
Siemens SIMATIC S7 FH User Manual

Siemens SIMATIC S7 FH
354 pages
Safety Mechanisms
Fail-Safe Systems
3-6 A5E00085588-03
When a hazardous fault is detected, the logical program execution check responds
as follows:
• In a non-redundant system, or in a common-cause situation (e.g. both CPUs
encounter the fault), the Safety Program will be disabled.*
• In a redundant system, if the failure is detected on the master CPU, a switch to
the Standby will occur. If the failure is on a reserve CPU or on both CPUs, a
switch will not be performed and a portion or all of the Safety Program will be
disabled.*
*This is configurable by the shutdown logic. If a fault is detected in an F-run-time
group, then, depending on the configured response in the shutdown logic, either the
F-run-time group or the entire Safety Program will be disabled, and all
associated outputs revert to the safe state.
Time-Based Program Execution Monitoring
Time-based program execution monitoring is performed by the F-Block F_CYC_CO,
which monitors the F cycle time within each OB3x.
• Monitoring of the F Cycle Time
The maximum F cycle time (cyclic interrupt time for OBs with F-run-time groups) is
assigned in CFC as an input parameter of the F-Block F_CYC_CO. An F_CYC_CO
F-Block must be present in each F cycle (i.e. in each cyclic interrupt OB with
F-Blocks). This block is placed automatically during compilation.
In the event of an F cycle time overrun, the associated F-run-time groups are
disabled, causing all associated outputs to revert to the safe state.
Live Monitoring During Safety-Related Communication
The Safety Program communicates cyclically with the F-I/Os and with Safety
Programs on other CPUs using special safety protocols. The receivers implement
the fault reaction function in the event of a problem:
• F output modules switch the outputs off.
• The fail-safe blocks F_RCVBO and F_RCVR in Safety Programs on other
CPUs output parameterizable substitute values.
• The fail-safe blocks F_R_BO and F_R_R, used for RTG to RTG
communications, output parameterizable substitute values.
After the problem has been eliminated, user acknowledgment on the F channel
driver block or the F-Block F_RCVBO or F_RCVR or a Restart of the Shutdown
Logic is required. The fail-safe blocks F_R_BO and F_R_R, used for RTG to RTG
communications, are automatically reintegrated.
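The two reintegration behaviours described above, as an added conceptual model that is not Siemens code and not part of the original manual. The class name, the 100 ms cycle, the 150 ms monitoring time and the rule that an acknowledgment only takes effect once telegrams are arriving again are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class SafetyReceiver:
    """Conceptual receiver with live monitoring (hypothetical, not Siemens code)."""
    timeout_ms: int          # assumed monitoring time
    substitute: bool         # parameterizable substitute value
    auto_reintegrate: bool   # True: like F_R_BO/F_R_R; False: like F_RCVBO/F_RCVR
    last_rx_ms: int = 0
    last_value: bool = False
    faulted: bool = False
    ack_pending: bool = False  # link healthy again, waiting for user acknowledgment

    def receive(self, now_ms: int, value: bool) -> None:
        """A valid safety telegram arrived from the sender."""
        self.last_rx_ms, self.last_value = now_ms, value

    def acknowledge(self) -> None:
        """User acknowledgment; modelled as effective only after the problem is gone."""
        if self.faulted and self.ack_pending:
            self.faulted = self.ack_pending = False

    def output(self, now_ms: int) -> bool:
        """Evaluate once per cycle: pass the process value or the substitute value."""
        alive = now_ms - self.last_rx_ms <= self.timeout_ms
        if not alive:                      # fault reaction
            self.faulted, self.ack_pending = True, False
        elif self.faulted:                 # problem eliminated
            if self.auto_reintegrate:
                self.faulted = False
            else:
                self.ack_pending = True
        return self.substitute if self.faulted else self.last_value

def run_scenario(auto_reintegrate: bool) -> list:
    """Constructed timeline, 100 ms cycle: telegrams missing in cycles 3-5, ack in cycle 8."""
    rx = SafetyReceiver(timeout_ms=150, substitute=False, auto_reintegrate=auto_reintegrate)
    outputs = []
    for cycle in range(10):
        now_ms = cycle * 100
        if cycle not in (3, 4, 5):
            rx.receive(now_ms, True)
        if cycle == 8:
            rx.acknowledge()
        outputs.append(rx.output(now_ms))
    return outputs

if __name__ == "__main__":
    print("acknowledge required:", run_scenario(False))
    print("automatic reintegration:", run_scenario(True))
```

In the acknowledgment-required case the substitute value stays on the output for two further cycles after telegrams resume, until the acknowledgment in cycle 8.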
See Also
Interconnecting F Cycle Time Monitoring
F_PLK_O, F_PLK, F_CYC_CO
