3 analog input safety accuracy, 4 energise to action configurations – Rockwell Automation T8094 8000 Series TMR System Safety Manual User Manual


SAFETY MANUAL

Doc Number T8094
Issue 27 – June 2013

Page 25 of 103

3.2.3 Analog Input Safety Accuracy

When High Density Analog input modules are used, the system uses the median
value of the redundant channels' measurements. The deviations between the redundant
channels' measurements are monitored to determine whether they are within the safety
accuracy limit; refer to the associated module's Product Description for its safety
accuracy specification. When a single channel measurement exceeds the safety accuracy
limit, a discrepancy alarm is set for the input channel. Furthermore, should two or more
redundant channel measurements exceed the safety accuracy limit, the reported channel
value is set to -2048 and the channel line fault status is set to True.

In safety critical applications, the line fault status shall be monitored by the
application program and be used to initiate the appropriate safety function when
two or more slice readings for a channel exceed the safety accuracy limit.
Furthermore, the discrepancy alarms should be monitored and alarmed to the
operator.
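The voting and application-side handling described above, as an added illustrative model (not code from the manual or from the 8000 series firmware). It assumes three slice readings per channel, that each slice's deviation is measured against the median, and that the "appropriate safety function" is a trip; the readings are constructed sample values.

```python
from dataclasses import dataclass
from statistics import median

# Value the manual states is reported when two or more slices exceed the limit.
LINE_FAULT_VALUE = -2048


@dataclass
class ChannelResult:
    value: int              # voted value reported to the application
    discrepancy_alarm: bool  # at least one slice outside the safety accuracy limit
    line_fault: bool         # two or more slices outside the limit


def vote_channel(readings, safety_accuracy_limit):
    """Model of the median vote for one analog input channel across three slices.

    readings: the three redundant slice measurements (raw counts, constructed here).
    safety_accuracy_limit: the module's safety accuracy limit, same units as readings.
    Assumption: a slice is "out of limit" when it deviates from the median by more
    than the limit (the manual does not state the reference point explicitly).
    """
    if len(readings) != 3:
        raise ValueError("a TMR channel has exactly three slice readings")
    med = median(readings)
    out_of_limit = sum(abs(r - med) > safety_accuracy_limit for r in readings)
    if out_of_limit >= 2:
        # Two or more slices disagree: the manual says the channel reports -2048
        # and raises its line fault status.
        return ChannelResult(LINE_FAULT_VALUE, True, True)
    # At most one slice disagrees: the median is still trustworthy; a single
    # outlier only raises the discrepancy alarm.
    return ChannelResult(int(med), out_of_limit == 1, False)


def application_scan(result, operator_alarms):
    """Application program logic the manual requires for safety critical use:
    act on line fault, and alarm discrepancies to the operator.
    Returns the demanded state ("TRIP" or "RUN"); operator_alarms collects alarm text.
    """
    if result.line_fault:
        operator_alarms.append("line fault: channel value unreliable")
        return "TRIP"  # assumed safety function: initiate the trip
    if result.discrepancy_alarm:
        operator_alarms.append("discrepancy: one slice outside safety accuracy")
    return "RUN"
```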

3.2.4 Energise to Action Configurations

Certain applications may require normally open (energise to action) inputs and
energise to action outputs.

Normally de-energised configurations shall only be used if:

- the activation of the system is only mitigating an already existing hazard, such as in fire and gas applications SIL 1 to SIL 3, or
- the activation of the system is a hazard itself and the system is used in a SIL 1 to SIL 3 application for 8000 series modules and compliant application for 7000 series modules.

Additionally, the following restrictions apply:

- At least two independent power sources must be used. These power sources must provide emergency power for a safe process shutdown or for a time span required by the application.
- Each power source must be provided with power integrity monitoring, with safety critical input read back into the TMR system controller or implicit power monitoring provided by the I/O modules. Any power failure shall lead to an alarm.
- Unless provided implicitly in the I/O modules, all safety critical inputs and outputs must be fitted with external line and load integrity monitoring and safety critical read back of the line-status signals. Any line or load failure shall lead to an alarm.
- Only modules specifically identified for use in restricted normally de-energised configurations shall be used.

In cases where one or more outputs are used in an energise to trip configuration, all of the
specific requirements above are to be followed for all associated inputs.

If energise to trip safety-related outputs are used, line fault conditions shall be
monitored by the system application and alarmed to plant operations personnel.
Line monitor devices shall be installed as close to the field sensor (or actuator, if
required) as is practicable.

Line monitoring may also be used in de-energise to trip safety critical input applications
but is not specifically required.

When isolation barriers are used in safety critical applications, line-monitoring
thresholds shall be configured to detect barrier faults. This ensures that barrier
faults do not inhibit the safety critical function.
