This catalog is out of date, see note on page 1

System architecture

Redundancy with AS 235 H

[Fig. 2/1 1-out-of-2 redundancy structure with AS 235 H. Diagram elements: central processing unit I and central processing unit II with synchronization and comparison/cross-coupling between them; CS 275 plant bus; I/O bus and redundant I/O bus with comparison/switchover; I/O modules at the process level; redundant path]

Redundancy with the AS 235 H automation system

Various system characteristics must be considered with regard to the reliability and availability of a system. The requirements for reliability are met by fault-tolerant (high-availability) systems, while those for safety are met by fail-safe systems.

According to VDI/VDE 3542 the following applies:

A system is fault-tolerant if faults that occur have no effect on its function. Fail-safe is the ability of a technical system to remain in a safe mode or to switch immediately to another safe mode in the event of a fault.

The AS 235 H automation system is a high-availability system with redundant central units operating with synchronous system clocks, where execution of the planned automation functions is not interrupted by system faults.

The system operates according to the fault-tolerant 1-out-of-2 principle. The AS 235 H system is equipped with 2 identical central processing units for this purpose, the master unit and the slave unit (Fig. 2/1). Each of the two CPUs contains a power supply module, central processor, memory module for system software and user program, as well as 1 or 2 interface modules for the I/O bus depending on the number of I/O modules connected. The user programs stored in the 2 memory modules are identical.

Process signals are always applied to both CPUs. Only one of these, the master unit, can output commands to the process via the I/O modules. The other operates in hot standby mode and is always able to take over smooth control of the process should the master unit fail.

The fully synchronous mode of operation of the two partial AS 235 H systems means that any assignment of the master is possible: master/slave or slave/master. Both partial systems are updated with the same information simultaneously because all input data are applied to both, meaning that online backup data transmission between the two partial systems is superfluous.

Central faults are detected very rapidly using a hardware comparator. This compares the redundant bus signals for each read or write operation of the central processors operating with synchronous clocks. Software test programs are started in the event of a fault in order to establish its location.

The synchronous signals of the redundant I/O bus are checked for equality for selective areas of up to 13 I/O modules each and converted to the single-channel I/O bus of the standard I/O modules. Up to 3 selected I/O module areas can be supplied by the redundant I/O bus (A), and a further 4 selected I/O module areas can be supplied by extending with a redundant I/O bus 2 (B). A strict division into fault-limiting regions thus ensures that single faults can only have an effect within one selective I/O module area.

The AS 235 H system enables maintenance and repair without interfering with process operations. The corresponding partial system, irrespective of whether it is the master or slave, is removed from the synchronous operation. The partner system then retains the master status, or is assigned it automatically, and thus handles the active process operations. The disabled, passive partial system now operates completely independently, but without the I/O modules since these are required by the master.

This simplex operation with 2 independent systems enables new user programs to be configured, loaded or tested and to operate on the process either on a trial basis or permanently. This flexibility prevents undesirable downtimes in the process when changing the automation structure.

The backup of a passive partial system (transition from simplex to duplex operation with a slave system ready for operation) is initiated by the operator and is executed without influencing the online processing of the master system. It is terminated by automatic synchronization. The second partial system is then the slave and is ready to accept the master status at any time.
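The comparison and switchover behaviour described above (lockstep comparison of the redundant bus signals, fault localization, selective I/O areas of up to 13 modules on redundant I/O bus A, master/slave switchover and continued simplex operation) as an added software model; this is not Siemens code, and the fault-injection point and the way the faulty unit is identified (checking each unit's signal against the commanded value) are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

AREA_SIZE = 13  # I/O modules per selective area, as stated in the catalog text


@dataclass
class Cpu:
    name: str
    bad_module: Optional[int] = None  # constructed fault-injection point

    def bus_signal(self, module: int, value: int) -> int:
        # A faulty unit corrupts its bus signal for one module (constructed).
        return value ^ 1 if module == self.bad_module else value


@dataclass
class Redundant1oo2:
    master: Cpu
    slave: Optional[Cpu]            # None once the system runs in simplex mode
    areas: int = 3                  # redundant I/O bus A supplies up to 3 areas
    events: List[Tuple[str, int]] = field(default_factory=list)

    def area_of(self, module: int) -> int:
        return module // AREA_SIZE

    def supplies(self, module: int) -> bool:
        return self.area_of(module) < self.areas

    def write(self, module: int, value: int) -> int:
        """Both units execute the write in lockstep; the comparator checks the
        redundant bus signals and only the master's signal reaches the process."""
        if not self.supplies(module):
            raise ValueError("module is not on the redundant I/O bus")
        out = self.master.bus_signal(module, value)
        if self.slave is None or out == self.slave.bus_signal(module, value):
            return out                  # simplex, or duplex with equal signals
        # Mismatch: a (constructed) software test locates the faulty unit by
        # checking which signal deviates from the commanded value; the fault is
        # attributed to the single selective area in which it appeared.
        bad = self.master if out != value else self.slave
        self.events.append((bad.name, self.area_of(module)))
        if bad is self.master:
            self.master, self.slave = self.slave, self.master   # switchover
        self.slave = None               # faulty unit leaves synchronous operation
        return self.master.bus_signal(module, value)


def demo() -> Tuple[List[Tuple[str, int]], int, str]:
    system = Redundant1oo2(Cpu("I", bad_module=20), Cpu("II"))  # fault in area 1
    system.write(5, 1)              # area 0: both units agree, duplex continues
    driven = system.write(20, 1)    # area 1: unit I deviates -> switchover to II
    return system.events, driven, system.master.name
```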

When connected to the CS 275 bus system, the redundant AS 235 H system responds like a single participant.

The user software of the AS 235 H automation system is compatible with that of the AS 235 and AS 235 K systems, i.e. user configurations which have been generated on these systems and which function directly can also be used in the AS 235 H system without limitations.

Important note:

The AS 235 automation system has been optimized for high reliability and availability by means of fault tolerance and a non-interacting design. However, it does not belong – just like any other single or redundant programmable system – to the class of special fail-safe systems approved by independent testing authorities (e.g. TÜV).

It is therefore important when automating processes or process sections relevant to safety to ensure that suitable subordinate interlocking circuits or protective systems are provided for these areas in the AS 235 H system, as in the AS 235 / AS 235 K systems, which make a dangerous operating state impossible should faults occur in the automation system.


Siemens PLT 111 · 1999
