Use Of Triplicated Watchdog Timer With Remote Chassis; Tribuild, Network Examples; Environmental Functionality; Security - ABB Triguard SC300E Safety Manual

users application. The external watchdog timer will be configured for 2oo3 operation and must
be tested periodically as recommended in the user manual.

3.6.11 Use of Triplicated Watchdog Timer with Remote Chassis.

When used in a system with one or more remote chassis, the voted output of the external
watchdog timer is used to remove both power feeds to the chassis power supplies (PAC or
PDC24) of the main chassis. This will ensure that all output modules will fail to a known safe
state 2.64 seconds after the external watchdog trips by the common interface watchdogs.
The fall back state is defined by the links on the digital output modules, for ESD system this is
GTZ (Go To Zero).

3.7 TriBuild, Network Examples

Refer to Appendix 1 for example networks detailing the Mandatory Application logic required.

3.8 Environmental Functionality

To meet CE Emission requirements the Triguard SC300E System must be mounted within a
standard Rittal type cabinet with EMC seals fitted on all doors.

3.9 Security

All system cabinets must be fitted with keylocks to enable the proper control of access to the
Triguard SC300E Safety System.
Software security access via the password protection scheme of TriBuild will be the
responsibility of the end user. The System Integrator must ensure that the end user is fully
aware of the facilities of the TriBuild password protection scheme.
Each processor, when in normal operation, should have its front key in the run position and the
keys removed to further prevent unauthorised access. It is the responsibility of the end user to
ensure proper maintenance control of the Triguard SC300E Safety System.

3.10 System Power Supplies

Each system and I/O chassis requires two power supply feeds. These feeds must be
separately protected and ideally should be derived from two separate secure sources.

3.11 Field Sensors and Final Elements

It is the responsibility of the System Integrator to review the proposed field equipment to ensure
the correct quality of Sensors and Final Elements is being used for safety loops.

3.11.1 Field Power Supplies

All field power supply failures must in principle be fail safe. The field power supply configuration
will be at a minimum 100% functionally redundant (any single power module failure leaves the
bulk power supply in the position of being able to maintain 100% load).
Issue 5 - September 2006
Page 27 of 65