LION safety concept
The L-BUS² ensures the safe transport of process and diagnostics data between the bus coupler and all connected modules. The software of the SIL0 modules were developed according to the normed and standardised development process of the EN 50128. The SIL0 modules communicate without reaction on the L-BUS². The field level of the modules is galvanically isolated.
The I/O module transfers the process input and diagnostic data via the bus coupler to the control unit using a safe fieldbus protocol. The unit assesses the data based on the diagnostic information, decides on its validity and processes a safe reaction in case of malfunction.
Errors can be detected by diagnostics and self-test functions within the digital outputs and the bus coupler. This leads to zero setting of the inputs in the process data and to the marking of invalid values in the diagnostic data. Non-controllable errors in the I/O module lead to a failsafe condition.
The I/O module switches the outputs and determined the diagnostics information. The diagnostic data are sent by the bus coupler via a safe protocol to the control unit. The control unit processes the safety related function based on the diagnostic information.
Errors can be detected by diagnostics and self-test functions within the digital outputs and the bus coupler. This leads to switch-off of the outputs and to an error message by the diagnostic data. Non controllable errors in the I/O module lead to the failsafe mode and the switching off of the outputs.
Safety architectures with LION
With this architecture pattern, the safety level SIL2* can be achieved. Here the input signal is read in as redundant/antivalent. The user must ensure that a plausibility inspection of the signals read into the control takes place. Two input channels are required for the antivalence. Here all possibilities are open to the user as to which inputs are used. Two neighbouring input channels or, for example, two inputs from different modules or I/O stations can be combined.
For SIL1* applications, any safe input channel can be used. Here the input signal of the sensor is read in via one channel. All inputs are monitored cyclic with test pulses to reveal the error status "Stuck-at-High". A total of 16 input channels are available per safe I/O module.
In order to achieve safety level SIL2*, an architecture pattern can be used in which the actuator is controlled via plus/minus-switching. Here two output channels are used. The user is free to choose which outputs are used for the purpose. Two neighbouring output channels or, for example, two inputs from different modules or I/O stations can be combined.
In order to achieve safety level SIL1* it is sufficient to switch the output signal via one channel. Here the outputs are monitored in channel granular manner. The user can read back the current switching condition of the transistor in addition to the internal module monitoring (detection of Stuck-On errors) in order to diagnose other error statuses such as short-circuits or overload. A total of 8 output channels are available per safe I/O module.
*The achievable SIL level is dependent on the THR (EN 50129) of the overall system.