Safety Considerations Guide for Trident v2 Systems - TUV ...
Safety Considerations Guide for Trident v2 Systems - TUV ... Safety Considerations Guide for Trident v2 Systems - TUV ...
90 Appendix C Safety-Critical Function Blocks Library Trident and Tri-GP (TRDLIB) Structured Text FUNCTION_BLOCK SYS_SHUTDOWN VAR_INPUT CI : BOOL := TRUE ; (* Control in. *) IO_CO : BOOL ; (* Critical IO Control out. *) IO_TMR : BOOL ; (* Critical IO 3 channels operating. *) IO_GE_DUAL : BOOL ; (* Critical IO 2 or more channels operating. *) IO_GE_SINGLE : BOOL ; (* Critical IO 1 or more channels operating. *) IO_NO_VOTER_FLTS : BOOL ; (* No voter faults on critical modules. *) IO_ERROR : DINT ; (* Error number, not used. *) MAX_TIME_DUAL : TIME := T#40000d ; (* Max Time with only 2 channels. *) MAX_TIME_SINGLE : TIME := T#40000d ; (* Max Time with only 1 channel. *) MAX_SCAN_TIME : TIME := T#400ms ; (* 50% of Max Response Time. *) END_VAR VAR_OUTPUT CO : BOOL ; (* Control out. *) OPERATING : BOOL ; (* Shutdown if OPERATING=FALSE. *) TMR : BOOL ; (* Three channels operating. *) DUAL : BOOL ; (* Dual mode. *) SINGL : BOOL ; (* Single mode. *) ZERO : BOOL ; (* Zero mode. *) TIMER_RUNNING : BOOL ; (* Shutdown timer is running. *) TIME_LEFT : TIME ; (* Time remaining to shutdown. *) ALARM_PROGRAMMING_PERMITTED : BOOL ; (* Alarm -- download change. *) ALARM_REMOTE_ACCESS : BOOL ; (* Alarm -- remote host writes. *) ALARM_RESPONSE_TIME : BOOL ; (* Alarm -- exceed response time. *) ALARM_DISABLED_POINTS : BOOL ; (* Alarm -- some points disabled. *) ERROR : DINT ; (* Error number. *) (* * Error number: * 0 = No error. * 1 = Error in maximum time. * 2 = IO function block error - IO_ERROR is non-zero. * 3 = System status or MP status function block error. *) END_VAR VAR GE_DUAL : BOOL ; (* Two or more channels operating. *) GE_SINGLE : BOOL ; (* One or more channels operating. *) SYSTEM : SYS_SYSTEM_STATUS ; (* System status. *) MP : SYS_MP_STATUS ; (* MP status. *) MPX : SYS_MP_EXT_STATUS ; (* MP extended status. *) DUAL_TIME : TON ; (* Dual mode timer. *) SINGLE_TIME : TON ; (* Single mode timer. *) U : BOOL ; (* Unused Value. *) END_VAR (* *=F================================================================================ * FUNCTION_BLOCK: SYS_SHUTDOWN * Purpose: Implement TUV restrictions. * * Return: none * * Remarks: * * This example shows one way to check that Safety Considerations Guide for Trident v2 Systems
SYS_SHUTDOWN 91 * the safety system is operating within spec when * every module in the safety system is safety critical. * The example uses the Trident and Tri-GP Library function block * SYS_SHUTDOWN - one instance named CRITICAL_MODULES. * The output CRITICAL_MODULES.OPERATING indicates * that all safety critical modules are operating * within spec. Input MAX_TIME_DUAL specifies the * maximum time allowed with two channels operating * (for example, the default is 40000 days). * Input MAX_TIME_SINGLE specifies the maximum time allowed * with only one channel operating (for example, 3 days). * When CRITICAL_MODULES.OPERATING is FALSE, * the time in degraded operation exceeds the * specified limits -- therefore the control program * should shutdown the plant. * * Excluding output voter faults and field faults -- TMR implies * three channels with no detected fatal errors, GE_DUAL implies * at least two channels with no detected fatal errors, * and GE_SINGLE implies at least one channel * with no detected fatal errors -- for every path * from a safety critical input to a safety critical output. * Detected output voter faults reduce TMR or GE_DUAL to GE_SINGLE. * (See example EX02_SHUTDOWN to improve availability * using relays and advanced programming techniques.) * * The "TMR" output indicates TMR. * The "DUAL" output indicates GE_DUAL but not TMR. * The "SINGL" output indicates GE_SINGLE but not GE_DUAL. * The "ZERO" output indicates not GE_SINGLE. * The "TIMER_RUNNING" output indicates that * the time left to shutdown is decrementing. * The "TIME_LEFT" output indicates the time remaining before shutdown. * * WARNING - the SYS_SHUTDOWN function block * does not use detected field faults or * combinations of faults reported as field faults. * It is the responsibility of the application * to use system variable NoFieldFault or FieldOK * to detect and respond to such faults. * * To see how to create a user-defined function block * to improve availability, see the examples * in the help topic for SYS_SHUTDOWN. * * Runtime Errors * EBADPARAM Bad parameter * CO=FALSE indicates a programming error. * See ERROR number parameter for details. *=F=============================================================================== *) IF CI THEN SYSTEM( CI := TRUE ) ; MP( CI := TRUE ) ; MPX( CI := TRUE ) ; ERROR := 0 ; IF MAX_TIME_DUAL < MAX_TIME_SINGLE OR MAX_TIME_DUAL < T#0S OR (* Get Status *) (* Check for programming errors. *) Safety Considerations Guide for Trident v2 Systems
- Page 49 and 50: Analog Output (AO) Modules Module D
- Page 51 and 52: Calculation for Diagnostic Fault Re
- Page 53 and 54: External Communication Module Diagn
- Page 55 and 56: 4 Application Development Developme
- Page 57 and 58: Array Index Errors Infinite Loops D
- Page 59 and 60: Setting Scan Time 49 application. T
- Page 61 and 62: Sample Safety-Shutdown Programs Sam
- Page 63 and 64: Sample Safety-Shutdown Programs 53
- Page 65 and 66: When Some I/O Modules Are Safety-Cr
- Page 67 and 68: Sample Safety-Shutdown Programs 57
- Page 69 and 70: Partitioned Processes Sample Safety
- Page 71 and 72: Alarm Usage Alarm Usage 61 To imple
- Page 73 and 74: A Triconex Peer-to-Peer Communicati
- Page 75 and 76: Data Transfer Time Data Transfer Ti
- Page 77 and 78: Data Transfer Time 67 A typical dat
- Page 79 and 80: Examples of Peer-to-Peer Applicatio
- Page 81 and 82: B HART Communication Overview 72 HA
- Page 83 and 84: 2008-04-01 Automation, Software and
- Page 85 and 86: 2008-04-01 HART Position Paper from
- Page 87 and 88: 2008-04-01 A possible impact to the
- Page 89 and 90: 2008-04-01 HART Position Paper from
- Page 91 and 92: C Safety-Critical Function Blocks O
- Page 93 and 94: SYS_CRITICAL_IO Accumulates the sta
- Page 95 and 96: Library Trident and Tri-GP (TRDLIB)
- Page 97 and 98: END_IF ; PREVIOUS_RESET := RESET ;
- Page 99: Output Parameters (continued) Name
- Page 103 and 104: ALARM_DISABLED_POINTS := MPX.POINTS
- Page 105 and 106: Example For shutdown examples, see
- Page 107 and 108: A abbreviations, list of viii actua
- Page 109 and 110: message errors, external communicat
- Page 112: Invensys Operations Management 5601
SYS_SHUTDOWN 91<br />
* the safety system is operating within spec when<br />
* every module in the safety system is safety critical.<br />
* The example uses the <strong>Trident</strong> and Tri-GP Library function block<br />
* SYS_SHUTDOWN - one instance named CRITICAL_MODULES.<br />
* The output CRITICAL_MODULES.OPERATING indicates<br />
* that all safety critical modules are operating<br />
* within spec. Input MAX_TIME_DUAL specifies the<br />
* maximum time allowed with two channels operating<br />
* (<strong>for</strong> example, the default is 40000 days).<br />
* Input MAX_TIME_SINGLE specifies the maximum time allowed<br />
* with only one channel operating (<strong>for</strong> example, 3 days).<br />
* When CRITICAL_MODULES.OPERATING is FALSE,<br />
* the time in degraded operation exceeds the<br />
* specified limits -- there<strong>for</strong>e the control program<br />
* should shutdown the plant.<br />
*<br />
* Excluding output voter faults and field faults -- TMR implies<br />
* three channels with no detected fatal errors, GE_DUAL implies<br />
* at least two channels with no detected fatal errors,<br />
* and GE_SINGLE implies at least one channel<br />
* with no detected fatal errors -- <strong>for</strong> every path<br />
* from a safety critical input to a safety critical output.<br />
* Detected output voter faults reduce TMR or GE_DUAL to GE_SINGLE.<br />
* (See example EX02_SHUTDOWN to improve availability<br />
* using relays and advanced programming techniques.)<br />
*<br />
* The "TMR" output indicates TMR.<br />
* The "DUAL" output indicates GE_DUAL but not TMR.<br />
* The "SINGL" output indicates GE_SINGLE but not GE_DUAL.<br />
* The "ZERO" output indicates not GE_SINGLE.<br />
* The "TIMER_RUNNING" output indicates that<br />
* the time left to shutdown is decrementing.<br />
* The "TIME_LEFT" output indicates the time remaining be<strong>for</strong>e shutdown.<br />
*<br />
* WARNING - the SYS_SHUTDOWN function block<br />
* does not use detected field faults or<br />
* combinations of faults reported as field faults.<br />
* It is the responsibility of the application<br />
* to use system variable NoFieldFault or FieldOK<br />
* to detect and respond to such faults.<br />
*<br />
* To see how to create a user-defined function block<br />
* to improve availability, see the examples<br />
* in the help topic <strong>for</strong> SYS_SHUTDOWN.<br />
*<br />
* Runtime Errors<br />
* EBADPARAM Bad parameter<br />
* CO=FALSE indicates a programming error.<br />
* See ERROR number parameter <strong>for</strong> details.<br />
*=F===============================================================================<br />
*)<br />
IF CI THEN<br />
SYSTEM( CI := TRUE ) ;<br />
MP( CI := TRUE ) ;<br />
MPX( CI := TRUE ) ;<br />
ERROR := 0 ;<br />
IF<br />
MAX_TIME_DUAL < MAX_TIME_SINGLE OR<br />
MAX_TIME_DUAL < T#0S OR<br />
(* Get Status *)<br />
(* Check <strong>for</strong> programming errors. *)<br />
<strong>Safety</strong> <strong>Considerations</strong> <strong>Guide</strong> <strong>for</strong> <strong>Trident</strong> <strong>v2</strong> <strong>Systems</strong>