Safety Considerations Guide for Trident v2 Systems - TUV ...
Safety Considerations Guide for Trident v2 Systems - TUV ... Safety Considerations Guide for Trident v2 Systems - TUV ...
36 Chapter 3 Fault Management Types of Faults External Faults Internal Faults A controller is subject to both external faults and internal faults, which are reported by: • The status indicators on a module’s front panels • The Triconex Enhanced Diagnostic Monitor • System attributes on the Controller Panel in the TriStation 1131 software A controller may experience the following types of external faults: • Logic power faults • Field power faults • Load or fuse faults When an external fault occurs, the controller illuminates the yellow indicator on the faulting I/O module and the Field Power or Logic Power alarm indicators on the Main Processors and the System Alarm. The Triconex Enhanced Diagnostic Monitor identifies the faulting module by displaying a red frame around it. When these conditions occur, the faulting module’s power supplies and wiring should be examined. Internal faults are usually isolated to one of the controller’s three channels (A, B, or C). When an internal fault occurs on one of the three channels, the remaining two healthy channels maintain full control. Depending on the type of fault, the controller either remains in TMR mode or degrades to dual mode for the system component that is affected by the fault. For more information about operating modes, see Operating Modes on page 37. When an internal fault occurs, the controller illuminates the red Fault indicator on the faulting I/O module and the System alarm on the Main Processors to alert the operator to replace the faulting module. Safety Considerations Guide for Trident v2 Systems
Operating Modes Each input or output point is considered to operate in one of four modes: • Triple Modular Redundant • Single mode • Dual mode • Zero mode Operating Modes 37 The current mode indicates the number of channels controlling a point; in other words, controlling the output or having confidence in the input. For safety reasons, system mode is defined as the mode of the point controlled by the least number of channels. System variables summarize the status of input and output points. When a safety-critical point is in zero mode, the application should shut down the controlled process. You can further simplify and customize shutdown logic by using special function blocks provided by Triconex. By considering only faults in safety-critical modules, system availability can be improved. Using shutdown function blocks is essential to preventing potential false trips in dual mode and to guaranteeing fail-safe operation in single mode. For more information, see Appendix C, Safety-Critical Function Blocks. A safety-critical fault is defined as a fault that prevents the system from executing the safety function on demand. Safety-critical faults include: • Inability to detect a change of state on a digital input point The controller’s diagnostics verify the ability to detect changes of state independently for each channel, typically every 500 milliseconds. For more information on fault reporting time, see Calculation for Diagnostic Fault Reporting Time on page 41. • Inability to detect a change of value on an analog input point The controller’s diagnostics verify the ability to detect changes of value independently for each channel, typically every 500 milliseconds. For more information on fault reporting time, see Calculation for Diagnostic Fault Reporting Time on page 41. • Inability to change the state of a digital output point The controller’s diagnostics verify the ability to control the state of each output point. • Inability of the system to: — Read each input point — Vote the correct value of each input — Execute the control application — Determine the state of each output point correctly The controller’s diagnostics verify the correct operation of all data paths between the I/O modules and the MPs for each channel independently, typically every 500 milliseconds. For more information on fault reporting time, see Calculation for Diagnostic Fault Reporting Time on page 41. Safety Considerations Guide for Trident v2 Systems
- Page 1 and 2: Trident v2 Systems Safety Considera
- Page 3 and 4: Contents Preface vii Summary of Sec
- Page 5 and 6: Contents v Partitioned Processes. .
- Page 7 and 8: Preface This guide provides informa
- Page 9 and 10: • All other requests are handled
- Page 11 and 12: 1 Safety Concepts Overview 2 Hazard
- Page 13 and 14: Protection Layers Methods that prov
- Page 15 and 16: Hazard and Risk Analysis Hazard and
- Page 17 and 18: Sample SIL Calculation Hazard and R
- Page 19 and 20: Safety Life Cycle Model Hazard and
- Page 21 and 22: Hazard and Risk Analysis 11 • Eac
- Page 23 and 24: CAN/CSA-C22.2 No. 61010-1-04 Safety
- Page 25 and 26: 2 Application Guidelines Overview 1
- Page 27 and 28: General Guidelines This section des
- Page 29 and 30: General Guidelines 19 Safety Measur
- Page 31 and 32: Emergency Shutdown Systems The safe
- Page 33 and 34: Safety-Shutdown Guidelines for Tric
- Page 35 and 36: Guidelines for Triconex Controllers
- Page 37 and 38: Guidelines for Triconex Controllers
- Page 39 and 40: Guidelines for Triconex Controllers
- Page 41 and 42: Guidelines for Triconex Controllers
- Page 43 and 44: 3 Fault Management Overview 34 Syst
- Page 45: System Diagnostics System Diagnosti
- Page 49 and 50: Analog Output (AO) Modules Module D
- Page 51 and 52: Calculation for Diagnostic Fault Re
- Page 53 and 54: External Communication Module Diagn
- Page 55 and 56: 4 Application Development Developme
- Page 57 and 58: Array Index Errors Infinite Loops D
- Page 59 and 60: Setting Scan Time 49 application. T
- Page 61 and 62: Sample Safety-Shutdown Programs Sam
- Page 63 and 64: Sample Safety-Shutdown Programs 53
- Page 65 and 66: When Some I/O Modules Are Safety-Cr
- Page 67 and 68: Sample Safety-Shutdown Programs 57
- Page 69 and 70: Partitioned Processes Sample Safety
- Page 71 and 72: Alarm Usage Alarm Usage 61 To imple
- Page 73 and 74: A Triconex Peer-to-Peer Communicati
- Page 75 and 76: Data Transfer Time Data Transfer Ti
- Page 77 and 78: Data Transfer Time 67 A typical dat
- Page 79 and 80: Examples of Peer-to-Peer Applicatio
- Page 81 and 82: B HART Communication Overview 72 HA
- Page 83 and 84: 2008-04-01 Automation, Software and
- Page 85 and 86: 2008-04-01 HART Position Paper from
- Page 87 and 88: 2008-04-01 A possible impact to the
- Page 89 and 90: 2008-04-01 HART Position Paper from
- Page 91 and 92: C Safety-Critical Function Blocks O
- Page 93 and 94: SYS_CRITICAL_IO Accumulates the sta
- Page 95 and 96: Library Trident and Tri-GP (TRDLIB)
Operating Modes<br />
Each input or output point is considered to operate in one of four modes:<br />
• Triple Modular Redundant • Single mode<br />
• Dual mode • Zero mode<br />
Operating Modes 37<br />
The current mode indicates the number of channels controlling a point; in other words,<br />
controlling the output or having confidence in the input. For safety reasons, system mode is<br />
defined as the mode of the point controlled by the least number of channels.<br />
System variables summarize the status of input and output points. When a safety-critical point<br />
is in zero mode, the application should shut down the controlled process.<br />
You can further simplify and customize shutdown logic by using special function blocks<br />
provided by Triconex. By considering only faults in safety-critical modules, system availability<br />
can be improved. Using shutdown function blocks is essential to preventing potential false trips<br />
in dual mode and to guaranteeing fail-safe operation in single mode. For more in<strong>for</strong>mation, see<br />
Appendix C, <strong>Safety</strong>-Critical Function Blocks.<br />
A safety-critical fault is defined as a fault that prevents the system from executing the safety<br />
function on demand. <strong>Safety</strong>-critical faults include:<br />
• Inability to detect a change of state on a digital input point<br />
The controller’s diagnostics verify the ability to detect changes of state independently<br />
<strong>for</strong> each channel, typically every 500 milliseconds. For more in<strong>for</strong>mation on fault<br />
reporting time, see Calculation <strong>for</strong> Diagnostic Fault Reporting Time on page 41.<br />
• Inability to detect a change of value on an analog input point<br />
The controller’s diagnostics verify the ability to detect changes of value independently<br />
<strong>for</strong> each channel, typically every 500 milliseconds. For more in<strong>for</strong>mation on fault<br />
reporting time, see Calculation <strong>for</strong> Diagnostic Fault Reporting Time on page 41.<br />
• Inability to change the state of a digital output point<br />
The controller’s diagnostics verify the ability to control the state of each output point.<br />
• Inability of the system to:<br />
— Read each input point<br />
— Vote the correct value of each input<br />
— Execute the control application<br />
— Determine the state of each output point correctly<br />
The controller’s diagnostics verify the correct operation of all data paths between the<br />
I/O modules and the MPs <strong>for</strong> each channel independently, typically every 500<br />
milliseconds. For more in<strong>for</strong>mation on fault reporting time, see Calculation <strong>for</strong><br />
Diagnostic Fault Reporting Time on page 41.<br />
<strong>Safety</strong> <strong>Considerations</strong> <strong>Guide</strong> <strong>for</strong> <strong>Trident</strong> <strong>v2</strong> <strong>Systems</strong>