Safety Considerations Guide for Trident v2 Systems - TUV ...
Safety Considerations Guide for Trident v2 Systems - TUV ...
Safety Considerations Guide for Trident v2 Systems - TUV ...
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
24 Chapter 2 Application <strong>Guide</strong>lines<br />
If new data is not received within the time-out period (equal to half of the process-tolerance<br />
time), the application on the receiving node should be able to determine the action to take. The<br />
specific actions depend on the unique safety requirements of your process. The following<br />
sections summarize actions typically required by Peer-to-Peer send and receive functions.<br />
Note Due to a lack of in<strong>for</strong>mation on the reliability and safety of switched or public networks,<br />
Invensys recommends that switched or public networks not be used <strong>for</strong> safety-critical<br />
Peer-to-Peer communication between Triconex controllers.<br />
Sending Node<br />
Actions typically required in the logic of the sending application are:<br />
• The sending node must set the SENDFLG parameter in the send call to true (1) so that<br />
the sending node sends new data as soon as the acknowledgment <strong>for</strong> the last data is<br />
received from the receiving node.<br />
• The SEND function block (TR_USEND) must include a diagnostic integer variable that<br />
is incremented with each new send initiation so that the receiving node can check this<br />
variable <strong>for</strong> changes every time it receives new data. This new variable should have a<br />
range of 1 to 65,535 where the value 1 is sent with the first sample of data. When this<br />
variable reaches the limit of 65,535, the sending node should set this variable back to 1<br />
<strong>for</strong> the next data transfer. This diagnostic variable is required because the<br />
communication path is not triplicated like the I/O system.<br />
• The number of SEND functions in an application must be less than or equal to five<br />
because the controller only initiates five SEND functions per scan. To send data as fast<br />
as possible, the SEND function must be initiated as soon as the acknowledgment <strong>for</strong> the<br />
last data is received from the receiving node.<br />
• The sending application must monitor the status of the RECEIVE (TR_URCV) and<br />
TR_PORT_STATUS functions to determine whether there is a network problem that<br />
requires operator intervention.<br />
Receiving Node<br />
Actions typically required in the logic of the receiving application are:<br />
• To transfer safety-critical data, the basic rule is that the receiving node must receive at<br />
least one sample of new data within the maximum time-out limit. If this does not<br />
happen, the application <strong>for</strong> the receiving node must take one or more of the following<br />
actions, depending on requirements:<br />
— Use the last data received <strong>for</strong> safety-related decisions.<br />
— Use default values <strong>for</strong> safety-related decisions in the application.<br />
— Check the status of the TR_URCV and TR_PORT_STATUS functions to see whether<br />
there is a network problem that requires operator intervention.<br />
• The receiving node must monitor the diagnostic integer variable every time it receives<br />
new data to determine whether this variable has changed from last time.<br />
<strong>Safety</strong> <strong>Considerations</strong> <strong>Guide</strong> <strong>for</strong> <strong>Trident</strong> <strong>v2</strong> <strong>Systems</strong>