4 ensuring network integrity – Rockwell Automation 57C570 AutoMax PC3000 User Manual User Manual

18Ć9

18.4

Ensuring Network Integrity

WARNING

THE AutoMax NETWORK IS DESIGNED TO CONTINUE OPERATING IF ONE OR

MORE DROPS ON THE NETWORK FAILS OR IS TAKEN OFFLINE. IF CERTAIN

DATA MUST BE TRANSFERRED RELIABLY TO ENSURE SAFE OPERATION, THE

USER MUST ADD SOFTWARE HANDSHAKING IN THE APPLICATION PROGRAM

THAT WILL DETECT LOSS OF COMMUNICATION. FAILURE TO OBSERVE THIS

PRECAUTION MAY RESULT IN BODILY INJURY.

WARNING

THE USER MUST PROVIDE AN EXTERNAL, HARDWIRED EMERGENCY STOP

CIRCUIT OUTSIDE OF THE CONTROLLER CIRCUITRY. THIS CIRCUIT MUST

DISABLE THE SYSTEM IN CASE OF IMPROPER OPERATION. UNCONTROLLED

MACHINE OPERATION MAY RESULT IF THIS PROCEDURE IS NOT FOLLOWED.

FAILURE TO OBSERVE THIS PRECAUTION COULD RESULT IN BODILY INJURY.

In the event of a network failure, i.e., a drop becomes unable to

communicate with the master for any reason, controls must be in

place to ensure the system reacts in a predictable, controlled

manner. Each Network interface contains bits that indicate

communication status. These bits must be used in the application

program to generate faults indicating communication failure.

Application programs in the other racks determine how the system

will react to a particular drop going offline. The application program

must ensure that properly functioning units on the network can

continue to run with the states of I/O and process variables

controlled in a predictable and safe manner.
If the network is installed correctly, the drops will communicate with

essentially no errors at all. It is a normal occurrence in a system like

this to periodically have an error, but the frequency should be very

low. You may notice the error registers, over the period of a day or

two, will log one or two errors. The system is designed to work

around these occasional errors.
Each time the master transmits a message, it expects a response

from the targeted drop. If there is no response, the master will

retransmit the message up to three more times. In these instances,

retransmitting the message will fix the momentary problem.

However, if the master has failed to receive a response after

transmitting a message four times, the drop will go offline for a

minimum of 120 ms. This indicates something is seriously wrong.

The cause of the communication failure should be investigated and

corrected before the system is allowed to continue operating.
Using the circuit shown in figure 18.3 in your ladder program will

record the fault status and enable the operator to determine that the

network has been established, the application software is running,

and the data is safe to use before restarting the system.