10 peer communications configuration, 11 application program development – Rockwell Automation T8094 8000 Series TMR System Safety Manual User Manual

SAFETY MANUAL

D oc N umber T8094
I ssue 27 – June 2013

Page 38 of 103

3.10 PEER COMMUNICATIONS CONFIGURATION

Peer Communications allows safety-relevant data to pass between numbers of 8000
series TMR systems. When using this mechanism, as with any other, it is important to
ensure that the overall system will respond within the required PST

E

. This requirement

applies to normal operation and in the presence of faults.

For safety-related applications, it is recommended that the Peer-to-Peer
Communications use redundant networks. It should be noted that high network
bandwidth usage by non safety system equipment may cause data timeouts and
hence spurious trips, therefore separate networks for the safety data should be
considered.

The Peer-to-Peer Input boards include the configuration of a refresh timeout. This
timeout defines the maximum interval between the receipts of valid, updated data from
an associated (source) system.

This timeout period shall be set that if the fault

tolerant capabilities of the Peer-to-Peer Network, (i.e. lack of fresh data is
detected) the system can still respond within the required PST

E

. The network

propagation time must be included in the timeout period calculations, and
should be re-verified after each change to the network configuration.

The freshness of the received data is available to the application programmer as part
of the Peer-to-Peer Input board input information. This status is set to ‘TRUE’ or ‘1’
whilst updated data is received within the refresh timeout. If a timeout occurs, this
status bit is set to ‘0’. The data received from the corresponding source system will be
held in its previous state or value in the case of a timeout or go the defined fail safe
state depending on the configuration.

If hold last state is selected it is important

that the application programmer include handling of this condition, including
latching of the failure as necessary. For example, the loss of the Peer-to-Peer
Communications link may require a specific safety reaction, or may require that the
corresponding data be set to a specific states or value.

The Peer-to-Peer Output board includes a refresh period. This value defines the
interval between transmissions of the corresponding data if no state or value changes
are received from the local application program. This value shall be set to a period
shorter than that of the input board, unless changes occur constantly, otherwise the
corresponding input boards will timeout.

The Peer-to-Peer master configuration includes transmit timeout values for that
network. The Peer-to-Peer master and slave configurations include response timeout
values. These values are used to determine the link status. This link status
information may be used in addition to the freshness status to allow the source
system, or Peer-to-Peer Communications master to report link status or to act in the
event of link failure.

Release 3.5 and later, Peer to Peer transfers 32 bit values between nodes. The 32 bit
values can be 32 bit unsigned, 32 bit signed or 32 bit floating point depending on the
variable connected to the output board. The variable type used for a particular variable
must match at both the input and output board. A single input and output board pair
can use different data types on different channels provided they match on both the
input and output boards.

3.11 APPLICATION PROGRAM DEVELOPMENT

The IEC1131 Workbench may be connected either directly to the serial
communications ports local to the TMR Processor or via an Ethernet network.

Where

Ethernet is used, the network shall not be used to connect equipment not
associated with the TMR system. PCs connected to this network shall not
provide a route to access the TMR system from other networks, i.e. if they