High-Integrity Control System (HICS)TMR for Process Control

RTP Corp. • 1834 SW 2nd Street • Pompano Beach, Florida 33069PHONE (954) 974-5500 • FAX (954) 975-9815 • EMAIL rtpinfo@rtpcorp.com • WEB: www.rtpcorp.com

Product Highlights� Triple Modular Redundancy� Family of Fault-Tolerant Control Systems� High-Integrity Validation

RTP2300 High-Integrity Control System

Error checking on the bus (I/O chassis backplane)ensures no corruption of data going to, or from, theCPU. On the card level, the line (field wiring) issupervised to ensure continuity to the field, plus on-board diagnostics perform read-back of outputs andeven calibration checks on the A/D converters! Forcritical operations, such as program changes, specialroutines check and recheck the program validity.Lastly, in TMR configurations, outputs from all threeprocessors are sent to the I/O chassis, where thedata validation occurs, as close to the process aspossible.

High-Integrity Control System OverviewThe unique RTP High-Integrity Control System(HICS) protects your process as well as providingcontinuous access to process data with a combina-tion of multiple levels of redundancy and datavalidation that can be configured to meet yourprecise requirements.

Triple Modular Redundancy: For mission-criticalprocesses and applications, there is no substitute forTriple Modular Redundancy (TMR). Following thisphilosophy, RTP has developed a high integritycontrol system with TMR architecture specificallyfor process control. Data validity checking routinesensure your process is protected and downtimeeliminated.

The RTP approach provides added design flexibilitycompared to traditional TMR systems. Where pastTMR systems were limited by their dependence onhardware interconnections between processors tomaintain adequate synchronization and local I/O, RTPhas applied advanced communications technologiesand a fast, Ethernet-based I/O bus. As a result, thethree controllers that comprise an RTP TMR systemcan be housed separately to ensure survivability in acatastrophe such as a fire. I/O chassis can be locatedremotely eliminating the high cost and complexity oflong field wiring to the controllers. To further protectdata availability, chassis with dual power supplies canbe used at both the processor and the I/O levels.

High-Integrity Validation: Redundancy protectsagainst hardware failure to ensure high systemavailability, but what about error checking? An RTPHICS is perfectly suited for high-integrity, faulttolerant applications. The CPUs are validated toensure proper CPU performance, memory integrityand calculation integrity. Communications arevalidated using advanced built-in CRC routines onboth the host and the I/O communications bus. Itshigh-integrity chassis controllers validate systeminformation to ensure error-free performance, whileproviding the assurance of hardware availability.

Tired of the rest – try the best!RTP NetSuite includes all the tools you will everneed to design, simulate, test, integrate, andmaintain your industrial control applications.Following the IEC 61131 standard, NetSuite is afully integrated software workbench thatdramatically reduces the time it takes to develop,deploy, commission and maintain your controlapplication.

RTP engineers each NetSuite module so it workstogether seamlessly as a single solution: thepowerful, networked RTPView HMI; NetArraysgraphical configurator; data archives; alarms;trending; and global tag management database–allinteract seamlessly. NetArrays includes advancedcontrols (e.g. Fuzzy Logic, robust PID controlblocks) and powerful online commissioning tools.Favorite application or custom software? NetSuiteincludes an OPC server for a common interfaceto diverse process control applications.

RTP’s Hassle-Free Software Policy provides anunrestricted site license with free upgrades for aone-time registration fee, no maintenance fees,regardless of tag count or number of seats.Contact RTP at www.RTPCorp.com for your freedemonstration CD-ROM.

HICS ArchitectureThe RTP HICS architecture is based upon a family of controlsystems that combine peer-to-peer communications, acommon chassis design and the powerful RTP NetSuitemonitoring and control software.

• RTP2300T: For the highest level of integrity and availabil-ity, the RTP2300T Triple Modular Redundant systemfeatures data validation and communications validationwith triple, dual or common I/O, to provide the level ofredundancy required for the most economical cost.

• RTP2300D: Built on the same advanced technology asRTP2300T for a dual-redundant solution. The high-integrity dual-redundant solution uses advanced diagnos-tics to assist in results adjudication. The RTP2300Dfeatures dual-redundant processors, triple, dual orcommon I/O as required, and up to 32 remote I/Ochassis, all built upon the same components and configu-ration environment (RTP NetSuite) as the RTP2300T.Both the RTP2300T and RTP2300D support a medium tolarge, distributed control system architecture of up to10,000 I/O points per node.

The RTP High-Integrity Control System architecture is extremely scalable and incorporates multiple levels of redundancy. This unique design is builtupon a set of standard hardware and software components that supports multiple factory-configured applications. These standard components(processors, chassis, power supplies, I/O and configuration environment) are utilized to construct systems in Triple-Modular Redundant (T), Dual-Redundant (D) and Single (S) configurations. The figure above shows—from bottom up—(a) the I/O chassis; (b) the RTP2300T, RTP2300D andMicro2000D Series High-Integrity systems integrated over a redundant Fast Ethernet network; and (c) a supervisory domain comprised of the RTPNetSuite Integrated Software Environment.

• Micro2000 Series: For smaller systems, theMicro2000D Series HICS provides a high-integritysolution using dual processors and dual I/O. TheMicro2000D Series uses a subset of the same compo-nents as the RTP2300T and RTP NetSuite software.

• RTP NetSuite software: PC-based control and monitor-ing software for control logic, archiving, alarming,trending and HMI, a central tag database; PC-basedsimulation and OPC and DDE servers. Requires no keysor licenses. Powerful RTPView HMI and SCADA systemsoftware included with every copy of NetSuite.

RTP Family of High-Integrity SystemsRTP2300T HICSThe RTP2300T HICS is a TMR system that supports anycombination of triple-redundant, dual-redundant and singleI/O, in up to a total of 32 I/O chassis. It includes threeRTP2300 processors; factory-configured for TMR, in threephysically separate chassis (target nodes).

Target Node: Each RTP2300T Target Node is hosted in oneof an available 32 I/O chassis. The Target Node consists ofan embedded controller, common communications card

(CCC) and I/O option cards for almost unlimited I/Opossibilities.

Unique to RTP is the use of separate processor modules toachieve unparalleled system flexibility and performance. TheRTP2300 embedded controller is responsible for all systemfunctions with the exception of I/O scanning and voting.Each I/O chassis, including the chassis that hosts theRTP2300 controller, has a Common Communications Cardthat executes the I/O scanning, floating point conversion, andresults voting. RTP has chosen to place results voting at theI/O chassis to minimize the opportunity for data corruptionand maximize system response, which is so critical in processcontrol. This design allows RTP to take advantage of anadvanced multi-processor (up to 99 processors in a 32-chassis system) parallel processing architecture in a trulydistributed fashion unlike prior generation TMR systems.

The standard RTP2300T chassis can accommodate up to16hot-swappable analog, digital and special function I/O cards.The optional dual-powered chassis can accommodate 12 I/Ocards.

Embedded Controller: The Intel-architecture embeddedcontroller includes nonvolatile (disk-on-chip) memory, whichcontains the Target Node’s real-time run-time executive(Viking Engine) and the downloaded control application. Uponpower-up or reset, the embedded controller initializationroutines copy the contents from the disk-on-chip memoryinto its executable RAM before entering its run state.

The embedded controller utilizes advanced technology suchas parallel processing, math co-processors and synchronousDMA mode support, resulting in high-speed logic solvingwhile simultaneously performing error checking and valida-tion, I/O calls, peer-to-peer communications and communi-cating with the SCADA/HMI operator stations. All I/O valuesare reported with each scan to provide a higher level ofintegrity than report by exception routines. Peer-to-Peercommunications report by exception to reduce networktraffic; however, the user can define refresh time intervalswhere all peer variables are reported. This allows the user tomanage network integrity by balancing network traffic anddata integrity.

The embedded controllers contain a total of four Ethernetprocessors that are factory-configured to support securehigh-speed communications, such as host, interprocessor andI/O bus networking. Each communications port is trulyredundant all the way to the processor. If a communicationsinterface fails, the network interface will use another one ofthe multiple paths available. Additionally, RTP built advancederror-checking routines into the host, interprocessor and I/Obus structure, ensuring secure and accurate communications.

The I/O bus incorporates the latest, direct-connect Ethernetnetwork topology (shown in the diagram). This ensures thatprivate, dedicated lines carry all field connections–ensuringsecure transmissions with the convenience of standard

Ethernet connectivity. Multiple I/O chassis can be placedthroughout the plant, close to field devices. The benefits ofthis approach are reduced field wiring and installation costs,the utilization of fiber optic isolation, and a truly distributedarchitecture.

TMR Data Integrity: The RTP2300T is factory-configuredfor TMR application to support two-out-of-three output datavoting that ensures the highest levels of integrity and availabil-ity. Each RTP2300T target node solves the logic and sendsthe resultant outputs to the associated I/O chassis. Within theI/O chassis, the CCC processor performs data validationchecking prior to driving the outputs. Each I/O chassisperforms an independent two-out-of-three voting for itsassociated outputs. Therefore, if the systems outputs arelocated in multiple I/O chassis, the voting is distributed overthese chassis.

Distributed voting, performed as close as possible to theprocess, enhances integrity by moving potential fault variablesout of the response. Furthermore, results voting at the I/Ochassis level results in a much more responsive, high-speedsystem. High-speed processing means more data adjudica-tions per second, resulting in higher resolution and greaterintegrity.

Results deviations are recorded as “soft” errors, or faults, andwill not lead to a controller shutdown. This fault-tolerantcapability allows for continued TMR system operation duringspurious “soft” errors, while protecting the process. If anydeviation in hardware or network operation is detected, theoperator is notified immediately and the offending controller istaken offline. Meanwhile, the application continues to rununaffected on the remaining two controllers. While this is anabnormal state for the RTP2300T, the system now performsas a dual-redundant system, continuing to provide highintegrity and high availability. The RTP2300T can withstandanother failure and continue plant operation while operatoraction restores the system integrity.

The RTP2300T is designed to put you in control; in control ofthe process and in control of the system response (adjudica-tion). The RTP2300T was designed to compensate for thevagaries of process control to keep the plant operating–safely.

Non-Intrusive Initialization: RTP’s hot-swappable compo-nents and “easy out” power supplies, coupled with additionallayers of available redundancy, allow for a quick return to ahigh-integrity solution. When the error condition is clearedthrough online maintenance activities, non-intrusive reinitial-ization of the restored controller takes place, and theRTP2300T is again available as a fully functional TMR node.Non-intrusive reinitialization occurs incrementally usingadvanced data compression techniques, so as not to interruptthe process.

Signal Validation: Signal validation routines are supported inall of the RTP High-Integrity Control Systems from theRTP2300T to the Micro2000S. RTP signal validation routines

Superior ReliabilityRTP products are designed and qualified under thedemanding Class 1E Nuclear Safety guidelines forsuperior reliability, minimal downtime andmaintenance, and a high return on investment.

Optimized for Process ControlRTP2300 HICS’s are optimized for process controland monitoring. While they may appear to sharemany features with certified safety systems, RTPCorp. does not intend or suggest that they be usedin a system requiring IEC 61508 certification.

Trademark acknowledgments: RTP is a registered trademark of RTP Corp. All other product or service names mentioned herein are trademarks oftheir respective owners. Specifications subject to change without notice.

© 2004 RTP Corp. Not for reproduction in any printed or electronic media without express written consent from RTP Corp.All information, data, graphics and statements in this document are proprietary intellectual property of RTP Corp. unless otherwise indicated and are to beconsidered RTP Corp. confidential. This intellectual property is made available solely for the direct use of potential or licensed RTP Corp. customers in theirapplication of RTP Corp. products, and any other use or distribution is expressly prohibited. If you have received this publication in error, immediatelydelete, discard or return all copies to RTP Corp.

allow for the control of one logical input producedfrom up to four redundant inputs (three hardwareand one additional logic). There are six algorithmsthat the user can select to calculate the logicalvariable from the three physical field variables. TheRTP2300T supports both I/O card redundancy andsensor redundancy, which is field-configurable.

Triple Redundant I/O: An RTP2300T node supportsup to 32 RTP2316, RTP2312 or RTP2308 I/Ochassis. These I/O chassis accommodate one CCCprocessor and either 16, 12 or 8 I/O cards. Thesechassis can be configured as common (non-redun-dant), dual-redundant or triple-redundant I/O chassis.

Chassis specified as a redundant I/O pair or aredundant I/O triplet, must have their I/O cardsidentically configured with their field wiring con-nected to the same physical input or output point, orto identical redundant input sensors. The primarycontroller determines which redundant I/O chassis isthe primary chassis. Only the primary redundant I/Ochassis drives its analog outputs, the outputs on thesecondary and tertiary chassis are armed but isolatedfrom the field device. However, inputs are monitoredfrom all redundant I/O chassis. The CCC in eachredundant I/O chassis independently performs thetwo-out-of-three voting to ensure continued dataintegrity. In the event of a power failure or cardfailure in the primary I/O chassis, the controller willtake that chassis offline and select another redundantI/O chassis as the primary. The pre-armed outputs ofthe secondary chassis will be automatically connectedto the field device for a bumpless transfer. A control-ler failure does not degrade or cause the switchoverof an I/O chassis.

High Performance I/O: RTP’s specialized I/O cardssupport high-integrity applications and/or line super-vision for mission-critical applications. Fast scanrates, true 16-bit A/D precision, high CMRR (Com-mon Mode Rejection Ratio), over voltage isolationprotection, and superior construction are several ofthe advantages that hallmark RTP I/O. RTP allowstighter, more accurate control of the process, with apositive impact on the quality of your product.

RTP I/O cards provide a full range of I/O choices:from 5V to 240V AC, 5V to 125V DC, low levelmillivolt to +10V, 4-20 mA, thermocouples, RTDs,relays and others. Communications cards supportModbus Master and Slave serial communications,and Modbus TCP for connectivity to devices andother systems.

RTP2300D HICSThe RTP2300D HICS is a dual-redundant version ofthe RTP2300T, which performs data validationtesting from two sources. The RTP2300D has thesame capabilities as the RTP2300T with the excep-tion of data validation from three sources.

Dual Redundant Data Integrity: In theRTP2300D, if any deviation in the hardware ornetwork operation is detected, the operator is notifiedimmediately while the system determines the cause ofthe deviation through the use of comprehensivediagnostics. Once the system determines the cause ofthe deviation, the offending control is taken offline. Ifthe primary controller was determined to be at fault,a switchover to the secondary will occur, whichneither interrupts the normal high-speed I/O scan-ning, nor suspends the execution of the runningcontrol application. Regardless, at this point thesystem remains in control in a stable, albeit degradedstate. This degraded state still exhibits a level ofintegrity and availability in excess of single CPUsystems that are installed in countless process controlapplications! The difference, however, is that theoperator is aware of a malfunction and can takecorrective action before any process interrupt.

Micro2000D Series HICSThe Micro2000D Series HICS is dual-redundant,stand-alone high-integrity and high-availabilitysolution for small systems. Functionally, theMicro2000D series has the same data integritycapability as the RTP2300D. The difference is thatthe Micro2000D series is designed for small-to-medium size (400 I/O points or less), stand-alonehigh-integrity systems and can only be configuredwith dual-redundant I/O. The High-Integrity ControlSystem figure on the previous page shows theMicro2016D and the Micro2008D; the Micro 2012Dwith the dual-powered chassis is not pictured.