Reliability, Availability and Safety of Electronic Control Systems
S5-115F Manual
Availability can also be enhanced by reducing the mean time to repair. Such measures include, for
instance:
• The stocking of spare parts
• The training of operating personnel
• Fault indicators on the devices
• Higher memory and software overhead for implementing programmed diagnostic functions
9.2.2 Availability of the S5-115F Programmable Controller
The priority of the S5-115F is safety: it cuts out in the event of a fault. The hardware and the
operating system are designed accordingly. The following have been included in the design of the
S5-115F in order to increase availability:
• Passivation of I/O modules
• SINEC L1 LAN redundancy
You can improve the availability of your system by networking several S5-115Fs with the same
function via the SINEC L1 LAN.
Passivation of I/O modules (Vol 1, 10.16)
You have the choice of four variations on I/O module error tolerance:
• Variation 1: All I/O module errors cause the PLC to stop, just like central errors.
• Variation 2: An I/O module error causes passivation (shutdown) of all I/O modules belonging
to the same signal group as the defective module. Your program recognizes the passivation
and can respond to it by activating a reserve signal group.
• Variations 3 and 4: An I/O module error causes an error message. This variation is only
permissible during supervised operation and if two message paths are assured.
Example:
Burner control with passivation of the I/O module (variation 2 to 4)
A boiler has several groups of burners with four burners to a group. If four burner controls are
contained in an S5-115F controller, each burner is assigned a different signal group number and
program block number. All burners can be active in normal mode. In the event of an I/O module
error, the defective burner is switched off, or a reserve burner can be activated if available. Even if
the inputs and outputs of a given signal group are not only distributed among different modules
but also accommodated in different racks and assigned different load power supplies, each burner
can still be shut down both physically and in software terms. Your program queries all signal
groups and skips processing when it finds a passivated status.
To simplify the example, it should be possible to set all outputs immediately to zero when a burner
is passivated. If not, a signal group number must be defined for both the operation program and
the shutdown program.
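The following model is an added illustration and is not code from the manual: the S5-115F user program is written in STEP 5, not Python. It reproduces the control-flow decisions the burner example describes, so that the availability effect of the four error-tolerance variations can be compared on the same fault. The module names, rack numbers, signal group numbers and the way a reserve burner is tied to the group it stands in for are all constructed assumptions; the rule that variations 3 and 4 require supervised operation, the passivation of every module in the affected signal group, and the program skipping passivated groups are taken from the text above.

```python
"""Model of the S5-115F I/O error-tolerance variations (constructed example)."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Set


class Variation(Enum):
    STOP_ON_ANY_ERROR = 1   # Variation 1: I/O error treated like a central error
    PASSIVATE_GROUP = 2     # Variation 2: shut down the affected signal group only
    MESSAGE_ONLY = 3        # Variations 3 and 4: error message, operation continues


@dataclass
class IoModule:
    name: str          # constructed label, e.g. "DO rack1 slot3"
    signal_group: int  # signal group the module's I/O points belong to
    rack: int          # a group may span several racks
    faulty: bool = False


@dataclass
class Burner:
    signal_group: int                 # one signal group (and program block) per burner
    reserve_of: Optional[int] = None  # modelled: group this reserve burner backs up
    firing: bool = False


class FailSafePlc:
    def __init__(self, variation: Variation, modules: List[IoModule],
                 burners: List[Burner], supervised: bool = False):
        if variation is Variation.MESSAGE_ONLY and not supervised:
            raise ValueError("variations 3 and 4 are only permitted under supervised operation")
        self.variation = variation
        self.modules = modules
        self.burners = {b.signal_group: b for b in burners}
        self.passivated: Set[int] = set()
        self.messages: List[str] = []
        self.stopped = False

    def diagnose(self) -> None:
        """Operating-system side: react to module errors as the chosen variation dictates."""
        for m in self.modules:
            if not m.faulty:
                continue
            if self.variation is Variation.STOP_ON_ANY_ERROR:
                self.stopped = True          # whole PLC cuts out
                return
            if self.variation is Variation.PASSIVATE_GROUP:
                # every module of the same signal group is passivated, whatever rack it sits in
                self.passivated.add(m.signal_group)
            else:
                self.messages.append(f"I/O error on {m.name} (rack {m.rack})")

    def cycle(self) -> None:
        """User-program side: query every signal group, skip the passivated ones."""
        self.diagnose()
        if self.stopped:
            for b in self.burners.values():
                b.firing = False             # PLC stop: all outputs to zero
            return
        for group, b in self.burners.items():
            if group in self.passivated:
                b.firing = False             # shutdown program: this group's outputs to zero
                continue
            if b.reserve_of is not None:
                # reserve burner runs only while the group it replaces is passivated
                b.firing = b.reserve_of in self.passivated
            else:
                b.firing = True

    def firing_groups(self) -> List[int]:
        return sorted(g for g, b in self.burners.items() if b.firing)


def burner_demo(variation: Variation, supervised: bool = False):
    """Four burners plus one reserve; the output module of burner 1 fails after one cycle."""
    modules = [
        IoModule("DI rack0 slot1", signal_group=1, rack=0),
        IoModule("DO rack1 slot3", signal_group=1, rack=1),   # same group, different rack
        IoModule("DI rack0 slot2", signal_group=2, rack=0),
        IoModule("DO rack1 slot4", signal_group=2, rack=1),
        IoModule("DI rack0 slot3", signal_group=3, rack=0),
        IoModule("DI rack0 slot4", signal_group=4, rack=0),
        IoModule("DO rack1 slot5", signal_group=5, rack=1),   # reserve burner's I/O
    ]
    burners = [Burner(1), Burner(2), Burner(3), Burner(4), Burner(5, reserve_of=1)]
    plc = FailSafePlc(variation, modules, burners, supervised)
    plc.cycle()                     # normal mode: all four burners active, reserve idle
    before = plc.firing_groups()
    modules[1].faulty = True        # output module of burner 1 develops an error
    plc.cycle()
    return before, plc.firing_groups(), plc.stopped, list(plc.messages)


if __name__ == "__main__":
    for v in Variation:
        print(v.name, burner_demo(v, supervised=True))
```

Running the same fault through the three behaviours shows the trade-off the section describes: variation 1 stops the whole PLC and every burner goes out, variation 2 takes only burner 1 off line and brings the reserve in, and variations 3 and 4 keep everything firing but raise a message, which is why the manual restricts them to supervised operation.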
SINEC L1 LAN redundancy
If you are operating several S5-115F controllers linked together, shutdown of the PLCs due to a
failure of the SINEC L1 LAN would be a disadvantage.
The redundant arrangement of the SINEC L1 LAN solves this problem. In the event of a fault on LAN B,
the mailbox transfer FB 253 MBXT transfers the relevant Receive mailbox of the SINEC L1 LAN A to
Receive mailbox B.
9-4
EWA 4NEB 811 6148-02