Sensor configurations – Rockwell Automation AADvance Controller Safety Manual User Manual

Document: 553630
ICSTT-RM446K-EN-P Issue: 10_C
Safety Manual (AADvance Controller)
Sensor Configurations
In safety-critical input applications using a single sensor, it is important that the sensor failure modes be predictable and well understood, so there is little probability of a failed sensor not responding to a critical process condition. In such a configuration, it is important that the sensor be tested regularly, either by dynamic process conditions that are verified in the AADvance system, or by manual intervention testing.

The function of a signal shall be considered when allocating the module and channel within the system. In many cases, redundant sensor and actuator configurations may be used, or differing sensor and actuator types provide alternate detection and control possibilities. Plant facilities frequently have related signals such as start and stop signals. In these cases, it is important to ensure that failures beyond the system's fault-tolerant capability do not result in either inability to respond safely or in inadvertent operation. In some cases, this will require that channels be allocated on the same module, to ensure that a module failure results in the associated signals failing safe.

Sensor configurations should be considered. In most cases it will be necessary to separate the signals across modules. Where non-redundant configurations are employed, it is especially important to ensure that the fail-safe action is generated in case of failures within the system.

Field loop power should be considered in the allocation of signals to input channels and modules. For normally energized input configurations, field loop power failure will lead to the fail-safe reaction. As with the allocation of signals to modules, there may be related functions (for example start and stop signals) where loss of field power should be considered in the same manner as the signal allocation.
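
The allocation guidance above can be checked mechanically during design review. The following is an added example, not part of the manual or of any Rockwell Automation tooling: it flags redundant signals that share a module or field power feed, and related signals (such as start and stop) that were meant to fail together but are split. The record layout, the "separate"/"together" policy labels, and all tags, module names and power feed names are hypothetical, and which policy applies to a group is assumed to come from the designer's own analysis.

```python
from collections import defaultdict
from typing import NamedTuple

class Channel(NamedTuple):
    tag: str      # signal name (constructed)
    module: str   # input module carrying the channel (hypothetical name)
    power: str    # field loop power feed (hypothetical name)
    group: str    # group of related or redundant signals
    policy: str   # "separate" or "together" (labels assumed for this example)

def check_allocation(channels):
    """Return (group, resource, problem) for each group that breaks its policy."""
    groups = defaultdict(list)
    for ch in channels:
        groups[ch.group].append(ch)
    findings = []
    for name, members in sorted(groups.items()):
        policy = members[0].policy
        if any(m.policy != policy for m in members):
            findings.append((name, "policy", "members disagree on policy"))
            continue
        # Field power is checked in the same manner as module allocation.
        for resource in ("module", "power"):
            used = [getattr(m, resource) for m in members]
            distinct = len(set(used))
            if policy == "separate" and distinct < len(used):
                findings.append((name, resource, "shared by redundant signals"))
            elif policy == "together" and distinct > 1:
                findings.append((name, resource, "split across related signals"))
    return findings

# Constructed sample allocation, not taken from a real plant or from the manual.
SAMPLE = [
    Channel("PT-101A", "IM-1", "PSU-A", "PT-101", "separate"),
    Channel("PT-101B", "IM-1", "PSU-B", "PT-101", "separate"),
    Channel("P-200-START", "IM-2", "PSU-A", "P-200", "together"),
    Channel("P-200-STOP", "IM-3", "PSU-A", "P-200", "together"),
    Channel("LT-300A", "IM-2", "PSU-A", "LT-300", "separate"),
    Channel("LT-300B", "IM-3", "PSU-B", "LT-300", "separate"),
]

if __name__ == "__main__":
    for group, resource, problem in check_allocation(SAMPLE):
        print(f"{group}: {resource} {problem}")
```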