Rockwell Automation T8094 8000 Series TMR System Safety Manual (section 8.2: analogue inputs and outputs)

SAFETY MANUAL

Doc Number T8094
Issue 27 – June 2013

Page 74 of 103

8.2.1.3 Fail Safe Analogue Processing

For each Analogue Input variable received by the system, three values are generated,
one from each channel. Under normal operation (transparently to the application) a
standard mid-value selection algorithm selects the middle of the three values, assuming
all three are within the health window, and passes it on to the application. It is
this mid-value that the user operates on within the application; all three processing
channels then use this selected mid-value.

When one of the three analogue channel values presented to the processors falls
outside the health window, the processors flag it as bad by converting it to a negative
number. If the two remaining values then diverge by more than the health window,
they are also flagged as bad by converting them to negative numbers. The effect is
that the application is presented with a negative value whenever two or more channels
are bad.

The application, by use of either an analogue processing module or simple
comparators, can provide a bad/safe discrete for each analogue value.

When large numbers of Analogue Inputs are to be processed, a function should be
used to monitor faults within the analogue loops efficiently.

This configuration provides, for each analogue variable, an array of discretes for
channel faults and for open- and short-circuit faults, as well as a global fault bit and
the test parameters. Both the open-circuit and the short-circuit fault values should be
configured.
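The selection and flagging logic described above, modelled in Python as an added illustration (this is not code from the manual or from Rockwell Automation). The model assumes: channel readings are non-negative 4-20 mA values; the health window is a discrepancy tolerance in mA; a channel flagged bad stays latched bad until a reset after repair; the open- and short-circuit limits of 3.6 mA and 21 mA are assumed configuration values; and, when one channel is out, the mean of the two survivors is passed on (the manual does not say which value is used in that case). The `AnalogueInput`, `AnalogueStatus` and `monitor_inputs` names are this example's own.

```python
"""Model of the fail-safe analogue processing described in 8.2.1.3.

Added illustration, not Rockwell Automation code. Assumptions: channel readings
are non-negative 4-20 mA values, the health window is a discrepancy tolerance in
mA, a channel flagged bad stays bad until reset, and with one channel out the
mean of the two survivors is passed on (the manual does not say which value is).
"""
from dataclasses import dataclass
from typing import List, Sequence, Tuple

# Constructed open/short circuit limits for a 4-20 mA loop (assumed configuration).
OPEN_CIRCUIT_MA = 3.6
SHORT_CIRCUIT_MA = 21.0


def as_bad(value: float) -> float:
    """Flag a reading bad by making it negative; healthy readings are >= 0."""
    return -abs(value) if value != 0 else -1.0


def mid_value(values: Sequence[float]) -> float:
    """Standard mid-value selection: the middle of the three channel readings."""
    return sorted(values)[1]


@dataclass
class AnalogueStatus:
    presented: float                       # value handed to the application
    channel_bad: Tuple[bool, bool, bool]   # one discrete per channel
    open_circuit: bool
    short_circuit: bool

    @property
    def bad(self) -> bool:
        """The bad/safe discrete: a simple comparator on the presented value."""
        return self.presented < 0


class AnalogueInput:
    """One analogue variable fed by three channels, one per processor."""

    def __init__(self, window: float) -> None:
        self.window = window
        self.latched_bad = [False, False, False]

    def reset(self) -> None:
        """Clear latched faults, e.g. after hot repair of the faulty channel."""
        self.latched_bad = [False, False, False]

    def scan(self, values: Sequence[float]) -> AnalogueStatus:
        values = tuple(values)
        assert len(values) == 3, "one reading per channel expected"
        # Loop faults on the raw readings: open (under-range) or short (over-range).
        open_ct = any(v < OPEN_CIRCUIT_MA for v in values)
        short_ct = any(v > SHORT_CIRCUIT_MA for v in values)
        for i, v in enumerate(values):
            if v < OPEN_CIRCUIT_MA or v > SHORT_CIRCUIT_MA:
                self.latched_bad[i] = True

        healthy = [i for i in range(3) if not self.latched_bad[i]]
        if len(healthy) == 3:
            # All three in service: any channel outside the window around the
            # mid-value is flagged bad.
            mid = mid_value(values)
            for i in healthy:
                if abs(values[i] - mid) > self.window:
                    self.latched_bad[i] = True
            healthy = [i for i in range(3) if not self.latched_bad[i]]

        if len(healthy) == 2:
            # One channel already bad: the two survivors must still agree.
            x, y = values[healthy[0]], values[healthy[1]]
            if abs(x - y) > self.window:
                self.latched_bad[healthy[0]] = self.latched_bad[healthy[1]] = True
                healthy = []

        if len(healthy) == 3:
            presented = mid_value(values)
        elif len(healthy) == 2:
            presented = (values[healthy[0]] + values[healthy[1]]) / 2.0
        else:
            # Two or more channels bad: the application sees a negative value.
            presented = as_bad(mid_value(values))

        return AnalogueStatus(presented, tuple(self.latched_bad), open_ct, short_ct)


def monitor_inputs(inputs: Sequence[AnalogueInput],
                   readings: Sequence[Sequence[float]]) -> Tuple[List[AnalogueStatus], bool]:
    """Scan many analogue inputs at once and derive a global fault bit."""
    statuses = [inp.scan(vals) for inp, vals in zip(inputs, readings)]
    global_fault = any(any(s.channel_bad) or s.open_circuit or s.short_circuit
                       for s in statuses)
    return statuses, global_fault


if __name__ == "__main__":
    loop = AnalogueInput(window=0.5)
    print(loop.scan((12.0, 12.1, 12.2)))   # mid-value 12.1, all channels healthy
    print(loop.scan((12.0, 12.1, 15.0)))   # channel 3 outside window, value still good
    print(loop.scan((12.0, 13.0, 15.0)))   # survivors disagree: negative value
```

The three scans in the `__main__` block walk through the sequence the text describes: a healthy triple, one outlier (the application still gets a usable value and a per-channel fault discrete), then the two survivors drifting apart, at which point the presented value goes negative and the comparator-derived `bad` discrete asserts. The global fault bit from `monitor_inputs` is set by any channel, open-circuit or short-circuit fault on any input, which is the "function to monitor faults within the analogue loops" the text calls for when many inputs are in play.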

8.2.2 Outputs

The standard configuration for ESD Safety System outputs is to provide digital outputs
only, configured for de-energise to trip (again, fail-safe).

8.2.2.1 De-Energise to Trip Outputs

All safety-related outputs are driven from the Digital Output Module. Each module must be
configured with a hot-repair partner slot so that bumpless hot repair can be
carried out.

The Output Module provides a fully tested six-element switch voting circuit for each
individual output.

Where the safety integrity level (safety classification) required of a safety loop
calls for two or more final elements to be available for shutdown, each
final element should be driven from a separate Digital Output Module and
Termination Card, where practical.

The shutdown signal is connected from the Output Module through the chassis
backplane, the hot repair adapter card and the system cable to the Termination Card
where the field wiring is connected.

The simplex part of the Termination Card (e.g. the fuses) must be treated as part of
the field loop for reliability analysis.
