GE 90-70 Sleep Apnea Machine User Manual


 
GFK-1527A Chapter 5 Fault Detection 5-5
Fault Response
The Enhanced Hot Standby CPU Redundancy system detects and reports failures of all critical
components so that appropriate control actions may be taken. All components that acquire or
distribute I/O data or that are involved in execution of the control logic solution are considered
critical components.

In a Redundancy system, fault actions are not configurable as they are in a non-redundancy system.
A FATAL fault in the active unit causes a switch of control to the backup unit. A DIAGNOSTIC
fault allows the currently active system to continue operating as the active system.

Faults within the PLC may be such that:
1. the PLC has a controlled shutdown,
2. the PLC has an uncontrolled shutdown, or
3. the PLC continues to operate.

If the PLC detects an internal fault and has a controlled shutdown, a fault is logged in the fault
table, the other PLC is notified of the fault, and the faulted PLC goes to stop mode and stops
driving outputs. This does not normally occur until the top of the sweep following the failure. The
exception is when the failure occurs during the input scan. In that case, upon notification, the
backup system immediately takes over and starts driving outputs.

If the PLC has an uncontrolled shutdown, the PLC logs a fault if it can and proceeds as described
above. If the backup PLC detects that the active PLC has failed to synchronize, it assumes the
active unit has failed after timing out all (both) available links. The backup then starts driving
outputs and controlling the process. If a fault exists within the PLC that has not been detected, the
system eventually detects the fault through the background diagnostic procedure. When the fault is
detected, the PLC proceeds with the orderly shutdown process if it can.

If the two PLCs fail to synchronize because the timeout is set too short, the two systems start to act
independently. A fault is logged at the time the synchronization failure occurs.
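
The fault-response rules above can be modeled as a small decision function. This is an added illustration, not code from the manual or from the PLC firmware; the function names, the millisecond unit and the sample delays are assumptions constructed for the example. It shows why a timeout shorter than the real synchronization delay makes a healthy pair act independently.

```python
from enum import Enum

class Severity(Enum):
    FATAL = "fatal"
    DIAGNOSTIC = "diagnostic"

def active_fault_response(severity, during_input_scan=False):
    """Controlled-shutdown case: response to a fault detected in the active unit."""
    if severity is Severity.DIAGNOSTIC:
        # DIAGNOSTIC: the active unit keeps operating as the active system.
        return {"active_continues": True, "switch": None}
    # FATAL: fault logged, other PLC notified, faulted PLC stops driving outputs.
    # The switch happens at the top of the next sweep, except when the failure
    # occurs during the input scan, where the backup takes over immediately.
    when = "immediately" if during_input_scan else "top_of_next_sweep"
    return {"active_continues": False, "switch": when}

def backup_assumes_failure(link_delays_ms, timeout_ms):
    """True when every available link timed out at a synchronization point.

    link_delays_ms: per link, the delay of the active unit's sync message,
    or None if nothing arrived (hypothetical representation, unit assumed).
    """
    return all(d is None or d > timeout_ms for d in link_delays_ms)

def outcome(active_running, link_delays_ms, timeout_ms):
    """Resulting system state after one synchronization point."""
    if not backup_assumes_failure(link_delays_ms, timeout_ms):
        return "synchronized"      # at least one link synchronized in time
    if active_running:
        return "independent"       # both units now drive the process
    return "failover"              # backup drives outputs, active is down

if __name__ == "__main__":
    # Constructed sample data: two links, delays in milliseconds.
    cases = [
        ("healthy, adequate timeout", True, [12, 15], 20),
        ("healthy, timeout too short", True, [12, 15], 10),
        ("active down, uncontrolled", False, [None, None], 20),
        ("one link lost, other in time", True, [None, 8], 10),
    ]
    for label, running, delays, timeout in cases:
        print(f"{label}: {outcome(running, delays, timeout)}")
```
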