12.07.2015 Views

High Availability PDF 4.89MB - Schneider Electric


How can I … implement a high-availability system?

System Technical Guide

High Availability solutions

Develop your project


Disclaimer

This document is not comprehensive for any systems using the given architecture and does not absolve users of their duty to uphold the safety requirements for the equipment used in their systems or compliance with both national or international safety laws and regulations.

Readers are considered to already know how to use the products described in this document.

This document does not replace any specific product documentation.


1-Introduction

1.3. Prerequisites

We recommend the reader have knowledge of the following SoCollaborative software:
• Unity Pro
• Vijeo Citect

We also recommend the reader become familiar with the System Technical Note "How can I increase the Availability of a system" and have knowledge of the Premium/Quantum/M340 Schneider PACs.

1.4. Project Methodology

This STG describes the project methodology and includes the following phases: Selection, Design, Configuration, Implementation and Performance.

This guide is illustrated using 2 architectures (Premium and Quantum). Their features are described in the Selection phase. Each architecture shows a specific feature necessary for a Hot-Standby application.

Beginning with process analysis and user requirements, we identify and develop common functionalities for all the architectures. These key functions are explained in the Design, Configuration and Implementation phases.

Finally, the Performance phase summarizes the results of different tests performed on the 2 architectures.

Here are the phases described in this document:
• I. Selection: In this phase, the selection procedure to define a redundant architecture is presented:
  • Basics of redundancy
  • Operational Principles
  • Description of architectures
• II. Design: This phase covers the operational principles of the different components of high availability architecture:
  • SCADA system
  • Network
  • PAC Station
  • Quantum and Premium


2-Selection


2. Selection

During the selection phase, an optimal architecture is chosen as well as the most appropriate components of the project, according to your specific requirements.

Several architectures and systems are presented in this chapter in order to address a wide range of functions and needs. Also, the way to select among these architectures given project needs is presented.

The following illustration summarizes our project development approach:


2.1. Redundancy Basics

This chapter describes the general principles of redundancy and their application in an automation system.

The following PlantStruxure architecture is a representative example to illustrate the different layers where redundancy can be implemented.

[Figure: PlantStruxure architecture layers: SCADA Clients, Data Servers, Control Network (Ethernet), PAC Stations, Field Network (Ethernet, Profibus DP), Field Devices]

The diagram also represents a wide range of hardware setups demonstrating the ability to achieve various redundancy levels.

2.1.1. Redundancy Layers

Availability can be increased in an automation system at different layers:

• SCADA system:
The SCADA system has to handle data acquisition, graphics, events, alarms, trends, and reports. SCADA server redundancy enhances the likelihood these services will continue to operate without loss of data in case of system interruption. Different software and hardware configurations allow different levels of availability.

• Control Network:
A well-defined topology and management of the control network increase network availability and reliability. This, in turn, makes communication between the SCADA system and the PAC stations more reliable. Several network topologies and network protocols are available to achieve the optimal level of availability and to fit the whole system's needs.

• PAC station:
According to your needs in terms of I/O number and topology, you can choose between a Quantum and a Premium Hot-Standby PAC system. The field network type is also an element to consider before choosing the PAC station, as well as the I/O system (local or distributed).

• Field Network:
Redundancy can also be applied to the field network. As was the case for the control network, a well-defined topology and management of the network increase field network availability. Device redundancy is also implemented to increase availability of the field equipment.

2.1.2. Redundancy level

We can differentiate several levels of redundancy according to their performance in terms of availability. A summary of these levels is presented in the following table:

• No redundancy
  • State of the standby system: No standby system
  • Switchover performance: Not applicable
• Cold Standby
  • State of the standby system: The standby system is only powered up if the default system becomes inoperative.
  • Switchover performance: Several minutes. Large amount of lost data.
• Warm Standby
  • State of the standby system: The standby system switches from normal to backup mode.
  • Switchover performance: Several seconds. Small amount of lost data.
• Hot-Standby
  • State of the standby system: The Standby system runs together with the default system.
  • Switchover performance: Several milliseconds. No lost data.


2.2. Operational Principles

Depending on the level of availability required, redundancy is applied in various ways. This chapter discusses Hot-Standby applications and describes the basics of redundancy in each layer of an automation system. Moreover, the chapter describes the various options available in terms of redundancy and availability.

The selected architectures used in the following parts of this STG are described in Chapter 2.4.

2.2.1. SCADA

The main operating principles of the different SCADA servers are described in the following paragraphs.

General Principles

The different servers of the SCADA system (Alarm, Report, Trends, and I/O servers) can either be installed on the same computer or on different computers, allowing for more reliability. For a redundant configuration, each server (Primary) is associated with its redundant server (Standby) installed on a different computer.

For example, the picture below describes servers installed on redundant computers (Primary and Standby).


I/O Server redundancy

In a redundant SCADA system, an I/O device is associated with the Primary and Standby servers. The Primary server periodically accesses the I/O device to read and write tags. The Standby server only checks the communication with the I/O device.

At startup, if the Primary I/O server cannot establish a connection with the I/O device, the SCADA system switches to the Standby I/O server.

During operation, if the Primary I/O server stops communicating with the I/O devices, the system then switches to the Standby I/O server. The following diagrams illustrate 2 cases: a broken network cable and a server that has stopped communicating.

When the I/O server defined as Primary returns to operational state, the SCADA system returns control back to the Primary server.

Alarms / Trends / Reports Servers (ATR) redundancy

The management of the Alarms, Trends and Report servers (ATR servers) by the SCADA system follows the steps listed below:
• If the Primary ATR server stops operating, the system switches to the Standby ATR server.
• When the ATR server defined as Primary returns to operational state, any clients connected to the Standby ATR server remain connected to the Standby server.


For example, the following picture describes a server reconfiguration initiated by a switchover: I/O, Trends and Reports servers are working on the Primary SCADA server, and the Alarms server is working on the Standby SCADA server.


2.2.2. Network

Various topologies and protocols are used to increase the availability of the network (control or field network). The principle is to create different paths to access devices. If a network element on the main path stops functioning, another path is used.

The following table illustrates the main network topologies.

• Bus
  • Limitations: The traffic must flow serially, therefore the bandwidth is not used efficiently.
  • Advantages: Cost-effective solution.
  • Disadvantages: If a switch becomes inoperative, communication is lost.
• Star
  • Advantages: Efficient use of the bandwidth, as the traffic is spread across the star.
  • Disadvantages: If the main switch becomes inoperative, communication is lost.
• Tree
  • Limitations: Cable ways and distances.
  • Advantages: Preferred topology when there is no need for redundancy.
• Ring
  • Advantages: Auto-configuration if used with self-healing protocol. Possible to couple other rings for increasing redundancy.
  • Disadvantages: The availability of auto-configuration depends on the protocol used.
• Dual Ring
  • Limitations: Behavior similar to Bus.

Ring topologies are mainly used to increase the level of network availability. Network redundancy management protocols, such as Hiper-ring or MRP, are used for network recovery if part of the network ceases to function.


2.2.3. PAC Station

Hot-Standby Definition

A Hot-Standby system is used when downtime cannot be tolerated. It delivers high availability through redundancy and always consists of two units with identical configurations. One of the two units acts as the Primary CPU controller, and the other acts as the Standby CPU controller. One controller must be set in the Primary CPU state and the other must be in the Standby CPU state or offline. The redundant unit takes control when the main one encounters an anomaly.

The Primary PAC updates inputs, manages Hot-Standby, runs the program while transferring data to the Standby PAC, and updates outputs. Thus, the switchover between the Primary and the Standby PAC occurs without any loss of data.

As described on the diagrams above, for each execution cycle, the outputs update only takes place when the data transfer AND the program execution are completed. Therefore, it is important to properly define the amount of data to be transferred from the Primary to the Standby PAC, to minimize the wait time induced by a data transfer that takes longer than the program execution.

On the diagram on the left, the cycle execution is optimized: the data transfer is performed faster than the program execution.

On the diagram on the right, the longer data transfer induces a wait time that slows down the cycle execution.


Primary and Standby PACs

Assuming that the configuration of the system is correct, the first PAC to be powered up is automatically recognized as the Primary one. Therefore, you can define the PACs' roles by controlling the order in which they are powered up.

When two redundant CPU PACs are switched on simultaneously, the firmware automatically assigns the Primary status according to the MAC address. The PAC with the lower MAC address is defined as PAC A, which is the Primary when the system powers up.


Hot-Standby System Programming Elements

This paragraph describes programming basics that are useful to know when implementing a Hot-Standby system.

System Words

• %SW60: Command Register

The command register defines the operating parameters of a Hot-Standby application for both the Primary and Standby CPU.

The System Word %SW60 can be used to read and write the command register of the Hot-Standby System.

• The diagram below illustrates the Quantum System Word %SW60 (bits numbered from 15, MSB, to 0, LSB):
  • bit0 = 0: Disables LCD Invalidate Keypad
  • bit0 = 1: Enables LCD Invalidate Keypad
  • bit1 = 0: Sets Controller A to OFFLINE mode
  • bit1 = 1: Sets Controller A to RUN mode
  • bit2 = 0: Sets Controller B to OFFLINE mode
  • bit2 = 1: Sets Controller B to RUN mode
  • bit3 = 0: Forces Standby offline if there is a logic mismatch
  • bit3 = 1: Does not force Standby offline if there is a logic mismatch
  • bit4 = 0: Allows exec upgrade only after application stops
  • bit4 = 1: Allows exec upgrade without stopping application
  • bit5 = 0: No application program transfer
  • bit5 = 1: Application program transfer requested
  • bit8 = 0: Swaps Modbus port 1 address during switchover
  • bit8 = 1: Does not swap Modbus port 1 address on a switchover
  • bit9 = 0: Swaps Modbus port 2 address during switchover
  • bit9 = 1: Does not swap Modbus port 2 address on a switchover
  • bit10 = 0: Swaps Modbus port 3 address during switchover
  • bit10 = 1: Does not swap Modbus port 3 address on a switchover

• The diagram below illustrates the Premium System Word %SW60 (bits numbered from 15, MSB, to 0, LSB):
  • bit1 = 0: Sets Controller A to OFFLINE mode
  • bit1 = 1: Sets Controller A to RUN mode
  • bit2 = 0: Sets Controller B to OFFLINE mode
  • bit2 = 1: Sets Controller B to RUN mode
  • OS versions Mismatch (this bit can be used to permit temporary differences between the firmware versions on the respective Hot-Standby PACs)


• %SW61: Status Register

The Hot-Standby Status Register is a readable register located at system word %SW61 and is used to monitor the current status of the Primary CPU and Standby CPU.

• The following diagram illustrates the Quantum System Word %SW61 (bits numbered from 15, MSB, to 0, LSB):
  • bit1 = 0, bit0 = 1: This PAC in OFFLINE mode
  • bit1 = 1, bit0 = 0: This PAC running in primary CPU mode
  • bit1 = 1, bit0 = 1: This PAC running in standby CPU mode
  • bit3 = 0, bit2 = 1: Other PAC in OFFLINE mode
  • bit3 = 1, bit2 = 0: Other PAC running in primary CPU mode
  • bit3 = 1, bit2 = 1: Other PAC running in standby CPU mode
  • bit3 = 0, bit2 = 0: The remote PAC is not accessible
  • bit4 = 0: PACs have matching logic
  • bit4 = 1: PACs do not have matching logic
  • bit5 = 0: This PAC's switch set to A
  • bit5 = 1: This PAC's switch set to B
  • bit7 = 0: Same PAC OS version
  • bit7 = 1: Different PAC OS version
  • bit8 = 0: Same copro OS version
  • bit8 = 1: Different copro OS version
  • bit12 = 0: Information given by bit13 is not relevant
  • bit12 = 1: Information given by bit13 is valid
  • bit13 = 0: NOE address set to IP
  • bit13 = 1: NOE address set to IP+1
  • bit15 = 0: The hot standby has not been activated
  • bit15 = 1: The hot standby is active


• The following diagram illustrates the Premium System Word %SW61 (bits numbered from 15, MSB, to 0, LSB):
  • bit1 = 0, bit0 = 1: This PAC in OFFLINE mode
  • bit1 = 1, bit0 = 0: This PAC running in primary CPU mode
  • bit1 = 1, bit0 = 1: This PAC running in standby CPU mode
  • bit3 = 0, bit2 = 1: Other PAC in OFFLINE mode
  • bit3 = 1, bit2 = 0: Other PAC running in primary CPU mode
  • bit3 = 1, bit2 = 1: Other PAC running in standby CPU mode
  • bit3 = 0, bit2 = 0: The remote PAC is not accessible
  • bit4 = 0: No application program or Unity Pro configuration checksum mismatch with the remote PAC
  • bit4 = 1: Application program or Unity Pro configuration checksum mismatch with the remote PAC
  • bit5 = 0: This PAC set as Unit A
  • bit5 = 1: This PAC set as Unit B
  • bit6 = 0: CPU-sync link OK
  • bit6 = 1: CPU-sync link NOK
  • bit7 = 0: No processor OS version mismatch
  • bit7 = 1: Main processor OS version mismatch
  • bit8 = 0: No Copro OS version mismatch
  • bit8 = 1: Copro OS version mismatch
  • bit9 = 0: All in-rack (monitored and non-monitored) ETY modules have the minimum version
  • bit9 = 1: At least one ETY does not have the minimum version
  • bit10 = 0: No monitored ETY OS version mismatch
  • bit10 = 1: Monitored ETY OS version mismatch
  • bit13 = 0: Configured IP or Modbus address
  • bit13 = 1: Configured IP or Modbus address +1
  • bit15 = 0: The hot standby has not been activated
  • bit15 = 1: The hot standby is active
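The %SW61 layouts above can be decoded mechanically, which turns the register into a monitoring and integrity signal (lost Standby, logic mismatch, firmware mismatch). The following Python code is an added example, not Schneider Electric code: it assumes the 16-bit value has already been read from the PAC, and the function names, finding texts and sample words are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# bit1.bit0 describe this PAC, bit3.bit2 the other PAC; same encoding for both.
MODES = {0b01: "offline", 0b10: "primary", 0b11: "standby"}


@dataclass
class HsbyStatus:
    family: str                       # "quantum" or "premium"
    this_mode: str                    # bits 1..0
    other_mode: str                   # bits 3..2 ("not accessible" when 00)
    logic_mismatch: bool              # bit4
    unit: str                         # bit5: "A" or "B"
    cpu_os_mismatch: bool             # bit7
    copro_os_mismatch: bool           # bit8
    address_plus_one: Optional[bool]  # bit13 (Quantum: only valid if bit12 = 1)
    hsby_active: bool                 # bit15
    sync_link_nok: Optional[bool] = None          # bit6, Premium only
    ety_below_min_version: Optional[bool] = None  # bit9, Premium only
    mon_ety_os_mismatch: Optional[bool] = None    # bit10, Premium only


def _bit(word: int, n: int) -> bool:
    return bool((word >> n) & 1)


def decode_sw61(word: int, family: str) -> HsbyStatus:
    """Decode a 16-bit %SW61 value using the bit layout given in this guide."""
    if family not in ("quantum", "premium"):
        raise ValueError("family must be 'quantum' or 'premium'")
    if not 0 <= word <= 0xFFFF:
        raise ValueError("%SW61 is a 16-bit word")
    status = HsbyStatus(
        family=family,
        # 00 is not listed for the local PAC in the guide, so report it as such.
        this_mode=MODES.get(word & 0b11, "undefined"),
        other_mode=MODES.get((word >> 2) & 0b11, "not accessible"),
        logic_mismatch=_bit(word, 4),
        unit="B" if _bit(word, 5) else "A",
        cpu_os_mismatch=_bit(word, 7),
        copro_os_mismatch=_bit(word, 8),
        address_plus_one=_bit(word, 13),
        hsby_active=_bit(word, 15),
    )
    if family == "quantum":
        # On Quantum, bit13 is only meaningful when bit12 is set.
        if not _bit(word, 12):
            status.address_plus_one = None
    else:
        status.sync_link_nok = _bit(word, 6)
        status.ety_below_min_version = _bit(word, 9)
        status.mon_ety_os_mismatch = _bit(word, 10)
    return status


def findings(st: HsbyStatus) -> List[str]:
    """Return the conditions worth raising an alert on (texts are illustrative)."""
    out = []
    if not st.hsby_active:
        out.append("hot standby not active")
    if st.other_mode == "not accessible":
        out.append("remote PAC not accessible")
    if st.this_mode == "primary" and st.other_mode == "primary":
        out.append("both PACs report Primary")
    if "standby" not in (st.this_mode, st.other_mode):
        out.append("no Standby PAC available, switchover not possible")
    if st.logic_mismatch:
        out.append("application logic mismatch between PACs")
    if st.cpu_os_mismatch or st.copro_os_mismatch or st.mon_ety_os_mismatch:
        out.append("firmware (OS) version mismatch")
    if st.sync_link_nok:
        out.append("CPU-sync link NOK")
    if st.ety_below_min_version:
        out.append("ETY module below minimum version")
    return out


# Constructed sample words (not captured from a real system).
SAMPLES = [
    ("premium", 0x800E),  # primary, remote standby, unit A, HSBY active
    ("premium", 0x8042),  # primary, remote not accessible, sync link NOK
    ("quantum", 0xB03B),  # standby, remote primary, logic mismatch, unit B
]

if __name__ == "__main__":
    for family, word in SAMPLES:
        st = decode_sw61(word, family)
        print(f"{family} %SW61=0x{word:04X}: this={st.this_mode} "
              f"other={st.other_mode} unit={st.unit} -> {findings(st) or 'OK'}")
```

A logic or firmware mismatch that does not coincide with a planned download or upgrade is the case to investigate first, since it means the two PACs are no longer running the same code.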


• %SW62…65: Reverse Register

System Words %SW62/63/64/65 are reverse registers reserved for the reverse transfer process. The reverse registers can be written in the application program (first section) of the Standby CPU controller and are transferred at each scan to the Primary CPU controller.

Non-Transfer Area

The Non-Transfer Area is a defined memory zone which is not transferred during the update of the Standby CPU controller.

The Premium PAC has a predefined zone of 100 words (%MW0 to %MW99), whereas for the Quantum PAC the size of the zone is defined by the user (%MW1 to %MWx).

First Section (section 0)

In a PAC redundancy system, the execution of the application program differs according to the PAC in which the execution takes place. The main difference is that the whole application program is executed in the Primary PAC whereas the Standby PAC only executes the first section (section 0). This point is very important as many settings of the system are defined in section 0.

Hot-Standby Management

Switchover Conditions

A Hot-Standby system is designed to provide uninterrupted service. This feature requires continuous monitoring of different equipment.

Note: Concerning both Premium and Quantum, the switchover is performed only if the Standby PAC is operational and ready to take over control from the Primary PAC.

A Hot-Standby system continuously monitors the key components in order to detect any stoppage in operation. Additional monitoring is performed by the application for more specific requirements.

The monitoring by the system initiates a switchover on the following occurrences:
• Premium system
  • Fault on power supply
  • Fault CPU (firmware, hardware)
  • Halt, Stop, Offline CPU
  • Fault Monitored ETY module (firmware, hardware)


• Quantum system
  • Fault power supply
  • Fault CPU (firmware, hardware)
  • Halt, Stop, Offline CPU
  • Fault CRP module

For the Premium and Quantum Hot-Standby architectures presented in this guide, additional equipment (Network Controller and Device Network) is monitored by the application in order to increase the availability.

To perform this specific monitoring, we need to develop Derived Function Blocks (DFBs) that monitor the system, control and process the anomalies, and handle the switchover.

DFBs Libraries

The Unity Pro Quantum system library offers EFBs to manage a Hot-Standby system. These EFBs allow the handling of the command (%SW60), status (%SW61) and reverse (%SW62 to 65) registers.

The Unity Pro Premium library does not include pre-designed EFBs. Consequently, we have developed a user-defined Hot-Standby DFBs library. This library is described in the next chapter.

Network monitoring is integrated in our architectures. This functionality is handled neither by the Premium PAC nor by the Quantum PAC (except for the Monitored ETY module on a Premium system). Therefore, we have developed a specific Hot-Standby DFBs library for each configuration:
• Premium
  • ETY_Monitor (Ethernet)
• Quantum
  • NOE_Monitor (Ethernet)
  • PTQ_Monitor (Profibus)

We have developed an events synthesis block that processes the output of these DFBs, while offering the possibility to mask some faults, and a switchover management block which checks the availability of the Standby PAC before initiating a switchover.


2.3. Selection Criteria

Various levels of performance can be attained with different architectures and using different components. It is crucial to select the configuration that most closely fits your needs in terms of availability, cost and maintenance.

Before implementing a high-availability system, consider the following points:
• What is the general availability level to reach for the whole system?
• How many devices can stop functioning, yet have the system remain operational?
• What is the maximum allowed downtime for the entire system?
• Are there any constraints (existing system, topology) that imply the use of specific tools and equipment?
• What is the size of the system and are additional extensions planned?
• What is the topology? Centralized? Distributed?
• Are there some areas of the process with priority needs?

2.4. Selected Architecture

We have selected two representative architectures to illustrate in this guide, one for Quantum PAC and one for Premium PAC. All the other layers are common to the two architectures. These architectures are intended to represent a medium range automation system with high availability needs in terms of process control and medium availability in terms of SCADA and network control.

Each layer in the system can tolerate one non-operating device and still remain operational. The implementation of the different layers is described in the following chapters.

2.4.1. SCADA

The resources used by our application are moderate, so all the servers (Alarms, Trends, Reports and I/O) can be installed on one computer. In order to withstand one non-functioning device, the redundant servers are installed on a second computer. Two clients connected to the network allow the control and monitoring of the process.

This configuration is adapted to our needs in terms of performance and redundancy level.


2.4.2. Control Network

The ring architecture is chosen for its redundancy capability. Four ConneXium switches handle the ring architecture. One switch or cable segment can cease operating with no impact on the communication through the network. The MRP redundancy management protocol is chosen for its performance in recovery time.


2.4.3. PAC station

The Hot-Standby architecture allows one PAC to stop operating without loss of data. As was the case with the control network, if the Primary PAC ceases to operate, the Standby PAC takes over from the Primary.

The following diagram sums up the selection of the PAC station according to specific requirements of the application.

[Figure: PAC station selection flowchart. Decision points: Time-critical application? Application requiring multiple and/or scattered I/O stations? Redundant I/O modules required? I/O options shown: In-Rack I/O stations only, In-Rack and/or distributed I/O system, Remote I/O stations, Local I/O station. Outcomes: Premium or Quantum HSBY, Quantum HSBY, Premium HSBY.]

The selected architectures, Premium and Quantum, are detailed in the following paragraphs.

Note: The number of In-Rack I/Os in the process is decisive for dimensioning the system. As a Premium Hot-Standby system does not handle extension racks, the use of In-Rack I/Os is limited. This means that, beyond a given number of In-Rack I/Os, a Quantum PAC that handles Remote I/Os will be used instead of a Premium PAC.

Note: Only the Quantum PAC station provides redundancy solutions for a Profibus network.


Premium

The chosen redundant PAC station is a Premium Hot-Standby architecture with redundant analog and digital inputs and outputs. The 2 units are synchronized via an Ethernet link.

[Figure: Premium Hot-Standby station. From the control network: PAC A (IP 172.20.101.57, mask 255.255.0.0) and PAC B (IP 172.20.101.58, mask 255.255.0.0), joined by the Sync-link; further addresses shown: 172.20.104.5 and 172.20.104.6 (mask 255.255.0.0); JM Concept modules 2500 (analog output, analog input); ABE7 connection blocks (digital output, digital input); to the Ethernet field network.]


Quantum

The chosen redundant PAC station is a Quantum Hot-Standby architecture with a shared Remote I/Os module. The 2 units are synchronized via an optical fiber link (Sync link).

2.4.4 Field Network

Profibus DP

The first part of the field network is composed of a Profibus DP daisy chain managed by 2 redundant Profibus Master modules. Each extremity of the daisy chain is connected to a redundant Quantum PAC. The control of the devices on the chain is possible even if one of the PACs ceases to operate. The Standby Profibus master PAC then handles the control of the chain.


Ethernet

The second part of the field network is built around an Ethernet ring to bring redundancy to the field devices. The Ethernet ring is built in the same manner as for the control network. 3 ConneXium switches run MRP on the ring and connect the different Ethernet devices.


2.5. Conclusion

The 2 following diagrams present the whole Quantum and Premium architectures from the SCADA to the field network. These architectures will be used subsequently in the document to illustrate redundancy runtime principles and performance reviews.

The second part of this document will use the same architectures, but including dual ring structures and dual attachment.


[Figure: Redundant Premium Architecture. SERVER 1, SERVER 2, Client 1 and Client 2 on the control ring (switches SW1 to SW4, with a ring Manager; addresses in 172.20.101.x); PAC A (IP 172.20.101.57, mask 255.255.0.0) and PAC B (IP 172.20.101.58, mask 255.255.0.0) joined by the Sync-link; JM Concept modules 2500 and ABE7 connection blocks for analog and digital I/O; field ring (switches SW10 to SW12, with a ring Manager; addresses in 172.20.104.x).]


[Figure: Redundant Quantum Architecture. SERVER 1, SERVER 2, Client 1 and Client 2 on the control ring (switches SW1 to SW4, with a ring Manager; addresses in 172.20.101.x); PAC A (IP 172.20.101.110, mask 255.255.0.0) and PAC B (IP 172.20.101.111, mask 255.255.0.0) with Remote I/O; field ring (switches SW10 to SW12, with a ring Manager; addresses in 172.20.104.x).]




3-Design

3. Design

3.1. Introduction

The design part of the STG covers the operational principles of the different components of high availability architecture.

After a short review of the SCADA setup, the following points concerning the PAC station will be detailed:
• What is a Hot-Standby System (Premium and Quantum)
• Parts and tools of a Hot-Standby System (Premium and Quantum)
• Specifications and constraints of a Hot-Standby System (Premium and Quantum)
• Distributed and In-Rack I/Os (Premium and Quantum)

We will also describe the DFBs used in our Hot-Standby library and why they have been developed.

The SCADA and Network parts are covered in more detail in the Configuration chapter.

3.2. SCADA System

3.2.1. Architecture Presentation

The architecture is composed of 2 redundant Vijeo Citect servers, 2 clients and 2 Hot-Standby PACs (Quantum or Premium). The communication between these components is achieved through an Ethernet ring.

Each Vijeo Citect server handles I/O, Alarms, Trends and Reports server functionalities.

In our hardware configuration, we choose to install the I/O and ATR (Alarm, Trends, and Reports) servers on one computer. The performance of these computers is sufficient in terms of CPU and disk space to handle our application.

Only one cluster is configured to manage all servers.


3.3. Premium Hot-Standby System

This chapter describes the different features and specifications of a redundant Premium system.

3.3.1 Premium PAC Specifications

Primary and Standby PACs

The Primary PAC executes the application program, controls the Ethernet network and In-Rack I/Os, and synchronizes the Standby PAC at the beginning of each program cycle.

The Standby PAC does not run the whole program but only the first section (section 0). Moreover, it does not handle the redundant In-Rack and Ethernet I/Os but just checks the state of the Primary PAC.

In case of an anomaly, the Standby PAC takes over control from the Primary PAC (see switchover time measurements in the Performance chapter).

Primary and Standby PACs permanently exchange data via the synchronization link in order to check the system integrity.

A Premium Hot-Standby system necessarily comprises Monitored ETY modules (one in each rack). These modules handle the diagnosis of the Premium CPU redundancy configuration status. This diagnosis is achieved through the Sync ETY link.

Note: Sync ETY and Synchronization link are different and are not used for the same purpose.


Monitored ETY modules

As for the CPUs, the position in the rack and the firmware version of the Ethernet modules must be identical.

Note: A firmware version 4.0 or earlier is required.

The monitored ETY module allows the swap of the Ethernet services as well as the automatic permutation of the IP addresses between Primary and Standby TSX ETY.

ETY modules are linked with Ethernet switches (one switch per ETY) or via an Ethernet crossover cable. An optical connection is also possible in the case of long-distance communication.

The Sync ETY link also allows handling of Ethernet I/O devices with the proper Ethernet I/O Scanning service configuration.

In order to initiate a switchover when a Sync ETY link stops operating on the Primary PAC, the Ethernet I/O Scanning service must be configured on the monitored ETY module. In addition to the service activation, an I/O Scanning line must also be declared. If the service is not configured in the monitored ETY module, a switchover will not occur if a Sync ETY ceases to operate.

If a monitored ETY module ceases to function, the CPU sends a status modification command to all the configured ETY modules populating the X-Bus and to the monitored ETY module populating the Standby PAC to switch their IP addresses.


Hardware Constraints

The following table lists the only modules that can be used in a Premium Hot-Standby configuration:

• Power Supply: All available power supply modules
• Rack: Non-expendable Racks only
• Ethernet Communication: TSX ETY4103 or TSX ETY5103 (firmware version v4.0 or earlier)
• Modbus Communication:
  • Modbus communication module TSX SCY21601 (firmware version 2.3 or earlier) equipped with multiprotocol communication board TSX SCP114 (firmware version 1.7 or earlier) (slave or master)
  • Modbus communication module TSX SCY21601 (firmware version 1.1 or earlier) (Master Modbus only)
  • Note: The TSX SCY 21601 associated with multiprotocol communication board TSX SCP114 allows the redundant Premium PAC systems to run as Modbus Slave or Master. This configuration allows using Modbus Masters from other suppliers. TSX SCY 11601 module can only be used in Modbus Master.
• Digital I/Os: No restrictions apply
• Analog I/Os: No restrictions apply


Software Constraints

The following constraints apply at the application level:
• The use of event tasks is not recommended. An event might be lost if it occurs just before or during the switchover.
• The use of FAST tasks handling dedicated outputs is not recommended, as output status modifications might be lost during the switchover.
• The use of counting modules is not recommended. Depending on the frequency, some pulses might be lost during the switchover.
• The use of edges (fronts) is not recommended. They might not be taken into account during the switchover.
• The use of the SAVE_PARAM function is not recommended in a CPU redundancy application. This function erases the initial value of a module parameter saved in the program code. This code is not transferred from the Primary PAC to the Standby. More generally, explicit instructions like WRITE_CMD and WRITE_PARAM must be well defined before use.
• Initial values declared with a recorded attribute (for example DFB variables) cannot be replaced with actual values: do not use the %S94 bit.
• The following inherited function blocks cannot be used:
  • PL7_COUNTER
  • PL7_DRUM
  • PL7_MONOSTABLE
  • PL7_REGISTER_32
  • PL7_REGISTER_255
  • PL7_TOF, PL7_TON, PL7_TP
  • PL7_3_TIMER

The use of TON, TOFF and TP blocks is not allowed in the first section.


3.3.2. Premium Hot-Standby DFBs Library

The following table summarizes the different DFBs created for our application.

• SYSTEM
  • HSBY_RD: Reading Command word (%SW60) hot-standby system
  • HSBY_WR: Writing Command word (%SW60) hot-standby system
  • HSBY_ST: Reading Status word (%SW61) hot-standby system
• ETHERNET
  • ETY_MONITOR: Monitoring ETY Ethernet Module
• SYNTHESIS
  • SYNTH_FAULT: Synthesis Fault monitored elements
  • SYNTH_OR_ETY: Synthesis Fault ETY module (Logic OR)
  • SYNTH_AND_ETY: Synthesis Fault ETY module (Logic AND)
• SWITCHOVER
  • SWITCH_MANG: Switchover Management

System DFBs

In order to manage the different registers of a Premium Hot-Standby system, we have created blocks that allow reading and writing registers %SW60 and %SW61.

• HSBY_RD_P: Read the command register %SW60
  Outputs:
  • PLCA_RUN (BOOL): Run Mode Controller A
  • PLCB_RUN (BOOL): Run Mode Controller B
  • Offline_if_OS_Mismatch (BOOL): OS Versions Mismatch

• HSBY_WR_P: Write the command register %SW60
  Inputs:
  • Manual_Control_Enable (BOOL): Manual Control
  • PLCA_RUN (BOOL): Command Run Mode Controller A
  • PLCB_RUN (BOOL): Command Run Mode Controller B
  • Offline_if_OS_Mismatch (BOOL): Forced Command OS no Mismatch

This block allows sending switch commands from the program (PLCA_RUN, PLCB_RUN). In addition, so that the CPU OS, the ETY module or the coprocessor can be updated, it allows setting the OS mismatch bit to 1 to avoid switching to offline mode.

A dedicated input allows sending switch orders, for example during maintenance activities.


• HSBY_ST_P: Hot-Standby system, status check

This block processes data from register %SW61. It gives information about each PAC role (Primary, Standby, and Offline), OS version, and so on.

Outputs:
  - HSBY_Active (BOOL): Hot-Standby System active
  - THIS_ISA (BOOL): This Pac is PAC A
  - THIS_ISB (BOOL): This Pac is PAC B
  - THIS_OFF (BOOL): This Pac is Offline
  - THIS_PRI (BOOL): This Pac is Primary
  - THIS_Sby (BOOL): This Pac is Standby
  - REMT_UNDEF (BOOL): Remote state Pac undefined
  - REMT_OFF (BOOL): Remote Pac is Offline
  - REMT_PRI (BOOL): Remote Pac is Primary
  - REMT_SBY (BOOL): Remote Pac is Standby
  - LOGIC_OK (BOOL): Identical Logic Pac A and Pac B
  - CPU_SyncLink_OK (BOOL): CPUs synchronized
  - CPU_OS_OK (BOOL): Same CPUs OS
  - Copro_OS_OK (BOOL): Same Copro OS
  - ETY_minVersion (BOOL): ETY version ok
  - Mon_ETY_OS_OK (BOOL): Monitored ETY OS Mismatch


Ethernet link monitoring DFBs

ETY_Monitor: Ethernet module monitoring

Inputs:
  - BLK (BOOL): External fault, Ethernet cable unplugged
  - MOD_ERROR (BOOL): Module Error
  - Monitoring_Rate (INT): Monitoring Rate value
  - Pulse (BOOL): Pulse computer in the Standby Section

Inputs/outputs:
  - COM_ETY5103 (IODDT): Command Run Mode Controller A (T_COM_X103)
  - RateEt (INT): Monitoring Rate current value

Outputs:
  - Fault (BOOL): Module Fault
  - Enable (BOOL): Reading Pulse READ_STS function

The “ETY_Monitor” DFB monitors the status of the Ethernet link provided by the TSX ETY 5104 (or TSX ETY 4103). We use as inputs the BLK and MOD_ERROR information from IODDT T_GEN_MOD.

• BLK: external fault, Ethernet cable unplugged
• MOD_ERROR: Module error

The IODDT T_GEN_MOD is updated by the READ_STS function. This function reads the status word of an ETY module. The execution rate is controlled by the Monitoring Rate parameter configured by the user (see Chapter 5: Implementation).

[Figure: ETY_Monitor DFB with its Enable output (Reading Pulse READ_STS function) wired to the EN input of a READ_STS block whose CH input is %CHx.X.MOD]

The structure of the IODDT T_GEN_MOD is detailed in the table below:


ETY3_State (T_GEN_MOD):
  - MOD_ERROR (BOOL): Module error
  - EXCH_STS (INT): Exchange status
  - STS_IN_PROGR (BOOL): Status parameter read in progress
  - EXCH_RPT (INT): Channel report
  - STS_ERR (BOOL): Error while reading module status
  - MOD_FLT (INT): Module Faults
  - MOD_FAIL (BOOL): Internal fault: Module failure
  - CH_FLT (BOOL): Faulty channel(s)
  - BLK (BOOL): External fault: Terminal Block
  - CONF_FLT (BOOL): Hardware or software configuration fault
  - NO_MOD (BOOL): Module absent or power down
  - EXT_MOD_FLT (BOOL): FIPIO extension module fault
  - MOD_FAIL_EXT (BOOL): Internal fault: Module failure (only FIPIO extension)
  - CH_FLT_EXT (BOOL): Faulty channel(s) (only FIPIO extension)
  - BLK_EXT (BOOL): External fault: Terminal Block (only FIPIO extension)
  - CONF_FLT_EXT (BOOL): Hardware or software configuration fault (only FIPIO extension)
  - NO_MOD_EXT (BOOL): Module absent or power down (only FIPIO extension)

The MOD_ERROR bit is set to 1 when an ETY module ceases operation. One frequent cause is the cessation of communication of a device on the I/O Scanning which, in our case, should not initiate a switchover. Therefore, in order to filter this occurrence, we use the T_COM_X103 function to monitor the I/O Scanning status and validate the MOD_ERROR value.

When implementing a Hot-Standby system, this block is used once for each ETY module in the configuration.


Switchover Management

SYNTH_FAULT: Performs the faults synthesis

Inputs:
  - Faulty_ETY (BOOL): Synthesis Fault ETY Module
  - Faulty_SCY (BOOL): Synthesis Fault SCY Module
  - Faulty_SCADA (BOOL): Synthesis Fault Scada
  - Fault_Mask (WORD): Fault Mask word

Outputs:
  - Fault_Synth (INT): Synthesis Fault Word
  - Fault (BOOL): OS Versions Mismatch

This block processes the faults that would lead to a switchover. Its inputs are the results of the ETY and SCY modules failure detection. “Faulty_SCADA” is an input pin used when the communication between the SCADA and the PAC is monitored.

This DFB also processes:

• Battery faults
  - %S67 = application memory card battery
  - %S68 = processor battery
  - %S75 = data storage memory card battery
• CPU fault
  - %S12 = CPU running
• General In-Rack I/O fault
  - %S119 = fault of one or several I/O modules in the rack
• Slots 3 to 10 fault
  - %SW160 = operating status of Premium modules installed on station 1

The faults are processed using the mask value set on the input pin “Fault_Mask”. This mask selects which faults are taken into account, according to the configuration and to the user’s settings.


Each fault corresponds to one bit of the “Fault_Synthesis” word:

BIT: Element monitored
• Bit 0: Battery Fault
• Bit 1: Fault CPU
• Bit 2: General In-Rack I/O fault
• Bit 3: Fault on Slot 3
• Bit 4: Fault on Slot 4
• Bit 5: Fault on Slot 5
• Bit 6: Fault on Slot 6
• Bit 7: Fault on Slot 7
• Bit 8: Fault on Slot 8
• Bit 9: Fault on Slot 9
• Bit 10: Fault on Slot 10
• Bit 11: Ethernet Adapter(s) ETY Fault
• Bit 12: MODBUS Adapter(s) SCY Fault
• Bit 13: SCADA Fault

The result of this synthesis is saved in a word and set as an output on the “Fault_Synth_Plc” pin. If there is at least one fault, the output pin “Fault” is set to 1.

During the implementation of the system, this block is used twice: once for the Primary PAC and once for the Standby PAC.

In order to be able to compute the status of several ETY modules, logical “OR” and “AND” processing DFBs have been created:

SYNTH_AND_ETY
  - Inputs: FLT_ETY_1 (BOOL), FLT_ETY_2 (BOOL), FLT_ETY_3 (BOOL)
  - Output: FAULT_ETY (BOOL)

SYNTH_OR_ETY
  - Inputs: FLT_ETY_1 (BOOL), FLT_ETY_2 (BOOL), FLT_ETY_3 (BOOL)
  - Output: FAULT_ETY (BOOL)


SWITCH_MANAG: Approve or deny a switchover

Inputs:
  - PRIM_DIAG (INT): Synthesis Fault word Primary
  - STBY_DIAG (INT): Synthesis Fault word Standby
  - SWITCH_NB_Reset (BOOL): Switchover Number Reset

Input/output:
  - FORCE (BOOL): Manual Switchover

Output:
  - SWITCH_NB (UINT): Switchover request

The “Switch_Manag” DFB manages and counts switchover queries. The switchover approval is computed from the Primary and Standby PACs diagnosis coming from the “Fault_Synthesis” DFBs as seen above.

A switchover is allowed if:
• The Standby PAC diagnosis is OK.
• More than 30s have elapsed since the previous switchover.

Note: The time delay before the switchover takes place can be adjusted using variables of the DFB (Delay_Time_Before_Switchover). This delay is set to 1s by default.

The switchover counter can be reset using the input pin “Switch_N_Reset”.

For maintenance reasons, the input pin FORCE allows a manual switchover of the system.

During the implementation, this block is used only once.

Switchover Time

Switch_Over_Time

Inputs:
  - Remote_is_Primary (BOOL): Remote Pac is Primary
  - This_is_Prima (BOOL): This Pac is Primary

Output:
  - Sw_Timer (TIME): Switchover Time

The time gap during the switchover is a very important feature of the Hot-Standby system. A DFB has been defined to measure this time. The principle is to measure the time between the moment the Primary PAC loses its Primary status and the moment the Standby turns Primary. This block, placed in section 0, processes the system word %SW61 information and uses the ITCNTRL block function, which allows event time measurements. The accuracy of the switchover time depends on the PAC scan time; for more accuracy, other measurements can be performed as described in the performance chapter.


3.3.3. In-Rack I/O System

This paragraph describes the management of the I/Os populating the main rack. Inputs acquisition is performed locally by both Primary and Standby PACs, whereas the Primary PAC outputs are mirrored on the Standby PAC (provided that there is no specific action programmed in the section 0).

Redundant Digital I/Os Implementation

Digital input and output signals are connected to the PAC through an ABE7 connection block. These signals are multiplexed/de-multiplexed by a Telefast connection device as seen on the above diagram (ABE7 ACC11 for the inputs and ABE7 ACC10 for the outputs). Exceptions detected on Digital inputs cannot initiate a switchover.

The digital I/Os implementation is illustrated on the diagram below.

Digital Outputs in the section 0

As the Standby PAC executes the first section (section 0) of the application program and then applies the object image %Q received from the Primary PAC, it is important not to modify the redundant output status in this section. A modification of the output bits in the section 0 can lead to an inconsistent status of the outputs as they are modified twice in the same MAST task.


Digital Outputs fall-back mode

In general, the outputs fall-back mode must be similar to their current mode in order to avoid an operation discrepancy during the switchover.

Pulse Triggered Actuators

Digital output redundancy implies a distortion of the command signal. Output modules are connected in parallel of the physical output, via a connection block. The result of a command is based on the length of the pulse and the delay after which the pulse is applied on the Standby PAC.

These mechanisms have to be taken into account in order to handle In-Rack digital output redundancy.

Positive pulse trigger

As shown on the above diagram, the length of the output is longer than the Pulse Time. This does not have any impact on the device behavior.

In the case where the delay is greater than the pulse length and using an actuator with a low response time, the signal received by the actuator might be composed of 2 commands, as shown on the diagram below:


Negative pulse trigger

As shown on the above diagram, the length of the output is shorter than the Pulse Time. This does not have any impact on the device behavior unless it cannot handle a shorter command.

The following diagram presents the case where the delay is greater than the pulse time of the output signal:

Because the delay is greater than the Pulse Time, the device will not receive any command.
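The positive and negative pulse cases above, worked through as an added Python model (not part of the original guide). It assumes the two outputs wired in parallel behave as a logical OR, that the Standby applies the same pulse delay_ms later, and that the actuator ignores any level change shorter than a hypothetical response_ms.

```python
def seen_by_actuator(pulse_ms, delay_ms, polarity):
    """Return the (start, end) windows, in ms, during which the actuator
    sees the command level.

    Assumption: Primary drives the pulse on [0, pulse_ms] and Standby
    repeats it on [delay_ms, delay_ms + pulse_ms]; outputs are OR-ed.
    """
    if pulse_ms <= 0 or delay_ms < 0:
        raise ValueError("pulse_ms must be > 0 and delay_ms >= 0")
    primary = (0, pulse_ms)
    standby = (delay_ms, delay_ms + pulse_ms)
    if polarity == "positive":
        # Command level is 1: the actuator sees the union of both pulses.
        if standby[0] <= primary[1]:
            return [(0, standby[1])]          # one stretched command
        return [primary, standby]             # gap between two commands
    if polarity == "negative":
        # Command level is 0: the OR is 0 only while both outputs are 0.
        start, end = standby[0], primary[1]
        return [(start, end)] if start < end else []
    raise ValueError("polarity must be 'positive' or 'negative'")


def assess(pulse_ms, delay_ms, polarity, response_ms):
    """Classify what an actuator with the given response time receives."""
    windows = seen_by_actuator(pulse_ms, delay_ms, polarity)
    if not windows:
        return "no command"
    if len(windows) == 2:
        gap = windows[1][0] - windows[0][1]
        # A fast actuator resolves the gap and reacts twice.
        return "two commands" if gap > response_ms else "one command"
    length = windows[0][1] - windows[0][0]
    return "command too short" if length < response_ms else "one command"


def max_safe_delay(pulse_ms, polarity, response_ms):
    """Largest Standby delay for which assess() still says 'one command'.

    Returns None when no delay is acceptable (negative pulse already
    shorter than the actuator response time).
    """
    if polarity == "positive":
        return pulse_ms + response_ms
    if polarity == "negative":
        limit = pulse_ms - response_ms
        return limit if limit >= 0 else None
    raise ValueError("polarity must be 'positive' or 'negative'")


if __name__ == "__main__":
    for pol, delay in (("positive", 20), ("positive", 150),
                       ("negative", 20), ("negative", 150)):
        print(pol, delay, seen_by_actuator(100, delay, pol),
              assess(100, delay, pol, response_ms=10))
```

max_safe_delay gives a sizing rule under this model: a negative pulse has to be longer than the worst-case Standby delay plus the actuator response time.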


Analog Inputs implementation

Analog signals are connected to the PACs through a signal duplicator. For our application, we use a JMConcept TELIS9000U2 module (which replaces reference JK3000N2).

The table below describes the signal range handled by the TELIS9000U2:

INPUTS
• Current (continuous):
  - Standard scales: 0/1mA; 0/10mA; 4/20mA; +/-1mA; +/-10mA; +/-20mA
  - User defined scales: from -22mA to 22mA
• Voltage (continuous):
  - Standard scales: 0/100mV; 0/1V; 0/5V; 1/5V; 0/10V; 2/10V; 2/10V; 0/50V; 0/100V; 0/200V
  - User defined scales: from -110mV to 110mV; from 2V to 11V; from -200V to 220V
• Probe: PT100; PT1000; Ni100; Ni1000
• Thermocouple: J, K, R, S, T, E, B, N, W3, W5, NiMo
• Potentiometer: from 100Ω to 100kΩ
• Resistance: 0/200Ω; 0/1kΩ; 0/10kΩ
• Sensor Power Supply: 2 or 3 wires, 24V - 29mA max

OUTPUTS
• Output 1 Current: 0/20mA; 4/20mA; from 0 to 20mA
• Output 1 Voltage: 0/10V; +/-10V - from 0 to 10V
• Output 2 Current: 0/20mA; 4/20mA; from 0 to 20mA
• Output 2 Voltage: 0/10V; +/-10V - from 0 to 10V
• Digital Output: USB connector in front panel; RS485 Modbus Jbus isolated from input and output 1
• Relay Output: Relay: 1RT; 2RT; 3RT; 4T; 1RT & 1T

As seen on the next figure, the signal from the process is duplicated and wired on both PACs thanks to the JMConcept module.


[Figure: Analog Input]

Analog Outputs implementation

The implementation is handled by a low-level commutation interface, in our case a JMConcept GK3000D1 module.

The principle is to select the output coming from the Primary PAC. This selection is performed by 2 relays controlled by a PAC digital output. The management of the relays can be performed either by 1 non-redundant output or by 2 redundant outputs to increase reliability. In our architecture, we choose to manage the relays with 2 redundant digital outputs.

The following table describes the GK3000D1 interface relays logical operation:

• Relay A: 1 0 1 0
• Relay B: 0 1 1 0
• Output Channel: Analog Input 1; Analog Input 2; last correct channel

INPUTS
• Analog Input 1: 4/20 mA
• Analog Input 2: 4/20 mA
• Digital Input 1: on optocoupler 30V max
• Digital Input 2: on optocoupler 30V max

OUTPUTS
• Analog Output: 4/20 mA
• Digital Output: RS 485 isolated from input; Modbus, Jbus. Digital link allows programming of the module. Digital link allows acquisition of the measurements.


Analog Outputs controlled by non-redundant Digital Outputs

The 2 PACs analog outputs are connected to a GK3000 D1 module. This module, controlled by digital signals, routes one of its 2 inputs to its output, using 2 relays.

In our case, the digital signals that control the GK3000D1 module are 2 digital outputs of the PACs. The main benefit of this solution is that it only uses 1 digital output to route analog outputs.

A wiring example is presented in the diagram below:

[Figure: wiring example, Analog Output and Digital Output]

The Primary PAC must set to 1 the digital output that controls the relay in order to route its own analog output to the output channel of the commutation interface. The Standby PAC then sets to 0 the digital output that controls the other relay.

Note: This logical operating principle must be coded in section 0. The fall-back mode of the digital output module must be set to 0.

For example, according to the diagram above, if PAC_A is the Primary PAC, the digital output connected on the relay A is set to 1 while PAC_B digital output connected to relay B is set to 0. This routes the analog signal A to the output of the communication interface.

Note: This solution is not used in our architecture.


Analog Outputs controlled by redundant Digital Outputs

[Figure: wiring, Analog Output and Digital Output]

An analog output redundancy is performed, thanks to a GK3000D1 communication interface and redundant digital outputs, using 2 digital outputs per PAC. Each relay of the GK3000D1 interface is connected to a digital output.

If… / Then…
• PAC A is Primary:
  - Digital output number 0 is set to 1 (relay A)
  - Digital output number 1 is set to 0 (relay B)
• PAC B is Primary:
  - Digital output number 0 is set to 0 (relay A)
  - Digital output number 1 is set to 1 (relay B)

Note: This logical operating principle must not be coded in the first section (section 0).

For example, according to the diagram above, if PAC_A is the Primary PAC, the digital output No 0 (relay A) is set to 1 and the digital output No 1 (relay B) is set to 0. Thus, the analog signal ANA_A is routed to the output of the communication interface.

Note: This solution is used in our architecture.


3.4. Quantum Hot-Standby System

This chapter describes the different features and specifications of a redundant Quantum PAC system.

3.4.1. Quantum PAC Specifications

Primary and Standby PACs

The Primary PAC runs the whole application program including the first section. It handles remote I/Os and updates the redundant PAC after each program cycle.

If the Primary PAC stops, the Standby PAC takes over the control from the Primary PAC in one cycle.

The Standby PAC only runs the first section of the application program, checks the CPU and CRP modules availability and does not handle remote I/Os.

Note: CRP modules are needed in a Quantum Hot-Standby configuration, even if the system does not use remote I/Os. In this case, the two CRP modules are linked for monitoring purposes.

Local I/Os can be configured and used in a Hot-Standby Quantum system. However, they are not saved on the Standby system. They can be written in the Standby system with different values using the first section of the program (section 0).

Moreover, the output modules management can only be performed using variables that are not transferred from Primary to Standby PAC.

Hardware Constraints

• Non-compatible modules:

The following modules cannot be used in a Quantum Hot-Standby configuration:
  - 140 NWM 100 00
  - 140 NOC 771 00

Note: Modules 140NOE77100 and 140NOE77110 are not available anymore.

• Local I/Os:

The term “local I/Os” refers to the I/O modules located in the local rack, which do not take part in the redundancy system.

When no programming has been specified, the Standby CPU outputs state is imposed by the Primary CPU. Standby CPU outputs can be programmed in the section 0 (which is the only section executed in the Standby CPU) and they take the specified status unless they are forced in the Primary CPU.


Standby CPU inputs status (%I readable in the application and from the animation table) does not reflect the hardware Standby CPU inputs status, but instead is related to the Primary CPU inputs status.

The Standby module byte status indicates:
- the Primary module status in the case of a mixed module
- the Standby module status in the case of an output module (DDO)

It is important to manage the local I/Os in the section 0 only by using the %MW words of the non-transfer area.

• Remote I/Os:

Communication modules cannot be used in a Remote I/O rack within a Hot-Standby application.

Software Constraints

We recommend not using TIMER events as they are not synchronized in Quantum Hot-Standby applications.

3.4.2. Quantum Hot-Standby DFBs Library

The following table summarizes the different DFBs created for the Quantum application.

DFB: FUNCTION

ETHERNET
• NOE_MONITOR: Monitoring NOE Ethernet Module

PROFIBUS
• PTQ_MONITOR: Monitoring PTQ Ethernet Module

SYNTHESIS
• SYNTH_FAULT: Synthesis Fault monitored elements
• SYNTH_OR_NOE: Synthesis Fault NOE module (Logic OR)
• SYNTH_AND_NOE: Synthesis Fault NOE module (Logic AND)
• SYNTH_OR_PTQ: Synthesis Fault PTQ module (Logic OR)
• SYNTH_AND_PTQ: Synthesis Fault PTQ module (Logic AND)

SWITCHOVER
• SWITCH_MANG: Switchover Management


Ethernet link monitoring DFBs

NOE_Monitor

The NOE_Monitor DFB monitors the Ethernet link hosted by the NOE module.

The monitoring is managed by the MBP_MSTR block function integrated in the NOE_Monitor DFB. The MBP_MSTR block allows performing operations on communication networks, for example, the extraction of the local statistics of the NOE module.

This extraction rate is controlled by the “Monitor Rate” parameter configured by the user. Extracted data is available on output pins as shown on the diagram.

[Figure: NOE_Monitor DFB and the embedded MBP_MSTR block]

NOE_Monitor pins:
• Inputs/outputs: MSTR_ACTIVE (BOOL), MSTR_DONE (BOOL), MSTR_ERROR (BOOL), RateEt (INT), Error_Count (INT), MSTR_Control (input side: ARRAY[0..9] OF INT; output side: ARRAY[1..9] OF INT), MSTR_DataBuf (output side: ARRAY[1..37] OF WORD)
• Inputs: Slot (BYTE), MonitoringRate (INT), Retries (INT), Pulse (BOOL)
• Outputs: Data_TCP (DIAG_TCP), LED_APPL (BOOL), LED_LINK (BOOL), LED_RUN (BOOL), NOE_Failure (BOOL), CFG_PORT (BOOL), ETH_100M (BOOL), OPTICFIB (BOOL), FULL_DUP (BOOL), FAULT (BOOL), EQUP_TYP (UINT), IP_AD_1 to IP_AD_4 (INT), MAC_ADD_1 to MAC_ADD_6 (WORD)

MBP_MSTR pins: ENABLE, ABORT, ACTIVE, ERROR, SUCCESS, CONTROL, DATABUF


NOE Local statistics

In order to diagnose the health status of the NOE module, we check the status of the module and of the link using the RUN LED and the Link LED respectively. The number of faults is given by the MBP_MSTR block. This number is compared to the “retries” value: if the number of faults is greater than or equal to the “retries” value, NOE_Failure is set to 1.


The block implementation is associated with a data structure NOE_Monit.

NOE_Monit (Struct):
  - MSTR_Active (BOOL)
  - MSTR_Done (BOOL)
  - MSTR_Error (BOOL)
  - MSTR_RateEt (INT)
  - MSTR_Error_Count (INT)
  - Failure (BOOL)
  - Fault (BOOL)
  - Led_Appl (BOOL)
  - Led_Cfg_Port (BOOL)
  - Led_Eth_100M (BOOL)
  - Led_Full_Dup (BOOL)
  - Led_Link (BOOL)
  - Led_Ooptic_Fib (BOOL)
  - Led_Run (BOOL)
  - EQUP_TYP (BOOL)
  - MAC_ADD_1 to MAC_ADD_6 (WORD)
  - IP_AD_1 to IP_AD_4 (INT)
  - EQUIP_TYPE (UINT)
  - MSTR_Control (ARRAY[1..9] OF INT)
  - MSTR_DataBuf (ARRAY[0..37] OF WORD)
  - MSTR_Data (Diag_TCP)

During the implementation the block is used as many times as the number of NOE modules.


Profibus link monitoring DFBs

PTQ_Monitor

Inputs:
  - Fault_Timeout (TIME): Fault Timeout
  - Master_Status (WORD): Master PTQ Status
  - Master_Operating_State (WORD): Master PTQ Operating
  - Active_Status (BYTE): Active PTQ Status
  - Active_NbSlave (BYTE): Nb slaves seen by active PTQ
  - Passive_Status (BYTE): Passive PTQ Status
  - Passive_NbSlave (BYTE): Nb slaves seen by passive PTQ
  - PassiveP_Status_UDP (BYTE): Passive PTQ Status via UDP
  - Passive_NbSlave_UDP (BYTE): Nb slaves seen by passive PTQ via UDP

Outputs:
  - PTQ_FAULT (BOOL): General PTQ fault
  - Faulty_Active (BOOL): Active PTQ fault
  - Faulty_Passive (BOOL): Passive PTQ fault
  - Faulty_Passive_UDP (BOOL): Passive PTQ fault via UDP

A Quantum Hot-Standby system does not automatically handle the PTQ-PDPMV1 module redundancy. However, this module provides enough information about the health status of the Active and Passive Master (Active = Primary and Passive = Standby) to be able to develop a DFB to manage redundancy.

The health status information circulates through the Profibus network. That means that, if the Profibus link is lost, the modules are not able to communicate their health status. Therefore, we use the Ethernet UDP capability (“PTQ Link Message”) to set up the PTQ module redundancy function. An Ethernet crossover cable is needed to link the two modules. Thus, the Primary module can access the health status of the Standby module even if the communication link is lost.

Note: The link between the 2 PTQ modules can also be established using an Ethernet switch. In that case, the user can transfer the module configuration without unplugging the cable. This solution is also used when the distance between the 2 PACs is too large.


Data used by the PTQ_Monitor DFB

1. Data circulating through the Profibus network

• ProfibusCRC32: Profibus Master configuration
This word describes the configuration of the Profibus parameters and of the slave devices.

• PTQModuleCRC32: PTQ-PDPMV1 configuration
This word describes the configuration of the PTQ module (mapping, and so on).

• Profibus Master Operating State
This word describes the status of the master module.
  - 0x0000: Offline
  - 0x4000: Stop
  - 0x8000: Clear
  - 0xC000: Operate

• ProfibusMasterModuleStatus: Profibus master module’s operating status
  - Bit 2, Application Status:
    0 - Application Stopped
    1 - Application Running
  - Bit 8, Data exchange:
    0 - There is no data exchange with any of the assigned slaves
    1 - There is Data Exchange with at least one of the assigned slaves
  - Bit 9, Slave input frozen/cleared:
    0 - A slave's inputs in the IN area are cleared if a slave is not in Data Exchange
    1 - A slave's inputs in the IN area are frozen if a slave is not in Data Exchange
  - Bit 12, Reset:
    0 - No action
    1 - A reset is requested by the PROFIBUS Master module because a new database has been downloaded


• HSBY Passive Status (Byte) – from Profibus interface
  - Bit 0 = PA: This bit indicates the state of the local master.
    0 - Active master. Master is controlled by the Primary PAC
    1 - Passive master. Master controlled by the Standby PAC
  - Bit 1 = SO: This bit indicates if the local master recognizes any of its assigned slaves as "offline".
    0 - At least one slave is "offline"
    1 - All slaves OK
  - Bit 2 = CE: This bit indicates if the local master has recognized an exception response.
    0 - No exception response active
    1 - At least one exception response active
  - Bit 3 = DB: This bit indicates if the local master has detected a database mismatch.
    0 - Database OK
    1 - Database mismatch
  - Bit 4 = OD: This bit indicates when the data in the output data area of the DPRAM is updated after a switchover.
    0 - Output data is not updated
    1 - Output data is updated (once this bit is set, it remains set for the remaining session until any bus is either reset or the HSBY state changes to "Not Connected")
  - Bit 5 – 6 = not used
  - Bit 7 = COM: This bit indicates if the counterpart is present.
    0 - Counterpart not present
    1 - Counterpart is present

• HSBY Passive number of slaves (Byte) - from PROFIBUS interface
Slave number seen by the Passive module

• HSBY Active Status (Byte) - from PROFIBUS interface
  - Bit 7 = HS: This bit indicates that the Hot-Standby functionality is enabled.
    0 - HSBY disabled. Module operates as "stand alone" master or HSBY state equals "Not connected".
    1 - HSBY enabled
  - Bits 0 to 6 are identical to those of the HSBY Passive Status (as seen above)


2. Data circulating through UDP mailer

The data available via UDP mailer only apply to the Passive module. It is identical to the data found on the Profibus network:
• HSBY Passive Status UDP - from UDP HSBY Server
• HSBY Passive number of slaves UDP - from UDP HSBY Server
• HSBY Passive PROFIBUS CRC32 UDP - from UDP HSBY Server
• HSBY Passive User Configuration CRC32 UDP - from UDP HSBY Server

3. Operation

The Active PTQ module is declared non-operational in the following cases:
• exception response
• application discrepancy
• inactive Hot-Standby system
• module in “Run” state
• loss of communication with the slave devices
• Master Operating State equals “0xC000=Operate”

The Passive PTQ module is declared non-operational in the following cases:
• exception response (Profibus and UDP) and Passive_number_of_slaves_UDP equals 0
• missing counterpart (Profibus and UDP) and Passive_number_of_slaves_UDP equals 0
• module in Active mode and Passive_number_of_slaves_UDP equals 0

The Ethernet link which supports the UDP service is also monitored. If the status word PTQ_Passive_UDP equals 0, we consider the link as non-operational.

In short, our DFB asks for a switchover when the Active module is non-operational and the Passive one is operating normally.

While implementing the Hot-Standby system, this DFB is used as many times as there are PTQ modules.
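The status layouts and the Passive-module rules listed above, as an added Python sketch (not the PTQ_Monitor DFB itself, whose code is not shown in this guide). It reads "(Profibus and UDP)" as "reported by both copies of the status byte" and tests the Active-mode rule on the UDP copy; both readings are assumptions, as are all function names.

```python
from dataclasses import dataclass

# Profibus Master Operating State values from the table above.
OPERATING_STATE = {0x0000: "Offline", 0x4000: "Stop",
                   0x8000: "Clear", 0xC000: "Operate"}


@dataclass(frozen=True)
class HsbyStatus:
    passive: bool          # bit 0 PA: 1 = passive master (Standby PAC)
    all_slaves_ok: bool    # bit 1 SO: 1 = all slaves OK
    exception: bool        # bit 2 CE: 1 = exception response active
    db_mismatch: bool      # bit 3 DB: 1 = database mismatch
    outputs_updated: bool  # bit 4 OD: 1 = output data updated
    bit7: bool             # COM in the Passive byte, HS in the Active byte


def decode_hsby(value):
    """Decode an HSBY Active/Passive status byte (bits 5-6 are unused)."""
    if not 0 <= value <= 0xFF:
        raise ValueError("HSBY status is a single byte")
    return HsbyStatus(*(bool(value >> b & 1) for b in (0, 1, 2, 3, 4, 7)))


def operating_state(word):
    """Name of a Profibus Master Operating State word."""
    try:
        return OPERATING_STATE[word]
    except KeyError:
        raise ValueError(f"undocumented operating state 0x{word:04X}") from None


def module_status(word):
    """Decode the documented bits of ProfibusMasterModuleStatus."""
    return {
        "application_running": bool(word >> 2 & 1),
        "data_exchange": bool(word >> 8 & 1),
        "inputs_frozen": bool(word >> 9 & 1),
        "reset_requested": bool(word >> 12 & 1),
    }


def passive_faults(profibus_byte, udp_byte, nb_slaves_udp):
    """Reasons for declaring the Passive PTQ module non-operational."""
    if udp_byte == 0:
        # Page rule: a zero UDP status word means the UDP link is down.
        return ["UDP link non-operational"]
    pb, udp = decode_hsby(profibus_byte), decode_hsby(udp_byte)
    reasons = []
    if nb_slaves_udp == 0:
        if pb.exception and udp.exception:
            reasons.append("exception response")
        if not pb.bit7 and not udp.bit7:
            reasons.append("counterpart missing")
        if not udp.passive:            # assumption: UDP copy is tested
            reasons.append("module in Active mode")
    return reasons


if __name__ == "__main__":
    # Constructed sample values, not captured from a real module.
    print(decode_hsby(0x83), operating_state(0xC000))
    print(passive_faults(0x87, 0x87, 0))
```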


Switchover Management

Faults Synthesis

SYNTH_FAULT

Inputs:
  - Faulty_NOE (BOOL): Synthesis Fault NOE Module
  - Faulty_PTQ (BOOL): Synthesis Fault PTQ module
  - Faulty_SCADA (BOOL): Synthesis Fault Scada
  - Fault_Mask (WORD): Fault Mask word

Outputs:
  - Fault_Synth (INT): Synthesis Fault Word
  - Fault (BOOL): OS Versions Mismatch

This block processes the faults that would lead to a switchover. Its inputs are the results of the NOE and PTQ modules failure detection. “Faulty_SCADA” is an input pin used when the communication between the SCADA and the PAC is monitored.

This DFB also processes:

• Battery events
  - %S67 = application memory card battery
  - %S68 = processor battery
  - %S75 = data storage memory card battery
• CPU non-operating
  - %S12 = CPU running
• General In-Rack I/O non-operating
  - %S119 = event of one or several I/O modules in the rack
• Slots 3 to 10 non-operating
  - %SW180 = operating status of Quantum modules installed on station 1

The faults are processed using the mask value set on the input pin “Fault_Mask”. This mask selects which events are taken into account, according to the configuration and the user’s settings.


Each exception corresponds to one bit of the “Fault_Synthesis” word:

BIT: Element monitored
• Bit 0: Battery Exception
• Bit 1: CPU Exception
• Bit 2: General In-Rack I/O Exception
• Bit 3: Exception on Slot 3
• Bit 4: Exception on Slot 4
• Bit 5: Exception on Slot 5
• Bit 6: Exception on Slot 6
• Bit 7: Exception on Slot 7
• Bit 8: Exception on Slot 8
• Bit 9: Exception on Slot 9
• Bit 10: Exception on Slot 10
• Bit 11: Ethernet Adapter(s) NOE Exception
• Bit 12: PROFIBUS Adapter(s) PTQ Exception
• Bit 13: SCADA Exception

The result of this synthesis is saved in a word and set as an output on the “Fault_Synth_Plc” pin. If there is at least one exception response, the output pin “Fault” is set to 1.

During the implementation of the system, this block is used twice: once for the Primary PAC and once for the Standby PAC.

In order to be able to compute the status of several NOE or PTQ modules, logical “OR” and “AND” processing DFBs have been created:

SYNTH_AND_NOE
  - Inputs: FLT_NOE_1 to FLT_NOE_6 (BOOL)
  - Output: FAULT_NOE (BOOL)

SYNTH_AND_PTQ
  - Inputs: FLT_PTQ_1 to FLT_PTQ_6 (BOOL)
  - Output: FAULT_NOE (BOOL)

SYNTH_OR_NOE
  - Inputs: FLT_NOE_1 to FLT_NOE_6 (BOOL)
  - Output: FAULT_NOE (BOOL)

SYNTH_OR_PTQ
  - Inputs: FLT_PTQ_1 to FLT_PTQ_6 (BOOL)
  - Output: FAULT_NOE (BOOL)


Switch Management

SWITCH_MANAG

Inputs:
  - PRIM_DIAG (INT): Synthesis Fault word Primary
  - STBY_DIAG (INT): Synthesis Fault word Standby
  - SWITCH_NB_Reset (BOOL): Switchover Number Reset

Input/output:
  - FORCE (BOOL): Manual Switchover

Output:
  - SWITCH_NB (UINT): Switchover request

The “Switch_Manag” DFB manages and counts switchover queries. The switchover approval is computed from the Primary and Standby PACs diagnosis coming from the “Fault_Synthesis” DFBs as seen above.

A switchover is allowed if:
• The Standby PAC diagnosis is OK.
• More than 30s have elapsed since the last switchover.

Note: The time delay before the switchover takes place can be adjusted using variables of the DFB (Delay_Time_Before_Switchover). This delay is set to 1s by default.

The switchover counter can be reset using the input pin “Switch_N_Reset”.

For maintenance reasons, the input pin FORCE allows a manual switchover of the system.

During the implementation of a Quantum Hot-Standby system, this block is used only once.

Remote I/Os

The use of Remote I/Os in a Hot-Standby system makes it possible to work with redundant I/Os. It is important to configure the “drop hold up time” according to the cycle time and to the application. This parameter is the time during which I/O values are maintained while a switchover occurs.

The Remote I/O stations are monitored using the following system words:

• %SW535: This word stores the start-up error code. This word is always set to 0 when the system is running; in the event of error, the PLC does not start up, but generates a stop status code.
• %SW536 to %SW538: Communication error words on cable A.
• %SW539 to %SW541: Communication error words on cable B.


• %SW542 to %SW544: These words are the global communication error words. Dedicated to the global station. That means these words can refer to Primary PAC as well as Standby PAC.
• %SW545 to %SW640: These words are used to describe the status of the decentralized stations. Three status words are used for each station.

Our Remote I/Os are configured on the Drop2. We therefore use the following system words:

• %SW548: displays the global communication status for station 2
  - %SW545.0 to 7 = retry totalizer counter
  - %SW545.8 to 11 = lost communications counter
  - %SW545.13 = 1, communication on cable B operating correctly
  - %SW545.14 = 1, communication on cable A operating correctly
  - %SW545.15 = 1, communication operating correctly
• %SW549: global event totals for cable A station 2
  - most significant bit: counts the errors detected
  - least significant bit: counts "non responses".
• %SW550: global event totals for cable B station 2
  - most significant bit: counts the errors detected
  - least significant bit: counts "non responses".


Switchover Time

Switch_Over_Time

Inputs:
  - Remote_is_Primary (BOOL): Remote Pac is Primary
  - This_is_Prima (BOOL): This Pac is Primary

Output:
  - Sw_Timer (TIME): Switchover Time

The time gap during the switchover is a very important feature of the Hot-Standby system. A DFB has been defined to measure this time. The principle is to measure the time between the moment the Primary PAC loses its Primary status and the moment the Standby turns Primary. This block, placed in section 0, processes the system word %SW61 information and uses the ITCNTRL block function, which allows event time measurements. The accuracy of the switchover time depends on the PAC scan time; for more accuracy, other measurements can be performed as described in the performance chapter.
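The fault synthesis and switchover approval described for both the Premium and the Quantum libraries, as an added Python model (not the code of the SYNTH_FAULT or SWITCH_MANAG DFBs). It assumes a 1 in Fault_Mask keeps the corresponding fault, that a request must persist for Delay_Time_Before_Switchover before it is approved, and that FORCE is subject to the same approval conditions; the class and function names are hypothetical.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Iterable, Optional

# Bit layout of the fault synthesis word, copied from the two bit tables.
FAULT_BITS = {
    0: "Battery", 1: "CPU", 2: "General In-Rack I/O",
    **{n: f"Slot {n}" for n in range(3, 11)},
    11: "Ethernet adapter (ETY on Premium, NOE on Quantum)",
    12: "Fieldbus adapter (SCY on Premium, PTQ on Quantum)",
    13: "SCADA",
}


def synth_fault(active_bits: Iterable[int], fault_mask: int) -> tuple[int, bool]:
    """Build the synthesis word and the Fault flag for one PAC."""
    word = 0
    for bit in active_bits:
        if bit not in FAULT_BITS:
            raise ValueError(f"bit {bit} is not defined in the fault word")
        word |= 1 << bit
    word &= fault_mask & 0x3FFF        # assumption: mask bit 1 = monitored
    return word, word != 0


def describe(word: int) -> list[str]:
    """Names of the monitored elements flagged in a synthesis word."""
    return [name for bit, name in FAULT_BITS.items() if word >> bit & 1]


@dataclass
class SwitchManager:
    lockout_s: float = 30.0   # "more than 30s" since the previous switchover
    delay_s: float = 1.0      # Delay_Time_Before_Switchover default
    switch_nb: int = 0
    _last_switch: Optional[float] = field(default=None, repr=False)
    _pending_since: Optional[float] = field(default=None, repr=False)

    def scan(self, now: float, prim_diag: int, stby_diag: int,
             force: bool = False, reset: bool = False) -> bool:
        """Call once per PAC scan; True means a switchover is approved."""
        if reset:
            self.switch_nb = 0
        if not (force or prim_diag != 0):
            self._pending_since = None     # request withdrawn
            return False
        if self._pending_since is None:
            self._pending_since = now
        delay_ok = now - self._pending_since >= self.delay_s
        lockout_ok = (self._last_switch is None
                      or now - self._last_switch > self.lockout_s)
        if delay_ok and lockout_ok and stby_diag == 0:
            self._last_switch = now
            self._pending_since = None
            self.switch_nb += 1
            return True
        return False


if __name__ == "__main__":
    # Constructed scenario: Ethernet adapter fault on the Primary.
    word, fault = synth_fault({11}, 0x3FFF)
    manager = SwitchManager()
    for t in (0.0, 1.0, 5.0, 31.0, 31.5):
        print(t, describe(word), manager.scan(t, word, 0), manager.switch_nb)
```

The 30 s lockout is what stops two PACs with the same persistent fault from swapping roles on every scan; the counter makes such repeated requests visible to the operator.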




4. Configuration

The configuration of the different components of our high-availability system is described in this chapter.

In the first part, the configuration of the redundant SCADA system, using MODNET and OFS communication protocols, is detailed.

We next describe the set-up of the Premium and Quantum Hot-Standby CPU and corresponding modules.

The Ethernet configuration is also addressed, in particular, the configuration of the manageable Ethernet switches, main component of the Control and Field Network.

The case of the Profibus network managed by a PTQ module in a Quantum Hot-Standby system will also be described.

4.1. SCADA


4.1.1 Servers Configuration

We use Citect Project Editor to perform the following different server configuration steps:
• Creation of a cluster
• Servers Mapping
• Creation of the I/O and ATR servers

Clusters

From the Servers menu, click on Clusters and create a cluster called “HighAv”.

Servers

As described in the Design chapter, we use a Primary and a Standby server. Therefore, still from the Servers menu, click on Network Addresses and create 2 servers with the following parameters:

• Server1 (Primary Server): IP Address: 172.20.101.1, SN Mask: 255.255.0.0


• Server2 (Standby Server): IP Address: 172.20.101.2, SN Mask: 255.255.0.0

Alarm / Trend / Report Servers

Once server1 and server2 are created, we can create Primary and Standby ATR servers.

Each ATR server is related to a cluster, a network address (Server1 or Server2) and an operational mode (Primary or Standby).

From the Servers menu, select Alarm Servers.

• Alarm1 (Primary Server):


• Alarm2 (Standby Server):

Proceed the same way for the Reports and Trends Servers (Report1, Report2, Trend1 and Trend2).

I/O Servers

Like ATR servers, I/O Servers are also related to a cluster and a network address (Server1 or Server2). The operational mode (Primary or Standby) is linked to the machine mode (Server1 or Server2).

From the Servers menu, select I/O Servers.

• IOServer1 (Primary I/O Server)
• IOServer2 (Standby I/O Server)


4.1.2 Communication Configuration

Communication configuration consists of Boards, Ports and I/O Devices set up.

The diagram illustrates the communication principle between the SCADA system and an I/O Device.

[Figure: Cluster HiAv. I/O Server #1 (IOServer1, Eth Addr #1 Server1, 172.20.101.1) and I/O Server #2 (IOServer2, Eth Addr #1 Server2, 172.20.101.2) each have a board BOARD1 (TCPIP – Address 0) and a TCP/IP port #1 PORT1_BOARD1 (-I172.20.101.110 -P0 -T) linked to Eth module #1 of the I/O Device PAC. Labels on the two links: Primary Priority 1, Primary Priority 2.]

In order to make this set up easier, you can use the “Express Wizard” accessed from the Communication menu.


Express Communications Wizard

This tool helps to configure the I/O Devices that communicate with the SCADA system.

For a redundant SCADA system, a single I/O Device is configured twice: once for each server (Primary and Standby).

Step 1: Start the Express Wizard and click on Next.
Step 2: Select IOServer1 and click on Next.
Step 3: Create the I/O Device “PAC”.
Step 4: Select “External I/O Device”.


If using Modnet, apply steps 5 and 6.
If using OFS, go to step 7.

Step 5: This step consists of selecting the I/O Device reference and the communication protocol. Here is the configuration for Modnet:
• If using a Premium PAC, select Modbus/TCP(Ethernet) – SpeedLink Capable from the Premium list and click on Next.
• If using a Quantum PAC, select Modbus/TCP(Ethernet) – SpeedLink Capable from the Quantum list and click on Next.

Note: Modbus/TCP – SpeedLink is chosen instead of Modbus/TCP because it supports the importing of PAC variables directly from the program file “.stu”.


Step 6: Configure the IP address of your I/O Device.
The diagram below shows the IP address of the Quantum Hot-Standby system.
Click on Next and go to step 9.

Step 7: If using OPC:
The software OPC Factory Server (OFS) acts as a gateway between I/O Devices and the SCADA system.
Select OPC from the OPC Factory Server list and click on Next.


Step 8: Configure the OPC server address. You can use the default address: Schneider-Aut.OFS.
Click on Next.

The step setting up the link between the I/O Device and an external database will be detailed in the Implementation Chapter.
Click on Next.


Step 9: The communication configuration between the Server1 (Primary) and the I/O Device is completed. Click on Finish.

To configure the communication between the Server2 (Standby) and the I/O Device, follow the same steps using IOServer2 during step 2.

The I/O Device name is the same (PAC) as in the previous configuration.

We will now check the components (Boards, Ports, I/O Devices) that have been configured by the “Express Communications Wizard”. The following dialogs are accessed from the Communication menu.


Boards Configuration

The component Board is used to declare the communication type (TCPIP, OPC and so on) used by the network components of the machine-server.

Concerning Modnet protocol, the wizard has created a board named BOARD1, using TCPIP, at address 0, on IOServer1 and IOServer2.

Concerning OPC protocol, the wizard has created a board named BOARD1, using OPC, at address 0, on IOServer1 and IOServer2.

Ports Configuration

The component Port represents the link between the SCADA system and the I/O Device.

The wizard has configured a first port on the IOServer1 named PORT1_BOARD1 which represents the link between the I/O Device IP 172.20.101.110 (the Quantum PAC in our case) and IOServer1, and a second one associated with IOServer2.


I/O Devices Configuration

In the I/O Devices configuration window, we find the device name, its number, the port to which it is associated and its communication protocol.

The “Startup Mode” and “Priority” fields (press the F2 key to get the complete window) are blank. In a Hot-Standby architecture, these fields have to be configured in order to define the Primary and Standby I/O Devices as well as their priority.

For our architecture, we have configured the I/O Device related to IOServer1 in Primary mode with a Priority set to 1. The I/O Device related to IOServer2 has been set in Standby mode with a Priority of 2.

• I/O Device MODNET Configuration


• I/O Device OPC Configuration


4.2. Control and Field Network

The aim of this chapter is to describe the configuration of the switches of the “Control Network” and “Field Network” using MRP (Media Redundancy Protocol) as redundancy management protocol.

The MRP principle is to have one switch of the ring defined as the Redundancy Manager (Media Redundancy Manager). The Redundancy Manager handles the response of the non-operational ring devices or network segments.


4.2.1. Switch Configuration

The configuration of a switch is done via its embedded web server (ConneXium TCESSM Web Server) accessed by typing its IP address in the address bar of an Internet browser. The IP address of the switch has been set using the “Ethernet Switch” software provided with the switch.

The following Login and Password are required to log in to the web server:

• Login: admin
• Password: private


Once logged in, the system page opens, presenting the visual aspect of the switch and its name. The different configuration tools of the server are accessible via the menu on the left.

The configuration of the Control Network switches is detailed through the following screenshots. In our configuration, switch #2 is set as the Redundancy Manager. From the Redundancy menu, click on Ring Redundancy to access the MRP configuration of the switch.


Note: To avoid loops during the switch configuration, do not connect the redundant path until you have completed the Ring Redundancy configuration.

So it is important to unplug the cable from port 2 and connect the computer on port 3.

Also, set the dipswitches on the Ethernet switch front panel, labeled “RM” and “Stand”, to the ON (rightmost) position to enable software ring configuration (via Web Interface).

The following table describes each step of the switch #2 configuration:

Step 1: Select the type of redundancy protocol - HIPER-Ring / MRP
Select the MRP radio button.

Step 2: Selection of Ring Ports
Enter Port numbers corresponding to the ports assigned to the ring connection, namely 1 and 2, respectively in Ring Port 1 and 2 areas.
Note: When the ring is operational, the Port Status is displayed. At this stage no information is presented. Port status values include the following:
forwarding: port is switched on and hosts a link
inactive: port is blocked and hosts a link
active: port is operational
disabled: port is blocked switched off
not-connected: port has no link

Step 3: Enable Redundancy Manager
Select the On radio button in Redundancy Manager area.


Step 4: Validate Advanced Mode for fast switching time
Click on Advanced Mode check box in Configuration Redundancy Manager area.

Step 5: Switch on operation
Validate the On radio button in Operation area to allow the validation of the modifications.

Step 6: Validate 200 ms Ring Recovery
Ring Recovery group box presents 2 selections: Standard Recovery (500 ms) or Accelerated Recovery (200 ms) for the switch activated as the Redundancy Manager.
Select the accelerated recovery 200 ms radio button.

Step 7: Disable VLAN Assignments on ring ports
Assuming no VLAN is required, set VLAN ID 0 in VLAN area.

Step 8: Validation of the configuration
Click on Set button for configuration changes.


Step 9: Configuration saving
The modified configuration is only present in the switch #2 dynamic memory.
To preserve these changes in the event of a power cycle, the configuration must be saved:
Click on menu entry Basic Settings, then on Load/Save entry.
Select to Device radio button in Save area.
Then click on the Save button.

The configuration of switch #2 is now completed.

To configure the other switches, the procedure is the same as above except that the Redundancy Manager parameter must be set to Off and the Advanced Mode must be de-selected. A summary of the configuration is shown in the screenshot below:


4.3. Premium Hot-Standby PAC Station

This chapter describes the configuration from Unity Pro of the key parameters of the Premium Hot-Standby system. The configuration of an Ethernet ring dedicated to field devices is also illustrated.

4.3.1 Architecture

The figure below illustrates the redundant PAC architecture composed of Premium Hot-Standby PACs. This paragraph describes:

• how to configure a Premium Hot-Standby system
• how to implement the management of digital and analog I/Os
• how to manage 2 Ethernet rings using Ethernet ETY 5103 modules

[Figure: Redundant Premium Architecture. PAC A (IP 172.20.101.57, mask 255.255.0.0) and PAC B (IP 172.20.101.58, mask 255.255.0.0) joined by a Sync-link; second Ethernet modules at IP 172.20.104.5 and IP 172.20.104.6 (mask 255.255.0.0); JM Concept modules for Analog Output and Analog Input; ABE7 connection blocks for Digital Output and Digital Input; ring switches SW10, SW11 and SW12 (one labelled Manager); device addresses 172.20.104.10, 172.20.104.11, 172.20.104.21, 172.20.104.12, 172.20.104.20, 172.20.104.34 and 172.20.104.22.]


4.3.2. Hardware Configuration

The hardware setup used in this guide is illustrated below. It is composed of a Hot-Standby CPU, digital and analog I/O modules, and 2 Ethernet TSX ETY 5103 communication modules for the management of the control and field networks. At least one Ethernet ETY module is needed to allow Hot-Standby capability.

4.3.3. CPU Configuration

In Unity Pro, concerning the CPU, from the Configuration tab, the address range used for the application is defined (State of global address fields).


4.3.4. Hot-Standby Configuration

Also from the CPU, in the Hot-Standby tab, we set the Hot-Standby runtime parameters.

Monitored ETY module

As seen in the Design Chapter, at least one monitored ETY module is required in a Hot-Standby system.

In the Topological address of the monitored Ethernet module, choose an ETY module that will be declared as Monitored.

• Select Rack Slot 0.5


Logic Mismatch

This parameter defines the PAC mode if a program mismatch is detected between the Primary and the Standby.

• Select Offline

Non-Transfer Area

The non-transfer area cannot be defined by the user on a Premium Hot-Standby system. An area of 101 words is set by default (%MW0-%MW100). The words located in this area are not transferred to the Standby PAC.

4.3.5. Ethernet Modules – TSX ETY 5103

This part describes the ETY modules configuration to set up the communication with the SCADA system and the Ethernet devices.

Controller Ethernet Network

Only the IP configuration needs to be configured in order to set up the communication between the SCADA system and the ETY module. No specific service is required.

• IP Configuration
IP address: 172.20.101.57
Subnetwork mask: 255.255.0.0

The IP configuration is summarized on the screenshot on the next page.


Devices Ethernet Network

This module is dedicated to communicate with I/O Devices such as ATV71, TesysT, Advantys STB, Quantum, M340 and so on.

IO Scanning service is used to communicate between the controller and the devices.

The ETY module communicates with the I/O Devices via an Ethernet ring managed by MRP. The configuration of the ring is the same as the one described for the Control Network (see Chapter 4.2).


• IP Configuration
IP address: 172.20.104.5
Subnetwork mask: 255.255.0.0

• Module Utilities
The I/O Scanning service drives the communication between the module and the I/O devices.
From Module Utilities area, select Yes for IO Scanning.

IO Scanning

Set up of the I/O Scanning lines associated to I/O Devices:

- Switch SW10:
  ATV71: 172.20.104.10
  STB: 172.20.104.11
  ETG100: 172.20.104.12
- Switch SW11:
  ATV71: 172.20.104.20
  STB: 172.20.104.21
- Switch SW12:
  Quantum: 172.20.104.22
  M340: 172.20.104.34

The I/O Scanning configuration is presented on the screenshot on the next page.


4.3.6. Redundant Digital I/O

Redundant digital I/Os are implemented, as described in the Design chapter, using Telefast connection equipment (ABE7 ACC11 for inputs, ABE7 ACC10 for outputs).

Digital I/Os management does not require any specific configuration. Nevertheless, it is important to choose the proper output fallback mode according to the process.

For this STG, it has been decided to maintain the state the outputs had before the fault.


4.3.7. Redundant Analog I/O

Redundant analog I/Os are implemented, as described in the Design chapter, using JM Concept connection equipment.

This paragraph describes the analog I/Os and JM Concept modules configuration in order to set up redundant analog inputs and outputs.

Analog Input

The measurement input is a voltage signal +/-10V. The original signal is duplicated and converted to 0-10V by a JMC module and these 2 signals are connected to both PACs (Primary and Standby) via TSXAEY414 modules.

• TELIS 9000U2 (JMConcept) Configuration

Set the configuration switches according to the input signal type: Voltage 0-10V.

INPUT SWITCH                        1  2  3  4  5  6
Input 1 - Current                   ■  ■  □  □  □  □
Input 2 - Current                   ■  □  □  □  □  ■
Voltage input < 10V Thermocouple    □  ■  □  □  □  □
Voltage input > 10V                 ■  □  ■  □  □  □
PT100 - PT1000 - Ni100 - Ni1000     □  ■  □  □  ■  □
Sensor Power supply                 ■  ■  □  ■  □  □
Resistance                          ■  □  □  □  ■  □
Potentiometer                       □  ■  □  □  ■  □

• On the module, from the menu, and using the user guide, set the input signal type, then the output signal type.

ANALOG Input
Mode: 1 channel
Type: Voltage
Scale: +/-10V

ANALOG Output
Scale: 0-10V
Minimum Display: 0
Maximum Display: 10000
Decimal Point: « 00000 »
Minimum scale: 0
Maximum scale: 10000
Resolution: 1 Pt


• TSX AEY414 Configuration

In Unity Pro, from the TSXAEY414 module configuration tab, set a voltage input 0-10V.

• Select a 0..10V range on the channel 0
• Select a scale value of 0…10000

Analog Output

The output signal generated by the PAC via a TSXASY410 module is a 4..20mA current signal.

This type of signal is used because it is the only one accepted by the GK 3000 D1 communication interface for inputs. The signal is sent for outputs on the channel A or B according to the communication relays.

The set up of the commutation relays is detailed in the Implementation chapter.


• TSX ASY410 Configuration

In Unity Pro, from the TSXASY410 module configuration tab, set a 4..20 mA output current.

• Select a 4..20mA range on the channel 0
• The signal has to be maintained on a fault, so de-select Fallback

The scale value is locked to 0-10000.

• GK 3000 D1 (JMConcept) Configuration

• On the module, from the menu, only the high and low limits of the input signal can be defined.


4.4. Quantum Hot-Standby PAC Station

4.4.1 Architecture

This chapter describes the configuration from Unity Pro of the key parameters of the Quantum Hot-Standby system. The configuration of an Ethernet ring dedicated to field devices and of the Profibus network is also illustrated.

As seen in the previous chapters, our architecture comprises a Quantum Hot-Standby system linked to:

• 2 Ethernet rings via NOE modules
• a Profibus network via a PTQ module
• a Remote I/O station


4.4.2. Hardware Configuration

The hardware setup used in this guide is illustrated below. It is composed of a Hot-Standby CPU and 2 Ethernet modules 140 NOE 771 11 for the management of the control and field networks. A 140 PTQ PDP MV1 module handles the Profibus network. The control of the Remote I/O station is performed by RIO Drop Head 140 CRP 931 00 and RIO Drop End communicator 140 CRA 931.00 modules.

4.4.3. CPU Configuration

In Unity Pro, from the Configuration tab, we define the address range used for the application (State RAM).

For a Hot-Standby application, it is recommended to check the “Online modification in RUN” option. This allows discrete or analog modules to be added or deleted, and parameters to be modified, while staying online.

Note: This option is supported only with a firmware version v2.0 ir12 or earlier for the CRP module and with a firmware version v2.0 ir6 or earlier for the CRA module.


The following screenshot sums up the CPU configuration:

4.4.4. Hot-Standby Configuration

In the Hot-Standby tab of the CPU configuration, we set the Hot-Standby runtime parameters.


CPUs Run Mode

In the Run Mode area, we define which PAC will be the Primary at the system power up. If the 2 PACs are declared “Online”, the PAC with the lower MAC address takes the Primary role.

• Controller A, select Online
• Controller B, select Online

Logic Mismatch

This parameter defines the PAC mode if a program mismatch is detected between the Primary and the Standby.

• Select Offline

Keypad

The Invalidate Keypad parameter allows inhibiting keypad commands sent from the Hot-Standby menu.

• Do not select the option

Swap Address

This parameter allows CPU memory swapping in case of a switchover.


Non-Transfer Area

This area is defined by the user. Words located in this area will not be transferred to the Standby PAC. This area is used for specific operations performed by the Primary that must not impact the Standby.

• For our application, we set a 2000 words zone from %MW100.

HSBY Configuration Options on RIO bus

The implementation of a Quantum Hot-Standby system implies the use of CRP modules. Therefore, if I/O devices over Ethernet are used, the No RIO drop option has to be selected.

Once a RIO drop is declared, the No RIO drop option is automatically grayed out.


4.4.5. RIO Configuration

It is important to set up the Drop hold up time parameter properly. This is the maximum time the RIO bus can be offline before triggering an exception event (1200 ms by default).

• In configuration part, right click on Remote IO Quantum Drop and select Open.


4.4.6. Ethernet Modules – 140 NOE 771 11

This part describes the NOE modules configuration to set up the communication with the SCADA system and the Ethernet devices.

Controller Ethernet Network

Only the IP configuration has to be set in order to set up the communication between the SCADA system and the NOE module. No specific service is required.

• IP Configuration
IP address: 172.20.101.10
Subnetwork mask: 255.255.0.0


Devices Ethernet Network

This module is dedicated to communicate with I/O devices such as ATV71, TesysT, Advantys STB, Quantum, M340 and so on.

The I/O scanning service is used for I/O device communication.

The NOE module communicates with the I/O devices via an Ethernet ring managed with MRP. The configuration of the ring is the same as the one described for the control network (see chapter 4.2).

IP Configuration
IP address: 172.20.104.1
Subnetwork mask: 255.255.0.0

Module Utilities
The I/O Scanning service drives the communication between the module and the I/O devices.
From Module Utilities area, select Yes for IO Scanning.


IO Scanning

Set up of the I/O Scanning lines associated with I/O devices:

- Switch SW10:
  ATV71: 172.20.104.10
  STB: 172.20.104.11
  ETG100: 172.20.104.12
- Switch SW11:
  ATV71: 172.20.104.20
  STB: 172.20.104.21
- Switch SW12:
  Quantum: 172.20.104.22
  M340: 172.20.104.34

A summary of the I/O Scanning configuration is presented on the following screenshot:


4.4.7. Profibus Module – 140 PTQ-PDPMV1

PTQ-PDPMV1 is a Profibus DP communication module. Its configuration is made through the Prosoft configuration software and transferred into the module via a serial or Ethernet link.

This software is used to configure the Profibus master/slaves and also to map the I/O variables. It also allows importing variables and structures associated with the project.

Prosoft Configuration Builder (PCB)

Creation of a new project:

• From PCB, click on File and select New
• Right click on Default Module and select Choose Module Type
• In Product Line Filter area, select PTQ
• Choose module type PTQ-PDPMV1
• Select Enable Hot-Standby
• Click on OK


PTQ Profibus Master DPV1 configuration

• From the PTQ module created, in the tree list, right click on PTQ Profibus Master DPV1 and select Configure.
• Type “7” in the text zone Slot Number. This value corresponds to the slot number in which the PTQ module is located on the Quantum rack.
• Mapping of Unity Pro I/O variables: We fill in the fields Output Start Register and Input Start Register with the address values used in Unity Pro:
  Input Start Register: 1025 (%IW) (size: 768)
  Output Start Register: 4097 (%MW) (size: 768)
• Ethernet port speed is set to 100MB/full-duplex.

Note: In our Hot-Standby configuration, we connect the 2 PTQ modules with an Ethernet cross cable. This link allows network and modules monitoring via a UDP mailer.


In the case of the PTQ modules linked using an Ethernet switch, the Duplex/Speed Code parameter must be set to Auto-negotiate.

In the case of the PTQ modules linked using an Ethernet crossover cable, the Duplex/Speed Code parameter must be set to 100Mb/full-duplex.


Profibus DP configuration

The following table describes the configuration of the Baud Rate and the Host Delay time of the bus.

Step 1: From Profibus DP, right click on Configure.
Step 2: Click on Configure Profibus button.
Step 3: From the Bus Configuration window, right click on the picture Master HSBY and select Object properties.


Step 4: From the tab PROFIBUS, after having configured the master address, configure the Baud Rate, Profile and Host Delay Time.
- Baud Rate: 1500kBit/sec (depending on the technology of the slaves configured on the bus)
- Profile: User defined
- Host Delay Time: 300ms
Click on OK.
Step 5: The setup is now complete.

Variables and Variable Structures export

From the PDPMV1 Profibus Master Setup window, the mapping of the variables can be displayed and export files of these variables can be created. This file has to be imported in Unity Pro later.

Step 1: In the Processor Network Memory Map area, click on Show Unity Map.


Step 2: From the Unity Memory Map window, click on Export Processor Files, and save the .xsy file in the directory of your choice.
Step 3: Close the windows Unity Memory Map and PDPMV1 Profibus Master Setup.

Loading of the Profibus configuration into the PTQ module

The serial port of the module is used to perform the transfer; the procedure is detailed in the table below:

Step 1: Right click on PTQ-PDPMV1-HSBY and select Download From PC to Device.


Step 2: Connect the serial cross cable on the PC and the PTQ module.
Step 3: Select the connection type (Ethernet or Serial).
Step 4: The transfer is performed only if the Quantum CPU is in Stop mode. Therefore, set the PAC in Stop mode using the keyboard on the CPU and click on DOWNLOAD.
Step 5: Once the transfer is complete in the first module, a message box prompts you to connect the cable on the second module. Click on OK when the cable is properly plugged.
Note: Set back the configured PAC in Run Mode and set the PAC to be configured in Stop mode (See step 4).


Step 6: The transfer is now complete. Click on OK.
Save and close the PCB application.

You can now import in Unity Pro the variables file (.xsy) you created with PCB.

4.5 Advantys STB Ethernet I/Os

It is necessary to set up the digital outputs in a redundant system when using Ethernet I/Os. During a switchover, outputs must maintain their current state.

The Holdup Time parameter is the time during which the outputs state is not modified during a switchover.

If, after this time, the outputs did not receive any commands, they assume the Fallback mode status previously defined by the user.

In our case, the Holdup Time is set to 5000ms (the setting can be made via the NIP module webserver).


5. Implementation

5.1. Premium PAC

This chapter describes the way to define a program for a Hot-Standby system with Unity Pro. We will then detail the implementation of the monitoring DFBs presented in the Design chapter. The finalization of the I/O devices implementation with Vijeo Citect will also be described in a last part.

This paragraph details the implementation of the monitoring elements in both Premium Primary and Standby sections as well as the switchover management. The management of redundant analog outputs is also described in a last paragraph.

5.1.1. Monitoring Elements in the Primary Section

Ethernet Control Ring Monitoring

The Ethernet Control Ring is managed by a TSX ETY5103 Ethernet communication module. The DFB ETY_Monitor, associated with the function READ_STS that reads the module status words, performs the monitoring of the Ethernet link.

The DFB and the function are both presented in the Design Chapter.

• DFB ETY_Monitor implementation

[Figure: DFB instance Prim_ETY_Ring_1 (ETY_Monitor) with function READ_STS. ETY_Monitor pins: BLK <- ETY1_State.BLK; MOD_ERROR <- ETY1_State.MOD_ERROR; COM_ETY5103 <-> ETY1; Monitoring_Rate <- 2; Pulse <- pulse; RateEt <-> Prim_ETY1_RateEt; Fault -> Prim_ETY1_Fault; Enable -> EN of READ_STS. READ_STS pins: EN, ENO, CH (ETY1_State).]

Step 1: Instantiate the READ_STS function.


Step 2: Create and connect the variable ETY1_State on the pin CH of the DFB.
Step 3: Instantiate the DFB ETY_Monitor under the name Prim_ETY_Ring_1.
Step 4: Create and connect the variable ETY1 on the pin COM_ETY5103 of the DFB.
Step 5: With the previously created structure ETY1_State, connect the bit ETY1_State.BLK on the pin BLK, and the ETY1_State.MOD_ERROR on the pin MOD_ERROR.
Step 6: On the Pulse pin, connect the variable pulse computed at the beginning of the primary section (see next paragraph). This pulse indicates each cycle beginning.
Step 7: For the pin named Monitoring Rate, enter the value “2”. This means that the local statistics are extracted by the READ_STS function every 2 cycles.
Step 8: Connect a variable Prim_ETY1_RateEt (INT) located in the non-transfer area, on the pins RateEt.
Step 9: The execution of the function READ_STS is performed at the rate defined by the Monitoring_Rate of the DFB.
Activate the execution option of the function READ_STS. Right click on the block and select Properties.
Tick the box Show EN/ENO. This enables a pin EN as input of the block and a pin ENO as output.


Step 10: On the pin EN, connect the output pin ENABLE of the DFB. This pin is updated at the Monitoring Rate.
Step 11: On the output pin Fault, connect the variable Prim_ETY1_Fault (bool) located in the non-transfer area. This one will be used for the fault synthesis.

Devices Ethernet Ring Monitoring

The Devices Ethernet Ring is also managed by a TSX ETY5103 Ethernet communication module. In the same manner as for the Ethernet Control Ring, the DFB ETY_Monitor performs the monitoring of the Ethernet link.

• DFB ETY_Monitor implementation

[Figure: DFB instance Prim_ETY_Devices (ETY_Monitor) with function READ_STS. ETY_Monitor pins: BLK <- ETY2_State.BLK; MOD_ERROR <- ETY2_State.MOD_ERROR; COM_ETY5103 <-> ETY1; Monitoring_Rate <- 2; Pulse <- pulse; RateEt: Prim_ETY1_RateEt (input side), Prim_ETY2_RateEt (output side); Fault -> Prim_ETY2_Fault; Enable -> EN of READ_STS. READ_STS pins: EN, ENO, CH (ETY2_State).]

Step 1: Instantiate the READ_STS function.
Step 2: Create and connect the variable ETY2_State on the pin CH of the DFB.
Step 3: Instantiate the DFB ETY_Monitor under the name Prim_ETY_Devices.
Step 4: Create and connect the variable ETY2 on the pin COM_ETY5103 of the DFB.
Step 5: With the previously created structure ETY2_State, connect the bit ETY2_State.BLK on the pin BLK, and the ETY2_State.MOD_ERROR on the pin MOD_ERROR.
Step 6: For the pin named Monitoring Rate, enter the value “2”.


Step 7: Connect a variable Prim_ETY2_RateEt (INT) located in the non-transfer area, on the pins RateEt.
Step 8: Activate the execution option of the function READ_STS. Right click on the block and select Properties.
Step 9: Tick the box Show EN/ENO.
Step 10: On the pin EN, connect the output pin ENABLE of the DFB. This pin is updated at the Monitoring Rate.
Step 11: On the output pin Fault, connect the variable Prim_ETY2_Fault (bool) located in the non-transfer area. This one will be used for the fault synthesis.

Monitoring Rate Pulse

[Figure: Monitoring Rate Pulse logic. Blocks: HSBY_ST (instance HSBY; outputs HSBY_CONF_OK, THIS_OFFLINE, THIS_PRIMARY, THIS_STANDBY, REMOTE_OFFLINE, REMOTE_PRIMARY, REMOTE_STANDBY, LOGIC_OK, THIS_ISA, THIS_ISB; variables THIS_OFF, THIS_PRY, THIS_SBY, REMT_OFF, REMT_PRY, REMT_SBY), R_TRIG (CLK, Q -> Pulse), INC, GT and MOVE operating on CycleNb.]

In order to control the ETY_Monitor block monitoring rate (execution of the READ_STS function), a pulse signal is implemented. This pulse signal is a trigger at the beginning of each program cycle. Therefore the monitoring rate varies accordingly with the cycle length of the application.


Fault Synthesis

The fault synthesis comprises 3 parts. First, a synthesis of the ETY modules faults is performed. Then the same operation is done with the SCY modules (in the next STG). Finally, a global faults synthesis is performed using a mask allowing the suppression of specific faults.

To implement this synthesis, we use the DFBs presented in the Design chapter: SYNTH_OR_ETY and SYNTH_FAULT.

[Figure: PRIM_ETY_FAULT_SYNTH (DFB SYNTH_OR_ETY): Prim_ETY1_Fault -> FLT_ETY_1, Prim_ETY2_Fault -> FLT_ETY_2, False -> FLT_ETY_3, output FAULT_ETY. PRIM_SYNTHESE_FAULT (DFB SYNTH_FAULT): FAULT_ETY -> Faulty_ETY, False -> Faulty_SCY, False -> Faulty_SCADA, 2#0000_1110_1110_1011 -> Fault_Mask, outputs Fault_Synth -> PRIM_SYNTH_FLT_PLC and Fault -> PRIM_FAULT_PLC.]

• Part 1: ETY Synthesis

Step 1: Instantiate the DFB SYNTH_OR_ETY under the name PRIM_ETY_FAULT_SYNTH.
Step 2: Connect the variable Prim_ETY1_Fault previously computed by the PRIM_ETY_Ring_1 DFB on the pin FLT_ETY_1.
Step 3: Connect the variable Prim_ETY2_Fault previously computed by the Prim_ETY_Devices DFB on the pin FLT_ETY_2.
Step 4: Connect a False variable (unlocated) on all the other pins.


• Part 2: FAULT Synthesis

Step 1: Instantiate the DFB SYNTH_FAULT under the name PRIM_SYNTHESE_FAULT.
Step 2: Link the input pin Fault_ETY to the output pin Fault_ETY of the PRIM_ETY_FAULT_SYNTH DFB.
Step 3: On the Fault_SCY pin, connect a False variable.
Step 4: On the Fault_Scada pin, connect a False variable. Our application does not include blocks dedicated to SCADA system monitoring.
Step 5: We now have to define which fault will initiate a switchover. The table below is used to “compose” the mask and define the monitoring filter to apply as an input of the DFB.

Bit      Elements                         Fault_Mask Definition
Bit 0    Battery fault                    1
Bit 1    Fault CPU                        1
Bit 2    General I/O Rack fault           0
Bit 3    Fault on slot 3                  1
Bit 4    Fault on slot 4                  1
Bit 5    Fault on slot 5                  0
Bit 6    Fault on slot 6                  1
Bit 7    Fault on slot 7                  1
Bit 8    Fault on slot 8                  0
Bit 9    Fault on slot 9                  1
Bit 10   Fault on slot 10                 1
Bit 11   Ethernet Adapter(s) ETY Fault    1
Bit 12   Modbus Adapter(s) SCY Fault      0
Bit 13   SCADA Fault                      0
Bit 14   -                                0
Bit 15   -                                0

The mask value to be set on the Fault_Mask pin is 2#0000111011011011.

Step 6: On the Fault_Synth_Plc pin, connect the variable PRIM_SYNTH_FLT_PLC located in the non-transfer area. This word represents the Primary configuration fault synthesis after the Fault_Mask filter. It will be used in the determination of the switchover.
Step 7: On the Fault pin, connect the variable PRIM_FAULT_PLC located in the non-transfer area. This boolean information indicates a fault detection after the Fault_Mask filter.
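The mask literal given under the table (2#0000111011011011) agrees with the bit table, while the literal shown on the Fault_Mask pin in the fault synthesis diagram (2#0000_1110_1110_1011) does not. The following added example, which is not part of the original guide, rebuilds the mask from the table and reports the bits on which the two literals disagree. It assumes that SYNTH_FAULT applies the mask as a bitwise AND in which 1 means the fault is taken into account; all function names are hypothetical.

```python
# Added example: rebuild the Fault_Mask word from the bit table of step 5 and
# compare it with the two literals printed in the guide.
# Assumption: the DFB filters the raw fault word with a bitwise AND (1 = kept).

# Bit table from step 5: bit number -> (element, Fault_Mask bit).
FAULT_MASK_TABLE = {
    0: ("Battery fault", 1),
    1: ("Fault CPU", 1),
    2: ("General I/O Rack fault", 0),
    3: ("Fault on slot 3", 1),
    4: ("Fault on slot 4", 1),
    5: ("Fault on slot 5", 0),
    6: ("Fault on slot 6", 1),
    7: ("Fault on slot 7", 1),
    8: ("Fault on slot 8", 0),
    9: ("Fault on slot 9", 1),
    10: ("Fault on slot 10", 1),
    11: ("Ethernet Adapter(s) ETY Fault", 1),
    12: ("Modbus Adapter(s) SCY Fault", 0),
    13: ("SCADA Fault", 0),
    14: ("-", 0),
    15: ("-", 0),
}

MASK_IN_TEXT = "2#0000111011011011"        # literal given under the table
MASK_IN_DIAGRAM = "2#0000_1110_1110_1011"  # literal on the Fault_Mask pin


def parse_base2_literal(literal):
    """Parse a 16-bit base-2 literal written as 2#..., underscores allowed."""
    base, sep, digits = literal.partition("#")
    digits = digits.replace("_", "")
    if base != "2" or not sep:
        raise ValueError("not a base-2 literal: %r" % literal)
    if len(digits) != 16 or set(digits) - {"0", "1"}:
        raise ValueError("expected 16 binary digits: %r" % literal)
    return int(digits, 2)


def compose_mask(table):
    """Build the 16-bit mask word from a {bit: (element, 0 or 1)} table."""
    if sorted(table) != list(range(16)):
        raise ValueError("table must define bits 0 to 15 exactly once")
    mask = 0
    for bit, (_element, enabled) in table.items():
        if enabled not in (0, 1):
            raise ValueError("mask bit %d must be 0 or 1" % bit)
        mask |= enabled << bit
    return mask


def apply_mask(fault_word, mask):
    """Return (filtered word, fault flag) under the bitwise-AND assumption."""
    filtered = fault_word & mask & 0xFFFF
    return filtered, filtered != 0


def differing_bits(mask_a, mask_b):
    """List the bit numbers on which two mask words disagree."""
    return [bit for bit in range(16) if ((mask_a ^ mask_b) >> bit) & 1]


def audit():
    """Compare both printed literals with the mask derived from the table."""
    expected = compose_mask(FAULT_MASK_TABLE)
    report = {}
    for label, literal in (("text", MASK_IN_TEXT), ("diagram", MASK_IN_DIAGRAM)):
        value = parse_base2_literal(literal)
        report[label] = [(bit, FAULT_MASK_TABLE[bit][0])
                         for bit in differing_bits(expected, value)]
    return expected, report


if __name__ == "__main__":
    expected, report = audit()
    print("mask from table: 2#{:016b} (16#{:04X})".format(expected, expected))
    for label, diffs in report.items():
        print(label, "literal:", "matches the table" if not diffs else diffs)
    # Constructed sample: raw fault word with only "Fault on slot 5" raised.
    print("slot 5 fault with table mask:", apply_mask(1 << 5, expected))
```

With the diagram literal, a fault on slot 5 would set the Fault output and a fault on slot 4 would be ignored, which is the opposite of what the table specifies.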


5.1.2. Monitoring Elements in the Standby Section

In this section, which is the only one executed by the Standby PAC, we find the same elements as for the Primary section.

ETY_Monitor DFB implementation

• DFB ETY_Monitor implementation

[Figure: DFB instance Stby_ETY_Ring_1 (ETY_Monitor) with function READ_STS. ETY_Monitor pins: BLK <- ETY1_State.BLK; MOD_ERROR <- ETY1_State.MOD_ERROR; COM_ETY5103 <-> ETY1; Monitoring_Rate <- 2; Pulse <- pulse; RateEt <-> Stby_ETY1_RateEt; Fault -> Stby_ETY1_Fault; Enable -> EN of READ_STS. READ_STS pins: EN, ENO, CH (ETY1_State).]

Step 1: Instantiate the READ_STS function.
Step 2: Connect the previously created variable ETY1_State on the CH pin of the DFB.
Step 3: Instantiate the DFB ETY_Monitor under the name Stby_ETY_Ring_1.
Step 4: Connect the previously created variable ETY1 on the COM_ETY5103 pin of the DFB.
Step 5: With the previously created structure ETY1_State, connect the bit ETY1_State.BLK on the pin BLK, and the ETY1_State.MOD_ERROR on the pin MOD_ERROR.
Step 6: For the pin named Monitoring Rate, enter the value “2”.
Step 7: Connect a variable Stby_ETY1_RateEt (INT) located in the non-transfer area, on the pins RateEt.
Step 8: Activate the execution option of the function READ_STS. Right click on the block and select Properties.
Step 9: Select the box Show EN/ENO.
Step 10: On the pin EN, connect the output pin ENABLE of the DFB.
Step 11: On the output pin Fault, connect the variable Stby_ETY1_Fault (bool) located in the non-transfer area. This one will be used for the fault synthesis.


12. To verify that only the Standby PAC executes the Stby_ETY_Ring_1 DFB, add a condition on its execution. Right click on the block and select Properties.
13. Select the box Show EN/ENO. This enables a pin EN as input of the DFB and a pin ENO as output.
14. On the pin EN, connect the bit 0 of the status register %SW61. This bit indicates whether the PAC is Primary or Standby (see the Design chapter).

Devices Ethernet Ring Monitoring

• DFB ETY_Monitor implementation

[Figure: READ_STS block (CH = ETY2_State, EN driven by the Enable output of the DFB) and the Stby_ETY_Devices instance of ETY_Monitor, with BLK = ETY2_State.BLK, MOD_ERROR = ETY2_State.MOD_ERROR, COM_ETY5103 = ETY1, Monitoring_Rate = 2, Pulse = pulse, RateEt input = Stby_ETY1_RateEt, RateEt output = Stby_ETY2_RateEt, and output Fault = Stby_ETY2_Fault.]


Step / Action
1. Instantiate the READ_STS function.
2. Connect the previously created variable ETY2_State on the pin CH of the DFB.
3. Instantiate the DFB ETY_Monitor under the name Stby_ETY_Devices.
4. Create and connect the previously created variable ETY2 on the pin COM_ETY5103 of the DFB.
5. With the previously created structure ETY2_State, connect the bit ETY2_State.BLK on the pin BLK, and the ETY2_State.MOD_ERROR on the pin MOD_ERROR.
6. For the pin named Monitoring Rate, enter the value “2”.
7. Connect a variable Stby_ETY2_RateEt (INT) located in the non-transfer area on the pins RateEt.
8. Activate the execution option of the function READ_STS. Right click on the block and select Properties.
9. Select the box Show EN/ENO.
10. On the pin EN, connect the output pin ENABLE of the DFB.
11. On the output pin Fault, connect the variable Stby_ETY1_Fault (bool) located in the non-transfer area. It will be used for the fault synthesis.
12. To verify that only the Standby PAC executes the Stby_ETY_Devices DFB, add a condition on its execution. Right click on the block and select Properties.
13. Select the box Show EN/ENO.
14. On the pin EN, connect the bit 0 of the status register %SW61.


Fault Synthesis

The fault synthesis comprises 3 parts. Initially, a synthesis of the ETY modules faults is performed. Next, the same operation is performed with the SCY modules. This will be developed in a following release of the STG. Finally, a global events synthesis is performed using a mask that allows specific faults to be suppressed.

To implement this synthesis, we use the DFBs presented in the Design Chapter: SYNTH_OR_ETY and SYNTH_FAULT.

[Figure: STBY_ETY_FAULT_SYNTH (SYNTH_OR_ETY) with Stby_ETY1_Fault on FLT_ETY_1, Stby_ETY2_Fault on FLT_ETY_2 and False on FLT_ETY_3; its FAULT_ETY output feeds the Faulty_ETY input of STBY_SYNTHESE_FAULT (SYNTH_FAULT), which has False on Faulty_SCY and Faulty_SCADA, 2#0000_1110_1110_1011 on Fault_Mask, and outputs Fault_Synth to Stby_SYNTH_FLT_PLC and Fault to Stby_FAULT_PLC.]

• Part 1: ETY Synthesis

Step / Action
1. Instantiate the DFB SYNTH_OR_ETY under the name STBY_ETY_FAULT_SYNTH.
2. Connect the variable Stby_ETY1_Fault previously computed by the STBY_ETY_Ring_1 DFB on the pin FLT_ETY_1.
3. Connect the variable Prim_ETY2_Fault previously computed by the Stby_ETY_Devices DFB on the pin FLT_ETY_2.
4. Connect a False variable (unlocated) on all the other pins.


• Part 2: FAULT Synthesis

Step / Action
1. Instantiate the DFB SYNTH_FAULT under the name STBY_SYNTHESE_FAULT.
2. Link the input pin Fault_ETY to the output pin Fault_ETY of the STBY_ETY_FAULT_SYNTH DFB.
3. On the Fault_SCY pin, connect a False variable.
4. On the Fault_Scada pin, connect a False variable. Our application does not include blocks dedicated to SCADA system monitoring.
5. Set the Fault_Mask value with the same value as for the Primary section, which is 2#0000111011011011.
6. On the Fault_Synth_Plc pin, connect the variable STBY_SYNTH_FLT_PLC located in non-transfer area.
7. On the Fault pin, connect the variable STBY_FAULT_PLC located in non-transfer area. This boolean information indicates a fault detection after the Fault_Mask filter.

5.1.3. Switchover Management

Once the monitoring DFB is implemented and the fault synthesis is computed in the Primary and Standby sections, it is necessary to process the obtained data and to set the switchover management rules.

To set the management rules, we use the DFB Switch_Manag previously described in the Design chapter. This DFB is instantiated in the Primary section.


• DFB Switch_Manag implementation

[Figure: HSBY_SWITCH instance of SWITCH_MANAG, with PRIM_SYNTH_FLT_PLC on PRIM_DIAG, STBY_SYNTH_FLT_PLC on STBY_DIAG, Switch_Nb_Reset on SWITCH_NB_Reset, Force_Switchover on FORCE, and output SWITCH_NB to Switch_Nb.]

Step / Action
1. Instantiate the DFB SWITCH_MANAG under the name HSBY_SWITCH.
2. Connect the variable PRIM_SYNTH_FLT_PLC (Primary PAC Fault synthesis) on the pin PRIM_DIAG.
3. Connect the variable STBY_SYNTH_FLT_PLC (Standby PAC Fault synthesis) on the pin STBY_DIAG.
4. Connect a variable Switch_Nb_Reset, located in the non-transfer area, on the Switch_Nb_Reset pin.
5. Connect a variable Force_Switchover on the pin FORCE.
6. On the output pin Switch_NB, connect a variable Switch_NB located in non-transfer area.

The Ethernet redundant links management of the Premium Hot-Standby system is now complete.


5.1.4. Redundancy Analog output Management

In the Primary section, it is necessary to implement the code that handles the switchover of the analog signals communication interface.

The principle is to drive the communication interface in order to set, as output, the signal coming from the Primary PAC.

The implementation is performed with the HSBY_ST_P block that provides the status of the Hot-Standby system. It is then possible to compute which PAC is the Primary (THIS_ISA or THIS_ISB). Then, depending on the result, the Primary PAC controls either relay A or B.

Step / Action
1. Instantiate the DFB HSBY_ST_P under the name HSBY_ST2.
2. Instantiate a first AND block. Link the pins THIS_ISA and THIS_PRIM of the HSBY_ST2 block.
3. Instantiate a second AND block. Link the pins THIS_ISB and THIS_PRIM of the HSBY_ST2 block.
4. Instantiate a RS block under the name CMD_RELAY_A.
   Link the output of the first AND block on the input pin S.
   Link the output of the second AND block on the input pin R1.
5. Instantiate a RS block under the name CMD_RELAY_B.
   Link the output of the first AND block on the input pin R1.
   Link the output of the second AND block on the input pin S.
6. Connect a PAC digital output with the name JMC_GK_CH_A on the output pin Q1 of the block CMD_RELAY_A.
7. Connect a PAC digital output with the name JMC_GK_CH_B on the output pin Q1 of the block CMD_RELAY_B.

The diagram of the HSBY_ST_P block is presented on the next page.


[Figure: HSBY_ST2 instance of HSBY_ST_P, with pins HSBY_Active, THIS_ISA, THIS_ISB, THIS_OFF, THIS_PRI, THIS_Sby, REMT_UNDEF, REMT_OFF, REMT_PRI, REMT_SBY, LOGIC_OK, CPU_Sync, Link_OK, CPU_OS_OK, Copro_OS_OK, ETY_minVersion and Mon_ETY_OS_OK. Two AND blocks drive the S and R1 inputs of the RS blocks CMD_RELAY_A (Q1 to JMC_GK_CH_A) and CMD_RELAY_B (Q1 to JMC_GK_CH_B).]


5.2. Quantum PAC

This sub-section details the implementation of the monitoring elements in both Quantum Primary and Standby sections as well as the switchover management.

5.2.1. Monitoring Elements in the Primary Section

Ethernet Control Ring Monitoring

The Ethernet control ring is managed by a 140 NOE 771 11 Ethernet communication module. The DFB NOE_Monitor, using the variables structure NOE_Monit, performs the monitoring of the Ethernet link.

The DFB and the variables structure are both presented in the Design chapter.


NOE_Monitor DFB implementation

[Figure: PRIM_NOE_RING1 instance of the NOE_Monitor DFB. Its pins (MSTR_ACTIVE, MSTR_DONE, MSTR_ERROR, RateEt, Error_Count, MSTR_Control, MSTR_DataBuf, Data_TCP, LED_APPL, LED_LINK, LED_RUN, NOE_Failure, CFG_PORT, ETH_100M, OPTICFIB, FULL_DUP, FAULT, EQUP_TYP, IP_AD_1 to IP_AD_4, MAC_ADD_1 to MAC_ADD_6) are wired to the members of the PRIM_NOE_CTRL structure. Constant inputs: Slot = 4, MonitoringRate = 2, Retries = 2; Pulse is wired to the Pulse pin.]

Step / Action
1. Instantiate the DFB NOE_Monitor under the name PRIM_NOE_RING_1.
2. Instantiate the variables structure NOE_Monit under the name PRIM_NOE_CTRL.
3. Connect the variables of the structure on the DFB pins.
4. For the pin named Slot, enter the value “4”. This corresponds to the NOE module slot number in the hardware configuration.
5. On the Pulse pin, connect the variable pulse computed at the beginning of the primary section (see next paragraph). This pulse indicates each cycle beginning.
   For the pin named Monitoring Rate, enter the value “2”. This means that the rate at which the local statistics are extracted from the MBP_MSTR function is every 2 cycles.


6. For the pin named Retries, enter the value “2”. This corresponds to the maximum number of unsuccessful attempts to extract the local statistics from the MBP_MSTR before issuing an exception response.

Devices Ethernet Ring Monitoring

The devices Ethernet ring is also managed by a 140 NOE 771 11 Ethernet communication module. In the same manner as for the Ethernet control ring, the DFB NOE_Monitor, using the variables structure NOE_Monit, performs the monitoring of the Ethernet link.

• DFB NOE_Monitor implementation

[Figure: PRIM_NOE_DEV instance of the NOE_Monitor DFB, with its pins wired to the members of the PRIM_NOE_DEVICES structure. Constant inputs: Slot = 6, MonitoringRate = 2, Retries = 2; Pulse is wired to the Pulse pin.]

Step / Action
1. Instantiate the DFB NOE_Monitor under the name PRIM_NOE_DEV.
2. Instantiate the variables structure NOE_Monit under the name PRIM_NOE_DEVICES located in the non-transfer area.


3. Connect the variables from the structure on the DFB pins.
4. For the pin named Slot, enter the value “6”.
5. For the pin named Monitoring Rate, enter the value “2”.
6. For the pin named Retries, enter the value “2”.

To manage the Hot-Standby system, the FAULT output of this DFB is used as an input in the Fault synthesis. This operation is described further.

Monitoring Rate Pulse

[Figure: pulse generation logic built from the HSBY_ST block (HSBY_CONF_OK, THIS_OFF, THIS_PRY, THIS_SBY, REMT_OFF, REMT_PRY, REMT_SBY, LOGIC_OK, THIS_ISA, THIS_ISB) and R_TRIG, INC, GT and MOVE blocks operating on the CycleNb variable and producing Pulse.]

In order to control the NOE_Monitor block monitoring rate (execution of the MBP_MSTR function), a pulse signal is implemented. This pulse signal is a trigger at the beginning of each program cycle. Therefore the monitoring rate varies accordingly with the cycle length of the application.

Profibus Fieldbus Monitoring

The Profibus network is managed by a PTQ PDP MV1 communication module. The monitoring of the fieldbus is performed using the DFB PTQ_Monitor described in the Design Chapter.

• DFB PTQ_Monitor implementation

[Figure: PTQ_PRIMARY instance of PTQ_Monitor. Inputs: Fault_Timeout = t#300ms; Master_Status, Master_Operating_State, Active_Status, Active_NbSlave, Passive_Status, Passive_NbSlave, PassiveP_Status_UDP and Passive_NbSlave_UDP, wired to the ModuleStatus_* members of the PTQPDPMV1HSBY_StatIn structure. Outputs (BOOL): PTQ_FAULT (General PTQ fault), Faulty_Active (Active PTQ fault), Faulty_Passive (Passive PTQ fault), Faulty_Passive_UDP (Passive PTQ fault via UDP).]


Step / Action
1. Instantiate the DFB PTQ_Monitor under the name PTQ_Primary.
2. Connect the variables coming from the PTQPDPMV1HSBY_StatIn structure on the input pins. This structure is imported during the PTQ module configuration.
3. For the pin Fault_Timeout enter a “Time” formatted value, for our application, 300ms. This value is the time length after which the module will declare a PTQ_FAULT in response to an exception.
4. For the output pins, connect the variables PTQ_FAULT, Prim_PTQ_Fault, Stby_PTQ_Fault and UDP_PTQ_Fault located in the non-transfer area.

To manage the Hot-Standby system, the PTQ_FAULT output of this DFB is used as an input in the Fault synthesis during the switchover determination. The Stby_PTQ_Fault is used in the Fault synthesis in the Standby section.

Fault Synthesis

The fault synthesis comprises 3 parts. First, a synthesis of the NOE modules faults is performed. Then, the same operation is done with the PTQ modules. Finally, a global faults synthesis is performed using a mask that allows specific faults to be inhibited.

To implement this synthesis, we use the DFBs presented in the Design Chapter: SYNTH_OR_PTQ, SYNTH_OR_NOE and SYNTH_FAULT.

[Figure: PRIM_NOE_FAULT_SYNTH (SYNTH_OR_NOE) with PRIM_NOE_CTRL_Fault on FLT_NOE_1, PRIM_NOE_DEVICES_Fault on FLT_NOE_2 and False on FLT_NOE_3 to FLT_NOE_6; PRIM_PTQ_FAULT_SYNTH (SYNTH_OR_PTQ) with PTQ_Fault on FLT_PTQ_1 and False on FLT_PTQ_2 to FLT_PTQ_6; both feed PRIM_SYNTH_FAULT (SYNTH_FAULT) on Faulty_NOE and Faulty_PTQ, with False on Faulty_SCADA, 2#0001_1100_1101_1111 on Fault_Mask, and outputs Fault_Synth to PRIM_SYNTH_FLT_PLC and Fault to PRIM_FAULT_PLC.]


• Part 1: NOE Synthesis

Step / Action
1. Instantiate the DFB SYNTH_OR_NOE under the name PRIM_NOE_FAULT_SYNTH.
2. Connect the variable PRIM_NOE_CTRL_FAULT previously computed by the PRIM_NOE_RING1 DFB on the pin FLT_NOE_1.
3. Connect the variable PRIM_NOE_DEVICES_FAULT previously computed by the PRIM_NOE_DEV DFB on the pin FLT_NOE_2.
4. Connect a False variable (unlocated) on all the other pins.

• Part 2: PTQ Synthesis

Step / Action
1. Instantiate the DFB SYNTH_OR_PTQ under the name PRIM_PTQ_FAULT_SYNTH.
2. On the FLT_PTQ_1 pin, connect the variable PTQ_FAULT previously computed by the PTQ_PRIMARY DFB.
3. Connect a False variable (unlocated) on all the other pins.

• Part 3: FAULT Synthesis

Step / Action
1. Instantiate the DFB SYNTH_FAULT under the name PRIM_SYNTH_FAULT.
2. Link the input pin Fault_NOE to the output pin Fault_NOE of the PRIM_NOE_FAULT_SYNTH DFB.
3. Link the input pin Fault_PTQ to the output pin Fault_PTQ of the PRIM_PTQ_FAULT_SYNTH DFB.
4. On the Fault_Scada pin, connect a False variable. Our application does not include blocks dedicated to SCADA system monitoring.


5. We now have to define which event will initiate a switchover. The table below is used to “compose” the mask and define the monitoring filter to apply as an input of the DFB.

   Bit      Elements                         Fault_Mask Definition
   Bit 0    Battery fault                    1
   Bit 1    Fault CPU                        1
   Bit 2    General I/O Rack fault           1
   Bit 3    Fault on slot 3                  1
   Bit 4    Fault on slot 4                  1
   Bit 5    Fault on slot 5                  0
   Bit 6    Fault on slot 6                  1
   Bit 7    Fault on slot 7                  1
   Bit 8    Fault on slot 8                  0
   Bit 9    Fault on slot 9                  1
   Bit 10   Fault on slot 10                 1
   Bit 11   Ethernet Adapter(s) NOE Fault    1
   Bit 12   Profibus DP Adapter(s) Fault     0
   Bit 13   SCADA Fault                      0
   Bit 14   -                                0
   Bit 15   -                                0

   The mask value to be set on the Fault_Mask pin is 2#0001110011011111.
6. On the Fault_Synth_Plc pin, connect the variable PRIM_SYNTH_FLT_PLC located in non-transfer area. This word represents the Primary configuration fault synthesis after the Fault_Mask filter. It will be used in the determination of the switchover.
7. On the Fault pin, connect the variable PRIM_FAULT_PLC located in non-transfer area. This boolean information indicates a fault detection after the Fault_Mask filter.
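
The check below is an added example, not code from this guide or from Schneider Electric. It composes the Fault_Mask word from the Fault_Mask column of the Premium and Quantum Primary-section bit tables, compares it with the literal stated under each table, and lists every bit where the two disagree. The AND-style filter in apply_mask is an assumption about SYNTH_FAULT, whose internals are described in the Design chapter and not shown here; all function names are hypothetical.

```python
"""Compose a 16-bit Fault_Mask from a bit table and audit it against a literal."""

# Element names as listed in the Fault_Mask tables (bits 0 to 10 are shared).
_COMMON = (["Battery fault", "Fault CPU", "General I/O Rack fault"]
           + [f"Fault on slot {n}" for n in range(3, 11)])
PREMIUM_ELEMENTS = _COMMON + ["Ethernet Adapter(s) ETY Fault",
                              "Modbus Adapter(s) SCY Fault", "SCADA Fault", "-", "-"]
QUANTUM_ELEMENTS = _COMMON + ["Ethernet Adapter(s) NOE Fault",
                              "Profibus DP Adapter(s) Fault", "SCADA Fault", "-", "-"]

# Fault_Mask column of each table (bit 0 first) and the literal stated under it.
PREMIUM_COLUMN = [1, 1, 0, 1, 1, 0, 1, 1, 0, 1, 1, 1, 0, 0, 0, 0]
PREMIUM_LITERAL = "2#0000111011011011"
QUANTUM_COLUMN = [1, 1, 1, 1, 1, 0, 1, 1, 0, 1, 1, 1, 0, 0, 0, 0]
QUANTUM_LITERAL = "2#0001110011011111"


def parse_literal(text):
    """Parse a base-2 literal such as 2#0000_1110_1101_1011 into an int."""
    base, sep, digits = text.strip().partition("#")
    digits = digits.replace("_", "")
    if base != "2" or not sep or len(digits) != 16 or set(digits) - {"0", "1"}:
        raise ValueError(f"not a 16-bit base-2 literal: {text!r}")
    return int(digits, 2)


def compose(column):
    """Build the mask word from a table column given with bit 0 first."""
    if len(column) != 16 or any(v not in (0, 1) for v in column):
        raise ValueError("column must hold sixteen 0/1 values")
    return sum(v << bit for bit, v in enumerate(column))


def to_literal(value):
    """Render a word as a base-2 literal, most significant bit first."""
    return "2#" + format(value & 0xFFFF, "016b")


def audit(column, literal, elements):
    """Return (bit, element, table_value, literal_value) for each mismatch."""
    compose(column)  # validates the column
    stated = parse_literal(literal)
    return [(bit, elements[bit], column[bit], (stated >> bit) & 1)
            for bit in range(16) if column[bit] != (stated >> bit) & 1]


def apply_mask(fault_word, mask):
    """ASSUMPTION: the filter is a bitwise AND and Fault is 'any bit left'."""
    synth = fault_word & mask & 0xFFFF
    return synth, synth != 0


def monitored(column, elements):
    """Names of the elements whose faults pass the filter (mask bit = 1)."""
    return [elements[bit] for bit in range(16) if column[bit]]


if __name__ == "__main__":
    tables = (("Premium", PREMIUM_COLUMN, PREMIUM_LITERAL, PREMIUM_ELEMENTS),
              ("Quantum", QUANTUM_COLUMN, QUANTUM_LITERAL, QUANTUM_ELEMENTS))
    for name, column, literal, elements in tables:
        print(f"{name}: table gives {to_literal(compose(column))}, stated {literal}")
        for bit, element, table_value, literal_value in audit(column, literal, elements):
            print(f"  bit {bit} ({element}): table={table_value} literal={literal_value}")
```

Run on the rows as they appear in this guide, the Premium table reproduces its literal, while the Quantum table and its literal differ at bits 9 and 12; resolve that against the project file before setting the Fault_Mask pin.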


5.2.2. Monitoring Elements in the Standby Section

In this section, which is the only one executed by the Standby PAC, we find the same elements as for the Primary Section except for the DFB in charge of the PTQ module monitoring. Indeed, the PTQ module is active only if the PAC on which it is installed is the Primary. Therefore, during the Standby Section fault synthesis, we use the passive module status information computed from the PTQ_Monitor DFB in the Primary section.

Controller Ethernet Ring Monitoring

• DFB NOE_Monitor implementation

[Figure: STBY_NOE_RING1 instance of the NOE_Monitor DFB, with its pins wired to the members of the STBY_NOE_CTRL structure. Constant inputs: Slot = 4, MonitoringRate = 2, Retries = 2; Pulse is wired to the Pulse pin.]

Step / Action
1. Instantiate the DFB NOE_Monitor under the name STDBY_NOE_RING_1.
2. Instantiate a new structure NOE_Monit under the name STBY_NOE_CTRL.
3. Connect the structure variables on the pins of the DFB.
4. On the pin Slot, enter the value “4” (position of the NOE module on the rack).


5. On the pin Monitoring Rate, enter the value “2”.
6. On the pin Retries, enter the value “2”.
7. To verify that only the Standby PAC executes this block, we add a condition on its execution. Right click on the block and select Properties.
8. Select the box Show EN/ENO. This enables a pin EN as input of the DFB and a pin ENO as output.
9. On the pin EN, connect the bit 0 of the status register %SW61. This bit indicates whether the PAC is Primary or Standby (see the Design chapter).


Devices Ethernet Ring Monitoring

• DFB NOE_Monitor implementation

[Figure: STBY_NOE_DEV instance of the NOE_Monitor DFB, with its pins wired to the members of the STBY_NOE_DEVICES structure. Constant inputs: Slot = 6, MonitoringRate = 2, Retries = 2; Pulse is wired to the Pulse pin.]

Step / Action
1. Instantiate the DFB NOE_Monitor under the name STDBY_NOE_DEV.
2. Instantiate a new structure NOE_Monit under the name STBY_NOE_DEVICES located in the non-transfer area.
3. Connect the structure variables on the pins of the DFB.
4. On the pin Slot, enter the value “6”.
5. On the pin Monitoring Rate, enter the value “2”.
6. On the pin Retries, enter the value “2”.
7. Repeat the preceding steps for the block execution and connect the bit 0 of the status register %SW61 on the pin EN.

As for the Primary Section, the FAULT output of this DFB is used as an input in the Fault synthesis.


Fault Synthesis

[Figure: STBY_NOE_FAULT_SYNTH (SYNTH_OR_NOE) with PRIM_NOE_CTRL_Fault on FLT_NOE_1, PRIM_NOE_DEVICES_Fault on FLT_NOE_2 and False on FLT_NOE_3 to FLT_NOE_6; STBY_PTQ_FAULT_SYNTH (SYNTH_OR_PTQ) with STBY_PTQ_Fault on FLT_PTQ_1 and False on FLT_PTQ_2 to FLT_PTQ_6; both feed STBY_SYNTH_FAULT (SYNTH_FAULT) on Faulty_NOE and Faulty_PTQ, with False on Faulty_SCADA, 2#0001_1100_1101_1111 on Fault_Mask, and outputs Fault_Synth to STBY_SYNTH_FLT_PLC and Fault to STBY_FAULT_PLC.]

• Part 1: NOE Synthesis

Step / Action
1. Instantiate the DFB SYNTH_OR_NOE under the name STDBY_NOE_FAULT_SYNTH.
2. On the pin FLT_NOE_1, connect the variable STBY_NOE_CTRL_FAULT previously computed by the DFB STBY_NOE_RING1.
3. On the pin FLT_NOE_2, connect the variable STBY_NOE_DEVICES_FAULT previously computed by the DFB STBY_NOE_DEV.
4. Connect a False variable (unlocated) on all the other pins.

• Part 2: PTQ Synthesis

Step / Action
1. Instantiate the DFB SYNTH_OR_PTQ under the name STDBY_PTQ_FAULT_SYNTH.
2. On the pin FLT_PTQ_1, connect the variable Stby_PTQ_Fault previously computed by the DFB PTQ_PRIMARY in the Primary section.
3. Connect a False variable on all the other pins.


• Part 3: FAULT Synthesis

Step / Action
1. Instantiate the DFB SYNTH_FAULT under the name STDBY_SYNTH_FAULT.
2. Link the input pin Fault_NOE to the output pin Fault_NOE of the DFB STDBY_NOE_FAULT_SYNTH.
3. Link the input pin Fault_PTQ to the output pin Fault_PTQ of the DFB STDBY_PTQ_FAULT_SYNTH.
4. On the Fault_Scada pin, connect a False variable. Our application does not include blocks dedicated to SCADA system monitoring.
5. Set the Fault_Mask value with the same value as for the Primary section, which is 2#0001110011011111.
6. On the Fault_Synth_Plc output pin, connect the variable STBY_SYNTH_FLT_PLC. This word represents the Standby configuration fault synthesis after the Fault_Mask filter. It will be used in the determination of the switchover. Therefore, this variable is located on the reverse register %SW62 that allows writing from Standby to Primary.
7. On the Fault pin, connect the variable STBY_FAULT_PLC located in non-transfer area. This boolean information indicates a fault detection after the Fault_Mask filter.
8. For each of these blocks, activate the execution option and connect the bit 0 of the status register %SW61 on the pin EN.


5.2.3. Switchover Management

Once the monitoring DFB is implemented and the fault synthesis is computed in the Primary and Standby sections, it is necessary to process the obtained data and to set the switchover management rules.

To set the management rules, we use the DFB Switch_Manag previously described in the Design chapter. This DFB is instantiated in the Primary section.

• DFB Switch_Manag implementation

[Figure: HSBY_SWITCH instance of SWITCH_MANAG, with PRIM_SYNTH_FLT_PLC on PRIM_DIAG, STBY_SYNTH_FLT_PLC on STBY_DIAG, Switch_Nb_Reset on SWITCH_NB_Reset, Force_Switchover on FORCE, and output SWITCH_NB to Switch_Nb.]

Step / Action
1. Instantiate the DFB SWITCH_MANAG under the name HSBY_SWITCH.
2. Connect the variable PRIM_SYNTH_FLT_PLC (Primary PAC Fault synthesis) on the pin PRIM_DIAG.
3. Connect the variable STBY_SYNTH_FLT_PLC (Standby PAC Fault synthesis) on the pin STBY_DIAG.
4. Connect a variable Switch_Nb_Reset, located in the non-transfer area, on the Switch_Nb_Reset pin.
5. Connect a variable Force_Switchover on the pin FORCE.
6. On the output pin Switch_NB, connect a variable Switch_NB located in non-transfer area.

The Ethernet and Profibus redundant links management of the Quantum Hot-Standby system is now complete.


5.3. Conclusion

The implementation of all the elements for the Hot-Standby system is now complete. The system is ready to be used and tested with the provided Vijeo Citect application. This application enables monitoring of the status of the PAC station and the Vijeo Citect servers.

[Figure: Vijeo Citect monitoring screen with the callouts “In Green, the Primary PAC”, “In White, the Standby PAC”, “Counter incremented every second to monitor the system activity” and “Name of the active I/O Server”.]


6. Performance

Once the systems are configured and implemented, performance tests are performed on both architectures (Premium and Quantum) in order to measure the actual switchover times.

To test a wide range of cases that could be encountered in industry, different operating exceptions have been simulated.

6.1. Performance test protocols

The tests have been performed at two different layers of the system architecture:
• between PAC and field device (test 1)
• between SCADA Server and PAC (test 2)

6.1.1. PAC – field device

To measure the performance of the system when an event occurs between the PAC and a field device, different tests have been performed:
• Stop CPU
• Crash CPU
• CRP fault (for Quantum only)
• Broken Ethernet link (Control network)
  The Ethernet cable is unplugged between the switch SW3 and the PAC A.
• Broken Ethernet link (Device network)
  The Ethernet cable is unplugged between the PAC A and the Advantys STB island with IP address 172.20.104.11.

The system is designed to initiate a switchover in each of these cases, so the parameter measured is the switchover time, defined as the time between the start of the simulated event and the moment the system becomes operational again.

The criterion to declare the system operational is that a communication is established between the PAC and the STB Island with IP address 172.20.104.11.

2 sets of parameters (scan time and volume of data) are used in order to quantify the performance with different loads of the system:
• Scan time 40ms – Data exchanged 130 kb for Quantum and 100 kb for Premium
• Scan time 130ms – Data exchanged 130 kb for Quantum and 100 kb for Premium


The establishment of the communication between the PAC and the Advantys STB Island is detected with the Wireshark software (http://www.wireshark.org), which is a network protocol analyzer.

We are thus able to monitor the switchover time very accurately by measuring the IOScanning communication between the PAC and the Advantys STB Island connected directly on the network.

6.1.2. SCADA Server – PAC

In this part we measure the performance of the system when an event occurs between the PAC and an IO Server of the SCADA system. Different tests have been performed:
• Stop CPU
• Crash CPU
• CRP fault (for Quantum only)
• Broken Ethernet link (Control network)
  The Ethernet cable is unplugged between the switch SW3 and the PAC A.
• Broken Ethernet link (Device network)
  The Ethernet cable is unplugged between the PAC A and the Advantys STB island with IP address 172.20.104.11.

In this case, the criterion to declare the system operational is the establishment of the communication between the IOServer1 and the PAC.

We performed tests on OFS and Modnet between I/O server and I/O device (100 tags) on the Quantum architecture and tests on Modnet between I/O server and I/O device (100 tags) on the Premium architecture (results for OFS will be included in the next issue of the document).

Wireshark software is also used to perform these tests as indicated on the next diagrams.


6.2. Premium PAC Architecture

This paragraph describes the results of the tests performed on the Premium architecture represented on the figure below.

[Figure: Premium test architecture.]


Test 1: Measurement of the connection time between the PAC and a field device (STB) after a switchover.

Columns: Scan Time: 40ms, Exchanged Data: 100kbytes; Scan Time: 130ms, Exchanged Data: 100kbytes

Switchover System
  Rows: Stop Primary PAC; Unexpected stop of the Primary PAC (Crash)
  Values: 115ms, 743ms, 325ms, 943ms
Switchover by application
  Rows: Disconnection Ethernet Link NOE Scada ring; Disconnection Ethernet Link NOE Devices ring
  Values: 112ms, 491ms, 331ms, 653ms

Test 2: Measurement of the connection time between the IOServer 1 and the PAC after a switchover.

Scan Time: 40ms

                                                  Modnet Driver   OFS
Switchover System
  Stop Primary PAC                                3,374s          X
  Unexpected stop of the Primary PAC (Crash)      2,866s          X
Switchover by application
  Disconnection Ethernet Link NOE Scada ring      4,416s          X
  Disconnection Ethernet Link NOE Devices ring    4,324s          X


6.3. Quantum PAC Architecture

This paragraph describes the results of the tests performed on the Quantum architecture represented on the figure below.

[Figure: Quantum test architecture, showing SERVER 1, SERVER 2, Client 1, Client 2, switches SW1 to SW4 and SW10 to SW12 (with managers), PAC A (IP 172.20.101.110, mask 255.255.0.0), PAC B (IP 172.20.101.111, mask 255.255.0.0), the Remote I/O, the devices on the 172.20.104.x network, and the Wireshark capture points for Test 1 and Test 2.]


Test 1: Measurement of the connection time between the PAC and a field device (STB) after a switchover.

                                                  Scan Time: 40ms             Scan Time: 130ms
                                                  Exchanged Data: 130kbytes   Exchanged Data: 130kbytes
Switchover System
  Stop Primary PAC                                819ms                       849ms
  Unexpected stop of the Primary PAC (Crash)      367ms                       343ms
  Primary CRP Fault                               473ms                       661ms
Switchover by application
  Rows: Disconnection Ethernet Link NOE Scada ring; Disconnection Ethernet Link NOE Devices ring
  Values: 679ms, 545ms, 313ms, 878ms

Test 2: Measurement of the connection time between the IOServer 1 and the PAC after a switchover.

Scan Time: 40ms

                                                  Modnet Driver   OFS
Switchover System
  Stop Primary PAC                                3s              1,6s
  Unexpected stop of the Primary PAC (Crash)      3,6s            1,7s
  Primary CRP Fault                               3,9s            1,9s
Switchover by application
  Disconnection Ethernet Link NOE Scada ring      4,1s            3,1s
  Disconnection Ethernet Link NOE Devices ring    2,3s            2s


Schneider Electric Industries SAS
Head Office
89, bd Franklin Roosvelt
92506 Rueil-Malmaison Cedex
FRANCE

Due to evolution of standards and equipment, characteristics indicated in texts and images in this document are binding only after confirmation by our departments.

www.schneider-electric.com
Version 1.0 – 07 2010
