ABB Triguard SC300E Safety Manual

Triple modular redundant safety controller

Triguard SC300E Safety Manual
Copyright © ICS Triplex Technology 1998-2006
Printed in England
Document Reference SS 0728
Issue 5 - September 2006


Summary of Contents for ABB Triguard SC300E

  • Page 1 Triguard SC300E Safety Manual Copyright © ICS Triplex Technology 1998-2006 Printed in England Document Reference SS 0728 Issue 5 - September 2006...
  • Page 2 Revision history:
    References to SIL 4 removed at the request of TUV. Dec 99
    Dual hot repair partners. July 2000
    New template, changed ABB to ABB Industri, revised FALT table, added appendices 4 and 5. Dec 2000 released
    Added further fault diagnostic information, corrected...
  • Page 3: Table Of Contents

    Glossary of Terms ... 6
    Introduction ... 8
    General Information ... 8
    Manual Organisation ... 8
    Product Introduction and Overview ... 8
    2.3.1 The Triguard SC300E ... 8
    2.3.2 SC300E Functional Overview ... 9
    2.3.3 Operating System ... 10
    2.3.4 Off-Line/Start-up Diagnostics ... 10
    2.3.5...
  • Page 4 (Table of Contents, continued)
    Process Trips and Events ... 32
    5.4.4 Maintenance Engineering Station ... 32
    System Shutdown ... 32
    5.5.1 Process Shutdown ... 32
    5.5.2 Triguard SC300E System Shutdown ... 32
    Maintenance and Modifications ... 33
    Introduction ... 33
    Routine Maintenance ... 33
    6.2.1 System Verification ... 33
    6.2.2 Diagnostic Alarms and Messages ...
  • Page 5 (Table of Contents, continued)
    Appendix 2 - Time Constraint Table (Low Demand of operation) ... 53
    Admissible Repair Times in hours for Low Demand Mode of Operation ... 53
    10 Appendix 3 - Approved RTTS Versions ... 54
    11 Appendix 4 - RTTS versions 8.30-005 and later versions ... 55
    11.1 System Error Flags for RTTS version 8.30-005 and later versions ...
  • Page 6: Glossary Of Terms

    Glossary of Terms
    1oo2 - One out of two voting
    2oo2 - Two out of two voting
    2oo3 - Two out of three voting
    3-2-1 - Three to two to one processor degradation
    3-2-0 - Three to two to zero processor degradation
    A, B or C - System channel reference
    alternating current
    British Standards Institute...
  • Page 7 (Glossary of Terms, continued)
    TÜV - Technischer Überwachungs Verein, translates to Technical Supervisory Association, of Germany
    Triplicated Watchdog
    Underwriters Laboratories
    V&V - Verification and Validation
    Work Instruction...
  • Page 8: Introduction

    It is the responsibility of the System Designer to enquire if any additional points are safety related. By following the guidance in this manual, the user will be assured that his Triguard SC300E Safety System will be configured, installed, commissioned, operated and maintained with safety first as the prime objective.
  • Page 9: SC300E Functional Overview

    2.3.2 SC300E Functional Overview A Triguard SC300E system has a fully triplicated architecture from input modules to output modules. All Triguard SC300E input and output modules interface to three isolated I/O communications buses, each being controlled by one of the three processor modules.
  • Page 10: Operating System

    [Figure residue: SC300E architecture block diagram showing hot repair modules, input and output modules, input and output terminations, microprocessors and microcontrollers, I/P paths A/B, O/P paths A/B and the 2oo3 voter; R/O = Read-Only Links]...
  • Page 11: On-Line/Continuous Diagnostics

    For further information regarding the RTTS please refer to the 'TriBuild Software Manual 008-5206'. For a full description of Triguard SC300E modules refer to the Triguard SC300E Product and Application Guide (008-5112) and the relevant Module User Manuals. 2.3.6 Verification: the proving that a part of the system meets its specification, and only its specification.
  • Page 12: Configuration Application Design

    This section provides the guidelines that must be followed if certification to DIN VDE 0801 AK 6 / IEC 61508 SIL 3 is to be maintained. The guideline deals only with the Triguard SC300E Safety PLC and its implementation into a Safety System. It does not remove the responsibility of the Systems Designer to ensure that all other analysis and design processes have been completed correctly.
  • Page 13: Inputs

    (eg fuses) must be considered for reliability analysis as part of the field loop. The Termination Card will be connected to the Triguard SC300E Input Module via a standard system cable which connects to the socket on the appropriate Hot Repair Adapter Card (THR) or chassis slot.
  • Page 14: Figure 2 Current To Voltage Conversion

    (eg fuses and monitoring resistors where fitted). Refer to Figure 2. The signal is connected from the termination card to the Triguard SC300E input module via a standard system cable, which connects to the socket on the appropriate Hot Repair Adapter Card (THR) or chassis connector.
  • Page 15: Outputs

    The application, by use of either the analogue processing module (available in USR3) or simple comparators, can provide a bad/safe discrete for each analogue value. An example network using comparators is given in Network 7 of the example networks. Network 6 shows the same functionality using USR3 (See Appendix 1).
  • Page 16: Classification (SIL Level) System Time Constraint

    3.4 Classification (SIL level) System Time Constraint The Triguard SC300E Safety PLC is a fault tolerant system that inherently tolerates and reports a first major fault (for example a processor failure). The system diagnostics of a digital output module are not fully available after a first fault is found on the module.
  • Page 17: Figure 3 Dual Final Elements

    Figure 3 Dual Final Elements...
  • Page 18: Without Time Constraint Dual Outputs

    PLC cycle time plus the field equipment switching time. The PLC cycle time can be estimated from the scan rate data estimator (Triguard SC300E Scan Rate Estimator SS 0730) and may be confirmed by monitoring the three registers available for displaying: -...
  • Page 19: Diagnostic Configuration

    3.5 Diagnostic Configuration The Triguard SC300E Fault Tolerant Safety PLC provides an extremely high level of hardware fault diagnostics. All diagnostic errors found initiate a change in state in the Fault Register. It is therefore mandatory that the Fault Call Module be activated in one of the diagnostic networks to provide access to system level diagnostics.
  • Page 20 The fault/error flags will be located in the Register specified by the user in the "Fault Call" and are defined as follows (for RTTS 8.3-005/006 see Appendix 4): please use the table for RTTS 8.3-001 to 003...
  • Page 21: Table 1 FALT Error Flags (RTTS 8.30 Versions 001 - 003)

    Reference | Description
    History | Entry in history table - errors logged relating to processors and communications
    Data/Voting | 2oo3 voting error - voting discrepancies encountered and logged by the processors during I/O scanning
    latent fault detection of failed on or failed off signal paths -...
  • Page 22 the first fault has been detected. LFD errors can also be generated by field faults on output modules only, example: open circuit field loops. Note: prior to RTTS version 8.30-003, the LFD cycle was 50 seconds. 3.5.6.4 Bit 3 - Monitor Monitor entries –...
  • Page 23: Monitor Flag Register

    3.5.7 Monitor flag register The setting of bit 3 in the ‘FALT’ call register above results from any bit being set in the 16 bit monitor flag register. These bits are set in the shared RAM on the common Interface by the microcontroller and read by the main processors.
  • Page 24: Automatic Diagnostic Action

    Logic Supply B power fail fault
    Logic Supply C power fail fault
    Reserved
    Reserved
    Reserved
    Field power fail fault
    Output discrepancy error
    Reserved (8 further reserved entries)
    Table 4 Piano and Analogue Fault Flags
    The following alarm contacts are available and can be wired into the system for use by the application logic.
  • Page 25: MPP A, MPP B, MPP C

    Triguard system to resume application logic execution automatically after power is restored to the main processors. For main processor configuration details refer to revision 6 of the Triguard SC300E MPP Module User Manual. Switch settings allow the auto-restart function to be enabled, assuming battery-backed memory is being used to store both application logic and I/O status.
  • Page 26: Application Logic Verification

    The System Acceptance Test harness should be configured to simulate the site functional conditions as closely as possible. All Triguard SC300E input and output modules must have their 3-2-0 configuration checked and logged prior to the start of the Factory Acceptance Test (FAT).
  • Page 27: Use Of Triplicated Watchdog Timer With Remote Chassis

    Refer to Appendix 1 for example networks detailing the Mandatory Application logic required. 3.8 Environmental Functionality To meet CE Emission requirements the Triguard SC300E System must be mounted within a standard Rittal type cabinet with EMC seals fitted on all doors.
  • Page 28: Field Power Distribution

    The Power Distribution and Alarm Panel PDD24 is a suitable product for this application. The Triguard SC300E termination cards provide individual loop fusing with alarms. 3.11.3 Field Power Diagnostics Each redundant power module will provide diagnostics fault detection. All faults in external power supply modules connected directly to the system (eg field power supplies) must be alarmed and reported.
  • Page 29: Installation And Commissioning

    The Triguard SC300E TMR User Manual 008-5197 must be referred to. The System Integrator shall also have provided a tailored manual (incorporating the above standard manual) for the specified site.
  • Page 30: General Description - Shutdown Procedure

    The Version of RTTS should be confirmed by commanding the System History Report. This report provides a print of the version number of RTTS in its header. The Library version is linked to TriBuild and the version number can be confirmed during the start-up window. 4.4.2 General Description - Shutdown Procedure The process shutdown sequence will be Process dependent and documented in the Bespoke...
  • Page 31: Operations

    Maintenance Manual will include the standard Operations and Maintenance Manual 008-5202. 5.2 Training All operators of Triguard SC300E Safety Systems must have completed the Triguard SC300E Operators Training Course. It is recommended that operators be re-trained on an SC300E refresher course every 24 months.
  • Page 32: Maintenance Actions

    5.5.1 Process Shutdown Before the Triguard SC300E Safety System is shut down, the process must first be safely shut down and the plant brought to a safe/neutral state. This would normally require that all hazardous materials are removed and the process purged.
  • Page 33: Maintenance And Modifications

    With a fault tolerant system such as the Triguard SC300E, one of the primary tasks of maintenance is to keep the system in a 100% healthy state, so that the full benefit of the fault tolerance provided is delivered to the safeguarding of the plant.
  • Page 34: Module Change-Out

    The first level of detailed diagnostics is visual: each module in the Triguard SC300E System has a green health LED, and the faulty module should already be indicating its fault by extinguishing the health LED.
  • Page 35: Sequence Of Repair

    run through its off-line diagnostics to re-check its health, which is indicated by the front lights sequencing and the green health light being turned on. When this has completed, the front LEDs are extinguished for approximately 3 seconds and then illuminated; the processor is then ready to be warm started into the system. The warm start command instructs the two operating processors to allow the warm starting processor to read their memory.
  • Page 36: System Time Constraints

    The Life Cycle Proof Test ensures that all devices in the safety loop, from sensor to final element, operate correctly. The application of a certified Triguard SC300E System as the logic solver does not remove the requirements for full safety loop proof testing.
  • Page 37: HAZOPs

    All maintenance staff that are required to work on the Safety System will complete a one week maintenance training course and will attend refresher courses every 24 months. All maintenance staff that are required to perform modifications to an installed Triguard SC300E Safety System will attend an additional one week course on Triguard SC300E System Engineering prior to the implementation of the system modifications.
  • Page 38: Failure Reporting

    Each processor, when in normal operation, should have its front key in the run position and the keys removed to further prevent unauthorised access. It is the responsibility of the end user to ensure proper maintenance control of the Triguard SC300E Safety System. 6.5 Failure Reporting All hardware or software failures or faults that occur during the operational life of the Triguard SC300E Safety System must be logged and analysed for their safety impact.
  • Page 39: De-Commissioning

    Before de-commissioning or disposal activity can occur, an impact analysis shall be carried out to assess the impact on the functional safety of the Triguard SC300E System and any adjacent plant or processes that may still be in operation. The de-commissioning plan must fully take into account the results of this analysis.
  • Page 40: Appendix 1 - Safety Networks

    Appendix 1 - Safety Networks. The following networks provide examples of safety network configurations.
    Network 1: Input and Output Call; Fault Call; Single Slot Hot Repair Time-out Shutdown; PIM INIT Fault Shutdown; 2oo3 Watchdog Vote Shutdown
    Network 2: System Repair Time Constraint Shutdown
    Network 3 &...
  • Page 41: Issue 5 - September

    Network 001 - Input Read / Output Write / Mandatory System Diagnostics (Scan Rate 00030 ms, Label 01002, Enabled). [Ladder diagram residue: MPP A and MPP B out-of-sync shutdown, 2oo3 voted diagnostic shutdown; elements 00001, 15829, 6006, 15845, 15846]...
  • Page 42 Network 002 - System Repair Time Constraint and Diagnostic Shutdown (Scan Rate 00030 ms, Label 01004, Enabled). [Ladder diagram residue: global operation time constraint fault, time under constraint timer, timer preset 03600, 1.0 s pulse; elements 6003, 6007, 15853]...
  • Page 43 Network 003 - Individual PLC Diagnostic Annunciation (Scan Rate 00030 ms, Label 01005, Enabled). [Ladder diagram residue: entry in history table, MPP B out of sync, module offline, single slot module operation under time constraint]...
  • Page 44 Network 004 - Common PLC Health Signal (Scan Rate 00030 ms, Label 01006, Enabled). [Ladder diagram residue: entry in history table, data vote error, monitor error, initialise shutdown, system healthy output; elements 9021, 15840, 15841, 15842, 15843, 15827; MPP A, MPP B, MPP C]...
  • Page 45 Network 005 - USR3 example of 1 Hz clock generation (Scan Rate 00030 ms, Label 01001, Enabled). [Ladder diagram residue: global analogue fault 7922; USR3 0.5 second clock on R1212; MOVE to 1 Hz clock R1981; registers R1211, constants 00000, 00001, 00050; elements 6004, 6005]...
  • Page 46 Network 006 - Analogue Alarm Monitoring and Logic Input (Scan Rate 00030 ms, Label 03001, Enabled). [Ladder diagram residue: analogue inputs PI0001A and PI0001B compared against 00920 to give PALL0001A and PALL0001B analogue alarm, fault and logic input; registers R0500, R0501; elements 4500, 4501, 13936]...
  • Page 47 Network 007 - Analogue Alarm Monitoring and Logic Input (Scan Rate 00030 ms, Label 03002, Enabled). [Ladder diagram residue: analogue input PI0001C with fault PI0001C-FLT (13202), comparisons against 04080 and 00920 giving PALL0001C and PAHH0001C alarm, fault and logic input; register R0502; elements 4502, 13938]...
  • Page 48 Network 008 - 2oo3 Analogue Alarm / Analogue Alarm Annunciation and 2oo3 fail-safe logic voting (Scan Rate 00030 ms, Label 05001, Enabled). [Ladder diagram residue: PALL0001A and PALL0001B logic inputs, combined steam header pressure PALL0001, 2oo3 voted shutdown logic input; elements 9022, 3001, 6009, 4500, 4501]...
  • Page 49 Network 009 - Example Shutdown Logic (Scan Rate 00030 ms, Label 05010, Enabled). [Ladder diagram residue: main pump start/stop HS001 (1005) and HS002 (1006) with SV0001 latch 3003; steam inlet valve SV0001 combined shutdown 6009, 9026; PALL0001]...
  • Page 50 Network 010 - Watchdog Outputs (Scan Rate 00030 ms, Label 07001, Enabled). [Ladder diagram residue: watchdog A pulse output 9000 driven from time constraint shutdown 6008, MPP A out of sync 15845 and 1 Hz clock 6005; watchdog B pulse output driven from MPP B out of sync and 1 Hz clock]...
  • Page 51 Network 011 - Chassis Diagnostics to DCS (Scan Rate 00030 ms, Label 01011, Enabled). [Ladder diagram residue: MOVE and GDIA blocks using registers R0478, R0202, R1477, R1478, P1477, R0490; 1.2 second clock; constants 00000, 00001, 0003, 00025; element 1016]...
  • Page 52 Network 012 - Prevent AO outputs being driven below zero and losing health (Scan Rate 00030 ms, Label 01012, Enabled). [Ladder diagram residue: MOVE blocks with constant 00256 into registers R1000 and R1002, with comparisons against 00000 and 00001]...
  • Page 53: Appendix 2 - Time Constraint Table (Low Demand Of Operation)

    Appendix 2 - Time Constraint Table (Low Demand of operation) The following tables detail the actual time constraint time that is required for a certified system, dependent on the maximum number of Safety loop outputs (SIL level 1 to 3) used on a single output module with...
  • Page 54: Appendix 3 - Approved RTTS Versions

    10 Appendix 3 - Approved RTTS Versions
    8.30-001: SC300E Operating system, Identified Version 8.30 LOC SC-300E ROM System-001, Generated 5-MAR-1999 17:16, Checksum 702Dh; U106 - F854h D04Fh; U107 - 026Dh
    8.30-003: SC300E Operating system, Identified Version 8.30 LOC SC-300E ROM System-003, Generated 21-Oct-1999 07:59, Checksum 7045h; U106 -...
  • Page 55: Appendix 4 - RTTS Versions 8.30-005 and Later Versions

    11 Appendix 4 - RTTS versions 8.30-005 and later versions 11.1 System Error Flags for RTTS version 8.30-005 and later versions The following diagnostic flags are available from the ‘FALT’ call and can be incorporated in the system application logic to drive local alarm indicators and be transmitted to other systems or workstations.
  • Page 56: MHB44IND 4 Channel Pulse Input and 4 Channel Analogue Output Module

    11.2 MHB44IND 4 channel pulse input and 4 channel analogue output module. The Piano module may only be used with TriBuild for Windows version 1.42 and RTTS 8.3-006 or above, with the following restrictions. 1. The registers used for the analogue outputs must be initialised to 256 or greater to prevent the module losing health.
  • Page 57: Appendix 5 - RTTS 8.30-007 and 008

    12 Appendix 5 - RTTS 8.30-007 and 008
    12.1 System Identification RTTS 8.30-007: Version 8.30 REM SC-300E ROM System-007, Generated 04-May-2001 12:24. RTTS 8.30/007 is stored in PVCS Version Manager archives using the version label "Version 8.30-007". The part numbers and checksums for the RTTS EPROMs are: Part No.
  • Page 58 12.5 System Identification RTTS 8.30-009: Version 8.30 SC-300E ROM System-009a, Generated 28-Mar-2006 14:36. RTTS 8.30/009 is stored in PVCS Version Manager archives using the version label "Version 8.30-009". The part numbers and checksums for the RTTS EPROMs are:
    Part No. | Checksum
    006-1372-34 | 0FFF...
  • Page 59: Appendix 6 - TUV Approved Part Numbers and Revisions

    Appendix 6 - TUV Approved Part Numbers and Revisions
    13.1 Hardware Approvals. Triguard SC300E - Hardware Components (columns: Model No | Part No | Certification AK5/6 | EN 54)
    Chassis | Chassis | 001-1109-01
    Chassis | Chassis | 001-1209-00-00
    Chassis Power Supply - 110/230Vac | 031-1053-05-02
    Chassis Power Supply - 110/230Vac...
  • Page 60 Triguard SC300E - Hardware Components (columns: Model No | Part No | Certification AK5/6 | EN 54)
    32 channel digital input module - 24Vdc | MDI32BIS | 001-1104-07-03
    32 channel digital input module - 120V AC/DC | MDI32FIS | 001-1157-01-04
    32 channel digital input module - 120V AC/DC...
  • Page 61 Triguard SC300E - Hardware Components (columns: Model No | Part No | Certification AK5/6 | EN 54)
    16 channel analogue input, DIN to ELCO - internal power | TAI16EIC | 099-1275-03-01
    16 channel analogue input, DIN to ELCO - internal power | TAI16EIL | 099-1309-00-01
    16 channel analogue input, DIN to ELCO - internal power...
  • Page 62 Triguard SC300E - Hardware Components (columns: Model No | Part No | Certification AK5/6 | EN 54)
    16 channel digital output, DIN to DIN - internal power - 24Vdc ** future release | TDO16BIN | 099-1339-03-00
    16 channel digital output, DIN to ELCO - internal power - 24Vdc...
  • Page 63: Software Approvals

    13.2 Software Approvals. Triguard SC300E - Software Components (columns: Software and Firmware | Model No | Version | Certification AK 5/6 | EN54)
    RTTS Operating System 3-2-0 | RTTS 8.30-007
    RTTS Operating System 3-2-0 | RTTS 8.30-008
    RTTS Operating System 3-2-0 | RTTS 8.30-009a
    TriBuild SC300E Single User Application Software | TriBuild | V1.42...
  • Page 64 Triguard SC300E - Software Components (columns: Software and Firmware | Model No | Version | Certification AK 5/6 | EN54)
    System Configuration | syscon.a86
    Triguard protocol (peer to peer) | tgprot.lib | 3.21
    TI protocol (mandatory but not to be used) | tiprot.a86 | 5.31
    Network compiler | trigardc.lib | 5.33
    Utilities | utils.a86...
  • Page 65 Triguard SC300E - Software Components (columns: Software and Firmware | Model No | Version | Certification AK 5/6 | EN54)
    FPGA | 006-1354-00
    Quad serial I/O firmware | V1.02 | 006-1355-03
    Quad serial I/O firmware | V1.02 | 006-1356-03
    Quad serial I/O firmware | V1.03 | 006-1355-04
    Quad serial I/O firmware | V1.03...