Rockwell Automation AADvance Controller Safety Manual User Manual

Document: 553630
ICSTT-RM446K-EN-P Issue: 10

Both input and output modules undergo regular diagnostic testing during operation that is managed by the processor modules. The self-tests are coordinated between modules that are configured in a fault tolerant arrangement, to ensure that the system remains on-line even in the case of a demand during the execution of the tests. I/O channel discrepancy and deviation monitoring further enhances the verification and fault detection of module or field failures.

The processor reports any detected I/O fault to the Workbench application and provides an alarm signal for a central alarm indicator. Front panel LED indications on the faulty module will indicate a module or field fault. In all cases, even in the presence of a fault during this period, the system will continue to be able to respond when configured in a fault tolerant arrangement.

When a channel is not capable of reporting a value within a safety accuracy specification of 1% of the full scale measurement, 'safe' values are reported by the variables. Thus, an I/O channel fault condition results in a fail-safe state.

The maximum duration for single-channel operation of I/O modules depends on the specific process and must be specified individually for each application:

- Input modules can operate in a simplex arrangement without time limit for SIL3 and lower applications.
- Faulty Output modules must be replaced within the MTTR used for PFD calculations.
- Faulty Processor modules must be replaced within the MTTR used for the PFD calculations.

The application program must be designed to shut down energize to action SIL3 safety instrumented functions if a faulty output module has not been replaced within the MTTR.

When a module is operating in a dual mode (or is degraded to a dual mode) and a state or value discrepancy occurs, then if no module fault is detected, the state or value reported to the application will always be the lower of the two states or values for digital and analogue input module configurations.

In safety applications, channel discrepancy alarms shall be monitored by the application program and used to provide an alarm to plant operations personnel.
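
One way an application program could meet the two requirements above (shut down when a faulty output module outlasts the MTTR, and alarm on channel discrepancy), written in IEC 61131-3 Structured Text as an added example that is not taken from the manual. The variable names, the mapping of module fault and discrepancy status to BOOL inputs, the T#8h value and the latch-and-reset behaviour are assumptions.

```iecst
(* Added example. All names are hypothetical, not AADvance identifiers. *)
FUNCTION_BLOCK FB_DegradedOutputGuard
VAR_INPUT
    OutModuleFault  : BOOL;  (* assumed mapping: TRUE while an output module serving the SIF is faulted *)
    ChanDiscrepancy : BOOL;  (* assumed mapping: TRUE while any channel discrepancy is flagged *)
    MttrLimit       : TIME;  (* MTTR used in the PFD calculation, e.g. T#8h (constructed value) *)
    Reset           : BOOL;  (* operator reset, given after the module has been replaced *)
END_VAR
VAR_OUTPUT
    ShutdownRequest : BOOL;  (* latched: fault outlasted the MTTR, shut down the energize to action SIF *)
    OperatorAlarm   : BOOL;  (* drives the alarm shown to plant operations personnel *)
    DegradedTime    : TIME;  (* time spent so far with the faulted output module in place *)
END_VAR
VAR
    FaultTimer : TON;        (* standard on-delay timer *)
END_VAR

(* The timer runs only while the module fault is present. *)
(* An unset MttrLimit (T#0s) makes Q true as soon as a fault appears. *)
FaultTimer(IN := OutModuleFault, PT := MttrLimit);
DegradedTime := FaultTimer.ET;

(* Latch the request once the MTTR is exceeded. Clearing it needs both *)
(* a healthy module and an operator reset, so it cannot clear itself.  *)
IF FaultTimer.Q THEN
    ShutdownRequest := TRUE;
ELSIF Reset AND NOT OutModuleFault THEN
    ShutdownRequest := FALSE;
END_IF;

(* Any degraded condition is annunciated, not only the expired MTTR. *)
OperatorAlarm := OutModuleFault OR ChanDiscrepancy OR ShutdownRequest;
END_FUNCTION_BLOCK
```

Because the TON timer restarts whenever its input drops, an intermittent module fault restarts the count; an application that must treat intermittent faults cumulatively needs additional logic.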

Energize to Action Configurations