Response to faults – Rockwell Automation 1755-OF8 GuardPLC Controller Systems User Manual


Publication 1753-UM001C-EN-P - March 2010

Chapter 1 Overview of Safety Controllers

Response to Faults

The controller also monitors the timing and consistency of the:

- hardware self-tests and software self-tests of the controller.
- cycle of the user program.
- processing of the I/O signals including I/O tests.
- run cycle of the controller.
- transition from Run to Stop.

Type of I/O Error

Controller Behavior

Permanent

If an error occurs at an I/O point, only this I/O point is considered faulty and not the entire module.

In case of faulty input points, ‘0’ is assumed to be the safe value. Faulty output channels are de-energized. If it
is not possible to de-energize a single point, the entire module is considered to be faulty, the entire module is
de-energized, and the corresponding error status is set. The controller reports the error to the user program. If
the entire module cannot be de-energized, the controller goes to Failure_Stop.

Transient

A transient error is an error that occurs in an I/O module and then disappears by itself. If a transient error
occurs, the module performs a self test. If the test is successful, the status of the I/O module is set to ‘good’
and the module’s normal function continues.

In the process, the GuardPLC controller performs a statistical evaluation of the frequency of errors. The I/O
module is permanently set to ‘faulty’ if the pre-set error frequency is exceeded. In this case, the module does
not resume its normal function after the error has disappeared. To resume normal function, you must cycle
power or change the controller to Stop and then Run.

If an error persists for a period of time exceeding that of the multiple error occurrence time (24 hours), the I/O
module is permanently set to ‘faulty’ and does not continue normal function after the disappearance of the
error. The I/O module can only resume normal function after you cycle power or Stop/Start the controller.

For faulty modules, the controller uses safe values (0, LOW).

Controller

Upon the detection of an error, the controller goes to Failure_Stop and all output channels are set to the safe
state (value = 0).

In some cases in which a Failure_Stop occurs, a power cycle will not enable normal operation. A manual reset
from Stop to Run, using RSLogix Guard PLUS! software, is required. Cat. 4 faults typically require manual
resets.

An error in the user program is not considered an error of the controller.
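
The transient-error handling described above can be modelled as a small state machine. This is an added example, not Rockwell Automation code. The frequency threshold and window (`ASSUMED_MAX_ERRORS`, `ASSUMED_WINDOW_S`), the class and method names, a passing self-test, and the counter reset on restart are assumptions, because the manual only says the error frequency is pre-set.

```python
from dataclasses import dataclass, field
from typing import List, Optional

MULTIPLE_ERROR_OCCURRENCE_TIME_S = 24 * 3600  # 24 hours, as stated in the manual
# Assumed values: the manual calls the error frequency "pre-set" but gives no numbers.
ASSUMED_MAX_ERRORS = 3
ASSUMED_WINDOW_S = 3600


@dataclass
class IOModuleModel:
    status: str = "good"  # "good", "error" (active, not latched) or "faulty" (latched)
    error_since: Optional[float] = None
    occurrences: List[float] = field(default_factory=list)

    def observe(self, now: float, error_present: bool) -> str:
        """Feed one observation (time in seconds) and return the module status."""
        if self.status == "faulty":
            return self.status  # latched: only restart() clears it
        if error_present and self.error_since is None:
            # New error occurrence: count it for the frequency evaluation.
            self.error_since = now
            self.occurrences = [t for t in self.occurrences
                                if now - t < ASSUMED_WINDOW_S] + [now]
            too_often = len(self.occurrences) > ASSUMED_MAX_ERRORS
            self.status = "faulty" if too_often else "error"
        elif error_present:
            # Same error still active: latch once it outlasts 24 hours.
            if now - self.error_since > MULTIPLE_ERROR_OCCURRENCE_TIME_S:
                self.status = "faulty"
        elif self.error_since is not None:
            # Error disappeared; the module self-test is assumed to pass here.
            self.error_since = None
            self.status = "good"
        return self.status

    def restart(self) -> None:
        """Power cycle, or controller changed to Stop and then Run."""
        # Assumed: the restart also resets the frequency counter.
        self.status, self.error_since, self.occurrences = "good", None, []

    def value(self, raw: int) -> int:
        """Value seen by the user program: safe value 0 unless status is good."""
        return raw if self.status == "good" else 0
```

The model shows why a cleared error does not by itself restore a latched module: once `status` is `faulty`, `observe()` keeps returning the safe value until `restart()` is called.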
