135613-01-00模块备件

135613-01-00

证明
HIMA的安全相关自动化设备（可编程电子系统，PES）
HIMax系统已由TÜV根据以下要求进行功能安全测试和认证：
根据以下列出的标准：
TÜV莱茵工业服务有限公司
自动化、软件和信息技术
我是格劳恩·斯坦
51105 Köln
证书和测试报告
HIMax安全相关自动化设备
预期用途：用于过程控制的安全相关可编程电子系统，燃烧器
管理（BMS）、紧急停机和机械，其中要求安全状态
是断电状态。
需求状态为断电或通电状态的应用。
国际标准：
EN/IEC 61508，1-7部分：2000 SIL 3
EN/IEC 61511:2004 SIL 3
EN/ISO 13849-1:2008性能等级e
EN/IEC 62061:2005，包括1部分和2部分：2009
EN 50156-1:2006
EN 12067-2:2004
EN 298:2004+Cor 1:2006
EN 230:2005
NFPA 85:2007
NFPA 86:2007
EN/IEC 61131-2:2007
EN/IEC 61000-6-2:2005
EN 61000-6-4:20071
EN 54-2:1997/A1:2007
NFPA 72:2002
“操作要求”一章包含所有环境和EMC要求的详细列表
进行了测试。
所有装置均已获得合格标志。
要对HIMax设备进行编程，需要PADT，即运行的PC
金丝雀
编程软件。该软件帮助用户操作自动化设备和
使用功能框图（FBD）和时序图创建安全相关程序
功能图（SFC）符合IEC 61131-3。请参阅SILworX在线帮助
以及SILworX一步手册（HI 801 103 E），以了解更多详细信息。
HIMax 4处理器模块
HI 801 003 E版本4.00共64页23页
4个处理器模块
处理器模块的安全功能通过使用
两个处理器不断比较数据。如果发生故障，看门狗设置
模块转换为安全状态并报告CPU状态。
有关处理器模块的更多详细信息，请参阅手册。
4.1自检
以下章节规定了控制器安全相关处理器模块的重要自检例程：
ƒ处理器测试
ƒ记忆测试
ƒ比较器测试
ƒ具有非易失性存储器的CRC测试
ƒ看门狗测试
4.2对处理器模块故障的反应
处理器模块内的硬件比较器久性地比较处理器模块的数据
微处理器系统1与微处理器系统2的微处理器系统1不同
测试例程自动检测处理器模块、控制器中的故障
假设错误停止状态，并且看门狗信号被关闭。处理器
模块不再处理用户程序，并将输出设置为断电、关闭状态。
4.3更换处理器模块
更换处理器模块之前，确保更换不会导致静止故障
正在运行HIMax系统以停止。
特别是，这适用于按照通电跳闸模式运行的系统
道德原则此类系统的故障会导致安全功能的丧失。
冗余处理器模块可以在运行期间更换
处理器模块可用于维持安全相关操作，而另一个
模块正在更换。
注
可能会中断安全相关操作！
用点亮或闪烁的Ess LED替换处理器模块可能会导致
控制器操作的中断。
请勿卸下Ess LED亮起或闪烁的处理器模块。
点亮或闪烁的Ess LED指示系统需要处理器模块才能运行
作用
即使LED不亮或不闪烁，该处理器模块也会减少系统冗余
是的一部分，必须使用SILworX进行检查。通信连接由
还必须考虑处理器模块。
请参阅处理器模块手册（HI 801 009 E）和系统手册
（HI 801 001 E）了解有关如何更换处理器模块的更多详细信息。
5系统总线模块HIMax
24页，共64页HI 801 003 E版本4.00
5系统总线模块
系统总线模块管理两条安全相关系统总线之一。二者
系统总线彼此冗余。每个系统总线将各个
模块和基板。系统总线使用安全相关协议传输数据。
仅包含一个处理器模块的HIMax系统可以以较低的成本运行
仅使用一条系统总线的可用性级别。
5.1机架ID
机架ID标识资源中的机架，并且对于每个机架必须是一的。
机架ID是寻址单个机架和模块的安全参数
骑在他们身上！
机架ID存储在系统总线模块的连接器bioard中，必须
使用系统总线模块修改。每当必须更改机架ID时，例如：
安装新的HIMax系统时，请遵循系统手册中的说明。
系统Ma中描述了配置机架ID的步骤

135613-01-00

135613-01-00

Certification
HIMA safety-related automation devices (Programmable Electronic Systems, PES) of the
HIMax system have been tested and certified by TÜV for functional safety in accordance
with and the standards listed below:
TÜV Rheinland Industrie Service GmbH
Automation, Software und Informationstechnologie
Am Grauen Stein
51105 Köln
Certificate and test report
safety-related automation devices HIMax
Intended use: Safety Related Programmable Electronic System for process control, Burner
Management (BMS), emergency shut down and machinery, where the demand safe state
is the de-energized state.
Applications, where the demand state is the de-energized or energized state.
International standards:
EN / IEC 61508, Parts 1-7: 2000 SIL 3
EN / IEC 61511: 2004 SIL 3
EN / ISO 13849-1: 2008 Performance level e
EN / IEC 62061: 2005 Incl. Cor 1 and Cor 2: 2009
EN 50156-1: 2006
EN 12067-2: 2004
EN 298: 2004 +Cor 1: 2006
EN 230: 2005
NFPA 85: 2007
NFPA 86: 2007
EN / IEC 61131-2: 2007
EN / IEC 61000-6-2: 2005
EN 61000-6-4: 20071
EN 54-2: 1997 /A1: 2007
NFPA 72: 2002
Chapter 'Operating Requirements' contains a detailed list of all environmental and EMC
tests performed.
All devices have received the mark of conformity.
To program the HIMax devices, a PADT is required, i.e., a PC running
SILworX
programming software. This software helps the user operate the automation devices and
create safety-related programs using Function Block Diagrams (FBD) and Sequential
Function Charts (SFC) in accordance with IEC 61131-3. Refer to the SILworX online help
and SILworX First Steps Manual (HI 801 103 E) for further details. 
HIMax 4 Processor Modules
HI 801 003 E Rev. 4.00 Page 23 of 64
4 Processor Modules
The processor module's safety function is maintained by processing the user program with
two processors that constantly compare their data. If a fault occurs, the watchdog sets the
module to the safe state and reports the CPU state.
Refer to the manuals for further details about the processor modules.
4.1 Self-Tests
The following section specifies the most important self-test routines of controllers' safetyrelated processor modules:
ƒ Processor test
ƒ Memory test
ƒ Comparator test
ƒ CRC test with non-volatile memories
ƒ Watchdog test
4.2 Reactions to Faults in the Processor Module
A hardware comparator within the processor module permanently compares the data of the
microprocessor system 1 to those of the microprocessor system 2. If they are different, or if
the test routines detect failures in the processor module, the controller automatically
assumes the error stop state and the watchdog signal is switched off. The processor
module does no longer process the user program and sets the outputs into the deenergized, switched-off state.
4.3 Replacing Processor Modules
Prior to replacing a processor module, ensure that the replacement will not cause a still
running HIMax system to stop.
In particular, this applies for systems running in accordance with the energized to trip
principle. The failure of such systems causes the loss of the safety function.
Redundant processor modules can be replaced during operation, provided that at least one
processor module is available that can maintain safety-related operation while the other
module is being replaced.
NOTE
Interruption of the safety-related operation possible!
Replacing a processor module with a lit or blinking Ess LED can result in the
interruption of a controller's operation.
Do not remove processor modules with a lit or blinking Ess LED.

A lit or blinking Ess LED indicates that the processor module is required for the system to
function.
Even if the LED is not lit or blinking, the system redundancies which this processor module
is part of, must be checked using SILworX. The communication connections processed by
the processor module must also be taken into account.
Refer to the Processor Module Manual (HI 801 009 E) and to the System Manual
(HI 801 001 E) for more details on how to replace processor modules. 
5 System Bus Module HIMax
Page 24 of 64 HI 801 003 E Rev. 4.00
5 System Bus Module
A system bus module administrates one of the two safety-related system busses. The two
system busses are redundant to one another. Each system bus interconnects the various
modules and base plates. The system busses transfer data using a safety-related protocol.
A HIMax system containing only one processor module can be operated at a reduced
availability level using only one system bus.
5.1 Rack ID
The rack ID identifies a rack within a resource and must be unique for each rack.
The rack ID is the safety parameter for addressing the individual racks and the modules
mounted on them!
The rack ID is stored in the connector bioard of the system bus module and must be
modified using the system bus module. Whenever the rack ID must be changed, e.g., when
installing a new HIMax system, follow the instructions given in the system manual.
The procedure for configuring the Rack ID is described in the System Manual
(HI 801 001 E) and in the SILworX First Step Manual (HI 801 103 E).
5.2 Responsibility
Only one of the system bus modules contained in each system bus may receive the
Responsible attribute and thus be configured as Responsible for the system bus operation.
ƒ For system bus A, the Responsible attribute is reserved for the system bus module in
rack 0, slot 1.
ƒ For system bus B, the attribute can be set using SILworX.
The responsible system module must be either located in rack 0 or rack 1.
Make sure that this requirements are met prior to starting safety-related operation.
The procedure for setting the Responsible attribute is described in the SILworX First Step
Manual (HI 801 103 E).
 WARNING
Physical injury possible!
SILworX must be used to verify the configuration.
Proceed as follows:
ƒ In SILworX, log in to the system module on rack 0, slot 2.
ƒ In SILworX, log in to the system module on rack 1, slot 2.
ƒ Check the Control Panels of both system bus modules to ensure that the
Responsible attribute has only been set for the correct system bus module (see
Figure 1 and Figure 2)!

Recommended configurations:
ƒ If processor modules are only contained in rack 0, both system bus modules in rack 0
must be set to Responsible (Figure 1).
ƒ If processor modules are also contained in rack 1 (Figure 2), the following system bus
modules must be set to Responsible.
- In rack 0, the system bus module in slot 1.
- In rack 1, the system bus module in slot 2.