = 1y T1 = 5y T1 = 10y T1 = 20y<br />
SR-01-42-24-00 5.59E-07 2.80E-06 5.59E-06 1.12E-05 5.05E-09 1 DO<br />
DFAB-1oo2D 1.73E-07 8.65E-07 1.73E-06 3.46E-06 1.17E-09 8 DO<br />
TFAB-2oo3 2.70E-07 1.35E-06 2.70E-06 5.40E-06 2.16E-09 10 DO<br />
Table 12: Probability of failure, external hardware voter<br />
All tables are based on a mean time to repair of MTTR = 24 hours.<br />
The safe failure fraction for a complete system is SFF > 99.8 %.<br />
The diagnostic coverage is DC > 99%.<br />
All components except hardware voters are complex type B components with HFT = 1.<br />
Hardware voters are type A components, also with HFT = 1.<br />
Cards in <strong>GA</strong> DualCore-S systems can be configured with card-internal redundancy. This affects<br />
the handling of i/o signals and results in a higher probability of failure for those cards,<br />
as shown in Table 11. When the cards are configured for external redundancy – using two or<br />
three separate cards to achieve hardware fault tolerance – Table 10 is used for the PFD and<br />
PFH calculation.<br />
<strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> - <strong>safety</strong> <strong>manual</strong> Rev00.00 23072009.doc page 42 of 45
I/O cards of type MCADA-S support analog input and output signals. If both signal types are<br />
used in the <strong>safety</strong> function, the values are selected from row “MCADA-S”. If only one type is<br />
used, the values are selected from row “MCADA-S IN” for analog input or “MCADA-S<br />
OUT” for analog output.<br />
The number of available digital output signals on MCDOT-S cards depends on the system<br />
architecture:<br />
• <strong>GA</strong> DualCore-S, card internal redundancy: 8 digital outputs, on SR-01 relay, 1oo2<br />
• <strong>GA</strong> DUPLEX-S, full redundancy: 8 digital outputs, on DFAB-1oo2D voter<br />
• <strong>GA</strong> TMR-S, full redundancy: 10 digital outputs, on TFAB-2oo3 voter<br />
See technical <strong>manual</strong>s for each card about additional information on the number of available<br />
i/o signals.<br />
12.2.2 SIL example <strong>GA</strong> DUPLEX-S<br />
Figure 18: Reliability block diagram, 1-out-of-2D example<br />
Figure 18 shows an example for a <strong>GA</strong> DUPLEX-S system. One set of redundant MCDIN-S<br />
input cards reads up to 24 digital input states. One set of MCDOT-S output cards sets up to 8<br />
digital outputs. One external voter DFAB-1oo2D combines those 8 redundant output signals<br />
into 8 field outputs. To calculate the probability of failure for a <strong>safety</strong> function that uses not<br />
more than these i/o signals, the probability of failure values from Table 10 are used:<br />
PFDavg, total = PFDavg, MCDIN-S + PFDavg, MCDOT-S + PFDavg, DFAB-1oo2D<br />
PFDavg, total = 8.88E-06, for T1 = 10 years<br />
PFHG, total = PFHG, MCDIN-S + PFHG, MCDOT-S + PFHG, DFAB-1oo2D<br />
PFHG, total = 8.91E-09<br />
PFDavg is proportional to the proof test interval T1, so the PFDavg value must be taken from<br />
the respective column.<br />
The logic solver according to the example above is suitable for use in SIL3 <strong>safety</strong> functions.<br />
The probability of failure in low demand mode – PFDavg, total = 8.88E-06 for T1 = 10 years – is<br />
below the limit for SIL3. The probability in high demand mode – PFHG, total = 8.91E-09 – also<br />
is below the SIL3 limit.<br />
With hardware fault tolerance HFT = 1 and safe failure fraction SFF > 99.8% architectural<br />
constraints according to IEC 61508-2, table 2 and table 3, also allow SIL3.<br />
Note: The suitability of the complete <strong>safety</strong> function for the required SIL must be checked,<br />
since the logic solver is only a part of the complete <strong>safety</strong> loop!<br />
<strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> - <strong>safety</strong> <strong>manual</strong> Rev00.00 23072009.doc page 43 of 45
12.2.3 SIL example <strong>GA</strong> DualCore-S<br />
A <strong>safety</strong> function requires one (redundant) analog input, one (redundant) digital input, two<br />
independent digital output signals and shall meet SIL3 requirements.<br />
A <strong>GA</strong> DualCore-S system with internal card redundancy is chosen as logic solver.<br />
Figure 19: Reliability block diagram, <strong>GA</strong> DualCore-S<br />
Figure 19 shows the reliability block diagram for the chosen logic solver. The input cards<br />
each can handle up to 12 analog (MCAD-S) or digital (MCDIN-S) input signals. The output<br />
card (MCDOT-S) can set up to 8 independent, redundant digital outputs. The hardware voter<br />
SR-01-42-24-00 combines two redundant output signals into one independent field signal, so<br />
two voters are required.<br />
The <strong>safety</strong> calculation according to Table 11 and Table 12 shows:<br />
PFDavg, total = PFDavg, MCAD-S + PFDavg, MCDIN-S + PFDavg, MCDOT-S + 2 * PFDavg, SR-01<br />
PFDavg, total = 2.71E-05, for T1 = 10 years<br />
PFHG, total = PFHG, MCAD-S + PFHG, MCDIN-S + PFHG, MCDOT-S + 2 * PFHG, SR-01<br />
PFHG, total = 2.69E-08<br />
The probability of failure in low demand mode – PFDavg, total = 2.71E-05 for T1 = 10 years – is<br />
below the limit for SIL3.<br />
The probability in high demand mode – PFHG, total = 2.69E-08 – also is below the SIL3 limit,<br />
but it is higher than the 15% fraction of SIL3 that is the recommended limit for the logic<br />
solver.<br />
The logic solver may be suitable for use in SIL3 <strong>safety</strong> functions.<br />
With hardware fault tolerance HFT = 1 and safe failure fraction SFF > 99.8% architectural<br />
constraints according to IEC 61508-2, table 2 and table 3, also allow SIL3.<br />
Note: The suitability of the complete <strong>safety</strong> function for the required SIL must be checked,<br />
since the logic solver is only a part of the complete <strong>safety</strong> loop!<br />
<strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> - <strong>safety</strong> <strong>manual</strong> Rev00.00 23072009.doc page 44 of 45
13 Index<br />
calculations<br />
failure rate .......................................... 41<br />
MTTR................................................. 41<br />
cards<br />
DSPVCU ............................................ 20<br />
i/o................................ 18, 24, 25, 34, 35<br />
ICU............................. 19, 35, 36, 38, 39<br />
MCADA-S ................................... 14, 39<br />
MCAD-S ...................................... 39, 40<br />
MCDIN-S........................................... 39<br />
MCDOT-S 22, 24, 25, 26, 27, 33, 39, 40<br />
MCxxx-S .................... 16, 18, 19, 35, 38<br />
certificate.................................................. 7<br />
common cause........................................ 41<br />
communication15, 22, 24, 25, 27, 31, 32,<br />
33, 34, 36, 37, 38<br />
DCS .............. 15, 24, 26, 27, 31, 34, 37, 38<br />
diagnostic test......................................... 23<br />
Engineering<br />
Hardware ...................................... 24, 25<br />
software .................................. 24, 25, 27<br />
station ....... 15, 24, 26, 31, 34, 35, 37, 38<br />
<strong>GA</strong> DualCore-S...................................... 15<br />
<strong>GA</strong> DUPLEX-S.............. 15, 20, 22, 28, 36<br />
<strong>GA</strong> safeEdit15, 25, 26, 28, 31, 32, 34, 35,<br />
36, 38, 39<br />
<strong>GA</strong> TMR-S............................................. 15<br />
IEC 61508 .......................................... 7, 10<br />
key switch ............................ 15, 33, 36, 37<br />
lifecycle............................................ 10, 11<br />
maintenance8, 10, 15, 26, 27, 30, 31, 34,<br />
35, 36, 37<br />
PES system10, 11, 15, 22, 23, 24, 25, 26,<br />
27, 30, 31, 34, 35, 36, 37<br />
process data ............................................ 38<br />
program cycle time................................. 22<br />
proof test .......................................... 23, 41<br />
running ..................... 15, 27, 31, 35, 36, 37<br />
Selbsttest ................................................ 21<br />
self test ................................................... 38<br />
SIL3-approved functions............ 26, 27, 33<br />
system reaction time22, 23, 24, 25, 26, 27,<br />
32, 33<br />
time synchronisation .............................. 38<br />
trend analyzer......................................... 38<br />
visualisation system ................... 15, 32, 38<br />
<strong>GA</strong> <strong>MCU</strong> <strong>SafetyCore</strong> - <strong>safety</strong> <strong>manual</strong> Rev00.00 23072009.doc page 45 of 45