Deep Analysis of HIMA HIMax Safety Control System: Architecture, Redundancy, and Engineering Application Guidelines
1. Introduction: Overview of the HIMax System
HIMax is a safety-related control system designed by HIMA for continuous operation and maximum availability. It is highly modular: processing, input/output (I/O) and communication functions are distributed over pluggable modules installed on one or more baseboards. Because the baseboards are linked to one another by Ethernet cables, the system scales well and can be extended as the process it controls grows.
The system is certified to IEC 61508 SIL 3 and supports configurations ranging from a single, non-redundant controller to a highly redundant one, which makes it suitable for safety-critical tasks in both process automation and factory automation.
2. Hardware architecture and system bus
2.1 Modular Base Plate Design
The physical foundation of HIMax is the baseboard, which is available in several variants according to the number of slots, to suit different installation requirements:
10 slots (X-BASE PLATE 10 01): suitable for flat base installation.
15 slots (X-BASE PLATE 15 01/02): suitable for backplane installation or 19-inch cabinet installation.
18 slots (X-BASE PLATE 18 01): suitable for backplane installation, providing the highest density.
Each slot accommodates one module and one connection board. Slots 1 and 2 on the left side of the baseboard are reserved for the system bus modules; the remaining slots take processor, I/O or communication modules.
2.2 Redundant System Bus
The HIMax system operates on two redundant system buses: System Bus A and System Bus B.
Communication mechanism: A module plugged into the baseboard is connected to both system buses. While both buses are operational, communication takes place on both simultaneously.
Scalability: The system bus is based on Ethernet technology, allowing a system to span large production sites. With fiber-optic components, the maximum extent of a HIMax system is 19.6 kilometers.
Isolation: The system bus connection between the module and the baseboard is electrically isolated, ensuring an insulation voltage of at least 1500 V between the processor module and each I/O module.
3. Safety standards and operating principles
3.1 Safety Integrity Level (SIL)
HIMax safety related controllers are certified for the following high standard applications:
SIL 3 (compliant with IEC 61508)
Category 4 (compliant with EN 954-1)
PL e (compliant with ISO 13849-1)
3.2 Operating Principles
The system design follows these core safety principles:
De-energize to trip (loss-of-excitation trip): The system is designed on the "de-energize to trip" principle, meaning that no energy is required to perform the safety function. When a fault occurs, the affected inputs and outputs enter the de-energized safe state.
Energize to trip (power-on trip): HIMax can also be used in "energize to trip" applications (such as fire alarm systems), but the corresponding application standards (such as line diagnostics) must then be met.
Fault tolerance time (FTT): When implementing safety-related communication, the overall response time must not exceed the fault tolerance time of the process.

4. High availability: comprehensive redundancy design
The HIMax design is centered on high availability. Redundancy serves only to improve availability; it does not raise the SIL level.
4.1 Redundancy of processor modules
The system can be configured as a single (mono) system or as a highly available system with up to 4 redundant processor modules.
Degradation and upgrade: If a processor module fails or is removed, the system continues to operate safely on the remaining modules. A processor module added during operation synchronizes automatically with the existing modules without interrupting safety-related operation.
4.2 I/O module and channel redundancy
Module redundancy: Two or three I/O modules of the same type can be defined as mutually redundant.
Channel redundancy: Channels with the same number can be defined as redundant. For input channels, users can specify how the controller combines signals from two redundant channels (such as 2oo3 voting).
Connection board: To save wiring effort, a special connection board lets two redundant modules be plugged into adjacent slots while the field wiring is made only once.
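The 2oo3 voting mentioned above, as an added illustration that is not HIMA's or SILworX's code: a generic M-out-of-N vote over redundant input channels, with 2oo3 on top of it. The treatment of a faulty channel as de-energized, so that a fault can only push the result toward the safe state, is an assumption made here for the example, not a statement about how the controller combines channels.

```python
from typing import Optional, Sequence, Tuple

# Constructed channel states: True = energized (no demand), False = de-energized
# (trip demand), None = channel diagnosed as faulty (open circuit, module missing).
ChannelState = Optional[bool]


def vote_moon(m: int, channels: Sequence[ChannelState]) -> bool:
    """M-out-of-N voting over redundant input channels.

    The combined input stays energized only if at least m of the n channels are
    energized. Assumption (not taken from the manual): a faulty channel counts
    as de-energized, so a fault can only move the result toward the safe state
    and never mask a genuine trip demand.
    """
    n = len(channels)
    if not 1 <= m <= n:
        raise ValueError(f"invalid voting scheme {m}oo{n}")
    energized = sum(1 for state in channels if state is True)
    return energized >= m


def vote_2oo3(channels: Sequence[ChannelState]) -> Tuple[bool, str]:
    """2oo3 voting with a degradation note for the diagnostic history.

    With all channels healthy a single discrepant channel is outvoted. With one
    faulty channel the scheme effectively degrades to 2oo2 on the remaining
    channels; with two faults the result is forced to the safe state.
    """
    if len(channels) != 3:
        raise ValueError("2oo3 needs exactly three channels")
    faults = sum(1 for state in channels if state is None)
    result = vote_moon(2, channels)
    if faults == 0:
        note = "2oo3: full redundancy"
    elif faults == 1:
        note = "2oo3 degraded to 2oo2: one channel faulty"
    else:
        note = "insufficient healthy channels: forced to safe state"
    return result, note


if __name__ == "__main__":
    # Constructed scenarios: one spurious de-energized channel is outvoted,
    # two genuine demands trip even though the third channel is still energized.
    for states in ([True, True, False], [True, False, False],
                   [True, True, None], [True, None, None]):
        print(states, "->", vote_2oo3(states))
```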
5. Engineering and Programming: Based on SILworX
The user program is created on a programming system (PADT), i.e. a PC with the SILworX tool installed.
5.1 Multitasking
HIMax can execute up to 32 user programs concurrently within one processor module.
Multitasking modes:
Mode 1: Use unused execution time to shorten the CPU cycle time (fastest response).
Mode 2: Allocate unused time from low-priority programs to high-priority programs (high-availability mode).
Mode 3: Let unused time expire so that the CPU cycle time stays fixed (constant cycle).
5.2 Variables and System Parameters
Variable types: Local variables (VAR) and global variables (VAR_GLOBAL) are supported. Global variables allow data exchange between program organization units (POUs).
Initial value: All variables that receive values from physical inputs or communications must be assigned an initial value as a safe value.
5.3 Online modification
Reload: Loads a modified project configuration without interrupting safety-related operation. This covers changes to user program logic, parameters and the like, provided the reload conditions are not violated (changes such as adding new variable assignments usually require a Download instead).
Forcing: Replaces the current value of a variable with a forced value, for the purpose of testing the program. Attention: forced values can lead to incorrect outputs and prolong the cycle time; forcing must be authorized by the responsible test authority and used only within a time limit.

6. Diagnosis and maintenance
6.1 Diagnosis of LED indicator lights
The LED on the front panel of the module provides a quick overview of the system status:
Module status: RUN (green), ERROR (red), STOP (yellow), Init (yellow).
Redundancy status: ESS (yellow, critical module), RED (yellow, running redundantly).
System bus: Display the connection status with buses A and B (green indicates normal, flashing indicates fault).
Maintenance instructions: Force, Test, Prog.
6.2 Diagnostic History Record
Each HIMax module keeps a history of faults and events, split into two records:
Short-term diagnosis: A circular buffer in which new entries overwrite the oldest ones.
Long-term diagnosis: Stores user actions and configuration changes. When the record is full, a new entry overwrites the oldest entry only if that entry is more than 3 days old; if it is not, the new entry is rejected and the rejection is marked.
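The two history records described above, modelled as an added example (not HIMA's implementation): a short-term ring buffer and a long-term record that applies the 3-day rule before overwriting. Buffer capacities, the representation of the "mark" as a rejection counter, and the sample user actions are assumptions constructed for the example.

```python
from collections import deque
from datetime import datetime, timedelta
from typing import Deque, List, Tuple

RETENTION = timedelta(days=3)  # from the manual: entries under 3 days old are never overwritten


class DiagnosticHistory:
    """Constructed model of one module's diagnostic history (capacities are assumptions).

    short_term: circular buffer, a new entry always displaces the oldest one.
    long_term: user actions and configuration changes; when full, a new entry
    overwrites the oldest only if that entry is older than RETENTION, otherwise
    the new entry is rejected and the rejection is marked.
    """

    def __init__(self, short_capacity: int = 8, long_capacity: int = 4) -> None:
        self.short_term: Deque[Tuple[datetime, str]] = deque(maxlen=short_capacity)
        self.long_term: List[Tuple[datetime, str]] = []
        self.long_capacity = long_capacity
        self.rejected = 0  # number of long-term entries lost; marks the gap for the maintainer

    def log_short(self, time: datetime, text: str) -> None:
        self.short_term.append((time, text))  # deque(maxlen) silently drops the oldest entry

    def log_long(self, time: datetime, text: str) -> bool:
        """Record a user action; returns False when the entry had to be rejected."""
        if len(self.long_term) < self.long_capacity:
            self.long_term.append((time, text))
            return True
        oldest = min(self.long_term, key=lambda entry: entry[0])
        if time - oldest[0] > RETENTION:
            self.long_term.remove(oldest)
            self.long_term.append((time, text))
            return True
        self.rejected += 1  # record full of recent evidence: keep it, refuse the new entry
        return False


def demo_scenario() -> Tuple[List[bool], List[str], int]:
    """Constructed sequence of user actions against a 2-entry long-term record."""
    t0 = datetime(2024, 1, 1, 8, 0)
    hist = DiagnosticHistory(short_capacity=2, long_capacity=2)
    accepted = [
        hist.log_long(t0, "download project v1"),
        hist.log_long(t0 + timedelta(hours=1), "force value set"),
        hist.log_long(t0 + timedelta(hours=2), "force value cleared"),  # rejected: all entries < 3 days old
        hist.log_long(t0 + timedelta(days=4), "reload"),                # accepted: overwrites the 4-day-old entry
    ]
    return accepted, [text for _, text in hist.long_term], hist.rejected


if __name__ == "__main__":
    print(demo_scenario())
```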
6.3 Temperature Monitoring
Each module monitors its own temperature. The state variables report one of the following ranges:
Normal: < 40 °C
Threshold 1 exceeded: 40 ... 60 °C
Threshold 2 exceeded: > 60 °C
7. Lifecycle Management: Installation and Startup
7.1 Installation and Grounding
Mechanical installation: The base plate is installed in the control cabinet, ensuring sufficient heat dissipation (it is recommended to use a fan bracket).
Grounding (PE): Functional grounding must be implemented for electromagnetic compatibility (EMC). All surfaces of HIMax components (except the pluggable modules) are conductive and must be connected to the cabinet frame by a grounding conductor (for example a 16 mm² or 25 mm² green-yellow wire).
7.2 Startup Process
Hardware installation: Complete all module and cable connections.
Set IP and SRS: Log in to the system bus modules and processor modules through SILworX and set the System.Rack.Slot (SRS) address and the IP address.
Load project: Execute Download or Reload.
Start running: Set the mode switch to RUN.
7.3 Maintenance and Repair
Preventive maintenance: It is recommended to regularly replace the controller fan.
ESD protection: Only personnel with knowledge of ESD (electrostatic discharge) protection can replace modules.
Power redundancy: Supports the connection of two redundant 24 VDC power units, powered through terminals L1+/L1- and L2+/L2-.
8. System specifications and limits
To keep a project design sound, engineers must observe the following system limits:
Number of resources (controllers): 1 ... 65534 per project
Number of baseboards: 1 ... 16 per resource
Processor modules: 1 ... 4
User programs: 1 ... 32
Event definitions: 0 ... 20000
I/O modules: 0 ... 200
SafeEthernet connections: 0 ... 255
Non volatile event buffer size: 5000 events
Model Supplement
X-BASE PLATE 10 01
X-BASE PLATE 15 01
X-BASE PLATE 15 02
X-BASE PLATE 18 01
X-CPU 01 (processor module)
X-SB 01 (System Bus Module)
X-COM 01 (Communication Module)
X-AI 32 02 SOE
X-DI 32 01
X-DI 32 02 (for proximity switch)
X-DI 32 03
X-DI 32 04
X-DI 32 04 SOE
X-DI 32 05 (for proximity switch)
X-DI 32 05 SOE
X-DI 64 01
X-CI 24 01
X-AO 16 01
X-DO 12 01
X-DO 12 02
X-DO 24 01
X-DO 24 02
X-DO 32 01
X-FTA AI 32 01 01
X-FTA DI 32 01 01
X-FTA DI 32 02 01
X-FTA DO 12 01 01
X-FTA DO 24 01 01
X-FTA 001 01
X-FTA 001 02
X-FTA 002 01
X-FTA 002 02
X-FTA 003 02
X-FTA 005 02
X-FTA 006 01
X-FTA 006 02
X-FTA 007 02
X-FTA 008 02
X-FTA 009 02
X-CB 008 01
X-CB 008 02
X-CB 008 03
X-CB 008 04