icstt-rm446 - Literature Library
Contents
1. … 4-21; Calculations of Probability of Failure upon Demand 4-22; Processor Functional Safety Configuration 4-22; Module Safety … 4-24; Input and Output Forcing 4-32; Maintenance Overrides 4-32; Application Program Development 4-33; On-line … 4-39; Physical … 4-40; Environmental 4-41; AADvance System Power Requirements 4-45; System Security 4-47. I/O Modules: The AADvance system supports single module configurations where it is acceptable either to stop the system or to allow the signals corresponding to that module to change to their default fail-safe state. It also supports fault-tolerant configurations where it is required to ensure continued system operation in the event of a fault. All configurations may be used for safety-related applications, the choice between the configurations being dependent on the end user's fault to
2. … 4-1; Energize to Action Configurations 4-3; Controller Process Safety Time 4-3; Industrial Functional Safety Standards 4-5; … 4-5; 86 Requirements 4-6; … 4-6; BS EN 54 Requirements 4-7; EN 54 section 7.12 Dependencies on More Than One Alarm 4-8; … 4-9; Field Configurations 4-11; Line Monitoring 4-11; Digital Input Field Loop Circuits 4-11; Recommended Field Circuit for
3. … 1-10; Non-Hazardous Installation Requirements 1-11; Installation Requirements for Hazardous Environment 1-11; Installation Requirement 1-11; Certifications for Safety System Applications in Hazardous Environments 1-14; Registration 1-24. Chapter 2 Functional Safety Management 2-1; The Safety Management System 2-1; The Safety Life-cycle 2-1; Scope Definition 2-2; Hazard and Risk Analysis 2-2; System Functional and Safety Requirements 2-3; System … 2-3; Application Programming 2-4; …
4. If the anticipated EMI exceeds these levels, additional protection measures, such as a suitably screened and earthed enclosure, shall be applied. ICSTT-RM446-EN-P Issue 12. Marine Certification: AADvance has been tested and found to comply with the EMC requirements of BS EN 60945:2002. EMC compliance within a marine environment is dependent on, and can only be assured by, the use of:
   - shielded Ethernet cables;
   - adequate bonding of the system chassis to a suitable ground reference.
   Fit EMC Static Protection Covers: For EMC static protection you should fit the black plastic protection covers supplied with the base units over any exposed 48-pin DIN connectors on the T9300 I/O Base unit. (Figure labels: Rubber Connector Cover; Plastic Protection.) Using Shielded Cabling for Ethernet and Serial Ports: When using cable lengths that exceed 3 m for Ethernet and serial communication you must use shielded cable to remain within the emission and immunity standards. Also ensure that the shields are grounded to the controller chassis. Important: The system is resistant to radio interference due to its bus structure. However, sensible use of site radios is advised: do not use radios inside or near an open panel. AADvance System Power Requirements: The AADvance controller is designed to operate from two independent 24V dc power supplies with a common return path, that is, the 24V return shall be common between the power fee
5. Configuration Guide(s): These software technical manuals define how to configure an AADvance controller using the AADvance Workbench to meet your system and application requirements. Use the manual appropriate to the version of Workbench being deployed. Troubleshooting and Maintenance Manual: This technical manual describes how to maintain, troubleshoot and repair an AADvance Controller. OPC Portal Server User Manual: This manual describes how to install, configure and use the OPC Server for an AADvance Controller. PFHavg and PFDavg Data: This document contains the PFH and PFD data for the AADvance Controller. It includes examples of how to calculate the final figures for different controller configurations. The data supports the recommendations in this AADvance Safety Manual. Regional Offices: Rockwell Automation Oil and Gas resources are available in regional offices worldwide. Rockwell Automation, 4325 West Sam Houston Parkway North, Suite 100, Houston, Texas 77043-1219, USA; Tel +1 713 353 2400; Fax +1 713 353 2401. Rockwell Automation, No 2 Corporation Road, #04-01 to 03 Corporation Place, Singapore 618494; Tel +65 6622 4888; Fax +65 6622 4884. Rockwell Automation, Hall Road, Maldon, Essex CM9 4LA, England, UK; Tel +44 1621 854444; Fax +44 1621 851531. Abu Dhabi: 903 Bin Hamoodah Building, 9th Floor, Khalifa Street, Abu Dhabi, UAE; Tel +971 2 627 6763. Internet
6. 1-21 Safety Manual AADvance Controller. IEC IECEx Certificate of Conformity: Certificate No. IECEx UL 12.0032X; Date of Issue 2014-05-28; Issue No. 2; Page 4 of 4. DETAILS OF CERTIFICATE CHANGES (for issues 1 and above): Issue 1: Addition of Model 9892 and updated drawings. Issue 2: Update to the latest edition of IEC 60079-0. Annex: Annexe for IECEx UL 12.0032 Issue 2.pdf. 1-22. Annexe for IECEx UL 12.0032, Backplane Ratings (Description; Voltage; Current): Processor Backplane, 10.4A, 400mA per slot; Dual Processor Backplane, 10.4A, 400mA per slot; I/O Backplane, 9.6A, 400mA per slot. Module ratings (table flattened in extraction; Description; Vdc; Input/Output Ratings): Processor Module; Digital Input Module, Input 18-32Vdc, 24 mA / 6.5 mA; channel counts and model numbers 9432, 9481, 9482, 9451, 9801, 9802, 9803, 9831, 9832, 9833, 9851, 9852, 9892, 9881, 9882; Analogue Input Module, 16 channel; Analogue Output Module, 18-32Vdc; Analogue Output Module, 8 channel, 18-32Vdc; Digital Output Module, 18-32Vdc, 165; Termination Assemblies: 16 Channel Simplex Digital Input, 16 Channel Dual Digital Input, 16 Channel TMR Digital Input, 16 Channel Simplex Analogue Input, 16 Channel Dual Analogue Input, 16 Channel TMR Analogue Input,
7. 2-2 Scope Definition. Life cycle stages:
   - Scope definition
   - Hazard and risk analysis
   - Functional and safety requirements specification
   - System engineering
   - Application programming
   - System production
   - System integration
   - System installation and commissioning
   - Safety system validation
   - Operation and maintenance plan
   - System modification
   - Decommissioning
   The definition of each life cycle stage shall include its inputs, outputs and verification activities. It is not necessary to have separate stages within the lifecycle addressing each of these elements independently, but it is important that all of these stages are covered within the lifecycle. Specific items that need to be considered for each of these life cycle elements are described in the following sub-paragraphs. The scope definition is the first step in the system life cycle. You have to identify the boundaries of the safety-related system and provide a clear definition of its interfaces with the process and with all third-party equipment. This stage should also establish the derived requirements resulting from the intended installation environment, such as environmental conditions and power sources. In most cases the client will provide this information. The system integrator must review this information and gain a thorough understanding of the intended application, the bounds of the system to be provided and its intended operating cond
8. … 2-5; System Installation 2-5; System Integration 2-6; System Commissioning 2-6; Safety System Validation 2-6; Operation and Maintenance 2-7; Maintaining Functional Safety 2-7; Functional Safety Assessment(s) 2-7; Safety Integrity Design 2-8. Chapter 3 AADvance System … 3-1; … 3-1; Configuration Backups 3-1; SIL 2 Fail-safe Architectures 3-1
9. SIL 3 Architectures: SIL 3 architectures have at least two processor modules and are suitable for use with:
   - SIL 3 de-energize to trip applications;
   - SIL 3 energize to action applications which have dual digital/analogue output modules.
   Faulted input modules in a SIL 3 arrangement may be replaced without a time limit; faulted output modules must be replaced within the MTTR assumed in the PFD calculations. In all SIL 3 architectures, when the processor modules have degraded to 1oo1D on the first detected fault, the system must be restored to at least 1oo2D by replacing the faulty processor module within the MTTR assumed in the PFD calculations, or all SIL 3 safety instrumented functions and high demand safety instrumented functions must be shut down. SIL 3 Fail-safe I/O, Fault Tolerant Processor: A SIL 3 fail-safe I/O with a fault tolerant processor architecture has a simplex input and output arrangement with dual or triple processor modules. The dual processor modules operate 1oo2D under no fault conditions and degrade to 1oo1D on detection of the first fault in either module. When there are faults on both modules the configuration will fail safe. (Figure label: Final Elements.) If required, you can configure triple processor modules as a variation of this SIL 3 architecture. Using this arrangement the processor modules operate in 2oo3D under no fault conditions and 20 on the detection of the first f
10. The architectural definition shall define the safety requirements class for each architectural element and identify the safety functions allocated to each element. Additional safety functions resulting from the chosen system architecture shall be defined at this stage. The detailed engineering design shall refine the architectural elements and culminate in detailed information for system build. The design shall be in a form that is readily understood and allows for inspection and review of each stage of the process and final design. If the possibility of errors cannot be eliminated, the system integrator should make sure that procedural methods are devised and applied to detect them. The system design should include facilities to allow field maintenance tasks to be performed. Each installation shall be designed to ensure that the control equipment is operated in environments that are within its design tolerances. Therefore the operating environment should provide proper control of temperature, humidity, vibration and shock, as well as adequate shielding and earthing to minimize exposure to sources of electromagnetic interference and electrostatic discharge. Application Programming: Application programs are developed and monitored using the AADvance Workbench software. An overall application program software architecture shall be defined at the application programming stage.
11. … 6-1; Chapter 7 Additional Resources 7-1. Chapter 1 Introduction: This chapter provides an introduction to the AADvance Safety Manual and to the AADvance system. In This Chapter: Verification of the Safety Manual 1-1; Terminology 1-2; The AADvance … 1-3; AADvance Features 1-5; Associated Documents 1-7; Controller TÜV Certification 1-8; Certification for use in Hazardous Environments 1-24; KCC EMC 1-24. Verification of the Safety Manual: The AADvance system and the user Safety Manual are independently certified by the certification authority Technischer Überwachungs-Verein (TÜV) to meet the requirements of IEC 61508 SIL 3. Competency: The achievement of functional safety requires the implementation of the safety lifecycle whilst ensuring that persons who are responsible for any safety lifecycle activities meet the required competency levels in functional safety.
12. T9851/2 TA 24V dc 8 Channel Simplex/Dual Analogue Outputs; T9481/T9842 Analogue Output Module 3/8 Ch Isolated; T9881/T9882 TA 8Ch Simplex/Dual. Modules: Processor Base T9100; Base T9300 3-way. Output Modules, TÜV Certified Configuration: 1oo1, 1oo2 or 1oo2D; 1oo1, 1oo2 or 1oo2D. Auxiliary Modules: 3. Conditions (digital output modules): De-energize to action (normally energized): SIL 3 with 1 or 2 modules fitted, 1oo2D with dual output modules fitted. Energize to action (normally de-energized): SIL 2 with 1 module fitted and SIL 3 with 2 modules fitted. A faulty digital output module must be repaired or replaced within the MTTR which was used in the PFD calculation. Conditions (analogue output modules): De-energize to action (normally energized): SIL 3 with 1 or 2 modules fitted, 1oo2D with dual output modules fitted. Energize to action (normally de-energized): SIL 2 with 1 module fitted and SIL 3 with 2 modules fitted. A faulty analogue output module must be repaired or replaced within the MTTR which was used in the PFD calculation. Safety related and can be used for safety critical applications in: fault tolerant High Demand SIL 2 applications with 2 modules fitted, or SIL 3 applications with 2 or 3 modules fitted. Safety related and can be used for safety critical applications in SIL … Note: Revisions of modules are subject to change. A list of the released versions is held
13. 2oo3 voting system (figure label: Sensors). Digital Output Modules: A digital output module fault must be repaired within the MTTR which was used in the PFD calculation. Analogue Output Modules: An analogue output module fault must be repaired within the MTTR which was used in the PFD calculation. 3-12. Table 9, Modules for TMR Input and Processor, Fault Tolerant Output (Position; Module Type): I/P A: 3 x T9401/2 Digital Input Module 24V dc 8/16 Channel, T9803 Digital Input TA 16 Channel TMR; or 3 x T9431/2 Analogue Input Module 8/16 Channel, T9833 Analogue Input TA 16 Channel TMR; 2 x T9300 I/O Base Unit. CPU A & B: 3 x T9110 Processor Module, T9100 Processor Base Unit. O/P A: 2 x T9451 Digital Output Module 24V dc 8 Channel, T9852 Digital Output TA 24V dc 8 Channel Dual; or 2 x T9481/T9842 Analogue Output Module 3/8 Ch Isolated, T9882 Analogue Output TA 8 Ch Dual. Note: All configurations that use dual or triplicate processor modules are suitable for SIL 3 architectures with de-energize to trip outputs. Dual outputs are also required for SIL 3 energize to action outputs. Table 11, Modules: Processor Module T9110. Modules, Digital Inputs: T9401/2 24V dc 8/16 Channel isolated; T9801/2/3 Digital Input TA 16 channel Simplex/Dual/TMR. Analogue Inputs: T9431/2 8/16 Channel
14. 8 Channel Simplex Digital Output; Dual Digital Output; Dual Digital Output; Simplex Analogue Output; Dual Analogue Output. (Numeric ratings columns lost in extraction.) Input 0-32Vdc, 9.6 / 5 mA; Input 18-32Vdc, 24 mA; Output 18-32 Vdc, 0-20mA; Output 18-32Vdc, 0-20mA; Output 18-32Vdc, 0.5A Pilot Duty 16VA, 1.5A Inrush. Module 9100 Processor Backplane and 9101 Dual Processor Backplane are for use with Module 9110 and 9111 Processors. Module 9300 I/O Backplane is for use with all other Modules. Subject devices are all marked Ex nA … T4 Gc. 1-23. Module Label: The following label information must be attached to each module: Rockwell Automation, Hall Road, Maldon, UK, CM9 4LA. IND. CONT. EQ. FOR USE IN HAZARDOUS LOCATIONS, US CL I DIV 2 GP A B C D, LISTED. II 3G Ex nA T4 Gc, DEMKO 11 ATEX 1129711X, File E341697, IECEx UL 12.0032X, KCC mark, 9000 MODULES, TÜV Rheinland www.tuv.com. Battery Fitted: polycarbon monofluoride lithium coin battery 3V, size BR2032. Warning: Explosion Hazard. Batteries must only be changed in an area known to be non-hazardous. (French label text: Battery fitted: polycarbon monofluoride lithium coin battery 3V, size BR2032. Warning: explosion hazard. Les piles ne d
15. All persons involved in any safety lifecycle activity, including management activities, shall have the appropriate training, technical knowledge, experience and qualifications relevant to the specific duties they have to perform. The suitability of persons for their designated safety lifecycle activities shall be based on the specific competency factors relevant to the system application and shall be defined and recorded for each individual. The following competence factors should be addressed when assessing and justifying the competency level of persons to carry out their duties:
   - Engineering experience appropriate to the application area
   - Engineering experience appropriate to the technology
   - Functional safety engineering experience appropriate to the technology
   - Knowledge of the legal and safety regulatory framework
   - The consequences of failure of the safety-related system
   - The safety requirements class of the safety-related systems
   - The novelty of the design, design procedures or application
   - Previous experience and its relevance to the specific duties to be performed and the technology being employed
   In all of the above, the higher the risk, the more rigor will be required in the specification and assessment of the competence. Terminology, Vocabulary and Conventions: The terms certification and certified are used widely within this Manual; these terms refer principally
16. Modules for SIL 2 Fault Tolerant Output Architecture (Position; Module Type): I/P A: T9401/2 Digital Input Module 24V dc 8/16 Channel, T9801 Digital Input TA 16 Channel Simplex; or T9431/2 Analogue Input Module 8/16 Channel, T9831 Analogue Input TA 16 Channel Simplex; T9300 Base Unit. CPU A: 1 x T9110 Processor Module, T9100 Processor Base Unit and T9300 I/O Base Unit. O/P A: 2 x T9451 Digital Output Module 24V dc 8 Channel, T985 Digital Output TA 24V dc 8 Channel Dual; or 2 x T9481/T9842 Analogue Output Module 3/8 Ch Isolated, T9881 Analogue Output TA 8 Ch Simplex. SIL 2 Fault Tolerant Input and SIL 2 High Demand Architecture: A SIL 2 fault tolerant High Demand architecture has dual input, dual processor and dual output modules. In a dual arrangement the input modules operate in 1oo2D under no fault conditions, degrade to 1oo1D on the detection of the first fault in either module, and will fail safe when there are faults on both modules. A triple input module arrangement can also be configured if it is required to increase the fault tolerance of the input. When a triple input module arrangement is configured, the input modules operate in 2oo3D under no fault conditions, degrade to 1oo2D on detection of the first fault in any module, then degrade to 1oo1D on the detection of faults in any two modules, and will fail safe when there
17. Processor Safety Functions: The processor module is classified as safety critical and is responsible for the following safety functions:
   - solving application logic
   - external communication (Ethernet and serial)
   - communication with I/O modules, such as receiving input values, sending output values and coordinating diagnostics
   - enforcement of system PST, diagnostics, fault indications and degradation of the processor module
   - enforcement of input PST, diagnostics, fault indications and degradation of input modules
   - initiating diagnostics, fault declaration and, for some fault conditions, the degradation of output modules
   - recovery mode operation
   Reaction to faults in the processor module: The processor module reports faults by front panel indicators and fault codes stored in the System Event log. SYSTEM HEALTHY and HEALTHY LEDs go RED when a fault is detected in the processor module. Fault indications are also sent to the user application by variables that you can set up during the system configuration process. These variables provide the following information:
   - module presence
   - module health and status
   - channel health and status (an echo of the front panel indications)
   For a single fault deemed by the system to be a critical failure, the processor module enters the Recovery Mode. Recovery Mode: Recovery Mode is a shutdown mode and uses a base level firmware. It i
18. SIL 2 Fault Tolerant Input Architectures 3-3; SIL 2 Output Architecture 3-4; SIL 2 Fault Tolerant Input and SIL 2 High Demand Architecture 3-5; … 3-7; SIL 3 Fail-safe I/O, Fault Tolerant … 3-7; SIL 3 Fault Tolerant I/O Architectures 3-8; SIL 3 Input and Processor Fault Tolerant Output 3-11; Certified Configurations 3-13; Internal Diagnostics 3-14; Safety … 3-15; Safety Networks 3-15; Configuring SNCP Safety Network 3-17; Configuring Variable Bindings 3-17; … 3-18. Chapter 4 AADvance Functional Safety System Implementation 4-1; General Design Measures for Functional
19. applications.
   - The fail-safe state current of the analogue output module is less than 2mA.
   - For energize to action high demand applications you must use dual analogue output modules.
   - When the module is unlocked, all of its output channels, including any channels set to hold last state, always go to the de-energized state.
   Analogue Output Module Safety Functions: The Analogue Output Module is rated at SIL 3 as a fail-safe simplex module and 1oo2D as a dual module. For SIL 2 energize to action high demand applications you must use dual analogue output modules. This arrangement is also rated as SIL 3 for energize to action applications. Each module provides the following safety functions:
   - Commanded Values and Scaling Factor
   - Fail-safe Guard Band
   - Shutdown
   - Module Status Diagnostics
   4-29. Commanded Values and Scaling Factor: User configurable value. The application cannot change the scaling factor; it can only be changed by an on-line update. Fail-safe Guard: User configurable value. The fail-safe guard is user configurable and cannot be changed by the application; it can only be changed by an on-line update. The default value is 1 0 2. Shutdown: When in the Shutdown mode the Ready and Run indicators will go RED. You can configure the state of the outputs when the module is in the Shutdo
20. isolated; T9831/2/3 Analogue Input TA 16 Channel Simplex/Dual/TMR. Central Modules, TÜV Certified Configuration: 1oo1D, 1oo2D, 2oo3D. Input Modules, TÜV Certified Configuration: 1oo1D, 1oo2D, 2oo3D; 1oo1D, 1oo2D, 2oo3D. Certified Configurations, Table 10, Conditions (central modules): Safety related and can be used for safety critical applications in SIL 2 with 1 module fitted and SIL 3 applications with 2 or 3 modules fitted. Note: For High Demand applications you must use a minimum of two processors. Conditions (input modules): De-energized to action (normally energized): SIL 3 with 2 or 3 modules fitted. Energize to action (normally de-energized): with 1, 2 or 3 modules fitted. Note: when the integrity level is at 1oo1D then the faulty module must be replaced to restore the integrity level back to 1oo2D. Within the manufacturer's specified safety accuracy limits of 0.2mA. The safety state of the analogue input has to be set to a safe value, which is a calculated value based on a count value of 0mA; refer to the AADvance Configuration Guide(s), Doc. Nos. 553633 & 555063, for more details. SIL 3 with 1, 2 or 3 modules fitted. Note: when the integrity level is at 1oo1D then the faulty module must be replaced within the MTTR assumed for the PFD calculations to restore the integrity level back to 20. Table 12, Table 13, Modules, Digital Outputs: T8451 24V dc 8 channel
21. Chapter 5 Checklists: This chapter contains a number of example checklists. These are provided as an aid for competent engineers. In general, each checklist item should result in "yes"; where this is not the case, a justification should be produced. In This Chapter: Pre-Engineering Checklists 5-1; Engineering Checklists 5-3. Pre-Engineering Checklists: The checklists provided within this section are applicable to the requirements. It should be recognized that the requirements will undergo refinement, particularly in the early stages of a project. The information provided initially may be in outline; in this case these checklists should be used to help identify where omission has occurred or where further refinement is necessary. Scope Definition Checklist (Description; Yes/No): Has a summary description of the intended application been provided? Is the intended installation environment defined? If so, does this include both normal and possible abnormal conditions? Does this include geographical distribution requirements? Does the installation position the modules in the upright position to ensure non-forced air cooling is effective? Does the installation environment meet the environmental specification for the controller? Has a list of all the third-party equipment interfaces been provided, and are definitions of bo
22. Processor Module Access Port: The front panel of the T9110 Processor Module has a concealed PS/2 style connector on the front panel behind a plastic cover. This connector is for Rockwell Automation use only and is used for factory settings during manufacturing. However, the plastic cover can be removed to replace the processor battery. I/O Module Safety Functions: This section describes the I/O safety parameters. I/O Module Safety Related Parameters: The AADvance Workbench provides you with the capability to adjust these safety-related parameters for I/O modules:
   - Process safety time
   - Shutdown action of a digital output module channel
   - Fail-safe guard for the Analogue Output Module
   - Shutdown action for the Analogue Output Module
   I/O Module Start-Up and Locking Screw Safety Function: 4-24. I/O modules can be replaced or installed on-line without affecting the controller operation, provided at least one is fitted in a dual/triple Termination Assembly and is fully operational. However, each module must be installed one at a time and allowed to educate before the next module is installed. The module locking screw acts as a retaining device and also as a switch that controls the module's operational status. For the module to be fully operational the locking screw must be in the locked position. When the first I/O module is installed and the locking screw set to the lock po
23. 16 Channel Dual; or 2 x T9431/2 Analogue Input Module 8/16 Channel, T9832 Analogue Input TA 16 Channel Dual; 2 x T9300 I/O Base Unit. CPU A & I/P B: 2 x T9110 Processor Module, T9100 Processor Base Unit and CPU B. O/P A: 1 x T9451 Digital Output Module 24V dc 8 Channel, T9851 Single Digital Output TA 24V dc 8 Channel for de-energize to action. O/P B: T9300 Base unit, 2 x T9451 Digital Output Module 24V dc 8 Channel, T9852 Dual Digital Output TA for energize to action; or 2 x T9481/T9842 Analogue Output Module 3/8 Ch Isolated, T9882 Analogue Output TA 8 Ch Dual. 3-10. SIL 3 TMR Input and Processor, Fault Tolerant Output: A SIL 3 TMR architecture offers the highest level of fault tolerance for an AADvance controller and consists of triple input modules, triple processors and dual output modules.
   - The input and processor modules operate in 2oo3D under no fault conditions, degrade to 1oo2D on detection of the first fault in any module, degrade to 1oo1 on the detection of faults in any two modules, and will fail safe when there are faults on all three modules.
   In the event of a failure in any element of a channel, the channel processor will still produce a valid output which could be voted on, because of the coupling between the channels. This is why the triple modular redundant implementation provides a configuration that is inherently better than a typical
24. Reference Documents (Document; Title):
   - IEC 61508 Parts 1-7, 1998/2000: Functional safety of electrical/electronic/programmable electronic safety-related systems
   - IEC 61511-1, 2004: Functional safety: Safety instrumented systems for the process industry sector
   - ANSI/ISA 84.00.01, 2004 (IEC 61511-2 Mod): Functional Safety: Safety instrumented systems for the process industry sector
   - EN 61131-2, 2007: Programmable controllers, Part 2: Equipment requirements and tests
   - NFPA 72, 2013: National fire alarm and signalling code
   - NFPA 85, 2015: Boiler and combustion systems hazard code
   - NFPA 86, 2015: Standards for ovens and furnaces
   - EN 50156-1, 2004: Electrical equipment for furnaces and ancillary equipment: Requirements for application design and installation
   - EN 54-2, 1997 + A1 2006: Fire alarm control panels
   - UL 508: Industrial control equipment
   Note: A good understanding of health and safety practices and functional safety principles is highly recommended, and the principles of these standards should be understood before generating procedures and practices to meet the requirements of this Safety Manual. Controller TÜV Certification: TÜV is the safety certifying authority for an AADvance controller, and they have certified the AADvance system to the following standards: IEC 61508 Parts 1-7, 1998/2000; IEC 61511-1, 2004; EN 61131-2, 2007; EN 50178, 1997; EN 50156-1, 2004; EN 54-2, 1997 + A1 2006
25. Rockwell Automation Ltd, Hall Road, Maldon, CM9 4LA, United Kingdom. Additional Manufacturing location(s): … This certificate is issued as verification that a sample(s), representative of production, was assessed and tested and found to comply with the IEC Standards listed below, and that the manufacturer's quality system, relating to the Ex products covered by this certificate, was assessed and found to comply with the IECEx Quality system requirements. This certificate is granted subject to the conditions as set out in IECEx Scheme Rules, IECEx 02 and Operational Documents as amended. STANDARDS: The electrical apparatus and any acceptable variations to it specified in the schedule of this certificate and the identified documents, was found to comply with the following standards: IEC 60079-0:2011, Explosive atmospheres, Part 0: General requirements, Edition 6.0; IEC 60079-15:2010, Explosive atmospheres, Part 15: Equipment protection by type of protection "n", Edition 4. This Certificate does not indicate compliance with electrical safety and performance requirements other than those expressly included in the Standards listed above. TEST & ASSESSMENT REPORTS: A sample(s) of the equipment listed has successfully met the examination and test requirements as recorded in Test Reports US/UL/ExTR12.0041/00, US/UL/ExTR12.0041/01, US/UL/ExTR12.0041/02 and Quality Assessment Report DK/ULD/QAR10.0001/02. 1-20
26. This architecture will identify the software blocks and their functions. The application programming shall address methods for addressing system-specific testing, diagnostics and fault reporting. It is highly recommended that simulation testing be performed on each software block. The simulation testing should be used to show that each block performs its intended functions and does not perform unintended functions. It is also highly recommended that software integration testing is performed within the simulation environment before commencing hardware/software integration. The software integration testing should show that all software blocks interact correctly to perform their intended functions and do not perform unintended functions. The development of the application software shall follow a structured development cycle, the minimum requirements of which are:
   - Architectural definition: The application program shall be divided into self-contained blocks to simplify the implementation and testing. Safety and non-safety functions should be separated as far as possible at this stage.
   - Detailed design and coding: The detailed design and coding stage will add detail to the design and implement each of the blocks identified within the architectural definition.
   - Testing: The testing stage will verify the operation of the application; it is recommended that the application blocks first be tested individu
27. a period of at least one hour. A system fault shall be audibly indicated; this indication may be capable of being silenced.
Safety Manual AADvance Controller
- The cabinet of the control and indicating equipment shall be of robust construction, consistent with the method of installation recommended in the documentation. It shall meet at least classification IP30 of IEC 60529:1991.
- All mandatory indications shall be visible at access level without prior manual intervention, such as the need to open a door.
- If the control and indicating equipment is designed to be used with a power supply (item L of the figure of EN 54-1) contained in a separate cabinet, then an interface shall be provided for at least two transmission paths to the power supply, such that a short circuit or an interruption in one does not affect the other.
- The EN 54-2 certification is only applicable where the system is applied in accordance with this safety manual and EN 54-2 requirements.
EN 54 section 7.12, Dependencies on More Than One Alarm Signal
7.12.1 A dependency option with requirement: Following the receipt of a first alarm signal from a fire detector, the entry to the fire alarm condition may be inhibited until the receipt of a confirmation alarm signal from the same fire detector or from a fire detector in the same zone. In this case the first alarm state need not be indicated, and the following shall apply:
- the m
28. are faults on all three modules. The processor will operate in 1oo2D under non-faulted conditions and will degrade to 1oo1D on the first detected fault. For high demand applications the processor must be repaired within the MTTR assumed in the PFD calculations, or the high demand safety instrumented functions must be shut down. For High Demand mode applications you must use a minimum of a dual processor configuration. High demand energize-to-action applications will require dual output modules. Analogue Output Modules where the normal output current is less than 4 mA are classed as energize-to-action applications.
[Architecture diagram: Sensors, I/P, CPU, O/P, Final Elements]
For Continuous Mode applications the measures defined in this section for High Demand applications must be applied.
Table 6: Modules for SIL 2 Fault Tolerant High Demand Architecture
Position    | Module Type
I/P A       | 2 x T9401/2 Digital Input Module, 24V dc, 8/16 Channel; T9802 Digital Input TA, 16 Channel Dual; or 2 x T9431/2 Analogue Input Module, 8/16 Channel; T9832 Analogue Input TA, 16 Channel Dual; 2 x T9300 I/O Base Unit
CPU A & CPU B | 2 x T9110 Processor; T9100 Processor Base Unit
O/P A       | 2 x T9451 Digital Output Module, 24V dc, 8 Channel; T9852 Digital Output TA, 24V dc, 8 Channel; T9300 Base Unit; or 2 x T9481/T9842 Analogue Output Module, 8 Ch Isolated; T9882 Analogue Output TA, 8 Ch Dual
29. as follows: R1 = 15 kΩ, 1 W; maximum power dissipated is 47 mW at 26.4 V. R2 = 3K9 (3.9 kΩ), 1 W; maximum power dissipated is 182 mW at 26.4 V.
Suggested threshold values for both of the above circuits are as follows (the state labels mark the bands between thresholds):
Threshold ID    | Value (mV) | Band
Maximum Allowed | 32000      | SHORT CIRCUIT (above Threshold 8)
Threshold 8     | 19000      |
Threshold 7     | 18500      | ON (nominal 16 V, between Thresholds 6 and 7)
Threshold 6     | 11000      |
Threshold 5     | 10500      | INDETERMINATE (between Thresholds 4 and 5)
Threshold 4     | 6500       |
Threshold 3     | 6000       | OFF (nominal 8 V, between Thresholds 2 and 3)
Threshold 2     | 3500       |
Threshold 1     | 3000       | OPEN CIRCUIT (below Threshold 1)
Assumptions:
- Loop supply voltage 24 V, ±10%.
- Maximum field cable line resistance < 100 Ω total (this means < 50 Ω + 50 Ω for the two cables).
- Minimum isolation is 0.75 MΩ between the field loop conductors.
- These values will allow the input to detect more accurately the different voltage levels that represent OPEN CCT, OFF, ON and SHORT CCT, and will also detect over-voltage and an input which is neither ON nor OFF. The values ensure that a line fault will be declared before it becomes possible for a false declaration of On and Off states due to a combination of resistor value drift and loop voltage variation.
Field Loop Circuit for Line Monitored Digital Input for Fire and Gas Systems (F&G)
[Circuit diagram: 24V dc, Controller, Termination Assembly, shield (if used), terminal blocks]
- The F&G circuit will also allow two devices to be
30. by TÜV or can be obtained from Rockwell Automation.
Internal Diagnostics: The AADvance controller embodies sophisticated internal diagnostic systems to identify faults that develop during operation and raise appropriate alarm and status indications. The diagnostic systems run automatically and check for system faults associated with the controller processor and I/O modules, and field faults associated with field I/O circuits. Wiring principles shall be employed for field loops if it is necessary for the user to guard against short circuit faults between I/O channels, e.g. to comply with NFPA 72 requirements. The AADvance controller internal diagnostics do not detect external short circuits between channels. The diagnostic systems report a serious problem immediately but filter non-essential safe failures to avoid spurious alarms. The diagnostic systems monitor such non-essential items periodically and need a number of occurrences of a potential fault before reporting it as a problem. The internal diagnostics detect and reveal both safe and dangerous failures. In a dual module arrangement, for example, diagnostics can address dangerous failures and help redress the balance between failure to respond and spurious responses. A dual system could therefore be 1oo2D, reverting to 1oo1D on the first detected fault and reverting to fail-safe when both modules have a fault.
Safety Networks: AADvance pr
31. each distribution, for example current limited at source or protective devices. Where protective devices are used, it is important to establish that sufficient current be available to ensure their protective action and that the protective device can break the maximum prospective fault current.
- Ensure that the power supplies are sufficient for the system load and for any foreseeable load requirements and load transients.
- Ensure that the power supplies have a minimum output hold-up time of Oms.
- Ensure that the power distribution cabling is sized to accommodate the maximum prospective fault currents and tolerable voltage losses. This is specifically important where floating supplies are employed and other power sources may result in high prospective fault currents in the event of multiple earth fault conditions.
The power supplies used shall conform to the electrical requirements and tests defined in IEC 61131 Part 2, EN 61010-1 and EN 60950, and shall be of appropriate capacity for the system.
Note: It is highly recommended that the negative side of the field supply be connected to earth ground. This will avoid possible fail-danger conditions that can be caused by some earth fault monitors used with floating power supplies.
System Security: Serial networks are closed and local and have limited protocol functionality, therefore immune to any external attack except local deliberate sabotage. The
32. enable rather than disable a process demand.
safety accuracy: The accuracy of a signal within which the signal is guaranteed to be free of dangerous faults. If the signal drifts outside of this range it is declared faulty.
safety critical state: A faulted state which prevents the execution of a process demand.
sensor: A device or combination of devices that measure a process condition. Examples are transmitters, transducers, process switches and position switches.
sequential function chart: An IEC 61131 language that divides the process cycle into a number of well-defined steps separated by transitions. See limited variability language.
SFF (Safe Failure Fraction): Given by the sum of the rate of safe failures plus the rate of detected dangerous failures, divided by the sum of the rate of safe failures plus the rate of detected and undetected dangerous failures.
SIF (Safety Instrumented Function): A form of process control that performs specified functions to achieve or maintain a safe state of a process when unacceptable or dangerous process conditions are detected.
SIL (Safety Integrity Level): One of four possible discrete levels defined in IEC 61508 and IEC 61511 for specifying the safety integrity requirements of the safety functions to be allocated to a safety related system. SIL 4 has the highest level of safety integrity; SIL 1 has the lowest. Th
33. equipment through digital or analog inputs or outputs. The UL standards can also be used to investigate equipment for use in hazardous locations, such as: the possible presence of an explosive atmosphere such as flammable gas, vapors or liquids (Class I), combustible dusts (Class II) or ignitable fibers (Class III); the likelihood that the explosive atmosphere is present when equipment is operating; or the ignition-related properties of the explosive atmosphere that is present. An area may also be considered hazardous for other reasons, such as the use of electrical equipment in the vicinity of water, the risk of personal injury from moving or falling parts, or even the presence of biological hazards. This approach to classifying hazardous locations is used by the United States (National Electrical Code), Canada (Canadian Electrical Code), Europe (CENELEC EN 60079-10) and throughout the world (IEC 60079-10). While hazards are associated with all of these conditions, areas are only considered hazardous (classified) locations under definitions defined by the NEC, CEC, IEC 60079-10 or CENELEC EN 60079-10, as applicable. The AADvance controller has been investigated and approved by UL for use as Industrial Control Equipment in general industrial environments and for use in hazardous locations Class I, Division 2, Groups B, C and D.
34. example a single shutdown initiation signal. Each safety function shall be responsible for the control of the corresponding outputs. Sharing of outputs between functions shall not be permitted. The use of these function blocks in a safety certified system is only permitted once they have been tested for correct operation. The new or previously untested function may be:
- a generic function block which forms part of the Workbench but has not previously been subject to the level of testing defined herein, or
- a project-specific function block which is written to meet the needs of a particular feature within an application program and may comprise a number of generic function blocks or other program functions.
Individual Safety Related Functions: The AADvance Workbench allows the definition of up to 250 individual programs within a single project. This facility should be exploited to enable the allocation of individual safety related functions to separate programs. Where such programs contain independent logic paths, these should be investigated to determine if they are separate safety functions. Where they are separate, it is recommended that these be further allocated to their own program, subject to conforming to the recommendation to minimize the coupling between programs. Cases should be looked for that allow the creation of individual logic paths by rep
35. exist without the protection of a safety instrumented system before a hazardous event occurs.
processor base unit: A backplane assembly which holds all of the processor modules in an AADvance controller. Part number 9100. See also processor module.
processor module: The application execution engine of the AADvance controller, housed in a self-contained and standardized physical form factor.
producer: A controller producing a tag to one or more consumers at the request of the consumers.
program enable key: A security device that protects the application from unauthorized access and change, in the form factor of a 9-way D-type plug. Part number 9906. Supplied with the processor base unit. See also key connector.
project: A collection of configurations and the definition of the linking between them. See configuration.
proof test: A test performed at a predetermined frequency which functionally tests all of the components that comprise a Safety Instrumented Function, designed specifically to reveal any undetected failures that may exist so that they can be repaired, to ensure that the Safety Instrumented Function continues to meet its designed performance criteria over the entire safety life cycle.
protocol: A set of rules that is used by devices such as AADvance controllers, serial devices and engineering workstations to communicate with each other. The rules encompas
36.
- ANSI/ISA 12.12.01-2013, Nonincendive Electrical Equipment for Use in Class I and II, Division 2 and Class III, Divisions 1 and 2 Hazardous Locations
- UL 508, Industrial Control Equipment, Seventeenth edition, with revisions through and including April 15, 2010
- NRAG7.E251761, Programmable Controllers for Use in Hazardous Locations, Certified for Canada, Class I, Division 2, Groups A, B, C and D
The products have been investigated using requirements contained in the following standards:
- CSA C22.2 No. 213-1987, Nonincendive Control Equipment for Use in Class I, Division 2 Hazardous Locations
- CSA C22.2 No. 142-M1987, Process Control Equipment, Edition Revision date 1990-09-01
Products Covered: The products investigated and approved are Programmable Logic Controllers, Models 9110 Processor Module, 9401/2 Digital Input Module, 9431/2 Analogue Input Module, 9451 Digital Output Module and 9482 Analogue Output Module. Listed Accessories for use with PLCs: 9100 Processor Backplane; 9300 I/O Backplane; 9801 Digital Input Termination Assembly, Simplex; 9802 Digital Input Termination Assembly, Dual; 9803 Digital Input Termination Assembly, TMR; 9831 Analogue Input Termination Assembly, Simplex; 9832 Analogue Input Termination Assembly, Dual; 9833 Analogue Input Termination Assembly; 9851 Digital Output Termination Assembly, Simplex
37. http://www.rockwellautomation.com/icstriplex
Technical support: icstsupport@ra.rockwell.com
Sales enquiries: sales@icstriplex.com
Rockwell Automation, Millennium House, Campus 1, Aberdeen Science & Tech Park, Balgownie Road, Bridge of Don, Scotland, UK. Tel: +44 1224 227780
Dubai: Silvertech Middle East FZCO, PO Box 17910, Jebel Ali Free Zone, Dubai, UAE. Tel: +971 4 883 7070
38. initiates a safe shutdown.
- Any changes to hardware or software shall be documented, approved and maintained in a file on the site.
- System operation shall be tested and verified for compliance with the NFPA 86 standard and the original design criteria whenever the AADvance controller is replaced, repaired or updated.
- Whenever application software that contains safety logic or detection logic is modified, system operation shall be verified for compliance with the NFPA 86 standard and the original design criteria.
- The NFPA 86 certification is only applicable where the system is applied in accordance with this safety manual and NFPA 86 requirements.
EN 50156-1:2004 applies to the application, design and installation of electrical equipment, control circuits and protective systems for furnaces which are operated with solid, liquid or gaseous fuels, and their ancillary equipment. It specifies requirements to meet operating conditions for furnaces, to reduce the hazards of combustion and to protect the heated systems from damage. The AADvance controller is certified for use in EN 50156 compliant systems. In particular, the AADvance controller controls protective devices for:
- monitoring of flames and other safety conditions of the firing
- interrupting the flow of the fuel to the furnace for safety reasons
- ventilating the body of the furnace and the flue gas ducts
- monitoring of safety conditions of the heated systems
39. levels. The Operating and Maintenance Plan shall include the following items:
- Clear definitions of power-up and power-down sequences. These definitions shall ensure that the sequences cannot result in periods when the system is unable to respond safely whilst a hazard may be present.
- The procedures for re-calibrating sensors and actuators. The recommended calibration periods shall also be included.
- The procedures for periodically testing the system, together with definitions of the maximum intervals between testing.
- Definitions of the overrides to be applied to be able to carry out maintenance of the sensors and actuators.
- The procedures for maintaining system security.
Maintaining Functional Safety: Design changes will inevitably occur during the system life cycle; to ensure that the system safety is maintained, such changes shall be carefully managed. Procedures defining the measures for updating the plant or system shall be defined and documented. These procedures are the responsibility of the end user, but the system integrator shall provide sufficient guidance so that the procedures maintain the required level of functional safety during and after the changes.
Functional Safety Assessment: The functional safety assessment shall confirm the effectiveness of the functional safety performance of the system. The assessment in this context is limited to the safety related system and should con
40. module is replaced, then the previous fault tolerance level is restored. For example, in a fault tolerant input arrangement where one module is faulty, the system will degrade to 1oo1D; by replacing the faulty module the configuration is restored to 1oo2D.
Configuration Backups: You must make a backup of the Workbench system and test the backup copy prior to storing it. Refer to the AADvance Configuration Guide for information about these procedures.
SIL 2 Fail-safe Architecture: The following is a simplex fail-safe SIL 2 architecture where modules operate in 1oo1D under no fault conditions and will fail safe on the first detected fault. The processor module operates in 1oo1D and will degrade to fail safe on the first detected fault.
Note: Simplex processors can only be used for low demand applications. Simplex output modules used for energize-to-action applications can only be used for low demand applications.
[Architecture diagram: Sensors, I/P, CPU, O/P, Final Elements]
Table 3: Modules for SIL 2 Fail Safe Architecture
Position | Module Type
I/P A    | T9401/2 Digital Input Module, 24V dc, 8/16 Channel; T9801 Digital Input TA, 16 Channel Simplex; or T9431/2 Analogue Input Module, 8/16 Channel; T9831 Analogue Input TA, 16 Channel Simplex; T9300 I/O Base Unit
CPU A    | 1 x T9110 Processor Module; T9100 Processor Base Unit
O/P A    | T945 Di
41. or 1 x T9481/T9842 Analogue Output Module, 8 Ch Isolated; T9881 Analogue Output TA, 8 Ch Simplex
SIL 3 Fault Tolerant Architectures: A SIL 3 fault tolerant processor and I/O is achieved by dual input and output module configurations with dual or triple processor modules. The processor modules operate in 1oo2D under no fault conditions, degrade to 1oo1D on the detection of the first fault in either module, and fail safe when there are faults on both modules. Similarly, the input modules operate in 1oo2D under non-faulted conditions and 1oo1D on detection of the first fault in either module, and will fail safe when there are faults on both modules. The processor must be repaired within the MTTR assumed in the PFD calculations, or SIL 3 safety instrumented functions must be shut down. For SIL 3 applications you must use a minimum of a dual processor configuration.
[Architecture diagram: Sensors, Final Elements]
Digital Output Modules: A digital output module fault must be repaired within the MTTR which was used in the PFD calculation.
Analogue Output Modules: An analogue output module fault must be repaired within the MTTR which was used in the PFD calculation.
Table 8: Modules for SIL 3 Fault Tolerant Architectures
Position | Module Type
I/P      | 2 x T9401/2 Digital Input Module, 24V dc, 8/16 Channel; T9802 Digital Input TA
42. polarization key fitted to the 9100 processor base unit and to each termination assembly, which ensures only a module of the correct type may be fitted in a particular slot. Part number 9903.
coil: In IEC 61131-3, a graphical component of a Ladder Diagram program which represents the assignment of an output variable. In Modbus language, a discrete output value.
Compiler Verification Tool (CVT): The Compiler Verification Tool (CVT) is an automatic software utility that validates the output of the application compilation process. This process, in conjunction with the validated execution code produced by the AADvance Workbench, ensures a high degree of confidence that there are no errors introduced by the Workbench or the compiler during the compilation of the application.
configuration: A grouping of all the application software and settings for a particular AADvance controller. The grouping must have a target, but for an AADvance controller it can have only one resource.
consumer: The consuming controller requests the tag from the producing controller.
contact: A graphical component of a Ladder Diagram program which represents the status of an input variable.
continuous mode: Where the Safety Instrumented Function in the Safety System is continually maintaining the process in a safe state.
controller: A logic solver; the combination of application execution engine and I/O har
43. shall be provided to the owner and operator indicating that all safety devices and logic meet the requirements of the application. System response time shall be sufficiently short to prevent negative effects on the application. The NFPA 85 certification is only applicable where the system is applied in accordance with this safety manual and NFPA 85 requirements.
NFPA 86 Requirements / EN 50156: NFPA 86 (2015) provides comprehensive requirements for the safe design, installation, operation, inspection, testing and maintenance of Class A, B, C and D ovens, dryers and furnaces. The AADvance system is certified for use with NFPA 86 compliant systems. The systems should be integrated in accordance with NFPA 86. In particular, the following shall be applied:
- The supplier of the application software for the AADvance controller shall provide both the end user and the safety authority having jurisdiction with the documentation needed to verify that all related safety devices and safety logic are functional before the controller is placed in operation.
- In the event of a power failure, the AADvance controller hardware and software shall not prevent the system from reverting to a safe default condition; the safe condition shall be maintained upon the restoration of power.
- The control system shall have a separate manual emergency switch, independent of the AADvance controller, which
44. software aspects.
IEC 61511: An international standard for functional safety and safety instrumented systems (SIS) for the process industry, encompassing electrical, electronic and programmable electronic systems, hardware and software aspects.
indicator: A device which can change its state to give information.
input (Workbench variable): In the context of an AADvance Workbench variable, this term describes a quantity passed to the Workbench from a controller.
instruction list: An IEC 61131 language similar to the simple textual language of PLCs. See limited variability language.
integer: A variable type defined by the IEC 61131 standard.
IXL: Stands for ISaGRAF eXchange Layer. This is the communication protocol between ISaGRAF based components.
K
key connector: The receptacle on the AADvance controller for the program enable key. A 9-way D-type socket located on the 9100 processor base unit.
L
ladder diagram: An IEC 61131 language composed of contact symbols representing logical equations and simple actions. The main function is to control outputs based on input conditions. See limited variability language.
LAN: Local area network. A computer network covering a small physical area, characterised by a limited geographic range and lack of a need for leased telecommunication lines.
live insertion: The removal and then reinsertion of an electronic modu
45. temperature range is -25 °C to +60 °C (-13 °F to +140 °F). All other Models: The ambient temperature range is -25 °C to +70 °C (-13 °F to +158 °F). Subject devices are to be installed in an ATEX/IECEx Certified IP54 tool-accessible enclosure that has been evaluated to the requirements of EN 60079-0:2012+A11:2013 and EN 60079-15:2010 (IEC 60079-0 Ed 6 and IEC 60079-15 Ed 4). Enclosure is to be marked with the following: "Warning: Do not open when energized". After installation of subject devices into the enclosure, access to termination compartments must be dimensioned so that conductors can be readily connected. Grounding conductor should have a minimum cross-sectional area of 3.31 mm². Subject devices are for use in an area of not more than pollution degree 2 in accordance with IEC 60664-1. Subject devices are to use conductors with a minimum conductor temperature rating of 85 °C. Subject devices are to be installed in the vertical orientation only. AADvance meets the essential requirements of EN 60079-0:2012+A11:2013 & EN 60079-15:2010 and IEC 60079-0 Ed 6 and IEC 60079-15 Ed 4.
File Number E251761: The AADvance controller investigation and approval is contained in the following file certifications:
- NRAG.E251761, Programmable Controllers for Use in Hazardous Locations, Class I, Division 2, Groups A, B, C and D
The products have been investigated using requirements contained in the following standards:
46. the terminal if fed by a common system-mounted supply.
System powered devices
[Circuit diagram: 24V, Termination Assembly, 0V]
The above circuit is appropriate for devices that are powered by the system. The channel will pass a requested current between and 24 mA. The field device could also be connected between the 24V supply and the Loop Plus terminal.
[Circuit diagram: 24V, Termination Assembly]
Note: If the 0V or 24V supply is shared between channels or between modules, the field loops will not be isolated from each other.
Field powered devices
[Circuit diagram: Termination Assembly]
The above circuit is appropriate for devices that are powered locally and expect a current-controlled signal loop. Ensure that the loop is wired to pass current to the Loop Plus terminal and return it on the Loop Minus terminal.
Sensor Configurations: In safety critical input applications using a single sensor, it is important that the sensor failure modes be predictable and well understood, so there is little probability of a failed sensor not responding to a critical process condition. In such a configuration it is important that the sensor be tested regularly, either by dynamic process conditions that are verified in the AADvance system or by manual intervention testing. The function of a signal shall be considered when al
47. the process and their impact on safety are understood by any person using these facilities. It is the plant operator's responsibility to ensure that, if forced conditions are present, they do not jeopardize the functional safety. Forcing requires the program enable key to be fitted to the 9100 Processor Base Unit and is intended only for the purposes of engineering, installation and commissioning activities. When the system is in service, maintenance overrides for safety related inputs and outputs should be implemented using the application program instead. The Force LED on the front of the T9110 Processor Module indicates when one or more I/O points are forced. The application program can determine how many points are currently forced; it is highly recommended that this information be used to control an additional status display and/or for logging purposes. If the forcing facility is used when the system is in service, a safety related input connected to an operator-accessible switch shall be implemented to initiate the removal of the force condition. A list of the currently locked points is read back from the AADvance system and made available within the AADvance Workbench.
Maintenance Overrides: Maintenance Overrides set inputs or outputs to a defined state that can be different from the real state during safety operation. They are used during maintenance, usually to override input or output conditions in order to perform a perio
48. time control application. The configuration and programming languages approved for use in SIL 3 safety related applications are shown in the table (the "Safety Related" approval column did not survive extraction; the language rows were):
- Function Block (FB)
- Instruction List (IL), not supported by Workbench 2.0
- Structured Text (ST)
- Ladder Diagrams (LD)
- Sequential Function Chart (SFC), not supported by Workbench 2.0 in a safety related application
Safety Related Languages: The AADvance controller supports a comprehensive set of certified functions. The certified function set includes the most commonly used functions. These tested functions may be used freely in the development of an application. Further functions may be used subject to completion of testing commensurate with the level used for the commonly used functions. IL (not supported by Workbench 2.0) and ST include program flow control functions; these functions shall be used with caution to ensure that infinite loop or omitted logic conditions do not result. Where these constructs are used, it is recommended that full branch and data coverage tests be performed on these sections of program. It is recommended that only Boolean conditions be used for these constructs to ensure that a feasible set of tests can be applied. Application programmer generated function blocks may be created either on a project-specific or library basis. Where these functions are to be used for safety related applications th
49. to +70 °C. Subject devices are to be installed in an ATEX Certified IP54 tool-accessible enclosure that has been evaluated to the requirements of EN 60079-0:2012+A11:2013 and EN 60079-15:2010. Enclosure is to be marked with the following: "Warning: Do not open when energized". After installation of subject devices into the enclosure, access to termination compartments shall be dimensioned so that conductors can be readily connected. Grounding conductor should have a minimum cross-sectional area of 3.31 mm². Subject devices are for use in an area of not more than pollution degree 2 in accordance with IEC 60664-1. Subject devices are to use conductors with a minimum conductor temperature rating of 85 °C. Subject devices are to be installed in the vertical orientation only.
18 Essential Health and Safety Requirements: Met by compliance with the standards EN 60079-0:2012+A11:2013 and EN 60079-15:2010.
IC FO060 Issue 7.0. This certificate may only be reproduced in its entirety and without any change, schedule included.
[Document schedule columns (Rev Level, Date) spilled here; individual dates, ranging from 2011-08-04 to 2014-05, are not recoverable per document.]
Page 5 of 5
50. to the functional safety certification of the AADvance system to IEC 61508 SIL 3 and other relevant standards. This Manual contains rules and recommendations:
- Rules are mandatory and shall be followed if the resulting system is to be a SIL 3 compliant application. These are identified by the term "shall".
- Recommendations are not mandatory, but if they are not followed extra safety precautions shall be taken in order to certify the system. Recommendations are identified by the term "it is highly recommended".
Process Safety Time: The process safety time for the equipment under control relates to the logic solver portion of PST (PSTc); it is the period a dangerous condition can exist before a hazardous event occurs without a safety system as a protection. It can be a fraction of a second or several hours, depending on the process. A PST can be defined for a controller via the processor module and independently for individual modules; however, the processor-defined PST will always have priority over the I/O PST if the I/O PST exceeds the processor value.
Fault Tolerance in Safety Applications: For safety applications you shall define how the control system will respond in the presence of faults. As faults accumulate this becomes the system's defined state of degraded operation, or fault tolerance level.
- Simplex systems are not fault tolerant and do not have the ability to continue their operation in the presence of faul
(continued) …02 and 9432 Schematic, Board No. 151751, 62 pages
Model 9881 Schematic
Model 9882 Schematic
Model 9892 Schematic
Model 9100 Construction Drawing, 2 pages (representative of Model 9101)
Model 9300 Construction Drawing, 6 pages
Model 9110 Construction Drawing, 3 pages
Model 9401 Construction Drawing, 2 pages (represents the Processors 9110 and 9111 and all I/O devices)
Model 9801 Construction Drawing, 1 page (represents all termination assemblies)
Marking Label 9100/9300, 1 page
Marking Label 9300, 1 page
Marking Label 9100, 1 page
Marking Label, All Modules, 2 pages
Marking Label 9110/9101, All Modules, 3 pages
Marking Label 9110, 1 page
Marking Label 9101, 1 page
Marking Label, All Termination Assemblies except 9851 and 9852, 1 page
Marking Label 9851 and 9852, 1 page
Marking Label (Model Number only) 9801, 1 page
Marking Label (Model Number only) 9802, 1 page
Marking Label (Model Number only) 9803, 1 page
Marking Label (Model Number only) 9831, 1 page
Marking Label (Model Number only) 9832, 1 page
Marking Label (Model Number only) 9833, 1 page
Marking Label (Model Number only) 9851, 1 page
Marking Label (Model Number only) 9852, 1 page
Marking Label (Model Number only) 9881, 1 page
Marking Label (Model Number only) 9882, 1 page
Marking Label (Model Number only) 9892, 1 page
ICSTT-RM446-EN-P Issue 12
Field Configurations
The following are recommended field loop circuits for line monitoring of digital and analogue inputs. Use cable monitoring and circuit-integrity cable as appropriate for the application, because inter-channel short circuits cannot be detected by an AADvance controller.

Line Monitoring
This section provides recommended line monitoring circuits and resistor values. You can set up line monitoring on the following modules:
- T9401 and T9402 Digital Input Modules
- T9431 and T9432 Analogue Input Modules
Note: You must ensure that there is no crossover between channels.

Digital Input Field Loop Circuits
Recommended Field Loop Circuits
This section contains recommended field loop circuits for line monitoring digital inputs used in Emergency Shutdown or Fire & Gas applications.

[Figure: Field Loop Circuit for Digital Input, 24 V dc; shows the controller, termination assembly, field terminal blocks, line-monitoring resistors R1 and R2, and the cable shield (if used)]

[Figure: Field Loop Circuit for Line Monitored Digital Input for Emergency Shutdown Systems (ESD); same elements]

The suggested values for R1 and R2 are
(continued: drawing number, revision level and date columns of the descriptive-document schedule)
This certificate may only be reproduced in its entirety and without any change, schedule included. Page 4 of 5.

Schedule, Type Examination Certificate No. DEMKO 11 ATEX 1129711X Rev 2, Report 4786336921
Description:
Marking Label (Model Number only) 9882, 1 page
Marking Label (Model Number only) 9892, 1 page
System Build Manual / Installation Instructions, 107 pages
Model 9100 and 9101 Critical Component List, 2 pages
Model 9110 Critical Component List, Circuit Number 151421, 3 pages
Model 9110 Critical Component List, Circuit Number 151431, 4 pages
Model 9300 Critical Component List, 2 pages
Model 9401 and 9402 Critical Component
Routine tests: None.

16. Descriptive Documents: Project Report No. 4786336921, Hazardous Location Testing.

Drawings
Description                                                                   Drawing No.  Rev   Date
Model 9100 Schematic, 8 pages                                                 130662       O     2009-12-17
Model 9101 Schematic, 6 pages                                                 131022       D7    2011-05-31
Model 9300 Schematic, 2 pages                                                 130622       -     2008-06-07
Model 9110 and 9111 Schematic, Board 151421, 25 pages                         130642       N1    2011-09-13
Model 9110 and 9111 Schematic, Board No. 151431, 9 pages                      130652       P5    2011-05-31
Models 9401, 9402, 9431 and 9432 Schematic, Board Nos. 151441 and 151961, 67 pages   130682   AE3   2012-05-18
Model 9481 and 9482 Schematic, Board Nos. 151631 and 151791, 41 pages          130842       M10   2013-09-26
Model 9482 Schematic, Board No. 151801, 56 pages                              130852       H4    2013-09-26
Model 9451 Schematic, Board No. 151521, 42 pages                              130722       R2    2011-05-31
Model 9451 Schematic, Board No. 151531, 21 pages                              130732       O     2009-07-01

00-IC-F0060 Issue 7.0. This certificate may only be reproduced in its entirety and without any change, schedule included. Page 3 of 5.

Schedule, Type Examination Certificate No. DEMKO 11 ATEX 1129711X Rev 2, Report 4786336921
Description:
Model 9801 and 9831 Schematic, 6 pages
Model 9802 and 9832 Schematic, 7 pages
Model 9803 and 9833 Schematic, 7 pages
Model 9851 Schematic, 2 pages
Model 9852 Schematic, 2 pages
Model 94
AADvance: The Next Step in Automation
AADvance Controller Safety Manual, Issue 12, ICSTT-RM446-EN-P
Rockwell Automation / ICS Triplex ("Listen. Think. Solve.")

Notice
In no event will Rockwell Automation be responsible or liable for indirect or consequential damages resulting from the use or application of this equipment. The examples given in this manual are included solely for illustrative purposes. Because of the many variables and requirements associated with any particular installation, Rockwell Automation does not assume responsibility or liability for actual use based on the examples and diagrams. No patent liability is assumed by Rockwell Automation with respect to use of information, circuits, equipment or software described in this manual. All trademarks are acknowledged.

Disclaimer
It is not intended that the information in this publication covers every possible detail about the construction, operation or maintenance of a control system installation. You should refer to your own or supplied system safety manual, installation instructions and operator/maintenance manuals.

Revision and Updating Policy
This document is based on information available at the time of its publication; however, the document contents are subject to change from time to time. You should contact Rockwell Automation Technical Sup
AADvance Communication Ports
The port table lists, for each controller port, its availability (either "always available" or "when configured") and its purpose.
Availability (per port, in table order): when configured; always available; always available; always available; always available; always available; always available; when configured; always available; always available.
Purpose (per port, in table order): Modbus slave; ISaGRAF application downloads, debug, SoE etc.; Transparent Comms Interface (serial tunnelling); CIP Produce & Consume; Telnet diagnostic interface; SNTP; IXL bindings; Discovery and Configuration Protocol (DCP); Rockwell Automation CIP Produce & Consume I/O; Trusted Peer to Peer CIP Produce & Consume.

When "always available" ports are not configured, or are unused, they are open to unauthorized access. Unused open ports that are not configured should be blocked; this can be done in the firewall settings. Refer to the appropriate AADvance Configuration Guide for instructions about blocking these ports. The Telnet port is for diagnostic access and should only be used by Rockwell Technical Support.

Associated Documents
The following documents are associated with the safety requirements applicable to the AADvance system. Further supporting information is available on the TÜV web site.

PFH and PFD Data
The PFH and PFD data is provided in a separate document: Doc. No. 553847, PFD Data for AADvance Controllers.
Table
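The rule above (an always-available port that nobody configured is an open door, so block it at the firewall in front of the controller, and treat Telnet as support-only) can be turned into a repeatable commissioning check. The following is an added example written for this page, not code from the manual or from Rockwell Automation: it takes a port inventory and produces both the audit findings and the firewall rules. The service names follow the manual's port table; the TCP/UDP port numbers are the standard IANA assignments for each protocol (Modbus/TCP 502, Telnet 23, SNTP 123, EtherNet/IP CIP 44818/2222) and are an assumption for illustration, as are the availability/configured flags, the controller address and the support host. Take the real values from the Configuration Guide before deploying rules.

```python
"""Added example, not code from the AADvance manual or from Rockwell Automation.

Models the manual's rule for controller communication ports: a port that is
"always available" but has not been configured (or is unused) is open to
unauthorized access and must be blocked, normally at the firewall in front of
the controller; the Telnet diagnostic port is for Rockwell Technical Support only.

ASSUMPTIONS: service names follow the manual's port table, but the port numbers
are the IANA defaults for each protocol (not taken from the manual), the
availability/configured flags are constructed sample data, and the addresses
are placeholders.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Service:
    name: str
    proto: str                                  # "tcp" or "udp"
    port: int                                   # ASSUMED IANA default, not from the manual
    always_available: bool                      # listening even when nothing was configured
    configured: bool = False                    # operator deliberately enabled and uses it
    allowed_sources: Tuple[str, ...] = ()       # CIDRs that may reach it


# Constructed sample inventory for one controller (flags are illustrative).
SAMPLE_PORTS: List[Service] = [
    Service("Modbus slave", "tcp", 502, False, True, ("10.10.1.0/24",)),
    Service("Telnet diagnostic interface", "tcp", 23, True, False),
    Service("SNTP", "udp", 123, True, False),
    Service("CIP Produce & Consume", "tcp", 44818, True, True, ("10.10.2.10/32",)),
    Service("CIP I/O", "udp", 2222, True, False),
]

CONTROLLER_IP = "10.10.0.5"     # placeholder controller address
SUPPORT_HOST = "10.10.9.9/32"   # placeholder: engineering PC used by technical support


def unconfigured_open_ports(services: List[Service]) -> List[Service]:
    """Ports the controller exposes although nobody configured them: these must be blocked."""
    return [s for s in services if s.always_available and not s.configured]


def firewall_rules(services: List[Service], controller_ip: str) -> List[str]:
    """Emit iptables FORWARD rules for a firewall in front of the controller.

    Per port: explicit ACCEPT for each allowed source, then a DROP for everyone
    else, so an unconfigured always-available port ends up DROP-only.  Telnet is
    never opened to the plant network; only the support host may reach it.
    """
    rules: List[str] = []
    for s in services:
        base = f"iptables -A FORWARD -p {s.proto} -d {controller_ip} --dport {s.port}"
        sources = list(s.allowed_sources)
        if s.name.startswith("Telnet"):
            sources = [SUPPORT_HOST] if s.configured else []
        if s.configured:
            for cidr in sources:
                rules.append(f"{base} -s {cidr} -j ACCEPT  # {s.name}")
        rules.append(f"{base} -j DROP  # {s.name}: default deny")
    return rules


def audit(services: List[Service]) -> List[str]:
    """Findings a commissioning checklist would raise for this inventory."""
    findings: List[str] = []
    for s in unconfigured_open_ports(services):
        findings.append(f"{s.name} ({s.proto}/{s.port}) is always available but unconfigured: block it")
    for s in services:
        if s.configured and not s.allowed_sources and not s.name.startswith("Telnet"):
            findings.append(f"{s.name} ({s.proto}/{s.port}) is configured with no source restriction")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_PORTS):
        print("FINDING:", line)
    print("\n".join(firewall_rules(SAMPLE_PORTS, CONTROLLER_IP)))
```

The generated rules are deliberately default-deny per port rather than a single blanket rule, so that adding a new allowed source later is an explicit change that can be reviewed.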
The AADvance system, however, with its workstations and DCS interfaces, uses Ethernet networks which tend to be part of a larger corporate network and can expose the system to accidental or malicious infection or attack. There are some simple steps that can be taken to help prevent such issues.

Network and workstation security should be considered; for example:
- AADvance should not be on a network with open, unsecured access to the Internet.
- The firewall must be active on the workstation, preventing access to the relevant Ethernet ports on each communication interface.
- Anti-virus software must be installed and be kept up to date.
  Note: Firewalls have been known to affect the operation of the AADvance Discover tool.
- The workstation should be password protected. If the workstation is a laptop, it should be kept locked when not in use.
- If the workstation uses a hardware license (USB dongle), it should be kept secure; without it the workstation software will not run.
- The application should be password protected.
- Removable media such as USB storage devices and CDs should be virus checked before use within the system.
- The program enable key must be inserted into the processor base unit to let you change the application or I/O configuration. Make sure the key is removed when the changes are finished.
…Digital Outputs .......... 4-13
Analogue Input Field Loop Circuits .......... 4-15
Recommended Circuit for Analogue Inputs .......... 4-16
Sensor Configurations .......... 4-19
Precautions for HART in a Safety System .......... 4-20
HART Pass Through .......... 4-20
Actuator Configurations .......... 4-21
Calculations of Probability of Failure upon Demand .......... 4-22
Processor Functional Safety Configuration .......... 4-22
Processor Safety .......... 4-22
Reaction to faults in the processor module .......... 4-23
Recovery Mode .......... 4-23
Processor Module Locking Screw Safety Function .......... 4-23
Proc
Distributed process monitoring and control
The AADvance controller is a logic solver and I/O processing device that consists of processor modules, I/O modules and field termination assemblies that can easily be assembled and configured. A system is built up from one or more controllers, a combination of modules, power sources, communications networks and user workstations. How you configure the system determines the type of application it can be used for.

An AADvance controller is particularly well suited to emergency shutdown and fire and gas detection/protection applications, providing a system solution with integrated and distributed fault tolerance. It is designed and validated to international standards and is certified by TÜV for functional safety control installations.

The significant benefits of the AADvance controller are its performance and flexibility. Being designed to IEC 61508, it meets both SIL 2 and SIL 3 application requirements from the basic range of modules, and mixed-SIL applications can be covered by this range of modules. All of the configurations are readily achieved by combining modules and assemblies without using special cables or interface units. System architectures are user configurable and can be changed without major system modifications. Processor and I/O redundancy is configurable, so you can choose between fail-safe and fault-tolerant solutions. This scalability is user configurable, therefore there
Ethernet
- Supports industry standard protocols including Modbus and HART.
- Supports OPC when using an OPC Portal.
- AADvance serial networks are closed and local and have limited protocol functionality, so they are not exposed to remote attack; the only remaining exposure is local, deliberate sabotage.

The AADvance system, however, with its workstations and DCS interfaces, uses Ethernet networks which are frequently part of a larger corporate network and can expose the system to accidental or malicious infection or attack. The following general security steps should be used to ensure the system is secure.

Network and workstation security must be set up when installing and setting up the system. As a minimum, use the following security measures:
- The AADvance system must not be connected to a network with open, unsecured access to the Internet.
- A router firewall must be active on the workstation, preventing access to the unused Ethernet ports on each communication interface.
- Anti-virus software must be installed and be kept updated.
  IMPORTANT: Firewalls have been known to affect the operation of the AADvance Discover utility, so it may be necessary to temporarily disable the firewall when using this tool; re-enable it as soon as the tool is no longer needed.
- The workstation must be password protected.
- If the workstation is a laptop, it must be kept locked when not in use.
- If the workstation uses a hardware license (USB dongle), it must be kept secure; with
(continued)
EN 61326-3-1:2008
EN 61000-6-2:2005
EN 61000-6-4:2007
NFPA 72:2013
NFPA 85:2015
NFPA 86:2015
The analogue output modules are not certified to EN 54-2. You can download a copy of the TÜV certificate from www.fs-products.com.

System Installation Environment
The installation environment can be a source of common cause failure, so it is necessary that the installation assessment covers the environmental specification for the AADvance system and includes the following:
- the prevailing climatic conditions
- type of area, e.g. is it a hazardous or non-hazardous area
- location of power sources
- earthing and EMC conditions
In some customer installations parts of the system can be installed in differing locations; in these cases the assessment must include each location.

Power Sources and Heat Dissipation Calculations
It is highly recommended that module supply power and field loop power consumption calculations are done to find out the heat dissipation before designing a suitable enclosure and making a decision about the installation environment (see topic System Design for Heat Dissipation).

Safety Related System Installation Process
For a Safety Related System the installation process must also be in line with the following:
You must use the installation guidelines given in this manual and any installation and commissioning procedures that comply with applicable international or lo
IECEx Certificate of Conformity, Certificate No. IECEx UL 12.0032X, Date of Issue 2014-05-28, Issue 2, Page 3 of 4

Schedule
EQUIPMENT
Equipment and systems covered by this certificate are as follows: These devices are low-power, open-type programmable logic controllers that are intended for installation in an ultimate enclosure. The 9000 Programmable Logic Controller Series consists of the following modules (please see Annex for additional details).

CONDITIONS OF CERTIFICATION: YES, as shown below
- Models 9110 and 9111: the ambient temperature range is -25 °C to +60 °C. All other models: the ambient temperature range is -25 °C to +70 °C.
- Subject devices are to be installed in an IECEx-certified IP54 tool-accessible enclosure that has been evaluated to the requirements of IEC 60079-0 Ed. 6 and IEC 60079-15 Ed. 4. The enclosure is to be marked with the following warning: "Do not open when energized".
- After installation of the subject devices into the enclosure, access to termination compartments shall be dimensioned so that conductors can be readily connected.
- The grounding conductor should have a minimum cross-sectional area of 3.31 mm².
- Subject devices are for use in an area of not more than pollution degree 2 in accordance with IEC 60664-1.
- Subject devices are to use conductors with a minimum conductor temperature rating of 85 °C.
- Subject devices are to be installed in the vertical orientation only.
(continued) …List, 4 pages
Model 9402 Critical Component List, 2 pages
Model 9431 and 9432 Critical Component List, 3 pages
Model 9481 and 9482 Critical Component List, 6 pages
Model 9482 Critical Component List, 3 pages
Model 9451 Critical Component List, Circuit Number 151521, 4 pages
Model 9451 Critical Component List, Circuit Number 151531, 3 pages
Model 9801 Critical Component List, 3 pages
Model 9802 Critical Component List, 3 pages
Model 9803 Critical Component List, 3 pages
Model 9831 Critical Component List, 3 pages
Model 9832 Critical Component List, 3 pages
Model 9833 Critical Component List, 3 pages
Model 9851 Critical Component List, 3 pages
Model 9852 Critical Component List, 3 pages
Model 9881 Critical Component List, 2 pages
Model 9882 Critical Component List, 2 pages
Model 9892 Critical Component List, 3 pages
T9000 DIB Product Information

17. Special conditions for safe use:
Models 9110 and 9111: the ambient temperature range is -25 °C to +60 °C. All other models: the ambient temperature range is -25 °C
IECEx UL Certificate
IECEx Certificate of Conformity
INTERNATIONAL ELECTROTECHNICAL COMMISSION, IEC Certification Scheme for Explosive Atmospheres (for rules and details of the IECEx Scheme visit www.iecex.com)
Certificate No.: IECEx UL 12.0032X, Issue No. 2
Certificate history: Issue No. 2, 2014-05-28 (current); Issue No. 1, 2014-01-30; Issue No. 0, 2012-08-27
Date of Issue: 2014-05-28. Page 1 of 4
Applicant: Rockwell Automation Ltd, Hall Road, Maldon CM9 4LA, United Kingdom
Electrical Apparatus: Programmable Logic Controllers
Optional accessory:
Type of Protection: Non-Sparking "nA"
Marking: Ex nA IIC T4 Gc
Approved for issue on behalf of the IECEx Certification Body: Paul T. Kelly, Principal Engineer, Global Hazardous Locations. Date: 2014-05-28
1. This certificate and schedule may only be reproduced in full.
2. This certificate is not transferable and remains the property of the issuing body.
3. The status and authenticity of this certificate may be verified by visiting the official website.
Certificate issued by: UL LLC, 333 Pfingsten Road, Northbrook, IL 60062-2096, United States of America

IECEx Certificate of Conformity, Certificate No. IECEx UL 12.0032X, Date of Issue 2014-05-28, Issue 2, Page 2 of 4
Manufacturer
Vocabulary and Conventions .......... 1-2
Process Safety Time .......... 1-2
Fault Tolerance in Safety Applications .......... 1-2
The AADvance Controller .......... 1-3
AADvance Features .......... 1-5
System Security .......... 1-5
Communication Port Security .......... 1-6
Associated Documents .......... 1-7
PFH and PFD Data .......... 1-8
System Installation Environment .......... 1-9
Power Sources and Heat Dissipation Calculations .......... 1-9
Safety Related System Installation Process .......... 1-9
Environment Standards .......... 1-10
Installation Requirements for Non-Hazardous Environment .......... 1-10
Investigation File Number E341697
(continued) …exchange is independent of the physical network configuration, as the connection between the controllers is treated as a logical network. The physical network is considered a "black channel", so the design of the Ethernet network and the equipment used does not impact the SIL rating of the communications interface; the design of the network does, however, affect the reliability of the network and so impacts the spurious trip rate.

SNCP Network
Data can be combined on a common network, resulting in safety and non-safety data sharing a common physical network. This does not compromise the SIL rating of the network, but again it does introduce failure modes, and possibly security risks, which can increase the spurious trip rate. Careful consideration should be given to the network topology during the application specification and design phase.

[Figure: Redundant SNCP Network, showing dual-processor T9110 controllers linked by SNCP bindings over two networks, a single T9431 analogue input module with sensors, and a single T9451 digital output module driving field elements]

Configuring SNCP Safety Network
The SNCP protocol can be configured in the AADvance controller to provide a safety network; refer to the AADvance Configuration Guides (Doc. Nos. 553633 and 555063) for detailed configuration procedures. For SNCP bindings to be used in a Simplex Ne
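The black-channel statement above is worth seeing in working form: the transport does not affect the SIL rating because the safety layer detects everything the transport can do wrong, but each detected fault still trips the output, which is why network reliability shows up in the spurious trip rate. The following is an added, illustrative example written for this page; it is not the SNCP frame format and not Rockwell code. Its frame layout (sequence number, producer timestamp, value, CRC-32), the 200 ms timeout, the fail-safe value 0 and the deterministic drop/corrupt "channel" are all assumptions chosen to make the behaviour observable.

```python
"""Added example; illustrative only, not the SNCP frame format or any Rockwell code.

Demonstrates the black-channel principle: the safety layer protects each
exchange with its own sequence number, producer timestamp and CRC, so
corruption, loss, reordering and delay on the untrusted Ethernet path are
detected and drive the consumer to its fail-safe value.  The transport cannot
cause an undetected wrong value, but every detected fault is a trip.
Frame layout, CRC choice, timeout and fail-safe value are assumptions.
"""
import struct
import zlib
from dataclasses import dataclass, field
from typing import Dict, Optional

FRAME_FMT = ">HIHI"                      # seq u16 | producer time ms u32 | value u16 | crc32 u32
FRAME_LEN = struct.calcsize(FRAME_FMT)   # 12 bytes
FAIL_SAFE = 0                            # de-energize-to-trip: 0 is the safe value
HEALTHY = 1                              # value the producer sends while the process is safe
TIMEOUT_MS = 200                         # assumed safety-layer timeout


def make_frame(seq: int, t_ms: int, value: int) -> bytes:
    """Producer side: payload plus CRC-32 over the payload."""
    body = struct.pack(">HIH", seq & 0xFFFF, t_ms, value)
    return body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


@dataclass
class Consumer:
    """Consumer side; everything beneath it (the 'black channel') is untrusted."""
    expected_seq: int = 0
    last_good_ms: Optional[int] = None
    output: int = FAIL_SAFE
    trips: int = 0                        # transitions from a live value to fail-safe
    rejected: Dict[str, int] = field(default_factory=lambda: {"len": 0, "crc": 0, "seq": 0, "stale": 0})

    def _fail_safe(self, reason: str) -> int:
        self.rejected[reason] += 1
        if self.output != FAIL_SAFE:
            self.trips += 1
        self.output = FAIL_SAFE
        return self.output

    def receive(self, frame: bytes, now_ms: int) -> int:
        if len(frame) != FRAME_LEN:
            return self._fail_safe("len")
        seq, t_ms, value, crc = struct.unpack(FRAME_FMT, frame)
        if zlib.crc32(frame[:-4]) & 0xFFFFFFFF != crc:
            return self._fail_safe("crc")           # corrupted: its sequence number is not trusted either
        if seq != self.expected_seq:
            self.expected_seq = (seq + 1) & 0xFFFF  # lost or reordered frame: trip, then resynchronise
            return self._fail_safe("seq")
        self.expected_seq = (seq + 1) & 0xFFFF
        if now_ms - t_ms > TIMEOUT_MS:
            return self._fail_safe("stale")         # delayed beyond the safety margin
        self.last_good_ms = now_ms
        self.output = value
        return self.output

    def tick(self, now_ms: int) -> int:
        """Watchdog: silence longer than TIMEOUT_MS is itself a detected fault."""
        if self.last_good_ms is not None and now_ms - self.last_good_ms > TIMEOUT_MS:
            return self._fail_safe("stale")
        return self.output


def black_channel(frame: bytes, i: int, drop_every: int, flip_every: int) -> Optional[bytes]:
    """Constructed untrusted transport that deterministically drops or corrupts frames."""
    if drop_every and i % drop_every == 0:
        return None
    if flip_every and i % flip_every == 0:
        b = bytearray(frame)
        b[7] ^= 0x01                                # flip one payload bit (low byte of value)
        return bytes(b)
    return frame


def run(n_frames: int, drop_every: int = 0, flip_every: int = 0, period_ms: int = 50) -> dict:
    """Send n healthy frames through the channel; report trips and integrity failures."""
    c = Consumer()
    wrong_values_accepted = 0
    for i in range(n_frames):
        t = i * period_ms
        frame = black_channel(make_frame(i, t, HEALTHY), i, drop_every, flip_every)
        out = c.tick(t + period_ms) if frame is None else c.receive(frame, t + 5)
        if out not in (HEALTHY, FAIL_SAFE):
            wrong_values_accepted += 1              # would be an undetected dangerous failure
    return {"trips": c.trips, "rejected": dict(c.rejected), "wrong_values_accepted": wrong_values_accepted}


if __name__ == "__main__":
    print("clean network    :", run(100))
    print("1 in 10 dropped  :", run(100, drop_every=10))
    print("1 in 7 corrupted :", run(100, flip_every=7))
```

Running the three scenarios shows `wrong_values_accepted` staying at zero whatever the channel does, while `trips` rises with the loss and corruption rate; that is the same split the manual draws between SIL rating and spurious trip rate. A CRC alone is an integrity check, not an authentication: sharing the physical network with non-safety traffic, as the text allows, means a host on that network can at least force trips, which is the "possibly security risks" the paragraph warns about.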
(continued) …able of being silenced by means of a separate manual control at access level 1 or 2. This control shall only be used for silencing the audible indication and may be the same as that used for silencing in the fault warning condition.
- The control and indicating equipment shall be capable of being reset from the fire alarm condition. This shall only be possible by means of a separate manual control at BS EN 54 defined access level 2. This control shall be used only for reset and may be the same as that used for reset from the fault warning condition.
- Unless BS EN 54 7.11 and/or 7.12 apply, the control and indicating equipment shall action all mandatory outputs within 3 seconds of the indication of a fire alarm condition.
- Unless BS EN 54 7.11 applies, the control and indicating equipment shall action all mandatory outputs within 10 seconds of the activation of any manual call point.
- The control and indicating equipment shall enter the fault warning condition within 100 seconds of the occurrence of the fault or the reception of a fault signal, or within another time as specified in BS EN 54.
- In the event of the loss of the main power source as specified in EN 54-4, the control and indicating equipment may have provision to recognize and indicate the failure of the standby power source to a point where it may no longer be possible to fulfil the mandatory functions of this European Standard. In this case at least an audible indication shall be given for
Certifications for Safety System Applications in Hazardous Environments
ATEX Certificate
1. TYPE EXAMINATION CERTIFICATE
2. Equipment or Protective System intended for use in Potentially Explosive Atmospheres, Directive 94/9/EC
3. Type Examination Certificate Number: DEMKO 11 ATEX 1129711X Rev 2
4. Equipment: Programmable Logic Controllers, Models: 9110 Processor; 9111 Processor; 9401 Digital Input; 9402 Digital Input; 9431 Analog Input; 9432 Analog Input; 9451 Digital Output; 9481 Analog Output; 9482 Output/Input; 9100 Processor Backplane; 9101 Dual Backplane; 9300 I/O Backplane; 9801, 9802 and 9803 Digital Input Termination Assembly; 9831, 9832 and 9833 Analog Input Termination Assembly; 9851 and 9852 Digital Output Termination Assembly; 9881 and 9882 Analog Output Termination Assembly; 9892 Digital Output Termination Assembly
5. Manufacturer: Rockwell Automation Ltd
6. Address: Hall Road, Maldon CM9 4LA, United Kingdom
7. This equipment and any acceptable variation thereto are specified in the schedule to this certificate and the documents therein referred to.
8. UL International Demko A/S certifies that this equipment has been found to comply with the Essential Health and Safety Requirements that relate to the
(continued) …ally, and then integrated and tested as a whole. All of this testing should be initially done within the simulation environment.
- Fault handling strategy: this stage defines the fault handling strategy.
The resultant application software shall be integrated with the system hardware and full integration testing performed on the system.

System Production
The system production stage implements the detailed system design. The production techniques, tools and equipment, including those used for production testing of the system, shall be appropriate for the specified safety requirements class.

System Installation Environment
The installation environment is a potential source of common cause failure; therefore it is vital that the compatibility of the equipment with the environment is known. The environment for these purposes includes the prevailing climatic, hazardous area, power, earthing and EMC conditions. In many cases there will not be a single installation environment: elements of the system may be installed in differing locations, and in these cases it is important to know the environment for each location.
You must use installation and commissioning procedures that comply with the applicable standards of the country of installation. The applicable standards can include, for example, IEC 61511, NFPA 72 and ISA 84.00.01, depending on the location.

System Integrat
(continued) …ant configurations. The input and output modules support a number of architecture options; the effects of the chosen architecture should be evaluated against the system and application specific requirements.

Chapter 3: AADvance System Architectures
An AADvance controller can be configured to manage anything from non-safety up to SIL 3 safety related system requirements, and low demand or high demand fault tolerant applications. This chapter describes the different system architectures that can be configured for an AADvance controller to meet this variety of requirements.
Note: Architectures are independent of I/O module capacity, therefore 8- or 16-channel I/O modules can be used.

In This Chapter
SIL 2 Architectures .......... 3-1
SIL 3 Architectures .......... 3-7
Certified Configurations .......... 3-13
Internal Diagnostics .......... 3-14
Safety Networks .......... 3-15

SIL 2 Architectures
SIL 2 architectures are recommended for fail-safe, low demand applications. All SIL 2 architectures can be used for energize-to-trip or de-energize-to-trip applications. In any configuration, when a faulty processor or input
(continued) …ault in any module. They degrade to 1oo1D on the detection of faults in any two modules and will fail safe when there are faults on all three modules.

Digital Output Modules
- For de-energize-to-action operation, one digital output module is sufficient for SIL 3 requirements. However, for energize-to-action operation dual digital output modules are required.
- A digital output module fault must be repaired within the MTTR which was used in the PFD calculation.

Analogue Output Modules
- The fail-safe state current of the analogue output module is less than 2 mA.
- For de-energize-to-action operation, one analogue output module is sufficient for SIL 3 requirements. However, for energize-to-action operation dual analogue output modules are required.
- An analogue output module fault must be repaired within the MTTR which was used in the PFD calculation.

Table 7: Modules for SIL 3 Fail-safe, Fault Tolerant Processor
Position   Module Type
I/P        T9401/2 Digital Input Module, 24 V dc, 8/16 channel, with T9801 Digital Input TA, 16 channel, Simplex;
           or T9431/2 Analogue Input Module, 8/16 channel, with T9831 Analogue Input TA, 16 channel, Simplex;
           on T9300 I/O base unit
CPU        2 x T9110 Processor Module on T9100 Base Unit
O/P        1 x T9451 Digital Output Module, 24 V dc, 8 channel, with T985x Digital Output TA, 24 V dc, 8 channel, Simplex
(continued) …cal codes and standards.

CAUTION: AADvance modules are suitable for use in Class I, Division 2, Groups A, B, C and D hazardous locations, or non-hazardous locations only, or equivalent.
ATTENTION (French-language caution, translated): AADvance modules may be used in Class I, Division 2, Groups A, B, C and D hazardous environments or in non-hazardous environments, or equivalent.

Environment Standards
The AADvance system has been investigated to United States National Standard UL 508 (7th Edition) and Canadian National Standard C22.2 No. 142 (1st Edition). The investigation covers the following modules and provides requirements for compliance with the standards for use in non-hazardous and hazardous environments.
The AADvance controller has been investigated and approved by UL for use as Industrial Control Equipment in hazardous locations, Class I, Division 2, Groups A, B, C and D, in North America.
The AADvance controller has been assessed for ATEX compliance. The UL certification number is DEMKO 11 ATEX 1129711X Rev 2; the UL report number is 4786144521. The ATEX marking is Ex nA IIC T4 Gc.
Additionally, the AADvance controller is approved under the IECEx certification scheme. The certificate number is IECEx UL 12.0032X.

Installation Requirements for Non-Hazardous Environment
Investigation File Number E341697
Products Covered
The products investigated and approved: Pro
(continued) …d generates output signals causing a process and associated equipment to operate in a desired manner, but which does not perform any safety instrumented functions with a claimed safety integrity level of 1 or higher. Refer to IEC 61511, or to ANSI/ISA 84.00.01-2004 Part 1 (IEC 61511-1 Mod), for a formal definition. Equivalent to the Process Control System (PCS) defined by IEC 61508.
breakdown voltage: The maximum voltage (AC or DC) that can be continuously applied between isolated circuits without a breakdown occurring.
BS EN 54: A standard for fire detection and fire alarm systems.
BS EN 60204: A standard for the electrical equipment of machines which promotes the safety of persons and property, consistency of control response and ease of maintenance.
bus: A group of conductors which carry related data. Typically allocated to address, data and control functions in a microprocessor based system.
bus arbitration: A mechanism for deciding which device has control of a bus.

C
CIP: Common Industrial Protocol. A communications protocol, formally known as CIP over EtherNet/IP, created by Rockwell Automation for the Logix controller family and which is also supported by the AADvance controller. AADvance controllers use the protocol to exchange data with Logix controllers. The data exchange uses a consumer/producer model.
clearance: The shortest distance in air between two conductive parts.
coding peg: A
(continued) …ddress; the other, the producer status (KvbProdNetStatus) for a specific bindings link, identified by the consumer's resource number and its IP address. In addition to these, an error variable can be configured to report error codes for the bindings links to the application.
Note: The consumer's network bindings parameters, i.e. timeout values, are those located in the producing resource.

Peer to Peer functionality cannot be used in conjunction with AADvance Workbench 2.0 and is therefore not available for use in a safety related system. It is the end user's responsibility to ensure that any pre-existing Peer to Peer configuration is removed before importing an application developed under Workbench 1.3 into Workbench 2.0.

AADvance provides the capability for SIL 3 certified Peer to Peer data connections, allowing safety data to be transferred between AADvance and Trusted controllers. The Trusted Peer to Peer network protocol enables you to share safety data between AADvance systems, or between AADvance and Trusted systems, across an Ethernet network. Data can be transferred between individual systems or from one to several systems at the same time using multicast network connections. Peer to Peer communication is configured by defining a peer network controller and I/O devices within the application program.
Note: AADvance currently supports multicast network connections on the left-most port of each processor.
For safety related applications it is recom
(continued) …de .......... 4-41

Withstand Acceleration: 10 Hz to 150 Hz, 0.12, in 3 axes
Endurance Acceleration: 10 Hz to 150 Hz, 0.5 g, in 3 axes
Shock: 15 g peak, 11 ms duration, half sine
Altitude, Operating: 0 to 2000 m (0 to 6,600 ft)
Altitude, Storage and Transport: 0 to 3000 m (0 to 10,000 ft). Note: this equipment must not be transported in unpressurized aircraft flown above 10,000 ft.
Electromagnetic Interference: tested to the following standards: EN 61326-1:2006 Class A; EN 61326-3-1:2008; EN 54-4:1997 + A1; EN 61131-2:2007; EN 62061:2005
Hazardous Location Capability: suitable for Class I Div 2 and Zone 2
IMPORTANT:
- This equipment is not certified for use in a Zone 1 location.
- This equipment is not certified for use in a Zone 0 hazardous environment.

Casing
Standard AADvance modules also have a plastic casing and are rated IP20: protected against solid objects over 12 mm (1/2 in), for example fingers. There is no specific protection against liquids.

Electromagnetic Immunity and Emissions
The AADvance system has been designed and tested to withstand normal levels of conducted and radiated electromagnetic interference and electrostatic discharge. Electrical noise conditions may vary greatly depending on the equipment installation, wiring, other installed equipment and its proximity to the AADvance equipment. A detailed analysis of the installation electrical and magnetic conditions is ra
76. design of Category 3 equipment which is intended for use in potentially explosive atmospheres. These Essential Health and Safety Requirements are given in Annex II to the European Union Directive 94/9/EC of 23 March 1994. The examination and test results are recorded in confidential report no. 4786336921.
9. Compliance with the Essential Health and Safety Requirements, with the exception of those listed in the schedule of this certificate, has been assessed by reference to Standards EN 60079-0:2012 + A11:2013 and EN 60079-15:2010.
10. If the sign X is placed after the certificate number, it indicates that the equipment or protective system is subject to special conditions for safe use specified in the schedule to this certificate.
11. This Type Examination Certificate relates only to the design of the specified equipment and not to specific items of equipment subsequently manufactured.
12. The marking of the equipment or protective system shall include the following: 3G Ex nA IIC T4 Gc.
This is to certify that the sample(s) of the Equipment described herein ("Certified Equipment") has been investigated and found in compliance with the Standard(s) indicated on this Certificate, in accordance with the Certification Manager ATEX Equipment Certification Program Requirements. This certificate and test results obtained apply only to the equipment sample(s) submitted by the Manufacturer. UL did not select the sample(s) or determine whether Jan Er
77. dic test, calibration or repair of a module, sensor or actuator. To correctly implement a maintenance override scheme within the AADvance system, the override or bypass logic shall be programmed within the Application Program, with a separate set of safety-related input points or variables enabling the bypass logic. ICSTT-RM446-EN-P, Issue 12. In order to accommodate maintenance overrides safely, TÜV has documented a set of principles that shall be followed. These principles are published in the document "Maintenance Override" by TÜV Süddeutschland / TÜV Product Service GmbH and TÜV Rheinland. There are two basic methods to check safety-related peripherals connected to the AADvance system:
> External hard-wired switches are connected to conventional system inputs. These inputs are used to deactivate sensors and actuators during maintenance. The maintenance condition is handled as part of the system's application program.
> Sensors and actuators are electrically switched off during maintenance and are checked manually.
In some installations the maintenance console may be integrated with the operator display, or maintenance may be covered by other strategies. In such installations the guidance given in the section Input and Output Forcing is to be followed. A checklist for the application of overrides is given in the Checklists chapter.
Application Program Development: The application program development shall follow a structur
78. ds. The controller must be supplied with system power from a power source that complies with SELV and PELV standards. SELV (safety extra-low voltage) is a voltage which does not exceed 30 Vrms, 42.4 Vpeak and 60 Vdc between conductors, or between each conductor and earth, in a circuit which is isolated from the line voltage by a safety transformer. PELV (protected extra-low voltage) is an extra-low voltage circuit with a protective partition from other circuits which has a protective earth connection. To meet SELV and PELV requirements, the power source must have a safety transformer with a protective partition between the primary and secondary windings, so that the windings are galvanically and electrically isolated.
The power supplies and power distribution, if incorrectly designed, present a potential common cause failure. It is therefore necessary to:
> Establish the power philosophy, specific earthing philosophy, power requirements and the separation requirements where items of equipment are separately supplied (for example, system internal supplies and field loop supplies).
> Ensure that the chosen PSUs are compatible with the power feeds provided. Alternatively, measures should be implemented to ensure that the power feeds remain within the specifications of the PSUs.
> Define the power distribution requirements, together with the protective philosophy, for
79. dundant configurations it can be used for energize-to-action and de-energize-to-trip SIL 3 applications. Each module provides the following safety functions:
> output channel signals based on commands from the processor
> redundant voltage and current measurements to the processor modules for monitoring and diagnostics
> over-current and over-voltage channel protection
> executing diagnostic tests on command from the processor module and reporting results back to the processor module
On power-up or module insertion, all output channels are set to the de-energized fail-safe state until command states are received from the processor. Each channel is driven individually according to the command state values.
> When the module is unlocked, all of its output channels (including any channels set to hold last state) always go to the de-energized state.
> The module enters a Shutdown Mode when the time between processor commands exceeds the PST.
> The PFD & PFH data has been calculated on the basis that the shutdown state is configured to the OFF state. Therefore the OFF state shall be used for SIL 2 & SIL 3 applications.
> When a module fails, all the channels are set to the de-energized state.
Reactions to faults in output modules: When an output module goes faulty, the following status information is reported:
> module presence
> module h
80. dware
controller system: One or more controllers, their power sources, communications networks and workstations.
coverage: The percentage of faults that will be detected by automated diagnostics. See also SFF.
creepage distance: The shortest distance along the surface of an insulating material between two conductive parts.
cross reference: Information calculated by the AADvance Workbench relating to the dictionary of variables and where those variables are used in a project.
D
data access (DA): An OPC data type that provides real-time data from AADvance controllers to OPC clients.
de-energize to action: A safety instrumented function circuit where the devices are energized under normal operation. Removal of power de-activates the field devices.
dictionary: The set of internal input and output variables and defined words used in a program.
discrepancy: A condition that exists if one or more of the elements disagree.
DITA: Digital input termination assembly.
DOTA: Digital output termination assembly.
element: A set of input conditioning, application processing and output conditioning.
energize to action: A safety instrumented function circuit where the outputs and devices are de-energized under normal operation. Application of power activates the field device.
EUC: Equipment Under Control. The machinery, apparatus or plant used for manufacturing, process, tran
81. e 4: Modules for SIL 2 Architecture
Position | Module Type
I/P A and B | 2 x T9401/2 Digital Input Module 24V dc 8/16 Channel; T9802 Digital Input TA 16 Channel Dual; or 2 x T9431/2 Analogue Input Module 8/16 Channel Isolated; T9832 Analogue Input TA 16 Channel Dual; T9300 I/O Base Unit
CPU A | 1 x T9110 Processor Module; T9100 Base Unit
O/P A | 1 x T9451 Digital Output Module 24V dc 8 Channel; T9851 Digital Output TA 24V dc 8 Channel Simplex; T9300 I/O Base Unit; or 1 x T9481/T9482 Analogue Output Module 3/8 Ch Isolated; T9881 Analogue Output TA 8 Ch Simplex
SIL 2 Output Architecture: A SIL 2 output architecture has a single output module with a single processor and single or redundant input modules. The illustration shows a SIL 2 single output arrangement where the output and processor modules operate 1oo1D under no fault conditions and will fail safe on the first detected fault. [Figure: Sensors / Field Elements; Digital Output; Analogue Output]
For Digital Output Modules the following applies:
> For energize-to-action high demand applications you must use dual digital output modules.
For Analogue Output the following applies:
> The fail-safe state current of the Analogue Output module is less than 2 mA.
> For energize-to-action high demand applications you must use dual analogue output modules.
Table 5
82. e.g. water level limiter in steam boilers).
BS EN 54 Requirements: The EN 50156 certification is only applicable where the system is applied in accordance with this safety manual and EN 50156 requirements. BS EN 54-2:1997 + A1:2006 specifies the requirements for control and indicating equipment for fire detection and fire alarm systems installed in buildings. The AADvance system is certified for use with BS EN 54 compliant systems. IMPORTANT: The analogue output modules are not certified to EN 54-2. The systems should be integrated in accordance with BS EN 54. In particular, the following shall be applied:
> Where an alphanumeric display is used to display indications relating to different functional conditions, these may be displayed at the same time. However, for each functional condition there shall be only one window in which all of the fields relating to that functional condition are grouped.
> Unless BS EN 54 section 7.1 and/or 7.12 applies, the time taken by scanning, interrogation or other processing of signals from fire detectors, in addition to that required to take the fire alarm decision, shall not delay the indication of the fire alarm condition, or of a new zone in alarm, by more than 10 seconds.
> The control and indicating equipment shall enter the fire alarm condition within 10 seconds of the activation of any manual call point.
> The audible indication shall be cap
83. e integrated within a single set of procedures. The integrator should have an accredited quality management system. The Safety Management System shall include:
> A statement of the policy and strategy for achieving and maintaining functional safety.
> A safety planning procedure, which shall result in the definition of the safety lifecycle stages to be applied, the measures and techniques to be applied at each stage, and the responsibilities for completing these activities.
> Definitions of the records to be produced and the methods of managing these records, including change control. The change control procedures shall include records of modification requests, the impact analysis of proposed modifications and the approval of modifications. The baseline for change control shall be defined clearly.
> Configuration items shall be uniquely identified and include version information. Examples of configuration items are system and safety requirements, system design documentation and drawings, application software source code, test plans, test procedures and test results.
> Methods of ensuring that persons are competent to undertake their activities and fulfill their responsibilities.
The Safety Life-cycle: The safety life-cycle is defined by the IEC 61508 standard. It is designed to structure a system's development into defined stages and activities, as follows:
84. e whole of an installation of which the AADvance system forms a part must meet these requirements in order to achieve an overall SIL rating.
SNCP: SNCP (Safety Network Control Protocol) is the Safety Protocol that allows elements of an AADvance System to exchange data. SNCP is a SIL 3 certified protocol which provides a safety layer for the Ethernet network, making it a Black Channel.
SNTP: Simple Network Time Protocol. Used for synchronizing the clocks of computer systems over packet-switched, variable-latency data networks.
structured text: A high-level IEC 61131-3 language with syntax similar to Pascal. Used mainly to implement complex procedures that cannot be expressed easily with graphical languages.
synchronous: A data communications term describing a serial transmission protocol. A pre-arranged number of bits is expected to be sent across a line per second. To synchronise the sending and receiving machines, a clocking signal is sent by the transmitting computer. There are no start or stop bits.
T
TA: See termination assembly.
target: An attribute of a configuration which describes characteristics of the AADvance controller on which the configuration will run. Includes characteristics such as the memory model and the sizes of variable types for the controller.
TCP: Transmission control protocol. One of the core protocols of the Internet Protocol suite. It provides reliable, ordered delivery of a str
85. ealth and status
> channel health and status
> field faults
> an echo of the front panel indicators for each module
When any of the following internal conditions exist, the output module will fail safe:
> power feed combiner over-temperature detection
> power supply rails out of tolerance
Process safety time faults (Shutdown Mode): For a digital output module the process safety time represents the period of a watchdog timer that specifies the length of time the controller will allow the module to run without receiving updates from the application. If the module runs beyond this time period without receiving any updates, it enters the Shutdown Mode. When in the Shutdown Mode, the Ready and Run indicators will go RED. You can configure the state of the outputs when the module is in the Shutdown Mode. You have to decide, when you configure the module, how you want the output channels to behave in the Shutdown Mode. The output modules can be configured to provide the following channel values:
> De-energized (Off): default fail-safe value
> Hold Last State: consideration should be given to the effect on the process of using the hold last state setting.
The PFD & PFH data has been calculated on the basis that the shutdown state is configured to the OFF state. Therefore the OFF state shall be used for SIL 2 and SIL 3. An installed module automatically transitions from the Shutdown Mode to the Ready or Reco
86. eam of bytes from a program on one computer to another program on another computer. Common applications include the World Wide Web, e-mail and file transfer and, for an AADvance controller, Modbus communications over Ethernet.
termination assembly: A printed circuit board which connects field wiring to an input or output module. The circuit includes fuses for field circuits. The board carries screw terminals to connect field wiring to the controller, and the whole assembly clips onto the 9300 I/O base unit.
TMR: Triple modular redundant. A fault-tolerant arrangement in which three systems carry out a process and their result is processed by a voting system to produce a single output.
TÜV certification: Independent third-party certification against a defined range of international standards, including IEC 61508.
U
U (rack unit): A unit of measure used to describe the height of equipment intended for mounting in a standard rack. Equivalent to 44.45 mm (1.74 inches).
W
withstand voltage: The maximum voltage level that can be applied between circuits or components without causing a breakdown.
validation: In quality assurance, confirmation that the product does what the user requires.
verification: In quality assurance, confirmation that the product conforms to the specifications.
voting system: A redundant system (m out of n) which requires at least m of the n channels to be in agreement before t
87. eating small sections of logic rather than fanning out the resultant signal(s).
Partitioning the Application / Defensive Measures: It is impractical and unnecessary to apply the same degree of rigorous development and testing to all functions within the Application where some of those functions are not safety related. The identification of safety functions is in part dependent on the specific safety philosophy. Examples of non-safety functions may include status indication, data reporting and sequence of events. It is important to establish that these elements are not safety related: for example, some safety cases rely on human intervention, and therefore on the correct operation of status indication. The safety-related elements shall be implemented within separate programs to those of non-safety-related elements. Where information passes between these elements, it shall be arranged that the direction of flow is from safety-relevant to non-safety-relevant only.
In defining the Application, the programmer must consider the potential sources of error and apply reasonable defensive programming techniques. Where values are received from other programs or external communications interfaces, the validity of the values should be checked where possible. Similarly, values received from input interfaces should be checked where possible. In many cases it will also be possible to monitor permutations of data inputs and plant operating modes to establish the
88. ed approach as defined in the AADvance Workbench documentation. Development of application software consisting of programs (POUs), User Defined Functions and User Defined Function Blocks must follow the requirements defined in IEC 61511 / ANSI/ISA 84.00.01 for LVL languages and the requirements defined in IEC 61508 for FVL languages. However, these requirements can be waived if the programs (POUs) used have previously been tested and validated according to IEC 61511 / ANSI/ISA 84.00.01 / IEC 61508 and validation evidence is provided as part of the Project Test Documentation. The stages defined in the following sub-sections shall additionally be applied for safety-related applications.
AADvance Workbench Configuration: The AADvance Workbench supports four levels of password access, level 0 being the highest access level. Each function (for example viewing, editing, compiling, downloading) may be identified for use only by users with an access level above a certain level. Security protection shall be implemented to prevent access to, or change of, the application programs. A Program Enable key that is inserted into the KEY socket on the T9000 processor base unit can be removed to prevent access to, or change of, the application program.
Language Selection: The AADvance Workbench offers many programming tools to develop algorithms to meet the needs of virtually any real
89. em with the client. It is however necessary to collate these requirements into a document, including any clarification of the requirements. It is recommended that logic diagrams be used to represent the required functionality, and highly recommended that all requirements are reviewed, clarified where required, and approved by the client.
During the system safety requirements stage, the functional requirements are analyzed to determine their safety relevance. Where necessary, additional safety requirements shall be identified and documented to ensure that the plant will fail safe in the case of failures of the plant, the safety-related system, external equipment or communications, or if the safety-related system's environment exceeds the required operating conditions. The appropriate safety integrity level and safety-related timing requirements shall be defined for each safety-related function. For each function the required safety failure mode shall be determined. The client should supply this information, or it should be defined and agreed with the client as part of this phase. The System Integrator shall ensure that the client approves the resulting safety requirements.
The system engineering stage realizes the design of the safety-related system. It is recommended that the engineering be divided into two distinct stages, the first defining the overall system architecture and the second detailing the engineering of the individual architectural blocks.
90. enerated in case of failures within the system. Field loop power should be considered in the allocation of signals to output channels and modules. For normally energized configurations, field loop power failure will lead to the fail-safe reaction. As with the allocation of signals to modules, there may be related functions where loss of field power should be considered in the same manner as the signal allocation. Where signals are powered from separate power groups, it is important that this separation be maintained when allocating the signals to modules, i.e. that inadvertent coupling between power groups, and particularly return paths, is not generated.
Calculations of Probability of Failure upon Demand: For information regarding the calculation, and for the PFD/PFH numbers allocated for the AADvance system, refer to the TÜV approved PFD calculation document (Doc. No. 553847, AADvance PFH and PFD Data) listed in the approved version list.
Processor Functional Safety Configuration: The T9110 Processor Module supports a limited set of configuration options; the system will verify the hardware configuration, such as the module locations, against the actual module types. The processor module process safety time can be specified through the AADvance Workbench, and details are given in the appropriate AADvance Configuration Guide(s) (Rockwell Automation references 553633 & 555063).
91. ent additionally complies with fail-safe performance criteria at increased levels of 20 V/m over the range 80 MHz to 1 GHz and 3 V rms/m unmodulated over the range 2 GHz to 2.7 GHz. The equipment additionally complies with fail-safe performance criteria at increased levels of 2 kV between I/O or signalling ports and ground.
Test | Standards | Conditions | Notes
Power Frequency Magnetic Field Immunity | BS EN 61000-4-8:1994 + A1:2001 | 30 A rms/m, 50 Hz and 60 Hz | None
Voltage Dips, Short Interruptions and Voltage Variations Immunity | BS EN 61000-4-11:2004 | Not Applicable
Immunity to Conducted Common Mode Disturbance, 0 to 150 kHz | BS EN 61000-4-16:1998 + A1:2004 | 1 to 10 V rms increasing at 20 dB/decade from 1.5 to 15 kHz; 10 V rms from 15 kHz to 150 kHz; 100 V rms for 1 s at 16.6 Hz, 50 Hz and 60 Hz; 10 V rms continuous at 150 Hz and 180 Hz
Voltage Dips, Short Interruptions and Voltage Variations for DC Input Power Ports | BS EN 61000-4-29:2001 | 40% for 10 ms; 0% for 20 ms | None. The performance criteria for these tests is fail safe.
Immunity to Electrostatic Discharge | BS EN 61000-4-2:2009 | Air discharge 8 kV; Contact discharge 6 kV
92. er during the development of the application. To achieve this, CVT decompiles the application project file and then compares each individual application project POU source file with its decompiled version. The CVT analysis is displayed in the Workbench window. For safety-related applications the Compilation Verification Tool must be enabled.
Communications Interaction: The AADvance system provides a range of communications options to allow interaction with external systems. Where this communication is used for reporting or outgoing communications, there are no specific safety requirements. Data received from external equipment that either controls safety-related functions or affects their operation must be handled with caution. The Application Program shall handle the received data. The received data should be such that it is limited to interactions which:
> Initiate safety operations, i.e. initiate shutdown sequences
> Reset signals, with the reset action only possible once the initiating conditions have been removed
> Initiate timed start-up override signals which are removed automatically, either on expiration of the start period or once the associated signal has stabilized in the normal operating condition
> Adjust control parameters within defined safe operational limits, i.e. lowering of trip thresholds
Where the inte
93. essor Module ACCESS ... 4-24
Module Safety Functions ... 4-24
Module Safety Related Parameters ... 4-24
Module Start-Up and Locking Screw Safety Function ... 4-24
Module Process Safety Time (PST) ... 4-25
Input Module Safety ... 4-25
Reactions to faults in the input modules ... 4-26
Input Module Safety Accuracy ... 4-26
Output Module Safety Functions ... 4-27
Digital Output Module Safety Functions ... 4-27
Analogue Output Module Safety Features ... 4-29
Input and Output Forcing ...
94. ey shall be subject to exhaustive testing commensurate with that used for the commonly used functions. Once the function block has been subject to this level of testing, it may be used as for commonly used functions.
Sequential Function Chart: The SFC programming language cannot be used with the CVT enabled in Workbench 2.0 and is therefore not suitable for use in a safety-related system. It may be possible for an SFC application developed using an earlier version of Workbench to be used in a safety-related system, provided that it has been tested and validated previously. It is the end user's responsibility to ensure that validation evidence exists in the Project Test Documentation.
Testing of New or Previously Untested Functions: Each safety-related software block shall be 100% testable. Such functions could be:
> Burner flame supervision, including temperature and air/gas pressure monitoring
> Burner gas-to-air ratio control supervision
> Parts or whole of the start-up sequence of a batch reactor
The fewer the number of inputs, outputs and signal paths, the fewer the number of permutations that require testing. However, a single safety function should not be split into separate blocks; such a division is likely to lead to the introduction of errors during maintenance activities. The interaction between the individual software blocks shall be minimized. Where interaction is necessary, it should be kept as simple as possible, for
95. firm that the system is designed, constructed and installed in accordance with the specified safety requirements. The assessment shall consider each required safety function and its associated safety properties. The effects of faults and errors within the system and application programs, failures external to the system, and procedural deficiencies in these safety functions are to be considered. The assessment is to be carried out by an audit team that shall include independent assessors from outside of the project. At least one functional safety assessment shall be performed before the start-up of the system and the introduction of any potential hazards.
Safety Integrity / Design Safety Integrity: The architecture of the AADvance system has been designed to allow a scalable system to be configured using standard components. The configurations available range from simplex fail-safe to TMR fault tolerance. The processor module has been designed to meet the requirements for SIL 2 with one, two or three processor modules, and SIL 3 when two or three modules are fitted. Input and output modules have been designed to meet SIL 3 requirements with a single module in a fail-safe mode. The processor module and the individual I/O modules have built-in redundancy and have been designed to withstand multiple faults and support a fixed on-line repair-by-replacement configuration in dual and triple modular redund
96. for use, normally expressed as a percentage.
B
backplane clip: A sprung plastic device to hold together two adjacent AADvance base units. Part number 9904. Used in pairs.
base unit: One of two designs which form the supporting parts of an AADvance controller. See I/O base unit and processor base unit.
bindings: Bindings describe a relationship between variables in different AADvance controllers. Once a variable is bound to another variable, a unique and strong relationship is created between the two variables, and the SIL 3 certified SNCP protocol is used to ensure that the consuming variable is updated with the data from the producing variable.
black channel: A communication path whose layer (i.e. cabling, connections, media converters, routers, switches and associated firmware/software etc.) has no requirement to maintain the integrity of safety-critical data transferred over it. Measures to detect and compensate for any errors introduced into the black channel must be implemented by the safety-critical sender and receiver, by software and/or hardware means, to make sure the data retains its integrity.
blanking cover: A plastic moulding to hide an unused slot in an AADvance base unit.
boolean: A type of variable that can accept only the values true and false.
BPCS: Basic process control system. A system which responds to input signals an
97. g Input Model; Analog Input Model, 16 Channel; Analog Output Model; Analog Output Model, 8 Channel; Digital Output Model; Termination Assembly, 16 Channel Simplex Digital Input; Termination Assembly, 16 Channel Dual Digital Input; Termination Assembly, 16 Channel TMR Digital Input; Termination Assembly, 16 Channel Simplex Analog Input; Termination Assembly, 16 Channel Dual Analog Input; Termination Assembly, 16 Channel TMR Analog Input; Termination Assembly, 8 Channel Simplex Digital Output; Termination Assembly, 8 Channel Dual Digital Output; Termination Assembly, 8 Channel Dual Digital Output; Termination Assembly, 8 Channel Simplex Analog Output; Termination Assembly, 8 Channel Dual Analog Output.
Circuit Number column: 151491 152181 151501 151421 151431 151421 151431 151441 151441 151751 151961 151441 151751 151631 151801 151791 151521 151531 151731 151711 151561 151721 151701 151551 151741 151691 152621 151821 151811
Board Number column: 130662 131022 130622 130642 130652 130642 130652 130682 130682 130772 130682 130682 130772 130842 130852 130842 130722 130732 130812 130802 130782 130812 130802 130782 130822 130792 131212 130872 130862
Model 9100 Processor Backplane and 9101 Dual Processor Backplane are for use with Model 9110 and 9111 Processors. Model 9300 I/O Backplane is for use with all other Models. Subject devices are all marked Ex nA T4 Gc. Te
98. gital Output Module 24V dc 8 Channel Isolated; T9851 Digital Output TA 24V dc 8 Channel Simplex; or 1 x T9481/T9482 Analogue Output Module 3/8 Ch Isolated; T9881 Analogue Output TA 8 Ch Simplex.
SIL 2 Fault Tolerant Input Architectures: A SIL 2 fault-tolerant input architecture can have dual or triple input modules with a single processor and single output modules. The illustration shows a dual input arrangement where the dual input modules operate in 1oo2D under no fault conditions; they degrade to 1oo1D on detection of the first fault in either module of the redundant pair, and when a fault occurs on the second module it will fail safe. The processor module operates in 1oo1D under no fault conditions and degrades to fail safe on the first detected fault. The output module operates 1oo1D under no fault conditions and will fail safe on the first detected fault. When a triple input module arrangement is configured, the group of input modules operate 2oo3D under no fault conditions, degrade to 1oo2D on the detection of the first fault in any module, then degrade to 1oo1D on the detection of faults in any two modules, and will fail safe when there are faults on all three modules.
Note: Simplex processors can only be used for low demand applications. Simplex output modules used for energize-to-action applications can only be used for low demand applications. [Figure: Sensors / Final Elements]
Tabl
99. grammable Logic Controller, Models 9110 Processor Module; 9401 Digital Input Module; 9402 Digital Input Module, 16 Channel; 9431 Analogue Input Module; 9432 Analogue Input Module, 16 Channel; 9451 Digital Output Module; 9481 Analog Output Module; 9482 Analogue Output Module, 8 Channel.
Listed Accessories for use with PLCs: 9100 Processor Backplane; 9300 I/O Backplane; 9801 Digital Input Termination Assembly, Simplex; 9802 Digital Input Termination Assembly, Dual; 9803 Digital Input Termination Assembly, TMR; 9831 Analogue Input Termination Assembly, Simplex; 9832 Analogue Input Termination Assembly, Dual; 9833 Analogue Input Termination Assembly; 9851 Digital Output Termination Assembly, Simplex; and 9852 Digital Output Termination Assembly, Dual; 9892 Digital Output Termination Assembly, Dual; 9881 Analogue Output Termination Assembly, Simplex; 9882 Analogue Output Termination Assembly, Dual.
Non-Hazardous Installation Requirements. Environmental: In a non-hazardous environment a system can be installed in an enclosure or on a support wall; however, the enclosure or the area where it is installed must not be more than a Pollution Degree 2 or similar environment, in accordance with IEC 60664-1:2007. The surrounding air temperature ratings are:
> For the 9110 Processor module: 60 °C
> For all other I/O modules, base units and termination assemblies: 70 °C
Pollution Degree Definition: For the purpose
…the system can take action.

Safety Manual: AADvance Controller

Chapter 7 Additional Resources

Associated AADvance Publications

For more information about the AADvance system, refer to the associated Rockwell Automation technical manuals shown in this document map:
> Solutions Handbook
> Safety Manual, 553630
> System Build Manual, 553632
> Configuration Guide, 553633 (the configuration guide applicable depends on the version of AADvance Workbench used)
> Troubleshooting and Maintenance Manual, 553847 or 553701
> PHD and PFD Data Manual, 555063
> OPC Portal Server User Manual, 553634

Publication: Purpose and Scope

Safety Manual: This technical manual defines how to safely apply AADvance controllers for a Safety Instrumented Function. It sets out standards which are mandatory and makes recommendations to ensure that installations meet and maintain their required safety integrity level.

Solutions Handbook: This technical manual describes the features, performance and functionality of the AADvance controller and systems. It sets out some guidelines on how to specify a system to meet your application requirements.

System Build Manual: This technical manual describes how to assemble a system, switch on and validate the operation of a system…
…When triple analogue input modules are used and active, the system adopts the median value. When dual modules are used, the lowest reported value is used. The discrepancy between the redundant channels' measurements is monitored to determine if they are within the safety accuracy limit. When the safety accuracy within a channel is detected outside the following limits, then that channel is set to a fail-safe state:
> Digital Input Module: 1 V
> Analogue Input Module: 0.2 mA

When the safety accuracy between channels exceeds the following limits, then a discrepancy alarm is set for the input channel:
> Digital Input Module: 2 V
> Analogue Input Module: 0.4 mA

In both situations the following safe values are reported by the variables:

Digital input modules:
> Input state: FALSE
> Line fault: TRUE
> Discrepancy: TRUE
> Channel fault: TRUE, and the voltage value is 0 mV

Analogue input module:
> Process value: a calculated value based on a count value of 0 (51 counts = 0.2 mA)
> Line fault: TRUE
> Discrepancy: TRUE
> Channel Fault: TRUE
> Count value: 0

In safety critical applications the discrepancy alarms shall be monitored by the application program and be used to provide an alarm to the plant operations personnel.

Output Module Safety Functions

Digital Output Module Safety Functions

The digital output module is rated at SIL 3 as a fail-safe module. In dual re…
…application? Has a method of enabling, or more importantly removing, the overrides for the system as a whole or for individual sub-systems been provided? Have programming or procedural measures been defined to ensure that no more than a single override may be applied to a given safety-related process unit? Has indication of the presence of override conditions, and recording of their application and removal, been defined? Is there an alternative method of removing an override? Are there programming or procedural measures to limit the period of override?

Description (Yes / No)
> For each of the I/O signal types, do the I/O module settings provide the correct characteristics and behavior for the intended sensor or actuator?
> Have the thresholds been verified with both increasing and decreasing field signal levels, and with margins to allow for the measurement accuracy?
> Do threshold states remain unique under all operating tolerances?
> For all configurations, have tests been defined and executed to 100% test the required operation?
> Have Dual Output modules been configured for Energize-to-trip SIL 3 applications?

Description (Yes / No)
> Has guidance been followed to ensure that SIL 3 signals are shut down outside the time limit imposed by the MTTR assumed for the PFD calculations?
> Has the Hold Last State been set up for the Digi…
…ik Storgaard. The sample(s) provided were representative of other manufactured equipment. UL has not established Follow-Up Service or other surveillance of the equipment. The Manufacturer is solely and fully responsible for conformity of all equipment to all applicable Standards, specifications, requirements or Directives. The test results may not be used, in whole or in part, in any other document without UL's prior written …

Date of issue: 2011-09-02. Re-issued: 2014-06-03.

UL International Demko A/S, Borupvang 5A, 2750 Ballerup, Denmark. Tel. +45 44 85 65 65, info.dk@ul.com, www.ul.com

00-IC-F0060 Issue 7.0. This certificate may only be reproduced in its entirety and without any change, schedule included. Page 1 of 5

13. Schedule
14. TYPE EXAMINATION CERTIFICATE No. DEMKO 11 ATEX 1129711X Rev. 2 / Report 4786336921
15. Description of Equipment

These devices are low power, open type programmable logic controllers that are intended for installation in an ultimate enclosure. The 9000 Programmable Logic Controller Series consists of the following Models:

Model | Description
9100 | Processor Backplane
9101 | Dual Processor Backplane
9300 | I/O Backplane
9110 | Processor Model
9111 | Processor Model
9401 | Digital Input Model
9402 | Digital Input Model, 16 Channel
9431 | Analo…

Further models in the schedule: 9432, 9481, 9482, 9451, 9801, 9802, 9803, 9831, 9832, 9833, 9851, 9852, 9892, 9881, 9882.
…in alarm without reporting short circuit.
> All of the input circuits are suitable for simplex, dual and TMR configurations.
> The F&G circuit assumes that the devices are volt-free contacts.
> For further information please refer to application note AN-T90001, Field Loop Configuration. This also includes advice for fire detectors which are not simple volt-free contacts.

Recommended Field Circuit for Digital Outputs

This circuit is suitable for simplex and dual configurations of digital output modules. The two 10 A fuses shown are included on the termination assembly within the controller. The field power 5 A fuses comply with UL 508 requirements (see illustration below).

The 10 A fuses fitted into the termination assembly are:
> T9902 SMF Omni-Block Surface Mount Fuse Block 154 010 with a 10A 125V Fast Acting Fuse (Littelfuse)

The field power input 5 A fuses are:
> 396 5 5A time-lag fuse, UL 248-14, 125 V T, lead-free, manufactured by Littelfuse

Note: Alternatively, instead of fitting two 5A fuses, you can use Class 2 power supplies for the 24V dc field voltage. Class 2 is defined by the NEC as providing less than 100 watts at 24V.

2. The field power must be wired using 12 AWG wire.
3. The field power must be supplied with an isolating source.
4. The minimum current required for line monitoring is 20mA for a dual pa…
…ion. The system integration stage shall integrate the application programs with the AADvance controller. Where multiple systems are used to meet an overall requirement, it is recommended that each sub-system undergoes application program and target system integration and testing before commencing overall system integration. To meet the requirements of the intended safety requirements class, the system integration shall result in full compliance of the software and hardware with the functional safety requirements.

System Commissioning

The commissioning stage is to prove the system installation and verify its correct end-to-end functionality, including the connection between the AADvance controller and the requisite sensors and final elements. It is likely that groups of functions are commissioned in stages rather than the system as a whole, for example accommodation area functions before production functions. It is important to define the commissioning sequence and the measures to be taken to ensure safe operation during such periods of partial commissioning. These measures shall be system specific and shall be defined clearly before starting any commissioning. It is also important to ensure that any temporary measures implemented for test purposes, or to allow partial commissioning, are removed before the system as a whole goes live.

Records shall be maintained throughout the commissioning process. These records shall include evidence of the…
…ir 24V dc Field Power (24V dc Source), Power Distribution Termination Assembly. For inductive loads a back-protection diode shall be fitted at the load.

Analogue Input Field Loop Circuits

The recommended field loop circuits for analogue inputs are as shown below.

[Figure: Field Loop Circuit for 2-Wire Analogue Input; labels: Controller, Termination Assembly, 4-20 mA, Shield (if used), Terminal Blocks]

[Figure: second analogue input field loop circuit; labels: Controller, Termination Assembly, 4-20 mA, 24V, Shield (if used), Terminal Blocks]

[Figure: Field Loop Circuit for 4-Wire Analogue Input; labels: Controller, Termination Assembly, Shield (if used), Terminal Blocks]

Recommended Circuit for Analogue Outputs

These circuits are suitable for simplex and dual configurations of analogue output modules. All channels are isolated from each other but may be bridged at…
…is no change to the complexity of operations or programming if you choose to add redundant capacity to create a fault tolerant solution.

A controller is built from a range of compact plug-in modules that are straightforward to assemble into a system. They can be mounted onto DIN rails in a cabinet (see photograph) or directly mounted onto a wall in a control room. They do not require forced air cooling or special environmental control equipment; however, certain consideration to the cabinet type must be applied when used in hazardous environments.

The secure network communications protocol developed by Rockwell Automation for the AADvance system permits distributed control and safety using new or existing network infrastructure, while ensuring the security and integrity of the data. Individual sensors and actuators can connect to a local controller, minimizing the lengths of dedicated field cabling. There is no need for a large central equipment room; rather, the complete distributed system can be administered from one or more PC workstations placed at convenient locations.

Single input modules are designed to meet SIL 3, and in the most basic simplex configuration they offer a fail-safe solution. The AADvance system has comprehensive built-in diagnostics, while maintenance activities are straightforward operations which maximize system availability. The AADvance controller i…
…itions.

Hazard and Risk Analysis

The hazard and risk analysis has three objectives:
> The first objective is to determine the hazards and hazardous events of the controlled system for all reasonably foreseeable circumstances, including fault conditions and misuse.
> The second objective is to determine the event sequences that may lead to a hazardous event.
> The third objective is to determine the risks associated with the hazardous event.

This risk analysis will provide basic information for identifying the safety related requirements to mitigate risks.

System Functional and Safety Requirements

System Engineering

A set of system functions and their timing requirements will be specified. Where possible, the functions should be allocated to defined modes of operation of the process. For each function it will be necessary to identify the process interfaces. Similarly, where the function involves data interchange with third party equipment, the data and interface should be clearly identified. Where non-standard field devices, communications interfaces or communications protocols are required, it is especially important that detailed requirements for these interfaces are established and documented at this stage. The client should provide the functional requirements; where this information is not supplied, the System Integrator should define the requirements and agree th…
…le into a system while the system remains powered. The assumption is that removal of the module and reinsertion will cause no electrical harm to the system. Also referred to as hot swap.

low demand mode: Where the Safety Instrumented Function only performs its designed function on demand, and the frequency of demands is no greater than one per year.

manual call point: A component of a fire detection and fire alarm system which is used for the manual initiation of an alarm.

Modbus: An industry standard communications protocol developed by Modicon. Used to communicate with external devices such as distributed control systems or operator interfaces.

Modbus object: A representation of the configuration settings for a Modbus master, or for its associated slave links, within the AADvance Workbench. The settings include communication settings and messages.

module locking screw: The AADvance latch mechanism seen on the front panel of each module and operated by a broad flat-blade screwdriver. Uses a cam action to lock to the processor base unit or I/O base unit.

N

NFPA 85: The Boiler and Combustion Systems Hazards Code. Applies to certain boilers, stokers, fuel systems and steam generators. The purpose of this code is to contribute to operating safety and to prevent uncontrolled fires, explosions and implosions.

NFPA 86: A standard for Ovens and Furnaces. Provide…
…lerance requirements.

The input modules can be configured as a simplex, dual or triple arrangement. Output modules can be configured as a simplex or dual arrangement. All modules include line monitoring facilities; it is recommended that these line monitoring facilities be enabled for safety related I/O. For normally de-energized I/O these facilities shall be enabled.

Note: Refer to the section Digital Field Loop Circuits for details of line monitoring circuits.

Both input and output modules undergo regular diagnostic testing during operation, managed by the processor modules. The self-tests are coordinated between modules that are configured in a fault tolerant arrangement to ensure that the system remains on line even in the case of a demand during the execution of the tests. I/O channel discrepancy and deviation monitoring further enhances the verification and fault detection of module or field failures.

The processor reports any detected I/O fault to the Workbench application and provides an alarm signal for a central alarm indicator. Front panel LEDs on the faulty module will indicate a module or field fault. In all cases, even in the presence of a fault during this period, the system will continue to be able to respond when configured in a fault tolerant arrangement. When a channel is not capable of reporting a value within the safety accuracy s…
…locating the module and channel within the system. In many cases redundant sensor and actuator configurations may be used, or differing sensor and actuator types provide alternate detection and control possibilities. Plant facilities frequently have related signals, such as start and stop signals. In these cases it is important to ensure that failures beyond the system's fault tolerant capability do not result in either an inability to respond safely or in inadvertent operation. In some cases this will require that channels be allocated on the same module, to ensure that a module failure results in the associated signals failing safe.

Sensor configurations should be considered. In most cases it will be necessary to separate the signals across modules. Where non-redundant configurations are employed it is especially important to ensure that the fail-safe action is generated in case of failures within the system.

Field loop power should be considered in the allocation of signals to input channels and modules. For normally energized input configurations, field loop power failure will lead to the fail-safe reaction. As with the allocation of signals to modules, there may be related functions, for example start and stop signals, where loss of field power should be considered in the same manner as the signal allocation.

HART

The AADvance controller supports HART communications using dedicated HART modems on each analogue input and output channel, allowi…
…manually cancel the first alarm state at access level 2. This may be done with the same control as is used for reset from the fire alarm condition or fault warning condition.
> The Control and Indicating Equipment (CIE) may have provision to automatically cancel the first alarm state after a time interval, which shall not be less than 5 min.
> If the mode of operation is configured to accept a confirmation alarm signal from the same fire detector, this shall not be inhibited for more than 4 min following the receipt of the first alarm signal.

Type C dependency (option with requirement)

Following the receipt of a fire alarm signal from a fire detector or a manual call point, the CIE shall enter the fire alarm condition, but may have provision to inhibit the activation of outputs until a second alarm signal is received from another fire detector or manual call point, which may be in the same or another zone. In this case it shall be possible to configure the mode of operation at access level 3 to apply individually to each of the following, where provided:
> output to fire alarm devices
> output to fire alarm routing equipment
> output to fire protection equipment

UL 508

This standard defines the Safety Requirements for Industrial Control Equipment. It covers systems utilizing a programmable memory for storage of user-oriented instructions for specific functions such as logic, sequencing, counting and controlling various industrial…
…mended that the Peer-to-Peer communications use redundant networks for availability, and networks separate from general purpose ones for security and integrity. Any of the AADvance or Trusted ports can be used for Peer-to-Peer data connections (see the example shown).

The Trusted Peer-to-Peer protocol is a master-slave interaction. For each peer communications subnet one system acts as a master while the others act as slaves. During the Peer-to-Peer communication cycle the master sends a command to the first slave to transmit its data. When the slave completes this task it acknowledges this back to the master. The master repeats this with the next and all slaves in turn. Finally the master transmits its own data, then repeats the cycle with the slaves.

[Figure: example Peer-to-Peer network. Peer Network 1 spans Subnet 1 and Subnet 2; Controllers 1, 2 and 3 are AADvance controllers with Processor A on Subnet 1 and Processor B on Subnet 2; Controller 4 is a Trusted controller with T8150 Comm Interface Modules; addresses are in the 10.10.1.x and 10.10.2.x ranges]

Safety Related Peer-to-Peer Configurations

The following Peer-to-Peer configurations are approved for use in a Safety Related Function.

Table 14: Peer-to-Peer TÜV Certified Conditions (columns: Settings, Configuration, Software, Board, Certified for…)
…ments and those operator interface devices hard-wired to I/O terminals.

fire alarm device: A component of a fire alarm system, not incorporated in the control and indicating equipment, which is used to give a warning of fire, for example a sounder or visual indicator.

fire alarm receiving station: A centre from which the necessary fire protection or fire fighting measures can be initiated at any time.

fire alarm routing equipment: Intermediate equipment which routes an alarm signal from control and indicating equipment to a fire alarm receiving station.

function block diagram: An IEC 61131 language that describes a function between input variables and output variables. Input and output variables are connected to blocks by connection lines. See limited variability language.

functional safety: The ability of a system to carry out the actions necessary to achieve or to maintain a safe state for the process and its associated equipment.

G

group: A collection of two or three input modules, or two output modules, arranged together to provide enhanced availability for their respective input or output channels.

H

hand-held equipment: Equipment which is intended to be held in one hand while being operated with the other hand.

HART: HART (Highway Addressable Remote Transducer) is an open protocol for process control instrumentation. It combines digital signals with analogue signals to provide field device con…
…mperature range. Models 9110 and 9111: the ambient temperature range is -25 °C to 60 °C. All other Models: the ambient temperature range is -25 °C to 70 °C.

00-IC-F0060 Issue 7.0. This certificate may only be reproduced in its entirety and without any change, schedule included. Page 2 of 5

13. Schedule
14. TYPE EXAMINATION CERTIFICATE No. DEMKO 11 ATEX 1129711X Rev. 2 / Report 4786336921

[Table: Electrical data per model (rows include 9101, 9110 and 9432); columns include Vin (18-32 V range), Iin (mA), VA and inrush current; the remaining values are not recoverable from this extraction]
…An AADvance controller adopts a default value for the PST of 2500ms. The system integrator can use the following method to confirm whether this is acceptable and adjust as necessary.

The value of PST for the controller is governed by this equation:

PST ≤ (PST_EUC / 2) − sensor delay − actuator delay

where PST_EUC is the process safety time for the equipment under control.

As an example, consider a system function using one sensor and one actuator, given the following parameters:
> PST_EUC: 10,000ms
> Sensor delay: 250ms
> Time for actuator (an ESD valve) to fully operate: 1750ms

In this example, therefore, the setting of PST for the controller should be less than or equal to 3000ms.

Choosing Controller PST Settings

The response time allocated to a logic solver such as the AADvance controller needs to take account of delays within the operation of sensors and actuators. In addition, the system's scan time should be considerably less than the process safety time. The value of the PST shall form part of the safety considerations for the system. The value is defined by the process design authority; the system integrator shall calculate and verify that the process safety time meets the stated requirements.
> In an AADvance system the PST value is assigned to the system and can be assigned to individual modules. The system PST value is enfo…
…ng HART field device status, diagnostic data and process signal data to be integrated into the application logic, increasing the level of SIF diagnostics significantly. The AADvance Analogue Input/Output modules use HART commands 03 to collect data from the field device, as defined by Revision 5 of the HART specification. The extra data available from HART-enabled field devices is reported to the application in custom data structures. The T9K AI HART and T9K AI HART FULL structures provide the following information:
> current in milliamps
> process measurement in engineering units
> errors on HART communication seen by the device
> status of the field device
> time in milliseconds since the last update

Typical uses of this data are:
> To compare the measured process value from the Analogue input channel with the process variable value transmitted over HART from the field device, to detect discrepancies.
> To monitor the field device status and report diagnostic errors or manual configuration changes.

Note: The update rate for HART data from field devices is significantly slower than the update rate for the 4-20mA analogue signal itself. HART data may take up to 4 seconds to update, depending on the device type and configuration.

Precautions for HART in a Safety System

HART Pass-Through

If using HART in a safet…
…nitor and configure the field device using HART Pass-Through shall be evaluated to ensure that it is suitable for use with safety devices.

Actuator Configurations

In safety critical applications using a single actuator, it is important that the actuator failure modes be predictable and well understood, so that there is little probability of a failed actuator not responding to a critical process condition. In such a configuration it is important that the actuator be tested regularly, either by dynamic process conditions that are verified in the AADvance system, or by manual intervention testing.

The function of a signal shall be considered when allocating the module and channel within the system. In many cases redundant actuator configurations may be used, or differing actuator types can provide alternate control and mitigation possibilities. Plant facilities frequently have related signals; in these cases it is important to ensure that failures beyond the system's fault tolerant capability do not result in either an inability to respond to safety demands or in inadvertent operation. In some cases this will require that channels be allocated on the same module, to ensure that a module failure results in the associated signals failing safe. However, in most cases it will be necessary to separate the signals across modules. Where non-redundant configurations are employed it is especially important to ensure that the fail-safe action is g…
…nuous sunlight will have a higher internal temperature that could affect the operating temperature of the modules. Modules operating at the extremes of the temperature band for a continuous period can have reduced reliability. It is recommended that the field power consumption calculations to determine the heat dissipation are done before designing the enclosure and deciding upon the installation environment.

Environmental Specifications

The following environmental specification defines the minimum recommended environmental conditions for an AADvance controller installation. Additional conditions apply to installations in a Hazardous environment.

Table 15: Environmental Specification

Attribute | Value
Operating Temperature Range, for use in Hazardous Environments (UL Certification), Processor Modules | -25 °C to 60 °C (-13 °F to 140 °F)
Operating Temperature Range, for use in Hazardous Environments (UL Certification), Modules and Assemblies | -25 °C to 70 °C (-13 °F to 158 °F)
Operating Temperature Range, for use in Non-Hazardous Environments (TÜV Certification), All Modules and Assemblies | -25 °C to 70 °C (-13 °F to 158 °F)
Storage and Transport Temperature | -40 °C to 70 °C (-40 °F to 158 °F)
Module Surface Temperature during normal operation | 43 °C (109 °F)
Humidity, Operating | 10 to 95% RH, non-condensing
Humidity, Storage and Transport | 10 to 95% RH, non-condensing
Vibration, Functional Stress, Continuous | 5Hz to 9Hz, 1.7mm amplitude
Vibration, Functional Stress, Occasional | 3.5mm amplitu…
…o be non-hazardous. Failure to follow these instructions may result in personal injury.

MAINTENANCE

Maintenance must be carried out by people who are experienced in working on electronic equipment and in particular safety related systems. They should have knowledge and experience of local operating and safety standards. Failure to follow these recommendations may result in situations that can lead to system damage and even personal injury.

RADIO FREQUENCY INTERFERENCE

Most electronic equipment is influenced by Radio Frequency Interference. Caution should be exercised with regard to the use of portable communications equipment around such equipment. Signs should be posted in the vicinity of the equipment cautioning against the use of portable communications equipment.

HEAT DISSIPATION AND ENCLOSURE POSITION

System and field power consumption by modules and termination assemblies is dissipated as heat. You should consider this heat dissipation in the design and positioning of your enclosure; e.g. enclosures exposed to continuous sunlight will have a higher internal temperature that could affect the operating temperature of the modules. Modules operating at the extremes of the temperature band for a continuous period can have reduced reliability.

Issue Record

Date | Comments
Jan 2009 | First Issue
April 2009 | Reformat to match associated product user manuals
Aug 2009 | QA re…
…ode of operation shall be configurable at access level 3 for individual zones.
> Reception of a confirmation alarm shall not be inhibited for more than 60 s following the receipt of the first alarm signal. The manufacturer may specify a time shorter than 60 s; in this case this specification shall be tested and verified.
> The first alarm state shall be automatically canceled within 30 min of the receipt of the first alarm signal.
> Information on the values of the configured delay times shall be accessible at access levels 2 or 3.

7.12.2 Type B dependency (option with requirement)

Following the receipt of a first alarm signal from a fire detector, the entry to the fire alarm condition may be inhibited until the receipt of a confirmation alarm signal from the same fire detector, or from a fire detector in the same or a different zone. In this case the first alarm state need not be indicated, and the following shall apply:
> The mode of operation shall be configurable at access level 3 for at least individual zones.
> The first alarm state shall be indicated by means of an audible indication as in 12.10, which may be the same as that in the fire alarm condition or fault warning condition.
> A visible indication of the affected zone, which may be the same as that for indication of a zone in alarm as in 7.3. The general fire alarm indicator shall not be illuminated.
> It shall be possible to…
…odule scan time exceeds the PST, refer to Input Module Safety Accuracy for safe state details.

All modules provide front panel indications, store fault codes in the fault log, and can also report via the Workbench application variables. The following status information is provided:
> module presence
> module health and status
> channel health and status
> field faults
> an echo of the front panel indicators for each module

Availability of Input Modules

Input modules support redundancy when configured for dual or triple operation using the appropriate termination assembly. Redundant input modules may be inserted or removed at any time without any impact on the safety function of the system. Redundant input modules operate independently, providing independent values of the inputs to the processor module.

Termination Assemblies

The termination assemblies are safety critical and provide termination for 16 channels. They connect the field signals to the input modules. The simplex version connects each input channel to one input module, the dual TA routes them to two input modules, and the triple TA to three input modules. Digital and analogue input TA circuits both have fuse protection and a high reliability input load for each channel.

Input Module Safety Accuracy

The input modules determine the channel state and the line fault state by comparing the input reported values with user programmed threshold values. W…
…odules and channels considered each signal's function?
> Do safety related inputs and outputs use only those configurations identified as safety related?
> Are there any safety related normally de-energized outputs? If so, have redundant power sources, power failure warning and line monitoring been provided?
> Have actuator fault conditions been taken into account?
> Has an actuator testing schedule been created for regular actuator maintenance?
> Have field power supplies conforming to EN 61010-1 or EN 60950 been used?
> Have variables been set up to report the safety accuracy value for each channel?
> Have variables been set up to report safe values when a channel's safety accuracy value fails because it is reported to be outside its accuracy figure?
> Has a maximum duration for single channel operation of an I/O module been specified in accordance with the application requirements?
> Has the Shutdown option for each SIL 2 or SIL 3 Output Channel been set to OFF?
> If HART Pass-Through is used, have the safety precautions been observed and implemented?

Description (Yes / No)
> Are any functions not in the previously tested libraries required? If so, has provision been made to adequately test these functions?

Description (Yes / No)
> Are the effects of overriding fully understood, particularly where the override action will affect independent parts of an appl…
…of evaluating creepage distances and clearances, the following four degrees of pollution in the micro-environment are established:
- Pollution Degree 1: No pollution, or only dry, non-conductive pollution occurs. The pollution has no influence.
- Pollution Degree 2: Only non-conductive pollution occurs, except that occasionally a temporary conductivity caused by condensation is to be expected.
- Pollution Degree 3: Conductive pollution occurs, or dry non-conductive pollution occurs which becomes conductive due to condensation, which is to be expected.
- Pollution Degree 4: Continuous conductivity occurs due to conductive dust, rain or other wet conditions.

Installation Requirements for Hazardous Environment
The AADvance controller has been investigated and approved by UL for use as Industrial Control Equipment in hazardous locations, Class I, Division 2, Groups A, B, C and D, in North America. The AADvance controller has been assessed for ATEX compliance. The UL certification number is DEMKO 11 ATEX 112971 IX Rev 2; the UL report number is 4786144521. The ATEX marking is Ex nA T4 Gc. Additionally, the AADvance controller is approved under the IECEx certification scheme; the certificate number is IECEx UL 12.0032X.

Installation Requirements
To comply with the standards, the following conditions must be applied to the installation.

Safety Manual AADvance Controller

Special conditions for safe use
Model 9110: The ambient…
…must only be replaced in an area known to be non-hazardous.

KCC EMC Registration
Translation: Class A device (Broadcasting/Communication Device for Office Use). This device obtained EMC registration for office use (Class A) and may be used in places other than the home. Sellers and/or users need to take note of this.

Chapter 2 Functional Safety Management
This chapter explains the principles that should be applied to managing the safety related system.

In This Chapter
- The Safety Management System 2-1
- The Safety Life-cycle 2-1
- Functional Safety … 2-7
- Safety Integrity Design 2-8

The Safety Management System
A prerequisite for the achievement of functional safety is the creation and use of procedures and other measures as part of a safety lifecycle, collectively known as a Safety Management System. The Safety Management System defines the generic management and technical activities necessary to achieve and maintain functional safety in the product design and development. In many cases the Safety Management and Quality systems will b…
…ons been established?

Safety Requirements Checklist
Description | Yes | No
- Have all of the functional requirements been allocated a required safety requirements class?
- Has the safety related timing for each safety related function, including process safety time (PST) and fault tolerance period, been established?
- Have the safety requirements been approved?
- Are there clear definitions of the external interfaces involved in each of the safety related functions? These may already be defined in the functional requirements.
- Is there now sufficient information to understand how the plant should be controlled safely in each of its intended operating modes?

Description | Yes | No
- Are the AADvance System Build Manual installation instructions available for installing and commissioning the system?
- Does the application program shut down the SIL 3 safety instrumented functions if a faulty module has not been replaced within the MTTR assumed for the system in the PFD calculations?
- Have the application programs been set up to monitor the discrepancy alarms and alert the operators when a discrepancy alarm occurs?
- Do the energize to action configurations conform to the restrictions defined in this safety manual that should be applied when using these configurations?
- Have the Controller System Security Measures been set up and observed?
- Have the Communica…
…out it, the workstation will not run. The Workbench software must be password protected; this can be done when the Workbench is installed. The application must be protected by using a Program Enable Key.

Communication Port Security
A secure network communications protocol developed by Rockwell Automation for the AADvance system permits distributed control and safety using new or existing network infrastructure while ensuring the security and integrity of the data. Individual sensors and actuators can connect to a local controller, minimizing the lengths of dedicated field cabling. There is no need for a large central equipment room; rather, the complete distributed system can be administered from one or more computer workstations placed at convenient locations. AADvance has a Rockwell secure SIL 3 rated Black Channel external communication over Ethernet.

The following transport layer ports/services are supported by AADvance. Some ports are always available, others are only available when configured. When always-available ports are not configured or are unused, they are open to unauthorized access.

Table 1
Protocol | Port Number
TCP | 502
TCP | 1132
TCP | 10001 to 10006
TCP | 44818
TCP | 55555
UDP | 123
UDP | 1123 to 1124
UDP | 2010
UDP | 2222
UDP | 5000
UDP | 44818
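The practical consequence of Table 1 is that an integrator must know which of these ports the application actually uses and block or verify the rest. The script below is an added example for this page, not Rockwell Automation code: it transcribes Table 1 into a set, performs a plain TCP connect scan of the documented TCP ports (UDP services cannot be confirmed this way), and sorts every open port into "expected", "documented but not configured for this application" and "not in the manual at all". The sample scan result in the `__main__` block is constructed, and the `configured` set is whatever the integrator enabled in the Workbench; TCP 502 is the standard Modbus TCP port the glossary also mentions.

```python
"""Audit the Ethernet exposure of an AADvance controller against the
transport-layer port list in the safety manual (Table 1).

Added example for this page; it is not Rockwell Automation code.  The
assumptions are: the documented list below is transcribed from Table 1,
the 'configured' set is whatever the integrator actually enabled in the
Workbench, and any port not in either set is treated as a finding.
"""
import socket

# Transcribed from Table 1 on this page as (protocol, port) pairs.  Ranges
# are expanded so that every pair can be compared individually.
DOCUMENTED_PORTS = (
    {("tcp", p) for p in (502, 1132, 44818, 55555)}
    | {("tcp", p) for p in range(10001, 10007)}
    | {("udp", p) for p in (123, 1123, 1124, 2010, 2222, 5000, 44818)}
)


def classify_open_ports(observed, configured):
    """Split observed-open (proto, port) pairs into three buckets.

    expected     : documented and deliberately configured by the integrator
    unconfigured : documented as available on the controller but not used by
                   this application, so it must be blocked upstream
    unknown      : not in the manual's list at all, investigate the host
    """
    observed = set(observed)
    configured = set(configured)
    return {
        "expected": observed & configured & DOCUMENTED_PORTS,
        "unconfigured": (observed & DOCUMENTED_PORTS) - configured,
        "unknown": observed - DOCUMENTED_PORTS,
    }


def tcp_connect_scan(host, ports, timeout=0.5):
    """Return the subset of TCP ports on host that accept a connection.

    A plain connect() scan is used on purpose: it needs no raw sockets and
    sends no application data to a safety controller.  UDP services (NTP on
    123, the 1123/1124, 2010, 2222, 5000 and 44818 UDP entries) cannot be
    confirmed by this method and need a separate check at the firewall.
    """
    open_ports = set()
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.add(("tcp", port))
    return open_ports


def audit_controller(host, configured, extra_ports=(), timeout=0.5):
    """Scan the documented TCP ports plus any extras and classify the result."""
    tcp_ports = sorted({p for proto, p in DOCUMENTED_PORTS if proto == "tcp"}
                       | set(extra_ports))
    return classify_open_ports(tcp_connect_scan(host, tcp_ports, timeout), configured)


if __name__ == "__main__":
    # Constructed scan result standing in for a real controller: the two
    # ports the application uses answered, so did one documented port the
    # integrator never configured, and so did one undocumented port.
    constructed_observed = {("tcp", 502), ("tcp", 1132), ("tcp", 10001), ("tcp", 8080)}
    intended = {("tcp", 502), ("tcp", 1132)}
    for bucket, ports in classify_open_ports(constructed_observed, intended).items():
        print(f"{bucket:12s} {sorted(ports)}")
```

Run `audit_controller("<controller-ip>", intended)` from a maintenance workstation on the controller's own network segment; anything in the `unconfigured` or `unknown` buckets is a port the firewall or switch ACL in front of the controller should be dropping.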
…provides two safety network functions that allow SIL 3 rated safety communication across the Ethernet communications link:
- SNCP (Safety Network Control Protocol)
- Peer-to-Peer (not supported by Workbench 2.0)

SNCP Safety Networks
SNCP (Safety Network Control Protocol) is the safety protocol that allows elements of an AADvance system to exchange data. AADvance SNCP is a SIL 3 certified protocol which provides a safety layer for the Ethernet network, making it a Black Channel. Data is exchanged by creating a relationship between variables in different AADvance controllers; this is called Binding Variables. Once variables are bound between controllers, the SNCP protocol provides a transparent SIL 3 certified layer allowing safety related data to be passed between AADvance controllers.

The bindings are based on a producer/consumer model. The controller consuming the data establishes a binding link with the controller producing the data and manages the entire exchange of data, including scheduling the data exchange, providing the diagnostics, managing the safety response in the event of faults, and managing the communications redundancy.

SNCP networks can be configured as Simplex (fail safe) or Redundant (fault tolerant); the choice of network configuration is dependent on the application's safety and availability requirements. The dat…
…specified for the module, safe values are reported instead. Thus an I/O channel fault condition results in a fail safe state.

The maximum duration for single channel operation of I/O modules depends on the specific process and must be specified individually for each application. Input modules can operate in a simplex arrangement without time limit for SIL 3 and lower applications. Faulty output modules must be replaced within the MTTR used for PFD calculations. Faulty processor modules must be replaced within the MTTR used for the PFD calculations. The application program must be designed to shut down energize-to-action SIL 3 safety instrumented functions if a faulty output module has not been replaced within the MTTR.

When a module is operating in a dual mode, or is degraded to a dual mode, and a state or value discrepancy occurs, then if no module fault is detected the state or value reported to the application will always be the lower of the two states or values, for both digital and analogue input module configurations. In safety applications, channel discrepancy alarms shall be monitored by the application program and used to provide an alarm to plant operations personnel.

Energize to Action Configurations
Certain applications may require energize to action for inputs and/or outputs. Energize to action configurations shall only be used if the following restrictions apply:
- At least two independen…
…plausibility of the information, and program measures to ensure safe responses in case of implausible conditions.

Safety related functions shall be latched when in their tripped state to prevent intermittent field faults from removing the trip condition. This can be achieved with the application logic or with measures external to the logic solver. The application software shall be written to ensure that safety related functions are in their safe state during system start-up.

Minimize Logic Depth
Where possible the logic depth should be minimized. This helps reduce visual complexity, simplifies testing, minimizes the number of interconnects required and improves program efficiency. Where there is nested logic, it shall be possible to establish the correct operation of all intermediate logic connections. The use of memory latch components within the safety function shall be minimized. Similarly, the permutation of conditions that lead to their activation shall be minimized.

Compiler Verification Tool Safety Requirement
The Compiler Verification Tool (CVT) is a software utility that validates the output of the application compilation process. It is automatically enabled for resources when a project is created and when you add a resource to an existing project. This process, in conjunction with the validated execution code produced by the AADvance Workbench, confirms that there are no errors introduced by the Compil…
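Three rules from the surrounding text decide what the application sees from a dual input pair and what it must do with it: a channel outside its safety accuracy reports a safe value, two healthy but disagreeing channels yield the lower value plus a discrepancy alarm that the program must surface, and a tripped function stays latched until a deliberate reset. The model below is an added example, not AADvance application code or a Rockwell library; it encodes those rules for a high-trip function so the consequence of "lower of the two" can be seen directly. The setpoint, the tolerance and the use of `None` as the module's safe value are assumptions for illustration.

```python
"""Model of a dual input channel pair feeding a latched high-trip function.

Added example for this page, not AADvance application code or a Rockwell
library.  It encodes three rules stated in the manual: a channel that
fails its safety accuracy check reports a safe value; with both channels
healthy and disagreeing, the lower of the two values is passed to the
application and a discrepancy alarm is raised; and a tripped safety
function stays tripped until an explicit reset.  The setpoint, tolerance
and the SAFE_VALUE sentinel are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import List

SAFE_VALUE = None   # stands in for the module's fail-safe analogue value


@dataclass
class Channel:
    value: float
    healthy: bool      # False = outside safety accuracy or module fault


def vote_dual(a: Channel, b: Channel, tolerance: float):
    """Return (voted_value, discrepancy) for a dual input module pair."""
    good = [c.value for c in (a, b) if c.healthy]
    if not good:
        return SAFE_VALUE, False          # both faulted: fail safe
    if len(good) == 1:
        return good[0], False             # degraded to single-channel operation
    discrepancy = abs(good[0] - good[1]) > tolerance
    # Manual: with no fault detected the application always sees the lower
    # of the two values.  For a high-trip function that is the less
    # conservative reading, which is why the discrepancy alarm must be
    # monitored rather than ignored.
    return min(good), discrepancy


@dataclass
class HighTripFunction:
    trip_setpoint: float
    tolerance: float
    tripped: bool = True                  # safe state at start-up
    discrepancy_alarm: bool = False
    log: List[str] = field(default_factory=list)

    def _demand(self, value) -> bool:
        return value is SAFE_VALUE or value >= self.trip_setpoint

    def scan(self, a: Channel, b: Channel) -> bool:
        """One application cycle; returns True while the output is energized."""
        value, discrepancy = vote_dual(a, b, self.tolerance)
        if discrepancy and not self.discrepancy_alarm:
            self.log.append("discrepancy alarm raised")
        self.discrepancy_alarm = discrepancy
        if self._demand(value) and not self.tripped:
            self.tripped = True           # latch: an intermittent fault cannot clear it
            self.log.append(f"trip latched at {value}")
        return not self.tripped

    def reset(self, a: Channel, b: Channel) -> bool:
        """Operator reset: clears the latch only when no demand is present."""
        value, _ = vote_dual(a, b, self.tolerance)
        if self._demand(value):
            self.log.append("reset refused: demand still present")
            return False
        self.tripped = False
        self.log.append("reset accepted")
        return True


if __name__ == "__main__":
    sif = HighTripFunction(trip_setpoint=80.0, tolerance=2.0)
    sif.reset(Channel(50.0, True), Channel(50.0, True))       # leave start-up safe state
    sif.scan(Channel(85.0, True), Channel(70.0, True))        # discrepancy, lower value used
    sif.scan(Channel(85.0, True), Channel(84.0, True))        # both high: trip and latch
    sif.scan(Channel(50.0, True), Channel(50.0, True))        # input recovers, trip stays
    print("\n".join(sif.log))
```

The second scan in the `__main__` block is the case the manual's discrepancy rule is warning about: one channel already reads above the setpoint, but the application is handed 70.0 and does not trip, so the only indication an operator gets is the discrepancy alarm.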
…port by e-mail (icstsupport@ra.rockwell.com) to check if you have the latest version of this publication.

Copyright Notice
Copyright Rockwell Automation 2015. This document contains proprietary information that is protected by copyright. All rights are reserved.

Documentation Feedback
Your comments will help us to serve your documentation needs better. If you discover any errors or have any suggestions on how to improve this publication, send your comments to our product support group at icstsupport@ra.rockwell.com.

This Safety Manual applies to AADvance Release 1.34.

Notes and Symbols used in this manual
This symbol calls attention to items which must be considered and implemented when designing and building an AADvance controller for use in a Safety Instrumented Function (SIF). It appears extensively in the AADvance Safety Manual.

Note: Notes are used extensively to provide important information about the product.

Standard Warnings and Cautions
WARNING: ELECTRICAL ARCS AND EXPLOSION RISK IN HAZARDOUS AREAS
If you connect or disconnect wiring, modules or communications cabling while power is applied, an electrical arc can occur. This could cause an explosion in hazardous location installations. Do not remove wiring, fuses, modules or communications cabling while the circuit is energized unless the area is known t…
…programs ensure that all safety related elements are in their safe state during start-up?

Description | Yes | No
- Have alternate protection measures been considered for safety related functions should you need to do an on-line change?
- Has it been ensured that HART data is not used as the primary process measurement in a safety related function (SIF)?
- Has the HART Pass Through function been disabled if the device configuration status is not monitored and alarmed, to prevent unauthorized or accidental changes to the field device configuration?

Testing Checklist
Description | Yes | No
- Have all of the functions and function blocks used been fully tested?
- Was CVT enabled when you compiled your application?
- Has SFC not been used?
- Has the application been fully tested?
- Are the scan and response times in accordance with the PST requirements (scan time less than ½ PST)?
- Have the climatic conditions been verified to be suitable?
- Have Test Plans and Test Specifications been developed for the system?
- Has the system been fully tested to the Test Plans and Test Specifications?

Glossary of Terms
A
accuracy: The degree of conformity of a measure to a standard or a true value. See also resolution.
achievable safe state: A safe state tha…
Input Module Safety Functions
An input module is classified as safety critical and is designed to SIL 3 level as a single fail-safe module. The input modules offer 8 or 16 isolated channels and report input voltage levels to the processor; for the analogue input variant, the module converts the field current into a voltage. Input values are updated by the Workbench at least once per application cycle. The same hardware is used for the 24 Vdc digital input modules and the 4-20 mA analogue input modules. Modules can be replaced or installed on-line without affecting the controller operation, provided at least one is fitted and is fully operational. However, each module must be installed one at a time and allowed to educate before the next module is installed.

The input module will operate in a SIL 2 or SIL 3 configuration for energize-to-action and de-energize-to-trip applications. The module provides the following isolation:
- channel to channel galvanic isolation
- galvanic isolation between channels and the communication signals
- galvanic isolation between channels and power
- locking screw operational function

Reactions to faults in the input modules
When an input channel is not capable of reporting a voltage within the safety accuracy specified for the module, then the module returns safe values to the processor. Signals go to a safe state if the m…
…interaction does not fall within these categories, the effects of incorrect values and sequences of values shall be considered and measures taken to ensure that the system will respond safely in the event of erroneous data. Alternatively, measures may be implemented within the application to ensure the integrity and validity of the data.

Even with a small number of inputs it is possible to reach a point where the number of tests becomes unreasonable. Eliminating impossible or unlikely scenarios should be used to reduce the number of logic path tests that need to be performed. The selection of what constitutes a scenario that does not require testing can be performed only after a suitable hazard analysis. The scenarios should include possible plant conditions, sequences of plant conditions and system conditions, including partial power conditions, module removal and fault conditions.

Where it is not possible to define a representative suite of test cases, all permutations of input conditions (i.e. all possible states on all possible inputs) shall be exercised. Where the logic includes memory or timing elements, additional tests shall be defined to exercise all the possible sequences of input permutations leading to their operation.

All safety related functions shall be tested and the results of the tests recorded. The tests shall include the system scan time, fault detection time, fault reaction time and throughput delay for shutdown logic. The system…
…enforced by the processor modules and has priority over the module PST values. When the system PST is not met, the processor modules will fail safe.
- The input PST is also enforced by the processor modules; when the PST is not met, the processors will present fail-safe input values to the application logic.
- The output PST is enforced by the output modules, and when the output PST is not met the output module will assume the fail-safe state.

Note: The fail-safe state for all AADvance modules is de-energized.

You must specify the process safety time for the whole controller. If desired, you can specify additional process safety times for individual groups of I/O modules. The setting for the whole controller is a top-level setting which you make once for all the 9110 processor modules. Groups of I/O modules can inherit this setting or, if desired, use individual process safety times instead.

Notes:
- The minimum controller PST must be at least twice the application scan time.
- If you choose to specify a process safety time for a group of I/O modules, the I/O modules use this setting instead of the top-level setting. If you do not specify a process safety time for a group of I/O modules, the modules use the top-level setting.
- If you do not specify any process safety time, the controller will use a default value of 2,500 ms throughout.

Industrial Functional Safety Standards
AADvance is designed…
…Architecture Checklist, Input/Output Module Configuration Checklist, Processor and Application Checklist, Testing Checklist.
- Peer-to-Peer functionality not supported with Workbench 2.0.
- Removed reference to a Frequency Input Module as this will not be available within AADvance Release 1.34.
- Revised URL and hyperlink to latest TÜV certification site.
- Replaced Module Label sample with latest revision.
Page references for the revision history above: 1-6, 1-7, 1-6, 1-13 to 1-27, 3-1, 3-13, 4-20, 4-34, 4-35, 4-47, 5-3, 5-4, 5-6, 5-7, 5-7, 3-18, 1-3, 1-9, 1-24.

Foreword
This technical manual defines how to safely apply AADvance controllers for a Safety Instrumented Function. It sets out standards which are mandatory and makes recommendations to ensure that installations meet their required safety integrity level. To do this it addresses how such installations are designed, built, tested, installed and commissioned, operated, maintained and decommissioned. It defines the requirements to be met during the life cycle stages of safety related systems design and commissioning so that the safety objectives of the system are achieved during operation.

There are requirements for quality systems, documentation and competency in this technical manual; these are additional requirements for an operating company's or integrator's quality systems, procedures and practices.

Note: The AADvance controller is a logic solver. I…
…re. It is therefore necessary to ensure that the system as a whole complies with the client's requirements or appropriate standards. EN 61000-6-2:2005 and EN 61000-6-4:2007 (within Europe the CE mark requirements) form a legal minimum. For systems for applications outside Europe, it is recommended that at least the same measures be applied and confirmation sought from the client or end user that electromagnetic interference (EMI) levels are within those shown in the table.

Electromagnetic Immunity and Emissions
Test | Standard | Conditions
Radiated Emissions | CISPR 11:2003; BS EN 61000-6-4:2007+A1:2011 | Class A (N/A)
Radiated Field Immunity | BS EN 61000-4-3:2006+A1:2008 | 10 V rms/m unmodulated, 80 MHz to 2 GHz, 80% AM (1 kHz), 1 Hz pulse modulation 50/50 duty cycle; 1 V rms/m unmodulated, 2 GHz to 2.7 GHz, 80% AM
Fast Transient Burst Immunity | BS EN 61000-4-4:2004+A1:2010 | DC power 2 kV; signalling ports 1 kV
Surge Immunity | BS EN 61000-4-5:2006 | DC power 1 kV line-line, 2 kV line-ground; I/O port 1 kV line-ground only
Conducted RF Immunity | BS EN 61000-4-6:2003+A1:2004+A2:2006 | 10 V rms unmodulated, 150 kHz to 100 MHz, 80% AM (1 kHz), 1 Hz PM 50/50 duty

Notes:
- N/A: not applicable.
- Access to the controller must be restricted to appropriately trained maintenance personnel operating in accordance with relevant ESD mitigating procedures.
- The equipm…
…s electrical parameters, data representation, signalling, authentication and error detection. Examples include Modbus, TCP and IP.
PST: Process Safety Time. The process safety time for the equipment under control, denoted PST, is the period a dangerous condition can exist before a hazardous event occurs without a safety system as a protection.

R
real: A class of analogue variable stored in a floating point single precision 32-bit format.
redundancy: The use of two or more devices, each carrying out the same function, to improve reliability or availability.
resolution: The smallest interval measurable by an instrument; the level of detail which may be represented. For example, 12 bits can distinguish between 4096 values.
RS-232-C, RS-422, RS-485: Standard interfaces introduced by the Electronic Industries Alliance covering the electrical connection between data communication equipment. RS-232-C is the most commonly used interface; RS-422 and RS-485 allow for higher transmission rates over increased distances.
RTC: Real-time clock.
RTU: Remote terminal unit. The Modbus protocol supported by the AADvance controller for Modbus communications over serial links, with the ability to multi-drop to multiple slave devices.

S
safe state: A state which enables the execution of a process demand. Usually entered after the detection of a fault condition, it makes sure the effect of the fault is to…
…is entered automatically when a critical firmware failure occurs, or it can be entered manually by pressing the processor Fault Reset button immediately after the module has booted up. As an alternative firmware version it allows the following maintenance activities:
- Update the firmware using the ControlFLASH utility
- Program the processor IP address with the AADvance Discover utility
- Extract diagnostic information

In Recovery Mode the Ready, Run, Force and Aux LEDs go Amber and the Healthy and System Healthy LEDs stay Green. The System Healthy and Healthy LEDs may go Red if a fault is detected while in Recovery Mode.

Note: When in Recovery Mode the I/O communications are disabled and the application code is not running.

Processor Module Locking Screw Safety Function
The module locking screw acts as a module retaining device and also as a switch that controls the module's operation. For the module to be fully operational the locking screw must be turned to the locked position. If the screw is turned to the unlocked position when a module is operational, it will initiate a fault indication and the module will become non-operational. Processor modules can be replaced or installed on-line without affecting the controller operation, provided at least one is fitted and is fully operational. However, each module must be installed one at a time and allowed to educate before the next module is installed.
…s developed and built for IEC 61131 compliance and includes support for all five programming languages. Program access is secured by a removable Program Enable key. Simulation software lets you prove a new application before reprogramming and downloading again, maximizing system uptime.

AADvance Features
The AADvance system controls complex and often critical processes in real time, executing programs that accept external sensor signals, solve logic equations, perform calculations for continuous process control and generate external control signals. These user-defined application programs monitor and control real-world processes in the oil and gas, refining, rail transit, power generation and related industries across a wide range of control and safety applications. The main features of the AADvance system are as follows:
- Facilitates differing fault tolerant topologies: 1oo1, 1oo2D and 2oo3
- Flexible modular construction using individual modules to build the system
- Operates as a stand-alone system or as part of a larger distributed network
- Easily transformed from a simplex non-safety system to a fault tolerant safety related system
- IEC 61508 certified, reviewed and approved by TÜV and UL
- Scalable module expansion without system interruption
- Supports secure SIL 3 rated Black Channel external communication over…
…s the requirements for the prevention of fire and explosion hazards associated with heat processing of materials in ovens, furnaces and related equipment.
on-line: The state of a controller that is executing the application software.
OPC: A series of standards specifications which support open connectivity in industrial automation.
output (Workbench variable): In the context of an AADvance Workbench variable, this term describes a quantity passed from the Workbench to a controller.

P
peer to peer: A Peer-to-Peer network consists of one or more Ethernet networks connecting together a series of AADvance and/or Trusted controllers to enable application data to be passed between them.
pinging: In Modbus communications, sending the diagnostic Query Data command over a link and, by receiving a reply, ensuring that the link is healthy and the controller is able to communicate with the master. No process data is transferred or modified. In the case of slave devices that will not support pinging, the Standby command will default to the Inactive state but no error will be returned.
portable equipment: Enclosed equipment that is moved while in operation, or which can easily be moved from one place to another while connected to the supply. Examples are programming and debugging tools and test equipment.
process safety time (PST): For equipment under control, this represents the period of time a dangerous condition can…
…scan time, including Peer-to-Peer and bindings communications where appropriate, shall be less than ½ PST.

Functional testing of all safety related programs is considered to be 100% if:
- All inputs are exercised through their entire allowable range
- All outputs are exercised through their entire program-determined range
- All logic paths are exercised
- All timers have been tested regarding their timing characteristics without changing timing parameters
- All combinatorial permutations of digital signals, with the exception of 100% tested function blocks, are tested, including fault states
- All combinatorial permutations of analogue signals, with the exception of 100% tested function blocks, are tested within the safety accuracy granularity
- All timing properties of each safety loop have been verified

Cross Reference Checking
While the aim shall be to minimize the coupling and dependencies between individual programs, there will inevitably be occasions where, for example, a variable is used within two or more programs. It is important to ensure that any application program changes that affect these interactions do not jeopardize the functional safety.

On-line Modification
It is highly recommended that on-line changes are not performed unless absolutely necessary, as they could reduce the safety integrity of the system while the changes are being made. Where changes have to be carried ou…
- Maintenance Overrides 4-32
- Application Program Development 4-33
- AADvance Workbench Configuration 4-33
- Language Selection 4-34
- Sequential Function Chart 4-35
- Testing of New or Previously Untested … 4-35
- Compiler Verification Tool Safety … 4-37
- Communications Interaction 4-37
- Program … 4-38
- On-line … 4-39
- Physical … 4-40
- Environmental Requirements 4-41
- Environmental Specifications 4-41
- Electromagnetic Immunity and Emissions 4-42
- Fit EMC Static Protection Covers 4-45
- Using Shielded Cabling for Ethernet and Serial Ports 4-45
- AADvance System Power Requirements 4-45
- System Security 4-47

Chapter 5
- Pre-Engineering Checklists 5-1
- Scope Definition Checklist 5-1
- Functional Requirements Checklist 5-2
- Safety Requirements Checklist 5-2
- Engineering Checklists 5-3
- I/O Architecture … 5-3
- Language Selection Checklist 5-5
- Override Requirements Checklist 5-5
- Input/Output Module Configuration Checklist 5-6
- Processor and Application Checklist 5-6
- Testing Checklist 5-7

Chapter 6 Glossary of Terms
…position, the start-up and education process begins automatically. When the locking screw is set to the unlocked position, the module will switch off and the following indications will be displayed:

Status Indicator | Colors
Healthy | GREEN
Ready | GREEN to OFF
Run | GREEN to RED
Channels 1 to 8 (or 1 to 16) | OFF

Note: If the above indications are not present when the locking screw is set to the unlocked position, refer to the Troubleshooting and Repair Manual.

I/O Module Process Safety Time (PST)
This option allows the system integrator to configure the PST for an I/O module independently from the system value set through the processor module. If no independent value is set for the module, it will adopt by default the top-level value of PST set for the processor module. When an input module exceeds the PST, that is, the controller does not receive an update from the I/O module within the PST, then the I/O module is set to a fail-safe state and returns safe values to the controller; refer to the topic Input Module Safety Accuracy.

Digital/analogue output module PST
For a digital or analogue output module the PST represents the period of a watchdog timer that specifies the length of time the controller will allow the module to run without receiving updates from the application. If the module runs beyond this time without receiving any updates, it enters its shutdown state. The default PST is 2500 ms. In…
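The PST rules are spread over two passages on this page (the processor-level description with its inheritance and 2,500 ms default, and the per-I/O-module watchdog description above), and the mistakes they invite are configuration mistakes: a group override that silently replaces the top-level value, or a PST that the scan cycle can never satisfy. The checker below is an added example, not Rockwell tooling and not the Workbench configuration format; it resolves the effective PST per group exactly as the manual describes and applies the stated rule that the controller PST must be at least twice the application scan time. The second check, that a module PST no longer than one scan cannot be met by an application that updates the module once per cycle, is my inference from the watchdog description rather than a rule the manual states, and is labelled as such in the output. Group names, scan time and values are constructed.

```python
"""Resolve and check the process safety time (PST) settings of an AADvance
controller as the manual describes them: one top-level value set on the
9110 processors, optionally overridden per I/O module group, with 2500 ms
used when nothing is configured.

Added example for this page; not Rockwell tooling and not the Workbench
configuration file format.  Group names, scan time and the values in the
__main__ block are constructed.  Two checks are applied: the stated rule
that the controller PST must be at least twice the application scan time,
and (inferred from the watchdog description, not a stated rule) that a
module PST no longer than one scan can never be satisfied.
"""
from typing import Dict, List, Optional

DEFAULT_PST_MS = 2500      # used throughout when no PST is configured


def effective_pst(controller_pst: Optional[int],
                  groups: Dict[str, Optional[int]]) -> Dict[str, int]:
    """Map 'controller' and each I/O group to the PST it will actually use.

    None means 'not configured': a group with None inherits the top-level
    setting, and the top-level setting itself falls back to the default.
    """
    top = DEFAULT_PST_MS if controller_pst is None else controller_pst
    resolved = {"controller": top}
    for name, override in groups.items():
        resolved[name] = top if override is None else override
    return resolved


def check_pst(scan_ms: int, controller_pst: Optional[int],
              groups: Dict[str, Optional[int]]) -> List[str]:
    """Return a list of findings; an empty list means the settings are consistent."""
    resolved = effective_pst(controller_pst, groups)
    findings = []
    if resolved["controller"] < 2 * scan_ms:
        findings.append(
            f"controller PST {resolved['controller']} ms is below twice the "
            f"application scan time ({2 * scan_ms} ms); the manual requires "
            f"at least twice the scan time")
    for name, pst in resolved.items():
        if name != "controller" and pst <= scan_ms:
            findings.append(
                f"group '{name}' PST {pst} ms is not longer than one scan "
                f"({scan_ms} ms), so the module watchdog can expire between "
                f"application updates (inferred check, not a stated rule)")
    return findings


if __name__ == "__main__":
    scan = 100                                   # ms, constructed
    weak = {"di_group": 80, "do_group": None}    # 80 ms override can never be met
    for finding in check_pst(scan, None, weak):
        print("FINDING:", finding)
    corrected = {"di_group": 1000, "do_group": None}
    print("corrected settings:", check_pst(scan, 2000, corrected) or "no findings")
```

Note what `effective_pst` makes visible: with `controller_pst=None` the "do_group" entry inherits 2500 ms, so a configuration that was never deliberately set still passes the twice-scan-time rule while the explicit 80 ms override on "di_group" is the one that fails.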
…transportation, medical or other activities.
expansion cable assembly: A flexible interconnection carrying bus signals and power supplies between AADvance base units, available in a variety of lengths. Used in conjunction with a cable socket assembly at the left-hand side of a base unit and a cable plug assembly at the right-hand side of a base unit.

F
fail operational state: A state in which the fault has been masked. See tolerant.
fail safe: The capability to go to a pre-determined safe state in the event of a specific malfunction.
fault reset button: The momentary action push switch located on the front panel of the 9110 processor module.
fault tolerance: Built-in capability of a system to provide continued correct execution of its assigned function in the presence of a limited number of hardware and software faults.
fault tolerant: The capability to accept the effect of a single arbitrary fault and continue correct operation.
fault warning receiving station: A centre from which the necessary corrective measures can be initiated.
fault warning routing equipment: Intermediate equipment which routes a fault warning signal from the control and indicating equipment to a fault warning receiving station.
field device: Item of equipment connected to the field side of the I/O terminals. Such equipment includes field wiring, sensors, final control ele…
…t conditions; however, they are designed to fail safe where possible.
- Fault tolerant systems have redundant modules and processors that allow the system to continue operation, or ensure that the system fails safe, in the presence of faults.
- Redundant operation is when modules within the different stages (input, logic solving and output) are configured as dual or triple modules.

Internal diagnostics enhance the fault tolerance capability. The AADvance system has comprehensive internal diagnostics that detect and reveal both covert and overt failures. These diagnostics will alert users to hidden faults so that users can repair the system within the MTTR used for the PFD calculations and maintain the system's fault tolerance and integrity level.

Controller
The AADvance controller is specifically designed for functional safety and critical control applications; it provides a flexible solution for smaller scale requirements. The system can be used for safety instrumented functions as well as applications that are non-safety but still critical to a business process. This controller offers you the ability to create a cost-effective system to suit any of the following applications:
- Critical process control
- Fire and gas protection systems
- Rotating machinery control systems
- Burner management
- Boiler and furnace control
- …
t is achievable.

Note: Sometimes a safe state cannot be achieved. An example is a non-recoverable fault such as a voting element with a shorted switch and no means to bypass the effect of the short.

actuator: A device which causes an electrical, mechanical or pneumatic action to occur when required within a plant component. Examples are valves and pumps.

AITA: Analogue input termination assembly.

alarms and events (AE): An OPC data type that provides time-stamped alarm and event notifications.

allotted process safety time: The portion of the total process safety time allotted to a sub-function of that process.

application software: Software specific to the user application, typically using logic sequences, limits and expressions to read inputs, make decisions and control outputs to suit the requirements of the system for functional safety.

architecture: Organizational structure of a computing system which describes the functional relationship between board level, device level and system level components.

asynchronous: A data communications term describing a serial transmission protocol. A start signal is sent before each byte or character and a stop signal is sent after each byte or character. An example is ASCII over RS-232-C. See also RS-232-C, RS-422, RS-485.

availability: The probability that a system will be able to carry out its designated function when required
t on-line, alternative safety measures must be implemented for the duration of the change procedure. Certain modifications can be performed without directly affecting the system's safety function, for example the physical installation of additional modules. Although these modifications will not affect the system's operation until the system configuration and application program have been modified, caution shall be exercised to ensure that the modifications do not affect other safety-related functions.

The procedures to perform an on-line update are written in the AADvance Configuration Guides (Rockwell Automation references 553633 and 555063). On-line modifications must follow the end user's MOC process as required by the applicable industry safety standards. On-line modifications must include any specific checks recommended by Rockwell Automation for the product.

Important Note: For Releases 3x you can change the module configuration with an on-line update without having to stop the running application. However, if you are still using an earlier product release, the I/O module configuration cannot be changed with an on-line update.

Changes that affect the system's ability to respond safely, or that may cause other plant disruption, shall not be performed on-line unless alternate protection measures can be implemented for the duration of such modifications.

Ph
t power sources must be used. These power sources must provide emergency power for a safe process shutdown or a time span required by the application. Each power source must be provided with power integrity monitoring, with safety-critical input read-back into the system controller, or implicit power monitoring provided by the I/O modules. Any power failure shall lead to an alarm.

Unless provided implicitly in the modules, all safety-critical inputs and outputs must be fitted with external line and load integrity monitoring and safety-critical read-back of the line status signals. Any line or load failure shall lead to an alarm.

For SIL 3 energize-to-trip applications a minimum of dual output modules shall be used.

In cases where one or more outputs are used in an energize-to-action configuration, all the specific requirements above shall be followed for all associated inputs.

Controller Process Safety Time (PST)

The Process Safety Time (PST) setting defines the maximum time that the processor will allow the outputs to remain in the ON state in the event of certain internal diagnostic faults or systematic application faults. If the process safety time expires, the system will go to its safe state. You have to specify the PST for the whole controller; this is a top-level setting that you make once for the whole controller, and it is set at the processor module. I/O modules can be set at a lower PST but must not exceed this overall setting. A
t uses processor modules and I/O modules. An AADvance system is formed by one or more controllers, their power sources, communications networks and workstations.

Who Should Use this Manual

This manual is intended primarily for System Integrators. The information contained in this manual is intended to be used in conjunction with, and not as a substitute for, expertise and experience in safety-related systems. In particular, it is expected that the reader has a thorough understanding of the intended application and safety system principles and can understand the generic terms used within this manual and the terminology specific to the integrator's or project's application area.

Note: The System Integrator remains responsible for the generation of procedures and practices applicable to its business and shall ensure that these are in accordance with the requirements defined herein. The application of such procedures and practices is also the responsibility of the system integrator, and these are mandatory for systems used for SIL 3 applications.

Contents

Chapter 1
Verification of the Safety Manual 1-1
tal Output channels, and if so, has the effect on the safety functions been taken into account?
- Has input or output forcing been used on any channels, and has the effect on the safety function been fully taken into account so that it does not jeopardize functional safety?
- Has a method of manually removing a forced condition (e.g. manually operated switches) been set up to remove the forced condition on safety-related inputs?
- Has the Workbench system configuration backup copy been tested?

Processor and Application Checklist

Description | Yes | No
- If bindings communications is used, are the timeouts set to a response time within the required PST?
- Have dual/triple processors been configured for SIL 3 and high demand applications?
- Have you recommended shut-down actions for single module configurations outside of the MTTR assumed for the PFD calculations?
- Has security protection been used to prevent unauthorized access to the application programs?
- Have full branch and data tests been carried out on IL and ST program flow functions?
- Have safety-related control programs been implemented within separate programs from non-safety-related control elements?
- Is the data flow programmed so that it goes from safety functions to non-safety functions?
- Are the processor modules loaded with the latest firmware versions?
- Are all processors using the same firmware versions?
- Do the application
tests completed, any problem reports and the resolution of problems.

Safety System Validation

Safety system validation shall test the integrated system to ensure compliance with the safety requirements specification at the intended safety requirements class. The validation activities should include those necessary to prove that the system implements the safety actions during normal start-up and shutdown and under abnormal fault modes. The validation shall confirm that each functional safety requirement has been implemented at the specified safety integrity level and that the realization of the function achieves its performance criteria, specifically that the process safety time requirements have been met. The validation shall also consider the potential external common cause failures (power sources and environmental conditions) and ensure that the system will provide fail-safe operation when these conditions exceed its design capabilities.

Operation and Maintenance Plan

The provision of an Operation and Maintenance Plan ensures that functional safety can be maintained beyond the commissioning of the system. The in-service operation and maintenance is normally outside the responsibility of the system integrator, but the system integrator can provide guidance and procedures to ensure that the persons or organizations responsible for operation and maintenance can ensure the system operates to the specified safety
th the protocol and the data to be interchanged established?
- Are all of the plant interfaces defined, including the signal qualities and characteristics?
- Have any special or abnormal conditions that exceed the normal equipment capabilities been highlighted to enable special measures to be implemented?
- Is the presented information adequate to support the necessary level of understanding of the plant (EUC) and its environment?

Description | Yes | No
- Has a risk analysis been completed to determine the Safety Integrity Levels that need to be handled by the system?

Functional Requirements Checklist

Description | Yes | No
- Is the definition of each of the required functions complete?
- Are the interfaces, signals and data associated with each function clearly identified?
- Where a tag referencing scheme is used for these signals, has a summary description of the naming convention been provided to facilitate an understanding of the role of the signal?
- Have the performance requirements for each function or collective functions been defined?
- Have the operating modes of the EUC (process or plant) been clearly defined?
- Have the functions required to operate in each plant operating mode been identified?
- Have the transitions between each plant operating mode been defined?
- Have the functions necessary to effect these transiti
the configured values for the parameter MaxAge.

The configuration also includes a timeout value, BindReqTimeout, which is used by a producer system to time out binding data requests from a consumer system. Should a producer fail to receive a binding data request from a consumer within this timeout value, the link to the consumer system is closed. The consumer system, if still functional, will time out the link from its end.

An UpdateTimeout value can also be configured. This timeout is used in both the consumer and producer resources during an on-line update. During an on-line update all binding connections are closed. The SNCP binding driver then restarts with the (potentially new) binding configuration. This timeout value is the time in which the consumer must re-establish its binding connections.

Timeout values should be set within the fault tolerant capabilities of the bindings network so the system can still respond within the required PST. The network propagation time must be included in the timeout period calculations and should be verified after each change to the network configuration.

Two function blocks are provided that make the overall status of the bindings communication subsystem available to the application: one indicates consumer status (KvbConsNetStatus) for a specific bindings link identified by the Producer's Resource Number and IP A
tion Port security measures been set up and observed?

Engineering Checklists

Architecture Checklist

Description | Yes | No
- Has the PST been specified? What is the PST?
- Has the fault detection time for the system been specified? What is the fault detection time?
- Is the safety accuracy adequate for the application?
- Where the fault detection time is greater than the PST, does the safety-related I/O configuration provide a fail-safe configuration? Note: If not, the system topology shall be discussed with the client to ensure that the system implementation is safe.
- If the probabilities of failure on demand for each function have been specified, have they been met?
- Do the selected architectures provide solutions where there is no single power source or distribution point of failure that could lead the system to fail to function safely when required?
- Have sensor fault conditions been taken into account?
- For each of the I/O signal types, do the modules provide the correct characteristics and behaviour for the intended sensor or actuator, including minimum and maximum load requirements? Note: If not, have additional interfacing elements been included to ensure that the effective signal is compatible with the selected module type?
- Has the allocation of signals to m
to meet the following industrial safety system requirements.

NFPA 85 Requirements

NFPA 85 (2015) provides minimum requirements for the design, installation, operation and maintenance of large commercial/industrial boilers, heat recovery steam generators and related combustion systems. The AADvance system is certified for use with NFPA 85 compliant systems. The systems should be integrated in accordance with NFPA 85. In particular the following shall be applied:
- The operator shall be provided with a dedicated manual switch that shall independently and directly actuate the safety shutdown trip relay. At least one identified manual switch shall be located remotely from the boiler where it can be reached in case of emergency.
- The burner management system shall be provided with independent logic, independent input/output systems and independent power supplies, and shall be a functionally and physically separate device from other logic systems such as the control system for the boiler or heat recovery steam generator.
- Logic sequences or devices intended to cause a safety shutdown, once initiated, shall cause a burner or master fuel trip as applicable and shall require operator action prior to resuming operation of the affected plant.
- No logic sequence or device shall be permitted that allows momentary closing and subsequent inadvertent reopening of the main or ignition fuel valves.

Documentation
trol and status information. The HART protocol also provides diagnostic data. For more details of HART devices refer to the HART Application Guide created by the HART Communication Foundation and their detailed HART specifications. You can download documents from www.hartcomm.org.

high demand mode: Where the Safety Instrumented Function in the Safety System only performs its designed function on a demand and the frequency of demands is greater than one per year.

hot swap: See live insertion.

I/O base unit: A backplane assembly which holds up to three I/O modules and their associated termination assembly or assemblies in an AADvance controller. Part number 9300. See I/O module and termination assembly.

I/O module: A collation of interfaces for field sensors (inputs) or final elements (outputs) arranged in a self-contained and standardized physical form factor.

IEC 61000: A series of international standards giving test and measurement techniques for electromagnetic compatibility.

IEC 61131: An international standard defining programming languages, electrical parameters and environmental conditions for programmable logic controllers. Part 3, which is entitled Programming Languages, defines several limited variability languages.

IEC 61508: An international standard for functional safety encompassing electrical, electronic and programmable electronic systems, hardware and
twork configuration SIL 3 can be achieved, but the following conditions must be met:
- For de-energize-to-trip configurations, associated SIF outputs shall be configured to shut down on loss of communications.
- For energize-to-trip configurations, link failures shall be repaired within the MTTR.

Note: Additional measures must be considered for ensuring that the process remains within its safe operating parameters during the repair time; these additional measures must be defined in the Operating and Maintenance procedures written for maintaining the SIF for the specific plant or process.

Configuring Variable Bindings

The bindings configuration includes the value of an age timeout, MaxAge. This timeout defines the maximum age of data that can be used by a consumer system. Data older than the defined timeout is discarded and the system continues using its last state value. Once disconnected, the consumer attempts to re-establish a connection to the producer by sending a connection request at ConnectTimeout intervals. The consumer continues to send connection requests until a connection is established.

The configuration also includes a timeout value for a consumer, BindRespTimeout, for the binding data response from a producer. Failure to receive a valid response containing fresh data within this timeout causes the consumer to disconnect from the producer. The number of retries that are attempted before a consumer disconnects depends on
Peer to Peer Settings

Software Board Definitions | TUV Certified Configuration | Conditions
Dxpdi16, Dxpao16, Dxpdi128, Dxpdi128 & dxpnc40 | Certified for use over a single communication network or multiple networks | Certified as safety related and can be used for safety critical communications in SIL 3 applications.
Dxpai128, Dxpao128 | Certified for use over a single communication network or multiple networks | Certified as safety related and can be used for safety critical communications in SIL 3 applications, provided two separate Dxpai128 & Dxpao128 board definitions are used for safety values; the safety values from the two Dxpai128 boards, or digital trip points from the values, shall have a 2 vote within the receiving application.

Chapter 4
AADvance Functional Safety System Implementation

This chapter provides the implementation guidelines for an AADvance safety-related system.

In This Chapter
General Design Measures for Functional 4-1
Industrial Functional Safety Standards 4-5
Field Configurations 4-11
Sensor Configurations 4-19
Actuator Configurations
ver modes, and hence to the Run mode, when the RESET button on the processor is pressed and the application is running.

The following conditions will also cause a module to enter the Shutdown mode from the Ready, Recover or Run modes:
- Stopping the application for any reason
- Invalid calibration: the module will not be able to transition out of the Shutdown mode until the module has been re-calibrated (module calibration interval recommendation is every 2 years)

Disable line test

The digital output module incorporates line test functionality that can report and indicate no-load field faults. This functionality can be enabled or disabled. The settings are:
- Yes: disables reporting and indication of no-load field faults.
- No: no-load field faults are reported and indicated.

Availability of output modules

Output modules support redundancy when configured in dual operation using the appropriate termination assembly. One redundant module may be inserted or removed at any time without any impact on the safety function of the system.

DO Termination assembly

The DO termination assembly is safety critical; it comes in two sizes, simplex or dual. It has fuses for field output power and 8 field termination connections for the output signals.

Analogue Output Module Safety Features

Analogue Output Module Safety Applications

The Analogue Output Module can be used in the following safety-related
view updates
Sept 2009: Release 1.1 for approval
Oct 2009: TUV approval release
Jan 2010: Update for TUV review and comments
Feb 2010: Update for TUV review, additional comments
Nov 2010: Update for SIL 2 and SIL configurations change, MTTR change, UL requirements, check lists change, peer review comments
March 2011: Updates for release 2
July 2012: Updates for Release 1.3 and 1.3.1
Aug 2012: Updated for additional information about the Analogue Output Module
June 2013: Draft issue for release 1.3 incorporating changes following TUV review comments. Also added specifications for electrostatic discharge
July 2013: Update after peer review
March 2015: Update to R1.34 first draft
March 2015: Updates to spelling and other typographical errors following internal review
March 2015: Finalised for AADvance Release 1.34
April 2015: Revised with comments received from TUV. Previously Issue 1.2

SUMMARY OF CHANGES IN THIS DOCUMENT ISSUE

Table 1 Topic
- System security measures added
- Communication port security measures added
- Installation requirements updated with latest certificates for ATEX and IECEx
- Configuration backup requirements added
- Planned removed from Certified Configurations
- HART Pass Through safety statements added
- SFC removed from languages list
- SFC Statement about CVT added
- SELV specification changed
- Checklist changes
- System Requirements checklist A
wn Mode

You have to decide when you configure the module how you want the output channels to behave in the Shutdown mode. The output modules can be configured to provide the following channel values:
- De-energized (Off): default fail-safe value
- Custom shutdown value
- Hold Last State

Consideration should be given to the effect on the process of using the custom shutdown value or the hold last state setting. The PFD & PFH data has been calculated on the basis that the shutdown state is configured to the OFF state. Therefore the OFF state shall be used for SIL 2 and SIL 3.

Reactions to faults in output modules

When an output module goes faulty, the following status information is reported:
- module presence, module health and status
- channel health and status
- field faults
- an echo of the front panel indicators for each module

When any of the following internal conditions exist, the output module will fail safe:
- internal software error detected by the FPGA
- power feed combiner over-temperature detection

Input and Output Forcing

The AADvance Workbench supports forcing of individual inputs and outputs. The AADvance Workbench uses the term "locking" to describe forcing. It is important the implications of forcing or locking of input and output points on
y system, follow these precautionary guidelines:
- HART data shall not be used as the primary process value for Safety Functions, as the HART protocol does not meet the required integrity levels for Safety Instrumented Functions.
- HART Pass Through should be disabled if the field devices do not have locked configuration, or if the device status is not monitored and alarmed, to prevent accidental or unauthorized changes to field device configuration.
- Devices have custom data which is provided in response to HART command 03; the specific data for each device type must be used in accordance with the device manufacturer's published recommendations.

AADvance also supports a HART Pass Through feature. This gives AADvance the ability to pass HART data between an external Asset Management System (AMS) and field devices. This is strictly a pass-through mechanism using a dedicated AADvance HART DTM. This pass-through capability can, however, be enabled or disabled under application control.
- If HART Pass Through is enabled on a safety loop, then either the field device shall have the facility to lock the configuration on the field device itself, or the HART Pass Through function shall be disabled by the application program during normal operation when HART communication is not required.
- The device status must be monitored and alarmed if HART Pass Through is enabled.
- The software package used to mo
ysical Installation

The installation environment is a potential source of common cause failure; therefore it is vital that compatibility of the equipment with the environment is known. The environment for these purposes includes the prevailing climatic, hazardous area, power, earthing and EMC conditions. In many cases there will not be a single installation environment. Elements of the system may be installed in differing locations; in these cases it is important to know the environment for each location. You must use installation and commissioning procedures that comply with the applicable international or local codes and standards.

The AADvance controller equipment (base units and modules) is designed for use when it is installed upright, that is with the base units in a vertical plane and the ventilation slots on the modules at the top and bottom. This orientation is essential to ensure non-forced air cooling is effective and the controller meets the specified MTBF of the modules. This rule applies to all installations regardless of ambient temperature and any additional forced air cooling that may be applied.

Environmental Requirements

CAUTION: HEAT DISSIPATION AND ENCLOSURE POSITION. System and field power consumption by modules and termination assemblies is dissipated as heat. You should consider this heat dissipation in the design and positioning of your enclosure, e.g. enclosures exposed to conti