The 140 CPU 671 60S Quantum Safety CPU module is certified for use in Hot Standby SIL3 solutions compliant with the 61508 IEC standard. For more details about to the safety certifications, refer to the Modicon Quantum Safety PLC Safety Reference Manual.
In the Standalone Safety CPU, the Ethernet port is used to communicate with other devices using a normal Ethernet cable.
In the Hot Standby Safety CPU, the connection used to exchange data between the Primary CPU and the Standby CPU controller is a fiber optic link. Because the fiber optic link is not part of the Safety loop, the PFD and PFH values of the Hot Standby CPU are the same as those of the Standalone CPU.
Each Safety CPU can include a PCMCIA memory card, but its use and presence is not mandatory.
NOTE: This CPU cannot be used in a Quantum Ethernet I/O Hot Standby system.
Description of a Safety Hot Standby Configuration
The Hot Standby configuration contains two identical local racks and at least one remote I/O drop because I/Os cannot be placed in the local rack of a Safety Hot Standby configuration.
Besides a power supply module (there must be at least one 140 CPS 124 20 or one 140 CPS 22 400), each local rack must contain:
-
140 CPU 671 60S module
-
140 CRP 932 00 module
Besides a power supply, I/O modules (including at least one 140 CPS 124 20 or one 140 CPS 22 400), the remote drop(s) must include a 140 CRA 932 00 module.
Description of the Operating Modes
-
Safety Mode: This is the default mode. It is a restricted mode in which modifications and maintenance activities are prohibited.
-
Maintenance Mode: This is a temporary mode for modifying the project, debugging and maintaining the application program.
State Compatibility with Safe and Maintenance Modes
A Quantum Hot Standby system has two states:
-
Redundant (1 CPU is Primary, 1 is Standby)
The Standby CPU controller mode follows the Primary CPU controller mode. For example, if you switch the Primary CPU controller from Safety to Maintenance mode, the Standby CPU controller switches from Safety to Maintenance mode at the start of the next cycle.
-
Non-redundant (at least 1 CPU Offline)
The two controllers are independent, one can be in Safety mode and the other one in Maintenance mode. For example, the Run Primary controller can be in Safety mode while the Stop Offline controller is in the Maintenance mode.
Impact of the PLC Switchover on the Process Safety Time
If the Primary CPU detects an internal or external problem, it stops exchanging data with the Standby CPU and stops processing the I/O. As soon as the Standby CPU detects that there are no longer exchanges with the Primary CPU, it takes over the role of the Primary CPU, executing the user logic and processing the I/O. Therefore, the output modules must filter the lack of exchange with the Primary CPU to avoid glitches when a Switchover occurs. This is achieved by configuring the output module time-out. As a result, the PLC reaction time is greater than the time-out configured in the output module, thereby influencing the process Safety time.
NOTE: The behavior of the Hot Standby Safety CPU is equivalent to a Standalone Safety CPU.
In case of a detected error, the Safety PLC enters:
Availability of the Hot Standby Functions
In addition to the standard Hot Standby functions, you can use an EFB to program an automatic Switchover between Primary CPU and Standby CPU to verify the ability of the Standby CPU to take over from the Primary CPU. That means that the Standby CPU periodically becomes the Primary CPU and the Primary CPU becomes the Standby CPU.
It is recommended to avoid using the USB link during a Switchover.
The following table lists the available Hot Standby functions in Maintenance and Safety modes:
|
Function
|
Maintenance Mode
|
Safety Mode
|
|
Hot Standby
|
yes
|
yes
|
|
Switchover
|
yes
|
yes
|
|
EFB Swap
|
no
|
yes
|
|
Keypad
|
yes
|
yes
|
|
Application mismatch
|
yes
|
no
|
|
OS Upgrade
|
yes, if Standby CPU is in Stop Offline
|
no
|
|
Application Transfer
|
yes
|
no
|
NOTE: Applying the power simultaneously to Primary CPU and Standby CPU is allowed, but we recommend to do it sequentially.
CAUTION 