Safety Considerations Guide for Triconex General ... - ICEWeb
Safety Considerations Guide for Triconex General ... - ICEWeb Safety Considerations Guide for Triconex General ... - ICEWeb
88 Appendix C Safety-Critical Function Blocks Library Trident and Tri-GP (TRDLIB) Structured Text FUNCTION_BLOCK SYS_SHUTDOWN VAR_INPUT CI : BOOL := TRUE ; (* Control in. *) IO_CO : BOOL ; (* Critical IO Control out. *) IO_TMR : BOOL ; (* Critical IO 3 channels operating. *) IO_GE_DUAL : BOOL ; (* Critical IO 2 or more channels operating. *) IO_GE_SINGLE : BOOL ; (* Critical IO 1 or more channels operating. *) IO_NO_VOTER_FLTS : BOOL ; (* No voter faults on critical modules. *) IO_ERROR : DINT ; (* Error number, not used. *) MAX_TIME_DUAL : TIME := T#40000d ; (* Max Time with only 2 channels. *) MAX_TIME_SINGLE : TIME := T#40000d ; (* Max Time with only 1 channel. *) MAX_SCAN_TIME : TIME := T#400ms ; (* 50% of Max Response Time. *) END_VAR VAR_OUTPUT CO : BOOL ; (* Control out. *) OPERATING : BOOL ; (* Shutdown if OPERATING=FALSE. *) TMR : BOOL ; (* Three channels operating. *) DUAL : BOOL ; (* Dual mode. *) SINGL : BOOL ; (* Single mode. *) ZERO : BOOL ; (* Zero mode. *) TIMER_RUNNING : BOOL ; (* Shutdown timer is running. *) TIME_LEFT : TIME ; (* Time remaining to shutdown. *) ALARM_PROGRAMMING_PERMITTED : BOOL ; (* Alarm -- download change. *) ALARM_REMOTE_ACCESS : BOOL ; (* Alarm -- remote host writes. *) ALARM_RESPONSE_TIME : BOOL ; (* Alarm -- exceed response time. *) ALARM_DISABLED_POINTS : BOOL ; (* Alarm -- some points disabled. *) ERROR : DINT ; (* Error number. *) (* * Error number: * 0 = No error. * 1 = Error in maximum time. * 2 = IO function block error - IO_ERROR is non-zero. * 3 = System status or MP status function block error. *) END_VAR VAR GE_DUAL : BOOL ; (* Two or more channels operating. *) GE_SINGLE : BOOL ; (* One or more channels operating. *) SYSTEM : SYS_SYSTEM_STATUS ; (* System status. *) MP : SYS_MP_STATUS ; (* MP status. *) MPX : SYS_MP_EXT_STATUS ; (* MP extended status. *) DUAL_TIME : TON ; (* Dual mode timer. *) SINGLE_TIME : TON ; (* Single mode timer. *) U : BOOL ; (* Unused Value. *) END_VAR (* *=F================================================================================ * FUNCTION_BLOCK: SYS_SHUTDOWN * Purpose: Implement TUV restrictions. * * Return: none * * Remarks: * * This example shows one way to check that Safety Considerations Guide for Triconex General Purpose v2 Systems
SYS_SHUTDOWN 89 * the safety system is operating within spec when * every module in the safety system is safety critical. * The example uses the Trident and Tri-GP Library function block * SYS_SHUTDOWN - one instance named CRITICAL_MODULES. * The output CRITICAL_MODULES.OPERATING indicates * that all safety critical modules are operating * within spec. Input MAX_TIME_DUAL specifies the * maximum time allowed with two channels operating * (for example, the default is 40000 days). * Input MAX_TIME_SINGLE specifies the maximum time allowed * with only one channel operating (for example, 3 days). * When CRITICAL_MODULES.OPERATING is FALSE, * the time in degraded operation exceeds the * specified limits -- therefore the control program * should shutdown the plant. * * Excluding output voter faults and field faults -- TMR implies * three channels with no detected fatal errors, GE_DUAL implies * at least two channels with no detected fatal errors, * and GE_SINGLE implies at least one channel * with no detected fatal errors -- for every path * from a safety critical input to a safety critical output. * Detected output voter faults reduce TMR or GE_DUAL to GE_SINGLE. * (See example EX02_SHUTDOWN to improve availability * using relays and advanced programming techniques.) * * The "TMR" output indicates TMR. * The "DUAL" output indicates GE_DUAL but not TMR. * The "SINGL" output indicates GE_SINGLE but not GE_DUAL. * The "ZERO" output indicates not GE_SINGLE. * The "TIMER_RUNNING" output indicates that * the time left to shutdown is decrementing. * The "TIME_LEFT" output indicates the time remaining before shutdown. * * WARNING - the SYS_SHUTDOWN function block * does not use detected field faults or * combinations of faults reported as field faults. * It is the responsibility of the application * to use system variable NoFieldFault or FieldOK * to detect and respond to such faults. * * To see how to create a user-defined function block * to improve availability, see the examples * in the help topic for SYS_SHUTDOWN. * * Runtime Errors * EBADPARAM Bad parameter * CO=FALSE indicates a programming error. * See ERROR number parameter for details. *=F=============================================================================== *) IF CI THEN SYSTEM( CI := TRUE ) ; MP( CI := TRUE ) ; MPX( CI := TRUE ) ; ERROR := 0 ; IF MAX_TIME_DUAL < MAX_TIME_SINGLE OR MAX_TIME_DUAL < T#0S OR (* Get Status *) (* Check for programming errors. *) Safety Considerations Guide for Triconex General Purpose v2 Systems
- Page 47 and 48: Module Diagnostics 37 Analog Output
- Page 49 and 50: Module Diagnostics 39 Calculation f
- Page 51 and 52: Module Diagnostics 41 External Comm
- Page 53 and 54: 4 Application Development Developme
- Page 55 and 56: Development Guidelines 45 Array Ind
- Page 57 and 58: Setting Scan Time 47 application. T
- Page 59 and 60: Sample Safety-Shutdown Programs 49
- Page 61 and 62: Sample Safety-Shutdown Programs 51
- Page 63 and 64: Sample Safety-Shutdown Programs 53
- Page 65 and 66: Sample Safety-Shutdown Programs 55
- Page 67 and 68: Sample Safety-Shutdown Programs 57
- Page 69 and 70: Alarm Usage 59 Alarm Usage To imple
- Page 71 and 72: A Triconex Peer-to-Peer Communicati
- Page 73 and 74: Data Transfer Time 63 Data Transfer
- Page 75 and 76: Data Transfer Time 65 A typical dat
- Page 77 and 78: Examples of Peer-to-Peer Applicatio
- Page 79 and 80: B HART Communication Overview 70 HA
- Page 81 and 82: HART Position Paper from TÜV Rhein
- Page 83 and 84: HART Position Paper from TÜV Rhein
- Page 85 and 86: HART Position Paper from TÜV Rhein
- Page 87 and 88: HART Position Paper from TÜV Rhein
- Page 89 and 90: C Safety-Critical Function Blocks O
- Page 91 and 92: SYS_CRITICAL_IO 81 SYS_CRITICAL_IO
- Page 93 and 94: SYS_CRITICAL_IO 83 Library Trident
- Page 95 and 96: SYS_CRITICAL_IO 85 END_IF ; PREVIOU
- Page 97: SYS_SHUTDOWN 87 Output Parameters (
- Page 101 and 102: SYS_SHUTDOWN 91 ALARM_DISABLED_POIN
- Page 103 and 104: SYS_VOTE_MODE 93 Example For shutdo
- Page 105 and 106: Index A abbreviations, list of viii
- Page 107 and 108: Index 97 N NFPA 85 12 O operating m
- Page 110: Invensys Operations Management 5601
SYS_SHUTDOWN 89<br />
* the safety system is operating within spec when<br />
* every module in the safety system is safety critical.<br />
* The example uses the Trident and Tri-GP Library function block<br />
* SYS_SHUTDOWN - one instance named CRITICAL_MODULES.<br />
* The output CRITICAL_MODULES.OPERATING indicates<br />
* that all safety critical modules are operating<br />
* within spec. Input MAX_TIME_DUAL specifies the<br />
* maximum time allowed with two channels operating<br />
* (<strong>for</strong> example, the default is 40000 days).<br />
* Input MAX_TIME_SINGLE specifies the maximum time allowed<br />
* with only one channel operating (<strong>for</strong> example, 3 days).<br />
* When CRITICAL_MODULES.OPERATING is FALSE,<br />
* the time in degraded operation exceeds the<br />
* specified limits -- there<strong>for</strong>e the control program<br />
* should shutdown the plant.<br />
*<br />
* Excluding output voter faults and field faults -- TMR implies<br />
* three channels with no detected fatal errors, GE_DUAL implies<br />
* at least two channels with no detected fatal errors,<br />
* and GE_SINGLE implies at least one channel<br />
* with no detected fatal errors -- <strong>for</strong> every path<br />
* from a safety critical input to a safety critical output.<br />
* Detected output voter faults reduce TMR or GE_DUAL to GE_SINGLE.<br />
* (See example EX02_SHUTDOWN to improve availability<br />
* using relays and advanced programming techniques.)<br />
*<br />
* The "TMR" output indicates TMR.<br />
* The "DUAL" output indicates GE_DUAL but not TMR.<br />
* The "SINGL" output indicates GE_SINGLE but not GE_DUAL.<br />
* The "ZERO" output indicates not GE_SINGLE.<br />
* The "TIMER_RUNNING" output indicates that<br />
* the time left to shutdown is decrementing.<br />
* The "TIME_LEFT" output indicates the time remaining be<strong>for</strong>e shutdown.<br />
*<br />
* WARNING - the SYS_SHUTDOWN function block<br />
* does not use detected field faults or<br />
* combinations of faults reported as field faults.<br />
* It is the responsibility of the application<br />
* to use system variable NoFieldFault or FieldOK<br />
* to detect and respond to such faults.<br />
*<br />
* To see how to create a user-defined function block<br />
* to improve availability, see the examples<br />
* in the help topic <strong>for</strong> SYS_SHUTDOWN.<br />
*<br />
* Runtime Errors<br />
* EBADPARAM Bad parameter<br />
* CO=FALSE indicates a programming error.<br />
* See ERROR number parameter <strong>for</strong> details.<br />
*=F===============================================================================<br />
*)<br />
IF CI THEN<br />
SYSTEM( CI := TRUE ) ;<br />
MP( CI := TRUE ) ;<br />
MPX( CI := TRUE ) ;<br />
ERROR := 0 ;<br />
IF<br />
MAX_TIME_DUAL < MAX_TIME_SINGLE OR<br />
MAX_TIME_DUAL < T#0S OR<br />
(* Get Status *)<br />
(* Check <strong>for</strong> programming errors. *)<br />
<strong>Safety</strong> <strong>Considerations</strong> <strong>Guide</strong> <strong>for</strong> <strong>Triconex</strong> <strong>General</strong> Purpose v2 Systems
Change language