MSA SUPREMA Touch, Инструкция по установке и обслуживанию, Страница: 18 / 309

MSA AUER
MSA
System Concept
SUPREMATouch 17 US
2.3 Safety Concept
The individual functional modules are connected to each other by a CAN bus. The CAN bus is
designed to be virtually error-proof. Every module can detect errors on the bus and handle them
appropriately. The probability of an undiscovered communications error on the bus is 4.7 * 10
-14
.
Error statuses on the CAN bus are indicated on the D OPERATION unit [MDO module].
Each module with a microcomputer module has a watchdog timer, which actuates a “wired” OR
signal line if the module fails. As a result, the SYSTEM FAILURE common relays on the intercon-
nection board [MIB module] are deactivated. This common failure signal is monitored by the DIS-
PLAY + OPERATION unit .
All the modules are checked for signs of life at fixed, periodic time intervals by the CENTRAL
PROCESSING unit [MCP module] via the CAN bus. The failure of a module can thus be recog-
nised, and the appropriate messages will be generated. These messages are displayed on the
MDO module and, parallel to it, the System Failure is activated by the relevant modules.
The operating voltages of the connected voltage supply units [EXT, INT and BAT] are monitored
by special inputs of the DATA ACQUISITION unit [MDA module]. If a malfunction occurs here, the
POWER-FAIL common relay is released.
For gas warning systems with higher safety requirements according to IEC 61508 SIL 3 the sys-
tem can be provided with redundancy by the use of additional modules. Redundant signal
processing has the same structure and functions the same way as standard non-redundant
processing. Communications between the modules proceed over an internal connection, which is
designed as a redundant CAN bus. If one of the two signal processing routes malfunctions, an
error message to this effect appears on the D OPERATION unit [MDO module] [SYS-
TEM FAIL]. The remaining signal processing channel takes over all of the necessary functions un-
til the defective module can be replaced. The failure of individual modules does not lead
automatically to the failure of the entire system. Only the functions assigned to the specific module
in question are not available.
In the simpler expansion stages of the safety requirements according to IEC 61508, the gas warn-
ing system can be operated via one of the two possible CAN bus connections. Starting with SIL 3,
both CAN bus connections are generally required. In this case, two CENTRAL PROCESSING
units [MCP modules] are present and all of the input and output signals important for system op-
erations are available over additional modules on both CAN buses in parallel. If one of these CAN
bus connections fails, an error signal is generated by the SYSTEM FAIL message. The system
still remains functional by using the remaining CAN bus connection.
The message SYSTEM FAIL is leading to flash up the SYSTEM FAIL LED and the system failure
relays change to the failure condition. A permanent lasting System Fail message indicates an ur-
gent need of service [for example the malfunction of a module]. Therefore the connection of the
switching outputs of the system failure relays has to enable an immediate triggering message.