Failures, Use Cases and typical Reaction Time¶
The AC500 High Availability system performs a switch-over when the primary PLC is powered off, crashed or stopped or if the primary PLC loses fieldbus communication completely while the secondary still has it. In the following the different use cases and reaction times are outlined.
Ha use cases – Failures
| Case | Use case | Reaction | Diagnosis message on *) |
|---|---|---|---|
| 1 | Primary PLC power off, crash or stop | Switch over to secondary PLC. CI52x outputs are frozen during switch over period | Secondary |
| 2 | Secondary PLC power off, crash or stop | No switch over, process continues | Primary |
| 3 | Primary PLC loses connection to fieldbus CI52x modules while secondary still has connection. | Switch over to secondary PLC. CI52x outputs are frozen during switch over period | Primary |
| 4 | Secondary PLC loses connection to one or more CI52x modules | No switch over, process continues | Secondary |
| 5 | CI52x bus module is stopped/ powered off | No switch over, process continues | Primary and secondary |
| 6 | Connection lost in Field ETHERNET network | Depending on ETHERNET network structure, and redundancy mechanisms used a reconfiguration time exists | Depending on Sync or lifecom2 routing via the same network: case 4 and/ or case 7 may result |
| 7 | Sync and/ or lifecom2 broken | No switch over, process continues | Primary and secondary |
| 8 | Primary PLC loses connection to SCADA | SCADA is responsible to detect and switch over | |
| 9 | Secondary PLC loses connection to SCADA | SCADA is responsible to detect and switch over | |
| 10 | SCADA is broken | SCADA is responsible to detect and switch over | |
| Manual switch over by user | Switch over to secondary PLC. CI52x outputs are frozen during switch over period | ||
| *) Detailed diagnosis, see function block description | |||
Note
If lifecom2 is lost and if the PLC is in STOP mode: RUNTIME ERROR will not be TRUE. This is because Modbus is still responding even if PLC is in STOP mode.
The networks for larger systems are often seen as a separate entity and done by a separate company. Make sure to have the redundancy status information of the network at least in SCADA, to repair in time.
If the I/O field network responsibility is with the automation/ PLC part, the redundancy status should be also monitored by the PLC. A warning to initiate repair may be created from the managed switches in the I/O field network.
Examples:
- Alarm output(s) wired e.g. to a CI52x input and related settings of the switch(-es)
- Settings of the switch(-es) to send e.g. SNMP traps, which can be received in PLC (AC500 SNMP library)
- Use of “automation switches” which can also communicate their status directly via Modbus.
Note
Normally the HA-Modbus TCP library takes care of communication supervision, nevertheless if communication is cut completely, the I/O clusters have to react on their own to achieve a bumpless or desired behaviour: The following parameters for the CI clusters and I/O modules need to be considered:
CI52x: parameter “Timeout for Bus supervision: 2)
Allows to detect errors from CI side as well and take action to ensure a fail safe behavior if communication is cut. It can be set in 10 ms steps, if set to 0 no bus supervision is active [proposed value: 50 = 500 ms = default in Bulk data manager).
“Behaviour Outputs” at “Timeout for Bus supervision” 1), 2)
This fail-safe parameter has to be consciously set: separate settings are possible for each module (and CI): “off”; “last” or “substitute”: 5 s, 10 s, ¥ s 1)
Remarks:
1) The parameters “Behaviour Outputs at comm. Error” is only analyzed if the Failsafe-mode is ON.
2) Both are CI52x parameters set e.g. via Bulk data manager in the program.