HIMatrix 3 Safety Concept for Using the PES
HI 800 023 E Rev. 1.01 Page 17 of 72
Ensuring the Safety Function
The planner must make sure that the safety system is able to perform its safety function in
hazardous situations. The safety function is performed when the safety system energizes
one or several actuators and, as a consequence, a safe state is adopted, e.g., a fire
compartment door is closed.
A redundant structure of the safety system components can be required to ensure the
safety function:
- Power supply of the controller.
- Components of the controller: HIMatrix compact controllers, modules, remote I/Os.
When relay outputs are used, HIMA recommends configuring the relay outputs and the
actuators' power supply redundantly.
Reason:
- A relay output has no line monitoring.
- This step can be necessary to achieve the required SIL.
If the components are no longer operating redundantly due to a failure, the failed
component must be repaired at the earliest opportunity.
It is not required to design the safety system components redundantly if, in the event of a
safety system failure, the required safety level can otherwise be achieved, e.g., by
implementing organizational measures.
Detection of Failed System Components
The safety system recognizes that components are not functioning. This is done with:
- Self-tests of the HIMatrix components.
- Line monitoring (short-circuits and open-circuits) with input and output modules. The
modules must be configured accordingly.
- Additional inputs for monitoring the actuators, if required by the project.
The user program must be able to process the corresponding fault statuses and to activate
redundant components.
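The following is an added example, not code from the HIMA manual or from the HIMatrix system, showing how a user program can evaluate the fault statuses listed above and carry the safety function on the remaining redundant path. The status vocabulary, the `OutputPath`/`evaluate` names and the rule that a relay output (no line monitoring) only counts as healthy when an additional actuator-monitoring input confirms it are assumptions made for the illustration; the manual does not prescribe this logic.

```python
"""Added example (not HIMA code): a user-program style evaluation of
component fault statuses for a redundant output structure.

Assumptions (not from the manual): the status vocabulary below, and the
rule that a relay output, which has no line monitoring, is only trusted
when an additional actuator-monitoring input confirms it.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class PathStatus(Enum):
    OK = "ok"                          # module line monitoring reports no fault
    OPEN_CIRCUIT = "open_circuit"      # detected by line monitoring
    SHORT_CIRCUIT = "short_circuit"    # detected by line monitoring
    SELF_TEST_FAIL = "self_test_fail"  # component self-test failed
    UNMONITORED = "unmonitored"        # relay output: no line monitoring available


@dataclass(frozen=True)
class OutputPath:
    name: str
    status: PathStatus
    # Optional extra input that monitors the actuator itself (e.g. a door
    # position contact). None means no such input is wired.
    actuator_feedback_ok: Optional[bool] = None


@dataclass(frozen=True)
class Decision:
    energize: Tuple[str, ...]  # output paths the program drives for the safety function
    redundancy_lost: bool      # at least one path failed: repair at the earliest opportunity
    no_path_available: bool    # every path failed: the safety function cannot be performed


def path_is_healthy(path: OutputPath) -> bool:
    """Decide whether a path may be relied on for the safety function."""
    if path.status in (PathStatus.OPEN_CIRCUIT, PathStatus.SHORT_CIRCUIT,
                       PathStatus.SELF_TEST_FAIL):
        return False
    if path.actuator_feedback_ok is False:
        # Actuator monitoring contradicts the output: treat the path as failed.
        return False
    if path.status is PathStatus.UNMONITORED:
        # Assumption: with no line monitoring, only positive actuator feedback
        # proves the path works.
        return path.actuator_feedback_ok is True
    return True


def evaluate(demand: bool, paths: List[OutputPath]) -> Decision:
    """One cycle of the user program.

    demand    True when the process is in a hazardous situation and the
              safety function must energize the actuators.
    paths     the redundant output paths wired to the actuator(s).
    """
    healthy = tuple(p.name for p in paths if path_is_healthy(p))
    redundancy_lost = len(healthy) < len(paths)
    no_path = len(healthy) == 0
    if not demand:
        # No demand: drive nothing, but still report lost redundancy so the
        # repair can be scheduled before the next demand.
        return Decision((), redundancy_lost, no_path)
    # Demand: energize every healthy path; failed paths are left out and the
    # remaining path(s) carry the safety function alone.
    return Decision(healthy, redundancy_lost, no_path)


if __name__ == "__main__":
    # Constructed sample: a monitored digital output whose line opened, plus a
    # relay output whose actuator feedback confirms it.
    sample = [
        OutputPath("DO1", PathStatus.OPEN_CIRCUIT),
        OutputPath("REL1", PathStatus.UNMONITORED, actuator_feedback_ok=True),
    ]
    print(evaluate(True, sample))
```

The `redundancy_lost` flag is the hook for the repair requirement stated above: it is raised even when no demand is present, so the lost redundancy is reported before the next hazardous situation rather than discovered during it.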
3.2 Time Parameters Important for Safety
Single faults which may lead to a dangerous operating state are detected by the self-test
facilities. Within the controller's safety time, the self-test facilities trigger predefined fault
reactions which bring the faulty components into a safe state.
3.2.1 Fault Tolerance Time (FTT, see DIN VDE 0801, Appendix A1 2.5.3)
The fault tolerance time (FTT) is a property of the process and describes the span of time
during which the process allows faulty signals to exist before the system state becomes
dangerous. A dangerous state can result if the fault exists for longer than the FTT.
3.2.2 Safety Time (of PES)
The safety time is the time period after an internal fault occurred, during which the PES is in
the RUN state and must provide a reaction.
From the process view point, the safety time is the maximum time within which the safety
system must provide a reaction on the output after a change of the input signals (response
time).
Operating system version    Safety time (from ... to)
Versions beyond 7           20 ... 22 500 ms
Versions prior to 7         20 ... 50 000 ms
Table 11: Range of Values for the Safety Time
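An added example, not code from the HIMA manual, that checks a project's time parameters against the two definitions in 3.2 and the ranges of Table 11. Since the FTT is the longest time the process tolerates a faulty signal and the safety time is the longest time the PES may take to react, a safety time longer than the FTT means the reaction can arrive after the process has already become dangerous; the check treats the FTT as an upper bound on the safety time. The function names are assumptions, as is the handling of operating system version 7 itself, which the table's wording ("beyond 7" / "prior to 7") does not assign to either row.

```python
"""Added example (not HIMA code): consistency check of a project's time
parameters against section 3.2 and Table 11.

Assumptions (not from the manual): the function names, and the handling of
operating system version 7 itself, which Table 11 assigns to neither row.
"""
from typing import Dict, List, Tuple

# Table 11 ranges in milliseconds, keyed by the row as worded in the table.
SAFETY_TIME_RANGE_MS: Dict[str, Tuple[int, int]] = {
    "beyond 7": (20, 22_500),
    "prior to 7": (20, 50_000),
}


def table_row_for(os_version: int) -> str:
    """Map an operating system version to its Table 11 row.

    Version 7 itself is neither 'beyond 7' nor 'prior to 7' in the table's
    wording, so it is rejected rather than guessed (assumption: the planner
    resolves it from the version-specific documentation).
    """
    if os_version > 7:
        return "beyond 7"
    if os_version < 7:
        return "prior to 7"
    raise ValueError("Table 11 does not state which row applies to version 7")


def check_time_parameters(os_version: int, safety_time_ms: int,
                          ftt_ms: int) -> List[str]:
    """Return a list of findings; an empty list means the parameters are consistent."""
    findings: List[str] = []
    row = table_row_for(os_version)
    low, high = SAFETY_TIME_RANGE_MS[row]
    if not low <= safety_time_ms <= high:
        findings.append(
            f"safety time {safety_time_ms} ms is outside the range {low}...{high} ms "
            f"for operating system versions {row}")
    if safety_time_ms > ftt_ms:
        # The PES may react as late as the safety time; the process only
        # tolerates a faulty signal for the FTT. Later than that is dangerous.
        findings.append(
            f"safety time {safety_time_ms} ms exceeds the process FTT of {ftt_ms} ms: "
            f"the fault reaction can arrive after the process has become dangerous")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not from any real project.
    for version, st, ftt in ((8, 1_000, 2_000), (8, 30_000, 60_000), (6, 30_000, 20_000)):
        print(version, st, ftt, check_time_parameters(version, st, ftt) or "consistent")
```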