HIMA HIMax Safety Related Controller System

HIMA HIMax Safety Related Controller System

HIMax is a high-performance safety related control system launched by HIMA, designed to meet the stringent requirements of continuous operation and maximum availability in the process industry. The system adopts a modular design, distributing core functions such as processing, input/output, and communication on pluggable modules. Users can flexibly configure customized controllers by selecting appropriate modules and baseboards according to specific application needs. The HIMax system can support safety applications up to SIL 3 level, comply with IEC 61508 standard, and can be used in situations that comply with EN 954-1 Cat.4 and ISO 13849-1 PL e.

A HIMax system consists of at least one baseboard (baseboard 0) and can expand up to 15 expansion baseboards, forming a powerful system with up to 16 baseboards. The system bus interconnects all baseboards through Ethernet cables to ensure efficient and reliable data transmission. HIMax provides excellent safety performance and availability, whether used for process controllers, protection systems, burners, or machine controllers.

System architecture and core components

2.1 Base plate and module

The HIMax system offers three types of baseboards: 10 slot, 15 slot, and 18 slot, to accommodate I/O requirements of different scales. Each slot can accommodate one module and its corresponding connection board. The system bus module must be installed in the two slots on the left side of each backplane (slots 1 and 2) to manage redundant system buses A and B. The processor module must follow specific rules to be installed in the designated slots of backplane 0 and backplane 1 (such as slots 3-6), and can support up to 4 processor modules for redundancy. All unused slots must be plugged into empty modules to ensure ventilation and heat dissipation inside the system.

2.2 System Bus

The core of the HIMax system is its dual redundant system bus (system bus A and B). These two buses run inside the motherboard and are managed through the system bus module. The system bus module manages bus A in slot 1 and bus B in slot 2. When both modules are used, the communication is conducted on both buses at the same time, and the failure of any module will not affect the connection of other modules.

The system bus is connected between the baseboards through Ethernet jumpers. When connecting, the "UP" port of one motherboard must be connected to the "DOWN" port of the next motherboard, and system buses A and B must not be cross connected.

System bus expansion: Based on Ethernet technology, the system bus can be extended over long distances using components such as fiber optics, with a maximum distance of 19.6 kilometers. This is crucial for the integration of distributed production lines or vast factory areas. During design, strict calculation of signal delay is required to ensure that the delay between redundant processor modules does not exceed 10 microseconds, and the delay between processor modules and the farthest I/O module does not exceed 50 microseconds.

Redundant design: the cornerstone of high availability

The conceptual design of the HIMax system is characterized by high availability, and almost all system components can operate redundantly. Redundancy does not increase the level of security integrity, but it can significantly improve system availability.

3.1 Redundancy of processor modules

The system can be configured in single processor mode or multiple redundancy mode (up to four).

Reduce redundancy: When any processor module in a redundant system fails or is removed, the remaining modules can seamlessly take over, ensuring continuous safe operation.

Increase redundancy: When a new processor module is inserted into the running system, it will automatically synchronize its configuration with the existing module. The premise is that the user program has been configured as redundant, has available slots, and both system buses are working properly.

3.2 I/O module and channel redundancy

Module redundancy: Two or three I/O modules of the same type can be defined as redundant with each other in programming tools. You can also set the 'backup module' attribute to avoid triggering error messages due to module failure or missing.

Channel redundancy: On the basis of module redundancy, channels with the same channel number can be defined as redundant. The programming tool will automatically assign a global variable to the corresponding channel of the redundant module. For input channels, users can specify how the controller combines the signals of two redundant channels into a final value.

Redundant connection board: To simplify wiring, special redundant connection boards can be used. This connection board occupies two adjacent slots and can allocate the signal of one sensor to two redundant input modules, or merge the signals of two redundant output modules and output them to one actuator. Only one on-site wiring is required.

3.3 Communication and Power Redundancy

Communication redundancy: SafeEthernet communication connections can be configured as redundant in SILworX, meaning there are two identical physical transmission paths. The redundancy of standard protocols such as Modbus and PROFIBUS needs to be managed by user programs.

Power redundancy: The system supports connecting two redundant 24 VDC power supplies, which are respectively connected to L1+/L1- and L2+/L2- terminal blocks. Each module supports decoupling of two power sources internally.

Programming and Variable Management

4.1 Programming System

The HIMax system uses the SILworX programming tool to create user programs on personal computers. The user program consists of functional blocks that comply with the IEC 61131-3 standard, user-defined functional blocks, as well as variables and connections. A controller can load up to 32 user programs and can set priorities for simultaneous processing.

4.2 Variables and System Parameters

Variable types: Supports multiple types such as local variables, global variables, input/output variables, etc., and can assign safe initial values to any variable. When the source of the variable's value from the physical input or communication interface fails, the variable will adopt this initial value to ensure a safe state.

System variables and parameters: System variables are predefined and used to handle the properties or states of the HIMax system in user programs. System parameters are used to configure the behavior of the controller, such as safety time, watchdog time, automatic start, mandatory permission, and other key parameters. These parameters are configured in the detailed view of SILworX's resource properties dialog box or hardware editor.

4.3 Mandatory Function

Forcing is the process of replacing the current value of a variable with a forced value, used to test user programs or simulate unavailable sensors. Mandatory can run at two levels: global (all applications) or local (individual user program). Time limit can be set, and the force will automatically stop after timeout. The use of mandatory functions requires the consent of the organization responsible for acceptance testing, and additional technical and organizational measures must be taken to ensure process safety.

Diagnosis and Event Recording

5.1 LED indicator light

The front panel of the HIMax module provides rich LED indicator lights, divided into multiple groups such as module status, redundancy status, system bus status, rack connection status, slot status, fault status, maintenance status, I/O status, fieldbus status, Ethernet status, and communication status, providing intuitive information for rapid on-site diagnosis.

5.2 Diagnostic History Record

Each HIMax module maintains a diagnostic history that stores faults or other events that occur in chronological order. The diagnostic history is divided into short-term diagnosis and long-term diagnosis, and the storage capacity varies depending on the module type (for example, X-CPU 01 can store 2500 long-term events and 1500 short-term events). SILworX can read, mix, filter, and save these historical records, providing a basis for in-depth analysis of problems.

5.3 Alarm and Event Sequence Recording

The HIMax system is capable of recording alarm and event sequences. An event is a factory or controller status change with a timestamp, and an alarm is an event indicating an increase in risk level.

Boolean event: The state change of a Boolean variable (such as a numerical input) can be arbitrarily assigned between alarm and normal states.

Scalar event: Exceeding the limit defined for scalar variables (such as INT, REAL), two upper limits and two lower limits can be set.

Events can be created by processor modules or specific I/O modules and stored in non-volatile buffers (with a capacity of 5000 events), which are then read by X-OPC servers and transmitted to third-party systems for evaluation or display.

Installation and maintenance

6.1 Environmental and Grounding Requirements

Environment: Operating temperature 0 to 60 ° C, storage temperature -40 to+85 ° C, pollution level II, altitude<2000 m, protection level IP20.

Grounding: The system can operate with floating or L-grounding. The grounding resistance should be ≤ 2 Ω. The control cabinet must use large-area functional grounding connections to ensure electromagnetic compatibility.

6.2 I/O connection method

HIMax provides flexible on-site wiring solutions to meet different application requirements:

Direct connection: Use a single or redundant connection board with screw terminals to directly connect sensors/actuators.

Through FTA connection: Use on-site terminal assembly board and connect to the connection board through system cables. This method facilitates the separation of on-site wiring from the controller, such as installation in a separate wiring cabinet.

6.3 Heat dissipation considerations

Due to the high integration of electronic components, heat dissipation is crucial. The system must be installed on a suitable fan rack above the base plate to ensure ventilation. All unused slots must be inserted with empty modules to ensure airflow channels. The heat dissipation of the control cabinet needs to be calculated based on power consumption, effective surface area, and installation type.

6.4 Startup steps

The first time starting the HIMax system, strict steps need to be followed, including setting the IP address and SRS of the system bus module through the MAC address, setting the "responsible" system bus module, setting the IP address and SRS of the processor module, interconnecting the backplane, logging into the system, loading projects, and starting.