3 sensor configurations – Rockwell Automation T8094 8000 Series TMR System Safety Manual User Manual
Page 51
SAFETY MANUAL
D oc N umber T8094
I ssue 27 – June 2013
Page 30 of 103
3.3 SENSOR CONFIGURATIONS
It is recommended that safety critical process inputs be measured using redundant
input sensors.
Some applications may require multiple sensors and I/O points per safety
function
In safety critical input applications using a single sensor, it is important that the
sensor failure modes be predictable and well understood, so that there is little
probability of a failed sensor not responding to a critical process condition. In
such a configuration, it is important that the sensor be tested regularly, either by
dynamic process conditions that are verified in the TMR system, or by manual
intervention testing.
The function of a signal shall be considered when allocating the module and channel
within the system. In many cases, redundant sensor and actuator configurations may
be used, or differing sensor and actuator types provide alternate detection and control
possibilities. Plant facilities frequently have related signals, e.g. start, and stop signals,
in these cases it is important to ensure that failures beyond the system’s fault-tolerant
capability do not result in either inability to respond safely or in inadvertent operation.
In some cases, this will require that channels be allocated on the same module, to
ensure that a module failure results in the associated signals failing-safe.
However, in most cases, it will be necessary to separate the signals across modules.
Where non-redundant configurations are employed, it is especially important to ensure
that the fail-safe action is generated in case of failures within the system.
Field loop power should be considered in the allocation of signals to input channels
and modules. For normally energised input configurations, field loop power failure will
lead to the fail-safe reaction. As with the allocation of signals to modules, there may
be related functions, e.g. start and stop signals, where loss of field power should be
considered in the same manner as the signal allocation. Where signals are powered
from separate power groups, it is important that this separation be maintained when
allocating the signals to modules, i.e. that they are not connected to input channels
within the same power group.