Safety Considerations Guide for Trident v2 Systems - TUV ...
Safety Considerations Guide for Trident v2 Systems - TUV ...
Safety Considerations Guide for Trident v2 Systems - TUV ...
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
42 Chapter 3 Fault Management<br />
Input/Output Processing<br />
The I/O processor is protected by an independent watchdog that verifies the timely execution<br />
of the I/O processor firmware and I/O module diagnostics. In addition, the I/O processor<br />
reports its sequence of process execution to the MP. If an I/O processor fails to execute correctly,<br />
the MP and the I/O processors enter the fail-safe state and the I/O bus <strong>for</strong> the faulting channel<br />
is disabled, leaving all outputs under control of the remaining healthy channels.<br />
The integrity of the I/O bus is continuously monitored and verified independently by each<br />
channel of the system. A catastrophic bus fault results in affected I/O module channels<br />
reverting to the fail-safe state in less than 500 milliseconds (0.5 seconds), worst case, or less than<br />
10 milliseconds, typically.<br />
I/O Module Alarms<br />
Loss of communication with an I/O module is reported to the control application and can be<br />
used to increase availability during specific multiple-fault conditions.<br />
Main Processor and TriBus<br />
Each Main Processor (MP) module uses memory data comparison between itself and the other<br />
MPs to ensure that the control application executes correctly on each scan. Each MP transfers its<br />
input data to the other two MPs via the TriBus during each scan. Each MP then votes the input<br />
data and provides voted data to the control application. The results of the control application<br />
(outputs), including all internal variables, are transferred by the TriBus. If a mis-compare is<br />
detected, special algorithms are used to isolate the faulting MP. The faulting MP enters the failsafe<br />
state and is ignored by the remaining MPs. Background diagnostics test MP memory and<br />
compare control application instructions and internal status.<br />
The integrity of the TriBus is continuously monitored and verified independently by each MP.<br />
All TriBus faults are detected within the scan associated with the TriBus transfer. Fault isolation<br />
hardware and firmware causes the MP with the faulting TriBus to enter the fail-safe state.<br />
An independent watchdog ensures that the control application and diagnostics execute within<br />
0.5 seconds. If an MP fails to execute the scan, the watchdog <strong>for</strong>ces the MP to the fail-safe state.<br />
The I/O processor adds a sequential element to the MP watchdog. If an MP fails to report the<br />
proper sequence of execution, the I/O processor causes the MP to enter the fail-safe state.<br />
<strong>Safety</strong> <strong>Considerations</strong> <strong>Guide</strong> <strong>for</strong> <strong>Trident</strong> <strong>v2</strong> <strong>Systems</strong>