The HIMatrix Compact System is a series of safety-related controllers from HIMA. Its compact design integrates the safety-related processor system, several input/output channels and the communication interfaces in one metal housing. Besides the controllers, the HIMatrix compact system includes remote I/O, which is connected to a controller via safeethernet to add further input and output channels.
These safety-related controllers can be used in applications up to SIL 3 and comply with IEC 61508, IEC 61511 and IEC 62061. In railway applications they can also be used up to SIL 4 and comply with EN 50126, EN 50128 and EN 50129. The HIMatrix system is certified for use as a process controller, protection system, burner controller and machine controller.
The HIMatrix system is designed according to the de-energize-to-trip principle: the system needs no power supply to perform its safety function, so in the event of a fault the inputs and outputs assume the de-energized safe state. The controllers can also be used in applications that follow the energize-to-trip principle.
System variants and programming tools
The HIMatrix system is divided into different variants based on hardware layout and operating system version:
Programming tool | Processor operating system | Communication operating system | Hardware layout
SILworX | CPU-OS V8 and above | COM-OS V13 and above | L3
SILworX | CPU-OS V7 and above | COM-OS V12 and above | L2
ELOP II Factory | CPU-OS V7 and below | COM-OS V12 and below | L2
Important notes:
Devices with hardware layout L3 offer extended functions, such as multitasking and reload
The operating system for layout L3 cannot be used on layout L2 devices, and vice versa
Projects created with ELOP II Factory cannot be edited with SILworX, and vice versa
Safety functions and operational requirements
3.1 Intended Use
The HIMatrix controller may only be used for its intended applications, under the specified environmental conditions and together with approved external devices. When safety-related data is transmitted over public networks (such as the Internet), additional security measures such as VPN tunnels or firewalls must be taken. The fieldbus interfaces cannot provide safety-related communication.
3.2 Operating Environment Requirements
Requirement | Value
Protection class | Class III per IEC/EN 61131-2
Pollution degree | Degree II per IEC/EN 61131-2
Altitude | < 2000 m
Enclosure rating | IP20; the device may be installed in an enclosure with a higher rating if required
Operating temperature | 0 °C to +60 °C (tested limits: -10 °C to +70 °C)
Storage temperature | -40 °C to +85 °C
Power supply | 24 VDC, -20 % to +25 %; a SELV or PELV supply is required
3.3 ESD protection measures
Attention: Electrostatic discharge can damage the electronic components of the HIMatrix system! Only personnel familiar with ESD protective measures may modify or extend the system or replace modules. Work in an area free of static charge and wear an ESD wrist strap. When a module is not in use, protect it against electrostatic discharge, for example by keeping it in its original packaging.
3.4 Residual Risks
The HIMatrix compact system itself does not pose any direct danger. Residual risks may arise from:
Malfunctions related to engineering design
Malfunctions related to user programs
Wiring related faults
Device monitoring functions
4.1 Working voltage monitoring
The device continuously monitors the 24 VDC voltage during operation and takes corresponding measures based on the voltage level:
Voltage level | Device response
19.3 V to 28.8 V | Normal operation
< 18.0 V | Alarm state (written to an internal system variable, available to the user program)
< 12.0 V | Inputs and outputs switched off
The Power Supply State system variable is used to evaluate the operating voltage state through programming tools or user programs.
4.2 Temperature status monitoring
One or more sensors measure the temperature at relevant locations in the device or system. The Temperature State [BYTE] system variable takes the following values:
Temperature range | Temperature State value
< 60 °C | Normal (0x00)
60 °C to 70 °C | High (0x01)
> 70 °C | Very high (0x03)
If the "very high" temperature state frequently occurs, HIMA recommends improving the system's heat dissipation conditions to maintain the longevity of the HIMatrix system.
Event recording function - L3
The HIMatrix system is capable of recording alarm and event sequences.
5.1 Event Types
Boolean event: a change of state of a Boolean variable, for example a digital input changing. Which of the two states counts as the alarm state and which as the normal state can be assigned freely.
Scalar event: a scalar variable crossing one of its defined limits. Scalar variables have numeric data types such as INT and REAL; two upper limits and two lower limits can be set.
5.2 Event Recording and Transmission
The processor system collects events and stores them in a buffer, an area of non-volatile memory with a capacity of 1000 events. When the buffer is full, new events are not stored until the stored events have been read out and thereby marked as overwritable.
The X-OPC server reads the events from the buffer and passes them to third-party systems for evaluation or notification. Up to 4 X-OPC servers can read events from one processor module at the same time.
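To make the semantics of 5.1 and 5.2 concrete, the following Python model (an added example written for this page, not HIMA code) records Boolean state changes and scalar limit crossings into a 1000-entry buffer that, once full, discards new events until a reader has emptied it. The event types, the limit names, the source names and all sample values are constructed. The detail worth watching is the dropped counter: events that arrive while the buffer is full are lost for good, so a reader that falls behind leaves a gap in the alarm sequence.

```python
from dataclasses import dataclass
from typing import Optional

BUFFER_CAPACITY = 1000  # stated on the page: the event buffer holds 1000 events


@dataclass
class Event:
    seq: int        # constructed running number, so gaps caused by a full buffer stay visible
    source: str
    kind: str       # "boolean" or "scalar"
    detail: str
    value: float


class EventBuffer:
    """Bounded event store. Deliberately not a ring buffer: once full, new events
    are discarded until the stored ones are read out (and thereby freed)."""

    def __init__(self, capacity: int = BUFFER_CAPACITY) -> None:
        self.capacity = capacity
        self._events: list[Event] = []
        self._seq = 0
        self.dropped = 0    # events that arrived while the buffer was full

    def store(self, source: str, kind: str, detail: str, value: float) -> bool:
        self._seq += 1
        if len(self._events) >= self.capacity:
            self.dropped += 1   # detection gap: this event is gone for good
            return False
        self._events.append(Event(self._seq, source, kind, detail, value))
        return True

    def read_all(self) -> list[Event]:
        """Reader side (an X-OPC server on the page): take the events and free the slots."""
        events, self._events = self._events, []
        return events

    def __len__(self) -> int:
        return len(self._events)


class BooleanSource:
    """Boolean event: every state change is recorded; alarm_state says which state is the alarm."""

    def __init__(self, name: str, buf: EventBuffer, alarm_state: bool) -> None:
        self.name, self.buf, self.alarm_state = name, buf, alarm_state
        self.last: Optional[bool] = None

    def update(self, state: bool) -> None:
        if self.last is not None and state != self.last:
            label = "alarm" if state == self.alarm_state else "normal"
            self.buf.store(self.name, "boolean", label, float(state))
        self.last = state


class ScalarSource:
    """Scalar event: crossing one of two lower or two upper limits is recorded."""

    def __init__(self, name, buf, low2, low1, high1, high2) -> None:
        self.name, self.buf = name, buf
        self.low2, self.low1, self.high1, self.high2 = low2, low1, high1, high2
        self.last_zone: Optional[str] = None

    def _zone(self, v: float) -> str:
        if v < self.low2:
            return "low-low"
        if v < self.low1:
            return "low"
        if v > self.high2:
            return "high-high"
        if v > self.high1:
            return "high"
        return "normal"

    def update(self, value: float) -> None:
        zone = self._zone(value)
        if self.last_zone is not None and zone != self.last_zone:
            self.buf.store(self.name, "scalar", f"{self.last_zone}->{zone}", value)
        self.last_zone = zone


def run_demo(capacity: int = BUFFER_CAPACITY) -> dict:
    """Feed constructed samples through both event types and report the buffer state."""
    buf = EventBuffer(capacity)
    door = BooleanSource("DoorContact", buf, alarm_state=False)   # open contact = alarm
    temp = ScalarSource("TankTemp", buf, low2=5.0, low1=10.0, high1=80.0, high2=90.0)
    for state in (True, True, False, False, True):               # 2 state changes
        door.update(state)
    for value in (20.0, 50.0, 85.0, 95.0, 60.0, 8.0, 3.0):       # 5 zone changes
        temp.update(value)
    stored, dropped = len(buf), buf.dropped
    return {"stored": stored, "dropped": dropped, "events": buf.read_all(),
            "left_after_read": len(buf)}


if __name__ == "__main__":
    for cap in (BUFFER_CAPACITY, 5):     # 5 = constructed small buffer to show the full case
        r = run_demo(cap)
        print(f"capacity={cap}: stored={r['stored']} dropped={r['dropped']}")
        for e in r["events"]:
            print(f"  #{e.seq} {e.source} {e.kind} {e.detail} value={e.value}")
```

Running it with the default capacity stores all seven constructed events; with the constructed capacity of 5, the last two are counted as dropped and their sequence numbers never appear in the read-out, which is exactly the gap an evaluating system has to look for.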

Communication system
6.1 Ethernet and Integrated Switches
The HIMatrix controllers and remote I/O are equipped with Ethernet switches with RJ-45 connectors, to which further devices can be connected. The switches have the following properties:
They learn the address/port assignment table automatically
They switch automatically between 10 and 100 Mbit/s
They switch automatically between full-duplex and half-duplex connections
Auto-crossover: crossed cables are detected and compensated automatically
6.2 safeethernet Safety Protocol
safeethernet is an Ethernet-based transmission protocol for safety-related data up to SIL 3. It detects the following transmission faults and triggers a safety-related reaction:
Data transmission corruption (duplicate, lost, and altered bits)
Invalid message addressing (sender, receiver)
Incorrect data sequence (duplicate, lost, swapped)
Invalid timing (delay, echo)
safeethernet uses the black channel approach: the data travels over a non-safety-related transmission channel (standard Ethernet), and the safety-related protocol mechanisms at sender and receiver monitor the transmission. Standard Ethernet components such as hubs, switches and routers can therefore be used in safety-related networks.
Warning: The operator is responsible for ensuring that the Ethernet network used for safeethernet is sufficiently protected against manipulation. The type and scope of the measures must be agreed with the responsible test authority.
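As an added illustration of the black-channel idea (constructed for this page; it is not the safeethernet protocol, whose frame format is not described here), the following Python models a safety layer over an untrusted transport: a header with sender ID, receiver ID, sequence number and sender timestamp, all protected together with the payload by a CRC-32. Each receiver check corresponds to one of the four fault classes listed above, and any fault latches the safe state. The IDs, the 100 ms age limit and the sample frames are constructed values.

```python
import struct
import zlib
from typing import Optional, Tuple

# Constructed safety-layer header: source ID, destination ID, sequence number,
# sender timestamp in ms, payload length. The real protocol's layout is not shown here.
HEADER = struct.Struct(">HHIIH")
CRC_LEN = 4


def build_frame(src: int, dst: int, seq: int, ts_ms: int, payload: bytes) -> bytes:
    """Sender side: header + payload, protected by a CRC-32 over both."""
    body = HEADER.pack(src, dst, seq, ts_ms, len(payload)) + payload
    return body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


class SafeReceiver:
    """Receiver side of the safety layer. Every check maps to one fault class
    from the page; any fault latches the safe state."""

    def __init__(self, own_id: int, partner_id: int, max_age_ms: int) -> None:
        self.own_id = own_id
        self.partner_id = partner_id
        self.max_age_ms = max_age_ms    # longest acceptable transit time
        self.expected_seq = 1
        self.safe_state = False

    def _check(self, frame: bytes, now_ms: int) -> Optional[str]:
        if len(frame) < HEADER.size + CRC_LEN:
            return "corruption"
        body, crc = frame[:-CRC_LEN], struct.unpack(">I", frame[-CRC_LEN:])[0]
        if zlib.crc32(body) & 0xFFFFFFFF != crc:
            return "corruption"          # duplicated, lost or altered bits
        src, dst, seq, ts_ms, plen = HEADER.unpack_from(body)
        if plen != len(body) - HEADER.size:
            return "corruption"
        if dst != self.own_id or src != self.partner_id:
            return "addressing"          # not addressed to us, or not from our partner
        if seq != self.expected_seq:
            return "sequence"            # duplicate (replayed), lost or swapped frame
        age = now_ms - ts_ms
        if age < 0 or age > self.max_age_ms:
            return "timing"              # delayed frame, or a timestamp that is not plausible
        return None

    def accept(self, frame: bytes, now_ms: int) -> Tuple[Optional[bytes], Optional[str]]:
        """Returns (payload, None) when the frame is trusted, else (None, fault)."""
        if self.safe_state:
            return None, "safe_state"
        fault = self._check(frame, now_ms)
        if fault is not None:
            self.safe_state = True       # outputs would be de-energized at this point
            return None, fault
        self.expected_seq += 1
        return frame[HEADER.size:-CRC_LEN], None


def run_demo() -> dict:
    """Constructed cases, one per fault class, each against a receiver that has
    already accepted frame #1 (so the expected sequence number is 2)."""
    def primed() -> SafeReceiver:
        rx = SafeReceiver(own_id=2, partner_id=1, max_age_ms=100)
        rx.accept(build_frame(1, 2, 1, 1000, b"\x01"), now_ms=1020)
        return rx

    good = build_frame(1, 2, 2, 1050, b"\x00")
    flipped = bytearray(good)
    flipped[HEADER.size] ^= 0x01                  # one payload bit altered in transit
    return {
        "intact":           primed().accept(good, 1060)[1],
        "bit_flip":         primed().accept(bytes(flipped), 1060)[1],
        "wrong_receiver":   primed().accept(build_frame(1, 3, 2, 1050, b"\x00"), 1060)[1],
        "replayed_frame":   primed().accept(build_frame(1, 2, 1, 1000, b"\x01"), 1060)[1],
        "lost_predecessor": primed().accept(build_frame(1, 2, 3, 1050, b"\x00"), 1060)[1],
        "delayed":          primed().accept(good, 1200)[1],
    }


if __name__ == "__main__":
    for case, fault in run_demo().items():
        print(f"{case:18s} -> {fault or 'accepted'}")
```

Note what the model does not do: it offers no confidentiality and no protection against a deliberate forger who can compute the CRC, which is why the warning above places the protection of the underlying network on the operator rather than on the safety layer.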
6.3 Communication with PADT
The HIMatrix controller communicates with the PADT (programming and debugging tool) via Ethernet. The PADT is a PC with the programming tool (SILworX or ELOP II Factory) installed. The programming tool must match the operating system version of the controller:
CPU-OS V7 and above: SILworX
CPU-OS V7 and below: ELOP II Factory
A controller can communicate with up to 5 PADTs at the same time. In that case only one programming tool has write access to the controller; the others can only read information.
Operating System and User Programs
7.1 Processor Operating System Functions
The operating system includes all the basic functions of the HIMatrix controller. The application functionality is specified by the user program. The code generator converts the user program into machine code, and the programming tool transfers this machine code to the controller's flash memory.
7.2 Fault response behavior
Permanent input/output faults:
A faulty channel does not affect the controller as a whole; the operating system treats only that channel as faulty
Faulty input channel: the operating system supplies the safe value 0 (or the initial value) to the user program
Faulty output channel: the operating system sets the output to the de-energized state
If an I/O module fault persists for more than 24 hours, the controller permanently switches off the affected I/O module
Temporary input/output faults:
Once the fault disappears by itself, the operating system clears the fault state and resumes normal operation
The operating system calculates and evaluates the fault frequency; if the specified fault frequency is exceeded, the module status is set permanently to faulty
Internal faults:
Processor operating system version V.6.44 and above: HIMatrix controller automatically starts. If an internal fault is detected again within one minute after startup, the controller will remain in STOP/INVALID CONFIGURATION state.
7.3 Operating Mode of Processor System
Operating mode | Description
INIT | Safe state of the processor system during the initialization phase; hardware and software tests are performed
STOP/VALID CONFIGURATION | Safe state; the user program is not executed and all outputs are reset
STOP/INVALID CONFIGURATION | Safe state entered when no configuration is loaded or after a system failure; a restart is only possible via the PADT
RUN | The processor system is active: the user program runs cyclically and the I/O signals are processed
7.4 Multitasking - L3
Multitasking is the ability of the HIMatrix system to process up to 32 user programs in one processor module, which allows the sub-functions of a project to be kept separate from one another. Each user program can be started, stopped and loaded independently, including via the reload function.
Key parameters:
Maximum duration per cycle [µs]: the time a user program may use within one CPU cycle
Program ID: The ID used to identify the program when displayed in SILworX
Watchdog time: Resource watchdog time
Target cycle time [ms]: required or maximum cycle time
Multitasking mode: how the execution time left unused by the user programs is handled
Multitasking modes:
Mode 1: Unused time shortens the CPU cycle. As soon as a user program has been processed completely, processing of the next user program starts immediately, which reduces the total cycle time.
Mode 2: Time left unused by lower-priority user programs is made available to higher-priority user programs, to ensure high availability.
Mode 3: Unused time is not given to other user programs. The system waits until the maximum duration per cycle of the current user program has elapsed before starting the next one, which results in CPU cycles of constant length.
7.5 Reload Function - L3
If the user program is modified, the changes can be transferred to the PES while it is running. The operating system checks and activates the modified user program, which then takes over the control tasks.
A successful reload requires that sufficient reserve was planned when the watchdog time was determined, or that the controller's watchdog time reserve is increased temporarily. Any temporary increase of the watchdog time must be agreed with the responsible test authority.
On reload, global and local variables take the values of the corresponding variables of the previous project version. Renaming a variable has the same effect as deleting it and creating a new one: such variables are initialized.

Forcing
Forcing means replacing the current value of a variable with a forced value, for example to test a user program or to simulate a sensor that is not yet available.
8.1 Forcing warnings
Warning: Forced values can cause physical injury! Existing forcing restrictions may only be removed with the consent of the test authority responsible for the final acceptance of the system. Values may only be forced with the consent of the test authority. While forcing is active, the responsible person must take further technical and organizational measures to ensure that the process is adequately monitored with respect to safety.
Attention: Forced values can impair safety integrity! Forcing can lead to incorrect output values. Forcing can extend the cycle time, which may cause the watchdog time to be exceeded.
8.2 Forcing time limit - CPU-OS V7 and above
Separate time limits can be defined for global and local forcing. When the time limit expires, the controller stops forcing the values. The behavior on expiry can be configured:
Global forcing: the resource stops or continues to run
Local forcing: the user program stops or continues to run
8.3 Force Deactivation system variable
The Force Deactivation system variable can be assigned to a digital input connected to a key switch in order to stop forcing immediately:
Layout | Effect
L3 | Force Deactivation blocks the start of global and local forcing and stops forcing that is already in progress
L2 | Force Deactivation blocks the start of global forcing and stops forcing that is already in progress; commands that edit local process values are suppressed, but local variables that have already been changed are not reset to their previous process values
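The following Python model (an added example written for this page, not HIMA code) puts 8.2 and 8.3 together: global and local forcing with optional time limits, the configurable stop/continue behavior on expiry, and a Force Deactivation input whose effect on local forcing differs between L3 and L2 as described in the table. The variable names and values are constructed, and the assumption that an expired local force restores the previous value of the variable is mine, not the page's.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class ForceEntry:
    forced_value: float
    expires_at_ms: Optional[int]              # None: no time limit
    previous_value: Optional[float] = None    # local variables only: value before forcing


class ForceManager:
    """Constructed model of forcing on one resource. Global forcing overrides
    process inputs; local forcing overwrites a user-program variable. The
    Force Deactivation input models the key switch; L2 and L3 differ only in
    how a local force that is already active is ended."""

    def __init__(self, layout: str, on_global_expiry: str = "stop",
                 on_local_expiry: str = "stop") -> None:
        if layout not in ("L2", "L3"):
            raise ValueError("layout must be 'L2' or 'L3'")
        self.layout = layout
        self.on_global_expiry = on_global_expiry    # "stop" or "continue"
        self.on_local_expiry = on_local_expiry      # "stop" or "continue"
        self.process_values: dict[str, float] = {}  # inputs as read from the field
        self.local_variables: dict[str, float] = {} # user-program variables
        self.global_forces: dict[str, ForceEntry] = {}
        self.local_forces: dict[str, ForceEntry] = {}
        self.force_deactivation = False             # key-switch input
        self.resource_running = True
        self.program_running = True

    def input_value(self, var: str) -> float:
        """What the user program reads for a process input: a forced value wins."""
        entry = self.global_forces.get(var)
        return entry.forced_value if entry else self.process_values[var]

    def start_global_force(self, var: str, value: float, now_ms: int,
                           limit_ms: Optional[int] = None) -> bool:
        if self.force_deactivation:                 # start blocked on both layouts
            return False
        expiry = None if limit_ms is None else now_ms + limit_ms
        self.global_forces[var] = ForceEntry(value, expiry)
        return True

    def start_local_force(self, var: str, value: float, now_ms: int,
                          limit_ms: Optional[int] = None) -> bool:
        if self.force_deactivation:                 # L3: start blocked; L2: edit command suppressed
            return False
        expiry = None if limit_ms is None else now_ms + limit_ms
        self.local_forces[var] = ForceEntry(value, expiry, self.local_variables[var])
        self.local_variables[var] = value
        return True

    def _end_local_force(self, var: str, restore: bool) -> None:
        entry = self.local_forces.pop(var)
        if restore:
            self.local_variables[var] = entry.previous_value

    def activate_force_deactivation(self) -> None:
        """Key switch operated: all forcing ends immediately."""
        self.force_deactivation = True
        self.global_forces.clear()                  # inputs fall back to the process values
        for var in list(self.local_forces):         # L3 restores the variable, L2 leaves the forced value
            self._end_local_force(var, restore=(self.layout == "L3"))

    def tick(self, now_ms: int) -> None:
        """Cyclic check of the time limits; expiry ends the force and applies the configured behavior."""
        for var, entry in list(self.global_forces.items()):
            if entry.expires_at_ms is not None and now_ms >= entry.expires_at_ms:
                del self.global_forces[var]
                if self.on_global_expiry == "stop":
                    self.resource_running = False
        for var, entry in list(self.local_forces.items()):
            if entry.expires_at_ms is not None and now_ms >= entry.expires_at_ms:
                self._end_local_force(var, restore=True)   # assumption, see lead-in
                if self.on_local_expiry == "stop":
                    self.program_running = False


def key_switch_demo(layout: str) -> dict:
    """Constructed scenario: a forced input and a forced local variable, then the key switch."""
    fm = ForceManager(layout)
    fm.process_values["PressureOK"] = 0.0          # the real sensor reports 'not OK'
    fm.local_variables["PumpEnable"] = 0.0
    fm.start_global_force("PressureOK", 1.0, now_ms=0)
    fm.start_local_force("PumpEnable", 1.0, now_ms=0)
    while_forced = (fm.input_value("PressureOK"), fm.local_variables["PumpEnable"])
    fm.activate_force_deactivation()
    after_key = (fm.input_value("PressureOK"), fm.local_variables["PumpEnable"])
    restart_blocked = not fm.start_global_force("PressureOK", 1.0, now_ms=10)
    return {"while_forced": while_forced, "after_key": after_key, "restart_blocked": restart_blocked}


def time_limit_demo() -> dict:
    """Constructed scenario: a global force with a 500 ms limit and 'stop' on expiry."""
    fm = ForceManager("L3", on_global_expiry="stop")
    fm.process_values["PressureOK"] = 0.0
    fm.start_global_force("PressureOK", 1.0, now_ms=0, limit_ms=500)
    fm.tick(499)
    before = (fm.input_value("PressureOK"), fm.resource_running)
    fm.tick(500)
    after = (fm.input_value("PressureOK"), fm.resource_running)
    return {"before_expiry": before, "after_expiry": after}
```

On L3 the key switch returns both the input and the local variable to their process values; on L2 the input falls back but PumpEnable keeps the forced value 1.0 until the user program writes it again, which is the point of the last row of the table: on L2 the key switch stops forcing, but does not by itself undo a local value that forcing has already written.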
Startup and Configuration
9.1 Installation and Wiring
Mount the device on a horizontal DIN rail and keep a minimum clearance of 100 mm above and below it
Connect the input and output circuits via the pluggable terminals
Grounding: mounting on a grounded DIN rail provides a sufficient ground connection; a grounding screw is also provided at the top left of the housing
Power supply: use a safely isolated 24 VDC supply that meets SELV or PELV requirements, externally protected by a 10 A slow-blow fuse
9.2 SILworX Configuration - CPU-OS V7 and above
Resource allocation parameters (partial):
System ID [SRS]: unique within the network
Safety Time [ms]: safety time, 20 to 22500 ms
Watchdog Time [ms]: watchdog time, 8 to 5000 ms
AutoStart: whether the user program starts automatically after power-on
Global Forcing allowed: whether global forcing is permitted
Multitasking Mode: multitasking mode (L3 only)
Hardware system variables:
Force Deactivation: blocks forcing and stops forcing that is in progress
Emergency Stop 1-4: emergency stop switches
Reload Deactivation: blocks execution of a reload (L3 only)
User LED 1-2: switches on the corresponding LED (L3 only)
9.3 Reset button function
If the compact system is switched on while the reset button is held down, it restarts with the connection parameters and user accounts reset to their default values. After a subsequent restart with the reset button released, the original values are used again.
Diagnosis and maintenance
10.1 LED indicator light
RUN: Running status indicator
ERROR: Error stop status indication
PROG: Configure loading status indication
Fault: I/O fault indication
OSL/BL: Operating System Emergency Loader Status
10.2 Diagnostic History
The diagnostic history records the various states of the processor and communication systems and stores them in non-volatile memory. The number of entries depends on the hardware layout and the processor operating system version:
L3: 700 long-term diagnoses (CPU)/300 short-term diagnoses (COM), 700 short-term diagnoses
CPU-OS V7 and above: 300/230 long-term diagnoses, 210/655 short-term diagnoses
CPU-OS V7 and below: 500/200-250 long-term diagnoses, 300/700-800 short-term diagnoses
10.3 Maintenance Measures
Loading an operating system: a new operating system is loaded with the programming tool; the controller must be in the STOP state
Switching between ELOP II Factory and SILworX: requires loading the matching processor operating system, communication operating system and OSL
