Issue 5 - September 2006 Page 15 of 65The application, by use of either the analogue processing module (available in USR3) or simplecomparators, can provide a bad/safe discrete for each analogue value. An example networkusing comparators is given in Network 7 of the example networks. Network 6 shows the samefunctionality using USR3 (See Appendix 1).When large numbers of Analogue Inputs are to be processed, USR3 should be used toeffectively monitor faults within the analogue loops. This is accomplished by configuring theAnalogue Test Database in the TriBuild System Configuration Special Function Configuration.This configuration provides for each analogue variable an array of discretes for channel faults,open and short circuit faults, as well as defining a global fault bit and the test parameters. Bothopen and short circuit faults values should be configured.3.3.2 OutputsThe standard configuration for ESD Safety System outputs is to provide digital outputs only,which are configured for de-energise to trip (3-2-0 GTZ again fail to safe).3.3.2.1 De-Energise to Trip OutputsAll safety related outputs will be from the Digital Output Module. Each module must beconfigured with a hot repair partner slot to allow bump-less hot repair to be accomplished.The Output Module provides a fully tested six-element switch voting circuit for each individualoutput.Where the safety integrity level (safety classification) requirements of a safety loop requires twoor more final elements to be available for shutdown purpose, then each final elements should bedriven from a separate Digital Output Module and Termination Card, where practical.The shutdown signal is connected from the Output Module through the chassis backplane, thehot repair adapter card and the system cable to the Termination Card where the field wiring isconnected.The simplex part of the termination module (eg fuses) must be considered as part of the fieldloop for reliability analysis.3.3.2.2 Multiple Input / Output Safety ConfigurationWhere the safety integrity level requires multiple sensors and final elements from a safety loop,then these configurations will be as follows.3.3.2.3 Dual SensorsThese will be voted by the application logic in a 1oo2 manner such that either sensor providingan alarm status requires a shutdown.Where the sensor diagnostics provide fault status then the safety loop may revert to a 1oo1voting on the good sensor for the time constraint of the sensor's safety loop. At the terminationof this time constraint the loop will demand a shutdown.A single remaining sensor going into fault will demand an immediate shutdown.3.3.2.4 Triplicated SensorsThese will be voted on a 2oo3 basis by the application logic, however, once a sensor has beenvoted as bad, the voting logic will revert to a 1oo2 vote on the remaining two sensors followingthe strategy determined for dual sensors.3.3.2.5 Dual Final ElementsThese are to be configured in a 1oo2 manner such that either output requires a shutdown.