FC310x - Profibus PCI fieldbus card

Master redundancy

It is possible to start the DP master in redundancy mode in order to assemble a redundant control system. In this case, the DP master only listens to the bus, but is not active on it.

To assemble a redundant control system, two masters with identical configurations are placed on the PROFIBUS: the primary master, which performs communication under normal circumstances, and the redundancy master, which only listens to the bus without transmitting. The only differences in the PROFIBUS configuration between the primary and the redundancy master should be in the settings Redundancy Mode and SetPrm-Unlock before DP Start-Up or SetPrm-Unlock at Shutdown (TwinCAT 2.8: see PROFIBUS tab of the master, TwinCAT 2.9: see Fault Settings dialog) and perhaps the device watchdog (TwinCAT 2.8: see FC310x tab of the master, TwinCAT 2.9: see Fault Settings dialog).

Primary-Master: the Redundancy Mode is not active. The settings of SetPrm-Unlock before DP Start-Up and of SetPrm-Unlock at Shutdown should be deactivated, if there is to be no interaction on the DP slaves when the primary master starts or stops (outputs remain unchanged). In addition, the device watchdog must be set (TwinCAT 2.8: see FC310x tab of the master, TwinCAT 2.9: see Fault Settings dialog), to ensure that the primary master logs off the bus in the event of a PC crash.

Redundancy Master: the Redundancy Mode is active. The settings of SetPrm-Unlock before DP Start-Up and of SetPrm-Unlock at Shutdown should be deactivated, if there is to be no interaction on the DP slaves when the primary master starts or stops (outputs remain unchanged).

There are also three counters and a StartRedundancyMasterFlag as interfaces to the PC:

 
[Figure: Counter and StartRedundancyMasterFlag]

Counter[2] (ReceivedTelegram-Counter): This counter is incremented every time a valid PROFIBUS telegram is received

Counter[3] (ReceivedTelegramFromPrimary-Counter): This counter is incremented every time a valid PROFIBUS telegram is received from the primary master (which has the same station address as the redundancy master)

Counter[4] (ClaimTokenTimeout-Counter): This counter is incremented every time the redundancy master detects a timeout on the bus after it has taken over bus activity under normal circumstances, i.e. with Redundancy mode deactivated. (ClaimTokenTimeout time = (6 + 2 * station address of the DP master) * slot time).

StartRedundancyMasterFlag: This can be used to start or stop the redundancy master.

The application (PLC task or other program) is therefore responsible for diagnosing a failure of the primary master (by detecting that the ReceivedTelegram-Counter and the ReceivedTelegramFromPrimary-Counter no longer increment, that the ClaimTokenTimeout-Counter increments, or that the user-specific monitoring of the two PCs is triggered). The redundancy master only becomes active on the bus when the StartRedundancyMasterFlag is set; the start-up takes approx. 10 times the min. slave interval (TwinCAT 2.8: see PROFIBUS tab of the master, TwinCAT 2.9: see Bus Parameters dialog). If the StartRedundancyMasterFlag is reset, the redundancy master stops its bus activity when the next token is sent (at the end of the DP cycle, but no later than the Estimated Cycle Time (see "FC310x" tab (for TwinCAT 2.8 or TwinCAT 2.9) of the device)), without interrupting the connection to the slaves (irrespective of the setting SetPrm-Unlock at Shutdown).

When setting the DP slave's DP watchdog (see the box's PROFIBUS tab) it is important to ensure that the DP watchdog time is longer than the application's monitoring time for the primary master plus the start-up time of the redundancy master, so that the redundancy master can take over the DP slave without interactions.

The redundancy master, furthermore, does not update any process data as long as it is only listening to the bus. The DpState of the boxes should be evaluated when it starts; if this is 0, the process data is also up-to-date.
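The failure diagnosis and the DP watchdog timing rule described above, modelled in Python as an added example (this is not Beckhoff or TwinCAT code). The class and function names, the stall threshold in task cycles, the latching of the flag and the sample counter values are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Counters:
    """Counter values read from the redundancy master in one task cycle."""
    rx: int             # Counter[2], ReceivedTelegram-Counter
    rx_primary: int     # Counter[3], ReceivedTelegramFromPrimary-Counter
    claim_timeout: int  # Counter[4], ClaimTokenTimeout-Counter

def claim_token_timeout(station_address, slot_time):
    """ClaimTokenTimeout time = (6 + 2 * station address) * slot time."""
    return (6 + 2 * station_address) * slot_time

def watchdog_long_enough(dp_watchdog_ms, monitoring_ms, min_slave_interval_ms):
    """DP watchdog must exceed monitoring time plus redundancy start-up time."""
    startup_ms = 10 * min_slave_interval_ms  # "approx. 10 times" per the text
    return dp_watchdog_ms > monitoring_ms + startup_ms

class FailoverMonitor:
    """Derives the value of StartRedundancyMasterFlag from counter samples."""
    def __init__(self, stall_cycles):
        self.stall_cycles = stall_cycles  # assumed threshold, in task cycles
        self.prev = None
        self.stalled = 0
        self.start_flag = False

    def update(self, now):
        if self.prev is not None and not self.start_flag:
            # Compare with == / != so a counter wrap-around counts as progress.
            silent = (now.rx == self.prev.rx
                      and now.rx_primary == self.prev.rx_primary)
            self.stalled = self.stalled + 1 if silent else 0
            timeout_seen = now.claim_timeout != self.prev.claim_timeout
            # Assumption: the flag latches until the application resets it.
            self.start_flag = timeout_seen or self.stalled >= self.stall_cycles
        self.prev = now
        return self.start_flag

def run(samples, stall_cycles):
    """Feed samples through a fresh monitor; return the flag for each cycle."""
    monitor = FailoverMonitor(stall_cycles)
    return [monitor.update(s) for s in samples]

# Constructed samples: the primary is active for three cycles (including a
# wrap to 0; the counter width is an assumption), then the bus goes silent.
SAMPLES = [Counters(65534, 65534, 0), Counters(65535, 65535, 0),
           Counters(0, 0, 0), Counters(0, 0, 0), Counters(0, 0, 0),
           Counters(0, 0, 0)]
```

The monitoring time passed to `watchdog_long_enough` is the stall threshold multiplied by the task cycle time, so a larger threshold requires a longer DP watchdog on the slaves.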