3 Safety Concept for Using the PES HIMatrix
Page 16 of 72 HI 800 023 E Rev. 1.01
3.1.2 Self-Test and Fault Diagnosis
The operating system of the controllers executes comprehensive self-tests at start-up and
during operation. The following components are tested:
• Processors
• Memory areas (RAM, non-volatile memory)
• Watchdog
• The individual I/O channels
If faults are detected during the tests, the operating system switches off the defective
module or remote I/O, or the faulty I/O channel.
In non-redundant systems, this means that sub-functions or even the entire PES will shut
down.
All HIMatrix devices and modules are equipped with LEDs to indicate that faults have been
detected. This allows the user to quickly diagnose faults in a device or the external wiring, if
a fault is reported.
Further, the user program can also be used to evaluate various system variables or system
signals that report the device or module status.
An extensive diagnostic record of the system's performance and detected faults is logged
and stored in the diagnostic memory of the controllers. After a system fault, the recorded
data can be read using the PADT.
For details on how to evaluate the diagnostic messages, refer to the Manual for Compact
Systems (HI 800 141), or to the Manual for Modular Systems (HI 800 191), Chapter
Diagnosis.
For a very small number of component failures that do not affect safety, the HIMatrix system
does not provide any diagnostic information.
3.1.3 PADT
Using the PADT, the user creates the program and configures the controller. The safety
concept of the PADT supports the user in the correct implementation of the control task.
The PADT takes numerous measures to check the entered information.
The PADT is a personal computer installed with the planning tool.
For the HIMatrix system, two planning tools are available depending on the operating
system version loaded on the controller:
• SILworX must be used for operating system versions beyond 7.
• ELOP II Factory must be used for operating system versions prior to 7.
3.1.4 Structuring Safety Systems in Accordance with the Energize to Trip Principle
Safety systems operating in accordance with the 'energize to trip' principle, e.g., fire alarm
and fire-fighting systems, have the following "safe states":
1. Safe state after system shutdown.
2. State entered on demand, i.e., when performing the safety function. In such a case, the
actuator is activated.
Observe the following points when structuring safety systems in accordance with the
energize to trip principle:
• Ensuring the safety function in hazardous situations.
• Detection of failed system components and reaction:
  - Failure notification.
  - Automatic switching to redundant components, if necessary and possible.