Schneider 140DDO35300 User Manual

Modicon Quantum
Quantum Safety PLC Safety Reference Manual
33003879.05
04/2013
www.schneider-electric.com
The information provided in this documentation contains general descriptions and/or technical characteristics of the performance of the products contained herein. This documentation is not intended as a substitute for and is not to be used for determining suitability or reliability of these products for specific user applications. It is the duty of any such user or integrator to perform the appropriate and complete risk analysis, evaluation and testing of the products with respect to the relevant specific application or use thereof. Neither Schneider Electric nor any of its affiliates or subsidiaries shall be responsible or liable for misuse of the information that is contained herein. If you have any suggestions for improvements or amendments or have found errors in this publication, please notify us.
No part of this document may be reproduced in any form or by any means, electronic or mechanical, including photocopying, without express written permission of Schneider Electric.
All pertinent state, regional, and local safety regulations must be observed when installing and using this product. For reasons of safety and to help ensure compliance with documented system data, only the manufacturer should perform repairs to components.
When devices are used for applications with technical safety requirements, the relevant instructions must be followed.
Failure to use Schneider Electric software or approved software with our hardware products may result in injury, harm, or improper operating results.
Failure to observe this information can result in injury or equipment damage. © 2013 Schneider Electric. All rights reserved.

Table of Contents

Safety Information  7
About the Book  9
Chapter 1  General Information on the Quantum Safety PLC  13
  1.1  General Information  14
    IEC 61508 and Safety Integrity Level (SIL)  15
    Functional Safety Certification  16
    Special Operating Modes  23
    Diagnostics  24
    Difference Between Standard Quantum PLC and Quantum Safety PLC  25
    Training  28
  1.2  Safety Requirements  29
    Requirements for Hardware and Programming  29
Chapter 2  Hardware and Configuration  31
  2.1  Safety CPU  32
    Standalone Safety CPU  33
    Hot Standby Safety CPU Specifics  35
  2.2  Safety I/O Modules  38
    General Information on the Safety I/O Modules  39
    Safety I/O Modules in High Availability Configurations  40
    Safety I/O Modules Diagnostics  43
    Safety Analog Input Module  45
    Safety Digital Input Module  48
    Safety Digital Output Module  51
  2.3  Power Supply  55
    Power Supply for the Quantum Safety PLC  55
  2.4  Non-Interfering Modules  56
    Non-Interfering Modules for the Quantum Safety PLC  56
  2.5  Restrictions on I/O Modules  58
    Description of the Restrictions on I/O Modules  58
  2.6  System Behavior in Case of Detected Diagnostic Errors  59
    Improper Behavior of the Safety CPU Modules  60
    Improper Behavior of the Safety I/O Modules  62
  2.7  Configuration Examples  63
    Configuration Examples for the Quantum Safety PLC  63
Chapter 3  Programming  69
  3.1  General Information on Programming  70
    Available Language Sections  71
    Exceptions and Requirements for Programming  72
    Process Safety Time  75
  3.2  Software Description  79
    Unity Pro XLS  80
    Functions/Function Blocks for SIL3 Applications  82
    Application Password  86
  3.3  Operating Procedures  87
    Operating Modes of the Safety PLC  88
    Safety Mode  90
    Maintenance Mode  92
    Forcing  94
  3.4  Special Features and Procedures  96
    Checking the Programming Environment  97
    Starting the Quantum Safety PLC  98
    Version Stamp  99
    Upload  100
    Project Backups  101
    Detected Faults  102
Chapter 4  Communication  103
  4.1  Memory Area  104
    Memory Area Description  104
  4.2  PC-PLC Communication  107
    PC-PLC Communication Description  107
  4.3  PLC-PLC Communication  108
    PLC-PLC Communication Description  108
  4.4  Safe Ethernet PLC-PLC Communication  110
    Peer-to-peer Communication  111
    Solution Architecture  112
    Configuration of NTP Service  113
    Configuration of S_WR_ETH DFB in the User Program of the Sender PLC  115
    Configuration of S_RD_ETH DFB in the User Program of the Receiver PLC  116
    Configuration of IO Scanning Service  120
    Safe Peer-to-peer Communication Impacts  121
    Example of Configuration, Parameters and Performance Results  123
  4.5  PLC-HMI Communication  125
    PLC-HMI Communication Description  125
Chapter 5  Checklists  127
    Checklist for Configuring Safety-Related Systems  128
    Checklist for Programming SIL3 Applications  130
    Checklist for I/O Modules  132
    Checklist for Configuring Safe Peer-to-Peer Communication  134
    Checklist for Operation, Maintenance, and Repair  137
Chapter 6  Special Requirements for Application Standards  139
    Special Requirements for Application Standards  139
Appendices  141
Appendix A  IEC 61508  143
    General Information on the IEC 61508  144
    SIL Policy  146
Appendix B  System Objects  151
  B.1  System Bits  152
    System Bit Introduction  153
    Description of the System Bits %S0 to %S13  154
    Description of the System Bits %S15 to %S21  156
    Description of the System Bits %S30 to %S51  158
    Description of the System Bits %S59 to %S122  159
  B.2  System Words  161
    Description of the System Words %SW0 to %SW21  162
    Description of the System Words %SW30 to %SW59  165
    Description of the System Words %SW60 to %SW127  169
Glossary  177
Index  193

Safety Information

Important Information
NOTICE
Read these instructions carefully, and look at the equipment to become familiar with the device before trying to install, operate, or maintain it. The following special messages may appear throughout this documentation or on the equipment to warn of potential hazards or to call attention to information that clarifies or simplifies a procedure.
PLEASE NOTE
Electrical equipment should be installed, operated, serviced, and maintained only by qualified personnel. No responsibility is assumed by Schneider Electric for any consequences arising out of the use of this material.
A qualified person is one who has skills and knowledge related to the construction and operation of electrical equipment and its installation, and has received safety training to recognize and avoid the hazards involved.
About the Book

At a Glance

Document Scope
This Safety Reference Manual describes the Quantum Safety PLC with special regard to how it meets the Safety requirements of the IEC 61508. It provides detailed information on how to install, run, and maintain the system correctly in order to protect human beings as well as to prevent damage to environment, equipment, and production.
This documentation is intended for qualified personnel familiar with Functional Safety and Unity Pro. Commissioning and operating the Quantum Safety PLC may only be performed by persons who are authorized to commission and operate systems in accordance with established Functional Safety standards.

Validity Note
This documentation is valid for Unity Pro from version 7.0.
Related Documents
You can download the Schneider Electric technical publications and other technical information from our website.
NOTE: All restrictions regarding electrical safety and external cabling and wiring must follow the documents in this table and the contents of this manual.

Title of Documentation                                                                                   Reference Number
Modicon Quantum with Unity Ethernet Network Modules User Manual                                          33002479
Grounding and Electromagnetic Compatibility of PLC Systems User Manual                                   33002439
Modicon Quantum Hot Standby with Unity User Manual                                                       35010533
Modicon Remote I/O Cable System Planning and Installation Guide                                          35014629
Premium, Atrium and Quantum using Unity Pro Communication Services and Architectures Reference Manual    35006173
Quantum Instruction Sheets                                                                               33002365
Quantum TCP/IP Configuration User Manual                                                                 33002467
Quantum with Unity Pro Discrete and Analog I/O Reference Manual                                          35010516
Quantum with Unity Pro Hardware Reference Manual                                                         35010529
Unity Pro Operating Modes Manual                                                                         33003101
Unity Pro OSLoader User Manual                                                                           35006156
Unity Pro Program Languages and Structure Reference Manual                                               35006144
Unity Pro Safety Block Library                                                                           33003873
Unity Pro XLS Operating Mode Manual Safety PLC Specifics                                                 33003885
IEC 61131-2 Programmable controllers, Part 2: Equipment requirements and tests, Second edition 2003-02
IEC 61508 Functional safety of electrical/electronic/programmable electronic safety-related systems, edition 2.0
IEC 61511 Functional safety - safety instrumented systems for the process industry sector, First edition

You can download these technical publications and other technical information from our website at www.schneider-electric.com.
Product Related Information
Schneider Electric assumes no responsibility for any errors that may appear in this documentation. Please contact us if you have any suggestions for improvements or amendments, or if you have found any errors in this publication.
No part of this documentation may be reproduced in any form or by any means, electronic or mechanical, including photocopying, without written permission of Schneider Electric.
All pertinent state, regional, and local safety regulations must be observed when installing and using this product. For reasons of safety and to ensure compliance with documented system data, only the manufacturer should perform repairs to components.
When controllers are used for applications with technical safety requirements, please follow the relevant instructions.
WARNING
UNINTENDED EQUIPMENT OPERATION
Use only Schneider Electric approved software.
Failure to follow these instructions can result in death, serious injury, or equipment damage.

WARNING
UNINTENDED EQUIPMENT OPERATION
• Refer to IEC 61508, "Functional safety of electrical/electronic/programmable electronic safety-related systems".
• Completely understand the applications and environment defined by Safety Integrity Level (SIL) 3 within IEC 61508 Parts 1-7, edition 2.0.
• SIL requirements are based on the standards current at the time of certification.
• Do not exceed SIL3 ratings in the application of this product.
• The terms identified in the list below as used in this document are applied only within the SIL3 rating.
Failure to follow these instructions can result in death, serious injury, or equipment damage.

Terms used in this document:
• certified
• failure (except as used in Special Message Statement of Consequence)
• fault
• non-interfering
• Quantum Safety PLC
• Quantum Safety CPU
• Safety analog inputs
• Safety analog module(s)
• Safety CPU
• Safety digital inputs
• Safety digital modules
• Safety digital outputs
• Safety FFB
• Safety firmware
• Safety I/O (module(s))
• Safety library
• Safety logic
• Safety memory area
• Safety modules
• Safety mode
• Safety outputs
• Safety PLC
• Safety power supply
• Safety programming
• Safety Quantum
• Safety-Related application(s)
• Safety remote I/O
• Safety variable

User Comments
We welcome your comments about this document. You can reach us by e-mail at techcomm@schneider-electric.com.

Chapter 1  General Information on the Quantum Safety PLC

Introduction
This chapter provides general information on the Quantum Safety PLC.
What Is in This Chapter?
This chapter contains the following sections:
Section  Topic                 Page
1.1      General Information   14
1.2      Safety Requirements   29

1.1 General Information

Introduction
This section provides information on the Quantum Safety PLC.
What Is in This Section?
This section contains the following topics:
Topic                                                            Page
IEC 61508 and Safety Integrity Level (SIL)                       15
Functional Safety Certification                                  16
Special Operating Modes                                          23
Diagnostics                                                      24
Difference Between Standard Quantum PLC and Quantum Safety PLC   25
Training                                                         28

IEC 61508 and Safety Integrity Level (SIL)

Introduction
The Quantum Safety PLC is a Safety-Related System certified according to IEC 61508 by TÜV Rheinland Group. It is based on the Quantum family of programmable logic controllers (PLCs). For programming, the Unity Pro XLS programming software of Schneider Electric must be used. Unity Pro XLS provides all the functionality of Unity Pro XL and is additionally able to program the Quantum Safety PLC. For further information on the differences between these software packages, see Differences between standard and Safety Quantum PLC (see page 25).
IEC 61508 Description
The IEC 61508 is a technical standard concerning the Functional Safety of electrical, electronic or programmable electronic Safety-Related Systems.
A Safety-Related System is a system that is required to perform 1 or more specific functions to ensure risks are kept at an acceptable level. Such functions are defined as Safety Functions.
A system is defined functionally Safe if random, systematic, and common cause failures do not lead to malfunctioning of the system and do not result in injury or death of humans, spills to the environment, and loss of equipment and production.
Description of the Safety Integrity Level (SIL)
Safety Functions are executed to achieve and maintain the Safe state of a system. The IEC 61508 specifies 4 levels of Safety performance for a Safety Function. These are called Safety Integrity Levels (SIL), ranging from 1 (the lowest) to 4 (the highest). The Quantum Safety PLC is certified for use in SIL3 applications in which the de-energized state is the Safe state, for example in an emergency shutdown (ESD) system.
You can also use the Schneider Electric Safety products for creating a hot standby (HSBY) solution if you require high availability for a Safety-Related System.

Functional Safety Certification

Introduction
The Quantum Safety PLC is certified
• by TÜV Rheinland Group
• for use in applications up to and including SIL3 according to IEC 61508 and IEC 62061.
This certification verifies that the Quantum Safety PLC is compliant with the following standards:
• IEC 61508: Functional safety of electrical/electronic/programmable electronic safety-related systems, Parts 1-7, edition 2.0
• IEC 61131: Programmable controllers, Part 2: Equipment requirements and tests, Second edition 2003-02
• Boiler protection
  • European standard: EN 50156
  • US standards: NFPA 85 and NFPA 86
• EN 54 Fire detection and fire alarm systems
• EN 298 Automatic gas burner control systems for gas burners and gas burning appliances with or without fans
• IEC 62061: Safety of machinery
• EN ISO 13849: Safety of machinery
NOTE: Using a Quantum Safety PLC is a necessary but not sufficient precondition for the certification of a SIL3 application. A SIL3 application must also fulfill the requirements of IEC 61508, IEC 61511, IEC 61131-2, and other application standards; see also Requirements for Hardware and Programming, page 29, Exceptions and Requirements for Programming, page 72 and Special Requirements for Application Standards, page 139.
Classification of the Schneider Electric Products
The Quantum Safety PLC consists of Safety modules, which are allowed to perform Safety Functions. However, it also supports so-called non-interfering modules, thereby enabling you to add non-Safety parts to your SIL3 project.
Therefore, the Schneider Electric products must be distinguished into
• Safety modules and
• non-interfering modules.
In contrast to the Safety modules, non-interfering modules are not used to perform Safety Functions. They are certified as non-interfering modules for use in the Quantum Safety PLC. A fault in 1 of these modules does not influence the execution of the Safety Functions in a negative way.
Available Safety Products
Schneider Electric offers the following Safety modules certified for use in SIL3 applications. The Safety modules are listed with their MTBF and their corresponding PFD/PFH values for different proof test intervals (PTIs), see Probabilities of Failure, page 20 and Proof Test Interval, page 22. The PFD/PFH are expressed as values that contribute to the overall PFD/PFH of the complete Safety loop (see Safety Loop Description, page 20 and Safety Loop Description, page 148). The values are given for SIL3 applications.
The tables below list the Safety modules and their PFD/PFH values (PFD_G, PFH_G) for SIL3 applications:

Product Type             Product Reference   MTBF [h]
Standalone Safety CPU    140 CPU 651 60S     600,000
Hot Standby Safety CPU   140 CPU 671 60S     600,000
Digital Input            140 SDI 953 00S     900,000
Digital Output           140 SDO 953 00S     1,000,000
Analog Input             140 SAI 940 00S     700,000
Power Supply (PS)        140 CPS 124 20      750,000
Power Supply (PS)        140 CPS 224 00      1,000,000

PTI = 1 year
Product Type             Product Reference   PFD_G       PFH_G
Standalone Safety CPU    140 CPU 651 60S     1.527E-05   3.487E-09
Hot Standby Safety CPU   140 CPU 671 60S     1.527E-05   3.487E-09
Digital Input            140 SDI 953 00S     5.610E-07   1.218E-10
Digital Output           140 SDO 953 00S     7.156E-07   5.720E-11
Analog Input             140 SAI 940 00S     8.932E-07   7.770E-11
Power Supply (PS)        140 CPS 124 20      –           –
Power Supply (PS)        140 CPS 224 00      –           –

PTI = 5 years
Product Type             Product Reference   PFD_G       PFH_G
Standalone Safety CPU    140 CPU 651 60S     7.662E-05   3.507E-09
Hot Standby Safety CPU   140 CPU 671 60S     7.662E-05   3.507E-09
Digital Input            140 SDI 953 00S     2.806E-06   1.218E-10
Digital Output           140 SDO 953 00S     3.579E-06   5.727E-11
Analog Input             140 SAI 940 00S     4.467E-06   7.777E-11
Power Supply (PS)        140 CPS 124 20      –           –
Power Supply (PS)        140 CPS 224 00      –           –

PTI = 10 years
Product Type             Product Reference   PFD_G       PFH_G
Standalone Safety CPU    140 CPU 651 60S     1.540E-04   3.532E-09
Hot Standby Safety CPU   140 CPU 671 60S     1.540E-04   3.532E-09
Digital Input            140 SDI 953 00S     5.615E-06   1.219E-10
Digital Output           140 SDO 953 00S     7.160E-06   5.735E-11
Analog Input             140 SAI 940 00S     8.937E-06   7.785E-11
Power Supply (PS)        140 CPS 124 20      –           –
Power Supply (PS)        140 CPS 224 00      –           –

PTI = 15 years
Product Type             Product Reference   PFD_G       PFH_G
Standalone Safety CPU    140 CPU 651 60S     2.321E-04   3.557E-09
Hot Standby Safety CPU   140 CPU 671 60S     2.321E-04   3.557E-09
Digital Input            140 SDI 953 00S     8.426E-06   1.220E-10
Digital Output           140 SDO 953 00S     1.074E-05   5.744E-11
Analog Input             140 SAI 940 00S     1.341E-05   7.794E-11
Power Supply (PS)        140 CPS 124 20      –           –
Power Supply (PS)        140 CPS 224 00      –           –

PTI = 20 years
Product Type             Product Reference   PFD_G       PFH_G
Standalone Safety CPU    140 CPU 651 60S     3.109E-04   3.582E-09
Hot Standby Safety CPU   140 CPU 671 60S     3.109E-04   3.582E-09
Digital Input            140 SDI 953 00S     1.124E-05   1.221E-10
Digital Output           140 SDO 953 00S     1.433E-05   5.753E-11
Analog Input             140 SAI 940 00S     1.788E-05   7.803E-11
Power Supply (PS)        140 CPS 124 20      –           –
Power Supply (PS)        140 CPS 224 00      –           –

The Quantum Safety PLC is programmed with Unity Pro XLS. The CPU and the I/O modules detect power supply errors, therefore the power supply does not contribute to the PFD/PFH values.
PCMCIA Memory Cards
The values in the Safety module tables above include the use of the following PCMCIA memory cards:
• TSX MCPC 002M
• TSX MCPC 512K
• TSX MFPP 001M
• TSX MFPP 002M
• TSX MFPP 004M
• TSX MFPP 512K
• TSX MRPC 768K
• TSX MRPC 001M
• TSX MRPC 01M7
• TSX MRPC 002M
• TSX MRPC 003M
• TSX MRPC 007M
Functional Safety Parameters
The Functional Safety parameters according to EN ISO 13849 are as follows:
• Performance Level for
  • SDI to SDO: PL d
  • SAI to SDO: PL d
• Category: 3
Available Non-Interfering Products
Schneider Electric offers the following non-interfering products:
Module Type                   Module Reference
Remote I/O Head Adapter       140 CRP 932 00
Remote I/O Drop Adapter       140 CRA 932 00
Ethernet Module               140 NOE 771 11
Backplane 16 Slots            140 XBP 016 00
Backplane 10 Slots            140 XBP 010 00
Backplane 6 Slots             140 XBP 006 00
Digital Input                 140 DDI 353 00
Digital Output                140 DDO 353 00
Analog Input                  140 ACI 040 00
Analog Output                 140 ACO 020 00
Terminal Strip                140 XTS 001 00
Terminal Strip                140 XTS 002 00
Remote I/O Optical Repeater   140 NRP 954 00
Remote I/O Optical Repeater   140 NRP 954 01C
WARNING
LOSS OF THE ABILITY TO PERFORM SAFETY FUNCTIONS
• Choose only Schneider Electric products certified for use in Safety-Related Systems in order to create a Safety-Related System.
• Use only Safety modules to perform Safety functions.
• Do not use inputs or outputs of non-interfering modules for Safety-Related outputs.
Failure to follow these instructions can result in death, serious injury, or equipment damage.
Unity Pro XLS offers modularization of the logic into sections. Schneider Electric recommends creating sections which are only used for non-Safety logic of the system. The data from non-interfering modules should be processed in these sections only, which makes the certification of your project much easier.
NOTE: To operate the Quantum Safety PLCs and to program and run your SIL3 project, you need the certified Safety version of the Quantum firmware. For details, see Certified Products, page 22.
Probabilities of Failure
For SIL3 applications, the IEC 61508 defines the following probabilities of failure on demand (PFD) and probabilities of failure per hour (PFH) depending on the mode of operation:
• PFD: 10^-4 to < 10^-3 for low demand mode of operation
• PFH: 10^-8 to < 10^-7 for high demand mode of operation
The Quantum Safety PLC is certified for use in low and high demand systems.
Safety Loop Description
The Safety loop to which the Quantum Safety PLC belongs consists of the following 3 parts:
• Sensors
• Quantum Safety PLC with Safety CPU and Safety I/O modules
• Actuators
Backplanes, a remote connection with CRA/CRP and Fiber Optic repeater modules do not break a Safety loop. Backplanes, CRA/CRP and Fiber Optic repeater modules are part of a "black channel". This means that the data exchanged by I/O and PLC cannot be corrupted without detection by the receiver.
The following figure shows a typical Safety loop:
For the calculation of the PFD/PFH values of an example system, a maximum of 15% is assumed for the PLC. For the PFD/PFH values of the Quantum Safety modules, see Available Safety Products, page 17.
NOTE: The programming tool Unity Pro XLS is not part of the Safety loop. For detailed information on the IEC 61508 and its SIL policy, see also chapter IEC 61508, page 143.
Example Calculation
The following table gives 2 example calculations for PFD values within a SIL3 Safety loop with an assumed proof test interval of 10 years:
Example 1: the Safety loop contains 1 digital input, 1 digital output, and a standalone CPU.
  The PLC contributes 5.610E-06 + 7.156E-06 + 9.979E-05 = 1.126E-04 to the Safety loop, which corresponds to around 11.3% of the complete Safety loop; sensors and actuators can use 88.7%.
Example 2: the Safety loop contains 2 sensors, 2 redundant analog inputs, 2 redundant digital outputs, and 2 Hot Standby CPUs.
  The PLC contributes 8.932E-06 + 7.156E-06 + 9.979E-05 = 1.159E-04 to the Safety loop, which corresponds to around 11.6% of the complete Safety loop; sensors and actuators can use 88.4%.
Note: All doubled modules contribute only once because the redundancy is only for high availability. Thus, only 1 module is active in the Safety loop.
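The budget check behind the two examples above, together with the SIL band test from Probabilities of Failure, carried through in code. This is an added example written for this page, not code from Schneider Electric or from the manual. The PFD figures are the ones printed in the page's worked example (which, as printed, uses a CPU value of 9.979E-05 rather than the 1.540E-04 listed for a 10-year PTI in the table above; plug in the table values if you need the stricter result), the PFH figures are the 10-year values from the table, and the rule that doubled modules count once is implemented by de-duplicating on the product reference.

```python
"""Safety-loop PFD budget check (added example for this page; not Schneider code)."""
from dataclasses import dataclass

# IEC 61508 bands, one decade per SIL. The SIL3 rows are the ones quoted on this page
# (PFD 1E-4 to < 1E-3 low demand, PFH 1E-8 to < 1E-7 high demand); the other rows
# follow the same pattern from the standard. Each entry is the exclusive upper bound.
PFD_UPPER = {4: 1e-4, 3: 1e-3, 2: 1e-2, 1: 1e-1}
PFH_UPPER = {4: 1e-8, 3: 1e-7, 2: 1e-6, 1: 1e-5}


def sil_from_pfd(pfd: float):
    """Highest SIL whose low-demand band the value satisfies (None if worse than SIL1)."""
    for sil in (4, 3, 2, 1):
        if pfd < PFD_UPPER[sil]:
            return sil
    return None


def sil_from_pfh(pfh: float):
    """Same test for the high-demand (per hour) band."""
    for sil in (4, 3, 2, 1):
        if pfh < PFH_UPPER[sil]:
            return sil
    return None


@dataclass(frozen=True)
class Module:
    reference: str   # product reference, e.g. "140 SDI 953 00S"
    pfd: float       # PFD for the chosen proof test interval
    pfh: float       # PFH for the chosen proof test interval


def plc_contribution(modules):
    """Sum PFD/PFH over the PLC's modules.

    Doubled modules (Hot Standby CPUs, redundant I/O) are present only for
    availability, so each product reference is counted once.
    """
    unique = {m.reference: m for m in modules}.values()
    return sum(m.pfd for m in unique), sum(m.pfh for m in unique)


def loop_budget(plc_pfd: float, target_sil: int = 3, plc_share_max: float = 0.15):
    """Share of the SIL band's upper bound consumed by the PLC and what is left for
    sensors and actuators. plc_share_max is the 15% allocation assumed on the page."""
    upper = PFD_UPPER[target_sil]
    share = plc_pfd / upper
    return {
        "plc_share_pct": round(share * 100, 1),
        "field_share_pct": round((1 - share) * 100, 1),
        "within_plc_budget": share <= plc_share_max,
        "sil_by_pfd": sil_from_pfd(plc_pfd),
    }


# Constructed input: PFD as printed in the page's worked example, PFH from the
# 10-year PTI table on the page.
CPU_651 = Module("140 CPU 651 60S", 9.979e-05, 3.532e-09)
CPU_671 = Module("140 CPU 671 60S", 9.979e-05, 3.532e-09)
SDI_953 = Module("140 SDI 953 00S", 5.610e-06, 1.219e-10)
SDO_953 = Module("140 SDO 953 00S", 7.156e-06, 5.735e-11)
SAI_940 = Module("140 SAI 940 00S", 8.932e-06, 7.785e-11)


def example_standalone():
    """Example 1: 1 digital input, 1 digital output, standalone CPU."""
    pfd, _ = plc_contribution([SDI_953, SDO_953, CPU_651])
    return pfd, loop_budget(pfd)


def example_hot_standby():
    """Example 2: 2 redundant analog inputs, 2 redundant digital outputs, 2 Hot Standby CPUs.
    The duplicates are passed in and collapse to one module each."""
    pfd, _ = plc_contribution([SAI_940, SAI_940, SDO_953, SDO_953, CPU_671, CPU_671])
    return pfd, loop_budget(pfd)


if __name__ == "__main__":
    for name, fn in (("standalone", example_standalone), ("hot standby", example_hot_standby)):
        pfd, budget = fn()
        print(f"{name}: PLC PFD = {pfd:.3E}, {budget}")
```

The same functions accept the PFD values for any other proof test interval from the table; only the module constants change.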
Safety Times Description
The Quantum Safety PLC has a minimum PLC cycle time of 20 ms, which is necessary for processing the signals from the I/O modules, executing the user logic, and setting the outputs. For calculating the maximum PLC reaction time, the maximum reaction time of the sensors and actuators you use must be known. Further, the maximum PLC reaction time depends on the process Safety time (PST) required for your process. You can find details of how to configure your PLC reaction time in Process Safety Time, page 75.
Proof Test Interval
The proof test is a periodic test performed to detect failures in a Safety-Related System so that, if necessary, the system can be restored to a like new condition or as close as practical to this condition. The time period between these tests is the proof test interval.
The proof test interval depends on the targeted Safety Integrity Level, the sensors, actuators and the PLC application. The Quantum is suitable for use in a SIL3 application and a proof test interval of 10 years. See Available Safety Products (see page 17) and Proof Test Procedure (see page 30).
Certified Products
The Safety product versions are certified. Only certified versions are allowed for programming, commissioning, and operating the Quantum Safety PLC.
NOTE: Only Safety firmware can be loaded into the Quantum Safety PLC. The Safety firmware is loaded with the OSLoader into the Quantum Safety PLC.
Further information on how to load the firmware can be found in the Unity Pro OSLoader User Manual (see Unity Pro, OSLoader, User Manual).
WARNING
Degrading the Safety Integrity Level
Only a CPU with Firmware Version 2.0 and above is suitable for SIL3. A CPU with Firmware Version 1.0 is only suitable for SIL2 applications.
Failure to follow these instructions can result in death, serious injury, or equipment damage.
You can find the most recent information on the certified product versions on the TÜV Rheinland Group website http://www.tuvasi.com/ under Information and further List of Type Approved Programmable Electronic Systems.

Special Operating Modes

Introduction
With regard to Functional Safety aspects, the following 2 operating modes of the Quantum Safety PLC are of special importance:
• the Safety Mode
• the Maintenance Mode
Safety Mode Description
The Safety Mode is the default mode of the Quantum Safety PLC, in which the Safety Functions are performed to control the process. It is a restricted mode in which modifications and maintenance activities are prohibited. You are only allowed to stop and start the PLC.
You can find a detailed description of the Safety Mode in Safety Mode, page 90.
Maintenance Mode Description
The Maintenance Mode of the Quantum Safety PLC is a temporary mode for debugging and maintaining your program. You are allowed to force values and to modify the program.
In the Maintenance Mode (STOP or RUN), the diagnostics are not available.
WARNING
LOSS OF ABILITY TO PERFORM SAFETY FUNCTIONS
In Maintenance Mode, all diagnostic functions are performed but their results are not fully evaluated. Once the Quantum Safety PLC exits Safety Mode and enters Maintenance Mode, you are fully responsible for ensuring the Safe state of your system.
Failure to follow these instructions can result in death, serious injury, or equipment damage.
You can find a detailed description of the Maintenance Mode in Maintenance Mode, page 92.

Diagnostics

Introduction
The Quantum Safety PLC provides additional internal diagnostics and system testing, increasing the diagnostic coverage (DC).
Survey of the Diagnostics
The internal architecture of the Quantum Safety CPU
- provides 2 shutdown paths and
- allows double code generation and execution to detect
  - systematic faults in the code generation and execution and
  - random faults in the CPU and the RAM.
The double code execution is controlled by 2 different processors integrated into the CPU. For further details, see Standalone Safety CPU, page 33.
The internal architecture of the Quantum Safety I/O modules
- provides redundancy,
- detects systematic faults in the code execution, and
- detects random faults in the I/O modules.
The communication between the CPU and the I/O is designed as a black channel. The protocol detects or manages errors such as transmission errors, omissions, insertions, wrong order, delays, incorrect addresses, masquerade, and retransmissions. Therefore, the non-interfering modules such as backplanes, Fiber Optic repeaters (140 NRP 954 00, 140 NRP 954 01C), and remote I/O adapters 140 CRP 932 00 and 140 CRA 932 00 can be used inside the safety loop without impact on the PFD and PFH evaluations.
For further details, see General Information on the Safety I/O Modules, page 39.
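The black-channel error classes listed above, as an added illustrative model that is not Schneider's protocol or code: a receiver checks every frame for each listed error type and, on any detected error, drives the de-energized Safe state instead of the received outputs. Frame layout, addresses, CRC and watchdog value are constructed for this example.

```python
from dataclasses import dataclass
import zlib
# Constructed values for this example; not the Quantum RIO protocol.
MY_ADDRESS = 0x12   # address of this hypothetical I/O module
CPU_ADDRESS = 0x01  # the only legitimate sender
MAX_AGE = 50        # watchdog: oldest acceptable frame age, in ticks
@dataclass
class Frame:
    src: int
    dst: int
    seq: int
    timestamp: int
    payload: bytes
    crc: int

def frame_crc(f: Frame) -> int:
    """CRC over header and payload: catches transmission errors."""
    header = bytes([f.src, f.dst]) + f.seq.to_bytes(4, "big") + f.timestamp.to_bytes(4, "big")
    return zlib.crc32(header + f.payload)
def make_frame(src, dst, seq, timestamp, payload) -> Frame:
    f = Frame(src, dst, seq, timestamp, payload, 0)
    f.crc = frame_crc(f)
    return f
class BlackChannelReceiver:
    """Checks each frame for the error classes the manual lists."""
    def __init__(self):
        self.expected_seq = 0  # next sequence number expected from the CPU
    def classify(self, f: Frame, now: int):
        """Return None if the frame is accepted, else the detected error class."""
        if f.crc != frame_crc(f):
            return "transmission error"
        if f.dst != MY_ADDRESS:
            return "incorrect address"
        if f.src != CPU_ADDRESS:
            return "masquerade"
        if now - f.timestamp > MAX_AGE:
            return "delay"
        if f.seq < self.expected_seq:
            return "wrong order / repetition"
        if f.seq > self.expected_seq:
            return "omission"
        self.expected_seq += 1
        return None

    def process(self, f: Frame, now: int):
        """Return (outputs, error): the payload if accepted, otherwise the
        de-energized safe state (all outputs 0) and the error class."""
        err = self.classify(f, now)
        return (f.payload, None) if err is None else (bytes(len(f.payload)), err)
```

Resynchronization after an omission is left out; a real protocol would also have to bound how long the safe state is held before restarting the channel.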

Difference Between Standard Quantum PLC and Quantum Safety PLC

Differences Between Standard and Safety PLC
To meet the requirements of the IEC 61508 standard, the Quantum Safety PLC differs from the standard Quantum PLC.
The following table lists the main differences between a standard Quantum and a Safety Quantum PLC:
Feature | Standard Quantum PLC | Quantum Safety PLC
CPU Program Execution | executed on application processor or Intel | executed on application processor and Intel
Configuration | backplane, local rack, remote I/O, all power supplies, backplane expanders, distributed I/O, fieldbus I/O | backplane, local rack, remote I/O, dedicated power supply
Firmware | regular firmware | Safety firmware
Software | Unity Pro XLS, Unity Pro XL, Unity Pro L | Unity Pro XLS
User Logic | FBD, LD, IL, ST, SFC | FBD, LD
Data Type | EDT, DDT | EDT, only simple arrays
Mode | | Maintenance Mode, Safety Mode
Restart Behavior | no restart, cold start, warm start | no restart, cold start
Differences Between Standard and Safety PLC OS
To meet the requirements of the IEC 61508 standard, the operating system (OS) of the Quantum Safety PLC differs from that of the standard Quantum PLC.
The following table lists the main differences between a standard Quantum PLC OS and a Safety Quantum PLC OS:
Feature | Standard Quantum PLC OS | Quantum Safety PLC OS
Warm Start | yes | no
Safety Mode | no | yes
Minimal Time Duration for MAST Execution in Cyclic Mode | 3 ms | 20 ms
Forcing Safety Mode by Locking the Key | no | yes
Display of Mode Indicating Characters on LCD | no | yes
Memory Check | no | yes
Password | no | yes
Safety Analog Input | no | yes
Safety Digital Input | no | yes
Safety Digital Output | no | yes
Meaning of SW12, SW13 | no | Safety mode
MSTR Blocks | yes | no
Global Data Subscribing (Ethernet) | everywhere | only in unrestricted area
I/O Scanner Read (Ethernet) | everywhere | only in unrestricted area
Global Input and Specific Input (Modbus Plus) | everywhere | only in unrestricted area
Unrestricted Area for %M and %MW | no | yes
Notes
The Quantum Safety PLCs only perform cold start. Thus, the application is reinitialized at each start.
The Quantum Safety PLC can run in cyclic or periodic mode. Thus, there is no difference in its behavior compared to the standard Quantum PLC. For details on cyclic and periodic execution, see the chapter "Application Program Structure" (see Unity Pro, Program Languages and Structure, Reference Manual) in the Unity Pro Program Languages and Structure Reference Manual.
Memory
The memories of the Quantum Safety CPUs are each divided into a Safety and an unrestricted part. The Safety memory area is write protected and used for processing Safety-Related data. The unrestricted memory area is not write protected and is used when access to the Safety Functions is necessary. Its values cannot be used directly, only by means of specific function blocks, see Memory Area Description, page 104.
In slot A, PCMCIA memory cards can be used in a Quantum Safety CPU in the same way as they can be used in a standard Quantum CPU. These cards can be standard type, application and file-type or data and file-type memory cards. For details on this topic, see the chapter "High End CPU" (see Quantum with Unity Pro, Hardware, Reference Manual) in the Quantum with Unity Pro Hardware Reference Manual.
In contrast, slot B for data and file-type memory cards is not allowed to be used because this data storage is not available for SIL3 projects.
WARNING
LOSS OF ABILITY TO PERFORM SAFETY FUNCTIONS
Do not use slot B. Data stored on a memory card in slot B is not processed in SIL3 projects.
Failure to follow these instructions can result in death, serious injury, or equipment damage.
Hot Standby
In addition to the standard Quantum Hot Standby functions, you can also use the Quantum Safety PLCs for Safety-Related Hot Standby systems in order to achieve high availability for the CPU in a Safety-Related System. To control the ability of the standby PLC to take over from the primary, you can use an elementary function block (EFB) to program an automatic swap between primary and standby PLC. For further information on this topic, see also Hot Standby Safety CPU Specifics, page 35.
Redundant I/O
To achieve high availability for the I/O, you can also use the Safety I/Os in a redundant manner. For further information on this topic, see also Configuration Examples for the Quantum Safety PLC, page 63.

Training

Introduction
Training Contents
As stated in the IEC 61508, Part 1, App. B, all persons involved in a Safety Lifecycle activity should have the appropriate training, technical knowledge, experience, and qualifications relevant to the specific duties they have to perform. This should be assessed in relation to each particular application.
NOTE: Make sure you possess all information and skills required to install, run, and maintain Safety-Related Systems correctly.
In addition to the usual training courses concerning the use of the company’s products, Schneider Electric offers you training courses covering the topics of its IEC 61508 compliant Safety-Related System.

1.2 Safety Requirements

Requirements for Hardware and Programming

Introduction
You must fulfill the following Safety requirements when using the Quantum Safety PLC.
Hardware Requirements
- For a SIL3 project, you must use 1 of the 2 following Quantum Safety CPUs:
  - 140 CPU 651 60S for stand-alone systems
  - 140 CPU 671 60S for systems requiring high availability
- Only Quantum Safety modules are allowed to perform Safety Functions. Non-interfering modules can be part of the Safety PLC because they do not interfere with the Safety modules by their own means. However, they are not allowed to execute Safety Functions. They can only be used to process non-Safety signals, except the backplanes and remote I/O adapters, which are considered part of a black channel.
- The Safe state of the outputs is the de-energized state.
- You must follow the specified operating conditions regarding EMC, mechanical, and climatic influences. For details, see the chapter "System Specifications" (see Quantum with Unity Pro, Hardware, Reference Manual) in the Quantum with Unity Pro Hardware Reference Manual.
NOTE: Backplane expanders and distributed I/Os are not allowed in the Quantum Safety PLC configuration.
NOTE: All Safety and non-interfering modules fulfill the requirements of the IEC 61131-2.
Programming Requirements
- For programming a SIL3 project, you must use the certified Quantum Safety firmware and the Safety programming software Unity Pro XLS.
- You must make sure that your SIL3 project is configured and programmed correctly according to the rules of the IEC 61508 as well as to the rules described in this Safety Reference Manual.
- For the complete life cycle of the project development, you must follow the requirements of the IEC 61511 for installation, commissioning, and validation.
- The logic can be tested in simulation mode, but the full test of the Safety Functions must be performed with the runtime system and the complete installation.
RISK OF PROJECT ERRORS
Check that your project is correct according to your specification by performing tests on the runtime system.
Failure to follow these instructions can result in death, serious injury, or equipment damage.
Proof Test Procedure
The user must perform the proof test procedure periodically (see IEC 61508-4, 3.8.5). The maximum time between 2 proof tests is the proof test interval. For the safety PLC itself, the proof test consists of:
- a power cycle
- checks that all modules restart without a detected diagnostic error
In addition, a complete commissioning of the safety application has to be performed. The complete procedure must include the necessary tests of cabling, sensors and actuators, depending on the full application analysis.
WARNING