GE Fanuc Critical Control Solutions

Introduction Not every customer has the same requirements for high availability and safety protection systems . That is why GE Fanuc offers a wide range of critical control solutions, from hot backup to Genius Modular Redundancy systems that meet the most stringent standards for high availability and human life safety. These solutions are based on GE Fanuc PLC and I/O technologies, which can be readily integrated for outstanding performance and reliability. GE Fanucs Series 90-30 PLC and I/O products provide a cost effective platform for applications requiring moderate levels of critical control, while the Series 90-70 PLC and Genius product lines offer the higher levels of on-line diagnostics required in human life and environmental protection systems. These controllers can be interfaced to any I/O product to form system configurations meeting the requirements of Safety Integrity Levels 0-3 as defined by ISA S84.01 and IEC 61508. No matter what level of critical control you need, you can count on GE Fanucs standards-based approach. GE Fanuc critical control products have been certified by United Laboratories (UL); European CE Mark; Canadian Standards Association (CSA), Factory Mutual Research Corporation (FM Class 1 Div. 2 hazardous equipment ratings), National Fire Protection Agency, American Bureau of Shipping (ABS), and TV.

Hot Standby CPU

Simplex CPU w/ WDT

Dual CPU Voted

Triple CPU Voted

HBR30
Non Safety Applications

X
X X

CGR772 CGR935

TMR30
Human Life Protection Systems Certified to Risk Class 6

X
X X X X X X

X
X X

GMR Fire & Gas

GE Fanuc High Availability Control

90-30 Hot Standby Redundancy

Primary CPU
C P U GG BB CC

Hot Backup CPU

C P U GG BB CC

Outstanding Diagnostic Coverage The GEF HBR30 systems includes advanced diagnostics to facilitate troubleshooting, which include:
Genius LAN A

Up to 29 I/O Drops per LAN

Genius LAN B (Optional)

Field Control BIU GG BB CC 90/30 Rack I/O Field Control I/O

GENIUS

B S M

Analog Input Out of Range CPU Off-line Loss of I/O Block System Bus Fault CPU Configuration Mismatch I/O Bus Failure

Genius I/O

HBR30 delivers an out-of-the-box solution for applications such as fuel loading, standby power generation, boiler systems, and manufacturing systems that require a modular level of critical control. Integrated with standard GE Fanuc Series 90-30 PLCs and I/O options, HBR30 software products provide the benefits of a redundant CPU system without the typical program development costs. In addition, the HBR30 offers a standard plug-and-play approach to subroutines such as synchronization of variables, redundant I/O bus control, program equivalence testing, selection of master CPU, and advanced diagnostics. As a result, it reduces the demands on the system administration and maintenance personnel. Streamlined Configuration The redundant portion of an HBR30 system consists of two GE Fanuc model 90-30 PLCs which communicate with each other and the remote I/O system over Genius LAN. The HBR30 user friendly environment allows the user to create the configuration by selecting from the available options. The configuration utility makes extensive use of dialog boxes for entering system configuration information. The utility creates a LogicmasterTM 90 teach file which automatically generates the necessary script file for entering the HBR subroutines.

HBR30 Benefits
The HBR30 system has been thoughtfully designed to offer an extensive range of benefits. Requiring no special programming or special modules, the HBR30 system delivers cost-effective functionality, backed by GE Fanuc hot line support and worldwide distribution. HBR30 advantages include: High availability. Factory standard platforms. No special programming Advanced diagnostics. Scaleable CPU performance. Fault Tolerant I/O Communications Extensive I/O options. Many HMI communications options. Microsoft Windows compatibility. Point and click configuration. Single or dual I/O busses. PLC fault history log. Flexible master switchover operation. Analog input scaling. Automatic program download.

For additional information please Reference the HBR30 User Manual # GFK-1165 (11/99)

GE Fanuc High Availability Control 90-30 Hot Standby Options

x) An a l og O u tp u t s (Ma x) Da ta S yn c h ro n iza tio n (Ma x (Ma x ) ) ts (M a n o sti c Fla gs tio n

p u ts

tp u ts

An a l o g In pu

S elec

gs

HBR30 Lite

256

64

32

12

300 Registers Up T o 8,000 Registers

90-30 35X & 36X 90-30 35X & 36X

A, B or Standard Enhanced Floating

Simplex

HBR 301

512

512

512

64

A, B or 2 Simplex Enhanced Enhanced Floating or 1 Dual

HBR 302-EX

2048 2048

1024

200

Up T o 8K A, B or 8 Simplex Registers Ethernet 364 Only Enhanced Enhanced Floating or 4 Dual

HBR30 Lite - this 90-30 Hot Standby Redundancy (HBR) package has been specially configured to provide the basic PLC user with many off-the-shelf redundancy features found in higher level systems. HBR 30 Lite provides the most cost effective redundancy platform providing a simple plug and play environment. Preconfiguration of all input and output addresses and mapping of automatically transferred system variables simplifies the task of system configuration. In addition, the user friendly Windows based programming environment allows the system engineer to get the application into operation fast. HBR 301 - features include extended I/O capability, configurable synchronized data, status and diagnostic flags, selectable master and Dual Genius LAN, all in a cost effective package. HBR301 is the workhorse of the 90-30 hot standby redundancy suite providing I/O capacities of up to 1500 points. As with all other HBR30 versions, I/O in the system can be distributed to one or more Genius LANs which operate at distances of up to 7500 feet over twisted pair cable or self healing fiber optic rings for longer distances.

HBR 302-EX- Designed with the advanced user in mind, HBR 302-EX provides configuration flexibility while maintaining ease of use. Coupled with the power and functionality of Ethernet data synchronization, HBR 302EX offers advanced features for over 5000 I/O points. The standard utility provides dialog boxes for selection system configuration details as well as on-line diagnostics reporting, communication status and I/O fault reporting. Special Functions preformed by the HBR30 include Analog input scaling, program equivalence testing , selection of master CPU and synchronization of application program variables. Diagnostics monitored by the HBR30 software include: analog input out of range, CPU off line, bus fault, invalid checksum and loss of I/O. Faults and alarms are logged automatically in to the fault history table where reference address, fault description and date and time stamp recorded for up to 32 records. A variety of communication interface modules allow for easy access by HMI and other MIS functions. For additional information please Reference the HBR30 User Manual # GFK-1165 (11/99)

Bu s T o p o lo

Dig it a l Ou

Dig it a l In

s Fla

Ma st er

S ta tu

Dia g

CPU

gy

GE Fanuc High Availability Control 9070 Plug & Play Redundancy CGR 935/772 Synchronized System
Intelligent I/O GE Fanuc intelligent I/O contributes to the high performance delivered by GE Fanuc enhanced hot standby systems. When configured for hot standby operation, I/O modules on the Genius LAN must choose between outputs from the Genius bus controller associated with the primary CPU or outputs associated with the backup CPU. If the outputs from both Genius bus controllers are available, the modules will prefer the outputs from the primary CPU. If after three consecutive Genius bus scans, there are no outputs from the primary CPU, the I/O will recognize the outputs from the backup CPU. If outputs are not available from either CPU, the I/O modules will revert to their reconfigured default (off or hold last state) value. Reliability and Ease of Use Benefits
Field Control or Versa Max I/O Genius I/O Blocks

Primary CPU

Secondary CPU

Fault Tolerant Synchronization Bus

Genius LAN
Genius BIU

90-30 Rack I/O

System Operation For applications that place a premium on process uptime, synchronized CPU redundancy is essential. CPU redundancy eliminates common mode failure (CMF), allowing critical processes to continue even after a failure occurs in any single component. GE Fanucs CGR systems achieve enhanced hot standby CPU redundancy by connecting two power supplies and two CGR CPUs to one or more Genius I/O networks. In addition to the CGR CPUs, the primary and secondary PLCs in GE Fanuc enhanced hot standby systems each have a Redundancy Communications Module and a Bus Transmitter Module. This combination provides the synchronization and bumpless transfer link between the two units. All control data defining machine status, as well as other internal data are transferred twice per sweep. If system failures are detected in the active unit, control automatically switches to the backup unit. Control can also be switched manually, either by pushing a button on the Redundancy Communications Module or by changing the setting in the application software. In this case, the CPUs switch roles. The active unit becomes the backup, and the backup unit becomes active.

Bumpless switching between redundant PLCs. Synchronization of CPUs. Redundant communications. 4.7 msec. base scan time. Single scan switching. Configurable back-up data size. On-line programming and repair No single point of failure. Different program in secondary PLC. Manual or program control switching. 256 Diagnostic status bits and fault tables. Memory parity and checksums. Supports 12k Digital I/O (any mix). Up to 8k analog I/O. 0.4 microseconds per Boolean function. 96 MHz, 80486DX4 microprocessor. Windows Based Programming. Supports 1 Mbyte of battery-backed RAM. Configurable data and program memory. Battery-backed calendar clock. Three-position operation mode switch. Password controlled access. Key switch memory protection.
For additional information please reference the Enhanced Hot Standby CPU Redundancy Users Guide GFK-1527

GE Fanuc Safety System Technology Genius Modular Redundancy (GMR)

GMR
Genius Modular Redundancy (J-nys Maj--lr Ri-dn-dn-se) 1. of, or relating to, safety system modularity. 2. use of standardized units for flexibility and variety of use. The GE Fanuc Genius Modular Redundancy (GMR) system combines the flexibility and power of the Series 90-70 PLC with the advanced functionality of Genius I/O. The result is an extremely versatile system, which allows the system designer to apply as much or as little redundancy as necessary to meet the application requirements. Simplex, fail-safe, or fault tolerant I/O configuration can be remotely linked to redundant processors providing system coverage that meets the requirements for emergency shutdown and human life protection systems. The advanced GMR executive continually executes diagnostics to detect overt and covert failures, reducing mean time to repair (MTTR) and generating automatic fault reports for maintenance or operations personnel. Other automatic diagnostic features include memory error checking as well as data and address line testing. In addition, Genius I/O, with its distributed design, allows the I/O to monitor the actions of other intelligent devices on the system and provide automatic diagnostic checks on the field loops. Genius I/O accommodates both local and remote installation requirements. Because it does not require long wiring runs, Genius I/O reduces installation costs up to 50 percent. TV Approved: GE Fanucs Genius Modular Redundancy (GMR) system was the first PLC technology flexible enough to receive a risk class 6 rating from the internationally recognized German safety testing organization TUV Rhineland.

Certification by TUV ensures the customer that the product is suitable for applications requiring maximum reliability, fault tolerance and safety by verifying proper system operation to international standards for fault insertion, environmental and electrical noise testing. In addition, GE Fanucs GMR system has been designed to comply with the demanding requirements of the Instrument Society of Americas ISA S84.01 process safety guideline and IEC 65 international standard when adopted. Approved configurations include: Triple Modular Redundancy (2oo3, 2v3) TV Risk Class 6 (SIL3) Duplex Modular Redundancy (1oo2, 2v2) TV Risk Class 6 (SIL3) Enhanced Diagnostic Redundancy (1oo2D, 2v2D) TV Risk Class 6 (SIL3) Duplex Modular Redundancy (2oo2, 1v2) TV Risk Class 4 (SIL2) Simplex with Diagnostic Redundancy (1oo1D, 1v1D) TV Risk Class 4 (SIL2) Genius Modular Redundancy Benefits The versatility and strength of Genius Modular Redundancy make it an ideal choice for rigorous emergency shutdown and human life protection systems. It is backed by GE factory support and worldwide distribution network: Approved for TV risk class 6. 486 CPU, 20 msec scan time. Flexible configuration options. Simplex, fail-safe, and fault tolerant I/O. Accommodates local and remote I/O. Advanced diagnostics. Built-in smart switch fusing. Pre-commissioning I/O verification. Self-documenting configuration utility. Fault Tolerant communications. Class 1 Div. 2 certified.
For additional information please reference the GMR Users Guide GFK-1277B

GE Fanuc Safety System Technology Genius Modular Redundancy (GMR) Failsafe/Fault Tolerant TMR 2oo3 Voted System
TUV Approved Class 6 (SIL3) - Fault Tolerant
CPU A CPU B CPU C

Distributed Voting:
Simplex Outputs Simplex Inputs Failsafe Outputs

Dual Inputs Fault Tolerant Outputs

Triplicated Inputs

In the TMR configuration, each of the three CPUs gather information from the input modules and performs 2oo3 voting on the data. Voted input state results are then transferred to the output subsystem via fault tolerant Genius bus data communications channels. Each Genius output block then performs output voting on the triplicated output data. This distributed voting technique ensures the highest levels of data integrity with system availability exceeding 99.999%

Fault Tolerant/Fail Safe Outputs

GMR Triple Modular Redundancy Benefits:

Triple Modular Redundancy - 2oo3 The most significant feature of the GMR triple modular redundancy (TMR) system is the inherent ability to eliminate any nuisance trip. Based on three isolated PLCs and extensive diagnostics, the GMR triple modular redundancy system uses two-out-ofthree voting to provide high reliability and error-free operation. Additionally, GMRs physically uncoupled design and separate leg circuit protection virtually eliminates the potential of common mode failure. Distributed Diagnostics: Discrete I/O circuits incorporate current and voltage sensors that provide loop continuity, output and load state diagnostics. In its triplicated mode, GMR identifies system faults and compensates for them automatically, allowing repair or replacement without interrupting systems operations. Faults are handled by a software alarm processor function that time-stamps and logs I/O and system faults in two diagnostic tables. These tables can be displayed by the programmer or uploaded to a host computer or other coprocessor. GMR Triple Modular Redundancy Systems meet or exceed all international standards for systems of its class. Features include: Approved for TV risk class 6. Meets ISA S84.01 and IEC 61508. Common Platform for Fire & Gas and ESD. Failsafe,FaultTolerant Design. Class 1 Div. 2 certified. On-Line Program Modification via Ethernet. Electronic fusing Accommodates local and remote I/O Base Scan Time of 20 msec.

For additional information, please see the GMR Users Guide GFK-1277B.

GE Fanuc Safety System Technology Genius Modular Redundancy (GMR) Fault Tolerant Dual 1oo2D & 2oo2D w/ Extended Diagnostics
TUV Approved Class 6 (SIL3) - Fault Tolerant
CPU A CPU B

Unlimited Shutdown Timer:

Simplex Inputs Diagnostic (D) WDT Simplex Outputs

Optional WDT (D) provides Unlimited Time-out Tolerance

Failsafe Outputs

Dual Inputs Fault Tolerant Outputs

Triplicated Inputs

Fault Tolerant/Fail Safe Outputs

To avoid shutdown, both channels in the GMR system integrate a diagnostic watchdog unit that periodically detects a heartbeat pulse transmitted through the system by the CPU. If the watchdogs interval timer is not reset within a user selectable time frame, the system outputs will be de-energized. The outputs of these secondary diagnostic channels are configured to AND/OR, with each primary logic solver output providing shutdown coverage on a channel basis. This backup or secondary means of de-energizing the outputs allows each system to operate independently and degrade with out effecting the operation of the complementary system. Dual System Benefits: GMR 1oo2D/2oo2D can be configured for fail-safe or fault tolerant operation without the limitations that affect many dual redundancy systems. Approved for TV risk class 6 (SIL3). Failsafe, Fault Tolerant Design. Meets requirements of ISA S84.01. Electronic Fusing Accommodates Local and Remote I/O. Common Platform for Fire & Gas and ESD.

Fault Tolerant vs. Failsafe: GMR 1oo2D/2oo2D systems offer the ability to configure your system for either fail safe or fault tolerant operation. Fail safe systems trip the outputs to a safe state upon detection of a field input change or diagnostic anomaly, while fault tolerant systems employ redundancy techniques to maintain the ability to operate as designed even in the presence of a diagnostic failure. In the GMR, the 1oo2D system is configured so that either of the system logic solvers can deactivate or trip the final output. In the 2oo2D mode, both logic solvers must agree for an output action to take place. The 1oo2D providing Process Safety and 2oo2D insuring process Process Uptime. The Best of Both Worlds: Historically, the downside of dual systems is that when a diagnostic fault or data discrepancy occurred, the system had to be repaired or shut down according to established time-out restrictions. GMR 1oo2D/2oo2D offers a failsafe/fault tolerant design, degrading in a 2-1-0 manner, without the compromises that affect other dual redundancy systems.

Class 1 Div. 2 certified.

Self Documenting Configuration Utility.

For additional information, please see the GMR Users Guide GFK-1277B.

GE Fanuc Safety System Technology Genius Modular Redundancy (GMR) Failsafe 1oo1D w/ Extended Diagnostic Coverage
TUV Class 4 (SIL2)
GMR Diagnostic WDT CPU

Optional WDT (D) provides Unlimited Time-out Tolerance

Simplex Inputs

LOAD Common

Simplex Outputs

The flexibility inherent in the Genius I/O and the communication subsystem allow the configuration engineer to add an additional layer of protection by implementing redundant I/O and communication channels. Distributed Diagnostics

Dual Inputs

LOAD

Failsafe Outputs

Failsafe System Design Fail-safe systems are designed to trip the outputs to a safe or de-energized state upon detection of a fault or a diagnostic anomaly. In most cases, this is accomplished through either diagnostic intervention or process input changes. In a simplex ESD system, however, special consideration must be given to the functional readiness of the system. For these applications, a single Genius Modular Redundancy CPU can be configured as a one-out-of-one (1oo1D) system by simply implementing I pattern outputs. In this configuration, a simplex CPU can be monitored by two communication channels, each receiving a heartbeat used to verify the operation of the system. The The Ipattern output is built around an intelligent I/O device that periodically detects this system wide pulse. If either of the the output modules interval timers is not reset within a pre-defined time frame, the system outputs will be de-energized. This back-up or secondary means of de-energizing the outputs allows each system to operate in an unrestricted time-out mode. The outputs of these secondary diagnostic channels are configured to OR with the primary logic solver outputs providing shutdown coverage from the field inputs, diagnostic failures, and hardware anomalies.

In addition to the continuos communication checks, all standard diagnostic features found in dual and triplicated GMR systems are active in the 1oo1D version. Furthermore, Genius I/O circuits incorporate current and voltage sensors that provide loop continuity as well as output and load state diagnostics. Faults are handled by a software alarm processor function that time-stamps and logs I/O and system faults in two diagnostic tables. These tables can be displayed by the programmer or uploaded to a host computer or other coprocessor. GMR 1oo1D Benefits GMR 1oo1D features are designed to enhance ease of operation and flexibility, making it ideally suited for a host of applications. These features include: Approved for TV Risk Class 4 (SIL2) - Failsafe. 486 CPU, 20 msec Base Scan Time. Simplex, Failsafe and Fault Tolerant I/O. Local and Remote I/O. Pre-commissioning I/O verification. Fault Tolerant communications. Class 1 Div. 2 certified.

For additional information, please see the GMR Users Guide GFK-1277B

GE Fanuc High Availability Control Genius Modular Redundancy (GMR) 1oo1D, 1oo2D, 2oo2 and 2oo3 GMR Fire & Gas Solutions
TUV Approved Class 6 (SIL3) - Fault Tolerant

Secon d& Third CPU Optio nal

Outstanding Alarm Integration GMR Fire and Gas Systems offer a number of options for managing external alarms. Operations and fire control personnel are notified of detection anomalies through matrix display panels, computer-generated displays, and audible alarms. A variety of communications links and/or physical I/O can be used to connect these ancillary devices. In addition, key-controlled interfaces can be incorporated to provide signal simulation for maintenance and system-proof testing activities.

Protection Discharge Valve

Matrix Zoned Fire & Gas Sensors

Fail Safe Outputs: 16 or 32 per group.

Simplex Outputs: 16 or 32 per group.

Extensive Diagnostics Ensure System Availability Fire and gas systems differ in design philosophy from emergency shutdown systems. They are designed to energize to trip, rather than de-energize to trip. This means that the system is normally dormant and must be tested frequently on line to ensure operation on demand. GMRs comprehensive diagnostics provides total system verification, resulting in fault tolerant system availability exceeding 99.999%.

Fire & Gas System Description GMR Fire Fighting and Gas Detection Systems continuously monitor environmental variables, including heat, smoke, break glass alarms, and UV/IR fire detectors, as well as combustible and toxic gas detectors. Through its line monitoring input technology, GMR Fire and Gas Systems gather smoke, fire, and gas sensor information in either a simple, fail-safe, or fault tolerant manner and process it through the redundant systems channels. In this way, it assures that the proper alarms are generated for fire control personnel. If any of the input variable limits are exceeded, the output subsystems are designed to automatically close operating valves and damper doors, de-energize electrical power, vent process gasses, and activate extinguishant release systems. In fire detection applications, output subsystems are configured to permit manual activation reducing the possibility of spurious extinguishant release.

GMR Fire and Gas System Benefits

Approved for TV Risk Class 6 -Fault Tolerant 486 CPU, 20 msec Scan Time. Simplex,Failsafe, and Fault Tolerant I/O. Accommodates Local and Remote I/O. Advanced Diagnostics. Built-in Smart Switch Fusing. Pre-commissioning I/O verification. Self Documenting Configuration Utility. Fault Tolerant Communications. Class 1 Div. 2 certified.
For additional information, please see the GMR Fire and Gas System Users Guide GFK-1649