Safety Considerations Guide, Tricon v9.0 - Tuv-fs.com

More documents

Recommendations

Info

40 Types of FaultsTypes of FaultsExternal FaultsA controller is subject to external faults and internal faults, which are reported bythe:• Status indicators on a module’s front panels• Diagnostic Panel in TriStation• System attributes on the Control Panel in TriStationA controller may experience the following types of external faults:• Logic power faults• Field power faults• Load or fuse faultsWhen an external fault occurs, the controller asserts an alarms. How the alarm iscommunicated is module-specific. In some cases, a yellow alarm indicator isprovided on the module. For example, a Load/Fuse alarm is provided on digitaloutput modules. In most cases, the System alarm is asserted, and the System alarmindicators on the Main Chassis Power Modules are lit. The Diagnostic Panel inTriStation identifies the faulting module by displaying a red frame around it. Forinstructions on responding to specific alarm conditions, see the Tricon Planningand Installation Guide.Internal FaultsInternal faults are usually isolated to one of the controller’s three channels (A, B orC). When an internal fault occurs on one of the three channels, the remaining twohealthy channels maintain full control. Depending on the type of fault, thecontroller either remains in TMR mode or degrades to dual mode for the systemcomponent that is affected by the fault. For more information of on operatingmodes, see “Operating Modes” on page 41.When an internal fault occurs, the controller lights the red Fault indicator on thefaulting module and the System alarm on the Main Chassis Power Modules to alertthe operator to replace the faulting module.Tricon Safety Considerations Guide
Operating Modes 41Operating ModesEach input or output point is considered to operate in Triple Modular Redundant,dual, or single mode.The current mode indicates the number of channelscontrolling a point; in other words, the number of channels controlling the outputor having confidence in the input. System variables summarize the status of inputand output points. For safety reasons, system mode is defined as the mode of thepoint controlled by the fewest number of channels. When a safety-critical point isin dual or single mode, the application may need to shut down the controlledprocess within a pre-determined time.A user can further simplify and customize shutdown logic using special functionblocks provided by Triconex. By considering only faults in safety-critical modules,system availability can be improved. For more information, see Appendix A,“Peer-to-Peer Communication.”While operating in TMR mode, the process is protected each scan from the effectof a single safety-critical system fault. The system can also tolerate multiple faultsand continue to operate correctly unless the combined effects of multiple faultsaffects the same point on multiple channels. If a system fault occurs, the loss ofredundancy causes an increased probability-of-failure-on-demand. To keep thePFD within industry-acceptable guidelines, adherence with the recommendedmaximum operating period of 1500 hours in dual mode and 72 hours (SIL3/AK5)or 1 hour (SIL3/AK6) in single mode should be observed.A safety-critical fault is defined as a fault that can affect the ability of the systemto correctly control outputs, including:• Inability to detect a change of state on a digital input point.• Inability to detect a change of value on an analog input point.• Inability to change the state of a digital output point.• Inability of the system to:– Read each input point– Vote the correct value of each input– Execute the control program– Determine the state of each output point correctlyChapter 3Fault Management
Page 1 and 2:
TriconVersion 9Safety Consideration
Page 3:
AcknowledgementTriconex acknowledge
Page 6 and 7: viRelated DocumentsRelated Document
Page 8 and 9: viiiHow to Contact TriconexHow to C
Page 10: xTrainingFor Turbomachinery Systems
Page 13 and 14: xiCONTENTSAbout This Guide ........
Page 15 and 16: xiiiAnalog Input Module Alarms ....
Page 17 and 18: CHAPTER 1Safety ConceptsThis chapte
Page 19 and 20: Safety Overview 3Protection LayersT
Page 21 and 22: Hazard and Risk Analysis 5Hazard an
Page 23 and 24: Hazard and Risk Analysis 7Completio
Page 25 and 26: Hazard and Risk Analysis 9Equation
Page 27 and 28: Hazard and Risk Analysis 11Flowchar
Page 29 and 30: Hazard and Risk Analysis 13Some key
Page 31 and 32: Safety Standards 15Safety Standards
Page 33 and 34: Safety Standards 17Application-Spec
Page 35 and 36: CHAPTER 2Application GuidelinesThis
Page 37 and 38: General Guidelines 21• Under cert
Page 39 and 40: Guidelines for Tricon Controllers 2
Page 53 and 54: CHAPTER 3Fault ManagementThis chapt
Page 55: System Diagnostics 39System Diagnos
Page 59 and 60: Module Diagnostics 43Module Diagnos
Page 61 and 62: Module Diagnostics 45Relay Output M
Page 63 and 64: Module Diagnostics 47System Attribu
Page 65 and 66: CHAPTER 4Application DevelopmentThi
Page 67 and 68: Important TriStation Commands 51Imp
Page 69 and 70: Setting Scan Time 53Setting Scan Ti
Page 71 and 72: Sample Safety-Shutdown Programs 55S
Page 73 and 74: Sample Safety-Shutdown Programs 57I
Page 75 and 76: Sample Safety-Shutdown Programs 59A
Page 77 and 78: Sample Safety-Shutdown Programs 61P
Page 79 and 80: Sample Safety-Shutdown Programs 63O
Page 81 and 82: Sample Safety-Shutdown Programs 65D
Page 83 and 84: Sample Safety-Shutdown Programs 67P
Page 85 and 86: APPENDIX APeer-to-Peer Communicatio
Page 87 and 88: Data Transfer Time 71ParameterTS =S
Page 89 and 90: Examples of Peer-to-Peer Applicatio
Page 91 and 92: TR_CRITICAL_IO Function Block 75TR_
Page 93 and 94: TR_CRITICAL_IO Function Block 77Par
Page 95 and 96: TR_CRITICAL_IO Function Block 79Str
Page 97 and 98: TR_CRITICAL_IO Function Block 81CO
Page 99 and 100: TR_SHUTDOWN Function Block 83Parame
Page 101 and 102: TR_SHUTDOWN Function Block 85Relate
Page 103 and 104: TR_SHUTDOWN Function Block 87* Exam
Page 105 and 106: TR_SHUTDOWN Function Block 89TIMER_
Page 107 and 108:
TR_VOTE_MODE Function Block 91Param
Page 109 and 110:
TR_VOTE_MODE Function Block 93Appen
Page 111 and 112:
APPENDIX BShutdown Function BlocksT
Page 113 and 114:
TR_CRITICAL_IO Function Block 974 R
Page 115 and 116:
TR_CRITICAL_IO Function Block 99Rel
Page 117 and 118:
TR_CRITICAL_IO Function Block 101*
Page 119 and 120:
TR_SHUTDOWN Function Block 103TR_SH
Page 121 and 122:
TR_SHUTDOWN Function Block 105Param
Page 123 and 124:
TR_SHUTDOWN Function Block 107Struc
Page 125 and 126:
TR_SHUTDOWN Function Block 109IF CI
Page 127 and 128:
TR_VOTE_MODE Function Block 111TR_V
Page 129 and 130:
TR_VOTE_MODE Function Block 113Stru
Page 131 and 132:
Index 115IndexAactual scan time 53a
Page 133 and 134:
Index 117Modbus master functions 25
Page 135 and 136:
Index 119timescan 53TMR architectur
show all

Safety Considerations Guide, Tricon v9.0 - Tuv-fs.com

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?