Master redundancy
It is possible to start the DP master in redundancy mode in order to assemble a redundant controller system. In this case, the DP master only listens to the bus, but is not active on it.
To assemble a redundant controller system, two masters are on the PROFIBUS. The primary master, which performs communication under normal circumstances, and the redundancy master, which only listens to the bus without transmitting, both have identical configurations. The only difference in the PROFIBUS configuration between the primary and redundancy masters should be the setting of the Redundancy Mode and of SetPrm-Unlock before DP Start-Up or SetPrm-Unlock at Shutdown (TwinCAT 2.8: see the master's PROFIBUS tab, TwinCAT 2.9: see master's Fault-Settings dialog), and possibly of the Watchdog of the device (TwinCAT 2.8: see the master's FC310x tab, TwinCAT 2.9: see master's Fault-Settings dialog).
Primary-Master: the Redundancy Mode is not active. The settings of SetPrm-Unlock before DP Start-Up and of SetPrm-Unlock at Shutdown should be deactivated, if there is to be no interaction on the DP slaves when the primary master starts or stops (outputs remain unchanged). It is also necessary for the Watchdog to be set on the device's "FC310x" tab (for TwinCAT 2.8 and TwinCAT 2.9), so that if the PC crashes, the primary master will log itself off the bus.
Redundancy Master: the Redundancy Mode is active. The settings of SetPrm-Unlock before DP Start-Up and of SetPrm-Unlock at Shutdown should be deactivated, if there is to be no interaction on the DP slaves when the primary master starts or stops (outputs remain unchanged).
There are also three counters and a StartRedundancyMasterFlag as interfaces to the PC:
Counter[2] (ReceivedTelegram-Counter): This counter is incremented every time a valid PROFIBUS telegram is received.
Counter[3] (ReceivedTelegramFromPrimary-Counter): This counter is incremented every time a valid PROFIBUS telegram is received from the primary master (which has the same station address as the redundancy master).
Counter[4] (ClaimTokenTimeout-Counter): This counter is incremented every time the redundancy master detects a time-out on the bus after it has taken over bus activity under normal circumstances, i.e. with Redundancy mode deactivated. (ClaimTokenTimeout time = (6 + 2 * station address of the DP master) * slot time).
StartRedundancyMasterFlag: This can be used to start or stop the redundancy master.
The application, which may be the PLC task or another program, is therefore itself responsible for diagnosing the failure of the primary master. This might, for instance, seen from the fact that the ReceivedTelegram Counter and the ReceivedTelegramFromPrimaryMaster Counter are no longer being incremented, the ClaimTokenTimeout Counter is incremented, or because the application-specific monitoring in the two PCs triggers. The redundancy master only becomes active on the bus when the StartRedundancyMaster flag is set. Starting takes approximately 10 x the minimum slave interrupt (TwinCAT 2.8: see the master's PROFIBUS tab, TwinCAT 2.9: see master's Bus-Parameter dialog). When the StartRedundancyMaster flag is reset again, the redundancy master ends its bus activity the next time a token is sent. This will be at the end of the DP cycle, and at the latest after the Estimated Cycle Time (see the device's "FC310x" tab (for TwinCAT 2.8 and TwinCAT 2.9)). The connection to the slave is not removed (independently of the SetPrm-Unlock at Shutdown setting).
When setting the DP slave's DP watchdog (see the box's PROFIBUS tab) it is important to ensure that the DP watchdog time is longer than the application's monitoring time for the primary master plus the start-up time of the redundancy master, so that the redundancy master can take over the DP slave without interactions.
The redundancy master, furthermore, does not update any process data as long as it is only listening to the bus. The DpState of the boxes should be evaluated when it starts; if this is 0, the process data is also up-to-date.