
Rockwell Automation T8094 8000 Series TMR System Safety Manual User Manual


SAFETY MANUAL

Doc Number T8094
Issue 27 – June 2013

Page 67 of 103

7.1.3 TX and DX Low Density module types in Safety applications

When using DX and TX Low Density I/O structures, certain defensive measures are
needed. These structures provide discrepancy and error information but do not take
any cognisance of second fault occurrence time. If these structures are used in a
safety function, the logical state of each channel must be defaulted to a safe
state within the logic. In the case of DX modules, this time must be less than the
system's process safety time. In the case of TX modules, this must be less than the
second fault occurrence time.

In safety-related applications where 2-oo-3 fault tolerance is required, it is
recommended that three SX modules be used and the 2-oo-3 vote performed in the
application program. Within the application, the vote must detect discrepancies on a
per-channel basis and cause the discrepant channel to default gracefully to a safe
state. In the event that an input fails to the energised state and is declared
discrepant, it must be forced to a safe state within the voter logic. Should a second
input go to the energised state and not be confirmed by the third within the defined
time period, that input will also be forced to a safe state, thus preventing
energisation of the logic until a reset is operated. Below is a function which performs
this logic. Many implementations can be used, but the functionality should be retained.

Figure 5 – 2-oo-3 voting logic with discrepancy reporting

[Figure 5: logic diagram not reproduced. Labels: inputs A, B, C and Reset; outputs Voted State and Discrepancy; AND (&) and OR (>=1) gates; DLY On 5 Sec timers; Latch blocks.]
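The voter behaviour described in the text above, as an added Python simulation; it is not code from the manual and does not reconstruct the exact gate wiring of Figure 5. It assumes True means energised, treats a channel as discrepant when it disagrees with the other two while they agree with each other, takes the 5-second on-delay from the figure labels, and uses the hypothetical names `Voter2oo3`, `scan` and `run`.

```python
from dataclasses import dataclass, field

@dataclass
class Voter2oo3:
    """Scan-based 2-oo-3 voter. True = energised, False = safe state."""
    delay_s: float = 5.0  # "DLY On 5 Sec" label in Figure 5
    timers: list = field(default_factory=lambda: [0.0] * 3)
    latched: list = field(default_factory=lambda: [False] * 3)

    def scan(self, a, b, c, dt, reset=False):
        """Run one scan lasting dt seconds; return (voted, discrepancy)."""
        if reset:  # operator reset clears every latch and timer
            self.timers, self.latched = [0.0] * 3, [False] * 3
        # A latched channel is forced to the safe state inside the voter.
        eff = [bool(x) and not l for x, l in zip((a, b, c), self.latched)]
        for i in range(3):
            p, q = (eff[j] for j in range(3) if j != i)
            odd_one_out = p == q and eff[i] != p
            # On-delay: the disagreement must persist for delay_s seconds.
            self.timers[i] = self.timers[i] + dt if odd_one_out else 0.0
            if self.timers[i] >= self.delay_s:
                self.latched[i] = True
        eff = [e and not l for e, l in zip(eff, self.latched)]
        return sum(eff) >= 2, any(self.latched)

def run(voter, a, b, c, seconds, dt=0.5, reset=False):
    """Hold the inputs for `seconds`; reset (if set) applies to scan 1 only."""
    result = None
    for n in range(round(seconds / dt)):
        result = voter.scan(a, b, c, dt, reset=reset and n == 0)
    return result

if __name__ == "__main__":
    v = Voter2oo3()  # constructed scenario: A fails high, then B goes high
    for label, args in [
        ("A stuck high, 4 s", (True, False, False, 4)),
        ("A stuck high, +2 s", (True, False, False, 2)),
        ("B high, C low, 6 s", (True, True, False, 6)),
        ("all high, no reset", (True, True, True, 1)),
    ]:
        print(label, run(v, *args), v.latched)
    print("all high after reset", run(v, True, True, True, 1, reset=True))
```

With two channels latched, the voted state stays de-energised even when all three inputs read energised, and only the reset restores normal voting.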