turbolog DSP TMR-S safety manual - Tuv-fs.com
turbolog DSP TMR-S safety manual - Tuv-fs.com turbolog DSP TMR-S safety manual - Tuv-fs.com
turbolog DSP control system TMR/10-S TMR SMART-S safety systems Safety Manual
- Page 2 and 3: Title turbolog DSP TMR-S safety man
- Page 4 and 5: 8 MAINTENANCE .....................
- Page 6 and 7: 1 Introduction 1.1 Contact informat
- Page 8 and 9: 1.3 General statements All technica
- Page 10 and 11: 2 Safety lifecycle For systematic a
- Page 12 and 13: 3 Product overview 3.1 Complete sys
- Page 14 and 15: into 1-out-of-2 software signals. T
- Page 16 and 17: 3.5.2 Elements of ICU cards The mec
- Page 18 and 19: case of over-voltage or under-volta
- Page 20 and 21: 3.6.4 Proof test interval The proof
- Page 22 and 23: 4.1.4 Hardware engineering, check l
- Page 24 and 25: 4.2.5 Software engineering, check l
- Page 26 and 27: 5.4 Assembly and installation, chec
- Page 28 and 29: 7 Commissioning 7.1 Qualified perso
- Page 30 and 31: 7.4 Commissioning, check list No. D
- Page 32 and 33: Exchange of programmable system com
- Page 34 and 35: After successful commissioning or m
- Page 36 and 37: 11 Common technical data power supp
- Page 38 and 39: 12.2 Example A typical, triple redu
- Page 40: 13 Index BITs......................
<strong>turbolog</strong> <strong>DSP</strong> control system<br />
<strong>TMR</strong>/10-S<br />
<strong>TMR</strong> SMART-S<br />
<strong>safety</strong> systems<br />
Safety Manual
Title <strong>turbolog</strong> <strong>DSP</strong> <strong>TMR</strong>-S <strong>safety</strong> <strong>manual</strong><br />
File info 261E <strong>TMR</strong>-S <strong>safety</strong> <strong>manual</strong> Rev01.03 11102005.doc<br />
Document<br />
number<br />
Revision index Description<br />
G0.HA.0003.021.00.088.01.03.E.E.O<br />
document history<br />
Author<br />
Review<br />
Release<br />
00.00 nur Konzept und Gliederung, mit Kommentaren A= SS<br />
00.01 Entwurf weitgehend fertig, einige Kapitel noch offen.<br />
Details zu klären, externe Dokument-Referenzen noch<br />
offen.<br />
Date<br />
info 261E <strong>TMR</strong>-S <strong>safety</strong> <strong>manual</strong> Rev01.03 11102005.doc page 2 of 40<br />
R =<br />
Re =<br />
A= SS<br />
R =<br />
Re =<br />
00.02 Erweitert und Verbesserungsvorschläge eingearbeitet A= SS<br />
00.03 Translated to english, old parts modified, new parts<br />
added<br />
R =<br />
Re =<br />
A= SS<br />
R =<br />
Re =<br />
01.02 update to official version of german document A= SS<br />
01.03 names modified, reference to “revision release list”,<br />
operating voltage modified, diagnostic test interval<br />
modified<br />
R =<br />
Re =<br />
A= SS<br />
Involved at GEBHARDT Automation GmbH: Ulrich Gebhardt (UG), Wolfgang Paulicks (WP),<br />
Markus König (MK), Stephan Schild (SS), Dr. Peter Dellwig (PD)<br />
R =<br />
Re =<br />
08.09.2005<br />
16.09.2005<br />
19.09.2005<br />
29.09.2005<br />
10.10.2005<br />
11.10.2005
Contents<br />
1 INTRODUCTION ...................................................................................................................................... 6<br />
1.1 CONTACT INFORMATION...................................................................................................................... 6<br />
1.2 DOCUMENT SCOPE, APPLIED STANDARDS ............................................................................................ 7<br />
1.3 GENERAL STATEMENTS........................................................................................................................ 8<br />
1.4 DOCUMENT MAP .................................................................................................................................. 9<br />
2 SAFETY LIFECYCLE ............................................................................................................................ 10<br />
3 PRODUCT OVERVIEW......................................................................................................................... 12<br />
3.1 COMPLETE SYSTEM............................................................................................................................ 12<br />
3.2 FUNCTIONAL PRINCIPLE..................................................................................................................... 13<br />
3.3 HARDWARE COMPONENTS ................................................................................................................. 14<br />
3.4 ERROR RESPONSE............................................................................................................................... 14<br />
3.5 FUNCTIONAL AND DISPLAY ELEMENTS OF HARDWARE COMPONENTS ................................................ 15<br />
3.5.1 Elements of MCxxx-S cards.......................................................................................................... 15<br />
3.5.2 Elements of ICU cards ................................................................................................................. 16<br />
3.5.3 Elements of FPR cards................................................................................................................. 17<br />
3.5.4 Elements of <strong>DSP</strong>VCU cards......................................................................................................... 17<br />
3.5.5 Elements of cooling fan................................................................................................................ 18<br />
3.5.6 Elements of TFAB DIGIO 2oo3 ................................................................................................... 18<br />
3.6 SAFETY TIME AND REACTION TIME .................................................................................................... 19<br />
3.6.1 System reaction time .................................................................................................................... 19<br />
3.6.2 Diagnostic test interval ................................................................................................................ 19<br />
3.6.3 Process <strong>safety</strong> time....................................................................................................................... 19<br />
3.6.4 Proof test interval......................................................................................................................... 20<br />
4 PES SYSTEM ENGINEERING.............................................................................................................. 21<br />
4.1 HARDWARE ENGINEERING................................................................................................................. 21<br />
4.1.1 Specification of <strong>safety</strong> requirements............................................................................................. 21<br />
4.1.2 Hardware design and validation planning................................................................................... 21<br />
4.1.3 System integration........................................................................................................................ 21<br />
4.1.4 Hardware engineering, check list ................................................................................................22<br />
4.2 SOFTWARE ENGINEERING .................................................................................................................. 22<br />
4.2.1 Specification of <strong>safety</strong> requirements............................................................................................. 22<br />
4.2.2 Software design and validation planning..................................................................................... 22<br />
4.2.3 Integration of PES hardware and software.................................................................................. 23<br />
4.2.4 Software validation ...................................................................................................................... 23<br />
4.2.5 Software engineering, check list................................................................................................... 24<br />
5 ASSEMBLY AND INSTALLATION..................................................................................................... 25<br />
5.1 QUALIFIED PERSONNEL...................................................................................................................... 25<br />
5.2 SAFETY-RELEVANT RESTRICTIONS OF USE ......................................................................................... 25<br />
5.3 MOUNTING AND CONNECTING ........................................................................................................... 25<br />
5.4 ASSEMBLY AND INSTALLATION, CHECK LIST ..................................................................................... 26<br />
6 FORCING I/O SIGNALS........................................................................................................................ 27<br />
6.1 PROCEDURE ....................................................................................................................................... 27<br />
6.2 FORCING I/O SIGNALS, CHECK LIST .................................................................................................... 27<br />
7 COMMISSIONING ................................................................................................................................. 28<br />
7.1 QUALIFIED PERSONNEL...................................................................................................................... 28<br />
7.2 COMMISSIONING PROCEDURES .......................................................................................................... 28<br />
7.3 APPLICATION SOFTWARE MODIFICATION........................................................................................... 29<br />
7.3.1 Program modifications................................................................................................................. 29<br />
7.3.2 Parameter modification................................................................................................................ 29<br />
7.3.3 Online modification...................................................................................................................... 29<br />
7.4 COMMISSIONING, CHECK LIST............................................................................................................ 30<br />
info 261E <strong>TMR</strong>-S <strong>safety</strong> <strong>manual</strong> Rev01.03 11102005.doc page 3 of 40
8 MAINTENANCE ..................................................................................................................................... 31<br />
8.1 QUALIFIED PERSONNEL...................................................................................................................... 31<br />
8.2 MAINTENANCE PROCEDURES............................................................................................................. 31<br />
8.3 EXCHANGE OF COMPONENTS ............................................................................................................. 31<br />
8.4 MAINTENANCE, CHECK LIST .............................................................................................................. 32<br />
9 ACCESS AUTHORISATION................................................................................................................. 33<br />
9.1 USER LOGIN....................................................................................................................................... 33<br />
9.2 KEY SWITCH FOR OPERATING MODE .................................................................................................. 33<br />
10 DIAGNOSTIC INFORMATION............................................................................................................ 34<br />
10.1 DIAGNOSTIC DATA............................................................................................................................. 34<br />
10.2 PROCESS DATA................................................................................................................................... 34<br />
10.3 ANALYSING ERROR MESSAGES .......................................................................................................... 35<br />
11 COMMON TECHNICAL DATA ...........................................................................................................36<br />
12 SAFETY SPECIFIC DATA .................................................................................................................... 37<br />
12.1 EQUATIONS FOR PROBABILITY OF FAILURE........................................................................................ 37<br />
12.2 EXAMPLE........................................................................................................................................... 38<br />
13 INDEX ....................................................................................................................................................... 40<br />
info 261E <strong>TMR</strong>-S <strong>safety</strong> <strong>manual</strong> Rev01.03 11102005.doc page 4 of 40
List of figures<br />
Figure 1: document map............................................................................................................ 9<br />
Figure 2: overall <strong>safety</strong> lifecycle............................................................................................. 10<br />
Figure 3: hardware <strong>safety</strong> lifecycle ......................................................................................... 11<br />
Figure 4: software <strong>safety</strong> lifecycle .......................................................................................... 11<br />
Figure 5: Example for network integration............................................................................. 12<br />
Figure 6: Functional principle of <strong>turbolog</strong> <strong>DSP</strong> <strong>TMR</strong>-S systems......................................... 13<br />
Figure 7: front panel and elements of MCxxx-S cards ........................................................... 15<br />
Figure 8: front panel and elements of ICU card...................................................................... 16<br />
Figure 9: front panel and elements of FPR card...................................................................... 17<br />
Figure 10: front panel and elements of <strong>DSP</strong>VCU card........................................................... 17<br />
Figure 11: front panel and elements of cooling fan ................................................................ 18<br />
Figure 12: TFAB DIGIO 2oo3 majority voter........................................................................ 18<br />
Figure 13: user login ............................................................................................................... 33<br />
Figure 14: key switch Running/Maintenance.......................................................................... 33<br />
Figure 15: Reliability diagram for 2-out-of-3 ......................................................................... 38<br />
List of tables<br />
Table 1: check list hardware engineering................................................................................ 22<br />
Table 2: check list software engineering, system integration ................................................. 24<br />
Table 3: check list software engineering, programming......................................................... 24<br />
Table 4: check list software engineering, validation............................................................... 24<br />
Table 5: check list assembly and installation.......................................................................... 26<br />
Table 6: check list forcing i/o signals...................................................................................... 27<br />
Table 7: check list <strong>com</strong>missioning.......................................................................................... 30<br />
Table 8: check list <strong>com</strong>missioning, program modification..................................................... 30<br />
Table 9: check list maintenance, exchanging cards ................................................................ 32<br />
Table 10: SIL rating for low and high demand modes............................................................ 39<br />
Table 11: Safety integrity of hardware subsystems, type B.................................................... 39<br />
info 261E <strong>TMR</strong>-S <strong>safety</strong> <strong>manual</strong> Rev01.03 11102005.doc page 5 of 40
1 Introduction<br />
1.1 Contact information<br />
GEBHARDT Automation GmbH<br />
Oelkinghauser Str. 12 a<br />
D- 58256 Ennepetal<br />
Germany<br />
Tel.: +49 2333 7908 - 0<br />
available during working hours, Mo to Fr, from 8 00 to 17 00 (5 pm)<br />
central european time (CET, GMT+1).<br />
FAX: +49 2333 7908 - 24<br />
Web: www.gebhardt-automation.de<br />
Support support@gebhardt-automation.de<br />
Information info@gebhardt-automation.de<br />
info 261E <strong>TMR</strong>-S <strong>safety</strong> <strong>manual</strong> Rev01.03 11102005.doc page 6 of 40
1.2 Document scope, applied standards<br />
This document applies to the following products:<br />
• <strong>turbolog</strong> <strong>DSP</strong> <strong>TMR</strong>/10-S<br />
• <strong>turbolog</strong> <strong>DSP</strong> <strong>TMR</strong> SMART-S<br />
hardware revision 00, date 01. Oct. 2005.<br />
The GEBHARDT Automation GmbH <strong>safety</strong> systems are TÜV certified for <strong>safety</strong> integrity<br />
level SIL 3 according to IEC 61508 standard and conform to :<br />
TÜV Rheinland Group<br />
TÜV Industrie Service GmbH<br />
Automation, Software und Informationstechnologie<br />
Am Grauen Stein<br />
D - 51105 Köln<br />
TÜV<br />
Rheinland<br />
Bauart geprüft Type approved<br />
info 261E <strong>TMR</strong>-S <strong>safety</strong> <strong>manual</strong> Rev01.03 11102005.doc page 7 of 40<br />
Funktionale<br />
Functional<br />
Certificate and test report No. 968/EZ 207.00/05<br />
Programmable electronic <strong>safety</strong> systems<br />
<strong>turbolog</strong> <strong>DSP</strong> <strong>TMR</strong>/10-S and <strong>turbolog</strong> <strong>DSP</strong> <strong>TMR</strong> SMART-S<br />
GEBHARDT Automation GmbH is entitled to use the above mark of conformity for „Functional<br />
Safety“ with its SIL3 certified <strong>safety</strong> systems.<br />
The systems are designed in accordance with following standards. All important, <strong>safety</strong> relevant<br />
features are tested according to:<br />
• IEC 61508 Part 1 – 7: 1998 + 1999<br />
Functional <strong>safety</strong> of programmable electronic systems<br />
• DIN EN 954-1: 03.97<br />
Sicherheit von Maschinen; Sicherheitsbezogene Teile von Steuerungen<br />
Teil 1: Allgemeine Gestaltungsleitsätze<br />
• DIN EN 60204 Teil 1: 11.98<br />
Sicherheit von Maschinen - Elektrische Ausrüstung von Maschinen<br />
Teil 1: Allgemeine Anforderungen<br />
• DIN EN 50178: 1998<br />
Ausrüstung von Starkstromanlagen mit elektronischen Betriebsmitteln<br />
• IEC 61131-2: 2003<br />
Programmable controllers<br />
Part 2: Equipment requirements and tests<br />
Freiwillige Prüfung nach vereinbarten Standards<br />
Sicherheit<br />
Safety
1.3 General statements<br />
All technical data and information in this document were <strong>com</strong>piled and controlled with utmost<br />
care. Nevertheless errors can not <strong>com</strong>pletely be excluded. GEBHARDT Automation<br />
GmbH assumes no liability for consequences due to incorrect information.<br />
Accurate implementation of all <strong>safety</strong> instructions by qualified personnel is required for safe<br />
installation, <strong>com</strong>missioning, operating and maintenance of <strong>turbolog</strong> <strong>DSP</strong> <strong>TMR</strong>-S <strong>safety</strong><br />
systems.<br />
Unqualified use or handling of the systems may impair the performance of <strong>safety</strong> functions<br />
and lead to severe damage to property, environment or personnel. GEBHARDT Automation<br />
shall have neither liability nor responsibility for improper use of equipment.<br />
The <strong>turbolog</strong> <strong>DSP</strong> <strong>TMR</strong>-S systems are designed, manufactured and tested according to applicable<br />
<strong>safety</strong> standards. They must be used only as specified in technical descriptions and<br />
be connected only to approved external devices.<br />
Modification is strictly prohibited. Use only approved replacement parts for repair and maintenance.<br />
It is strictly prohibited to reproduce the software for <strong>turbolog</strong> <strong>DSP</strong> <strong>TMR</strong>-S systems except<br />
for the purpose of backup.<br />
Any reverse engineering, such as reverse <strong>com</strong>pilation or dis-assembling of the software is<br />
strictly prohibited.<br />
The GEBHARDT Automation products mentioned in this document may be registered trademarks.<br />
All other <strong>com</strong>pany and product names mentioned in this document are trademarks or registered<br />
trademarks of their respective <strong>com</strong>panies.<br />
No part of this document may be reproduced or transferred without prior written consent<br />
from GEBHARDT Automation GmbH.<br />
GEBHARDT Automation GmbH reserves the right to make improvements at any time, without<br />
notice or obligation.<br />
All rights reserved.<br />
info 261E <strong>TMR</strong>-S <strong>safety</strong> <strong>manual</strong> Rev01.03 11102005.doc page 8 of 40
1.4 Document map<br />
<strong>turbolog</strong> <strong>DSP</strong><br />
MCAD-S mod 1<br />
technical<br />
description<br />
<strong>turbolog</strong> <strong>DSP</strong><br />
<strong>TMR</strong>-S racks<br />
technical<br />
description<br />
Flyer<br />
GA <strong>TMR</strong>-S<br />
systems<br />
<strong>turbolog</strong> <strong>DSP</strong><br />
<strong>TMR</strong>-S<br />
<strong>safety</strong> <strong>manual</strong><br />
<strong>turbolog</strong> <strong>DSP</strong><br />
GA safeEdit<br />
user <strong>manual</strong><br />
<strong>turbolog</strong> <strong>DSP</strong><br />
MCDIN-S mod 1<br />
technical<br />
description<br />
<strong>turbolog</strong> <strong>DSP</strong><br />
ICU mod 1<br />
technical<br />
description<br />
Flyer<br />
Safety &<br />
Availability<br />
central <strong>manual</strong>s<br />
<strong>turbolog</strong> <strong>DSP</strong><br />
<strong>TMR</strong>-S<br />
installation<br />
<strong>manual</strong><br />
software<br />
hardware<br />
information<br />
<strong>turbolog</strong> <strong>DSP</strong><br />
GA safeEdit<br />
online help<br />
<strong>turbolog</strong> <strong>DSP</strong><br />
MCDOT-S mod 1<br />
technical<br />
description<br />
<strong>turbolog</strong> <strong>DSP</strong><br />
FPR mod 1<br />
technical<br />
description<br />
Flyer<br />
i/o cards<br />
Figure 1: document map<br />
TÜV<br />
Revision<br />
Release List<br />
<strong>turbolog</strong> <strong>DSP</strong><br />
TFAB-DIGIO-2oo3<br />
technical<br />
description<br />
<strong>turbolog</strong> <strong>DSP</strong><br />
<strong>DSP</strong>VCU<br />
technical<br />
description<br />
Flyer<br />
Non-SIL3 systems<br />
Figure 1 shows documents relevant to <strong>turbolog</strong> <strong>DSP</strong> <strong>TMR</strong>-S <strong>safety</strong> systems. This <strong>manual</strong><br />
will reference to the appropriate documents as required.<br />
Informative documents show an overview of their respective topic but are not <strong>safety</strong> relevant.<br />
They are not referenced in this <strong>safety</strong> <strong>manual</strong>.<br />
info 261E <strong>TMR</strong>-S <strong>safety</strong> <strong>manual</strong> Rev01.03 11102005.doc page 9 of 40
2 Safety lifecycle<br />
For systematic assessment of <strong>safety</strong> the IEC 61508 standard considers the <strong>com</strong>plete lifecycle<br />
of a system: beginning at the planning stage, continuing with <strong>com</strong>missioning, distribution,<br />
maintenance and repair, up to de-<strong>com</strong>missioning. This overall <strong>safety</strong> lifecycle is separated<br />
into 16 phases, defining methods and activities to achieve the required <strong>safety</strong> integrity for<br />
each phase.<br />
Overall<br />
operation and<br />
maintenance<br />
planning<br />
Overall planning<br />
Overall<br />
<strong>safety</strong><br />
validation<br />
planning<br />
6 7 8<br />
Overall<br />
installation and<br />
<strong>com</strong>missioning<br />
planning<br />
1<br />
2<br />
3<br />
4<br />
5<br />
12<br />
13<br />
Concept<br />
Overall scope<br />
definition<br />
Hazard and risk<br />
analysis<br />
Overall <strong>safety</strong><br />
requirements<br />
Safety requirements<br />
allocation<br />
Overall installation<br />
and <strong>com</strong>missioning<br />
Overall <strong>safety</strong><br />
validation<br />
Overall operation,<br />
14 maintenance and repairr<br />
16<br />
9<br />
Safety-related<br />
Systems:<br />
E/E/PES<br />
Realisation<br />
(see E/E/PES<br />
<strong>safety</strong><br />
lifecycle)<br />
De<strong>com</strong>missioning<br />
or disposal<br />
Safety-related<br />
systems:<br />
other technology<br />
Overall modification<br />
and retrofit<br />
info 261E <strong>TMR</strong>-S <strong>safety</strong> <strong>manual</strong> Rev01.03 11102005.doc page 10 of 40<br />
10<br />
Figure 2: overall <strong>safety</strong> lifecycle<br />
15<br />
Realisation<br />
11<br />
External risk<br />
reduction<br />
facilities<br />
Realisation<br />
This document concentrates on phase 9 of the overall <strong>safety</strong> lifecycle, the <strong>safety</strong>-related<br />
E/E/PES system. Specific lifecycles for hardware and software <strong>safety</strong> design define more<br />
detailed phases.<br />
Phases 10 (other technology, i.e. mechanical emergency shut down) and 11 (external facilities,<br />
i.e. escape routes or protective barriers) are not relevant for the scope of this document.
9.2<br />
E/E/PES <strong>safety</strong><br />
validation planning<br />
9.1<br />
9.1.1<br />
Safety functions<br />
requirements<br />
specification<br />
9.3<br />
9.4<br />
9.6<br />
E/E/PES <strong>safety</strong> requirements<br />
specification<br />
info 261E <strong>TMR</strong>-S <strong>safety</strong> <strong>manual</strong> Rev01.03 11102005.doc page 11 of 40<br />
9.1.2<br />
E/E/PES design<br />
and development<br />
E/E/PES integration<br />
E/E/PES<br />
<strong>safety</strong> validation<br />
Safety integrity<br />
requirements<br />
specification<br />
to box 12 in<br />
overall <strong>safety</strong> lifecycle<br />
9.5<br />
Figure 3: hardware <strong>safety</strong> lifecycle<br />
E/E/PES operation and<br />
maintenance<br />
procedures<br />
to box 14 in<br />
overall <strong>safety</strong> lifecycle<br />
The hardware <strong>safety</strong> lifecycle must be considered during planning and design of the E/E/PES<br />
system. This document defines activities and procedures for each phase.<br />
9.2<br />
Software <strong>safety</strong><br />
validation planning<br />
9.1<br />
9.1.1<br />
Safety functions<br />
requirements<br />
specification<br />
9.3<br />
9.4<br />
9.6<br />
Software <strong>safety</strong><br />
requirements specification<br />
9.1.2<br />
Software design<br />
and development<br />
PE integration<br />
(hardware/software)<br />
Software <strong>safety</strong><br />
validation<br />
Safety integrity<br />
requirements<br />
specification<br />
to box 12 in<br />
overall <strong>safety</strong> lifecycle<br />
9.5<br />
Figure 4: software <strong>safety</strong> lifecycle<br />
Software operation and<br />
modification procedures<br />
to box 14 in<br />
overall <strong>safety</strong> lifecycle<br />
The software <strong>safety</strong> lifecycle must be considered during planning and design of software for<br />
the E/E/PES system. This document defines activities and procedures for each phase.
3 Product overview<br />
3.1 Complete system<br />
Figure 5: Example for network integration<br />
A <strong>safety</strong> project usually consists of at least one PES system <strong>turbolog</strong> <strong>DSP</strong> <strong>TMR</strong>-S, one engineering<br />
station and one visualisation system (DCS, distributed control system). The PES<br />
system autonomously handles all <strong>safety</strong> functions. During normal operation, “running mode”,<br />
no other system (other PES, Engineering, DCS) can influence the PES. Only while switched<br />
to “maintenance mode” with a hardware key switch an authorized user can influence or modify<br />
the PES system.<br />
Safety relevant <strong>com</strong>munication between <strong>turbolog</strong> <strong>DSP</strong> <strong>TMR</strong>-S systems is currently available<br />
only via hardwired i/o signals.<br />
Engineering station is a PC, running Windows (2000 or XP) and the integrated development<br />
tool GA safeEdit. After activating maintenance mode this system may be used for <strong>com</strong>missioning<br />
and maintenance of <strong>turbolog</strong> <strong>DSP</strong> <strong>TMR</strong>-S systems. In normal operation (running<br />
mode) the engineering station is not required, but may be used by authorized users for extended<br />
system diagnostics.<br />
Optionally engineering may share a PC with DCS. Both programs may be run in parallel on<br />
one <strong>com</strong>puter.<br />
The visualisation system (DCS) accesses i/o data and system information via read access using<br />
open <strong>com</strong>munication protocols. There is no write access to the PES system. In addition to<br />
process values the DCS <strong>com</strong>munication also allows access to diagnostic information, for<br />
visualisation, data logging and trending.<br />
Figure 5 shows two variants for a project consisting of one engineering station, one DCS and<br />
two PES systems:<br />
The left figure shows redundant networks. Communication for engineering and process visualisation<br />
is <strong>com</strong>pletely redundant, each <strong>TMR</strong> unit uses a separate, redundant network. In case<br />
of network failure this guarantees undisturbed <strong>com</strong>munication to the remaining <strong>com</strong>ponents.<br />
Engineering station and DCS must support three independent network cards.<br />
The right figure shows a simple, non-redundant, network. The redundant <strong>TMR</strong> units all use<br />
the same network. In case of network failure the <strong>com</strong>plete <strong>com</strong>munication may be lost.<br />
Safety functions and <strong>safety</strong> integrity are not influenced by network failures.<br />
info 261E <strong>TMR</strong>-S <strong>safety</strong> <strong>manual</strong> Rev01.03 11102005.doc page 12 of 40
Networks according to Figure 5 may be extended with further systems of all types (PES,<br />
DCS, Engineering). The same network may also include other, not <strong>safety</strong> related systems.<br />
3.2 Functional principle<br />
unit A<br />
sensors<br />
unit B<br />
sensors<br />
unit C<br />
sensors<br />
input cards<br />
MCAD-S or MCDIN-S<br />
MCU-A<br />
digital inputs<br />
analog inputs<br />
MCU-B<br />
digital inputs<br />
analog inputs<br />
MCU-A<br />
digital inputs<br />
analog inputs<br />
MCU-B<br />
digital inputs<br />
analog inputs<br />
MCU-A<br />
digital inputs<br />
analog inputs<br />
MCU-B<br />
digital inputs<br />
analog inputs<br />
data, status<br />
data, status<br />
data, status<br />
data, status<br />
data, status<br />
data, status<br />
software<br />
Mo3<br />
software<br />
Mo3<br />
software<br />
Mo3<br />
software<br />
Mo3<br />
software<br />
Mo3<br />
software<br />
Mo3<br />
output cards<br />
MCDOT-S<br />
MCU-A<br />
redundant<br />
control program<br />
MCU-B<br />
redundant<br />
control program<br />
MCU-A<br />
redundant<br />
control program<br />
MCU-B<br />
redundant<br />
control program<br />
MCU-A<br />
redundant<br />
control program<br />
MCU-B<br />
redundant<br />
control program<br />
info 261E <strong>TMR</strong>-S <strong>safety</strong> <strong>manual</strong> Rev01.03 11102005.doc page 13 of 40<br />
software<br />
1oo2<br />
software<br />
1oo2<br />
software<br />
1oo2<br />
status<br />
data<br />
status<br />
status<br />
data<br />
status<br />
status<br />
data<br />
status<br />
Figure 6: Functional principle of <strong>turbolog</strong> <strong>DSP</strong> <strong>TMR</strong>-S systems<br />
2-out-of-3<br />
majority voting, external relay hardware<br />
outputs<br />
Figure 6 shows the functional principle of <strong>turbolog</strong> <strong>DSP</strong> <strong>TMR</strong>-S systems. Input cards<br />
(MCDIN-S for digital inputs, MCAD-S for analog inputs) read field signals. Each card uses<br />
two redundant processors, MCU-A (micro controller unit A) and MCU-B, both having access<br />
to all signals. Using the internal data bus, ICU (industrial controller unit) <strong>com</strong>munication<br />
cards and FPR (four ported RAM) memory cards the field signals are transmitted to output<br />
cards. For signal preprocessing the field signals may be exchanged between the input cards.<br />
Output cards MCDOT-S have access to all signals generated by input cards, field signals and<br />
preprocessed signals. Via software-configurable Mo3 selection (Mid of three) the triple redundant<br />
field signals may be <strong>com</strong>bined into unified signals according to <strong>safety</strong> requirements,<br />
either by majority voting (digital signals) or by analog evaluation. These unified, <strong>com</strong>mon<br />
signals are used on all three redundant output cards. The output cards execute the actual control<br />
program. Two MCUs on every card execute the application software, working redundantly<br />
to determine the output signals to hardware. Their internal output states are <strong>com</strong>bined
into 1-out-of-2 software signals. These signals are used for the external voter with 2-out-of-3<br />
hardwired relay logic. The hardware voter creates the actual field output signal. Outputs to<br />
the voter and relay states are read back as analog signals, allowing extensive signal diagnostics.<br />
A secondary independent shut-down path can always set the outputs to the safe poweroff<br />
state, even at “stuck at one” error.<br />
3.3 Hardware <strong>com</strong>ponents<br />
Only hardware <strong>com</strong>ponents registered in the revision-list of tested and certified <strong>com</strong>ponents<br />
shall be used in <strong>turbolog</strong> <strong>DSP</strong> <strong>TMR</strong>-S systems.<br />
See Revision Release List.<br />
3.4 Error response<br />
Multiple build in test functions (BITs) running on the MCU processors on all MCxxx-S cards<br />
allow very high diagnostic coverage. This includes once-only tests during power-on, cyclic<br />
tests and dynamic tests. Cyclic BITs are repeated at fixed time intervals, dynamic tests depend<br />
on received data from other cards.<br />
Detected errors are displayed using the front side diagnostic LEDs on every MCxxx-S card.<br />
See technical description for the specific cards. Detected errors will also lead to appropriate<br />
error response of the i/o card, probably requiring user intervention.<br />
info 261E <strong>TMR</strong>-S <strong>safety</strong> <strong>manual</strong> Rev01.03 11102005.doc page 14 of 40
3.5 Functional and display elements of hardware <strong>com</strong>ponents<br />
3.5.1 Elements of MCxxx-S cards<br />
All i/o cards use identical functional elements and display LEDs at the front panel. Figure 7<br />
shows diagnostic LEDs and ejection lever.<br />
Figure 7: front panel and elements of MCxxx-S cards<br />
A special module rail in the rack (see bottom right), <strong>com</strong>bined with the guiding pin in the<br />
card’s front panel (see center right) creates galvanic connection and dissipates static charge<br />
before the card electrically connects to the system.<br />
After loosening the neck screws at top and bottom of the front panel the card can be removed<br />
from the system. By pressing the red release button on the ejection lever the integrated micro<br />
switch turns of the card’s power supply and mechanically releases the lever (see center right)<br />
for pushing downwards. This will mechanically extract the card from the rack and internal<br />
data bus, using a clamp and groove mechanism in lever and system rack. This mechanism<br />
prevents accidental removing of cards while the lever is not released.<br />
Replacement cards are inserted using the lever mechanism with clamp and groove. With the<br />
lever pushed down card insertion will be stopped when the clamp hits the groove rail. By<br />
pushing the lever upwards it will mechanically pull the card into the system and data bus. The<br />
card will be turned off while being inserted. Only after mechanically connecting to the data<br />
bus the micro switch will activate the card and lock it into position. This reduces signal interference<br />
on the data bus while inserting or removing cards to non-critical limits.<br />
4 yellow LEDs (see top right) for each MCU processor display the current operating mode<br />
and error state.<br />
See technical description of the respective card for further information.<br />
info 261E <strong>TMR</strong>-S <strong>safety</strong> <strong>manual</strong> Rev01.03 11102005.doc page 15 of 40
3.5.2 Elements of ICU cards<br />
The mechanical parts with ejection lever, module rail and guiding pin are identical to<br />
MCxxx-S cards. See Figure 7 and description.<br />
Figure 8: front panel and elements of ICU card<br />
The front plate uses LEDs to display status information:<br />
• Ethernet Link/Act: yellow LED shows physical connection and network activity.<br />
Normal state: flashing yellow<br />
• Ethernet 100: green LED shows fast Ethernet, with 100 MBit, LED off indicates<br />
slow, 10 MBit connection.<br />
Normal state: static green<br />
• T/R1 and T/R2: yellow LED indicates activity on serial port COM1 and COM2,<br />
Transmit/Receive 1 and 2<br />
COM1 is used as programming interface only, LED always off<br />
COM2 may be used for MODBUS RTU <strong>com</strong>munication, LED off or flashing<br />
• ARC: yellow LED indicates Arcnet network activity. Arcnet is not used for <strong>TMR</strong>-S<br />
systems.<br />
Normal state: off<br />
• MA: green LED indicates correct functionality of ICU as bus master. During system<br />
start up the LED is off.<br />
Normal state: static green<br />
• R/U: not relevant in <strong>TMR</strong>-S systems, no default state<br />
• WDG: red LED indicates Watchdog error.<br />
Normal state: always off<br />
info 261E <strong>TMR</strong>-S <strong>safety</strong> <strong>manual</strong> Rev01.03 11102005.doc page 16 of 40
3.5.3 Elements of FPR cards<br />
The mechanical parts with ejection lever, module rail and guiding pin are identical to<br />
MCxxx-S cards. See Figure 7 and description.<br />
Figure 9: front panel and elements of FPR card<br />
The separate units A, B and C in the <strong>TMR</strong>-S system use shared memory areas on FPR cards<br />
(Four Ported RAM) for internal <strong>com</strong>munication. The forth area, D, is not used. Each unit<br />
writes into its own area but reads from all areas.<br />
Green LEDs indicate write access (WR) to an area. Normal state is fast, almost continuous<br />
flashing. Yellow LEDs indicate read access (RD) to an area. Normal state is fast, almost continuous<br />
flashing.<br />
3.5.4 Elements of <strong>DSP</strong>VCU cards<br />
Figure 10: front panel and elements of <strong>DSP</strong>VCU card<br />
The <strong>DSP</strong>VCU voltage control cards are independent control cards for monitoring the secondary<br />
voltages of the two redundant power supplies and generating a malfunction signal in<br />
info 261E <strong>TMR</strong>-S <strong>safety</strong> <strong>manual</strong> Rev01.03 11102005.doc page 17 of 40
case of over-voltage or under-voltage detection. They use a simple ejection lever, without<br />
micro switch or mechanical release. The card is not connected to the data bus.<br />
Red LEDs show failures in voltage monitoring of any of the required voltages, indicating<br />
either “Lower Limit” or “Upper Limit” failure. Normal state for all LEDs is off.<br />
The green LED is a <strong>com</strong>bined “Power Good” signal, continuously on during normal operation.<br />
See technical description for further details.<br />
3.5.5 Elements of cooling fan<br />
Figure 11: front panel and elements of cooling fan<br />
LEDs in the front panel show the operating mode. Normal state is green LED on and red<br />
LED (alarm) off.<br />
A fan malfunction, e.g. mechanical jamming, activates the red “alarm” LED. Pressing the<br />
reset button after correcting the problem acknowledges the alarm and turns the LED off.<br />
Loosening of two retaining screws in the front panel allow removal and replacement of the<br />
cooling fan during normal operation.<br />
Fan malfunction has no direct impact on the <strong>TMR</strong>-S system. It may lead to over-temperature<br />
of the <strong>com</strong>plete system or individual <strong>com</strong>ponents.<br />
3.5.6 Elements of TFAB DIGIO 2oo3<br />
Figure 12: TFAB DIGIO 2oo3 majority voter<br />
The field assembly board TFAB DIGIO 2oo3 uses no direct display elements. Two fuses at<br />
the upper left corner must be in the “pushed in” position.<br />
Three relays for each digital output signal show the output state for each unit A, B or C. Usually<br />
they will show identical position (open/close). During self-tests (walking zero) one relay<br />
info 261E <strong>TMR</strong>-S <strong>safety</strong> <strong>manual</strong> Rev01.03 11102005.doc page 18 of 40
will temporarily switch to the other state while the other two relays of the group keep the<br />
correct position.<br />
The TFAB is designed with force-guided <strong>safety</strong> relays, using the “de-energize to trip” principle.<br />
3.6 Safety time and reaction time<br />
3.6.1 System reaction time<br />
System reaction time is the interval between occurrence of an external demand and the PES<br />
system’s response. It includes the time between occurrence and detection, time for internal<br />
calculations, setting of hardware output signals and relay switching times.<br />
The time for internal calculations, the program cycle time, depends on <strong>com</strong>plexity of all control<br />
functions handled by one MCDOT-S processor card. For details on program cycle time<br />
see GA safeEdit user <strong>manual</strong>.<br />
Usually the doubled program cycle time plus 15 msec for relay switching may be used as<br />
system reaction time.<br />
Exceptions from this time may occur when:<br />
• <strong>safety</strong> function distributed over multiple MCDOT-S output cards<br />
• hardwired <strong>com</strong>munication between <strong>turbolog</strong> <strong>DSP</strong> <strong>TMR</strong>-S racks<br />
3.6.2 Diagnostic test interval<br />
In addition to <strong>safety</strong> functions the PES system also continually performs diagnostic functions<br />
to detect erroneous system performance. Diagnostic test interval defines the time between<br />
repetitions of diagnostic tests.<br />
The diagnostic test interval must be chosen to achieve a probability of random hardware failure<br />
below or equal to the target failure measure defined in <strong>safety</strong> integrity specifications.<br />
In non-redundant PES systems the sum of diagnostic test interval and failure reaction time<br />
must be less than the process <strong>safety</strong> time.<br />
For <strong>turbolog</strong> <strong>DSP</strong> <strong>TMR</strong>-S systems the probability of dangerous hardware failure (failure of<br />
<strong>safety</strong> function without changing to safe state) is extremely low, due to triple redundancy and<br />
fail-safe concept, so the diagnostic test interval is appropriate. It is specified in system firmware<br />
and can not be modified by the user.<br />
3.6.3 Process <strong>safety</strong> time<br />
The process <strong>safety</strong> time is the interval between occurrence of a disorder (at machine or process,<br />
equipment under control, EUC) and reaching of a critical state. The <strong>safety</strong> system must<br />
be able to bring the process to a safe state in this time interval. Process <strong>safety</strong> time considers<br />
the <strong>com</strong>plete <strong>safety</strong> loop: from sensor and transmitter, over PES system, to actuator.<br />
The PES system reaction time may be used as basis for calculating process <strong>safety</strong> time <strong>com</strong>pliance.<br />
The diagnostic test interval is usually not required for the calculation.<br />
info 261E <strong>TMR</strong>-S <strong>safety</strong> <strong>manual</strong> Rev01.03 11102005.doc page 19 of 40
3.6.4 Proof test interval<br />
The proof test is used at specified intervals to <strong>com</strong>pletely check the PES system and bring it<br />
back to “like new” <strong>safety</strong> integrity. Special attention is given to failures not detectable by<br />
internal diagnostic tests.<br />
As minimum all <strong>safety</strong> functions handled by the PES system must be checked according to<br />
specification.<br />
The time interval between proof tests should not exceed 10 years.<br />
Shortening the test interval will reduce the probability of system failure. Typical intervals are<br />
10 years or 3 years.<br />
info 261E <strong>TMR</strong>-S <strong>safety</strong> <strong>manual</strong> Rev01.03 11102005.doc page 20 of 40
4 PES system engineering<br />
Planning, design and realisation of the PES system are implemented according to box 9<br />
“<strong>safety</strong>-related systems: E/E/PES” in Figure 2: overall <strong>safety</strong> lifecycle on page 10.<br />
Figure 3: hardware and Figure 4: software show detailed phases for engineering and specify<br />
required activities and procedures.<br />
4.1 Hardware Engineering<br />
4.1.1 Specification of <strong>safety</strong> requirements<br />
A detailed list with all <strong>safety</strong> requirements for the project is <strong>com</strong>piled. This is the basis for all<br />
decisions on hardware and software design of the PES system.<br />
4.1.2 Hardware design and validation planning<br />
Hardware design takes the list of requirements and decides on the necessary hardware to handle<br />
these requirements. The number and type of PES systems, including number of i/o cards,<br />
is defined. In parallel to planning the hardware the required methods for hardware validation<br />
are defined.<br />
Specific procedures and measures during hardware design are:<br />
• For each specified <strong>safety</strong> function the PES internal <strong>safety</strong> circle (input signals, control,<br />
output signals) is designed. All input signals should be accessed by cards in the<br />
same system, all outputs must be handled on the same output card MCDOT-S.<br />
Segmentation of <strong>safety</strong> circles to multiple PES systems is possible via hardwired<br />
<strong>com</strong>munication, but should be avoided when possible. Affected signals require special<br />
attention in validation planning, specifically considering system reaction time.<br />
• Every MCDOT-S card may process multiple <strong>safety</strong> functions. Usually a uniform<br />
distribution of <strong>safety</strong> functions over processor cards is re<strong>com</strong>mended to achieve<br />
similar system reaction times.<br />
• Interdependencies of input signals used in multiple <strong>safety</strong> functions must be specified<br />
and documented. They require special attention during validation.<br />
• Distribution of i/o signals to PES systems and their respective i/o cards must be<br />
documented and considered for validation.<br />
• Distribution of <strong>safety</strong> functions to PES systems and MCDOT-S i/o processor cards<br />
must be documented and considered for validation and software engineering.<br />
4.1.3 System integration<br />
System integration designs the integration of the PES systems in the project’s <strong>safety</strong> concept.<br />
The following measures need to be considered:<br />
• Integration of PES systems in the control panel, including external hardware.<br />
• Integration of multiple PES systems, with special attention on hardwired <strong>com</strong>munication.<br />
• Integration of PES systems in the overall concept, including engineering station and<br />
visualisation (DCS)<br />
• Network layout for engineering and visualisation, including redundancy and address<br />
configuration.<br />
info 261E <strong>TMR</strong>-S <strong>safety</strong> <strong>manual</strong> Rev01.03 11102005.doc page 21 of 40
4.1.4 Hardware engineering, check list<br />
No. Description Check<br />
1 Number of i/o cards according to <strong>safety</strong> functions, including spare signals<br />
2 Slot position of i/o cards according to system design specification.<br />
3 Analog frequency inputs with correct cut-off frequency.<br />
4 Appropriate distribution of <strong>safety</strong> functions over MCDOT-S i/o processor<br />
cards with regard to output signals.<br />
5 Hardwired <strong>com</strong>munication between PES systems: acceptable system reaction<br />
time?<br />
6 Connecting cables: correct cable type and length?<br />
7 Network layout: distance, cable length, cable type (copper, optical),<br />
switches, routers, redundancy, addressing<br />
4.2 Software engineering<br />
Table 1: check list hardware engineering<br />
4.2.1 Specification of <strong>safety</strong> requirements<br />
The list of <strong>safety</strong> requirements according to chapter Specification of <strong>safety</strong> requirements on<br />
page 21 is extended with signal information on i/o signals. For each digital signal the contact<br />
mode (normally open, normally closed) if specified, for analog signals the physical range is<br />
defined.<br />
For each <strong>safety</strong> function the required <strong>safety</strong> time is specified.<br />
For each <strong>safety</strong> function the working principle is defined.<br />
4.2.2 Software design and validation planning<br />
The distribution of <strong>safety</strong> functions to PES hardware <strong>com</strong>ponents is implemented as application<br />
software, considering software <strong>safety</strong> specifications. For each <strong>safety</strong> function the PESinternal<br />
<strong>safety</strong> circle of input signal, application program and output signal is considered.<br />
GA safeEdit is used as programming tool, see GA safeEdit user <strong>manual</strong>.<br />
Software design considers the following measures:<br />
• Application programming for specific <strong>safety</strong> functions on MCDOT-S cards according<br />
to hardware design specifications.<br />
• Error response for signal failure specified for every input signal in every <strong>safety</strong><br />
function: Mid-of-3, available/error, (see GA safeEdit user <strong>manual</strong>). Documentation<br />
and validation planning for each signal.<br />
• Analysis of switch-over between operating modes in <strong>safety</strong> functions. Validation<br />
planning for all operating modes with special attention on the time of switch-over.<br />
• Interdependencies between <strong>safety</strong> functions (one input signal or calculated internal<br />
state used in multiple <strong>safety</strong> functions) must be clearly defined, documented and<br />
considered in validation.<br />
• Definition of calculated thresholds for analog inputs, physically and scaled to controller-internal<br />
range, with hysteresis. Documentation and validation planning.<br />
• Power-on behaviour for <strong>safety</strong> functions, including validation.<br />
• Signal tracking for software functions with internal memory function (e.g. RS flip<br />
flop) , including validation.<br />
info 261E <strong>TMR</strong>-S <strong>safety</strong> <strong>manual</strong> Rev01.03 11102005.doc page 22 of 40
4.2.3 Integration of PES hardware and software<br />
PES system integration gives special attention to dependencies between hardware and software.<br />
An important factor is also the integration into the overall system concept, including<br />
PES diagnostics in regular process visualisation (DCS).<br />
Integration considers the following measures:<br />
• Coordinating of hardware and software configuration (slot configuration, network,<br />
i/o access).<br />
• Activation of signal diagnostics (cable failure, short cut) for used signals, deactivation<br />
for spare signals.<br />
• Estimation of system reaction time of all MSDOT-S output processor cards, and<br />
<strong>com</strong>paring with required system reaction time. Consider adequate reserve for software<br />
changes during <strong>com</strong>missioning.<br />
• Memory utilization of MCDOT-S processor cards acceptable, including adequate<br />
reserve for software changes during <strong>com</strong>missioning.<br />
• All relevant diagnostic information of PES systems should be displayed on regular<br />
process visualisation, to inform about critical states or system degradation and allow<br />
sufficient time for corrective maintenance.<br />
4.2.4 Software validation<br />
Software validation uses the programming tool GA safeEdit and the following methods:<br />
• Syntax check and parameter check, offline. On engineering station or PC.<br />
• Offline simulation on engineering station or PC, without PES hardware.<br />
• Online debug on PES hardware, with forced i/o signals, no field signals.<br />
• Online debug on PES hardware, with field signals simulates by test equipment (usually<br />
during panel acceptance test)<br />
• During <strong>com</strong>missioning full software test, online debug and functional, with full<br />
field wiring. First with stopped machine, finally with the machine running.<br />
info 261E <strong>TMR</strong>-S <strong>safety</strong> <strong>manual</strong> Rev01.03 11102005.doc page 23 of 40
4.2.5 Software engineering, check list<br />
No. Description Check<br />
1 Hardware and software configuration corresponding<br />
2 Network configuration correct in hardware and software<br />
3 System reaction time of each MCDOT-S card acceptable as <strong>com</strong>pared to<br />
required <strong>safety</strong> times<br />
4 Memory utilization of MCDOT-S cards acceptable with enough free<br />
memory for modifications during <strong>com</strong>missioning<br />
5 Signal error detection cable failure/short cut active for used signals, inactive<br />
for spare signals<br />
6 Access to all necessary diagnostic information specified and/or programmed<br />
for process visualisation (DCS)<br />
7 System configuration according to project requirements<br />
(time-outs, time settings, internal <strong>com</strong>munication, ...)<br />
Table 2: check list software engineering, system integration<br />
No. Description Check<br />
1 Signal states and ranges for each signal programmed according to specification?<br />
2 Signal behaviour (Mo3) for each signal in every <strong>safety</strong> function defined<br />
according to specification?<br />
3 Analog thresholds programmed according to specification, including scaling<br />
and hysteresis?<br />
4 Interdependencies between <strong>safety</strong> functions according to specification?<br />
5 Power-on behaviour of <strong>safety</strong> functions according to specification?<br />
6 Signal tracking (<strong>TMR</strong> tracking) fur software functions with internal<br />
memory implemented according to specification?<br />
Table 3: check list software engineering, programming<br />
No. Description Check<br />
1 Syntax check and parameter check: no errors, no warnings?<br />
2 Simulation offline on PC: functionality as specified?<br />
3 Online debug on PES system, without field signals, forced signals in<br />
maintenance mode: functionality as specified?<br />
4 Online debug on PES system, with simulated field signals (test equipment,<br />
panel acceptance test), in running mode: functionality as specified?<br />
Table 4: check list software engineering, validation<br />
info 261E <strong>TMR</strong>-S <strong>safety</strong> <strong>manual</strong> Rev01.03 11102005.doc page 24 of 40
5 Assembly and installation<br />
5.1 Qualified personnel<br />
All persons involved in assembly and installation must be qualified according to their duties.<br />
They must be familiar with relevant technical <strong>manual</strong>s and system hardware, and be appropriately<br />
trained in <strong>safety</strong> procedures.<br />
Qualification includes:<br />
• training and experience in handling of electrical equipment according to approved<br />
codes of practice<br />
• experience in installation of <strong>turbolog</strong> <strong>DSP</strong> <strong>TMR</strong>-S <strong>com</strong>ponents<br />
• training in i/o signal diagnostics with programming tool GA safeEdit may be required<br />
• instruction in project specific <strong>safety</strong> concept<br />
• training in use of appropriate <strong>safety</strong> equipment<br />
• training in first aid<br />
5.2 Safety-relevant restrictions of use<br />
The systems must be used in normal environments only. It must be protected against acidic<br />
environments, especially H2S <strong>com</strong>ponents.<br />
5.3 Mounting and connecting<br />
For details on mounting and electrical connecting see technical descriptions of relevant <strong>com</strong>ponents<br />
and info261E <strong>TMR</strong>-S installation <strong>manual</strong>.<br />
Generally the following items apply:<br />
• mounting must be stable, no mechanical vibrations<br />
all screws fixed tightly<br />
• to allow adequate cooling all <strong>com</strong>ponents must be mounted in correct position, keeping<br />
sufficient distance from other <strong>com</strong>ponents.<br />
• Signal lines must be kept separately from power lines. All lines require tidy wiring<br />
and appropriate labelling.<br />
If required, signal lines must be protected against over voltage and over current.<br />
• Power supply must be in acceptable range.<br />
• Component mounting must be EMC <strong>com</strong>patible. For racks this includes correct connection<br />
to protective ground.<br />
• Most <strong>com</strong>ponents include devices sensitive to electro-static discharge. Discharges<br />
by touching <strong>com</strong>ponents must be avoided by using appropriate measures (touching<br />
of or connection to electrically grounded metal parts, ...).<br />
Protective measures are always required when changing <strong>com</strong>ponents.<br />
info 261E <strong>TMR</strong>-S <strong>safety</strong> <strong>manual</strong> Rev01.03 11102005.doc page 25 of 40
5.4 Assembly and installation, check list<br />
No. Description Check<br />
1 Optical check: no damage, proper mounting, proper and tidy wiring, <strong>com</strong>ponent<br />
labelling present and correct<br />
2 Mechanical check: screws tightened, <strong>com</strong>ponents fixed in position, no<br />
vibration<br />
3 wiring: plugs connected and fixed, correct grounding, separation of signal<br />
and power wiring<br />
4 Power-on test: all LEDs show normal state<br />
Table 5: check list assembly and installation<br />
info 261E <strong>TMR</strong>-S <strong>safety</strong> <strong>manual</strong> Rev01.03 11102005.doc page 26 of 40
6 Forcing i/o signals<br />
6.1 Procedure<br />
With forcing all input and output signals of a PES system may be set to any specific value,<br />
independent of field inputs or PES control outputs. This will interfere in <strong>safety</strong> functions,<br />
restricting or disabling them, so forcing may be used only during <strong>com</strong>missioning and maintenance,<br />
under specified operating conditions.<br />
The GA safeEdit user <strong>manual</strong> explains procedures for forcing all types of i/o signals.<br />
The following items must be considered concerning forcing:<br />
• Impact analysis: the impact on PES system and process must be analysed and<br />
clearly understood before forcing. Required operating conditions on PES system,<br />
machine and process must be defined and established.<br />
• Forcing is allowed only to qualified personnel, during <strong>com</strong>missioning or maintenance.<br />
In normal operation forced signals are not allowed, because related <strong>safety</strong> functions<br />
are restricted or disabled.<br />
• The procedure to achieve desired forced states must be clearly understood: is there<br />
any specific order required in forcing several signals? The triple redundancy must<br />
be considered in procedures.<br />
• The procedure for releasing the forced mode must be clearly understood.<br />
• Additional external <strong>safety</strong> measures may be required to <strong>com</strong>pensate for disabled<br />
<strong>safety</strong> functions (e.g. restricted areas).<br />
• Emergency procedures must be defined and prepared to handle potential problems<br />
due to disabled <strong>safety</strong> functions.<br />
6.2 Forcing i/o signals, check list<br />
Nr. description Check<br />
1 Are impacts on system and process analysed and clearly understood?<br />
2 Are system and process requirements (e.g. operating conditions) established?<br />
3 Is the procedure for forcing the desired state clearly understood?<br />
4 Is the procedure for releasing force-mode and return to normal operation<br />
clearly understood?<br />
5 Are required external <strong>safety</strong>/protective measures prepared?<br />
6 Are sufficient emergency measures prepared?<br />
Table 6: check list forcing i/o signals<br />
info 261E <strong>TMR</strong>-S <strong>safety</strong> <strong>manual</strong> Rev01.03 11102005.doc page 27 of 40
7 Commissioning<br />
7.1 Qualified personnel<br />
All persons involved in <strong>com</strong>missioning must be qualified according to their duties. They<br />
must be familiar with relevant technical <strong>manual</strong>s, system hardware and software, and be appropriately<br />
trained in <strong>safety</strong> procedures.<br />
Qualification includes:<br />
• training and experience in handling of electrical equipment according to approved<br />
codes of practice<br />
• software training for the programming tool GA safeEdit for <strong>com</strong>missioning of SIL3<br />
<strong>safety</strong> systems<br />
• instruction in project specific <strong>safety</strong> concept<br />
• instruction in project specific application software<br />
• experience in integration of control systems with control panel<br />
• instruction in machinery and processes to be controlled<br />
• training in use of appropriate <strong>safety</strong> equipment<br />
• training in first aid<br />
7.2 Commissioning procedures<br />
Commissioning uses the programming tool GA safeEdit for programming, system configuration<br />
and diagnostic of hardware and software. A visualisation on a DCS may be running in<br />
parallel via <strong>com</strong>munication, for process states and diagnostics. This <strong>com</strong>munication must also<br />
be checked and, when required, be modified during <strong>com</strong>missioning.<br />
During <strong>com</strong>missioning the PES system will mostly run in maintenance mode. The <strong>com</strong>missioning<br />
technician needs hardware keys and appropriate passwords to enter maintenance<br />
mode.<br />
The system must be protected against unauthorized access.<br />
Activities and procedures during <strong>com</strong>missioning:<br />
• During <strong>com</strong>missioning the <strong>safety</strong> functions are not yet working or work only partially.<br />
Appropriate <strong>safety</strong> and emergency measures must be provided.<br />
• At the first use of PES hardware electrical connections of all <strong>com</strong>ponents must be<br />
checked.<br />
• Check software system configuration: in accordance with documentation<br />
• Check network <strong>com</strong>munication: all systems connected and responding<br />
• Loop check: all i/o signals in GA safeEdit diagnostic display and in visualisation.<br />
Check full range, including cable failure and short cut. Error diagnostics must be<br />
correct in engineering station and DCS.<br />
• Functional check of <strong>safety</strong> functions, machine stopped<br />
• Functional check of <strong>safety</strong> functions, machine running<br />
• Data back-up and documentation of all changes<br />
• Enter normal, safe operating mode. Check: running mode active, key for mode<br />
switch removed, no signals forced, password protection<br />
info 261E <strong>TMR</strong>-S <strong>safety</strong> <strong>manual</strong> Rev01.03 11102005.doc page 28 of 40
7.3 Application software modification<br />
7.3.1 Program modifications<br />
Any modifications in existing and approved application software require an impact analysis:<br />
• Print current program version, create software back-up.<br />
• Plan modifications and create new program with GA safeEdit.<br />
• Print and save new program.<br />
• Check for interconnections between modified <strong>safety</strong> functions and other functions,<br />
using graphical program editor.<br />
• Analyse modified functions, including interconnected old functions, regarding:<br />
only the desired effects on modified functions, no side-effects in modified or old<br />
functions.<br />
When modifications affect switches between operating modes the time of switching<br />
requires special attention.<br />
• Test the new version, at first with simulation, than with stopped machine.<br />
• Check system reaction time of new software.<br />
• All changes must be documented and backed-up.<br />
7.3.2 Parameter modification<br />
Any modifications require an impact analysis:<br />
• Create software backup.<br />
• Plan modifications.<br />
• Check for interconnection of modified parameters in other functions, using graphical<br />
program editor.<br />
• Analyse affected <strong>safety</strong> functions, including interconnected functions:<br />
only desired effects, no side-effects?<br />
• When changing range or scaling of i/o signals the <strong>com</strong>munication to visualisation<br />
system may be affected.<br />
• Test the new version.<br />
• All changes must be documented and backed-up.<br />
7.3.3 Online modification<br />
Whenever possible changes should be done with the machine stopped. During modification<br />
the system’s <strong>safety</strong> integrity is partially <strong>com</strong>promised. Incorrect changes or procedures may<br />
affect <strong>safety</strong> functions.<br />
Modifications with the machine running are possible but need special attention:<br />
• Impact analysis just like analysis for normal changes.<br />
• Additionally impact analysis for power-on behaviour.<br />
• Additionally impact analysis of different signal states on the three separate units in a<br />
<strong>TMR</strong>-S system, during re-programming and start-up.<br />
• All units must be programmed separately. After each unit is programmed the correct<br />
state of all i/o signals and internal states must be checked. Balancing of states by<br />
forcing of i/o signals may be required.<br />
• During the time of modification appropriate <strong>safety</strong> measures must be used, see also<br />
chapter Forcing i/o signals on page 27.<br />
• During modification the <strong>safety</strong> functions are affected. Appropriate emergency<br />
measures must be prepared.<br />
info 261E <strong>TMR</strong>-S <strong>safety</strong> <strong>manual</strong> Rev01.03 11102005.doc page 29 of 40
7.4 Commissioning, check list<br />
No. Description Check<br />
1 Is the project’s <strong>safety</strong> concept clearly understood?<br />
2 Required key switches and passwords available?<br />
3 System hardware configuration correct?<br />
4 Communication check with all systems successful?<br />
5 Loop check for all i/o signals: range and diagnostics correct?<br />
6 Appropriate <strong>safety</strong> measures and emergency measures prepared?<br />
7 Check of <strong>safety</strong> functions, machine stopped, running machine.<br />
7a When required: program modification, see additional check list.<br />
8 Check system reaction time, for each MCDOT-S card.<br />
9 Set safe operating state: system locked, no i/o forcing.<br />
10 Data back-up of <strong>com</strong>plete software<br />
Table 7: check list <strong>com</strong>missioning<br />
No. Description Check<br />
1 Back-up old version.<br />
2 Modification with machine stopped or running?<br />
3 Planning of modifications and impact analysis.<br />
4 Appropriate <strong>safety</strong> measures and emergency measures prepared?<br />
5 Implementation and test of new software<br />
6 Check system reaction time, for each affected MCDOT-S card.<br />
7 Documentation of successful changes.<br />
8 Back-up new version.<br />
Table 8: check list <strong>com</strong>missioning, program modification<br />
info 261E <strong>TMR</strong>-S <strong>safety</strong> <strong>manual</strong> Rev01.03 11102005.doc page 30 of 40
8 Maintenance<br />
8.1 Qualified personnel<br />
All persons involved in maintenance must be qualified according to their duties. They must<br />
be familiar with relevant technical <strong>manual</strong>s, system hardware and software, and be appropriately<br />
trained in <strong>safety</strong> procedures.<br />
Qualification includes:<br />
• training and experience in handling of electrical equipment according to approved<br />
codes of practice<br />
• software training for the programming tool GA safeEdit for maintenance and diagnostics<br />
• instruction in project specific <strong>safety</strong> concept<br />
• training in use of appropriate <strong>safety</strong> equipment<br />
• training in first aid<br />
8.2 Maintenance procedures<br />
Regular maintenance is planned in detail as <strong>com</strong>ponent of the <strong>safety</strong> concept. The planned<br />
tasks are performed in specified service intervals, including:<br />
• Proof-Test interval<br />
• checking and changing air filters<br />
• checking for fouling or contamination<br />
• control of system diagnostics like: diagnostic visualisation in DCS, alarms, LED<br />
display on hardware <strong>com</strong>ponents, extended diagnostic information on engineering<br />
station using GA safeEdit<br />
Unscheduled maintenance be<strong>com</strong>es necessary when regular maintenance shows irregularities.<br />
It is generically considered in the <strong>safety</strong> concept and includes the activities:<br />
• identification and repair of i/o signal failures<br />
• identification and repair/exchange of PES system <strong>com</strong>ponents (i/o cards, fan, power<br />
supply, ...)<br />
• identification and repair of network <strong>com</strong>munication failures<br />
Unscheduled maintenance requires:<br />
• Unequivocal identification of error messages and cause for error: i.e. high system<br />
temperature may have several causes: fouled air filter, cooling fan failure, control<br />
panel air conditioning failure.<br />
• Cross-check of detected error or message with all available tools: DCS visualisation,<br />
hardware check (optical, LEDs, ...), extended diagnostics on engineering station.<br />
• Impact analysis of error/failure consequences on <strong>safety</strong> and availability.<br />
• Planning of maintenance tasks, procedures and responsible personnel.<br />
• Planning of appropriate <strong>safety</strong> and emergency measures.<br />
8.3 Exchange of <strong>com</strong>ponents<br />
Exchange of <strong>com</strong>ponents is possible during normal operation, details are specified in:<br />
info262E <strong>TMR</strong>-S racks technical description<br />
info 261E <strong>TMR</strong>-S <strong>safety</strong> <strong>manual</strong> Rev01.03 11102005.doc page 31 of 40
Exchange of programmable system <strong>com</strong>ponents, MCxxx-S cards and ICU cards requires special<br />
attention:<br />
• Exchange of MCxxx-S or ICU cards requires use of engineering station with GA<br />
safeEdit.<br />
• The PES system is switched to maintenance mode.<br />
• Password protection of GA safeEdit requires use of valid password.<br />
• Error and cause of error is identified, analysed and documented.<br />
• The failed card is removed, see relevant technical documentation.<br />
• Hardware settings (jumper, switches) of spare card are <strong>com</strong>pared and adjusted with<br />
failed card, see relevant technical descriptions.<br />
• Spare card is inserted into the system rack.<br />
• Configuration of spare card is checked and modified as required. Correct detection<br />
and configuration is displayed in GA safeEdit.<br />
• Replacing i/o cards:<br />
o The application program is checked. Usually the current program must be<br />
downloaded to the spare card.<br />
o signal cable from field assembly module to connector is plugged in and fixed.<br />
o Correct state of i/o signals and internally calculated states is <strong>com</strong>pared with<br />
redundant cards of other <strong>TMR</strong>-S units.<br />
• The <strong>com</strong>plete system is checked, running with the new card.<br />
• The system is returned to “Running” operation mode.<br />
The relevant technical description of each card shows details on card exchange and configuration.<br />
Additional information on configuration and programming is available in GA safeEdit<br />
user <strong>manual</strong>.<br />
8.4 Maintenance, check list<br />
Checks for regular maintenance, including proof-test intervals, uses project specific check<br />
lists.<br />
No. Description Check<br />
1 Unequivocal identification of problem: corresponding diagnostics in visualisation,<br />
engineering station and LEDs on card?<br />
2 Process for exchanging cards clearly understood?<br />
3 Appropriate <strong>safety</strong> and emergency measures prepared?<br />
4 New card configured and correctly detected by the system?<br />
5 Correct application program on new card?<br />
6 External signals and internal card states agree with cards on redundant<br />
units?<br />
7 All i/o signals working?<br />
8 System returned to safe operating state after finishing maintenance work?<br />
Table 9: check list maintenance, exchanging cards<br />
info 261E <strong>TMR</strong>-S <strong>safety</strong> <strong>manual</strong> Rev01.03 11102005.doc page 32 of 40
9 Access authorisation<br />
9.1 User login<br />
Figure 13: user login<br />
Before using GA safeEdit to access <strong>turbolog</strong> <strong>DSP</strong> <strong>TMR</strong>-S systems a user authorisation is<br />
required. In “Account login” select a user name from the list of authorised users. Enter the<br />
corresponding password below.<br />
The list always has at least the user “Admin”, other user names depend on system configuration.<br />
The user may work within the scope of his access permissions. Modification of user authorisation<br />
and permissions is available for “Admin” only. Users with highest priority may fully<br />
access diagnostics, configuration and programming of i/o processor cards and ICU <strong>com</strong>munication<br />
processor.<br />
Access beyond diagnostics, affecting the PES system, additionally requires activation of<br />
“Maintenance” mode with the hardware key switch. “Running” mode allows only diagnostics.<br />
User configuration and access rights are explained in GA safeEdit user <strong>manual</strong>.<br />
9.2 Key switch for operating mode<br />
Figure 14: key switch Running/Maintenance<br />
The hardware key switch selects between “Running” and “Maintenance” operating mode, i.e.<br />
normal <strong>safety</strong> operating mode and unsafe maintenance mode.<br />
Maintenance mode allows hardware access that may interfere with <strong>safety</strong> functions, including<br />
forcing of i/o signals, programming of control processors and system configuration. When<br />
using appropriate <strong>safety</strong> and emergency measures, maintenance mode can be used with the<br />
machine/process running. Ordinary, day-to-day operation of the machine is not allowed in<br />
maintenance mode.<br />
Running mode is the safe operating mode.<br />
info 261E <strong>TMR</strong>-S <strong>safety</strong> <strong>manual</strong> Rev01.03 11102005.doc page 33 of 40
After successful <strong>com</strong>missioning or maintenance all forced i/o signals are released, than the<br />
key switch is turned to “Running” position and the key removed. This mode protects the PES<br />
system from external interference by the engineering station. Diagnostics on engineering station<br />
and <strong>com</strong>munication to DCS remain available.<br />
Signals forced to specific states in maintenance mode, analog or digital, remain at the forced<br />
state when the system changes to running mode. A warning message informs of this unsafe<br />
condition.<br />
10 Diagnostic information<br />
10.1 Diagnostic data<br />
Self test statistics<br />
Authorised users can access self test statistics, stored on each MCxxx-S card. The information<br />
is stored in card-internal flash memory. Access via GA safeEdit, see user <strong>manual</strong>.<br />
Log-book of system messages<br />
The engineering station logs all system messages (information, warnings, errors). All messages<br />
are displayed on screen and written to a log-book file. Each message includes time<br />
stamp and informational text. See chapter Analysing error messages on page 35.<br />
Additionally all messages of the <strong>TMR</strong> units A, B and C are stored in flash memory on their<br />
respective ICU card and can be accessed from the engineering station.<br />
Visualisation system<br />
Via <strong>com</strong>munication extensive diagnostic information on all i/o signals is accessible at the<br />
DCS: cable failure, short cut, signal forced, forced-state for digital signals.<br />
Life-bit diagnostic may be programmed for each i/o card to continually check <strong>com</strong>munication<br />
and functionality.<br />
System temperatures and voltages of ICU <strong>com</strong>munication controllers are also accessible.<br />
Storage or logging of this data is available according to capabilities of the visualisation system.<br />
10.2 Process data<br />
All process data is continually available to the DCS system, using <strong>com</strong>munication via ICU<br />
<strong>com</strong>munication controller. Display and logging of data is available according to capabilities<br />
of that system.<br />
Online data may also be accessed from the engineering station, using the graphical trend analyzer<br />
in GA safeEdit, see user <strong>manual</strong>.<br />
Real-time data logging of all i/o signals, including time synchronisation between several controllers,<br />
is optionally available on the ICU controllers.<br />
info 261E <strong>TMR</strong>-S <strong>safety</strong> <strong>manual</strong> Rev01.03 11102005.doc page 34 of 40
10.3 Analysing error messages<br />
The programming tool GA safeEdit shows extensive diagnostic information. If unusual system<br />
behaviour occurs appropriate diagnostic messages are displayed and logged to file.<br />
The example shows a typical error message:<br />
Fr, 16 Sep 2005 15:57:52 : MCU-S 192.168.100.183 (1): (2,13,0) Card<br />
Timeout (ID:116): unit:0, slot:6, timestamp:0xe377, time:0xe44f<br />
The first part shows date and time information about the error:<br />
Friday, 16 th September 2005 at 15:57 and 52 seconds.<br />
The next part is type of processor sending the message, followed by the TCP/IP address of<br />
the ICU sending this error, and the network number in redundant network:<br />
MCU-S, an i/o card with MCU processors on address 192.168.100.183 in network number<br />
(1). <strong>TMR</strong>-S systems may use three redundant networks (1), (2) and (3).<br />
The next part is card position in the <strong>TMR</strong>-S system, identified by unit number (0 = unit A, 1<br />
= unit B, 2 = unit C), card slot number (1 ... 16) and processor number (0 = MCU-A, 1 =<br />
MCU-B):<br />
(2,13,0) identifies a card in unit C, slot 13, processor MCU-A<br />
The next part is the actual error message, followed by an identification number. The number<br />
is used as reference to detailed error information in technical description of the respective<br />
card, explaining causes and procedures for responding to the error:<br />
Card Timeout is the actual error, (ID:116) the ID in technical description. To get detailed<br />
information on error 116 check the card type in slot 13 (MCDIN-S, MCAD-S or<br />
MCDOT-S) and read the technical description for this card type.<br />
The last part is internal time information. Internal time stamps use a system-relative time<br />
count in milliseconds. Timestamp specifies the internal time when the error occurred, time is<br />
the current time when the error was reported. Time stamps are used to analyse a sequence of<br />
events if multiple errors occur.<br />
info 261E <strong>TMR</strong>-S <strong>safety</strong> <strong>manual</strong> Rev01.03 11102005.doc page 35 of 40
11 Common technical data<br />
power supply<br />
nominal operating voltage 100 ... 240 VAC, 50 ... 60 Hz<br />
maximum operating voltage 85 ... 264 VAC, 47 ... 63 Hz<br />
max. power <strong>TMR</strong>/10-S 450 W<br />
max. power <strong>TMR</strong> SMART-S 300 W<br />
digital inputs, MCDIN-S<br />
input current according to NAMUR<br />
“high level” current > 2,1 mA<br />
“low level” current < 1,2 mA<br />
analog inputs MCAD-S<br />
input current 0 ... 25mA<br />
frequency input 100 Hz ...15 kHz<br />
digital outputs MCDOT-S / TFAB<br />
output voltage 24 VDC, 230 VAC<br />
output current, per channel (max.) 0 ... 6A<br />
environmental conditions<br />
storage temperature -25°C ... +70 °C<br />
operating temperature +0°C ... +55°C<br />
relative humidity 10% ... 90%, non condensing<br />
protection class IEC 525 IP 20<br />
operating altitude max. 2000m<br />
pollution degree 2<br />
power supply IEC 536 <strong>safety</strong> class 1, with PE<br />
field connections <strong>safety</strong> class III<br />
dimensions<br />
<strong>TMR</strong>/10-S ( 10HE / 84 TE)<br />
<strong>TMR</strong> SMART-S ( 4HE / 84 TE)<br />
For more details see technical description of <strong>com</strong>ponents.<br />
482,6 x 457,5 x 391 mm [W x H x D]<br />
482,6 x 191 x 391 mm [W x H x D]<br />
info 261E <strong>TMR</strong>-S <strong>safety</strong> <strong>manual</strong> Rev01.03 11102005.doc page 36 of 40
12 Safety specific data<br />
12.1 Equations for probability of failure<br />
In systems with 2-out-of-3 signal handling the probability of failure PFD and PFH is calculated<br />
as:<br />
2<br />
⎛ T1<br />
⎞<br />
PFDG = 6 ⋅ ( ( 1−<br />
β D ) ⋅ λDD<br />
+ ( 1−<br />
β ) ⋅ λDU<br />
) ⋅ tCE<br />
⋅ tGE<br />
+ β D ⋅ λDD<br />
⋅ MTTR + β ⋅ λDU<br />
⋅ ⎜ + MTTR ⎟<br />
⎝ 2 ⎠<br />
G<br />
2<br />
( ( 1−<br />
β D ) ⋅ λDD<br />
+ ( 1−<br />
β ) ⋅ λDU<br />
) ⋅t<br />
CE + β D ⋅ λDD<br />
+ β ⋅ DU<br />
PFH = 6 ⋅<br />
λ<br />
with:<br />
λ<br />
tCE<br />
=<br />
λ<br />
t<br />
GE<br />
DU<br />
D<br />
λ<br />
=<br />
λ<br />
DU<br />
D<br />
⎛ T1<br />
⎞ λDD<br />
⋅⎜<br />
+ MTTR⎟<br />
+ ⋅ MTTR<br />
⎝ 2 ⎠ λD<br />
⎛ T1<br />
⎞ λDD<br />
⋅⎜<br />
+ MTTR⎟<br />
+ ⋅ MTTR<br />
⎝ 3 ⎠ λ<br />
The safe failure fraction SFF is calculated as:<br />
λS<br />
+ λDD<br />
SFF =<br />
λ + λ + λ<br />
S<br />
DD<br />
DU<br />
The diagnostic coverage is calculated as:<br />
∑λ<br />
DD<br />
DC =<br />
λ<br />
∑<br />
D<br />
D<br />
used values:<br />
Symbol Description<br />
β weighting factor for dangerous undetected <strong>com</strong>mon cause failures<br />
βD weighting factor for dangerous detected <strong>com</strong>mon cause failures<br />
λ failure rate (per hour) of one channel in one sub-system<br />
λD dangerous failure rate (per hour) of one channel in one sub-system (D = dangerous)<br />
λDD detected dangerous failure rate (per hour) (DD = dangerous, detected)<br />
λDU undetected dangerous failure rate (per hour) (DU = dangerous, undetected)<br />
safe failure rate (per hour) of one channel in one sub-system (S = safe)<br />
λS<br />
T1<br />
proof test interval (in hours)<br />
MTTR Mean Time To Repair (in hours)<br />
DC diagnostic coverage<br />
SFF safe failure fration<br />
PFDG average probability of failure on demand in system with majority voter<br />
PFHG average probability of failure per hour in system with majority voter<br />
tCE average channel-related failure time (in hours)<br />
average system-related failure time (in hours)<br />
tGE<br />
info 261E <strong>TMR</strong>-S <strong>safety</strong> <strong>manual</strong> Rev01.03 11102005.doc page 37 of 40
12.2 Example<br />
A typical, triple redundant system with redundant input cards, redundant output cards and a<br />
<strong>com</strong>mon, 2-out-of-3 majority voter TFAB-DIGIO-2oo3 is used as an example.<br />
The example assumes non-redundant sensors and actuators (per <strong>TMR</strong> unit).<br />
Figure 15: Reliability diagram for 2-out-of-3<br />
This configuration can read up to 24 digital input signals (times 3, for redundancy). The processors<br />
on MCDOT-S cards can <strong>com</strong>bine these input signals for <strong>safety</strong> function programming<br />
and can use up to 10 digital output signals to control the EUC (equipment under control).<br />
info 261E <strong>TMR</strong>-S <strong>safety</strong> <strong>manual</strong> Rev01.03 11102005.doc page 38 of 40
Calculation for this system results in:<br />
T<br />
+ 3<br />
= 8,<br />
7600 ⋅10<br />
(1 year)<br />
MTTR = 8,<br />
0<br />
PFD<br />
PFH<br />
1<br />
β = 2,<br />
0000<br />
λ = 5,<br />
6240 ⋅10<br />
G<br />
G<br />
=<br />
=<br />
=<br />
= 4,<br />
2800 ⋅10<br />
= 3,<br />
1167 ⋅10<br />
= 5,924 ⋅10<br />
= 7,784 ⋅10<br />
SFF = 99,9058%<br />
DC = 99,21%<br />
⋅10<br />
β = 1,<br />
0000 ⋅10<br />
λ<br />
λ<br />
λ<br />
t<br />
t<br />
D<br />
S<br />
D<br />
DD<br />
DU<br />
CE<br />
GE<br />
−2<br />
−2<br />
7,<br />
5795 ⋅10<br />
7,<br />
5193 ⋅10<br />
6,<br />
0135 ⋅10<br />
−6<br />
−7<br />
−7<br />
−9<br />
+ 1<br />
+ 1<br />
−7<br />
−9<br />
Experience in practical use show a distribution of failure rates to 35 % of failures for sensor +<br />
transmitter, 15% failure for control system and 50 % failure for actuator. Considering this<br />
distribution the IEC 61508 table for failure probability shows a rating for the <strong>turbolog</strong> <strong>DSP</strong><br />
<strong>TMR</strong>-S system:<br />
SIL PFD PFH<br />
1 ≥ 10 -2 to < 10 -1 ≥ 10 -6 to < 10 -5<br />
2 ≥ 10 -3 to < 10 -2 ≥ 10 -7 to < 10 -6<br />
3 ≥ 10 -4 to < 10 -3 ≥ 10 -8 to < 10 -7<br />
4 ≥ 10 -5 to < 10 -4 ≥ 10 -9 to < 10 -8<br />
Table 10: SIL rating for low and high demand modes<br />
The IEC 61508 table for <strong>safety</strong> integrity of hardware subsystems, type B, shows a rating for<br />
the <strong>turbolog</strong> <strong>DSP</strong> <strong>TMR</strong>-S system:<br />
SFF<br />
Hardware Fault Tolerance (HFT)<br />
0 1 2<br />
< 60 % nicht erlaubt SIL 1 SIL 2<br />
60 % to < 90 % SIL 1 SIL 2 SIL 3<br />
90 % to < 99 % SIL 2 SIL 3 SIL 4<br />
≥ 99 % SIL 3 SIL 4 SIL 4<br />
Table 11: Safety integrity of hardware subsystems, type B<br />
The required values for SIL 3 according to IEC 61508 are easily met or surpassed.<br />
info 261E <strong>TMR</strong>-S <strong>safety</strong> <strong>manual</strong> Rev01.03 11102005.doc page 39 of 40
13 Index<br />
BITs........................................................ 14<br />
calculation<br />
SFF ............................................... 37, 39<br />
calculations<br />
diagnostic coverage...................... 14, 37<br />
failure rate .......................................... 37<br />
HFT .................................................... 39<br />
MTTR................................................. 37<br />
PFD............................................... 37, 39<br />
PFH............................................... 37, 39<br />
probability of failure........................... 37<br />
cards<br />
<strong>DSP</strong>VCU ............................................ 17<br />
FPR............................................... 13, 17<br />
i/o................................ 15, 21, 22, 31, 32<br />
ICU....................... 13, 16, 32, 33, 34, 35<br />
MCAD-S ................................ 13, 35, 36<br />
MCDIN-S..................................... 13, 35<br />
MCDOT-S13, 19, 21, 22, 23, 24, 30, 35,<br />
36, 38<br />
MCxxx-S .............. 14, 15, 16, 17, 32, 34<br />
certificate.................................................. 7<br />
<strong>com</strong>mon cause........................................ 37<br />
<strong>com</strong>munication12, 13, 16, 17, 19, 21, 22,<br />
24, 28, 29, 30, 31, 33, 34<br />
DCS .................... 12, 21, 23, 24, 28, 31, 34<br />
diagnostic test......................................... 19<br />
Engineering<br />
Hardware...................................... 21, 22<br />
software.................................. 21, 22, 24<br />
station............. 12, 21, 23, 28, 31, 32, 34<br />
failure rate .............................................. 39<br />
GA safeEdit12, 22, 23, 25, 28, 29, 31, 32,<br />
33, 34, 35<br />
IEC 61508 .................................... 7, 10, 39<br />
key switch ............................ 12, 30, 33, 34<br />
lifecycle............................................ 10, 11<br />
maintenance8, 10, 12, 23, 24, 27, 28, 31,<br />
32, 33, 34<br />
PES system10, 11, 12, 19, 20, 21, 22, 23,<br />
24, 27, 28, 31, 32, 33, 34<br />
process data ............................................ 34<br />
program cycle time................................. 19<br />
proof test .......................................... 20, 37<br />
running ........................... 12, 24, 28, 32, 33<br />
self test ................................................... 34<br />
system reaction time19, 21, 22, 23, 24, 29,<br />
30<br />
time synchronisation .............................. 34<br />
<strong>TMR</strong>-S7, 8, 9, 12, 13, 17, 18, 19, 25, 33,<br />
39<br />
trend analyzer......................................... 34<br />
visualisation system ................... 12, 29, 34<br />
info 261E <strong>TMR</strong>-S <strong>safety</strong> <strong>manual</strong> Rev01.03 11102005.doc page 40 of 40