Safety Considerations Guide for Trident v2 Systems - TUV ...
18 Chapter 2 Application Guidelines
— The application must check the value (of each variable written) for a valid range or limit before its use.
• If the external computer or operator station is certified to SIL capability 3 according to IEC 61508, there must be a safety protocol to allow safe communication between the external system and the application. The communication link is considered a black channel (a communication channel without available evidence of design or validation) and it must be assumed that it can corrupt any communication. As a result, the safety protocol needs to mitigate or protect against the following errors:
— Corruption—Messages may be corrupted due to one or more of the following: errors within the black channel, errors on the transmission medium, or message interference.
— Unintended Repetition—An error, fault, or interference causes old un-updated messages to be repeated at an incorrect point in time.
— Incorrect Sequence—An error, fault, or interference causes the predefined sequence (for example, natural numbers and time references) associated with messages from a particular source to be incorrect.
— Loss—An error, fault, or interference causes a message to not be received or not be acknowledged.
— Unacceptable Delay—Messages may be delayed beyond their permitted arrival time window due to one or more of the following: errors in the transmission medium, congested transmission lines, interference, or black channel components sending messages in such a way that services are delayed or denied (for example: first in, first outs—FIFOs—in switches, bridges, and routers).
— Insertion—A fault or interference causes a message to be inserted that relates to an unexpected or unknown source entity.
— Masquerade—A fault or interference causes a message to be inserted that relates to an apparently valid source entity, resulting in a non-safety-relevant message being received by a safety-relevant participant, which then incorrectly treats the message as safety-relevant.
— Addressing—A fault or interference causes a safety-relevant message to be sent to the wrong safety-relevant participant, which then treats the reception of that message as correct.
• The Modbus and TSAA protocols currently do not have safety measures for the errors described above. It is up to the system designer to mitigate against these errors in accordance with the applicable standards for their industry to meet the required SIL capability.
The following table describes several measures commonly used to detect deterministic errors and failures of a communication system. Each safety measure can provide protection against one or more errors in the transmission. There is at least one corresponding safety measure, or combination of safety measures, for each error.
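The following is an added example, not code from the guide, from Triconex, or from any TSAA or IEC 61784-3 implementation. It shows how the usual measures (sequence number, time stamp, source and destination identifiers, a check value, a time-out, and the application-level range check from the first item above) map onto the error classes listed above. The frame layout, the participant IDs, the 50 ms age limit, the value range and the connection seed used for the safety check value are all constructed for the illustration; a real safety layer would take these from the applicable standard and the safety analysis of the plant.

```python
"""
Constructed safety layer over a black channel (illustration only).

Not the Trident/TSAA protocol and not a certified implementation: frame
layout, identifiers, seed, time-out and value range are invented here.
"""
import struct
import zlib

# Wire format, big-endian: src_id, dst_id, sequence, timestamp_ms, value, crc32
BODY_FMT = ">HHIIh"                       # 14 bytes of safety-relevant content
CRC_FMT = ">I"                            # 4-byte check value appended to the body
FRAME_LEN = struct.calcsize(BODY_FMT) + struct.calcsize(CRC_FMT)

# Safety participants compute their check value from a connection-specific seed,
# so a non-safety frame (plain CRC32) carrying a valid source ID is not accepted.
# Constructed placeholder value, not a standardised constant.
SAFETY_SEED = 0x5AFE1D


def safety_crc(body: bytes) -> int:
    return zlib.crc32(body, SAFETY_SEED) & 0xFFFFFFFF


def plain_crc(body: bytes) -> int:
    return zlib.crc32(body) & 0xFFFFFFFF


class SafetySender:
    def __init__(self, src_id, dst_id, clock):
        self.src, self.dst, self.clock = src_id, dst_id, clock
        self.seq = 0                          # last sequence number sent

    def build(self, value: int) -> bytes:
        self.seq = (self.seq + 1) & 0xFFFFFFFF
        body = struct.pack(BODY_FMT, self.src, self.dst, self.seq,
                           self.clock() & 0xFFFFFFFF, value)
        return body + struct.pack(CRC_FMT, safety_crc(body))


def non_safety_frame(src_id, dst_id, seq, ts_ms, value) -> bytes:
    """Frame from a non-safety participant: same layout, plain CRC32."""
    body = struct.pack(BODY_FMT, src_id, dst_id, seq, ts_ms, value)
    return body + struct.pack(CRC_FMT, plain_crc(body))


class SafetyReceiver:
    """Classifies each received frame into OK or one of the error classes."""

    def __init__(self, my_id, trusted_sources, clock, max_age_ms, value_range):
        self.my_id, self.trusted, self.clock = my_id, set(trusted_sources), clock
        self.max_age_ms, self.value_range = max_age_ms, value_range
        self.last_seq = 0                     # highest sequence number accepted

    def check(self, frame: bytes):
        if len(frame) != FRAME_LEN:
            return ("CORRUPTION", None)
        body, (crc,) = frame[:-4], struct.unpack(CRC_FMT, frame[-4:])
        if crc != safety_crc(body):
            # A frame that passes the plain CRC is a well-formed non-safety
            # message presented to a safety participant: masquerade.
            # Anything else is treated as corruption.
            return ("MASQUERADE" if crc == plain_crc(body) else "CORRUPTION", None)
        src, dst, seq, ts, value = struct.unpack(BODY_FMT, body)
        if dst != self.my_id:
            return ("ADDRESSING", None)       # meant for another participant
        if src not in self.trusted:
            return ("INSERTION", None)        # unknown source entity
        if seq == self.last_seq:
            return ("REPETITION", None)       # old frame delivered again
        if seq < self.last_seq:
            return ("SEQUENCE", None)         # arrives after a newer frame
        age = (self.clock() - ts) & 0xFFFFFFFF  # modular: a future stamp also fails
        if age > self.max_age_ms:
            return ("DELAY", None)            # outside permitted arrival window
        lo, hi = self.value_range
        if not lo <= value <= hi:
            return ("RANGE", None)            # application-level range check
        gap = seq - self.last_seq
        self.last_seq = seq                   # state advances only for accepted frames
        # A gap means at least one frame was never received: report loss,
        # but hand over the value because this frame itself is valid.
        return ("LOSS" if gap > 1 else "OK", value)


def demo():
    """Run one constructed scenario per error class; returns the verdicts."""
    clock = [1_000]                           # constructed millisecond clock
    now = lambda: clock[0]
    tx = SafetySender(src_id=0x0A, dst_id=0x0B, clock=now)
    rx = SafetyReceiver(my_id=0x0B, trusted_sources={0x0A}, clock=now,
                        max_age_ms=50, value_range=(0, 1000))
    out = {}
    f1 = tx.build(420)
    out["ok"] = rx.check(f1)
    out["repetition"] = rx.check(f1)          # same frame delivered twice
    f2, f3 = tx.build(421), tx.build(422)
    out["loss"] = rx.check(f3)                # f2 never arrived: gap of 2
    out["sequence"] = rx.check(f2)            # f2 turns up after f3
    bad = bytearray(tx.build(423))
    bad[12] ^= 0x01                           # flip one bit of the value field
    out["corruption"] = rx.check(bytes(bad))
    f5 = tx.build(424)
    clock[0] += 200                           # held in a queue for 200 ms
    out["delay"] = rx.check(f5)
    out["addressing"] = rx.check(SafetySender(0x0A, 0x0C, now).build(1))
    out["insertion"] = rx.check(SafetySender(0x99, 0x0B, now).build(1))
    out["masquerade"] = rx.check(non_safety_frame(0x0A, 0x0B, 900, now(), 1))
    out["range"] = rx.check(tx.build(5000))   # outside (0, 1000)
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} -> {verdict}")
```

Any verdict other than `OK` is a reason for the safety function to move to its safe state; the `LOSS` case still returns the value so the application can decide whether one missed cycle is tolerable under its process safety time. The seeded check value stands in for the connection-specific authentication that real safety profiles use against masquerade; CRC32 is used here only because it is in the standard library, and the polynomial and length a real design needs depend on the required residual error rate.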