Additional System Documentation

In addition to this manual, the following documents for configuring HIMax systems are also available:

Name | Content | Document no. (D = German, E = English)
HIMax System Manual | Hardware description of the modular system | HI 801 000 D, HI 801 001 E
Certified test report 1) | Test principles, safety requirements, results | (supplied with the system)
Manuals for the Components | Description of the individual components | (see the individual manuals)
Communication Manual | safeethernet and standard protocols | HI 801 100 D, HI 801 101 E
SILworX First Steps Manual | Use of SILworX for engineering, starting up, testing and operating the HIMA systems | HI 801 102 D, HI 801 103 E

1) Only supplied with the HIMax system

Table 8 Overview System Documentation

The documents are available as PDF files on the HIMA website at www.hima.com.

3 Safety Concept for Using the PES  Page 14 of 64  HI 801 003 E Rev. 4.00

3 Safety Concept for Using the PES

This chapter contains important general items on the functional safety of HIMax systems:

- Safety and availability
- Time parameters important for safety
- Proof test
- Safety requirements
- Certification

3.1 Safety and Availability

No imminent danger results from the HIMax systems.

DANGER
Physical injury caused by safety-related automation systems that are improperly connected or programmed.
Check all connections and test the entire system before starting up!

HIMA strongly recommends replacing failed modules as soon as possible. A replacement module that is used instead of a failed one starts operation with no operator action. It adopts the function of the failed module, provided that it is of the same type or is an approved replacement model.

3.1.1 Calculating the PFD and the PFH Values

The PFD and the PFH values have been calculated for the HIMax systems in accordance with IEC 61508. HIMA will gladly provide the PFD, PFH and SFF values upon request.

A proof test interval of 10 years has been defined for the HIMax systems (offline proof test, see IEC 61508-4, paragraph 3.8.5).

The safety functions, consisting of a safety-related loop (input, processing unit, output and safety communication among HIMA systems), meet the requirements described above in all combinations.

3.1.2 Self-Test and Fault Diagnosis

The operating system of the modules executes several self-tests at start-up and during operation. The following components are tested:

- Processors
- Memory areas (RAM, non-volatile memory)
- Watchdog
- Connections between modules
- Individual channels of the I/O modules

If faults are detected during these tests, the defective module or the defective channel of the I/O module is switched off. If the tests detect a module fault while the module is starting up, the module will not begin to operate. In non-redundant systems, this means that sub-functions or even the entire PES will shut down. If a failure is detected within a redundant system, the redundant module or redundant channel takes over the function to be performed.

All HIMax modules are equipped with LEDs to indicate that faults have been detected. This allows the user to quickly diagnose faults in a module or in the external wiring if a fault is reported. Further, the user program can also be used to evaluate various system variables that report the module status.

An extensive diagnostic record of the system's performance and detected faults is logged and stored in the diagnostic memory of the processor module or that of other modules. After a system fault, the recorded data can be read using the PADT. For more information on evaluating diagnostic messages, see "Diagnostics" in the System Manual (HI 801 001 E).

For a very small number of component failures that do not affect safety, the HIMax system does not provide any diagnostic information.

3.1.3 PADT

Using the PADT, the user creates the program and configures the controller. The safety concept of the PADT supports the user in the correct implementation of the control task. The PADT takes numerous measures to check the entered information.

3.1.4 Redundancy

To improve availability, all parts of the system containing active components can be set up redundantly and, if necessary, replaced while the system is operating. Redundancy does not impair safety. SIL 3 is still guaranteed even if system components are used redundantly.

3.1.5 Structuring Safety Systems in Accordance with the Energize to Trip Principle

Safety systems operating in accordance with the 'energize to trip' principle, e.g., fire alarm and fire-fighting systems, have the following safe states:

1. Safe state in the event of system shutdown.
2. State entered on demand, i.e., when performing the safety function. In such a case, the actuator is activated.

Observe the following points when structuring safety systems in accordance with the energize to trip principle:

- Ensuring the safety function in hazardous situations.
- Detection of failed system components and reaction:
  - Failure notification.
  - Automatic switching to redundant components, if necessary and possible.

Ensuring the Safety Function

The planner must make sure that the safety system is able to perform its safety function in hazardous situations. The safety function is performed when the safety system energizes one or several actuators and, as a consequence, a safe state is adopted, e.g., a fire compartment door is closed.

A redundant structure of the safety system components can be necessary to ensure the safety function; refer to the System Manual (HI 801 001 E) for further details:

- Power supply of the controller.
- Components of the controller: HIMax modules.

When relay outputs are used, HIMA recommends configuring the relay outputs and the actuators' power supply redundantly. Reason:

- A relay output has no line monitorin |