The MicroNet Plus control system uses redundant CPU5200/CPU5200L modules that must be located in the first and last VME slots (A1 and A8 / A14). The chassis has a single motherboard and houses 2 power-supplies, 2 CPUs, and 12 I/O slots. One Single share data path between VME and CPU Modules.
The CPU5200 module offers high processing capability in features like dual Ethernet, dual Real Time Network ports, dual CAN, and a configurable RS-232/RS-422/RS-485 serial port. Module operating temperature limits are –40 °C to +85 °C.
The communication for health between CPU modules do by VME and for control of bus. What is SYSCON, System controller which is in good helath and gain control of IO modules first. The other CPU is always STANDBY. The SYSCON sends all necessary state information to the backup CPU, allowing it to take control of the I/O modules if the SYSCON fails.
The following reasons will cause a failover from the SYSCON CPU to STANDBY CPU:
• CPU module power supplies when fail
• when anything mentioned fail of the processor core, RAM, flash, oscillator, etc.
• If communications fail between the processor and the FPGA.
• A reset of the SYSCON CPU, due to front panel or remote Resets
• An application requested failover
• An application stop due to any unexpected reason.
• A watchdog timeout between the CPU module and the FPGA. This mean that devices did not respond to the other device within time limit.
Redundant Power Supplies
Two load sharing power supplies provide redundant power to the motherboard, CPU and I/O modules. The MicroNet Plus power supplies are 2-slot wide each and are located at each end of the chassis in the designated PS1 and PS2 slots.
Redundant Inputs and Outputs
Two levels of redundancy are available. The first involves wiring two external input devices to two separate input channels. In the event of a failed sensor or a failure in the connection from the sensor to the control, a valid input is still available
Redundant Sensors
The wiring of two external input devices to two s I/O modules. Valid input still will be available for system when any sensor fails and
wire signal disconnected.
Redundant Inputs
This process can be expanded for triplicated inputs. With triplicated inputs, redundant inputs are available if an input fails. It is also possible to determine which input is not valid when using triplicated inputs.
Redundant Outputs
By adding external relay, we can use redundant outputs. For discrete outputs, this would require four relays for each output. For the actuator outputs, a dual coil actuator can be used. The dual coils will allow one coil to operate the actuator in the event of a failure.
The value of redundancy is dependent on the ability of the application to detect the failure. For analog and actuator outputs, current and/or voltage readback is provided. For any fault detection of discrete output , relay contact information must be updated.
MicroNet Plus Redundant Operation
To use the MicroNet Plus for redundant operation, a CPU must be in the first VME slot (slot A1) and a CPU must be in the last VME slot (slot A14). In the GAP application select the MICRONET14 or MICRONET8 chassis type and place a CPU5200/CPU5200L CPU module in both A1 and A14 / A8 slots (corresponding GAP block is CPU_M5200 or CPU_ML5200).
Start-up
• Load and start the application on each CPU using AppManager.
• If the CPUs are started within 20 seconds of each other they will boot in the “Redundant” mode.
• If the CPUs are not started within 20 seconds of each other the first CPU started will become the master and the second CPU will have to re-sync to the running CPU.
• If the applications are not the same and both CPUs are started together, CPU1 (located in slot A1) will be the SYSCON and the backup CPU will be failed.
Redundant Network
If one CPU fails, the ports on the other CPU are still available to the application running on the CCS. The communication clients (PDW) can perform a fail-over to a port (i.e. an IP number) that is still available on the other CPU, and continue communicating.
If one network fails (a switch between a client and the CCS), the communication client can fail-over to a port on the other network (i.e. another IP number) and continue communicating.
If the ports 2 on each CPU are not used there is no possibility of any MAC address collision if traffic crosses over between the Green and Yellow networks. In that case, if a network path is broken in the Yellow Network and a network path is broken in the Green Network, traffic is still possible between all nodes, as the traffic can cross over between the networks. The Yellow and Green networks are separated on the CCS network level. Cross over occurs through the high level PAN switch that connects the two networks.
Example of Network Redundancy
As per above mentioned figure, when switch A (Yellow) is connected to switch B (Green) on a high level layer, so even if the Yellow path of node 1 and the Green path of node 2 will break, they are still able to talk to each other. Because the Yellow and Green CCS networks connect to the networks the CCS nodes will be able to communicate to each other through the network in case of failure of two paths.
If the ports 2 of both CPUs are connected to the switches, the traffic of the MicroNet Plus CPUs cannot be allowed to cross over. In that case the above described dual fault resilience mechanism is not available. It still is available to traffic that does not involve the MicroNet.
The added ports allow for other fault recovery methods and other recoverable fault modes, but generally these require the communication master to be able to fail over to more than one IP address. This is likely to be beyond the capabilities of most masters. It is recommended to not use the ports 2 on both CPUs.
Redundant Inputs
Way cool! Some extremely valid points! I appreciate you
writing this write-up and the rest of the website is also really good.