
Power Systems Control

Spectrum Power™ 4
Version 4.70

Supply and Installation of a new SCADA/EMS system for the National Dispatch Centre,
Back-up Dispatch Centre and Market Management System

MEPSO contract no.: 02-6109 14.10.2013

SIEMENS contract no.: P.08723

Functional Specification
Computer Network Management

F-BS03 Version 1.0.0.0 November 2013


Copyright © Siemens AG 2013. All rights reserved
Spectrum Power™ 4
Functional Specification
SCADA/EMS, BDC and MMS Computer Network Management

We reserve the right to make technical alterations. The information contained in the figures is not binding.
It is expressly forbidden to pass on or copy this document or to make use of or communicate the information it
contains without the appropriate authority to do so.

Anyone contravening this provision will be liable to pay damages.


Proprietary Notice
Spectrum Power™ 4 is a registered trademark of Siemens.

All trademarks used in this publication can be trademarks the use of which by third parties for their own
purposes could violate the rights of their owners.


Revision History

Version Date Author/ Department Approver/Department Modifications


1.0.0.0 November 2013 Christian Böhm IC EA SOL First Edition


Table of Contents

1 Introduction
2 Functional Overview
3 Functional Description
3.1 Computer Network Configuration Control
3.1.1 Server Process Modes and Server Statuses
3.1.1.1 Online Mode
3.1.1.2 Training Mode
3.1.1.3 Independent Mode
3.1.2 Redundancy Configurations
3.1.2.1 Hot Standby Redundancy Configuration (PC-Server and SB-Server)
3.1.2.2 Spare Redundancy Configuration (Spare Server)
3.1.2.3 Hardware Redundancy Configuration
3.2 Data Synchronization and Backup
3.2.1 Updating of the Database
3.2.2 Data Backup
3.3 Monitoring Features
3.3.1 LAN Monitoring
3.3.1.1 Redundant LAN
3.3.1.2 Decision for Server Runup after Connectivity Clash
3.3.2 Program Monitoring
3.3.2.1 Monitoring the Regular End of a Program
3.3.2.2 Testing the Reaction Capability of Programs
3.3.2.3 Watchdog
3.3.3 Fault Detection and Automatic Recovery
3.4 Update and Synchronization of Date and Time
3.5 Server Runup and Switchover
3.5.1 Startup coordination
3.5.2 Automatic Change of Server Status
3.5.2.1 Unconditional Change of Server Status
3.5.2.2 Conditional Change of Server Status
3.5.3 Manual Change of Server Status
4 Redundancy Characteristics
5 User Interface
5.1 Computer Network Overview Displays
5.2 System Diagnosis (Supervision Utility)


1 Introduction
The Computer Network Management (CNM) function is responsible for the provision of different independent
process modes for on-line/ test/ training functions as well as for maintaining a high degree of reliability in the
Spectrum Power™ 4 distributed computer system.

It also ensures:
- no reduction or loss of functionality and performance in case of a single failure,
- no loss of data in case of a single failure,
- no loss of data but reduction of functionality in case of multiple failures,
- minimum switchover time by applying hot standby redundancy,
- fast recovery from failures of components without hot standby capability.


2 Functional Overview
CNM provides the following features:
- Computer Network Configuration Control
  - Server Process Modes and Server Statuses
  - Redundancy Configurations
- Data Synchronization and Backup
- Computer Network Monitoring
  - LAN Monitoring
  - Program Monitoring
  - Fault Detection and Automatic Recovery
- Update and Synchronization of Date and Time
- Startup Coordination and Switchover


3 Functional Description
3.1 Computer Network Configuration Control
The distribution of the Spectrum Power™ 4 functions to the servers of the computer network is done via
configuration according to the following considerations.

- Related indivisible blocks of functionality are combined together in a server with a desired redundancy
  concept.
- The two servers with the same functionality in a hot standby redundancy concept belong to a “redundancy
  block”.
- A server which can assume the functions of a range of other servers belongs to a “spare redundancy
  group”.

The following table shows an example of a server configuration with the distributed functions.

TABLE 1 Names and Functions of the Servers


Name of the Server                Functions on the Server
--------------------------------  ---------------------------------------------------------------------
Source Data Management (SDM)      Source Data Management
                                  Data Maintenance
                                  Historical Data Management
                                  Schedule System
                                  Case Management (if no APP1-server is in the scope of supply)
Real Time Control (RTC)           Data Processing
                                  Supervisory Control
                                  Power Applications (if this function is in the scope of supply)
                                  Demand Side Management (if this function is in the scope of supply)
User Interface (UI)               User Interface
Application 1 (APP1)              Network Applications (if this function is in the scope of supply)
(if the server is in the          Case Management
scope of supply)
Application 2 (APP2)              Scheduling Applications (if this function is in the scope of supply)
(if the server is in the
scope of supply)


3.1.1 Server Process Modes and Server Statuses


The role which a server receives in the computer network is referred to as its “Process Mode”. Server process
modes are mutually exclusive; they apply simultaneously and independently, each in a different service area.

In fulfilling its role a server takes on different “Statuses” according to its current activity as shown in the following
table.

Redundancy      -                                   Hot Standby    Spare
Activity/Mode   None   Run Up   Process Control     Data Synchronisation
--------------  -----  -------  ------------------  -------------  ----------------------
On-line         NC     RU       PC Complete         SB Complete    PC with Active Tickets
Training        NC     RU       TR Complete *       -              -
Independent     NC     -        -                   -              -

Server failure or maintenance activities cause a server status change (e.g. to NC).

The process mode can be assigned to each server either by static definition during configuration or dynamically
by the system administrator.

The connected devices (e.g. printer) can only be assigned to servers in the same process mode.

3.1.1.1 Online Mode


Online mode is assigned to the following servers:
- RTC-servers (one server in PC complete status and one server in SB complete status)
- SDM-server (one server in PC complete status)
- UI-server (only in PC complete status)
- APP1-server (one server in PC complete status)
- APP2-server (one server in PC complete status)


3.1.1.2 Training Mode


Training mode allows current manual operations and process interventions to be simulated on a network model.
This is the process mode of the Dispatcher Training Simulator (DTS). The DTS system is configured according to
its requirements from the pool of available servers.

Within training mode all concerned servers have TR status. Data exchange only occurs between servers with
TR status.

3.1.1.3 Independent Mode


The independent mode is provided for hardware and software maintenance actions. There is neither a
connection between the servers in independent mode, nor do they have any connection to servers in other
process modes.

In independent mode software maintenance tasks (e.g. editing, off-line activities) can be performed. The servers
in independent mode can only communicate with other system components at UNIX level (e.g. file transfer).


3.1.2 Redundancy Configurations


To achieve the high availability of the Spectrum Power™ 4 System, the important parts are redundant. In case
of a server failure, a fast switchover to a spare server or standby server is provided without affecting the
on-line process.

A hardware failure is limited to the failed server. All other servers can continue, as long as they do not need any
service from the disturbed server.

Spectrum Power™ 4 supports a graduated redundancy concept. The following table shows the applied
redundancy for the most important functions/subsystems:

Function/Subsystem                                 Redundancy
-------------------------------------------------  -----------
Base Applications                                  Hot Standby
Power Applications (if in scope of supply)         Hot Standby
Demand Side Management (if in scope of supply)     Hot Standby
Historical and Future Data Management              Spare
Source Data Management                             Spare
Case Management                                    Spare
Network Applications (if in scope of supply)       Spare
Scheduling Applications (if in scope of supply)    Spare
User Interface                                     Hardware

A server with status Hot Standby (SB-server) is the reserve for the server with status PC (PC-server) and is
loaded with the same software as the PC-server. The spare server, on the other hand, can be a functional reserve
for several servers.

Hot Standby Redundancy and Spare Redundancy are identical with regard to their data updating, i.e. data
modifications are performed spontaneously on the original server and on the spare server. The hot standby
server takes over process control smoothly. The spare server has to perform a new system run-up. In both
cases no information is lost, but in case of a spare run-up, the functions of the respective server are not
available as long as the spare server is in the run-up mode.


3.1.2.1 Hot Standby Redundancy Configuration (PC-Server and SB-Server)


According to the Hot Standby Redundancy concept, the server in status PC (PC-server) handles the current
process and the server with status SB (SB-server) mirrors the primary’s work without producing any
output¹.

The SB-server is updated by the PC-server in several steps during the run-up phase and is continuously
synchronized up to the end of the run-up. During hot standby operation, manual entries (manual updating of
switching positions, acknowledgments in summaries, etc.) are inserted in parallel on the SB server, i.e. the
operations which are displayed as executed on the SDM server have been entered into the databases of both the
PC server and the SB server.

In hot standby process mode the databases are kept parallel and, additionally, all programs are started and run
on the standby server in the same way as on the process controlling server. The Telecontrol Interface TCI
supplies both servers (PC and SB) with the same process data via two different information channels. In case of
a switchover between PC-server and SB-server there is no switchover from the point of view of TC and the
information channels from TC to the RTC servers are continuously supplied. This means there is no loss of
incoming process information, the switchover of the RTC servers occurs smoothly, the switchover of the output
channels occurs automatically.

3.1.2.2 Spare Redundancy Configuration (Spare Server)


A spare server needs a runup when it takes over its new target function. Contrary to the simple
hardware reserve, the spare server can substitute more than one server.

Spare redundancy configuration can be configured so that it is not necessary to return to the original server
configuration when the server with the failure is available again.
The spare server can assume off-line tasks while keeping the redundancy up. In case of a switchover, i.e.
taking over the original function in status PC, the off-line tasks should be finished as soon as possible to
avoid possible effects on system control.
The switchover between spare server and original server may also be triggered manually.
To support ORACLE® databases on a server pair, the following method is implemented to ensure the
redundancy of the databases. The ORACLE databases which shall be kept redundant are maintained in a
configuration file.

Delta Backup Recovery

This method implements a software redundancy. The startup of the ORACLE databases and the cyclic update
between PC and spare server are provided, applying the Delta-Backup-Recovery supported by ORACLE. After
once copying the database during a spare startup, only the respective data modifications are transferred to the
spare server.

3.1.2.3 Hardware Redundancy Configuration


Hardware Redundancy means providing a number of devices dedicated to do the same functions. This
redundancy can only be used for servers which do not store any process data (e.g. the UI server). The
database is updated by the SDM server.

¹ Exceptions are heart beat and life check procedures, see also chapter 3.3.3 Fault Detection and Automatic
Recovery


3.2 Data Synchronization and Backup


3.2.1 Updating of the Database
At each server run-up the server determines its data source depending on the type of data and the state of the
own database area.

The SDM server is the master for all servers (provided that it is in the same process mode). If no SDM server or
SDM spare server is available, a server runs up with own data after the timeout time has expired.

3.2.2 Data Backup


Data Backup in Spectrum Power™ 4 is done in four steps:
- Data is not only stored on the RTC-PC server, but also on the RTC-SB server. If the RTC-PC server has a
  failure, the RTC-SB server takes over the process.
- Important data¹ are backed up on the SDM server.
- Data of the operational database (ODB) and data of the source database (SRC) are transferred to the SDM
  server. They are also transferred to an SDM spare server, if existing. In case both RTC servers fail, the
  operational database and the source database are updated from the SDM server.
- Data of the operational database (ODB) and data of the source database (SRC) on the SDM server can be
  transferred to an external storage medium. If a complete system breakdown occurs, the database of the
  SDM server can be restored using this external storage medium. Afterwards both RTC servers can run up
  and be updated from the SDM server. Data are not always the most recent ones, as this item is planned
  only for emergency cases.

Transferring Data to an External Storage Medium
- Data Backup is executed cyclically (cycle and time can be parameterized), but it can also be activated
  manually. Backup is done on-line without interrupting the normal process.
- If the SDM server fails during a Data Backup, Data Backup is repeated on the spare server, if existing.
- Data consistency is ensured by coordination with the SDM system.
- Start, end or break of a Data Backup are displayed in the General Summary².

Data Retrieval from an External Storage Medium
- The retrieval of backup data is initiated by the system administrator and is done off-line on the SDM
  server. After retrieval the SDM-server and the other concerned servers must perform a complete run-up.

¹ e.g. substitute values of analog values, contents of summaries, notes, etc.
² see Functional Specification User Interface, F-UI01


3.3 Monitoring Features


3.3.1 LAN Monitoring
The LAN is monitored within the transport layer by ‘heart beat’ telegrams. If no telegram has been received
by the expiry of the monitoring time, the LAN connection is closed.
At user level, i.e. in the Spectrum Power™ 4 system, the LAN is monitored additionally, as a disturbed
transmission layer is not always able to inform the user system about the linkage disconnection. The
Spectrum Power™ 4 system considers the connection to be disturbed if no user data, life-check
telegrams or acknowledgments are received within the monitoring time.

3.3.1.1 Redundant LAN


Telegrams transmitted via LAN are marked with a unique sequence number. All telegrams have to be
acknowledged with the corresponding sequence number. The first attempt is made on the master LAN; if the
telegram is aborted with indications or if the telegram is not acknowledged, the telegram is sent again on the
second LAN, if available. Telegrams are identified by their sequence number. Only the first received telegram
with a given sequence number is handled. All duplicate telegrams are dismissed by the receiver.
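
The retransmission and duplicate handling described above, modelled as an added example (not Siemens code and not part of the specification). The class names, the simulated drop flags and the rule that a duplicate is still acknowledged are assumptions of the example.

```python
# Added example: model of redundant-LAN telegram handling.
# Telegram, Receiver, Lan and Sender are hypothetical names, not CNM interfaces.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Telegram:
    seq: int        # unique sequence number assigned by the sender
    payload: str


@dataclass
class Receiver:
    # Note: 'seen' grows without bound here; a real receiver would bound it.
    seen: set = field(default_factory=set)
    handled: list = field(default_factory=list)
    dismissed: int = 0

    def receive(self, telegram):
        """Handle the first copy of a sequence number, dismiss later copies.

        Assumption: a duplicate is still acknowledged, so that a sender whose
        first acknowledgment was lost stops retransmitting.
        """
        if telegram.seq in self.seen:
            self.dismissed += 1
        else:
            self.seen.add(telegram.seq)
            self.handled.append(telegram.payload)
        return telegram.seq  # acknowledgment carries the same sequence number


class Lan:
    """One LAN segment; the drop flags simulate a disturbed link."""

    def __init__(self, name, receiver, drop_telegram=False, drop_ack=False):
        self.name = name
        self.receiver = receiver
        self.drop_telegram = drop_telegram
        self.drop_ack = drop_ack

    def transmit(self, telegram):
        """Return the acknowledged sequence number, or None on timeout."""
        if self.drop_telegram:
            return None
        ack = self.receiver.receive(telegram)
        return None if self.drop_ack else ack


class Sender:
    def __init__(self, master_lan, second_lan=None):
        self.lans = [master_lan] + ([second_lan] if second_lan else [])
        self.next_seq = 1

    def send(self, payload):
        """Try the master LAN first, then the second LAN if one exists.

        Returns the name of the LAN on which the telegram was acknowledged,
        or None if no LAN produced a matching acknowledgment.
        """
        telegram = Telegram(self.next_seq, payload)
        self.next_seq += 1
        for lan in self.lans:
            if lan.transmit(telegram) == telegram.seq:
                return lan.name
        return None


def demo_lost_ack():
    """Constructed scenario: the master LAN delivers the telegram but loses
    the acknowledgment, so the same telegram arrives again via the second LAN."""
    rx = Receiver()
    tx = Sender(Lan("LAN-A", rx, drop_ack=True), Lan("LAN-B", rx))
    acked_on = tx.send("breaker Q1 open")
    return acked_on, rx.handled, rx.dismissed


if __name__ == "__main__":
    print(demo_lost_ack())
```

The lost-acknowledgment case is the one that makes duplicate dismissal necessary: without it, the retransmitted telegram would be handled twice.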

3.3.1.2 Decision for Server Runup after Connectivity Clash


A conflict arises after the connection between two servers has been restored and both servers have kept their
old status. (Server 2 is dead as seen from server 1, but server 2 sees itself as alive.)

When a connection is restored, CNM resolves this conflict in the Connectivity Check procedure by shutting
down and restarting one of the two servers. As long as there is no connection, server 2 cannot influence the
rest of the system.

When only two servers are active, the decision for the server startup is derived from parameters, which enable
one server to appear more important than the other. When more than two servers are involved, the defective
server(s) are determined by majority formation.
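
The decision rule described above, written out as an added example (not Siemens code and not part of the specification). The function name, the partition and priority inputs, and the fallback to the priority parameters on an even split are assumptions; the specification only covers the two-server case and majority formation.

```python
# Added example: which servers are restarted after a connectivity clash.
# servers_to_restart and its inputs are hypothetical, not CNM interfaces.

def servers_to_restart(partitions, priority):
    """Return the set of servers to shut down and restart on reconnection.

    partitions: list of sets; each set holds the servers that stayed
                connected to each other while the link was down.
    priority:   dict server -> int, the configured parameter that makes one
                server appear more important than another (higher wins).
    """
    active = [set(p) for p in partitions if p]
    if len(active) < 2:
        return set()                      # nothing was separated, no conflict
    everyone = set().union(*active)
    total = len(everyone)

    if total > 2:
        # More than two servers: majority formation. The partition holding a
        # strict majority keeps its status; all other servers are defective.
        for part in active:
            if 2 * len(part) > total:
                return everyone - part
        # Assumption of this example: the specification does not say what
        # happens without a strict majority, so use the priority parameters.

    # Two servers (or no strict majority): the partition containing the
    # highest-priority server keeps its status.
    def rank(part):
        return max(priority[s] for s in part)

    ranks = sorted((rank(p) for p in active), reverse=True)
    if ranks[0] == ranks[1]:
        # Equal parameters cannot resolve the clash; flag the configuration.
        raise ValueError("priority parameters do not break the tie")
    keeper = max(active, key=rank)
    return everyone - keeper


if __name__ == "__main__":
    # Constructed inputs: server names and priorities are illustrative only.
    print(servers_to_restart([{"rtc1"}, {"rtc2"}], {"rtc1": 2, "rtc2": 1}))
    print(servers_to_restart([{"rtc1", "sdm1"}, {"rtc2"}],
                             {"rtc1": 1, "sdm1": 1, "rtc2": 9}))
```

In the second call the isolated server has the highest priority but is still restarted, because majority formation takes precedence once more than two servers are involved.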

3.3.2 Program Monitoring


3.3.2.1 Monitoring the Regular End of a Program
CNM checks cyclically whether programs crashed (i.e. did not end regularly) within the last cycle. A missing
program is reported as a message with a priority code that corresponds to an error message number.

3.3.2.2 Testing the Reaction Capability of Programs


Within the servers, selected process-relevant programs are tested with life check telegrams. These programs
must always be available. The tested programs must respond actively to show that they are not stuck in a
continuous loop.

3.3.2.3 Watchdog
A watchdog is loaded with a monitoring time. If this watchdog is not reset by the CNM within its monitoring time,
a reboot action is activated.


3.3.3 Fault Detection and Automatic Recovery


The Spectrum Power™ 4 software is designed to recognize faults as early as possible. All function (subroutine)
calls deliver an error flag as a return code to the calling program. These error flags are evaluated by the calling
program and logged. The reaction of CNM depends upon the severity of the error. Certain failures may be
handled differently depending upon whether redundancy is currently available. Furthermore, periodic checks are
performed to verify the health of components which are not used continuously (e.g. spare devices).

Error Classes

Spectrum Power™ 4 provides error classes. Each class has an assigned error weighting factor and with it the
corresponding reaction. Beside the local output of the error at the User Interface server, the local error
messages of all servers are collected centrally on the SDM server.


3.4 Update and Synchronization of Date and Time


Spectrum Power™ 4 includes a clock device, broadcasting time telegrams to every server connected to the
LAN. The clock device itself gets synchronized by an external clock module which can receive date/time
telegrams by radio.

If the external signal fails, the SINEC real-time transmitter switches to its internal time base, and an error
message is generated.

To synchronize the time, the clock device in broadcasting operation cyclically sends a time telegram to all
servers. All servers simultaneously receive the synchronization telegram, determine the time deviation to their
own internal clocks and then perform a smooth adaptation of their internal time.

After failure of the clock device a message is generated. Following a fixed, stated hierarchy the server with the
highest rank takes over broadcasting of the time telegrams to all other servers, based on its internal server
clock. Therefore synchronism of all servers is guaranteed.

Daylight Saving Time

The synchronization is not affected by time shift situations (e.g. daylight saving time), because Spectrum
Power™ 4 and UNIX maintain a Universal Time continuum. Date/time representation is localized only when
displaying (e.g. local time = CET (MEZ)).


3.5 Server Runup and Switchover


CNM operates without external device intervention and is controlled by algorithms that provide a high level of
security throughout the network.

3.5.1 Startup coordination


Spectrum Power™ 4 run up (or startup) is controlled by predefined operations and performed in phases. Its
duration depends on system size and database age. Possible startup conflicts are considered by the CNM
software. The database is updated by copying data from the PC (PCT) server based on startup goals.

If the PC server fails during runup of the SB server, then the SB reacts with a new runup. This is independent of
the current runup phase.

In the extreme case, the updating procedure might have been finished already, but a new runup has the
advantage that the former PC gains time to become PC itself.

3.5.2 Automatic Change of Server Status


In on-line mode the system initiates the reactions (e.g. error message, server stop, server switchover, server
runup) automatically, depending on the software error that occurred.

The system also detects whether a component (software or hardware) necessary to the process has failed
partially or totally. In this case the concerned server is set to the status NC and a server switchover is
initiated.

The following status changes need no server run-up:


PC ---> NC and SB ---> PC

The following automatic changes of server status can be configured:

3.5.2.1 Unconditional Change of Server Status


The automatic server switchover occurs immediately; no conditions are taken into account. In hot standby
redundancy server configuration a change of server status is always unconditional. But an unconditional change
of server status is also configured for spare redundancy server configuration.

3.5.2.2 Conditional Change of Server Status


The status change occurs only if at least one of the following conditions is fulfilled:
- The number of the attempted runups is larger than the configured number
- The runup time is larger than the configured runup time

A condition for a server status change is configured for a spare redundancy server configuration.

3.5.3 Manual Change of Server Status


The system administrator can initiate a change of server status. Both servers check whether they can agree to
the switchover, and acknowledge correspondingly. The acknowledgment may be refused, if for instance a switching
procedure is being performed or if an updating routine is running on a server with the same service area.

Some status changes can be performed without a new server run-up. These are:
PC ---> SB and at the same moment SB ---> PC

For all other manual status changes, a server stop and a new run-up are necessary.


4 Redundancy Characteristics
There are no special redundancy characteristics for CNM.


5 User Interface
5.1 Computer Network Overview Displays
Information about the computer network is shown in the following displays¹:
- System Configuration Display
  The one-line diagram shows a symbol for each device, such as: LAN, clock, server, DA, etc. Each symbol
  contains text describing the assignment of the device and the status of the device.
- System Resource Summary Display
  The System Resource Summary display contains the server runup messages and the statuses of the
  computer network.
- System Resource Alarms Summary Display
  The System Resource Alarms display contains the status changes of the computer network.

5.2 System Diagnosis (Supervision Utility)


The Supervision Utility displays:
- Server Status
- Statistics
  The table is built from the information of the history files. The history file contains the old status and the
  cause of the last failure. After each server failure, a new record is generated in the history file.

Manual operations in the running system (reconfiguration) are possible via the Supervision Utility.

¹ For details see Functional Specification User Interface, F-UI01
