DESCRIPTION AND OPERATION
Hardware Module Security Functions
I-E96-211A
As a background idle task, the module status check constantly
verifies ROM and NVM checksums. If a discrepancy is found in
any checksum, the error is displayed on the front panel LEDs
and the module stops immediately.
Control Software Security
The control software is responsible for local I/O problems,
remote I/O problems, station problems, and redundancy
errors.
Local and remote I/O errors cause the MFC to assign a bad
status to the slave signals. Local errors occur when:
• An I/O signal or voltage reference is out of range.
• The MFC is unable to drive analog or digital outputs to correct
  values.
• The MFC's own status is bad (i.e., the MFC is no longer
  functioning).
• A slave status is bad.
All I/O points that have any of the preceding errors are tagged
by the MFC as bad quality. Bad quality stays with the point no
matter where it goes (e.g., in the MFC, on the module bus, or
on the communication highway).
If you choose to run the process using bad quality data, the
MFC uses the last valid value it had for the process point
before the quality went bad. The MFC then writes the bad quality
information to its module status bytes and activates an OIS
or MCS alarm.
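The tagging and hold-last-value behavior described above, sketched in C as an added example (not code from the MFC firmware or this manual). The structure names, error bits, status byte bit and tolerance check are assumptions, and the sketch assumes the option to run on bad quality data is selected.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Assumed names and bit values; the manual does not give the real layout. */
enum { ERR_RANGE = 1, ERR_OUTPUT = 2, ERR_MODULE = 4, ERR_SLAVE = 8 };
#define STATUS_BAD_QUALITY 0x01u /* hypothetical module status bit */
typedef struct {
    double  value;     /* value the control logic runs on */
    double  last_good; /* last value seen while quality was good */
    bool    bad;       /* quality flag; copied along with the point */
    uint8_t errors;    /* which local error conditions fired */
} point_t;
typedef struct {       /* one scan of a point */
    double raw, lo, hi;              /* input reading and its valid range */
    double commanded, readback, tol; /* output drive check */
    bool   module_ok, slave_ok;
} sample_t;

static uint8_t local_errors(const sample_t *s) {
    uint8_t e = 0;
    double d = s->commanded - s->readback;
    if (!(s->raw >= s->lo && s->raw <= s->hi)) e |= ERR_RANGE; /* NaN fails too */
    if (!(d <= s->tol && d >= -s->tol)) e |= ERR_OUTPUT;
    if (!s->module_ok) e |= ERR_MODULE;
    if (!s->slave_ok) e |= ERR_SLAVE;
    return e;
}

/* Update one point; returns true when an operator alarm should be raised. */
bool update_point(point_t *p, const sample_t *s, uint8_t *status) {
    p->errors = local_errors(s);
    p->bad = p->errors != 0;
    if (!p->bad) {
        p->value = p->last_good = s->raw;
        return false;
    }
    p->value = p->last_good;       /* run on the last valid value */
    *status |= STATUS_BAD_QUALITY; /* latched; clearing is not covered here */
    return true;
}

int main(void) {
    point_t p = {50.0, 50.0, false, 0}; /* constructed: last good value 50 */
    uint8_t st = 0;
    sample_t s = {140.0, 0.0, 100.0, 10.0, 10.0, 0.5, true, true}; /* constructed */
    bool alarm = update_point(&p, &s, &st);
    printf("bad=%d value=%.1f alarm=%d status=0x%02x\n", p.bad, p.value, alarm, st);
    return 0;
}
```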
Station and redundancy failures are also noted in the module's
status bytes. Since the status bytes are always available to the
communication module (in the same PCU as the MFC), they are
also available to the OIS or MCS console. The console operator
can be aware of the problem and correct it before a fatal error
can occur.
I/O Security
For safety reasons, slave module outputs always go to known
states in the event of a failure. Default states (e.g., power up
value, hold at current value) are given in the product instructions
for the related MFC slave modules. Refer to these documents
for specifics.