User manual

76 Publication 1756-RM093F-EN-P - January 2010
Chapter 7 Monitor Status and Handle Faults
Recoverable Faults
Controller faults caused by user programming errors in a safety program trigger the controller to process the logic contained in the project’s safety program fault handler. The safety program fault handler provides the application with the opportunity to resolve the fault condition and then recover.

When a safety program fault handler does not exist or the fault is not recovered by it, the controller processes the logic in the controller-scoped fault handler, terminating safety program logic execution and leaving safety I/O connections active, but idle.

If user logic is terminated as a result of a recoverable fault that is not recovered, safety outputs are placed in the safe state and the producer of safety-consumed tags commands the consumers to place them in a safe state.

If a recoverable safety fault is overridden in the controller-scoped fault handler, only standard tasks keep running. If the fault is not overridden, the standard tasks are also shut down.
ATTENTION: You must provide proof to your certifying agency that automatic recovery from recoverable faults maintains SIL 3.

IMPORTANT: When the execution of safety program logic is terminated due to a recoverable fault that is not handled by the safety program fault handler, the safety I/O connections are closed and reopened to reinitialize safety connections.

TIP: When using safety I/O for standard applications, safety I/O will be commanded to the safe state if user logic is terminated as a result of a recoverable fault that is not recovered.

ATTENTION: Overriding the safety fault does not clear it. If you override the safety fault, it is your responsibility to prove that doing so maintains SIL 3.
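The escalation path described in this section, together with the IMPORTANT and ATTENTION notes, as an added example that is not Rockwell's code and does not emulate a controller: a small decision model that enumerates every combination of handler presence, recovery and override, and checks the invariant that safety program logic is never terminated while safety outputs stay out of the safe state. The field names and function names are this example's own shorthand, not names from the GuardLogix product.

```python
"""Decision model of recoverable-fault escalation as described on this page.

Example code only (not vendor code): it encodes the text's rules so that the
outcome of each path can be inspected and an invariant checked.
"""
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Outcome:
    fault_cleared: bool                   # cleared by the safety program fault handler
    safety_logic_running: bool            # safety program logic still executing
    safety_outputs_safe_state: bool       # safety outputs commanded to the safe state
    safety_connections_reinitialized: bool  # safety I/O connections closed and reopened
    standard_tasks_running: bool          # standard tasks continue

def handle_recoverable_fault(has_safety_fault_handler: bool,
                             safety_handler_recovers: bool,
                             controller_handler_overrides: bool) -> Outcome:
    """Apply the escalation rules from the text to one fault scenario."""
    # Step 1: the safety program fault handler gets the first opportunity to
    # resolve the fault; recovery is only possible if that handler exists.
    if has_safety_fault_handler and safety_handler_recovers:
        return Outcome(fault_cleared=True, safety_logic_running=True,
                       safety_outputs_safe_state=False,
                       safety_connections_reinitialized=False,
                       standard_tasks_running=True)
    # Step 2: not recovered -> controller-scoped fault handler runs, safety
    # logic is terminated, safety outputs go to the safe state and the safety
    # connections are closed and reopened (IMPORTANT note). Overriding keeps
    # only the standard tasks running and does NOT clear the fault (ATTENTION).
    return Outcome(fault_cleared=False, safety_logic_running=False,
                   safety_outputs_safe_state=True,
                   safety_connections_reinitialized=True,
                   standard_tasks_running=controller_handler_overrides)

def enumerate_outcomes() -> dict:
    """All eight (handler present, handler recovers, override) scenarios."""
    return {(h, r, o): handle_recoverable_fault(h, r, o)
            for h, r, o in product((False, True), repeat=3)}

def safe_state_invariant_holds() -> bool:
    """Every path that terminates safety logic must leave safety outputs in
    the safe state, and an override must never count as clearing the fault."""
    return all((o.safety_logic_running or o.safety_outputs_safe_state)
               and (o.fault_cleared <= o.safety_logic_running)
               for o in enumerate_outcomes().values())
```

Running `enumerate_outcomes()` gives the decision table a fault-handler designer would otherwise have to assemble by hand from the four paragraphs above.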