References to SIL 4 removed at the request of TUV.
Dec 99: Dual hot repair partners.
July 2000: New template, changed ABB to ABB Industri, revised FALT table, added Appendices 4 and 5.
Dec 2000: Released. Added further fault diagnostic information, corrected...
Glossary of Terms ... 6
Introduction ... 8
General Information ... 8
Manual Organisation ... 8
Product Introduction and Overview ... 8
2.3.1 The Triguard SC300E ... 8
2.3.2 SC300E Functional Overview ... 9
2.3.3 Operating System ... 10
2.3.4 Off-Line/Start-up Diagnostics ... 10
2.3.5 ...
Process Trips and Events ... 32
5.4.4 Maintenance Engineering Station ... 32
System Shutdown ... 32
5.5.1 Process Shutdown ... 32
5.5.2 Triguard SC300E System Shutdown ... 32
Maintenance And Modifications ... 33
Introduction ... 33
Routine Maintenance ... 33
6.2.1 System Verification ... 33
6.2.2 Diagnostic Alarms and Messages ...
Appendix 2 - Time Constraint Table (Low Demand of operation) ... 53
Admissible Repair Times in hours for Low Demand Mode of Operation ... 53
10 Appendix 3 - Approved RTTS Versions ... 54
11 Appendix 4 - RTTS versions 8.30-005 and later versions ... 55
11.1 System Error Flags for RTTS version 8.30-005 and later versions ...
Glossary of Terms
1oo2 - One out of two voting
2oo2 - Two out of two voting
2oo3 - Two out of three voting
3-2-1 - Three to two to one processor degradation
3-2-0 - Three to two to zero processor degradation
A, B or C - System channel reference
Alternating current
British Standards Institute
...
TÜV - Technischer Überwachungs Verein, translates to Technical Supervisory Association, of Germany
Triplicated Watchdog
Underwriters Laboratories
V&V - Verification and Validation
Work Instruction
Issue 5 - September 2006 Page 7 of 65
It is the responsibility of the System Designer to enquire if any additional points are safety related. By following the guidance in this manual, the user will be assured that his Triguard SC300E Safety System will be configured, installed, commissioned, operated and maintained with safety first as the prime objective.
2.3.2 SC300E Functional Overview
A Triguard SC300E system has a fully triplicated architecture from input modules to output modules. All Triguard SC300E input and output modules interface to three isolated I/O communications buses, each being controlled by one of the three processor modules.
For further information regarding the RTTS please refer to the 'TriBuild Software Manual 008-5206'. For a full description of Triguard SC300E modules refer to the Triguard SC300E Product and Application Guide (008-5112) and the relevant Module User Manuals.
2.3.6 Verification
The proving that a part of the system meets its specification, and only its specification.
This section provides the guidelines that must be followed if certification to DIN VDE 0801 AK 6 / IEC 61508 SIL 3 is to be maintained. The guideline deals only with the Triguard SC300E Safety PLC and its implementation into a Safety System. It does not remove the responsibility of the Systems Designer to ensure that all other analysis and design processes have been completed correctly.
(eg fuses) must be considered for reliability analysis as part of the field loop. The Termination Card will be connected to the Triguard SC300E Input Module via a standard system cable which connects to the socket on the appropriate Hot Repair Adapter Card (THR) or chassis slot.
(eg fuses and monitoring resistors where fitted). Refer to Figure 2. The signal is connected from the termination card to the Triguard SC300E input module via a standard system cable, which connects to the socket on the appropriate Hot Repair Adapter Card (THR) or chassis connector.
The application, by use of either the analogue processing module (available in USR3) or simple comparators, can provide a bad/safe discrete for each analogue value. An example network using comparators is given in Network 7 of the example networks. Network 6 shows the same functionality using USR3 (See Appendix 1).
3.4 Classification (SIL level) System Time Constraint
The Triguard SC300E Safety PLC is a fault tolerant system that inherently tolerates and reports a first major fault (for example a processor failure). The system diagnostics of a digital output module are not fully available after a first fault is found on the module.
PLC cycle time plus the field equipment switching time. The PLC cycle time can be estimated from the scan rate data estimator (Triguard SC300E Scan Rate Estimator SS 0730) and may be confirmed by monitoring the three registers available for displaying: -...
3.5 Diagnostic Configuration
The Triguard SC300E Fault Tolerant Safety PLC provides an extremely high level of hardware fault diagnostics. All diagnostic errors found initiate a change in state in the Fault Register. It is therefore mandatory that the Fault Call Module be activated in one of the diagnostic networks to provide access to system level diagnostics.
The fault/error flags are located in the register specified by the user in the "Fault Call" and are defined as follows (for RTTS 8.3-005/006 see Appendix 4; for RTTS 8.3-001 to 003 use the table below): ...
Reference: Description
History: Entry in history table - errors logged relating to processors and communications
Data/Voting: 2oo3 voting error - voting discrepancies encountered and logged by the processors during I/O scanning
Latent fault detection of failed on or failed off signal paths - ...
the first fault has been detected. LFD errors can also be generated by field faults on output modules only, for example open circuit field loops. Note: prior to RTTS version 8.30-003, the LFD cycle was 50 seconds.
3.5.6.4 Bit 3 - Monitor
Monitor entries - ...
3.5.7 Monitor flag register
The setting of bit 3 in the 'FALT' call register above results from any bit being set in the 16 bit monitor flag register. These bits are set in the shared RAM on the common Interface by the microcontroller and read by the main processors.
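To make the relationship between the monitor flag register, FALT bit 3 and the system time constraint of section 3.4 concrete, here is an added illustration written for this page (it is not code from the manual, from ABB or from the Triguard product): a small Python model in which FALT bit 3 follows the 16-bit monitor flag register, and a repair timer in the style of Network 002 keeps the system "under time constraint" while a fault is flagged and trips a diagnostic shutdown when the admissible repair time expires. "Bit 3 - Monitor" and the Table 4 flag names are from the manual; the other bit positions, the 3600 s preset, the timer reset on repair and the latched shutdown are assumptions.

```python
# Added illustration, not Triguard code. Models FALT bit 3 derived from the
# 16-bit monitor flag register, plus a repair time-constraint timer.
from dataclasses import dataclass

FALT_BIT_MONITOR = 3  # manual: 3.5.6.4 "Bit 3 - Monitor"

# Monitor flag names are from Table 4; the bit positions are ASSUMED here.
MONITOR_FLAGS = {
    1: "Logic Supply B power fail",
    2: "Logic Supply C power fail",
    6: "Field power fail",
    7: "Output discrepancy error",
}

# ASSUMED preset: the 03600 shown in Network 002 read as seconds. The real
# admissible repair time must come from the Appendix 2 time constraint table.
TIME_CONSTRAINT_S = 3600


def falt_from_monitor(monitor_reg: int, falt_reg: int) -> int:
    """Return FALT with bit 3 set iff any bit of the 16-bit monitor register is set."""
    if monitor_reg & 0xFFFF:
        return falt_reg | (1 << FALT_BIT_MONITOR)
    return falt_reg & ~(1 << FALT_BIT_MONITOR)


def decode_monitor(monitor_reg: int) -> list[str]:
    """Names of the set monitor flags; unnamed positions are reported as reserved."""
    return [MONITOR_FLAGS.get(b, f"reserved bit {b}")
            for b in range(16) if (monitor_reg >> b) & 1]


@dataclass
class RepairTimer:
    """Operation-under-time-constraint timer: runs while any FALT bit is set,
    resets when the fault is repaired (assumed) and latches a diagnostic
    shutdown once the preset is reached (assumed)."""
    preset_s: float = TIME_CONSTRAINT_S
    elapsed_s: float = 0.0
    shutdown: bool = False

    def scan(self, falt_reg: int, dt_s: float) -> str:
        """Advance one PLC scan of dt_s seconds and report the system state."""
        if self.shutdown:
            return "DIAGNOSTIC SHUTDOWN"
        if falt_reg & 0xFFFF:
            self.elapsed_s += dt_s
            if self.elapsed_s >= self.preset_s:
                self.shutdown = True
                return "DIAGNOSTIC SHUTDOWN"
            return "UNDER TIME CONSTRAINT"
        self.elapsed_s = 0.0  # fault cleared by repair: timer restarts from zero
        return "HEALTHY"
```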
Logic Supply B power fail fault
Logic Supply C power fail fault
Reserved
Reserved
Reserved
Field power fail fault
Output discrepancy error
Reserved (8 entries)
Table 4 Piano and Analogue Fault Flags
The following alarm contacts are available and can be wired into the system for use by the application logic.
Triguard system to resume application logic execution automatically after power is restored to the main processors. For main processor configuration details refer to revision 6 of the Triguard SC300E MPP Module User Manual. Switch settings allow the auto-restart function to be enabled, assuming battery-backed memory is being used to store both application logic and I/O status.
The System Acceptance Test harness should be configured to simulate the site functional conditions as closely as possible. All Triguard SC300E input and output modules must have their 3-2-0 configuration checked and logged prior to the start of the Factory Acceptance Test (FAT).
Refer to Appendix 1 for example networks detailing the Mandatory Application logic required.
3.8 Environmental Functionality
To meet CE Emission requirements the Triguard SC300E System must be mounted within a standard Rittal type cabinet with EMC seals fitted on all doors.
The Power Distribution and Alarm Panel PDD24 is a suitable product for this application. The Triguard SC300E termination cards provide individual loop fusing with alarms.
3.11.3 Field Power Diagnostics
Each redundant power module will provide diagnostics fault detection. All faults in external power supply modules connected directly to the system (eg field power supplies) must be alarmed and reported.
The Triguard SC300E TMR User Manual 008-5197 must be referred to. The System Integrator shall also have provided a tailored manual (incorporating the above standard manual) for the specified site.
The Version of RTTS should be confirmed by commanding the System History Report. This report provides a print of the version number of RTTS in its header. The Library version is linked to TriBuild and the version number can be confirmed during the start-up window.
4.4.2 General Description - Shutdown Procedure
The process shutdown sequence will be Process dependent and documented in the Bespoke...
Maintenance Manual will include the standard Operations and Maintenance Manual 008-5202.
5.2 Training
All operators of Triguard SC300E Safety Systems must have completed the Triguard SC300E Operators Training Course. It is recommended that operators be re-trained on a SC300E refresher course every 24 months.
5.5.1 Process Shutdown
Before the Triguard SC300E Safety System is shut down, the process must first be safely shut down and the plant brought to a safe/neutral state. This would normally require that all hazardous materials are removed and the process purged.
With a fault tolerant system such as the Triguard SC300E, one of the primary tasks of maintenance is to keep the system in a 100% healthy state so that the full power of the fault tolerance provided is delivered to the safeguarding of the plant.
The first level of detailed diagnostics is visual: each module in the Triguard SC300E System has a green health LED, and the faulty module should already be indicating its fault by extinguishing the health LED.
run through its off-line diagnostics to re-check its health, which is indicated by the front lights sequencing and the green health light being turned on. When this has completed, the front LEDs are extinguished for approximately 3 seconds and then illuminated; the processor is now ready to be warm started into the system. The warm start command instructs the two operating processors to allow the warm starting processor to read their memory.
The Life Cycle Proof Test ensures that all devices in the safety loop, from sensor to final element, operate correctly. The application of a certified Triguard SC300E System as the logic solver does not remove the requirements for full safety loop proof testing.
All maintenance staff that are required to work on the Safety System will complete a one week maintenance training course and will attend refresher courses every 24 months. All maintenance staff that are required to perform modifications to an installed Triguard SC300E Safety System will attend an additional one week course on Triguard SC300E System Engineering prior to the implementation of the system modifications.
Each processor, when in normal operation, should have its front key in the run position and the keys removed to further prevent unauthorised access. It is the responsibility of the end user to ensure proper maintenance control of the Triguard SC300E Safety System.
6.5 Failure Reporting
All hardware or software failures or faults that occur during the operational life of the Triguard SC300E Safety System must be logged and analysed for their safety impact.
Before de-commissioning or disposal activity can occur, an impact analysis shall be carried out to assess the impact on the functional safety of the Triguard SC300E System and any adjacent plant or processes that may still be in operation. The de-commissioning plan must fully take into account the results of this analysis.
Network 001 - Input Read / Output Write / Mandatory System Diagnostics (Scan Rate 00030 ms, Label 01002, Enabled)
[Ladder diagram; elements: MPP A OUT OF SYNC, MPP B OUT OF SYNC, 2oo3 VOTED SHUTDOWN, DIAGNOSTIC SHUTDOWN; registers 00001, 15829, 6006, 15845, 15846 ...]

Network 002 - System Repair Time Constraint and Diagnostic Shutdown (Scan Rate 00030 ms, Label 01004, Enabled)
[Ladder diagram; elements: GLOBAL FAULT, OPERATION UNDER TIME CONSTRAINT, TIME CONSTRAINT TIMER (preset 03600, timebase 1.0s); registers 6003, 6007, 15853 ...]

Network 003 - Individual PLC Diagnostic Annunciation (Scan Rate 00030 ms, Label 01005, Enabled)
[Ladder diagram; elements: ENTRY IN HISTORY TABLE, MPP B OUT OF SYNC, MODULE OFFLINE, SINGLE SLOT MODULE, OPERATION UNDER TIME ...]

Network 004 - Common PLC Health Signal (Scan Rate 00030 ms, Label 01006, Enabled)
[Ladder diagram; elements: ENTRY IN HISTORY TABLE, DATA VOTE ERROR, MONITOR ERROR, SYSTEM INITIALISE ERROR, HEALTHY, SHUTDOWN, MPP A, MPP B, MPP C; registers 9021, 15840, 15841, 15842, 15843, 15827 ...]

Network 005 - USR3 & example of 1 Hz clock generation (Scan Rate 00030 ms, Label 01001, Enabled)
[Ladder diagram; elements: GLOBAL ANALOGUE FAULT (7922), USR3, 0.5 SECOND CLOCK, MOVE, 1 Hz CLOCK; registers R1212, R1211, R1981, 6004, 6005; constants 00050, 00001 ...]
Appendix 2 - Time Constraint Table (Low Demand of operation)
The following tables detail the actual time constraint time that is required for a certified system, dependent on the maximum number of Safety loop outputs (SIL level 1 to 3) used on a single output module with.
11 Appendix 4 - RTTS versions 8.30-005 and later versions
11.1 System Error Flags for RTTS version 8.30-005 and later versions
The following diagnostic flags are available from the 'FALT' call and can be incorporated in the system application logic to drive local alarm indicators and be transmitted to other systems or workstations.
11.2 MHB44IND 4 channel pulse input and 4 channel analogue output module
The Piano module may only be used with TriBuild for Windows version 1.42 and RTTS 8.3-006 or above, with the following restrictions.
1. The registers used for the analogue outputs must be initialised to 256 or greater to prevent the module losing health.
12 Appendix 5 - RTTS 8.30-007 and 008
12.1 System Identification RTTS 8.30-007
Version 8.30 REM SC-300E ROM System-007 Generated 04-May-2001 12:24
RTTS 8.30/007 is stored in PVCS Version Manager archives using the version label "Version 8.30-007". The part numbers and checksums for the RTTS EPROMs are:
Part No.
12.5 System Identification RTTS 8.30-009
Version 8.30 SC-300E ROM System-009a Generated 28-Mar-2006 14:36
RTTS 8.30/009 is stored in PVCS Version Manager archives using the version label "Version 8.30-009". The part numbers and checksums for the RTTS EPROMs are:
Part No. | Checksum
006-1372-34 | 0FFF...
Appendix 6 - TUV Approved Part Numbers and Revisions
13.1 Hardware Approvals.
Triguard SC300E - Hardware Components (columns: Description | Model No | Part No | Certification AK5/6 | EN 54)
Chassis | Chassis | 001-1109-01
Chassis | Chassis | 001-1209-00-00
Chassis Power Supply - 110/230Vac | 031-1053-05-02
Chassis Power Supply - 110/230Vac | ...

Triguard SC300E - Hardware Components (columns: Description | Model No | Part No | Certification AK5/6 | EN 54)
32 channel digital input module - 24Vdc | MDI32BIS | 001-1104-07-03
32 channel digital input module - 120V AC/DC | MDI32FIS | 001-1157-01-04
32 channel digital input module - 120V AC/DC | ...

Triguard SC300E - Hardware Components (columns: Description | Model No | Part No | Certification AK5/6 | EN 54)
16 channel analogue input, DIN to ELCO - internal power | TAI16EIC | 099-1275-03-01
16 channel analogue input, DIN to ELCO - internal power | TAI16EIL | 099-1309-00-01
16 channel analogue input, DIN to ELCO - internal power | ...

Triguard SC300E - Hardware Components (columns: Description | Model No | Part No | Certification AK5/6 | EN 54)
16 channel digital output, DIN to DIN - internal power - 24Vdc ** future release | TDO16BIN | 099-1339-03-00
16 channel digital output, DIN to ELCO - internal power - 24Vdc | ...

13.2 Software Approvals.
Triguard SC300E - Software Components (columns: Software and Firmware | Model No | Version | Certification AK 5/6 | EN54)
RTTS Operating System 3-2-0 | RTTS | 8.30-007
RTTS Operating System 3-2-0 | RTTS | 8.30-008
RTTS Operating System 3-2-0 | RTTS | 8.30-009a
TriBuild SC300E Single User Application Software | TriBuild | V1.42 ...

Triguard SC300E - Software Components (columns: Software and Firmware | Model No | Version | Certification AK 5/6 | EN54)
System Configuration | syscon.a86
Triguard protocol (peer to peer) | tgprot.lib | 3.21
TI protocol (mandatory but not to be used) | tiprot.a86 | 5.31
Network compiler | trigardc.lib | 5.33
Utilities | utils.a86 ...

Triguard SC300E - Software Components (columns: Software and Firmware | Model No | Version | Certification AK 5/6 | EN54)
FPGA | 006-1354-00
Quad serial I/O firmware | 006-1355-03 | V1.02
Quad serial I/O firmware | 006-1356-03 | V1.02
Quad serial I/O firmware | 006-1355-04 | V1.03
Quad serial I/O firmware | ... | V1.03 ...