HIMA HIMax - Redundancy; Processor Module; I;O Modules

To Next Page

To Previous Page

4 Redundancy HIMax System

HI 801 001 E Rev. 4.01 Page 46 of 122

4 Redundancy

The conceptual design of the HIMax system is characterized by high availability. To this

end, almost all system components can be operated redundantly.

This following chapter describe redundancy aspects of the various system components.

Redundancy is not used to increase the Safety Integrity Level (SIL), but to increase

availability!

4.1 Processor Module

A HIMax system can be configured as mono system with only one processor module or as

highly available system with up to four redundant processor modules.

A system with redundant processor modules always requires a redundant system bus.

Processor modules can only operate redundantly if its memory contains a project with the

corresponding settings.

4.1.1 Decreasing Redundancy

A HIMax system with double to fourfold redundancy of processor modules continues its

safety-related operation even if one of the processor modules is no longer available, e.g.,

because a module failed or was removed. Safety-related operation is also ensured if

several processor modules fail.

4.1.2 Upgrading Redundancy

If a new processor module is added to a running HIMax system, it automatically

synchronizes itself with the configuration of the existing processor modules. Safety-related

operation is ensured. Requirements:

 The user program run by the processor module is redundantly configured.

 One slot among 4, 5, 6 on rack 0 or among 3, 4 on rack 1 is still available.

 Both system busses are functional.

 The mode switch of the processor module that was added is set to Stop or Run.

4.2 I/O Modules

The redundancy of input and output modules includes:

 I/O module

 Channel redundancy

Define the module redundancy before the channel redundancy.

Twofold or threefold redundancy can be implemented.

4.2.1 Module Redundancy

Module redundancy: Two I/O modules of the same type are defined in the programming

system as redundant to one another. They create a redundancy group.

Spare Modules

In SILworX, module that are redundant to one another can have the attribute Spare

Module. This avoids that an error message is issued if a module fails or is missing.

Related product manuals