Rockwell Automation T8094 8000 Series TMR System Safety Manual User Manual

SAFETY MANUAL

D oc N umber T8094
I ssue 27 – June 2013

Page 88 of 103

The ITSTM supports one method of operation (simplex or duplex) and one test
schedule and so, if all the input channels are simplex or duplex (but not a mixture of
the two), and it is applicable to do tests on all of the inputs at the same time, the
application can use only one ITSTM to manage all of the tests. In other circumstances,
do the following:

•

If it is necessary to do tests on different inputs at different times, you have to use
multiple ITSTMs.

•

If there is a mixture of simplex and duplex input channels, you have to use multiple
ITSTMs.

•

When you use multiple ITSTMs, divide the DIPTs into groups and connect each
group to its own ITSTM. Then configure each ITSM to the applicable schedule.

The DIPT has a RAT (request autotest) output, which it sets to TRUE if the inputs of a
duplex module have been inconsistent for more than one application cycle. When this
happens, a test is necessary to find out which half of the duplex input has a fault. The
application must respond to the RAT output by starting a test of the input modules to
find a solution to the discrepancy.

Note: During a test, the DIPT input verification (IPV) output will freeze. An autotest will
not cause a trip.

9.10.4.3 Testing Analogue Inputs

If a safety instrumented function (SIF) relies on one or more CS300 analogue inputs,
you must use the function blocks to do tests on the inputs for open circuit and short
circuit conditions. You will use one LFLT for each analogue input. The LFLT uses the
unscaled process input value taken directly from its PI-732 channel.

The LFLT tests are not scheduled. The LFLT constantly monitors its analogue input
channel (IP) for a deviation which takes the value above the short circuit threshold or
below the open circuit threshold.

•

The Trusted processor constantly monitors the analogue data input from the
CS300 slices. When a discrepancy greater than 1% is detected between two slices
a fault is declared. The migrated application must report the fault to the operator
so that the defective module can be replaced within the mean time to repair used
in the PFD calculation for the module.

•

An analogue input is valid when the values from the three slices are closer than a
count of 41 – this represents 1% of the maximum count, 4,095. The analogue
input cannot distinguish between values greater than 4,095 or less than 0, and so
the usable range for inputs is from 41 to 4,054.

•

The lower (open circuit) threshold (OCTHR) and the higher (short circuit) threshold
(SCTHR) must be in the range 41 to 4054 inclusive. If the application sets either
threshold to a value outside this range, the LFLT uses its limit value (41 or 4,054)
not the requested value.