A
April 4, 1995
Configuration worksheets are available for all I/O block types in the Genius I/O Discrete and Analog Blocks User's Manual
Configuration Protect must be Enabled in each block.
The HHM must be configured to use serial bus address 0 (the default).
The following configuration options must be disabled and the HHM keyswitch must be set to ªMONº and the key removed: Change Block ID, Change Block Baud Rate, Change Block Configuration, Circuit Forcing, Clear Block Faults
All Series 90±70 instructions can be used in the non±safety portion of the user program, but the following instructions must not be used in the safety relevant portion of the user program: VME_CFG_RD, VME_CFG_WRT, PIDISA, PIDIND, DO_IO, SUSIO, ALL SFC functions,
COMMREQ, DATA_INIT_COMM, CALL SUB, CALLEXTERNAL.
SVCREQ functions #1, #3, #4, #6, #8, #14 and #19 may not be used.
The NON±safety relevant portion of a program must be ªde±coupledº or segregated from the safety relevant portion by using separate program blocks or subroutines. In addition there must be no overlap of I/O reference addresses in the two separate portions of the program. Control algorithms must NOT be in any way integrated with the safety relevant portion of the program.
No forces or overrides can be present in the system. This is checked by verifying system variables %S0012 (FRC_PRE) and %S0011 (OVR_PRE) are equal to 0. The application program must include code that issues a warning to the operator, via a redundant PLC output, if %S0012 or %S0011 are in the on state in any of the three PLCs.
The application program must include code that issues a warning to the operator to indicate that a fault (any fault) exists in the system, via a redundant PLC output, if system variable %SC0009 (ANY_FLT) is in the on state in any of the three PLCs.
The GMR control bits, %M12258 (IORES), %M12259 (PLCRES) and %M12264 (PLCRESG), must not be driven by the application automatically. They must be driven only under control of an operator (Operator interface or hard wired push± button inputs).
A status report must be produced by setting the GMR REPORT bit (%M12262). The resultant information must be checked verified against the configuration printout.
Two backup copies of the system configuration and application program must be made for documentation and backup purposes. These backups must be verified to be identical to what resides in the PLCs by use of the Logicmaster 90±70 software.
Inputs from other systems to any part of the safety relevant portion of the application program must be made via the safety relevant inputs of the GMR system. If a software interface, it must be made through that group of input addresses reserved for the safety relevant portion of the application. In addition, it must be verified that any non safety inputs cannot override a demand made to an output by the safety relevant portion of the program or prevent any field input to the safety relevant portion of the program.
Manual trips and overrides must be executed exclusively during maintenance of the system. The specific requirements are described in the document ªMaintenance Override, Version 2.2, Sept. 8, 1994, which is reprinted in GFK±0787B.
The Force Logon control bit must be set via a hard wired input device, as described in chapter 7 of GFK±0787B. PLC force logon is to be considered a maintenance override and shall be subject to requirements described in the document ªMaintenance Override, Version 2.2, Sept. 8, 1994, which is reprinted in GFK±0787B.
The Cancel I/O Shut Down control bit (%M12265 ± SD_CAN) must left in the off (0) state and must not used in any portion of the application program.
When the final commissioned application program is stored to the PLCs, all program data including reference tables must be stored. The procedures in document
GeniustModular Redundancy Flexible Triple Modular Redundant (TMR) System |
| |
| User's Manual ± March 1995 |
|
