Safety Concept - Pepperl+Fuchs 2/209 Manual


Trip Amplifier 2/209

9 Safety concept

The fault detection calculations and measures meet the requirements of SIL3. From a safety-related point of view, the configuration program is suitable for programming and configuring the devices.

Conditions

1. The devices must only be operated in housings/control cabinets meeting at least IP54.
2. Two functionally diverse selector relays must be connected in series (NO/NC series connection).
3. The analog input circuits must be checked regularly and recurrently (e.g. annually) in the context of calibration.
4. It must not be possible to modify the programmed switching thresholds (trip values) via the function buttons on the front plate during operation. This must be ensured through organizational measures.
5. The user program must be checked during factory/on-site acceptance testing:
   - Correct implementation of the specified function in the instruction list must be verified, e.g. by means of a function check.
   - The printout of the read-back instruction list must be compared with the compiled instruction list for this purpose.
   - The user programs must be written such that the application-dependent response times relating to the process requirements and fault tolerance times, including in conjunction with the overall control system, are not exceeded (e.g. 1 s for plants complying with DIN VDE 0116).
6. If branch commands are used, it must be demonstrated that the cyclic processing of the commands for activation of the relay/dynamic pulse outputs is maintained under all branch conditions. If necessary, the output commands must be protected by means of a watchdog function (the WTD command must be programmed immediately before the output commands).
7. The installation conditions for the trip amplifier inputs and outputs must comply with the IEC 801-5 [7] standard in terms of immunity against transient voltages (well protected electrical environment, no transient voltages exceeding 25 V) or protected via external measures.
8. The application notes in the manufacturer's operating instructions must be observed.

Additional conditions for SIL2 or SIL3 applications

1. For SIL3 applications, the use of paired output contacts in a safety chain is mandatory.
2. For SIL2 applications, it must be ensured that a safe status has been achieved and is maintained upon detection of a potentially hazardous fault during the repeat check (proof test). Single-channel use of an output for a safety function is only permissible if "one fault" safety is not required and the application does not require an equivalent according to category 3, EN 954-1. Otherwise, configurations according to SIL3 must be used.
3. When determining the checks to be performed at regular intervals, the determined proof-test intervals must be observed.
