Trip Amplifier 2/209
DOCT-1946C 2018-07 322903 EN

9 Safety concept
The fault detection calculations and measures meet the requirements of SIL3. From a
safety-related point of view, the configuration program is suitable for programming and
configuring the devices.
Conditions
1. The devices must only be operated in housings/control cabinets meeting at least
IP54.
2. Two functionally diverse selector relays must be connected in series (NO/NC series
connection).
3. The analog input circuits must be checked regularly and recurrently (e.g. annually)
in the context of calibration.
4. It must not be possible to modify the programmed switching thresholds (trip values)
via the function buttons on the front plate during operation. This must be ensured
through organizational measures.
5. The user program must be checked during factory/on-site acceptance testing:
– Correct implementation of the specified function in the instruction list must be
verified, e.g. by means of a function check.
– The printout of the read-back instruction list must be compared with the
compiled instruction list for this purpose.
– The user programs must be written such that the application-dependent
response times relating to the process requirements and fault tolerance times,
including in conjunction with the overall control system, are not exceeded (e.g.
1 s for plants complying with DIN VDE 0116).
6. If branch commands are used, it must be demonstrated that the cyclic processing of
the commands for activation of the relay/dynamic pulse outputs is maintained under
all branch conditions. If necessary, the output commands must be protected by
means of a watchdog function (the WTD command must be programmed
immediately before the output commands).
7. The installation conditions for the trip amplifier inputs and outputs must comply with
the IEC 801-5 [7] standard in terms of immunity against transient voltages (well
protected electrical environment, no transient voltages exceeding 25 V) or be
protected via external measures.
8. The application notes in the manufacturer’s operating instructions must be
observed.
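
One way to support the comparison in condition 5 and the WTD placement check in condition 6 during acceptance testing, as an added example (not code from the manufacturer or this manual). Only the WTD mnemonic comes from the text above; all other mnemonics, the one-instruction-per-line layout and the `;` comments are assumptions, and both listings are constructed samples.

```python
import difflib

# Hypothetical output mnemonics; replace with the device's real output commands.
OUTPUT_COMMANDS = frozenset({"OUT_REL1", "OUT_REL2"})

def normalize(listing):
    """Return [(source_line_no, instruction)] without comments, blanks or spacing noise."""
    result = []
    for no, raw in enumerate(listing.splitlines(), start=1):
        code = " ".join(raw.split(";", 1)[0].split()).upper()
        if code:
            result.append((no, code))
    return result

def compare_lists(compiled, read_back):
    """Condition 5: every instruction-level difference between the two listings."""
    a = [ins for _, ins in normalize(compiled)]
    b = [ins for _, ins in normalize(read_back)]
    matcher = difflib.SequenceMatcher(a=a, b=b, autojunk=False)
    return [(tag, a[i1:i2], b[j1:j2])
            for tag, i1, i2, j1, j2 in matcher.get_opcodes() if tag != "equal"]

def unguarded_outputs(listing):
    """Condition 6: output commands not in a run that directly follows a WTD."""
    findings, guarded = [], False
    for no, ins in normalize(listing):
        op = ins.split()[0]
        if op == "WTD":
            guarded = True
        elif op in OUTPUT_COMMANDS:
            if not guarded:
                findings.append((no, ins))
        else:
            guarded = False  # any other instruction ends the protected run
    return findings

# Constructed samples: the read-back list has a changed threshold and a missing WTD.
COMPILED = """\
LD   IN1        ; constructed sample
CMP  TRIP1
JMP  SKIP
WTD
OUT_REL1
OUT_REL2
"""
READ_BACK = "ld in1\ncmp trip2\njmp skip\nout_rel1\nout_rel2\n"

if __name__ == "__main__":
    print(compare_lists(COMPILED, READ_BACK))
    print(unguarded_outputs(READ_BACK))
```

An empty result from both functions is the pass criterion; any entry is a finding to resolve before acceptance.
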
Additional conditions for SIL2 or SIL3 applications
1. For SIL3 applications, the use of paired output contacts in a safety chain is
mandatory.
2. For SIL2 applications, it must be ensured that a safe status has been achieved and
is maintained upon detection of a potentially hazardous fault during the repeat check
(proof test).
Single-channel use of an output for a safety function is only permissible if “one fault”
safety is not required and the application does not require an equivalent according
to category 3, EN 954-1. Otherwise, configurations according to SIL3 must be used.
3. When determining the checks to be performed at regular intervals, the determined
proof-test intervals must be observed.