Synchronization PCB Software

SM 1D1.0030

1000 Technology Drive, Pittsburgh, PA 15219
645 Russell Street, Batesburg, SC 29006

Copyright 2019 1D1.0030 Rev. 3, March 2019

Proprietary Notice

This document and its contents are the property of Hitachi Rail STS USA, Inc. (formerly known as Union Switch & Signal Inc., and hereinafter referred to as "STS USA"). This document is furnished to you on the following conditions: 1.) That no proprietary or intellectual property right or interest of STS USA is given or waived in supplying this document and its contents to you; and, 2.) That this document and its contents are not to be used or treated in any manner inconsistent with the rights of STS USA, or to its detriment, and are not to be copied, reproduced, disclosed or transferred to others, or improperly disposed of without the prior written consent of STS USA.

Copyright © 2019, Hitachi Rail STS USA

1000 Technology Drive, Pittsburgh, PA USA 15219-3120 645 Russell Street, Batesburg, SC 29006

sts.hitachirail.com All rights reserved.

Revision History

REV.  ISSUE DATE     REVISION DESCRIPTION
1     February 2010  Initial Release
2     April 2010     Revised per PTY comments
3     March 2019     Hitachi Rail STS Branding

1. SYNCHRONIZATION DESCRIPTION

The Synchronization PCB allows two MICROLOK II units to connect to each other in order to form a synchronized pair for a seamless redundant application. Each MICROLOK II cardfile contains a Synchronization PCB. The MICROLOK II cardfiles are linked through an Ethernet interface, receive the same physical inputs, deliver the same physical outputs, and have the same hardware and software architecture and same physical I/O. To use this PCB in a MICROLOK II system, the application software must be compiled/recompiled using a specific compiler and executive software. A specific diagnostic tool to match this executive software is also required.

2. SYNCHRONIZATION PCB

The Synchronization PCB contains its own microprocessor, has four vital isolated inputs, two vital isolated outputs, and other I/O circuitry in order to interface with two independent MICROLOK II units. Two versions of the Synchronization PCB are available: one for 12 volt operation and one for 24 volt operation.

3. INTRODUCTION

Version 3.0 and higher of the MICROLOK II Certified Executive (MLKII-CC) contains enhancements to the MICROLOK II system to implement an executive based synchronized duplicate system. This document provides a system designer with basic information relating to the specification and operation of the newly implemented features in the 3.x version of the MICROLOK II Certified Executive. This document contains information relating to the new features of version 3.0 and higher of the MICROLOK II Certified Executive and does not contain information relating to existing features. Refer to STS USA service manual SM6800D for MICROLOK II Programming information.

4. EXECUTIVE VERSION MLKII-CC 3.0

Executive Version MLKII-CC 3.0 and higher adds an executive based synchronization between two MICROLOK II units to allow them to operate in a redundant configuration to increase the availability of the overall system. Both units will deliver synchronized physical outputs such that if one unit is disabled, either through a system reset, power down or other error condition, the internal and output states will remain un-altered and the installation control will continue with the remaining unit.

NOTE

If you are upgrading from an Executive Version lower than MLKII-CC 3.0, you will need to install the new executive software that includes the synchronization (STS USA part number N451232-2165).

In order to achieve the synchronization between the two units, a new I/O board and new communications protocol have been added to the MICROLOK II system. The new board and protocol, along with other modifications made to the MICROLOK II executive, allow the two units to pass all application related information between the units in order to synchronize the application states.

4.1. Sync I/O Board

The Sync I/O board allows two MICROLOK II units to connect to each other in order to form a synchronized pair. There are both physical parallel I/O points and an Ethernet connection between the units.

The board definition specifies the IP Address for the physical port on the board. There are no user defined input or output variables associated with the Sync I/O board and the physical I/O points on the board are pre-defined system variables used for unit synchronization.

4.1.1. Sync I/O Board Definition

The basic specification for a Sync I/O board is shown below.

    BOARD: board_name
      <ADJUSTABLE> ENABLE: 1
      TYPE: SYNC.IO

      E.PORT1
        <ADJUSTABLE> ENABLE: 1
        <ADJUSTABLE> LOCAL.ADDRESS: "0.0.0.0";
        <ADJUSTABLE> SUBNET.MASK: "nnn.nnn.nnn.nnn";
        <ADJUSTABLE> E.PORT1.PEER.ADDRESS: "nnn.nnn.nnn.nnn";
        <ADJUSTABLE> GATEWAY: "0.0.0.0";

The local IP and peer addresses must be configured after the units are installed, since each unit in the synchronized pair must have the same application program yet different IP addresses. It is recommended that the IP address be set to 0.0.0.0 in the application program, as this will avoid logging nuisance events associated with duplicated addresses prior to configuring the units.

As with any I/O board, the board will be given a user definable board name that will be used to reference the board status bits as well as for use in attaching the synchronization link (defined later in the application program) to the ports on the board. The user may then specify either or both of the Ethernet ports using the E.PORT1 and/or E.PORT2 keywords. Although there are two Ethernet ports on the Sync I/O board, the Sync Link must be attached to E.PORT1. The second port may be defined for diagnostic use as described in Section 4.1.3.2. The user then supplies the Ethernet port parameters. These items may be fixed or may be adjustable through the system configuration.

Table 4-1 lists the variables and ranges associated with the Sync I/O board.

Table 4-1. SYNC I/O Board Parameters

Parameter                 Vitality           Minimum   Maximum           Default
Enable                    Vital              0         1                 0
Selective.Shutdown        Non-vital          0         1                 0
Error                     System Vital In    0         1                 0
.E.PORT1.ENABLED          Non-vital          0         1                 0
.E.PORT1.LOCAL.ADDRESS    Non-vital          0.0.0.0   255.255.255.255   0.0.0.0
.E.PORT.SUBNET.MASK       Non-vital          0.0.0.0   255.255.255.255   0.0.0.0
.E.PORT1.PEER.ADDRESS     Non-vital          0.0.0.0   255.255.255.255   0.0.0.0
.E.PORT1.GATEWAY          Non-vital          0.0.0.0   255.255.255.255   0.0.0.0
OnLine.Reset              System Vital Out   0         1                 0
OffLine.CPS.Reset         System Vital Out   0         1                 0
Input.Sync.Err            System Vital In    0         1                 0
Self.Sync.Err             System Vital In    0         1                 0
Partner.Sync.Err          System Vital In    0         1                 0
Partner.Status            System Vital In    0         1                 0
Partner.CPS               System Vital In    0         1                 0
ONLINE.OUT                System Vital Out   0         1                 0
SYNC.OUT                  System Vital Out   0         1                 0
BACK.VCOR.IN              System Vital In    0         1                 0
FRONT.VCOR.IN             System Vital In    0         1                 0
ONLINE.IN                 System Vital In    0         1                 0
SYNC.IN                   System Vital In    0         1                 0
PUD                       System Vital In    0         1                 0
QUANRANTINE               System Vital In    0         1                 0

A user may define only one Sync I/O board and only six Ethernet capable boards in total. For hot standby applications, this limits the allowable COMM I/O boards to five. The Sync I/O board may only be defined as one of the first six I/O boards.

4.1.2. Sync I/O Board I/O

There are four external vital physical inputs, two external vital physical outputs and an Ethernet communications link on the Sync I/O board. In addition to the external I/O points, there are two non-vital inputs controlled by switches on the Sync I/O board. These are all system level I/O points. There is no user definable I/O associated with the Sync I/O board, but there are a number of system bits, including one for each of the physical I/O points as well as other information related to the status of the unit synchronization.

None of the bits associated with the Sync I/O board are synchronized between the two units. The bits are set independently by each MICROLOK II unit.

• <board_name>.Enabled – Board enabled bit. Set if the board is enabled through the configuration.

• <board_name>.Selective.Shutdown – Not used.

• <board_name>.Error - Input error bit – Set if the input diagnostics detect a fault in the vital input circuits. The associated input will be clear.

• <board_name>.ONLINE.RESET - System bit that will cause the On-Line unit to reset forcing a failover to the Off-Line unit. This bit is edge triggered so that the new On-Line unit will not reset as soon as it transitions from Off-Line to On-Line. Setting this bit on the Off-Line unit will have no effect.

• <board_name>.OFFLINE.CPS.RESET – System bit that will cause the Off-Line unit to reset and clear its CPS error flags allowing the CPS to be picked. This bit is set by the On-Line unit and the reset information is delivered through the synchronization link. The On-Line unit can use this bit to reset the partner unit even if it is not an active Off-Line unit as long as communications can be established. Setting this bit on the Off-Line unit will have no effect.

• <board_name>.INPUT.SYNC.ERROR - This bit is set by both the On-Line and Off-Line units when the inputs on the Off-Line unit’s physical input boards other than the Sync I/O board disagree with the values synchronized from the On-Line unit for more than 5 seconds.

• <board_name>.SELF.SYNC.ERROR - This bit is set by the unit when the inputs on the Sync I/O board disagree with the established synchronization mode for more than 5 seconds.

• <board_name>.PARTNER.SYNC.ERROR - This bit is set by the unit when the inputs on the partner's Sync I/O board disagree with the established synchronization mode for more than 5 seconds.

• <board_name>.PARTNER.STATUS - This bit is set by the unit and reflects the status of the partner unit. If the partner unit is an active unit, this bit is set.

• <board_name>.PARTNER.CPS.STATUS - This bit is set by the unit and reflects the partner unit's CPS error status. If the partner is capable of picking its CPS, this bit is set.

• <board_name>.ONLINE.OUT – Set by the On-Line unit. This bit is reflected in the On-Line output on the Sync I/O board.

• <board_name>.SYNC.OUT - Set by both the On-Line and Off-Line units when synchronization between the units is established. This bit is reflected in the Synchronization output on the Sync I/O board.

• <board_name>.BACK.VCOR.IN – This bit reflects the state of the Partner Back Contact (PBC) input on the Sync I/O board.

• <board_name>.FRONT.VCOR.IN – This bit reflects the state of the Partner Front Contact (PFC) input on the Sync I/O board.

• <board_name>.ONLINE.IN – This bit reflects the state of the Partner On-Line (POL) input on the Sync I/O board.

• <board_name>.SYNC.IN – This bit reflects the state of the Synchronization input on the Sync I/O board.

• <board_name>.QUARANTINE – This bit reflects the position of the Quarantine switch on the Sync I/O board – this will always be clear as the unit will be in Quarantine mode if this bit becomes set.

• <board_name>.PUD – This bit reflects the position of the Power Up Delay (PUD) switch on the Sync I/O board.

• <board_name>.Spare.1 – Not currently used – available for future enhancements.

• <board_name>.Spare.2 – Not currently used – available for future enhancements.

• <board_name>.Spare.3 – Not currently used – available for future enhancements.

The I/O and status bits associated with the Sync I/O board are not synchronized between the On-Line and Off-Line units. These application variables may have, and in some cases such as the ONLINE.OUT will have, different values. These variables should only be used in the application logic for display and/or reporting purposes.

4.1.3. Sync I/O Board Connections

Mode determination and application synchronization are controlled by the cross connections of the paired units through the Sync I/O boards. Figure 4-1 shows the connections between the physical I/O of the partner units.

[Figure: cross-connections between the Sync I/O boards of Unit A and Unit B. Inputs on each unit: VCOR Front Contact Check of the partner unit, VCOR Back Contact Check of the partner unit, Partner Unit On-Line, Partner Synchronization. Front panel switches on each unit: Quarantine Switch, Power-Up Delay Switch. Outputs on each unit: Unit On-Line, Synchronization Status.]


Figure 4-1. Sync I/O Board Connections

4.1.3.1. Sync Link Ethernet Addressing

All IP Addresses must be specified in the application program as a quoted string in the format “nnn.nnn.nnn.nnn” where nnn is a valid decimal number between 0 and 255.

4.1.3.2. SYNC Board Diagnostic Support

The Sync I/O board has its own communications processor that provides the Ethernet interface as well as a web based user interface. All communications utilizing a Sync I/O board will use UDP/IP as the network protocol. The communication processor also supports network diagnostics.

The web based user interface, which provides status maintenance as well as facilities for uploading new Sync board executive software, is accessed through the ports on the Sync board. In order for a port to function properly, it must have a valid IP address. Only Port 1 on the Sync board is used for application communications.

Diagnostic access is available using the default IP address 172.025.002.254 on Com Port 2.

The password for uploading new Sync I/O software through the web interface is “USS”.

Figure 4-2 shows the password dialog box screen.

Figure 4-2. Password Dialog Box

4.2. Sync Link

The Sync Link provides the communications necessary for the transfer of data between the on-line and off-line units. All application data is synchronized by the executive with no requirement for identifying the data to be synchronized within the application.

4.2.1. Sync Link Definition

There are link parameters and a single station. The port attachment must be to Port 1 of the Sync I/O board.

    COMM
    LINK: HS_SYNC
      ADJUSTABLE ENABLE: 1
      PROTOCOL: SYNC.LINK
      ADJUSTABLE PORT: "<board_name>.E.PORT1";

      ADJUSTABLE SYNC.ADDRESS: 10
        ADJUSTABLE ENABLE: 1
        STATION.NAME: Vital_10;
        ADJUSTABLE ACK.TIMEOUT: 200:MSEC;
        ADJUSTABLE HEARTBEAT.INTERVAL: 1000:MSEC;
        ADJUSTABLE INDICATION.UPDATE.CYCLE: 100;
        ADJUSTABLE STALE.DATA.TIMEOUT: 2400:MSEC;

Table 4-2 lists the variables and ranges associated with the Sync Link.

Table 4-2. SYNC Link Parameters

Parameter                 Vitality   Minimum           Maximum           Default

Link Parameters
Enable                    Vital      0                 1                 No Default
Port                      Vital      Available Ports   Available Ports   No Default

Station Parameters
Enable                    Vital      1                 1                 1
Station.Address.Type      Vital      1                 1                 1
Sync.Address              Vital      0                 65534             No Default
Stale.Data.Timeout        Vital      500               600000            5000
Ack.Timeout               Vital      50                60000             100
Heartbeat.Interval        Vital      100               600000            2000
Indication.Update.Cycle   Vital      1                 100               100
Clock.Master              Vital      0                 1                 0

As with the IP address specified on the Sync I/O board, the peer IP address must be configured after the units are installed, since each unit in the synchronized pair must have the same application program yet different IP addresses. It is recommended that the IP address be set to 0.0.0.0 in the application program, as this will avoid logging nuisance events associated with duplicated addresses prior to configuring the units.

4.3. Synchronization Time-Out

In order to accommodate a variety of application needs the synchronization timeout is a system configuration parameter. This value may be set between 50 ms and 1 second. This timeout specifies the maximum amount of time, once application logic has been completed, to sync the two units and deliver outputs.

    CONFIGURATION
      SYSTEM
        SYNCHRONIZATION.TIMEOUT: 500:MSEC
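
A pre-installation check for the values above, added here as an illustration (it is not Hitachi Rail tooling): it reads numeric and quoted fields from a definition, tests them against the Table 4-2 and Section 4.3 limits, and checks the addresses of a pair. The function names, the reading of the table's timings as milliseconds, the rule that each unit's peer address equals its partner's local address, and the 192.0.2.x sample addresses are assumptions of this example.

```python
import re

# Limits from Table 4-2 and Section 4.3. Assumption: the table's timing
# values are milliseconds, matching the :MSEC suffix in the link definition.
LIMITS = {
    "SYNC.ADDRESS": (0, 65534),
    "STALE.DATA.TIMEOUT": (500, 600000),
    "ACK.TIMEOUT": (50, 60000),
    "HEARTBEAT.INTERVAL": (100, 600000),
    "INDICATION.UPDATE.CYCLE": (1, 100),
    "SYNCHRONIZATION.TIMEOUT": (50, 1000),
}

# Matches KEY: 123, KEY: 123:MSEC and KEY: "quoted string".
FIELD = re.compile(r'\b([A-Z][A-Z0-9.]*):\s*(?:"([^"]*)"|(\d+)(?::MSEC)?)')

# Values as printed in Sections 4.2.1 and 4.3 of this manual.
MANUAL_DEFINITION = """
ADJUSTABLE SYNC.ADDRESS: 10
ADJUSTABLE ACK.TIMEOUT: 200:MSEC;
ADJUSTABLE HEARTBEAT.INTERVAL: 1000:MSEC;
ADJUSTABLE INDICATION.UPDATE.CYCLE: 100;
ADJUSTABLE STALE.DATA.TIMEOUT: 2400:MSEC;
SYNCHRONIZATION.TIMEOUT: 500:MSEC
"""

# Constructed input: two values outside the documented ranges.
CONSTRUCTED_BAD = """
ADJUSTABLE ACK.TIMEOUT: 20:MSEC;
SYNCHRONIZATION.TIMEOUT: 2000:MSEC
"""


def parse_fields(text):
    """Return {key: int or str} for the numeric and quoted fields in text."""
    fields = {}
    for key, quoted, number in FIELD.findall(text):
        fields[key] = int(number) if number else quoted.strip()
    return fields


def range_errors(fields):
    """List every numeric field that falls outside its documented range."""
    errors = []
    for key, (low, high) in LIMITS.items():
        value = fields.get(key)
        if isinstance(value, int) and not low <= value <= high:
            errors.append(f"{key}={value} outside {low}..{high}")
    return errors


def parse_ip(text):
    """Parse "nnn.nnn.nnn.nnn" as four decimal fields, each 0..255.

    Leading zeros are accepted because the manual's format allows them
    ("172.025.002.254"). They are read as decimal and dropped, because some
    network stacks would read "025" as octal 21.
    """
    parts = text.split(".")
    if len(parts) != 4 or not all(
        p.isascii() and p.isdigit() and len(p) <= 3 for p in parts
    ):
        raise ValueError(f"not nnn.nnn.nnn.nnn: {text!r}")
    octets = tuple(int(p, 10) for p in parts)
    if max(octets) > 255:
        raise ValueError(f"field above 255: {text!r}")
    return octets


def pair_errors(unit_a, unit_b):
    """Check the site-configured addresses of both units of a pair.

    Each unit is {"local": "...", "peer": "..."} (hypothetical structure).
    """
    a_local, a_peer = parse_ip(unit_a["local"]), parse_ip(unit_a["peer"])
    b_local, b_peer = parse_ip(unit_b["local"]), parse_ip(unit_b["peer"])
    errors = []
    if (0, 0, 0, 0) in (a_local, a_peer, b_local, b_peer):
        errors.append("0.0.0.0 placeholder still configured")
    if a_local == b_local:
        errors.append("both units use the same local address")
    if a_peer != b_local or b_peer != a_local:
        errors.append("peer address is not the partner's local address")
    return errors
```
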

4.4. Synchronization Operations

When operating as a redundant synchronized pair, both units must have the same application state in order to achieve seamless failover. This is achieved by designating one unit as the On-Line unit and the other unit as the Off-Line unit and updating the Off-Line unit with the application state of the On-Line unit whenever the logical state of the application changes. This is not a voting architecture. The On-Line unit will determine the logical application state based on its inputs and transfer the information to the Off-Line unit.

There are three major components of synchronization: Mode Determination, Input Synchronization and State Synchronization. Mode Determination will establish one unit as the On-Line unit and, if not prevented by other conditions, the other unit will be established as the Off-Line unit. After the units are established as active On-Line and Off-Line units the application inputs and logical state between the units must be synchronized. This is done through Input and State Synchronization. If there is no active Off-Line unit, Input and State Synchronization will not occur.

4.4.1. Mode Determination

The MLKII-CC executive version 3.0 and higher supports synchronization as an option for unit configuration. Units will still be able to operate as stand-alone units with no synchronization requirements or as part of a synchronized pair. Once a unit has been identified, through the PROGRAM TYPE (see Section 4.4.1.1), as part of a synchronized pair, there are two aspects to determining the mode of the unit. The initial unit mode will be determined as part of the system initialization. This determination is based on the state of the Sync I/O board physical I/O points and the communication status of the Sync Link. After an initial mode has been determined, the unit will complete the reset processing and proceed to normal application processing. Both an on-line and off-line unit will continue to evaluate the mode status during application processing.

There are four persistent synchronization modes:

• Stand-alone Mode – This is normal operations for units not identified as part of a synchronized pair.

• Quarantine Mode – This is a non-operational mode entered either through a user request (Quarantine input on the Sync I/O board) or when the On-Line or Off-Line Mode can not be established. There are a number of pending mode transitions that can happen during Quarantine Mode operations as the two units in a synchronized pair attempt to establish their operating modes. The front panel diagnostic port is active during Quarantine to allow for maintenance operations such as event log downloads or application program uploads.

• On-Line Mode – This is a fully operational mode for one unit in a synchronized pair. The On-Line unit determines the state of the application variables and synchronizes the information with the Off-Line unit if the Off-Line unit is available. If there is no Off-Line unit, the On-Line unit will operate the same as a Stand-alone unit other than processing the Sync I/O board I/O and Sync Link in an attempt to establish communications with the partner unit.

• Off-Line Mode – This is a reduced operational mode for one unit in a synchronized pair when the other unit is established as the On-Line unit. There can be no Off-Line unit without an On-Line unit. This unit receives all inputs, both physical and serial, from the On-Line unit. While the Off-Line unit will process the logic associated with inputs received from the On-Line unit, its logical output states will only be used if the On-Line unit resets prior to completion of the logic cycle. As long as the On-Line unit continues to operate, it will send its logical output state to the Off-Line and both units will then deliver the synchronized output states. The Off-Line unit does not communicate through the serial links or accept its own physical input changes if they conflict with the synchronized values from the On-Line unit.

4.4.1.1. Program Type

A new program type, HOT_STANDBY has been created to identify units used in synchronized pairs. This is reflected in the first line of the application program in the PROGRAM statement:

HOT_STANDBY PROGRAM <program_name>;

Only units that have been identified as HOT_STANDBY programs may use the Sync I/O board and Sync Link. Both the board and link definitions are required for units identified as HOT_STANDBY units.

For all program types other than the HOT_STANDBY, the unit will perform application processing as a stand-alone unit with no attempts to synchronize operations with a partner unit.

4.4.1.2. Synchronization Inputs

Mode determination is done using the states of the synchronization physical inputs, synchronization link communications, and unit operational status. Other than the Quarantine input and the Power-Up Delay input, the information communicated through the sync link will override the status of the physical inputs for any physical input that is de-energized. Inputs that are energized in conflict with the synchronization status will however cause a critical error. The main purpose for the physical inputs in mode determination is to allow one unit to become the On-Line unit in cases where the sync link is failed. If there is a discrepancy between the status of the physical inputs and the information relayed over the synchronization link, a warning will be logged and a status bit associated with the unit synchronization status will be set.

• Quarantine Input – This input is used to force a unit into the Quarantine mode.

If the Quarantine input on the Sync I/O board is in the active position during initial mode determination, the unit will remain in the Quarantine Mode.

If the Quarantine input becomes active while a unit is in the On-Line or Off-Line mode, the unit will transition to the Quarantine Mode.

This input must be inactive in order for a unit to enter mode arbitration with the partner unit.

• Power Up Delay (PUD) Input – The power-up delay input is used to bias the on-line selection in favor of the unit with this switch in the fast position. One unit should have the Power-Up Delay set to fast and its partner should have it set to slow. This is a non-vital input and based on other system timing will not always cause the selected unit to become the On-Line unit but does bias the selection criteria. This input is not used once the unit is confirmed in the On-Line or Off-Line mode.

If this input is set to fast during initial mode determination, the unit will attempt to establish communications with the partner unit and become the On-Line unit.

If this input is set to slow during initial mode determination, the unit will wait for the partner unit to establish communications expecting the partner to become the On-Line unit (POL). If no messages are received from the partner unit after a timeout period, this unit will attempt to establish communications with the partner unit expecting to become the On-Line and the partner to become the Off-Line unit.

• Sync Link Communications – The synchronization link is used to allow the two units to communicate information relating to the synchronization status. As long as communications are maintained, information communicated through the sync link will override the status of the physical inputs for any physical input that is de-energized. If any input is energized in conflict with the synchronization mode established by the synchronization link (i.e. the POL input is active on the On-Line unit), a critical error is logged and the unit is reset.

If communications are established, the two units will arbitrate the On-Line status. If the partner unit is already On-Line when a unit is processing the initial mode determination, it will become the Off-Line unit. If both units are processing the initial mode determination at the same time, either unit could become the On-Line unit. Once the On-Line or Off-Line status has been established, the units continue to confirm their synchronization status.

If the synchronization link is lost, the On-Line unit will continue to operate as the On-Line unit as long as the physical inputs indicate that the partner unit is not also on-line (POL and PFC inputs must be de-energized).

If the synchronization link is lost, the Off-Line unit must become the On-Line unit or transition to Quarantine mode. There can never be an Off-Line unit when the synchronization link has failed.

• Partner VCOR Front Contact (PFC) Input – When the PFC is energized, it indicates that the partner unit has already established a synchronization mode and has completed reset processing. For a unit processing initial mode determination, this can only indicate that the partner unit is the On-Line unit.

If the PFC is energized during initial mode determination, a unit can only become the Off-Line unit and then only if synchronization communications can be established. A unit will not become an active On-Line unit if this input is energized during initial mode determination.

If the PFC is de-energized during initial mode determination, it may indicate that the partner is not On-Line but may also indicate a number of error conditions. If synchronization communications cannot be established, this input along with the other Sync I/O inputs, will be used to determine the unit's mode.

If a unit is an active On-Line unit with no partner unit, the PFC must remain de-energized. If this input becomes energized, a critical error is logged and the unit is reset.

If an Off-Line unit loses communications with its On-Line unit, the PFC input must be de-energized in order to allow the unit to become the new On-Line unit. If this input is energized, the unit will transition to Quarantine mode.

• Partner VCOR Back Contact (PBC) Input – When the PBC is energized, it indicates that the partner unit does not have its CPS picked. This can indicate either that the partner unit is not On-Line or is On-Line in a CPS down mode. If this input is de-energized, it indicates that the partner unit has its CPS picked.

If the PBC is energized during initial mode determination, the partner CPS is not picked. This input must be in the energized position in order for a unit to become an On-Line unit during initial mode determination.

If communications can not be established, and the PBC input is not energized, the unit will remain in the Quarantine mode.

If the PBC is de-energized during initial mode determination, then it is possible for the unit to become the On-Line unit only if communication can be established.

If a unit has established communications with its partner unit, the state of the PBC is ignored in the continuing evaluation of the synchronization mode.

If a unit is an active On-Line unit with no partner unit, the PBC must remain energized. If this input becomes de-energized, a critical error is logged.

If an Off-Line unit loses communications with its On-Line unit, the PBC input must be energized in order to allow the unit to become the new On-Line unit. If this input is de-energized, the unit will transition to Quarantine mode.

• Partner On-Line (POL) Input – When the POL is energized, it indicates that the partner unit is established as the On-Line unit and has started normal application processing. A unit may only become an Off-Line unit when its POL input is energized.

If the POL is energized during initial mode determination, a unit can only become the Off-Line unit if synchronization communications can be established. A unit may not become an active On-Line unit if this input is energized during initial mode determination.

If the POL is de-energized during initial mode determination, it may indicate that the partner is not On-Line but may also indicate a number of error conditions. If synchronization communications cannot be established, this input along with the other Sync I/O inputs, will be used to determine the unit's mode.

If a unit is an active On-Line unit, with or without a partner unit, the POL must remain de-energized. If this input becomes energized, a critical error is logged.

If an Off-Line unit loses communications with its On-Line unit, the POL input must be de-energized in order to allow the unit to become the new On-Line unit. If this input is energized, the unit will transition to Quarantine mode.

• Self and Partner CPS Status – If synchronization communications can be established, each unit passes its CPS error status to the partner unit. There can only be an Off-Line unit when both units are operating in the same CPS mode.

If both units have the CPS in the same mode, the other factors will determine each unit’s initial mode.

If one unit is able to pick its CPS and the other unit, due to previous critical errors, can not pick its CPS, the unit capable of picking its CPS will become the On-Line unit and the other unit will remain in Quarantine mode.

A unit may only operate as an On-Line unit with no partner unit if it is capable of picking its CPS. If a unit is not capable of picking its CPS due to previous critical errors and can not establish communications with the partner unit, it will remain in Quarantine mode.

• Synchronization Input – This input indicates that the partner unit has completed a state synchronization. It is energized after the first state synchronization cycle is completed between the On-Line and Off-Line unit and de-energized by the On-Line unit if a synchronization time-out occurs. Its primary usage is to allow the On-Line unit to force the Off-Line unit into Quarantine Mode when the On-Line unit is unable to synchronize with the Off-Line unit after completing a logic cycle.

This input must be de-energized during initial mode determination in order for a unit to become established as either an On-Line unit or an Off-Line unit. If this input is energized, the unit will remain in Quarantine mode.

The On-Line unit does not use this input in its mode maintenance determination.

The Off-Line unit must transition out of the Off-Line mode to either the On-Line or Quarantine mode if this input becomes de-energized after having been energized. If this input is never energized, its status is not used in mode maintenance determination.

4.4.1.3. Initial Mode Determination

Initial Mode determination is done during the reset processing using the states of the synchronization physical inputs and communications. The critical factors in initial mode determination are:

• Quarantine Input – This input must be de-energized in order to proceed with mode determination. If this input is active, the unit will remain in Quarantine mode.

• Synchronization Input – This input can not be energized unless both units have completed initial mode determination. If this input is energized during initial mode determination, it indicates a fault condition and the unit will remain in Quarantine mode.

• Communications Established: The POL, PFC and Synchronization inputs must be de-energized in order to become the On-Line unit. The unit can become the Off-Line unit for all other input conditions.

• Communications Failed: The POL, PFC and Synchronization inputs must be de-energized, the PBC must be energized, and the unit must be capable of picking its CPS in order for a unit to become the On-Line unit.

4.4.1.4. Mode Maintenance and Failover

Once the initial synchronization mode has been determined, the states of the synchronization physical inputs and synchronization communications are continually monitored to determine if a mode transition is required. Any input that should be de-energized but is energized will cause a critical error.

• Quarantine Input – If the Quarantine input becomes active, the unit will transition to the Quarantine mode.

• On-Line Unit – Once established as the On-Line unit, a unit will remain On-Line unless one of the following error conditions occurs:

POL input indicates the partner unit is also on-line.

Synchronization link is down and the PBC contact input is not energized.

Any message is received over the synchronization link indicating that the partner unit is also On-Line.

• Off-Line Unit – Once established as the Off-Line unit a unit will remain Off-Line unless one of the following conditions occurs:

Synchronization input is de-energized after having been energized indicating that synchronization has been lost with the On-Line unit.

Synchronization communications are lost.

State Synchronization does not occur after logic processing.

When an Off-Line unit must transition to a new mode, it may become either the new On-Line unit or a Quarantined unit.

If the POL and PFC inputs are de-energized and the PBC input is energized, this unit will transition to the On-Line status.

For all other conditions, the unit will transition to the Quarantine status.
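The initial mode determination rules in 4.4.1.3 and the Off-Line transition rule above can be written as a small decision model and checked over every input combination. This is an added example, not Hitachi Rail code: all names are hypothetical, the CPS-mismatch and "WAIT" tie-break cases are not modelled, and returning Quarantine when communications are established with POL de-energized and PFC energized is an assumption taken from the POL input description.

```python
from dataclasses import dataclass
from enum import Enum
from itertools import product


class Mode(Enum):
    QUARANTINE = "Quarantine"
    ON_LINE = "On-Line"
    OFF_LINE = "Off-Line"


@dataclass(frozen=True)
class SyncInputs:
    """Sync I/O inputs as seen by one unit: True = energized/active."""
    quarantine: bool
    sync: bool
    pol: bool
    pfc: bool
    pbc: bool


def initial_mode(inp, comms_established, can_pick_cps):
    """Initial mode per the four bullets of 4.4.1.3 (simplified model)."""
    # Quarantine input active, or Synchronization input energized during
    # initial mode determination (a fault): stay in Quarantine.
    if inp.quarantine or inp.sync:
        return Mode.QUARANTINE
    partner_clear = not inp.pol and not inp.pfc
    if comms_established:
        if partner_clear:
            return Mode.ON_LINE
        # Assumption: Off-Line additionally requires POL energized, as the
        # POL input description states; otherwise remain in Quarantine.
        return Mode.OFF_LINE if inp.pol else Mode.QUARANTINE
    # Communications failed: On-Line needs PBC energized and a pickable CPS.
    if partner_clear and inp.pbc and can_pick_cps:
        return Mode.ON_LINE
    return Mode.QUARANTINE


def offline_transition(inp):
    """New mode for an Off-Line unit that must leave the Off-Line mode."""
    if inp.quarantine:
        return Mode.QUARANTINE
    if not inp.pol and not inp.pfc and inp.pbc:
        return Mode.ON_LINE
    return Mode.QUARANTINE


def all_inputs():
    return [SyncInputs(*bits) for bits in product([False, True], repeat=5)]


def mode_counts():
    """How many of the 128 (inputs, comms, CPS) cases land in each mode."""
    counts = {m: 0 for m in Mode}
    for inp in all_inputs():
        for comms, cps in product([False, True], repeat=2):
            counts[initial_mode(inp, comms, cps)] += 1
    return counts


def invariant_violations():
    """Cross-check the model against the per-input rules in the text.

    Returns every case in which the model would go On-Line while an input
    reports an On-Line partner or a fault, go On-Line alone without PBC and
    CPS, or go Off-Line without communications and an energized POL.
    """
    bad = []
    for inp in all_inputs():
        for comms, cps in product([False, True], repeat=2):
            mode = initial_mode(inp, comms, cps)
            if mode is Mode.ON_LINE:
                if inp.quarantine or inp.sync or inp.pol or inp.pfc:
                    bad.append(("initial", inp, comms, cps))
                if not comms and not (inp.pbc and cps):
                    bad.append(("initial-alone", inp, comms, cps))
            if mode is Mode.OFF_LINE and not (comms and inp.pol):
                bad.append(("initial-offline", inp, comms, cps))
        if offline_transition(inp) is Mode.ON_LINE and (
            inp.quarantine or inp.pol or inp.pfc or not inp.pbc
        ):
            bad.append(("failover", inp))
    return bad


if __name__ == "__main__":
    for mode, n in mode_counts().items():
        print(f"{mode.value:10s} {n:3d} of 128 cases")
    print("invariant violations:", len(invariant_violations()))
```

Only 5 of the 128 modelled combinations allow a unit to go On-Line, and only one of those is without synchronization communications.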

4.4.2. Quarantine Mode Displays

The displays on the front panel of the CPU, along with the RED Quarantine YES LED on the Sync board are used to indicate the current status of the initial mode determination. This can be used to troubleshoot systems that will not come out of Quarantine mode.

• RED Quarantine YES LED

On Steady – this indicates Active Quarantine mode and can only be caused by placing the Quarantine switch in the active position.

Flashing Slow (~30-60 cycles per minute) – This indicates normal mode determination operations.

Flashing Fast (~2-3 cycles per second) – This indicates an error condition that may cause the unit to remain in quarantine mode.

• CPU Display – TOP Display “QTIN”, BOTTOM Display

“ACTV” – Active Quarantine mode caused by placing the Quarantine switch in the active position.

“INIT” – No communications have been established. If the LED is flashing fast, it indicates that this unit has CPS errors and will not be able to leave Quarantine mode unless the link can be established. If the LED is flashing slow, the unit is capable of becoming an on-line unit as long as the Sync I/O inputs indicate that there is not already an on-line unit.

“CFGE” – The unit and the partner unit do not have matching synchronization configurations (different executives, applications or vital configurations). The LED should be flashing fast and this unit will not leave Quarantine mode until the synchronization configuration conflict has been resolved.

“CPSE” – The unit has CPS errors and the partner unit is on-line with its CPS picked. The LED should be flashing fast and this unit will remain in Quarantine mode until either the CPS errors are cleared or the on-line unit resets and also enters a CPS error mode.

“WAIT” – This is a temporary state entered when both units attempt to become on-line units. This is normally caused by having both PUD switches set in the same position. There is a random delay factor to this wait state that will allow one unit to terminate the wait state first and become the on-line unit. It may take several passes through the “INIT”/“WAIT” states to resolve the timing conflicts.

“MODE” – This is a transition state after the link has been established but the mode has not yet been determined. This often happens quickly and may not be seen prior to the final mode selection.

“CPSM” – This is a transition state, similar to “MODE” but used when the unit has CPS errors. This often happens quickly and may not be seen prior to the final mode selection. Units displaying this mode will enter either the “CPSE” mode or become part of an on-line/off-line pair with both units in CPS error mode.

The number of Boolean and Numeric variables should include all system variables. The number of Application Timers should include one timer for each block and/or table defined.

These numbers will provide an approximation of the time required to do a state synchronization. Once the application is installed, a more accurate time can be determined…….

4.4.3. Input Synchronization

All input determination, other than the inputs on the Sync I/O board and Sync Link, is done by the On-Line unit. The Off-Line unit will perform diagnostics on its physical inputs but the actual input states will not be accepted for logic processing as long as the unit is Off-Line. The Off-Line unit will also inhibit operations of the application serial links. No communication with external units, other than the partner On-Line unit, will occur while in the Off-Line mode.

Whenever the On-Line unit detects a change in a physical or serial application variable, that information is synchronized with the Off-Line unit. During the time in which the inputs are being synchronized, the On-Line unit will delay sending application serial link acknowledgements of those changes until the input synchronization is complete. Once the Off-Line unit has acknowledged receiving the input synchronization, the application serial link acknowledges will be sent.

4.4.4. State Synchronization

Whenever application logic is processed, the entire state of the application must be synchronized between the two units. This includes all information related to the physical input and outputs as well as internal states and application time delays. Once the state synchronization has been completed, both units will deliver the physical outputs and the serial outputs will become available for transmission by the On-Line unit.

The state of the system bits associated with the Sync I/O board as well as other system bits that may be different are not synchronized between the On-Line and Off-Line units.

4.5. Synchronization Notes

The synchronization between the On-Line and Off-Line units creates some conditions that must be taken into account when designing systems that will implement the synchronization features. The following sections highlight issues and concerns that should be considered in system design.

4.5.1. Reset Timing

The establishment of a synchronization mode may have a considerable impact on the amount of time required for a unit to complete its reset processing depending on a number of factors including fault conditions. Under normal conditions, this impact will be minimal, but if the system settings are not properly configured, it may take considerable time to establish the synchronization mode.

In the following sections, it is assumed that all inputs other than as identified for failed synchronization link or PUD settings are working correctly and correctly reflect the state of the partner unit.

4.5.1.1. Stand Alone Unit

If a unit is not identified as being part of a synchronized pair, there is no impact on reset processing.

4.5.1.2. Established On-Line Unit

If there is already an established On-Line unit when a unit first enters mode determination, the amount of time required for it to be established as the Off-Line unit will be based on the setting of the Stale Data Time-Out (SDTO) of the Synchronization Link. The active POL input indicates that there is an On-Line partner, which will be sending initialization messages at the rate of the SDTO. Once the initial message has been received, mode determination will add less than one second to the reset time.

Overall, mode determination may add up to the SDTO plus one second to the reset of a unit when there is already an established On-Line unit.

4.5.1.3. Simultaneous Reset of Both Units

If both units are reset at the same time, the reset timing will be dependent on the settings of the PUD input. One unit should have this switch set to the fast position and the other unit should have this switch set to the slow position.

When the PUD switches are properly set, the unit with the PUD input in the slow position will wait 10 seconds for the partner unit to start sending initialization messages. The unit with the PUD input in the fast position will start sending initialization messages at the rate of the SDTO. Once the link is operational and one unit has been established as the On-Line unit, that unit will complete reset processing with no additional delays. The unit that is to become the Off-Line unit must wait for the On-Line unit to complete its reset processing and start normal application processing prior to completing its own reset processing.

The impact of this processing on the On-Line unit will normally be less than one second. Due to slight differences in processor timing, it is possible for the first initialization message to be missed, which would add an additional SDTO period to the reset timing of the On-Line unit. The Off-Line unit, which must wait for the On-Line unit to complete reset, will have an additional delay that may be up to the original reset processing time.

If the PUD switches are not properly set, the amount of time required to establish an On-Line and Off-Line unit is variable. If both units have the PUD switch set to the slow position, each unit will wait 10 seconds for the partner unit to send an initialization message prior to attempting to send its own initialization message. Once the 10 seconds has elapsed, or if both units have the PUD switch set to the fast position, both units will attempt to become the On-Line unit. Each unit, upon seeing that the partner unit wishes to become On-Line will relinquish its own On-Line request and wait up to two seconds for the partner to confirm its On-Line status. This can lead to each unit claiming and then relinquishing the On-Line status. There are random delay factors included in the mode determination timing to allow one unit eventually to become the On-Line unit and the other to become the Off-Line unit but it may take several passes through the wait states before final mode determination occurs.

4.5.1.4. Staggered Reset of Both Units

If both units are reset, but not at precisely the same time, the reset timing will be dependent on which unit reset first and the settings of the PUD input.

If the unit that was reset first has the PUD input in the slow position, it will wait up to 10 seconds for the partner unit to initiate communications before initiating communications itself. It will then wait an additional 10 seconds attempting to establish communications prior to proceeding as the On-Line unit with no active partner. If the unit that was reset first has the PUD input in the fast position, it will immediately begin to send initialization messages and wait 5 seconds attempting to establish communications prior to proceeding as the On-Line unit with no active partner. If the second unit enters mode determination during any of these delays, the units will proceed with mode determination in the same manner as for the simultaneous reset of both units.

Depending on the timing and order of the unit resets, the On-Line unit may take up to an additional 10 seconds to complete its reset processing and the Off-Line unit may take up to an additional 25 seconds. These times are in addition to the normal reset time of a comparable stand-alone unit.

4.5.1.5. Failed Synchronization Link

If the synchronization link is failed, there will be no active Off-Line unit. Since the Off-Line unit delivers active outputs, there can be no Off-Line unit without the ability to synchronize the application state. When the synchronization link is failed, one unit will be an On-Line unit and the other unit must remain in Quarantine mode. If the link is failed when one unit is already the On-Line unit, it will remain as the On-Line unit and the unit that is processing its system reset will be held in Quarantine mode due to the active POL and PFC and inactive PBC inputs.

If both units are reset at the same time with a failed synchronization link, the amount of time required to establish an On-Line unit will vary depending on the setting of the PUD switches. If configured properly, the unit with the PUD switch in the fast position will wait 5 seconds attempting to communicate with the partner unit and then become the On-Line unit. When this unit picks its CPS and energizes its On-Line output, the corresponding inputs of the partner unit will force the partner to remain in the Quarantine mode.

If both units have the PUD switch in the same position, both units may attempt to become the On-Line unit. Both units will pick their CPS, but no outputs will be delivered. As each unit’s CPS picks, it will cause the loss of the corresponding PBC contact on the partner unit. This will cause both units to transition back to the Quarantine mode and re-start the mode determination. The mode determination time-outs have a random factor included that will eventually allow one unit to complete its reset processing and pick its CPS while the other unit is still in the mode determination processing. The states of the POL, PFC and PBC inputs will now force the partner unit to remain in the Quarantine mode.

4.5.1.6. Power-Up Delay

When a unit is first powered up, it can take up to one minute for the communications processor on the Sync I/O board to complete its boot-up processing. This will present to the MLKII-CC executive as a failed synchronization link. The mode determination will proceed as indicated in the Failed Synchronization Link section. One unit will become the On-Line unit and the other will remain in Quarantine mode. As soon as both of the communication processors have completed their boot-up functions, communications will be established on the synchronization link and the unit currently in Quarantine mode will become the Off-Line unit.

4.5.1.7. Mode Determination Delay

Any time a unit takes more than 5 seconds to establish a synchronization mode during the reset processing, some of the system reset diagnostics must be redone prior to exiting the reset processing. This will add an additional 2-3 seconds delay to the reset processing.

4.5.2. Application Synchronization State

The data that is synchronized between the On-Line and Off-Line units is determined by the executive and there is no need to identify any information in the application beyond identifying the program as a HOT_STANDBY unit in the program statement and defining the Sync I/O board and Sync Link.

The executive will synchronize the entire state of the application processing which includes the logical state of all Boolean and numeric application variables, the current status of all application timers, and the current activation status of all coded outputs.

Once the state synchronization has been completed, both units will deliver the outputs based on the synchronized data. The physical output will be the same except for the case of coded outputs. Outputs defined as coded outputs will not be actively coded by the Off-Line unit. The current activation status, along with the active code rate, is included as part of the state synchronization but the actual coding will only be done by the On-Line unit.

4.5.3. Synchronization Time-Out

Once logic processing is complete, the application state must be synchronized between the On-Line and Off-Line units prior to either unit delivering outputs. The synchronization time-out defines the amount of time the On-Line unit will wait for the Off-Line unit to acknowledge a state synchronization message before proceeding with output delivery and forcing the Off-Line unit into Quarantine mode. The Off-Line unit, if its synchronization time-out expires, will request a state synchronization from the On-Line unit and wait an additional one second to receive it. If the state synchronization is not received in this time, the Off-Line unit will transition to either the On-Line or Quarantine mode based on the state of the Synchronization physical I/O.

The amount of time required to complete the state synchronization is dependent on the amount of data to be synchronized and the error rate of the communications link. In order to accommodate applications of various sizes and allow for communications re-tries, the synchronization timeout is a system configurable parameter that may be set between 50 ms and 1 second.

For a fully loaded system with the maximum number of application variables, application timers and coded outputs defined, the nominal time for a synchronization cycle with no communication errors is approximately 400 ms with a message size of 20K. The actual amount of time required for a given system can be determined by configuring the event logging level for the synchronization events (EVENT.THRESHOLD.43) to 2. This will cause an event to be logged each time logic is processed, recording the amount of time the unit waited between the end of the logic processing and the end of the state synchronization. This should be done only to determine the nominal time required for state synchronization. The system should not be left in this state as the system event queue may fill quickly with synchronization events, which will greatly decrease its usefulness in general system maintenance.

Prior to having an operational system, a rough approximation of the time required to perform the state synchronization can be made by calculating the anticipated size of the state synchronization message, determining its percentage of the maximum message size and taking that percentage of the maximum message time. This can be calculated as follows:

Max message size: 20,000 bytes

Max sync time: 400 ms

Application message size = (# Boolean variables) * 2 + (# Numeric variables) * 6 + (# Application Timers) * 12 + (# Code Rates) * 140

The synchronization timeout and the acknowledge timeout for the Sync Link are related parameters that influence how the state synchronization operates under various conditions. The acknowledge time-out should never be set for less than the nominal time required to complete the state synchronization plus some reasonable margin based on the variations seen when logging the synchronization delays. If no message re-tries are required, the synchronization timeout can be set to the same value. If message re-tries are desired, the synchronization timeout should be set to the number of desired re-tries times the acknowledge timeout. It may not be possible for all applications to achieve the desired re-tries in an acceptable synchronization timeout but several re-tries can be obtained in the maximum one second synchronization timeout. A smaller synchronization time-out can be used but may limit the number of possible re-tries. In general, the Ethernet communications span a very short distance and the anticipated error rate will be very low. It is a good idea to allow for at least one message re-try if possible.
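The sizing rule and the timeout relationships above, carried through for one application. This is an added example, not part of the original manual or of any STS USA tool: the function names, the sample variable counts and the 50 ms margin are constructed assumptions; the byte weights, the 20,000-byte / 400 ms reference point and the 50 ms to 1 second range are the figures given in the text.

```python
import math
from dataclasses import dataclass

MAX_MESSAGE_BYTES = 20_000      # maximum state synchronization message size
MAX_SYNC_MS = 400               # nominal sync time for a maximum-size message
SYNC_TIMEOUT_MIN_MS = 50        # configurable range of the sync timeout
SYNC_TIMEOUT_MAX_MS = 1000


@dataclass(frozen=True)
class AppSize:
    """Counts used by the sizing formula (system variables included)."""
    booleans: int
    numerics: int
    timers: int
    code_rates: int


def message_bytes(app):
    """Anticipated size of the state synchronization message."""
    return (app.booleans * 2 + app.numerics * 6
            + app.timers * 12 + app.code_rates * 140)


def estimated_sync_ms(app):
    """Same percentage of the maximum sync time as of the maximum size."""
    return message_bytes(app) * MAX_SYNC_MS / MAX_MESSAGE_BYTES


def plan_timeouts(app, margin_ms, retries, logic_timeout_ms):
    """Derive acknowledge and sync timeouts and flag settings that conflict.

    margin_ms is the engineer's own allowance for observed variation
    (an assumption here; the text only asks for "some reasonable margin").
    """
    ack_ms = math.ceil(estimated_sync_ms(app) + margin_ms)
    # No re-tries: sync timeout equals the acknowledge timeout.
    # With re-tries: number of desired re-tries times the acknowledge timeout.
    sync_ms = max(SYNC_TIMEOUT_MIN_MS, ack_ms * max(1, retries))
    issues = []
    if message_bytes(app) > MAX_MESSAGE_BYTES:
        issues.append("message exceeds maximum message size")
    if sync_ms > SYNC_TIMEOUT_MAX_MS:
        issues.append("sync timeout exceeds the 1 second maximum")
    if logic_timeout_ms < sync_ms:
        issues.append("logic timeout is less than sync timeout")
    return {
        "ack_timeout_ms": ack_ms,
        "sync_timeout_ms": sync_ms,
        "max_retries_in_1s": SYNC_TIMEOUT_MAX_MS // ack_ms,
        "issues": issues,
    }


# Constructed sample application, for illustration only.
SAMPLE = AppSize(booleans=2000, numerics=200, timers=100, code_rates=4)

if __name__ == "__main__":
    print(message_bytes(SAMPLE), "bytes,",
          round(estimated_sync_ms(SAMPLE), 1), "ms nominal")
    print(plan_timeouts(SAMPLE, margin_ms=50, retries=2, logic_timeout_ms=300))
```

The estimate is only the pre-installation approximation; the margin should be replaced by values taken from the logged synchronization delays once the application is running.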

4.5.4. Logic Time-Out

The amount of time required to process the actual logic will not be impacted by the synchronization. However, this timeout also includes the end-of-logic processing which has been expanded to include the state synchronization. The logic timeout should therefore be expanded to include the anticipated synchronization delays. A warning will be generated by the compiler if the logic timeout is less than the sync timeout.

4.5.5. Synchronization Wait State

The time between the end of logic and the completion of the state synchronization is referred to as the Synchronization Wait State. The On-Line and Off-Line units exhibit slightly different behavior during this time. The synchronization and logic timeouts are active during this period and limit the amount of time between the end of logic and the delivery of the associated outputs.

When in the synchronization wait state, the Off-Line unit will continue with its normal operations other than the delivery of the output states. If an additional input synchronization message is received or an internal application timer expires causing additional logic processing to be queued, the Off-Line unit will return to the logic processing state.

The On-Line unit will continue with all normal operations other than the delivery of the output states. Input processing will continue and new input values will be accepted. However, if the input changes require additional logic processing, the logic processing will be delayed until the current state synchronization is completed. Likewise, any serial link acknowledges associated with these changes will be delayed until the current state synchronization is completed. As soon as the state synchronization is complete and the associated outputs delivered, pending serial link acknowledges will be released, any pending logic will be processed, and another state synchronization cycle will occur.

4.5.6. System Loading

Depending on the size of the application and the number of changes per unit time, the synchronization between the On-Line and Off-Line units may contribute significantly to the system load. For example, for a fully loaded system, the nominal time for state synchronization is approximately 400 ms. If a system is subject to a change in the inputs at a rate of one change per second, this can contribute to an increase in the system load, as compared to a stand-alone unit, of 25%.

System diagnostics continue to be performed during the synchronization wait states, which helps minimize the impact of the synchronization on the system load.

4.5.7. Coded Outputs vs. Flashers

State synchronization has the greatest impact on the system load imposed on a system due to the synchronized configurations. This synchronization must be completed each time logic is processed. Any logic that runs repetitively, such as a flashing output, will require that a complete state synchronization be performed for each logical transition.

Coded outputs were designed to avoid logic processing for an output that has a steady state of flashing. These outputs will maintain the selected code rate without requiring any logic processing. Application flashers on the other hand, require logic processing each time the flasher changes state.

In order to minimize the impact of synchronization on the system load, the use of coded outputs should be considered in place of flashers created by application timers. In order to allow this technique to be used, the number of allowed coded outputs has been increased from 16 outputs to 128 outputs. The current limits of 16 toggle rates and 16 outputs that use each rate are still in force. However, in order to implement a simple flasher, each output will most likely only require two or three code rates. As long as there are no more than 16 rates defined, and each rate is used by no more than 16 outputs, the actual number of outputs can now exceed the old limit of 16.

4.5.8. Delayed Serial Acknowledges

Whenever serial input changes occur, the acknowledge of the input message can not be sent until after the On-Line unit has synchronized the information with the Off-Line unit. This will cause a delay in the response to serial input messages. Nominally, this delay will be less than 100 ms but if the input change occurs at the same time as a state synchronization is about to occur, it may be additionally delayed for the length of time required to complete the state synchronization.

These factors must be taken into account when setting the no response and acknowledge time-outs for serial stations. For the polling protocols, MICROLOK and GENISYS, there may also have to be an associated increase in the stale data timeouts, as compared to comparable stand-alone systems, for links that are running with minimal margins.

4.5.9. System Availability

The intent of the synchronized system configuration is to increase system availability. Care has been taken in the design of the system such that failures of the new components, the Sync I/O board and the partner unit, will not affect the ability of the system to have at least one unit able to maintain full active control of an interlocking. Most failure conditions will result in the loss of the active Off-Line unit, downgrading the system to either a cold stand-by system when the partner unit is held in Quarantine mode or a stand-alone system if the partner is not operational.

It is not possible however to operate under all failure conditions, especially when multiple failures occur. There is a common failure mode that can cause neither of the units to be able to operate as an On-Line unit. If the sync link is failed, and previous critical errors have placed the units in selective shutdown mode, neither unit will become an On-Line unit. A unit may only become an On-Line unit without communications with a partner unit if it is able to pick its CPS. With the synchronization link failed and the CPS down, there is no way for the units to determine the On-Line status of the partner unit and therefore no way to prevent both units from becoming On-Line units other than to prevent either unit from becoming the On-Line unit. If either unit is capable of picking its CPS, it will become the On-Line unit even with the failed synchronization link. It is only when the communications are failed and neither unit is able to pick its CPS that neither unit will become an On-Line unit.

4.5.10. Synchronization Link Connections

The synchronization link is designed to use a direct connection between the partner units with an Ethernet crossover cable for the synchronization communications. In order to minimize the communications delays, it is not intended to communicate over any type of network or use Ethernet switches or hubs. The timing of the synchronization communications is critical to the overall operations of the redundant pairs and delays due to network traffic can have a significant impact on this timing. The synchronization link will work in most network configurations but at the risk of increased synchronization time-out that will cause a temporary loss of the Off-Line unit’s availability. It is highly recommended that this link be configured as designed with a direct connection between the partner units.

4.5.11. Fail-Over

When an Off-Line unit detects that the On-Line unit has failed, it will transition to become the new On-Line unit. At that time, the new On-Line unit will activate its serial links and start communications with other systems. If a serial message was being transmitted or received at the time of the fail-over, the message may be lost but the information will be retained by the transmitting system and the message will be re-tried. All protocols allow for missed messages and there will be no loss of data or link integrity as long as the time-outs associated with the link allow for a missed message.

In addition to activation of the serial links, the new On-Line unit will now begin active coding of coded outputs. There may be a slight disruption of active code rates at the time of the fail-over, particularly for the faster code rates. The new On-Line unit will begin active coding at the already established code rates as soon as the current logic cycle is complete.

The new On-Line unit will continue to attempt to communicate with the partner unit and establish the partner unit as the new Off-Line unit.

The time required for an Off-Line unit to detect the loss of the On-Line unit and become the new On-Line unit will be based mainly on the time required to detect changes in the Synchronization inputs. The determining factor will be the amount of time it takes to detect that the PBC input has become energized allowing the unit to transition to the On-Line mode. This will take approximately 800 ms. Allowing for the additional processing required to complete the transition, it will take approximately 1 second for an Off-Line unit to assume the On-Line status.


4.5.12. Unit Compatibility

In order for two units to operate as a synchronized pair in a redundant configuration, the units must be logically identical. The units must have the same executive and application version and must have the same vital configuration. These items will be checked through the synchronization link and the link initialization will not be completed if there is a discrepancy. If both units have reset and are doing their initial mode determination, neither unit will be able to become the On-Line unit and both will remain in Quarantine mode. If one unit is already established as the On-Line unit, it will remain the On-Line unit and the partner unit will log an error and go to complete shutdown.

The units will have different non-vital configurations. In order to verify that the application is the same, both units will have the same default IP address for the Sync I/O board. The units must be configured in order to establish different IP addresses for the partner units. This is part of the non-vital configuration and is not checked during the initial mode determination.

4.5.13. Off-Line Data Logging

The User Data Log and the Logic Monitor are both driven by the changes that occur during the logic processing. Since the on-line unit can override or prematurely terminate the logic processing of the off-line unit, the off-line unit may not recognize all variable transactions as changes. While the off-line unit will have the application variables at the correct value, it may not identify that a change has occurred and may not properly log the data.

4.5.14. User Log

In order to avoid incomplete data log entries, the user data log of the off-line unit will not place updated data in the log. A snapshot will be logged at reset and if a failover occurs, the updates due to logic changes will be initiated by the off-line unit.

NOTE

If changes are made (through the configuration process) to the variables included in the data log, care should be taken to make sure the changes were made on both units. The user data log variables are part of the non-vital configuration as there is no executive level check to make sure those are the same for both units.

4.5.15. Logic Monitoring

Like the user data log, the information displayed through the logic monitor is based on change recognition. Since the changes may not be recorded on the off-line unit, the logic monitor may not be updated. When viewed on the off-line unit, the dynamic operation of the logic monitor is not reliable. When first initiated, the values will be correct as of that moment. However, as variables change state, some changes may not be recognized as such by the off-line unit's list of monitored variables. If the logic monitor is not active on the on-line unit, the synchronized variables will no longer be actively updated by the off-line unit. This will not be reflected in the display by the maintenance tool. The values will simply stop updating.

The only variables that can be reliably monitored on the off-line unit are those not synchronized between the on-line and off-line units. This includes the variables associated with the Sync I/O board and some system variables such as the system load and clock variables. All other I/O and internal application variables are synchronized.

4.6. Conversion of Existing Stand-by Systems

A number of applications have implemented redundant systems using features in the application logic. These fall into two basic categories. Some applications have implemented a passive stand-by unit where a reset, and subsequent loss of internal application states, is required for the off-line unit to take active control upon loss of the active on-line unit. In these systems, the stand-by unit is normally operating with the CPS down and the serial links disabled. No vital outputs are delivered but the vital inputs are read. Contacts of each unit’s VCOR are wired to a vital input on the partner unit to determine if the partner is active as an on-line unit with its CPS picked. The Delay_Reset system configuration item and QUICK.RESET system variable are used to allow failovers to occur.

Other applications have implemented an active stand-by unit where one of the application serial links is used to convey some part of the application state between the two units such that the units will deliver synchronized outputs. Both units normally have an active CPS and serial links. These systems are quite similar in operations to the new executive based synchronization with three notable differences:

• The time required for synchronization in the application based system can exceed 10 seconds whereas the executive based synchronization takes less than 1 second.

• The serial links may be active on both units in the application based systems whereas the Off-Line unit has the links disabled in the executive based synchronization.

• The application logic is considerably more complex to provide the application based synchronization.

In order to convert an existing redundant system to utilize the new executive based synchronization features, there are several common steps required as well as an evaluation of each application’s specific operations. Despite the fact that the active stand-by systems are operationally much closer to the new executive based synchronization operations, they require more extensive modifications to convert to the executive based scheme.


4.6.1. Sync Board and Sync Link Definition

The definition for the Sync I/O board and Sync Link must be added to an existing application. The Sync I/O board must reside at one of the first six I/O addresses. If more than six I/O boards are currently used or the Sync I/O board is placed before any existing I/O boards, it will require that the address select jumpers on some or all of the boards be re-configured to match the new application program.

Additional modification will be required to the application program as discussed in Section 4.6.3.

Examine the power supply requirements and make sure the existing power supply is adequate for the additional board(s).

4.6.2. Sync Board and Sync Link Connections

Any existing cross connections between the paired units used for stand-by and/or synchronization control should be removed. The physical I/O for the new Sync I/O boards should be wired as shown in Section 4.1.3. In addition, the ports identified for the use by the Sync Link should be connected using a standard Ethernet crossover cable.

One unit should be designated as the preferred On-Line unit by placing its Power-Up Delay switch in the fast position and the other unit’s Power-Up Delay switch in the slow position.

4.6.3. Application Logic Modifications

Modifications required to the application logic to support the new executive based synchronization will be dependent on the complexity of the existing stand-by scheme.

For applications implemented using the passive design as explained in Section 4.6, the modification should be minimal. Most of these systems have a small number of Boolean assign statements controlling the operations of the stand-by unit. These are the statements that assign values to CPS.ENABLE, RESET, and QUICK.RESET, which are general system bits, and <linkname>.DISABLE serial link system bits. The DELAY_RESET configuration item may be used to select the preferred on-line unit. These statements should be removed, as the functions they provided are no longer necessary. The remaining logic should be evaluated but in most cases no additional modifications will be required.

For applications implemented using the active design as explained in Section 4.6, the modification will be much more intensive. Most of these systems have a large number of Boolean assign statements providing synchronization between the units as well as utilizing one of the application serial links for communications. The application synchronization link should be removed along with all the application logic that defines and provides the synchronization operations. While the operation of these systems is quite similar to the executive based synchronization, the application required is much simpler since the executive is now providing the synchronization interface. All the application logic must be evaluated, and possibly a significant portion of it re-written, in order to use the new executive based synchronization.

4.6.4. External Interface Modifications

As with the modification required to the application logic, some modifications may be required for the external interfaces. This will be dependent on how the existing system is designed.

The outputs from two units operating in hot standby mode must be combined in one of three different ways.

• The outputs can be diode OR'ed together. Make sure that the diodes are of the proper rating to handle the current and voltage requirements of the load.

• Isolation modules (STS USA N348-Series) can be used before OR'ing the outputs together.

• A dual coil relay can be used.

Diode OR'ing the outputs is shown in Figure 4-3. A disadvantage of this configuration is that it is not possible to detect a relay being energized by false energy. If an output is falsely energized past the isolation point, it cannot be detected by the MICROLOK II unit.

Figure 4-3. Microlok Units Driving a Common Output Through Diodes (diagram labels: OUTPUT (UNIT A), OUTPUT (UNIT B), N12)

When using a dual coil relay as shown in Figure 4-4, the output is wired directly to the coil. If the coil is energized by false energy, energization of the relay will be detected by the output circuitry of the MICROLOK II unit. The MICROLOK II unit will then drop its VCOR.

Figure 4-4. Microlok Units Driving Separate Coils of a Dual Coil Relay (diagram labels: OUTPUT (UNIT A), N12-VCOR-A, OUTPUT (UNIT B), N12-VCOR-B)

The serial interfaces, however, will depend on the implementation in the current system. If the serial links of both units have the same serial address with the links being disabled by one unit during normal operations, no additional modifications are required to the external interfaces. The new executive based synchronization has the same serial addresses for both units with the Off-Line unit operating with the links disabled. If, however, the serial links are active on both units with different serial addresses, one of the logical links expected by the units to which this synchronized pair interfaces will no longer be in operation. If this link failure can be tolerated by the interface unit, no additional modifications are required. There will, however, likely be some modification required to allow the interface unit to accept the link failure without generating alarms and/or error reports.


APPENDIX-A. ACCESSING THE SYNCHRONIZATION PCB

A.1 Connecting a Laptop Computer

Proceed as follows to access the Synchronization PCB through a laptop computer:

1. Connect the laptop to either Ethernet connector on the back of the Synchronization PCB.

2. Configure the laptop on the same sub-network as the Synchronization PCB.

3. Open a web browser (e.g., Internet Explorer).

4. Type the Synchronization PCB IP Address in the address bar and press the enter key.

• Port 1 Address: see Figure A-1

• Port 2 Address: 172.025.002.254

5. A main menu screen shown in Figure A-1 will display. The main menu page has tabs in the upper right header section of the screen. These tabs are used to access other areas of the application.

Figure A-1. Main Menu Tabs Display

6. Select the desired tab to view the particular display.


NOTE

The Setup function is a privileged mode. Use extreme caution when working in the Setup mode.

• View Global Parameters (see Section 0)

• View Message (see Section 0)

• View Events (see Section 0)
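Added example, not part of the manual: the Port 2 address in step 4 is printed with zero-padded octets, and parsers that follow inet_aton conventions read an octet with a leading zero as octal, so the same string can resolve to a different host. The sketch below reads the printed address as decimal (assumed to be the manual's intent), reports the octal misreading, and checks that the laptop is on the same sub-network; the laptop addresses and the /24 mask used in the test values are constructed assumptions.

```python
import ipaddress

# Port 2 address exactly as printed in step 4 of A.1.
PCB_PORT2_AS_PRINTED = "172.025.002.254"


def _split_octets(text):
    """Split a dotted quad into its four digit strings, rejecting anything else."""
    parts = text.strip().split(".")
    ok = len(parts) == 4 and all(
        p.isascii() and p.isdigit() and len(p) <= 3 for p in parts
    )
    if not ok:
        raise ValueError(f"not a dotted quad: {text!r}")
    return parts


def decimal_reading(text):
    """Read every octet as base 10 (assumed intent of the zero-padded notation)."""
    values = [int(p, 10) for p in _split_octets(text)]
    if any(v > 255 for v in values):
        raise ValueError(f"octet out of range in {text!r}")
    return ipaddress.IPv4Address(".".join(str(v) for v in values))


def octal_reading(text):
    """Address an inet_aton-style parser yields: leading-zero octets are base 8.

    Returns None when such an octet is not valid octal (the parser rejects it).
    """
    values = []
    for p in _split_octets(text):
        base = 8 if len(p) > 1 and p[0] == "0" else 10
        try:
            v = int(p, base)
        except ValueError:
            return None
        if v > 255:
            return None
        values.append(v)
    return ipaddress.IPv4Address(".".join(str(v) for v in values))


def check_laptop(laptop_cidr, pcb_text=PCB_PORT2_AS_PRINTED):
    """Compare a laptop interface (address/prefix) with the PCB address.

    laptop_cidr is a hypothetical laptop setting such as '172.25.2.10/24'.
    """
    iface = ipaddress.IPv4Interface(laptop_cidr)
    target = decimal_reading(pcb_text)
    misread = octal_reading(pcb_text)
    return {
        # Address to type into the browser, without the zero padding.
        "browse_to": str(target),
        # Host an octal-parsing tool would contact instead, if different.
        "octal_misread": str(misread) if misread not in (None, target) else None,
        # Step 2: laptop and PCB must share a sub-network.
        "same_subnet": target in iface.network,
        # The laptop must not be given the PCB's own address.
        "address_conflict": iface.ip == target,
    }


if __name__ == "__main__":
    for laptop in ("172.25.2.10/24", "172.21.2.10/24"):  # constructed values
        print(laptop, check_laptop(laptop))
```

Typing the address without leading zeros avoids the ambiguity regardless of which browser or tool is used.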

A.2 View Global Parameters

The Global Parameters tab displays SNMP and Global parameters as shown in Figure A-2.

The following Global parameters are displayed:

• Product ID

• Product Name

• Location

Figure A-2. View Global Parameters Display


A.3 View Message Display

The Message View tab displays instructions on how to view the data traffic passing through the Synchronization PCB as shown in Figure A-3. This involves using HyperTerminal. Message logging can be enabled or disabled by using this display.

Figure A-3. View Messages Display

A.4 View Events Display

The Event View tab displays the application events contained in the event log file on the Synchronization PCB as shown in Figure A-4. The timestamp, event code, and description for every event received from the Synchronization PCB is displayed. The most recent 100 events are displayed.


Figure A-4. View Events Display

A.5 View/Save Events

Proceed as follows to view and save events:

1. Scroll up and down to view the events (Figure A-4).

2. There are two icons in the top right corner just above the Events display. One saves the log to a file and the other refreshes the page.

a. To refresh the contents of the event log, select the “refresh” icon.

b. The event log will refresh.

c. To save the contents of an event log to a file, select the “Save” icon.

d. A save menu will display.


e. Specify the name and location of the new file to save.

f. Select the “Save” box.

g. The file is now saved.


A.6 Uploading Operating Software

Figure A-5 shows the tab that allows the user to upload all necessary files to the Synchronization PCB. The software is maintained in a *.tar compression file.

Proceed as follows to upload the software:

1. Select Setup from the main menu. The Setup Mode Login screen shown in Figure A-6 will display.

2. Enter the password. The default password is "USS". The Setup screen shown in Figure A-5 will display.

3. Select Upload.

4. Specify file type to be uploaded.

5. Browse to the location of the desired file.

6. Click upload. This process takes approximately 5 minutes, depending on the size of the application. The message shown in Figure A-7 will display while the upload is in progress.

7. Cycle power after the message "upload is complete" appears.

NOTE

The .tar file contains all necessary images for the u-boot, linux, SYNCHRONIZATION PCB Application and the FPGA.

Do not power-off the board during an upload.


Figure A-5. Software Update Display


Figure A-6. Setup Mode Login Display


Figure A-7. Upload in Progress Display

A.7 Configuring the Sync.IO board

Proceed as follows to access the system configuration options:

1. Click on the System Configuration button on the Maintenance Tools main menu. The system displays a password dialog box that lets you specify whether you wish to view or change configuration settings.

2. Determine whether you want to examine the configuration settings, modify the non-vital settings only, or modify all settings. If you opt to examine the settings, the system will permit no changes to the displayed configuration parameters. The default selection on the form is to modify vital and non-vital settings. Click on the appropriate option.

3. If you selected the Modifying vital and non-vital settings option in step 2, click in the Password box and then enter the appropriate password. The default password is microlokii. If you selected either of the other two options in step 2, you do not have to enter a password.


4. Select the vitality option and click the OK button. If you selected one of the modify options in step 2, go to step 6.

5. Press the RESET pushbutton on the front panel of the Microlok II CPU board and then click on the OK button in the dialog box.

6. The system configuration display as shown in Figure A-8 will appear on the laptop computer screen. This display provides direct access to all of the Microlok II configuration options. You now can select from the available options to display screens that let you view/modify the configuration settings for the system in general, boards and devices, and device links.

7. The Sync.IO board will be shown in the main configuration page as shown in Figure A-8. Click on the Sync.IO board to navigate to the board configuration page.

Figure A-8. Modifying Vital and Non-Vital Settings Display


8. Once the Sync.IO board configuration page loads as shown in Figure A-9 you will see the configurable options for the Sync.IO board. Please see Table 4-1 for the valid ranges of configuration items.

Figure A-9. Sync.IO Board Configuration Display

9. Enter any updated values into Local Address, Subnet Mask, Peer Address, and/or Gateway. Once you are satisfied, click the Done button.

10. Any changes will be displayed in a popup window as shown in Figure A-10.

Figure A-10. Changes Display


11. Once you are done configuring the MICROLOK II unit, click on the “Done with Configuration” button. The updated values will be written to the MICROLOK II unit and the unit will be reset. The Development System will return to the main menu.


End of Module