Description of the Process Safety Time

The process safety time (PST) is an essential measure of a process executed by a safety loop. It is defined as the period between the occurrence of a failure in equipment under control (EUC) and the occurrence of a hazardous event if the safety function is not performed (i.e. if the safe state is not achieved).

NOTE: The process safety time is determined by your specific safety process. You need to verify that your safety-related system can perform its safety functions within the process safety time.

Description of the System Reaction Time

The system reaction time is the sum of the PAC reaction time, plus the reaction times for both the selected sensor (TS) and the selected actuator (TA).

NOTE: TS and TA are device specific.

For each safety loop, verify that the system reaction time is less than the process safety time.

System reaction time is illustrated below:

The components of the system reaction time can include the following (the estimated worst-case value is given where the page states one):

TS
    Reaction time required by the selected sensor to react to a process event.
    Estimated worst-case value: device specific.

TI
    Maximum time required by the input module to sample and confirm a sensor event. It includes:
      • One input module sampling period.
      • Multiple input module sampling periods for filtering.
    Estimated worst-case value: 6 ms.

TCOMM_IN
    Input communication delay. Its components are described in the topic Application Response Time in the Modicon M580 Standalone System Planning Guide for Frequently Used Architectures, and include the following (numbers refer to the ART calculation in the referenced topic):
      • TCRA_IN: CRA_Drop_Process (2) + CRA Input RPI (3)
      • TJITTER_IN: Network_In_Time (4) + Network_In_Jitter (5) + CPU_In_Jitter (6)

TCPU
    The CPU and coprocessor reaction time: the delay caused by pending higher-priority tasks (the FAST task) plus two SAFE task scan times, the first scan missing the event and the second processing it:
    TCPU = TMULTITASK_JITTER + 2 x TSAFE
    Its sub-components are:

    TMULTITASK_JITTER
        The maximum delay caused by execution of pending tasks with higher priority, in this case the FAST task:
        TMULTITASK_JITTER = TFAST

    TSAFE
        The configured SAFE task period.

    TFAST
        Included because the FAST task execution takes priority over the SAFE task.
        NOTE: To simplify the formula, it is assumed that no system task is in an overrun condition. Thus, this value equals the configured FAST task period, or 0 if the FAST task is not configured.

TCOMM_OUT
    Output communication delay. Its components are described in the topic Application Response Time in the Modicon M580 Standalone System Planning Guide for Frequently Used Architectures, and include the following (numbers refer to the ART calculation in the referenced topic):
      • TCRA_OUT: CRA_Drop_Process (12)
      • TJITTER_OUT: CPU_Out_Jitter (9) + Network_Out_Time (10) + Network_Out_Jitter (11)

TO
    Equal to the sum of the following times:
      • Delay time between reading and applying the CPU output value (0...3 ms).
      • Time required by the safety output module to modify the physical output, i.e. to propagate the change from X ram to the physical output (0...3 ms).
    Estimated worst-case value: 6 ms.

TA
    Reaction time for the selected actuator.
    Estimated worst-case value: device specific.

Description of the PAC Reaction Time

For I/O placed in the local main rack (with the CPU) the PAC reaction time is the sum of the related reaction times for both the selected input module (TI) and the selected output module (TO), plus the CPU & Copro reaction time (TCPU):

PAC reaction time (local) = TCPU + TI + TO

If the I/O are located in a remote rack, the PAC reaction time also includes input communication delay (TCOMM_IN) and output communication delay (TCOMM_OUT) times:

PAC reaction time (remote) = TCPU + TCOMM_IN + TI + TCOMM_OUT + TO

Description of the CPU & Copro Reaction Time

The CPU & Copro reaction time is directly impacted by both the SAFE task period and the FAST task period. Verify that safety logic will be executed within the SAFE task period.

Because a signal may arrive just after the inputs of the current cycle have already been read and processed, it is only seen at the next cycle; two SAFE task cycles may therefore be necessary to react to the signal.

Because the FAST task takes priority over the SAFE task, you also need to consider the time to execute the FAST task when estimating jitter.

This leads to the following equation for the maximum (i.e. worst case) reaction time:

CPU & Copro reaction time = 2 x TSAFE + TFAST

NOTE: If you are using peer-to-peer safe communication to perform the safety function, the CPU reaction time estimation is different.

Description of the Time for Input Modules

The worst-case input module time TI is 6 ms for both the safety digital input module and the safety analog input module.

Description of the Time for Output Modules

The maximum time TO for the safety digital output module is estimated to be 6 ms.

A fallback safety timeout S_TO needs to be configured for both the digital output module and the digital relay output module. Depending on the configured SAFE task period (TSAFE), the value for S_TO needs to be configured as follows:

  • If (2.5 * TSAFE) ≤ 40 ms, set S_TO to a minimum of 40 ms.

  • If (2.5 * TSAFE) > 40 ms, set S_TO to a minimum of (2.5 * TSAFE) ms.

For Hot Standby applications, consider the impact on the fallback safety timeout (S_TO) parameter of additional time (TSWAP) required by a swap, and of additional time TSWITCH required by a switchover.

Computation of System Reaction Time

Knowing the required process safety time (PST) and the maximum reaction time of the sensors and actuators, you are able to calculate the maximum system reaction time (SRT) tolerable in your process.

The maximum (i.e. worst case) system reaction time can be computed as follows.

For systems with I/O in remote drops (TCRA and TRPI are the CRA drop-processing and CRA input RPI terms of TCOMM_IN and TCOMM_OUT):

Max SRT = TS + TI + 2 x TCRA + TRPI + 2 x TSAFE + TFAST + TO + TA

or, in simplified form:

Max SRT = 16 ms + TS + 2.5 x TSAFE + TFAST + TA

For systems with local I/O:

Max SRT = TS + TI + 2.5 x TSAFE + TFAST + TO + TA

or, in simplified form:

Max SRT = 15 ms + TS + 2.5 x TSAFE + TFAST + TA

NOTE: The simplified forms substitute fixed worst-case values for the module and communication terms. If the TI, TO, CRA or RPI values of your configuration differ from those assumptions, evaluate the full form with the component values from the table above, and compare that result with the PST.

NOTE: For Hot Standby PACs, add the following components to the above calculations when computing the maximum safety reaction time:
  • If an unexpected event causes a switchover, the maximum safety reaction time can increase by the component TSWITCH.

  • If the system operator performs a swap, the maximum safety reaction time can increase by the component TSWAP.
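The reaction-time sums above, written out as a small calculator. This is an added example, not code from the Schneider guide: it takes the worst-case TI and TO values stated on this page, treats TCOMM_IN, TCOMM_OUT and the Hot Standby component (TSWAP or TSWITCH) as inputs you obtain from your own ART calculation and Hot Standby analysis, and checks the strict SRT < PST condition for a loop whose sensor, actuator, task-period and communication values are all constructed for illustration.

```python
# Added worked example (not part of the Schneider guide): worst-case system
# reaction time (SRT) for one safety loop, built from the component table,
# and the check that SRT < PST. All loop values below are constructed.
from dataclasses import dataclass

# Worst-case module times stated on the page.
T_I_MS = 6.0   # TI: safety input module (digital or analog)
T_O_MS = 6.0   # TO: safety output module


@dataclass(frozen=True)
class LoopTiming:
    """Timing parameters of one safety loop, all in milliseconds."""
    t_s: float                 # TS: sensor reaction time (device specific)
    t_a: float                 # TA: actuator reaction time (device specific)
    t_safe: float              # TSAFE: configured SAFE task period
    t_fast: float = 0.0        # TFAST: configured FAST task period, 0 if none
    remote: bool = False       # True when the I/O sit in a remote (CRA) drop
    t_comm_in: float = 0.0     # TCOMM_IN = TCRA_IN + TJITTER_IN (from the ART calculation)
    t_comm_out: float = 0.0    # TCOMM_OUT = TCRA_OUT + TJITTER_OUT (from the ART calculation)
    t_hsby: float = 0.0        # TSWAP or TSWITCH for a Hot Standby pair, else 0


def cpu_reaction_time(t: LoopTiming) -> float:
    # TCPU = TMULTITASK_JITTER + 2 x TSAFE, with TMULTITASK_JITTER = TFAST
    # (no task overrun assumed, as on the page).
    return t.t_fast + 2.0 * t.t_safe


def pac_reaction_time(t: LoopTiming) -> float:
    # Local:  TCPU + TI + TO
    # Remote: TCPU + TCOMM_IN + TI + TCOMM_OUT + TO
    pac = cpu_reaction_time(t) + T_I_MS + T_O_MS
    if t.remote:
        pac += t.t_comm_in + t.t_comm_out
    return pac + t.t_hsby


def system_reaction_time(t: LoopTiming) -> float:
    # SRT = TS + PAC reaction time + TA
    return t.t_s + pac_reaction_time(t) + t.t_a


def check_loop(t: LoopTiming, pst_ms: float) -> tuple:
    """Return (ok, srt, margin); the loop is acceptable only if SRT < PST."""
    srt = system_reaction_time(t)
    return srt < pst_ms, srt, pst_ms - srt


# Constructed loop: 10 ms sensor, 20 ms actuator, SAFE = 20 ms, FAST = 5 ms,
# I/O in a remote drop with 12 ms / 8 ms communication delays taken from a
# hypothetical ART calculation, and a required PST of 150 ms.
REMOTE_LOOP = LoopTiming(t_s=10.0, t_a=20.0, t_safe=20.0, t_fast=5.0,
                         remote=True, t_comm_in=12.0, t_comm_out=8.0)
LOCAL_LOOP = LoopTiming(t_s=10.0, t_a=20.0, t_safe=20.0, t_fast=5.0)

if __name__ == "__main__":
    for name, loop in (("remote", REMOTE_LOOP), ("local", LOCAL_LOOP)):
        ok, srt, margin = check_loop(loop, pst_ms=150.0)
        print(f"{name}: SRT = {srt:.1f} ms, PST margin = {margin:.1f} ms, "
              f"{'OK' if ok else 'VIOLATION'}")
```

Run it per safety loop with that loop's own TS, TA and PST; a loop whose SRT equals the PST is reported as a violation because the page requires the reaction time to be strictly less than the PST.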

System Reaction Time During a Swap

A swap is the operator-initiated action on a Hot Standby system, which causes the primary and standby PACs to exchange roles. A swap consumes additional time, because during the swap no information may be lost and all system outputs need to be safely timed out.

The TSWAP time component is added to the TCPU time following the normal TJITTER component. This sequence is displayed below. Except for the inclusion of the swap component, the system reaction time description is the same as described above:

The TSWAP time component is the sum of the following:

TADDITIONAL_JITTER + TTRANSFER

The swap-specific components are described as follows:

TADDITIONAL_JITTER
    Jitter introduced by the multi-task system to restart the task on the new PAC. Hence, TADDITIONAL_JITTER = TSAFE.

TTRANSFER
    During the diagnostics of the MAST task, the PAC accepts the swap command and begins to transfer the latest data for each task.
    Estimated worst-case value: refer to the formula below.

TTRANSFER (in ms) can be calculated as follows:

TTRANSFER = [K3 x (MASTKB + 2 x SAFEKB + FASTKB) + K4 x (MASTDFB + 2 x SAFEDFB + FASTDFB)] / 1000

Where:

  • TASKKB = Size of the data (in Kbytes) exchanged for the task TASK (MAST, SAFE or FAST) between the primary PAC and the standby PAC.

  • TASKDFB = The number of DFBs declared in the task TASK.

  • K3 and K4 are constants (in μs, hence the division by 1000) whose values are determined by the specific CPU module used in the application, as follows:

Coefficient   BMEH582040S             BMEH584040S or BMEH586040S
K3            46.4 μs/kB              14.8 μs/kB
K4            34.5 μs/DFB instance    11.0 μs/DFB instance

If the system operator wants to perform a swap without the safety module outputs going into their fallback state, set the fallback safety timeout parameter of the safety output modules (S_TO) to a value greater than: TMULTITASK_JITTER + TSWAP + TSAFE.

System Reaction Time During a Switchover

A switchover occurs when the standby PAC in a Hot Standby system becomes the primary PAC in response to an unexpected event, for example, when hardware in the primary PAC suddenly becomes non-operational. The goal of the switchover is for the new primary PAC to seamlessly replace the old one, and begin operations at the point where the old primary PAC ceased to function. Nevertheless, the last cycle may be re-executed. The system target is to achieve the fastest possible recovery.

The TSWITCH time component is added to the TCPU time following the normal TJITTER component. This sequence is displayed below. Except for the inclusion of the switchover component, the system reaction time description is the same as described above:

The TSWITCH time component is the sum of the following:

TDETECT + TADDITIONAL_JITTER

The switchover-specific components are described as follows:

TDETECT
    Time used by the standby PAC to detect and confirm that the primary PAC has become non-operational.
    Estimated worst-case value: 15 ms.

TADDITIONAL_JITTER
    Jitter introduced by the multi-task system to restart the task on the new PAC. Hence, TADDITIONAL_JITTER = TSAFE.

Unlike a swap, no additional time is needed to perform a data transfer.

To allow the system to respond to an unexpected event and perform a switchover without the safety module outputs going into their fallback state, set the fallback safety timeout parameter of the safety output modules (S_TO) to a value greater than: TMULTITASK_JITTER + TSWITCH + TSAFE.
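The swap and switchover components, and the three constraints the page places on S_TO (the base rule from the output-module section, the swap rule and the switchover rule just above), combined into one check. This is an added example, not code from the Schneider guide: K3, K4 and TDETECT are the values given on this page, the task data sizes and DFB counts are constructed, and the rounding to an integer millisecond and the range clamp are this example's own handling of the strict "greater than" bounds and the configurable S_TO range.

```python
# Added worked example (not part of the Schneider guide): Hot Standby swap and
# switchover components (TSWAP, TTRANSFER, TSWITCH) and the resulting lower
# bound on the safety output fallback timeout S_TO. Task sizes below are
# constructed; K3/K4 and TDETECT are the values given on the page.
import math
from dataclasses import dataclass

T_DETECT_MS = 15.0           # TDETECT: standby confirms the primary is down (worst case)
S_TO_RANGE_MS = (0, 65535)   # configurable S_TO range of the digital output module

# (K3 in us/kB, K4 in us/DFB instance) per CPU module, from the page's table.
K_COEFF = {
    "BMEH582040S": (46.4, 34.5),
    "BMEH584040S": (14.8, 11.0),
    "BMEH586040S": (14.8, 11.0),
}


@dataclass(frozen=True)
class TaskData:
    kb: float   # TASKKB: data exchanged for the task between primary and standby, Kbytes
    dfb: int    # TASKDFB: number of DFB instances declared in the task


def t_transfer(cpu, mast, safe, fast):
    """TTRANSFER in ms; the SAFE task counts twice in both terms."""
    k3, k4 = K_COEFF[cpu]
    kb_term = k3 * (mast.kb + 2 * safe.kb + fast.kb)
    dfb_term = k4 * (mast.dfb + 2 * safe.dfb + fast.dfb)
    return (kb_term + dfb_term) / 1000.0   # us -> ms


def t_swap(cpu, mast, safe, fast, t_safe):
    # TSWAP = TADDITIONAL_JITTER + TTRANSFER, with TADDITIONAL_JITTER = TSAFE
    return t_safe + t_transfer(cpu, mast, safe, fast)


def t_switch(t_safe):
    # TSWITCH = TDETECT + TADDITIONAL_JITTER; no data transfer on switchover
    return T_DETECT_MS + t_safe


def s_to_bounds(cpu, mast, safe, fast, t_safe, t_fast):
    """The three constraints the page places on S_TO, in ms."""
    jitter = t_fast   # TMULTITASK_JITTER = TFAST (0 if no FAST task)
    return {
        "base": max(40.0, 2.5 * t_safe),                                  # S_TO >= base
        "swap": jitter + t_swap(cpu, mast, safe, fast, t_safe) + t_safe,  # S_TO >  swap
        "switchover": jitter + t_switch(t_safe) + t_safe,                 # S_TO >  switchover
    }


def recommended_s_to(cpu, mast, safe, fast, t_safe, t_fast):
    """Smallest integer-ms S_TO meeting all bounds. The swap and switchover
    bounds are strict ("greater than"); the base bound is not."""
    b = s_to_bounds(cpu, mast, safe, fast, t_safe, t_fast)
    candidate = max(math.ceil(b["base"]),
                    math.floor(b["swap"]) + 1,
                    math.floor(b["switchover"]) + 1)
    lo, hi = S_TO_RANGE_MS
    if not lo <= candidate <= hi:
        raise ValueError(f"S_TO {candidate} ms is outside the configurable range {S_TO_RANGE_MS}")
    return candidate


# Constructed application: MAST 20 kB / 50 DFBs, SAFE 4 kB / 10 DFBs,
# FAST 1 kB / 2 DFBs, SAFE period 20 ms, FAST period 5 ms.
MAST, SAFE, FAST = TaskData(20.0, 50), TaskData(4.0, 10), TaskData(1.0, 2)

if __name__ == "__main__":
    for cpu in ("BMEH582040S", "BMEH586040S"):
        print(cpu, "TTRANSFER = %.3f ms," % t_transfer(cpu, MAST, SAFE, FAST),
              "S_TO >=", recommended_s_to(cpu, MAST, SAFE, FAST, 20.0, 5.0), "ms")
```

With these inputs the switchover bound (TFAST + TDETECT + 3 x TSAFE = 60 ms) dominates both the base rule (50 ms) and the swap bound, so the transfer time barely matters on either CPU; on applications with large exchanged data or many DFB instances on a BMEH582040S the swap bound takes over, which is exactly the case the calculator exists to catch.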

Configuring the Maximum CPU SAFE and FAST task Periods

The M580 safety PAC can perform only periodic execution for the SAFE and FAST tasks (cyclic execution is not supported for these tasks).

The SAFE task Period and the maximum allowed CPU Watchdog settings are configured in the General tab of the Properties of SAFE dialog. The safety digital output Fallback Timeout settings are configured in the Configuration tab for the output module.

Similarly, the FAST task Period and the maximum allowed CPU Watchdog settings are configured in the General tab of the Properties of FAST dialog.

NOTE:
  • Permissible SAFE task period settings range is 10...255 ms, with a default value of 20 ms.

  • Permissible FAST task period settings range is 1...255 ms, with a default value of 5 ms.

  • Permissible watchdog settings range is 10...500 ms, with a default value of 250 ms.

  • Permissible digital output fallback timeout settings range is 0...65535 ms, with a default value of 500 ms.

Verify that the watchdog setting is greater than the SAFE task period.

Check your CPU SAFE task period setting when commissioning your project: at that point Control Expert Safety displays the real-time task values read from the PAC.

You can find this information in Control Expert Safety in the Task tab using the menu entry Tools > PLC Screen.

The following drawing illustrates the execution of each task in a multi-task system, and depicts the preemption of CPU resources depending on the task priority:

NOTE: When the MAST task is not in cyclic mode and for optimal CPU performance, Schneider Electric recommends that the 20% of CPU bandwidth remain idle.

Calculating the Impact of Task Execution Periods on CPU Bandwidth

Each configured task consumes a portion of CPU processing time, or bandwidth. The estimated percentage of CPU bandwidth consumed by a task is the result (or quotient) of the estimated execution time required by a task (ETASK) divided by the configured execution period for that task (TTASK), and can be presented as follows:

Task bandwidth = ETASK / TTASK.

Thus, the total percentage of CPU bandwidth consumed by an application is the sum of consumed CPU bandwidth percentages for all tasks.

NOTE: When the MAST task is not in cyclic mode and for optimal CPU performance, Schneider Electric recommends that the total percentage of CPU bandwidth consumed by an application does not exceed 80%.

The following table presents two applications, and indicates the impact of high priority tasks (FAST and SAFE) on total CPU bandwidth usage:

#   FAST                  SAFE                  MAST                   AUX0                    Total
    Per    Exe    BW%     Per    Exe    BW%     Per    Exe    BW%      Per     Exe    BW%
1   5 ms   1 ms   20%     20 ms  5 ms   25%     50 ms  18 ms  36%      200 ms  30 ms  15%     96%
2   7 ms   1 ms   14%     25 ms  5 ms   20%     60 ms  18 ms  30%      200 ms  30 ms  15%     79%

Per = Task period (TTASK)

Exe = Execution time required for the task (ETASK)

BW% = Task bandwidth (Exe / Per, rounded to the nearest percent).
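The bandwidth arithmetic of the table, together with the period, watchdog and 80% checks from the two preceding sections, as a configuration review script. This is an added example, not code from the Schneider guide or from Control Expert Safety: the two applications reproduce the table's values, the permitted ranges and the 80% recommendation are those stated on this page, and the overrun check (execution time longer than the period) is this example's own sanity test.

```python
# Added worked example (not part of the Schneider guide): CPU bandwidth per
# task and in total, the page's 80 % recommendation, and the range/watchdog
# checks for the SAFE and FAST task periods. APP1/APP2 reproduce the page's
# table; everything else is constructed.
from dataclasses import dataclass

PERIOD_RANGE_MS = {"SAFE": (10, 255), "FAST": (1, 255)}
WATCHDOG_RANGE_MS = (10, 500)
BANDWIDTH_LIMIT = 0.80   # recommended total when MAST is not cyclic


@dataclass(frozen=True)
class Task:
    name: str
    period_ms: float   # TTASK (Per)
    exec_ms: float     # ETASK (Exe), estimated execution time


def task_bandwidth(t):
    # Task bandwidth = ETASK / TTASK
    if t.exec_ms > t.period_ms:
        raise ValueError(f"{t.name}: execution {t.exec_ms} ms exceeds period {t.period_ms} ms (overrun)")
    return t.exec_ms / t.period_ms


def total_bandwidth(tasks):
    return sum(task_bandwidth(t) for t in tasks)


def bandwidth_report(tasks, mast_cyclic=False):
    """Return (per-task %, total %, within the 80 % recommendation)."""
    per_task = {t.name: round(100 * task_bandwidth(t)) for t in tasks}
    total = total_bandwidth(tasks)
    ok = mast_cyclic or total <= BANDWIDTH_LIMIT
    return per_task, round(100 * total), ok


def check_periods(safe_period_ms, fast_period_ms, watchdog_ms):
    """Configuration problems found; empty when the settings are acceptable.
    fast_period_ms may be None when no FAST task is configured."""
    problems = []
    for name, period in (("SAFE", safe_period_ms), ("FAST", fast_period_ms)):
        lo, hi = PERIOD_RANGE_MS[name]
        if period is not None and not lo <= period <= hi:
            problems.append(f"{name} period {period} ms outside {lo}...{hi} ms")
    lo, hi = WATCHDOG_RANGE_MS
    if not lo <= watchdog_ms <= hi:
        problems.append(f"watchdog {watchdog_ms} ms outside {lo}...{hi} ms")
    if watchdog_ms <= safe_period_ms:
        problems.append(f"watchdog {watchdog_ms} ms must be greater than the SAFE period {safe_period_ms} ms")
    return problems


# The two applications from the page's table.
APP1 = [Task("FAST", 5, 1), Task("SAFE", 20, 5), Task("MAST", 50, 18), Task("AUX0", 200, 30)]
APP2 = [Task("FAST", 7, 1), Task("SAFE", 25, 5), Task("MAST", 60, 18), Task("AUX0", 200, 30)]

if __name__ == "__main__":
    for label, app in (("App 1", APP1), ("App 2", APP2)):
        per_task, total, ok = bandwidth_report(app)
        print(label, per_task, f"total {total}%", "OK" if ok else "over the 80% recommendation")
    print("period problems:", check_periods(20, 5, 250) or "none")
```

Application 1 lands at 96% and is flagged; application 2 at 79% passes. Feed the script the execution times Control Expert Safety reports from the PAC during commissioning rather than design estimates, since the table's Exe column is only an estimate.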