Safety Function Muting
Safety functions are temporarily suspended, or muted, during the following scenarios:
- Qualification of the redundant chassis pairTIP: When the safety function is muted, the percent complete shown on the RMCT Synchronization Status tab in the redundancy module properties is 30%. When the percent complete reaches 35%, the safety function is no longer muted even though qualification is still in progress.TIP: Once qualification is completed, the Monitor tab in the safety task properties shows the total time that the safety function was muted. The muting time appears in the Max Interval time field. To record future safety function muting times, you must reset this statistic.
- Loss of redundancy, such as during disqualification of the redundant chassis pair or a switchover
- Lock for update, such as during the Redundancy System Update (RSU) process
The following tables define the maximum duration of time that the safety function is muted depending on the scenario and controller that you are using. In most cases, the muting time is less than the maximum time shown in the following tables.
Scenario | Muting Time |
|---|---|
Qualification | Up to 1 second + 1 safety task period. |
Loss of redundancy | The muting time depends on the duration of the safety task period:
|
Lock for update | Up to 2 seconds + 1 safety task period. |
IMPORTANT:
Muting time impacts safety reaction time in high-demand applications.
Low Demand Considerations
The Logix SIS reliability model considers safety function muting time. The PFD calculations conservatively assume that a system encounters 120 loss-of-redundancy events per year or an average of 10 per month. As a result, low demand safety functions do not need to account for muting time in overall safety reaction time calculations.
ATTENTION:
If your redundant chassis pair encounters more than 120 loss-of redundancy events per year, the PFD numbers in this manual are not valid, and you must include safety function muting time in your safety reaction time calculations.
PFD calculations consider a failed qualification attempt that reaches at least 30% to be a loss of redundancy event, which mutes the safety function.
High Demand Considerations
Because high demand safety functions use PFH as a safety performance target, you must include safety function muting time in your safety reaction time calculations. The amount of muting time to add to your calculations depends on the following scenarios:
- To account for a possible loss of redundancy, you must always add the loss of redundancy muting time to your calculations for high-demand safety functions.
- If the Auto-synchronization parameter in your redundancy module is set to Always or Conditional, you must add the qualification muting time to your calculations.
- If you do not use auto-synchronization, but rely on the safety function when you use the Synchronize Secondary redundancy command, you must add the qualification muting time to your calculations.TIP: If you can design your system so that safety demands do not occur during synchronization, then you may be able to omit the qualification muting time from your safety reaction time.
- If you use the RSU feature and rely on the safety function during the lock for update process, you must add the lock for update muting time to your calculations.
Provide Feedback