User's Manual

Siemens PLT 111 · 1999
2/4
System architecture
Redundancy with AS 235 H
Redundancy with the AS 235 H automation system
Various system characteristics must be considered with regard
to the reliability and availability of a system. The requirements for
reliability are met by fault-tolerant (high-availability) systems
while those for safety are met by fail-safe systems.
According to VDI/VDE 3542 the following applies:
A system is fault-tolerant if occurring faults have no effect on its
function. Fail-safe is the ability of a technical system to remain in
a safe mode or to switch immediately to another safe mode in the
event of a fault.
The AS 235 H automation system is a high-availability system
with redundant central units operating with system clocks where
execution of the planned automation functions is not interrupted
by system faults.
The system operates according to the fault-tolerant 1-out-of-2 principle. The AS 235 H system is equipped with 2 identical central processing units for this purpose, the master unit and the slave unit (Fig. 2/1). Each of the two CPUs contains a power supply module, central processor, memory module for system software and user program as well as 1 or 2 interface modules for the I/O bus depending on the number of I/O modules connected. The user programs stored in the 2 memory modules are identical.
Process signals are always applied to both CPUs. Only one of these, the master unit, can output commands to the process via the I/O modules. The other operates in hot standby mode and is always able to take over smooth control of the process should the master unit fail.
The fully-synchronous mode of operation of the two partial
AS 235 H systems means that any assignment of the master is
possible: master/slave or slave/master. Both partial systems are
updated with the same information simultaneously because all
input data are applied to both, meaning that online backup data
transmission between the two partial systems is superfluous.
[Fig. 2/1, block diagram: central processing unit I and central processing unit II, coupled by synchronization and comparison/cross-coupling; each unit has a comparison/switchover stage towards the I/O modules; redundant I/O bus with a redundant path to the I/O modules at the process level; connection to the CS 275 plant bus]
Fig. 2/1 1-out-of-2 redundancy structure with AS 235 H
Central faults are detected very rapidly using a hardware comparator. This compares the redundant bus signals for each read or write operation of the central processors operating with synchronous clocks. Software test programs are started in the event of a fault in order to establish its location.
The synchronous signals of the redundant I/O bus are checked for equality for selective areas of up to 13 I/O modules each and converted to the single-channel I/O bus of the standard I/O modules. Up to 3 selected I/O module areas can be supplied by the redundant I/O bus (A); a further 4 selected I/O module areas can be supplied by extending with a redundant I/O bus 2 (B). A strict division into fault limiting regions thus ensures that single faults can only have an effect within one selective I/O module area.
The AS 235 H system enables maintenance and repair without interfering with process operations. The corresponding partial system, irrespective of whether it is the master or slave, is removed from the synchronous operation. The partner system then retains the master status, or is assigned it automatically, and thus handles the active process operations. The disabled, passive partial system now operates completely independently, but without the I/O modules since these are required by the master.
This simplex operation with 2 independent systems enables new user programs to be configured, loaded or tested and to operate on the process either on a trial basis or permanently. This flexibility prevents undesirable down times in the process when changing the automation structure.
The backup of a passive partial system (transition from simplex to duplex operation with a slave system ready for operation) is initiated by the operator and is executed without influencing the online processing of the master system. It is terminated by automatic synchronization. The second partial system is then the slave and is ready to accept the master status at any time.
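The comparator, switchover, simplex and backup behaviour described above, as an added illustrative model (not Siemens code). The control law, the self-test vector and the fault injection via fault_mask are constructed assumptions; the names Cpu and AS235H are the model's own.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed reference input and result for the software self-test program
SELF_TEST_VECTOR = [1, 2, 3, 250]
SELF_TEST_EXPECTED = 0x00          # (1 + 2 + 3 + 250) & 0xFF


@dataclass
class Cpu:
    name: str
    fault_mask: int = 0            # constructed fault injection: flips bits on the bus output

    def run_program(self, inputs: List[int]) -> int:
        # Both memory modules hold the same user program; a constructed control law stands in
        return (sum(inputs) & 0xFF) ^ self.fault_mask

    def self_test(self) -> bool:
        # Test program started after a comparator mismatch to locate the faulty unit
        return self.run_program(SELF_TEST_VECTOR) == SELF_TEST_EXPECTED


@dataclass
class AS235H:
    master: Cpu
    slave: Optional[Cpu]           # None while in simplex operation (partner removed)
    log: List[str] = field(default_factory=list)

    def cycle(self, inputs: List[int]) -> int:
        """One bus cycle: inputs reach both units; only the master's result goes to the I/O."""
        out_master = self.master.run_program(inputs)
        if self.slave is None:
            return out_master                      # simplex: nothing to compare against
        out_slave = self.slave.run_program(inputs)
        if out_master == out_slave:
            return out_master                      # duplex: comparator agrees, slave stays in hot standby
        self.log.append(f"comparator mismatch: {out_master:#04x} vs {out_slave:#04x}")
        if not self.master.self_test() and self.slave.self_test():
            self.log.append(f"switchover: {self.slave.name} takes over as master")
            self.master, self.slave = self.slave, None
        else:                                      # slave (or both) faulty: master keeps control
            self.log.append(f"{self.slave.name} removed from synchronous operation")
            self.slave = None
        return self.master.run_program(inputs)     # the remaining master drives the process

    def backup(self, repaired: Cpu) -> bool:
        """Operator-initiated return from simplex to duplex; the partner becomes the slave."""
        if self.slave is not None or not repaired.self_test():
            return False
        self.slave = repaired
        self.log.append(f"synchronized: {repaired.name} is slave, ready to take over")
        return True
```

The process output stays the same across the fault and the switchover, which is the property the 1-out-of-2 structure is built to give.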
When connected to the CS 275 bus system, the redundant AS 235 H system responds like a single participant.
The user software of the AS 235 H automation system is compatible with that of the AS 235 and AS 235 K systems, i.e. user configurations which have been generated on these systems and which function directly can also be used in the AS 235 H system without limitations.
Important note:
The AS 235 automation system has been optimized for high reliability and availability by means of fault tolerance and a non-interacting design. However, it does not belong – just like any other single or redundant programmable system – to the class of special fail-safe systems approved by independent testing authorities (e.g. TÜV).
It is therefore important when automating processes or process sections relevant to safety to ensure that suitable subordinate interlocking circuits or protective systems are provided for these areas in the AS 235 H system as in the AS 235 / AS 235 K systems which make a dangerous operating state impossible should faults occur in the automation system.
This catalog is out of date, see note on page 1