Main Rack
CPU 270 CPU Type 3
2. MiCOM C264 MANAGEMENT
2.1 Operating mode management
2.1.1 Definitions
Computer modes: the computer operates in the modes that follow:
• Initialisation mode
• Operational mode
− Normal mode
− Downgraded mode
• Maintenance mode
• Test mode
• Faulty mode
• Halt mode
Computer faults include:
• Anomaly: a fault that causes a downgrade in the behaviour of the computer. There are hardware and/or software anomalies, as follows:
− Board failure
− Loss of synchronisation
− Loss of communication.
• Software fault: a major software error causes a software fault, which causes the computer to go into the Faulty mode.
• Vital hardware fault: a fault that causes a software halt, which causes the computer to stop the application software. Vital hardware faults include:
− CPU fault
− Power supply fault
− Bus fault
− Permanent interruption fault
2.1.2 Initialisation mode
After a power on or a manual reset event occurs, the computer goes into the initialisation mode. The initialisation mode does not exceed one minute. The computer performs different types of tests and checks, as follows:
• Vital hardware tests
− Flash memory test: in event of a problem, the computer tries to repair this flash memory.
If a vital hardware test fails, the computer goes out of the initialisation mode and into the Halt mode.
• Non-vital hardware tests
The computer performs non-vital hardware tests only on those boards installed in the computer, and on the peripheral devices connected to the computer:
− Input and output boards:
To determine the number and the type of the installed input and output boards
To do a check for the presence of the previously installed input and output boards and to determine if a board is absent
To do a check for the serviceability of the installed input and output boards and to determine if a board is unserviceable
− Communication boards: the computer performs this test within the communication protocol
− Displays, such as the LCD and LEDs: the computer does a single test for the presence of the HMI board
− Peripheral devices, such as the printer, external clock, and so on: the computer uses timeouts to do a check for the presence of the peripheral devices.
If one of these non-vital hardware tests fails, the computer goes into the related downgraded mode.
• Software tests (database coherency tests)
At each restart of the computer, the computer performs these database coherency tests.
These tests make sure that the database is compatible with the hardware and with the software of the computer, and that the database does not contain incoherent configuration data. The database coherency tests include:
• Check for the presence of a database
• Check of the DB/ software compatibility
This check makes sure that the computer software and the database are coherent and compatible. The computer contains in its static data, a database version number and revision number that indicate which version of the database it can interpret. The database must have the same version number and revision number for the computer to accept it.
• Check of the DB/ equipment compatibility
This check makes sure that the database is compatible with the device on which it was downloaded. The computer compares the type and the number of the device contained in the heading of the database, with the type and the number of the device contained in the static data of the software.
• Check of the validity of the data of the database
This check makes sure that the configured inputs and outputs are present and that the number of devices and signals, such as bays, digital inputs, and so on, stays within acceptable limits.
If any one of these checks fails, the computer goes into the Maintenance mode.
2.1.3 Operational mode
This mode includes two sub-modes: Normal mode and Downgraded mode.
2.1.3.1 Normal mode
This is the nominal operating mode of the active computer. In this mode the computer activates the watchdog relay and all of the computer functions are available. When the computer detects an error, it can go into the related Downgraded mode, into the Faulty mode or into the Halt mode, depending on the cause and the severity of the failure.
In the Normal mode, you can use the local Human Machine Interface (HMI) or upper level maintenance request, to request a transition to the Maintenance mode.
In the Normal mode, you can use the local (HMI) or upper level simulation request, to request a transition to the Test mode.
In the Normal mode, you can do these database operations:
• Download a standby database
• Swap the databases: the computer automatically restarts
• Modify a database
• Show database information.
The computer transmits the results of the Test mode to the local HMI and to the upper level remote control point (RCP).
2.1.3.2 Downgraded mode
In event of an anomaly, the computer goes into the Downgraded mode. In this mode, the operation of the computer is only slightly disturbed because only a few functions are degraded.
The computer activates the watchdog relay.
The type of downgraded mode depends on the hardware configuration of the computer. The different events that cause a downgraded mode include:
• Operation without DO on a board
• Operation without DI on a board
• Operation without AI on a board
• Operation without communication with some relays
• Operation without communication with some station devices
• A combination of two, or more, of these events.
When you or the computer resolve the cause of the transition into the Downgraded mode, the computer returns to the Normal mode.
2.1.4 Maintenance mode
In Maintenance mode, the station bus (SBUS) operates: you can communicate on the SBUS to manage the database. The Maintenance mode shows on the local HMI (LED and LCD) and on the upper level.
The computer deactivates the watchdog relay.
In this mode, you can manage the database:
• Download a database
• Swap the databases
• Modify a database
• Show database information
In the Maintenance mode, you can use the local Human Machine Interface (HMI) or upper level active request, to request a transition to the Operational mode. The Operational mode includes the Normal mode and the Degraded mode.
2.1.5 Test mode = DSPIO Maintenance Mode
To simulate the function of distributed automatic events, such as interlocks, you request to set the computer to Test mode. In Test mode, the computer operates normally but the output relays are not active. When you send a command, the computer does not activate the output relay: instead, if the command is valid, the computer sends a TEST OK message to the substation control point (SCP). If the command is not valid, the computer sends a TEST NOK message to the SCP.
NOTE: To perform the tests, you must manually force BI or Measurements on different computers to create the test conditions. When you see the test conditions, you can send a command. Look at the SCP level (HMI) to see if the result is the expected result.
The Test mode shows on the local HMI (LED and LCD) and on the upper level.
In the Test mode, you can use the local HMI or upper level end-of-simulation request, to request a transition to the Operational mode. The Operational mode includes the Normal mode and the Degraded mode.
The behavior of the CPU and the DSP in agreement with the C264 mode shows in the table that follows. This table is true only if there is no Programmable Scheme Logic (PSL), managed by the CPU, between the start/operate BI and the DSPIO trip relay.
Computer CPU Operating Mode versus Commands Received by the CPU
2.1.6 Faulty mode
In any mode, when a fault occurs to prevent the proper operation of the software, the computer goes into the Faulty mode.
When the computer detects a failure on the DO boards, and if the configuration allows, the computer goes into the Faulty mode. Each time the computer goes into the Faulty mode, an internal counter increments.
There are only two ways to go out of the Faulty mode:
• A transition to the Initialisation mode and an automatic reset of the counter
• A transition to the Halt mode.
If the value of the internal counter remains lower than the Max_Fault parameter defined during the configuration step, the computer goes into the Initialisation mode. When the elapsed time since the last increment of the internal counter equals the value of the Fault_Detection_Lasting parameter defined during the configuration step, the value of the counter automatically resets.
When the value of the internal counter reaches Max_Fault, the computer goes into the Halt mode.
2.1.7 Halt mode
In this mode, the computer deactivates the watchdog relay and all the output relays. The computer does not operate anymore. The only way to go out of this mode is to perform a manual reset.
2.1.8 Summary of modes, tests, transitions, and faults
The different modes, tests, transitions, and faults of the computer show in the figure that follows:
[Figure C0288ENa: state diagram of the computer modes INITIALISATION, OPERATIONAL, MAINTENANCE, TEST, FAULTY and HALT. Transition labels: Init OK; hardware test OK and coherency not OK; DB/software compatibility not OK or DB/equipment compatibility not OK or data of database not valid; maintenance request; simulation request; end of simulation; major hardware fault or software fault; automatic reset; manual reset; Counter of faults = Max_Fault; vital hardware fault.]
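The mode transitions and the fault counter of sections 2.1.2 to 2.1.7, as an added Python model that is not part of the original manual or of the C264 software. The event names, the class name and the default values of Max_Fault and Fault_Detection_Lasting are assumptions chosen for this model; a vital hardware fault is modelled from any mode except Halt.

```python
from enum import Enum

Mode = Enum("Mode", "INITIALISATION OPERATIONAL MAINTENANCE TEST FAULTY HALT")

# (current mode, event) -> next mode. Event names are labels chosen for this model.
TRANSITIONS = {
    (Mode.INITIALISATION, "init_ok"): Mode.OPERATIONAL,
    (Mode.INITIALISATION, "coherency_not_ok"): Mode.MAINTENANCE,
    (Mode.OPERATIONAL, "maintenance_request"): Mode.MAINTENANCE,
    (Mode.OPERATIONAL, "simulation_request"): Mode.TEST,
    (Mode.MAINTENANCE, "active_request"): Mode.OPERATIONAL,
    (Mode.TEST, "end_of_simulation"): Mode.OPERATIONAL,
    (Mode.HALT, "manual_reset"): Mode.INITIALISATION,
}

class C264Modes:
    def __init__(self, max_fault=3, fault_detection_lasting=60.0):
        # Constructed defaults; the real values come from the configuration.
        self.max_fault = max_fault
        self.lasting = fault_detection_lasting
        self.mode = Mode.INITIALISATION
        self.faults, self.last_fault_at = 0, None
        self.trace = [self.mode]

    def event(self, name, now):
        """Apply one event at time `now` (seconds) and return the resulting mode."""
        # The counter resets once Fault_Detection_Lasting has elapsed since its last increment.
        if self.last_fault_at is not None and now - self.last_fault_at >= self.lasting:
            self.faults, self.last_fault_at = 0, None
        if self.mode is Mode.HALT and name != "manual_reset":
            return self.mode  # only a manual reset leaves Halt
        if name == "vital_hardware_fault":
            self._go(Mode.HALT)
        elif name == "software_fault":
            self.faults, self.last_fault_at = self.faults + 1, now
            self._go(Mode.FAULTY)
            # Faulty is left at once: Halt at Max_Fault, otherwise Initialisation.
            self._go(Mode.HALT if self.faults >= self.max_fault else Mode.INITIALISATION)
        else:
            # Requests that are not valid in the current mode change nothing.
            self._go(TRANSITIONS.get((self.mode, name), self.mode))
        return self.mode

    def _go(self, mode):
        if mode is not self.mode:
            self.mode = mode
            self.trace.append(mode)
```

The model shows why repeated software faults inside the Fault_Detection_Lasting window end in Halt, with the watchdog and output relays deactivated, while the same number of faults spread over a longer period only causes restarts.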
2.1.9 Redundancy Mode management
Two identical computers with the same hardware and the same database versions manage the main 1 rack redundancy.
• For the C264 Multirack system:
The two SCADA connections, one to the main 1 rack and one to the main 2 rack, are completely independent. For these two connections, there is no synchronisation of protocols, and each of these racks can have a different station address. The principle here is different from the standard redundant function, where the sequence of the messages on each connection is synchronised and where each rack has the same station address.
In the redundant configuration, the main 1 rack does not manage direct acquisitions, controls, or IED connections.
The main 1 rack and the main 2 rack have a single address on one of the two SCADA connections. This allows the main 1 rack and the main 2 rack to manage two different networks.
The main 1 rack operates when:
− The communication was set up on the main 1 rack connection to the SCADA. The GI request (ASDU 100) message confirms the set-up of the connection.
− The main 2 rack was in operation, a failure occurred, and the main 1 rack received a GI request.
When the SCADA detects a communication failure, the main 1 rack in operation becomes the main 2 rack. The SCADA must stop communicating with one rack when it decides to communicate with the other rack.
For more details, please refer to the figure that follows:
[Figure C0447ENa]
The main 1 rack:
• Manages the communications with the SCADA
• Receives all of the data acquired on the extension rack and updates the archives (SOE, slow waveform)
• Transmits all of the data acquired on the extension rack through the SCADA
• Manages the database downloads through the SCADA connection
• Receives the database through the SCADA connection or from the CAT and distributes the new configuration to all of the other racks, including the main 2 rack
• Manages the controls received through the active SCADA connection and sends them to the extension racks
The main 2 rack:
• Receives all of the data acquired on the extension rack and updates the archives (SOE, slow waveform)
• In event of a SCADA connection reset (GI Request), the main 2 rack does the functions of the main 1 rack
• Receives the configuration database from the main 1 rack and updates its own configuration database
To communicate the status of the main 1 rack and main 2 rack to the SCADA, you can wire the watchdog relays to the standard DI of one extension rack.
• For the C264:
The two redundant computers are the main 1 computer and the main 2 computer. The computer that performs the bay management is the active computer; the other one is the standby computer. In this configuration, the redundant computer can be:
• Main 1 computer in active mode
• Main 1 computer in standby mode
• Main 2 computer in active mode
• Main 2 computer in standby mode.
During the boot time, and if both computers operate, the main 1 computer is the active computer.
The two computers perform the same functions at the same time: inputs acquisition and processing; archiving; automation; but at a given time, only the active computer sends controls to the electrical process or on the SBUS. A PACiS IEC-61850 client receives data from the two computers: this client processes only the data it received from the computer in the active mode. Only the computer in the active mode manages the communication with IED or SCADA.
This switch from the active mode to the standby mode, and from the standby mode to the active mode, is performed automatically as follows:
FIGURE 1: REDUNDANCY MANAGEMENT
The two computers exchange data with:
• The SBUS, to give their internal status (IS)
• 2 pairs of DI/DO of the BIU board:
− DI1/DO1 to indicate the Active Status: DO1 is closed if the computer is Active
− DI2/DO2 to indicate a Station Bus failure: DO2 is open in event of failure
A value is given to each type of computer failure: the computer IS is calculated by summing all failure values. The healthiest computer has the minimal internal status. The healthiest computer is active.
Computer failure        Value
DOU board failure       0x20
CCU board failure       0x10
CT/VT board failure     0x08
DIU board failure       0x04
BIU board failure       0x02
AIU board failure       0x01
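The internal status calculation described above, as an added Python example that is not part of the original manual or of the C264 software. The function names are hypothetical, and counting each board type once in the sum is an assumption. Because the failure values are distinct powers of two, one failure of a higher-valued type outweighs all lower-valued failures combined.

```python
# Failure values from the table above; the higher the value, the more severe the failure.
FAILURE_VALUES = {
    "DOU": 0x20, "CCU": 0x10, "CT/VT": 0x08,
    "DIU": 0x04, "BIU": 0x02, "AIU": 0x01,
}
ALL_BITS = sum(FAILURE_VALUES.values())  # 0x3F, every board type failed

def internal_status(failed_types):
    """IS = sum of the failure values; each board type is counted once (assumption)."""
    unknown = set(failed_types) - set(FAILURE_VALUES)
    if unknown:
        raise ValueError(f"unknown board type(s): {sorted(unknown)}")
    return sum(FAILURE_VALUES[t] for t in set(failed_types))

def decode_status(status):
    """Return the failed board types encoded in an IS value, most severe first."""
    if not 0 <= status <= ALL_BITS:
        raise ValueError(f"IS out of range: {status:#x}")
    return [t for t, v in FAILURE_VALUES.items() if status & v]

def healthiest(l_is, r_is):
    """Compare local (L_IS) and redundant (R_IS) status; the minimal IS is healthiest."""
    if l_is == r_is:
        return "tie"  # equal status: the IS alone does not decide
    return "local" if l_is < r_is else "remote"

# Constructed sample: a single DOU failure against every other board type failed.
SAMPLE_LOCAL = internal_status(["DOU"])
SAMPLE_REMOTE = internal_status(["CCU", "CT/VT", "DIU", "BIU", "AIU"])
```

With the constructed sample, the computer that lost only its DOU board is ranked less healthy than the one that lost every other board type, which is worth knowing when reading IS values during a redundancy switch investigation.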
The algorithm to elect the Active computer shows in the table that follows.
The initial state is “Initialisation” (state 0) and the “DI1≠1” event is generated.
“L_IS” is the internal status of the computer, “R_IS” is the internal status of the redundant one.
The “confirmed DI2 ≠ 1” event is a detection of a Station Bus failure on the other computer (DI2 = 0) confirmed during 20 seconds.
T1 is the timer of Active status confirmation during the computer initialisation (default value: 5 seconds for the Main 1 computer, marked in configuration, 30 seconds for the Main 2 computer). T2 is the timer of master election (default value: 5 seconds).
The switching time is less than 30 seconds.
State 0: Initialisation
State 1: Waiting end of initialisation / T1 timer on going
State 2:
If (L_IS>R_IS) then conditions to enter standby mode are not true anymore then
2.2 Database management