12HFA51A42H Module Spare Part

Model: 12HFA51A42H  Category: foxboro

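This step can be necessary to achieve the required SIL.
If the components are no longer operating redundantly due to a failure, repair of the failed component must be ensured at the earliest opportunity.
It is not required to design the safety system components redundantly if, in the event of a safety system failure, the required safety level can otherwise be achieved, e.g., by implementing organizational measures.

Detection of Failed System Components
The safety system recognizes that components are not functioning and activates the redundant components. This is done with:
  • Self-tests of the HIMax modules.
  • Line monitoring (short-circuits and open-circuits) with input and output modules. The modules must be configured accordingly.
  • Additional inputs for monitoring the actuators, if required by the project.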
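
3.2 Time Parameters Important for Safety
These are:
  • Fault tolerance time
  • Watchdog time
  • Safety time
  • Response time

3.2.1 Fault Tolerance Time (FTT)
The fault tolerance time (FTT) is a property of the process and describes the span of time during which the process allows faulty signals to exist before the system state becomes dangerous.

3.2.2 Resource Watchdog Time
The watchdog time is set in the dialog for configuring the resource properties. This time is the maximum permissible duration of a RUN cycle (cycle time). If the cycle time exceeds the preset watchdog time, the processor module adopts the error stop state.
When determining the watchdog time, the following factors must be taken into account:
  • Time required by the application, e.g., the duration of a cycle in the user program.
  • Time required for process data communication.
  • Time required to synchronize the redundant processor modules.
  • Time internally required to perform a reload.
The setting range for the watchdog time of the resource is from 6 ms to a maximum of 7500 ms.
The default setting is 200 ms.
When setting the watchdog time, the following must apply: watchdog time ≤ ½ * safety time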
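HIMax 3 Safety Concept for Using the PES
HI 801 003 E Rev. 4.00, Page 17 of 64
To ensure sufficient availability, HIMA strongly recommends the following setting:
2 * watchdog time + max. CPU cycle time + 2 * I/O cycle time ≤ safety time
If no reliable assessment of the max. CPU cycle time can be made, the safety time must be set such that:
3 * watchdog time + 2 * I/O cycle time ≤ safety time
The I/O cycle time is equal to 2 ms.
The watchdog time for a project is determined by a test on a complete system. During the test, all the processor modules are inserted in the base plate. The system operates in RUN mode with full load.
All communication links are operating (safeethernet and standard protocols).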
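To determine the watchdog time:
1. Set the watchdog time high for testing.
2. Use the system under the maximum load. In the process, all communication connections must be operating both via safeethernet and standard protocols. Frequently read the cycle time in the Control Panel and note down the variations or load peaks of the cycle time.
3. In succession, remove and reinsert every processor module in the base plate. Before removing one processor module, wait until the processor module that has just been inserted is synchronized.
   Note: When a processor module is inserted in the base plate, it automatically synchronizes itself with the configuration of the existing processor modules. The time required for the synchronization process extends the controller cycle up to the maximum cycle time. The synchronization time increases with the number of processor modules that have already been synchronized.
   For more information on how to insert and remove a processor module, refer to the X-CPU 01 (HI 801 009 E).
4. In the diagnostic history for the non-synchronized module, read the synchronization time from n to n+1 processor modules in every synchronization process and note it down.
   The greatest synchronization time value is used to determine the watchdog time.
5. Calculate the minimum watchdog time from the longest synchronization time + 12 ms spare + spare for the noted variations of the cycle time.
6. Calculate the watchdog time TWD using the following equation:
   TWD = TSync + TMarg + TCom + TConfig + TLatency + TPeak
   where
   TSync     Time determined for the processor module's synchronization
   TMarg     Safety margin 12 ms
   TCom      The configured system parameter: Max. Com. Time Slice ASYNC [ms]
   TConfig   The configured system parameter: Max. Duration of Configuration Connections [ms]
   TLatency  The configured system parameter: Maximum System Bus Latency [µs] * 4
   TPeak     Observed load peak of the user programs
This equation allows a suitable value for the watchdog time to be calculated.
Note: In particular cases, the watchdog time calculated as described above might be too short for performing a reload.
Tip: The determined watchdog time can be used as the maximum cycle time in the safeethernet configuration.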
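
The watchdog-time equation and the watchdog/safety-time rules of section 3.2.2, worked as an added example (not code from HIMA or from this page). The `Measured` container, the function names and the sample values are hypothetical, and converting the bus latency term from µs to ms is an assumption.

```python
from dataclasses import dataclass

# Constants taken from the manual text above.
IO_CYCLE_MS = 2             # "The I/O cycle time is equal to 2 ms"
T_MARG_MS = 12              # TMarg: safety margin 12 ms
WDT_MIN_MS, WDT_MAX_MS = 6, 7500   # setting range of the resource watchdog time

@dataclass
class Measured:             # hypothetical container; field names are not HIMA's
    sync_times_ms: list     # step 4: one value per n -> n+1 synchronization
    t_peak_ms: float        # TPeak: observed load peak of the user programs
    t_com_ms: float         # TCom: Max. Com. Time Slice ASYNC [ms]
    t_config_ms: float      # TConfig: Max. Duration of Configuration Connections [ms]
    bus_latency_us: float   # Maximum System Bus Latency [µs]

def watchdog_time_ms(m: Measured) -> float:
    """TWD = TSync + TMarg + TCom + TConfig + TLatency + TPeak, in ms."""
    t_sync = max(m.sync_times_ms)               # the greatest sync time is used
    # Assumption: the [µs] * 4 term is converted to ms so all terms share a unit.
    t_latency = m.bus_latency_us * 4 / 1000.0
    return t_sync + T_MARG_MS + m.t_com_ms + m.t_config_ms + t_latency + m.t_peak_ms

def check(wdt_ms, safety_time_ms, max_cpu_cycle_ms=None):
    """Return the rules from section 3.2.2 that the pair violates ([] = none)."""
    issues = []
    if not WDT_MIN_MS <= wdt_ms <= WDT_MAX_MS:
        issues.append("watchdog time outside 6..7500 ms")
    if wdt_ms > safety_time_ms / 2:
        issues.append("watchdog time > 1/2 safety time")
    if max_cpu_cycle_ms is None:    # no reliable max. CPU cycle time available
        need = 3 * wdt_ms + 2 * IO_CYCLE_MS
    else:
        need = 2 * wdt_ms + max_cpu_cycle_ms + 2 * IO_CYCLE_MS
    if need > safety_time_ms:
        issues.append(f"availability rule needs safety time >= {need:g} ms")
    return issues

# Constructed sample values, not measurements from a real controller.
SAMPLE = Measured(sync_times_ms=[38, 45, 52], t_peak_ms=9, t_com_ms=10,
                  t_config_ms=6, bus_latency_us=500)

if __name__ == "__main__":
    wdt = watchdog_time_ms(SAMPLE)
    for safety in (200, 300):
        print(f"TWD={wdt:g} ms, safety time={safety} ms ->", check(wdt, safety) or "ok")
```

With the sample values, a 200 ms safety time passes the ½ rule but fails the availability rule, which is the case the stricter `3 * watchdog time` form exists to catch when no max. CPU cycle time is known.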


This step can be necessary to achieve the required SIL. If the components are no longer operating redundantly due to a failure, repair of the failed component must be ensured at the earliest opportunity. It is not required to design the safety system components redundantly if, in the event of a safety system failure, the required safety level can otherwise be achieved, e.g., by implementing organizational measures.

Detection of Failed System Components
The safety system recognizes that components are not functioning and activates the redundant components. This is done with:
  • Self-tests of the HIMax modules.
  • Line monitoring (short-circuits and open-circuits) with input and output modules. The modules must be configured accordingly.
  • Additional inputs for monitoring the actuators, if required by the project.

3.2 Time Parameters Important for Safety
These are:
  • Fault tolerance time
  • Watchdog time
  • Safety time
  • Response time

3.2.1 Fault Tolerance Time (FTT)
The fault tolerance time (FTT) is a property of the process and describes the span of time during which the process allows faulty signals to exist before the system state becomes dangerous.

3.2.2 Resource Watchdog Time
The watchdog time is set in the dialog for configuring the resource properties. This time is the maximum permissible duration of a RUN cycle (cycle time). If the cycle time exceeds the preset watchdog time, the processor module adopts the error stop state.
When determining the watchdog time, the following factors must be taken into account:
  • Time required by the application, e.g., the duration of a cycle in the user program.
  • Time required for process data communication.
  • Time required to synchronize the redundant processor modules.
  • Time internally required to perform a reload.
The setting range for the watchdog time of the resource ranges from 6 ms to maximum 7 500 ms. The default setting is 200 ms.
When setting the watchdog time, the following must apply: watchdog time ≤ ½ * safety time

HIMax 3 Safety Concept for Using the PES
HI 801 003 E Rev. 4.00, Page 17 of 64

Note: To ensure sufficient availability, HIMA strongly recommends the following setting:
2 * watchdog time + max. CPU cycle time + 2 * I/O cycle time ≤ safety time
If no reliable assessment of the max. CPU cycle time can be made, the safety time must be set such that:
3 * watchdog time + 2 * I/O cycle time ≤ safety time
The I/O cycle time is equal to 2 ms.

The watchdog time for a project is determined by a test on a complete system. During the test, all the processor modules are inserted in the base plate. The system operates in RUN mode with full load. All communication links are operating (safeethernet and standard protocols).

To determine the watchdog time:
1. Set the watchdog time high for testing.
2. Use the system under the maximum load. In the process, all communication connections must be operating both via safeethernet and standard protocols. Frequently read the cycle time in the Control Panel and note down the variations or load peaks of the cycle time.
3. In succession, remove and reinsert every processor module in the base plate. Prior to removing one processor module, wait until the processor module that has just been inserted is synchronized.
   Note: When a processor module is inserted in the base plate, it automatically synchronizes itself with the configuration of the existing processor modules. The time required for the synchronization process extends the controller cycle up to the maximum cycle time. The synchronization time increases with the number of processor modules that have already been synchronized.
   For more information on how to insert and remove a processor module, refer to the X-CPU 01 (HI 801 009 E).
4. In the diagnostic history for the non-synchronized module, read the synchronization time from n to n+1 processor modules in every synchronization process and note it down.
   The greatest synchronization time value is used to determine the watchdog time.
5. Calculate the minimum watchdog time from the longest synchronization time + 12 ms spare + spare for the noted variations of the cycle time.
6. Calculate the watchdog time TWD using the following equation:
   TWD = TSync + TMarg + TCom + TConfig + TLatency + TPeak
   where
   TSync     Time determined for the processor module's synchronization
   TMarg     Safety margin 12 ms
   TCom      The configured system parameter: Max. Com. Time Slice ASYNC [ms]
   TConfig   The configured system parameter: Max. Duration of Configuration Connections [ms]
   TLatency  The configured system parameter: Maximum System Bus Latency [µs] * 4
   TPeak     Observed load peak of the user programs
This equation allows one to calculate a suitable value for the watchdog time.
Note: In particular cases, the watchdog time calculated as described above might be too short for performing a reload.
TIP: The determined watchdog time can be used as maximum cycle time in the safeethernet configuration, see Communication Manual (HI 801 101 E).

3.2.3 Watchdog Time of the User Program
Each user program has its own watchdog and watchdog time. The watchdog time for the user program cannot be set directly. To calculate the watchdog time for a user program, HIMax uses the resource-specific parameter Max. Watchdog Time and the parameter Maximum Number of Cycles. Refer to Chapter 10.2.3 and Chapter 10.2.11 for more details.
Make sure that the calculated watchdog time is not greater than the resulting reaction time, which is required for the process portion processed by the user program.

3.2.4 Safety Time (of PES)
The safety time is the maximum permissible time within which the PES must react to a safety requirement event. Safety requirement events include:
  • Changes in input signals from process.
  • Faults occurring in the controller.
In HIMax controllers, the safety time can be set anywhere between 20 ms and 22 500 ms. Within the safety time of the controller, the self-test facilities detect whether there are any potentially dangerous faults. They trigger predefined fault reactions that set the faulty components to a safe state.
When determining the safety time, the effects of the following factors must be taken into account:
  • If input modules are used, consider the following: Time-on/time-off delay settings for input channels: enter maximum delay time setting in μs + 2 * cycle time of the I/O module
  • Noise blanking also needs time reserves.
Choose a safety time that is long enough to account for the most significant factor mentioned above, but still lower than the FTT of the process. It is important not to neglect the sensor and actuator time parameters for the safety function.
The safety time for the controller is:
Safety time > 2 * watchdog time + maximum cycle time + 2 * cycle time of the I/O modules
In the actual application, the user should measure the maximum cycle time by replacing a redundant processor module. Enter the maximum cycle time determined for the entire system into the above formula. The cycle time of the I/O modules is equal to 2 ms. This ensures maximum availability for the system.

3.2.5 Safety Time of the User Program
The safety time for the user program cannot be set directly. To calculate the safety time for a user program, HIMax uses the resource-specific parameter Max. Safety Time and the parameter Maxi


