PACSystems Hot Standby CPU Redundancy User`s Manual, GFK
Contents
1. IEEE d k Hardware Reference View g Rack o qc Report Ctd T D gt Logic m Reference View Add Rack Ut Supplemental Fi E an aaa a c Mirror to Secondary Hardware Configuration Gd Data Watch Lists Import from File E ge Ethernet Global Export to File Redundancy To configure a Hot Standby CPU Redundancy system using the wizards 1 Run the Set up Primary Hardware Configuration for CPU Redundancy wizard This wizard configures a redundancy CPU in slot 1 of the main rack and allows you to select the location of the RMX modules used for redundancy links 2 For RX7i systems run the Add GBCs for Genius Redundancy wizard to configure Genius bus controllers in the primary unit For RX3i systems configure the Genius bus controllers in Hardware Configuration Complete configuration of all parameters for the primary unit When you have finished configuring the primary unit run the Generate Secondary Hardware Configuration from the Current Configuration wizard This wizard copies the primary hardware configuration to the secondary configuration and adjusts appropriate parameters for the secondary configuration 5 Edit the configuration parameters for each item in the secondary unit s hardware configuration that is unique for the secondary unit for example the secondary unit s direct IP address and the CPU s SNP ID 4 2 PACSystems Hot Standby CPU Redundancy User s Manual July2. A network error was detected on the fiber optic link that connects the two RMX modules This includes data checks on mismatches protocol errors and rogue packets Failure of the other CPU to rendezvous at the next synchronization point within the Fail Wait time The following actions are taken when a redundancy link communications failure occurs 1 Either a Redundant Link Communications Failure or Fail Wait Time Exceeded fault is logged in the PLC Fault Table of both units The LINK OK LEDs on both RMX modules are turned off The fault locating references that correspond to the module are set i e the SLOT 00XX fault contact is set where XX is the slot number for the RMX module The corresponding redundancy link is no longer used If the other link is still operating that link is used for all further data transfer and the units can remain in synchronization If the other redundancy link is not available and either unit is in Run mode that unit operates as a non synchronized active unit If the RMX modules OK LEDs are still ON the link can be restored to service by power cycling either unit or storing a hardware configuration to either unit If either OK LED is OFF power must be cycled on the rack to restore that RMX module to service PACSystems Hot Standby CPU Redundancy User s Manual July 2010 GFK 2308F s Fault Actions in a CPU Redundancy System Fault actions in the Hot Standby CPU Redundancy System are ha
3. AQ00 The limit configured for AQ references is The starting address for the range of AQ 001 based on values provided in the Memory references that are synchronized between tab The value of the beginning reference the redundant CPUs address plus the value of the length must be less than or equal to the configured limit AQ Length 0 0 through AQul AQref 1 where The number of AQ reference addresses Aqul the upper limit of AQ memory that are synchronized between the configured on the Memory tab and redundant CPUs The limit configured for Aqref the value set in the AQ AQ references is based on values Reference parameter provided in the Memory tab The value of the beginning reference plus the value of the length must be less than or equal to the configured limit R Reference R000 The limit configured for R references is The starting address for the range of R 01 based on values provided in the Memory references that are synchronized between tab The value of the beginning references the redundant CPUs plus the value of the length must be less than or equal to the configured limit R Length 0 0 through Rul Rref 1 where Rul the The number of R reference addresses that upper limit of R memory configured on are synchronized between the redundant the Memory tab and Rref the value set CPUs The limit configured for R in the R Reference parameter references is based on values provided in th
4. 0x05 0x3C Dual RMS aborted user commanded loss of communications failed download to a controller whose redundant partner does not have a pending dual RMS The controller will abort the RMS and delete any new application data that had been stored Dual RMS aborted user commanded loss of communications failed download to a controller whose redundant partner has a pending dual RMS Both controllers will abort the RMS and delete any new application data that had been stored Loss of synchronization in a dual RMS where only one controller has a pending dual RMS The controller will abort the RMS and delete any new application data that had been stored Loss of synchronization in a dual RMS where both controllers have a pending dual RMS Both controllers will abort the RMS and delete any new application data that had been stored The two controllers determine that the newly stored transfer lists are not compatible Both controllers will abort the RMS and delete any new application data that had been stored One or both of the units determine that there is a problem with one of the components downloaded during the run mode store Both controllers will abort the RMS and delete any new application data that had been stored A loss of synchronization occurs after the activation of the new components begins but before it completes Both units complete the activation of newly stored applicatio
5. GENIUS 1DB 3iRC 1085BA Redundant Controller 10 Remote I O Devices 1 Dual Genius Bus GENIUS 2DB 3iRC 2085BA Redundant Controller 20 Remote I O Devices 2 Dual Genius Buses How to Choose a Template Steps to choose a template 1 Decide between a simplex controller and a redundant controller 2 Determine the number of Genius remote UO devices in your system Choose a template that supports the number of remote devices or greater 3 Determine how many Dual Genius Buses are in your system GFK 2308F Appendix A RX3i Dual Genius Bus Overview A 3 a RX3i Dual Bus Genius Functionality A 4 Dual Bus Genius provides cable redundancy from the controller s to the remote I O devices This is achieved by two GBOs in the PLC or two in each PLC for Redundant PLCs Each GBC has an associated cable network that connects to all the remote I O devices The remote UO devices are connected to both cable networks through a single interface that decides which cable network to communicate on The remote I O devices automatically switch from one cable network to the other if communication is lost on the first cable network Additionally the PLC can be programmed to command the remote I O devices to switch to the other cable network The PLC has status bits for each remote I O device indicating if a remote UO device is on one or the other cable network Inputs and Outputs can be configured to Hold Last State or go to zero if
6. PACSystems Hot Standby CPU Redundancy User s Manual July 2010 GFK 2308F Redundancy Parameters Parameter Default Choices Description Redundancy Primary Primary Specifies whether the current Hardware Mode Secondary Configuration is Primary or Secondary Read only when the Dual Note When the Dual HWC target HVC target property is set Property is set to True one Hardware to True Configuration is automatically set to Primary and the other to Secondary Control HSB HSB Selects the HSB control strategy Strategy Fail Wait 60 60 through 400 ms in The maximum amount of time this CPU Time increments of 10 ms waits for the other CPU to reach a synchronization point For recommendations on setting Fail Wait time see chapter 5 Redundancy Determined by Read only The number of redundancy links Links number of 0 The CPU behaves as a configured for this unit Each redundancy redundancy links redundancy CPU without a link is a pair of RMX modules one in configured for this backup each unit that have the Redundancy Link unit 1 The CPU behaves as a parameter set to Enabled redundancy CPU with one redundancy link 2 The CPU behaves as a redundancy CPU with two redundancy links Strongly Recommended Redundancy Link 1 Rack 0 Read only 0 The rack location of the first RMX Number module Shown only if the Redundancy Links parameter is 1 or 2 Slot Number
7. Units Are Not Fully Synchronized Due to actions taken by the user the two units in a CPU redundant system are not fully synchronized This means the backup unit is not executing with the same inputs and or outputs as the active unit while the units are synchronized due to data transfers being disabled Disable the logic that executes SVC_REQ 43 14 Redundant link communication failure Communications with the other CPU over this link has failed If the other unit failed or lost power power cycle it Verify one CPU is configured for primary and the other for secondary Check the cable connections between the two RMX modules If the fault is accompanied by a Loss of Module fault see corrective action for Loss of Module fault Otherwise contact Technical Support 15 Fail Wait time exceeded The other CPU failed to rendezvous at a synchronization point within the Fail Wait time Increase the configured Fail Wait time 17 Could not synchronize The remote unit is unable to synchronize Attempt to synchronize after the with remote with the local unit because it is remote unit completes its RMS performing an RMS GFK 2308F Chapter 6 Fault Detection s Other Fault Groups The following table lists messages descriptions and corrective actions for error codes associated with redundancy in other fault groups error Group 2 pu Messag
8. X X X X where x ranges from 1 to 255 This IP address also known as the direct IP address always applies only to this unit The IP Address should be assigned by the person responsible for your network TCP IP network administrators are familiar with these sorts of parameters and can assign values that work with your existing network If the IP address is improperly set your device may not be able to communicate on the network and could disrupt network communications Redundant IP Disable Disable Enable Enabling this feature allows the Ethernet Interface to share an IP address with the corresponding Ethernet Interface in the other unit When this parameter is enabled a Redundant IP Address must be entered Redundant IP Address 0 0 0 0 X X X X where x ranges from 1 to 255 Available only when the Redundant IP parameter is set to Enable The IP address shared by two Ethernet Interfaces that are connected to the same network and reside in separate units one in the primary unit and the other in the secondary unit Although the redundant IP address is shared by both Ethernet Interfaces only the Interface in the active unit responds to this IP address This IP address is assigned in addition to the device s primary IP address For a pair of Ethernet Interfaces the redundant IP address must be the same value on the primary and secondary units Note The redundant IP address must not be the same as th
9. backup between the two units and must be repaired If a fatal fault has been logged in the secondary unit the indicated fault must be repaired Power may have to be cycled on one of the units in order to re establish communications and return to a synchronized system 8 Unable to Switch An attempt to switch redundancy roles None required Redundancy Roles was made when it was not possible to perform the switch 6 2 PACSystems Hot Standby CPU Redundancy User s Manual July 2010 GFK 2308F Error Code Message Fault Description Corrective Action 9 Primary and secondary This unit could not be placed into RUN Correct the configurations so that the units are incompatible mode because the configurations were not compatible CPUs have compatible transfer lists and the same point faults enabled setting 10 CPU to CPU communications terminated Synchronization protocol has been violated Contact Technical Support If the fault is accompanied by a Loss of Module fault see corrective action for Loss of Module fault The link can be restored to service by power cycling either unit or storing configuration to either unit 11 Redundant Link has timed out The CPU has timed out while waiting on communications from the other unit Contact Technical Support The link can be restored to service by power cycling either unit or storing configuration to either unit 12
10. configured differently for redundancy CPUs 3 3 Fault detection 6 1 Fault groups configurable 6 8 non configurable 6 9 Fault messages for redundancy 6 2 Fault response 6 5 G Genius blocks configuring 4 13 installing on same end of bus 3 17 Genius bus controller 3 5 Genius Duplex output mode 3 17 Index 1 Index Index 2 Genius HSB operation 3 11 Genius I O 3 11 output control 3 11 RX3i dual bus overview A 1 H Hot Standby HSB CPU redundancy 1 1 features 1 2 defined 1 4 Genius operation 3 11 Genius output control 3 11 Hot Swap RX3i 6 11 RMX modules 3 4 UO scan sets 5 19 UO systems description 3 5 IEC Transitionals 5 7 Input data transfer 5 7 Interrupts not available with Redundancy CPUS 3 3 L LEDs operation when link is removed 5 3 RMX 3 4 Links failing 6 6 removed 5 3 Local I O 3 5 M Multiple I O scan sets 5 19 Non configurable fault groups 6 9 Non redundant operation 3 3 configuring 4 1 Non synchronized active units NSAU conditions 4 20 5 3 5 4 5 7 defined 1 4 split control 5 21 6 10 repairing 6 12 O Offset 5 24 Online programming 1 3 Online repair 1 3 description 6 10 Output control Genius 3 11 Output data transfer 5 7 P Parameters 4 4 PID function blocks 5 19 Powerup 5 2 Preferred master 5 16 Primary unit defined 1 4 powerup sequence 5 2 Produce in backup mode 5 24 Programming online 1 3 Q Quic
11. defined 1 4 Background Window timer configuring 4 5 different for redundancy CPUs 3 3 disabling 5 18 Backup Unit defined 1 4 switching control to 5 15 commanding from program 5 15 switching times 5 15 validating the input scan 5 14 validating the logic solution 5 14 Bus Controller Genius 3 5 configuring 4 13 dual GBCs at same end of bus 3 17 switching 5 20 C Communications terminating 6 6 Configurable fault groups 6 8 Configuration hardware 4 4 storing downloading 4 16 Constant Sweep mode 4 4 Contacts timed 5 19 CPU parameters 4 4 Faults 4 6 Redundancy 4 7 Settings 4 4 Transfer List 4 8 CPU Redundancy defined 1 4 Critical component defined 1 4 Index D Data transfer 5 7 from backup to active unit 5 11 inputs 5 7 outputs 5 8 ranges configuring 4 8 time 5 8 variables configuring 4 14 Definitions 1 4 Diagnostics 6 1 Disable data transfer copy in backup unit 5 12 Downloading configuration 4 16 Dual Bus defined 1 4 Duplex Genius output mode 3 17 Error checking and correction ECC 3 3 5 18 fault configuration 4 6 Ethernet controller configuring communications window 4 4 Ethernet global data consumption 5 24 produce in backup mode 5 24 production 5 23 redundant IP addresses 5 21 Ethernet Interface parameters 4 11 Ethernet network interface unit NIU 3 5 Ethernet remote UC 3 6 F Fail Wait time 4 7 5 6 Fault actions 6 7 configuration 6 7
12. is also sent Sweep Time Synchronization During the first transfer the active unit automatically sends a synchronizing message to the backup unit This message contains the Start of Sweep Time The CPUs stay synchronized because the active unit waits for the backup CPU to respond to the synchronizing message before starting its logic execution The Start of Sweep Time message transfer repeatedly coordinates the elapsed time clocks upon which timers are based in the redundant CPUs The system time is continuous as long as one of the two systems is running When a switchover occurs the same time continues to be kept in the new active unit Transition Contacts and Coils PACSystems supports two types of Transition contacts and coils m Legacy Transition contacts and coils POSCON NEGCON POSCOIL and NEGCOIL m IEC Transition contacts and coils PTCON NTCON PTCOIL and NTCOIL The essential difference between the two types of instruction is that each IEC transitional used in logic has its own associated instance data The instance data gives the state ON or OFF of the BOOL variable associated with the contact or coil the last time it was executed For additional information on Transition contacts and coils refer to the PACSystems CPU Reference Manual GFK 2222 For any redundant transfer data item placed in a transfer list that is located in a discrete reference table or in the symbolic discrete reference region the associated Override
13. the backup unit waits for a synchronization request from the active unit If the backup unit does not receive the request within its configured Fail Wait time it transitions to NSAU operation If the backup unit receives a synchronization request within the Fail Wait time it waits to receive the synchronization data If it receives the data within 60ms synchronization completes If it does not receive the data the backup unit operates as a NSAU Dual Synchronization Dual Synchronization occurs when both CPUs transition to Run at the same time The primary unit becomes the active unit and the secondary unit becomes the backup unit Non retentive data is cleared and the FST_SCN reference and 4FST EXE bits are set to 1 Resynchronization Resynchronization occurs when one unit is already in Run mode and the other unit is put into Run mode The unit already in RUN mode remains the active unit and the transitioning unit becomes the backup unit The behavior is the same whether the unit going to RUN is the primary unit or the secondary unit At this point the active unit sends the output transfer data and the input transfer data to the backup unit In addition to the configured redundancy transfer data the FST SCN 96S reference as well as internal timer information and FST EXE for each common logic block are transferred from the active unit to the backup unit Only the internal timers and FST_EXE data for program blocks with the same name
14. 1 6 Openthe restored project Assign IP addresses to all the Ethernet modules In assigning IP addresses consider the following functions RX3i Configuration Ethernet Interface Function ETMO01 in Slot 6 Programmer connection to your PC Requires a Redundant IP address which should be the same IP Address for both the Primary and Secondary rack systems ETMO01 in Slot 7 Private network LANA for Ethernet IO exchanges ETMO01 in Slot 8 Private network LANB for Ethernet IO exchanges RX7i Configuration Ethernet Interface Function Embedded CPU Ethernet Port Programmer connection to your PC Requires a Redundant IP address which should be the same IP Address for both the Primary and Secondary rack systems ETMO01 in Slot 5 Private network LANA for Ethernet IO exchanges ETMO01 in Slot 6 Private network LANB for Ethernet IO exchanges The hardware configuration should appear similar to the following figure which shows an RX3i configuration Hardware Configuration provided by the Ten ENIU Controller Template Project 2 2 PACSystems Hot Standby CPU Redundancy User s Manual July 2010 EE NH HE E CS Produced Exchanges Cil Hardware Configuration Primary e Rack 0 1c695CH5012 Ali Slot 0 IC695P5A140 Slot 1 Used With Slot 0 H slot 2 IC695CRU320 Slot 3 Used With Slot 2 H slot 4 IC695RMX128 Bl slot 5 IC695RMx128 slot 6 IC695ETMO01
15. 550 501 550 2 2201 2400 2201 2400 551 600 551 600 3 2401 2600 2401 2600 601 650 601 650 4 2601 2800 2601 2800 651 700 651 700 5 2801 3000 2801 3000 701 750 701 750 6 3001 3200 3001 3200 751 800 751 800 7 3201 3400 3201 3400 801 850 801 850 8 3401 3600 3401 3600 851 900 851 900 9 3601 3800 3601 3800 901 950 901 950 10 3801 4000 3801 4000 951 1000 951 1000 The default addresses for I O are provided for convenience All four addresses and the lengths can be changed in the configuration for the remote I O The only rules are e Each reference address type for a given remote I O device must use contiguous addressing e Addresses must be in the range of 1 7500 for l and 1 3200 for Al e Discrete address l and Q must start on byte boundaries e l and Q lengths must be a multiple of 8 e The address for a remote I O device should not conflict with other remote I O devices Note The same output addresses can be used in multiple remote I O devices if the application so requires A 2 PACSystems Hot Standby CPU Redundancy User s Manual July 2010 GFK 2308F Available Templates GENIUS 1DB S3iRC 2S8BA This template is intended for demo use It is a fully functional Redundant Controller 2 Remote I O Devices 1 Dual Genius Bus template GENIUS 1DB 3iSC 10SBA Simplex Controller 10 Remote I O Devices 1 Dual Genius Bus GENIUS 2DB 3iSC 20SBA Simplex Controller 20 Remote UO Devices 2 Dual Genius Buses
16. Exchanges set of EGD configuration data is used to Name exehgX create EGD configuration files for both the Exchange ID X primary and secondary controllers When TE gt TAEAE Name exchgY Machine Edition creates the EGD exchange Exchange Y files for download to the secondary Produce in Backup TRUE controller it adds the secondary offset to the Exchange ID for each exchange configured to produce in backup Download EGD Download EGD Configuration Configuration Note For non dual HWC systems it is the to Primary to Secondary user s responsibility to ensure that the same offset value is specified in PLC Primary PLC Secondary both the primary and secondary Exchange ID X Exchange ID X target projects Exchange ID Y ER ID Y offset Exchange ID Offset in Dual HWC HSB System Ethernet Global Data Consumption 5 24 Both the active and backup units consume EGD exchanges in RUN mode regardless of whether or not the units are synchronized It is recommended that all consumption exchanges be configured identically for both units In addition these exchanges must be configured as multicast or directed to the Redundant IP address The consumption of multicast exchanges occurs independently on the two units The Ethernet modules obtain a copy of multicast exchanges at the same time but reading of that exchange in the two CPUs may be phased by one sweep This can result in t
17. Initiate a dual RMS 5 f necessary perform a role switch so that the primary unit is the active unit The unit whose logic had already been stored in run mode will receive only the new transfer list The other unit will receive the new transfer list and new logic EGD PACSystems Hot Standby CPU Redundancy User s Manual July 2010 GFK 2308F RMS Operational Errors Certain operational errors can occur only when performing a dual RMS to two synchronized controllers and performing simultaneous activation of new application data The table below outlines possible modes of failure and the system operation when the failure occurs Error Mode System Operation User requests a normal store single RMS not dual RMS when the transfer list has changed The programmer will not attempt the run mode store and will display an error message User requests a dual RMS on a controller that is not synchronized to a redundant partner The dual store will not be completed The programmer will display the following controller error message The requested action could not be completed because the target is not synchronized with another controller 0x05 Ox3E User requests a dual RMS on a controller whose redundant partner does not support dual RMS The dual store will not be completed The programmer will display the following controller error message The firmware for the remote redundant controller does not support the operation
18. LAN 2 The Redundant IP feature is enabled for the Ethernet interfaces on LAN 1 because it handles general communications EGD exchanges used for general CPU communications are not produced in backup mode Each controller uses a separate Ethernet interface for communication on each remote I O LAN one for LAN 2 and another for LAN 3 The remote I O EGD exchanges are configured on the Ethernet interfaces for the appropriate LAN Primary Unit Secondary Unit O O O o 25 xx V l e gt px a lalz MEA S 2 Elle a O m ju tu o E m uuu O O O O High speed Fiber Optic Link High Speed Fiber Optic Link Ethernet LAN 1 D Ethernet LAN 3 H RX3i ENIU Remote UO RX3i ENIU Remote UO PWS NIU ETM ETM PWS NIU ETM ETM PACSystems Hot Standby CPU Redundancy User s Manual July 2010 GFK 2308F Genius Hot Standby Operation In a Genius Hot Standby CPU redundancy system the Genius outputs are controlled by only one unit the active unit The inputs are shared between both units One unit is the Primary unit and the other is the Secondary unit The Primary unit contains all externally redundant Genius Bus Controllers at SBA 31 the Secondary unit contains all externally redundant Genius Bus Controllers at SBA 30 The Genius output devices are n
19. Module BSM is required to connect the initial block in the Genius block daisy chain to the dual bus Sample RX7i Dual Genius Bus Redundancy System Secondary Unit Primary Unit E xXx o o E RXTi 3 amp ESCH 2 gt xlxl olo Rack 0 EES 15 85 5 9 a o Required fan fh assembly not shown 30 30 31 31 I High speed fiber optic link I High speed fiber optic link I I I Genius Bus A l 1 1 1 I Genius Bus B I Ig D EI em em em rm pm mm mm rm mn en mm em rn rm rm Legend CPU RX7i CPU Bus Switching RMX Redundancy Memory Xchange Module Module i j GBC Genius Bus Controller Genius I O Blocks Sample RX3i Dual Genius Bus Redundancy System Secondary Unit Primary Unit Oo Oo Oo Oo o Jes ke iom e 2 X x 2 9 9 M Q t Q amp 6 amp u o 5 amp 6 e uo o 30 30 e E 31 31 d I High speed Fiber Optic Link I I High Speed Fiber Optic Link I I Ethernet LAN I Genius Bus A Genius Bus B wem mmm mm mn mmm mmm mmm mmm e mm mm mm mm mm rm mn mmm mmm mm mm rs da Bus Switching Module built into VersaMax VersaMax Genius PACSystems Hot Standby CPU Redundancy User s Manual July 2010 GFK 2308F When using dual bus Genius networks in a Hot Standby CPU Redundancy system two Bus Controllers for the bus pair m
20. STOP to RUN mode transition has two separate paths 1 If the unit performing the transition is doing so alone or both units are transitioning to Run at the same time a normal STOP to RUN mode transition is performed clear non retentive memory and initialize FST_SCN and 4FST EXE If the other unit is active when this unit performs a STOP to RUN mode transition non retentive references will be cleared followed by a resynchronization with the active unit RUN Disabled Mode RUN DISABLED mode causes all physical outputs to go to their default state in that PLC Inputs are still scanned and logic is solved A CPU in RUN DISABLED mode may be the active unit The following guidelines apply to using RUN DISABLED mode with the HSB control strategy 1 If a unit is in RUN DISABLED mode its LOC RDY S reference and the other unit s REM RDY 958 reference are not set and the corresponding LEDs on the RMX modules are OFF This indicates that the unit with LOC_RDY reference off is not available to drive outputs If a unit is in RUN ENABLED mode and the other unit is in RUN DISABLED mode the unit in RUN ENABLED mode does not use its synchronized fault action table Instead it uses the user configurable fault actions since there is no backup available to drive outputs When outputs used for Remote IO are specified in the output transfer list outputs are transferred from the active unit to the backup unit and if outputs are enabled on
21. SVC_REQ 43 SVC_REQ 43 cannot be used to disable output data transfer on the primary unit when outputs are enabled on the primary unit If that is attempted the SVC_REQ 43 is rejected The first time SVC_REQ 43 is used a fault is logged as a warning that the PLCs are not completely synchronized The reverse data transfer if any is unaffected by SVC_REQ 43 PACSystems Hot Standby CPU Redundancy User s Manual July 2010 GFK 2308F Enabling logic should be used with SVC_REQ 43 A contact with a non transferred reference should be part of this enabling logic That will allow the service request to be turned on off directly without being overwritten by the value from the active unit If the service request is invoked multiple times in a single sweep the last call is the one that determines the action taken Successful execution occurs unless m The values in the command block are out of range m The service request is invoked when the two units in a redundant system are not synchronized m The service request is issued on the active unit m The service request is issued on the primary unit while the primary unit s outputs are enabled If the service request is unsuccessful it will not pass power flow to the right Command Block for SVC REQ 43 The command block for SVC_REQ 43 has two words Address 0 Address 1 1 Disable input and output copies 2 Disable output copy only Example In the following example when 96T0
22. and legacy style Transition data is transferred as part of that list However the instance data associated with IEC transitionals is not synchronized For this reason IEC transitionals should not be used in redundancy if the application requires that this data be synchronized IEC transitionals must be used with symbolic data no legacy style transition data exists for symbolic data Chapter 5 Operation 5 7 Output Data Transfer to the Backup Unit After the input data transfer both units operate independently until the end of the program logic solution Before the output scan starts a second automatic data transfer occurs At this time the active unit transfers the output transfer data to the backup unit This includes the selected ranges within l Q 96AI AQ R 96M G and W memories as well as transferred variables For discrete data the status override and legacy transition information is transferred If point faults are configured point fault data is also sent After the output data transfer the active and the backup units independently perform their output scans and run their communications and background windows They continue to operate independently until they synchronize again after the next input scan Estimating Data Transfer Time 5 8 When a system is synchronized there are additions to the sweep time compared to a similar non redundant CPU model for transferring data from one unit to the other The data transf
23. communication is lost In the event of a remote UO device switching from one cable network to the other the Inputs and Outputs will Hold Last State while the switch over occurs After a selectable timeout of 2 5 or 10 seconds the inputs and outputs will go to Hold Last State or Zero if communication is not re established Point Faults When point fault references are enabled in the controller s hardware configuration the RX3i Dual Bus Genius templates support a subset of the functionality that is available with PACSystems controller rack I O If communication is lost to a remote I O device the Point Faults for all Inputs configured for that remote I O device will be set The functionality of setting a Point Fault for a specific Input Point such as an Analog Input if it has an alarm is not supported Automatic Role Switch for Redundant Controllers only The RX3i Dual Bus Genius templates can be set up to request a role switch when the active controller can not communicate with all the remote I O devices AND the backup controller can communicate with all the remote I O devices The role switch will make the backup controller the active controller If this behavior is desired this option must be explicitly enabled in the template s logic PACSystems Hot Standby CPU Redundancy User s Manual July 2010 GFK 2308F GFK 2308F OVR_PRE 3 3 5 4 S references 5 4 OVR_PRE 3 3 A Active unit defined 1 4 non synchronized
24. communications and remote I O data transfer exist on separate Ethernet LANs and thus do not contend for network bandwidth This keeps remote I O performance from being degraded The Redundant IP feature is enabled for the Ethernet interface in both controllers to permit general communications Any EGD exchanges used for general CPU communications are not produced in backup mode The produced EGD exchanges that are used for remote I O data transfer are configured as Produce in backup mode so that they will be produced in both active and backup mode For easier configuration each EGD exchange marked as Produce in backup is configured with the Exchange ID value used by the Primary unit The Programmer automatically generates a unique Exchange ID value for the Secondary unit by adding the configured Secondary Produced Exchange Offset value to the configured Exchange ID value For details on the exchange offset see Ethernet Global Data Production in chapter 5 Primary Unit Secondary Unit RX7i Rack 0 Power Supply CRE RMX Power Supply High Speed Fiber Optic Link High Speed Fiber Optic Link Ethernet LAN 1 Ethernet I OLAN RX3i ENIU Remote IO GFK 2308F Chapter 3 System Configuration 3 7 3 8 RX3i Dual Controller Single LAN System In this architecture general communications and remote I O data transfer exist on separate Ethernet LANs and thus do not contend for network bandwidth This keeps
25. do not support the PACMotion module IC695PMM335 m RX7i redundancy controllers do not support the 14 point interrupt module IC697MDL671 m RX7i redundancy controllers do not support VME integrator racks The following features operate differently with the redundancy CPUs than they do with other PACSystems CPUs m Error checking and correction ECC is enabled m RUN DISABLED mode This is explained in Chapter 5 Operation m User configurable fault actions are not used when the CPUs are synchronized m STOP to RUN mode transition For details see Synchronizing Redundant CPUs in chapter 5 m Background Window Timer in Normal Sweep mode default is 5ms It is highly recommended that the Background Window Timer be set to the same value for both CPUs making up a redundancy pair m By default Ethernet Global Data EGD is produced only by the active unit The backup unit can produce individual EGD exchanges that are configured for production in backup mode Also be aware that instance data associated with IEC transitionals PTCOIL NTCOIL PTCON and NTCON is not synchronized between the two CPUs For details refer to Data Transfer in chapter 5 Using the Redundancy CPU for Non redundant Operation The Redundancy CPU can be used for both redundant and non redundant applications The functionality and performance of a Redundancy CPU configured for non redundant operation is the same as for a unit that is configure
26. in the primary unit becomes inoperative in an uncontrolled fashion for example because of a power failure the Genius Bus Controllers detect this within twice the watchdog setting and stop sending outputs to the Genius devices After three Genius UO bus scans of not receiving data from the Genius Bus Controllers at Serial Bus Address 31 the Genius devices start driving data from Serial Bus Address 30 the secondary unit if available For example if the system has a 200ms watchdog timeout and 5ms Genius bus scan time and the primary unit main rack loses power the Genius Bus Controllers in expansion racks will wait 400ms and then stop updating outputs on Genius devices After 15ms the devices will begin driving outputs based on data from the secondary unit Note that any Genius Bus Controllers in the main rack would stop driving outputs immediately since they would also lose power Genius devices on these buses would begin driving data from the secondary unit within 15ms Note For fastest switching all Genius Bus Controllers in the Hot Standby CPU Redundancy system should be installed in the main rack This causes the Genius Bus Controllers to lose power at the same time that the CPU loses power This in turn allows the secondary unit to gain full control of the I O as soon as possible For single bus Genius networks if outputs are not available on Serial Bus Address 30 or 31 the devices outputs revert to default or hold last state as c
27. location the ECC bits are set on every non cached memory write and checked on every non cached memory read If you are comfortable with the level of integrity checking that the ECC function provides you may chose to disable the additional background RAM tests entirely by setting the Background Window Timer value to O PACSystems Hot Standby CPU Redundancy User s Manual July 2010 GFK 2308F Timer and PID Functions Timer and PID function blocks remain in lock step between two synchronized units provided A Enabling logic for each function is identical on both units This includes power flow how often the block is called and so forth B The block in which the function occurs has the same name in both units Note that MAIN is always common C Reference registers 3 for timers 40 for PID enabling references and reset references for each timer and PID function block are included in the data transfer lists For example if the following ladder logic appears in the MAIN block on both units 9 6M100 R250 R251 and R252 must all be included in the output data transfer list to keep this timer synchronized between the two units M00100 MR SEC M00100 R00250 Timed Contacts When both systems are synchronized timed contacts 9683 9684 9685 S6 have exactly the same value in both units For example whenever T SEC is on in one unit it also is on in the other unit as long as both units are synchronized Multiple I O Sca
28. logged but the unit will stay in RUN mode and continue to control the process 3 If the first unit is repaired and then transitions to Run the second unit with the failed expansion rack will stay in RUN mode and will remain in control of the process To prevent this situation you may want to include logic to shut down the less healthy unit or request a role switch Also a unit with the fault actions set to diagnostic may be placed in RUN mode and become the active unit even though it may have a diagnostic fault which would be logged as fatal in a synchronized system For example if an expansion rack fails while in STOP mode or while transitioning to RUN mode a diagnostic fault is logged However the unit will still transition to RUN In addition if you have programmed a Preferred Master algorithm this unit will become the active unit To prevent this situation you may want to include logic to shut down the less healthy unit or modify the role switch logic GFK 2308F Chapter 6 Fault Detection 6 7 s Configurable Fault Groups The table below shows the configurable faults and their fault actions There are three fault actions Fatal Diagnostic and Conditionally Fatal Fatal always stops the PLC Diagnostic never stops the PLC and Conditionally Fatal stops the PLC depending on other information in the fault Non Synchronized Synchronized Fault Action Table Fault Action fixed Fault Group
29. the active unit the switchover does not normally occur until the next sweep The exception is when the active unit detects a fatal fault during the input scan In that case the two units switch roles just before performing the input data transfer If the CPU has an uncontrolled shutdown the CPU logs a fault if it can and proceeds as described above When the backup CPU detects that the active CPU has failed either by receiving notification by detecting that both redundancy links have failed or by detecting failure of the active CPU to rendezvous at the next synchronization point within the Fail Wait time it becomes an unsynchronized active unit If the two CPUs lose synchronization for other reasons due to Fail Wait time set too short or failure of both redundancy links both units log faults and proceed as non synchronized active units In this case both units attempt to control the process independently The redundant Genius outputs will prefer the output values sent by the primary unit When using the redundant IP feature the application should take steps to ensure that the CPU that owns the redundant IP address is the same CPU that maintains control of the outputs This becomes an issue when both CPUs are operating as non synchronized active units NSAU since both units attempt to control the process independently Running both CPUs as NSAUs is not recommended and should be fixed as soon as possible Refer to On Line Repair Recomm
30. 0035 is on the input and output copies are disabled GFK 2308F Chapter 5 Operation 5 13 Validating the Backup Unit SVC REQ 43 DVC REQ 43 can be used to determine if the backup unit is collecting inputs properly that is validate the input scan It can also be used to determine whether the backup unit is calculating outputs and internal variables properly that is validate the logic solution Validating the Backup Unit s Input Scan To determine whether the backup PLC is collecting inputs properly follow these steps 1 Activate SVC_REQ 43 on the backup CPU passing the values 0 and 1 to disable the input and output data transfer copies Monitor the backup unit s input references and input variables The values presented correspond to the inputs that the backup is currently collecting Visually compare the backup unit s input references and input variables with those presented by the active unit Pay special attention to the references and variables that are included in the input transfer When you are satisfied that the backup unit is collecting inputs properly disable the rung that calls SVC_REQ 43 Validating the Backup Unit s Logic Solution To determine whether the backup unit is calculating outputs and internal variables properly follow these steps 1 5 14 Activate SVC_REQ 43 on the backup CPU passing the values 0 and 2 to disable the output data transfer copy Monitor the backup unit s output referenc
31. 2010 GFK 2308F Synchronizing the Hardware Configurations To synchronize the two configurations after making changes to the primary configuration or uploading a different primary configuration right click Hardware Configuration choose Redundancy and Mirror to Secondary Hardware Configuration This command copies the primary hardware configuration to the secondary configuration and adjusts appropriate parameters for the secondary configuration Note You can control whether the contents of specific slots in the primary configuration are copied to the secondary configuration If the Mirror to Secondary property for a slot is set to True default the configured module in that slot in the primary configuration overwrites the corresponding slot in the secondary configuration I O variables associated with a module in the primary configuration are copied to the corresponding module in the secondary configuration To prevent a slot from being mirrored set this property to False ER RX7i ES Data Watch Lists Ef EET E Dm Rack 0 IC698CHS017 Set as Selected HWG Bl Slot 0 ICe98PsA350 7 5 Slot 1 IC698CRE020 Hardware Reference View E Ethernet Report Ctrl T Slot 2 Used With Slot 1 Add Rack Bl Slot 3 IC698RMX016 Bl Slot 4 IC698RMX016 Redundancy Wizard I Slot 5 IC697MDL240 f i Mirror to Secondary Hardware Configuration Slot 6 Used With Slot 5 Impor bo D 3o70 Export to File GFK 2308F Chap
32. Determined by slot Read only The slot location of the first RMX module location of RMX Shown only if the Redundancy Links module parameter is 1 or 2 Redundancy Link 2 Rack 0 Read only 0 The rack location of the second Number redundancy link Shown only if the Redundancy Links parameter is 2 Slot Number Determined by slot Read only The slot location of the second location of RMX redundancy link Shown only if the module Redundancy Links parameter is 2 GFK 2308F Chapter 4 Configuration Requirements 4 7 Transfer List 4 8 Use this tab to select the ranges of references that will be transferred from the active unit to the backup unit If the program logic requires identical input values for the two units those references must be included in the input transfer list A maximum of 2Mbytes of data can be included in the transfer list The amount of data transferred is also limited by the amount of user memory consumption Overrides and Legacy style Transitions are transferred for any specified discrete transfer data as well as point fault information for transferred discrete and analog data if Point Faults are enabled Transferred data along with user program configuration and reference memory size etc all count against the user memory size and contributes to the CPU scan time Because the redundancy transfer list is part of hardware configuration the transfer lists in both units must be the same for synchroni
33. GE Intelligent Platforms Programmable Control Products PACSystems Hot Standby CPU Redundancy User s Manual GFK 2308F July 2010 GFL 002 Warnings Cautions and Notes as Used in this Publication Warning notices are used in this publication to emphasize that hazardous voltages currents temperatures or other conditions that could cause personal injury exist in this equipment or may be associated with its use In situations where inattention could cause either personal injury or damage to equipment a Warning notice is used Caution notices are used where equipment might be damaged if care is not taken Note Notes merely call attention to information that is especially significant to understanding and operating the equipment This document is based on information available at the time of its publication While efforts have been made to be accurate the information contained herein does not purport to cover all details or variations in hardware or software nor to provide for every possible contingency in connection with installation operation or maintenance Features may be described herein which are not present in all hardware and software systems GE Intelligent Platforms assumes no obligation of notice to holders of this document with respect to changes subsequently made GE Intelligent Platforms makes no representation or warranty expressed implied or statutory with respect to and assumes no responsibility for the
34. H slot 7 ICe95ETMOO1 H slot 8 IC695ETM001 H 3e90 H Slot 100 H slot 110 H slot 120 Cfi Hardware Configuration Secondary cilii Rack 0 1c695cHs012 Bu Slot 0 IC695P5A140 Slot 1 Used with Slot 0 Bl slot 2 ICe95CRU320 Slot 3 Used with Slot 2 Bl slot 4 IC695RMX128 slot 5 IC695RMX128 H slot 6 ICe95ETMOO1 H slot 7 IC695ETM001 Bl slot 8 IC695ETM001 H et ap H slot 100 J slot 110 GFK 2308F 7 Use Fiber Optic cable to connect each RMX module in the Primary Rack to the corresponding RMX module in the Secondary Rack the module in the same Slot number as described below Using an LC compatible multimode fiber optic cable connect the RMX module s TX connector to the RX connector of the other RMX module Connect the fiber optic cable from other RMX module s TX to the RX connector see diagram at right When the fiber optic transceiver detects a signal on the network the SIGNAL DETECT indicator will be on RMX Module in Primary Rack TX RX TX RX RMX Module in Secondary Rack 8 In PME close the Controller project and restore the ENIU project from the ten ENIU template set Open the project and on target ENIU 01 open the Hardware Configuration Set the IP addresses of the ETMOO1 modules taking into consideration that the ETMOO 1 in Slot 4 will be on a private network called LANA connected to LANA of the Redundancy CPUs an
35. I O variables see the PACSystems CPU Reference Manual GFK 2222 Settings Wiring Channel H Channel 2 Channel t3 Channel t4 Power Consumption Terminals Module Node Variable Address Description Bl Slot 11 ICE975LG320 B Reference Address Baw ALG320 Q1 40W0 11 0 1 Channel 1 Oawa Expand All Collapse All Mapping Hardware I O Variables Example Using I O Variables in a Redundancy System 4 12 In a redundancy system the mapping of I O variables must be the same in both units It is possible to have different modules configured in each unit as long as the modules that differ do not have I O variables assigned to them When an I O variable is added moved or deleted in one hardware configuration Machine Edition performs the same action on the other hardware configuration If you move a module with I O variables to a different rack location the variables in the corresponding module in the other hardware configuration are disassociated causing an I O Variable Mismatch error If an UO variable is assigned to a module in one unit without a corresponding UO variable on a module of the same type in the other unit an I O Variable Mismatch error will be generated upon validation UO variables can be configured as transferred variables in either or both the input and output transfer lists For details see Adding Individual Variables to the Transfer Lists on page 4 14 PACSyste
36. Secondary units Close 10ENIU CRU DLDI ENIUs 1 10 project in PME and again open project 10ENIU CRU DLDI Controller Right click on the Primary Hardware Configuration node and select Set as Selected HWC Connect to the Primary CPU store the application and put the CPU in run mode Disconnect from the Primary CPU Right click on the Secondary Hardware Configuration node and select Set as Selected HWC Connect to the Secondary CPU store the application and put the CPU in run mode Right click on the Reference View Tables node and select New Double click on the RefViewTable10 node just created In the address box enter Q1 In the next address box below Q00001 enter l1 Right click into the Values area just to the left of the Address boxes and select Format View Table Check the box labeled Apply to Whole Table Select Word for the Display Type select Hex for the Display Format and click OK Enter values into the Q00001 values area and notice that the same values are displayed at 96100001 because of the loopback logic in the ENIU This quick start procedure demonstrates setup of a PACSystems Redundancy Controller pair controlling one ENIU remote IO station This basic setup can be used to learn about other CPU Redundancy features such as Role Switching Transfer Lists Non Synchronized Active Unit NSAU and Redundant IP For details on the operation of CPU Redundancy systems refer to the other chapters in this manu
37. Type Description Default Configurable LOSS RACK 1 PLC Loss of or Missing Rack Diagnostic Yes Fatal LOSS_IOC 2 UO Loss of or Missing UO Diagnostic Yes Fatal Controller LOSS IO MOD 3 y o Loss of or Missing I O Diagnostic Yes Diagnostic Module LOSS OTHR MOD 4 PLC Loss of or Missing Option Diagnostic Yes Diagnostic Module SYS BUS ERROR 12 PLC System Bus Error Fatal Yes Fatal IOC FAULT 9 y o IOC or I O Bus Fault Diagnostic Yes Conditionally Fatal CNFG_MIS_MTCH 11 Both System Configuration Fatal Yes Diagnostic Mismatch IOC SOFTWR 15 y o IOC Software Failure Diagnostic Uses LOSS IOC Conditionally Fatal setting OVER_TMP 24 PLC CPU Over Temperature Diagnostic Yes Fatal LOC_MEM_ERROR PLC Recoverable Local Memory Diagnostic Yes Diagnostic 38 Error Evenif the non synchronized fault action for the LOSS IOC fault group is configured as Fatal the PLC will not go to STOP FAULT mode unless both Genius Bus Controllers of a dual bus pair fail Conditionally Fatal When the units are synchronized the two fault groups IOC FAULT and IOC SOFTWR faults are fatal if the Genius Bus Controller reports the fault as Fatal When a GBC logs one of these faults it notifies the PLC whether or not it can continue by placing Fatal or Diagnostic in the fault action of the fault entry 6 8 PACSystems Hot Standby CPU Redundancy User s Manual July 2010 GFK 2308F s Non Configurable Fault Gr
38. UM PLC Program Block Checksum Mismatch Fatal LOW BATTERY PLC Low Battery in the System Diagnostic CNST SW EXCD PLC Constant Sweep Exceeded Diagnostic PLC_FTBL_FULL PLC PLC System Fault Table Full Diagnostic IO FTBL FULL PLC I O Fault Table Full Diagnostic APPLICATION FLT PLC User Application Fault Diagnostic Fatal Faults on Both Units in the Same Sweep It is very unlikely that a fatal fault would occur on both units in the same sweep If that should happen however the first CPU to detect a fatal fault will use the synchronized fault action table The other CPU will use the non synchronized fault action table This allows one of the GFK 2308F units to stay in Run mode when the synchronized fault action is Fatal and the non synchronized fault action is diagnostic Chapter 6 Fault Detection 6 9 s Online Repair and System Upgrade With a Hot Standby CPU Redundancy system most system component failures can be repaired by replacing the failed component while the system is online You may choose to replace components for other reasons such as upgrading to a new model of a module CPUs in both units must have the same model types and firmware version On Line Repair Recommendations Note If the LOCAL ACTIVE LEDs are ON and the REMOTE ACTIVE LEDs are OFF on 6 10 both units the system is operating under split control that is with both units operating as NSAUs Do not use this procedure if this condition ex
39. When the program logic will be the same for both units it is recommended that you use a Dual HWC Target When you select a Redundancy CPU the programming software automatically presents the Dual HWC Target The remainder of this chapter assumes a Dual HWC Target If you do not want to use the same logic in both units you should create two separate targets and set the target property Dual HWC to FALSE in each target If both units are configured as primary or as secondary they will not recognize each other If this happens in an RX7i system the GBCs report SBA conflict faults and blink their LEDs If this happens in an RX3i system the GBCs only blink their LEDs and no fault is reported Correct the configuration of both units before placing either unit in Run mode Note The Redundancy CPU can be used for redundant and non redundant applications For non redundant applications set the Dual HWC for the Target to False and do not configure any redundancy links 4 1 Using the Redundancy Wizards Machine Edition software provides redundancy wizards to create a hardware configuration with the correct parameter settings for the redundancy scheme that you choose See Configuration Parameters for details on parameters specific to redundancy systems To launch the wizard go to the Navigation window right click Hardware Configuration point to Redundancy and then choose Wizard SR RXTi Gd Data Watch Lists E az Ethernet Global Data
40. able from the ENIU module s COM1 or COM2 port to one of your PC s COM ports or install an additional ETM001 module to the ENIU rack to provide connectivity via Ethernet With the template folder open in PME connect to the ENIU either by a COM port or by Ethernet Store the ENIU_01 application to the ENIU and put the ENIU into run mode Connect Ethernet cables between the Redundancy CPUs and the ENIU rack system RX3i Connections Connect one Ethernet cable from ETMOO01 in Primary Rack Slot 7 to ETM001 in ENIU Rack Slot 4 Connect one Ethernet cable from ETMOO 1 in Primary Rack Slot 8 to ETMO001 in ENIU Rack Slot 5 Connect one Ethernet cable from ETMOO1 in Secondary Rack Slot 7 to ETMOO1 in ENIU Rack Slot 4 Connect one Ethernet cable from ETM001 in Secondary Rack Slot 8 to ETMO001 in ENIU Rack Slot 5 RX7i Connections Connect one Ethernet cable from ETMOO01 in Primary Rack Slot 5 to ETM001 in ENIU Rack Slot 4 Connect one Ethernet cable from ETMOO 1 in Primary Rack Slot 6 to ETMO001 in ENIU Rack Slot 5 Connect one Ethernet cable from ETMOO1 in Secondary Rack Slot 5 to ETMOO1 in ENIU Rack Slot 4 Connect one Ethernet cable from ETM001 in Secondary Rack Slot 6 to ETMO001 in ENIU Rack Slot 5 PACSystems Hot Standby CPU Redundancy User s Manual July 2010 GFK 2308F 13 14 Connect Ethernet cables between an Ethernet switch connected to your PC and the ETM001 modules assigned as Programmer connections in both the Primary and
41. accuracy completeness sufficiency or usefulness of the information contained herein No warranties of merchantability or fitness for purpose shall apply indicates a trademark of GE Intelligent Platforms Inc and or its affiliates All other trademarks are the property of their respective owners Copyright 2010 GE Intelligent Platforms Inc All Rights Reserved Contact Information If you purchased this product through an Authorized Channel Partner please contact the seller directly General Contact Information Online technical support and http support ge ip com GlobalCare Additional information http Awww ge ip com Solution Provider solutionprovider ip ge com Technical Support If you have technical problems that cannot be resolved with the information in this guide please contact us by telephone or email or on the web at www ge ip com support Americas http support ge ip com 1 780 420 2010 if toll free 800 option is unavailable Technical Support Email support ip ge com Europe the Middle East and Africa Online Technical Support http support ge ip com 4352 26 722 780 if toll free 800 option is unavailable or if dialing from a mobile telephone Asia Pacific support jp ip 2 ge com ini i 21 3217 4826 su cn i i customercare cn ip ge com China iii PACSystems Hot Standby CPU Redundancy User s Manual July 2010 GFK 2308F Contents de e E EE 1 1 Hot Standby CPU Redundan
42. al For details on configuring an RX3i Genius dual bus redundancy system refer to Appendix A GFK 2308F Chapter 2 Hot Standby Redundancy Quick Start with Ethernet I O 2 5 Chapter System Configuration 5 This chapter describes the hardware components for a Hot Standby CPU Redundancy system and describes system configurations for the basic redundancy schemes supported by PACSystems controllers For installation instructions refer to PACSystems RXTi Installation Manual GFK 2223 PACSystems RX3i System Manual GFK 2314 Components of a Hot Standby Redundancy System System Racks Redundancy CPU Redundancy Memory Xchange modules Redundant I O System System Racks GFK 2308F RX3i Systems In an RX3i redundancy system an RX3i IC695CHSOxx Universal Backplane must be used as the CPU rack which is also referred to as Rack 0 For specific backplane versions required refer to the Important Product Information document provided with your redundancy CPU Any RX3i expansion rack or any Series 90 30 expansion rack that is supported by RX3i can be used in an RX3i redundancy system RX7i Systems In an RX7i redundancy system any RX7i IC698CHSxxx rack can be used as Rack 0 Any Series 90 70 expansion rack that is supported by RX7i can be used except for the VME Integrator racks IC697CHS782 and IC697CHS783 3 1 Redundancy CPU Modules To use the features described in this manual an RX7i Redundancy CPU module must
43. all ENIUs are taking outputs from one CPU normally it will be the Primary on LAN A it is preferable to take the Redundancy CPU that is not currently controlling outputs offline jfit has been determined that the problem is due only to a failed fiber cable you can choose to take the CPU not controlling outputs offline If there are some ENIUs taking outputs from one CPU and some taking outputs from the other CPU or you need to take the CPU that is currently controlling outputs offline for example if it contains the failed RMX module take the desired CPU offline Since the Redundancy CPUS are not synchronized taking a CPU offline may cause a disruption in the outputs You must be prepared to handle this condition GFK 2308F Chapter 6 Fault Detection 6 13 Final Steps for All Systems RX7i Systems When a module has failed the CPU will have to be taken offline by powering off the rack RX3i Systems Because the RX3i system supports Hot Swap of modules the CPU can be taken offline by either powering off the rack or by stopping the CPU After taking the Redundancy CPU offline replace the defective RMX module or cable and bring the CPU back online He CPU was powered off and retained its logic and configuration and is configured to Run after a power cycle the Redundancy CPUS will automatically re establish the redundancy links and resynchronize fthe CPU was stopped use the programmer to download logic and configuratio
44. ansfer time for memory ranges RX3i Formulas Data transfers less Estimated transfer time for memory 0 00005705959 x Total Transfer Data Size than 56K bytes ranges ms 0 212556909 Data transfers greater Estimated transfer time for memory 0 00004790867 x Total Transfer Data Size than 56K bytes ranges ms 0 341614952 RX7i Formulas Data transfers less Estimated transfer time for memory 0 00018355 x Total Bytes Transferred 0 184 than 28K bytes ranges ms Data transfers greater Estimated transfer time for memory 0 00013738 x Total Bytes Transferred 1 954 than 28K bytes ranges ms Analysis of the linear curve resulting from the measurement of various data points yielded a break point around 28K resulting in the two linear equations stated above Using the proper equation for the amount of transfer data will yield a minimum amount of error when doing the calculation The actual data transfer time may vary slightly from the estimated time most systems will see slightly better performance than the estimated value In addition the estimated data transfer time is based on a redundant system with two redundancy links in a steady state non error condition without CPU serial communications activity Genius bus faults or other high backplane interrupt activity Calculate the total number of bytes and number of symbolic variables in the transfer list This information is obtained from the variable transfer
45. are transferred Therefore the FST_SCN and amp FST EXE bits for common blocks are not set on the first scan of the transitioning unit Operation when a Redundancy Link is Removed GFK 2308F When one of the links in a system with dual redundancy links is lost for example when the fiber optic cable is removed from one RMX module and the CPUs remain synchronized with one link the redundancy status LEDs Local Ready Local Active Remote Ready Remote Active on the RMX modules associated with the failed link will continue to be updated Chapter 5 Operation 5 3 S References for CPU Redundancy 96833 through 96839 and SB18 reflect the status of the redundancy units The table below describes these 96S references and shows their expected states assuming the primary unit is active and the secondary unit is backup Expected State S Bit Definition Name Description Primary Secondary Unit Unit S33 Primary Unit PRI_UNT Set to 1 if the local unit is configured as the ON OFF primary unit otherwise it is cleared For any given local unit if PRI UNT is set SEC UNT cannot be set S34 Secondary Unit SEC_UNT Set to 1 if the local unit is configured as the OFF ON secondary unit otherwise it is cleared For any given local unit if SEC_UNT is set PRI UNT cannot be set 96935 Local Unit Ready LOC_RDY Set to 1 if local unit is in Run mode with outputs ON ON enabled Othe
46. ary unit in the Target properties Connect to the CPU Make sure the CPU is in Stop mode Download PACSystems Hot Standby CPU Redundancy User s Manual July 2010 GFK 2308F Run Mode Stores PACSystems releases 5 5 and later support run mode store RMS of the redundancy transfer list This capability allows you to add delete or modify transfer list entries without stopping the controllers If two redundant units are synchronized the RMS must be performed as a dual operation However when a redundant unit is not synchronized to another unit the redundancy transfer list can be stored in a single RMS This facilitates the commissioning phase of a redundancy System where the redundant partner may not be in place yet Do not attempt to synchronize a unit while an RMS is in progress to a non synchronized active unit If the unit attempting to synchronize in this case is taken to run mode both units will be non synchronized active units An RMS of the transfer list requires two copies of the redundancy configuration to be resident on the PLC for a short time During that period both copies of the transfer list are charged against the user memory limit If there is not enough user space available for both copies along with any new logic or EGD data that is part of the RMS the store will fail Dual RMS with Simultaneous Activation In Redundant Systems A synchronous RMS of invalid user logic or configuration such as would cause a watch
47. ations Window Timer Communications Window Mode is Limited 10 Complete There is no time limit Window Mode is Limited 0 through 255 ms Complete Read only There is no time limit Controller Communications Window per scan Backplane Limited Limited Time sliced The Available only when Sweep Mode is Communications maximum execution time for set to Normal Execution settings for Window Mode the Backplane the Backplane Communications Communications Window Window per scan is specified in the Backplane Communications Window Timer parameter Complete The window runs to completion There is no time limit Backplane 10ms for Limited Limited Valid range 0 Available only when Sweep Mode is Communications Window Timer ms mode through 255 ms Complete Read only There is no time limit set to Normal The maximum execution time for the Backplane Communications Window per scan This value can be greater than the value for the watchdog timer It is highly recommended that this parameter be set to the same value for both CPUs in a redundancy pair Background Setting the background window time Window Timer sms 0 through 255ms to zero disables the background RAM tests Sweep Timer ms 100ms 5 through 2550ms in Available only when Sweep Mode is increments of 5 If the value typed is not a multiple of 5ms it is rounded to the next highest valid value set to Co
48. be installed in rack 0 slot 1 of both the primary and secondary units RX3i Redundancy CPUs can be installed in any slot in rack O Note A given feature may not be implemented on all PACSystems CPUs To determine whether a feature is available on a given CPU model and firmware version please refer to the Important Product Information PI document provided with the CPU The CPU provides configurable reference memory limits for AI Analog Input AQ Analog Output R Register and W bulk memory area reference memory as well as symbolic discrete reference memory and symbolic non discrete reference memory For additional CPU features and performance specifications refer to the PACSystems CPU Reference Manual GFK 2222 Operation of the CPUs can be controlled by the three position RUN STOP switch or remotely by an attached programmer and programming software Program and configuration data can be locked through software passwords The LEDs on the front of the module indicate CPU and Ethernet interface status The CPUs have two configurable ports COM 1 RS 232 and COM2 RS 485 The RX7i CPUs contain an embedded Ethernet interface board that controls two 10 BASE T 100 BASE TX ports and a configurable Station Manager RS 232 port PACSystems CPUs support the following Ethernet interface features m Redundant IP address m Production of selected EGD exchanges in backup mode m RX7i controller data monitoring over the web Supports a co
49. by CPU Redundancy User s Manual July 2010 GFK 2308F Contents Fault Actions in a CPU Redundancy System ssssssssssseeeenn nene 6 7 Configuration of Fault ACtiONS nennen nnns 6 7 Configurable Fault Groupe 6 8 Non Configurable Fault Groups cccccceeeceeeeeeeeeeeeeeeeeseeeeeceaeeeseneeseaeeesaeeesaeeeeeees 6 9 Fatal Faults on Both Units in the Same Sweep sssesssssesssessrssrrssrrssrrssrssrrssrrnssns 6 9 Online Repair and System Upgrade sss 6 10 On Line Repair Recommendations esses 6 10 Hot Swapping of Modules RX3i Systems On 6 11 System CPU Upgrade cit e eter t P c ab rate e askean Taan 6 11 Online Repair of the Genius BUS nnne 6 12 Repair of a Non Synchronized Active Unit NSAU Split Control System 6 12 RX3I Dual Genius BUS OVerVieW oc tra ro ta E x3 e so Sad CE ana EES CRUCE CER CERN FaENE A 1 EE Eege Sates cuore eet ee ege ee A 1 Templates tad e eta RE Landi t bati fus A 1 Available Templates eeeeesieessesseeseeneee ener tenente tenen nenas A 3 How to Choose a Template eene entente nnne A 3 RX3i Dual Bus Genius Functionality essssseeseneeeeen enne A 4 GFK 2308F Contents vii Chapter Introduction 1 This manual is a reference to the hardware components configuration programming and operation of Hot Standby CPU redundancy for the PACSystems RX3i and RXTi controllers The information in this manual is in
50. ces in the logic execution time and other phases must also be considered when selecting a Fail Wait time Some applications limit the possible difference during the communications window by using Constant Sweep mode or Constant Window mode or by setting the system communications window to Limited and selecting a small window time If the Communications Window mode is set to Complete run to completion the controllers could lose synchronization particularly during RMS using a rack based Ethernet module PACSystems Hot Standby CPU Redundancy User s Manual July 2010 GFK 2308F Data Transfer The data is transferred in blocks Each block is checked for data integrity The backup CPU holds the transferred data in a temporary area until all the data has been received and verified Then the backup CPU copies the data into the actual PLC memories If the full transfer fails to complete properly the backup unit becomes an NSAU and discards the data in the temporary area Synchronization and Data Transfer Process Input Data and Synchronization Data Transfer to the Backup Unit GFK 2308F Immediately after the input scan the active unit sends the selected input data to the backup unit This includes the selected ranges within l Q Al AQ R 96M G and W memories as well as transferred variables For discrete data the status override and legacy style transition information is transferred If point faults are configured point fault data
51. cluded in the transfer list For special situations you can adjust the Target property Genius Output to generate a warning instead Parameter Default Choices Description Input Output Transfer Point 9el Reference 9610000 This address must be byte aligned that is The starting address for the range of l 1 it must have a value of 8n 1 Example references that are synchronized between 96100025 where 25 8 3 1 the redundant CPUs l Length 0 0 through 32 768 lref 1 in increments The number of l references that are of 8 where lref the value set in the l synchronized between the redundant CPUs Reference parameter Q Reference 96Q000 This address must be byte aligned that is The starting address for the range of Q 01 it must have a value of 8n 1 Example references that are synchronized between Q00049 where 49 8 6 1 the redundant CPUs Q Length 0 0 through 32 768 Qref 1 in The number of Q references that are increments of 8 where Qref the value synchronized between the redundant CPUs set in the Q Reference parameter M Reference 96MOOO This address must be byte aligned that is The starting address for the range of M 01 it must have a value of 8n 1 Example references that are synchronized between 96M00121 where 121 8 15 1 the redundant CPUs M Length 0 0 through 32 768 Mref 1 in The number of M referenc
52. cy sse eee nennen nnne nnne nennen 1 1 PACSystems HSB Redundancy Feature Summary sse 1 2 Online Program DEET EE 1 3 On Line Repair and System Uoorade enne 1 3 Rule le 1 4 E Ee Mel ele 1 5 Hot Standby Redundancy Quick Start with Ethernet l O 2 1 System Gonflguratloli e ees 3 1 Components of a Hot Standby Redundancy System sss 3 1 System Racks eite t o Ete D tih Needles tin des 3 1 Redundancy CPU Modules sess enne nnne en 3 2 Redundancy Memory Xchange Modules AA 3 4 Redundant HH Systeris iade deo te ee ie ee m Tee 3 5 Eocal e iit aite i e o d te pe e t e ts 3 5 CPU Redundancy Using Ethernet NIU Remote WO 3 6 Dual Controller Single LAN Systems eee 3 6 Dual Controller Dual LAN Systems sss 3 9 Genius Hot Standby Operation 3 11 Genius Output Control 3 11 Basic CPU Redundancy Using Genius WO 3 11 Configuration Requirements ecciesie eseeeee eene eene nennen nean nnnnn nana nennen anna 4 1 Using the Redundancy Wizards AA 4 2 Synchronizing the Hardware Confiogurations seen 4 3 Hardware Configuration Parameters sese 4 4 GPU Parameters 2 tee mm eie ee aea eile teas 4 4 Redundancy Memory Xchange Module Parameters AAA 4 10 Ethernet Interface Parametere 4 11 Rack Module Configuration Parameters sse 4 12 Genius Bus Configuration essssssssssss
53. d for redundant operation with no backup available This includes the redundancy informational messages such as those generated when a unit goes to Run mode Refer to Configuring the Redundancy CPU for Non redundant Operation in Chapter 4 GFK 2308F Chapter 3 System Configuration 3 3 Redundancy Memory Xchange Modules RMX LEDs 3 4 The RMX modules provide a path for transferring data between the two redundancy CPUs A complete communications path consists of one RMX in the primary unit one RMX in the secondary unit and two high speed fiber optic cables connecting them to each other This must be a two node ring no other reflective memory nodes are allowed to be part of this fiber optic network We strongly recommend that two redundancy links for a total of four RMX modules be configured and installed Optionally systems can be configured for a single redundancy link for a total of two RMX modules RMX modules must be installed in the main rack rack 0 The RMX module has a toggle switch that can be used to manually request a role switch Eight LEDs described in the following table provide indication of module status Note For RXTi systems it is recommended that the RMX modules be installed in slots 3 and 4 of the main rack This gives VME interrupt request priority to the RMX modules Although this configuration is recommended it is not required that the RMX modules be located in slots 3 and 4 Note The RX3i RMX128 mod
54. d of the data structure PACSystems Hot Standby CPU Redundancy User s Manual July 2010 GFK 2308F Using the Variable Transfer List Report The report provides the total number of variable bytes the total whole bytes and the total partial bytes included in the input and the output transfer lists To access this report right click the Target and select Report In the Available Reports list select Variable Transfer List Report and click OK Variable Transfer List Report Target Example Input List Remove all variables from list Total Variables 7 Jump to output list Name Type Address Publish Description ALG320 1 INT 9 QWO 8 0 1 ALG320 2 INT QWO 8 0 2 ALG320 Q3 INT 9 QWO 8 0 4 ALG320 4 INT 35 QWDO0 8 0 3 xYZ1 BOOL ag BYTE xYz3 WORD Total Variables in Input List 7 Total Variable Bytes Transferred rounded up 15 Whole Bytes Transferred 12 Entries Containing Only Whole Bytes 6 Partial Bytes Transferred 3 Entries Containing Partial Bytes 3 GFK 2308F Chapter 4 Configuration Requirements Storing Downloading Hardware Configuration A PACSystems control system is configured by creating a configuration file in the programming software then transferring downloading the file from the programmer to the CPU via the Ethernet Interface or serial por
55. d the ETMOO in Slot 5 will be on a private network called LANB connected to LANB of the Redundancy CPUs The hardware configuration should appear similar to the following figure which shows an RX3i configuration Hardware Configuration provided by the Ten ENIU Template Project ENIU 01 E Ba Data Watch Lists CH a EGDExchangeStatus DI Diagnostic Logic Blocks amp Active Blocks DI Inactive Blocks 2 RB Ethernet Global Data o BE Consumed Exchanges D CS Produced Exchanges 2 BD Hardware Configuration fff Rack 0 Ic695cHs012 fla Slot 0 IC695PSA040 un d d Slot 1 Used With Slot 0 Slot 2 ICG95NIUO01 Slot 3 Used With Slot 2 Slot 4 IC695ETMO01 Slot 5 IC695ETMOO1 Slot 6 Slot 7 Slot 8 Slot 9 Slot 10 Slot 11 Slot 12 Q GFK 2308F Chapter 2 Hot Standby Redundancy Quick Start with Ethernet I O 2 4 9 10 11 12 Add IO loopback logic to confirm data transfer between ENIU and Redundancy CPUs Under the Logic node in PME open the Program Block Local User Logic Add the logic shown below to loop outputs Q1 Q16 back to inputs 96I1 96116 Add any application specific logic that needs to run in the ENIU here 100001 Install a Power supply RX3i ENIU IC695NIU001 and two ETM001 modules into an RX3i backplane as shown the hardware configuration in step 6 Apply power to the system Connect your PC to the ENIU via a Serial c
56. does not require redundant I O busses When using single bus Genius networks in a Hot Standby CPU Redundancy system one Genius Bus Controller for the bus must be located in the primary unit and one in the secondary unit There can be multiple Genius busses in the system The bus controllers in the primary unit are assigned Serial Bus Address 31 The bus controllers in the secondary unit are assigned Serial Bus Address 30 3 12 PACSystems Hot Standby CPU Redundancy User s Manual July 2010 GFK 2308F Genius output devices will use outputs from Serial Bus Address 31 in preference to outputs from Serial Bus Address 30 Outputs are determined by the active unit regardless of which bus controller provides the outputs since all redundant Genius outputs are transferred from the active unit to the backup unit Any type of Genius device can be connected to the network Each Genius network can have up to 30 additional Genius devices connected to it You may want to reserve one Serial Bus Address for the Hand Held Monitor As a safety feature a watchdog timer protects each Genius I O link The bus controller periodically resets this timer If the timer expires the bus controller stops sending outputs If this happens in a Single Bus Genius network of a CPU Redundancy system the paired GBC in the other unit drives the outputs of the Genius devices The cause of the failure must be remedied to re establish communications Hardware Configuration for RX7i S
57. dog or processor exception could cause both units to fail To mitigate the risk of such application errors the procedure Initial RMS Followed by Dual RMS on page 4 18 is recommended To modify EGD application logic and or the redundancy transfer list using RMS and have the controllers simultaneously activate the changes you must perform independent downloads to both controllers The two controllers then negotiate when to activate the new items The initial store can be done to either the primary or the secondary unit Note that a dual RMS does not have to include transfer lists It may include only EGD and or logic GFK 2308F Chapter 4 Configuration Requirements 4 17 When you command an RMS to one of the units you will be given the option of selecting synchronized activation of the redundant controllers Run Mode Store Are you sure you want to proceed with the download while the target is running Choose how the memory allocated for new symbolic variables will be initialized Cleared all values set to zero C Setto initial value of associated variable Review variables involved before committing the download v Do synchronized activation of redundant controllers DK Cancel Help ee Hee If you select Do synchronized activation of redundant controllers the first unit defers application of the newly stored application data until the following actions have occurred 1 You disconnect from the first uni
58. e For details on using these templates refer to Appendix A RX3i Dual Genius Bus Overview and the PACSystems RX3i Dual Genius Bus Quick Start Guide which is provided with the RX3i Dual Bus Templates PACSystems CPU Redundancy implements a floating master algorithm If an application requires a preferred master algorithm see Implementing Preferred Master in chapter 5 In an RX3i CPU Redundancy system when a GBC is configured as Redundant Controller External all its outputs are redundant GFK 2308F Chapter 3 System Configuration 3 11 Single Bus Networks This type of network uses a single bus with one Genius bus controller in each PLC Sample RX7i Single Genius Bus Redundancy System Secondary Unit Primary Unit m E B m w xix o wull o Ee s s S laa 3 i 30 31 High Speed Fiber Optic Link High Speed Fiber Optic Link Ethernet LAN J Genius IO Blocks Sample RX3i Single Genius Bus Redundancy System Secondary Unit Primary Unit e Oo Oo Re 2 X Ix QO e 2 X K 9 L lz IE IO c IS GIE Io a O u O amp O x xc uUo Oo o Oo 30 ii 81 High speed Fiber Optic Link High Speed Fiber Optic Link Ethernet LAN 1 1 1 DN Genius IO Blocks Genius Bus The single bus setup is suitable if the application
59. e Fault Description Corrective Action Loss of IOC 2 none Loss of or missing IO The CPU generates this error Install the missing controller when it cannot communicate module or correct the with an I O Controller and an configuration entry for the IOC exists in the Otherwise replace configuration file the module and contact Technical Support Loss of Option various Loss of or missing The module is missing or the Install the missing Module 4 option module CPU has determined that the module or correct the or module has failed configuration Otherwise replace Redundant link hard the module and failure occurred contact Technical Support UO Bus Fault 9 none SBA conflict RX7i The bus controller has detected Verify that one CPU only that another device on the is configured for Genius network is already using primary and one for the same serial bus address secondary Correct the configuration of the Genius devices PLC Software 135 148 Units contain The redundant CPUs have Upgrade the CPUs mismatched different firmware revision So that they have the firmware update levels Having different same revision of recommended revisions of firmware in the firmware according CPUs is intended for short term to the firmware synchronization only as some upgrade procedure change in the behavior of the system may be experienced when mixing revisions Configuration Mismatch 11 75 ECC jumper should When redundancy firmwa
60. e Memory tab The value of the beginning address plus the value of the length must be less than or equal to the configured limit W Reference 96WO000 The limit configured for W references is The starting address for the range of W 01 based on values provided in the Memory references that are synchronized between tab The value of the beginning reference the redundant CPUs address plus the value of the length must be less than or equal to the configured limit W Length 0 0 through Wul Wref 1 where The number of W references that are Wul the upper limit of W memory synchronized between the redundant CPUs configured on the Memory tab and The limit configured for W references is Wref the value set in the W based on values provided in the Memory Reference parameter tab The value of the beginning reference address plus the value of the length must be less than or equal to the configured limit Redundancy Memory Xchange Module Parameters Parameter Default Choices Description Redundancy Link Enabled Enabled Disabled If the RMX module is being used as a redundancy link this parameter must be set to Enabled An RMX module being used as a redundancy link cannot be used as a general purpose reflective memory module All the reflective memory parameters are unavailable and the Interrupt parameter is set to Disabled 4 10 PACSystems Hot Standby CPU Redundancy User s Ma
61. e available to configure these architectures Architecture Templates for Templates for Proficy Machine Edition Proficy Process Systems Dual RX3i CRU Controllers 10 ENIUs 10 ENIUs Dual LAN 20 ENIUs 20 ENIUs Dual RX7i CRE Controllers 10 ENIUs 10 ENIUs Dual LAN 24 ENIUs 20 ENIUs RX7i Dual Controller Dual LAN System In this system architecture the remote I O stations each have two Ethernet modules to provide the stations with redundant LAN connections to the controllers LAN 3 acts as a backup to LAN 2 The Redundant IP feature is enabled for the Ethernet interfaces on LAN 1 because it handles general communications EGD exchanges used for general CPU communications are not produced in backup mode Each controller uses a separate Ethernet interface for communication on each remote I O LAN one for LAN 2 and another for LAN 3 The remote I O EGD exchanges are configured on the Ethernet interfaces for the appropriate LAN Primary Unit Secondary Unit ri RX7i A S Rack 0 3 5 Required fan assembly not shown ii High Speed Fiber Optic Link 8 end Speed Fiber Optic Link ethernet LANT LAN 1 i Ethernet LAN 2 IK GFK 2308F Chapter 3 System Configuration 3 9 3 10 RX3i Dual Controller Dual LAN System In this system architecture the remote I O stations each have two Ethernet modules to provide the stations with redundant LAN connections to the controllers LAN 3 acts as a backup to
62. e direct IP address of either Ethernet Interface The redundant IP address must be on the same sub network as the direct IP address and Gateway IP address if used For more information about Ethernet redundancy see TCP IP Ethernet Communications for PACSystems GFK 2224 GFK 2308F Chapter 4 Configuration Requirements 4 11 Rack Module Configuration Parameters 1 0 Interrupts 1 0 Variables Interrupts cannot be ENABLED when the configured CPU is a Redundancy CPU When a redundant CPU is configured any interrupts enabled in the configuration are DISABLED An I O variable is a symbolic variable that is mapped to a terminal in the hardware configuration for individual modules A terminal can be one of the following a physical discrete or analog I O point on a PACSystems module or on a Genius device a discrete or analog status returned from a PACSystems module or Global Data The use of I O variables allows you to configure hardware modules without having to specify the reference addresses to use when scanning their inputs and outputs Instead you can directly associate variable names with a module s inputs and outputs UO variables can be used any place that other symbolic variables are supported such as in logic as parameters to built in function blocks user defined function blocks parameterized function blocks C blocks bit in word references and transitional contacts and coils For additional information on the use of
63. econdary unit first If either unit is powered up after the other unit is already in Run mode communications between the two units are established If the unit being powered up goes to Run mode a resynchronization occurs Synchronization of the Time of Day Clocks At the point when the two units establish communications the primary unit s time of day clock is copied to the secondary unit PACSystems Hot Standby CPU Redundancy User s Manual July 2010 GFK 2308F Synchronizing Redundant CPUs When synchronization is initiated the CPUs exchange information about their configurations If a transitioning CPU detects that the configurations are not in agreement that CPU will not transition to RUN mode if both CPUs are transitioning at the same time neither CPU transitions to RUN mode The following items must be in agreement in order to synchronize 1 Both CPUs must be configured for the same redundancy control strategy 2 Both CPUs must have identical transfer lists 3 lf l Q Al or AQ references are included in the transfer list the Point Fault References configuration parameter must be identical on both units During synchronization the active unit sends a synchronization request to the backup unit and waits for a response from the backup unit If the active unit does not receive a response from the backup unit within its configured Fail Wait time it operates as a non synchronized active unit NSAU During synchronization
64. ecution of the Component control logic solution Genius Dual Bus The use of two Genius busses to control the same I O devices The busses are linked to the I O devices by one or more Bus Switching Modules BSMs A BSM will automatically switch to the other bus if the active bus has a failure Genius Hot A feature of Genius devices whereby the device prefers output data from the Bus Standby Controller at SBA 31 When outputs from that Bus Controller are not available the device takes output data from the Bus Controller at SBA 30 If outputs from neither Controller are available the device places its outputs in the designated default state Hot Standby A system where the backup standby unit is designated before any critical component failure takes place and any necessary state control information is passed to this designated backup unit so that it can take control quickly in the event of a critical component failure Non Synchronized A unit in a Redundancy System that is in Run mode but not synchronized with a backup Active Unit unit The backup unit is either offline in Stop mode powered off or failed or there are NSAU no functional redundancy links between the units Primary Unit The preferred unit to control the process in a Redundancy System For redundant Genius I O the Genius Bus Controllers in the primary unit are configured for serial bus address SBA 31 Redundancy The use of multiple elements con
65. edundancy User s Manual July 2010 GFK 2308F Location of GBCs and Blocks For fastest switching all Genius Bus Controllers in the Hot Standby CPU Redundancy system should be in the main rack This will cause the Genius Bus Controller to lose power at the same time that the CPU loses power and allow the backup unit to gain full control of the UO as soon as possible Each GBC has an output timer that it resets during every output scan If the GBC determines that the CPU in its PLC has failed it will stop sending outputs to its Genius devices This allows the other GBC to take control of the I O For single and dual bus Genius networks the Genius bus controllers should be placed at the same end of the bus as shown on page 3 14 In particular the secondary unit should be placed at one end of the bus and the primary unit must be placed between the secondary unit and the Genius devices No I O blocks or other devices should be located on the bus between the bus controllers In the case of dual bus networks placing the bus controllers and devices in this manner minimizes the risk of a bus break between the two units A bus break between the units could result in only some devices switching busses and make the other devices inaccessible to one of the units It also allows the primary unit to continue to control the I O in bus failure conditions that might otherwise result in loss of inputs and unsynchronized control of outputs Since the recommended c
66. edundant IP Addresses Ethernet Global Data in an HSB Redundancy System 5 1 Powerup of a Redundancy CPU 5 2 When a redundant CPU is powered up it performs a complete hardware diagnostic check and a complete check of the application program and configuration parameters This causes the powerup time of a redundancy CPU to be longer than a non redundancy CPU If the primary and secondary units power up together the primary becomes the active unit and the secondary unit becomes the backup unit When the secondary unit powers up if it does not detect the primary unit the secondary unit waits up to 30 seconds for the primary unit to power up If the primary unit has not completed its powerup sequence within 30 seconds the secondary unit assumes the primary unit is not present In this case if the secondary unit is configured to transition to Run on powerup it becomes an active unit without a backup unit If the primary unit completes its powerup sequence before the secondary unit the primary unit waits a few seconds for the secondary unit to complete its powerup sequence If the primary unit is set up to transition to Run on powerup and does not detect the secondary unit within this time it becomes an active unit without a backup Note If the system should be fully redundant upon powerup the secondary unit must complete power up first but no more than 30 seconds before the primary unit To be sure that this happens apply power to the s
67. either Redundancy CPU the Remote IO devices will receive the output values calculated by the active unit There is one exception to this It is described by item 4 Note When a Genius output is connected to both Redundancy CPUs that output should always be included in the output transfer list If Outputs from Active Unit Only is enabled in an ENIU placing the active controller in RUN DISABLED mode will result in that ENIU s outputs being held in their last state Note Ifthe backup unit is in RUN DISABLED mode the backup unit continues NOT to GFK 2308F drive outputs upon failure of the active unit and therefore is not a complete backup Chapter 5 Operation 5 17 Error Checking and Correction 5 18 Error checking and correction ECC allows the CPU firmware to detect errors in memory and correct some of them on the fly This added layer of checking differs from parity checking in that it can correct a single bit error If the ECC error is a single bit corrected error the CPU generates a diagnostic fault and sets SA0006 so that you can know of a possible impending problem and take corrective action If the ECC error is a multi bit error which cannot be corrected the CPU logs a fatal fault and goes to Stop Halt mode The Error Checking and Correction function of the memory controller is enabled on the redundancy CPU regardless of the Background Window Timer setting This provides parity like checking on the contents of every RAM
68. endations on page 6 10 GFK 2308F Chapter 6 Fault Detection 6 5 s Redundancy Link Failures There are distinct differences between losing a redundancy link and faulting an RMX module Redundancy Memory Xchange Module Hardware Failure Failures such as VME bus errors are considered hardware failures of the RMX module The following actions are taken when such an error is detected Either a Loss of or Missing Option Module or a Redundant Link Hard Failure Occurred fault is logged in the PLC Fault Table A Redundant Link Communications Failure fault is logged in both units All LEDs on the RMX module are turned OFF The fault locating references that correspond to the module are set i e the SLOT 00XX fault contact is set where XX is the slot number for the RMX module The corresponding redundancy link is no longer used If the other link is still operating that link is used for all further data transfer and the units can remain in synchronization If the other redundancy link is not available and either unit is in Run mode that unit operates as a non synchronized active unit Power must by cycled on the rack to restore a faulted RMX module to service Redundancy Link Communications Failures The following errors are reported as failures of the redundancy link 6 6 The other unit has lost power or failed such that it can no longer communicate One or both cables between the two RMX modules have failed or are disconnected
69. er time includes the time for the active unit to read the data from the appropriate reference memory type as specified in the configured redundancy transfer list move it from the CPU memory across the backplane with appropriate data integrity information into the RMX on board memory The data is then transferred from the RMX module in the active unit to the backup unit s RMX module via a high speed fiber optic link On the backup unit the data is moved from the RMX on board memory over the backplane into the CPU memory A data integrity check is performed and assuming the integrity checks pass the transfer data is written to the appropriate reference memory in the backup unit These additions to the sweep time can be estimated using the data and equations given in this section 1 Calculate the total number of bytes configured as memory ranges in the CPU configuration s Transfer List Reference Reference Size If Point Faults are If Point Faults are Enabled Type Disabled K Bit l length x 3 4 8 l length x 4 8 SAI Word AI length x 2 AI length x 3 Q Bit Q length x 3 8 Q length x 4 8 M Bit M length x 3 8 G Bit G length x 3 8 AQ Word AQ length x 2 AQ length x 3 R Word R length x 2 SW Word W length x 2 PACSystems Hot Standby CPU Redundancy User s Manual July 2010 GFK 2308F 2 Usethe following formulas to estimate the data tr
70. es output variables and internal variables The values presented correspond to the values that the backup is currently calculating Visually compare the backup unit s output references output variables and internal variables with those presented by the active unit Pay special attention to the references and variables that are included in the output transfer When you are satisfied that the backup unit is calculating outputs and internal variables properly disable the rung that calls SVC_REQ 43 PACSystems Hot Standby CPU Redundancy User s Manual July 2010 GFK 2308F Switching Control to the Backup Unit Control switches from the active unit to the backup unit if The active unit detects a fatal fault The active unit is placed in Stop mode 1 2 3 The active unit fails or is powered off 4 The toggle switch on an RMX module is activated 5 A switch is commanded from the application program These two types of requests are not honored if they occur within 10 seconds of the previous request Switching Times and Impactto Sweep Time The amount of time needed to switch control from the active unit to the backup unit depends on the reason for the switch There are two ways that the backup unit detects that the active unit has failed or lost power A Failure of all remaining redundancy links This type of failure has negligible impact on the controller sweep time B Failure of the active unit to rendezvous at a sync
71. es that are increments of 8 where Mref the value synchronized between the redundant CPUs set in the M Reference parameter G Reference 96G000 This address must be byte aligned that is The starting address for the range of G 01 it must have a value of 8n 1 Example references that are synchronized between 96G00081 where 81 8 10 1 the redundant CPUs G Length 0 0 through 7 680 Gref 1 in increments The number of G references that are of 8 where Gref the value set in the G synchronized between the redundant CPUs Reference parameter Al Reference 96AI000 The limit configured for AI references is The starting address for the range of Al 01 based on values provided in the Memory references that are synchronized between tab The value of the beginning references the redundant CPUs plus the value of the length must be less than or equal to the configured limit 96AI Length 0 0 through Alul Alref 1 where The number of AI references that are Aiul the upper limit of Al memory synchronized between the redundant CPUs configured on the Memory tab and Airef the value set in the Al Reference parameter In an RX3i CPU Redundancy system when a GBC is configured as Redundant Controller External all its outputs are redundant GFK 2308F Chapter 4 Configuration Requirements 4 9 Parameter Default Choices Description AQ Reference
72. eseeee eene nennen 4 13 Adding Individual Variables to the Transfer Let 4 14 Using the Variable Transfer List Report 4 15 Storing Downloading Hardware Configuration ssessseeeeeene 4 16 R n Mode Stores x ide iced e addo y vedete ae een ava US 4 17 Dual RMS with Simultaneous Activation In Redundant Systems 4 17 Initial RMS Followed by Dual RMS nennen enne 4 18 RMS Operational Errors sss eee entere nnns 4 19 Behavior of EQD in a Dual DM 4 20 Hardware Configuration and Logic Coupling eene 4 20 GFK 2308F V Contents rjj eee 5 1 Powerup of a Redundancy CRU 5 2 Synchronizing Redundant CPUS sess enne nnne 5 3 Dual ele TE le IT 5 3 Hesynchronization tees eite ne dade a deae e ca edad 5 3 Operation when a Redundancy Link is PHemoved 5 3 S References for CPU PRedundamcy enne 5 4 Scan Synchronization ANERER 5 5 Fail Wait Time eeu ie AE e ME 5 6 Data Transe ege Eet e bate Ge Pe th tole teet stt td 5 7 Synchronization and Data Transfer Process eeseeeseeeeesieerieeriesrrerrrrssrresrresre 5 7 Estimating Data Transfer Time 5 8 Programming a Data Transfer from Backup Unit to Active Unit SVC_REQS 27 and 28 sse enne enne 5 11 Disabling Data Transfer Copy in Backup Unit SVC REQ 493 5 12 Validating the Backup Unit SVC_REQ A 5 14 Switching Control to the Backup Un 5 15 Switching Times and Impact to Sweep Time 5 15 Com
73. eters All Genius devices that are connected to both units must be configured as redundant Note Devices that are connected to just one unit may use any available setting n an RX3i CPU Redundancy System when a GBC is configured as Redundant Controller External all its outputs are redundant GFK 2308F Chapter 4 Configuration Requirements 4 13 Adding Individual Variables to the Transfer Lists Individual variables can be configured as transferred variables in the input transfer list and or the output transfer list Mapped managed symbolic and I O and function block instance variables can be transferred This is the only way that managed and function block instance 4 14 variables can be transferred The following types of variables cannot be transferred m Mapped BOOL variables with bit in word addresses Elements of BOOL arrays that are mapped to word memories R W Al AQ Aliases to variables The Input Transfer List and Output Transfer List properties for a variable are set to False by default To add or remove a variable to or from the variable transfer list edit the Properties for that variable In most cases a variable should be part of the input or output transfer but not both In some unusual cases where there is a need to update a variable at both transfer points in the sweep the variable may be configured for both lists Mapped Variables An advantage of configuring mapped variable
74. failure excluding failures of Genius devices and bus stubs Online repair of failed component Survives any one single point of failure excluding failures of Genius devices and bus stubs Online repair of failed component Role switching Manual toggle switch for switching control between active and backup units Application initiated role switching Manual toggle switch for switching control between active and backup units Application initiated role switching Bumpless switching from active unit to backup unit Synchronized CPUs One scan switching Configurable transfer data size up to 2Mbytes Synchronized CPUs One scan switching Configurable transfer data size up to 2Mbytes Redundancy status monitoring RMX128 module has five redundancy status LEDs Link OK Local Ready Local Active Remote Ready Remote Active Redundancy status bits and message logging RMX016 module has five redundancy status LEDs Link OK Local Ready Local Active Remote Ready Remote Active Redundancy status bits and message logging Online programming Supported Supported Diagnostics Background diagnostics Memory error checking and correction ECC with single bit corrections and multiple bit checking Background diagnostics Memory error checking and correction ECC with single bit corrections and multiple bit checking Maximum fiber optic cable distance supported between two RMX module
75. he ability of the two units to derive the same results from the same inputs In all cases the data is still transferred over the redundancy link every sweep and the synchronization points are still met The effect of SVC_REQ 43 is to disable the copy of the data from the transfer to the actual reference memories on the backup unit When SVC REQ 43 is in effect the backup unit still takes control of the system in event of a failure or role switch Switches to the backup unit may cause a momentary interruption of data on the outputs because the two units may not be generating the exact same results While SVC_REQ 43 is in effect you should consider disabling outputs on the backup unit Disabling outputs on the backup unit eliminates the risk of an unsynchronized switch of control which can cause a momentary interruption of data in the outputs if the active unit fails or loses power while the input output copies are disabled If the active unit fails or loses power while outputs are disabled on the backup unit the system s outputs will go to their default settings A secondary effect of disabling outputs on the backup unit is that the non synchronized fault action table is used by the active unit to determine which faults are fatal Note If the CPU is already in RUN ENABLED mode a command to disable its outputs will not take effect until one sweep after the command is received Therefore disable the outputs at least one sweep before you enable
76. he redundant I O system A failure in the Local I O system will affect the unit as described in the PACSystems CPU Reference Manual GFK 2222 GFK 2308F Chapter 3 System Configuration 3 5 CPU Redundancy Using Ethernet NIU Remote I O This section discusses sample system architectures using Ethernet remote I O with CPU hot standby redundancy systems These sample system architectures support both general communications such as a programmer connection and remote LO data transfers Remote UO data transfers use EGD to and from the ENIUs For general communication in a hot standby redundancy system the Redundant IP feature must be enabled for the Ethernet interface In general communication only the active CPU produces EGD exchanges When a redundancy role switch occurs the backup CPU becomes active and begins producing EGD The formerly active CPU switches to backup and stops producing EGD For remote UO operation the active and backup CPUs simultaneously process remote I O EGD exchanges for each ENIU For architectures using redundant remote I O LANs the CPUS process separate remote I O EGD exchanges on each LAN All EGD exchanges that can simultaneously occur on a network must have unique Exchange IDs Hence remote I O exchanges that are produced by both the primary and secondary units must have different Exchange ID values Remote I O EGD production continues across CPU role switches The application logic in the ENIU selects which EGD re
77. he two units seeing different values for the same exchange in a given sweep Only the active unit consumes exchanges directed to the Redundant IP address If data from the exchanges must be seen identically on the two units the reference data for the exchanges can be transferred from the active unit to the backup unit during the input data transfer That transfer occurs shortly after the EGD consumption portion of the CPU sweep Exchange variables transferred must be placed into l or Al memory to participate in the input data transfer PACSystems Hot Standby CPU Redundancy User s Manual July 2010 GFK 2308F Chapter Fault Detection 6 This chapter describes how faults are handled in a Redundancy system m Fault Detection m PLC Fault Table Messages for Redundancy m Fault Response m Redundancy Link Failures m Fault Actions in a CPU Redundancy System m Online Repair Fault Detection The detection of faults and failures falls into three basic categories 1 Faults and failures that are detected immediately 2 Faults and failures that are detected as soon as possible but not necessarily within the current sweep 3 Faults and failures that are detected in the background Faults and failures that are detected immediately are those that are identified within the current sweep These faults include UO data corruption single and multiple bit memory failures power supply failures processor failures and VME transfer failures Faul
78. hronization point within the Fail Wait time An example of this type of failure is the CPU not responding because the user logic is in an endless loop If the redundancy links are still operational the increase to the sweep time will equal the Fail Wait Time For these two cases the switchover occurs immediately For all other cases the switchover occurs just before the next input data transfer The maximum delay is 1 sweep There may be an input and an output scan between detection of the fatal fault and the switch Commanding a Role Switch from the Application Program SVC REQ 26 The application program can use SVC_REQ 26 to command a role switch between the redundant CPUs active to backup and backup to active As long as the units remain synchronized the switch occurs just before the input data transfer of the next sweep When SVC_REQ 26 receives power flow to its enable input the PLC is requested to perform a role switch Power flow from SVC_REQ 26 indicates that a role switch will be attempted on the next sweep Power flow does not indicate that a role switch has occurred or that a role switch will definitely occur on the next sweep The role switch request is not valid if it occurs within 10 seconds of a previous request The 10 second limitation guarantees that only a single switch occurs if both units make a request at approximately the same time SVC_REQ 26 ignores the PARM parameter however the programming software requires that a
79. ingle Bus Network For RX7i targets the hardware configuration for single bus networks can be created by selecting Redundant Controllers Two PLCs in the Redundancy Wizard The GBCs must be configured with the following settings Redundancy Mode Redundant Controller Paired GBC External SBA 31 primary unit or 30 secondary unit The redundant devices must be configured for Hot Standby mode For example use the following settings for a Genius block Programming software Redundancy YES Hand Held Monitor CPU Redundancy HOT STBY MODE Hand Held Monitor BSM Present NO Hardware Configuration for RX3i Single Bus Network For RX3i targets the hardware configuration for single bus networks is created by adding a GBC and adding Genius devices to that GBC The GBCs must be configured with the following settings Redundancy Mode Redundant Controller External SBA 31 primary unit or 30 Secondary unit The Genius devices must be configured for Hot Standby mode For example use the following settings for a Genius block Hand Held Monitor CPU Redundancy HOT STBY MODE Hand Held Monitor BSM Present NO GFK 2308F Chapter 3 System Configuration 3 13 Dual Bus Networks This option provides redundancy of both the PLC and the I O bus This type of system uses dual busses with bus controllers in each PLC The Dual Bus network is suitable if the application requires redundancy of the PLC and the I O bus A Bus Switching
80. ists since neither unit has the backup role Additionally in a system that uses ENIU I O there is no guarantee that all ENIUs are taking outputs from the same controller See Repair of a Split Control System on page 6 12 To replace a component online it is strongly recommended that you follow this procedure 1 om mr wD Make sure the unit to be repaired is the backup unit The LOCAL ACTIVE LED should be OFF and the REMOTE ACTIVE LED should be ON You can also confirm this by viewing the Redundancy tab of the programmer s online status dialog box If the unit to be repaired is already in Stop mode skip this step If the unit to be repaired is active activate the Role Switch on the RMX module Power off the unit to be repaired Replace the defective component On the CPU of the repaired unit place the Run Stop switch in the Stop position Power on the repaired unit After several seconds verify that the LINK OK LEDs are ON for all RMX modules in both units If the LINK OK LEDs are not on see the PLC Fault Table If the repaired CPU is in Stop Fault mode verify that there are no unexpected faults and then clear the Fault Tables Place the repaired unit into RUN mode by putting the Run Stop switch in the Run position PACSystems Hot Standby CPU Redundancy User s Manual July 2010 GFK 2308F s Hot Swapping of Modules RX3i Systems Only RX3i redundancy systems support hot swapping of modules to the same extent a
81. itch roles the active unit becomes the backup unit and the backup unit becomes active The system runs synchronously with a transfer of all control data that defines machine status and any internal data needed to keep the two CPUS operating in sync Critical control data plus all redundant outputs must be included in the output data transfer The transfer of data from the active unit to the backup unit occurs twice per sweep once before the logic is solved and once after the logic is solved These CPU to CPU transfers are checked for data integrity The Primary and Secondary units in a redundancy system must be in the same controller family An RX3i and an RX7i controller can not function as a redundant pair 1 1 PACSystems HSB Redundancy Feature Summary Feature RX3i Redundancy System RX7i Redundancy System Redundancy CPU IC695CRU320 IC698CRE020 CREO30 or CRE040 Redundancy links Two IC695RMX128 modules per link Two links four RMX modules recommended per system Two IC698RMX016 modules per link Two links four RMX modules recommended per system Redundancy I O systems supported Single and redundant Ethernet remote I O LANs through ENIU Single Bus and Dual Bus Genius networks Single and redundant Ethernet remote l O LANs through ENIU Single Bus and Dual Bus Genius networks Expansion and remote racks Supported Supported Failure recovery Survives any one single point of
82. its become non synchronized active units this can occur if no redundancy links are functioning for each redundant pair the Ethernet Interface that owns the redundant IP address will produce exchanges through the Redundant IP address If Redundant IP is not enabled the Ethernet Interfaces in both units produce exchanges through their direct IP addresses The Producer ID as well as all production exchanges should be identical for both units This allows the consumer to continue consuming exchanges from the redundant system when the backup unit becomes active Configuring Exchanges to be Produced in Backup Mode In Machine Edition to configure a production exchange to be produced in backup mode go to the Project view expand the Ethernet Global Data folder select the exchange and set its Produce in Backup Mode property to True To change the offset from the default value of 1000 select the Ethernet Global Data folder and set the Secondary Produced Exchange Offset property to the desired value GFK 2308F Chapter 5 Operation 5 23 For exchanges that are produced in backup Dual HWC Redundancy Target mode an offset must be added to the Exchange ID This ensures that the Exchange ID is unique for those exchanges Lebel EE 40 c 0 that are produced simultaneously by the Secondary Produced Exchange Offset offset active and backup controllers Ethernet Global Data For an HSB system using dual HWC one Produced
83. ituation where a failed rack controls the outputs occurs when the failed RMX module is contained in the same rack as the CPU that is currently controlling Remote Device outputs The procedures given in this section discusses ways to reduce the chance of defaulting outputs on some of the Remote IO devices controlled by the Redundancy CPU pair Although these procedures might prevent defaulting outputs they might also involve a short disruption in the outputs as the Remote IO devices switch to taking outputs from the other CPU It is incumbent on the user to know which CPU is controlling outputs on a specific Remote IO Device and determine whether it is acceptable to allow those outputs to default or to be disrupted Initial Steps for All Systems Determine the source of the Redundancy link failure which can either be the fiber optic cable or a failed RMX module 1 Checkthe OK LEDs on the RMX modules If the RMX s OK LED is off the RMX module has failed If there is a failed RMX module the rack containing the module will have to be taken offline in order to do the repair 2 If all RMX OK LEDs are on check the Signal Detect LEDs on the RMX modules If the Signal Detect LED is off it might indicate that the fiber optic cable connected to the RX input has failed If there is a failed fiber optic cable you will need to choose which CPU to take offline to recover the redundancy link s Before taking one of the Redundancy CPUS offline follo
84. kstart 2 1 R Racks backplane version required for RX3i redundancy 3 1 for redundancy systems 3 1 RX7i redundancy does not support VME racks 3 1 Redundancy configuration wizards 4 2 defined 1 4 memory usage 4 8 parameters CPU 4 7 Redundancy CPUs description 3 2 differences from other CPUs 3 3 powerup 5 2 Redundancy link defined 1 4 failures 6 6 removed 5 3 Redundancy Memory Xchange RMX module description 3 4 faulting 6 6 parameters 4 10 Redundant IP addresses 5 21 defined 1 4 References 1 5 Repair online 1 3 Resynchronization 5 3 PACSystems Hot Standby CPU Redundancy User s Manual July 2010 GFK 2308F GFK 2308F Role switch commanding 5 15 defined 1 4 sweep impact 5 15 Run mode store RMS 1 3 4 17 Run Disabled mode 5 17 different for redundancy CPUs 3 3 S Scan sets multiple 5 19 Scan synchronization 5 5 Secondary unit defined 1 4 powerup sequence 5 2 Service requests 26 Implementing preferred master 5 16 26 Role switch from program 5 15 27 Write to reverse transfer area 5 11 28 Read from reverse transfer area 5 11 48 Backup qualification 5 14 48 Disable data transfer copy in backup unit 5 12 Split control 5 21 6 10 repair of 6 12 Status bits redundancy 5 4 Stop I O Scan mode not available with Redundancy CPUS 3 3 Stop to Run mode transition 5 17 different for redundancy CPUs 3 3 Storing configuration 4 16 Sweep time synchroni
85. list report For details see Using the Variable Transfer List Report in chapter 4 Size of transfer list Total Variable Bytes Transferred in Input List Total Variable Bytes Transferred in Output List Entries Containing Only Whole Bytes in Input List Entries Containing Partial Bytes in Input List Entries Containing Only Whole Bytes in Output List Entries Containing Partial Bytes in Output List Number of entries 4 Use one of the following formulas to estimate the total transfer time for symbolic variables CRU320 Transfer time for variables 0 00003923 x size of transfer list 0 000177916 x number of entries 0 61871745 CRE020 Transfer time for variables 0 000130992 x size of transfer list CRE030 Transfer time for variables 0 000376524 x number of entries 2 1 0 000111019 x size of transfer list 0 000249549 x number of entries 1 9 CRE040 Transfer time for variable 0 0000940902 x size of transfer list 0 0000783293 x number of entries 1 4 GFK 2308F For a negative result use a value of 0 Chapter 5 Operation 5 9 5 10 5 Addthe following quantities RX3i Formula Synchronization base sweep addition additional amount of time 3 238 ms required to synchronize the CPUs with 0 Data Transfer ms Total transfer time for memory ranges step 2 ms Total transfer time for transferred symbolic variables step 4 ms Total e
86. llowed in non redundant systems Modules that support hot swapping can be removed and replaced in the RX3i main rack and in ENIU remote racks while the rack is powered up Hot Swapping RMX 128 Modules The RX3i RMX128 module supports hot insertion and removal However the redundancy communication link associated with a hot swapped RMX module will not be restored automatically The LINK OK indicator on both RMX modules in the link will be OFF To restore the link while the system is in operation first determine which unit is the backup unit and if possible cycle power or store hardware configuration to that unit If either RMX module s OK indicator is OFF power must be cycled on the rack to restore the RMX module to service System CPU Upgrade If you are upgrading your redundancy system with new CPU models you will need to replace the CPUs in both units To replace the CPUs in your redundancy system follow the steps in On Line Repair Recommendations When you have replaced the CPU in the backup unit and returned it to RUN mode activate the Role Switch on the RMX module and repeat steps 1 8 for the other unit During normal operation the primary and secondary units in an HSB redundancy system must have the same CPU model type Extended operation with dissimilar CPU types is not allowed Continued use of dissimilar CPU types may result in timing issues during synchronization The primary and secondary units with dissimilar CPU
87. manding a Role Switch from the Application Program GVC REQ 26 5 15 Implementing Preferred Master Using SVC_REQ 26 sss 5 16 STOP to RUN Mode Transition essssssssseseeeen eee nennen 5 17 RUN Disabled Mode 3 rti a a da cd Ee efe a 5 17 Error Checking and Correction sssssssssssssseeeee enne enne nennen 5 18 Timer and PID Functions e a E a a a A A nennen nnns 5 19 Rue Breu Le 5 19 Multiple O Scan Selts rne re HD GRE ene e iode tede eai heaps 5 19 Genius Bus Controller Switching sssssseeeeenennene nennen 5 20 Redundant P Addresses 5i dete eai ete he eie 5 21 Ethernet Global Data in an HSB Redundancy Gvstem 5 23 Ethernet Global Data Production 5 23 Ethernet Global Data Consumption esses 5 24 Fault DOtTCCUON Dolor iiec aida Mais clacitaM hoi vetera csi cO HR PIRA S qud Ede 6 1 Fault Detection rient ito ete Due de e ee dele deed e an ege 6 1 PLC Fault Table Messages for PHedundamcy nens 6 2 Redundancy Fault Group 329 6 2 Other Fault Groups crt ione cei egere a d D Te hated de zen 6 4 Fault RESPONSE tiii unen gege BERE ee 6 5 Redundancy Link Failures eriiic andaran ans u aa arana NE Oean INR eene errem 6 6 Redundancy Memory Xchange Module Hardware Failure 6 6 Redundancy Link Communications Failures ccccccsceceeseeeeseeeeeneeseeeeessaeeeteneeees 6 6 vi PACSystems Hot Stand
88. mbined total of up to 16 web server and FTP connections m Upto 255 Ethernet Global Data EGD exchanges with up to 100 variables per exchange m EQD upload and selective consumption of EGD exchanges m Upload and download of an Advanced User Parameter AUP file which contains user customizations to internal Ethernet operating parameters m Run mode store of EGD PACSystems releases 5 5 and later which allows you to add delete or modify EGD exchanges without stopping the controller For details on using this feature refer to TCP IP Ethernet Communications for PACSystems GFK 2224 3 2 PACSystems Hot Standby CPU Redundancy User s Manual July 2010 GFK 2308F Redundancy CPUs Compared to Other PACSystems CPUs The following features are not available m UO and module interrupts This includes the single edge triggered interrupts from the discrete input modules the high alarm and low alarm interrupts from the analog input modules and interrupts from VME modules A program that declares I O Interrupt triggers cannot be stored to a Redundancy CPU m Interrupt Blocks I O timed module Logic that contains interrupt blocks cannot be stored to the CPU m Stop I O Scan mode If an attempt is made to place the PLC in this mode the PLC will reject the selection and return an error m OVR_PRE 968 reference which indicates whether one or more overrides are active is not supported and should not be used m RX3i redundancy controllers
89. model types can be synchronized for a limited time for the purpose of system upgrade only Fail wait times for the higher performance CPU in a dissimilar redundant pair may need to be increased to allow synchronization It does not matter whether the newer model is in the primary or secondary unit GFK 2308F Chapter 6 Fault Detection 6 11 s Online Repair of the Genius Bus Single Bus Networks The Genius bus of a single bus network can be repaired without disturbing power to either unit However repairing the bus without taking the entire Hot Standby CPU Redundancy system offline is not recommended because all devices on that bus will be disconnected from the controllers while the bus is being repaired Dual Bus Networks The Genius bus of a dual bus network can be repaired without disturbing power to either unit It is recommended that you disconnect the failed bus from the GBCs before you attempt to repair it Repair of a Non Synchronized Active Unit NSAU Split Control System 6 12 When Redundancy CPUS lose all redundancy links and become NSAUS there is a possibility of split control or of a failed rack controlling outputs In a split control situation some of the Remote IO devices are taking outputs from one Redundancy CPU and the other Remote IO devices are taking outputs from the other CPU In this situation turning off one of the controllers could result in defaulting the outputs of some of the Remote IO devices A s
90. mote I O output exchanges to consume for controlling outputs If the active controller transitions to Run IO Disabled mode it continues to receive inputs from the ENIU However the ENIU no longer receives outputs from the controller The ENIU s status words can be monitored to detect communication activity For details on the status words refer to PACSystems RX3i Ethernet NIU User s Manual GFK 2439 Note These architectures are based on the template sets provided for use with Proficy Machine Edition and Proficy Process Systems programmers The templates are set up with coordinated references and coordinated parameters for 10 20 or 24 ENIUs For systems with other numbers of ENIUS select the template with the next larger number of ENIUs and delete the extra ENIUs For details about the ENIU configuration and operation and use of the ENIU templates refer to the PACSystems RX3i Ethernet NIU User s Manual GFK 2439 Dual Controller Single LAN Systems The following template sets are available to configure these architectures Architecture Templates for Templates for Proficy Machine Edition Proficy Process Systems Dual RX7i CRE Controllers 10 ENIUs 10 ENIUs Single LAN 20 ENIUs 20 ENIUs Dual RX3i CRU Controllers 10 ENIUs 10 ENIUs Single LAN 20 ENIUs 20 ENIUs 3 6 PACSystems Hot Standby CPU Redundancy User s Manual July 2010 GFK 2308F RX7i Dual Controller Single LAN System In this architecture general
91. ms Hot Standby CPU Redundancy User s Manual July 2010 GFK 2308F Genius Bus Configuration Bus Controller Configuration Parameters m When configuring the PRIMARY PLC all GBCs configured for external redundancy must have Serial Bus Address 31 m When configuring the SECONDARY PLC all GBCs configured for external redundancy must have Serial Bus Address 30 Note Itis possible to configure Genius networks in which there is not a redundant bus controller in the other unit For such networks it is not necessary for the serial bus addresses to be 31 in the primary unit and 30 in the secondary unit m For single Genius bus networks in RX7i targets the GBCs Redundancy Mode parameter must be configured for Redundant Controller with the redundant pair set to External m For single Genius bus networks in RX3i targets the GBCs Redundancy Mode parameter must be configured for Redundant Controller External m For Dual Bus Genius networks in RX7i targets the GBCs must be configured for Dual Bus Redundant Controller m For Dual Bus Genius networks in RX3i targets the GBCs must be configured for Redundant Controller External Note Dual Bus Genius networks in RX3i targets need to be configured manually and l and Al references on Genius bus B must have offsets The l offset is 10000 and the Al offset is 5000 Note GBCs for networks that are connected to just one unit may have any setting Genius Device Configuration Param
92. n and put the CPU into Run mode This will cause the CPUs to re establish the redundancy links and resynchronize After the CPUs are resynchronized the steps given in On Line Repair Recommendations on page on page 6 10 can be followed to fix any other failed modules in the Redundancy CPU racks 6 14 PACSystems Hot Standby CPU Redundancy User s Manual July 2010 GFK 2308F Appendix A RX3i Dual Genius Bus Overview This chapter provides an overview of PACSystems RX3i Dual Bus Genius Please refer to the PACSystems RX3i Dual Genius Bus Quick Start Guide provided with the RX3i Dual Bus Templates for more information RX3i Dual Bus Genius is provided by a set of program blocks that coordinate the operation of UO on Dual Genius Buses to provide cable redundancy Templates PME folders are available on the GE IP Support Website as a starting point to implement applications using RX3i Dual Bus Genius Note The current offering supports only VersaMax Genius Network Interface Units GNIUs Features e Simplex and redundant controller support e Support for 2 dual Genius buses e Upto 29 remote I O devices per dual Genius bus e Upto 7500 discrete inputs and 7500 discrete outputs e Upto 3200 analog inputs and 3200 analog outputs e Templates to facilitate system configuration e Support for VersaMax Genius Network Interface Units GNIU Templates Template names are of the form GENIUS_1DB_3iSC_10SBA 1DB indicates one dual bu
93. n data and run as non synchronized active units A fatal error stop halt occurs after the activation of the new components begins but before it completes Both units complete the activation of newly stored application data If only one unit has a fatal error the other unit will run as a non synchronized active unit A power loss occurs on one of the units after activation of the new components begins but before it completes The unit maintaining power will complete the activation and continue as a non synchronized active unit If the other unit is powered back on assuming a good battery it will either have the newly stored application or the original The firmware will attempt to ensure that this unit has the new application so that it can synchronize to the other unit without a download but it will not be guaranteed If the units match they can synchronize without a download If the unit that lost power does not contain the new application data a Primary and secondary units are incompatible fault fault 9 in group 138 will be generated User attempts to go to programmer mode on a PLC that already has a pending dual RMS You will be prompted to either abort the dual RMS or stay in monitor mode GFK 2308F Chapter 4 Configuration Requirements Error Mode System Operation User requests a role switch via logic or the User commanded role switches do not impact the ability to do physical switch o
94. n Sets GFK 2308F The Redundancy CPU supports the configuration of multiple scan sets However it is strongly recommended that the redundant UO be configured in the default scan set Scan set 1 which is scanned every sweep The I O scan set feature allows the scanning of I O points to be more closely scheduled with its use in user logic programs If an I O Scan set is not scanned every sweep it is not guaranteed to be scanned in the same sweep in the Primary and Secondary CPUs For example if the Primary and Secondary CPUs each have a scan set that is scanned every other sweep that is PERIOD 2 the Primary CPU might scan its scan set in one sweep and the Secondary CPU scan its scan set in the next Use of non default scan sets can cause variance in the time the units get to the rendezvous points This should be considered when determining the Fail Wait time Chapter 5 Operation 5 19 Genius Bus Controller Switching 5 20 In the HSB control strategy Genius outputs are always enabled for both units unless explicitly disabled so that bumpless switching is possible regardless of which unit is currently the active unit Because of the way Genius Hot Standby operates all redundant Genius outputs must be included in the output transfer lists Genius Bus Controllers stop sending outputs to Genius devices when no output data has been received from the PLC CPU for a period equal to two times the configured watchdog timeout If the CPU
95. n entry be made for PARM You can enter any appropriate reference here it will not be used GFK 2308F Chapter 5 Operation 5 15 Example In this example a pushbutton switch on a control console is wired to input 9610002 In the program logic the reference for 9610002 is used as the input to the SVC_REQ 26 function block When the button is pressed logic power flows to SVC_REQ 26 causing a role switch to be requested The PRM reference is not used and can have any value 100002 SVC REQ M00001 Implementing Preferred Master Using SVC_REQ 26 5 16 The HSB control strategy implements a floating master algorithm This means that when one unit is put into Run mode while the other unit is already in Run mode the transitioning unit always becomes the backup unit If an application requires a preferred master algorithm where the primary unit always becomes the active unit when placed in Run mode the logic can use the Role Switch service request SVC_REQ 26 as shown in the sample LD rung below This logic must be included in the primary unit and may also be included in the secondary unit PRI UNT LOC_RDY REM_ACT SVC REO i 26 DUU SC RODO01 PACSystems Hot Standby CPU Redundancy User s Manual July 2010 GFK 2308F STOP to RUN Mode Transition A resynchronization will occur at all STOP to RUN mode transitions The time to perform this resynchronization may be larger than STOP to RUN transitions on non redundancy CPUs The
96. n the RMX module a dual RMS The role switch may be deferred for one sweep at most if it coincides with the simultaneous activation Dual RMS may fail in Normal sweep mode with When RMS of a large file is performed with the CPU in this the Backplane Communication Window Mode sweep mode the CPU tries to complete the RMS in a single set to Complete Synchronization is lost and scan causing the sweep time to exceed the Fail Wait time both units transition to NSAU operation To avoid this failure set the Backplane Communication Window Mode to Limited or select the Constant Window or Constant Sweep mode Behavior of EGD in a Dual RMS Added exchanges will begin consumption production shortly after the activation of logic that is part of the RMS Deleted exchanges will cease consumption production shortly before the activation of logic that is part of the RMS Modified exchanges will be offline for a short time during the activation of new logic that is part of the RMS For general information about the behavior of this feature in a simplex system refer to Run Mode Store of EGD in TCP IP Ethernet Communications for PACSystems GFK 2224 Unlike activation of the transfer list and logic activation of EGD changes is not guaranteed to be simultaneous between the two units in a dual RMS Even in cases where hardware configuration and logic are identical on the two units it cannot be guaranteed that production consumption of dele
97. ndled differently than fault actions in a non redundant system Whenever the units are synchronized the types of faults that are considered to be FATAL i e cause the CPU to stop are not configurable The following types of faults are considered FATAL when the units are synchronized m Any fault that causes loss of control of UO m Any fault that degrades performance Note In a CPU redundancy system a Fatal fault from a Genius Bus Controller causes a synchronized unit to transition to STOP FAULT mode All Diagnostic faults allow the CPU to remain in Run mode Configuration of Fault Actions You can configure whether certain faults are considered fatal when the CPUs are not synchronized The following should be considered when configuring the fault actions for a redundancy CPU For a given fault that is fatal for the synchronized case if you set the non synchronized fault action to be diagnostic there is a chance that a less healthy unit could remain the active unit even after a more healthy backup unit is placed in Run mode For example if you were to configure Loss of or Missing Rack failures as diagnostic the following sequence of events could occur 1 If an expansion rack fails when the units are synchronized the unit with the rack failure will transition to STOP FAULT mode and the other unit will become a non synchronized active unit 2 If an expansion rack fails in the non synchronized active unit a diagnostic fault will be
98. nit to the backup unit The transfer list is selected in the hardware configuration for the Redundancy CPU PACSystems Hot Standby CPU Redundancy User s Manual July 2010 GFK 2308F Related Publications PACSystems CPU Reference Manual GFK 2222 PACSystems RX7i Installation Manual GFK 2223 TCP IP Ethernet Communications for PACSystems GFK 2224 PACSystems RX7i User s Guide to Integration of VME Modules GFK 2235 PACSystems Memory Exchange Modules GFK 2300 PACSystems RX3i System Manual GFK 2314 PACSystems RX3i Ethernet NIU User s Manual GFK 2439 Series 90 30 Ethernet NIU User s Manual GFK 2296 Genius I O System User s Manual GEK 90486 1 Genius Discrete and Analog Blocks User s Manual GEK 90486 2 Series 90 70 Genius Bus Controller User s Manual GFK 2017 Proficy Machine Edition Logic Developer PLC Getting Started GFK 1918 VersaMax Genius NIU User s Manual GFK 1535 PACSystems RX3i Dual Genius Bus Quick Start Guide provided with the RX3i Dual Bus Templates For the most recent versions of PACSystems and related documentation visit the Support website GFK 2308F Chapter 1 Introduction 1 5 Chapter Hot Standby Redundancy Quick Start with Ethernet I O e This chapter provides an overview of the steps needed to configure and operate a basic RX3i or RX7i Hot Standby HSB CPU Redundancy system with one Ethernet Remote IO ENIU using a ten ENIU Machine Edition template Notes The Primary and Secondary units in a redundancy sys
99. nstant Sweep The maximum overall PLC scan time This value cannot be greater than the value for the watchdog timer Some or all of the windows at the end of the sweep might not be executed The windows terminate when the overall PLC sweep time has reached the value specified for the Sweep Timer parameter GFK 2308F Chapter 4 Configuration Requirements Parameter Default Choices Description Window Timer ms 10 3 through 255 in increments of 1 Available only when Sweep Mode is set to Constant Window The maximum combined execution time per scan for the Controller Communications Window Backplane Communications Window and Background Communications Window This value cannot be greater than the value for the watchdog timer Number of Last Scans 0 5 Should be set to 0 The number of scans to execute after the PACSystems CPU receives an indication that a transition from Run to Stop mode should occur Note In a redundancy system this parameter should be set to 0 default Using a non zero value would allow a unit to stay in RUN mode for a few sweeps after detecting a fatal fault Fault Parameters 4 6 Parameter Default Choices Description Recoverable Local Memory Error Diagnostic Diagnostic Fatal Redundancy CPUS only Determines whether a single bit ECC error causes the CPU to stop or allows it to continue running
100. nual July 2010 GFK 2308F Ethernet Interface Parameters Each unit contains at least one Ethernet interface that is assigned a direct IP address used to directly access the specific unit A third redundant IP address can be assigned to the pair of Ethernet interfaces in both the primary and secondary units The redundant IP address is active on the Ethernet interface in only one of the units at a time the active unit All data sent to the redundant IP address including EGD produced to the redundant IP address is handled by the active unit When active the Ethernet interface always initiates communications using the redundant IP address When the unit is not active all communications are initiated through the direct IP address For more information about the Redundant IP address refer to Redundant IP Addresses in chapter 5 You can have up to four Ethernet interfaces in each rack including the embedded Ethernet interface in an RX7i CPU Each Ethernet interface can be set up as part of a pair for the purposes of redundant IP You can also include Ethernet interfaces in the unit that are not part of a redundant IP pair When an Ethernet Interface is configured to produce Ethernet Global Data EGD you must configure a redundant IP address in addition to the direct IP address For more information about using EGD in a redundancy system see chapter 5 Parameter Default Choices Description IP Address 0 0 0 0
101. o so the unit that was backup will not be able to activate the redundant IP address When using the redundant IP feature the application should take steps to ensure that the CPU that owns the redundant IP address is the same CPU that maintains control of the outputs This becomes an issue when both CPUs are operating as NSAUs known as split control since both units attempt to control the process independently Running both CPUs as NSAUs is not recommended and should be fixed as soon as possible Refer to On Line Repair Recommendations in chapter 6 Chapter 5 Operation 5 21 5 22 The Ethernet interface monitors the status of the CPU If the Ethernet interface determines that it can no longer communicate with the CPU it deactivates the redundant IP address The Ethernet interface also deactivates the redundant IP address when notified by CPU that the active unit has transitioned to backup When the Ethernet interface deactivates the redundant IP address it transitions to the backup state In the backup state the Ethernet interface no longer responds to the redundant IP address but forwards any packets received by the interface destined for the redundant IP to the Ethernet interface in the active PLC If the backup unit continues to receive packets destined for the redundant IP address it will send additional ARP messages on behalf of the active unit and after a number of time periods it will log an exception that will be recorded in
102. odules are handled in the Controller and Backplane Communications windows Because these requests can be sent in large volumes there is the potential for either of these windows to be processing requests for a significant amount of time One way to reduce the risk of one CPU failing to rendezvous at a synchronization point with the other CPU is to configure the Controller and Backplane Communications windows for Limited Window mode This sets a maximum time for these windows to run Other options are to configure the CPU sweep mode as Constant Window or Constant Sweep The CPU will then cycle through the communications and background windows for approximately the same amount of time in both units PACSystems Hot Standby CPU Redundancy User s Manual July 2010 GFK 2308F Parameter Default Choices Description Sweep Mode Normal Normal For details on sweep modes refer to Constant Window the PACSystems CPU Reference Manual GFK 2222 Constant Sweep Controller Limited Limited Time sliced The Available only when Sweep Mode is Communications maximum execution time for set to Normal Execution settings for Window Mode the Controller the Controller Communications Communications Window Window per scan is specified in the Controller Communications Window Timer parameter Complete The window runs to completion There is no time limit Controller Controller Controller Communications The maximum execution time for the Communic
103. onfiguration for single and dual bus networks still has the possibility of a bus breaking between the two CPUs you may want to program the application to monitor the status of the busses from the unit configured at the end of the busses and request a role switch or bus switch dual bus network only if loss of bus is detected Duplex Genius Output Mode Although it is not common you can configure your Genius I O system for duplex mode meaning that they will receive outputs from both bus controllers 30 and 31 and compare them Only devices that have discrete outputs can be configured for Duplex mode If the controllers at SBAs 30 and 31 agree on an output state the output goes to that state If the controllers at SBAs 30 and 31 send different states for an output the device defaults that output to its pre selected Duplex Default State For example Commanded State Commanded State Duplex Default Actual Output from Device from Device State in the Block State Number 31 Number 30 or I O Scanner On On Don t Care On Off On Off Off Off Off Don t Care Off On Off On On If either controller 30 or 31 stops sending outputs to the device outputs will be directly controlled by the remaining controller GFK 2308F Chapter 3 System Configuration 3 17 Chapter Configuration Requirements 4 GFK 2308F This chapter defines the special configuration requirements of a Hot Standby CPU Redundancy system
104. onfigured For dual bus networks if outputs are not available on Serial Bus Address 30 or 31 the BSM will switch to the other bus If outputs are not available on either bus then the block s outputs revert to default or hold last state as configured PACSystems Hot Standby CPU Redundancy User s Manual July 2010 GFK 2308F Redundant IP Addresses GFK 2308F Each unit contains at least one Ethernet interface that is assigned a direct IP address which is used to directly access the specific PLC A third redundant IP address can be assigned to the pair of Ethernet interfaces in the primary and secondary PLC units All data sent to the redundant IP address including EGD produced to the redundant IP address is handled by the active PLC When active the Ethernet interface always initiates communications using the redundant IP address When the PLC is in the backup state all communications are initiated through the direct IP address Each Ethernet interface in the system can be set up as part of a pair that shares a redundant IP address Each unit can also include Ethernet interfaces that are not part of a redundant IP pair Immediately after configuration neither Ethernet interface responds to the redundant IP address When notified by the CPU that the unit has become active the Ethernet interface determines whether the redundant IP address is in use on the network If the address is not in use on the network the Ethernet interface acti
105. ormally configured for Genius Hot Standby redundant operation With this configuration the devices choose between outputs from the Genius Bus Controller at SBA 31 and the Genius Bus Controller at SBA 30 If outputs from both Genius Bus Controllers are available the devices will use outputs from SBA 31 If there are no outputs from SBA 31 for three consecutive Genius I O bus scans the devices will use the outputs from SBA 30 If outputs are not available from either SBA 31 or 30 the outputs go to their configured default OFF or hold last state Genius Output Control In a Genius Hot Standby CPU Redundancy system the active unit determines the values of the Genius outputs Both the primary and secondary units send outputs regardless of which one is active The user is responsible for ensuring that all redundant Genius outputs are included in the output data transfer Because the same output values will then be sent to the GBCs in both units the devices will receive the same output values from SBA 31 and SBA 30 There is no data interruption on switchover because both units are always sending Genius outputs Basic CPU Redundancy Using Genius UO Hot Standby CPU Redundancy supports two types of bus schemes for the Genius networks m Single bus networks m Dual bus networks Note For RX3i systems Dual Genius Bus support is provided by a set of logic blocks Templates for Rx3i Dual Genius Bus support can be downloaded from the Support web sit
106. oups The table below shows the non configurable faults and their fault actions There are two fault actions Fatal and Diagnostic Fatal faults always stop the PLC Diagnostic faults never stop the PLC Table Fault Fault Group Type Description Action SYS BUS FAIL PLC System bus failure Fatal NO USER PRG PLC No User s Program on Power up Diagnostic BAD USER RAM PLC Corrupted User RAM detected on Power up Fatal WIND CMPL FAIL PLC Window Completion Failure in Constant Sweep Mode e all Diagnostic windows failed to receive their allotted time PASSWD FAIL PLC Password Access Failure Diagnostic NULL SYS CNFG PLC NULL System Configuration for RUN Mode Diagnostic CPU SOFTWR PLC PLC CPU Software Failure Fatal SEQ STORE FAIL PLC Communication failure during a store operation by the programmer Fatal This fault results when the start of store sequence was received but not an end of store sequence ADD RCK PLC Addition of Extra Rack Diagnostic ADD IOC y o Addition of or Extra IOC Diagnostic ADD IO MOD yo Addition of or Extra UO Module Diagnostic ADD OTHR MOD PLC Addition of Reset of or Extra Option Module Diagnostic IO MOD FAULT UO UO Module Fault Diagnostic CPU HARDWR PLC CPU Hardware Failure Fatal MOD HARDWR PLC Module Hardware Failure for example Serial Port Failure on PCM Diagnostic MOD OTHR PLC Option Module Software Failure Diagnostic SOFTWR PRG BLK CHKS
107. r wise set to 0 S36 Local Unit Active ZLOC ACT Set to 1if local unit is currently the active unit ON OFF otherwise it is cleared For any given local unit if LOC ACT is set REM ACT cannot be set S37 Remote Unit Ready REM_RDY Set to 1 if remote unit is in Run mode with ON ON outputs enabled Otherwise set to 0 S38 Remote Unit Active 4REM ACT Setto 1 if remote unit is currently the active OFF ON unit otherwise it is cleared For any given local unit if REM ACT is set LOC ACT cannot be set S39 Logic Equal LOGICEQ Set to 1 if the application logic for both units in ON ON the redundant system is the same Otherwise set to 0 SB18 Redundancy RDN_MSG Set if a redundancy informational message was logged It can be cleared Informational in reference tables logic or by clearing the fault tables Message Logged S references can be read from the application program but cannot be altered or overridden These references are always OFF when no configuration has been stored Anytime a configuration is stored the states of these S references are updated in both STOP and RUN modes The four redundancy status LEDs on the RMX Module correspond to the S35 S36 96837 and S38 references The programming software summarizes the state of the redundancy system on the Redundancy tab of the Show Status dialog box accessed from Online commands Additionally external indicators can be used to monitor the state of any status
108. re is Set the ECC jumper be enabled but is installed in the CPU module to the enabled disabled the ECC jumper must be in the position jumper on enabled position both pins See the instructions provided with the firmware upgrade kit Recoverable Local Memory 1 Recoverable local A single bit error was The CPU may need Error 26 memory error encountered and corrected to be replaced SA00006 is set Contact Technical Support CPU Hardware 13 169 Fatal local memory Multiple bit ECC error Replace the CPU and contact Technical Support 6 4 PACSystems Hot Standby CPU Redundancy User s Manual July 2010 GFK 2308F s Fault Response The Hot Standby CPU Redundancy system detects and reports failures of all critical components so that appropriate control actions may be taken All components that acquire or distribute UO data or that are involved in execution of the control logic solution are considered critical components A FATAL fault in the active unit causes a switch of control to the backup unit A DIAGNOSTIC fault allows the currently active system to continue operating as the active system Faults within the unit may be such that 1 The CPU has a controlled shutdown 2 The CPU has an uncontrolled shutdown or 3 The CPU continues to operate If the CPU detects an internal fault and has a controlled shutdown it logs a fault goes to Stop Fault mode and notifies the other CPU If the fault was detected on
109. reference If the two CPUs are in Run mode but lose synchronization due to Fail Wait time set too short or failure of both redundancy links both units log faults and proceed as NSAUs In this case both units attempt to control the process independently both units set their LOC_ACT status to 1 and clear the REM_RDY REM_ACT and LOGICEQ status flags OVR_PRE S Reference Not Available The OVR_PRE reference S00011 which indicates whether one or more overrides is active is not supported by the Redundancy CPU and should not be used 5 4 PACSystems Hot Standby CPU Redundancy User s Manual July 2010 GFK 2308F Scan Synchronization The figure below shows the sweep components for the active and the backup CPUS Backup CPU Housekeeping Input Scan Input Scan Send Input Ur ao Data Riese Inputs an a Synchronize Synchronize n Housekeeping Logic Solution Logic Solution n Send Output Transfer Receive Qutputs m Other Data Output Scan Windows and Run Time Diagnostics Windows and Run Time Diagnostics Input data transfer Output data transfer There are two synchronization points in the sweep The input transfer point occurs immediately after the inputs are scanned At this point in the sweep the newly read inputs are sent from the active unit to the backup unit At the output transfer point the rest of the data outputs internal references registers is sent from the active unit to the backup uni
110. remote I O performance from being degraded The Redundant IP feature is enabled for the Ethernet interface in both controllers to permit general communications Any EGD exchanges used for general CPU communications are not produced in backup mode The produced EGD exchanges that are used for remote I O data transfer are configured as Produce in backup mode so that they will be produced in both active and backup mode For easier configuration each EGD exchange marked as Produce in backup is configured with the Exchange ID value used by the Primary unit The Programmer automatically generates a unique Exchange ID value for the Secondary unit by adding the configured Secondary Produced Exchange Offset value to the configured Exchange ID value For details on the exchange offset see Ethernet Global Data Production in chapter 5 Primary Unit Secondary Unit O o o O e s PS M ES ES o 5 x x ZIA SE 2 BEE IE a m e m den e ee i o O o High speed Fiber Optic Link High Speed Fiber Optic Link Ethernet LAN 1 Ethernet I O LAN RX3i ENIU Remote UO RX3i ENIU Remote UO PWS NIU ETM PWS NIU ETM PACSystems Hot Standby CPU Redundancy User s Manual July 2010 GFK 2308F Dual Controller Dual LAN Systems The following template sets ar
111. s Choices are 1 2 3iSC indicates RX3i Simplex Controller Choices are Simplex SC Redundant RC 10SBA indicates 10 remote UO devices Choices are 2 10 20 Note All SBAs in the templates are VersaMax GNIUs The templates support up to 7500 discrete inputs and up to 3200 analog inputs The quantity of discrete outputs and analog outputs is determined by the amount of Q and AQ the remote UO can accommodate GFK 2308F A 1 The templates come with a target for the controller s and a target for each remote I O device The GBOCs in the RX3i are preconfigured with the number of GNIUs in the template Default addressing for Inputs and Outputs is preconfigured Templates with 10 GNIUs have all the GNIUS on a single Dual Genius Bus Templates with 20 GNIUS have 2 Dual Genius Buses and 10 GNIUs are on each dual bus The default I O addressing used in the templates is in the following table Default addressing for Inputs and Outputs i ee Bus l Q Al AQ 1 1 200 1 200 1 50 1 50 2 201 400 201 400 51 100 51 100 3 401 600 401 600 101 150 101 150 4 601 800 601 800 151 200 151 200 5 801 1000 801 1000 201 250 201 250 6 1001 1200 1001 1200 251 300 251 300 7 1201 1400 1201 1400 301 350 301 350 8 1401 1600 1401 1600 351 400 351 400 9 1601 1800 1601 1800 401 450 401 450 10 1801 2000 1801 2000 451 500 451 500 pci d Pus l Q AI AQ 1 2001 2200 2001 2200 501
112. s must be configured with the following settings Redundant Mode Dual Bus Redundant Controller Paired GBC External and Internal SBA 31 primary unit or 30 Secondary unit The redundant devices must be configured for Hot Standby and dual bus mode For example use the following settings for a Genius block Programming Software Redundancy YES Hand Held Monitor CPU Redundancy HOT STBY MODE Hand Held Monitor BSM Present YES Hand Held Monitor BSM Controller YES if BSM is mounted or NO GFK 2308F Chapter 3 System Configuration 3 15 3 16 Hardware Configuration for RX3i Dual Bus Network The hardware configuration for this type of network can be created by adding two GBOs one for each bus and adding the Genius devices to both GBCs See the PACSystems RX3i Dual Genius Bus Quick Start Guide for more information The GBCs must be configured with the following settings Redundancy Mode Redundant Controller External SBA 31 primary unit or 30 secondary unit The GBCs must be configured with the following settings The Genius devices must be configured for Hot Standby and dual bus mode For example use the following settings for a VersaMax GNIU Programmer CPU Redundancy HOT Standby Programmer BSM Present YES Programmer BSM Controller YES Note Templates for RX3i Dual Bus Genius come with the VersaMax GNIUs already configured for the correct Genius network settings PACSystems Hot Standby CPU R
113. s this way instead of including them in the CPU s Transfer List is that the transfer properties are tied to the variable not the memory location If you need to relocate a variable you do not risk accidentally moving it out of the transfer area Mapped variables must be assigned to one General Inspector Variable Rx i_Redund Name ALG320 91 E Description Output Transfer List Publish Internal Array Dimension 1 D Data Source GE FANUC PLC Ref Address 2 w 8 0 1 Input Transfer List False Data Type Current Value Initial Value 0 Default Display Format Decimal gt of the memory ranges allowed for redundancy transfer l AI Q AQ R M W or G Note If a mapped variable within a range specified in the CPU hardware configuration Transfer List page 4 8 is also configured as a transferred variable it will be transferred twice Arrays Arrays can be configured as Mixed transferred variables allowing individual elements to be included in the input transfer list and or the output transfer list If the top level of the array variable is set to True or False for either list all elements in the array are set to the top level value for that list Instance Data Structure Variables All elements of instance data structure variables such as those associated with a function block are transferred according to the setting of the hea
114. s used in redundancy link 1000 feet 304 8 meters 1000 feet 304 8 meters 1 2 PACSystems Hot Standby CPU Redundancy User s Manual July 2010 GFK 2308F Online Programming On line changes to the application program are permitted in both the active unit and the backup unit The programming device must be connected to the unit in which changes are to be made in order to make any on line changes PACSystems releases 5 5 and later support run mode store RMS of the redundancy transfer list This capability allows you to add delete or modify transfer list entries without stopping the controllers Run mode stores are performed independently on both controllers However in a synchronized system the optional Dual RMS with Simultaneous Activation feature can be used to defer activation of the newly stored application data until an RMS has been performed on both units Because the PLC sweeps are synchronized both units will activate the new logic and transfer lists on the same sweep For additional information about the use of this feature refer to Run Mode Stores in Chapter 4 On Line Repair and System Upgrade A Hot Standby CPU Redundancy system permits online repair of failed components without disrupting the control application A failed component can be replaced in either unit after first removing power from the rack in which it is installed After replacing the component returning power to the rack and placing
115. se Transfer Area This command copies eight bytes of data from the reference in the backup unit specified by the PARM parameter Note that SVC_REQ 27 only works when its CPU is the backup unit When its CPU is the active unit SVC_REQ 27 has no effect The active unit stores the transferred data in a temporary buffer The program in the active unit must execute SVC_REQ 28 Read from Reverse Transfer Area which copies the eight bytes of data from the temporary buffer to the reference specified by the PARM parameter DVC REQ 28 only works in the active unit It has no effect when its CPU is the backup unit There is always a one sweep delay between sending data from the backup unit using DVC REQ 27 and reading the data at the active unit using SVC_REQ 28 This data copied from the buffer is not valid in the following cases m During the first scan after either unit has transitioned to RUN m While the backup unit is in STOP mode m If the backup unit does not issue SVC REQ 27 The data should not be used if REM_RDY is off or if REM_RDY is transitioning to on Reverse Data Transfer Example The following rungs would be placed in the program logic of both units In this example the backup unit would send P0001 through P0004 to the active unit The active unit would read the data into P0005 through P0008 P0001 through P0004 on the active unit and P0005 through P0008 on the backup unit would not change T0002 would be set to indicate tha
116. stimated transfer time ms RX7i Formula Synchronization base sweep addition additional amount of time 3 234 ms required to synchronize the CPUs with 0 Data Transfer ms Total transfer time for memory ranges step 2 ms Total transfer time for transferred symbolic variables step 4 ms Total estimated transfer time ms Tips for Reducing Transfer Time Transferred BOOL variables and non byte aligned BOOL arrays will increase transfer time For these you can create an array of BOOLs and transfer the entire array for efficiency You can alias individual array elements to make logic more readable Data structures that contain non contiguous members of different data types can be created You can also create arrays of these structures This feature allows you to put individual members of a data structure or the entire structure on one or both of the transfer lists Placing arrays of structures in the transfer list has the potential to significantly increase the number of entries in the transfer list which will impact user space charged and transfer time PACSystems Hot Standby CPU Redundancy User s Manual July 2010 GFK 2308F Programming a Data Transfer from Backup Unit to Active Unit SVC REQs 27 and 28 The program logic can be used to transfer eight bytes four registers of data from the backup unit to the active unit before the next logic solution To initiate this transfer the backup unit executes SVC_REQ 27 Write to Rever
117. t These data transfers are automatic they require no application program logic but do require proper configuration Data can be transferred on either redundancy link If one link fails the transfer switches to the other link without causing a loss of synchronization GFK 2308F Chapter 5 Operation 5 5 Fail Wait Time 5 6 The active and backup CPUs synchronize their execution twice each sweep once before logic execution and once afterwards Certain failures of one CPU such as an infinite loop in the logic are detected by the other CPU as a failure to reach the next synchronization point on time The maximum time to wait for the other CPU is known as the Fail Waittime The duration of this time must be specified during configuration of both the Primary and Secondary Units and can range from 60 ms to 400 ms in increments of 10 ms with the default being 60 ms The configured Fail Wait time for the system must be based on the maximum expected or allowable difference in the two CPUs reaching a synchronization point For example if one CPU might spend 20ms in the communications phase of the sweep and the other unit might spend 95ms in communications in the same sweep the Fail Wait time must be set to at least 80ms 80 95 20 to prevent loss of synchronization In addition Fail Wait Time must be greater than the sum of the Controller Communications Window Backplane Communications Window and Background Window timer settings Differen
118. t The CPU stores the configuration file in its non volatile RAM memory In the programming software all online operations including downloading a folder are performed on the PLC that is the selected hardware configuration You must download the hardware configuration to each PLC in the redundancy system in a separate operation e 4 16 ch 9v gros 9 If both units are configured as primary or as secondary they will not recognize each other If this happens in an RX7i system the GBCs report SBA conflict faults and blink their LEDs If this happens in an RX3i system the GBCs only blink their LEDs and no fault is reported Correct the configuration of both units before placing either unit in Run mode Make sure the primary HWC is selected D fir Hardware Configuration Primary T6 Se logt S EE o HI Hardware Configuration Sec configuration right click J Logic El RX7i ES Data Watch Lists Set as Selected HWC E Hardware Reference View on Hardware DI n Reference View Tables Report Ctrl T Configuration and choose H Supplemental Files Set as Selected HWC __ Add Rack j Redundancy L If not already done set the physical port parameters for the primary unit in the Target properties Connect to the CPU Make sure the CPU is in Stop mode Import from File Export to File Download Go offline Select the secondary HWC If not already done set the physical port parameters for the second
119. t connect to the other unit and command an RMS to that unit 2 The programmer performs the RMS to the second unit 3 Both units validate that the new application data is compatible in the two units Because the PLC sweeps are synchronized both units will activate the new logic and transfer lists on the same sweep If a power loss occurs on one of the units after activation of the new components begins but before it completes the unit maintaining power will complete the activation and continue as a non synchronized active unit When the other unit is powered back on assuming a good battery it will either have the newly stored application or the original application If the units match they can synchronize without a download If the unit that lost power does not contain the new application data a Primary and secondary units are incompatible fault fault 9 in group 138 will be generated Initial RMS Followed by Dual RMS 4 18 The following procedure is recommended to avoid the risk of both units failing due to logic errors in a dual RMS 1 Perform an RMS of the new application data only to the backup controller prior to modifying the transfer list Do synchronized activation of redundant controllers is not selected 2 Perform a role switch to make the modified controller active 3 Add any variables that require synchronization to the transfer list See Adding Individual Variables to the Transfer Lists on page 4 14 4
120. t the operation was successful and that the data could be used REM_RDY T00001 3 CS UU ER REM ACT M00001 SVC REQ Poo001 T00001 T00002 SVC REQ GFK 2308F Chapter 5 Operation 5 11 Disabling Data Transfer Copy in Backup Unit SVC REQ 43 5 12 To instruct the backup unit to bypass the copy of the transfer data from the active unit use DVC REQ 43 This operation can be used to determine if the active and backup units are arriving at the same results This function is valid only when issued in the backup CPU It is ignored if issued when the units are not synchronized or if it is issued in the active unit DVC REQ 43 disables the copy of data for one sweep beginning with the output data transfer and ending with the input data transfer of the next sweep The copy can be disabled for multiple sweeps by invoking SVC_REQ 43 once each sweep for the appropriate number of sweeps The resynchronization data transfer always occurs even if SVC_REQ 43 is invoked in the first sweep after synchronization this data transfer includes all inputs outputs and internal data that must be exchanged since the resynchronization data transfer occurs before the start of logic execution This service request can be set up to disable the copies for all transfers or just the output transfers If just the output copy is disabled the two units can still use the same set of inputs on each unit This makes it possible to test t
121. ted or modified exchanges will stop on the same PLC sweep Likewise it cannot be guaranteed that production consumption of added or modified exchanges will resume on the same PLC sweep This is consistent with normal operation of EGD in a redundancy system Hardware Configuration and Logic Coupling 4 20 If I O Variables are used an RMS must include both logic and hardware configuration If I O Variables are not used you can choose whether to RMS logic hardware configuration or both If you choose hardware configuration or both all portions of hardware configuration that can be stored in run mode will be included If there are portions of hardware configuration that are not equal and cannot be stored in run mode a warning will be generated PACSystems Hot Standby CPU Redundancy User s Manual July 2010 GFK 2308F Chapter Operation 5 This chapter discusses aspects of PACSystems CPU operation that function differently in a redundancy system For general details of CPU operation refer to the PACSystems CPU Reference Manual GFK 2222 GFK 2308F Powerup of a Redundant CPU Synchronizing Redundant CPUs HSB Control Strategy S References for CPU Redundancy Scan Synchronization Fail Wait Time Data Transfer Switching Control to the Backup Unit Error Checking and Correction Timer and PID Functions Timed Contacts Multiple I O Scan Sets Stop to Run Mode Transition RUN Disabled Mode Genius Bus Controller Switching R
122. tem must be of the same type An RX3i and an RX7i controller cannot function as a redundant pair 1 Install one Redundancy CPU one or two RMX modules and three Ethernet modules each into two rack systems One Rack system will be designated the Primary rack and the other will be designated the Secondary rack 2 With the CPU battery disconnected apply power to the racks When power is applied to the RMX module an internal loopback test occurs the OWN DATA and SIGNAL DETECT indicators turn on briefly during this test When the RMX module and the CPU are powered up and functioning properly the RMX module s OK indicator is on 3 Connect a battery to each redundancy CPU The redundancy CPUs support Error checking and correction ECC memory which must be initialized at least one time with the battery disconnected Once ECC memory is initialized the CPU can be power cycled with the battery connected 4 Download and unzip the appropriate template set for your system Templates for redundancy systems are available from the Support website On the website select Downloads then select the Developer Files category For a list of available template sets refer to the PACSystems RXSi Ethernet NIU User s Manual GFK 2439 Each template set consists of a controller template and an ENIU template 5 Using the Machine Edition Logic Developer software restore the controller project from the appropriate ten ENIU template set GFK 2308F 2
123. tended to supplement the system installation programming and configuration information contained in the manuals listed under Related Publications on page 1 5 Hot Standby CPU Redundancy GFK 2308F Hot Standby CPU Redundancy allows a critical application or process to continue operating if a failure occurs in any single component A Hot Standby system uses two CPUS an active unit that actively controls the process and a backup unit that is synchronized with the active unit and can take over the process if it becomes necessary The two units are synchronized when both are in Run Mode the backup unit has received the latest status and synchronization information from the active unit via a redundancy link and both are running their logic solution in parallel Each unit must have a redundancy CPU and one or two Redundancy Memory Xchange RMX modules The redundancy communication paths are provided by one or two pairs of RMX modules Note We strongly recommend using two pairs of RMX modules configured as dual redundancy links This practice eliminates the possibility of a single point of failure that using only one pair of RMX modules presents Control automatically switches to the backup unit when a failure is detected in the active unit You can initiate a switch of control by activating a toggle switch on the RMX module or activating a service request in the application program When a user initiated switch of control occurs the CPUs sw
124. ter 4 Configuration Requirements 4 3 Hardware Configuration Parameters CPU Parameters This section discusses only the parameters that apply to redundancy systems For information on all the CPU parameters see the PACSystems CPU Heference Manual GFK 2222 Settings Parameter Default Choices Description Stop Disabled N A Always Disabled for a Redundancy CPU Mode UO Scanning Watchdog 200 10 through 1000 in The watchdog timer which is designed to detect failure to Timer increments of complete sweep conditions is useful in detecting abnormal ms 10ms operation of the application program which could prevent the Requires a value PLC sweep from completing within a specified time period The that is greater than CPU restarts the watchdog timer at the beginning of each sweep the program sweep The watchdog timer accumulates time during the sweep time Note In a CPU redundancy system the watchdog timer should be set to allow for the maximum expected scan time plus two fail wait times The Fail Wait parameter is set on the Redundancy tab Furthermore the watchdog timer setting must allow enough time for the CPU to complete one input data transfer and two output data transfers Scan Parameters 4 4 Communications Window Considerations The redundancy CPU supports the use of high speed communications modules such as the Ethernet Interface Requests from devices attached to these communications m
125. the CPU in Run mode the repaired unit synchronizes with the currently active unit Upon successful synchronization the repaired unit becomes the backup unit RX7i Systems Only The Redundancy CPU in each unit can be replaced with a different model in a similar manner For example you may want to replace the CRE020 models with CREOSO or CRE040 models or CREO30 models with CREO40 models During normal operation the primary and secondary units in an HSB redundancy system must have the same CPU model type Extended operation with dissimilar CPU types is not allowed Continued use of dissimilar CPU types may result in timing issues during synchronization The primary and secondary units with dissimilar CPU model types can be synchronized for a limited time for the purpose of system upgrade only Fail wait times for the higher performance CPU in a dissimilar redundant pair may need to be increased to allow synchronization Either model can be in the primary or secondary unit Online repair and system CPU upgrade are described in more detail in chapter 6 GFK 2308F Chapter 1 Introduction 1 3 Definitions Active Unit The unit that is currently controlling the process Backup Unit The unit that is synchronized with the active unit and able to take over the process CPU Redundancy A system with two PLC CPU units cooperating to control the same process Critical Components that acquire or distribute I O data or that are involved in ex
126. the PLC CPU fault table as a LAN System Software Fault Additional details on the operation of the Ethernet Interface can be found in TCP IP Ethernet Communications for PACSystems GFK 2224 PACSystems Hot Standby CPU Redundancy User s Manual July 2010 GFK 2308F Ethernet Global Data in an HSB Redundancy System Note that two redundant units are not guaranteed to consume a given exchange on the same PLC sweep when using redundant IP When using Produce In Backup mode the backup unit is not guaranteed to produce data on the direct IP at exactly the same time the active unit produces data on the redundant IP for a given exchange Ethernet Global Data Production By default only the active unit produces EGD exchanges This reduces the amount of traffic on the Ethernet network and simplifies the handling of the exchanges by the consumer In particular the consumer is able to consume exchanges from the redundant system in the same way it consumes exchanges from non redundant systems Individual exchanges can be configured for produce in backup mode The backup unit produces these exchanges through the Ethernet module s direct IP address If the PLC is set to Stop IO Disabled mode outputs are disabled on the active unit and neither unit produces EGD In an Ethernet Interface pair with Redundant IP enabled a newly active Ethernet interface arbitrates for the redundant IP address and delays EGD production accordingly If both redundant un
127. trolling the same process to provide alternate functional channels in case of failure Redundancy Link A complete communications path between the two CPUS consisting of one RMX in the primary unit one RMX in the secondary unit and a high speed fiber optic cable connecting them to each other Redundant IP An IP address that is assigned to the pair of Ethernet interfaces in the primary and Address secondary units All data sent to the redundant IP address including EGD produced to the redundant IP address is handled by the active unit Role Switch User initiated switch of control where the active unit becomes the backup unit and the backup unit becomes the active unit Secondary Unit The unit configured to control the process in a Redundancy System when the primary unit is unavailable or otherwise marked as not controlling the process For redundant Genius UO the Genius Bus Controllers in the secondary unit are configured for SBA 30 Synchronized Condition where both units are in Run Mode and the backup unit has received the latest status and synchronization information from the active unit via a redundancy link When the two units are synchronized they run their logic solution in parallel If the active unit goes offline control of the redundancy outputs is switched bumplessly without interruption to the backup unit Transfer List The ranges of references that will be transferred from the active u
128. ts and failures that are detected as soon as possible but not necessarily within the current sweep include a group of faults that are not detected by the CPU itself These faults are typically detected within one second Genius faults circuit faults loss of device and so forth fall into this category During the background window additional memory tests are continuously performed These tests can also detect single and multiple bit memory failures GFK 2308F 6 1 s PLC Fault Table Messages for Redundancy The following table lists messages descriptions and corrective actions for error codes associated with the redundancy fault group These error codes can be viewed in the Fault Tables provided by Machine Edition The entire fault data including these error codes can also be accessed using SVC_REQ 15 and 20 Redundancy Fault Group 138 Error Code Message Fault Description Corrective Action 1 Primary unit is active The primary and secondary units have None required and secondary unit is switched roles the secondary backup transitioned to Run after the primary or both units transitioned to Run at the same time 2 Secondary unit is active The secondary and primary units have None required and primary unit is switched roles or the primary backup transitioned to Run after the secondary 3 Primary unit is active no The primary unit has transitioned to Run To have a synchronized system the backup unit a
129. ule supports hot insertion and removal However the redundancy communication link associated with a hot swapped RMX module will not be restored automatically The LINK OK indicator on both RMX modules in the link will be OFF To restore the link refer to Online Repair in Chapter 6 LED Label Description OK ON indicates the module is functioning properly LINK OK When used as a redundancy link ON indicates the link is functioning properly LOCAL READY ON indicates the local unit is ready LOCAL ACTIVE ON indicates the local unit is active REMOTE READY ON indicates the remote unit is ready REMOTE ACTIVE ON indicates the remote unit is active OWN DATA ON indicates the module has received its own data packet from the network at least once SIGNAL DETECT ON indicates the receiver is detecting a fiber optic signal SIG DETECT PACSystems Hot Standby CPU Redundancy User s Manual July 2010 GFK 2308F Redundant UO Systems Ethernet Network Interface Unit ENIU CPU based ENIU modules can be used to interface the RX7i or RX3i Redundancy CPU to remote I O stations through Ethernet LANs These devices which include IC695NIUOO1 and IC693NIU004 make it possible to use PACSystems RX3i and Series 90 30 I O remotely on an Ethernet network An identical set of EGD exchange definitions is downloaded to both the primary and secondary controllers An ENIU can consume EGD exchanges from two controllers sim
130. ultaneously However when used with redundant controllers the ENIU automatically switches to the standby controller if the active controller becomes unavailable For sample redundancy systems using EGD see page 3 6 For details on EGD operation in a redundancy system see Ethernet Global Data in an HSB Redundancy System in chapter 5 For details on the operation of ENIUs see the PACSystems RX3i Ethernet NIU User s Manual GFK 2439 Genius Bus Controller and Genius Devices Local UO The Genius Bus Controller interfaces the Redundancy CPU to a Genius I O bus The bus controller scans Genius devices asynchronously and exchanges UO data with the CPU An HSB CPU Redundancy system can have multiple Genius I O bus networks Any Genius device can be placed on the bus Genius blocks Field Control Remote I O Scanner VersaMax I O etc The Genius outputs are determined by the active unit The Genius Bus Controller in the primary unit has a Serial Bus Address of 31 the Genius Bus Controller in the secondary unit has a Serial Bus Address of 30 For sample redundancy systems using Genius I O see page 3 11 Note For RX3i systems with Dual Genius Buses only VersaMax UO Genius Network Interface Units GNIU are supported at this time For non Dual Genius Buses any Genius device can be placed on the bus Genius blocks Field Control Remote I O Scanner VersaMax I O etc Local I O can be included in either unit however it is not part of t
131. ust be located in the primary unit and two more in the secondary unit There can be multiple dual bus pairs The bus controllers in the primary unit are assigned Serial Bus Address 31 The bus controllers in the secondary unit are assigned Serial Bus Address 30 Genius output devices will use outputs from Serial Bus Address 31 in preference to outputs from Serial Bus Address 30 Outputs are determined by the active unit regardless of which bus controller provides the outputs since all redundant Genius outputs are transferred from the active unit to the backup unit Any type of Genius device can be connected to the network Each Genius network can have up to 30 additional Genius devices connected to it You may want to reserve one Serial Bus Address for the Hand Held Monitor As a safety feature a watchdog timer protects each Genius I O link The bus controller periodically resets this timer If the timer expires the bus controller stops sending outputs If this happens in a Dual Bus Genius network of a CPU Redundancy system the paired GBC in the other unit drives the outputs of the Genius devices If the GBC in the other unit is not available the BSMs switch to the other bus The cause of the failure must be remedied to re establish communications Hardware Configuration for RX7i Dual Bus Network The hardware configuration for this type of network can be created by selecting Dual Bus Redundant Controllers in the Redundancy Wizard The GBC
132. vailable mode or secondary unit was put into secondary unit must be placed in RUN Stop mode The primary unit is running mode with a compatible configuration without a backup 4 Secondary unit is active The secondary unit has transitioned to To have a synchronized system the no backup unit available RUN mode or primary unit was put into primary unit must be placed in RUN Stop mode The secondary unit is mode with a compatible configuration running without a backup 5 Primary unit has failed The primary unit has recorded a fatal If primary unit has also logged the fault secondary unit is active fault or the secondary has lost Secondary Unit Has Failed Primary w o backup communications with the primary The Unit is Active w o Backup then secondary unit is running without a communications is broken between the backup two units and must be repaired If a fatal fault has been logged in the primary unit the indicated fault must be repaired Power may have to be cycled on one of the units in order to re establish communications and return to a synchronized system 6 Secondary unit has The secondary unit has recorded a fatal If secondary unit has also logged the failed primary unit is fault or the primary unit has lost fault Primary Unit Has Failed active w o backup communications with the secondary Secondary Unit is Active w o Backup The primary unit is running without a then communications has been broken
133. vates the redundant IP address and sends out an address resolution protocol ARP message to force all other Ethernet devices on the network to update their ARP cache This ARP message is sent so that communications to the redundant IP address will be directed to the newly active unit At this point the Ethernet interface responds to both the redundant IP address and its direct IP address When commanded to begin EGD production by the CPU the Ethernet interface in the active unit verifies that it has successfully obtained the redundant IP address EGD production does not begin until the Ethernet interface obtains the redundant IP address If the redundant IP address is in use by another device on the Ethernet network the Ethernet interface periodically attempts to verify that the address is not in use The Ethernet interface attempts to verify the redundant IP address until it determines the redundant IP address is no longer in use on the network or until the Ethernet interface transitions to backup due to either a notification from the CPU that the unit has become the backup unit or a failure that results in the Ethernet interface transitioning to backup This means that if all redundancy links between the two units fail and the units become non synchronized active both units will attempt to use the redundant IP address but only one will succeed If one of the two units was already active and responding to the redundant IP address it will continue to d
134. w the steps given below for the particular I O system PACSystems Hot Standby CPU Redundancy User s Manual July 2010 GFK 2308F s Genius UO Systems If the Genius Bus Controllers on both the Primary and Secondary CPUs are OK and actively sending outputs to the Genius devices it is preferable to power off the Secondary CPU rack because the Genius devices prefer the Primary CPU f an RMX module has failed the rack containing the failed module must be powered off even if it is the Primary CPU rack If it has been determined that the problem is due to a failed fiber cable only you can choose to take the Secondary CPU offline Note lf there is a problem with Genius Bus Controller connectivity to any of the Genius I O Devices this should be fixed before proceeding to the next steps Since the Redundancy CPUs are not synchronized taking a CPU offline may cause a disruption in the outputs You must be prepared to handle this condition ENIU UO Systems 1 Using the ENIU status data you should determine whether all ENIUs have network connectivity to both Redundancy CPUs For details on using the ENIU status information refer to the PACSystems RX3i Ethernet NIU User s Manual GFK 2439 Note f there is a problem with network connectivity to either CPU from any ENIU this should be fixed prior to proceeding to the next steps 2 Using the ENIU status data determine which CPU is controlling outputs on each ENIU f
135. zation 5 7 Switchover time 5 15 Synchronization operation 5 3 scan 5 5 Synchronized defined 1 4 System Communications Window 4 4 System upgrades CPU types 1 3 6 11 T Technical Support See page iii Templates 2 1 3 6 Timed contacts 5 19 Timer function blocks 5 19 Transfer List data transfer 5 7 defined 1 4 individual variables 4 14 memory used 4 8 ranges 4 8 report 4 15 Index Index Transfer time estimating 5 8 reducing 5 10 Transferred variables 4 14 Transition contacts and coils 5 7 W Watchdog timer Genius bus 3 13 3 15 setting 4 4 Wizards 4 2 Index 3
136. zation to occur Note Individual variables can also be configured as transferred variables in either or both the input and output transfer lists For details see page 4 14 To view the amount of memory used for transfer data redundancy memory usage go online and store the configuration Then right click the Target choose Online Commands and select Show Status In the status dialog box select the Redundancy tab Program PIDTESTS1 PLC State Run Enabled E x General Memory Refere Protection Sweep r CPLI Information Redundancy Mode Primary Current State Active Synchronized Redundancy Memory Usage 52992 bytes m Redundancy Status Local Unit Ready True Remote Unit Ready True Logic Equal True Local Unit Active True Remote Unit Active False Cancel Help PACSystems Hot Standby CPU Redundancy User s Manual July 2010 GFK 2308F Genius HSB If the program logic requires identical input values for the two units those references including Genius inputs must be included in the input transfer list You must include all redundant Genius outputs i e those Q and AQ references tied to redundant Genius devices in the output transfer list Failure to do so will result in the primary unit always determining the output values even when it is the backup unit By default Machine Edition generates an error and prevents storing of the configuration if a redundant output is not in
Download Pdf Manuals
Related Search