Design and Implementation of HC900 Control System - HC900 Safety configurations 
Revision 1.9    HC900 Process & Safety Controller Safety Manual  51 
01/14 
latched (LTCH102) output. The remaining function blocks OFDT106, NOT104 and TGFF105 provide a 
diagnostic warning if FB-RSTRT is not toggled within the user-configured timeout after the FBFAIL signal 
returns to the normal LOW state. The timeout period is set in OFDT106. Digital Variable FB-RSTRT 
resets the FAIL logic for the next capture. FB-RSTRT-ON additionally provides the operator with a 
flag indicating an improper state of FB-RSTRT which, if left ON, would disable the VFAIL-Q signal. 
The timing of this flag is set using ONDT107. Note: execution order is critical for proper operation. 
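The latch, restart and diagnostic behaviour described above (and the restart-pin rule under "Safety system startup" below) can be modelled scan by scan. This is an added example written for this page, not Honeywell code or the controller's firmware; the block names follow the text, while the scan-based timeouts, the `ValidatedOutput` class and the constructed `SEQUENCE` are assumptions.

```python
from dataclasses import dataclass

FAILSAFE = False  # HC900 defines the safety failsafe state of outputs as LOW/OFF


@dataclass
class ValidatedOutput:
    """Scan-by-scan model of a validated output block with a restart pin (assumed model)."""
    restart_window: int = 3   # OFDT106: scans allowed to toggle FB-RSTRT after repair (assumed)
    stuck_on_delay: int = 2   # ONDT107: scans FB-RSTRT may stay ON before FB-RSTRT-ON (assumed)
    latched: bool = False     # LTCH102 state: fault captured, output held failsafe
    prev_rstrt: bool = False  # previous FB-RSTRT value, for OFF->ON edge detection
    since_repair: int = -1    # scans since FBFAIL returned LOW while latched (-1 = not counting)
    rstrt_on_scans: int = 0   # consecutive scans FB-RSTRT has been ON

    def scan(self, demand: bool, fbfail: bool, fb_rstrt: bool) -> dict:
        # 1. FBFAIL ON captures the fault: output and VFAIL-Q go (and stay) failsafe.
        if fbfail:
            self.latched, self.since_repair = True, -1
        elif self.latched and self.since_repair < 0:
            self.since_repair = 0  # fault repaired: the restart window opens
        # 2. Only an OFF->ON transition of FB-RSTRT, with the fault gone, releases the latch.
        rising = fb_rstrt and not self.prev_rstrt
        if self.latched and not fbfail and rising:
            self.latched, self.since_repair = False, -1
        self.prev_rstrt = fb_rstrt
        # 3. Diagnostics. Execution order matters: the edge detect above must run first.
        if self.since_repair >= 0:
            self.since_repair += 1
        self.rstrt_on_scans = self.rstrt_on_scans + 1 if fb_rstrt else 0
        return {
            "output": FAILSAFE if self.latched else demand,
            "vfail_q": self.latched,
            "restart_overdue": self.since_repair > self.restart_window,  # OFDT106 warning
            "rstrt_left_on": self.rstrt_on_scans > self.stuck_on_delay,  # FB-RSTRT-ON flag
        }


def run(block: ValidatedOutput, steps: list[tuple[bool, bool, bool]]) -> list[dict]:
    """Drive the block through (demand, FBFAIL, FB-RSTRT) tuples, one per scan."""
    return [block.scan(*step) for step in steps]


# Constructed scan sequence: healthy, fault, repair, proper restart, FB-RSTRT left ON,
# a second fault while it is still ON (no auto-restart), repair with no toggle (overdue).
SEQUENCE = [(True, False, False), (True, True, False), (True, True, False),
            (True, False, False), (True, False, True), (True, False, True),
            (True, False, True), (True, True, True), (True, False, True),
            (True, False, True), (True, False, True), (True, False, True)]
```

Note that a restart pin left ON never re-enables the output by itself: the second fault stays latched until a fresh OFF-to-ON edge, which is why the FB-RSTRT-ON flag and the OFDT106 timeout both assert in the tail of the sequence.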
Forcing 
• There can be forced blocks in the safety portion of the configuration and there can be forced blocks in 
the process portion of the configuration.   
• Forcing is not allowed on the safety worksheet in RUN mode, but is allowed in RUN/PROGRAM mode. 
Mode changes in safety configuration 
• Changing operational mode from RUN/PROGRAM to RUN will be prevented if forced OUTPUTS exist 
in the safety worksheet.  A diagnostic will be posted and the controller LED will blink the proper 
diagnostic code. 
• Changing operational mode from RUN/PROGRAM or RUN to PROGRAM mode will result in ALL 
physical process and safety outputs going to their cleared state. 
Variable writes 
• Writing configuration values via Designer in monitor mode is allowed in RUN/PROGRAM mode, 
but the user cannot change configuration values in RUN mode.  Prior to changing the mode to RUN, the user 
needs to verify that the configuration downloaded for the safety blocks is the same as what is running. 
Safety Configuration validation 
• For a safety-enabled configuration there is a validation check at controller level which will reject the 
configuration if validation fails. There is also a validation check for configuration mismatch, and it 
will alert the host of the error.   
• If the user wants to change a configuration from a non-safety configuration to a safety configuration, the 
configuration must not contain function blocks that are not supported on a safety worksheet (see Table 
4). 
Safety system startup 
Below are points to be noted for system startup. 
• HC900 defines the safety failsafe state of outputs to be LOW or OFF.  Process blocks may be set per the 
user's requirements.  Any other value or state must be accomplished outside the HC900 safety control 
system. 
• Output blocks with validation have a restart input function pin.  This pin provides the system operator 
the ability to control the startup of the failed block.  When connected and the FAIL pin goes ON, the 
output state of the block, as well as the block's FAIL pin, will remain in FAILSAFE until the fault is 
cleared (repaired) and the pin transitions from an OFF (Low) to an ON (High) state. 
• All the failsafe values are to be OFF in safety applications. When RIUP occurs, the validated safety 
block's restart pin will remain OFF until enabled by the user, the outputs will remain OFF and the block's fail 
status will remain ON until the user intervenes. 
• When scanner RIUP occurs, its outputs remain in failsafe until the controller informs the scanner what 
to drive the outputs to. The I/O channel will not resume controlling the process value until the channel is