
FAQs on RTP3000 Safety Instrumented DCS system

a). Explain the features of fault-tolerance in your system, various diagnostic features and redundancy levels.

The RTP3000 system is a high availability system with no single point of failure. I/O cards, communications channels, processors, racks and power supplies can all be redundant. There is redundancy at every level of the system. Inputs from quad redundant input cards are collected to create one combined input to be used in Logic Solution. Each card can be in a different rack, each rack with dual redundant power supplies and Chassis Processors. The Chassis Processors communicate to the quad redundant Node Processors over triple redundant Ethernet networks. All Node Processors do independent logic solutions, and all send their results over the triple redundant Ethernet to all Chassis Processors in all racks. The Chassis Processors pass the outputs to the triple redundant Output cards. The RTP3000 SIS will continue to operate without disruption, even if some of the redundant modules fail. The following covers the functional components in some more detail.

POWER AND RACKS: A system can have up to 16 racks, each with dual power supplies and redundant chassis processors. Any I/O card or Node processor can be placed in any rack. Should any card fail, the redundant card(s) will continue. Should an entire rack fail, the cards in the failed rack will have redundant counterparts in other racks that will continue.

INPUTS: Inputs from up to 4 input cards are read by the Chassis Processor in the rack (which is backed up by a redundant Chassis Processor). The cards are read across the rack backplane. Each backplane bus transfer occurs twice. The first transfer sends the data in normal form; the second transfer sends the inverse of the data. The Chassis Processor will check the data for consistency. All input cards may be in different racks.
COMMUNICATIONS: Each of the Chassis Processors has two Ethernet links to the Node processors, for a total of 3 channels between each rack and all of the up to 4 Node Processors. Every message across the Ethernet links is integrity-protected: each 48 bytes of message data is covered by a software-computed 16-bit CRC, the entire message is covered by a CRC-16, and each message carries a sequence number. All inputs are sent to all Node processors.

NODE PROCESSORS: All of the up to 4 Node Processors get both the Normal and Inverted inputs. Each Node Processor uses all the inputs received in Signal Validation, which votes the inputs according to the configured rules to arrive at a single input value (one normal and one inverted). Each Node Processor then evaluates the user logic program twice, using one set of input data for each solution. It then compares the results of both logic solves for consistency. Each Node Processor sends both sets of outputs to all Chassis Processors in all racks via the Ethernet communications channels described above.
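The two integrity mechanisms described above (the normal/inverse double transfer on the backplane and the CRC plus sequence number protection on the Ethernet links) can be sketched as follows. This is an added example, not RTP code: the frame layout, the 32-bit sequence field and the choice of CRC-16/CCITT are assumptions, since the text gives only the 48-byte block size, the two CRC levels and the sequence number.

```python
import binascii
import struct
from typing import Optional, Tuple

BLOCK = 48  # bytes of message data covered by each block CRC (figure from the text)


def crc16(data: bytes) -> int:
    # Assumption: CRC-16/CCITT (polynomial 0x1021); the text does not name one.
    return binascii.crc_hqx(data, 0)


def build_frame(seq: int, payload: bytes) -> bytes:
    """Hypothetical layout: seq(4) | [data(<=48) crc(2)]... | crc over all of it(2)."""
    body = struct.pack(">I", seq)
    for off in range(0, len(payload), BLOCK):
        block = payload[off:off + BLOCK]
        body += block + struct.pack(">H", crc16(block))
    return body + struct.pack(">H", crc16(body))


class Receiver:
    """Checks the whole-message CRC, then each block CRC, then the sequence number."""

    def __init__(self) -> None:
        self.last_seq: Optional[int] = None

    def accept(self, frame: bytes) -> Tuple[Optional[bytes], str]:
        if len(frame) < 6:
            return None, "short frame"
        body = frame[:-2]
        if crc16(body) != struct.unpack(">H", frame[-2:])[0]:
            return None, "message CRC mismatch"
        seq = struct.unpack(">I", body[:4])[0]
        payload, rest = b"", body[4:]
        while rest:
            chunk, rest = rest[:BLOCK + 2], rest[BLOCK + 2:]
            if len(chunk) < 3:
                return None, "truncated block"
            block = chunk[:-2]
            if crc16(block) != struct.unpack(">H", chunk[-2:])[0]:
                return None, "block CRC mismatch"
            payload += block
        # A repeated, skipped or reordered message fails here even with valid CRCs.
        if self.last_seq is not None and seq != (self.last_seq + 1) & 0xFFFFFFFF:
            return None, "sequence error"
        self.last_seq = seq
        return payload, "ok"


def inverse_of(data: bytes) -> bytes:
    return bytes(b ^ 0xFF for b in data)


def dual_transfer_consistent(normal: bytes, inverted: bytes) -> bool:
    """Backplane check: the second transfer must be the bitwise inverse of the first."""
    return len(normal) == len(inverted) and inverse_of(normal) == inverted


def stuck_low(data: bytes, bit: int) -> bytes:
    """Model a bus line stuck at 0 (constructed fault for the demonstration)."""
    return bytes(b & ~(1 << bit) & 0xFF for b in data)
```

A stuck bus line shows up in the double transfer because the same line has to carry both a bit and its inverse. The CRCs and sequence number detect corruption, loss and repetition; they are error-detection codes and do not authenticate the sender.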

RTP Corp Confidential

OUTPUTS: The Chassis Processors compare the sets of outputs they receive for consistency, and then pass them across the backplane to the Output cards as described above. Both Normal and Inverse outputs must be consistent. Up to 3 output cards can redundantly control a single output, and each output card can be in a different rack. If the diagnostics detect faults, this safety information is voted with the output data, and a failure will cause the card's outputs to be set to a safe state. The Output cards also have Readback values which equal the actual output value and are treated as Inputs to the system.

DIAGNOSTICS: Every card in the system, from Processors to I/O cards, does diagnostics every scan. The Diagnostics for a card are both self checks (for card integrity) and interface checks with all the other cards it talks to. The Diagnostics also check that an injected fault on the card or the interface to other cards will be detected and reported. All cards on the bus in a rack do backplane integrity checks. Some I/O cards also supervise the field wiring. Diagnostics include both voltage monitoring and watchdog timers at all levels of the system.

PEER TO PEER COMMUNICATIONS: RTP3000 systems can share data with other RTP systems via a TCP/IP Ethernet network.

b). Confirm whether it is possible to execute all the process interlocks and safety shut down logics of the plant on the same platform. If yes, explain it in detail.

Yes, it is possible. Both functions can be done in one controller because all the DCS functions were tested along with the safety functions in the process of getting the TUV safety certification. Per section 2.2 of revision 1.1 of the December 22, 2008 TUV Report on the Certificate for the Safety-Related Programmable System RTP-3000, "The Processor Node could include safety-related and non safety related modules in an application".

c). How do you categorize your system as a Distributed Control System?

The RTP3000 is a hybrid QMR / TMR / Redundant / Simplex DCS. Depending upon the I/O modules used with the system (analog or discrete, input and output) it is capable of both Process Loop control (has PID functions, floating point math and analog I/O) and Logic control (PLC).

d). Explain the self-diagnostic capabilities implemented within each channel and a secondary shutdown path controlled by diagnostics features.

The SIL3 output cards use 3 pieces of information to decide to drive an output channel. The Normal and Inverted output states (X1 and X2) are used, but the safety switch (Xs) that is independently controlled by the diagnostics (the state will be off in the event of diagnostics failure) is essential to allow outputs to be energized. The safety switch can be disabled either by a diagnostics failure or from the user logic program that can command the outputs to be set to a safe state. X1 and X2 are the result of the computation done by the user application logic and are driven by separate PLDs on the Output card.

[Figure: 2oo2D output circuit with labels +V, X1, X2, Xs, Final Output Vote and Actuator]

Examples of some output cards and their capabilities follow. When the card is a 3003/00 Relay Out card, in order to deal with any potential sticking contact issue, the relays in series are energized at different times and the output of each relay is checked for consistency with the desired output state.

The 3028 16 ch SDO card also has two FET switches in series that are controlled by the Normal and Inverted Outputs, so both must agree to energize an output. There is also a 3rd FET (safety) switch in series that is controlled by the diagnostics. The card also has supervision circuitry that will detect and report if the output is externally an open or a short circuit, and report this as a load fault.

The 3004/00 4 ch AO card has isolated outputs generated from a user supplied 24VDC power supply, and has feedback analog-to-digital converters (per channel) that monitor the output voltages or currents as a safety feature, reporting these Readback values to the user logic program.

The 3013/00 16-Ch. AC DO card is SIL-2 in a simplex configuration because each channel is configured 1oo1 and there isn't a secondary independent shutdown. This card can be SIL3 when used redundantly but also with redundant actuators (illustration below).

[Figure: redundant arrangement of two CARD and TM pairs]

Finally, the 3021/00 16-Ch. AO card is also SIL-2, because it has one PLD. It also is SIL-3 (as illustrated above) when used redundantly with redundant actuators.

e). Normally, all modules for an ESD function are certified (with either Redundant/ TMR/ QMR concept) from TUV Rheinland as Safety system complying to SIL3 (IEC61508). We note that many of your modules are certified as SIL2 and some as SIL3. Your termination modules are certified as SIL2. If a SIL3 card (simplex) is used with a termination module (single termination module) of SIL2 rating then the overall SIL rating would be reduced to SIL2? What is the solution you provide to this?

Per section 1.2 of revision 1.2 of the February 4, 2010 TUV Annex of the Report on the Certificate for the Safety-Related Programmable System RTP-3000, Termination modules are safety-relevant hardware components in that they are supporting hardware to be attached to the safety system. They do not have separate SIL ratings, have been tested along with the card, and do not affect the rating of the card.

Per Section 1.1 of the same document, note that the I/O cards are listed in the table. With the exception of 2 cards, all those listed as SIL2 when used singly are rated as SIL3 when used redundantly. Two exceptions (the 3013/00 16 channel AC output card, and the 3021/00 16-Ch. AO card) can be SIL3 when used redundantly but also with redundant actuators (illustration below).

[Figure: redundant arrangement of two CARD and TM pairs]

Any termination modules that must be used in the above way are covered in the RTP Safety Manual. It is recommended that the following 32-Channel Digital Input Termination Modules be used only in SIL-2 Safety Instrumented Functions:

3099/21-015  Triple Termination Module - 120 VAC sourcing (close to ground)
3099/21-016  Triple Termination Module - 240 VAC sourcing (close to ground)
3099/21-018  Triple Termination Module - 120 VDC sourcing (close to ground)
3099/21-008  Triple Termination Module - 120 VDC sinking (close to positive)
3099/21-116  Single Termination Module - 240 VAC sourcing (close to ground)
3099/21-115  Single Termination Module - 120 VAC sourcing (close to ground)
3099/21-118  Single Termination Module - 120 VDC sourcing (close to ground)
3099/21-108  Single Termination Module - 120 VDC sinking (close to positive)

If these modules need to be used in SIL-3 systems, then redundant sensors / field devices need to be employed, using redundant input modules with single termination modules. Signal Validation in the user application logic will perform the MooN voting.

f). Are your non-interfering cards too certified by TUV for non-ESD applications?

Per section 2.8 of revision 1.1 of the December 22, 2008 TUV Report on the Certificate for the Safety-Related Programmable System RTP-3000, the non-interfering cards are approved as part of the certification. These non-interfering cards shall be able to be inserted into the same chassis as the safety-certified I/O cards.

g). Explain in detail the following Codes & Standards:

Reference Standard: IEC 61508
Description: Functional Safety of electrical/electronic/programmable electronic safety related systems. This standard gives requirements and guidance for manufacturers, when designing, manufacturing and supplying products that are going to be used for functional safety. This is the safety standard to which the RTP3000 was designed, to which it is tested and to which it is certified by TUV. It is referenced in the TUV Certificate.

Reference Standard: IEC 61511
Description: Functional Safety: Safety instrumented systems for the process industry sector. This standard gives requirements for end-users and system integrators, when implementing functional safety. RTP complies with this standard, via publication of the safety manual and technical manuals. It is the user's / system integrator's responsibility to follow this standard (e.g. have a safety requirements specification for their program, have test cases, etc.). By functional safety, we mean the RTP product installed for the purpose of preventing or mitigating hazardous events. The RTP3000 complies with and is tested to and certified to this standard. It is referenced in the TUV Certificate.

Reference Standard: IEEE 802.3
Description: Communication Std. This is the core IEEE standard on network communications, and to which Ethernet and TCP/IP comply.

Reference Standard: OPC DA 2.0 & A/E1.0
Description: Computer Openness. OPC: OLE in Process Control. DA: Data Acquisition. OPC DA 2.0: The standard is developed by the OPC Foundation, and gives an interface from 3rd party HMI software to RTP hardware: instantaneous Tag values in the RTP3000 can be displayed in other manufacturers' systems. A/E1.0 Alarms and Events: This standard is not supported by RTP. However, alarms and events are implemented with RTPADA. Files recorded in RTPADA can be opened via the Microsoft ODBC interface. This is the standard to which we have designed the RTP software that allows the RTP3000 to share data with HMI systems. RTP provides an alternative to A/E1.0 with the RTPADA Alarm and Data Archiver.

Reference Standard: IEC-61131/ISA S 5.2
Description: Programmable Logic. IEC-61131-2: Defines standard test methods for programmable logic controllers, that are part of basic safety. Also used as part of CE conformity. IEC-61131-3: Covers requirements for programming languages (Graphical, flow, and structured text) in programmable logic controllers. By basic safety, we mean not to endanger lives or property, by merely operating or installing the RTP product. IEC-61131-7: Covers fuzzy logic in programmable logic controllers. The RTP3000, in its role as a DCS, is designed and tested to this standard. It is referenced in the TUV Certificate.

h) Explain the concept of obtaining Analog redundancy (Input and output) in your system.

INPUTS: Up to 4 analog input values are used by signal validation to create a validated input, using one of the below user selected algorithms. All algorithms first check if the diagnostics for the configured input channels have any hardware errors. If the combination of the error status words indicates a possible failure, then the hardware channel is excluded from signal validation calculations. By specifying one of the below algorithms (see the details under Software, question b.), the user decides how the remaining values will be used.

OUTPUTS: First the Chassis Processors each receive a full set of outputs from every Node processor in the system, and check them for consistency. A Node Processor that deviates from the others will be ignored, and if it continues to deviate, will be taken off-line. All redundant output cards know they are part of a redundant group. If the output is a voltage output, one output card acts as the primary and the other one or two cards (connected to the same physical output point via the termination module) act as redundant back-ups. If the output is a current output, the cards share the load among them, each contributing a portion of the total current required. If one card is removed due to diagnostics failure or other reason, the remaining card(s) share the full output current.

i) What is the CMRR value of your system? Explain a narrative of its significance in any of your practical experience at a plant.

The CMRR is defined as the ratio of the powers of the differential gain over the common-mode gain, measured in positive decibels (thus using the 20 log rule):

As differential gain should exceed common-mode gain, this will be a positive number, and the higher the better.

The CMRR is a very important specification, as it indicates how much of the common-mode signal will appear in your measurement. The value of the CMRR often depends on signal frequency as well, and must be specified as a function thereof. CMRR is often important in reducing noise on transmission lines. For example, when measuring a thermocouple in a noisy environment, the noise from the environment appears as an offset on both input leads, making it a common-mode voltage signal. The CMRR of the measurement instrument determines the attenuation applied to the offset or noise.

CMR for Analog Input cards (Thermocouple, High and Low level analog Inputs, RTD) is typically: 160 dB at 60 Hz, with a fast OTD version of the card = 110 dB at 60 Hz. For the Thermocouple card, gain of 126.7 for 0 to 78.125 mV signal input voltage, 78.915 mV with guard band. For the Low-level Analog input card, gain of 62.5 for 0 to 160 mV signal input voltage, 161.62 mV with guard band.

The significance of common mode rejection is that it enables the system to obtain a meaningful input signal from a multiple ground plane, electrically noisy environment.

j) Same for NMRR.

Normal mode rejection rating applies to the signal itself after the common mode noise has been rejected. By selecting an appropriate low pass input filter you reduce the effects of higher frequency noise that has "contaminated" the signal you are trying to measure, giving you better accuracy. For RTP3000 Analog Input cards, NMR at specific frequencies will vary from -3 dB to -6 dB, depending upon the Low Pass Input Filter option that is selected when the card is configured.

SOFTWARE:

a) Explain how you would do the on line changes in software.

First, design, review, develop and test the changes logically using NetArrays and the Node Processor Simulator. To the extent possible, keep the changes in separate module forms to minimize the changes to existing tested logic, as you will be responsible for testing the changes. Debug of the changes can be done with the RTP3000 simulator, forcing inputs and monitoring the internal and output variables with the debugger, RTPTrend (variables charted as a function of time) and RTPADA (track variables and review the log for sequence of events). Subject the modified program to your regression testing and to a quality test plan developed to test the modifications.

It is recommended that all user applications undergo full functional testing using the debugging capabilities of the NetArrays Development Studio's Simulator prior to downloading the program to the 3000-Node processor. It is also recommended that the user application undergo additional testing on an RTP3000 Node processor.

When the modified program is ready to be deployed on the installed system, in order to install the new program without process interruption, utilize the Disable Outputs object and the Download with On-Line updates feature. Disable objects, when activated, will freeze outputs at their current values, though the user logic program solution will continue and new values will be calculated. Though this is not required, this may be useful to help in phasing in your changes. Download with on-line updates will first generate a list of changes from the installed program versus the new program, ask you to review and approve the changes, and then load the new program into the RTP3000. For the first solve of the new program, all variables configured as retentive will retain their present values; all others will be set to their initial values. Finally, if you have used it, the Disable Outputs object should be de-activated.

The following is from the Safety Manual: Programs downloaded to a 3000 system using the NetArrays Developer Studio Download Project w/Online Update command will perform the following:

- Upload current user program from selected 3000-Node processor.
- Generate a difference file between current user program and new modified program. (CRC signatures for each page and SIF are utilized in this process.)
- Prompt operator to review and accept changes as shown in the following figure. (If the changes are rejected the download is aborted.)
- Download the difference file and new modified program file to all online 3000 Node processors.

Caution: It is the user's responsibility to validate changes to any C++ or Structured Text User Defined DLLs (UDLs). NetArrays cannot validate UDL changes during the Download with Online Update process.

Note: Always display the Output Window and the Device Status window to verify the download with online update operation. Device Status messages will indicate if the operation was successful or failed.

Figure 1: RTP Output Window

The following then occurs on the 3000 Node processor(s):

- Verify new modified program IP Address matches Node processor's master IP Address. (If this does not compare the downloaded program is discarded and the current program file will continue to execute.)
- Verify new modified program CRC signatures. (If this does not compare the downloaded program is discarded and the current program file will continue to execute.)
- Verify that the new modified program name is identical to current user program name. (If this does not compare the downloaded program is discarded and the current program file will continue to execute.)
- Generate a difference file between the current user program and the new modified program. (CRC signatures for each page and SIF are utilized in this process.)
- Compare the difference file generated by NetArrays Developer Studio with the difference file generated locally. (If the difference files do not compare the downloaded program is discarded and the current program file will continue to execute.)
- Transfer retentive marked variables from the current user program to the new modified program. Note: The values of variables that are marked as retentive will be transferred to the new program. Therefore, additions to the user application program shall be verified, if the retentive variables have the correct values in the currently executing program.
- Start execution of new modified program.

Note: After the online update, a functional test of the modified/changed functionality should be performed.
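The acceptance checks that the Node processor runs on a downloaded program can be modelled as below. This is an added example, not RTP or NetArrays code: the `Program` structure, the use of CRC-32 as the page signature, the variable names and the IP address are assumptions made for illustration.

```python
import zlib
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Diff = Dict[str, Tuple[Optional[int], Optional[int]]]


@dataclass
class Program:
    name: str
    master_ip: str
    pages: Dict[str, bytes]      # page/SIF name -> compiled logic (constructed bytes)
    initial: Dict[str, float]    # variable -> initial value
    retentive: Set[str] = field(default_factory=set)
    signatures: Dict[str, int] = field(default_factory=dict)

    def sign(self) -> "Program":
        # Assumption: CRC-32 stands in for the per-page CRC signature.
        self.signatures = {p: zlib.crc32(b) for p, b in self.pages.items()}
        return self


def difference(old: Program, new: Program) -> Diff:
    """Pages/SIFs whose signature changed, appeared or disappeared."""
    names = sorted(set(old.signatures) | set(new.signatures))
    return {n: (old.signatures.get(n), new.signatures.get(n))
            for n in names if old.signatures.get(n) != new.signatures.get(n)}


class NodeProcessor:
    def __init__(self, ip: str, program: Program) -> None:
        self.ip = ip
        self.program = program
        self.values = dict(program.initial)  # live variable values

    def online_update(self, new: Program, studio_diff: Diff) -> Tuple[bool, str]:
        """Run the checks in the listed order; any failure keeps the current program."""
        if new.master_ip != self.ip:
            return False, "IP address mismatch"
        if {p: zlib.crc32(b) for p, b in new.pages.items()} != new.signatures:
            return False, "CRC signature mismatch"
        if new.name != self.program.name:
            return False, "program name mismatch"
        # The diff the operator reviewed must equal the diff computed locally.
        if difference(self.program, new) != studio_diff:
            return False, "difference file mismatch"
        # Retentive variables keep their present values; everything else,
        # including newly added variables, starts at its initial value.
        values = dict(new.initial)
        for var in new.retentive & set(self.values):
            values[var] = self.values[var]
        self.program, self.values = new, values
        return True, "new program started"


def sample_programs() -> Tuple[Program, Program]:
    """Constructed current and modified programs; only 'page2' differs."""
    current = Program("unit1", "192.0.2.10",
                      {"page1": b"AND A B -> C", "page2": b"PID loop1 gain=2.0"},
                      {"totalizer": 0.0, "ramp": 0.0}, {"totalizer"}).sign()
    modified = Program("unit1", "192.0.2.10",
                       {"page1": b"AND A B -> C", "page2": b"PID loop1 gain=2.5"},
                       {"totalizer": 0.0, "ramp": 0.0, "new_limit": 40.0},
                       {"totalizer", "new_limit"}).sign()
    return current, modified


if __name__ == "__main__":
    cur, mod = sample_programs()
    node = NodeProcessor("192.0.2.10", cur)
    print(node.online_update(mod, difference(cur, mod)))
```

The local difference check is what ties the program that starts executing to the change list the operator approved: a file that differs from the reviewed one is discarded even when its own signatures are internally consistent.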

b) Explain how would you do the 2oo3, 1oo2, 3oo4 and 1oo1 logic in the software.

Up to 4 analog input values are used by signal validation to create a validated input, using one of the below user selected algorithms. All algorithms first check if the diagnostics for the configured input channels have any hardware errors. If the combination of the error status words indicates a possible failure, then the hardware channel is excluded from signal validation calculations. Any channel that is not in agreement with the median value by the value as configured in the Delta column is marked as a possible fault, excluded from the signal validation calculations, and the fault is annunciated. The below tables show how signal validation is done for INPUTS, and can also be used for any set of up to 4 internal program variables. Key differences in each algorithm are indicated in boldface type.

ANALOG SIGNAL VALIDATION:
| Algorithm | 4 ch avail | 3 ch avail (3oo4) | 2 ch avail (2oo3) | 1 ch avail (1oo2) | No ch avail (1oo1) |
|---|---|---|---|---|---|
| 4-3-2-1-0 /F /A | median value of the four channels determines the value in the Destination | median value of the three channels determines the value in the Destination | the average of the two channels is transferred into the value of the Destination | the value in this channel is transferred to the Destination | the value configured in the Destination is frozen and Status = bad. |
| 4-3-2-1-0 /V /A | median value of the four channels determines the value in the Destination | median value of the three channels determines the value in the Destination | the average of the two channels is transferred into the value of the Destination | the value in this channel is transferred to the Destination | value configured in Default is transferred to the Destination and Status = bad. |
| 4-3-2-1-0 /F /L | median value of the four channels determines the value in the Destination | median value of the three channels determines the value in the Destination | the lowest of the two channels is transferred into the value of the Destination | the value in this channel is transferred to the Destination | the value configured in the Destination is frozen and Status = bad. |
| 4-3-2-1-0 /V /L | median value of the four channels determines the value in the Destination | median value of the three channels determines the value in the Destination | the lowest of the two channels is transferred into the value of the Destination | the value in this channel is transferred to the Destination | value configured in Default is transferred to the Destination and Status = bad. |
| 4-3-2-1-0 /F /H | median value of the four channels determines the value in the Destination | median value of the three channels determines the value in the Destination | the highest of the two channels is transferred into the value of the Destination | the value in this channel is transferred to the Destination | the value configured in the Destination is frozen and Status = bad. |
| 4-3-2-1-0 /V /H | median value of the four channels determines the value in the Destination | median value of the three channels determines the value in the Destination | the highest of the two channels is transferred into the value of the Destination | the value in this channel is transferred to the Destination | value configured in Default is transferred to the Destination and Status = bad. |
| 4-3-2-0 /F /A | median value of the four channels determines the value in the Destination | median value of the three channels determines the value in the Destination | the average of the two channels is transferred into the value of the Destination | the value configured in the Destination is frozen and Status = bad. | the value configured in the Destination is frozen and Status = bad. |
| 4-3-2-0 /V /A | median value of the four channels determines the value in the Destination | median value of the three channels determines the value in the Destination | the average of the two channels is transferred into the value of the Destination | value configured in the Default column is transferred to the Destination and Status = bad. | value configured in Default is transferred to the Destination and Status = bad. |
| 4-3-2-0 /F /L | median value of the four channels determines the value in the Destination | median value of the three channels determines the value in the Destination | the lowest of the two channels is transferred into the value of the Destination | the value configured in the Destination is frozen and Status = bad. | the value configured in the Destination is frozen and Status = bad. |
| 4-3-2-0 /V /L | median value of the four channels determines the value in the Destination | median value of the three channels determines the value in the Destination | the lowest of the two channels is transferred into the value of the Destination | value configured in Default is transferred to the Destination and Status = bad. | value configured in Default is transferred to the Destination and Status = bad. |
| 4-3-2-0 /F /H | median value of the four channels determines the value in the Destination | median value of the three channels determines the value in the Destination | the highest of the two channels is transferred into the value of the Destination | the value configured in the Destination is frozen and Status = bad. | the value configured in the Destination is frozen and Status = bad. |
| 4-3-2-0 /V /H | median value of the four channels determines the value in the Destination | median value of the three channels determines the value in the Destination | the highest of the two channels is transferred into the value of the Destination | value configured in Default is transferred to the Destination and Status = bad. | value configured in Default is transferred to the Destination and Status = bad. |

BOOLEAN SIGNAL VALIDATION:


| Algorithm | 4 ch avail (3oo4) | 3 ch avail (2oo3) | 2 ch avail (1oo2) | 1 ch avail (1oo1) | No ch avail |
|---|---|---|---|---|---|
| 4-3-2-1-0 /F | 3 must agree to modify the value in the Destination | 2 must agree to modify the value in the Destination | both must agree to modify the value in the Destination or the Destination is frozen. | the value in this channel is transferred to the Destination | the value configured in the Destination is frozen and Status = bad. |
| 4-3-2-1-0 /V | 3 must agree to modify the value in the Destination | 2 must agree to modify the value in the Destination | both must agree to modify the value in the Destination or the Default value will be used to modify the Destination | the value in this channel is transferred to the Destination | value configured in Default is transferred to the Destination and Status = bad. |
| 4-3-2-0 /F | 3 must agree to modify the value in the Destination | 2 must agree to modify the value in the Destination | both must agree to modify the value in the Destination or the Destination is frozen. | the value configured in the Destination is frozen and Status = bad. | the value configured in the Destination is frozen and Status = bad. |
| 4-3-2-0 /V | 3 must agree to modify the value in the Destination | 2 must agree to modify the value in the Destination | both must agree to modify the value in the Destination or the Default value will be used to modify the Destination | value configured in the Default column is transferred to the Destination and Status = bad. | value configured in Default is transferred to the Destination and Status = bad. |
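The analog and Boolean signal validation tables above can be expressed as executable logic. This is an added example, not the NetArrays implementation: the `Channel` and `Result` types are hypothetical, and where the text is silent the code assumes a single Delta pass applied only when three or more channels are available, with the median of four taken as the mean of the two middle values.

```python
from dataclasses import dataclass, field
from statistics import median
from typing import List, Optional, Sequence, Tuple


@dataclass
class Channel:
    value: float        # Boolean channels carry True/False
    hw_ok: bool = True  # False when card diagnostics report a hardware error


@dataclass
class Result:
    value: float
    status_good: bool   # False only in the cells the tables mark "Status = bad"
    excluded: List[int] = field(default_factory=list)  # channel indexes left out


def parse_algorithm(name: str) -> Tuple[bool, str, Optional[str]]:
    """'4-3-2-1-0 /F /A' -> (single channel allowed, 'F' or 'V', 'A'/'L'/'H' or None)."""
    ladder, *flags = name.split()
    flags = [f.lstrip("/") for f in flags]
    mode = flags[1] if len(flags) > 1 else None
    if (ladder not in ("4-3-2-1-0", "4-3-2-0") or not flags
            or flags[0] not in ("F", "V") or mode not in (None, "A", "L", "H")):
        raise ValueError(f"unknown algorithm: {name!r}")
    return ladder == "4-3-2-1-0", flags[0], mode


def _fallback(kind: str, destination, default, excluded) -> Result:
    # /F freezes the Destination at its present value, /V loads the Default.
    return Result(destination if kind == "F" else default, False, sorted(excluded))


def validate_analog(algorithm: str, channels: Sequence[Channel], delta: float,
                    destination: float, default: float) -> Result:
    single_ok, kind, mode = parse_algorithm(algorithm)
    if mode is None or not 1 <= len(channels) <= 4:
        raise ValueError("analog validation needs /A, /L or /H and 1 to 4 channels")
    # Step 1: drop channels whose diagnostics report a hardware error.
    live = {i: c.value for i, c in enumerate(channels) if c.hw_ok}
    excluded = [i for i, c in enumerate(channels) if not c.hw_ok]
    # Step 2: drop channels further than Delta from the median (assumptions:
    # one pass, 3+ channels only, median of four = mean of the middle two).
    if len(live) >= 3:
        mid = median(live.values())
        for i in [i for i, v in live.items() if abs(v - mid) > delta]:
            excluded.append(i)
            del live[i]
    vals = sorted(live.values())
    # Step 3: pick the table column by the number of channels still available.
    if len(vals) >= 3:
        return Result(median(vals), True, sorted(excluded))
    if len(vals) == 2:
        pick = {"A": (vals[0] + vals[1]) / 2, "L": vals[0], "H": vals[1]}[mode]
        return Result(pick, True, sorted(excluded))
    if len(vals) == 1 and single_ok:
        return Result(vals[0], True, sorted(excluded))
    return _fallback(kind, destination, default, excluded)


def validate_boolean(algorithm: str, channels: Sequence[Channel],
                     destination: bool, default: bool) -> Result:
    single_ok, kind, _ = parse_algorithm(algorithm)
    live = [bool(c.value) for c in channels if c.hw_ok]
    excluded = [i for i, c in enumerate(channels) if not c.hw_ok]
    if len(live) >= 3:
        need = len(live) - 1  # 3 of 4 must agree, or 2 of 3
        for state in (True, False):
            if live.count(state) >= need:
                return Result(state, True, excluded)
        return Result(destination, True, excluded)  # 2-2 split: not modified
    if len(live) == 2:
        if live[0] == live[1]:
            return Result(live[0], True, excluded)
        # Disagreement: /F leaves the Destination frozen, /V applies the Default.
        return Result(destination if kind == "F" else default, True, excluded)
    if len(live) == 1 and single_ok:
        return Result(live[0], True, excluded)
    return _fallback(kind, destination, default, excluded)


if __name__ == "__main__":
    # Constructed readings: channel 3 reads far from the other three.
    readings = [Channel(100.0), Channel(100.4), Channel(99.8), Channel(250.0)]
    print(validate_analog("4-3-2-1-0 /F /A", readings, 2.0, 0.0, 0.0))
```

With two channels left, the /L and /H variants decide which direction the validated value leans, so the choice should match the direction in which the trip condition is reached.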

OUTPUTS are handled first in software and then in hardware. The Node Processor first compares the outputs resulting from the two solutions of the user logic for consistency, and flags itself as possibly bad if they do not compare, taking its outputs out of the next step. Next, the Chassis Processors compare the outputs from all of the Node Processors, again flagging and ignoring any one that is not consistent (3oo4 / 2oo3 / 1oo2, 1oo1 as appropriate). Any Node Processor that is inconsistent for 3 scans is taken off-line. The results of this are passed to the output cards by the Chassis Processor.

As covered above, the output cards use 3 pieces of information to decide to drive an output channel. The Normal and Inverted output states (X1 and X2) are used, but the safety switch (Xs) that is independently controlled by the diagnostics (the state will be off in the event of diagnostics failure) is essential to allow outputs to be energized. The safety switch can be disabled either by a diagnostics failure or from the user logic program that can command the outputs to be set to a safe state. X1 and X2 are the result of the computation done by the user application logic and are driven by separate PLDs on the Output card.

[Figure: 2oo2D output circuit with labels +V, X1, X2, Xs, Final Output Vote and Actuator]

Remember that there can be 3 output channels, each on a separate card, driving one actuator. All redundant output cards know they are part of a redundant group. For Digital outputs, the result of the above output vote drives the output. For analog outputs, if the output is a voltage output, one output card acts as the primary and the other one or two cards (connected to the same physical output point via the termination module) act as redundant back-ups. If the output is a current output, the cards share the load among them, each contributing a portion of the total current required. If one card is removed due to diagnostics failure or other reason, the remaining card(s) share the full output current.

c) While downloading a change in one control loop, only corresponding output should get affected. Other Control loops should work without any change. Is this possible in your software?

Yes. This is possible. Download with on-line updates will first generate a list of changes from the installed program versus the new program, ask you to review and approve the changes, and then load the new program into the RTP3000. For the first solve of the new program, all variables configured as retentive will retain their present values, all others will be set to their initial values. New variables added to the system, retentive or otherwise, will begin at their initial values. Initial values are user specified as part of the Properties of a variable or logic object.

d) Online changes shall be completely possible from engineering station alone without physically going to Control Sub-System. Would you confirm this? If yes, show it using a simulator package.

Confirmed, given that there is a path across the network from the Engineering workstation to the RTP3000 system. Each RTP3000 system will have an IP address that is configured as part of the program. NetArrays can select any reachable system and download (given that the password matches the one configured into the RTP3000 system) a program to it. Every system on which NetArrays is installed will also have a Node processor simulator installed as a system process (runs on start-up). It can be selected and a program loaded to it and run as if it were an RTP-3000 system reached across the network. The Simulator also has a breakpoint capability that allows the user to look at the ongoing logic solution when a certain set of conditions occurs.

e) While downloading the changes, configured parameters like Alarm settings and priority, PID settings, constants for calculation, timer values etc. shall be retained. Do you confirm this?

Confirmed. See above description of Download with on-line update (Software section, answer to question c.)

f) All software or firmware modules shall be TUV approved. Do you confirm this?

Confirmed. Per section 2.4 and 2.5 of revision 1.1 of the December 22, 2008 TUV Report on the Certificate for the Safety-Related Programmable System RTP-3000, the safety application programming software NetArrays Developer Studio is able to configure safety-related PES nodes and safety I/O modules and contains a SIL certified subset of the graphical programming languages. Per section 4.1.2, Responsibility of application programmed safety functions are within the scope of the developers.
