Safety Considerations Guide, Tricon v9.0 - Tuv-fs.com
Safety Considerations Guide, Tricon v9.0 - Tuv-fs.com Safety Considerations Guide, Tricon v9.0 - Tuv-fs.com
26 Guidelines for Tricon Controllers• The sending node must set the SENDFLG parameter in the send call to true(1) so that the sending node sends new data as soon as the acknowledgmentfor the last data is received from the receiving node.• The TR_USEND function block must include a diagnostic integer variablethat is incremented with each new send initiation so that the receiving nodecan check this variable for changes every time it receives new data. Thisnew variable should have a range of 1 to 65,565 where the value 1 is sentwith the first sample of data. When this variable reaches the limit of 65,565,the sending node should set this variable back to 1 for the next data transfer.This diagnostic variable is required because the communication path is nottriplicated like the I/O system.• The number of TR_USEND functions in an application must be less than orequal to five because the controller only initiates five TR_USEND functionsper scan. To send data as fast as possible, the TR_USEND function must beinitiated as soon as the acknowledgment for the last data is received fromthe receiving node.• The sending application must monitor the status of the TR_URCV andTR_PORT_STATUS functions to determine whether there is a networkproblem that requires operator intervention.Receiving NodeThe types of actions required in the logic of the receiving application are:• To transfer safety-critical data, the basic rule is that the receiving node mustreceive at least one sample of new data within the maximum time-out limit.If this does not happen, the application for the receiving node must take oneor more of the following actions, depending on requirements:– Use the last data received for safety-related decisions.– Use default values for safety-related decisions in the application.– Check the status of the TR_URCV and TR_PORT_STATUS functions tosee whether there is a network problem that requires operatorintervention.• The receiving node must monitor the diagnostic integer variable every timeit receives new data to determine whether this variable has changed fromlast time.• The receiving program must monitor the status of the TR_URCV andTR_PORT_STATUS functions to determine if there is a network problemthat requires operator intervention.Tricon Safety Considerations Guide
Guidelines for Tricon Controllers 27For information on data transfer time and examples of how to use Peer-to-Peerfunctions to transfer safety-critical data, see Appendix A, “Peer-to-PeerCommunication”.SIL3/AK5 GuidelinesFor SIL3/AK5 applications, the following guidelines should be followed:• If non-approved modules are used, the inputs and outputs should be checkedto verify that they do not affect safety-critical functions of the controller.• Two modes control write operations from external hosts:– Remote Mode—When the keyswitch setting is REMOTE, externalhosts, such as Modbus master, DCS, etc., can write to aliased variables inthe controller. When false, writes are prohibited.– Program Mode—When the keyswitch setting is PROGRAM, TriStationcan make program changes, including operations that modify thebehavior of the programs currently running. (For example, DownloadAll, Download Change, declaring variables, enabling/disablingvariables, changing values of variables and scan time, etc.)Remote mode and program mode are independent of each other. In safetyapplications, operation in these modes is not recommended. In other words,write operations to the controller from external hosts should be prohibited. Ifremote mode or program mode becomes true, the application programshould include the following safeguards:– When remote mode is true:• A program should turn on an alarm. For example, if using theTR_SHUTDOWN function block, the ALARM_REMOTE_ACCESSoutput could be used.• Aliased variables should be checked for adherence to the guidelinesdescribed in section “Maintenance Overrides” on page 32.– When program mode is true:• A program should turn on an alarm. For example, if using theTR_SHUTDOWN function block, theALARM_PROGRAMMING_PERMITTED output could be used.• Wiring and grounding procedures outlined in the Tricon Planning &Installation Guide should be followed.Chapter 2Application Guidelines
- Page 1 and 2: TriconVersion 9Safety Consideration
- Page 3: AcknowledgementTriconex acknowledge
- Page 6 and 7: viRelated DocumentsRelated Document
- Page 8 and 9: viiiHow to Contact TriconexHow to C
- Page 10: xTrainingFor Turbomachinery Systems
- Page 13 and 14: xiCONTENTSAbout This Guide ........
- Page 15 and 16: xiiiAnalog Input Module Alarms ....
- Page 17 and 18: CHAPTER 1Safety ConceptsThis chapte
- Page 19 and 20: Safety Overview 3Protection LayersT
- Page 21 and 22: Hazard and Risk Analysis 5Hazard an
- Page 23 and 24: Hazard and Risk Analysis 7Completio
- Page 25 and 26: Hazard and Risk Analysis 9Equation
- Page 27 and 28: Hazard and Risk Analysis 11Flowchar
- Page 29 and 30: Hazard and Risk Analysis 13Some key
- Page 31 and 32: Safety Standards 15Safety Standards
- Page 33 and 34: Safety Standards 17Application-Spec
- Page 35 and 36: CHAPTER 2Application GuidelinesThis
- Page 37 and 38: General Guidelines 21• Under cert
- Page 39 and 40: Guidelines for Tricon Controllers 2
- Page 41: Guidelines for Tricon Controllers 2
- Page 45 and 46: Guidelines for Tricon Controllers 2
- Page 47 and 48: Guidelines for Tricon Controllers 3
- Page 49 and 50: Guidelines for Tricon Controllers 3
- Page 51 and 52: Guidelines for Tricon Controllers 3
- Page 53 and 54: CHAPTER 3Fault ManagementThis chapt
- Page 55 and 56: System Diagnostics 39System Diagnos
- Page 57 and 58: Operating Modes 41Operating ModesEa
- Page 59 and 60: Module Diagnostics 43Module Diagnos
- Page 61 and 62: Module Diagnostics 45Relay Output M
- Page 63 and 64: Module Diagnostics 47System Attribu
- Page 65 and 66: CHAPTER 4Application DevelopmentThi
- Page 67 and 68: Important TriStation Commands 51Imp
- Page 69 and 70: Setting Scan Time 53Setting Scan Ti
- Page 71 and 72: Sample Safety-Shutdown Programs 55S
- Page 73 and 74: Sample Safety-Shutdown Programs 57I
- Page 75 and 76: Sample Safety-Shutdown Programs 59A
- Page 77 and 78: Sample Safety-Shutdown Programs 61P
- Page 79 and 80: Sample Safety-Shutdown Programs 63O
- Page 81 and 82: Sample Safety-Shutdown Programs 65D
- Page 83 and 84: Sample Safety-Shutdown Programs 67P
- Page 85 and 86: APPENDIX APeer-to-Peer Communicatio
- Page 87 and 88: Data Transfer Time 71ParameterTS =S
- Page 89 and 90: Examples of Peer-to-Peer Applicatio
- Page 91 and 92: TR_CRITICAL_IO Function Block 75TR_
26 <strong>Guide</strong>lines for <strong>Tricon</strong> Controllers• The sending node must set the SENDFLG parameter in the send call to true(1) so that the sending node sends new data as soon as the acknowledgmentfor the last data is received from the receiving node.• The TR_USEND function block must include a diagnostic integer variablethat is incremented with each new send initiation so that the receiving nodecan check this variable for changes every time it receives new data. Thisnew variable should have a range of 1 to 65,565 where the value 1 is sentwith the first sample of data. When this variable reaches the limit of 65,565,the sending node should set this variable back to 1 for the next data transfer.This diagnostic variable is required because the <strong>com</strong>munication path is nottriplicated like the I/O system.• The number of TR_USEND functions in an application must be less than orequal to five because the controller only initiates five TR_USEND functionsper scan. To send data as fast as possible, the TR_USEND function must beinitiated as soon as the acknowledgment for the last data is received fromthe receiving node.• The sending application must monitor the status of the TR_URCV andTR_PORT_STATUS functions to determine whether there is a networkproblem that requires operator intervention.Receiving NodeThe types of actions required in the logic of the receiving application are:• To transfer safety-critical data, the basic rule is that the receiving node mustreceive at least one sample of new data within the maximum time-out limit.If this does not happen, the application for the receiving node must take oneor more of the following actions, depending on requirements:– Use the last data received for safety-related decisions.– Use default values for safety-related decisions in the application.– Check the status of the TR_URCV and TR_PORT_STATUS functions tosee whether there is a network problem that requires operatorintervention.• The receiving node must monitor the diagnostic integer variable every timeit receives new data to determine whether this variable has changed fromlast time.• The receiving program must monitor the status of the TR_URCV andTR_PORT_STATUS functions to determine if there is a network problemthat requires operator intervention.<strong>Tricon</strong> <strong>Safety</strong> <strong>Considerations</strong> <strong>Guide</strong>