manualshive.com logo in svg

Allen-Bradley AADvance T9110, Safety Manual

Share
Download
Allen-Bradley AADvance T9110 Safety Manual Download Page 86

86

Rockwell Automation Publication ICSTT-RM446N-EN-P - April 2018

Chapter 4

AADvance Functional Safety System Implementation

• diagnostics, fault indications and degradation of input modules
• initiating diagnostics, fault declaration and for some fault conditions the 

degradation of output modules

• recovery mode operation

Reaction to faults in the processor module

The processor module reports faults by front panel indicators and fault codes 
stored in the System Event log. 

SYSTEM HEALTHY

 and 

HEALTHY 

LEDs 

go RED when a fault is detected in the processor module. Fault indications are 
also sent to the user application by variables that you can set up during the 
system configuration process. These variables provide the following 
information:

• module presence
• module  health  and  status
• channel  health  and  status
• an echo of the front panel indications

For a single fault deemed by the system to be a "critical failure" the processor 
module enters the Recovery Mode.

Recovery Mode

Recovery Mode is a shutdown mode and uses a base level firmware. It is entered 
automatically when a critical firmware failure occurs or it can be entered 
manually by pressing either the processor 

Fault Reset

 button or enabling the 

remote fault/reset join feature immediately after the module has booted up.

As an alternative firmware version it allows the following maintenance 
activities:

• Update the firmware using the 

ControlFLASH

 utility

• Program the processor IP Address with the AADvance Discover utility
• Extract diagnostic information

In Recovery Mode the 

Ready

Run

Force

 and 

Aux

 LEDs go Amber and the 

Healthy

 and 

System Healthy

 LEDs stay Green. The System Healthy and 

Healthy LEDs may go Red if a fault is detected while in the Recovery Mode. 

NOTE

When in Recovery Mode the I/O communications are disabled and the 
Application code is not running.

Summary of Contents for AADvance T9110

Page 1: ...AADvance Controller Catalog Numbers T9110 T9300 T9310 T9401 2 T9431 2 T9451 T9481 2 Safety Manual OriginalInstructions ...

Page 2: ...with any particular installation Rockwell Automation Inc cannot assume responsibility or liability for actual use based on the examples and diagrams No patent liability is assumed by Rockwell Automation Inc with respect to use of information circuits equipment or software described in this manual Reproduction of the contents of this manual in whole or in part without written permission of Rockwell...

Page 3: ...oltage may be present BURNHAZARD Labelsmaybeonorinsidetheequipment forexample adriveormotor toalertpeoplethatsurfacesmay reach dangerous temperatures ARC FLASH HAZARD Labels may be on or inside the equipment for example a motor control center to alert people to potentialArcFlash ArcFlashwillcausesevereinjuryordeath WearproperPersonalProtectiveEquipment PPE FollowALL Regulatory requirements for saf...

Page 4: ...4 Rockwell Automation Publication ICSTT RM446N EN P April 2018 ...

Page 5: ...orporating changes following TUV review comments Also added specifications for electrostatic discharge 10_C July 2013 Update after peer review 11A March 2015 Update to R1 34 first draft 11B March 2015 Updates to spelling and other typographical errors following internal review 11 March 2015 Finalised for AADvance Release 1 34 12 April 2015 Revised with comments received from TÜV 13 March 2016 Adde...

Page 6: ...90001 77 Update to Recovery Mode 87 Update to Processor Module Locking Screw Safety Function 88 Update to I O Module Start UP and Locking Screw Safety Function 88 Update to I O Module Process Safety Time PST 89 Update to Protective ability and versatility of the input module 89 90 Update to Output Module Safety Functions 92 93 Update to Application Program Development 97 101 103 Update to Online M...

Page 7: ... UPDATING POLICY This document is based on information available at the time of its publication The document contents are subject to change from time to time The latest versions of the manuals are available at the Rockwell Automation Literature Library under Product Information information Critical Process Control Safety Systems ROCKWELL AUTOMATION SUPPORT Any required support can be accessed thro...

Page 8: ... more information about TechConnect Support Contract Access Level and Features please click on the following link https rockwellautomation custhelp com app answers detail a_id 898272 This will get you to the login page where you must enter your login details PURPOSE OF THIS MANUAL This technical manual defines how to safely apply AADvance controllers for a Safety Instrument Function It sets out st...

Page 9: ...ntroller is a logic solver It uses processor modules and I O modules An AADvance system is formed by one or more controllers their power sources communications networks and workstations WARNING ThismanualisintendedprimarilyforSystemIntegrators The information contained in this manual is intended to be used in conjunctionwith andnotasasubstitutefor expertiseandexperiencein safety related systems In...

Page 10: ...10 Rockwell Automation Publication ICSTT RM446N EN P April 2018 Preface ...

Page 11: ...ents for Non Hazardous Environment 24 Investigation File Number E341697 24 Non Hazardous Installation Requirements 25 Installation Requirements for Hazardous Environment 26 Installation Requirements 26 Certifications for Safety System Applications in Hazardous Environments 28 ATEX Certificate 28 IECEx UL Certificate 31 Module Labels 36 KCC EMC Registration 36 Chapter2 Functional Safety Management ...

Page 12: ...s 54 Internal Diagnostics 56 Safety Networks 57 SNCP Safety Networks 57 Configuring Variable Bindings 58 Peer to Peer 60 Chapter4 AADvance Functional Safety System Implementation General Design Measures for Functional Safety 63 I O Modules 63 Energize to Action Configurations 65 Controller Process Safety Time PST 65 Industrial Functional Safety Standards 67 NFPA 85 Requirements 67 NFPA 86 Requirem...

Page 13: ...ety Accuracy 90 Output Module Safety Functions 91 Digital Output Module Safety Functions 91 Analogue Output Module Safety Features 93 Input and Output Forcing 94 Maintenance Overrides 95 Application Program Development 96 AADvance Workbench Configuration 96 Language Selection 96 Sequential Function Chart 97 Testing of New or Previously Untested Functions 97 Compiler Verification Tool Safety Requir...

Page 14: ...g Checklists 113 I O Architecture Checklist 113 Language Selection Checklist 113 Override Requirements Checklist 114 Input Output Module Configuration Checklist 114 Processor and Application Checklist 115 Testing Checklist 115 Chapter6 Additional Resources Associated AADvance Publications 117 Regional Offices 118 Glossary 119 ...

Page 15: ...e to perform The suitability of persons for their designated safety lifecycle activities shall be based on the specific competency factors relevant to the system application and shall be defined and recorded for each individual The following competence factors should be addressed when assessing and justifying the competency level of persons to carry out their duties Engineering experience appropri...

Page 16: ...a configuration parameter called Process Safety Time which is used to enforce the safe state when a dangerous failure is detected to ensure that the Process PST is not exceeded This configuration parameter only applies to the logic solver portion of the process safety time so its value must be configured taking into account both the sensor and final element response times Fault Tolerance in Safety...

Page 17: ...arly well suited to emergency shut down and fire and gas detection protection applications by providing a system solution with integrated and distributed fault tolerance It is designed and validated to international standards and is certified by an independent certifying body for functional safety control installations The benefits of the AADvance Controller are its performance and flexibility Des...

Page 18: ...ed by the PFD unless compensating measures are defined in the Safety Requirements Specification SRS and documented in operating procedures All of the configurations are readily achieved by combining modules and assemblies without using special cables or interface units System architectures are user configurable and can be changed without major system modifications Processor and I O redundancy is c...

Page 19: ...troller minimizing the lengths of dedicated field cabling There is no need for a large central equipment room rather the complete distributed system can be administered from one or more PC workstations placed at convenient locations The AADvance system has comprehensive built in diagnostics while maintenance activities are straight forward operations which maximize system availability The AADvance...

Page 20: ...med from a simplex non safety system to a fault tolerant safety related system IEC 61508 certified Scalable I O module expansion without system interruption Supports secure SIL 3 rated Black Channel external communication over Ethernet Supports industry standard protocols including MODBUS and HART Supports OPC when using an OPC Portal System Security An AADvance system with its workstations and DC...

Page 21: ...ered from one or more computer workstations placed at convenient locations AADvance has a Rockwell secure SIL 3 rated Black Channel external communication over Ethernet The Ethernet transport layer ports services are supported by AADvance some ports are always available others are only available when configured When always available ports are not configured or unused they are open to unauthorized ...

Page 22: ...ed peer to peer UDP 44818 Always available CIP Producer Consume WARNING Unused open ports that are not configured should be blocked this can be done at the firewall settings Refer to the appropriate AADvance Configuration Guide for the instructions about blocking these ports WARNING The telnet port is for diagnostics access and should only be used by Rockwell Technical Support Protocol Port Number...

Page 23: ...mmended that module supply power and field loop power consumption calculations are done to find out the heat dissipation before designing a suitable enclosure and making a decision about the installation environment see topic System Design for Heat Dissipation Safety Related System Installation Process For a Safety Related System the installation process must also be in line with the following EN ...

Page 24: ... number is 4786144521 The ATEX marking is Ex nA IIC T4 Gc Additionally the AADvance controller is approved under the IECEx certification scheme The certificate number is IECEx UL 12 0032X Installation Requirements for Non Hazardous Environment Investigation File Number E341697 ProductsCovered The products investigated and approved Programmable Logic Controller Models 9110 Processor Module 9401 Dig...

Page 25: ...ever the enclosure or the area where it is installed must not be more than a Pollution Degree 2 or similar environment in accordance with IEC 60664 1 2007 The surrounding air temperature ratings are For the 9110 Processor module 60 C For all other I O modules base units and termination assemblies 70 C PollutionDegreeDefinition For the purpose of evaluating creepage distances and clearances the fol...

Page 26: ...ssential requirements of EN 60079 0 2012 A11 2013 EN 60079 15 2010 and IEC 60079 0 Ed 6 and IEC 60079 15 Ed 4 WARNING Special conditions for safe use Model 9110 The ambient temperature range is 25 C to 60 C 13 F to 140 F All other Models The ambient temperature range is 25 C to 70 C 13 F to 158 F Subject devices are to be installed in an ATEX IECEx Certified IP54 tool accessible enclosure that has...

Page 27: ...lass I Division 2 Groups A B C and D The products have been investigated using requirements contained in the following standards CSA C22 2 No 213 M1987 Nonincendive Control Equipment for Use in Class I Division 2 Hazardous Locations CSA C22 2 No 142 M1987 Process Control equipment Edition 1 Revision date 1990 09 01 ProductsCovered The products investigated and approved Programmable Logic Controlle...

Page 28: ...ealth and Safety Requirements are given in Annex II to the European Union Directive 94 9 EC of 23 March 1994 The examination and test results are recorded in confidential report no 4786831849 9 Compliance with the Essential Health and Safety Requirements with the exception of those listed in the schedule of this certificate has been assessed by reference to Standards EN 60079 0 2012 A11 2013 EN 60...

Page 29: ...bly 16 Channel TMR Digital Input 151561 130782 9831 Termination Assembly 16 Channel Simplex Analog Input 151721 130812 9832 Termination Assembly 16 Channel Dual Analog Input 151701 130802 9833 Termination Assembly 16 Channel TMR Analog Input 151551 130782 9851 Termination Assembly 8 Channel Simplex Digital Output 151741 130822 9852 Termination Assembly 8 Channel Dual Digital Output 151691 130792 9...

Page 30: ...0 qC x All other Models The ambient temperature range is 25 qC to 70 qC x Devices are to be installed in an ATEX Certified IP54 tool accessible enclosure that has been evaluated to the requirements of EN 60079 0 2012 A11 2013 and EN 60079 15 2010 Enclosure is to be marked with the following Warning Do not open when energized After installation of subject devices into the enclosure access to termin...

Page 31: ...ing nA Marking Ex nA IIC T4 Gc Approved for issue on behalf of the IECEx Certification Body Paul T Kelly Position Principal Engineer Global Hazardous Locations Signature for printed version Date 1 This certificate and schedule may only be reproduced in full 2 This certificate is not transferable and remains the property of the issuing body 3 The Status and authenticity of this certificate may be v...

Page 32: ...perational Documents as amended STANDARDS The electrical apparatus and any acceptable variations to it specified in the schedule of this certificate and the identified documents was found to comply with the following standards IEC 60079 0 2011 Edition 6 0 Explosive atmospheres Part 0 General requirements IEC 60079 15 2010 Edition 4 Explosive atmospheres Part 15 Equipment protection by type of prot...

Page 33: ... is 25 C to 60 C All other Models The ambient temperature range is 25 C to 70 C Subject devices are to be installed in an IECEx Certified IP54 tool accessible enclosure that has been evaluated to the requirements of IEC 60079 0 Ed 6 and IEC 60079 15 Ed 4 Enclosure is to be marked with the following Warning Do not open when energized After installation of subject devices into the enclosure access t...

Page 34: ...or IECEx UL 12 0032 Issue 2 pdf IECEx Certificate of Conformity Certificate No IECEx UL 12 0032X Date of Issue 2014 05 28 Issue No 2 Page 4 of 4 DETAILS OF CERTIFICATE CHANGES for issues 1 and above Issue 1 Addition of Model 9892 and updated drawings Issue 2 Update to the latest edition of IEC 60079 0 ...

Page 35: ... 18 32 165 Output 18 32Vdc 0 5A Pilot Duty 16VA 1 5A Inrush 9801 Termination Assembly 16 Channel Simplex Digital Input 0 32 6 5 9802 Termination Assembly 16 Channel Dual Digital Input 0 32 6 5 9803 Termination Assembly 16 Channel TMR Digital Input 18 32 0 24 9831 Termination Assembly 16 Channel Simplex Analogue Input 18 32 0 24 9832 Termination Assembly 16 Channel Dual Analogue Input 18 32 0 24 98...

Page 36: ... April 2018 Chapter 1 Introduction Module Labels Labels containing comprehensive safety information are attached to all modules The following CPU label is illustrated as an example but similar labels are produced for each module type KCC EMC Registration ...

Page 37: ...lt in the definition of the safety lifecycle stages to be applied the measures and techniques to be applied at each stage and the responsibilities for completing these activities Definitions of the records to be produced and the methods of managing these records including change control The change control procedures shall include records of modification requests the impact analysis of proposed mod...

Page 38: ...related system and provide a clear definition of its interfaces with the process and with all third party equipment This stage should also establish the derived requirements resulting from the intended installation environment such as environmental conditions and power sources In most cases the client will provide this information The system integrator must review this information and gain a thoro...

Page 39: ...e Where necessary additional safety requirements shall be identified and documented to ensure that the plant will fail safe in the case of failures of the plant safety related system external equipment or communications or if the safety related system s environment exceeds the required operating conditions The appropriate safety integrity level and safety related timing requirements shall be defin...

Page 40: ...n program shall be designed in accordance with this safety manual and the application program safety requirements Design Where both safety and non safety functions are required the design shall ensure that the non safety functions cannot affect the safety functions The design shall be structured to ensure traceability back to the application program safety requirements and for assessment during th...

Page 41: ...ons are commissioned in stages rather than the system as a whole for example accommodation area functions before production functions It is important to define the commissioning sequence and the measures to be taken to ensure safe operation during such periods of partial commissioning These measures shall be system specific and shall be defined clearly before starting any commissioning It is also ...

Page 42: ...and Maintenance Plan shall include the following items Clear definitions of power up and down sequences These definitions shall ensure that the sequences cannot result in periods when the system is unable to respond safely whilst a hazard may be present The procedures for re calibrating sensors and actuators The recommended calibration periods shall also be included The procedures for periodically...

Page 43: ... configurations available range from simplex fail safe to TMR fault tolerance The processor module has been designed to meet the requirements for SIL 2 with one two or three processor modules and SIL 3 when two or three modules are fitted Input and output modules have been designed to meet SIL 3 requirements with a single module in a fail safe mode The processor module and the individual I O modul...

Page 44: ...44 Rockwell Automation Publication ICSTT RM446N EN P April 2018 Chapter 2 Functional Safety Management ...

Page 45: ... in a fault tolerant input arrangement and one module is faulty then the system will degrade to 1oo1D by replacing the faulty module the configuration is restored to 1oo2D Configuration Backups Fail safe Architecture The following is a simplex fail safe SIL 2 architecture where I O modules operate in 1oo1D under no fault conditions and will fail safe on the first detected fault The processor modul...

Page 46: ...n the first detected fault When a triple input module arrangement is configured the group of input modules operate in 2oo3D under no fault conditions degrade to 1oo2D on the detection of first fault in any module then degrade to 1oo1D on the detection of faults in any two modules and will fail safe when there are faults on all three modules Position Module Type I P A T9401 2 Digital Input Module 2...

Page 47: ...n 1oo1D under no fault conditions and will fail safe on the first detected fault Position Module Type I P A and B 2 T9401 2 Digital Input Module 24V dc 8 16 Channel T9802 Digital Input TA 16 Channel Dual or 2 T9431 2 Analogue Input Module 8 16 Channel Isolated T9832 Analogue Input TA 16 Channel Dual T9300 I O Base Unit CPU A 1 x T9110 Processor Module T9100 Base Unit O P A T9451 Digital Output Mod...

Page 48: ...ult tolerance of the input When a triple input module arrangement is configured the input modules operate in a 2oo3D under no fault conditions degrade to 1oo2D on detection of the first fault in any module then degrade to 1oo1D on the detection of faults in any two modules and will fail safe when there are faults on all three modules The processor will operate in 1oo2D under non faulted conditions...

Page 49: ...s less than 4mA are classed as energize to action applications WARNING For Continuous Mode applications the measures defined in this section for High Demand applications must be applied Position Module Type I P A 2 T9401 2 Digital Input Module 24V dc 8 16 Channel T9802 Digital Input TA 16 Channel Dual or 2 T9431 2 Analogue Input Module 8 16 channel T9832 Analogue Input TA 16 Channel Dual 2 T9300 I...

Page 50: ...quirements Specification SRS and documented in operating procedures the application program must be designed to shut down safety instrumented functions if a module failure due to a dangerous fault has not been replaced within the MTTR Fail safe I O Fault Tolerant Processor A SIL 3 fail safe I O with a fault tolerant processor architecture has a simplex input and output arrangement with dual or tri...

Page 51: ...dual input and output module configurations with dual or triple processor modules The processor modules operate in 1oo2D under no fault conditions degrade to 1oo1D on the detection of the first fault in either module and fail safe when there are faults on both modules Similarly the input modules operate in 1oo2D under non faulted conditions and 1oo1D on detection of the first fault in either modul...

Page 52: ...L 3 applications you must use a minimum of a dual processor configuration Position Module Type I P A and I P B 2 T9401 2 Digital Input Module 24V dc 8 16 Channel T9802 Digital Input TA 16 Channel Dual or 2 T9431 2AnalogueInputModule 8 16Channel T9832AnalogueInputTA 16Channel Dual 2 x T9300 I O Base Unit CPU A CPU B 2 T9110 Processor Module 9100 Processor Base Unit O P A and O P B 1 T9451 Digital O...

Page 53: ... 1oo1 on the detection of faults in any two modules and will fail safe when there are faults on all three modules In the event of a failure in any element of a channel the channel processor will still produce a valid output which could be voted on because of the coupling between the channels This is why the triple modular redundant implementation provides a configuration that is inherently better ...

Page 54: ...for safety critical applications in SIL 2 with 1 module fitted and SIL 3 applications with 2 or 3 modules fitted Note For High Demand applications you must use a minimum of two processors Modules Certified Configuration Conditions Digital Inputs T9401 2 24V dc 8 16 Channel isolated T9801 2 3 Digital Input TA 16 channel Simplex Dual TMR 1oo1D 1oo2D 2oo3D De energized to action normally energized SI...

Page 55: ...ergized SIL 2 with 1 module fitted and SIL 3 with 2 modules fitted Afaultydigitaloutputmodulemustberepairedorreplacedwithin the MTTR which was used in the PFD calculation Analogue Outputs T9481 T9842 Analogue Output Module 3 8 Ch Isolated T9881 T9882 TA 8Ch Simplex Dual 1oo1 1oo2 or 1oo2D De energize to action normally energized SIL 3 with 1 or 2 modules fitted 1oo2D with dual output modules fitte...

Page 56: ...module arrangement for example diagnostics can address dangerous failures and help redress the balance between failure to respond and spurious responses A dual system could therefore be 1oo2D reverting to 1oo1D on the first detected fault and reverting to fail safe when both modules have a fault A whole self test cycle completes every 24 hours Modules Conditions Processor Base T9100 Safety related...

Page 57: ...e Controller producing the data and manages the entire exchange of data including scheduling the data exchange providing the diagnostics managing the safety response in the event of faults and managing the communications redundancy SNCP Networks can be configured as Simplex Fail Safe or Redundant Fault tolerant the choice of network configuration is dependent on the applications safety and availab...

Page 58: ...ystem Data older than the defined timeout is discarded and the system WARNING For SNCP bindings to be used in a Simplex Network configuration SIL 3 can be achieved but the following conditions must be met For de energize to trip configurations associated SIF outputs shall be configured to shutdown on loss of communications For energize to trip configurations link failures shall be repaired within ...

Page 59: ...nk from its end An UpdateTimeout value can also be configured This timeout is used in both the consumer and producer resources during an on line update During an on line update all binding connections are closed The SNCP binding driver then restarts with the potentially new binding configuration This timeout value is the time in which the consumer must re establish its binding connections Timeout ...

Page 60: ...cations use redundant networks for availability and separate networks from general purpose for security and integrity Any of the AADvance or Trusted ports can be used for Peer to Peer data connections see Example shown The Trusted Peer to Peer protocol is a master slave interaction For each peer communications subnet one system acts as a master while the others act as slaves During the Peer to Pee...

Page 61: ...ell Automation Publication ICSTT RM446N EN P April 2018 61 AADvance System Architectures Chapter 3 next and all slaves in turn Finally the master transmits its own data then repeats the cycle with the slaves ...

Page 62: ...40 Certified for use over a single communication network or multiple networks Certified as safety related and can be used for safety critical communications in SIL 3 applications Software Board Definitions Dxpai128 Dxpao128 Certified for use over a single communication network or multiple networks Certified as safety related and can be used for safety critical communications in SIL 3 applications ...

Page 63: ... modules can be configured as a simplex or dual arrangement All I O modules include line monitoring facilities it is recommended that these line monitoring facilities be enabled for safety related I O For normally de energized I O these facilities shall be enabled Both input and output modules undergo regular diagnostics testing during operation that is managed by the processor modules The self te...

Page 64: ...nnel fault condition results in a fail safe state ATTENTION The maximum duration for single channel operation of I O modules depends on the specific process and must be specified individually for each application Input modules can operate in a simplex arrangement without time limit for SIL 3 and lower applications Faulty Output modules must be replaced within the MTTR used for PFD calculations Fau...

Page 65: ...e and adjust as necessary The value of PST for the Controller is governed by this equation Where PSTeuc is the process safety time for the equipment under control As an example consider a system function using one sensor and one actuator given the following parameters PSTeuc 10 000ms ATTENTION Energize to action configurations shall only be used if the following restrictions apply At least two ind...

Page 66: ...hen the system PST is not met the processor modules will fail safe The input PST is also enforced by the processor modules when the PST is not met the processors will present fail safe input values to the application logic Output PST is enforced by the output modules and when the output PST is not met the output module will assume the fail safe state You must specify the process safety time for th...

Page 67: ...nd independent power supplies and shall be a functionally and physically separate device from other logic systems such as the control system for the boiler or heat recovery steam generator Logic sequences or devices intended to cause a safety shutdown once initiated shall cause a burner or master fuel trip as applicable and shall require operator action prior to resuming operation of the effected ...

Page 68: ...d Whenever application software that contains safety logic or detection logic is modified system operation shall be verified for compliance with the NFPA 86 standard and the original design criteria The NFPA 86 certification is only applicable where the system is applied in accordance with this safety manual and NFPA 86 requirements NFPA 87 Requirements NFPA 87 2015 provides comprehensive requirem...

Page 69: ... 87 standard and the original design criteria The NFPA 87 certification is only applicable where the system is applied in accordance with this safety manual and NFPA 87 requirements EN 50156 EN 50156 1 2004 applies to the application design and installation of electrical equipment control circuits and protective systems for furnaces which are operated with solid liquid or gaseous fuels and their a...

Page 70: ...l control at access level 1 or 2 This control shall only be used for silencing the audible indication and may be the same as that used for silencing in the fault warning condition The control and indicating equipment shall be capable of being reset from the fire alarm condition This shall only be possible by means of a separate manual control at BS EN 54 defined access level 2 This control shall b...

Page 71: ...eceipt of a first alarm signal from a fire detector the entry to the fire alarm condition may be inhibited until the receipt of a confirmation alarm signal from the same fire detector or from a fire detector in the same zone In this case the first alarm state need not be indicated and the following shall apply the mode of operation shall be configurable at access level 3 for individual zones recep...

Page 72: ...t may have provision to inhibit the activation of outputs until a second alarm signal is received from another fire detector or manual call point which may be the same or another zone In this case it shall be possible to configure the mode of operation at access level 3 to apply individually to each of the following where provided output to fire alarm devices output to fire alarm routing equipment...

Page 73: ... investigated and approved by UL for use as Industrial Control Equipment in a general industrial environment and for use in hazardous locations Class I Division 2 Groups A B C and D Field Configurations The following are recommended field loop circuits for line monitoring of digital analogue inputs Line Monitoring This section provides recommended line monitoring circuits and resistor values You c...

Page 74: ...on contains recommended field loop circuits for line monitoring digital inputs used in Emergency Shutdown or Fire Gas applications FieldLoopCircuitforDigitalInput FieldLoopCircuitforLineMonitoredDigitalInputforEmergencyShutdownSystems ESD The suggested values for R1 and R2 are as follows R1 15K 1 1W maximum power dissipated is 47mW at 26 4V R2 3K9 1 1W maximum power dissipated is 182mW at 26 4V ...

Page 75: ... detect more accurately different voltage levels that represent OPEN CCT OFF ON SHORT CCT and will also detect Over Voltage and an input which is neither ON nor OFF The values ensure that a line fault will be declared before it becomes possible for a false declaration of On and Off states due to a combination of resistor value drift and loop voltage variation Threshold ID Value mV Maximum Allowed ...

Page 76: ...pplication note AN T90001 Field Loop Configuration which is located in the Rockwell Automation Knowledgebase Support Center This also includes advice for fire detectors which are not simple volt free contacts Recommended Field Circuit for Digital Outputs This circuit is suitable for simplex and dual configurations of digital output modules The two 10A fuses shown are included on the termination as...

Page 77: ...o 5A fuses you can use Class 2 power supplies for the 24V dc field voltage Class 2 is defined by the NEC as providing less than 100 watts at 24V 2 The field power must be wired using 12 AWG wire 3 The field power must be supplied with an isolating source 4 The minimum current required for line monitoring is 20mA for a dual pair ATTENTION For inductive loads a back EMF protection diode shall be fit...

Page 78: ...78 Rockwell Automation Publication ICSTT RM446N EN P April 2018 Chapter 4 AADvance Functional Safety System Implementation FieldLoopCircuitfor2 WireAnalogueInput FieldLoopCircuitfor3 WireAnalogueInput ...

Page 79: ...ntation Chapter 4 FieldLoopCircuitfor4 WireAnalogueInput Recommended Circuit for Analogue Outputs These circuits are suitable for simplex and dual configurations of analogue output modules All channels are isolated from each other but may be bridged at the terminal if fed by a common system mounted supply ...

Page 80: ...80 Rockwell Automation Publication ICSTT RM446N EN P April 2018 Chapter 4 AADvance Functional Safety System Implementation Systempowereddevices ...

Page 81: ...circuit is appropriate for devices that are powered by the system The channel will pass a requested current between 0mA and 24mA The field device could also be connected between the 24V supply and the Loop Plus terminal NOTE Ifthe0Vor24Vsupplyissharedbetweenchannelsorbetweenmodules the field loops will not be isolated from each other ...

Page 82: ...her inability to respond safely or in inadvertent operation In some cases this will require that channels be allocated on the same module to ensure that a module failure results in the associated signals failing safe Sensor configurations should be considered In most cases it will be necessary to separate the signals across modules Where non redundant configurations are employed it is especially i...

Page 83: ...m data structures The T9K_AI_HART and T9K_AI_HART_FULL structures provide the following information Current in milliamps process measurement in engineering units errors on HART communication seen by device status of the field device time in milliseconds since the last update Typical uses of this data are To compare the measured process value from the Analogue input channel with the process variabl...

Page 84: ...t actuator configurations may be used or differing actuator types can provide alternate control and mitigation possibilities Plant facilities frequently have related signals in these cases it is important to ensure that failures beyond the system s fault tolerant ATTENTION HART Pass Through should be disabled if the field devices do not have locked configuration or if the device status is not moni...

Page 85: ...cating the signals to modules i e that inadvertent coupling between power groups and particularly return paths are not generated Calculations of Probability of Failure upon Demand For information regarding the calculation and for PFD PFH numbers allocated for the AADvance system refer to the approved PFD calculation document Publication No ICSTT RM449 EN P AADvance PFH and PFDavg Data listed in th...

Page 86: ...cho of the front panel indications For a single fault deemed by the system to be a critical failure the processor module enters the Recovery Mode Recovery Mode Recovery Mode is a shutdown mode and uses a base level firmware It is entered automatically when a critical firmware failure occurs or it can be entered manually by pressing either the processor Fault Reset button or enabling the remote fau...

Page 87: ...plastic cover This connector is for Rockwell Automation use only and is used for factory settings during manufacturing However the plastic cover can be removed to replace the processor battery I O Module Safety Functions This section describes the I O safety parameters I O Module Safety Related Parameters The AADvance Workbench provides you with the capability to adjust these safety related parame...

Page 88: ...dog timer that specifies the length of time the controller will allow the module to run without receiving updates from the application If the module runs beyond this time without receiving any updates it enters its shutdown state The default PST is 2500 ms Protective ability and versatility of the input module An input module is classified as safety critical and is designed to SIL 3 level as a sin...

Page 89: ...ult codes in the fault log and can also report via the workbench application variables The following status information is provided module presence module health and status channel health and status field faults an echo of the front panel indicators for each module Availabilityofinputmodules Input modules support redundancy when configured for dual or triple operation using the appropriate termina...

Page 90: ...side the following limits then that channel is set to a fail safe state Digital Input Module 1 v Analogue Input Module 0 2 mA When the safety accuracy between channels exceeds the following limits then a discrepancy alarm is set for the input channel Digital Input Module 2 v Analogue Input Module 0 4 mA In both situations the following safe values are reported by the variables Digital input module...

Page 91: ...tate values When the module is unlocked all of its output channels including any channels set to hold last state always go to the de energized state the module enters a Shutdown Mode when the time between processor commands exceeds the PST The PFH PFDavg data has been calculated on the basis that the shutdown state is configured to the OFF state Therefore the OFF state shall be used for SIL 2 SIL ...

Page 92: ...lication for any reason Invalid calibration the module will not be able to transition out of the Shutdown mode until the module has been re calibrated module calibration interval recommendation is describe in the Preventive Maintenance Schedule Chapter 2 of The Troubleshooting and Maintenance manual ICSTT RM406 EN P Disablelinetest The digital output module incorporates line test functionality tha...

Page 93: ...ut channels including any channels set to hold last state always go to the de energized state AnalogueOutputmoduleSafetyFunctions The Analogue output Module is rated at SIL 3 as a fail safe simplex module And 1oo2D as a dual module For high demand SIL 2 energize to action high demand applications you must use dual analogue output modules This arrangement is also rated as SIL 3 for energize to acti...

Page 94: ...error detected by the FPGA power feed combiner over temperature detection Input and Output Forcing The AADvance Workbench supports forcing of individual inputs and outputs The AADvance Workbench uses the term locking to describe forcing Forcing requires the program enable key to be fitted to the 9100 Processor Base Unit and is intended only for the purposes of engineering installation and commissi...

Page 95: ...pplication Program with a separate set of safety related input points or variables enabling the bypass logic There are two basic methods to check safety related peripherals connected to the AADvance system External hard wired switches are connected to conventional system inputs These inputs are used to deactivate sensors and actuators during maintenance The maintenance condition is handled as part...

Page 96: ...trol For example a program having its own password remains locked and cannot be modified without entering its password Language Selection The AADvance Workbench offers many programming tools to develop algorithms to meet the needs of virtually any real time control application The configuration and programming languages approved for use in SIL 3 safety related application are shown below ATTENTION...

Page 97: ... be used in a safety related system provided that they have been tested and validated previously It is the end users responsibility to ensure that validation evidence exists in the Project Test Documentation Testing of New or Previously Untested Functions Each safety related software block shall be 100 testable such functions could be ATTENTION IL not supported by Workbench 2 0 and ST include prog...

Page 98: ...ed herein or a project specific function block which is written to meet the needs of a particular feature within an application program and may comprise a number of generic function blocks or other program functions IndividualSafetyRelatedFunctions The AADvance Workbench allows the definition of up to 250 individual programs within a single project This facility should be exploited to enable the a...

Page 99: ... visual complexity simplifies testing minimizes the number of interconnects required and improves program efficiency Where there is nested logic it shall be possible to establish the correct operation of all intermediate logic connections The use of memory latch components within the safety function shall be minimized Similarly the permutation of conditions that lead to their activation shall be m...

Page 100: ...e initiating conditions have been removed Initiate timed start up override signals which are removed automatically either on expiration of the start period or once the associated signal has stabilized in the normal operating condition Adjust control parameters within defined safe operational limits i e lowering of trip thresholds Where the interaction does not fall within these categories the effe...

Page 101: ... exercised Where the logic includes memory or timing elements additional tests shall be defined to exercise all the possible sequences of input permutations leading to their operation Program Testing Even with a small number of inputs it is possible to reach a point where the number of tests becomes unreasonable Eliminating impossible or unlikely scenarios should be used to reduce the number of lo...

Page 102: ...ity of the system while doing the changes Where changes have to be carried out on line alternative safety measures must be implemented for the duration of the change procedure Certain modifications can be performed without directly affecting the system s safety function for example the physical installation of additional modules ATTENTION All safety related functions shall be tested and the result...

Page 103: ...le installation environment Elements of the system may be installed in differing locations in these cases it is important to know the environment for each location IMPORTANT For Releases 1 3x onwards you can change the I O module configuration with an on line update without having to stop the running application However if you are still using an earlier product release the I O module configuration...

Page 104: ...n on the design and positioning of your enclosure e g enclosures exposed to continuoussunlightwillhaveahigherinternaltemperaturethatcouldaffect the operating temperature of the modules Modules operating at the extremes of the temperature band for a continuous period can have a reduced reliability Attribute Value Operating Temperature Range For use in Hazardous Environments UL Certification Process...

Page 105: ...erence EMI levels are within those shown in the table Table 17 Immunity to Electromagnetic Emissions Shock 15g peak 11ms duration sine Altitude Operating 0 to 2000m 0 to 6 600 ft Storage and Transport 0 to 3000m 0 to 10 000 ft This equipment must not be transported in unpressurized aircraft flown above 10 000 ft Electromagnetic Interference Testedtothefollowingstandards EN61326 1 2006 ClassA EN 61...

Page 106: ...61000 4 5 2006 DC Power 1kV 2kV line line line ground I O Port 1kV line ground only The equipment additionally complies with fail safe performance criteria at increased levels of 2 kV between I O or signalling ports and ground Conducted RF Immunity BS EN 61000 4 6 2003 A1 2004 A2 2006 10V rms unmodulated 150kHz 100MHz 80 1kHz AM 1Hz PM 50 50 duty None Power Frequency Magnetic Field immunity voltag...

Page 107: ...h the base units over any exposed 48 pin DIN connectors on the T9300 I O Base unit Using Shielded Cabling for Ethernet and Serial Ports When using cable lengths that exceed 3m for Ethernet and Serial communication you must use shielded cable to remain within the emission and immunity standards Also ensure that the shields are grounded to the controller chassis AADvance System Power Requirements Th...

Page 108: ...rovided Alternatively measures should be implemented to ensure that the power feeds remain within the specifications of the PSUs Define the power distribution requirements together with the protective philosophy for each distribution for example current limited at source or protective devices Where protective devices are used it is important to establish that sufficient current be available to ens...

Page 109: ...d not be on a network with open unsecured access to the Internet The Firewall must be active on the Workstation preventing access to the relevant Ethernet ports on each communication interface Anti virus software must be installed and be kept up to date The workstation should be password protected If the workstation is a laptop it should be kept locked when not in use If the workstation uses a har...

Page 110: ...110 Rockwell Automation Publication ICSTT RM446N EN P April 2018 Chapter 4 AADvance Functional Safety System Implementation ...

Page 111: ...provided Is the intended installation environment defined If so does this include both normal and possible abnormal conditions does this include geographical distribution requirements Does the installation position the modules in the upright position to ensure non forced air cooling is effective Does the installation environment meet the environmental specification for the controller Has a list of...

Page 112: ...he safety related timing for each safety related function including process safety time PST and fault tolerance period been established Have the safety requirements been approved Are there clear definitions of the external interfaces involved in each of the safety related functions These may already be defined in the functional requirements Is there now sufficient informationto understand how the ...

Page 113: ...not haveadditionalinterfacingelementsbeenincludedtoensurethattheeffectivesignalis compatible with the selected module type Has the allocation of signals to I O modules and channels consideredeach of the signals function Do safety related inputs and outputs use only those configurations identified as safety related Are there any safety related normally de energized outputs If so have redundant powe...

Page 114: ...provide the correct characteristics and behavior for the intended sensor or actuator Have the thresholds been verified with both increasing and decreasing field signal levels and with margins to allowfor the measurementaccuracy Do threshold states remain unique under all operatingtolerances For all configurations have tests been defined and executed to 100 test the required operation Have Dual Out...

Page 115: ...es loaded with the latest firmware versions Are all processors using the same firmware versions Dotheapplicationprogramsensurethatallsafetyrelatedelementsareintheirsafestateduringstart up Have alternate protection measure been considered for safety related functions should you need to do an on line change Ensured that HART data is not used as the primary process measurement in a safety related fun...

Page 116: ...116 Rockwell Automation Publication ICSTT RM446N EN P April 2018 Chapter 5 Checklists ...

Page 117: ... manuals shown in table below Actual configuration guide applicable is dependent upon version of AADvance Workbench used Resource Document Number Safety Manual ICSTT RM446 System Build Manual ICSTT RM448 Configuration Guide ICSTT RM405 Configuration Guide ICSTT RM458 OPC Portal Server User Manual ICSTT RM407 PFH and PFDavg Data Manual ICSTT RM449 Solutions Handbook ICSTT RM447 Troubleshooting and ...

Page 118: ...nce Workbench to satisfy your system operation and application requirements Troubleshooting and Maintenance Manual This technical manual describes how to maintain troubleshoot and repair an AADvance Controller OPC Portal Server User Manual This manual describes how to install configure and use the OPCServer for an AADvance Controller PFH and PFDavg Data This document contains the PFH and PFDavg Da...

Page 119: ...typically using logic sequences limits and expressions to read inputs make decisions and control outputs to suit the requirements of the system for functional safety architecture Organizational structure of a computing system which describes the functional relationship between board level device level and system level components asynchronous A data communications term describing a serial transmiss...

Page 120: ...e and or hardware means to make sure the data retains its integrity blanking cover A plastic moulding to hide an unused slot in an AADvance base unit boolean A type of variable that can accept only the values true and false BPCS Basic process control system A system which responds to input signals and generates output signals causing a process and associated equipment to operate in a desired manne...

Page 121: ...ication compilation process This process in conjunction with the validated execution code produced by the AADvance Workbench ensures a high degree of confidence that there are no errors introduced by the Workbench or the compiler during the compilation of the application configuration A grouping of all the application software and settings for a particular AADvance controller The grouping must hav...

Page 122: ...ts if one or more of the elements disagree DITA Digital input termination assembly DOTA Digital output termination assembly E element A set of input conditioning application processing and output conditioning energize to action A safety instrumented function circuit where the outputs and devices are de energized under normal operation Application of power activates the field device EUC Equipment U...

Page 123: ...ault warning receiving station field device Item of equipment connected to the field side of the I O terminals Such equipment includes field wiring sensors final control elements and those operator interface devices hard wired to I O terminals fire alarm device A component of a fire alarm system not incorporated in the control and indicating equipment which is used to give a warning of fire for ex...

Page 124: ...ented Function in the Safety System only performs its designed function on a demand and the frequency of demands is greater than one per year hot swap See live insertion I I O base unit A backplane assembly which holds up to three I O modules and their associated termination assembly or assemblies in an AADvance controller Part number 9300 See I O module and termination assembly I O module A colla...

Page 125: ...SaGRAF based components K key connector The receptacle on the AADvance controller for the program enable key A 9 way D type socket located on the 9100 processor base unit L ladder diagram An IEC 61131 language composed of contact symbols representing logical equations and simple actions The main function is to control outputs based on input conditions See limited variability language LAN Local are...

Page 126: ...r and Combustion Systems Hazards Code Applies to certain boilers stokers fuel systems and steam generators The purpose of this code is to contribute to operating safety and to prevent uncontrolled fires explosions and implosions NFPA 86 A standard for Ovens and Furnaces Provides the requirements for the prevention of fire and explosion hazards in associated with heat processing of materials in ove...

Page 127: ...lds all of the processor modules in an AADvance controller Part number 9100 See also processor module processor module The application execution engine of the AADvance controller housed in a self contained and standardized physical form factor producer A controller producing a tag to one or more consumers at the request of the consumers program enable key A security device that protects the applic...

Page 128: ...time clock RTU Remote terminal unit The MODBUS protocol supported by the AADvance controller for MODBUS communications over serial links with the ability to multi drop to multiple slave devices S safe state A state which enables the execution of a process demand Usually entered after the detection of a fault condition it makes sure the effect of the fault is to enable rather than disable a process...

Page 129: ... safety layer for the Ethernet network making it a Black Channel SNTP Simple Network Time Protocol Used for synchronizing the clocks of computer systems over packet switched variable latency data networks structured text A high level IEC 61131 3 language with syntax similar to Pascal Used mainly to implement complex procedures that cannot be expressed easily with graphical languages synchronous A ...

Page 130: ...r result is processed by a voting system to produce a single output U U Rack unit A unit of measure used to describe the height of equipment intended for mounting in a standard rack Equivalent to 44 45mm 1 inches V validation In quality assurance confirmation that the product does what the user requires verification In quality assurance confirmation that the product conforms to the specifications ...

Page 131: ...es Find the Direct Dial Code for your product Use the code to route your call directly to a technical support engineer http www rockwellautomation com global support direct dial page Literature Library Installation Instructions Manuals Brochures and Technical Data http www rockwellautomation com global literature library overview page Product Compatibility and Download Center PCDC Get help determi...

Reviews:

No comments

Brands by name

Popular brands

Load more brands