2. Safety Manual

8/13/2019 2. Safety Manual http://slidepdf.com/reader/full/2-safety-manual 1/25

User's Manual

Safety Manual

IM 32S01S10-01E

IM 32S01S10-01E 1st Edition


Introduction

This document presents the safety requirements when using the safety system with the ProSafe-RS. The safety application that meets the requirements of SIL3 of the IEC61508 standard can be realized by following these requirements.

The conformity of the ProSafe-RS to the requirements of SIL3 of the IEC61508 has been certified by TÜV Industrial Services GmbH Business Sector ASI (http://tuvasi.com/), TÜV Rheinland Group. The contents of this safety manual have also been approved by TÜV. For the proper use of the ProSafe-RS, refer also to the user's documents shown on our Web site (http://www.yokogawa.com/iss/).

1. Safety lifecycle

This chapter explains the overview of the safety lifecycle for the safety system.

2. System considerations

This chapter explains the details of the safety considerations for building the safety system with the ProSafe-RS.

Abbreviations

The following table lists the abbreviations used in this safety manual.

Table Abbreviations

Abbreviation  Definition                             Remarks
AI            Analog Input
CPU           Central Processing Unit
DI            Digital Input
DO            Digital Output
ENG           Engineering Personal Computer          Device of CS 3000
FB            Function Block                         Element used in FBD/LD
FBD           Function Block Diagram                 IEC 61131-3 Language
FCS           Field Control Station                  Device of CS 3000
FU            Function                               Element used in FBD/LD
HIS           Human Interface Station                Device of CS 3000
I/O           Input/Output
LD            Ladder Diagram                         IEC 61131-3 Language
SCS           Safety Control Station                 Device of ProSafe-RS system
SENG          Safety Engineering Personal Computer   Device of ProSafe-RS system
SIL           Safety Integrity Level                 Defined by IEC 61508
CS 3000       Designation of the Yokogawa Electric product, Integrated Production Control System CENTUM
PFD           Probability of Failure on Demand       Defined by IEC 61508

1st Edition : Mar.25,2005-00
Media No. IM 32S01S10-01E (CD) 1st Edition : Mar. 2005 (YK) All Rights Reserved Copyright © 2005, Yokogawa Electric Corporation


ProSafe-RS Document Map (figure; only the labels survive extraction)

Manuals shown: Read Me First; Safety Manual (IM 32S01S10-01E); Installation; Safety Control Stations (Hardware); Safety System Software Installation; Workbench User's Guide; Engineering Guide; Engineering Reference; Utilities and Maintenance Reference; Messages; Integration with CENTUM CS 3000; Communication Devices; Open Interfaces; Software Help.

Manual numbers shown: IM 32S01C10-01E, IM 32S01C50-01E, IM 32S06C10-01E, IM 32S06H10-01E, IM 32S05B10-01E, IM 32S02B10-01E, IM 32S01E10-01E, IM 32S04B20-01E, IM 32S03B10-01E, IM 32S04B10-01E, IM 32S01S10-01E.


Safety Precautions

Safety, Protection, and Modification of the Product

• In order to protect the system controlled by the product and the product itself and ensure safe operation, observe the safety precautions described in this user's manual. We assume no liability for safety if users fail to observe these instructions when operating the product.

• If this instrument is used in a manner not specified in this user's manual, the protection provided by this instrument may be impaired.

• If any protection or safety circuit is required for the system controlled by the product or for the product itself, prepare it separately.

• Be sure to use the spare parts approved by Yokogawa Electric Corporation (hereafter simply referred to as YOKOGAWA) when replacing parts or consumables.

• Modification of the product is strictly prohibited.

• The following symbols are used in the product and user's manual to indicate that there are precautions for safety:

Indicates that caution is required for operation. This symbol is placed on the product to refer the user to the user's manual in order to protect the operator and the equipment. In the user's manuals you will find precautions to avoid physical injury or death of the operator, including electrical shocks.

Identifies a protective grounding terminal. Before using the product, ground the terminal.

Identifies a functional grounding terminal. Before using the product, ground the terminal.

Indicates an AC supply.

Indicates a DC supply.

Indicates that the main switch is ON.

Indicates that the main switch is OFF.


Notes on Handling User's Manuals

• Please hand over the user's manuals to your end users so that they can keep the user's manuals on hand for convenient reference.

• Please read the information thoroughly before using the product.

• The purpose of these user's manuals is not to warrant that the product is well suited to any particular purpose but rather to describe the functional details of the product.

• No part of the user's manuals may be transferred or reproduced without prior written consent from YOKOGAWA.

• YOKOGAWA reserves the right to make improvements in the user's manuals and product at any time, without notice or obligation.

• If you have any questions, or you find mistakes or omissions in the user's manuals, please contact our sales representative or your local distributor.

Warning and Disclaimer

The product is provided on an "as is" basis. YOKOGAWA shall have neither liability nor responsibility to any person or entity with respect to any direct or indirect loss or damage arising from using the product or any defect of the product that YOKOGAWA can not predict in advance.

Notes on Software

• YOKOGAWA makes no warranties, either expressed or implied, with respect to the software's merchantability or suitability for any particular purpose, except as specified in the terms of warranty.

• This product may be used on one machine only. If you need to use the product on another machine, you must purchase another product.

• It is strictly prohibited to reproduce the product except for the purpose of backup.

• Store the CD-ROM, the original medium, in a safe place.

• It is strictly prohibited to perform any reverse-engineering operation, such as reverse compilation or reverse assembling, on the product.

• No part of the product may be transferred, converted or sublet for use by any third party without prior written consent from YOKOGAWA.


Documentation Conventions

Typographical Conventions

The following typographical conventions are used throughout the user's manuals:

Commonly used conventions throughout user's manuals:

Character string to be entered:
The characters that must be entered are shown in monospace font as follows:
Example: FIC100.SV=50.0

“∆” Mark
Indicates a space between character strings that must be entered.
Example: Calling the tuning window with the tag name of S0001 on HIS (Human Interface Station of the integrated CS 3000);

Character string enclosed by brackets ({ }):
Indicates an option that can be omitted.
Example: Parameters for calling the tuning windows on HIS.
Tag name ∆TUN {∆-window size} {∆=Display position}

Conventions used to show key or button operations:

Characters enclosed by brackets ([ ]):
Characters enclosed by brackets within any description on a key or button operation indicate either a key on the keyboard, a button name on a window, or an item displayed on a window.
Example: Click the [OK] button.

Conventions of User Defined Folder

User-Defined Folder Name
If the name and the path of a folder can be defined by users, the folder will be described in a pair of parentheses.
Example: (RS Project Folder)\SCS0101
If the RS project folder is C:\MYRSPJT, the above path becomes: C:\MYRSPJT\SCS0101


Symbol Marks

Throughout this user's manual, you will find that several different types of symbols are used to identify different sections of text. This section describes these icons.

CAUTION

Identifies instructions that must be observed in order to avoid physical injury and electric shock or death of the operator.

WARNING

Identifies instructions that must be observed in order to prevent the software or hardware from being damaged or the system from becoming faulty.

IMPORTANT

Identifies important information required to understand operations or functions.

Identifies additional information.

SEE ALSO

Identifies a source to be referred to.

Clicking a reference displayed in green can call up its source, while clicking a reference displayed in black cannot.

Drawing Conventions

Some drawings may be partially emphasized, simplified, or omitted, for the convenience of description.

Some screen images depicted in the user's manual may have different display positions or character types (e.g., the upper / lower case). Also note that some of the images contained in this user's manual are display examples.

Integration with CENTUM CS 3000

ProSafe-RS is generally applied in an integrated CENTUM CS 3000 system. In the user's manuals, CENTUM CS 3000 is normally referred to as CS 3000.

SEE ALSO For more information about integrating ProSafe-RS as a component in a CENTUM CS 3000 system, see the user's manuals, TI, GS and other CENTUM CS 3000 related documents.


Copyright and Trademark Notices

All Rights Reserved

The copyrights of the programs and online manual contained in the CD-ROM are reserved.

The online manual is protected by the PDF security from modification; however, it can be output via a printer. Printing out the online manual is only allowed for the purpose of using the product. When using the printed information of the online manual, check if the version is the most recent one by referring to the CD-ROM's version. No part of the online manual may be transferred, sold, distributed (including delivery via a commercial network or the like), or registered or recorded on video tapes.

Trademark Acknowledgments

• CENTUM and ProSafe are registered trademarks of YOKOGAWA.

• Microsoft, Windows, Visual Basic and Visual C++ are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

• Adobe, Acrobat and Acrobat Reader are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries.

• Ethernet is a registered trademark of XEROX Corporation.

• Modicon and Modbus are registered trademarks of Schneider Electric.

• … is a registered trademark of Rockwell Automation, Inc.

• All other company and product names mentioned in this user's manual are trademarks or registered trademarks of their respective companies.

• We do not use the ™ or ® mark to indicate those trademarks or registered trademarks in this user's manual.


ProSafe-RS Safety Manual

IM 32S01S10-01E 1st Edition

CONTENTS

1 Safety lifecycle ........................................................ 1-1

2 System Considerations ................................................... 2-1
  2.1 Overview of ProSafe-RS ............................................... 2-1
  2.2 Hardware Structure ................................................... 2-2
  2.3 Application Development .............................................. 2-6
  2.4 Security ............................................................. 2-9
  2.5 On-line Change ....................................................... 2-10
  2.6 Forcing .............................................................. 2-11
  2.7 Maintenance Override ................................................. 2-12
  2.8 Replacement of Modules in SCS ........................................ 2-1

Appendix A Product Support ................................................ App.A-


1. Safety lifecycle

The standard requires the use of the safety lifecycle for the achievement of functional safety. This chapter explains the overview of the safety lifecycle for the safety system.

Overview of the Safety Lifecycle

The safety lifecycle, which consists of sixteen phases that start at the concept phase of a project and finish when all of the safety functions are no longer available for use, defines the necessary activities for the phases. As the safety lifecycle is considered as a framework to minimize the systematic failure caused by human errors, persons involved in the implementation of the safety functions need to understand the requirements of the safety lifecycle well and follow it.

As part of the safety lifecycle, the planning phases for operation and maintenance, safety validation, and installation and commissioning are required prior to the actual implementation phases. This is because adequate preparations that include the procedures and measures derived from the impact analysis are important to ensure functional safety and/or to prevent an unsafe state during the implementation.

The standard also requires that the functional safety management runs in parallel with the safety lifecycle phases, with emphasis on the importance of the documentation. The information about all activities and the results of each phase needs to be documented in such a way that the descriptions are accurate and easy to understand for users. The document of a phase is used as an input of the subsequent phase of the safety lifecycle in principle. This makes it possible to maintain the consistency of the lifecycle and trace the activities afterward.

Another aspect of the functional safety management is to manage competence. The organizations and/or persons involved in the safety lifecycle must be competent for the activities that they have responsibilities for. Adequate experience and training are necessary for this purpose.

This safety manual provides information for all planning phases of the safety lifecycle to ensure the correct use of ProSafe-RS to reach the aimed safety integrity by the end user.


2. System Considerations

This chapter provides the details of the safety considerations for building the safety system with the ProSafe-RS.

2.1 Overview of ProSafe-RS

This section explains the overview of ProSafe-RS.

Overview of ProSafe-RS

The ProSafe-RS is the safety system consisting of the safety controller, SCS, and the engineering and maintenance PC, SENG. The minimum configuration includes one SCS and one SENG.

Figure Example of System Configuration (figure 020101E.ai; labels on the drawing: V net; CENTUM CS 3000 with HIS, ENG and FCS; ProSafe-RS with SENG and two SCSs; Engineering • Maintenance; Safety comm. btw. SCSs; Alarm)

The single configuration, in which a safety loop consists of one input module, one CPU module and one output module, can be used for the application that meets the requirements of SIL3 of the IEC61508 standard. To increase the availability, CPU modules and/or I/O modules can be duplexed (duplex configuration).

Inter-SCS safety communication allows a safety loop that meets the requirement of SIL3 to be built between different SCSs connected via V net.

The ProSafe-RS can be integrated seamlessly into the CS 3000 on one V net, and the SCSs can be monitored together with the CS 3000 by its operator on the window of HIS.

Safety Application

It is assumed that the ProSafe-RS is primarily used for the following safety applications. The use of the ProSafe-RS conforming to the standards for each application is also certified. For the details of the requirements, refer to each standard.

• ESD (Emergency Shutdown System) / PSD (Process Shutdown System)

• F&G (Fire and Gas detection System: EN54, NFPA72)

• BMS (Burner Management System: …, …, …, pr…)


2.2 Hardware Structure

This section explains the hardware structure.

Safety and Availability

The single configuration, in which a safety loop consists of one input module, one CPU module and one output module, can be used for the application that meets the requirements of SIL3. For the models and revisions of each module, refer to our Website (http://www.yokogawa.com/iss/).

To increase the availability, CPU modules and/or I/O modules can be duplexed (duplex configuration). When a fault is detected in one module of the duplex configuration, the other module gets control to continue the operation.

SCS Hardware

SCS Basic Components

The basic components of the SCS hardware include the following.

• Safety Control Unit

- CPU Module

- Power Supply Module (Duplex)

- Communication Module between CPU module and I/O module (Duplex)

- Equipment for V net communication (Duplex)

• Node Unit

- Power Supply Module (Duplex)

- ESB Bus Slave Interface Module (Duplex)

I/O Modules

The following table lists the I/O modules used for the ProSafe-RS system. Use safety modules for safety loops.

Table Safety I/O Module List

Digital Input Module (24 V DC)
Digital Output Module (24 V DC)
Analog Input Module (4-20 mA)
Analog Input Module (1-5 V/1-10 V)
Serial Communication Module (RS-232C) (*1)
Serial Communication Module (RS-422/RS-485) (*1)

*1: Interference free

Environmental Requirements

Refer to ProSafe-RS Installation Guidance (TI 32S01J10-01E) for the details of the environmental conditions of the ProSafe-RS and the connection with external devices.


Fault Detection and Reaction

Basic Behaviour

CPU modules and I/O modules are diagnosed by the hardware and software periodically. Errors in communication between the CPU module and I/O modules and in Inter-SCS communication can be detected by various measures.

When an error is detected, the failsafe value is used as the output value and a diagnostic information message is issued. The diagnostic information message, which is delivered to the SENG and, in the ProSafe-RS/CS 3000 integration structure, to the HIS via the V net, is useful for identifying the detail and the cause of the error.

In the duplex configuration, the other module that is working normally gets control to continue the operation. The diagnostic information message that is issued at the same time helps identify the error location.

The user can define the behavior of the system when a fault is detected in an I/O module. The following section describes the details.

Diagnosis and Reaction

This section explains the fault detection and reaction of the system in the single configuration. In the duplex configuration, the other module that is working normally gets control to continue the operation.

• CPU Module

The major components in the CPU module are duplicated, and their operation results are always compared between the two of each pair. This enables a fault to be detected in a very short time. The detection of a fault causes a shutdown of the CPU module. Accordingly, the output module detects a communication halt of the CPU module and outputs the failsafe value predefined for each channel.

• Input Module

Diagnostic tests of input modules are performed by the firmware periodically. When one of the following faults is detected, the state of the input channel becomes fail and a predefined value (input value for a fault) is transferred to the application logic. Consequently, a fault in an input module, as well as a demand (change in an input value), can be handled by the application logic.

- Fault in the common part of an input module

- Fault in an input channel

- Failure in communication between an input module and a CPU module

• Output Module

Diagnostic tests of output modules are performed by the firmware periodically. When one of the following faults is detected, all the output channels are forcibly turned OFF (0).

- Fault in the common part of an output module

- Stuck-at-one, the case where the output cannot be turned OFF

In the case of a fault in communication between an output module and a CPU module, or of faults other than the above, the failsafe value for each channel is output.


• Diagnosis of Field Wiring

The diagnostic function is provided to detect a break and a short circuit in the wiring between field devices and I/O modules.

The behavior after detection of a fault is the same as in the case of a fault in a channel of a digital I/O module.

For this diagnosis with a DI module, connect the dedicated diagnostic adaptor to the wiring close to the field device. The diagnostic adaptors are provided for “Normally Energized” and for “Normally De-energized” respectively.

• Inter-SCS Safety Communication

The receiver side SCS can detect a failure caused by a fault in the SCS or in the relay devices on the communication path.

When a failure in Inter-SCS safety communication is detected, the predefined value is transferred to the application logic of the receiver side SCS. This is implemented by the dedicated FB for inter-SCS safety communication.

System Timing

System Reaction Time

The system reaction time of SCS includes the reaction time for the external demand and the reaction time when a fault is detected in the SCS. The system reaction time is within double the scan period in principle. However, the system reaction time for the following cases is different. For the details, refer to ProSafe-RS Engineering Guide (IM 32S01C10-01E).

• A fault is detected in the communication between the CPU module and I/O modules

• The occurrence of a break or short circuit in the field wiring connected with the DI module

• A fault is detected in the inter-SCS safety communication

Process Safety Time

The process safety time, which depends on each process, is the period from the occurrence of a fault in the process until the process enters a dangerous state. The safety system needs to transfer the process to a safe state within the process safety time after an external demand occurs.

The reaction time of the safety system, which is the total of the reaction times of the sensor, actuator, and safety controller, needs to be shorter than the process safety time. Consider the system reaction time of SCS as the reaction time of the safety controller.

PFD Calculation

The ProSafe-RS has been designed to meet the requirement for PFD of SIL3, which is defined as a fraction of 10^-4 to 10^-3 in the IEC61508, with the condition that the interval between proof tests is ten years. For further information on this, refer to ProSafe-RS Engineering Guide (IM 32S01C10-01E).


Check list for Hardware Engineering

Table Check list for Hardware Engineering

No.  Description                                                                                    Check
1    Have the modules for safety and the ones for non-safety been used appropriately?
2    Have the devices and wiring been installed according to ProSafe-RS Installation Guidance (TI 32S01J10-01E)?
3    Has the mechanism of the fault detection and reaction been understood?
4    For diagnosis of the field wiring of DI modules, has the dedicated adaptor for wiring diagnostics been connected?
5    Have the system reaction time and the process safety time been understood?

SEE ALSO For each No. of the Check list, see the following:

“2.2 Hardware Structure, SCS Hardware”.


2.3 Application Development

This section explains the considerations at the application development.

Parameter Settings

To ensure the correct operation of the system, the proper parameters are to be defined with the engineering function.

Scan Period

A safety application runs at intervals of a defined scan period. Determine a scan period to meet the requirement for the process safety time.
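The scan period chosen here and the rules in 2.2 "System Timing" and "PFD Calculation" fit together as one timing budget. The following Python functions are an added example, not code from the manual or from Yokogawa: the function names, the sample figures and the assumption that the sensor and actuator delays are known are mine. The bands other than SIL3 in sil_from_pfd come from the IEC 61508 low-demand table and go beyond what the manual states.

```python
"""Timing budget and PFD band checks for one safety loop.

Added example, not Yokogawa code: the function names, the sample figures and
the assumption that sensor and actuator delays are known are mine. The rules
it encodes are the manual's: the SCS system reaction time is twice the scan
period in principle; the loop reaction time (sensor + SCS + actuator) must be
shorter than the process safety time; SIL3 means a PFD between 10^-4 and 10^-3.
The other bands in sil_from_pfd are the IEC 61508 low-demand table and go
beyond what the manual states.
"""
from typing import Optional


def system_reaction_time(scan_period_ms: float, override_ms: Optional[float] = None) -> float:
    """SCS reaction time, 2 x scan period in principle. The manual lists cases
    (CPU-I/O communication fault, DI wiring fault, inter-SCS fault) whose
    reaction time differs; pass that figure from the Engineering Guide as
    override_ms to budget for the worst case instead."""
    return override_ms if override_ms is not None else 2.0 * scan_period_ms


def loop_reaction_time(sensor_ms: float, scan_period_ms: float, actuator_ms: float,
                       override_ms: Optional[float] = None) -> float:
    """Sensor + safety controller (SCS) + actuator: the figure compared with the PST."""
    return sensor_ms + system_reaction_time(scan_period_ms, override_ms) + actuator_ms


def meets_process_safety_time(pst_ms: float, sensor_ms: float, scan_period_ms: float,
                              actuator_ms: float, override_ms: Optional[float] = None) -> bool:
    """True when the loop reaches the safe state strictly inside the process safety time."""
    return loop_reaction_time(sensor_ms, scan_period_ms, actuator_ms, override_ms) < pst_ms


def max_scan_period(pst_ms: float, sensor_ms: float, actuator_ms: float,
                    safety_factor: float = 1.0) -> float:
    """Largest scan period whose 2 x scan reaction still fits in what the PST
    leaves after the sensor and actuator delays; safety_factor > 1 keeps margin."""
    budget_ms = pst_ms - sensor_ms - actuator_ms
    if budget_ms <= 0:
        raise ValueError("sensor and actuator delays already exceed the process safety time")
    return budget_ms / (2.0 * safety_factor)


def sil_from_pfd(pfd: float) -> int:
    """Low-demand SIL band for an average PFD (0 means below SIL1)."""
    if 1e-5 <= pfd < 1e-4:
        return 4
    if 1e-4 <= pfd < 1e-3:
        return 3
    if 1e-3 <= pfd < 1e-2:
        return 2
    if 1e-2 <= pfd < 1e-1:
        return 1
    return 0


if __name__ == "__main__":
    # Constructed figures: PST 2000 ms, sensor 300 ms, actuator 700 ms.
    print("max scan period (ms):", max_scan_period(2000, 300, 700, safety_factor=2.0))
    print("400 ms scan fits PST:", meets_process_safety_time(2000, 300, 400, 700))
    print("SIL band for PFD 5e-4:", sil_from_pfd(5e-4))
```

The check is deliberately strict (`<` rather than `<=`) and takes the nominal 2 x scan figure only as the default, so a reviewer budgeting for one of the exceptional cases the manual lists supplies the Engineering Guide figure explicitly.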

Input Value for a Fault and Failsafe Value

Define the input value to the application logic when a fault in an input module is detected (input value for a fault) and the output value from a DO module when a fault in a CPU or DO module is detected (failsafe value). They can be individually defined on each channel.

Attention needs to be paid to defining these values, since they may determine the safety state of the system. 0 for a De-energize to trip system and 1 for an Energize to trip system is generally used, though it depends on the application. If using another value, an immediate repair after a failure occurs should be taken into account.

Activation of Output Shutoff Switch

The Output Shutoff Switch in the DO module is a common switch to all channels and is normally closed. The switch is activated to shut off all channels of the DO module when a stuck-at-one fault (the channel cannot output OFF) is detected by the diagnostic test, if the setting of the channel is the default value.

The behavior of the Output Shutoff Switch is definable per channel. Select the default value for all channels of a safety application, which activates the switch when the fault mentioned above is detected in a channel.
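The reaction rules of 2.2 "Fault Detection and Reaction" and the three parameters above (input value for a fault, failsafe value, Output Shutoff Switch setting) decide what actually reaches the field when something fails. The following Python model is an added example, not code from the manual or from Yokogawa: the class and function names, the trip logic and the sample tags are constructed for this illustration, and it covers only the single configuration.

```python
"""Model of the fault reaction rules stated in 2.2 "Fault Detection and
Reaction" and in the parameter settings above.

Added example, not Yokogawa code: the class and function names, the trip
logic and the sample tags are constructed for this illustration. Rules
implemented, as the manual states them:
  - fault in an input channel, in the common part of an input module, or in the
    communication with the CPU: the channel state becomes "fail" and the
    configured input value for a fault is handed to the application logic;
  - CPU shutdown, or loss of communication with the DO module: each DO channel
    outputs its configured failsafe value;
  - fault in the common part of a DO module, or a stuck-at-one channel: all
    channels are turned OFF (0) through the Output Shutoff Switch while the
    channels keep the default setting; with a non-default setting the general
    rule (failsafe value per channel) applies instead.
"""
from dataclasses import dataclass
from enum import Enum, auto


class Fault(Enum):
    NONE = auto()
    INPUT_CHANNEL = auto()   # fault in an input channel (a detected wiring fault behaves the same)
    INPUT_COMMON = auto()    # fault in the common part of an input module
    INPUT_COMM = auto()      # communication failure between input module and CPU module
    CPU = auto()             # CPU module shut down after a compare mismatch
    OUTPUT_COMM = auto()     # communication failure between DO module and CPU module
    OUTPUT_COMMON = auto()   # fault in the common part of a DO module
    STUCK_AT_ONE = auto()    # a DO channel that cannot be turned OFF


INPUT_FAULTS = {Fault.INPUT_CHANNEL, Fault.INPUT_COMMON, Fault.INPUT_COMM}
SHUTOFF_FAULTS = {Fault.OUTPUT_COMMON, Fault.STUCK_AT_ONE}
FAILSAFE_FAULTS = {Fault.CPU, Fault.OUTPUT_COMM} | SHUTOFF_FAULTS


@dataclass
class InputChannel:
    value_for_fault: int = 0   # de-energize-to-trip convention: 0 is the safe value

    def read(self, raw: int, fault: Fault) -> tuple:
        """Return (channel state, value delivered to the application logic)."""
        if fault in INPUT_FAULTS:
            return ("fail", self.value_for_fault)
        return ("normal", raw)


@dataclass
class OutputModule:
    failsafe: dict                        # failsafe value per DO channel number
    shutoff_switch_default: bool = True   # default setting: switch acts on shutoff faults

    def outputs(self, requested: dict, fault: Fault) -> dict:
        """Values that actually appear on the DO channels under a given fault."""
        if fault in SHUTOFF_FAULTS and self.shutoff_switch_default:
            return {ch: 0 for ch in requested}
        if fault in FAILSAFE_FAULTS:
            return {ch: self.failsafe[ch] for ch in requested}
        return dict(requested)


def trip_logic(inputs: dict) -> dict:
    """Constructed de-energize-to-trip logic: DO channel 1 stays energized (1)
    only while every monitored input reads 1 (healthy); any 0 trips it."""
    return {1: 1 if all(v == 1 for v in inputs.values()) else 0}


def run_scan(raw_inputs: dict, input_fault: Fault = Fault.NONE,
             output_fault: Fault = Fault.NONE, value_for_fault: int = 0,
             failsafe: int = 0, shutoff_default: bool = True) -> dict:
    """One scan: read inputs with fault substitution, run the logic, apply DO rules."""
    di = InputChannel(value_for_fault)
    app_inputs = {tag: di.read(raw, input_fault)[1] for tag, raw in raw_inputs.items()}
    do = OutputModule(failsafe={1: failsafe}, shutoff_switch_default=shutoff_default)
    return do.outputs(trip_logic(app_inputs), output_fault)


def review_trip_values(values: dict, energize_to_trip: bool = False) -> list:
    """List the channels whose input value for a fault or failsafe value differs
    from the value the manual calls usual (0 for de-energize to trip, 1 for
    energize to trip); those channels need an immediate-repair arrangement."""
    usual = 1 if energize_to_trip else 0
    return [name for name, v in values.items() if v != usual]


if __name__ == "__main__":
    healthy = {"PSH_101": 1, "LSH_102": 1}   # constructed input tags
    print("normal scan     :", run_scan(healthy))
    print("input fault     :", run_scan(healthy, input_fault=Fault.INPUT_CHANNEL))
    print("CPU fault, FS=1 :", run_scan(healthy, output_fault=Fault.CPU, failsafe=1))
    print("stuck-at-one    :", run_scan(healthy, output_fault=Fault.STUCK_AT_ONE, failsafe=1))
    print("needs attention :", review_trip_values({"DI1": 0, "DO1": 1}))
```

Running the four scans side by side makes the manual's point visible: with the default settings and 0 as the configured values, every fault class ends in the de-energized state, while a non-zero failsafe value or a non-default shutoff setting keeps an output energized through a CPU or module fault, which is exactly the case the manual says must be covered by an immediate-repair arrangement.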

Diagnostics of Field Wiring

Define whether to perform the diagnostic tests of field wiring on each channel of a digital module.

Time-Out Time for Inter-SCS Safety Communication

Define the proper time-out time of the dedicated FB for inter-SCS safety communication.

The length of this time depends on the transfer time of V net communication and the precision of time synchronization between SCSs. For the calculation of the time-out time, refer to ProSafe-RS Engineering Guide (IM 32S01C10-01E).


Programming

The engineering function of the ProSafe-RS provides the programming languages conforming to the IEC 61131-3 standard. The following languages are used to program safety application logic.

• FBD (Function Block Diagram)

• LD (Ladder Diagram)

Use the proper FU/FB and LD elements of these languages. Some of them can be used for safety applications, but the others cannot, as shown in ProSafe-RS Engineering Guide (IM 32S01C10-01E).

Application Test

After completion of programming the application, the application needs to be tested for operation according to the specifications.

• After programming the application, save it, print it out with the Self-Documentation Function, and check that the inputs and the contents of the printout agree with each other.

• Use the integrity analyzer to check whether the FU/FB, etc. used for programming the safety application are applicable to safety use. Confirm that its result is as intended.

• To debug the application, a test can be performed without the SCS but with the simulator on the SENG.

• The test of safety application logic can be performed with the Target Test Function on the target SCS even when no I/O module or no wiring with the field device is installed in the SCS.

• The target test incorporated with the necessary devices should be performed.

• When loading the application into the SCS, make sure that the correct application has been loaded with the version information appearing on the SENG.

• After completion of the test at security level 0 when starting the operation, perform off-line download and change the security level to Level 2.

When part of the application is modified, the impact of the modification needs to be analyzed before a test. Unintended modification can be detected with the Cross Reference Analyzer before the test. This helps localize the part to be tested, so that only the modified part can be tested. The procedure is as follows:

• After modifying the application on the engineering tool, print it out and make sure of the correct input.

• Make sure that the check results of the Cross Reference Analyzer are as intended.

• Check the operation of the application with the simulator, if necessary, and test it on the target.

To modify the application correctly, the history of the application needs to be managed. For this purpose, the version control function is provided.


Check list for Application Development

Parameter Settings and Programming

Table Check list for Parameter Settings and Programming

No.  Description                                                                                    Check
1    Has a scan period been determined to meet the requirement of the process safety time?
2    Has the Output Shutoff Switch of the DO module been selected to be activated?
3    Have the input value for a fault and the failsafe values been determined?
4    For inter-SCS safety communication, has the application logic been written with the dedicated FB?
5    Has the proper time-out period for inter-SCS safety communication been determined?
6    Has the application logic been written with the proper language or language element?

Procedure for Application Test

The following check list shows the procedure after application input. When an error is found at a step, go back to a proper step (the application input step in principle).

Table Check list for Procedure for Application Test

No.  Description                                                                                    Check
1    Save the application on the SENG, print it out with the Self-Documentation Function, and compare the inputs with the printout.
2    Use the integrity analyzer and check the result.
3    Use the Cross Reference Analyzer and check the result.
4    Use the simulator on the SENG for debugging.
5    Download the application into the SCS.
6    Test the application on the target.


2.4 Security

To prevent access from unauthorized users or devices during operation, and unintended changes due to users' operation errors, consider the security measures mentioned in this section.

SCS Security Level

The SCS controls the security levels for safe operation of the system.

Set the security level to Level 2 during the normal operation of the SCS to protect the SCS against illegal access. It needs to be set to Level 1 for maintenance, and to Level 0 for off-line operation. To prevent erroneous changes of the security level, password authorization is needed. Assign different passwords for authorization to individual security levels and SCSs. Check that the security level on the display of the SENG is correct when changing the security level.

Access to SCS

Changing the security level enables the SCS to be accessed. To prevent erroneous access to the SCS, correct operation on the SENG is needed. For this purpose, the SCS is provided with system alarms to indicate which part of the SCS is to be accessed, and with the display of the SCS status. When accessing the SCS, use these functions to ensure the correct access for its safe operation.

Access Control on SENG

The safety application stored in the SENG is protected with a password, so that only the authorized user is allowed to operate and modify it. The passwords for operating the safety application need to be different for each SCS.

Check list for Security

Table Check list for Security

No.  Description                                                                                    Check
1    Has the usage of the SCS Security Levels been understood?
2    Have different passwords for changing Security Levels been assigned to individual security levels and SCSs?
3    Has the Security Level of the SCS in operation been set to Level 2?
4    When operating the SCS, is it confirmed that its settings and state are as intended?
5    Have different passwords for operating the safety application on the SENG been assigned to individual SCSs?


2.5 On-line Changero a e- a ows e app ca on o e mo e an e mo u e se ngs o e

changed both on-line. Before On-line Change, analyze its impact on the system, provideex erna measures accor ng o e resu o e ana ys s an a e a equa e care n sexecution.

On-line Change Consideration
After modifying the application and completing the check, the modified part needs to be tested with On-line Change Download. Before On-line Change Download, change the SCS Security Level to Level 1, and return it to Level 2 after completion of the test.
To prevent a system error, On-line Change Download must not be performed when a maintenance override from HIS is going on.
On-line Change Download can cause the following system behaviour. Use the Forcing Function or Fixing Output Function to prevent unnecessary shutdown, and provide the outside of SCS with proper measures for emergency situations in advance.

• System malfunction due to an unintended error of the application.

• An I/O module stops its function after On-line Change Download if the setting of the I/O module is changed.

SEE ALSO For the detailed procedure of On-line Change, refer to ProSafe-RS Engineering Guide (IM 32S01C10-01E).

Check list for On-line Change
Table Check list for On-line Change

No. Description Check

1 Has the plan of the modification been reviewed and approved?
2 Does the modification need to be done on-line?
3 Has the impact of the on-line change on the system been analyzed and fully understood?
4 Has the Forcing Function or Fixing Output Function been taken into account?
5 Have adequate measures for emergency situations been prepared outside SCS?
6 Has the appropriate procedure for the on-line change been established?


2.6 Forcing
This section explains the consideration at the time of performing the forcing function.

Forcing Function
The forcing function of the SENG is for locking and forcing the value on I/O channels and the variables used in application logic. To start the forcing function, change the Security Level to Level 1.
When operating from the SENG, make sure that the correct variable is locked. To return to the normal operation, unlock all the input/output variables, and change the Security Level to Level 2.
Using the dedicated FB helps manage the forcing condition, such as the presence and the number of locked variables and forced unlocking of locked variables.
For performing the forcing function, which is used for maintenance of devices and for On-line Change, analyze the impact on the system and take adequate measures beforehand.

Check list for Forcing
Table Check list for Forcing

No. Description Check

1 Has the impact of the forcing on the system been analyzed and fully understood?
2 Has the use of the dedicated FB for managing the forcing condition been taken into account?
3 Has the procedure for forcing been established?
4 Does the procedure include the instruction that all the variables must be unlocked and back to normal?
5 Have adequate measures for emergency situations been prepared outside SCS?


2.7 Maintenance Override
This section explains the consideration at the time of performing the maintenance override.

Maintenance Override
The maintenance override, which is used for maintenance, assigns an unusual value or state to an I/O variable.
For a maintenance override from the HIS of the ProSafe-RS/CS 3000 Integration system, build safety application logic beforehand using the dedicated FB for maintenance overrides.
The maintenance override operation has two steps: the authorization command and the execution command of the override. After completion of maintenance, clear the maintenance override. Perform the series of operations from the HIS with the operator confirming the contents and the message on the display.

Check list for Maintenance Override
Table Check list for Maintenance Override

No. Description Check

1 Has the effect of the maintenance override been analyzed and fully understood?
2 Has the application logic been written with the dedicated FB for the maintenance override?
3 Has the operation manual been prepared and confirmed by the operator?
4 Does the operation manual include the instruction that all overrides must be removed at the completion of the maintenance?
5 Has an alternative method of removing overrides been prepared?
6 Have adequate measures for emergency situations been prepared outside SCS?
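The operating rules of sections 2.4 to 2.7 (security levels with a password per level and per SCS, forcing only at Level 1 and unlock-all before returning to Level 2, the two-step maintenance override, and no On-line Change Download during an override) written as one added, hypothetical Python model. This is not the manual's or Yokogawa's code; the class, method names and passwords are constructed, and it only shows how each precondition can be checked before an operation is accepted.

```python
# Hypothetical model of this manual's operating rules (added example, not Yokogawa code).
import hmac

class ScsRuleError(ValueError):
    """An operation violated a rule stated in the manual."""

class ScsModel:
    def __init__(self, level_passwords):
        self._pw = level_passwords   # {level: password}, a separate set per SCS
        self.level = 2               # normal operation (1 = maintenance, 0 = off-line)
        self.locked = set()          # variables locked by the forcing function
        self.authorized = set()      # maintenance override step 1 done
        self.overrides = set()       # maintenance override step 2 done

    def set_security_level(self, level, password):
        # Password authorization per level prevents erroneous level changes.
        expected = self._pw.get(level)
        if expected is None or not hmac.compare_digest(expected, password):
            raise ScsRuleError("password not valid for level %d" % level)
        if level == 2 and self.locked:   # forcing: unlock all before Level 2
            raise ScsRuleError("%d variable(s) still locked" % len(self.locked))
        self.level = level
        return self.level

    def lock_variable(self, var):
        if self.level != 1:              # the forcing function needs Level 1
            raise ScsRuleError("forcing requires security Level 1")
        self.locked.add(var)
        return len(self.locked)

    def authorize_override(self, var):   # maintenance override, step 1
        self.authorized.add(var)

    def execute_override(self, var):     # step 2, only after authorization
        if var not in self.authorized:
            raise ScsRuleError("override of %s not authorized" % var)
        self.overrides.add(var)
        return len(self.overrides)

    def end_maintenance(self):           # unlock all, remove all overrides
        self.locked.clear()
        self.authorized.clear()
        self.overrides.clear()

    def online_change_download(self):
        # Allowed only at Level 1 and never while a maintenance override is on.
        if self.level != 1:
            raise ScsRuleError("On-line Change Download requires Level 1")
        if self.overrides:
            raise ScsRuleError("maintenance override from HIS in progress")
        return True
```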


2.8 Replacement of Modules in SCS
This section explains the consideration at the time of replacement of modules.

Replacement of Modules
When a module failure occurs, identify the failure location according to the LED display of modules or the diagnostic information of the SENG to replace the relevant module.
After replacing the module of the single configuration, check the version information of the application in the memory to ensure the operation of a correct application. If an incorrect application runs, perform Master Database Off-line Download.
In case that a module failure doesn't lead to shutdown in the single configuration, the replacement of the module should take place within MTTR.
Even in case of a failure in one module of the duplex configuration, the safety of SIL3 is guaranteed. The failed module can be replaced while the SCS is in operation.

Check list for Replacement of Modules
Table Check list for Replacement of Modules

No. Description Check

1 Has the diagnostic information of the SENG been confirmed?
2 Is the LED display of the relevant module showing the failure?
3 Has the replacement of the module been done carefully?
4 After replacing a CPU module, is the application correct (in the single configuration)?
5 Has Master Database Off-line Download been performed to load the correct application if necessary?


Appendix A Product Support

Please contact our offices listed below for the technical support of the ProSafe-RS system.

Yokogawa Electric Corporation
Industrial Safety Systems Dep.
Industrial Automation Systems Business Div.
2-9-32 Nakacho, Musashino-Shi, Tokyo 180-8750 Japan
Tel.: +81 422 52 5816
Fax: +81 422 52 0571
E-mail: [email protected]

Yokogawa System Center Europe B.V.
Lange Amerikaweg 55, 7332 BP Apeldoorn
P.O. Box 20020, 7302 HA Apeldoorn
The Netherlands
Tel.: +31 (0) 55 538 9500
Fax: +31 (0) 55 538 9511
E-mail: [email protected]

Yokogawa Industrial Safety Systems Sdn. Bhd.
Lot 10, Jalan Astaka U8/84,
Seksyen U8, Bukit Jelutong Industrial Park,
40150 Shah Alam, Selangor Malaysia
Tel.: +60 (0) 3 7846 2100
Fax: +60 (0) 3 7846 1585
E-mail: [email protected]


Revision Information
Title : Safety Manual
Manual No. : IM 32S01S10-01E

Mar. 2005/1st Edition/R1.01 or later*

Newly published
* Denotes the release number of the software corresponding to the contents of this user's manual. The revised contents are valid until the next edition is issued.

For Questions and More Information
Online Query: A query form is available on the following URL for online query. http://www.yokogawa.co.jp

If you want to have more information about Yokogawa products, you can visit Yokogawa's homepage at the following web site. Homepage: http://www.yokogawa.com/

Written by Industrial Safety Systems Dept., Systems Business Div., Yokogawa Electric Corporation

Published by Yokogawa Electric Corporation, 2-9-32 Nakacho, Musashino-shi, Tokyo 180-8750, Japan
