AADvance: The Next Step in Automation
AADvance Controller Safety Manual
ISSUE: 10_C
DOCUMENT: 553630 ICSTT-RM446K-EN-P
Safety Manual (AADvance Controller)

Notice

In no event will Rockwell Automation be responsible or liable for indirect or consequential damages resulting from the use or application of this equipment. The examples given in this manual are included solely for illustrative purposes. Because of the many variables and requirements associated with any particular installation, Rockwell Automation does not assume responsibility or liability for actual use based on the examples and diagrams.
Notes and Symbols used in this manual

This symbol calls attention to items which "must" be considered and implemented when designing and building an AADvance controller for use in a Safety Instrumented Function (SIF). It appears extensively in the AADvance Safety Manual.

Note: Notes are used extensively to provide important information about the product.
Issue Record

Issue  Date        Comments
01     Jan 2009    First Issue
02     April 2009  Reformat to match associated product user manuals
03     Aug 2009    QA review updates
04     Sept 2009   Release 1.
SUMMARY OF CHANGES

Table 1: Issue 10_B to 10_C

Topic (Page)
- Added Summary of Changes table to front pages (v)
- Re-instatement about "Modules are for use in an area of not more than pollution degree 2 in accordance with IEC60664-1" (1-11)
- Sentence about replacing input modules removed from the Analogue Output Module 2nd bullet point (3-4)
- Added statement about unlocking the module (3rd bullet point) (4-31)
- Added statement about "not certified for use in zone 1 and Zone 0 location/environment"
Foreword

This technical manual defines how to safely apply AADvance controllers for a Safety Instrumented Function. It sets out standards (which are mandatory) and makes recommendations to ensure that installations meet their required safety integrity level. To do this, it addresses how such installations are designed, built, tested, installed and commissioned, operated, maintained and decommissioned.
Chapter 1 Introduction

This chapter provides an introduction to the AADvance Safety Manual and to the AADvance system.
- Previous experience and its relevance to the specific duties to be performed and the technology being employed.

In all of the above, the higher the risk, the greater the rigor required in the specification and assessment of competence.
Redundant operation is when modules within the different stages (input, logic solving and output) are configured as dual or triple modules. Internal diagnostics enhance the fault tolerance capability. The AADvance system has comprehensive internal diagnostics that detect and reveal both covert and overt failures.
All of the configurations are readily achieved by combining modules and assemblies without using special cables or interface units. System architectures are user configurable and can be changed without major system modifications. Processor and I/O redundancy is configurable so you can choose between fail-safe and fault tolerant solutions.
A controller is built from a range of compact plug-in modules that are straightforward to assemble into a system. They can be mounted onto DIN rails in a cabinet (see photograph) or directly mounted onto a wall in a control room. They do not require forced air cooling or special environmental control equipment. However, certain consideration to the cabinet type must be applied when used in hazardous environments.
AADvance Features

The AADvance system controls complex and often critical processes in real time — executing programs that accept external sensor signals, solving logic equations, performing calculations for continuous process control and generating external control signals.
Associated Documents

The following documents are associated with the safety requirements applicable to the AADvance system. Further supporting information is available on the TÜV web site.

PFH and PFD Data

The PFH and PFD data are provided in a separate document: Doc No. 553847, PFHavg and PFDavg Data for AADvance Controllers.
TÜV Certification

TÜV is the safety certifying authority for an AADvance controller, and has certified the AADvance system to the following standards:

IEC 61508, Parts 1-7:1998-2000
EN 50178:1997
IEC 61511-1:2004
EN 50156-1:2004
EN 61131-2:2007
EN 54-2:1997, A1:2006 (†)
EN 61326-3-1:2008
NFPA 72:2007
EN 61000-6-2:2005
NFPA 85:2007
EN 61000-6-4:2007
NFPA 86:2007

(†) The analogue output modules are not certified to EN 54-2.
CSA C22.2 No 142-M1987, Process Control Equipment, Edition 1, Revision date 1990-09-01

Products Covered

The products investigated and approved: Programmable Logic Controllers, Models 9110 Processor Module; 9401/2 Digital Input Module; 9431/2 Analogue Input Module; 9451 Digital Output Module; 9482 Analogue Output Module.
Certificate

The AADvance controller modules have been evaluated to the requirements of EN 60079-0:2009 and EN 60079-15:2010 under Certificate Number DEMKO 11 ATEX 1129711X.
The AADvance controller has also been evaluated under certificate IECEx UL 12.0032X to the standards IEC 60079-0 (5th Edition) and IEC 60079-15 (4th Edition). [certificate to be supplied]

For a system that is located in a Zone 2 hazardous environment where ATEX certification is required, all modules should be installed in an ATEX or IECEx certified, tool-accessible IP54 enclosure. The enclosure is to be marked with the following: "Warning - Do not open when energized".
KCC-EMC Registration

Other External Testing and Validation

The Euro Controller is also tested to Q1 Extended Design levels of ISO 13628-6:2006, Sub Sea Production Control System.
Chapter 2 Functional Safety Management

This chapter explains the principles that should be applied to managing the safety related system.
The Safety Life-cycle

The safety life-cycle is defined by the IEC 61508 standard.
The second objective is to determine the event sequences that may lead to a hazardous event. The third objective is to determine the risks associated with the hazardous event. This risk analysis will provide basic information for identifying the safety-related requirements to mitigate risks.

System Functional and Safety Requirements

A set of system functions and their timing requirements will be specified. Where possible, the functions should be allocated to defined modes of operation of the process.
The architectural definition shall define the safety requirements class for each architectural element and identify the safety functions allocated to each element. Additional safety functions resulting from the chosen system architecture shall be defined at this stage. The detailed engineering design shall refine the architectural elements and culminate in detailed information for system build.
Application Programming

Application programs are developed and monitored using the AADvance Workbench software. An overall application program software architecture shall be defined at the application programming stage. This architecture will identify the software blocks and their functions. The application programming shall address methods for system specific testing, diagnostics and fault reporting. It is highly recommended that simulation testing be performed on each software block.
System Installation Environment

The installation environment is a potential source of common cause failure, therefore it is vital that the compatibility of the equipment with the environment is known. The environment for these purposes includes the prevailing climatic, hazardous area, power, earthing and EMC conditions. In many cases, there will not be a single installation environment.
Safety System Validation

Safety system validation shall test the integrated system to ensure compliance with the safety requirements specification at the intended safety requirements class. The validation activities should include those necessary to prove that the system implements the safety actions during normal start-up and shutdown and under abnormal fault modes.
Functional Safety Assessment

The functional safety assessment shall confirm the effectiveness of the functional safety performance of the system. The assessment, in this context, is limited to the safety-related system and should confirm that the system is designed, constructed and installed in accordance with the specified safety requirements. The assessment shall consider each required safety function and its associated safety properties.
Chapter 3 AADvance System Architectures

An AADvance controller can be configured to manage non-safety up to SIL 3 safety related system requirements and low demand or high demand fault tolerant applications. This chapter describes the different system architectures that can be configured for an AADvance controller to meet this variety of requirements.

Note: Architectures are independent of I/O module capacity, therefore 8 or 16 channel I/O modules can be used.
Table 3: Modules for SIL2 Fail-Safe Architecture

Position   Module Type
I/P A      T9401/2 Digital Input Module, 24V dc, 8/16 Channel + T9801 Digital Input TA, 16 Channel, Simplex.
SIL2 Fault Tolerant Input Architectures

A SIL2 fault tolerant input architecture can have dual or triple input modules with a single processor and single output modules. The illustration shows a dual input arrangement: the dual input modules operate in 1oo2D under no fault conditions, degrade to 1oo1D on detection of the first fault in either module of the redundant pair, and fail-safe when a fault occurs on the second module.
CPU A      1 x T9110 Processor Module, T9100 Base Unit
O/P A      T9451 Digital Output Module, 24V dc, 8 Channel + T9851 Digital Output TA, 24V dc, 8 Channel, Simplex, T9300 I/O Base Unit
           or 1 x T9481/T9842 Analogue Output Module, 3/8 Ch, Isolated + T9881 Analogue Output TA, 8 Ch, Simplex

SIL2 Output Architecture

A SIL2 output architecture has a single output module with a single processor and single or redundant input modules.
           T9300 Base Unit
CPU A      1 x T9110 Processor Module, T9100 Processor Base Unit and 9300 I/O Base Unit
O/P A      1 x T9451 Digital Output Module, 24V dc, 8 Channel + T9851 Digital Output TA, 24V dc, 8 Channel, Dual
           or 1 x T9481/T9842 Analogue Output Module, 3/8 Ch, Isolated + T9881 Analogue Output TA, 8 Ch, Simplex
SIL2 Fault Tolerant Input and SIL2 High Demand Architecture

A SIL2 fault tolerant "High Demand" architecture has dual input, dual processor and dual output modules. In a dual arrangement the input modules operate in 1oo2D under no fault conditions, degrade to 1oo1D on the detection of the first fault in either module, and will fail-safe when there are faults on both modules.
For Continuous Mode applications the measures defined in this section for High Demand applications must be applied.
If required you can configure triple processor modules as a variation of this SIL3 architecture. Using this arrangement the processor modules operate in 2oo3D under no fault conditions and 1oo2D on the detection of the first fault in any module. They degrade to 1oo1D on the detection of faults in any two modules, and will fail-safe when there are faults on all three modules.
CPU A & CPU B   2 x T9110 Processor Module, T9100 Base Unit
O/P A           1 x T9451 Digital Output Module, 24V dc, 8 Channel + T9851 Digital Output TA, 24V dc, 8 Channel, Simplex
                or 1 x T9481/T9842 Analogue Output Module, 3/8 Ch, Isolated + T9881 Analogue Output TA, 8 Ch, Simplex
SIL3 Fault Tolerant I/O Architectures

A SIL3 fault tolerant processor and I/O is achieved by dual input and output module configurations with dual or triple processor modules. The processor modules operate in 1oo2D under no fault conditions, degrade to 1oo1D on the detection of the first fault in either module and fail-safe when there are faults on both modules.
I/P A and I/P B   2 x T9401/2 Digital Input Module, 24V dc, 8/16 Channel + T9802 Digital Input TA, 16 Channel, Dual
                  or 2 x T9431/2 Analogue Input Module, 8/16 Channel + T9832 Analogue Input TA, 16 Channel, Dual
                  2 x T9300 I/O Base Unit
CPU A & CPU B     2 x T9110 Processor Module, 9100 Processor Base Unit
O/P A             1 x T9451 Digital Output Module, 24V dc, 8 Channel + T9851 Single Digital Output TA, 24V dc, 8 Channel, for de-energize to action.
SIL3 TMR Input and Processor, Fault Tolerant Output

A SIL3 TMR architecture offers the highest level of fault tolerance for an AADvance controller and consists of triple input modules, triple processors and dual output modules.
Table 9: Modules for TMR Input and Processor, Fault Tolerant Output

Position         Module Type
I/P A            3 x T9401/2 Digital Input Module, 24V dc, 8/16 Channel + T9803 Digital Input TA, 16 Channel, TMR
                 or 3 x T9431/2 Analogue Input Module, 8/16 Channel + T9833 Analogue Input TA, 16 Channel, TMR
                 2 x T9300 I/O Base Unit
CPU A & CPU B    3 x T9110 Processor Module, T9100 Processor Base Unit
O/P A            2 x T9451 Digital Output Module, 24V dc, 8 Channel + 9852 Digital Output TA, 24V dc, 8 Channel, Dual
                 or 2 x T9481/T9842
Planned Certified Configurations

Table 10: Central Modules

Modules                  TÜV Certified Configuration   Conditions
Processor Module T9110   1oo1D, 1oo2D, 2oo3D           Safety-related and can be used for safety-critical applications in SIL2 with 1 module fitted and SIL3 applications with 2 or 3 modules fitted.

Note: For High Demand applications you must use a minimum of two processors.
Table 12: Output Modules

Modules                                     TÜV Certified Configuration   Conditions
Digital Outputs, T8451, 24V dc, 8 channel   1oo1, 1oo2 or 1oo2D           De-energize to action (normally energized): SIL3 with 1 or 2 modules fitted (1oo2D with dual output modules fitted).
                                                                          Energize to action (normally de-energized): SIL2 with 1 module fitted and SIL3 with 2 modules fitted.
Internal Diagnostics

The AADvance controller embodies sophisticated internal diagnostic systems to identify faults that develop during operation and raise appropriate alarm and status indications. The diagnostic systems run automatically and check for system faults associated with the controller (processor and I/O modules), and field faults associated with field I/O circuits.
The bindings are based on a producer/consumer model. The controller consuming the data establishes a binding link with the controller producing the data, and manages the entire exchange of data, including scheduling the data exchange, providing the diagnostics, managing the safety response in the event of faults and managing the communications redundancy.
Configuring SNCP Safety Network

The SNCP protocol can be configured in the AADvance controller to provide a safety network; refer to the AADvance Configuration Guide (Doc No. 553633) for detailed configuration procedures.
Configuring Variable Bindings

The bindings configuration includes the value of an age timeout (MaxAge). This timeout defines the maximum age of data that can be used by a consumer system. Data older than the defined timeout is discarded and the system continues using its last state value. Once disconnected, the consumer attempts to re-establish a connection to the producer by sending a connection request at ConnectTimeout intervals.
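The consumer-side behaviour described above, as an added illustrative model (not AADvance or SNCP code): the MaxAge and ConnectTimeout values, the timestamps and the sample data are constructed, and treating a stale sample as loss of the link is an assumption of this model.

```python
"""Illustrative model of binding consumption: samples older than MaxAge are
discarded, the consumer keeps its last state value, and while disconnected it
sends a connection request every ConnectTimeout.  Not AADvance/SNCP code;
timings, sample data and the stale-means-disconnected rule are constructed."""

from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Sample:
    produced_at: float   # producer timestamp in seconds (constructed)
    value: bool          # a bound safety variable, e.g. a trip demand


@dataclass
class BindingConsumer:
    max_age: float                    # MaxAge in seconds
    connect_timeout: float            # ConnectTimeout in seconds
    last_value: Optional[bool] = None
    connected: bool = False
    next_request_at: float = 0.0
    log: List[str] = field(default_factory=list)

    def connect(self, now: float) -> None:
        self.connected = True
        self.log.append(f"{now:.1f}s: binding link established")

    def receive(self, now: float, sample: Sample) -> Tuple[Optional[bool], bool]:
        """Consume one sample. Returns (value in use, sample was fresh)."""
        age = now - sample.produced_at
        if age > self.max_age:
            # Data older than MaxAge is discarded; the consumer carries on
            # with its last state value and (assumption of this model) treats
            # the link as lost so that reconnection attempts start.
            self.log.append(f"{now:.1f}s: discarded sample aged {age:.1f}s")
            if self.connected:
                self.connected = False
                self.next_request_at = now
            return self.last_value, False
        self.last_value = sample.value
        return self.last_value, True

    def tick(self, now: float) -> bool:
        """Housekeeping call each scan. Returns True when a connection
        request is sent (only while disconnected, every ConnectTimeout)."""
        if self.connected or now < self.next_request_at:
            return False
        self.log.append(f"{now:.1f}s: connection request sent to producer")
        self.next_request_at = now + self.connect_timeout
        return True


def run_scenario() -> dict:
    """Constructed scenario: one fresh sample, one stale sample, then the
    retry pattern over the following scans (MaxAge 2 s, ConnectTimeout 5 s)."""
    consumer = BindingConsumer(max_age=2.0, connect_timeout=5.0)
    consumer.connect(0.0)
    fresh = consumer.receive(1.0, Sample(produced_at=0.5, value=True))
    stale = consumer.receive(4.0, Sample(produced_at=1.0, value=False))
    requests = [t for t in (4.0, 6.0, 9.0, 14.0) if consumer.tick(t)]
    return {"fresh": fresh, "stale": stale, "requests": requests,
            "connected": consumer.connected, "log": consumer.log}


if __name__ == "__main__":
    for line in run_scenario()["log"]:
        print(line)
```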
Peer-to-Peer

AADvance provides the capability for SIL 3 certified Peer-to-Peer data connections, allowing safety data to be transferred between AADvance and Trusted controllers. The Trusted Peer-to-Peer network protocol enables you to share safety data between AADvance systems, or between AADvance and Trusted™ systems, across an Ethernet network.
Safety Related Peer-to-Peer Configurations

The following Peer-to-Peer configurations are approved for use in a Safety Related Function:

Table 14: Peer-to-Peer Settings

TÜV Certified Configuration                                                                                   Conditions
Software Board Definitions: certified for use over a single communication network or multiple networks.   Certified as safety-related and can be used for safety critical communications in SIL 3 applications.
Chapter 4 AADvance Functional Safety System Implementation

This chapter provides the implementation guidelines for an AADvance safety related system.
General Design Measures for Functional Safety

I/O Modules

The AADvance system supports single module configurations, where it is acceptable either to stop the system or to allow the signals corresponding to that module to change to their default fail-safe state. It also supports fault tolerant I/O configurations where it is required to ensure continued system operation in the event of a fault.
Both input and output modules undergo regular diagnostics testing during operation that is managed by the processor modules. The self-tests are coordinated between modules that are configured in a fault tolerant arrangement, to ensure that the system remains on-line even in the case of a demand during the execution of the tests. I/O channel discrepancy and deviation monitoring further enhances the verification and fault detection of module or field failures.
Certain applications may require energize to action for inputs and/or outputs. Energize to action configurations shall only be used if the following restrictions apply:

- At least two independent power sources must be used. These power sources must provide emergency power for a safe process shutdown or for the time span required by the application.
- Sensor delay: 250ms
- Time for the actuator (an ESD valve) to fully operate: 1750ms

In this example, therefore, the PST setting for the controller should be less than or equal to 3000ms.

Choosing Controller PST Settings

The response time allocated to a logic solver such as the AADvance controller needs to take account of delays within the operation of sensors and actuators. In addition, the system's scan time should be considerably less than the process safety time.
Industrial Functional Safety Standards

AADvance is designed to meet the following industrial safety system requirements:

NFPA 85 Requirements

NFPA 85:2007 provides minimum requirements for the design, installation, operation and maintenance of large commercial and industrial boilers, heat recovery steam generators and related combustion systems. The AADvance system is certified for use with NFPA 85 compliant systems.
NFPA 86 Requirements

NFPA 86:2007 provides comprehensive requirements for the safe design, installation, operation, inspection, testing and maintenance of Class A, B, C and D ovens, dryers and furnaces. The AADvance system is certified for use with NFPA 86 compliant systems. The systems should be integrated in accordance with NFPA 86. In particular the following shall be applied.
BS EN 54 Requirements

BS EN 54-2:1997, A1:2006 specifies the requirements for control and indicating equipment for fire detection and fire alarm systems installed in buildings. The AADvance system is certified for use with BS EN 54 compliant systems.

IMPORTANT: The analogue output modules are not certified to EN 54-2.

The systems should be integrated in accordance with BS EN 54. In particular the following shall be applied.
- A system fault shall be audibly indicated. This indication may be capable of being silenced.
- The cabinet of the control and indicating equipment shall be of robust construction, consistent with the method of installation recommended in the documentation. It shall meet at least classification IP30 of IEC 60529:1991.
- All mandatory indications shall be visible at access level 1 without prior manual intervention, such as the need to open a door.
7.12.2 Type B dependency (option with requirement)

Following the receipt of a first alarm signal from a fire detector, the entry to the fire alarm condition may be inhibited until the receipt of a confirmation alarm signal from the same fire detector, or from a fire detector in the same or a different zone.
UL 508

This standard defines the Safety Requirements for Industrial Control Equipment. It covers systems utilizing a programmable memory for storage of user-oriented instructions for specific functions such as logic, sequencing, counting and controlling various industrial equipment through digital or analog inputs or outputs.
Field Configurations

The following are recommended field loop circuits for line monitoring of digital/analogue inputs. Use cable monitoring and circuit integrity cable as appropriate for the application, as inter-channel short circuits cannot be detected by an AADvance controller.

Line Monitoring

This section provides recommended line monitoring circuits and resistor values.
Field Loop Circuit for Line Monitored Digital Input for Emergency Shutdown Systems (ESD)

The suggested values for R1 and R2 are as follows:

- R1 = 15K 1%, 1W (maximum power dissipated is 47mW at 26.4V)
- R2 = 3K9 1%, 1W (maximum power dissipated is 182mW at 26.
Minimum isolation is 0.75 MΩ between the field loop conductors. These values allow the input to distinguish more accurately the different voltage levels that represent OPEN CCT, OFF, ON and SHORT CCT, and also to detect over-voltage and an input that is neither ON nor OFF. The values ensure that a line fault will be declared before a false declaration of ON and OFF states becomes possible through a combination of resistor value drift and loop voltage variation.
Recommended Field Circuit for Digital Outputs

This circuit is suitable for simplex and dual configurations of digital output modules. The two 10A fuses shown are included on the termination assembly within the controller. The field power 5A fuses comply with UL508 requirements; see the illustration below. The 10A fuses fitted into the termination assembly are: T9902: SMF Omni-Block, Surface Mount Fuse Block 154 010, with a 10A, 125V Fast Acting Fuse, Littelfuse.
Analogue Input Field Loop Circuits

The recommended field loop circuits for analogue inputs are as shown below.
Field Loop Circuit for 4-Wire Analogue Input

Recommended Circuit for Analogue Outputs

These circuits are suitable for simplex and dual configurations of analogue output modules. All channels are isolated from each other but may be bridged at the '+' terminal if fed by a common system mounted supply.
The above circuit is appropriate for devices that are powered by the system. The channel will pass a requested current between 0mA and 24mA. The field device could also be connected between the 24V supply and the Loop Plus terminal.

Note: If the 0V or 24V supply is shared between channels or between modules, the field loops will not be isolated from each other.
Field Powered Devices

The above circuit is appropriate for devices that are powered locally and expect a current-controlled signal loop. Ensure that the loop is wired to pass current to the Loop Plus terminal and return it on the Loop Minus terminal.
Sensor Configurations

In safety critical input applications using a single sensor, it is important that the sensor failure modes be predictable and well understood, so that there is little probability of a failed sensor not responding to a critical process condition. In such a configuration, it is important that the sensor be tested regularly, either by dynamic process conditions that are verified in the AADvance system, or by manual intervention testing.
HART

The AADvance controller supports HART communications using dedicated HART modems on each analogue input and output channel, allowing HART field device status, diagnostic data and process signal data to be integrated into the application logic and increasing the level of SIF diagnostics significantly. The AADvance Analogue Input/Output modules use HART command #03 to collect data from the field device, as defined by Revision 5 of the HART specification.
AADvance also supports the ability to pass HART data between an external Asset Management System (AMS) and field devices. This is strictly a passthru mechanism using a dedicated AADvance HART DTM. This passthru capability can however be enabled or disabled under application control. HART data shall not be used as the primary process value for Safety Functions, as the HART protocol does not meet the required integrity levels for Safety Instrumented Functions.
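An added example (not AADvance code) of the two points above: decoding the data field of a HART command #03 response and then using the HART PV only as a diagnostic cross-check on the module's own 4-20 mA measurement, never as the process value. The frame framing bytes are omitted, the unit code and all sample bytes are constructed, and the 2 % tolerance is an assumption.

```python
"""Decode the data field of a HART command #03 response ("Read Dynamic
Variables and Loop Current") and use the HART PV only to cross-check the
analogue input module's own 4-20 mA measurement.  Not AADvance code: the
framing bytes (preamble, delimiter, address, byte count, response code,
device status, checksum) are omitted and all sample bytes are constructed."""

import struct
from typing import Dict, List, Optional, Tuple

# Command 3 data field layout (HART revision 5):
#   bytes 0-3          loop current, IEEE 754 big-endian float, mA
#   then up to four    (units code byte, float value) pairs: PV, SV, TV, QV
def parse_cmd3_data(data: bytes) -> Dict[str, object]:
    if len(data) < 4:
        raise ValueError("command 3 data too short to hold loop current")
    loop_ma = struct.unpack(">f", data[0:4])[0]
    variables: List[Tuple[int, float]] = []
    offset = 4
    while offset + 5 <= len(data) and len(variables) < 4:
        units_code = data[offset]
        value = struct.unpack(">f", data[offset + 1:offset + 5])[0]
        variables.append((units_code, value))
        offset += 5
    return {"loop_current_ma": loop_ma, "variables": variables}


def scale_4_20(current_ma: float, lo: float, hi: float) -> float:
    """Engineering value of a 4-20 mA signal over the range lo..hi."""
    return lo + (current_ma - 4.0) * (hi - lo) / 16.0


def hart_crosscheck(measured_ma: float, cmd3: Dict[str, object],
                    lo: float, hi: float, tolerance_pct: float = 2.0) -> Dict[str, object]:
    """The safety process value is always the module's own 4-20 mA
    measurement.  The HART PV and the device's reported loop current are
    compared with it; a deviation above tolerance (% of span, constructed
    default) raises a diagnostic flag for the application logic, nothing more."""
    process_value = scale_4_20(measured_ma, lo, hi)
    span = hi - lo
    variables = cmd3["variables"]
    hart_pv: Optional[float] = variables[0][1] if variables else None
    pv_dev_pct = None if hart_pv is None else abs(hart_pv - process_value) / span * 100.0
    loop_dev_pct = abs(float(cmd3["loop_current_ma"]) - measured_ma) / 16.0 * 100.0
    alarm = loop_dev_pct > tolerance_pct or (pv_dev_pct is not None and pv_dev_pct > tolerance_pct)
    return {"process_value": process_value, "hart_pv": hart_pv,
            "pv_deviation_pct": pv_dev_pct, "loop_deviation_pct": loop_dev_pct,
            "hart_diagnostic_alarm": alarm}


def _cmd3_bytes(loop_ma: float, pairs: List[Tuple[int, float]]) -> bytes:
    """Build a constructed command 3 data field for the example."""
    out = struct.pack(">f", loop_ma)
    for units_code, value in pairs:
        out += bytes([units_code]) + struct.pack(">f", value)
    return out

# Constructed responses from a transmitter ranged 0..100 (units code 57 is a
# placeholder; meanings are defined in the HART Common Tables).  In the first
# the device agrees with the module's 12.0 mA reading; in the second its PV
# disagrees by 5 % of span.
HEALTHY_CMD3 = _cmd3_bytes(12.0, [(57, 50.0), (57, 23.5)])
DEVIATING_CMD3 = _cmd3_bytes(12.0, [(57, 55.0), (57, 23.5)])


if __name__ == "__main__":
    for name, data in (("healthy", HEALTHY_CMD3), ("deviating", DEVIATING_CMD3)):
        print(name, hart_crosscheck(12.0, parse_cmd3_data(data), 0.0, 100.0))
```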
Actuator Configurations

In safety-critical applications using a single actuator, it is important that the actuator failure modes be predictable and well understood, so that there is little probability of a failed actuator not responding to a critical process condition. In such a configuration, it is important that the actuator be tested regularly, either by dynamic process conditions that are verified in the AADvance system, or by manual intervention testing.
Processor Functional Safety Configuration

The T9110 Processor Module supports a limited set of configuration options; the system will verify the hardware configuration, such as the module locations against actual module types.
For a single fault deemed by the system to be a "critical failure" the processor module enters the Recovery Mode.

Recovery Mode

Recovery Mode is a shutdown mode and uses a base level firmware. It is entered automatically when a critical firmware failure occurs, or it can be entered manually by pressing the processor Fault Reset button immediately after the module has booted up.
I/O Module Safety Related Parameters

The AADvance Workbench provides you with the capability to adjust these safety related parameters for an I/O module:

- Process safety time
- Shutdown action of a digital output module channel
- Fail-safe guard for the Analogue Output Module
- Shutdown action for the Analogue Output Module

I/O Module Start-Up and Locking Screw Safety Function

I/O modules can be replaced or installed on-line without affecting the controller operation p
I/O Module Process Safety Time (PST)

This option allows the system integrator to configure the PST for an I/O module, independently from the system value set through the processor module. If no independent value is set for the module it will adopt, by default, the top level value of PST set for the processor module.
Reactions to Faults in the Input Modules

When an input channel is not capable of reporting a voltage within a safety accuracy specification of 1% of the full scale measurement range, the module returns safe values to the processor. Signals go to a safe state if the module scan time exceeds the PST (refer to "Input Module Safety Accuracy" for safe state details).
When the safety accuracy between channels exceeds the following limits, a discrepancy alarm is set for the input channel:

- Digital Input Module = 8%
- Analogue Input Module = 2%

In both situations the following safe values are reported by the variables:

Digital input modules:
- Input state FALSE
- Line fault TRUE
- Discrepancy TRUE
- Channel fault TRUE
- and the voltage value is 0mV

Analogue input module: process value = a calculated value based on a count value of 0 (51 counts = 0.
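An added model (not AADvance firmware) of the input-module fault reactions above together with the PST fall-back from the I/O Module PST section: a module without its own PST adopts the processor value, and a channel is substituted with the listed safe values when the scan time exceeds the PST, when the channel is outside the 1 % safety accuracy, or when redundant readings differ by more than the module's discrepancy limit. The discrepancy is computed here as the spread of the readings in % of full scale, and the ON threshold, the count scaling and all readings are constructed.

```python
"""Model of input-module fault reactions and the I/O module PST fall-back.
Not AADvance firmware: discrepancy is taken as the spread of redundant
readings in % of full scale, the ON threshold and analogue count scaling are
constructed, and all readings are constructed."""

from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

SAFETY_ACCURACY_PCT = 1.0                                  # % of full scale (manual)
DISCREPANCY_LIMIT_PCT = {"digital": 8.0, "analogue": 2.0}  # from the manual

# Safe values the manual lists for a digital input channel
DIGITAL_SAFE_VALUES: Dict[str, object] = {
    "input_state": False, "line_fault": True, "discrepancy": True,
    "channel_fault": True, "voltage_mv": 0,
}


def effective_pst_ms(module_pst_ms: Optional[float], processor_pst_ms: float) -> float:
    """An I/O module without its own PST adopts the processor's value."""
    return processor_pst_ms if module_pst_ms is None else module_pst_ms


@dataclass
class ChannelResult:
    safe_state: bool            # True when safe values were substituted
    reasons: List[str]
    reported: Dict[str, object]


def evaluate_input_channel(module: str, readings: List[float], full_scale: float,
                           error_pct: float, scan_time_ms: float,
                           module_pst_ms: Optional[float], processor_pst_ms: float,
                           on_threshold_mv: float = 12000.0,
                           counts_to_value: Callable[[int], float] = float) -> ChannelResult:
    """readings: the same field signal as seen by each redundant module
    (mV for digital, counts for analogue); error_pct: the channel's current
    measurement error in % of full scale, as found by module self-test.
    on_threshold_mv and counts_to_value are constructed placeholders."""
    reasons: List[str] = []
    pst_ms = effective_pst_ms(module_pst_ms, processor_pst_ms)
    if scan_time_ms > pst_ms:
        reasons.append(f"scan time {scan_time_ms:.0f} ms exceeds PST {pst_ms:.0f} ms")
    if error_pct > SAFETY_ACCURACY_PCT:
        reasons.append(f"error {error_pct:.2f}% exceeds safety accuracy {SAFETY_ACCURACY_PCT}%")
    if len(readings) > 1:
        spread_pct = (max(readings) - min(readings)) / full_scale * 100.0
        if spread_pct > DISCREPANCY_LIMIT_PCT[module]:
            reasons.append(f"discrepancy {spread_pct:.1f}% exceeds {DISCREPANCY_LIMIT_PCT[module]}%")
    if reasons:
        if module == "digital":
            reported: Dict[str, object] = dict(DIGITAL_SAFE_VALUES)
        else:
            # Analogue safe value: a process value derived from a count of 0
            reported = {"counts": 0, "process_value": counts_to_value(0)}
        return ChannelResult(True, reasons, reported)
    # Healthy channel: pass the first module's reading through
    if module == "digital":
        reported = {"input_state": readings[0] >= on_threshold_mv, "line_fault": False,
                    "discrepancy": False, "channel_fault": False, "voltage_mv": readings[0]}
    else:
        reported = {"counts": int(readings[0]),
                    "process_value": counts_to_value(int(readings[0]))}
    return ChannelResult(False, reasons, reported)


if __name__ == "__main__":
    # Dual digital inputs that agree, then a pair 13 % of full scale apart
    print(evaluate_input_channel("digital", [24000, 23500], 30000, 0.5, 10, None, 250))
    print(evaluate_input_channel("digital", [24000, 20000], 30000, 0.5, 10, None, 250))
    # Analogue module whose scan time has overrun its module-specific PST
    print(evaluate_input_channel("analogue", [32000, 32500], 65535, 0.2, 300, 250, 500))
```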
The PFD & PFH data has been calculated on the basis that the shutdown state is configured to the OFF state. Therefore the OFF state shall be used for SIL2 & SIL3 applications. When a module fails, all the channels are set to the de-energized state.
Careful consideration should be given to the effect on the process of using the 'hold last state' setting. The PFD & PFH data has been calculated on the basis that the shutdown state is configured to the OFF state. Therefore the OFF state shall be used for SIL2 and SIL3.

An installed module automatically transitions from the Shutdown mode to the Ready or Recover modes, and hence to the Run mode, when the RESET button on the processor is pressed and the application is running.
Analogue Output Module Safety Functions

The Analogue Output Module is rated at SIL3 as a fail-safe simplex module and 1oo2D as a dual module. For SIL2 energize to action high demand applications you must use dual analogue output modules. This arrangement is also rated as SIL3 for energize to action applications.
Careful consideration should be given to the effect on the process of using the 'custom shutdown value' or the 'hold last state' setting. The PFD & PFH data have been calculated on the basis that the shutdown state is configured to the OFF state. Therefore the OFF state shall be used for SIL2 and SIL3.
Input and Output Forcing
The AADvance Workbench supports forcing of individual inputs and outputs. The AADvance Workbench uses the term 'locking' to describe forcing. It is important that the implications of forcing (or locking) input and output points on the process, and their impact on safety, are understood by any person using these facilities.
Maintenance Overrides
Maintenance Overrides set inputs or outputs to a defined state that can differ from the real state during safety operation. They are used during maintenance, usually to override input or output conditions in order to perform a periodic test, calibration or repair of a module, sensor or actuator.
AADvance Workbench Configuration
The AADvance Workbench supports four levels of password access, level 0 being the highest (most privileged) access level. Each function (for example, viewing, editing, compiling, downloading) may be restricted to users whose access level is at least as high as the level assigned to that function. Appropriate security protection shall be implemented to prevent unauthorized access to, or change of, the application programs.
Language Selection
The AADvance Workbench offers many programming tools to develop algorithms to meet the needs of virtually any real-time control application. The configuration and programming languages approved for use in SIL3 safety related applications are shown in the table.
Safety Related Languages
  Function Block (FB)
  Instruction List (IL)
  Structured Text (ST)
  Ladder Diagrams (LD)
  Sequential Function Chart (SFC)
The fewer the number of inputs, outputs and signal paths, the fewer the number of permutations that require testing. However, a single safety function should not be split into separate blocks; such a division is likely to lead to the introduction of errors during maintenance activities. The interaction between the individual software blocks shall be minimized.
Partitioning the Application
It is impractical and unnecessary to apply the same degree of rigorous development and testing to all functions within the Application where some of those functions are not safety related. The identification of safety functions is, in part, dependent on the specific safety philosophy. Examples of non-safety related functions may include status indication, data reporting and sequence of events. It is important to establish that these elements are not safety related.
Minimize Logic Depth
Where possible, the logic depth should be minimized. This helps reduce visual complexity, simplifies testing, minimizes the number of interconnects required and improves program efficiency. Where there is nested logic, it shall be possible to establish the correct operation of all intermediate logic connections. The use of memory (latch) components within the safety function shall be minimized.
Communications Interaction
The AADvance system provides a range of communications options to allow interaction with external systems. Where this communication is used for reporting (outgoing) data, there are no specific safety requirements. Data received from external equipment that either controls safety-related functions or affects their operation must be handled with caution. The Application Program shall handle the received data, checking it before it is allowed to influence a safety function.
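One way the Application Program can handle received data before it reaches a safety function, as an added example. This is not code from the AADvance manual or the Workbench; the class name SetpointGuard, the range, rate and heartbeat figures and the sample traffic are all constructed assumptions. The guard accepts a received setpoint only if it is in range, its sequence number has advanced, its timestamp is monotonic and it is not changing faster than the process plausibly allows; rejected updates leave the last good value in place, and once no valid update has arrived within the heartbeat timeout the safety function is handed the configured safe value instead.

```python
"""Guarding data received from an external system before it influences a
safety function.

Added illustration for the 'Communications Interaction' guidance above; it
is not code from the AADvance manual or the Workbench, and the class name,
range, rate and heartbeat figures are assumptions. A received setpoint is
accepted only if it is in range, carries a sequence number that has
advanced, arrives with a monotonic timestamp and does not change faster
than the process plausibly allows. Rejected updates leave the last good
value in place; once no valid update has arrived within the heartbeat
timeout, the safety function is handed the configured safe value instead.
"""
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class SetpointGuard:
    low: float              # engineering range the safety function accepts
    high: float
    max_rate_per_s: float   # largest plausible change per second
    heartbeat_s: float      # a valid update must arrive at least this often
    safe_value: float       # used when no valid data is fresh enough
    last_value: Optional[float] = None
    last_seq: Optional[int] = None
    last_time: Optional[float] = None

    def receive(self, value: float, seq: int, now: float) -> Tuple[bool, str]:
        """Validate one received update; returns (accepted, reason).

        Checks run cheapest first. Sequence wrap-around is not handled
        here; a real protocol layer would define it.
        """
        if math.isnan(value) or math.isinf(value):
            return False, "not a finite number"
        if not (self.low <= value <= self.high):
            return False, "out of range"
        if self.last_seq is not None and seq <= self.last_seq:
            return False, "stale or replayed sequence"
        if self.last_time is not None:
            dt = now - self.last_time
            if dt <= 0:
                return False, "non-monotonic timestamp"
            if abs(value - self.last_value) > self.max_rate_per_s * dt:
                return False, "implausible rate of change"
        self.last_value, self.last_seq, self.last_time = value, seq, now
        return True, "accepted"

    def current(self, now: float) -> float:
        """Value the safety function should act on at time `now`."""
        if self.last_time is None or now - self.last_time > self.heartbeat_s:
            return self.safe_value
        return self.last_value


# Constructed sample traffic (time in s, sequence number, value); not captured
# from a real system. With range 0..100, 5 units/s and a 3 s heartbeat:
SAMPLE_UPDATES = [
    (0.0, 1, 50.0),   # first value: accepted
    (1.0, 2, 52.0),   # +2 in 1 s: accepted
    (2.0, 2, 53.0),   # sequence did not advance: rejected
    (3.0, 3, 250.0),  # outside 0..100: rejected
    (4.0, 4, 95.0),   # +43 in 3 s against a 15-unit allowance: rejected
    (5.0, 5, 60.0),   # +8 in 4 s: accepted
]


def replay(updates, guard: SetpointGuard) -> List[Tuple[bool, str]]:
    """Feed a sequence of (time, seq, value) updates through the guard."""
    return [guard.receive(value, seq, t) for t, seq, value in updates]


if __name__ == "__main__":
    guard = SetpointGuard(low=0.0, high=100.0, max_rate_per_s=5.0,
                          heartbeat_s=3.0, safe_value=0.0)
    for (t, seq, value), (ok, why) in zip(SAMPLE_UPDATES, replay(SAMPLE_UPDATES, guard)):
        print(f"t={t:4.1f} seq={seq} value={value:6.1f} -> {why}")
    print("used at t=6:", guard.current(6.0))   # 60.0, still fresh
    print("used at t=9:", guard.current(9.0))   # 0.0, stale -> safe value
```

The order of the checks matters: range and sequence are rejected before any state is consulted, so a single bad frame cannot disturb the last good value, and the rate limit is measured from the last accepted update rather than the last received one, so a burst of rejected frames cannot be used to walk the setpoint past the limit.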
Functional testing of all safety related programs is considered to be 100% if:
  All inputs are exercised through their entire allowable range
  All outputs are exercised through their entire program determined range
  All logic paths are exercised
  All timers have been tested regarding their timing characteristics without changing timing parameters
  All combinatorial permutations of digital signals, with the exception of 100% tested function blocks, are tested, includ
The procedures for an on-line update are written in the AADvance Configuration Guide, Rockwell Automation reference 553633. On-line modifications must follow the end user's MOC process as required by the applicable industry safety standards. On-line modifications must include any specific checks recommended by Rockwell Automation for the product. Important Note: For Releases 1.3 you can change the I/O module configuration with an on-line update without having to stop the running application.
Environmental Requirements
CAUTION HEAT DISSIPATION AND ENCLOSURE POSITION
System and field power consumed by modules and termination assemblies is dissipated as heat. You should consider this heat dissipation in the design and positioning of your enclosure; e.g. enclosures exposed to continuous sunlight will have a higher internal temperature that could affect the operating temperature of the modules.
Vibration
  Functional Stress: 5Hz to 9Hz, continuous 1.7mm amplitude, occasional 3.5mm amplitude
  Withstand Acceleration Endurance: 10Hz to 150Hz, 0.1g in 3 axes; 10Hz to 150Hz, acceleration 0.5g in 3 axes
Shock
  15g peak, 11ms duration, ½ sine
Altitude
  Operating: 0 to 2000m (0 to 6,600 ft.)
  Storage and Transport: 0 to 3000m (0 to 10,000 ft.)
This equipment must not be transported in unpressurized aircraft flown above 10,000 ft.
For systems for applications outside Europe it is recommended that at least the same measures be applied, and confirmation sought from the client or end-user that electromagnetic interference (EMI) levels are within those shown in the table.
Power Frequency Magnetic Field Immunity
  BS EN 61000-4-8:1994 + A1:2001
  30A rms/m, 50Hz and 60Hz
Voltage Dips, Short Interruptions and Voltage Variations Immunity
  BS EN 61000-4-11:2004
  Not Applicable
Immunity to Conducted Common Mode Disturbance, 0 to 150 kHz
  BS EN 61000-4-16:1998 + A1:2004
  DC & I/O Ports: None
  1 to 10V rms increasing at 20dB/decade from 1.5kHz to 15kHz
  10V rms from 15kHz to 150kHz
  100V rms for 1s at 16.
Marine Certification
AADvance has been tested and found to comply with the EMC requirements of BS EN 60945:2002.
The controller must be supplied with system power from a power source that complies with SELV and PELV standards. SELV (safety extra-low voltage) is a voltage which does not exceed 50VAC or 120 V ripple-free DC between conductors, or between each conductor and earth in a circuit which is isolated from the line voltage by a safety transformer. PELV (protected extra-low voltage) is an extra low voltage circuit with a protective partition from other circuits which has a protective earth connection.
System Security
Serial networks are closed and local and have limited protocol functionality; they are therefore immune to external attack except by deliberate local sabotage. This holds only while the serial link stays physically isolated: a serial-to-Ethernet converter, a dual-homed gateway or an engineering laptop attached to the link removes that isolation. The AADvance system, however, with its workstations and DCS interfaces, uses Ethernet networks which tend to be part of a larger corporate network and can expose the system to accidental or malicious infection or attack.
Chapter 5 Checklists
This chapter contains a number of example checklists. These are provided as an aid for competent engineers. In general each checklist item should result in "yes"; where this is not the case a justification should be produced.
In This Chapter
  Pre-Engineering Checklists
  Engineering Checklists
Description / Yes/No
  Has a risk analysis been completed to determine the Safety Integrity Levels that need to be handled by the system?
Functional Requirements Checklist
Description / Yes/No
  Is the definition of each of the required functions complete?
  Are the interfaces, signals, and data associated with each function clearly identified?
  Where a 'tag referencing' scheme is used for these signals, has a summary description of the naming convention been provided to faci
Description / Yes/No
  Are the AADvance System Build Manual installation instructions available for installing and commissioning the system?
  Does the application program shut down the SIL3 safety instrumented functions if a faulty module has not been replaced within the MTTR assumed for the system in the PFD calculations?
  Have the application programs been set up to monitor the "discrepancy alarms" and alert the operators when a discrepancy alarm occurs?
  Do the energize to action configurations conform to
Description / Yes/No
  Do safety related inputs and outputs use only those configurations identified as safety related?
  Are there any safety-related, normally de-energized outputs? If so, have redundant power sources, power failure warning and line monitoring been provided?
  Have actuator fault conditions been taken into account?
  Has an actuator testing schedule been created for regular actuator maintenance?
  Have field power supplies conforming to EN61010-1 or EN 60950 bee
Language Selection Checklist
Description / Yes/No
  Are any functions not in the previously tested libraries required? If so, has provision been made to adequately test these functions?
Override Requirements Checklist
Description / Yes/No
  Are the effects of overriding fully understood, particularly where the override action will affect independent parts of an application?
  Has a method of enabling, or more importantly removing, the overrides for the system as a whole, or for individual sub-systems, been provided?
  Ha
Description / Yes/No
  Has guidance been followed to ensure that SIL3 signals are shut down when the time limit imposed by the MTTR assumed for the PFD calculations is exceeded?
  Has "Hold Last State" been set up for the Digital Output channels and, if so, has the effect on the safety functions been taken into account?
  Has input or output forcing been used on any channels, and has the effect on the safety function been fully taken into account so that it does not jeopardize func
Description / Yes/No
  Is the HART data not used as the primary process measurement in a safety related SIF?
  Has the HART Passthru function been disabled if the device configuration status is not monitored and alarmed, to prevent unauthorized or accidental changes to the field device configuration?
Glossary of Terms
A
accuracy
  The degree of conformity of a measure to a standard or a true value. See also 'resolution'.
achievable safe state
  A safe state that is achievable. Note: Sometimes, a safe state cannot be achieved.
asynchronous
  A data communications term describing a serial transmission protocol. A start signal is sent before each byte or character and a stop signal is sent after each byte or character. An example is ASCII over RS232-C. See also 'RS-232-C, RS-422, RS-485'.
blanking cover
  A plastic moulding to hide an unused slot in an AADvance base unit.
boolean
  A type of variable that can accept only the values 'true' and 'false'.
BPCS
  Basic process control system. A system which responds to input signals and generates output signals causing a process and associated equipment to operate in a desired manner, but which does not perform any safety instrumented functions with a claimed safety integrity level of 1 or higher.
C
CIP
consumer
  The consuming controller requests the tag from the producing controller.
contact
  A graphical component of a Ladder Diagram program, which represents the status of an input variable.
dictionary
  The set of internal input and output variables and defined words used in a program.
discrepancy
  A condition that exists if one or more of the elements disagree.
fault reset button
  The momentary action push switch located on the front panel of the 9110 processor module.
function block diagram
  An IEC 61131 language that describes a function between input variables and output variables. Input and output variables are connected to blocks by connection lines. See 'limited variability language'.
I
instruction list
  An IEC 61131 language, similar to the simple textual language of PLCs. See 'limited variability language'.
I/O base unit
  A backplane assembly which holds up to three I/O modules and their associated termination assembly or assemblies in an AADvance controller. Part number 9300. See 'I/O module' and 'termination assembly'.
M
manual call point
  A component of a fire detection and fire alarm system which is used for the manual initiation of an alarm.
Modbus
  An industry standard communications protocol developed by Modicon. Used to communicate with external devices such as distributed control systems or operator interfaces.
O
OPC
  A series of standards specifications which support open connectivity in industrial automation.
processor module
  The application execution engine of the AADvance controller, housed in a self-contained and standardized physical form factor.
producer
  A controller producing a tag to one or more consumers, at the request of the consumers.
PST
  Process Safety Time. The process safety time for the equipment under control (denoted PST) is the period a dangerous condition can exist before a hazardous event occurs, without a safety system as a protection.
safety accuracy
  The accuracy of an analogue signal within which the signal is guaranteed to be free of dangerous faults. If the signal drifts outside of this range, it is declared faulty.
SNCP
  SNCP (Safety Network Control Protocol) is the safety protocol that allows elements of an AADvance system to exchange data. SNCP is a SIL 3 certified protocol which provides a safety layer over the Ethernet network, making it a "Black Channel".
termination assembly
  A printed circuit board which connects field wiring to an input or output module. The circuit includes fuses for field circuits. The board carries screw terminals to connect field wiring to the controller, and the whole assembly clips onto the 9300 I/O base unit.
TMR
  Triple modular redundant. A fault tolerant arrangement in which three systems carry out a process and their result is processed by a voting system to produce a single output.
Chapter 7 Additional Resources
Associated AADvance Publications
For more information about the AADvance system refer to the associated Rockwell Automation technical manuals shown in this document map.
Publication / Purpose and Scope
Safety Manual
  This technical manual defines how to safely apply AADvance controllers for a Safety Instrumented Function. It sets out standards (which are mandatory) and makes recommendations to ensure that installations meet and maintain their required safety integrity level.
Troubleshooting and Maintenance Manual
  This technical manual describes how to maintain, troubleshoot and repair an AADvance Controller.
OPC Portal Server User Manual
  This manual describes how to install, configure and use the OPC Server for an AADvance Controller.
PFHavg and PFDavg Data
  This document contains the PFHavg and PFDavg Data for the AADvance Controller. It includes examples on how to calculate the final figures for different controller configurations.