12P4000模块备件

12P4000

响应时间
假设配置或用户程序逻辑不会导致延迟
HIMax控制器在循环中运行的响应时间是系统循环时间的两倍。
控制器的循环时间由以下主要部件组成：
ƒ输入处理。
-在输入模块上处理输入数据。
-从通信接口读取和处理数据。
-从输入模块读取和处理数据。
ƒ处理用户程序逻辑。
ƒ输出处理。
-将过程数据写入输出模块。
-将过程数据写入通信接口。
-在输出模块上处理输出数据。
ƒ重新加载的终操作的附加处理、附加处理器模块等。
此反应时间适用于周期持续时间等于一个处理器的用户程序
模块循环。如果用户程序周期分布在多个处理器模块上
在循环中，反应时间增加到循环次数乘以双倍反应时间
循环持续时间。有关更多详细信息，请参阅10.2.3章和10.二.11章。
3.3验证试验
验证测试是为检测安全相关系统中的任何隐藏故障而进行的定期测试
以便在必要时，系统可以恢复到能够执行其操作的状态
预期功能。
HIMA安全系统必须每隔10年进行一次验证测试。这
通常可以通过计算和分析已实现的安全回路来延长间隔。
3.3.1验证试验执行
验证测试的执行取决于系统（EUC=设备）如何运行
控制）的配置、其内在风险潜力和适用于
设备操作和测试要求由负责的测试机构批准。
根据IEC 61508 1-7、IEC 61511-3、IEC 62061和VDI/VDE 21801至4页，
安全相关系统的操作员负责执行验证测试。
3.3.2验证试验的频率
HIMA PES可通过测试整个安全回路进行验证测试。
在实践中，输入和输出现场设备需要更短的验证测试间隔
（例如每6个月或12个月）比HIMax控制器的更高。测试整个安全回路
与现场设备一起自动包括HIMax控制器的测试。有
因此，无需对HIMax控制器进行额外的验证测试。
如果现场设备的验证测试不包括HIMax控制器
控制器必须至少每10年进行一次SIL 3测试。这可以通过以下方式实现：
重新启动HIMax控制器。
3.使用PES HIMax的安全概念
20页，共64页HI 801 003 E版本4.00
3.4安全要求
使用车辆的安全相关PES时，必须满足以下安全要求：
HIMax系统：
3.4.1硬件配置
配置HIMax硬件的人员必须遵守以下安全要求。
产品独立需求
ƒ为确保安全相关操作，仅允许使用经批准的故障安全硬件模块和
可以使用软件组件。经批准的硬件模块和软件
组件在中指定
HIMA Paul Hildebrandt提供的HIMax系统模块和固件版本列表
GmbH+Co KG。
新版本可在与测试一起维护的版本列表中找到
权威
ƒ本安全手册中规定的操作要求（见操作章节
要求）有关EMC、机械、化学和气候影响的信息必须：
观察。
产品相关需求
ƒ仅将与电源安全电气隔离的设备连接到系统
供给
ƒ系统手册中详细说明的操作要求，特别是有关
必须遵守电源电压和通风条件。
ƒ只有安全相关模块可用于处理安全相关任务。
3.4.2编程
开发用户程序的人员必须遵守以下安全要求。
产品独立需求
ƒ在安全相关应用中，确保安全相关系统参数：
正确配置。
ƒ这尤其适用于系统配置、大循环时间和安全性
时间
3.4.3使用编程工具的要求
ƒ必须使用SILworX进行编程。
ƒ在SILworX中编译程序两次，并比较两个创建的文件
确保程序已正确编译。
ƒ必须验证应用规范的正确实施，
验证并记录。逻辑的完整测试必须通过试验进行。
ƒ如果用户程序发生变化，至少测试逻辑的所有部分
关注这些变化。
ƒ必须在中定义安全输入和输出模块故障的系统响应
配置应符合系统特定的安全相关条件。
-用户程序中的故障反应
-变量安全初始值的配置
HIMax 3使用PES的安全概念
HI 801 003 E版本4.00，21页，共64页
3.4.4公社

12P4000

12P4000

Response Time Assuming that no delay results from the configuration or the user program logic, the response time of HIMax controllers running in cycles is twice the system cycle time. The cycle time of the controller consists of the following main components: ƒ Input processing. - Processing input data on input module. - Reading process data from communication interfaces. - Reading process data from input modules. ƒ Processing user program logic. ƒ Output processing. - Writing process data to output modules. - Writing process data to communication interfaces. - Processing output data on output modules. ƒ Additional processing of final actions for reloading, additional processor modules, etc. This reaction time applies for user programs with a cycle duration equal to one processor module cycle. If the user program cycle is distributed over multiple processor module cycles, the reaction time increases up to the number of cycles multiplied by the doubled cycle duration. Refer to Chapter 10.2.3 and Chapter 10.2.11 for more details. 3.3 Proof Test A proof test is a periodic test performed to detect any hidden faults in a safety-related system so that, if necessary, the system can be restored to a state where it can perform its intended functionality. HIMA safety systems must be subjected to a proof test in intervals of 10 years. This interval can often be extended by calculating and analyzing the implemented safety loops. 3.3.1 Proof Test Execution The execution of the proof test depends on how the system (EUC = equipment under control) is configured, its intrinsic risk potential and the standards applicable to the equipment operation and required for approval by the responsible test authority. According to IEC 61508 1-7, IEC 61511 1-3, IEC 62061 and VDI/VDE 2180 sheets 1 to 4, the operator of the safety-related systems is responsible for performing the proof tests. 3.3.2 Frequency of Proof Tests The HIMA PES can be proof tested by testing the entire safety loop. In practice, shorter proof test intervals are required for the input and output field devices (e.g., every 6 or 12 months) than for the HIMax controller. Testing the entire safety loop together with a field device automatically includes the test of the HIMax controller. There is therefore no need to perform additional proof tests of the HIMax controller. If the proof test of the field devices does not include the HIMax controller, the HIMax controller must be tested for SIL 3 at least once every 10 years. This can be achieved by restarting the HIMax controller. 3 Safety Concept for Using the PES HIMax Page 20 of 64 HI 801 003 E Rev. 4.00 3.4 Safety Requirements The following safety requirements must be met when using the safety-related PES of the HIMax system: 3.4.1 Hardware Configuration Personnel configuring the HIMax hardware must observe the following safety requirements. Product-Independent Requirements ƒ To ensure safety-related operation, only approved fail-safe hardware modules and software components may be used. The approved hardware modules and software components are specified in the Version List of Modules and Firmware for HIMax Systems from HIMA Paul Hildebrandt GmbH + Co KG. The latest versions can be found in the version list maintained together with the test authority. ƒ The operating requirements specified in this safety manual (see Chapter Operating Requirements) about EMC, mechanical, chemical, climatic influences must be observed. Product-Dependent Requirements ƒ Only connect devices to the system that are safely electrically isolated from the power supply. ƒ The operating requirements detailed in the system manual, particularly those concerning supply voltage and ventilation, must be observed. ƒ Only safety-related modules may be used to process safety-related tasks. 3.4.2 Programming Personnel developing user programs must observe the following safety requirements. Product-Independent Requirements ƒ In safety-related applications, ensure that the safety-relevant system parameters are properly configured. ƒ In particular, this applies to the system configuration, maximum cycle time and safety time. 3.4.3 Requirements for Using the Programming Tool ƒ SILworX must be used for programming. ƒ Compiling the program twice in SILworX and comparing both of the created files ensures that the program was properly compiled. ƒ The correct implementation of the application specifications must be validated, verified and documented. A complete test of the logic must be performed by trial. ƒ In case of a change of the user program, at minimum test all the parts of the logic concerned by the changes. ƒ The system response to faults in the safe input and output modules must be defined in the configuration in accordance with the system-specific safety-related conditions. - Fault reaction in the user program - Configuration of safe initial values for variables HIMax 3 Safety Concept for Using the PES HI 801 003 E Rev. 4.00 Page 21 of 64 3.4.4 Communication ƒ When implementing safety-related communications between the various devices, ensure that the system's overall response time does not exceed the fault tolerance time. All calculations must be performed in accordance with the rules given in 11.2. ƒ The transfer of safety-relevant data through public networks like the Internet is not permitted unless additional security measures have been implemented such as VPN tunnel. ƒ If data are transferred through company-internal networks, administrative or technical measures must be implemented to ensure sufficient protection against manipulation (e. g. using a firewall to separate the safety-relevant components of the network from other networks). ƒ Never use the standard protocols to transfer safety-related data. ƒ All devices to be connected to the communication interfaces must be equipped with safe electrical isolation. 3.4.5 Maintenance Work ƒ Maintenance work must be performed in accordance with the current version of the document "Maintenance Override“ document published by TÜV Rheinland and TÜV Product Service. ƒ Whenever necessary, the operator must consult with the test authority responsible for the final inspection of the system and define administrative measures appropriate for regulating access to the systems.