The HIMA H41q and H51q system families are third-generation programmable electronic systems (PES) that have been field validated and designed specifically for safety-critical applications in the process industry. The two families are based on the same hardware and software platform and are mainly used to control processes with extremely high safety and availability requirements, such as chemical plants, refineries, and power plants.
The core design philosophy of HIMA PES is to balance safety and usability. HIMA PES can be configured as a single channel or dual channel (redundant) system based on the required safety level (requirement levels AK 1 to 6 in accordance with DIN V 19250 standard) and availability requirements. This flexibility is not only reflected in the central module, but also applies to input/output modules and I/O buses, providing users with a complete solution from basic safety to the highest availability safety system.
The system configuration uses the ELOP II programming system to input, compile, load, test, and monitor user programs through a personal computer. All HIMA modules comply with the requirements of the EU EMC Directive 89/336/EWG and bear the CE mark, ensuring electromagnetic compatibility in harsh industrial environments.
System Architecture and Design Philosophy
The HIMA H41q and H51q system families offer multiple models based on the redundancy level of the central module, I/O bus, and I/O module to meet different safety levels and availability requirements.
2.1 H41q Compact System
The H41q series is a highly integrated compact system, with all components including the central unit, power supply, fuses, power distribution, and input/output modules installed in a 5U height 19 inch subrack. This integrated design simplifies system integration and saves control cabinet space.
H41q-M/MS: Single channel central module and single channel I/O bus. The MS model uses a dual processor central module (F8652), is certified by TÜV, and can reach the highest requirement level, AK 6.
H41q-H/HS: Redundant central module and single channel I/O bus, used to improve availability. The HS model also uses dual processor redundant central modules, combining high availability with safety.
H41q-HR/HRS: Redundant central module and redundant dual channel I/O bus, designed for maximum availability requirements. The HRS model has been certified by TÜV and meets AK 6.
2.2 H51q Modular System
The H51q series adopts a modular design, consisting of a 5U high central rack and up to 16 4U high I/O sub racks, which can support up to 256 I/O modules and is suitable for large distributed control systems.
H51q-M/MS: Single channel central module and single channel I/O bus. The MS model is equipped with a dual processor central module (F8650), suitable for applications with the highest safety level.
H51q-H/HS: Redundant central module and single channel I/O bus, balancing high availability and economy.
H51q-HR/HRS: Redundant central module and redundant dual channel I/O bus, achieving the highest system availability and fault tolerance. The HRS model has been certified by TÜV for AK 6.
2.3 Safety shutdown concept
The core safety mechanism of HIMA PES is to drive the process to a safe state when a fault occurs. For systems with defined safety states, this is usually the lowest energy state. The system performs different levels of shutdown based on the location and severity of the fault:
Module shutdown: A testable output module with integrated safety shutdown function will automatically switch to a safe power-off state when an internal fault is detected.
Group shutdown: Up to 10 testable output modules can be defined as a group through the H8-STA-3 function block in the user program. When any module in the group fails, the user program can trigger the shutdown of the whole group.
Watchdog shutdown: When an I/O bus failure, dual failure of output modules, or central module failure occurs, the associated central module will cut off its watchdog signal, causing all related output modules to shut down safely.
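The three shutdown levels above, as an added example in C (a simplified model written for this page, not HIMA firmware or ELOP II code). The type and function names are hypothetical, the array m stands for the output modules of one group served by one central module, and group_trip stands for the user program's decision to shut the group down.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

typedef enum { SD_NONE, SD_MODULE, SD_GROUP, SD_WATCHDOG } sd_level;
typedef struct { bool internal_fault, energized; } out_module; /* !energized = safe */
typedef struct { bool io_bus_fault, output_double_fault, central_fault; } system_faults;

static void trip_all(out_module *m, size_t n)
{
    for (size_t i = 0; i < n; i++)
        m[i].energized = false;
}

/* One pass over a group of n modules (the page allows up to 10 per group);
 * returns the widest shutdown reached. group_trip models the user program
 * choosing to shut the group down when one member reports a fault. */
sd_level evaluate_shutdown(out_module *m, size_t n, bool group_trip,
                           const system_faults *sf)
{
    sd_level level = SD_NONE;

    for (size_t i = 0; i < n; i++)
        if (m[i].internal_fault) {   /* module shutdown: faulty module only */
            m[i].energized = false;
            level = SD_MODULE;
        }
    if (level == SD_MODULE && group_trip) {
        trip_all(m, n);              /* group shutdown */
        level = SD_GROUP;
    }
    if (sf->io_bus_fault || sf->output_double_fault || sf->central_fault) {
        trip_all(m, n);              /* watchdog signal withdrawn */
        level = SD_WATCHDOG;
    }
    return level;
}

int main(void)
{
    out_module g[3] = { {false, true}, {true, true}, {false, true} }; /* constructed */
    system_faults none = { false, false, false };
    sd_level lv = evaluate_shutdown(g, 3, false, &none);
    printf("level=%d g0=%d g1=%d\n", (int)lv, g[0].energized, g[1].energized);
    return 0;
}
```

Every branch only ever removes energy from outputs, which is the fail-safe property the shutdown concept relies on: no fault path can re-energize a module.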
Central module and core processing unit
The H41q and H51q system families are based on two types of central module: F8652/F8650 (safety-related, dual processor) and F8653/F8651 (non-safety-related, single processor).
3.1 Safe central module F8650/F8652
Specially designed for safety-related applications, with TÜV certification.
Dual processor architecture: Two microprocessors with synchronized clocks run in parallel, one processing real data and programs, and the other processing inverted data and programs.
Testable hardware comparator: Compares all external accesses of the two processors. Once a difference is detected, the watchdog is immediately put into a safe state and a processor status signal is sent out.
Program memory: Flash EPROM, supporting at least 100,000 write cycles, used to store the operating system and user programs.
Data storage: SRAM, protected against power failure by the lithium battery on the central module, with a monitoring function.
Interface: Provides 2 electrically isolated RS-485 interfaces with a maximum transmission rate of 57600 bps.
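The dual processor and comparator principle described above, as an added example in C (a simplified model, not HIMA code). The logic function, the way the inverted program is derived (its De Morgan dual) and the stuck-line fault injection are assumptions of this example, and the real comparator checks external accesses rather than a single result word.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Channel A: real data, real program (a constructed trip-logic function). */
static uint8_t chan_real(uint8_t in, uint8_t mask, uint8_t ovr)
{
    return (uint8_t)((in & mask) | ovr);
}

/* Channel B: complemented data and the De Morgan dual of the same program,
 * so a fault-free result is the bitwise complement of channel A's. */
static uint8_t chan_inv(uint8_t nin, uint8_t nmask, uint8_t novr)
{
    return (uint8_t)((nin | nmask) & novr);
}

/* Comparator: every bit of A must be the opposite of the same bit of B. */
bool comparator_ok(uint8_t a, uint8_t b)
{
    return (uint8_t)(a ^ b) == 0xFF;
}

/* One cycle; stuck_a / stuck_b are bus lines forced to 0 (injected faults).
 * Returns the watchdog state: false = withdrawn, outputs de-energize. */
bool watchdog_after_cycle(uint8_t in, uint8_t mask, uint8_t ovr,
                          uint8_t stuck_a, uint8_t stuck_b)
{
    uint8_t a = (uint8_t)(chan_real(in, mask, ovr) & (uint8_t)~stuck_a);
    uint8_t b = (uint8_t)(chan_inv((uint8_t)~in, (uint8_t)~mask, (uint8_t)~ovr)
                          & (uint8_t)~stuck_b);
    return comparator_ok(a, b);
}

/* Contrast: two identical (non-inverted) channels with the same line stuck
 * low on both still agree, so an equality comparator misses the fault. */
bool identical_pair_agrees(uint8_t in, uint8_t mask, uint8_t ovr, uint8_t stuck)
{
    uint8_t a1 = (uint8_t)(chan_real(in, mask, ovr) & (uint8_t)~stuck);
    uint8_t a2 = (uint8_t)(chan_real(in, mask, ovr) & (uint8_t)~stuck);
    return a1 == a2;
}

int main(void)
{
    printf("healthy=%d common_mode=%d\n", watchdog_after_cycle(0xA5, 0x0F, 0x80, 0, 0),
           watchdog_after_cycle(0xA5, 0x0F, 0x80, 0x04, 0x04));
    return 0;
}
```

Because one of the two channels always carries a 1 on any given line, a fault that forces the same line low on both channels makes the pair equal on that bit and trips the comparator, which a pair of identical channels cannot detect.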