4 Redundancy HIMax System
HI 801 001 E Rev. 4.01 Page 46 of 122
4 Redundancy
The conceptual design of the HIMax system is characterized by high availability. To this
end, almost all system components can be operated redundantly.
This following chapter describe redundancy aspects of the various system components.
i
Redundancy is not used to increase the Safety Integrity Level (SIL), but to increase
availability!
4.1 Processor Module
A HIMax system can be configured as mono system with only one processor module or as
highly available system with up to four redundant processor modules.
A system with redundant processor modules always requires a redundant system bus.
Processor modules can only operate redundantly if its memory contains a project with the
corresponding settings.
4.1.1 Decreasing Redundancy
A HIMax system with double to fourfold redundancy of processor modules continues its
safety-related operation even if one of the processor modules is no longer available, e.g.,
because a module failed or was removed. Safety-related operation is also ensured if
several processor modules fail.
4.1.2 Upgrading Redundancy
If a new processor module is added to a running HIMax system, it automatically
synchronizes itself with the configuration of the existing processor modules. Safety-related
operation is ensured. Requirements:
The user program run by the processor module is redundantly configured.
One slot among 4, 5, 6 on rack 0 or among 3, 4 on rack 1 is still available.
Both system busses are functional.
The mode switch of the processor module that was added is set to Stop or Run.
4.2 I/O Modules
The redundancy of input and output modules includes:
I/O module
Channel redundancy
Define the module redundancy before the channel redundancy.
Twofold or threefold redundancy can be implemented.
4.2.1 Module Redundancy
Module redundancy: Two I/O modules of the same type are defined in the programming
system as redundant to one another. They create a redundancy group.
Spare Modules
In SILworX, module that are redundant to one another can have the attribute Spare
Module. This avoids that an error message is issued if a module fails or is missing.
To Next Page
Loading...
Need help?
General
