Transfer between active and standby modules, Trusted, Module t8444 – Rockwell Automation T8444 Trusted TMR Pulse Generator and Monitoring Module User Manual
Page 34
Trusted
TM
Module T8444
Issue 09 Apr 10
PD-T8444
34
5.7. Transfer between Active and Standby Modules
The TMR Processor is responsible for managing a pair of I/O modules through an active/standby
changeover. The following rules apply to active/standby changeovers, though the TMR Processor and
not the I/O module enforce them:
Under normal conditions, an active/standby changeover will only occur if the new active module is
fault-free. Under some circumstances, it is desirable to be able to force a changeover to a known
faulted module. This can be accomplished by opening the Module Removal switches on the currently
active module and pressing the push-button reset on the TMR Processor. This will force the
changeover to proceed even if the new active module is not fault free
• The user must define the primary, and optionally the secondary, I/O module location for
each I/O module pair. Each primary module location must be unique and is defined as
part of the complex equipment definition within the IEC1131 TOOLSET. Secondary
module locations can be unique or shared between multiple secondary modules and are
defined within the module’s section within the System.INI file. The system will
automatically determine the secondary module position if the primary module is installed
and is operable.
• On initial start-up, if the primary module is installed, it will become the active module by
default. If the secondary module has been defined within the System.INI file and no
primary module is present, and if the secondary module location is unique, the
secondary module will become the active module by default. If the secondary module is
installed with no primary module present, and the secondary module location is not
unique (as in a SmartSlot configuration), then NO module for that module pair will
become active.
• In order for a module to become the active module, the TMR Processor will verify that
the module is the correct I/O module type and that both Module Removal levers (and
hence micro switches) are closed. At this point the I/O module is configured and
eventually placed in the active state.
• A module in the active state should never be removed.
• When a fault occurs on the active module, the TMR Processor will be informed. Once it
becomes aware of the fault, the TMR Processor will attempt an active/standby
changeover.
• An active/standby changeover starts with the TMR Processor checking to see if a
standby I/O module is installed. If no standby I/O module is available, the TMR
Processor will continue to utilise the active module and will continue to check for an
available standby I/O module. Once a standby module is found, the TMR Processor will
verify that the I/O module is of the correct type, that both Module Removal switches are
closed, and that the I/O module is a part of the correct module pair by using the
SmartSlot link. At this point, the TMR Processor will configure the standby I/O module
with the same configuration information as the currently active I/O module and place the
standby I/O module into the standby state. The active module is then placed in the
maintain state (which suspends field loop testing), and any module specific changeover
data is transferred. The educated light flashes amber before the active/standby
changeover takes place, to indicate transfer of dynamic change over data (COD). The
previous standby module then becomes the active module and the original module
becomes standby. If the currently active module does not successfully complete the
self-tests, the TMR Processor will revert it to the standby state, and the module in the
maintain state will revert back to the active state.
• When both Module Removal switches are opened on an active module, regardless of the
module fault status, the TMR Processor will treat it as a request to perform an
active/standby changeover.