Rockwell Automation T8094 User Manual

8000 SERIES TMR SYSTEM

SAFETY MANUAL

T8094

ISSUE 27 – JUNE 2013

SAFETY MANUAL

Printed in England

Doc Number T809 4 Issue 27 – J u n e 2013 Page ii

SAFETY MANUAL

This page intentionally blank

Doc Number T809 4 Issue 27 – J u n e 2013 Page iii

SAFETY MANUAL

Issue Record and Record of Amendments

Issue Changes

Number Date

Issue 1 Sep 99

Issue 2 Sep 01

Issue 3 Nov 01

Issue 4 Mar-02

Issue 5 Mar-02

Issue 6 May-02

Issue 7 Jan-03

Issue 8 Jan-03

Issue 9 May-03

Issue 10 May-03

Issue 11 May-03

Issue 12

Issue 13

Issue 14

Issue 15 Mar-04

Issue 16 Nov 04

Issue 17 Nov 05

Issue 18 July 06

Issue 19

Initial Issue

Updated to reflect re-certification as of September, 2001

Updated to reflect 3.0 certification.

Updated to add new logo

Updated to correct table and figure numbering.

Updated to reflect 3.1 certification.

Updated to reflect 3.2 certification.

Updated to reflect EN 60204 stop categories. Reworded 3.5.1.2

Added IEC 61508, EN54, NFPA 85 and HFPA 86 requirements

Updated to reflect TUV comments

System release 3.3

Not released

Updated Section 3.12.11 For Intelligent Update

Added 3.7.1.6 & updated 3.22; System Release 3.4

Added Appendix B – Triguard (SC300e) support ; Added Application and System Configuration archive to 3.12.1 and 3.12.2.; Added 8472 Output Module to Table 5; Reworded 2.2.1.10.3 & 3.2.4; Removed item 4 from section 3.13.3; Corrected reference in 3.11.3 to specify section 5; Added “Grey Channel” to glossary; Corrected 3.6.2 paragraph 2 to refer to the correct section.; 3.7.2 added ‘companion slot’ to a. and removed ‘pair’ from b.

Updated to incorporate TUV comments to release 3.41; Record of amendments for issue 15 had incorrect table reference for 8472 Output module; Previously unlabelled figures and tables given references in issue 15 and hence figure and table numbering changed.; Some points in checklist 4.2.1 were changed in error and have been corrected in issue 16

Added T8442 Module (Table 6). Added T8424 Module (Table 4). Added Enhanced Peer to Peer (Table 3 & section 3.10).; Updated Table 10, forced air temperatures.; Changed suggested Global Protection to level 8 in table 8.; Corrected reference to NFPA86 & EN54 in 3.2.7 & 3.2.8

Modified table 3 regarding peer to peer

Not released

Doc Number T809 4 Issue 27 – J u n e 2013 P a g e i v

SAFETY MANUAL

Issue Changes

Number Date

Issue 20 Feb 09

Issue 21 Oct 09

Issue 22 Nov 12

Issue 23 Nov 12

Issue 24 Jan 13

Issue 25 May 13

Issue 26

Issue 27 June 13

Company logo; master\slave replaced by active\standby; Section 3.7.2 corrected Companion Slot configuration; Added section 6 SYSTEM SECURITY

Relevant sections revised due to updated standards; NFPA 72:2007, NFPA 85:2007, NFPA 86:2007.; ICS Triplex Technology replaced with ICST Triplex

Update for certification of release 3.5.3.

Obsolete – withdrawn.

Details of CS300 migration added in Appendix C.

Instructions for use of autotest management function blocks added in Appendix C.

Additions and corrections to Appendix C for certification.

Not released. Draft A – 21 May 2013 Draft B – 23 May 2013

Update for TUV certification of CS300 migration (Appendix C and section 3.13)

Change of company name in text to Rockwell Automation

Note:

The latest issue of the Safety Manual is available by either:

- contacting icstsupport@ra.rockwell.com

- visiting the TUV website at www.tuv-fs.com/plcics.htm

Doc Number T809 4 Issue 27 – J u n e 2013 P a g e v

SAFETY MANUAL

NOTICE

The content of this document is confidential to Rockwell Automation companies and their partners. It may not be given away, lent, resold, hired out or made available to a third party for any purpose without the written consent of Rockwell Automation.

This document contains proprietary information that is protected by copyright. All rights are reserved.

Microsoft, Windows, Windows 95, Windows NT, Windows 2000, and Windows XP are registered trademarks of Microsoft Corporation.

The information contained in this document is subject to change without notice. The reader should, in all cases, consult Rockwell Automation to determine whether any such changes have been made. From time to time, amendments to this document will be made as necessary and will be distributed by Rockwell Automation.

Information in this documentation set may be subject to change without notice and does not represent a commitment on the part of Rockwell Automation.

The contents of this document, which may also include the loan of software tools, are subject to the confidentiality and other clause(s) within the Integrator Agreement and Software License Agreement.

No part of this documentation may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording, for any purpose, without the express written permission of Rockwell Automation.

DISCLAIMER

The illustrations, figures, charts, and layout examples in this manual are intended solely to illustrate the text of this manual.

The user of, and those responsible for applying this equipment, must satisfy themselves as to the acceptability of each application and use of this equipment.

This document is based on information available at the time of its publication. While efforts have been made to be accurate, the information contained herein does not purport to cover all details or variations in hardware or software, nor to provide for every possible contingency in connection with installation, operation, or maintenance. Features may be described herein which are present in all hardware or software systems. Rockwell Automation assumes no obligation of notice to holders of this document with respect to changes subsequently made.

Rockwell Automation makes no representation or warranty, expressed, implied, or statutory with respect to, and assumes no responsibility for the accuracy, completeness, sufficiency, or usefulness of the information contained herein. No warranties of merchantability or fitness for purpose shall apply.

Doc Number T809 4 Issue 27 – J u n e 2013 P a g e v i

SAFETY MANUAL

PREFACE

This Manual contains the recommended Safety Requirements a System Integrator must consider and implement when designing and building a Safety System using the 8000 series range of products.

The contents of this Manual have been reviewed by TÜV and all recommendations and comments made by TÜV have been incorporated.

REVISION AND UPDATING POLICY

All new and revised information pertinent to this document shall be issued by Rockwell Automation and shall be incorporated into this document in accordance with the enclosed instructions. The change is to be recorded on the Amendment Record of this document.

PRECAUTIONARY INFORMATION

WARNING

Warning notices call attention to the use of materials, processes, methods, procedures or limits which must be followed precisely to avoid personal injury or death.

CAUTION

Caution notices call attention to methods and procedures which must be followed to avoid damage to the equipment.

Notes: Notes highlight procedures and contain information to assist the user in the understanding of the

information contained in this document

Doc Number T809 4 Issue 27 – J u n e 2013 Page vii

MAINTENANCE MUST BE PERFORMED ONLY BY QUALIFIED PERSONNEL.

SAFETY MANUAL

RADIO FREQUENCY INTERFERENCE

MOST ELECTRONIC EQUIPMENT IS INFLUENCED BY RADIO FREQUENCY INTERFERENCE (RFI). CAUTION SHOULD BE EXERCISED WITH REGARD TO THE USE OF PORTABLE COMMUNICATIONS EQUIPMENT AROUND SUCH EQUIPMENT. SIGNS SHOULD BE POSTED IN THE VICINITY OF THE EQUIPMENT CAUTIONING AGAINST THE USE OF PORTABLE COMMUNICATIONS EQUIPMENT.

MAINTENANCE

OTHERWISE PERSONAL INJURY OR DEATH, OR DAMAGE TO THE SYSTEM MAY BE CAUSED.

WARNING

CAUTION

STATIC SENSITIVE DEVICES

MODULES IN THE TMR SYSTEM MAY CONTAIN STATIC SENSITIVE DEVICES WHICH CAN BE DAMAGED BY INCORRECT HANDLING OF THE MODULE. THE PROCEDURE FOR MODULE REMOVAL IS DETAILED IN RELEVANT PRODUCT DESCRIPTIONS AND MUST BE FOLLOWED. ALL TMR SYSTEMS MUST HAVE LABELS FITTED TO THE EXTERIOR SURFACE OF ALL CABINET DOORS CAUTIONING PERSONNEL TO OBSERVE ANTISTATIC PRECAUTIONS WHEN TOUCHING MODULES. THESE PRECAUTIONS ARE DETAILED IN CHAPTER 3 OF THIS PACKAGE.

Doc Number T809 4 Issue 27 – J u n e 2013 Page viii

SAFETY MANUAL

1-oo-2 One-out-of-two 1-oo-2D One-out-of-two with diagnostics 2-oo-2 Two-out-of-two 2-oo-3 Two-out-of-three API Application Program Interface DIN Deutsche Industrie-Norm (German Industrial Standard) DIU Diagnostic Interface Utility EMC Electromagnetic Compatibility EMI Electromagnetic Interference EUC Equipment Under Control FB Function Block FCR Fault Containment Region HIFT Hardware Implemented Fault Tolerance IL Instruction List I/O Input/Output IMB Inter-module Bus LD Ladder Diagram MMU Memory Management Unit MTR Mean Time to Repair PC Personal Computer PST Process Safety Times PSU Power Supply Unit SFC Sequential Function Chart SFOC Second Fault Occurrence Time SIL Safety Integrity Levels ST Structured Text TMR Triple Modular Redundant TÜV Technischer Überwachungs-Verein UPS Uninterruptable Power Supply

ABBREVIATIONS

Doc Number T809 4 Issue 27 – J u n e 2013 P a ge ix

h carry related data.

SAFETY MANUAL

Actuators Devices which cause an action (electrical,

Architecture Organisational structure of a computing system

ASCII The American Standard Code for Information

Availability The probability that a system will be able to

Asynchronous A data communications term describing the

Backplane A printed circuit board which supports bussed

Buffer A type of memory in which information is stored

Bus A group of conductors whic

CIE Control Indicating Equipment

Companion Slot Spare (standby) slot position adjacent (to the

Controller A Controller is the heart of any Rockwell

GLOSSARY

mechanical, pneumatic, etc.) to occur when required within a plant component.

which describes the functional relationship between board level, device level and system level components.

Interchange. Uses seven bits to represent 128 characters. Both upper and lower case letters, numbers, special symbols and a wide range of control codes are included.

perform its designated function when required for use – normally expressed as a percentage.

method by which signals between computers are timed. Although the number of characters to be sent per second is undefined, the rate at which a character’s bits are sent is predetermined. Each character is preceded by a start bit and terminated by a stop bit.

functions to connectors mounted on a printed circuit board. Plug-in components and modules are then able to connect to the bus pins.

temporarily during transfer from one device to another, or one process to another. Normally used to accommodate the difference in the rate or time at which the devices can handle the data.

Micro-based systems have an Address Bus, Data Bus and a Control Bus.

right) to the slot occupied by the ‘active’ module. The slots are inter-connected to enable the ‘active’ module to be ‘hot’ replaced as necessary.

Automation microprocessor based system. It performs central processing of user application logic and controls the actions of input and output hardware, as well as peripheral hardware such as printers and Visual Display Units.

Doc Number T809 4 Issue 27 – J u n e 2013 Page x

SAFETY MANUAL

Discrepancy A discrepancy exists if one or more of the

DRAM Dynamic Random Access Memory. A type of

Element A set of input conditioning, application

Engineering Workstation

EPROM Erasable Programmable Read Only Memory. A

EUC Equipment Under Control. Equipment,

Fail Safe The capability to go to a pre-determined safe

Fault Tolerance Built-in capability of a system to provide

Field Devices Equipment connected to the field side of the I/O

Firmware Special purpose memory units containing

Fixed Frame An empty fixed metal surround, designed to

FBD Functional Block Diagram. A graphical IEC1131

Grey Channel A non-safety critical communication line

GUI Graphical User Interface

elements disagree.

volatile read/write memory where the data is stored as a short-life capacitive charge. Though high density and low cost are a feature of DRAMs, they require each row address and hence all data to be refreshed frequently.

processing and output conditioning. Comprising rugged PC platform fitted with

IEC1131 TOOLSET.

non-volatile storage medium which is electronically programmed. The EPROM device may be erased by strong ultra-violet light.

machinery, apparatus or plant used for manufacturing, process, transportation, medical or other activities.

state in the event of a specific malfunction.

continued correct execution of its assigned function in the presence of a limited number of hardware and software faults.

terminals. Such equipment includes field wiring, sensors, final control elements and those operator interface devices hard-wired to I/O terminals.

software embedded in protected memory required for the operation of programmable electronics.

contain 483mm (19”) standard equipment.

language for building complex procedures by taking existing Functional Blocks from the IEC1131 library and wiring them together on the screen.

between two modules that are regarded as safety critical. Communications sent across a “grey channel” are viewed as subject to errors induced by that channel which must be detected and compensated be the safety related receiver.

Doc Number T809 4 Issue 27 – J u n e 2013 P a ge xi

SAFETY MANUAL

Hot Swap Alternative term for Companion Slot

IEC 1131 TOOLSET Software used to configure and program the

8000 series TMR system.

IEC 61508 IEC61508 is an international standard that

covers functional safety, encompassing electrical, electronic and programmable electronic systems; hardware and software aspects.

IEC 61511 IEC61511 is an international standard that

covers functional safety and Safety Instrumented Systems for the process industry, encompassing electrical, electronic and programmable electronic systems, hardware and software aspects.

EPROM A non-volatile storage medium which is

electronically programmed. The EPROM device may be erased by strong ultra-violet light.

IL Instruction List. A low level IEC1131 language,

similar to the simple textual PLC’s language.

Industrial Processor High performance processor for use in non

safety-related applications which can be used in a simplex or dual-redundant configuration.

Input Module Interface that converts input signals from

external devices into signals that the control system can utilise.

I/O Input/Output conditioning circuits (as distinct

from the central processing).

I/O Driver Essential software to allow the IEC1131

TOOLSET to configure and program unique types of TMR system I/O interfaces.

LD Ladder Diagram. An IEC1131 language

composed of contact symbols representing logical equations and simple actions. The main function of the ladder diagram is to control outputs based on input conditions.

MMI Man Machine Interface. The operator’s

window to monitoring and keys, knobs, switches, Graphical User Interface of the Operator Workstation, etc. for making adjustments in the process.

Modbus An industry standard communications

protocol developed by Modicon. Used to communicate with external devices such as distributed control systems (DCSs) or operator

interfaces. M-oo-N m-out-of-n. See Voting System Module An electronic (generally pluggable) sub-

system.

Doc Number T809 4 Issue 27 – J u n e 2013 Page xii

battery backed) form of read/write memory.

SAFETY MANUAL

MORSE Method for Object Reuse in Safety-critical

Output Module Interface that converts output signals from the

Peer-to-Peer

Communications

PCM PCI Mezzanine Card

Protocol A set of rules governing data flow in a

PSU Power Supply Unit.

RAM Random Access Memory. A volatile (unless

Environments. Programming and

configuration software tool for the Fastflex

range of Remote I/O.

control system into signals that can actuate

external devices.

Allows two or more TMR Controllers to

communicate with each other.

communication system. The protocol governs

such matters as the way a message is

addressed and routed, how often it is sent,

how to recover from transmission errors and

how much information is to be sent.

The time to access different locations is the

same. It may be static (SRAM - data held in a

flip- flop) or dynamic (DRAM – data held as a

capacitive charge).

Real Time A method of data processing in which the data

is acted upon immediately instead of being

accumulated and processed in batches.

Redundancy The employment of two or more devices, each

performing the same function, in order to

improve reliability.

RISC Reduced Instruction Set Computer

RS-232C,

RS-422,

RS-485

Standard interfaces introduced by the Energy

Industries Association covering the electrical

connection between data communication

equipment. RS-232C is the most commonly

used interface,. However, RS-422 allows for

high transmission rates over greatly increased

distances.

RTU Remote Telemetry Unit

Safety Where TÜV certification is a requirement, the

Safety Chapter prescribes how to use the TMR

system in a safety-related application.

SFC Sequential Function Chart. A IEC1131

language that divides the process cycle into a

number of well-defined steps separated by

transitions.

Doc Number T809 4 Issue 27 – J u n e 2013 Page xiii

Software specific to the user application.

SAFETY MANUAL

SIL Safety Integrity Level. One of four possible

Slot A slot is the term given to the physical

SmartSlot Spare module slot position wired, and

SOE Sequence of Events

Software (Application

Software)

ST Structured Text. A high level IEC1131

Swingframe An empty hinged metal surround, designed to

Synchronous A data-communication term describing the

System Engineering

Toolset

TMR Triple Modular Redundancy.

TMR Interface An interface between the TMR Controller and 6U

8000 Series Certified family of products for use in a wide

discrete levels for specifying the safety integrity requirements of the safety functions to be allocated to the safety-related systems. SIL4 has the highest level of safety integrity; SIL1 has the lowest.

allocation of a module within a 483mm (19 inch) frame.

configured to enable any one of a number of modules of the same type to be ‘hot’ replaced as necessary.

Generally, it contains logic sequences, permissives, limits, expressions, etc. that control the appropriate input, output, calculations and decisions necessary to meet system safety functional requirements.

structured language with a syntax similar to Pascal. Used mainly to implement complex procedures that cannot be expressed easily with graphical languages.

contain 483mm (19 inch) standard equipment.

method by which signals between computers are timed. In synchronous communications, a pre-arranged number of bits is expected to be sent across a line per second. To synchronise the sending and receiving machines, a clocking signal is sent on the same line by the transmitting computer. There are no start or stop bits in synchronous communications.

Sophisticated software package which can be used to reduce the time to perform applications engineering, manufacturing, validation and support of the TMR system

format TMR I/O Modules (Low Density I/O)

range of controls applications including safety, continuous process, supervisory control/data acquisition, and integrated control and safety.

Doc Number T809 4 Issue 27 – J u n e 2013 Page xiv

SAFETY MANUAL

Communications

Interface

An intelligent communications module which interfaces between a TMR Controller and an Engineering Workstation, third party equipment or other TMR Controllers.

TMR Processor A processor for use in safety-related

applications of the 8000 series system. Handles application program execution, diagnostics and reporting functions. The TMR Processor uses three high performance RISC processors based on patented TMR architecture arranged in a lock-step configuration.

TÜV Certification Independent third party certification against a

defined range of International standards.

U Units of electronic module size (1-¾ inches).

Voting System Redundant system (e.g. m out of n, 1-oo-2, 2-oo-

3 etc.) which requires at least m of the n channels to be in agreement before the system can take action.

Watchdog Watchdog circuitry provides dynamic and/or

static monitoring of processor operation and is used to annunciate processor or processor related failures.

Doc Number T809 4 Issue 27 – J u n e 2013 P a ge xv

SAFETY MANUAL

Paragraph Page

1. INTRODUCTION ............................................................................................ 1

1.1 PURPOSE OF SAFETY ............................................................................ 1

1.2 ASSOCIATED DOCUMENTS ................................................................... 2

1.3 TERMINOLOGY ........................................................................................ 2

1.3.1 Safety and Functional Safety ........................................................... 3

1.3.2 Safety Integrity and Risk Class Levels ............................................ 3

1.3.3 Process Safety Time (PST) ............................................................. 4

1.4 THE 8000 SERIES OVERVIEW ................................................................ 7

2. SAFETY PRINCIPLES .................................................................................... 8

2.1 INTRODUCTION ....................................................................................... 8

2.2 SAFETY MANAGEMENT .......................................................................... 8

2.2.1 Safety Lifecycle ................................................................................ 9

2.3 FUNCTIONAL SAFETY ASSESSMENT ................................................. 16

2.3.1 Competency................................................................................... 17

3. SYSTEM RECOMMENDATIONS ................................................................. 18

3.1 INTRODUCTION ..................................................................................... 18

3.2 I/O ARCHITECTURES ............................................................................ 18

3.2.1 Safety-Related Configurations ....................................................... 19

3.2.2 High-Density I/O ............................................................................ 23

3.2.3 Analog Input Safety Accuracy ........................................................ 25

3.2.4 Energise to Action Configurations ................................................. 25

3.2.5 EN 60204 Category 0 & 1 Configurations ...................................... 26

3.2.6 NFPA 72 Requirements ................................................................. 26

3.2.7 NFPA 85 Requirements ................................................................. 26

3.2.8 NFPA 86 Requirements ................................................................. 27

3.2.9 EN54 Requirements ...................................................................... 28

3.3 SENSOR CONFIGURATIONS ................................................................ 30

3.4 ACTUATOR CONFIGURATIONS ........................................................... 31

3.5 PFD CALCULATIONS ............................................................................. 31

3.6 PROCESSOR CONFIGURATION ........................................................... 32

3.6.1 Timing ............................................................................................ 32

3.6.2 Diagnostic Access ......................................................................... 33

3.6.3 Configuration File Verification ........................................................ 33

3.7 HIGH DENSITY I/O MODULE CONFIGURATION .................................. 33

3.7.1 Module Characteristics .................................................................. 33

3.7.2 Module Replacement Configuration .............................................. 35

3.8 INPUT AND OUTPUT FORCING ............................................................ 36

3.9 MAINTENANCE OVERRIDES................................................................. 37

3.10 PEER COMMUNICATIONS CONFIGURATION ..................................... 38

3.11 APPLICATION PROGRAM DEVELOPMENT ......................................... 38

3.11.1 IEC1131 Workbench Configuration ............................................... 40

3.11.2 Language Selection ....................................................................... 41

3.11.3 Testing of New or Previously Untested Functions ......................... 42

3.11.4 Application Development ............................................................... 44

TABLE OF CONTENTS

Doc Number T809 4 Issue 27 – J u n e 2013 Page xvi

SAFETY MANUAL

3.11.5 Communications Interaction .......................................................... 45

3.11.6 Program Testing ............................................................................ 46

3.12 ON-LINE MODIFICATION ....................................................................... 47

3.12.1 Application Program ...................................................................... 47

3.12.2 System Configuration .................................................................... 48

3.13 ENVIRONMENTAL REQUIREMENTS .................................................... 48

3.13.1 Climatic Conditions ........................................................................ 48

3.13.2 Electromagnetic Compatibility (EMC) ............................................ 50

3.13.3 Physical Installation Design ........................................................... 50

3.13.4 System Power Requirements ........................................................ 51

3.14 ELECTROSTATIC HANDLING PRECAUTIONS .................................... 52

4. CHECKLISTS ............................................................................................... 53

4.1 PRE-ENGINEERING CHECKLISTS ....................................................... 53

4.1.1 Scope Definition Checklist ............................................................. 53

4.1.2 Functional Requirements Checklist ............................................... 54

4.1.3 Safety Requirements Checklist ..................................................... 55

4.2 ENGINEERING CHECKLISTS ................................................................ 56

4.2.1 I/O Architecture Checklist .............................................................. 56

4.2.2 Language Selection Checklist ....................................................... 57

4.2.3 Override Requirements Checklist .................................................. 58

4.2.4 High Density Module Configuration Checklist................................ 59

4.2.5 Processor and Other Configuration ............................................... 59

4.2.6 Testing ........................................................................................... 60

5. PREVIOUSLY ASSESSED FUNCTIONS ..................................................... 61

6. SYSTEM SECURITY .................................................................................... 63

APPENDIX A ...................................................................................................... 64

7. LOW-DENSITY I/O ....................................................................................... 64

7.1.1 Effect of Input Architectures .......................................................... 64

7.1.2 Effect of Output Architectures ....................................................... 64

7.1.3 TX and DX Low Density module types in Safety applications. ...... 67

APPENDIX B ...................................................................................................... 69

8. TRIGUARD I/O ............................................................................................. 69

8.1 AFFECT OF THE INPUT AND OUTPUT STATES ................................. 69

8.1.1 Effect of Input States ..................................................................... 69

8.1.2 Effect of Output States .................................................................. 69

8.2 SAFETY RELATED INPUTS AND OUTPUTS ........................................ 72

8.2.1 Inputs ............................................................................................. 72

8.2.2 Outputs .......................................................................................... 74

APPENDIX C ..................................................................................................... 76

9. MIGRATING A CS300 CONTROLLER ........................................................ 76

9.1 OVERVIEW ............................................................................................. 76

9.2 GLOSSARY ............................................................................................. 77

9.3 ASSOCIATED DOCUMENTS ................................................................. 77

9.3.1 Specifications ................................................................................ 77

9.3.2 TUV Certification ........................................................................... 77

9.4 LIST OF MODULES FOR SAFETY-RELATED APPLICATIONS ............ 77

9.5 REQUIREMENTS FOR THE TRUSTEDTM SYSTEM .............................. 78

9.6 SYSTEM ARCHITECTURE FEATURES ................................................. 79

Doc Number T809 4 Issue 27 – J u n e 2013 Page xvii

SAFETY MANUAL

9.6.1 T8162 CS300 Bridge Module ........................................................ 80

9.6.2 CS300 Equipment Power Supplies................................................ 81

9.6.3 PI-616/PI-716 Digital Input Board .................................................. 81

9.6.4 PI-632/PI-732 Analogue Input Board ............................................. 81

9.6.5 PI-626/PI-726 Digital Output Board ............................................... 82

9.6.6 PI-627/727 Digital Output Board .................................................... 82

9.6.7 TM118-TWD Watchdog Module .................................................... 82

9.7 SITE PLANNING AND INSTALLATION DESIGN ................................... 83

9.7.1 Operational Environment ............................................................... 83

9.7.2 Installation Design ......................................................................... 83

9.8 PLANNING THE MIGRATION ................................................................. 83

9.9 REPLICATING THE APPLICATION ........................................................ 83

9.9.1 Prerequisites .................................................................................. 83

9.9.2 Choosing Application Logic ........................................................... 84

9.9.3 Detecting and Handling Faults....................................................... 84

9.10 USING THE AUTOTEST MANAGEMENT FUNCTION BLOCKS ........... 84

9.10.1 Function Block Library ................................................................... 84

9.10.2 Hardware Arrangements ............................................................... 85

9.10.3 Quick Reference Guide ................................................................. 85

9.10.4 Choosing and Using Function Blocks ............................................ 86

9.10.5 Function Block Specifications ........................................................ 92

9.10.6 Parameter Specifications ............................................................... 94

9.10.7 Connecting F&G and ESD Systems .............................................. 98

9.10.8 Retaining the CD901 Diagnostic Panel ......................................... 98

9.10.9 TM117-DMX Matrix Driver Interface Module ................................. 98

9.10.10 Making Printouts of Alarm and Diagnostic Data ............................ 99

9.11 PREPARING FOR ENTRY INTO SERVICE ........................................... 99

9.12 MAINTAINING THE MIGRATED SYSTEM ............................................. 99

9.12.1 Maintenance Schedule .................................................................. 99

9.13 COMPLETION ......................................................................................... 99

Doc Number T809 4 Issue 27 – J u n e 2013 Page xviii

SAFETY MANUAL

Figure 1 - Simple Triplicated System ................................................................... 5

Figure 2 – TMR Architecture ................................................................................ 6

Figure 3 - Single High Density TMR I/O Module Architecture ............................ 23

Figure 4 - SmartSlot or Adjacent Slot TMR Module Configuration .................... 24

Figure 5 – 2-oo-3 voting logic with discrepancy reporting .................................. 67

Figure 6 – Discrepancy error bit latch and manual reset logic ........................... 68

Figure 7 - Current to Voltage Conversion .......................................................... 73

Figure 8 – System Architecture Features using T8162 Bridge Module ............. 79

Figure 9 - Wiring for CS300 digital inputs using a simplex digital input module100 Figure 10 - Wiring for CS300 digital inputs using duplex digital input modules 101

Figure 11 - Wiring for CS300 analogue inputs ................................................. 102

Figure 12 - Wiring for CS300 digital outputs .................................................... 103

ILLUSTRATIONS

TABLES

Table 1 - Referenced documents ......................................................................... 2

Table 2 - Central Modules .................................................................................. 19

Table 3 - Input Modules High Density I/O .......................................................... 20

Table 4 - Output Modules High Density I/O ....................................................... 20

Table 5 - Multi-purpose Modules, High Density I/O ........................................... 21

Table 6 - Auxiliary Modules ................................................................................ 22

Table 7 - IEC1131 Workbench Recommended Access Levels ......................... 40

Table 8 - Safety Related Programming Language ............................................. 41

Table 9 - Climatic Condition Requirements ....................................................... 49

Table 10 - Electromagnetic Compatibility ........................................................... 50

Table 11 - Input Module, Low Density I/O .......................................................... 65

Table 12 - Output Modules, Low Density I/O ..................................................... 66

Table 13 - Central Modules ................................................................................ 70

Table 14- Input Module, Triguard I/O ................................................................. 70

Table 15- Output Modules, Triguard I/O ............................................................ 71

Table 16 – Triguard Multi-purpose Modules ...................................................... 71

Table 17 – Auxiliary Chassis and PSUs ............................................................. 71

Table 18 - List of CS300 Modules Suitable for Safety-Related Applications ..... 77

Table 19 - TrustedTM Items Needed for the Migration ........................................ 79

Table 20 - Summary of Function Blocks ............................................................ 85

Table 21 - Summary of Function Block Parameters .......................................... 85

Doc Number T809 4 Issue 27 – J u n e 2013 Page xix

SAFETY MANUAL

Doc Number T809 4 Issue 27 – J u n e 2013 Page xx

SAFETY MANUAL

This page intentionally blank

Doc Number T809 4 Issue 27 – J u n e 2013 Page xxi

SAFETY MANUAL

1. INTRODUCTION

1.1 PURPOSE OF SAFETY

The 8000 series TMR system has been designed and certified for use in safety related applications. To ensure that systems build upon these foundations, it is necessary to impose requirements on the way such systems are designed, built, tested, installed and commissioned, operated, maintained and de-commissioned. This Manual sets out the requirements to be met during the lifecycle stages of safety-related systems to ensure that the safety objectives of the safety system are achieved

This Manual is intended primarily for system integrators. It is assumed that the reader has a thorough understanding of the intended application and can translate readily between the generic terms used within this Manual and the terminology specific to the integrator’s or project’s application area.

The TMR system has been independently certified by the German certification authority Technischer Überwachungs-Verein (TÜV) to meet the requirements of IEC 61508 SIL 3.

The content of this Manual has been reviewed by TÜV and it represents the requirements that shall be fulfilled to achieve certifiable safety-related systems up to SIL 3. Conditions and configurations that shall be adhered to if the system is to remain in compliance with the requirements of SIL 3 are clearly marked.

The information contained in this Manual is intended for use by engineers and system integrators and is not intended to be a substitute for expertise or experience in safetyrelated systems. Requirements for quality systems, documentation and competence are included within this document; these are requirements, and NOT replacements, for an operating company’s or integrator's quality systems, procedures and practices. The system integrator remains responsible for the generation of procedures and practices applicable to its business, and shall ensure that these are in accordance with the requirements defined herein. The application of such procedures and practices is also the responsibility of the system integrator, however, these shall be considered mandatory for systems for SIL 3 applications.

Doc Number T809 4 Issue 27 – J u n e 2013 Page 1 of 1 0 3

SAFETY MANUAL

1.2 ASSOCIATED DOCUMENTS

The following documents are associated with the safety requirements applicable to the TMR system or provide supporting information via TUV web Site.

Document Title

"Maintenance Override" by TÜV

Süddeutschland / TÜV Product Service GmbH and TÜV Rheinland

IEC61508 Functional Safety of Programmable

Electronic Systems

IEC61511 Functional safety: Safety Instrumented

Systems for the process industry sector

EN54-2 Fire Detection and Fire Alarm Systems NFPA 72:2007 National Fire Alarm Code NFPA 85:2007 Boiler and Combustion Systems Hazards

Code

NFPA 86:2007 Standard for Ovens and Furnaces

An understanding of basic safety and functional safety principles and the content of these standards in particular are highly recommended. The principles of these standards should be thoroughly understood before generating procedures and practises to meet the requirements of this Safety Manual.

1.3 TERMINOLOGY

The terms ‘certification’ and ‘certified’ are used widely within this Manual. Within the context of this Manual, these terms refer to the functional safety certification of the product to IEC 61508 SIL 3. The 8000 series as a product is certified to a wider range of standards that are outside the scope of this Safety Manual.

This Manual contains rules and recommendations: Rules are mandatory and must be followed if the resulting system is to be a SIL 3

compliant application. These are identified by terms such as ‘shall’. Recommendations are not mandatory, but if they are not followed, extra safety

precautions must be taken in order to certify the system. Recommendations are identified by terms such as `it is strongly recommended’.

Table 1 - Referenced documents

Doc Number T809 4 Issue 27 – J u n e 2013 Page 2 of 1 0 3

SAFETY MANUAL

1.3.1 Safety and Functional Safety

Safety: The expectation that a system will not lead to risk to human life or health.

Safety is traditionally associated with the characteristics or hazards resulting from the system itself; including fire hazards, electrical safety, etc. The requirements to be satisfied by the integrator here include wiring, protective covers, selection of materials, etc.

Functional Safety: The ability of a system to carry out the actions necessary to achieve or to maintain a safe state for the process and its associated equipment.

Functional safety is considered the ability of the system to perform its required safety function. The requirements on the integrator here are to take the steps necessary to ensure that system is free from faults, errors, and correctly implements the required safety functions.

This Manual concentrates on functional safety; it is assumed that the reader is familiar with the methods of achieving basic safety.

1.3.2 Safety Integrity and Risk Class Levels

The TMR system is certified for use for applications to SIL 3 for subsections of the system using low density I/O.

A Safety Integrity Level (SIL) is defined in IEC61508/IEC61511 as one of four possible discrete levels for specifying the safety integrity requirements of the safety functions to be allocated to the safety-related system. SIL 4 has the highest level of safety integrity; SIL 1 has the lowest.

However, IEC61508 requires that the complete installation meet these requirements in order to achieve an overall SIL. The system covered by this technical manual forms only a part of such requirements.

Doc Number T809 4 Issue 27 – J u n e 2013 Page 3 of 1 0 3

SAFETY MANUAL

1.3.3 Process Safety Time (PST)

Every process has a safety time that is the period that the process can be controlled by a faulty control-output signal without entering a dangerous condition. This is a function of the process dynamic and the level of safety built into the process plant. The

Process Safety Time1 (PST) can range from seconds to hours, depending on the process. In instances where the process has a high demand rate and/or highly dynamic process the PST will be short, for example, turbine control applications may dictate process safety times down to around 100ms

The PST dictates the response time for the combination of the sensor, actuators and each realised control or safety function. For demand or event-driven elements of the system, the response time of the system shall be considerably less than:

(PST- Sensor and actuator delay)

For convenience within this document, we will refer to the element of the PST relevant to the system’s response time as PSTE, effective PST.

For cyclic elements of the system, the system’s scan time shall be considerably less than of the effective PST, i.e.:

½ (PST- Sensor and actuator delay), or

The response time in the context of the process safety time must consider the system’s ability to respond, i.e. its probability of failure on demand (including its ability to fulfil the required function within the required time). The probability of failure on

demand is a function of the system’s architecture, its self-test interval and its β-factor2. If the system architecture provided no fault tolerance, it would be necessary to ensure that the sum of the response times (including sensors and actuators) and the fault detection time does not exceed the process safety time.

In practice, many of a system’s self-test intervals vary from seconds to hours depending on the element of the system under test. For higher requirements, the system architecture shall provide sufficient fault tolerance, or faults shall result in failsafe actions, i.e. there shall be no potential covert failures for those safety-related elements of the system. Degraded Operation

Non-fault tolerant (simplex) systems, by definition, do not have the ability to continue their operation in the presence of fault conditions. If we consider a digital point, the state may be 0, 1, or undefined (X). In the case of a fault within a non-fault tolerant system we would normally assume that the state becomes undefined in the presence of faults. For safety applications, however, it is necessary to be able to define how the system will respond in the presence of faults and as faults accumulate, this is the system’s defined degraded operation. Traditionally, 0 is considered the fail-safe state, and 1 considered the operable condition. A standard non-fault tolerant system would therefore be 1 channel operating (or 1-out of-1), degrading to undefined (X) in the case of a fault. Obviously, this would be undesirable for safety applications, where we require a fail-safe reaction in the case of a fault, a system providing this operation would be 1-oo-1 fail-safe, or 1→0.

The additional element in the degradation path is that the fault may occur but may be hidden, or covert. The fault could be such that it prevents the system from responding when required to do so. Obviously, this would also be unacceptable for safety

½ (PSTE)

The only source of information about the PST is the designer’s Loss Prevention Engineer. This data is not

normally supplied at bid or at the manufacturing stage, so a direct request for information should be made. This data must form part of the safety considerations for the system and design reviews must be a fundamental part of safety engineering.

The β-factor is a measure of common cause failure and is dependent on the equipment’s original design,

which is assessed and certified independently, and the implementation of the guidance providing within this Safety Chapter. The compact nature of the TMR system provides a β-factor of better than 1%.

Doc Number T809 4 Issue 27 – J u n e 2013 Page 4 of 1 0 3

SAFETY MANUAL

applications. To detect the presence of these covert faults, it is necessary to perform tests, or diagnostics on the system. Detection of the covert fault is then used to force the system to its fail-safe condition. For a non-fault tolerant (simplex) system with diagnostics, this is referred to as 1-oo-1D.

Fault tolerant systems have redundant elements that allow the system to continue operation or to ensure that the system fails safety in the presence of faults. For example, a dual system may be 1-oo-2 (also known as 2v2), with either channel able to initiate the fail-safe reaction, or 2-oo-2 (1v2) requiring both channels to initiate the fail-safe reaction. The 1-oo-2 system provides a greater period between potential failure to respond to a hazard, but a higher probability of spurious responses. The 2oo-2 system providing a greater period between spurious responses, but a higher chance of not responding when required. It is also possible to have dual systems with diagnostics to address covert failures and help redress the balance between failure to respond and spurious response. A dual system could therefore be 2-oo-2D reverting to 1-oo-1D reverting to fail-safe, or 2→1→0.

Consider a simple triplicated system, as shown in Figure 1. The input and output devices are assumed to be simply wired to the input and output channels to provide the requisite distribution and voting. We have assumed that the output vote is a simple majority vote for this purpose. Note with non-8000 series systems there may be a need for a common output-voting element.

INPUT

(Ch. A)

INPUT

(Ch. B)

INPUT

(Ch. C)

PROCESSOR

(Ch. A)

PROCESSOR

(Ch. B)

PROCESSOR

(Ch. C)

Figure 1 - Simple Triplicated System

OUTPUT

(Ch. A)

OUTPUT

(Ch. B)

OUTPUT

(Ch. C)

Doc Number T809 4 Issue 27 – J u n e 2013 Page 5 of 1 0 3

SAFETY MANUAL

A failure in any element of each channel, e.g. Ch. A Input, will result in that complete channel’s failure. If this failure is fail-safe, only 1 of the remaining channels needs to respond to a demand condition to generate the safe reaction. If a second channel fails safe then the overall system will fail-safe. This is therefore a 3-2-0 architecture. Typically diagnostics are used to ensure that the fail-safe state can be assured, the operation is therefore 2-oo-3D, reverting to 1-oo-2D, reverting to fail-safe.

The 8000 series is a TMR system; this means that each stage of the system is triplicated, with the results from each preceding stage majority voted to provide both fault tolerance and fault detection. Diagnostics are also used to ensure that covert failures are detected and result in the correct fail-safe reaction. For example, a fault within Input Ch. A will be localised to that input, and unlike the standard triplicated system, will allow Processor Ch. A and Output Ch. A to continue operation, i.e. the input is now operating 1-oo-2D whilst the remainder of the system continues to operate 2-oo-3.

Diagnostics

INPUT (Ch. A)

Diagnostics

INPUT (Ch. B)

INPUT (Ch. C)

Diagnostics

PROCESSOR

(Ch. A)

Diagnostics

PROCESSOR

(Ch. B)

DiagnosticsDiagnostics

PROCESSOR

(Ch. C)

Diagnostics

OUTPUT

(Ch. A)

Diagnostics

OUTPUT

(Ch. B)

Diagnostics

OUTPUT

(Ch. C)

Figure 2 – TMR Architecture

The 8000 Series utilises this Triple Modular Redundant architecture with diagnostics, supporting a 2-oo-3D reverting to 1-oo-2D reverting to fail-safe, or 3-2-0 operation. The 1-oo-2D operation is a transient mode of operation where active and standby modules are installed; in this case, the degradation is 3-2-3-2-0.

The architecture, and hence degradation modes for low density I/O may be selected as required, see para. 3.2 in this Manual for further details.

Doc Number T809 4 Issue 27 – J u n e 2013 Page 6 of 1 0 3

SAFETY MANUAL

1.4 THE 8000 SERIES OVERVIEW

The TMR system is based on a triplicated microprocessor with internal redundancy of all critical circuits. The system controls complex and often critical processes in real time - executing programs that accept external sensor signals, solving logic equations, performing calculations for continuous process control and generating external control signals. These user-defined application programs monitor and control real-world processes in the oil and gas, refining, rail transit, power generation and related industries across a wide range of control and safety applications. The TMR system is certified for use in safety-related applications such as fire and gas detection, and emergency shutdown up to requirements of IEC 61508 SIL 3.

Application programs for the TMR system are written and monitored using the IEC1131 TOOLSET , a Microsoft® Windows NT™, Windows 2000™, or Windows XP™, based software suite running on a personal computer.

The TMR architecture provides a flexibility that allows each system to be easily adapted to the different needs of any installation. This flexibility permits the user to choose from different levels of I/O fault protection and provides a variety of I/O interfacing and communications methods, thereby allowing the system to communicate with other equipment and field devices.

Those elements of the system that are to be used in safety-related operations are certified to IEC 61508 SIL 3. The remaining elements of the system are certified for non-interfering operation.

This manual covers the release as specified in the certified module list.

Doc Number T809 4 Issue 27 – J u n e 2013 Page 7 of 1 0 3

SAFETY MANUAL

2. SAFETY PRINCIPLES

2.1 INTRODUCTION

This paragraph provides an overview of generic safety principles with emphasis on the system integration process. These principles are applicable to all safety-related systems, including, but not limited to, the 8000 series system.

2.2 SAFETY MANAGEMENT

A prerequisite for the achievement of functional safety is the implementation of procedural measures applicable to the safety lifecycle; these are collectively referred to as a Safety Management System. The Safety Management System defines the generic management and technical activities necessary for functional safety. In many cases, the Safety Management and Quality systems will be integrated within a single set of procedures. It is highly recommended that the integrator have a quality management system in accordance with ISO9000.

The safety management system shall include:

• A statement of the policy and strategy to achieving functional safety.

• A Safety Planning Procedure. This shall result in the definition of the safety

lifecycle stages to be applied, the measures and techniques to be applied at each stage, and responsibilities for completing these activities.

• Definitions of the records to be produced and methods of managing these records, including change control. The change control procedures shall include records of modification requests, the impact analysis of proposed modifications and the approval of modifications. The baseline for change control shall be defined clearly.

• Configuration items shall be uniquely identified and include version information, e.g. system and safety requirements, system design documentation and drawings, application software source code, test plans, test procedures and results.

• Methods of ensuring that persons are competent to undertake their activities and fulfil their responsibilities.

Expansion of these requirements is included within the following sub-paragraphs.

Doc Number T809 4 Issue 27 – J u n e 2013 Page 8 of 1 0 3

SAFETY MANUAL

2.2.1 Safety Lifecycle

The Safety Lifecycle is designed to structure a system’s production into defined stages and activities, and should include the following elements:

• Scope definition

• Functional requirements specification

• System safety requirements specification

• System engineering

• Application programming

• System production

• System integration

• System safety validation

• System installation and commissioning

• System operation and maintenance procedures

• System modification

• Decommissioning

The definition of each lifecycle stage shall include its inputs, outputs and verification activities. It is not necessary to have stages within the lifecycle addressing each of these elements independently; it is important that all of these stages be covered within the lifecycle. Specific items that need to be considered for each of these lifecycle elements are described in the following sub-paragraphs.

2.2.1.1 Scope Definition

The initial step in the system lifecycle should establish the bounds of the safety-related system and a clear definition of its interfaces with the process and all third party equipment. This stage should also establish the requirements resulting from the intended installation environment, including climatic conditions, power sources, etc.

In most cases, the client will provide this information. It is necessary to review this information and establish a thorough understanding of the intended application, the bounds of the system to be provided and its intended operating conditions. An example checklist for the review of the scope definition is given in para. 4.1.1.

2.2.1.2 Functional Requirements

This stage is to establish the complete set of functions to be implemented by the system. The timing requirements for each of the functions are also to be established. Where possible, the functions should be allocated to defined modes of operation of the process.

For each function, it is necessary to identify the process interfaces involved in each of the functions. Similarly, where the function involves data interchanged with third party equipment, the data and interface are to be clearly identified. Where non-standard field devices, communications interfaces or communications protocols are required, it is important that the detailed requirements for these interfaces be established and recorded at this stage. In general, the client will provide the functional requirements. It is, however, necessary to collate these requirements into a document, or document set, including any clarification of the functional requirements. In cases where the client provides the functional requirements in an ambiguous form it will be necessary to clarify, document and establish agreement on the requirements with the client. It is recommended that logic diagrams be used to represent the required functionality. An example checklist for the review of the functional requirements is given in para. 4.1.2.

Doc Number T809 4 Issue 27 – J u n e 2013 Page 9 of 1 0 3

+ 94 hidden pages