Series 90-70 Hot Standby CPU Redundancy User’s Guide – December 1993
GFK-0827
Section 6: Fault Detection and Control Actions
This section describes how faults are handled in a Redundancy system. It discusses how
faults affect the operation of the Redundancy system, describes categories of faults,
describes how faults are detected, describes the actions taken when faults are detected,
and discusses on-line repair of individual components.
Fault Detection
The Hot Standby CPU Redundancy system requires that faults or failures in all critical
components be detected and reported so that appropriate control actions may be taken.
All components that are involved in the acquisition and distribution of I/O data or are
involved in the execution of the control logic solution are considered to be critical
components.
In a Redundancy system, fault actions are not configurable as they are in a
non-redundancy (Simplex) system. A FATAL fault will cause a switch from the active to
the backup unit; a DIAGNOSTIC fault will allow the currently active system to continue
operating as the active system.
Faults within the PLC may be such that (1) the PLC has a controlled shutdown, (2) the
PLC has an uncontrolled shutdown, or (3) the PLC continues to operate. If the PLC has
detected an internal fault and has a controlled shutdown, a fault will be logged in the
fault table, the backup system will be notified of the fault and the PLC will go to stop
mode and stop driving outputs. This does not normally occur until the top of the sweep
following the failure. The exception is when the failure occurs during the input scan.
Upon notification, the backup system will immediately take over and start driving
outputs.
If the PLC has an uncontrolled shutdown, the PLC will log a fault if it can and proceed as
described above. If the backup PLC detects that the active PLC has failed to
synchronize, it will assume the active unit has failed after timing out all (both) available
links. The backup will then start driving outputs and controlling the process. If a fault
exists within the PLC but has not yet been detected, the system will eventually detect the
fault through the background diagnostic procedure. When the fault is detected, the PLC
will proceed with the orderly shutdown process if it can.
If the two PLCs fail to synchronize because the timeout is set too short, the two
systems will begin to act independently. A fault will be logged at the time the
synchronization failure occurs.
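The switchover rules described above, modeled as a small Python simulation. This is an added illustration, not code from the guide or from the Series 90-70 firmware; the unit names, the per-link silence values and the 50 ms timeout are constructed assumptions. It shows the non-configurable FATAL/DIAGNOSTIC rule, the backup's "both links timed out" takeover decision, and the case where a too-short timeout leaves both units driving outputs independently.

```python
"""Constructed model of hot-standby fault actions (not the guide's own code)."""
from dataclasses import dataclass, field
from enum import Enum


class Fault(Enum):
    FATAL = "FATAL"            # forces a switch from the active to the backup unit
    DIAGNOSTIC = "DIAGNOSTIC"  # logged; the active unit keeps running as active


@dataclass
class Plc:
    name: str
    driving_outputs: bool
    fault_table: list = field(default_factory=list)


def handle_fault(active: Plc, backup: Plc, fault: Fault) -> str:
    """Redundancy rule: fault actions are not configurable; FATAL switches, DIAGNOSTIC continues."""
    active.fault_table.append(fault.value)   # the fault is logged in the fault table
    if fault is Fault.DIAGNOSTIC:
        return "active continues"
    # Controlled shutdown: the active unit stops driving outputs and the notified
    # backup immediately takes over.
    active.driving_outputs = False
    backup.driving_outputs = True
    return "switched to backup"


def sync_watchdog(active: Plc, backup: Plc, link_silence_ms: tuple, timeout_ms: int) -> None:
    """Backup decision: assume the active unit failed only after BOTH links have timed out."""
    if all(silence > timeout_ms for silence in link_silence_ms):
        backup.fault_table.append("SYNC_TIMEOUT")   # logged when the sync failure occurs
        backup.driving_outputs = True
    # A healthy active unit knows nothing of this decision and keeps driving outputs.


def outputs_after_sync(active_healthy: bool, link_silence_ms: tuple, timeout_ms: int) -> tuple:
    """Return (active_driving, backup_driving); (True, True) is the 'act independently' case."""
    active = Plc("A", driving_outputs=active_healthy)   # constructed unit names
    backup = Plc("B", driving_outputs=False)
    sync_watchdog(active, backup, link_silence_ms, timeout_ms)
    return active.driving_outputs, backup.driving_outputs


if __name__ == "__main__":
    print("active failed, both links silent:", outputs_after_sync(False, (200, 200), 50))
    print("active healthy, one link alive:  ", outputs_after_sync(True, (60, 10), 50))
    print("active healthy, timeout too short:", outputs_after_sync(True, (60, 60), 50))
```

The third scenario is the split-operation hazard the guide warns about: a timeout shorter than the links' normal silence makes a healthy pair diverge.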
Fault Categories
The detection of faults and failures falls into three basic categories:
1. faults and failures that are detected immediately;
2. faults and failures that are detected as soon as possible, but not necessarily within
the current sweep;