Fail-Safe Blocks
Interaction with Channel Drivers
For proper operation of the F_1oo2_R block when the two analog inputs are
provided by F_CH_AI channel drivers, it is important to coordinate the
configuration parameters of the channel drivers and the F_1oo2_R block. The key
is to determine a typical, expected operating value for the values feeding the
F_1oo2_R block and set both channel drivers' SUBS_V inputs to a value that is
greater than the expected value by more than the F_1oo2_R block's DELTA input.
The channel drivers' SUBS_ON input must be set to 1 to enable outputting the
SUBS_V value when a channel fault is detected.
If one channel driver detects a failure, that F_CH_AI block will provide the
F_1oo2_R block with both the process value bad indicator (QBAD) and the
substitute value (SUBS_V). The F_1oo2_R block would set the corresponding DIS
output (since the substitute value differs from the F_1oo2_R block's current analog
output by more than DELTA). If the failed channel driver is connected to the first
F_1oo2_R input (IN1, QBAD1), the F_1oo2_R block will select the other analog
input (IN2) as its analog output.
If both channel drivers detect a failure (output their SUBS_V value and set their
QBAD to 1), the F_1oo2_R block's QBAD output will be 1 indicating that the
selected analog output V is no longer valid.
Therefore, a configuration using the F_CH_AI and F_1oo2_R blocks would have
the following connections:
• The V outputs of the two F_CH_AI blocks connected to the two IN inputs of the F_1oo2_R
• The QBAD outputs of the two F_CH_AI blocks connected to the two QBAD inputs of the F_1oo2_R
• The SUBS_ON inputs of the two F_CH_AI blocks set to 1
• The F_1oo2_R block's DELTA input set to the largest acceptable difference from the expected value
• The SUBS_V inputs of the two F_CH_AI blocks set larger than the expected value by more than the F_1oo2_R block's DELTA input
• The F_1oo2_R block's QBAD output connected to program logic to annunciate 1oo2 failure
• The F_1oo2_R block's two DIS outputs connected to program logic to annunciate a sensor failure
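The interaction described above, as an added example in Python (not code from the Siemens manual): a simplified model of the two F_CH_AI drivers feeding an F_1oo2_R block, plus the SUBS_V/DELTA configuration check the text calls for. Block and parameter names follow the manual; behaviour the text does not state (which input is output when both are good, what V holds when both are bad, what a driver outputs when SUBS_ON is 0) is an assumption and is marked as such in the comments.

```python
from dataclasses import dataclass

@dataclass
class ChannelOut:
    v: float      # analog value passed to the voter (process value or SUBS_V)
    qbad: bool    # process value bad indicator

@dataclass
class VoterOut:
    v: float      # selected analog output
    qbad: bool    # 1 when no valid input remains
    dis1: bool    # discrepancy flag for IN1
    dis2: bool    # discrepancy flag for IN2

def f_ch_ai(process_value, fault, subs_on, subs_v):
    """Simplified F_CH_AI model: on a channel fault with SUBS_ON=1 the driver
    outputs SUBS_V and sets QBAD (assumption: with SUBS_ON=0 the raw value is
    passed through with QBAD set)."""
    if fault:
        return ChannelOut(subs_v if subs_on else process_value, True)
    return ChannelOut(process_value, False)

def f_1oo2_r(in1, qbad1, in2, qbad2, delta, prev_v):
    """Simplified F_1oo2_R model. DIS_i is raised when input i deviates from the
    block's current output by more than DELTA; a QBAD input is deselected; when
    both inputs are bad QBAD is raised (assumptions: the output holds the previous
    value in that case, and IN1 is preferred when both inputs are good)."""
    dis1 = abs(in1 - prev_v) > delta
    dis2 = abs(in2 - prev_v) > delta
    if qbad1 and qbad2:
        return VoterOut(prev_v, True, dis1, dis2)
    if qbad1:
        return VoterOut(in2, False, dis1, dis2)
    return VoterOut(in1, False, dis1, dis2)

def subs_v_config_ok(expected, subs_v, delta):
    """Configuration check from the text: SUBS_V must exceed the expected
    operating value by more than DELTA so a substituted value trips DIS."""
    return subs_v - expected > delta

def run_scenario(expected=50.0, delta=2.0, subs_v=60.0):
    """Constructed scan sequence: both channels healthy, then channel 1 faults,
    then both fault. Returns the voter output of each scan."""
    if not subs_v_config_ok(expected, subs_v, delta):
        raise ValueError("SUBS_V must exceed the expected value by more than DELTA")
    scans = [(50.0, False, 50.3, False), (50.0, True, 50.3, False), (50.0, True, 50.3, True)]
    prev_v, results = expected, []
    for pv1, f1, pv2, f2 in scans:
        c1 = f_ch_ai(pv1, f1, True, subs_v)
        c2 = f_ch_ai(pv2, f2, True, subs_v)
        out = f_1oo2_r(c1.v, c1.qbad, c2.v, c2.qbad, delta, prev_v)
        results.append(out)
        prev_v = out.v
    return results
```

In the second scan the substituted value (60.0) lies more than DELTA from the current output, so DIS1 is raised and IN2 is selected; in the third scan both inputs are bad and QBAD goes to 1.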
Error Handling
In the event of an error that is critical to safety, the system function SFC F_CTRL
is called. This records the event in the Diagnostic Buffer and requests a switch to
the reserve CPU if the error occurred only on the master CPU. For non-redundant
systems, or for a common-cause error occurring in both CPUs, the shutdown logic can
be configured to disable either the F-run-time group in which the error occurred or
the entire Safety Program.
Fail-Safe Systems
A5E00085588-03
8-99