HIMA HIMatrix F30 Safety Manual

3 Safety Concept for Using the PES HIMatrix
Page 18 of 72 HI 800 023 E Rev. 1.01
3.2.3 Multiple Fault Occurrence Time (MOT)
The multiple fault occurrence time is the time span during which the probability that
multiple safety-critical faults will occur is sufficiently low.
The multiple fault occurrence time is set in the operating system to 24 hours.
3.2.4 Response Time
Assuming that no delay results from the configuration or the user program logic, the worst
case reaction time of HIMatrix controllers running in cycles is twice the system cycle time.
The cycle time of the controller consists of the following main components:
Reading the inputs
Processing the user program
Writing to the outputs
Process data communication
Performing test routines
Further, the switching times of the inputs and outputs must be taken into account when
determining the worst case for the overall system.
3.2.5 Processor System Watchdog Time
The watchdog time is set in the menu for configuring the PES properties. This time is the
maximum permissible duration of a RUN cycle (cycle time). If the cycle time exceeds the
preset watchdog time, the CPU enters the STOP/INVALID CONFIGURATION state.
The processor system watchdog time may be set to: ½ * PES safety time.
Operating system version   Range of values for the watchdog time   Default value for the controllers   Default value for the remote I/Os
Versions beyond 7          8...5 000 ms                            200 ms                              100 ms
Versions prior to 7        2...5 000 ms                            50 ms                               10 ms
Table 12: Range of Values for the Watchdog Time
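The timing rules of sections 3.2.4 and 3.2.5 can be checked mechanically before a configuration is loaded. The following is an added example, not part of the HIMA manual or any HIMA tool: the names TimingConfig, check_timing and worst_case_reaction_ms are hypothetical. It assumes that ½ * PES safety time is an upper limit, that "beyond"/"prior to" compare the major version strictly, and that I/O switching times are simply added to the controller's reaction time.

```python
# Added example: sanity-check HIMatrix timing parameters against this section.
from dataclasses import dataclass

# Table 12: permitted watchdog range in ms, keyed by operating system generation.
WATCHDOG_RANGE_MS = {"beyond_7": (8, 5000), "prior_to_7": (2, 5000)}


@dataclass
class TimingConfig:
    os_major: int          # operating system major version
    watchdog_ms: int       # configured processor system watchdog time
    safety_time_ms: int    # configured PES safety time
    cycle_ms: float        # measured worst-case RUN cycle time (hypothetical input)
    io_switching_ms: float = 0.0  # input + output switching times (hypothetical input)


def check_timing(cfg: TimingConfig) -> list[str]:
    """Return a list of findings; an empty list means all checks passed."""
    if cfg.os_major == 7:
        # Table 12 only lists "beyond 7" and "prior to 7".
        raise ValueError("Table 12 does not state a range for version 7")
    key = "beyond_7" if cfg.os_major > 7 else "prior_to_7"
    low, high = WATCHDOG_RANGE_MS[key]
    findings = []
    if not low <= cfg.watchdog_ms <= high:
        findings.append(f"watchdog {cfg.watchdog_ms} ms outside {low}...{high} ms")
    # Assumption: 1/2 * PES safety time is read as the upper limit.
    if cfg.watchdog_ms > cfg.safety_time_ms / 2:
        findings.append("watchdog exceeds 1/2 * PES safety time")
    # A cycle longer than the watchdog time sends the CPU to STOP/INVALID CONFIGURATION.
    if cfg.cycle_ms > cfg.watchdog_ms:
        findings.append("cycle time exceeds watchdog: CPU would enter STOP")
    return findings


def worst_case_reaction_ms(cfg: TimingConfig) -> float:
    """Twice the cycle time, plus I/O switching times (summing is an assumption)."""
    return 2 * cfg.cycle_ms + cfg.io_switching_ms


if __name__ == "__main__":
    # Constructed sample values, not taken from a real plant.
    ok = TimingConfig(os_major=8, watchdog_ms=200, safety_time_ms=400,
                      cycle_ms=35.0, io_switching_ms=10.0)
    bad = TimingConfig(os_major=8, watchdog_ms=5, safety_time_ms=8, cycle_ms=6.0)
    print(check_timing(ok), worst_case_reaction_ms(ok))
    print(check_timing(bad))
```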
3.3 Proof Test
A proof test is a periodic test performed to detect any hidden faults in a safety-related
system so that, if necessary, the system can be restored to a state where it can perform its
intended functionality.
HIMA safety systems must be subjected to a proof test in intervals of 10 years. This interval
can often be extended by calculating and analyzing the implemented safety loops.
With remote I/Os and modules with relay outputs, the proof test for the relay must be
performed in the intervals defined for the plant.
3.3.1 Proof Test Execution
The execution of the proof test depends on how the system (EUC = equipment under
control) is configured, its intrinsic risk potential and the standards applicable to the
equipment operation and required for approval by the responsible test authority.
According to IEC 61508 1-7, IEC 61511 1-3, IEC 62061 and VDI/VDE 2180 sheets 1 to 4,
the operator of the safety-related systems is responsible for performing the proof tests.
3.3.2 Frequency of Proof Tests
The HIMatrix controller can be proof tested by testing the entire safety loop.
