Rockwell Automation Publication 1756-RM093J-EN-P - April 2018 69
Monitor Status and Handle Faults Chapter 7
Recoverable Faults
Controller faults caused by user programming errors in a safety program trigger
the controller to process the logic contained in the project’s safety program fault
handler. The safety program fault handler provides the application with the
opportunity to resolve the fault condition and then recover.
When a safety program fault handler does not exist or the fault is not recovered
by it, the controller processes the logic in the controller-scoped fault handler,
terminating safety program logic execution and leaving safety I/O connections
active, but idle.
If user logic is terminated as a result of a recoverable fault that is not recovered,
safety outputs are placed in the safe state, and the producer of safety-consumed
tags commands the consumers to place those tags in the safe state as well.
If a recoverable safety fault is overridden in the controller-scoped fault handler,
only standard tasks keep running. If the fault is not overridden, the standard tasks
are also shut down.
ATTENTION: You must provide proof to your certifying agency that automatic
recovery from recoverable faults maintains SIL 3.
When the execution of safety program logic is terminated due to a
recoverable fault that is not handled by the safety program fault handler,
the safety I/O connections are closed and reopened to reinitialize safety
connections.
When safety I/O is used in standard applications, that safety I/O is still
commanded to the safe state if user logic is terminated as a result of a
recoverable fault that is not recovered.
ATTENTION: Overriding the safety fault does not clear it. If you override the
safety fault, it is your responsibility to prove that doing so maintains SIL 3.