De-Energize to Trip systems

The Safety controller is part of a De-Energize to Trip system. This means that all of its outputs are set to zero when a fault is detected.

De-energize to Trip System

In addition, the Safety controller automatically sets any input values associated with faulty input modules to zero. As a result, any inputs being monitored by one of the diverse input instructions (DIN or THRS) should have the normally closed input conditioned by logic as shown here:

The exact ladder logic depends on your specific system requirements, and the functionality of the Safety input module. The result, however, should be the same: to create a Safe state of one for the normally closed input of the diverse input instructions. This example logic actually overrides the input value in the input tag.

The normally closed input of the diverse input instruction should be placed in a Safe state whenever the connection to the input module is lost, or the normally closed input point is faulted.

The input value should remain intact to represent the actual state of the field device when there is a connection and the normally closed input point is not faulted.

Failure to implement this type of logic does not create an unsafe condition, but it does result in the instruction latching an Inputs Inconsistent fault, requiring a clear fault operation to be performed.