Safety Considerations Guide, Tricon v9.0 - Tuv-fs.com
Safety Considerations Guide, Tricon v9.0 - Tuv-fs.com Safety Considerations Guide, Tricon v9.0 - Tuv-fs.com
108 TR_SHUTDOWN Function Block* Example EX01_SHUTDOWN shows one way to check that* the safety system is operating within spec when* every module in the safety system is safety critical.* The example uses the Tricon Library function block* TR_SHUTDOWN - one instance named CRITICAL_MODULES.* The output CRITICAL_MODULES.OPERATING indicates* that all safety critical modules are operating* within spec. Input MAX_TIME_DUAL specifies the* maximum time allowed with two channels operating* (for example, 1500 hours).* Input MAX_TIME_SINGLE specifies the maximum time allowed* with only one channel operating (for example, 72 hours).* When CRITICAL_MODULES.OPERATING is FALSE,* the time in degraded operation exceeds the* specified limits -- therefore the control program* should shutdown the plant.** Excluding output voter faults and field faults -- TMR implies* three channels with no detected fatal errors, GE_DUAL implies* at least two channels with no detected fatal errors,* and GE_SINGLE implies at least one channel* with no detected fatal errors -- for every path* from a safety critical input to a safety critical output.* Detected output voter faults reduce TMR or GE_DUAL to GE_SINGLE.* (See example EX02_SHUTDOWN to improve availability* using relays and advanced programming techniques.)** The "TMR" output indicates TMR.* The "DUAL" output indicates GE_DUAL but not TMR.* The "SINGL" output indicates GE_SINGLE but not GE_DUAL.* The "ZERO" output indicates not GE_SINGLE.* The "TIMER_RUNNING" output indicates that* the time left to shutdown is decrementing.* The "TIME_LEFT" output indicates the time remaining before shutdown.** WARNING - the TR_SHUTDOWN function block* does not use detected field faults or* combinations of faults reported as field faults.* It is the responsibility of the application program* to use system variable NoFieldFault or FieldOK* to detect and respond to such faults.** To see how to create a user-defined function block* to improve availability, see the examples* in the help topic for TR_SHUTDOWN.** NOTE -- If IO_CO is false (for example, if you do not provide* a user-defined function block like the one in example EX02_SHUTDOWN),* then losing all three legs of an active IO module results in* a transition to "SINGL", not "ZERO".** Runtime Errors* EBADPARAM Bad parameter* CO=FALSE indicates a programming error.* See ERROR number parameter for details.*=F===============================================================================*)Tricon Safety Considerations Guide
TR_SHUTDOWN Function Block 109IF CI THENMP( CI := TRUE ) ;PROG( CI := TRUE ) ;SCAN( CI := TRUE ) ;ERROR := 0 ;IFMAX_TIME_DUAL < MAX_TIME_SINGLE ORMAX_TIME_DUAL < T#0S ORMAX_TIME_SINGLE < T#0S ORMAX_SCAN_TIME < T#0STHENERROR := 1 ;ELSIF IO_ERROR 0 THENERROR := 2 ;ELSIF NOT (MP.CO AND PROG.CO AND SCAN.CO) THENERROR := 3 ;END_IF ;CO := ERROR = 0 ;(* Get Status *)(* Check for programming errors. *)IF CO THENTMR := NOT MP.MPMAIN AND(NOT IO_CO AND NOT MP.IOMAINOR IO_CO AND IO_TMR);(* Summarize redundancy. *)GE_DUAL := NOT MP.MPBAD AND(NOT IO_CO AND NOT MP.IOBADOR IO_CO AND IO_GE_DUAL);GE_SINGLE :=(NOT IO_COOR IO_CO AND IO_GE_SINGLE);(* Update timers. *)DUAL_TIME( IN := NOT TMR, PT := MAX_TIME_DUAL ) ;SINGLE_TIME( IN := NOT GE_DUAL, PT := MAX_TIME_SINGLE ) ;(* Shutdown if excessive time in degraded operation. *)OPERATING :=GE_SINGLEAND NOT DUAL_TIME.QAND NOT SINGLE_TIME.Q;DUAL := GE_DUAL AND NOT TMR ;SINGL := GE_SINGLE AND NOT GE_DUAL ;ZERO := NOT GE_SINGLE ;(* Output current status. *)Appendix BShutdown Function Blocks
- Page 73 and 74: Sample Safety-Shutdown Programs 57I
- Page 75 and 76: Sample Safety-Shutdown Programs 59A
- Page 77 and 78: Sample Safety-Shutdown Programs 61P
- Page 79 and 80: Sample Safety-Shutdown Programs 63O
- Page 81 and 82: Sample Safety-Shutdown Programs 65D
- Page 83 and 84: Sample Safety-Shutdown Programs 67P
- Page 85 and 86: APPENDIX APeer-to-Peer Communicatio
- Page 87 and 88: Data Transfer Time 71ParameterTS =S
- Page 89 and 90: Examples of Peer-to-Peer Applicatio
- Page 91 and 92: TR_CRITICAL_IO Function Block 75TR_
- Page 93 and 94: TR_CRITICAL_IO Function Block 77Par
- Page 95 and 96: TR_CRITICAL_IO Function Block 79Str
- Page 97 and 98: TR_CRITICAL_IO Function Block 81CO
- Page 99 and 100: TR_SHUTDOWN Function Block 83Parame
- Page 101 and 102: TR_SHUTDOWN Function Block 85Relate
- Page 103 and 104: TR_SHUTDOWN Function Block 87* Exam
- Page 105 and 106: TR_SHUTDOWN Function Block 89TIMER_
- Page 107 and 108: TR_VOTE_MODE Function Block 91Param
- Page 109 and 110: TR_VOTE_MODE Function Block 93Appen
- Page 111 and 112: APPENDIX BShutdown Function BlocksT
- Page 113 and 114: TR_CRITICAL_IO Function Block 974 R
- Page 115 and 116: TR_CRITICAL_IO Function Block 99Rel
- Page 117 and 118: TR_CRITICAL_IO Function Block 101*
- Page 119 and 120: TR_SHUTDOWN Function Block 103TR_SH
- Page 121 and 122: TR_SHUTDOWN Function Block 105Param
- Page 123: TR_SHUTDOWN Function Block 107Struc
- Page 127 and 128: TR_VOTE_MODE Function Block 111TR_V
- Page 129 and 130: TR_VOTE_MODE Function Block 113Stru
- Page 131 and 132: Index 115IndexAactual scan time 53a
- Page 133 and 134: Index 117Modbus master functions 25
- Page 135 and 136: Index 119timescan 53TMR architectur
108 TR_SHUTDOWN Function Block* Example EX01_SHUTDOWN shows one way to check that* the safety system is operating within spec when* every module in the safety system is safety critical.* The example uses the <strong>Tricon</strong> Library function block* TR_SHUTDOWN - one instance named CRITICAL_MODULES.* The output CRITICAL_MODULES.OPERATING indicates* that all safety critical modules are operating* within spec. Input MAX_TIME_DUAL specifies the* maximum time allowed with two channels operating* (for example, 1500 hours).* Input MAX_TIME_SINGLE specifies the maximum time allowed* with only one channel operating (for example, 72 hours).* When CRITICAL_MODULES.OPERATING is FALSE,* the time in degraded operation exceeds the* specified limits -- therefore the control program* should shutdown the plant.** Excluding output voter faults and field faults -- TMR implies* three channels with no detected fatal errors, GE_DUAL implies* at least two channels with no detected fatal errors,* and GE_SINGLE implies at least one channel* with no detected fatal errors -- for every path* from a safety critical input to a safety critical output.* Detected output voter faults reduce TMR or GE_DUAL to GE_SINGLE.* (See example EX02_SHUTDOWN to improve availability* using relays and advanced programming techniques.)** The "TMR" output indicates TMR.* The "DUAL" output indicates GE_DUAL but not TMR.* The "SINGL" output indicates GE_SINGLE but not GE_DUAL.* The "ZERO" output indicates not GE_SINGLE.* The "TIMER_RUNNING" output indicates that* the time left to shutdown is decrementing.* The "TIME_LEFT" output indicates the time remaining before shutdown.** WARNING - the TR_SHUTDOWN function block* does not use detected field faults or* <strong>com</strong>binations of faults reported as field faults.* It is the responsibility of the application program* to use system variable NoFieldFault or FieldOK* to detect and respond to such faults.** To see how to create a user-defined function block* to improve availability, see the examples* in the help topic for TR_SHUTDOWN.** NOTE -- If IO_CO is false (for example, if you do not provide* a user-defined function block like the one in example EX02_SHUTDOWN),* then losing all three legs of an active IO module results in* a transition to "SINGL", not "ZERO".** Runtime Errors* EBADPARAM Bad parameter* CO=FALSE indicates a programming error.* See ERROR number parameter for details.*=F===============================================================================*)<strong>Tricon</strong> <strong>Safety</strong> <strong>Considerations</strong> <strong>Guide</strong>
Change language