Fault Reaction And Io States - Honeywell HC900 Safety Manual

HC900 Control System Fault Detection and Response - Fault Reaction and IO states

Fault Reaction and IO states

The Fault Reaction (FR) state of each IO point is the predetermined state or action the point assumes in
case of faults.
ALL outputs have a defined fault reaction (failsafe) of OFF (de-energized) / LOW.
•
All Input blocks may be configured to either Low/OFF (de-energized), High, or Hold.
•
IO fault reaction is a maximum of four times the normal IO scan time for a single Rack and five times
•
for multi-rack systems.
The time to detect a fault in HC900 with internal diagnostic and act on it is approximately one minute.
•
This is the maximum time to bring the process to the safe state when there is any hidden internal fault
that is not detected through other means.
Fault reaction and IO states are explained below:
Fault reaction
The response to faults in the Controller, application and/or IO
The fault reaction towards Controller and/or application faults is fixed.
•
The fault reaction to Input faults can be configured on a point or module level; it should be customized
•
to the application for which HC900 is used.
Loss of communications between Controller and remote racks
•
Non-redundant systems: The remote rack will drive its output module going to their failsafe state
•
OFF/ de-energized for safety outputs and the user configurable value for process outputs. Failsafe
action will be with four normal scan cycles for single rack systems, five for multi- rack systems..
Note: All other racks will continue to operate normally unless they are configured to do otherwise.
Input modules associated with the Rack will go to their programmed failsafe values.
Redundant systems: Loss of two consecutive normal scan cycle communications will result in the
•
transfer of Lead controller to the Reserve controller if the Reserve Controller has better
communications. Loss of communications to both the Lead and Reserve controllers results in the rack
going to its failsafe states similar to the Non- Redundant system above.
Fault Detection
This section describes the fault detection and reaction of the system.
The system performs continuous diagnostics on all critical parts of the system. All SIF related diagnostics
are executed with background execution task with a complete diagnostic execution within the defined
Diagnostic Time Interval.
When the system detects a fault, the diagnostic will be reported and the corresponding action is performed.
Below the system responses of safety related modules are explained
Processor module
The processor module performs diagnostic tests on all critical parts of the module like memory, processors,
address lines etc. When a fault is detected the CPU module will post the fault, reset itself and restart the
application configuration if possible.
58 HC900 Process & Safety Controller Safety Manual Revision 1.9
01/14