4 actuator configurations, 5 pfd calculations – Rockwell Automation T8094 8000 Series TMR System Safety Manual User Manual


SAFETY MANUAL

Doc Number T8094
Issue 27 – June 2013


3.4 ACTUATOR CONFIGURATIONS

As with sensor configurations it is recommended that redundant actuator
configurations be used for safety-critical applications.

Some applications may require multiple actuators and I/O points per safety
function.

In safety-critical applications using a single actuator, it is important that the
actuator failure modes be predictable and well understood, so that there is little
probability of a failed actuator not responding to a critical process condition.

In such a configuration, it is important that the actuator be tested regularly, either by
dynamic process conditions that are verified in the TMR system, or by manual
intervention testing.

The function of a signal shall be considered when allocating the module and channel
within the system. In many cases, redundant actuator configurations may be used, or
differing actuator types provide alternate control and mitigation possibilities. Plant
facilities frequently have related signals; in these cases it is important to ensure that
failures beyond the system’s fault-tolerant capability do not result in either an inability
to respond to safety demands or in inadvertent operation. In some cases, this will
require that channels be allocated on the same module, to ensure that a module failure
results in the associated signals failing-safe. However, in most cases, it will be
necessary to separate the signals across modules. Where non-redundant
configurations are employed, it is especially important to ensure that the fail-safe
action is generated in case of failures within the system.

Field loop power should be considered in the allocation of signals to output channels
and modules. For normally energised configurations, field loop power failure will lead
to the fail-safe reaction. As with the allocation of signals to modules, there may be
related functions where loss of field power should be considered in the same manner
as the signal allocation. Where signals are powered from separate power groups, it is
important that this separation be maintained when allocating the signals to modules,
i.e. that inadvertent coupling between power groups, and particularly return paths, is
not generated.
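The allocation rules above can be checked mechanically against an I/O allocation table. The following is an added example, not part of the manual or of any Rockwell tooling: the tags, module names, power groups and finding codes are constructed, and it assumes that each group of related signals has a recorded decision ("separate" or "same" module) and that a whole module is the unit of power-group separation.

```python
from collections import defaultdict

# Constructed sample data: tags, module names and power groups are hypothetical.
# POLICY records the design decision per group of related signals:
#   "separate" - spread across modules so one module failure cannot take all
#   "same"     - keep on one module so a module failure fails them safe together
POLICY = {"ESD-1": "separate", "BLOWDOWN": "same", "ESD-3": "separate"}
ALLOCATION = [
    # (tag, group, module, channel, power group)
    ("XV-101A", "ESD-1", "DO-1", 1, "PG-A"),
    ("XV-101B", "ESD-1", "DO-1", 2, "PG-A"),
    ("BDV-201", "BLOWDOWN", "DO-2", 1, "PG-B"),
    ("BDV-202", "BLOWDOWN", "DO-3", 1, "PG-B"),
    ("XV-301", "ESD-3", "DO-3", 2, "PG-C"),
]

def check_allocation(rows, policy):
    """Return (code, subject, detail) findings for an output allocation table."""
    findings = []
    modules_by_group = defaultdict(list)
    power_by_module = defaultdict(set)
    used = {}
    for tag, group, module, channel, power in rows:
        modules_by_group[group].append(module)
        power_by_module[module].add(power)
        if (module, channel) in used:
            findings.append(("DUPLICATE_CHANNEL", module, f"{used[(module, channel)]}, {tag}"))
        used[(module, channel)] = tag
    for group, modules in sorted(modules_by_group.items()):
        rule = policy.get(group)
        distinct = sorted(set(modules))
        if rule is None:
            findings.append(("NO_POLICY", group, "allocation decision not recorded"))
        elif rule == "separate" and len(distinct) < len(modules):
            findings.append(("SHARED_MODULE", group, ", ".join(distinct)))
        elif rule == "same" and len(distinct) > 1:
            findings.append(("SPLIT_GROUP", group, ", ".join(distinct)))
    # Assumption: a whole module is treated as the unit of power separation.
    for module, powers in sorted(power_by_module.items()):
        if len(powers) > 1:
            findings.append(("MIXED_POWER_GROUPS", module, ", ".join(sorted(powers))))
    return findings

if __name__ == "__main__":
    for code, subject, detail in check_allocation(ALLOCATION, POLICY):
        print(f"{code:20} {subject:10} {detail}")
```

Each finding is a prompt for engineering review against the system's fault-tolerant capability, not a pass/fail verdict on the design.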

3.5 PFD CALCULATIONS

Systems that are configured to meet the needs of IEC 61508 will require the PFD for
the safety instrumented functions to be calculated.

For information regarding the calculation for the 8000 system and PFD numbers
allocated for the 8000 system, please refer to the TUV approved PFD calculation
document listed in the approved version list.
