7/27/2019 Cc Produc

1/9

GE Fanuc Critical Control Solutions

Introduction

Not every customer has the same requirements for high availability and safety protection systems .That is why GE Fanuc offers a wide range of critical control solutions, from hot backup to GeniusModular Redundancy systems that meet the most stringent standards for high availability and humanlife safety.

These solutions are based on GE Fanuc PLC and I/O technologies, which can be readily integrated foroutstanding performance and reliability. GE Fanucs Series 90-30 PLC and I/O products provide acost effective platform for applications requiring moderate levels of critical control, while the Series

90-70 PLC and Genius product lines offer the higher levels of on-line diagnostics required in humanlife and environmental protection systems. These controllers can be interfaced to any I/O product toform system configurations meeting the requirements of Safety Integrity Levels 0-3 as defined by ISAS84.01 and IEC 61508.

No matter what level of critical control you need, you can count on GE Fanucs standards-basedapproach. GE Fanuc critical control products have been certified by United Laboratories (UL);European CE Mark; Canadian Standards Association (CSA), Factory Mutual Research Corporation(FM Class 1 Div. 2 hazardous equipment ratings), National Fire Protection Agency, American Bureauof Shipping (ABS), and TV.

Hot StandbyCPU

Triple CPUVoted

Dual CPUVoted

Fire & Gas

Human LifeProtection

Systems Certifiedto Risk Class 6

GMR

HBR30

CGR772Non SafetyApplications

CGR935

TMR30

X

X

X

XX

Simplex CPU w/WDT

XX

XXX

X X

X

7/27/2019 Cc Produc

2/9

GE Fanuc High Availability Control

Genius LAN A

Genius LAN B (Optional)Up to 29 I/ODrops per LAN

Hot Backup CPU

90/30 Rack I/O Field Control I/O

CPU

GBC

GBC

CPU

GBC

GBC

Genius I/O

GENIUSField ControlBSM

BBC

G

C

G

BIU

HBR30 delivers an out-of-the-box solution forapplications such as fuel loading, standby powergeneration, boiler systems, and manufacturing systems

that require a modular level of critical control.Integrated with standard GE Fanuc Series 90-30 PLCsand I/O options, HBR30 software products provide the

benefits of a redundant CPU system without the typicalprogram development costs. In addition, the HBR30offers a standard plug-and-play approach to subroutinessuch as synchronization of variables, redundant I/O buscontrol, program equivalence testing, selection ofmaster CPU, and advanced diagnostics. As a result, itreduces the demands on the system administration andmaintenance personnel.

Streamlined Configuration

The redundant portion of an HBR30 system consists oftwo GE Fanuc model 90-30 PLCs which communicatewith each other and the remote I/O system over GeniusLAN. The HBR30 user friendly environment allows theuser to create the configuration by selecting from theavailable options. The configuration utility makesextensive use of dialog boxes for entering systemconfiguration information. The utility creates aLogicmasterTM 90 teach file which automatically

generates the necessary script file for entering the HBRsubroutines.

Outstanding Diagnostic Coverage

The GEF HBR30 systems includes advanced diagnostics tofacilitate troubleshooting, which include:

Analog Input Out of Range CPU Off-line Loss of I/O Block System Bus Fault CPU Configuration Mismatch I/O Bus Failure

HBR30 Benefits

The HBR30 system has been thoughtfully designed to offer

an extensive range of benefits. Requiring no specialprogramming or special modules, the HBR30 system deliverscost-effective functionality, backed by GE Fanuc hot linesupport and worldwide distribution.HBR30 advantages include:

High availability. Factory standard platforms. No special programming Advanced diagnostics. Scaleable CPU performance. Fault Tolerant I/O Communications Extensive I/O options. Many HMI communications options. Microsoft Windows compatibility. Point and click configuration. Single or dual I/O busses. PLC fault history log. Flexible master switchover operation. Analog input scaling. Automatic program download.

For additional information please Reference the HBR30User Manual # GFK-1165 (11/99)

90-30 Hot Standby Redundancy

Primary CPU

7/27/2019 Cc Produc

3/9

GE Fanuc High Availability Control

HBR30 Lite - this 90-30 Hot Standby Redundancy(HBR) package has been specially configured to

provide the basic PLC user with many off-the-shelfredundancy features found in higher level systems.HBR 30 Lite provides the most cost effectiveredundancy platform providing a simple plug and playenvironment. Preconfiguration of all input and outputaddresses and mapping of automatically transferredsystem variables simplifies the task of systemconfiguration. In addition, the user friendly Windows

based programming environment allows the systemengineer to get the application into operation fast.

HBR 301 - features include extended I/O capability,configurable synchronized data, status and diagnosticflags, selectable master and Dual Genius LAN, all in acost effective package. HBR301 is the workhorse ofthe 90-30 hot standby redundancy suite providing I/Ocapacities of up to 1500 points. As with all otherHBR30 versions, I/O in the system can be distributed toone or more Genius LANs which operate at distances of

up to 7500 feet over twisted pair cable or self healingfiber optic rings for longer distances.

90-30 Hot Standby Options

HBR 302-EX- Designed with the advanced user inmind, HBR 302-EX provides configuration flexibilitywhile maintaining ease of use. Coupled with the powerand functionality of Ethernet data synchronization,HBR 302EX offers advanced features for over 5000I/O points. The standard utility provides dialog boxesfor selection system configuration details as well ason-line diagnostics reporting, communication status andI/O fault reporting. Special Functions preformed by theHBR30 include Analog input scaling, program

equivalence testing , selection of master CPU andsynchronization of application program variables.Diagnostics monitored by the HBR30 software include:analog input out of range, CPU off line, bus fault,invalid checksum and loss of I/O. Faults and alarms arelogged automatically in to the fault history table wherereference address, fault description and date and timestamp recorded for up to 32 records. A variety ofcommunication interface modules allow for easy access

by HMI and other MIS functions.

For additional information please Reference the HBR30User Manual # GFK-1165 (11/99)

Dig

italI

nput

s(M

ax)

Dig

italO

utpu

ts(M

ax)

Anal

ogIn

puts(M

ax)

Anal

ogOutpu

ts(M

ax)

Dat

aSy

nchr

oniza

tion

CPU

Dia

gnostic

Fla

gs

Stat

usFl

ags

Maste

rSelectio

n

BusTo

polo

gy

HBR30 Lite 256 64 32 12

300

Registers

90-30

35X &

36X Standard Enhanced

A, B or

Floating Simplex

HBR 301 512 512 512 64

Up To

8,000

Registers

90-30

35X &

36X Enhanced Enhanced

A, B or

Floating

2 Simplex

or 1 Dual

HBR 302-EX 2048 2048 1024 200

Up To

8K

Registers

Ethernet 364 Only Enhanced Enhanced

A, B or

Floating

8 Simplex

or 4 Dual

7/27/2019 Cc Produc

4/9

GE Fanuc High Availability Control 90-70 Plug & Play Redundancy

CGR 935/772 Synchronized System

Primary

CPU

Genius LAN

Genius I/O Blocks

Fault Tolerant

Synchronization Bus

Secondary

CPU

GeniusBIU

90-30 Rack I/O

Field Control or Versa Max I/O

System Operation

For applications that place a premium on process uptime,synchronized CPU redundancy is essential. CPUredundancy eliminates common mode failure (CMF),allowing critical processes to continue even after a failureoccurs in any single component. GE Fanucs CGR systemsachieve enhanced hot standby CPU redundancy byconnecting two power supplies and two CGR CPUs to oneor more Genius I/O networks.

In addition to the CGR CPUs, the primary and secondary

PLCs in GE Fanuc enhanced hot standby systems each havea Redundancy Communications Module and a BusTransmitter Module. This combination provides thesynchronization and bumpless transfer link between the twounits. All control data defining machine status, as well asother internal data are transferred twice per sweep.

If system failures are detected in the active unit, controlautomatically switches to the backup unit. Control can also

be switched manually, either by pushing a button on theRedundancy Communications Module or by changing the

setting in the application software. In this case, the CPUsswitch roles. The active unit becomes the backup, and thebackup unit becomes active.

Intelligent I/OGE Fanuc intelligent I/O contributes to the high

performance delivered by GE Fanuc enhanced hotstandby systems. When configured for hot standbyoperation, I/O modules on the Genius LAN mustchoose between outputs from the Genius bus controllerassociated with the primary CPU or outputs associatedwith the backup CPU. If the outputs from both Genius

bus controllers are available, the modules will prefer

the outputs from the primary CPU. If after threeconsecutive Genius bus scans, there are no outputs fromthe primary CPU, the I/O will recognize the outputsfrom the backup CPU. If outputs are not available fromeither CPU, the I/O modules will revert to theirreconfigured default (off or hold last state) value.

Reliability and Ease of Use Benefits

Bumpless switching between redundant PLCs. Synchronization of CPUs.

Redundant communications. 4.7 msec. base scan time. Single scan switching. Configurable back-up data size. On-line programming and repair No single point of failure. Different program in secondary PLC. Manual or program control switching. 256 Diagnostic status bits and fault tables. Memory parity and checksums. Supports 12k Digital I/O (any mix). Up to 8k analog I/O. 0.4 microseconds per Boolean function. 96 MHz, 80486DX4 microprocessor. Windows Based Programming. Supports 1 Mbyte of battery-backed RAM. Configurable data and program memory. Battery-backed calendar clock. Three-position operation mode switch. Password controlled access. Key switch memory protection.

For additional information please reference the

Enhanced Hot Standby CPU Redundancy Users GuideGFK-1527

7/27/2019 Cc Produc

5/9

Certification by TUV ensures the customer that theproduct is suitable for applications requiring maximumreliability, fault tolerance and safety by verifying propersystem operation to international standards for faultinsertion, environmental and electrical noise testing. Inaddition, GE Fanucs GMR system has been designed tocomply with the demanding requirements of theInstrument Society of Americas ISA S84.01 processsafety guideline and IEC 65 international standard whenadopted.

Approved configurations include:

Triple Modular Redundancy (2oo3, 2v3) TV RiskClass 6 (SIL3) Duplex Modular Redundancy (1oo2, 2v2) TV RiskClass 6 (SIL3) Enhanced Diagnostic Redundancy (1oo2D, 2v2D)TV Risk Class 6 (SIL3) Duplex Modular Redundancy (2oo2, 1v2) TV RiskClass 4 (SIL2)

Simplex with Diagnostic Redundancy (1oo1D,1v1D)TV Risk Class 4 (SIL2)

Genius Modular Redundancy Benefits

The versatility and strength of Genius ModularRedundancy make it an ideal choice for rigorousemergency shutdown and human life protection systems.It is backed by GE factory support and worldwidedistribution network:

Approved for TV risk class 6.486 CPU, 20 msec scan time.Flexible configuration options.Simplex, fail-safe, and fault tolerant I/O.Accommodates local and remote I/O.Advanced diagnostics.Built-in smart switch fusing.Pre-commissioning I/O verification.Self-documenting configuration utility.Fault Tolerant communications.Class 1 Div. 2 certified.

For additional information please reference the GMR UsersGuide GFK-1277B

GE Fanuc Safety System TechnologyGenius Modular Redundancy (GMR)

Genius Modular Redundancy

(J-nys Maj--lr Ri-dn-dn-se) 1. of, or relatingto, safety system modularity. 2. use of standardizedunits for flexibility and variety of use.

The GE Fanuc Genius Modular Redundancy (GMR)system combines the flexibility and power of theSeries 90-70 PLC with the advanced functionality ofGenius I/O. The result is an extremely versatilesystem, which allows the system designer to apply asmuch or as little redundancy as necessary to meet theapplication requirements. Simplex, fail-safe, or faulttolerant I/O configuration can be remotely linked toredundant processors providing system coverage thatmeets the requirements for emergency shutdown andhuman life protection systems.

The advanced GMR executive continually executesdiagnostics to detect overt and covert failures,reducing mean time to repair (MTTR) and generatingautomatic fault reports for maintenance or operations

personnel. Other automatic diagnostic featuresinclude memory error checking as well as data andaddress line testing.

In addition, Genius I/O, with its distributed design,allows the I/O to monitor the actions of otherintelligent devices on the system and provide

automatic diagnostic checks on the field loops.Genius I/O accommodates both local and remoteinstallation requirements. Because it does not requirelong wiring runs, Genius I/O reduces installation costsup to 50 percent.

TV Approved:

GE Fanucs Genius Modular Redundancy (GMR)system was the first PLC technology flexible enoughto receive a risk class 6 rating from the internationallyrecognized German safety testing organization TUV

Rhineland.

GMR

7/27/2019 Cc Produc

6/9

Triple Modular Redundancy - 2oo3

The most significant feature of the GMR triplemodular redundancy (TMR) system is the inherentability to eliminate any nuisance trip. Based on threeisolated PLCs and extensive diagnostics, the GMRtriple modular redundancy system uses two-out-of-three voting to provide high reliability and error-freeoperation. Additionally, GMRs physically uncoupleddesign and separate leg circuit protection virtuallyeliminates the potential of common mode failure.

Distributed Diagnostics:

Discrete I/O circuits incorporate current and voltagesensors that provide loop continuity, output and loadstate diagnostics. In its triplicated mode, GMRidentifies system faults and compensates for themautomatically, allowing repair or replacement withoutinterrupting systems operations. Faults are handled bya software alarm processor function that time-stampsand logs I/O and system faults in two diagnostictables. These tables can be displayed by the

programmer or uploaded to a host computer or othercoprocessor.

GE Fanuc Safety System TechnologyGenius Modular Redundancy (GMR)

Failsafe/Fault Tolerant TMR

2oo3 Voted System

SimplexOutputs

FaultTolerantOutputs

FaultTolerant/FailSafe Outputs

FailsafeOutputs

mplexnputs

Dualnputs

cateduts

CPU ACPU B

CPU C

Distributed Voting:

In the TMR configuration, each of the three CPUsgather information from the input modules and

performs 2oo3 voting on the data. Voted input state

results are then transferred to the output subsystem viafault tolerant Genius bus data communicationschannels. Each Genius output block then performsoutput voting on the triplicated output data. Thisdistributed voting technique ensures the highest levelsof data integrity with system availability exceeding99.999%

GMR Triple Modular Redundancy Benefits:

GMR Triple Modular Redundancy Systems meet orexceed all international standards for systems of itsclass. Features include:

Approved for TV risk class 6.

Meets ISA S84.01 and IEC 61508.

Common Platform for Fire & Gas and ESD.

Failsafe,FaultTolerant Design.

Class 1 Div. 2 certified.

On-Line Program Modification via Ethernet.

Electronic fusing

Accommodates local and remote I/O

Base Scan Time of 20 msec.

For additional information, please see the GMR UsersGuide GFK-1277B.

TUV Approved Class 6 (SIL3) - Fault Tolerant

7/27/2019 Cc Produc

7/9

GE Fanuc Safety System TechnologyGenius Modular Redundancy (GMR)

Fault Tolerant Dual 1oo2D & 2oo2D

w/ Extended Diagnostics

CPU ACPU B

Diagnostic (D)

WDT

Optional WDT (D)

provides Unlimited

Time-out Tolerance

SimplexOutputs

FaultTolerantOutputs

FaultTolerant/FailSafe Outputs

FailsafeOutputs

mplexnputs

Dualnputs

cateduts

Fault Tolerant vs. Failsafe:

GMR 1oo2D/2oo2D systems offer the ability toconfigure your system for either fail safe or fault tolerantoperation. Fail safe systems trip the outputs to a safe stateupon detection of a field input change or diagnosticanomaly, while fault tolerant systems employredundancy techniques to maintain the ability to operateas designed even in the presence of a diagnostic failure.

In the GMR, the 1oo2D system is configured so thateither of the system logic solvers can deactivate or tripthe final output. In the 2oo2D mode, both logic solvers

must agree for an output action to take place. The 1oo2Dproviding Process Safety and 2oo2D insuring processProcessUptime.

The Best of Both Worlds:

Historically, the downside of dual systems is that when adiagnostic fault or data discrepancy occurred, the systemhad to be repaired or shut down according to establishedtime-out restrictions. GMR 1oo2D/2oo2D offers a fail-safe/fault tolerant design, degrading in a 2-1-0 manner,

without the compromises that affect other dualredundancy systems.

TUV Approved Class 6 (SIL3) - Fault Tolerant

Unlimited Shutdown Timer:

To avoid shutdown, both channels in the GMR systemintegrate a diagnostic watchdog unit that periodicallydetects a heartbeat pulse transmitted through the system by

the CPU. If the watchdogs interval timer is not resetwithin a user selectable time frame, the system outputs willbe de-energized. The outputs of these secondarydiagnostic channels are configured to AND/OR, witheach primary logic solver output providing shutdowncoverage on a channel basis. This backup or secondarymeans of de-energizing the outputs allows each system tooperate independently and degrade with out effecting theoperation of the complementary system.

Dual System Benefits:

GMR 1oo2D/2oo2D can be configured for fail-safe orfault tolerant operation without the limitations that affectmany dual redundancy systems.

Approved for TV risk class 6 (SIL3).

Failsafe, Fault Tolerant Design.

Meets requirements of ISA S84.01.

Electronic Fusing

Accommodates Local and Remote I/O.

Common Platform for Fire & Gas and ESD.

Class 1 Div. 2 certified.

Self Documenting Configuration Utility.

For additional information, please see the GMR Users

Guide GFK-1277B.

7/27/2019 Cc Produc

8/9

Failsafe System Design

Fail-safe systems are designed to trip the outputs to asafe or de-energized state upon detection of a fault or adiagnostic anomaly. In most cases, this isaccomplished through either diagnostic intervention or

process input changes. In a simplex ESD system,

however, special consideration must be given to thefunctional readiness of the system. For theseapplications, a single Genius Modular RedundancyCPU can be configured as a one-out-of-one (1oo1D)system by simply implementing I pattern outputs.

In this configuration, a simplex CPU can be monitoredby two communication channels, each receiving aheartbeat used to verify the operation of the system.The The Ipattern output is built around an intelligentI/O device that periodically detects this system wide

pulse. If either of the the output modules intervaltimers is not reset within a pre-defined time frame, thesystem outputs will be de-energized.

This back-up or secondary means of de-energizing theoutputs allows each system to operate in an unrestrictedtime-out mode. The outputs of these secondarydiagnostic channels are configured to OR with the

primary logic solver outputs providing shutdowncoverage from the field inputs, diagnostic failures, andhardware anomalies.

GE Fanuc Safety System TechnologyGenius Modular Redundancy (GMR)

Failsafe 1oo1Dw/ ExtendedDiagnostic Coverage

TUV Class 4 (SIL2)

The flexibility inherent in the Genius I/O and thecommunication subsystem allow the configurationengineer to add an additional layer of protection byimplementing redundant I/O and communicationchannels.

Distributed Diagnostics

In addition to the continuos communication checks, allstandard diagnostic features found in dual and triplicatedGMR systems are active in the 1oo1D version.Furthermore, Genius I/O circuits incorporate current andvoltage sensors that provide loop continuity as well asoutput and load state diagnostics. Faults are handled by asoftware alarm processor function that time-stamps andlogs I/O and system faults in two diagnostic tables.These tables can be displayed by the programmer oruploaded to a host computer or other coprocessor.

GMR 1oo1D Benefits

GMR 1oo1D features are designed to enhance ease ofoperation and flexibility, making it ideally suited for ahost of applications. These features include:

Approved for TV Risk Class 4 (SIL2) - Failsafe.

486 CPU, 20 msec Base Scan Time.

Simplex, Failsafe and Fault Tolerant I/O.

Local and Remote I/O.

Pre-commissioning I/O verification.

Fault Tolerant communications.

Class 1 Div. 2 certified.

For additional information, please see the GMR Users

Guide GFK-1277B

DiagnosticWDT

GMR

CPU

SimplexOutputs

FailsafeOutputs

SimplexInputs

Dual

Inputs

LOAD

Common

LOAD

Optional WDT (D)

provides Unlimited

Time-out Tolerance

7/27/2019 Cc Produc

9/9

GE Fanuc High Availability ControlGenius Modular Redundancy (GMR)

1oo1D, 1oo2D, 2oo2 and 2oo3

GMR Fire & Gas Solutions

Fire & Gas System Description

GMR Fire Fighting and Gas Detection Systemscontinuously monitor environmental variables, includingheat, smoke, break glass alarms, and UV/IR firedetectors, as well as combustible and toxic gas detectors.Through its line monitoring input technology, GMR Fireand Gas Systems gather smoke, fire, and gas sensorinformation in either a simple, fail-safe, or fault tolerant

manner and process it through the redundant systemschannels. In this way, it assures that the proper alarmsare generated for fire control personnel.

If any of the input variable limits are exceeded, theoutput subsystems are designed to automatically closeoperating valves and damper doors, de-energizeelectrical power, vent process gasses, and activateextinguishant release systems. In fire detectionapplications, output subsystems are configured to permitmanual activation reducing the possibility of spurious

extinguishant release.

Protection Di scharge Valve

MatrixZonedFire &GasSensors

Second &

ThirdCPUOptio

nal

Fail SafeOutputs:16 or 32

per group.

SimplexOutputs:16 or 32

per group.

Outstanding Alarm Integration

GMR Fire and Gas Systems offer a number of options formanaging external alarms. Operations and fire control

personnel are notified of detection anomalies throughmatrix display panels, computer-generated displays, andaudible alarms. A variety of communications linksand/or physical I/O can be used to connect these ancillarydevices. In addition, key-controlled interfaces can beincorporated to provide signal simulation formaintenance and system-proof testing activities.

Extensive Diagnostics Ensure System Availability

Fire and gas systems differ in design philosophy from

emergency shutdown systems. They are designed toenergize to trip, rather than de-energize to trip. Thismeans that the system is normally dormant and must betested frequently on line to ensure operation on demand.GMRs comprehensive diagnostics provides total systemverification, resulting in fault tolerant system availabilityexceeding 99.999%.

GMR Fire and Gas System Benefits

Approved for TV Risk Class 6 -Fault Tolerant486 CPU, 20 msec Scan Time.Simplex,Failsafe, and Fault Tolerant I/O.Accommodates Local and Remote I/O.Advanced Diagnostics.Built-in Smart Switch Fusing.Pre-commissioning I/O verification.Self Documenting Configuration Utility.Fault Tolerant Communications.Class 1 Div. 2 certified.

For additional information, please see the GMR Fire and

Gas System Users Guide GFK-1649

TUV Approved Class 6 (SIL3) - Fault Tolerant