GE Fanuc Automation Programmable Control Products Series 90-70 Hot Standby CPU Redundancy User’s Guide GFK-0827 December 1993
GFL–002 Warnings, Cautions, and Notes as Used in this Publication Warning Warning notices are used in this publication to emphasize that hazardous voltages, currents, temperatures, or other conditions that could cause personal injury exist in this equipment or may be associated with its use. In situations where inattention could cause either personal injury or damage to equipment, a Warning notice is used. Caution Caution notices are used where equipment might be damaged if care is not taken.
Preface This manual is a reference to the hardware components, configuration and operation of the Hot Standby CPU Redundancy system for the Series 90-70 Programmable Logic Controller. This redundancy system is one of several redundancy alternatives that may be incorporated into a Series 90-70 Programmable Logic Controller system (see Appendix A).
Series 90-70 PLC Reference Manual (GFK-0265). Reference manual which describes operation, fault handling, and Logicmaster 90-70 programming instructions for the Series 90-70 PLC.
Series 90-70 Remote I/O Scanner User’s Manual (GFK-0579). Reference manual for the Remote I/O Scanner, which interfaces a drop containing Series 90-70 modules to a Genius bus. Any CPU capable of controlling the bus can be used as the host. This book describes the Remote I/O Scanner features, configuration, and operation.
Contents
Chapter 1 Introduction
  Hot Standby CPU Redundancy Product
    Features of the Hot Standby CPU Redundancy Product
    Benefits of the Hot Standby CPU Redundancy Product
    I/O Systems for Hot Standby CPU Redundancy Systems
    Genius I/O System
Chapter 2 System Components
  Redundancy CPU
    CPU Architecture
    CPU Features
    CPU Mode Switch
Chapter 3 Configuration
  Configuring a Hot Standby CPU Redundancy System
  Redundancy System Requirements
    Basic Redundancy System Setup
    Logicmaster 90 Configuration
Chapter 4 Operation
  Section 1: System Operation
  Power-Up Sequence of a Redundant CPU
    Incompatible Configurations
    Resynchronization of the Redundant CPU
  Section 2: Fault Detection and Control Actions
  Fault Detection
  Fault Categories
    Changing Fault Category Actions
    PLC Fault Table
Figures
  Figure 1. Example of a Local I/O Configuration with Expansion Racks in a Hot Standby CPU Redundancy System
  Figure 2. Synchronized Hot Standby CPU Redundancy System Configuration
  Figure 3. CPU 780 Locations in a Hot Standby CPU Redundancy System
  Figure 4. Redundancy CPU - IC697CPU780
Tables
  Table 1. Capacities for Redundancy CPU, IC697CPU780
  Table 2. Valid Operating Mode Selection
  Table 3. Expansion Memory Boards for CPU 780
  Table 4. Shared I/O Data Parameters
contains all redundant Genius Bus Controllers at Serial Bus Address 31; the Secondary PLC contains all redundant Genius Bus Controllers at Serial Bus Address 30. The CPU that currently controls the system is called the active unit; the other CPU is the standby unit. If certain system failures are detected in the active unit, control is switched to the standby unit. Control can also be switched by depressing a pushbutton on the Redundancy Communications Module, or through the user’s logic program.
Features of the Hot Standby CPU Redundancy Product
- Bumpless switching
- Synchronized CPUs
- One scan switching (in most cases)
- 20 millisecond scan extension (nominal). This figure is variable, depending on amount of data transferred.
I/O Systems for Hot Standby CPU Redundancy Systems
Both Series 90-70 Local I/O and Genius I/O systems can be present in a Hot Standby CPU Redundancy control system. The two units are not required to have matching I/O systems. They may have different numbers of I/O racks, and different local I/O or option modules.
Genius I/O System
A Genius I/O system is the I/O system that is included in the redundancy system as shown below. The system can have multiple Genius I/O buses.
[Figure: Primary Unit and Secondary Unit (rack 0 of each, Genius Bus Controllers at serial bus addresses 31 and 30), a remote drop, and local I/O expansion racks 1 through 6 on a terminated I/O cable. Local I/O can be in racks 0-6. * I/O cable with built-in termination: IC697CBL811 (10 feet (3 m)), IC697CBL826 (25 feet).]
for three consecutive Genius I/O bus scans, the outputs are then controlled by the Genius Bus Controller at serial bus address 30 (Genius Bus Controller in the Secondary PLC). If output data is not available from either bus address 31 or 30, the outputs go to their configured default (OFF or hold last state). The PLC at serial bus address 31 always has priority; therefore, when the PLC with serial bus address 31 is on-line, it always has control of the outputs.
Redundancy CPU Module
The same model of CPU must be installed in both the Primary and Secondary PLCs. This CPU, which is the only CPU that currently supports synchronized Hot Standby CPU redundancy, is the CPU 780 (catalog number IC697CPU780).
the two CPUs and provides the communications path for the transfer of I/O data between the two units. An RCM must be configured in both the Primary PLC and the Secondary PLC. The RCM must reside in the CPU rack (rack 0) in a system and there can be no empty slot between the RCM and the CPU (there can be other modules).
Bumpless Switching
Bumpless switching occurs when the active unit fails and system control is transferred to the backup unit without affecting the operation of the process under control.
1 If the switch occurs due to a controlled condition such as toggling the unit selection switch on the Redundancy Communications Module or forcing a switch in the user logic program with a SVC_REQ, or because of a fault detected by the PLC CPU, then the switch-over will occur at the beginning of the next sweep. The delay will be up to 1 sweep with the possibility of an input and an output scan after failure detection.
Programming Considerations
There are several features in the operation of the Redundancy CPU which are not supported or are different from the operation of other CPUs. These features are listed below and are described in detail in Chapter 4, "System Operation".
1 The Primary Unit and the Secondary Unit must be configured separately. That is, the programming device should be connected directly to either the Primary or the Secondary Unit to configure that unit. When you have completed configuring that unit, disconnect the programmer from the configured unit and move it to the other unit and proceed with configuration of the second unit.
Commonly Used Acronyms
The acronyms used in this manual are defined for your convenience in the following table.
Chapter 2 System Components
This chapter describes the hardware components for a Hot Standby CPU Redundancy system. It describes the modules required for the system and provides catalog numbers of the components. For detailed installation instructions for the Series 90-70 PLC, refer to GFK-0262, the Series 90-70 Programmable Controller Installation Manual.
[Figure 3. CPU 780 Locations in a Hot Standby CPU Redundancy System: Primary Unit (GBC at 31) and Secondary Unit (GBC at 30), joined by the Redundancy Communications Links and the Genius bus.]
The capacities for the CPU 780 are as listed in the following table. Table 1.
timer is 10 milliseconds to 1000 milliseconds. The default value for the watchdog timer is 200 milliseconds. The watchdog timer resets at the beginning of each sweep. The fail wait time is included in the watchdog check. The watchdog timer should be set to allow for the expected scan plus two fail wait times.
CPU Features
The CPU must reside in Slot 1 in rack 0, the main (CPU) rack. An illustration of the CPU 780 is shown in the following figure, followed by a description of the CPU features.
2 CPU Mode Switch A three-position toggle switch is mounted near the top of the CPU board. This switch selects one of three operating modes for the CPU: RUN/ENABLED, RUN/DISABLED, or STOP. Although the mode of operation for the CPU can be controlled from both the switch and the programmer, the switch position restricts the ability of the programmer to put the CPU into certain modes. The following table shows the modes that can be selected by the programmer based upon the position of the CPU mode switch.
Memory Protect Keyswitch
The Memory Protect keyswitch is located at the top of the module and has two positions: ON and OFF. This keyswitch is used to manually lock program and configuration data. When the key is in the "protected" (ON) position, program and configuration data can only be changed by a programmer connected for parallel communications with the CPU 780 (that is, to the Bus Transmitter Module).
Serial Port Connector
The 15-pin D-connector at the bottom of the module provides the connection to an RS-422/RS-485 serial port. This port provides a serial connection to the Work Station Interface (WSI) board installed in the programming computer. For applications requiring RS-232 communications, an RS-232 to RS-422 converter (IC690ACC900) or RS-232 to RS-422 miniconverter (IC690ACC901) is available.
2 Redundancy Communications Module The Redundancy Communications Module (RCM), catalog number IC697RCM711, provides a communications path for sharing data between the two CPUs in the redundant system. In a synchronized system, I/O data is controlled by one unit (the active unit) but is shared between both units (active and backup units). The RCM provides the communications path between the two units. An RCM must be configured in both the Primary PLC and the Secondary PLC.
[Figure 6. Example of RCM Location in a Hot Standby CPU Redundancy System: Primary Unit (rack 0, GBC at 31) and Secondary Unit (rack 0, GBC at 30), joined by the Redundancy Communications Links.]
RCM System Status LEDs
A Hot Standby CPU Redundancy system has two RCM modules, each with five LEDs and a momentary pushbutton switch for manually switching between the active and the backup units.
LOCAL SYSTEM ACTIVE: Indicates whether the local unit is the controlling (or active) unit in a redundancy system. It is the responsibility of the local unit to set the state of this LED at least once during each sweep; if the local unit is unable to set (or fails to set) the state of the LED, the hardware will force the LED to off after the timer has timed out.
REMOTE SYSTEM READY: Indicates whether the remote unit is ready to become the active unit in a redundant PLC configuration.
2 Bus Transmitter Module A Bus Transmitter Module (BTM), catalog number IC697BEM713, is required in both the Primary PLC CPU rack (rack 0) and the Secondary PLC CPU rack (rack 0) in a Hot Standby CPU Redundancy system. The BTM provides a path for Redundancy communications when connected to the Redundancy Communications Module (RCM). Each PLC system (Primary and Secondary) has a BTM and an RCM in rack 0.
2 BTM Connectors There are two connectors on the front of the BTM board. The top one provides a parallel connection to a Work Station Interface (WSI) board installed in the programmer for the Series 90-70 PLC. Serial connection to Workmaster II is through a programmer cable (IC647CBL703) 10 feet (3 meters) in length (parallel connection to Workmaster is through a parallel I/O cable, IC600WD005A).
2 I/O Bus Signal Termination The I/O bus signals must be terminated at the end of the bus. In a standard PLC system this is done by installing a resistor pack, located inside of a terminator plug (catalog number IC697ACC702) on the bottom connector of the BRM module that is installed in the last I/O expansion rack in the system. In a Hot Standby CPU Redundancy system a special I/O cable with built-in termination is used. Do not use the resistor plug with the terminated cable.
The Hot Standby CPU Redundancy system uses a single Genius bus and requires one GBC module in the Primary PLC and one in the Secondary PLC; however, there can be multiple Genius buses configured in this manner in a system. The GBCs in the Primary PLC are assigned SBA 31, and the GBCs in the Secondary PLC are assigned SBA 30. Data from SBA 31 in the Primary PLC is the "preferred" data. The Primary PLC is normally the active unit in the redundancy system.
CH 1 OK
The CH 1 OK LED is the middle LED. It operates identically to the Module OK LED in that it is ON after the board has successfully completed the power-up diagnostics and OFF if a failure has been detected during the power-up diagnostics, or if its bus or bus controller fails while the CPU is running (even in the STOP mode). If the failure is a bus controller failure, the LED will remain permanently off.
Chapter 3 Configuration
This chapter describes how to configure a Series 90-70 PLC system for Hot Standby CPU Redundancy. Several parameters in addition to the normally configured CPU parameters must be configured for the Redundancy CPU 780. A description of all of the parameters for a redundancy system is provided first, followed by an example of a Primary system configuration and a Secondary system configuration.
Redundancy System Requirements
For a redundant CPU configuration using the Hot-Standby Redundancy scheme to be valid, the following requirements must be true in both the Primary Unit and the Secondary Unit in the redundancy system.
- One configuration must be set to Primary; the other to Secondary.
- The control strategy configurable parameter must be set to "GHS".
- An RCM must be configured in rack 0 of each system. There can be no empty slots between the RCM and the CPU.
3 Screens for Fault Category Configuration A new Fault Category Configuration screen is displayed for the CPU 780. This new screen has two columns of fault actions for the configurable fault groups/categories. The following sample screens show the Fault Category Configuration screens as they appear in Logicmaster 90-70. To access this screen, select the F2 softkey (CPU Configuration) from the Configuration Software main menu. The CPU Configuration menu will be displayed.
3 The Fault Type is shown at the left. The first column under Fault Category (CFG) shows which faults are FATAL and which faults are DIAGNOSTIC for this CPU, when it is the only running CPU (i.e., stand-alone with no backup available). This column can be edited for each fault group/category to select FATAL or DIAGNOSTIC so that a safe shutdown or fault tolerant operation can be selected for when a failure occurs with no backup ready.
cable connecting the PLC to the programmer should only be plugged and unplugged when the programmer is powered up and offline. Avoid powering the parallel programmer up or down while connected to a running PLC.
Configuration of a Redundancy CPU Module
The redundancy CPU module, IC697CPU780, must be configured as a rack module in rack 0, slot 1. The procedure for configuring a CPU 780 in a rack is described below.
The detail screen of the currently configured CPU module is displayed. The following screen shows the CPU module detail screen for the currently displayed module. To select the CPU 780 Redundancy CPU module, press the cpu softkey (F1). A list of the available CPU modules is displayed with the currently selected CPU module highlighted in reverse video. Move the cursor to the line for the Redundant CPU (catalog number IC697CPU780), as shown below, and press Enter.
If the existing configuration does not require any modification to suit the redundant CPU configuration, the prompt "REPLACE displayed module ? (Y/N)" will be displayed beneath the softkey strip instead of the message box. If you answer "Y", page 1 of the detail screen for the redundant CPU (IC697CPU780) is displayed. If you answer "N", the previous CPU is displayed. For the redundant CPU configuration example, the answer is "Y".
3. In a redundant CPU system, RCMs cannot be configured in expansion racks.
4. Rack 7 cannot be seen or edited.
Redund Type
This parameter specifies whether the CPU is configured as the primary controller or the secondary controller. The Redund Type has three possible choices: PRIMARY, SECNDARY, or SIMPLEX. The default value is PRIMARY. When this configuration item is set to PRIMARY, all configured redundant Genius Bus Controller (GBC) Serial Bus Addresses (SBA) must be 31.
3 Constant Window Sweep Mode To change the Sweep Mode, move the cursor to the Sweep Mode field and press the Tab key until the desired mode is displayed. Below is the detail screen (page 2) of a redundant CPU configured for CNST WND (constant window) sweep mode. When a Series 90-70 redundant CPU is configured for CNST WND (constant window) mode, the window value will automatically be set to 10 msec.
3 set for SIMPLEX mode. The parameters on this screen are Ctrl Strgy (Control Strategy), Fail Wait and SHARED I/O. Ctrl Strgy This parameter specifies which type of control strategy is selected for a redundancy system. The valid entry is three ASCII characters (A...Z). The only value that is supported at this time is Genius Hot Standby (GHS). If this parameter is set to any other value, the configuration will be considered valid, but any attempt to STORE the configuration will be rejected by the PLC.
Table 4. Shared I/O Data Parameters
I/O Parameter: Description and Valid Entries
%I Ref Adr: Starting address for redundant %I data region. Range is %I00001...%I12288. The starting address is bit aligned. Default value is %I00001.
%I LENGTH: The bit length of the redundant %I data region. Range is 0...12288. Default value is 0.
%Q Ref Adr: Starting address for redundant %Q data region. Range is %Q00001...%Q12288. The starting address is byte aligned. Default value is %Q00001.
3 Note that the memory for the Shared I/O data that is stored at configuration must be subtracted from the amount of memory on the configured expansion memory module. The calculation for the size of the memory for Shared I/O data is (bytes of Input data transfer plus bytes of Output data transfer plus 8 Kbytes for synchronization information).
3 Configuring a CPU Expansion Memory Board To configure a CPU expansion memory board for the CPU 780, press the expbd softkey (F9) and then the memory softkey (F1). Position the cursor on the desired expansion memory board and press Enter to select that board. The detail screen for the expansion memory board and the displayed catalog list for the available CPU expansion memory boards is shown below. Press the Esc key twice to return to the Rack level display.
3 Configuration of a Redundancy Communications Module As described previously, one Redundancy Communications Module (the Local unit) must be configured in rack 0 (can be in slots 2 to 9). There must not be an empty slot between the CPU 780 module and the RCM module. If there is an empty slot, the configuration will be invalid. The following example screens show an RCM configured in slot 2 in rack 0. While in the I/O Configuration rack screen, cursor to slot 2 (currently empty) as shown below.
To display the RCM catalog list, press the rcm softkey (F3). The RCM catalog list is then displayed as shown below. Next, press the Enter key; the following screen is displayed to confirm that you have selected the RCM catalog entry. You have just configured the Local RCM in rack 0. The system automatically configures the RCM in the Secondary unit as being in slot 1 of rack 7 (in relation to the RCM you have just configured in the Primary unit).
3 Configuration of a Genius Bus Controller For this example, assume that a Genius Bus Controller has been configured in slot 3 of rack 0. In a Hot Standby CPU Redundancy system, the Redundancy parameter (Redund Mode) of a Genius Bus Controller can only be NONE or RED CTRL; any other value is not valid. The following screen is the GBC screen when the Redund Mode parameter is set to NONE.
3 Serial Bus Address All redundant GBCs in the Primary CPU redundant system MUST be configured at SBA 31. In the sample screen on the previous page, the rack level GBC is configured at SBA 31. The Bus level GBC is automatically configured at SBA 30. All redundant GBCs in the Secondary CPU redundant system MUST be configured at SBA 30. In our example, the rack level GBC is configured at SBA 30.
3 Configuring a Primary Redundant PLC The steps required for configuring a Primary Redundant PLC are described below. The Primary PLC and the Secondary PLC must be configured separately. An example of the configuration screens for each system is provided on the following pages. The programmer must be connected to the CPU in the Primary PLC to configure the Primary PLC and then moved to the CPU in the Secondary PLC to configure the Secondary PLC. First, the Primary PLC will be configured.
Select the Redundancy CPU Module
Move the cursor to the line for the Redundant CPU, IC697CPU780, and press the Enter key. A message is displayed beneath the softkey selection strip: "REPLACE displayed module ? (Y/N)". Press the Y key to replace the currently displayed CPU with the CPU 780. The detail screen (page 1) for the redundancy CPU module is displayed. Press the PgDn (page down) key to go to the next page of the CPU module.
Press the PgDn key again to go to the next page of the CPU module. The default screen for page 3 of the CPU detail screen appears as shown below:
Select an Expansion Memory Board
To configure a CPU expansion memory board for the CPU 780, press the expnd softkey (F9), then the memory softkey (F1). The detail screen for selection of the expansion memory board with the catalog list of the CPU expansion memory modules appears as follows: Position the cursor on the desired memory board and press Enter.
3 Press the Esc key twice to return to the rack level display, which now appears as shown below. Configure the Redundant Communications Module To configure an RCM in rack 0, slot 2, move the cursor to slot 2 and press the bem softkey (F3). The configuration screen for bus communication modules will appear. From this screen press the rcm softkey (F3). The catalog list screen for the RCM module will be displayed. Press the Enter key to select the RCM module, IC697RCM711.
3 Configure a Genius Bus Controller To configure a Genius Bus Controller module in rack 0, slot 3, position the cursor on slot 3 and press the genius softkey (F2). To display the catalog list for the Genius Bus Controller, press the gbc softkey (F1). Press the Enter key to select the Genius Bus Controller module. The Genius Bus Controller detail screen will then be displayed as shown below.
3 Press the Esc key to return to the rack level screen. From the rack level screen press the zoom softkey (F10). The following bus level screen is displayed: To view the Genius Bus Controller (block level) at SBA 30, position the cursor on BUS ADR 30 and press the zoom softkey. The Genius Bus Controller’s detail screen will appear as shown below.
At this point, press the Esc key and the bus screen will appear as shown below.
Configure Genius I/O Blocks
We will now configure a block for Bus Address 29. Move the cursor to block 29 and configure a bus block (Discrete Input block IC660BBD110 for this example) by selecting the F1 function key (d in), then Enter. The bus block’s detail screen will appear as shown below.
3 When you have completed configuring Genius blocks, press the Esc key to go from the block level display back to the bus level display. The bus display will now appear as shown below. Configure the Bus Transmitter Module Press the Esc key to return to the rack level display. A message will be displayed reminding you to configure a Bus Transmitter Module for this rack (since it had not been configured earlier). Press Esc again.
3 Configuring a Secondary Redundant PLC This section describes the steps for configuration of a Secondary PLC. The programmer for Logicmaster 90-70 software must be connected to the Secondary PLC in order to configure the Secondary PLC. There are several ways to configure a Secondary PLC in a Hot Standby CPU Redundancy system. One method is shown here. Create a new folder for the Secondary PLC system. Copy the data from the Primary PLC system to the Secondary PLC system folder.
Position the cursor on rack 0, slot 1. Press the zoom softkey (F10) to zoom into the CPU module configured in slot 1. The detail screen (page 1) for the CPU module appears as shown below:
Change Redund Type
Change the Redund Type parameter value from PRIMARY to SECNDARY by pressing the Tab key, then the Enter key. The message "SBAs of all redundant GBCs in a secondary system must be 30: modify (Y/N) ?" will be displayed. Press "Y" at the prompt.
3 Press the Esc key twice to save the changes you have just made. This completes the process of converting a Primary PLC redundancy system configuration to a Secondary PLC redundancy system configuration. The differences between the Primary system and the Secondary system are: 1. The CPU module parameter Redund Type in a Primary system is PRIMARY and in a Secondary system is SECNDARY. 2. The Serial Bus Address (SBA) of a redundant GBC in a Primary system MUST be 31 and in a Secondary system MUST be 30.
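The requirements stated in this chapter (and the watchdog guideline from Chapter 2) can be checked mechanically before a configuration is stored, which catches the common mistake of copying the Primary folder and changing only Redund Type. The following Python check is an added example, not GE Fanuc or Logicmaster code; the `Unit` and `Gbc` records, the module tags in `rack0`, and the sample fail-wait and scan times are constructed for illustration.

```python
from dataclasses import dataclass, replace

CPU_SLOT = 1                                   # CPU 780: rack 0, slot 1
RCM_SLOTS = range(2, 10)                       # RCM: rack 0, slots 2 to 9
REDUNDANT_SBA = {"PRIMARY": 31, "SECNDARY": 30}
GBC_REDUND_MODES = {"NONE", "RED CTRL"}
SYNC_BYTES = 8 * 1024                          # synchronization information


@dataclass(frozen=True)
class Gbc:                                     # hypothetical record
    slot: int
    redund_mode: str
    sba: int


@dataclass(frozen=True)
class Unit:                                    # hypothetical record
    redund_type: str
    ctrl_strgy: str
    rack0: dict                                # slot -> "CPU", "RCM", "BTM", ...
    gbcs: tuple
    watchdog_ms: int
    fail_wait_ms: int
    expected_scan_ms: int


def check_unit(u):
    """Return a list of rule violations for one unit (empty list = valid)."""
    findings = []
    want_sba = REDUNDANT_SBA.get(u.redund_type)
    if want_sba is None:
        findings.append(f"Redund Type {u.redund_type!r} is not PRIMARY or SECNDARY")
    if u.ctrl_strgy != "GHS":
        findings.append(f"Ctrl Strgy {u.ctrl_strgy!r}: a STORE is rejected unless it is GHS")
    if u.rack0.get(CPU_SLOT) != "CPU":
        findings.append("CPU 780 must be in rack 0, slot 1")
    if "BTM" not in u.rack0.values():
        findings.append("no Bus Transmitter Module configured in rack 0")
    rcm_slots = [s for s, m in sorted(u.rack0.items()) if m == "RCM"]
    if not rcm_slots:
        findings.append("no RCM configured in rack 0")
    for s in rcm_slots:
        if s not in RCM_SLOTS:
            findings.append(f"RCM in slot {s}: must be in slots 2 to 9")
        gaps = [g for g in range(CPU_SLOT + 1, s) if g not in u.rack0]
        if gaps:
            findings.append(f"empty slot(s) {gaps} between CPU and RCM in slot {s}")
    for g in u.gbcs:
        if g.redund_mode not in GBC_REDUND_MODES:
            findings.append(f"GBC in slot {g.slot}: Redund Mode {g.redund_mode!r} not valid")
        elif g.redund_mode == "RED CTRL" and want_sba is not None and g.sba != want_sba:
            findings.append(
                f"GBC in slot {g.slot}: SBA {g.sba}, must be {want_sba} for {u.redund_type}")
    if not 10 <= u.watchdog_ms <= 1000:
        findings.append(f"watchdog {u.watchdog_ms} ms outside 10 to 1000 ms")
    needed = u.expected_scan_ms + 2 * u.fail_wait_ms
    if u.watchdog_ms < needed:
        findings.append(f"watchdog {u.watchdog_ms} ms < scan + 2 fail waits ({needed} ms)")
    return findings


def check_pair(a, b):
    """Check both units plus the one-Primary, one-Secondary requirement."""
    findings = [f"unit A: {f}" for f in check_unit(a)]
    findings += [f"unit B: {f}" for f in check_unit(b)]
    if {a.redund_type, b.redund_type} != {"PRIMARY", "SECNDARY"}:
        findings.append("one unit must be PRIMARY and the other SECNDARY")
    return findings


def shared_io_memory_bytes(input_bytes, output_bytes):
    """Expansion memory consumed by Shared I/O data, per the stated calculation."""
    return input_bytes + output_bytes + SYNC_BYTES


# Constructed sample: rack 0 with CPU, RCM, GBC and BTM in slots 1 to 4.
PRIMARY = Unit("PRIMARY", "GHS", {1: "CPU", 2: "RCM", 3: "GBC", 4: "BTM"},
               (Gbc(3, "RED CTRL", 31),), watchdog_ms=200,
               fail_wait_ms=60, expected_scan_ms=50)
# Primary folder copied with only Redund Type changed: the GBC is still at SBA 31.
SECONDARY_COPIED = replace(PRIMARY, redund_type="SECNDARY")
SECONDARY = replace(SECONDARY_COPIED, gbcs=(Gbc(3, "RED CTRL", 30),))

if __name__ == "__main__":
    for name, unit in [("primary", PRIMARY), ("copied secondary", SECONDARY_COPIED),
                       ("secondary", SECONDARY)]:
        print(name, check_unit(unit) or "OK")
    print("pair", check_pair(PRIMARY, SECONDARY) or "OK")
```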
Chapter 4 Operation
This chapter discusses:
- the normal operation of a Hot Standby CPU Redundancy PLC system;
- what happens when a fault is detected and the system does not operate normally;
- how to restore the system to normal operation;
- on-line repair procedures.
4. System Configuration verified.
5. System interrogated and initialized.
6. Presence of other CPU detected and RCMs initialized.
7. Complete user program verification.
8. Synchronize with the Redundant CPU.
When powering up the unit configured as the Secondary Unit in a Redundant system and no remote unit (the Primary Unit) is detected, the Secondary Unit will wait up to 15 seconds to see if the remote unit will also power up.
4 Resynchronization of the Redundant CPU Whenever a CPU is attempting to get back in synchronization with the currently active CPU, a resynchronization process will occur. This resynchronization process will occur any time a CPU performs a STOP to RUN mode transition. This process will start by determining which role each CPU is to play. The Primary Unit (with Serial Bus Address 31) is always preferred and a switch will occur from the Secondary Unit anytime the primary CPU performs a resynchronization.
4 Hot-Standby Redundancy Control Strategy In the Hot-Standby Redundancy Control Strategy, the primary CPU (designated by all GBCs addressed at bus address 31), is always the preferred CPU. The secondary CPU (designated by all GBCs addressed at bus address 30) will have the outputs enabled to its GBCs at all times whether it is in control or not. This is necessary to prevent glitching of the outputs when a switch is made.
4 Synchronous Scan The figure below shows the sweep components for the active and the backup CPUs. It shows the two communication points in the sweep. The first communication point is immediately after the inputs are scanned. At this point in the sweep the newly read inputs are sent from the active CPU to the backup CPU and synchronization information is passed. In the second communication point, the rest of the data (outputs, internal references, registers) is sent from the active PLC to the backup.
4 The transfer of the redundancy data during each sweep will be in blocks with each block checked for data integrity. The transferred data will be held in a temporary area by the backup CPU until all data has been received and verified from the active unit. Then the backup CPU will copy that data from the temporary area to the actual PLC memories. The transfer is capable of being performed on either RCM link.
4 through %P0008 on the backup unit will not change. %T0002 will be set whenever the operation is successful and the data can be used.
4 If the switch occurs due to a controlled condition such as toggling the RCM unit selection switch, forcing a switch in the user logic program, or because of a fault detected by the PLC CPU, then the switch-over will occur at the beginning of the subsequent sweep. The delay will be up to 1 sweep with the possibility of an input and an output scan after failure detection.
%S References for CPU Redundancy
There are seven special %S references which reflect the status of the Redundancy units: %S33 through %S39. The definition of these LEDs is shown in the following table.
Table 7. Definition for %S References for Redundancy Status
%S Bit | Definition | Nickname | Description | LED
%S33 | Primary Unit | PRI_UNT | Bit will be set if the local unit is configured as the primary unit; otherwise, it is cleared. For any given local unit, if PRI_UNT is set, then SEC_UNT cannot be set. |
Redundancy CPU Considerations
The Redundancy CPU (CPU 780) has several restrictions and differences in operation as compared to other Series 90-70 CPUs. The following features are not available with the CPU 780:
- I/O Interrupts
- Timed Interrupts
- VME Integrator Racks
- Stop I/O Scan mode
- Flash operation
Features not Available with CPU 780
I/O Interrupts
I/O Interrupts are not supported by the Redundancy CPU (CPU 780).
Differences in Operation for CPU 780
The following features operate differently with the CPU 780 than they do with other Series 90-70 CPUs:
- RUN/DISABLED mode
- Configuration of Fault Actions
- STOP to RUN mode transition
- Background Window Time (default is different)
RUN Disabled Mode
RUN/DISABLED mode causes all physical outputs to go to their default state in that PLC. Inputs are still scanned and logic is solved. A CPU in RUN/DISABLED mode may be the active unit.
Following are several examples that illustrate the above guidelines. Each example gives the role of each unit, its current operating mode, and the state of the LEDs on the RCMs. An X indicates that the corresponding LED and %S bit is ON.
A. Role switches allowed on both units.
Primary Unit: Active, RUN/ENABLED
Secondary Unit: Backup, RUN/ENABLED
[RCM LED diagram for each unit: OK, LOC_RDY, LOC_ACT, REM_RDY, REM_ACT]
B. Role switches allowed on both units.
E. Role switches are allowed on both units.
Primary Unit: Backup, RUN/ENABLED
Secondary Unit: Active (see NOTE below), RUN/ENABLED
[RCM LED diagram for each unit: OK, LOC_RDY, LOC_ACT, REM_RDY, REM_ACT]
F. Role switches are not allowed on either unit.
Primary Unit: Backup, RUN/DISABLED
Secondary Unit: Active (see NOTE below), RUN/ENABLED
[RCM LED diagram for each unit: OK, LOC_RDY, LOC_ACT, REM_RDY, REM_ACT]
G. Role switches allowed on both units.
Specific fault actions are described in Section 2 of this Chapter. However, you can configure whether or not a stand-alone CPU (after failure of the other CPU) will stop if another fault occurs. You can select the fault actions (either diagnostic or fatal) for when a given CPU is operating without a backup available. This will allow you to choose between fault tolerant operation and a safety system where a shutdown is preferred.
Background User Checksum and Background Window Timing Instructions
The following information is provided to allow you to guarantee full coverage of the number of program words verified by the User Program Checksum per sweep and the Background Window Diagnostics within a certain amount of time. It is important to understand that the more checksums performed and the larger the background window, the longer the sweep will take. For example, setting the number of words to checksum to 176 will add 2.
Where the Background Window Time is the time in milliseconds that you should set the background window timer. The other elements in the formula are described above in the calculation for words per sweep. The constants (F and C) are for the CPU 780.
Background Window Time =
Background Window Time = 4480 x (100 + 176 x 0.0008 x 2) / (120000 – 4480) 3.
Genius Bus Controller Switching
Genius Bus Controllers will stop sending outputs to blocks when no data has been received from the PLC CPU for a period equal to two times the configured watchdog timeout. If the CPU on the active unit becomes inoperative in an uncontrolled fashion (for example, because of a power failure), the Genius Bus Controllers will detect this within twice the watchdog setting, and stop sending outputs to the Genius blocks.
Section 6: Fault Detection and Control Actions
This section describes how faults are handled in a Redundancy system. It discusses how faults affect the operation of the Redundancy system, describes categories of faults, describes how faults are detected, describes the actions taken when faults are detected, and discusses on-line repair of individual components.
3. faults and failures that are detected in the background.
Faults and failures that are detected immediately are those that are identified within the current sweep. These faults include I/O data corruption, single bit RAM failures, power supply failures, processor failures, VME bus failures, and no response from an addressed module.
PLC Fault Table
The following table lists fault zoom Help text and messages for error codes associated with the redundancy fault group.
Table 8. Fault Zoom Help Text for Redundancy Error Codes
Error Code | Fault Description | Corrective Action
 | Primary Unit is Active and Secondary Unit is Backup. The primary and secondary units have switched roles. | None required.
2 | Secondary Unit is Active and Primary Unit is Backup. The secondary and primary units have switched roles. | None required.
Faulting RCMs, Losing Links, and Terminating Communications
There are distinct differences between losing a redundant communications link, faulting an RCM, and terminating communications. Faulting the RCM module occurs only when a hardware-related failure occurs, such as a parity error or VME bus error. Action taken when a board is faulted:
- Module Failed fault is logged in the PLC Fault Table.
- The module fault contact is set.
- In this case, if the RCM is at fault, it will need to be replaced before power is restored.
Terminating Communications occurs when the two units get out of synchronization. The action taken when communications is terminated is the same as when a link has timed out, except that actions are taken on both links and the Communications Terminated fault is logged rather than Link Timeout.
Fault Actions in a CPU Redundancy System
Fault actions in the Hot Standby CPU Redundancy System are handled differently than those in a non-redundancy (Simplex) system. Whenever there is a "ready" backup unit configured in the system, the fault actions in the active unit will not be those normally specified by the user.
Table 10.
Table 11. Non-Maskable Fault Group Descriptions
Fault Group | Table Type | Description
SYS_BUS_FAIL | CPU | System bus failure.
NO_USER_PRG | CPU | No User's Program on Power-up.
BAD_USER_RAM | CPU | Corrupted User RAM detected on Power-up.
WIND_CMPL_FAIL | CPU | Window Completion Failure in Constant Sweep Mode (i.e., all windows failed to receive their allotted time).
PASSWD_FAIL | CPU | Password Access Failure.
NULL_SYS_CNFG | CPU | NULL System Configuration for RUN Mode.
CPU_SOFTWR | CPU | PLC CPU Software Failure.
On-Line Repair
With a Hot Standby CPU Redundancy system most system component failures can be repaired by replacing the failed component while the system is on-line. These on-line repair procedures are possible because of the role switching capability of the units in the system. Status of the Primary and Secondary units is determined by observing the LEDs on the Redundancy Communications Module.
Power Supply
The power supply has adequate internal fault detection which will cause it to automatically shut down if there is a failure. In an orderly shut down, the power supply will first assert the ACFAIL signal before it asserts the SYSREST signal. This will give the active PLC time to notify the backup PLC that it can no longer control the process.
If an RCM fault is detected, proceed as follows:
- STOP the unit with the suspected bad RCM.
- Turn power off at that rack.
- Unplug the terminated cable from the RCM and replace the module.
- Reconnect the terminated cable.
- Power-up the rack (mode switch is still in STOP).
- Verify that the REMOTE ACTIVE and REMOTE READY LEDs are on, or look at the %S bits in the stopped unit. Note that the RCM LEDs only update if the board is not faulted.
- Switch the repaired unit to RUN.
Genius Bus
Genius bus faults are not fatal to the PLC. However, if a bus fault exists, it exists for both systems. There may be situations where one controller can communicate to more blocks than the other controller can. Since both controllers are running with the same outputs and shared inputs, and both controllers are still synchronized, the blocks will choose which controller to respond to, if either can be heard.
Appendix A Redundancy Alternatives
There are several redundancy alternatives for the Series 90-70 Programmable Logic Controller. These redundancy options consist of implementation of the redundancy feature through a user logic program or through a redundancy product which consists of both hardware and software.
[Figure a47009, flowchart. Decision labels: FAILURE STRATEGY (Fault Tolerant / Fail Safe), TRIPLEX CPUS, DUPLEX CPUS, HOT STANDBY (2 CPUS), SINGLE BUS, REDUNDANT BUS, ESD SYSTEM, LOW COST, LOWEST COST, APPLICATION LOGIC, PRODUCT, I/O COUNT >512 IN/512 OUT, VME, ISO/ETHERNET, THERMOCOUPLE/RTD, HIGH DENSITY ANALOG IN; outcomes are Redundancy Option Keys (see Table 1).]
Use This Guide to Select the Redundancy Option Key for the Avail
Table 13. Redundancy Options Key
PLC Scan Sync Data Sync I/O System Output Selection Method 1A 2 90-70s no Application Logic [ 90-70 (I/O Scanner) Hot Standby 1B 2 90-70s no Application Logic [ Application 1C 2 90-70s no 1D 2 90-70s 2 Option Redund. Bus Redund. I/O Hot Standby yes - 2 no Higher Density Analog Inputs 90-30 (GCM+) Hot Standby yes - 2 no More competitive I/O Application Logic [ Genius I/O Hot Standby yes - 2 no Highly distributable with diagnostics.
Series 90-70 Redundancy Through Application Logic
The following restrictions apply using the current Series 90-70 for redundancy applications requiring synchronization (these restrictions do not apply to the Hot Standby CPU Redundancy product).
- Do not use transitional contacts or coils since this information cannot be transferred across the link.