
MSA SUPREMA - Page 22

387 pages
REV 0, June 2005, Page 22
Operation Manual SUPREMA
2. System Concept
For gas warning systems with higher safety requirements according to EN 61508 SIL 3, the
system can be provided with redundancy by the use of additional modules. Redundant signal
processing has the same structure and functions the same way as standard non-redundant
processing. Communications between the modules proceed over an internal connection, which
is designed as a redundant CAN bus. If one of the two signal processing routes malfunctions,
an error message to this effect appears on the DISPLAY + OPERATION unit (MDO module)
(SYSTEM FAIL). The remaining signal processing channel takes over all of the necessary
functions until the defective module can be replaced. The failure of individual modules does not
lead automatically to the failure of the entire system. Only the functions assigned to the specific
module in question are not available.

At the lower safety requirement levels according to EN 61508, the gas
warning system can be operated via one of the two possible CAN bus connections. Starting
with SIL 3, both CAN bus connections are generally required. In this case, at least two CENTRAL
PROCESSING units (MCP modules) are present, and all of the input and output signals important
for system operation are available in parallel on both CAN buses via additional modules. If
one of these CAN bus connections fails, the fault is signaled by the SYSTEM FAIL
message. The system remains functional by using the remaining CAN bus connection.

The SYSTEM FAIL message causes the SYSTEM FAIL LED to flash and the system
failure relays to change to the failure condition. A permanent SYSTEM FAIL message indicates
an urgent need for service (for example, the malfunction of a module). The switching outputs
of the system failure relays must therefore be connected in such a way that the message is
triggered promptly.
