Safety Considerations Guide for Trident v2 Systems - TUV ...
38 Chapter 3 Fault Management

Also, during each execution of the control application, each channel independently verifies the:
• Integrity of the data path between the MPs
• Proper voting of all input values
• Proper evaluation of the control application
• Calculated value of each output point

Module Diagnostics

Each system component detects and reports operational faults.

Analog Input (AI) Modules

Analog input module points use force-to-value diagnostics (FVD). Under system control, each point is sequentially forced to a test value. The forced value is maintained until the value is detected by the system or a time-out occurs. Using the integral FVD capability, each point can be independently verified for its ability to accurately detect a transition to a different value, typically every 500 milliseconds. (For more information on fault reporting time, see Calculation for Diagnostic Fault Reporting Time on page 41.)

Using these diagnostics, each channel can be verified independently, thus assuring near 100 percent fault coverage and fail-safe operation under all single-fault scenarios, and most common multiple-fault scenarios.

Analog Input Module Alarms

Analog input module faults are reported to the control application. These alarms can be used to increase availability during specific multiple-fault conditions. Loss of field power or logic power is reported to the control application.

Analog Input/Digital Input (AI/DI) Modules

Analog input/digital input module points use force-to-value diagnostics (FVD). Under system control, each point is sequentially forced to a test value. The forced value is maintained until the value is detected by the system or a time-out occurs. Using the integral FVD capability, each point can be independently verified for its ability to accurately detect a transition to a different value, typically every 500 milliseconds. (For more information on fault reporting time, see Calculation for Diagnostic Fault Reporting Time on page 41.)

Using these diagnostics, each channel can be verified independently, thus assuring near 100 percent fault coverage and fail-safe operation under all single-fault scenarios, and most common multiple-fault scenarios.

Analog Input/Digital Input Module Alarms

Analog input/digital input module faults are reported to the control application. These alarms can be used to increase availability during specific multiple-fault conditions. Loss of field power or logic power is reported to the control application.

Analog Output (AO) Modules

Analog output modules use a combination of comparison and reference diagnostics. Under system control, each channel is given control of the output sequentially using the 2oo3 voting mechanism. Each channel independently measures the actual state of an output value by comparing it with the commanded value. If the values do not match, a channel switch is forced by voting another channel. Each channel also compares its measured values against internal references. Using these diagnostics, each channel can be independently verified for its ability to control the analog output value, thus assuring nearly 100 percent fault coverage and fail-safe operation under all single-fault scenarios, and most common multiple-fault scenarios.

Analog Output Module Alarms

Analog output module faults are reported to the control application. These alarms can be used to increase availability during specific multiple-fault conditions. Loss of field power or logic power is reported to the control application.

Digital Input (DI) Modules

Digital input module points use force-to-value diagnostics (FVD). Under system control, each point is sequentially forced to a test value. The forced value is maintained until the value is detected by the system or a time-out occurs. Using the integral FVD capability, each point can be independently verified for its ability to accurately detect a transition to the opposite state, typically every 500 milliseconds. (For more information on fault reporting time, see Calculation for Diagnostic Fault Reporting Time on page 41.) These diagnostics are executed independently by each channel, thus assuring nearly 100 percent fault coverage and fail-safe operation under all single-fault scenarios, and most common multiple-fault scenarios.

Digital Input Module Alarms

Digital input module faults are reported to the control application. These alarms can be used to increase availability during specific multiple-fault conditions. Loss of field power or logic power is reported to the control application.

Digital Output (DO) Modules

Digital output modules use output voter diagnostics (OVD). Under system control, each output point is commanded sequentially to both the energized and de-energized states. The forced state is maintained until the value is detected by the system or a time-out occurs (500 microseconds, typical case; 2 milliseconds, worst case). Using the integral OVD capability, each point can be independently verified for its ability to transition to either state, typically every 500 milliseconds. (For more information on fault reporting time, see Calculation for Diagnostic Fault Reporting Time on page 41.)
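The sections above describe the same diagnostic pattern for several module types: a point is forced to a test value, the channel must read the transition back before a time-out, every channel runs the check on its own, failures are raised as alarms to the control application, and 2oo3 voting decides the output. The following Python model, added here as an illustration and not Triconex code, ties those pieces together. The `SimulatedPoint` class, the `settle_polls`/`stuck` fault model, the poll-count time-out and the alarm strings are all assumptions made for the example; the period and time-out constants are the figures quoted in the text.

```python
"""Constructed model (not Triconex code) of the Module Diagnostics section:
force-to-value diagnostics (FVD) on input points, output voter diagnostics
(OVD) on digital output points, independent execution per channel, alarms
to the control application, and 2oo3 voting."""
from typing import Dict, List

# Periods and time-outs quoted in the guide, in seconds, kept for reference.
FVD_PERIOD_S = 0.5               # each point is exercised typically every 500 ms
OVD_TIMEOUT_TYPICAL_S = 500e-6   # 500 microseconds, typical case
OVD_TIMEOUT_WORST_S = 2e-3       # 2 milliseconds, worst case


class SimulatedPoint:
    """One I/O point as seen by one channel (assumed model, not real hardware).
    settle_polls: read() calls after force() before the new value is visible.
    stuck: the point never changes, i.e. the fault FVD/OVD is meant to detect."""

    def __init__(self, name: str, initial: float, settle_polls: int = 1, stuck: bool = False):
        self.name = name
        self.value = initial
        self._target = initial
        self._pending = 0
        self.settle_polls = settle_polls
        self.stuck = stuck

    def force(self, value: float) -> None:
        if not self.stuck:
            self._target = value
            self._pending = self.settle_polls

    def read(self) -> float:
        if self._pending > 0:
            self._pending -= 1
            if self._pending == 0:
                self.value = self._target
        return self.value


def force_to_value_check(point: SimulatedPoint, test_value: float,
                         max_polls: int, tolerance: float = 0.0) -> bool:
    """FVD for one point: force it to test_value, then poll until the channel
    sees the transition or max_polls expires (the time-out in the text).
    The original value is restored so the control application is unaffected."""
    original = point.read()
    point.force(test_value)
    detected = False
    for _ in range(max_polls):
        if abs(point.read() - test_value) <= tolerance:
            detected = True
            break
    point.force(original)
    return detected


def ovd_check(point: SimulatedPoint, max_polls: int) -> bool:
    """OVD for a digital output point: it must reach both the energized (1.0)
    and the de-energized (0.0) state within the time-out."""
    return all(force_to_value_check(point, state, max_polls) for state in (1.0, 0.0))


def vote_2oo3_digital(a: bool, b: bool, c: bool) -> bool:
    """Majority vote: the output follows any two channels that agree."""
    return (a and b) or (a and c) or (b and c)


def vote_2oo3_analog(a: float, b: float, c: float) -> float:
    """Mid-value select: the median of three readings discards one outlying channel."""
    return sorted((a, b, c))[1]


def run_module_diagnostics(channels: Dict[str, List[SimulatedPoint]],
                           test_value: float, max_polls: int) -> List[str]:
    """Each channel independently runs FVD over its points; every failure is
    reported as an alarm string to the (simulated) control application."""
    alarms = []
    for channel, points in channels.items():
        for point in points:
            if not force_to_value_check(point, test_value, max_polls, tolerance=0.01):
                alarms.append(f"{channel}:{point.name} FVD time-out")
    return alarms


def demo() -> List[str]:
    """Constructed scenario: channel B's copy of AI01 is stuck at 4.0 mA,
    channel C's copy is slow but still within the time-out."""
    channels = {
        "A": [SimulatedPoint("AI01", 4.0), SimulatedPoint("AI02", 12.0)],
        "B": [SimulatedPoint("AI01", 4.0, stuck=True), SimulatedPoint("AI02", 12.0)],
        "C": [SimulatedPoint("AI01", 4.0, settle_polls=2), SimulatedPoint("AI02", 12.0)],
    }
    return run_module_diagnostics(channels, test_value=20.0, max_polls=4)


if __name__ == "__main__":
    print(demo())
```

Running the module prints the single alarm raised by channel B; channels A and C pass, so a 2oo3 vote over the three readings still produces a valid value and the stuck channel is exposed to the control application rather than silently masked by the voter.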