Safety Considerations Guide, Tricon v9.0 - Tuv-fs.com

60 Sample Safety-Shutdown ProgramsSome I/O Modules Safety-CriticalFor some applications, not all modules may be critical to a process. For example,an output module that interfaces to the status indicators on a local panel is usuallynot critical to a process.The EX02_SHUTDOWN sample program shows how to increase systemavailability by detecting the status of safety-critical modules.The user-definedfunction block CRITICAL_IO checks the safety-critical I/O modules. TheCRITICAL_IO Outputs are connected to the inputs of the CRITICAL_MODULESfunction block. (The sample program is an element of project ExTUV.pt2 found onthe TriStation CD. The default location of the project is C:\ProgramFiles\Triconex\TS1131\_Tricon\Examples.)When the output CRITICAL_MODULES_OPERATING is true, all criticalmodules are operating properly. The input MAX_TIME_DUAL specifies themaximum time allowed with two channels operating (with no connection defaultsto 40000 days). The input MAX_TIME_SINGLE Specifies the maximum timeallowed with one channel operating (3 days in the example).Note In typical applications, continued operation in dual mode is restricted to1500 hours (two months).Continued operation in single mode is restricted to 72 hours for SIL/AK5 and onehour for SIL/AK6 guidelines.When CRITICAL_MODULES_OPERATING is false, the time in degradedoperation exceeds the specified limits; therefore, the control program should shutdown the plant.! CAUTIONThe EX02_SHUTDOWN sample program does not handle detected field faults,rare combinations of faults detected as field faults, or output voter faults hidden byfield faults. The application program, not the TR_SHUTDOWN function block,must read the NO_FLD_FLTS module status or FLD_OK point status to providethe required application-specific action.Tricon Safety Considerations Guide