Outputs - ABB Triguard SC300E Safety Manual

The application, by use of either the analogue processing module (available in USR3) or simple
comparators, can provide a bad/safe discrete for each analogue value. An example network
using comparators is given in Network 7 of the example networks. Network 6 shows the same
functionality using USR3 (See Appendix 1).
When large numbers of Analogue Inputs are to be processed, USR3 should be used to
effectively monitor faults within the analogue loops. This is accomplished by configuring the
Analogue Test Database in the TriBuild System Configuration Special Function Configuration.
This configuration provides for each analogue variable an array of discretes for channel faults,
open and short circuit faults, as well as defining a global fault bit and the test parameters. Both
open and short circuit faults values should be configured.
3.3.2

Outputs

The standard configuration for ESD Safety System outputs is to provide digital outputs only,
which are configured for de-energise to trip (3-2-0 GTZ again fail to safe).
3.3.2.1 De-Energise to Trip Outputs
All safety related outputs will be from the Digital Output Module. Each module must be
configured with a hot repair partner slot to allow bump-less hot repair to be accomplished.
The Output Module provides a fully tested six-element switch voting circuit for each individual
output.
Where the safety integrity level (safety classification) requirements of a safety loop requires two
or more final elements to be available for shutdown purpose, then each final elements should be
driven from a separate Digital Output Module and Termination Card, where practical.
The shutdown signal is connected from the Output Module through the chassis backplane, the
hot repair adapter card and the system cable to the Termination Card where the field wiring is
connected.
The simplex part of the termination module (eg fuses) must be considered as part of the field
loop for reliability analysis.
3.3.2.2 Multiple Input / Output Safety Configuration
Where the safety integrity level requires multiple sensors and final elements from a safety loop,
then these configurations will be as follows.
3.3.2.3 Dual Sensors
These will be voted by the application logic in a 1oo2 manner such that either sensor providing
an alarm status requires a shutdown.
Where the sensor diagnostics provide fault status then the safety loop may revert to a 1oo1
voting on the good sensor for the time constraint of the sensor's safety loop. At the termination
of this time constraint the loop will demand a shutdown.
A single remaining sensor going into fault will demand an immediate shutdown.
3.3.2.4 Triplicated Sensors
These will be voted on a 2oo3 basis by the application logic, however, once a sensor has been
voted as bad, the voting logic will revert to a 1oo2 vote on the remaining two sensors following
the strategy determined for dual sensors.
3.3.2.5 Dual Final Elements
These are to be configured in a 1oo2 manner such that either output requires a shutdown.
Issue 5 - September 2006
Page 15 of 65