Safety Considerations Guide for Trident v2 Systems - TUV ...

More documents

Recommendations

Info

18 Chapter 2 Application Guidelines — The application must check the value (of each variable written) for a valid range or limit before its use. • If the external computer or operator station is certified to SIL capability 3 according to IEC 61508, there must be a safety protocol to allow safe communication between the external system and the application. The communication link is considered a black channel (a communication channel without available evidence of design or validation) and it must be assumed that it can corrupt any communication. As a result, the safety protocol needs to mitigate or protect against the following errors: — Corruption—Messages may be corrupted due to one or more of the following: errors within the black channel, errors on the transmission medium, or message interference. — Unintended Repetition—An error, fault, or interference causes old un-updated messages to be repeated at an incorrect point in time. — Incorrect Sequence—An error, fault, or interference causes the predefined sequence (for example, natural numbers and time references) associated with messages from a particular source to be incorrect. — Loss—An error, fault, or interference causes a message to not be received or not be acknowledged. — Unacceptable Delay—Messages may be delayed beyond their permitted arrival time window due to one or more of the following: errors in the transmission medium, congested transmission lines, interference, or black channel components sending messages in such a way that services are delayed or denied (for example: first in, first outs—FIFOs—in switches, bridges, and routers). — Insertion—A fault or interference causes a message to be inserted that relates to an unexpected or unknown source entity. — Masquerade—A fault or interference causes a message to be inserted that relates to an apparently valid source entity, resulting in a non-safety-relevant message being received by a safety-relevant participant, which then incorrecly treats the message as safety-relevant. — Addressing—A fault or interference causes a safety-relevant message to be sent to the wrong safety-relevant participant, which then treats the reception of that message as correct. • The Modbus and TSAA protocols currently do not have safety measures for the errors described above. It is up to the system designer to mitigate against these errors in accordance with the applicable standards for their industry to meet the required SIL capability. The following table describes several measures commonly used to detect deterministic errors and failures of a communication system. Each safety measure can provide protection against one or more errors in the transmission. There is at least one corresponding safety measure, or combination of safety measures, for each error. Safety Considerations Guide for Trident v2 Systems
General Guidelines 19 Safety Measure Description Protects Against Sequence Number A sequence number is integrated into messages exchanged between message source and message sink. It may be realized as an additional data field with a number that changes from one message to the next in a predetermined way. Time Stamp In most cases, the content of a message is only valid at a particular point in time. The time stamp may be a time, or time and date, included in a message by the sender. Time Expectation During transmission of the message, the message sink checks whether the delay between two consecutively received messages exceeds a predetermined value. In this case, an error has to be assumed. Connection Authentication Messages may have a unique source and/or destination identifier that describes the logical address of the safety-relevant participant. Feedback Message The message sink returns a feedback message to the source to confirm reception of the original message. This feedback message has to be processed by the safety communication layers. Data Integrity Assurance The safety-related application process shall not trust the data integrity assurance methods if they are not designed from the point of view of functional safety. Therefore, redundant data is included in a message to permit data corruption to be detected by redundancy checks. • Unintended Repetition • Incorrect Sequence •Loss • Insertion • Unintended Repetition • Incorrect Sequence • Unacceptable Delay Unacceptable Delay (required in all cases) • Insertion (used only for sender identification; only detects insertion of an invalid source) • Masquerade •Addressing • Corruption (effective only if the feedback message includes original data or information about the original data) •Loss • Insertion • Masquerade Corruption Safety Considerations Guide for Trident v2 Systems
Page 1 and 2: Trident v2 Systems Safety Considera
Page 3 and 4: Contents Preface vii Summary of Sec
Page 5 and 6: Contents v Partitioned Processes. .
Page 7 and 8: Preface This guide provides informa
Page 9 and 10: • All other requests are handled
Page 11 and 12: 1 Safety Concepts Overview 2 Hazard
Page 13 and 14: Protection Layers Methods that prov
Page 15 and 16: Hazard and Risk Analysis Hazard and
Page 17 and 18: Sample SIL Calculation Hazard and R
Page 19 and 20: Safety Life Cycle Model Hazard and
Page 21 and 22: Hazard and Risk Analysis 11 • Eac
Page 23 and 24: CAN/CSA-C22.2 No. 61010-1-04 Safety
Page 25 and 26: 2 Application Guidelines Overview 1
Page 27: General Guidelines This section des
Page 31 and 32: Emergency Shutdown Systems The safe
Page 33 and 34: Safety-Shutdown Guidelines for Tric
Page 35 and 36: Guidelines for Triconex Controllers
Page 43 and 44: 3 Fault Management Overview 34 Syst
Page 45 and 46: System Diagnostics System Diagnosti
Page 47 and 48: Operating Modes Each input or outpu
Page 49 and 50: Analog Output (AO) Modules Module D
Page 51 and 52: Calculation for Diagnostic Fault Re
Page 53 and 54: External Communication Module Diagn
Page 55 and 56: 4 Application Development Developme
Page 57 and 58: Array Index Errors Infinite Loops D
Page 59 and 60: Setting Scan Time 49 application. T
Page 61 and 62: Sample Safety-Shutdown Programs Sam
Page 63 and 64: Sample Safety-Shutdown Programs 53
Page 65 and 66: When Some I/O Modules Are Safety-Cr
Page 67 and 68: Sample Safety-Shutdown Programs 57
Page 69 and 70: Partitioned Processes Sample Safety
Page 71 and 72: Alarm Usage Alarm Usage 61 To imple
Page 73 and 74: A Triconex Peer-to-Peer Communicati
Page 75 and 76: Data Transfer Time Data Transfer Ti
Page 77 and 78: Data Transfer Time 67 A typical dat
Page 79 and 80:
Examples of Peer-to-Peer Applicatio
Page 81 and 82:
B HART Communication Overview 72 HA
Page 83 and 84:
2008-04-01 Automation, Software and
Page 85 and 86:
2008-04-01 HART Position Paper from
Page 87 and 88:
2008-04-01 A possible impact to the
Page 89 and 90:
2008-04-01 HART Position Paper from
Page 91 and 92:
C Safety-Critical Function Blocks O
Page 93 and 94:
SYS_CRITICAL_IO Accumulates the sta
Page 95 and 96:
Library Trident and Tri-GP (TRDLIB)
Page 97 and 98:
END_IF ; PREVIOUS_RESET := RESET ;
Page 99 and 100:
Output Parameters (continued) Name
Page 101 and 102:
SYS_SHUTDOWN 91 * the safety system
Page 103 and 104:
ALARM_DISABLED_POINTS := MPX.POINTS
Page 105 and 106:
Example For shutdown examples, see
Page 107 and 108:
A abbreviations, list of viii actua
Page 109 and 110:
message errors, external communicat
Page 112:
Invensys Operations Management 5601
show all

Safety Considerations Guide for Trident v2 Systems - TUV ...

Create successful ePaper yourself

Delete template?

Save as template?