Safety Considerations Guide for Trident v2 Systems - TUV ...
Safety Considerations Guide for Trident v2 Systems - TUV ... Safety Considerations Guide for Trident v2 Systems - TUV ...
52 Chapter 4 Application Development Program EX01_SHUTDOWN T#3d T#400ms CRITICAL_MODULES SYS_SHUTDOWN CI CO IO_CO OPERATIING IO_TMR TMR IO_GE_DUAL DUAL IO_GE_SINGLE SINGL IO_NO_VOTER_FLTS ZERO IO_ERROR TIMER_RUNNING MAX_TIME_DUAL TIME_LEFT MAX_TIME_SINGLE ALARM_PROGRAMMING_PERMITTED MAX_SCAN_TIME ALARM_REMOTE_ACCESS ALARM_RESPONSE_TIME ALARM_DISABLED_POINTS ERROR 001 Figure 10 EX01_SHUTDOWN Sample Program CO false indicates a programming error; for example, MAX_TIME_SINGLE greater than MAX_TIME_DUAL. The error number shows more detail. Table 9 Input Parameters for SYS_SHUTDOWN Function Block in EX01_SHUTDOWN Parameter Description CI Do not connect when all I/O modules are system-critical IO_CO Do not connect when all I/O modules are system-critical IO_TMR Do not connect when all I/O modules are system-critical IO_GE_DUAL Do not connect when all I/O modules are system-critical IO_GE_SINGLE Do not connect when all I/O modules are system-critical IO_NO_VOTER_FLTS Do not connect when all I/O modules are system-critical IO_ERROR Do not connect when all I/O modules are system-critical MAX_TIME_DUAL Maximum time with only two channels operating MAX_TIME_SINGLE Maximum time with only one channel operating MAX_SCAN_TIME 50% of the maximum response time Safety Considerations Guide for Trident v2 Systems CRITICAL_MODULES_OPERATING ALARM_PROGRAMMING_PERMITTED ALARM_REMOTE_ACCESS ALARM_RESPONSE_TIME ALARM_DISABLED_POINTS
Sample Safety-Shutdown Programs 53 Table 10 Output Parameters for SYS_SHUTDOWN Function Block in EX01_SHUTDOWN Parameter Description CO Control out OPERATING When true, all safety-critical modules are operating properly When false, the time in degraded operation exceeds the specified limits; therefore, the control program should shut down the process TMR System is operating in triple modular redundant mode DUAL At least one safety-critical point is controlled by two channels SINGL At least one safety-critical point is controlled by one channel ZERO At least one safety-critical point is not controlled by any channel TIMER_RUNNING Time left to shutdown is decreasing TIME_LEFT Time remaining before shutdown ALARM_PROGRAMMING_PERMITTED True if application changes are permitted ALARM_REMOTE_ACCESS True if remote-host writes are enabled ALARM_RESPONSE_TIME True if actual scan time is greater than MAX_SCAN_TIME ALARM_DISABLED_POINTS True if one or more points are disabled. ERROR_NUM Error Number: 0 = No error 1 = Error in maximum time 2 = I/O function block error. IO_ERROR is non-zero 3 = Function block error. System status or MP Status Safety Considerations Guide for Trident v2 Systems
- Page 11 and 12: 1 Safety Concepts Overview 2 Hazard
- Page 13 and 14: Protection Layers Methods that prov
- Page 15 and 16: Hazard and Risk Analysis Hazard and
- Page 17 and 18: Sample SIL Calculation Hazard and R
- Page 19 and 20: Safety Life Cycle Model Hazard and
- Page 21 and 22: Hazard and Risk Analysis 11 • Eac
- Page 23 and 24: CAN/CSA-C22.2 No. 61010-1-04 Safety
- Page 25 and 26: 2 Application Guidelines Overview 1
- Page 27 and 28: General Guidelines This section des
- Page 29 and 30: General Guidelines 19 Safety Measur
- Page 31 and 32: Emergency Shutdown Systems The safe
- Page 33 and 34: Safety-Shutdown Guidelines for Tric
- Page 35 and 36: Guidelines for Triconex Controllers
- Page 37 and 38: Guidelines for Triconex Controllers
- Page 39 and 40: Guidelines for Triconex Controllers
- Page 41 and 42: Guidelines for Triconex Controllers
- Page 43 and 44: 3 Fault Management Overview 34 Syst
- Page 45 and 46: System Diagnostics System Diagnosti
- Page 47 and 48: Operating Modes Each input or outpu
- Page 49 and 50: Analog Output (AO) Modules Module D
- Page 51 and 52: Calculation for Diagnostic Fault Re
- Page 53 and 54: External Communication Module Diagn
- Page 55 and 56: 4 Application Development Developme
- Page 57 and 58: Array Index Errors Infinite Loops D
- Page 59 and 60: Setting Scan Time 49 application. T
- Page 61: Sample Safety-Shutdown Programs Sam
- Page 65 and 66: When Some I/O Modules Are Safety-Cr
- Page 67 and 68: Sample Safety-Shutdown Programs 57
- Page 69 and 70: Partitioned Processes Sample Safety
- Page 71 and 72: Alarm Usage Alarm Usage 61 To imple
- Page 73 and 74: A Triconex Peer-to-Peer Communicati
- Page 75 and 76: Data Transfer Time Data Transfer Ti
- Page 77 and 78: Data Transfer Time 67 A typical dat
- Page 79 and 80: Examples of Peer-to-Peer Applicatio
- Page 81 and 82: B HART Communication Overview 72 HA
- Page 83 and 84: 2008-04-01 Automation, Software and
- Page 85 and 86: 2008-04-01 HART Position Paper from
- Page 87 and 88: 2008-04-01 A possible impact to the
- Page 89 and 90: 2008-04-01 HART Position Paper from
- Page 91 and 92: C Safety-Critical Function Blocks O
- Page 93 and 94: SYS_CRITICAL_IO Accumulates the sta
- Page 95 and 96: Library Trident and Tri-GP (TRDLIB)
- Page 97 and 98: END_IF ; PREVIOUS_RESET := RESET ;
- Page 99 and 100: Output Parameters (continued) Name
- Page 101 and 102: SYS_SHUTDOWN 91 * the safety system
- Page 103 and 104: ALARM_DISABLED_POINTS := MPX.POINTS
- Page 105 and 106: Example For shutdown examples, see
- Page 107 and 108: A abbreviations, list of viii actua
- Page 109 and 110: message errors, external communicat
Sample <strong>Safety</strong>-Shutdown Programs 53<br />
Table 10 Output Parameters <strong>for</strong> SYS_SHUTDOWN Function Block in EX01_SHUTDOWN<br />
Parameter Description<br />
CO Control out<br />
OPERATING When true, all safety-critical modules are<br />
operating properly<br />
When false, the time in degraded operation<br />
exceeds the specified limits; there<strong>for</strong>e, the<br />
control program should shut down the<br />
process<br />
TMR System is operating in triple modular<br />
redundant mode<br />
DUAL At least one safety-critical point is controlled<br />
by two channels<br />
SINGL At least one safety-critical point is controlled<br />
by one channel<br />
ZERO At least one safety-critical point is not<br />
controlled by any channel<br />
TIMER_RUNNING Time left to shutdown is decreasing<br />
TIME_LEFT Time remaining be<strong>for</strong>e shutdown<br />
ALARM_PROGRAMMING_PERMITTED True if application changes are permitted<br />
ALARM_REMOTE_ACCESS True if remote-host writes are enabled<br />
ALARM_RESPONSE_TIME True if actual scan time is greater than<br />
MAX_SCAN_TIME<br />
ALARM_DISABLED_POINTS True if one or more points are disabled.<br />
ERROR_NUM Error Number:<br />
0 = No error<br />
1 = Error in maximum time<br />
2 = I/O function block error. IO_ERROR is<br />
non-zero<br />
3 = Function block error. System status or MP<br />
Status<br />
<strong>Safety</strong> <strong>Considerations</strong> <strong>Guide</strong> <strong>for</strong> <strong>Trident</strong> <strong>v2</strong> <strong>Systems</strong>
Change language