6. Redundancy with NX3030 CPU
General Features
Redundant CPU General Features
Tolerates at least single failures in duplicated equipment in the
half-clusters. In specific cases, it can tolerate multiple failures.

Half-cluster 5 redundancy states
- Not-configured: initial state, also considered when the CPU is off
or isn’t executing the MainTask;
- Starting: temporary state assumed after Not-configured, where
some tests will define the next state (Inactive, Active, Stand-by or
back to Not-configured);
- Inactive: state reached after some types of failures or for
programming maintenance;
- Active: controlling the user process;
- Stand-by: ready to switch to Active and control the user process,
in case there’s such demand (e.g. Active CPU failure).

Main failures which cause switchover between the Active CPU and the Reserve CPU. The Reserve CPU switches to Active, and the Active CPU can go to Inactive or Not-configured.
- Supplying failure;
- Power supply;
- CPU (stop in the MainTask execution);
- NX4010;
- Failure in both synchronism channels (NETA and NETB) and the
cause isn’t in the Reserve CPU. In this case the Reserve CPU,
besides assuming the Active state, switches the other CPU off;
- Failure of one of the synchronism channels (NETA or NETB) and the
cause is in the Active CPU;
- Failure in a vital PROFIBUS network.

Commands that cause switchover between the Active CPU and the Reserve CPU.
- Commands via redundancy control panel (PX2612);
- Commands received from MasterTool or from a SCADA system,
through this CPU (local) or the other CPU (remote);
- Commands generated by the user application (e.g. in response to other
diagnostics, such as an Ethernet communication failure) through this CPU
(local) or the other CPU (remote).

Main failures which prevent a CPU from going to the reserve state or remaining in it. Such failures drive the CPU to a Not-configured or Inactive state.
- Supplying failure;
- Power supply;
- CPU (stop in the MainTask execution);
- NX4010;
- Failure in both synchronism channels (NETA and NETB) and the
cause is in the Reserve CPU;
- Failure in the synchronism service for redundancy data;
- Failure in the synchronism service for the redundant forcing list;
- Total failure in a vital PROFIBUS network;
- Project different from the Active CPU's, with automatic project
synchronization enabled;
- Firmware version incompatible with the Active CPU.

Commands that drive the CPU out of the reserve state
- Commands via redundancy control panel (PX2612);
- Commands received from MasterTool or from a SCADA system,
through this CPU (local) or the other CPU (remote);
- Commands generated by the user application (e.g. in response to other
diagnostics, such as an Ethernet communication failure) through this CPU
(local) or the other CPU (remote).

- Up to 3 MainTask cycles, depending on the stimulus for the
state change (command or failure);
- In case of PROFIBUS network failure, 2 MainTask cycles + 500 ms.

Switchover without discontinuities (bump-less)
- A switchover doesn’t cause discontinuities in the controller
outputs, nor in the internal variables.

Redundancy overhead (increase in MainTask cycle CPU consumption due to redundancy).
- Maximum value automatically calculated by MasterTool and
reported to the user, considering an empty redundant forcing list;
- Typical average value of 60 ms for 224 kbytes of redundant data,
in a system with a redundant PROFIBUS network and two
redundant Ethernet HSDN networks.

- Among other diagnostics, shows the redundancy state (Active,
Stand-by, Inactive, Not-configured and Starting) together with the
CPU identification (PLCA or PLCB).