UOC UserGuide
RELEASE 516
Contents
Chapter 1 - About this guide
1.1 Revision history
1.2 Related documents
1.3 Terms and definitions
Chapter 2 - Overview of UOC features
2.1 Native Experion Integration
2.2 ControlEdge 900 Form Factor
2.3 FTE Uplink Connectivity
2.4 Ethernet I/O Connectivity
2.5 ControlEdge 900
2.6 Field Device Manager
2.7 EtherNet/IP Connectivity to I/O, Devices, and Controllers
2.8 CEE Control Processing
2.9 Control Builder Strategy Configuration
2.10 I/O Points and I/O Reference Blocks
2.11 Simulation
2.12 Control Redundancy
2.13 Peer-To-Peer Communication
2.14 Alarms and Events
2.15 Time Synchronization
2.16 Security
2.17 Licensing
2.18 vUOC
Chapter 3 - Networking
3.1 Uplink FTE Network
3.2 Downlink I/O Network Topology
3.2.1 HSR Ring Topology with 900 I/O
3.2.2 Redundant Star (PRP) Topology with 900 I/O
3.2.3 DLR Ring Topology with EtherNet/IP and 900 I/O devices
3.2.4 Non-Redundant Star to 900 I/O and EIP Devices
3.2.5 EtherNet/IP in Experion
Chapter 4 - Installation
4.1 Hardware Considerations
4.2 Firmware Considerations
4.2.1 Converting PLC CPM to UOC CPM
4.2.2 Upgrading UOC CPM to New Firmware Version
4.2.3 Upgrading UOC EPM to new Firmware Version
Chapter 5 - Configuration
5.1 Configuration Studio
5.2 Define and add assets in your enterprise model
5.3 Control Building
5.4 Specifying a Time Server
5.5 FTE Device Index
5.6 Creating UOC Platform block
5.6.1 Method 1: Using the File Menu
5.16 Licensing Model
5.16.1 I/O Analog/Digital point(s) license
7.5.1 Rules
7.5.2 I/O Module Creation
8.4.1 Scaling Configuration Tab
8.4.2 Configuration
8.4.3 To view and modify the scaling parameters in EtherNet/IP generic device instances
10.2.3 Status LED
10.2.4 Redundancy Role LED
11.6.2 OPM-related notifications - RDNOPMSTATUS parameter
13.7 vUOC Deployment
13.7.1 Reconfigure Network Assignments
16.1.4 Certificate Management
16.1.5 Secure Communications using IPSec
16.1.6 Secure Communications Using TLS
16.1.7 Secure Boot
Chapter 1 - About this guide
Document: Firmware Manager User Guide_EPDOC-X470.pdf
Description: This document describes the tool used for loading firmware to hardware modules of the UOC system and for uploading diagnostics information from them.

Document: 511A.pdf
Description: configuration, and load the new switch configurations to the switches. It also briefly describes creating and saving projects using the tool.

Document: Control Building User’s Guide_EPDOC_XX19_en-511A.pdf
Description: The procedures in this guide are intended to give you the ability to perform basic tasks within the Control Builder application such as configuring hardware devices, continuous control strategies, and sequential control strategies. Only representative forms are shown to illustrate a procedure/concept.

Document: Virtualization with the Premium Platform EPDOC-X455-en-B.pdf
Description: This guide gets you started with the Honeywell Premium Platform for Experion Virtualization Solutions.
Term: Definition
AI: Analog Input
AO: Analog Output
CA: Certificate Authority
CM: Control Module
CMCC: Certificate Manager Configuration Console
DI: Digital Input
DO: Digital Output
Downlink: Shorthand term used to refer to one of two possible types of I/O and device network that a UOC controller connects to.
Files which define the communication properties of devices capable of connecting to EtherNet/IP networks.
EtherNet/IP: EtherNet/IP™
HW: Hardware
IIS: Internet Information Services
I/O: Input/Output
IP: Internet Protocol
IPSec: Internet Protocol Security
Local I/O rack: I/O rack with Control Processor Module installed (non-redundant)
NIC: Network Interface Controller
NVS: Non-Volatile Storage
PC: Personal computer
Peer Server Responder: Data sourcing service provided by the Experion Process Server node which allows controllers like the UOC to access any data presented by the Server’s data points via peer communication over the supervisory network.
Redundancy Module (RM): Module used with a CPM within a 1 I/O Slot Rack to implement Dual Rack Redundancy.
SW: Software
User Goals: What users are hoping to achieve at a high level and why. Independent of system implementation. Should be able to be linked to stakeholder business goals and SRS use cases.
User Scenarios: Specific examples that elaborate on user goals in a context. Told in the form of stories. Independent of system implementation.
Chapter 2 - Overview of UOC features
The Unit Operations Controller (UOC) is a high value, low cost, rack-based process controller that
can be applied to any process control application in any industry. Its form factor, cost profile and
licensing model make it especially well-suited to industries that prefer to limit the scope of a single
controller to a single process unit, and to industries that require powerful batch enablers.
The UOC is paired with a virtualized controller called the virtual Unit Operations Controller
(vUOC). The vUOC provides a set of functions parallel to those of the UOC except that they are
deployed within a server hosted virtual machine.
Summary descriptions of UOC and vUOC features are presented within this section. Additional
details may be found elsewhere within this document and within the overall Experion document
set.
Component: CPM
Description: Control Processor Module. Referred to as UOC-CPM. Host processor of control and communications supporting redundant and non-redundant configurations. Provides two uplink Ethernet ports for connectivity to FTE. Provides two downlink Ethernet ports for connectivity to an I/O and device network.

Component: I/O Racks
Description: Five possible non-redundant racks which hold an EPM or a non-redundant CPM together with 1, 4, 8 or 12 I/O Modules. Three of the racks accommodate non-redundant power supplies. The 8 and 12 slot racks are available with redundant power supplies and a power status module.
Detailed information on the installation, planning and general characteristics of ControlEdge 900
HW components can be found in ControlEdge 900 Platform Hardware Planning and Installation
Guide_HWDOC-X430.pdf.
Additional I/O modules will be made available in future releases of the Experion PKS.
NOTE: For Module AI16-100MS, the Model Number should be 900A16-0103 and the
firmware version should be 1.39 for the 100 ms scan rate support.
For the IO modules below, there can be a mismatch between the Model Number of the IO module
hardware and the Model Number that the IO module reports.
o I/O Reference Blocks are basic blocks instantiated in Control Modules to make an I/O
signal available for connection to algorithm blocks.
o They are bound to I/O Points through named references independent of particular
channels in particular I/O Modules.
o They support a simulation mode that allows for strategy checkout to be done in the
absence of I/O Modules.
o They complement I/O Points by serving as the reference end of the connection to the
I/O Point.
o In addition to referencing I/O channels, they can be used to reference key parameter
data which do not correspond to actual I/O channels.
UOC’s I/O Points and I/O Reference Blocks provide key enablers of the Lean Execution of
Automation Projects (LEAP) methodology supported by Experion.
2.11 Simulation
UOC may be used for both control and strategy-check-out simulation without the need to deploy a
special purpose simulation application. Simulation behaviors of strategies are controlled through
the SIMMODE parameter of I/O Reference blocks within the Control Module under test.
UOC uses Experion native CDA protocol for communication with peer partners as well as level 2
server and station nodes. Parameter reads are supported under a cyclic publication paradigm.
Parameter writes are supported under an acyclic store paradigm.
Within CMs and SCMs, the configuration of peer references is transparent to the application
engineer. They are specified by configuring fully qualified parameter names such as
“TT101.DATAACQ.PV” in expressions, input pins or selected output pins, without concern as to
whether the parameter is in the same UOC or in a different controller.
UOC’s CDA peer connections may also be used to reference data from SCADA points by virtue of
Experion Peer Server Responder capability.
The Experion node types with which UOC supports CDA peer-to-peer communication are listed in
the following table. This set will be expanded in future releases.
                  Responding Node
Initiating Node   UOC   vUOC   C300   C200E   C200
UOC               ✓     ✓      ✓      ✓       ✓
vUOC              ✓     ✓      ✓      ✓       ✓
C300              ✓     ✓      ✓      ✓       ✓
ACE               ✓     ✓      ✓      ✓       ✓
C200E             ✓     ✓      ✓      ✓       ✓
NOTE 1: The C200 controller can respond to CDA peer communications from a UOC or vUOC
but cannot initiate them.
• Exchange Blocks
UOC supports a library of blocks which enable communication with third party PLCs and devices
via protocols which were originated by Rockwell Allen Bradley and now support transport over
Ethernet. Blocks within the EXCHANGE library allow initiation of and response to read and write
requests for flags, numeric and string arrays. EXCHANGE blocks support two protocols: the
Common Industrial Protocol™ (CIP) and Programmable Controller Communication Commands
(PCCC).
• PCDI Blocks
UOC supports a library of blocks called Peer Control Data Interface (PCDI) which enable
communication with third party PLCs and devices via the Modbus TCP/IP protocol. Blocks within
the PCDI library allow initiation of read and write requests through a device proxy block to flag,
numeric and string arrays in a Modbus-capable peer controller.
2.16 Security
UOC has built in enablers to provide for the secure and robust operation of its control and I/O
configurations. This includes an uplink firewall that limits message types to those appropriate to
the mission of the FTE network. It includes a downlink firewall that limits message types to those
appropriate to the missions of 900 I/O and EtherNet/IP communication. UOC also supports
mechanisms of signed firmware and secure boot which ensure that only Honeywell-authorized
firmware is executed within the device.
2.17 Licensing
UOC systems are delivered under a licensing model which allows HW and SW components to be
deployed in the manner that most naturally fits the process control problem to be solved. Indirect
cost penalties for good design practices are avoided. The bulk of the cost associated with deploying
a UOC system is proportional to the count of Analog and Digital I/O points put into service. There is
little additional cost if a good design dictates the deployment of small, per unit controllers. Similarly,
there is little additional cost if the design dictates the deployment of small, modularized control
strategies.
For more information on Licensing, refer to the Licensing Model section.
2.18 vUOC
As noted above, the virtual UOC provides a set of functions nearly equivalent to those provided by
the ControlEdge 900 based UOC. It is well suited to supervisory batch applications, lab applications
and control strategy checkout before strategies are deployed to a ControlEdge UOC.
Differences between the two are driven by the nature of their hosting platforms and, to a certain
extent, by particular strengths that their respective deployments provide. Key differences are
highlighted by the following table.
Users familiar with the Experion portfolio of controllers and simulators may be tempted to interpret
the vUOC in terms of things they are already familiar with. There are indeed similarities that can be
noted. But there are also significant differences which prevent vUOC from being equated with
previous offerings. This point is highlighted by the following table.
Attribute           UOC   vUOC   C300   SIM-C300   ACE   SIM-ACE
Hosting on Server   No    Yes    No     Yes        Yes   Yes
Chapter 3 - Networking
UOC utilizes an existing FTE network, native to Experion PKS. It has a dual connection to Level 2
Yellow and Green FTE switches. No third party firewalls are required.
The number of levels of FTE switches above the UOC may be one, as shown in the diagram above,
two or three.
vUOC’s deployment within an FTE network follows Experion guidance for virtual machines. For
further information, see the vUOC section in this document.
Like existing CEE controllers, UOC requires the presence of a Process Server to function within an
Experion system.
When connecting to FTE, the UOC CPM gets its IP address from the Experion BOOTP service
running on the Engineering Station node. Its IP address is constructed by combining the CPM’s
FTE Device Index with the subnet base address configured through Control Builder and known to
the BOOTP server. Rotary switches of the UOC CPM are located on the module and are used to set
the FTE Device Index. They must be set before the module is inserted into its slot.
ATTENTION
Ensure that the Device Index is set before you place a module in a rack.
Note that, in the special circumstance that a PLC CPM received from the factory is being converted
to a UOC CPM, considerations on IP addressing are different initially. For further information on
converting a PLC CPM to a UOC, see the Converting PLC CPM to UOC CPM section.
Care must be taken in the assignment of FTE device indices to a UOC’s rotary switches. In a
redundant controller rack, the left-hand UOC must be assigned an odd numbered device index
while the right-hand UOC must be assigned an odd + 1 device index. The odd + 1 position is
reserved and must not be used for anything other than the redundant partner. Non-redundant
UOCs must always be assigned odd numbered device indices. For more information on how to set
the FTE device index, see the FTE Device Index section.
The L2 FTE switches to which UOC connects are managed switches which must be configured
using the FTE Switch Configuration Tool. Any ports to which UOCs connect must be configured as
“Other Auto” using this tool. For further information on the FTE Switch Configuration Tool, see the
Switch Configuration Tool Users Guide_EPDOC-X246-EN-511A.pdf.
Except for specific considerations noted within this document, all FTE installation and
maintenance practices for the UOC and vUOC must be done in a fashion consistent with Experion
and FTE guidelines. For further information, see Fault Tolerant Ethernet Overview and
Implementation Guide EPDOC-XX37-en-511A.pdf, Fault Tolerant Ethernet Installation and Service
Guide EPDOC-XX36-en-511A.pdf, and Network and Security Planning Guide EPDOC-XX75-en-
511A.pdf.
ATTENTION
Uplink and downlink subnets must be unique. The Downlink subnet mask must be limited to
the number of addresses expected in that subnet.
For example, if a max of 64 addresses is expected, you could use a mask of 255.255.255.192.
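The FTE Device Index rules (odd index for a non-redundant or left-hand UOC, odd + 1 reserved for the redundant partner) and the subnet rules in the ATTENTION note above can be checked against a site plan before any rotary switch is set. The following is an added example, not Honeywell code; the plan layout, controller names and addresses are constructed for illustration.

```python
"""Pre-deployment check of a UOC addressing plan.

Added example: the plan layout, controller names and addresses below are
constructed for illustration and are not taken from the guide.
"""
import ipaddress


def tightest_prefix(expected_addresses):
    """Longest IPv4 prefix whose block still holds the expected count.

    The count is the total number of addresses in the block, which is how
    the guide's example (64 addresses -> 255.255.255.192) counts them.
    """
    if not 1 <= expected_addresses <= 2 ** 32:
        raise ValueError("expected_addresses must be between 1 and 2**32")
    host_bits = (expected_addresses - 1).bit_length()
    return 32 - host_bits


def tightest_mask(expected_addresses):
    """Dotted-quad form of tightest_prefix()."""
    prefix = tightest_prefix(expected_addresses)
    return str(ipaddress.ip_network(f"0.0.0.0/{prefix}").netmask)


def check_subnets(uplink, downlink, expected_downlink_addresses):
    """Uplink and downlink must be unique; downlink mask must be tight."""
    findings = []
    up = ipaddress.ip_network(uplink, strict=False)
    down = ipaddress.ip_network(downlink, strict=False)
    if up.overlaps(down):
        findings.append(f"uplink {up} and downlink {down} overlap")
    wanted = tightest_prefix(expected_downlink_addresses)
    if down.prefixlen < wanted:
        findings.append(
            f"downlink mask {down.netmask} is wider than "
            f"{tightest_mask(expected_downlink_addresses)}")
    elif down.prefixlen > wanted:
        findings.append(
            f"downlink mask {down.netmask} cannot hold "
            f"{expected_downlink_addresses} addresses")
    return findings


def check_device_indices(controllers):
    """Apply the odd / odd + 1 FTE Device Index rules to a list of UOCs."""
    findings = []
    claimed = {}  # device index -> controller that uses or reserves it
    for ctl in controllers:
        name, left = ctl["name"], ctl["left"]
        if left % 2 == 0:
            findings.append(f"{name}: index {left} is even, must be odd")
        if ctl.get("redundant") and ctl.get("right") != left + 1:
            findings.append(
                f"{name}: partner index {ctl.get('right')} must be {left + 1}")
        # An odd index also reserves its odd + 1 slot, even when the UOC
        # is non-redundant; an even index only occupies itself.
        slots = (left, left + 1) if left % 2 else (left,)
        for idx in slots:
            owner = claimed.setdefault(idx, name)
            if owner != name:
                findings.append(
                    f"{name}: index {idx} is used or reserved by {owner}")
    return findings


# Constructed plan with three deliberate mistakes (UOC_B, UOC_C, UOC_D).
SAMPLE_CONTROLLERS = [
    {"name": "UOC_A", "redundant": True, "left": 11, "right": 12},
    {"name": "UOC_B", "redundant": False, "left": 14},
    {"name": "UOC_C", "redundant": True, "left": 21, "right": 23},
    {"name": "UOC_D", "redundant": False, "left": 12},
]

if __name__ == "__main__":
    for line in check_device_indices(SAMPLE_CONTROLLERS):
        print("device index:", line)
    for line in check_subnets("10.1.0.0/24", "10.1.0.128/25", 64):
        print("subnet:", line)
```
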
Considerations for components that connect to a UOC’s downlink HSR ring network are
summarized in the following table.
Component Type: ControlEdge UOC CPM
Comments: The UOC CPM must be connected to the downlink I/O ring such that even numbered ports always connect to odd numbered ports. Important properties of UOC CPM communications on the downlink network are configured on the UOC Platform Block in Control Builder. This includes configuration of the UOC DHCP server for assigning EPM IP addresses. It also includes setting the Downlink Network Configuration to Ring-HSR. For complete information on configuring the downlink network properties on the UOC Platform Block, see the UOC Platform Block section.

Component Type: ControlEdge 900 I/O Racks with EPMs
Comments: An EPM must be connected to the downlink I/O ring such that even numbered ports always connect to odd numbered ports. Before it is inserted into its slot, the 100X rotary switch on the EPM board must be set to indicate I/O network connectivity. This is done by setting it to position 3. The IP address of the EPM is assigned by the UOC CPM based on the module number set on the 10X and 1X rotary switches. Ensure that the values within the range of 1-12 are used, as these are the valid values. This too must be set before the EPM is inserted into its slot. For complete information see the ControlEdge 900 I/O Device Connectivity section.
ATTENTION
The UOC does not support downlink network topologies containing both PRP and non-
redundant connected devices. If your UOC downlink network connection type is configured
for redundant star, you should only connect PRP-capable devices to the downlink network.
The UOC does not support star topologies which mix redundant and non-redundant connectivity.
Downlink star networks must be set up as exclusively redundant or exclusively non-redundant.
Component Type: ControlEdge UOC CPM
Comments: Important properties of UOC CPM communications on the downlink network are configured on the UOC Platform Block in Control Builder. This includes configuration of the UOC DHCP server for assigning EPM IP addresses. It also includes setting the Downlink Network Configuration to “Non-redundant” in the case of a non-redundant star network or “Star-PRP” in the case of a redundant star network. For complete information on configuring the downlink network properties on the UOC Platform Block, see the UOC Platform Block section.

Component Type: ControlEdge 900 I/O Racks with EPMs
Comments: Before it is inserted into its slot, the 100X rotary switch on an EPM board must be set to indicate I/O network connectivity. For a non-redundant or redundant star network, this is done by setting it to position 4. The IP address of the EPM is assigned by the UOC CPM based on the module number set on the 10X and 1X rotary switches. Ensure that the values within the range of 1-12 are used, as these are the valid values. This too must be set before the EPM is inserted into its slot. For complete information see the ControlEdge 900 I/O Device Connectivity section.

Component Type: Unmanaged Switches
Comments: 900 I/O racks with EPM gateways have been qualified to communicate with UOC through unmanaged switches. Managed switches may not be used. For information on qualified switches see the ControlEdge 900 Hardware and Installation Guide.
3.2.3 DLR Ring Topology with EtherNet/IP and 900 I/O devices
Device Level Ring (DLR) is a layer 2 (data link layer) protocol that provides media redundancy,
faster network fault detection, and network fault resolution in a ring topology.
Advantages:
• DLR reduces the number of external components and associated cabling, which eases design
and installation. It also reduces the cost.
• When a ring breaks, DLR detects it and provides alternate routing of the data to help recover
the network at extremely fast rates.
• Line faults of bidirectional rings can be reconfigured quickly, as switching happens at a high
level, and thus the traffic does not require individual rerouting.
On a network with only DLR devices, one device acts as the active ring supervisor and the other
devices form ring nodes. A DLR network contains a maximum of 50 IP address nodes (this is a
Honeywell specification).
A DLR network should have at least one node configured as ring supervisor. If multiple nodes are
configured as supervisor, the node with the highest supervisor precedence value becomes the
active supervisor and the others become backup supervisors.
The active ring supervisor cyclically sends out Beacon Frames and Announce Frames on both
ports. They are received on one port of a ring node, processed and passed on to the next ring node
via the other port.
The DLR ring topology provides redundancy protection against a single network ring fault.
Installation and maintenance of a downlink EtherNet/IP network must be done in accordance with
the best practices of Ethernet networking in general and EtherNet/IP in particular.
In this topology, UOC connects directly to the ring through downlink ports ETH3 and ETH4. EPMs
connect through their ETH1 and ETH2 ports directly to the ring network.
An example of a DLR Ring network is shown in the following diagram.
Installation and maintenance practices for the UOC’s downlink EtherNet/IP network generally
follow those described in the EtherNet IP User's Guide. Additional considerations for components
that connect to the EtherNet/IP network are summarized in the following table.
Component Type: ControlEdge UOC CPM
Comments: The UOC CPM connects to a downlink EtherNet/IP network through its ETH3 and ETH4 ports. Important properties of UOC CPM communications on the downlink network are configured on the UOC Platform Block in Control Builder. This includes configuration of the UOC DHCP server for assigning EPM IP addresses. It also includes setting the Downlink Network Configuration to Non-redundant.

Component Type: ControlEdge 900 I/O Racks with EPMs
Comments: When 900 I/O is used, the EPM in the I/O rack serves the role of communication gateway into the I/O rack. When an EPM is connected, ETH1 port and ETH2 port are directly connected to an EtherNet/IP network. Before it is inserted into its slot, the 100x rotary switch on the EPM board must be set to indicate the type of network connectivity in use. This is done by setting it to position 4. The IP address of the EPM is assigned by the UOC CPM based on the module number set on the 10X and 1x rotary switches. These switches must also be set before the EPM is inserted into its slot. For complete information on the use of ControlEdge EPM and 900 I/O, see ControlEdge 900 I/O section.

Component Type: Allen Bradley OPC Server from MatrikonOPC
Comments: The Rockwell Allen Bradley OPC Server from MatrikonOPC can be installed on the Engineering Station in systems which incorporate UOC. The Matrikon OPC Server enables one of two methods whereby ControlLogix tag names can be used to make UDT references in a UOC strategy. For further information, see EtherNet IP User's Guide_EPDOC-X399-en-511A.pdf.

Component Type: Studio 5000 Logix Designer Software
Comments: Studio 5000 Logix Designer Software from Rockwell Allen Bradley is used in conjunction with UOC configurations to configure IP addresses of Rockwell Allen Bradley EtherNet/IP devices. It can also be used to export a file which defines ControlLogix tag names so that they can be used in Control Builder to construct UDT data references from UOC. For further information, see EtherNet IP User's Guide_EPDOC-X399-en-511A.pdf.
ATTENTION
While using DLR (Device Level Ring) on a Stratix 5700 Switch, DO NOT CONNECT a DLR
network to a Non-DLR port on the Switch. DLR should be connected only to the DLR ports
on the switch. Connecting a DLR network to a Non-DLR port will result in the entire downlink
network going down. The recovery is to only remove the DLR connection from the switch.
Installation and maintenance of a downlink EtherNet/IP network must be done in accordance with
the best practices of Ethernet networking in general and EtherNet/IP in particular.
In this topology, CPMs connect through their ETH3 downlink port with ETH4 port disconnected.
EPMs connect through their ETH1 port with ETH2 port disconnected. An example is shown in the
diagram below.
Installation and maintenance practices for the UOC’s downlink EtherNet/IP network generally
follow those described in EtherNet IP User's Guide_EPDOC-X399-en-510A.pdf for topology 2, “C300
Through EtherNet/IP”. Additional considerations for components that connect to the EtherNet/IP
network are summarized in the following table. ControlLogix PLCs and EtherNet/IP I/O and Devices
are equivalent to those for DLR ring networks.
Component Type: ControlEdge UOC CPM
Comments: The UOC CPM connects to a downlink EtherNet/IP network through its ETH3 and ETH4 port. Important properties of UOC CPM communications on the downlink network are configured on the UOC Platform Block in Control Builder. This includes configuration of the UOC DHCP server for assigning EPM IP addresses. It also includes setting the Downlink Network Configuration to Non-redundant.

Component Type: ControlEdge 900 I/O Racks with EPMs
Comments: When 900 I/O is used, the EPM in the I/O rack serves the role of communication gateway into the I/O rack. When an EPM is connected to an EtherNet/IP network, its ETH1 port is connected to the switch while its ETH2 port is left disconnected. Before it is inserted into its slot, the 100x rotary switch on the EPM board must be set to indicate the type of network connectivity in use. This is done by setting it to position 4. The IP address of the EPM is assigned by the UOC CPM based on the module number set on the 10X and 1x rotary switches. These switches must also be set before the EPM is inserted into its slot. For complete information on the use of ControlEdge EPM and 900 I/O, see ControlEdge 900 I/O Device Connectivity section.

Component Type: Unmanaged Switches
Comments: 900 I/O racks with EPM gateways have been qualified to communicate with UOC through unmanaged switches. EPMs may not be connected through managed switches. For information on qualified switches see ControlEdge 900 Platform Hardware Planning and Installation Guide_ HWDOC-X430.pdf.

Component Type: Stratix Switches
Comments: EIP I/O, devices and PLCs may be connected to UOC through qualified, Stratix managed switches. For further information on how to deploy and configure Stratix switches, see EtherNet IP User's Guide_EPDOC-X399-en-511A.pdf.
#: 1
Connectivity Name: SCADA Server To EtherNet/IP
Summary: SCADA Server | FTE Network | L2.5 or L3 Router | Ethernet Link | EtherNet/IP-capable Switch | EtherNet/IP Network | PLCs
Description: The Experion SCADA Server supports connectivity to Rockwell Allen Bradley ControlLogix PLCs which are attached to an EtherNet/IP network. The SCADA Server connects to the L2 FTE network which provides a path through an L2.5 or L3 Router and through non-redundant Ethernet links, to an EtherNet/IP-capable, Stratix switch. Access Lists of the router must be configured as a security boundary between the FTE and EtherNet/IP networks.
NOTE
Users who wish to use UOC with secure communications should be aware that considerable
planning and configuration is required in its setup. For further information, see section
Configuring a Secure Connection for Experion Integration.
Chapter 4 - Installation
For more information, see ControlEdge 900 Platform Hardware Planning and Installation Guide_
HWDOC-X430.pdf.
Firmware update and CPM conversion are done using an application called Firmware Manager.
For detailed information on using Firmware Manager, see Firmware Manager User Guide_EPDOC-
X470.pdf.
ATTENTION
• Once the PLC is converted into a UOC, it should not be reconnected to a PLC system
as it requires Experion PKS infrastructure to operate.
• The PLC’s ControlEdge Builder is not used to perform PLC-to-UOC conversion.
Manually attempting to load UOC firmware to a PLC-CPM with the PLC’s ControlEdge
Builder may result in controller firmware corruption.
• UOC-to-PLC conversion is currently not supported. Manually attempting to load PLC
firmware to a UOC-CPM may result in controller firmware corruption.
• Do not install the PLC’s ControlEdge Builder software on either an Experion node
type or a Bench laptop or PC that has Firmware Manager installed. These
applications have similar controller communication infrastructures that are not
designed to co-exist, and installing both breaks Firmware Manager to module
communication.
The main distinction of a Bench System is that it uses a laptop or PC that is not an Experion PKS
node type. The Bench laptop or PC requires a one-time install of Bench System Firmware Manager
from Experion PKS installation media. The special nature of this install is that it also installs the
UOC firmware in addition to the Firmware Manager application used to load the UOC firmware to
the PLC-CPM. Refer to Firmware Manager User Guide_EPDOC-X470.pdf for how to create a Bench
System laptop or PC.
To complete the Bench System, a ControlEdge controller rack with a power supply must be
procured. Either a redundant or non-redundant rack may be used. For information on rack types,
see ControlEdge 900 Platform Hardware Planning and Installation Guide_HWDOC-X430.pdf.
After the Bench system has been set up, it includes the components as shown here.
Figure 4.1 PLC CPM to UOC CPM Conversion using Bench System
A PLC-CPM can be converted using an Experion PKS node that has an installation of Firmware
Manager together with an off-process ControlEdge controller rack that is part of the Experion
system. The necessary system components are summarized in the following diagram.
Figure 4.2 PLC CPM-UOC CPM Conversion using Firmware Manager on Experion System
A PLC-CPM can be converted using a laptop that has a Bench installation of Firmware Manager
together with an off-process ControlEdge controller rack that is part of an Experion system. This
hybrid method is similar to using a Bench system but it is not required to deploy a separate
controller rack and power supply. The necessary system components are summarized in the
following diagram.
Figure 4.3 PLC CPM-UOC CPM Conversion using Firmware Manager on Laptop
An important consideration in converting a PLC into a UOC is whether the site requires spares.
If spares are needed, a conscious decision must be made as to whether a spare is stored as a PLC
or as UOC.
If a spare is maintained as a PLC, and if a conversion Bench System is preserved for ongoing use,
then the CPM can be converted to a UOC at any time. However, the process of conversion is not
instantaneous. If it is desired to have a UOC available for quick use in an emergency, then it must
be converted ahead of time. If no bench system is set up to support future conversions and instead
a temporarily available controller rack is used, it is recommended to create the desired number of
spare UOC CPMs before the rack is put on-line. Doing so makes them available for quick use in
case of an emergency.
If additional UOC-CPMs are needed later and no bench system has been set up for conversion,
then a means will have to be found to use existing equipment. Given that a CPM is needed, the
system may have a controller rack which is already off-line. If so, that rack may be used to do the
conversion. If not, then a CPM will have to be taken off-line in order to do the conversion.
TIP
After the CPM has been converted into a UOC, please affix the UOC label over the CPM
mode switch as described in Hardware Considerations. This facilitates a quick UOC
replacement, as the label indicates that the unit has been converted to a UOC.
After a CPM has been converted from PLC firmware to UOC firmware, updates are done on an
Experion system using Firmware Manager. Either the Application Image, the Boot Image, or both
can be loaded.
When updating UOC firmware, only one Firmware Manager client at a time may load firmware to
the UOC. In addition, the total number of Firmware Manager clients that may connect to a UOC at
one time, for monitoring node status or for loading firmware, is limited to 4.
The UOC must be running in the application (RDY) to upgrade the recovery image and in recovery
(ALIVE) to upgrade the application. Synchronization must be disabled before attempting a firmware
upgrade. Firmware Manager will place the UOC in the proper state for loading each image.
Care must be taken when upgrading the firmware of a redundant UOC pair. As of R511.1,
on-process firmware upgrade of a redundant UOC is not supported. The controller must first be taken
off-line by setting the CEE state to Idle. In addition, synchronization between the primary and
secondary partners must be disabled so that the UOC does not attempt to switch over during the
firmware upgrade process. Upgrade the firmware in the backup, then the firmware in the primary.
New firmware images are frequently received with major Experion releases. They can also be
received via download from the HPS website.
For instructions on how to load firmware using Firmware Manager, see
Firmware Manager_EPDOC-X404.pdf.
The two images play the same role within the EPM as do the corresponding images in the CPM.
Unlike the CPM, these firmware images are of the same type as those used by the ControlEdge
PLC, though they may be at different version levels.
NOTE
To know the latest EPM Firmware version, refer to the SCN document.
NOTE
When loading firmware to an EPM, the firmware obtained with the Experion installation
must always be used. Firmware that might have been obtained from a ControlEdge PLC
installation must not be used.
NOTE
Update EPM only after updating UOC (if needed).
For a UOC system, updates of EPM firmware are done on an Experion system using Firmware
Manager.
The load of firmware to EPM works by sending the firmware packets to the CPM which then
forwards them to the EPM. The parent CPM of an EPM must be known to Firmware Manager in
order for the load to take place. Firmware Manager supports a means whereby the EPM children of
a CPM can be specified.
When updating EPM firmware, only one Firmware Manager client at a time may load firmware to
the EPM through its parent UOC. In addition, the total number of Firmware Manager clients that
may connect to a UOC at one time, for monitoring node status or for loading firmware, is limited to
4.
New images are sometimes received with major releases of Experion. They can also be received via
download from the HPS website.
For instructions on how to load firmware using Firmware Manager, see Firmware Manager_
EPDOC-X404.pdf.
Upgrading the UOC EPM
The procedure used to upgrade EPM firmware varies depending on the downlink network protocol
in use. In one case, the selected protocol must be temporarily changed during the course of
upgrade. In some cases, network redundancy must be temporarily disabled during the course of
upgrade.
NOTE
For PRP networks, redundant network connectivity should be left disconnected during the
process of EPM firmware upgrade.
1. Set the 100x switch position of the EPM as per the desired UOC downlink network protocol
(position 4 for Nonredundant or PRP).
2. Connect Ethernet Port 1 of the EPM to the UOC downlink network, leaving Ethernet Port
2 disconnected.
3. Insert the EPM into the IO rack, causing it to reboot.
4. Upgrade EPM Firmware using Firmware Manager.
NOTE
For PRP networks, redundant network connectivity should be left disconnected during the
process of EPM firmware upgrade.
1. Temporarily set the 100X switch position of the EPM to 4 (PRP protocol).
2. Connect Ethernet Port 1 of the EPM to the UOC downlink network, leaving Ethernet port of
EPM disconnected.
3. Insert the EPM into the IO rack, causing it to reboot.
4. Upgrade EPM Firmware using Firmware Manager.
5. Change the 100x switch to position 5 (DLR).
6. Insert the EPM into the IO rack, causing it to reboot.
7. Connect the Ethernet Port 1 and Port 2 of the EPM to the UOC downlink network, closing the
DLR ring.
For detailed instructions on the use of Firmware Manager, see the Firmware Manager User Guide.
For information on which version of EPM firmware is supported in the current release see the
Software Change Notice (SCN).
NOTE
When loading firmware to a UI/OM, the firmware obtained with the Experion installation
must always be used. Firmware that might have been obtained from a ControlEdge PLC
installation must not be used.
NOTE
Update I/OM only after updating UOC and EPM (if needed).
For a UOC system, updates of UI/OM firmware are done on an Experion system using Firmware
Manager.
The load of firmware to UI/OM works by sending the firmware packets to the CPM which then
forwards them to the EPM which in turn forwards them to the UI/OM. The parent EPM of a UI/OM
must be known to Firmware Manager in order for the load to take place. Firmware Manager
supports a means whereby the UI/OM children of an EPM can be specified.
When updating UI/OM firmware, only one Firmware Manager client at a time may load firmware to
the UI/OM through its parent UOC. In addition, the total number of Firmware Manager clients that
may connect to a UOC at one time, for monitoring node status or for loading firmware, is limited to
4.
New Application Images are sometimes received with major releases of Experion. They can also be
received via download from the HPS website.
For instructions on how to load firmware using Firmware Manager, see Firmware Manager_
EPDOC-X404.pdf.
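A pre-flight check for the upgrade rules stated in this chapter, as an added example that is not part of the guide or of Firmware Manager. The Step and SystemState types, the node names and the "experion" source label are hypothetical, and the state values are assumed to be gathered by the operator.

```python
from dataclasses import dataclass, field

ORDER = {"UOC": 0, "EPM": 1, "IOM": 2}   # UOC first, then EPM, then I/OM
MAX_CLIENTS = 4                          # Firmware Manager clients per UOC


@dataclass
class Step:
    node: str                  # hypothetical node name
    kind: str                  # "UOC", "EPM" or "IOM"
    role: str = ""             # "backup" or "primary" for a redundant UOC
    parent: str = ""           # parent CPM of an EPM, parent EPM of an I/OM
    source: str = "experion"   # installation the firmware file was taken from


@dataclass
class SystemState:
    cee_state: str                  # must be "Idle" for a redundant pair
    sync_enabled: bool
    other_clients_connected: int    # clients already attached to the UOC
    other_clients_loading: int      # clients currently loading firmware
    known_nodes: set = field(default_factory=set)  # nodes defined in Firmware Manager


def preflight(steps, state):
    """Return the rule violations for an ordered firmware upgrade plan."""
    issues = []
    uocs = [s for s in steps if s.kind == "UOC"]
    if any(s.role for s in uocs) and state.cee_state != "Idle":
        issues.append("redundant pair: set the CEE state to Idle first")
    if state.sync_enabled:
        issues.append("disable synchronization before loading firmware")
    if state.other_clients_connected >= MAX_CLIENTS:
        issues.append(f"{MAX_CLIENTS} Firmware Manager clients are already connected")
    if state.other_clients_loading > 0:
        issues.append("another Firmware Manager client is already loading firmware")

    highest = 0
    for s in steps:
        rank = ORDER[s.kind]
        if rank < highest:
            issues.append(f"{s.node}: {s.kind} is scheduled after a later-stage module")
        highest = max(highest, rank)
        if s.kind != "UOC":
            if s.source != "experion":
                issues.append(f"{s.node}: firmware must come from the Experion installation")
            if s.parent not in state.known_nodes:
                issues.append(f"{s.node}: parent {s.parent!r} is not known to Firmware Manager")

    roles = [s.role for s in uocs if s.role]
    if "primary" in roles and "backup" in roles and roles.index("primary") < roles.index("backup"):
        issues.append("redundant pair: upgrade the backup before the primary")
    return issues


# Constructed sample plans.
GOOD_STEPS = [
    Step("UOC_A_SEC", "UOC", role="backup"),
    Step("UOC_A", "UOC", role="primary"),
    Step("EPM_1", "EPM", parent="UOC_A"),
    Step("IOM_3", "IOM", parent="EPM_1"),
]
GOOD_STATE = SystemState("Idle", False, 1, 0, {"UOC_A", "UOC_A_SEC", "EPM_1"})

BAD_STEPS = [
    Step("EPM_1", "EPM", parent="UOC_A", source="controledge_plc"),
    Step("UOC_A", "UOC", role="primary"),
    Step("UOC_A_SEC", "UOC", role="backup"),
]
BAD_STATE = SystemState("Run", True, 4, 0, {"UOC_A"})

if __name__ == "__main__":
    for line in preflight(BAD_STEPS, BAD_STATE):
        print(line)
```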
CHAPTER
5 CONFIGURATION
• The primary controller (of a redundant controller pair) is always configured with an odd
numbered Device Index.
• A non-redundant controller is only configured with an odd numbered Device Index.
• The secondary controller of a redundant controller pair is configured with the even Device
Index that is consecutive with its primary partner’s Device Index (i.e. primary controller Device
Index plus 1).
Set the Device Index (FTE DEVICE INDEX) by turning the three rotary decimal switches (range 001
to 509). The leftmost switch on top is used for setting the hundreds digit, the right switch on top is
used for setting the tens digit, and the bottom switch sets the ones digit.
Example: For a redundant pair, the primary and secondary indexes respectively could be 001, 002;
111, 112; 507, 508 and so on. In a non-redundant setup, the index could be: 001 or 111 or 507 and
so on.
If the Device Index set on a UOC does not match the Device Index configured for it in Control
Builder, Control Builder cannot establish communication with the controller, and configuration
load is prevented.
For in-rack redundancy, the left controller is recommended to be configured as the odd device
index and the right controller as the even device index (of the consecutive device index pair).
Redundancy communication between a pair of redundant UOC is not possible if their device
indices are not set to a consecutive odd/even pair.
In the non-redundant case, the odd+1 address is reserved for future redundancy. It must not be
assigned to any other function.
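The Device Index rules above can be checked over a whole plan before any switch is turned. The following is an added example, not part of the guide; the Controller type and the controller names are hypothetical, and the sample plans are constructed.

```python
from dataclasses import dataclass
from typing import Optional

MIN_INDEX, MAX_INDEX = 1, 509   # rotary switch range 001 to 509


@dataclass(frozen=True)
class Controller:
    name: str                       # hypothetical tag name
    index: int                      # Device Index configured in Control Builder
    partner: Optional[str] = None   # name of the redundant partner, if any
    role: str = "nonredundant"      # "primary", "secondary" or "nonredundant"


def switch_positions(index):
    """Return (hundreds, tens, ones) for the three rotary decimal switches."""
    if not MIN_INDEX <= index <= MAX_INDEX:
        raise ValueError(f"Device Index {index} is outside 001-509")
    return (index // 100, (index // 10) % 10, index % 10)


def audit(plan):
    """Return the rule violations found in a list of Controller entries."""
    problems = []
    by_name = {c.name: c for c in plan}
    claimed = {}   # index -> controller (or pair owner) that uses or reserves it

    def claim(index, owner, who):
        holder = claimed.setdefault(index, owner)
        if holder != owner:
            problems.append(f"{who}: index {index:03d} is already used or reserved by {holder}")

    for c in plan:
        if not MIN_INDEX <= c.index <= MAX_INDEX:
            problems.append(f"{c.name}: index {c.index} is outside 001-509")
            continue
        if c.role == "secondary":
            primary = by_name.get(c.partner)
            if c.index % 2:
                problems.append(f"{c.name}: a secondary needs an even index")
            if primary is None or primary.role != "primary":
                problems.append(f"{c.name}: no primary partner in the plan")
            elif c.index != primary.index + 1:
                problems.append(f"{c.name}: must be {primary.index + 1:03d} "
                                f"(primary {primary.name} plus 1)")
            claim(c.index, c.partner or c.name, c.name)
        else:
            if c.index % 2 == 0:
                problems.append(f"{c.name}: a {c.role} controller needs an odd index")
            claim(c.index, c.name, c.name)
            # The odd+1 index belongs to the partner, or is reserved for one.
            claim(c.index + 1, c.name, c.name)
    return problems


# Constructed sample plans.
GOOD_PLAN = [
    Controller("UOC_A", 1, "UOC_A_SEC", "primary"),
    Controller("UOC_A_SEC", 2, "UOC_A", "secondary"),
    Controller("UOC_B", 111),
]
BAD_PLAN = [
    Controller("UOC_B", 111),
    Controller("UOC_C", 112),                         # even, and reserved for UOC_B
    Controller("UOC_D", 507, "UOC_D_SEC", "primary"),
    Controller("UOC_D_SEC", 509, "UOC_D", "secondary"),  # not primary plus 1
]

if __name__ == "__main__":
    for line in audit(BAD_PLAN):
        print(line)
    print(switch_positions(507))
```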
Tab Description
Main tab
This tab is used to configure the UOC block. This tab also displays important
state information and supports generation of commands to the CEE via
parameter writes. The screenshots below show descriptions and names of
each parameter that appears on the configuration form of the Main tab. For
further information about each parameter, consult the Control Builder
Parameter Reference Guide_EPDOC-XX18-en-511A.pdf.
Take note of the following considerations when configuring the Main tab of
the UOC Platform block.
The DHCP address range used by EPMs on the downlink is configured from
the “Downlink Address Configuration” section. The UOC’s DHCP server assigns
IP addresses based on the module number set on the 10X and 1X rotary
switches of the EPM board. The address range can cover up to 12 addresses
with EPM module number 1 being mapped into the start address of the range.
If an EPM module number is set outside the DHCP address range, it will not
receive an IP address and will not be able to communicate. Care must be taken
to ensure that the address range has been configured correctly before going
on process. If the address range needs to be changed, it can only be done by
reloading the UOC platform block while the UOC is off process.
The Connection Type configured in the “Downlink Network Configuration”
section changes the way the UOC behaves with respect to downlink network
redundancy. For more information refer to 3.2 Downlink I/O Network
Topology.
NOTE
Two screens in all the following tabs show “Parameter Names”
checked/unchecked.
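The downlink DHCP mapping described for the Main tab, worked through as an added example that is not part of the guide. It assumes module number n receives the start address plus (n - 1), since the guide only states that module number 1 maps to the start address; the EPM names and addresses are constructed.

```python
import ipaddress

MAX_RANGE = 12   # the range can cover up to 12 addresses


def epm_address(start, size, module_number):
    """Address the UOC DHCP server would assign to an EPM, or None if it gets none.

    Assumption: module n maps to start + (n - 1).
    """
    if not 1 <= size <= MAX_RANGE:
        raise ValueError("the range must cover 1 to 12 addresses")
    if not 1 <= module_number <= size:
        return None
    return ipaddress.ip_address(start) + (module_number - 1)


def plan(start, size, modules):
    """Map EPM names to addresses and list configuration findings.

    modules: dict of EPM name -> module number set on the 10X and 1X switches.
    """
    assigned, findings, owner = {}, [], {}
    for name, number in sorted(modules.items()):
        addr = epm_address(start, size, number)
        assigned[name] = addr
        if addr is None:
            findings.append(f"{name}: module number {number} is outside the range, no IP address")
        elif addr in owner:
            findings.append(f"{name}: module number {number} duplicates {owner[addr]}")
        else:
            owner[addr] = name
    return assigned, findings


def range_change_impact(old, new, modules):
    """EPMs whose address changes or disappears when the range moves from old to new.

    old and new are (start, size) tuples. The change itself requires reloading
    the UOC platform block while the UOC is off process.
    """
    before, _ = plan(old[0], old[1], modules)
    after, _ = plan(new[0], new[1], modules)
    return {n: (before[n], after[n]) for n in modules if before[n] != after[n]}


# Constructed sample: four EPMs, one beyond the range, two with the same number.
SAMPLE_MODULES = {"EPM_RACK1": 1, "EPM_RACK2": 2, "EPM_RACK9": 9, "EPM_DUP": 2}

if __name__ == "__main__":
    assigned, findings = plan("192.168.10.101", 8, SAMPLE_MODULES)
    for name, addr in assigned.items():
        print(name, addr)
    for line in findings:
        print(line)
    print(range_change_impact(("192.168.10.101", 8), ("192.168.10.101", 12), SAMPLE_MODULES))
```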
Tab Description
Statistics tab
This tab shows a variety of statistics parameters that can be monitored to learn
about the processing load and operating conditions of the UOC. Such
information includes CPU utilization, hardware temperature and
communications subsystem (CDA) statistics. The screenshots below show
descriptions and names of each parameter that appears on the form of the
Statistics tab. For further information about each parameter, see Control
Builder Parameter Reference Guide_EPDOC-XX18-en-511A.pdf.
Tab Description
Hardware Information tab
This tab contains data describing the UOC module including firmware and
hardware version information. The parameters provided here are used for
maintenance, troubleshooting and problem description purposes. All
parameters on this form are read-only. Note that the Hardware Information
Tab displays several parameters related to UOC retention restart. These are as
follows. The screenshots below show descriptions and names of each
parameter that appears on the form of the Hardware Information tab. For
further information about each parameter, see Control Builder Parameter
Reference Guide_EPDOC-XX18-en-511A.pdf.
• RetentionMediaError – Retention restart was vetoed due to invalid
retention memory detected by the controller. Possible causes for invalid
retention memory are as follows:
  • SD card missing.
  • SD card not inserted fully or not inserted properly.
  • SD card format not recognized.
  • SD card locked for read-only access.
Tab Description
FTE tab
This tab contains statistics related to Fault Tolerant Ethernet (FTE)
communications and performance. The FTE tab features parameters
associated with the MAC Address Resolution Table (MART) which deals with
on-line media access control (MAC) address mapping. All parameters of the
FTE tab are read-only. The screenshots below show descriptions and names of
each parameter that appears on the form of the FTE tab. For further
information about each parameter, see Control Builder Parameter Reference
Guide_EPDOC-XX18-en-511A.pdf.
Tab Description
Downlink tab
This tab shows statistics and configuration parameters related to downlink
Ethernet communications.
For DLR, the Primary defaults to ring supervisor. The supervisor parameters
are exposed and default to values appropriate for the case where the UOC is
the only supervisor.
The supervisor precedence must be configured as the highest precedence value so
that the UOC takes the active supervisor role.
NOTE
l Downlink connection type can be changed from disabled to any
NOTE
If a Rapid Fault condition is detected, manual intervention is needed
to clear the state in Control Builder or Station. This fault occurs when
a series of rapid ring faults is detected, typically with a ring fault and
recovery cycle of 5 times in 30 seconds.
NOTE
To detect the fault location in a ring network, you must clear the first
fault in the ring and click Update Locate fault. This will re-initiate the
search and locate the next fault location in the ring, if any.
For further information about each parameter, see Control Builder Parameter
Reference Guide_EPDOC-XX18-en-511A.pdf.
Tab Description
UDP/TCP tab
This tab displays statistics related to open UDP and TCP connections
associated with this UOC controller. All parameters on this form are read-only.
The screenshots below show descriptions and names of each parameter that
appears on the form of the UDP / TCP tab. For further information about each
parameter, see Control Builder Parameter Reference Guide_EPDOC-XX18-en-
511A.pdf.
Tab Description
IP/ICMP tab
This tab displays statistics related to IP and ICMP protocol messages
associated with (i.e. originating in or received by) this UOC controller. These
types of messages are generally associated with maintenance and status
operations on the network. All of the parameters shown on this form are
read-only.
The screenshots below show descriptions and names of each parameter
that appears on the form of the IP / ICMP tab. For further information
about each parameter, see Control Builder Parameter Reference Guide_
EPDOC-XX18-en-511A.pdf.
Tab Description
Soft Failures tab
This tab indicates which soft failure conditions, if any, are active. Users
typically navigate to this form after receiving a general indication that at
least one soft failure is present, such as a soft failure notification. All
parameters shown on this form are read-only.
The screenshots below show descriptions and names of each parameter
that appears on the form of the Soft Failures tab. For further information
about each parameter, see Control Builder Parameter Reference Guide_
EPDOC-XX18-en-511A.pdf.
NOTE
The HSR/PRP LAN ID soft failure is only cleared by resetting
statistics (See Statistics tab). This will clear the LAN ID error
counts and the soft failure.
Tab Description
Security tab
This tab allows for the disabling of optional protocols. As an additional
security measure, Honeywell recommends disabling protocols which are
not required in a particular UOC deployment. Most UOC protocols are
required for proper function in all deployments. HART / IP can be disabled
when not in use. HART/IP must be enabled when FDM is used.
Tab Description
Server History tab
This tab is common to all configuration forms for tagged blocks in Control
Builder. This form allows users to specify individual parameters of the
block which are to be collected for history recording.
ATTENTION
The configuration settings you make for Server Load Options on
the System Preferences dialog determine whether or not the data
entered on the Server History tab is loaded to the Experion Server.
See Control Building User Guide for information about setting
system preferences.
Tab Description
Server Displays tab
This tab is common to all configuration forms for tagged blocks in Control
Builder. It allows users to associate Point Detail, Group Detail, Associated
and Trend displays with the block.
The screenshots below show descriptions and names of each parameter
that appears on the form of the Server Displays tab. For further information
about each parameter, see Control Builder Parameter Reference Guide_
EPDOC-XX18-en-511A.pdf.
Tab Description
Control Confirmation tab
This tab is common to all configuration forms for tagged blocks in Control
Builder. If you have an optional Electronic Signature license, you can
configure electronic signature information for the tagged block through
this tab on the block's configuration form in Control Builder. Please refer
to the Server and Client Configuration Guide for information about the
data on this tab.
The Electronic Signature function aligns with the identical Electronic
Signatures function that is initiated through Quick Builder and Station for
Server points. When this block is loaded to a controller, its control
confirmation configuration (electronic signatures) is also loaded to the
Server. This means you can view the control confirmation configuration for
this tagged object in Station and also make changes to it. If you make
changes through Station, you must initiate an Upload or Upload with
Contents function through the Controller menu in Control Builder for the
object in the Monitoring tab to synchronize changes in the Engineering
Repository Database (ERDB). The screenshots below show descriptions
and names of each parameter that appears on the form of the Control
Confirmation tab. For further information about each parameter, see
Control Builder Parameter Reference Guide_EPDOC-XX18-en-511A.pdf.
Tab Description
QVCS tab
This tab is common to all configuration forms for tagged blocks in Control
Builder. If you have a Qualification and Version Control System (QVCS)
license, this tab shows current QVCS information for the selected UOC
block. Please refer to the Qualification and Version Control System User's
Guide for more information about the data on this tab. The screenshots
below show descriptions and names of each parameter that appears on the
form of the QVCS tab. For further information about each parameter, see
Control Builder Parameter Reference Guide_EPDOC-XX18-en-511A.pdf.
NOTE
It is mandatory to use the Revert Label feature for template-based EIP I/OMs (e.g.,
Generic Device Modules or Generic I/O Modules) to perform QVCS Revert operations.
Failure to apply a common label to the template and the corresponding instance will
lead to a deadlock situation when performing Revert Version operations. The template
and the corresponding instance must have the same version label. This
can be achieved by applying the same label to both the template and its corresponding
instance.
Tab Description
Identification tab
This tab is common to all configuration forms for tagged blocks in Control
Builder. It allows users to record information about the intended purpose
and maintenance history of the block.
The screenshots below show descriptions and names of each parameter
that appears on the form of the Identification tab. For further information
about each parameter, see Control Builder Parameter Reference Guide_
EPDOC-XX18-en-511A.pdf.
Tab Description
Main tab
This tab of the Secondary UOC Block configuration form does not contain the
‘Module is redundant’ or ‘Secondary Tag Name’ fields. All other parameters
contained on the Primary's Main tab are present on the secondary's Main tab.
Parameters in the Advanced Configuration subgroup are copied from the
primary block to the secondary block and are view only on the secondary's
form.
NOTE
Two screens in all the following tabs show “Parameter Names”
checked/unchecked.
Redundancy tab
This tab of the Secondary UOC block contains the parameter ‘Last Block
Migrated’ (LASTOPMNAME) which is not applicable on the Primary UOC block.
NOTE
The UOC’s CEE block is sometimes called the “CEE UOC” block to highlight the fact that it
has some differences from the CEE block of other controllers such as the C200, C200E,
C300. However, its major characteristics are consistent with those of other CEE controllers.
Tab Description
Main tab
This tab is used for the configuration of the CEE block. The configuration steps
are defined in Control Building User’s Guide (Control Building User’s Guide_
EPDOC-XX19-en-511A.pdf). This tab also displays important state information
and allows the store of some runtime parameters. The screenshots below show
descriptions and names of each parameter that appear on the configuration
form of the Main tab. For further information about each parameter, see
Control Builder Parameter Reference_EPDOC-XX18-en-511A.pdf.
For the secondary platform block, refer to the section Secondary UOC Platform Block.
NOTE
Two screens in all the following tabs show “Parameter Names”
checked/unchecked.
Tab Description
Peer Configuration tab
This tab contains information about user-defined peer connections for the
CEE block. The Peer Configuration tab displays information about peer
connections established by this CEE. It allows a global default subscription
period for peer reads to be established and also allows different subscriptions
to be established for particular peer environments. The screenshots below
show descriptions and names of each parameter that appear on the form of
the Peer Configuration tab. For further information about each parameter, see
Control Builder Parameter Reference_EPDOC-XX18-en-511A.pdf.
Tab Description
Statistics tab
This tab displays a variety of statistical information characterizing different
types of communication mechanisms used by the CEE. The screenshots below
show descriptions and names of each parameter that appear on the form of
the Statistics tab. For further information about each parameter, see Control
Builder Parameter Reference_EPDOC-XX18-en-511A.pdf.
Tab Description
CPU Loading tab
This tab is organized as a set of 4 arrays, each one indexed by the number of
CEE processing cycles, 0 through 39. Statistics values which characterize a
particular cycle are shown at its corresponding cycle number.
The first column shows average CPU used for each cycle. The second shows,
for each cycle, the maximum CPU usage since the time of last UOC statistics
reset. The third and fourth columns together show the quantity of data sent
from primary to secondary, for the particular cycle, as part of redundancy
synchronization communication. Each column reflects a different redundancy
synchronization mechanism.
Each array also shows a value for index 40, indicating the value normalized
over cycles 0 through 39. In the case of CPU cycle average array, element 40
shows the average across all cycles. In the case of the 3 maximum arrays,
element 40 shows the maximum across all cycles.
The screenshots below show descriptions and names of each parameter that
appears on the form of the CPU Loading tab. For further information about
each parameter, see Control Builder Parameter Reference_EPDOC-XX18-en-
511A.pdf.
Tab Description
CPU Overruns tab
This tab is organized as a set of 2 arrays, each one indexed by the number of
CEE processing cycles, 0 through 39. Statistics values which characterize a
particular cycle are shown at its corresponding cycle number.
The first column shows the count of CEE processing cycle overruns that have
occurred so far in the current hour. The second column shows the count of
CEE processing cycle overruns that occurred in the previous hour. The current
hour counts in the first column accumulate until the end of the hour and then
get transferred into the second column. Start and end times for the hourly
intervals are not correlated with wall clock time.
Each array also shows a value for index 40, indicating the sum of all overrun
counts over cycles 0 through 39.
The screenshots below show descriptions and names of each parameter that
appear on the form of the CPU Overruns tab. For further information about
each parameter, see Control Builder Parameter Reference_EPDOC-XX18-en-
511A.pdf.
Tab Description
EtherNet/IP Statistics tab
This tab shows the IP address and connection status of each UOC downlink
connection to an EtherNet/IP device. For bridged connections to modular I/O
stations, it also shows the slot number corresponding to each I/O module. This
form displays only read-only parameters.
The screenshots below show descriptions and names of each parameter that
appear on the form of the EtherNet/IP Statistics tab. For further information
about each parameter, see Control Builder Parameter Reference_EPDOC-XX18-
en-511A.pdf.
Tab Description
CLX Statistics tab
This tab presents information about UOC’s downlink EtherNet/IP
communication with ControlLogix PLCs. Information displayed includes
counts of tagged data reads and writes initiated by the UOC, IP addresses of
connected PLCs, status of each PLC connection and transactions per second
to each PLC. This form shows only read-only parameters.
The screenshots below show descriptions and names of each parameter that
appear on the form of the CLX Statistics tab. For further information about
each parameter, see Control Builder Parameter Reference_EPDOC-XX18-en-
511A.pdf.
Tab Description
Batch tab
This tab shows information related to batch processing being carried out by
the UOC. This includes configurable parameters for Batch Event Settings and
Activity Configuration. It also includes 4 read-only arrays which indicate
whether any Control Recipe cycles have been skipped and for what period of
time.
The screenshots below show descriptions and names of each parameter that
appear on the form of the Batch tab. For further information about each
parameter, see Control Builder Parameter Reference_EPDOC-XX18-en-
511A.pdf.
Tab Description
Memory tab
This tab presents information on UOC memory usage within CEE’s user
memory pool. Of most interest to end users are statistics indicating used and
free memory. These are shown in units of both kilobytes and bytes. Also shown
are all descriptor counts and block counts which provide information related
to internal memory management within CEE.
The screenshots below show descriptions and names of each parameter that
appear on the form of the Memory tab. For further information about each
parameter, see Control Builder Parameter Reference_EPDOC-XX18-en-
511A.pdf.
Tab Description
Peer Connections tab
This tab contains data indicating the number of peer connections for both
initiator and responder types between this UOC controller and other peer-
capable nodes. All parameters on this tab are read-only.
The screenshots below show descriptions and names of each parameter that
appear on the form of the Peer Connections tab. For further information about
each parameter, see Control Builder Parameter Reference_EPDOC-XX18-en-
511A.pdf.
Tab Description
Peer Communications tab
This tab contains information about peer connections. It gives statistics for
connections initiated by the CEE block and connections to which the CEE
responds. The screenshots below show descriptions and names of each
parameter that appear on the form of the Peer Communications tab. For
further information about each parameter, see Control Builder Parameter
Reference_EPDOC-XX18-en-511A.pdf.
Tab Description
Exchange Communications tab
This tab contains information about exchange connections between the UOC
controller and a target controller or programmable logic controller. It gives
statistics for connections initiated by the CEE block. The screenshots below
show descriptions and names of each parameter that appear on the form of
the Exchange Communications tab. For further information about each
parameter, see Control Builder Parameter Reference_EPDOC-XX18-en-
511A.pdf.
Tab Description
Display Communications tab
This tab contains information about display connections to the UOC from
Control Builder, Direct Stations and Engineering Station.
The screenshots below show descriptions and names of each parameter that
appear on the form of the Display Communications tab. For further
information about each parameter, see Control Builder Parameter Reference_
EPDOC-XX18-en-511A.pdf.
Tab Description
Block Types Info tab
This tab shows the name of block types supported by the CEE together with
the size and count of the corresponding block instances. All parameters on
this form are read-only.
Note that certain IOREF block configurations internally execute either a Type
Convert or a Push block. These blocks will be counted against the block types
when IOREF blocks are downloaded.
The screenshots below show descriptions and names of each parameter that
appear on the form of the Block Types Info tab. For further information about
each parameter, see Control Builder Parameter Reference_EPDOC-XX18-en-
511A.pdf.
Identification tab
This tab is common to all configuration forms for tagged blocks in Control
Builder.
5.10.1 Introduction
This section describes the functionalities and user interface of the UOC CEE RETENTIONTRIG
Block system.
CAUTION
During retention data save, controller outputs hold, but no control or communication
processing is performed. The duration of the freeze is 40 seconds or less. An overrun count
gets added to the cycle overrun statistics. Display or peer data access with the controller
performing retention save is delayed for the duration of the retention save, which may
result in:
1. Server or Console Connection TIMEOUT alarms with the controller performing the
retention save, and
2. Loss-of-control related alarms for peer connections with the controller performing
the retention save.
The UOC Retention-restart behaviors are set up by instantiating the RETENTIONTRIG block within
a Control Module (CM) strategy. It works by sensing the status of external power fed to a backup
Power Source, typically a site wide UPS, which can provide output power for a time after its
external input power has been lost. The concept is illustrated by the following diagram.
ATTENTION
The RETENTIONTRIG block must sense the status of external power fed to a backup power
source. In addition to the backup power source, this requires:
1. A means for the controller to sense the binary input signal. For example, a digital
input IOPOINT.
2. Wiring from external power (or from the backup power source) to the controller’s
binary input signal.
Specific deployments of a CM with the RETENTIONTRIG block can differ in detail from the overview
scheme depicted above. For example, depending on the number of Power Sources and how they
are connected, there might be two External Power Good signals rather than just one, each with its
own delay configuration. But, the basic principles captured above always apply.
The UOC-CPM uses its Secure Digital (SD) card as the non-volatile memory for the storage of
retention save data. The virtual UOC saves its retention data to its local hard disk. Both UOC
variants are different from controller designs which use battery-backed RAM as their non-volatile
storage medium.
ATTENTION
Retention NVS is the generic term used throughout this document for UOC-CPM SD card
memory and virtual UOC local disk retention memory.
The UOC-CPM supports the three SD card types: SD Standard Capacity (SDSC), SD High Capacity
(SDHC), and SD Extended Capacity (SDXC).
The recommended SD card format is FAT32.
CAUTION
Upon SD card detection at either startup or insertion under power, the UOC formats the SD
card if it is not the expected format. Therefore, the SD card’s prior contents may be erased.
Users not planning on employing UOC retention restart support do not need to insert an SD card
into the UOC-CPM. The SD card is only required if the user enables UOC retention restart support.
To enable UOC retention restart support, configure a RETENTIONTRIG block within a Control
Module (CM) and load the CM to the UOC’s CEE. This is the only step required for the virtual UOC
because the virtual UOC saves its retention data to its local hard disk. The UOC-CPM hardware
requires the additional step of inserting an SD card into the UOC-CPM. If the controller is
configured as redundant, insert an SD card in both the primary and secondary UOC-CPM. When
the RETENTIONTRIG block is loaded, the non-redundant or primary UOC generates a
“NVS/Retention Restart Media Error” soft failure notification if the SD card is absent (from the
UOC-CPM) as described in section NVS/Retention Restart Media Error.
To disable UOC retention restart support, delete the RETENTIONTRIG block from the UOC. The SD
card(s) may optionally be removed from the UOC-CPM(s); they are not used without the
RETENTIONTRIG block loaded to the UOC.
CAUTION
Do not insert or remove the SD card when the UOC-CPM is powered unless the area is
known to be non-hazardous.
The UOC-CPM hardware supports SD Card removal and insertion under power (RIUP). However, it
is recommended that the SD card be inserted and not removed for the life of the controller
because:
l Retention Save is not possible when the SD card is removed.
l SD card removal during retention save results in an incomplete retention save; the partial
retention data set cannot be used for retention startup.
The UOC and vUOC save retention data to enable the preservation of configuration and
operational data across a loss of external power. This allows them to automatically return to
normal operation after external power is recovered.
The data saved has a finite lifetime consistent with the above objective. It is not persisted
indefinitely. Instead, it is deleted after a controlled interval to prevent it from becoming
inconsistent with changes to the controller configuration. Retention data is deleted after 48 hours
from the last time it was saved. Upon deletion, the Retention Data Attendance parameter,
RETENDATAATTND, is updated to indicate retention data is absent.
Furthermore, consider the following scenario. If the controller performed retention save at time
T1, the user then added or deleted a strategy at time T2, and the controller power-cycled at time
T3, without having done a new retention save, then the retention restore following T3 would use
the data saved at time T1 which was missing the configuration changes applied at time T2. To
avoid the potential for unexpected behavior, this type of scenario is prevented by deleting
retention data when a control strategy is added, deleted, or reloaded. Upon deletion, the Retention
Data Attendance parameter, RETENDATAATTND, is updated to indicate retention data is absent.
It is not possible to reuse retention data with a different firmware version. Retention data cannot
be persisted across firmware upgrade.
Once a retention data save is performed, the UOC or vUOC generates a hash value per retention
data file (to later validate file integrity on retention restart). For security reasons, each hash value
is signed using a unique private key to ensure it was not tampered with while at rest. As a
consequence, the retention data saved on an SD card is only valid for the controller that performed
the retention save, because it is the only controller with the unique private key needed to validate
that the retention data was not tampered with.
Retention data on an SD card cannot be used for retention restart after UOC-CPM device
replacement.
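The validity rules above (48-hour lifetime, same firmware version, per-file hash signed with a controller-unique key) can be modelled as a single restart-time check. The Go sketch below is an added example, not the vendor's code: the guide does not publish the on-card format or the algorithms, so SHA-256, Ed25519, the `SavedFile` layout, the firmware labels and the key seeds are all assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Assumed for illustration: SHA-256, Ed25519 and the SavedFile layout.
// The guide only states that each file's hash is signed with a key that is
// unique to the controller that performed the save.

// Lifetime stated in the guide. The guide describes deletion after 48 hours;
// this model expresses the same rule as an age check at restart.
const retentionLifetime = 48 * time.Hour

var (
	ErrExpired   = errors.New("retention data is older than 48 hours")
	ErrFirmware  = errors.New("retention data was saved by a different firmware version")
	ErrSignature = errors.New("hash signature does not verify with this controller's key")
	ErrHash      = errors.New("file contents do not match the signed hash")
)

// SavedFile is one retention data file as it sits on the SD card or disk.
type SavedFile struct {
	Name     string
	Data     []byte
	Hash     [sha256.Size]byte // hash of Data taken at save time
	Sig      []byte            // signature over Hash
	Firmware string
	SavedAt  time.Time
}

// Controller holds the device-unique key, which never leaves the device.
type Controller struct {
	Firmware string
	key      ed25519.PrivateKey
}

// NewController derives the key from a constructed one-byte seed so that the
// example is deterministic. A real device key would be generated randomly.
func NewController(seed byte, firmware string) *Controller {
	s := bytes.Repeat([]byte{seed}, ed25519.SeedSize)
	return &Controller{Firmware: firmware, key: ed25519.NewKeyFromSeed(s)}
}

// Save hashes the data and signs the hash, as the guide describes.
func (c *Controller) Save(name string, data []byte, now time.Time) SavedFile {
	h := sha256.Sum256(data)
	return SavedFile{
		Name: name, Data: append([]byte(nil), data...), Hash: h,
		Sig: ed25519.Sign(c.key, h[:]), Firmware: c.Firmware, SavedAt: now,
	}
}

// CheckForRestart returns nil only if the file may be used for a retention
// restart on this controller.
func (c *Controller) CheckForRestart(f SavedFile, now time.Time) error {
	if now.Sub(f.SavedAt) > retentionLifetime {
		return ErrExpired
	}
	if f.Firmware != c.Firmware {
		return ErrFirmware
	}
	// The signature binds the hash to this device: a card written by another
	// controller, or a hash recomputed without the key, fails here.
	pub := c.key.Public().(ed25519.PublicKey)
	if !ed25519.Verify(pub, f.Hash[:], f.Sig) {
		return ErrSignature
	}
	// The hash binds the file contents to what was saved.
	if sha256.Sum256(f.Data) != f.Hash {
		return ErrHash
	}
	return nil
}

func main() {
	t0 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed timestamp
	a := NewController(0xA1, "fw-X")                  // placeholder firmware label
	b := NewController(0xB2, "fw-X")                  // replacement device, different key
	f := a.Save("cee.ret", []byte("SP=42.0;MODE=AUTO"), t0)

	edited := f
	edited.Data = []byte("SP=99.0;MODE=AUTO") // contents changed at rest
	rehashed := edited
	rehashed.Hash = sha256.Sum256(rehashed.Data) // hash recomputed without the key

	later := t0.Add(time.Hour)
	fmt.Println("same controller:      ", a.CheckForRestart(f, later))
	fmt.Println("after 49 hours:       ", a.CheckForRestart(f, t0.Add(49*time.Hour)))
	fmt.Println("replacement device:   ", b.CheckForRestart(f, later))
	fmt.Println("contents edited:      ", a.CheckForRestart(edited, later))
	fmt.Println("edited and re-hashed: ", a.CheckForRestart(rehashed, later))
}
```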
Retention data is deleted on controller transition to the Fail State. This ensures controller recovery
from the Fail State in case the retention data is not corrupt but it was saved with an illogical
condition that results in controller failure.
Configuration changes to the platform block are retained independently from the retention data
saved by the retention trigger block. Platform block changes are saved when they are received by
the controller via parameter stores. Consider the following scenario with a non-redundant
controller (for simplicity).
On startup, the controller performs retention restore but the control strategy is restored as it was
saved at T1, discarding the setpoint changes at time T3. However, the platform block is restored
with the changes made at time T2.
States
The way a UOC behaves over the course of power loss can be different depending on
circumstances. Differences result from how long backup power might last and from the
configuration choices made by the application engineer.
The state diagram below illustrates key events that take place over the course of a power loss
event.
Configuration Decisions
There are several configuration decisions an application engineer makes that impact how a UOC
progresses through the states described above. These decisions are summarized below. More
detailed descriptions of configuration options are provided in subsequent sections.
l How long should the UOC wait after loss of external power before triggering a data save?
This delay time is configured in minutes via parameters SAVEDELAY1 and optionally
SAVEDELAY2, depending on the power configuration. The value must be short enough
that the user is confident a data save will start and complete after loss of external
power and before backup power has been exhausted.
l After data has been saved the first time, should the UOC go through a restart cycle?
An application engineer may use this option to force outputs to their configured fail-safe
values after the initial data save. Under default configuration, this option is disabled. When
enabled, it is not possible to enable repetitive saves while backup power lasts. This option is
configured via parameter FORCERESTART.
l After data has been saved the first time, should the UOC repeat the data save operation, at
intervals, while backup power lasts?
An application engineer may use this option to either save once after loss of external
power or to periodically save after loss of power. If data is saved only once after power loss
but backup power lasts for a significant time thereafter, the data used for restart of the
UOC could become somewhat stale. This doesn’t matter if the only data of interest is
configuration data. Configuration data generally does not change during a power loss
event. But if there could be operational data, such as setpoints or modes, which need to be
as fresh as possible at the time of restart, then the application engineer can set the save
operation to be repeated while backup power lasts.
Every time a save is done, control processing freezes for up to 40 seconds. Thus, if the
period of repetitive save were set to 10 minutes, a save and corresponding control freeze
up to 40 seconds would occur every 10 minutes. The period of repeated saves, or the
option to not repeat at all, is configured via parameter RESAVEPERIOD.
When a data save is repeated, with a previous data set already present and available in
retention NVS, the new save completes as normal. But only the most recently saved data is
used when the controller restarts after power up. Also, data is always saved in such a
fashion that, were power lost in the middle of a save, the previously saved and complete
data set is the one which will be used upon next restart.
l After the UOC completes startup processing, how should the CEE resume execution?
CEE restart behavior is configured via the CEE parameter RRRCEESTATE. Several
variations in behavior are selectable via this parameter but the main decision it presents is
whether the CEE should go to Idle (not executing control algorithms) or return to the state
it had just before power down (typically Run, where control algorithms are executed). For
further information on RRRCEESTATE see CEESTATE Transitions During Count Down to
Save.
The state diagram above assumes that RRRCEESTATE has been configured to return to
Run and normal control execution. The restart behavior driven by RRRCEESTATE could
occur on two different transitions. One is the transition from 6) External Power, Starting Up
to 1) External Power, Normal. The other is the transition from 4) Backup Power, Starting Up
to 2) Backup Power, Counting Down. However, the latter transition is optional. It does not
occur if the application engineer elects not to enable a restart operation following the first
data save.
Examples of state transition sequences that might occur upon UOC loss of power are shown in the
tables below. Note that, in each example cited, it is assumed that CEE has been configured to
return to its last state before power down and that this state was Run.
Assumptions
l SAVEDELAY1 and SAVEDELAY2 are configured with nonzero
values.
l FORCERESTART has been left at its default value of OFF.
l RESAVEPERIOD is configured with a non-NaN value.
l External power returns before backup power has been
exhausted.
State Comment
Note that the above sequence is one that could occur if configuration options are left at their
default values. The values of SAVEDELAY1 and SAVEDELAY2 default to 10 minutes but they
typically need to be customized to each UOC deployment. Application engineers should check
default values and change them as needed.
l One save with restart, external power returns before loss of backup power.
Assumptions
l SAVEDELAY1 and SAVEDELAY2 are configured with nonzero
values.
l FORCERESTART has been set to ON.
l RESAVEPERIOD is configured to NaN, indicating that no
repeated saves are done.
l External power returns before backup power has been
exhausted.
State Comment
Assumptions
l SAVEDELAY1 and SAVEDELAY2 are configured with nonzero
values.
l FORCERESTART has been left at its default value of OFF.
l RESAVEPERIOD is configured with a non-NaN value.
l Backup power is exhausted before external power returns.
State Comment
Note that the above sequence is one that could occur if configuration options are left at their
default values. The values of SAVEDELAY1 and SAVEDELAY2 default to 10 minutes but they
typically need to be customized to each UOC deployment. Application engineers should check
default values and change them as needed.
l One save with restart, backup power exhausted before return of external power
Assumptions
l SAVEDELAY1 and SAVEDELAY2 are configured with nonzero
values.
l FORCERESTART has been set to ON.
l RESAVEPERIOD is configured to NaN, indicating that no
repeated saves are done.
l Backup power is exhausted before external power returns.
State Comment
Summary of Options
There are several different arrangements of power flow from a Power Source to the UOC’s
Controller Power Supply or Power Supplies. The configuration of the RETENTIONTRIG block must
be consistent with the chosen deployment. Configuration is done through parameter
POWERCONNOPT. Possible values of POWERCONNOPT are listed below.
l Single (Single Power Source)
A single Power Source connects to the controller module’s power supply for either a non-
redundant controller or a pair of redundant controllers, irrespective of the number of
power supplies associated with each controller module.
This applies only to non-redundant controller modules with 2 power supplies. Two power
sources are used, each connected to one of the controller module’s two supplies. Each of
the two power sources is sensed with its own External Power Good signal.
The types of connection arrangements used with each value of POWERCONNOPT are illustrated in
the following sections.
For vUOC, POWERCONNOPT is always set to either Single or Dual2PerModule because the vUOC
does not support application redundancy as required for the Dual1PerModule configuration.
This power connection option can be used with a non-redundant UOC or with a redundant UOC
pair. The diagram below shows the non-redundant usage, applied to either the single power
supply case or the double power supply case.
The diagram below shows how a single power source can be used with a redundant controller pair.
Rack options do not support two power supplies per controller in this case.
The configuration of POWERCONNOPT changes the way the RETENTIONTRIG block responds to
loss of external power. Behavior for configuration Single is summarized below.
l Loss of external power when POWERCONNOPT = Single
o The RETENTIONTRIG block in the non-redundant or primary controller reads the
External Power Good Signal from the configured connection. Parameter PWRGOOD1
indicates current status of the signal.
o If PWRGOOD1 is negated, then TIMETOSAVE1, previously initialized to
SAVEDELAY1, starts to count down. At any point in time, parameter TIMETOSAVE1
indicates the remaining time until data save.
o If the countdown expires, the block triggers platform services to do the retention save.
Control processing freezes for up to 40 seconds during the data save. Depending on
the configuration of FORCERESTART, it may also trigger the UOC to disable
synchronization if redundant and do a restart following the retention data save.
o If the PWRGOOD1 is asserted before TIMETOSAVE1 has reached zero, then no save is
done and TIMETOSAVE1 is reset to the configured delay value, SAVEDELAY1.
ATTENTION
RETENTIONTRIG block load with Dual2PerModule configuration results in load error when
the UOC rack does not have redundant power supplies.
With this power option, a separate power source is used for each power supply of a non-redundant
controller. Rack options do not support redundant controllers in this case. The connection
arrangement is illustrated by the diagram below.
ATTENTION
RETENTIONTRIG block load with Dual1PerModule configuration results in load error when
the UOC is configured as non-redundant.
With this power option, a separate power source is used for the power supply of each redundant
partner. The External Power Good signals, 1 or 2, are connected as prescribed by the Device Index
of each redundant partner.
o If PWRGOOD2 is negated, then the TIMETOSAVE2 starts counting down from its
initialization value of SAVEDELAY2.
a. If controller B with the even device index is a synchronized primary, the
primary triggers switchover without retention save when TIMETOSAVE2
reaches 0. If PWRGOOD2 is asserted before expiration of the count down, then
TIMETOSAVE2 is reset to SAVEDELAY2 without taking any action.
b. If controller B with the even device index is an unsynchronized primary, the
primary triggers retention save followed by a restart (depending on the
configuration of FORCERESTART) when TIMETOSAVE2 reaches 0. If
PWRGOOD2 is asserted before expiration of the count down, then
TIMETOSAVE2 is reset to SAVEDELAY2 without taking any action.
c. If controller B with the even device index is the secondary controller, the
primary controller A with the odd device index immediately disables and inhibits
synchronization without waiting for TIMETOSAVE2 to reach 0. The redundant
controller remains unsynchronized until external power is recovered for the
secondary controller.
The following subsections summarize the controller redundancy behavior that occurs for the
various RETENTIONTRIG power source connection options.
When a single power source is used for a redundant controller, loss of external power affects both
modules in the redundant controller pair.
Redundancy behaviors for this configuration on loss of external power are as follows.
l When the RETENTIONTRIG is configured with FORCERESTART = OFF:
o PWRGOOD1 is negated and TIMETOSAVE1 countdown expires.
o The primary controller performs a retention save. Control processing freezes for up to
40 seconds during the data save.
o The controllers remain in their previous synchronization state during the retention
save. If RESAVEPERIOD is non-NaN, additional retention saves continue to occur at
the RESAVEPERIOD until backup power has been exhausted or external power
recovers.
When a separate power source is used module associated with the power source experiencing the
loss of external power.
Redundancy behaviors for this configuration on loss of external power are as follows.
l Loss of external power to a synchronized primary.
o Assume that Controller A with the odd device index is the primary controller as a
starting condition to this sequence.
o PWRGOOD1 is negated and TIMETOSAVE1 countdown expires.
o The primary controller A triggers a switchover with no retention save.
o The original primary controller A restarts in the secondary role.
o The new primary controller B (with even device index) inhibits synchronization until
external power is restored to the secondary controller.
Parameters exposed on the configuration form of the RETENTIONTRIG block are described below.
For further information, see Parameter Reference Dictionary.
l POWERCONNOPT / “Power Conn. Option”
This parameter configures the behavior of the UOC upon loss of external power so that it is
appropriate for the power connectivity that has been established by the UOC deployment.
Possible values are Single, Dual2PerModule, and Dual1PerModule. The configuration of this
parameter affects whether configuration ports in boxes “Power Source 1” and “Power Source
2” are enabled for editing. When POWERCONNOPT = Single, only the ports of box “Power
Source 1” are enabled for editing. For further information, see section Power Connection
Options.
l DEVICEIDX / “Device Index”
This read-only parameter shows the FTE device index of the UOC in a redundant pair that is
currently executing as primary. Its value affects the data save behavior of the UOC when
POWERCONNOPT = Dual1PerModule. If DEVICEIDX is odd, the configuration in box “Power
Source 1” determines UOC behavior. If DEVICEIDX is even, the configuration in box “Power
Source 2” determines UOC behavior. For further information, see section Power Connection
Options.
l SAVEDELAY1 / Retention Save Delay(m), SAVEDELAY2 / Retention Save Delay(m)
These parameters configure the delay until first data save that starts counting down after the
corresponding external power source has gone bad. Units are in minutes. The default value for
each of these parameters is 10 minutes.
All the configuration parameters are exposed on the faceplate by default. Parameters PWRGOOD1
and PWRGOOD2 are exposed by default as pins for connection. They are read only parameters and
may not be stored directly.
Notice how the block shows an inversion bubble on the PWRGOOD1 pin when INVPWRGOOD1 is
set ON. The same applies for the PWRGOOD2 pin when INVPWRGOOD2 is set ON.
Critical monitoring parameters are exposed on the faceplate. The user can add further
configuration parameters to the monitor faceplate as needed.
The RETENTIONTRIG block supports a feature that makes it easier to test block configuration and
corresponding UOC retention save behaviors before a power loss occurs. This feature can be used
by an application engineer as part of validating the trigger strategy. Also, if so configured by an
application engineer, it can be used by an operator as a means to preview what a power loss event
would look like through system HMI.
l TESTDATASAVE
This is a read-only parameter which receives a signal by input connection from another block.
It would typically be used with connection to a FLAG block. When TESTDATASAVE transitions
from OFF to ON, it triggers a subset of the UOC’s data save behaviors without delay.
The FLAG block or other strategy used to assert TESTDATASAVE remains in the asserted state
until it is negated but only a single retention save is performed on the OFF to ON transition.
TESTDATASAVE must transition from ON to OFF to ON to trigger a new retention save.
Behaviors triggered by the OFF to ON transition of the TESTDATASAVE parameter are these:
l Save of data to retention NVS with accompanying freeze of control processing.
Note that when POWERCONNOPT = Dual1PerModule and the redundant pair is synchronized,
TESTDATASAVE assertion does not trigger switchover but instead triggers a retention save with
accompanying freeze of control processing.
l Report of the “Control Freeze for Retention Data Save” soft failure. The soft failure returns to
normal when the data save completes.
Note that, although some similar behaviors are associated with parameter TESTDATASAVE and
parameters PWRGOOD1 and PWRGOOD2, the two sets of parameters are completely independent.
Behaviors associated with PWRGOOD1 and PWRGOOD2 occur as specified regardless of whether
TESTDATASAVE is left in an ON or OFF state.
The diagram below shows how connections might look if TESTDATASAVE were enabled in the
trigger CM. A connection to PWRGOOD1 or both PWRGOOD1 and PWRGOOD2 always exists when
the RETENTIONTRIG block is used. When TESTDATASAVE is used, there is typically also a
connection from a FLAG block to the TESTDATASAVE input pin.
If there is a switchover after loss of external power and before retention save, or if there is a
switchover during the count down to a data save that is to be repeated, the following applies:
l The new primary resumes the countdown from where the old primary left off rather than
starting the count over again.
l In the case of the first save, this means that TIMETOSAVE1 and TIMETOSAVE2 resume their
countdowns rather than starting over.
l In the case of a save to be repeated, this means that TIMETORESAVE resumes its countdown
rather than starting the count over again.
If the user changes the SAVEDELAY during countdown to save, the behavior will be as follows:
l If the new value is less than TIMETOSAVE, then SAVEDELAY will be set to the new value and
TIMETOSAVE will be adjusted to the new value. (The rationale is that the user might have
identified a need to initiate the operation sooner than was configured earlier.)
l If the new value is greater than TIMETOSAVE, then TIMETOSAVE will not be adjusted to the
new value, but SAVEDELAY will be set to the new value.
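The countdown behavior described earlier for POWERCONNOPT = Single, together with the SAVEDELAY-change rule above, can be stepped through minute by minute to check a planned configuration against the expected backup duration. The Go model below is an added example, not the RETENTIONTRIG implementation: the one-minute tick, the `Simulate` and `SaveMinutes` names and the sample timelines are assumptions, the up-to-40-second control freeze is not modelled, and a timeline simply ends when backup power is exhausted.

```go
package main

import (
	"fmt"
	"math"
)

// Config mirrors the RETENTIONTRIG parameters used with POWERCONNOPT = Single.
type Config struct {
	SaveDelay1   int     // SAVEDELAY1, minutes (guide default: 10)
	ResavePeriod float64 // RESAVEPERIOD, minutes; NaN means no repeated saves
	ForceRestart bool    // FORCERESTART; when ON, repeated saves are not possible
}

// Event records something the block did at a given minute.
type Event struct {
	Minute int
	Save   bool
	Note   string
}

type state int

const (
	normal   state = iota // external power good
	counting              // PWRGOOD1 negated, TIMETOSAVE1 counting down
	saved                 // first retention save done, still on backup power
)

// Simulate steps once per minute. pwrGood[i] is PWRGOOD1 at minute i and the
// slice ends when backup power runs out. writes maps a minute to a new
// SAVEDELAY1 value stored by a user at that minute.
func Simulate(cfg Config, pwrGood []bool, writes map[int]int) []Event {
	var ev []Event
	st := normal
	tts := cfg.SaveDelay1 // TIMETOSAVE1, initialised to SAVEDELAY1
	ttr := math.NaN()     // TIMETORESAVE, unused until the first save
	resave := !cfg.ForceRestart && !math.IsNaN(cfg.ResavePeriod)
	for m, good := range pwrGood {
		// 1. Advance the timers for this minute.
		switch {
		case good:
			if st != normal {
				ev = append(ev, Event{m, false, "PWRGOOD1 asserted, timers reset"})
			}
			st, tts = normal, cfg.SaveDelay1
		case st == normal:
			st = counting
			ev = append(ev, Event{m, false, "PWRGOOD1 negated, countdown starts"})
		case st == counting:
			tts--
		case resave: // st == saved
			ttr--
		}
		// 2. A store to SAVEDELAY1: during a countdown only a smaller value
		//    changes TIMETOSAVE1; SAVEDELAY1 itself always takes the new value.
		if nv, ok := writes[m]; ok {
			if st != counting || nv < tts {
				tts = nv
			}
			cfg.SaveDelay1 = nv
		}
		// 3. Act on an expired countdown.
		switch {
		case st == counting && tts <= 0:
			note := "retention save"
			if cfg.ForceRestart {
				note = "retention save, then restart"
			}
			ev = append(ev, Event{m, true, note})
			st, ttr = saved, cfg.ResavePeriod
		case st == saved && resave && ttr <= 0:
			ev = append(ev, Event{m, true, "repeated retention save"})
			ttr = cfg.ResavePeriod
		}
	}
	return ev
}

// SaveMinutes lists the minutes at which a retention save was triggered.
func SaveMinutes(ev []Event) []int {
	var out []int
	for _, e := range ev {
		if e.Save {
			out = append(out, e.Minute)
		}
	}
	return out
}

func main() {
	// Constructed timeline: power lost at minute 0, backup lasts 8 minutes.
	lost := make([]bool, 8)
	def := Config{10, math.NaN(), false}
	fmt.Println("default 10 min delay:", SaveMinutes(Simulate(def, lost, nil)))
	fmt.Println("delay cut to 2 at minute 3:",
		SaveMinutes(Simulate(def, lost, map[int]int{3: 2})))
	for _, e := range Simulate(Config{3, 5, false}, make([]bool, 12), nil) {
		fmt.Printf("minute %2d: %s\n", e.Minute, e.Note)
	}
}
```

With the default 10-minute delay and an 8-minute backup, the first run reports no save at all, which is the case the guide warns about when defaults are left unchanged.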
Only one RETENTIONTRIG block instance is allowed to be loaded to a UOC controller. If the
application engineer configures more than one RETENTIONTRIG instance, then load of the second
instance onward fails.
If the application engineer attempts to load a trigger CM in which the RETENTIONTRIG block does
not have connections established to the necessary Power Good pins, then activation after load
fails. More specifically, this means the following:
l POWERCONNOPT = Single
If PWRGOOD1 is not connected, activation after the load fails.
l POWERCONNOPT = Dual2PerModule
Unless both PWRGOOD1 and PWRGOOD2 are connected, activation after the load fails.
l POWERCONNOPT = Dual1PerModule
Unless both PWRGOOD1 and PWRGOOD2 are connected, activation after the load fails.
During normal operation, a UOC has its CEE in the Run state. However, if CEESTATE is changed
from Run to Idle after external power has been lost, then the countdown timing continues while
the CEE is in Idle. More specifically, this means the following:
l If a countdown starts before the UOC goes to Idle and the backup capacity of the Power Source
runs out during Idle, then the UOC shuts down with no data having been saved to retention
NVS.
l If a countdown starts before the UOC goes to Idle and then the UOC’s CEE is returned to Run
before the backup capacity of the Power Source runs out, then the countdown continues.
Data save occurs either at expiration of the countdown, or immediately upon transition to Run
if the countdown expired during Idle. Alternatively, if external power has been recovered by the
time of transition to Run, then the countdown is reset and no data save occurs.
The above descriptions apply equally to the countdown to first data save associated with
TIMETOSAVE1 and TIMETOSAVE2, and to the countdown to resave associated with
TIMETORESAVE.
During normal operation, EXECSTATE of the trigger CM is Active. However, if its EXECSTATE is
changed from Active to Inactive after external power has been lost, then the countdown timing
continues while the CM is in Inactive. More specifically, this means the following.
l If a countdown starts before the CM goes Inactive and the backup capacity of the Power
Source runs out during Inactive, then the UOC shuts down with no data having been saved to
retention NVS.
l If a countdown starts before the CM goes Inactive and then the CM is returned to Active before
the backup capacity of the Power Source runs out, then the countdown continues. Data
save occurs either at expiration of the countdown, or immediately upon transition to Active if
the countdown expired during Inactive. Alternatively, if external power has been recovered by
the time of transition to Active, then the countdown is reset and no data save occurs.
The above descriptions apply equally to the countdown to first data save associated with
TIMETOSAVE1 and TIMETOSAVE2, and to the countdown to resave associated with
TIMETORESAVE.
To load a configuration change to a ControlEdge 900 IOM, the IOM must be inactivated, during
which time any existing active IOPOINTs go to their inactive state. If the CE900 IOM to be
inactivated has an existing IOPOINT for the RETENTIONTRIG block’s PWRGOOD1 or PWRGOOD2,
the PWRGOOD1/PWRGOOD2 parameter goes OFF. When the associated
INVPWRGOOD1/INVPWRGOOD2 is OFF, this results in false detection of external power loss,
because the normal good state of PWRGOOD1/PWRGOOD2 (ON) transitions to OFF on IOM
reconfiguration. It is recommended to inactivate the CM containing the RETENTIONTRIG block
when reconfiguring IOMs that have IOPOINTs for the PWRGOOD1/PWRGOOD2 inputs.
ATTENTION
It is recommended to inactivate the CM containing the RETENTIONTRIG block when
reconfiguring IOMs that have IOPOINTs for the PWRGOOD1/PWRGOOD2 inputs to prevent
false detection of external power loss on IOM inactivation.
NOTE
UOC supports only Auto Negotiate mode. Ensure all the devices in the ring are set to
Auto Negotiate mode.
NOTE
A restart is required if there is a change in Connection Type after loading the
configuration into the controller, either from HSR/PRP/non-redundant to DLR or vice
versa. To restart, on the Main tab, under the Command / State section, select Restart
from the Module Command drop-down list.
5.14.1 Prerequisites:
l Control Builder is running and project/monitor tree windows are open.
l A redundant partner UOC is properly installed at the even device index.
l The UOC hardware and firmware must be identical for both controllers in a redundant pair.
5.15.1 Prerequisites
l Control Builder is running and project/monitor tree windows are open.
l Make sure that the current primary UOC is physically configured with the odd Device Index. If
not, enable synchronization, wait for initial-sync to complete, and manually command
switchover.
NOTE
I/O Analog/Digital point(s) License and Composite Device Point(s) License are applicable
only for UOC system.
NOTE
Process Point license is not applicable for UOC and won’t be counted on any entities.
NOTE
Unassigned channels are not counted against I/O Analog/Digital point(s) license.
NOTE
Users migrating from R510 need to perform the Load Server Points operation from the monitoring
side of Control Builder. This operation needs to be performed after migration.
NOTE
The maximum number of I/O connections per device should not exceed 250 connections.
CHAPTER
6 LOAD CONFIGURATION
This section includes information about tasks associated with loading UOC configuration using
Control Builder.
An important difference between the Project and Monitoring views of UOC data is that any change
to the Project view is stored in the off-line repository whereas any change to the Monitoring view
is stored directly to the controller.
The following commands are included in the Control Builder Controller menu to synchronize data
in the loaded database with the data in the Project/master database.
l Upload/Update to Project: This command applies only to the block which has been selected. It
gives options to cause data within the controller and/or server to be uploaded to the Monitor
database and then, if desired, to be updated from the Monitor database to the Project
database.
l Upload/Update to Project with Contents: This command provides the same upload and update
options as the above command but applies to the selected block and all of its child blocks.
Both commands invoke the Load Dialog box. The Load command applies only to the selected block
whereas the “Load with Contents” command applies to the selected block and all of its child blocks.
The following figure shows a sample Load Dialog box invoked for a load with contents operation for
a CPM. It provides a brief description of the dialog box features for quick reference. The
appearance of the dialog box will vary depending on the current load circumstances such as
whether this is an initial load or a re-load operation.
CAUTION
The load operation is inherently an offline function. The Load Dialog box provides the ability
to automatically inactivate a component during a load and then return the component to its
active state. Do not use this automatic inactivate/activate function if your process cannot
tolerate a temporary suspension of control processing. If such is the case, first make sure
the process units to be affected are put into a state where they can tolerate the temporary
suspension of control.
For more information, see Setting system preferences section in the Control Building User's Guide.
* Please refer to the Control Building Guide for more information about
loading these components.
NOTE
Loading the UOC platform block from project without contents will
load the associated CEE block. All blocks must be configured before
loading.
ATTENTION
Changes to parameters in the controller can be made from the Monitoring tab. See the
Changing Parameters while Monitoring section in the Control Building Guide.
2. Click Tools > Load. Or, click the load button in the toolbar.
You can also right-click on the UOC block icon to select Load. The Load Dialog box is
displayed.
Ensure that for a redundant controller both primary and secondary blocks are loaded.
NOTE
Selecting the UOC block for load, automatically selects the associated CEE block.
3. Ensure the Load check box is checked and click the OK button.
4. This initiates the load to the UOC and calls up the load progress dialog.
TIP
If errors are detected, they will be displayed in the Load progress dialog and you will
be asked if you want to continue the load or cancel, depending on the nature of the
error. It is recommended that you cancel the load and identify and fix the errors.
Each message contains a brief description and includes an error code in
parentheses. Note the last number in the string. In some cases, more information
about the code number may be included in the Control Builder Notifications
Reference document.
5. After the load completes and the dialog box closes, click the Monitoring tab.
6. The UOC icon now appears in the Monitoring tab. The default state for a loaded UOC is IDLE
(color code blue).
7. Repeat this procedure for other control components as required.
3. Click Tools > Load. Or, click the load button in the toolbar.
4. This calls up the Load Dialog box.
5. Ensure the Load check box is checked and click OK.
6. This initiates the load to the CEE block and calls up the load progress dialog.
TIP
If errors are detected, they will be displayed in the Load progress dialog and you will
be asked if you want to continue the load or cancel, depending on the nature of the
error. It is recommended that you cancel the load and identify and fix the errors.
The following illustration shows how error messages are typically displayed. Each
message includes an error code in parentheses. Note the last number in the string.
In some cases, more information about the code number may be included in the
Control Builder Notifications Reference document.
7. Once the load completes and the dialog box closes, click the Monitoring tab.
8. The CEE icon now appears in the Monitoring tab. The default state for a loaded CEE is
inactive/idle (color code blue).
9. Activate CEE to set the CEE to its RUN state. When this happens, the UOC Platform Block
proceeds to its CEERUN state.
10. The CEE icon turns green when active.
11. Repeat this procedure for other control components as required.
Block to be Re-Loaded | Conditions or Restrictions
UOC with Contents
• The following blocks are re-loaded unless they are de-selected in the Load dialog.
• UOC Block
• The CM is ACTIVE.
Each command lets the user choose whether controller and server data is uploaded only to the
Monitoring side of the ERDB or is also updated on the Project side of the ERDB.
Refer to the Using Upload Command section in the Control Building Guide for procedures to
upload component data.
CHAPTER
This document covers characteristics of the CEE blocks which represent 900 I/O modules and
interface adaptors. It does not describe the characteristics of I/O Points, I/O Reference blocks or
other objects used directly within CEE control strategies to interface to 900 I/O. For information
on I/O Points and I/O References, see the Control Builder Components Theory guide.
The physical EPM and I/O modules used by the UOC are the same as those used with the
ControlEdge PLC product.
Chapter 7 - ControlEdge 900 I/O Device Connectivity
NOTE
For the AI16-100MS module, the model number should be 900A16-0103 and the firmware version
should be 1.39 to support the 100 ms scan rate.
NOTE
The table below shows the model number mismatch between the I/O module hardware and
what the I/O module reports.
R510 X X X
R510 X X X
R510 X X X X X X X X
The UOC must always be enabled as a DHCP server to communicate with 900 I/O through EPMs in
remote racks.
The Connection Type is configured as "Non-redundant" when connecting to a downlink
EtherNet/IP network through ETAPs. It is configured as "Ring-HSR" when connecting to a
downlink network with 900 I/O only.
7.3.1 Rules
• Assignment is restricted to non-redundant UOCs. In other words, a CONTR_RACK can only be
assigned to a non-redundant controller.
• Enabling redundancy is prohibited while a CONTR_RACK is assigned to the UOC.
• There can be only one CONTR_RACK per UOC.
• The CONTR_RACK’s rack number is always zero and cannot be changed.
• The CONTR_RACK cannot contain more I/O modules than the rack type indicates.
• The rack type cannot be changed to a lesser value while the CONTR_RACK contains more I/O
modules than the current rack type.
• The rack type can be changed to a greater value at any time without restriction but must be
reloaded to apply the change.
After it is configured, the CONTR_RACK can be found in the project view under “Unassigned”. To
assign the CONTR_RACK, drag the block into the UOC’s CEE. If an I/O group doesn’t yet exist
under the CEE, it will be created automatically.
As stated in the rules section, the rack number is always static for the Controller Rack. The rack
type must be set to match the physical hardware.
NOTE
It is the user’s responsibility to ensure that the configured rack type and the physical rack
type match.
See the Installation documentation for information regarding the setting of the rotary switches on
the EPM module.
7.4.1 Rules
• There can be up to twelve I/O RACKs per UOC.
• An I/O RACK must have a unique rack number when assigned to a UOC.
• Attempting to load with a default rack number of “blank” will be rejected.
• The I/O RACK cannot contain more I/O modules than the rack type indicates.
• The rack type cannot be changed to a lesser value while the I/O RACK contains more I/O
modules than the current rack type.
• The rack type can be changed to a greater value at any time without restriction but must be
reloaded to apply the change.
• An I/O Rack moved to unassigned will retain its rack number and child modules.
In the Library Containment panel, expand the CE900_I/O group, and drag and drop the I/O_RACK
item on to a UOC’s CEE.
Error | Possible Cause(s) | User Recommended Action(s)
I/O Rack soft failures/alarms
EPM is not present
• Check EPM is installed in the rack.
• Check EPM is powered on.
No Response
EPM is offline
• Check rack number is configured on the EPM. It must match the physical rack number.
• Ensure that the communication pathway between UOC and EPM is properly connected
and not broken. See the installation guide for proper connectivity.
7.5.1 Rules
• The associated rack number is set automatically to the parent rack number it is assigned to and
is automatically changed on reassignment.
• The slot number must be unique within that parent rack.
• The slot number cannot be greater than the rack type of the current or targeted parent rack.
• If the I/O module is unassigned, the slot number is retained.
• When an I/O module is moved to unassigned, its rack number will be set to blank.
From the “Library – Containment” panel, under the CE900_I/O group, drag and drop the desired
module on to the target rack.
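The rules in sections 7.3.1, 7.4.1 and 7.5.1 can be checked offline against an inventory of racks and modules before a load is attempted. The following is an added example, not Honeywell code or part of the original guide; the `Uoc`, `Rack` and `Module` records, and treating the rack type as an integer slot count, are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_IO_RACKS_PER_UOC = 12  # 7.4.1: up to twelve I/O RACKs per UOC


@dataclass
class Module:
    name: str
    slot: int


@dataclass
class Rack:
    name: str
    kind: str                   # "CONTR_RACK" or "I/O_RACK"
    rack_type: int              # assumption: rack type expressed as a slot count
    rack_number: Optional[int]  # None models the default "blank" rack number
    modules: List[Module] = field(default_factory=list)


@dataclass
class Uoc:
    name: str
    redundant: bool
    racks: List[Rack] = field(default_factory=list)


def lint_uoc(uoc: Uoc) -> List[str]:
    """Return one finding per violated rule; an empty list means no rule is broken."""
    findings: List[str] = []
    contr = [r for r in uoc.racks if r.kind == "CONTR_RACK"]
    io_racks = [r for r in uoc.racks if r.kind == "I/O_RACK"]

    # 7.3.1: non-redundant UOC only, one CONTR_RACK per UOC, rack number always zero.
    if contr and uoc.redundant:
        findings.append(f"{uoc.name}: CONTR_RACK assigned to a redundant UOC")
    if len(contr) > 1:
        findings.append(f"{uoc.name}: more than one CONTR_RACK")
    for rack in contr:
        if rack.rack_number != 0:
            findings.append(f"{rack.name}: CONTR_RACK rack number must be 0")

    # 7.4.1: rack count limit, no blank rack number, rack numbers unique per UOC.
    if len(io_racks) > MAX_IO_RACKS_PER_UOC:
        findings.append(
            f"{uoc.name}: {len(io_racks)} I/O racks, limit is {MAX_IO_RACKS_PER_UOC}")
    numbers: Dict[int, str] = {}
    for rack in io_racks:
        if rack.rack_number is None:
            findings.append(f"{rack.name}: blank rack number, load will be rejected")
        elif rack.rack_number in numbers:
            findings.append(f"{rack.name}: rack number {rack.rack_number} "
                            f"already used by {numbers[rack.rack_number]}")
        else:
            numbers[rack.rack_number] = rack.name

    # 7.3.1, 7.4.1, 7.5.1: module count and slot numbers bounded by rack type; slots unique.
    for rack in uoc.racks:
        if len(rack.modules) > rack.rack_type:
            findings.append(
                f"{rack.name}: {len(rack.modules)} modules in a {rack.rack_type}-slot rack")
        slots: Dict[int, str] = {}
        for module in rack.modules:
            if module.slot > rack.rack_type:
                findings.append(
                    f"{module.name}: slot {module.slot} exceeds rack type {rack.rack_type}")
            if module.slot in slots:
                findings.append(
                    f"{module.name}: slot {module.slot} already used by {slots[module.slot]}")
            else:
                slots[module.slot] = module.name
    return findings


def constructed_sample() -> Uoc:
    """Constructed inventory (not from a real system) that breaks five rules."""
    return Uoc("UOC_B", redundant=True, racks=[
        Rack("CR0", "CONTR_RACK", 4, 0),
        Rack("RACK_A", "I/O_RACK", 4, None),
        Rack("RACK_B", "I/O_RACK", 4, 3,
             [Module("AI_1", 2), Module("DI_1", 2), Module("DO_1", 5)]),
        Rack("RACK_C", "I/O_RACK", 4, 3),
    ])


if __name__ == "__main__":
    for finding in lint_uoc(constructed_sample()):
        print(finding)
```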
7.6 Channel
1. Open the module properties by either double clicking the module in the “Project –
Assignment” panel or by right-clicking the module and selecting “Module Properties...”.
2. Select the tab labeled “Channel Configuration”.
3. Select the channel type from the combo box in the “Channel Point Type” column.
This method provides the added benefit of setting Channel Type for multiple channels at
once. To select multiple channels, hold the Shift key while selecting the desired channels.
Release the shift key and right-click any of the selected channels to access the “Channel
AO Channel Configuration
See the Parameter Reference Dictionary for more information on parameters/configurable fields.
If Fault Option is set to UserFaultValue, you must specify the Fault Value.
AO Channel Monitoring
AI Channel Configuration
See the Parameter Reference Dictionary for more information on parameters/configurable fields.
This figure does not show all the configuration parameters for the AI channel.
AI Channel Monitoring
DO Channel Configuration
See the Parameter Reference Dictionary for more information on parameters/configurable fields.
DO Channel Monitoring
DI Channel Configuration
See the Parameter Reference Dictionary for more information on parameters/configurable fields.
DI Channel Monitoring
Module Type Mismatch
The configured module type does not match the type physically installed in the slot.
Check the installed I/O module on the I/O rack and the configuration. Then replace the I/O module if the type of the installed module is not expected, or change the I/O module type in the configuration if the configured type is not correct.
I/O module type mismatch

Watchdog Reset
Internal module Watchdog Timer timeout
Restart the I/O module by powering it off and powering it back ON. Replace I/O module if error persists.
Open Wire Detected
The field device (Analog/Digital Input or Digital Output) connection to the I/O module is open.
• Check field connections and ensure device is properly connected to the I/O Module.
• Make sure necessary signal conditioning resistors for OWD are used and connected as specified.
• Fix any connection issues found, or disable OWD.

Short Circuit Detected
The field device (Digital Output) connection to the I/O module is shorted.
Check field cable and device for a short circuit. Investigate and fix the connection.

I/O Hardware Failure
Internal Hardware fault
Replace I/O module and call GTAC

Failure in OP circuit/field wiring detected
Analog/Digital output channel is unable to drive desired output current to the connected device.
• Check field connections from I/O module terminals to the device and fix if necessary.
• If field connection is correct and the problem persists, work with GTAC to replace the module.

Burnout Detected
The field device (Thermocouple/RTD/millivolt source) connect to I/O module is open.
Check field connections from I/O module terminals to the device and fix it.
7.7.1 Maintenance
Displays firmware versions, hardware revision and hardware model number. This form is static.
For common Configuration/Monitoring tabs applicable to all modules, see Common CE900 Module
Configuration/Monitoring Tab.
See the Parameter Reference Dictionary for more information on parameters/configurable fields.
For tabs specific to a module type, see below:
Maintenance Tab
QVCS Tab
Identification Tab
DI Configuration Tab
Main Tab
AI Configuration Tab
Main Tab
DI Configuration Tab
Main Tab
Main Tab
DI Configuration Tab
Main Tab
Main Tab
DI Configuration Tab
Main Tab
Main Tab
AO Configuration Tab
Main Tab
AI Configuration Tab
Main Tab
AO Configuration Tab
Main Tab
DI Configuration Tab
• Open Wire
• ON
• OFF
• Short Circuit
To enable NAMUR support on the UIO DI channel, select the NAMUR Enable
parameter on the “DI configuration tab”.
CHAPTER
The UOC controller supports EtherNet/IP device connectivity. The EtherNet/IP interface facilitates a
comprehensive integration between UOC controllers and the EtherNet/IP compatible nodes and
I/O devices. This integration also supports accessing User-Defined Tags (UDT) from the
ControlLogix control system, and referencing the tags in Experion strategies (for read and write
operations).
To enable easy integration between UOC and the ControlLogix control system, Control Builder
provides options to create data blocks that match the various ControlLogix UDT structures.
Control Builder also provides options to create new I/O block types for EtherNet/IP compatible I/O
devices.
NOTE
During a switchover, the UOC holds the last value for a maximum of 3 seconds. During this
period, it reconnects to the EtherNet/IP I/O devices. If, for reasons such as third-party
issues or network issues, the reconnection from the new primary UOC controller is not
completed within 3 seconds, an alarm is raised.
Note that the Configuring ArmorPoint I/O module blocks section describes a specific
example. You can use a similar procedure to configure modular I/O blocks of other types.
Note that Configuring PowerFlex drive blocks describes a specific example. You can use a
similar procedure to configure drives of other types.
Note that Configuring E3 relay blocks describes a specific example. You can use a similar
Chapter 8 - EtherNet/IP Device Connectivity
3. Set the slot number of the device or I/OM to 0 to assign the generic device to slot 0.
1. Click File > New > Ethernet IP Devices > GenAdapter-EtherNet/IP Generic Adapter.
2. The GenAdapter configuration form appears.
For a non-consolidated connection, the Target > Originator RPI and Originator > Target
RPI are disabled, and these options are enabled in the I/OM block under the GenAdapter.
3. On the Main tab, specify the details for the adapter block, which include the following:
• Tag Name — For example, GENADAPTER_200
• IP address of the device — For example, 11.1.11.91. For more information about
configuring the IP address of the adapter, see “Configuring the IP address of an
EtherNet/IP device”.
• Chassis Size
ATTENTION
An attempt to communicate with the I/O module may fail if the chassis size entered
does not match the physical configuration.
Therefore, ensure that the chassis size matches the number of physically
installed I/O modules plus the adapter (chassis size = number of I/O modules + one for
the adapter).
For example, if the number of I/O modules is 10, the chassis size must be 11.
4. If you want to consolidate connections for a group of I/O modules which are assigned to the
adapter, under Network Configuration, select the Consolidate Connections check box.
5. For more information about Consolidating connections, see “Consolidate connections”.
6. If you select the Consolidate Connections option, type the following details for the Requested
Packet Interval (RPI). RPI specifies the rate at which data is updated during a connection. The
RPI specified is applicable for all the I/O modules associated to the adapter.
• Target > Originator RPI (ms) — For example, 100
• Originator > Target RPI (ms) — For example, 100
7. The Name is specified when the adaptor block is used in a C300 to configuration. When used
in a UOC configuration, it is left blank.
8. Complete the required details on all the other tabs and click OK. For more information about
the parameters on the Main tab and the other tabs, see Control Builder Parameter Reference.
Results
The GenAdapter is configured and appears in the Unassigned category of the Project Tree.
Next steps
After creating the adapter block, you must assign it to the CEE. For more information, see
Assigning EtherNet/IP GenAdapter to the CEE UOC block.
Consolidate connections
The GenAdapter provides the Consolidate Connections feature which is also referred to as Rack
Connections or Gateway Connections.
This feature consolidates connections for a set of I/O Modules and releases a single connection
instead of creating one connection per I/O Module. The data for all I/O Modules participating in a
Consolidate Connection is communicated on a single connection which reduces the number of
packets on the network, and hence optimizes the usage of network bandwidth.
You can enable this feature using the GenAdapter block configuration form.
To enable the Assembly connection feature, select the Consolidate Connections check box on the
adapter block configuration form. If you select this option, also provide the Requested Packet
Interval (RPI) details. RPI is used to indicate the rate at which the data is updated when connected.
The RPI details will be applicable for all the I/O modules which are assigned to the adapter.
Ensure that the RPI value is a multiple of the base cycle of the controller. If that is not the case, a
warning message informing you that the value is clamped appears during loading.
Assembly Configuration for Consolidate Connection
An Assembly Configuration consists of Connection Parameters and the Slot Assembly Map.
Connection Parameters consist of the Assembly Instance Number and the Size (Bytes) of Config,
Input and Output Assemblies. The Slot Assembly Map consists of data byte, bit offsets and bit sizes
of Input and Output Assembly data produced and consumed by the EtherNet/IP Adapter. Assembly
Configuration values for a specific family of EtherNet/IP adapter will be provided in the User
Manual of the Adapter. Project Engineers must update the values carefully after reading the User
Manual.
To configure the assembly configuration for the consolidated connection, follow these steps:
1. After you have configured the consolidated connection to the EtherNet/IP GenAdapter, select
the Assembly Configurations tab.
NOTE
The EtherNet/IP GenAdapter supports only zero configuration size for consolidate
connection.
Field | Description
Connection Parameters
Bit offset (input) | Enter the bit offset for input of I/O module.
Bit size (input) | Enter the bit size for input of I/O module.
1. After configuring the consolidated connection to the EtherNet/IP GenAdapter, click the Slot
Status Configurations tab.
2. Enter information in the Slot Status configuration details as listed below. Every parameter on
this table helps you program how to determine communication failure with a module in the
chassis when participating in an assembly/gateway or adaptor connection.
Fields | Description
Enable Slot Status Processing | Select this to enable the slot status processing.
Data type | Select the data type of the slot status as defined by the vendor manual.
Byte offset | Enter the byte offset of input for I/O module.
Bit offset | Enter the bit offset of input for I/O module.
Good value | Enter the good value for the specific slot.
Current value | Is the value per the defined data type picked from the specified Byte and Bit offsets. It is then compared with the good value and, depending upon the comparison (equal or unequal), the I/OM in a slot is informed whether or not it faces a diagnostic, which in this case is communication failure.
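The Current value / Good value comparison described in the table above can be pictured as follows. This is an added example, not Honeywell's implementation or code from the original guide: the data type names, little-endian byte order, the use of the bit offset only for single-bit values, and "equal to the good value means healthy" are all assumptions, and the real layout must come from the adapter vendor's manual.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Iterable

# Assumed data type names; the real list comes from the adapter vendor's manual.
_FORMATS = {"USINT": "<B", "UINT": "<H", "UDINT": "<I"}


@dataclass(frozen=True)
class SlotStatus:
    slot: int
    enabled: bool      # Enable Slot Status Processing
    data_type: str     # "BOOL" or a key of _FORMATS
    byte_offset: int
    bit_offset: int
    good_value: int


def current_value(assembly: bytes, cfg: SlotStatus) -> int:
    """Extract the Current value; raise ValueError instead of reading out of bounds."""
    if cfg.byte_offset < 0 or not 0 <= cfg.bit_offset <= 7:
        raise ValueError("offset out of range")
    if cfg.data_type == "BOOL":
        if cfg.byte_offset >= len(assembly):
            raise ValueError("byte offset beyond input assembly")
        return (assembly[cfg.byte_offset] >> cfg.bit_offset) & 1
    fmt = _FORMATS.get(cfg.data_type)
    if fmt is None:
        raise ValueError(f"unknown data type {cfg.data_type}")
    if cfg.bit_offset != 0:
        # Assumption of this sketch: multi-byte values are byte aligned.
        raise ValueError("bit offset is only used with BOOL in this sketch")
    if cfg.byte_offset + struct.calcsize(fmt) > len(assembly):
        raise ValueError("value extends beyond input assembly")
    return struct.unpack_from(fmt, assembly, cfg.byte_offset)[0]


def evaluate_slots(assembly: bytes, configs: Iterable[SlotStatus]) -> Dict[int, str]:
    """Map each enabled slot to OK, COMM_FAILURE, or a CONFIG_ERROR description."""
    result: Dict[int, str] = {}
    for cfg in configs:
        if not cfg.enabled:
            continue  # slot status processing switched off for this slot
        try:
            value = current_value(assembly, cfg)
        except ValueError as exc:
            # A short assembly or a wrong offset must not pass as a healthy slot.
            result[cfg.slot] = f"CONFIG_ERROR: {exc}"
            continue
        result[cfg.slot] = "OK" if value == cfg.good_value else "COMM_FAILURE"
    return result


# Constructed 4-byte input assembly and slot map (not taken from any real adapter).
CONSTRUCTED_ASSEMBLY = bytes([0b00000101, 0x00, 0x34, 0x12])
CONSTRUCTED_SLOTS = [
    SlotStatus(1, True, "BOOL", 0, 0, 1),
    SlotStatus(2, True, "BOOL", 0, 1, 1),
    SlotStatus(3, True, "UINT", 2, 0, 0x1234),
    SlotStatus(4, True, "UDINT", 2, 0, 0),
    SlotStatus(5, False, "BOOL", 0, 2, 1),
]

if __name__ == "__main__":
    for slot, state in evaluate_slots(CONSTRUCTED_ASSEMBLY, CONSTRUCTED_SLOTS).items():
        print(slot, state)
```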
Prerequisites
• The default IP address of the device
• Web browser
Results
The IP address of the device is configured.
Prerequisites
• Install the GenAdapter I/O device.
ATTENTION
You can also create an instance of the device by using a template from the library.
3. On the Main tab, specify the required details which include the following:
• Tag name — For example, 1738E_IB16M_1234
• Item Name — For example, Armorpoint_IB16M_1234
• IP address of the device — Type the required IP address of the device. For example,
10.10.10.1.
4. For more information about configuring the IP address of the adapter, see Configuring the IP
address of an EtherNet/IP device.
5. Specify the Requested Packet Interval (RPI) values. RPI specifies the rate at which data is
updated when connected.
ATTENTION
If the RPI value does not adhere to the following, then the value will be rounded
down to the nearest base cycle and this warning will be displayed while loading:
• Ensure that the RPI value is a multiple of the base cycle of the controller and in
multiples of 50.
• Ensure that you enter a value in the following range for ArmorBlock I/O
modules — 50 ms and 750 ms.
ATTENTION
• For ArmorBlock 1732E-IF4M12, the Originator > Target RPI value must be 500
ms or 750 ms.
• For ArmorBlock 1732E-IT4IM1, the Originator > Target RPI value must be 500
ms or 750 ms.
6. If the EtherNet/IP I/O communication is through EIM, select the EIM Name through which
the EtherNet/IP I/O communication will happen.
7. Complete the required details on all the other tabs and click OK. For more information about
the other tabs, see the “Channel Configuration tab” and “Alarms tab” sections in the Control
Building User’s Guide.
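The chassis size rule for the GenAdapter and the RPI rules for consolidated connections and I/O blocks can be checked before a load, so that a clamped or rounded-down value is a known outcome and not a surprise in the load dialog. This is an added example, not Honeywell code or part of the original guide; the record types, the `armorblock` flag and the 50 ms base cycle used in the sample calls are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

IO_BLOCK_RPI_STEP_MS = 50             # I/O block RPI "in multiples of 50"
ARMORBLOCK_RPI_RANGE_MS = (50, 750)   # range stated for ArmorBlock I/O modules
FIXED_OT_RPI_MS = {                   # models limited to 500 ms or 750 ms
    "1732E-IF4M12": (500, 750),
    "1732E-IT4IM1": (500, 750),
}


@dataclass
class GenAdapter:
    tag: str
    chassis_size: int
    io_module_count: int
    consolidate: bool
    to_rpi_ms: Optional[int] = None   # Target > Originator RPI
    ot_rpi_ms: Optional[int] = None   # Originator > Target RPI


@dataclass
class IoBlock:
    tag: str
    model: str
    armorblock: bool                  # assumption: family recorded per block
    to_rpi_ms: int
    ot_rpi_ms: int


def loaded_rpi(rpi_ms: int, base_cycle_ms: int) -> int:
    """RPI after rounding down to a whole number of base cycles."""
    return (rpi_ms // base_cycle_ms) * base_cycle_ms


def _rpi_findings(tag, label, rpi_ms, base_cycle_ms, step_ms=None) -> List[str]:
    if rpi_ms <= 0:
        return [f"{tag}: {label} RPI must be positive"]
    if rpi_ms % base_cycle_ms != 0:
        return [f"{tag}: {label} RPI {rpi_ms} ms is not a multiple of the "
                f"{base_cycle_ms} ms base cycle; would load as "
                f"{loaded_rpi(rpi_ms, base_cycle_ms)} ms"]
    if step_ms is not None and rpi_ms % step_ms != 0:
        return [f"{tag}: {label} RPI {rpi_ms} ms is not a multiple of {step_ms} ms"]
    return []


def check_adapter(a: GenAdapter, base_cycle_ms: int) -> List[str]:
    findings: List[str] = []
    expected = a.io_module_count + 1   # one extra position for the adapter itself
    if a.chassis_size != expected:
        findings.append(f"{a.tag}: chassis size {a.chassis_size}, expected {expected}")
    if a.consolidate:   # adapter-level RPIs apply only to consolidated connections
        for label, rpi in (("Target > Originator", a.to_rpi_ms),
                           ("Originator > Target", a.ot_rpi_ms)):
            if rpi is None:
                findings.append(f"{a.tag}: {label} RPI missing")
            else:
                findings += _rpi_findings(a.tag, label, rpi, base_cycle_ms)
    return findings


def check_io_block(b: IoBlock, base_cycle_ms: int) -> List[str]:
    findings: List[str] = []
    low, high = ARMORBLOCK_RPI_RANGE_MS
    for label, rpi in (("Target > Originator", b.to_rpi_ms),
                       ("Originator > Target", b.ot_rpi_ms)):
        findings += _rpi_findings(b.tag, label, rpi, base_cycle_ms, IO_BLOCK_RPI_STEP_MS)
        if b.armorblock and not low <= rpi <= high:
            findings.append(f"{b.tag}: {label} RPI {rpi} ms outside {low}-{high} ms")
    allowed = FIXED_OT_RPI_MS.get(b.model)
    if allowed and b.ot_rpi_ms not in allowed:
        findings.append(f"{b.tag}: Originator > Target RPI must be one of "
                        f"{allowed} ms for {b.model}")
    return findings


if __name__ == "__main__":
    # Constructed sample values; 50 ms is an assumed base cycle.
    print(check_adapter(GenAdapter("GENADAPTER_200", 10, 10, True, 120, 100), 50))
    print(check_io_block(IoBlock("AB_1", "1732E-IF4M12", True, 100, 100), 50))
```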
ATTENTION
In the Data/Status tab of the configuration form, the row number of the grid starts
from 0. The row number does not indicate the channel number. It indicates that
the row number of the grid starts from 0.
In ArmorBlock output modules, when there is a channel fault, an alarm or event is
not generated by default.
However, you can configure an alarm to be generated by using a flag block.
For more information about the parameters on all the tabs, see Control Builder Parameter
Reference.
Results
The I/O block is configured and appears in the Unassigned category of the Project Tree.
Next steps
After configuring the I/O block, assign it to the CEE UOC block.
ATTENTION
You can optionally use SmartBuilder to bulk assign the EtherNet/IP devices and I/O
modules to the CEE. For more information, see Bulk Configuration Tool Help.
The module category EtherNet/IP DEVICES appears under the CEE UOC block.
To assign the I/O devices to the GenAdapter block
Drag the configured I/O module block from the Unassigned category to the EtherNet/IP adapter
block, under EtherNet/IP DEVICES.
ATTENTION
You can optionally use SmartBuilder to bulk assign the EtherNet/IP devices and I/O
modules to the CEE. For more information, see Bulk Configuration Tool Help.
Default: NaN
Config Load:
Residence: CEE
Related Parameters:
Remarks:

Description:
Generic Device
Default: NaN
Config Load:
Residence: CEE
Related Parameters:
Remarks:

Description:
Default: 1
Config Load:
Residence: CEE
Related Parameters:
Remarks:

Description:
Default: 0
Config Load:
Residence: CEE
Related Parameters:
Remarks:

Description:
Default: 0
Config Load:
Residence: CEE
Related Parameters:
Remarks:
Where ‘PARAMNAME’ is the Custom parameter name and ‘Index’ is the index of arrayed custom
parameter.
NOTE
Only scaling of numeric values (including floating point) is supported.
2. For the Output direction, use this formula to calculate RAWVALUE from the FLOATVALUE
(which is typically written through the strategy):
The formula is the same as with Input scaling solved for 'Raw value'.
The process value that is received from field is converted to digital form by the A/D converter.
LOWRANGE and HIGHRANGE values define the normal operating range of the RAW value.
RAW value in the output direction is the final output value sent to the device in the output
assembly. This is the linearly scaled value (with some scale factor multiplied and bias added) of the
OP (which is in percentage) within the LOWRANGE and HIGHRANGE operating range of the RAW
value.
• Parameter name: It is the custom parameter defined for input, output and configuration
assemblies.
• Type: It defines the parameter data type.
• Low Range: It defines the lowest limit for the parameter value.
• High Range: It defines the highest limit for the parameter value.
• Scale Factor: It defines the ratio of the value for scaling.
• Bias: It defines the calibrated engineering units.
8.4.2 Configuration
Configure custom parameters using the PDE (Parameter Definition Editor) tool.
By default, scaling parameters are not available in the configuration form. To display them in the
configuration form, manually add the scaling parameters in the form layout of the EtherNet/IP
generic device PDE.
NOTE
You can modify scaling parameters from the configuration form.
• Reading the User-Defined Tags (UDTs) from the ControlLogix Programmable logic controller
(PLC).
• Referencing the UDTs in Experion strategies.
• Writing the updated UDTs to the ControlLogix PLC.
The UOC can read and write both multi-parameter (aggregate) UDTs and single-parameter
(scalar) UDTs.
Control Builder provides configuration options which facilitate the integration of UOC and the
ControlLogix control system. The following table lists high-level tasks for configuring the UOC and
ControlLogix integration.
Task | Description
Step 1: “Configuring the ControlLogix Gateway block” in the Control Building User’s Guide. | To establish a connection between UOC controllers and ControlLogix PLCs, you must configure the required connection settings.
Step 4: “Using Aggregate or Scalar Tag Instance for Read and Write Operations” in the Control Building User’s Guide. | After creating an instance of the UDT block, you can connect it to other required blocks to perform a read or write operation. Load the Control Module configuration.
CHAPTER
The goal of controller redundancy is to improve the availability of the controller to perform its
assigned control functions. This is done by providing a pair of controllers (primary and backup) so
a component failure in one controller switches the handling of the assigned control functions to
the other controller. In this redundant arrangement, the active or primary controller is considered
to have a redundant partner or backup controller which is available to take over control functions
of the primary controller in the event of a switchover. This is considered a dual-redundant system
which is characterized by the following two main redundancy states.
• Primary - Refers to the active controller executing the assigned control mission.
• Backup or Secondary - Refers to the controller in some state of readiness to assume the
responsibilities of the Primary.
UOC supports two forms of redundancy. One is node redundancy, when two controllers are
deployed as redundant partners. The other is network redundancy, wherein the controller
participates in redundant network communications on its uplink, downlink or both. This section
focuses on node redundancy.
Redundancy communication between a pair of redundant UOCs is not possible if their device
indices are not set to a consecutive odd/even pair.
Chapter 9 - UOC Node Redundancy Operation
device index N, the partner module must have the even device index (N+1). Otherwise, if this
module has an even device index M, the partner module has to have the odd device index (M-1).
NOTE
Currently 1-slot I/O rack option is not available for PLC controllers.
NOTE
You can also use two Fiber Optics modules between the Redundancy Modules to extend the
distance to 500 m (Multi-mode Transmission Distance) or 10 km (Single-mode Transmission
Distance). As an option, you can use third-party COTS Fiber Optic modules.
RDNCMPT parameter for the reason the partner is not compatible. When a compatible partner is
found, the controller transitions from the No Partner state to the Partner Visible state. Initial-sync
is the act of performing first time transfer of synchronization data; during this time the controllers
are in the Sync in Progress state. The redundant controller pair enters the Synchronization
Maintenance state upon initial-sync completion. While in the Synchronization Maintenance state,
the secondary is a viable replacement for the primary controller, and only that configuration data
that is changed and the control data that changes as a consequence of primary controller
execution is synchronized to the secondary controller.
Inhibit Sync Reason | Description
Startup In Progress | Initial sync is not allowed until after the controller has completed system startup. This is a transient inhibit sync reason that is usually not seen.
Auto Sync State | Initial sync is inhibited while the Auto Sync state is set to disabled. This is a persistent inhibit sync reason that is canceled via the Enable Sync command.
Initial Sync Fail | After 3 failed attempts to perform initial-sync, the Auto Sync state is automatically set to disabled and the inhibit sync reason is set to this persistent value. Refer to the redundancy history for the reasons why initial-sync failed, correct any anomalies, and issue the Enable Sync command to attempt initial-sync again.
FTE Cable Status | The secondary inhibits sync due to dual-FTE-cable disconnect. This persistent inhibit sync reason can only be canceled by restoring FTE communications with the secondary.
NOTE
Only the first link is active when downlink is configured in non-redundant mode.
• Shutdown command issued from the secondary controller platform function block.
• Secondary controller loss of input power.
• Secondary controller failure.
• Secondary controller firmware update.
• Removing the powered secondary controller from its IOTA/Rack.
• Time taken for initial synchronization (from Sync Start to Completion) exceeds 600 seconds.
• Secondary controller loss of communication with a configured 900 I/O rack when the primary
controller is successfully communicating with the same rack.
Secondary controller state | Indication
Not synchronized | Cannot assume the primary state. This is a state of non-readiness. The only exception is the Become Primary command which only applies to the unsynchronized secondary controller in the absence of a primary controller.
Synchronizing | Cannot assume the primary state. In this state, the secondary controller is copying database information from the primary.
Synchronized | Can assume the primary state upon switchover. In this state, the database in the secondary is aligned with the database in the primary. The secondary closely tracks database changes to maintain its synchronization with the database of the primary.
Standby | Can assume the primary state upon switchover. In this state, the secondary controller contains a database that was previously synchronized with the primary controller but the secondary is no longer receiving synchronization-data updates from the primary controller. Upon switchover into the primary role with this stale database, the UOC CEE execution state is forced to Idle to ensure operator intervention.
ATTENTION
Controller redundancy protects against all single faults and some dual faults.
The switchover triggers for primary UOC loss of communication with a rack are dual faults
(in the presence of redundant downlink communication) and cannot be detected
until after some control may have been back-initialized with failsafe data. Although
these faults can affect control, switchover may provide automatic recovery that does
not require the operator to diagnose the downlink network anomaly.
ATTENTION
UOC switchover may take 500 msec to 2.5 sec due to EtherNet/IP priming. For more
information see EtherNet IP User's Guide_EPDOC-X399-en-511A.pdf.
NOTE
Only the first link is active when downlink is configured in non-redundant mode.
For this switchover consideration | Controller redundancy operation
FTE device index number | The FTE device indices are fixed physical hardware identifiers and do not transition from primary controller to the secondary controller based on redundancy role.
Floating Downlink IP Address | The UOC uses a floating downlink IP address that does change with redundancy role. The lower (odd) IP address is used on the primary controller and the higher (even) IP address is used on the secondary controller.
Chapter 10 - Operation
In the diagram, user visible states are shown in green and yellow. The green states (Backup,
NotLoaded, Idle, CEERun) can be read via CDA access to the UOC platform block parameter,
CPMSTATE. They can be seen from the UOC platform block detailed display, the UOC platform
block monitoring form in CB and the CB monitoring tree. They can also be seen from Firmware
Manager, though NotLoaded is shown there under the name NoDB.
The yellow states (Alive, Failed, Ready) only occur within parent states which support no CDA
communication. They can be seen from the user view provided by the Firmware Manager. For
more information, see Firmware Manager_EPDOC-X404.pdf.
The visible states are organized under parent states that indicate key properties of their child
states. These parent states are not explicitly visible within an operating UOC system. The parent
states are Executing Application Image (orange), Inoperative (blue), and Executing Boot Image
(blue). Blue states do not support CDA communication.
UOC has a transient state shown in gray called Executing Boot Loader. This state is also not visible
within an operating UOC system.
Characteristics of UOC states are summarized in the following table.
State | Visibility | Normal Operation | Description
NotLoaded | CDA | Yes | UOC is waiting for first time load of its platform block. It is the primary partner of a redundant pair or is non-redundant. UOC has no CEE database. UOC can be shut down from this state.
State | Visibility | Normal Operation | Description
the Firmware Manager when this state occurs. Can only be exited by power cycle or firmware load.
Executing Application Image | None | Yes | All associated child states occur when the Application Image is being executed within the UOC CPM. UOC always executes within this state unless the Application Image is missing or corrupted. See Note 1.
NOTE
CPMs received from the factory must be loaded with the UOC Application Image and the
UOC Boot Image before they can be used as UOCs. See the “Converting PLC CPM to UOC
CPM” section for a description of how to convert a PLC CPM into a UOC CPM.
NOTE
Each of the UOC’s Ethernet ports has two associated LEDs, whereas Experion Series 8
modules such as the C300 have only a single LED for each FTE connector.
• LED colors
  • Green LED indicates primary or non-redundant redundancy state.
  • Orange LED indicates secondary redundancy state.
  • Red LED indicates startup in progress or maintenance operations only or device failure.
As a general rule, the LEDs display solid green or orange when running in an optimal state.
• The primary UOC has a solid green Status LED and a solid green Redundancy Role LED to indicate that the primary is on control without any fault conditions detected.
• The secondary UOC has a solid orange Status LED and a solid orange Redundancy Role LED to indicate that the secondary is synchronized without any fault conditions detected.
See Status LED and Redundancy LED sections below for specific LED behavior descriptions.
NOTE
Status LED and Redundancy Role LED tables were previously updated. All new R511
behaviors are described correctly.
LED Indication | Summary Description | Detailed Description
GREEN Solid | Primary, on control | • UOC operating as the primary of a redundant pair or as a non-redundant controller. • UOC on control.
redundancy private path.
Every 5 Seconds | settings from server | from the server (BOOTP request).
• The device will continue startup after FTE settings are received from the server (BOOTP reply).
• If FTE settings are not received within 60 seconds, the device may continue startup using last known FTE settings (when valid in non-volatile storage).
LED Indication | Summary Description | Detailed Description
Green | Primary, synchronized | • Redundancy is enabled.
or • Partner is missing
Orange Blinking Strongly | Secondary, synchronization in progress | • Redundancy is enabled. • Redundancy role is secondary. • Synchronization is in progress.
or • Partner is missing
Stage | Description
1 |
• The Redundancy Role LED briefly displays all colors of RED, GREEN and AMBER and then turns off until start up completes.
• The Status LED briefly displays all colors of RED, GREEN and AMBER. It then remains solid RED until the Power-On Self-Test (POST) completes.
• POST execution halts on the first test that finds a faulty piece of hardware.
• If a fault is detected, the Status LED remains solid RED and the code of any failed test is held until UOC reset. If the module fails repeatedly every time start up is attempted, it must be returned to Honeywell for analysis.
• Step 2: Requesting FTE settings from server – The UOC obtains its base IP address from the Experion system’s BOOTP server.
After a UOC has obtained its uplink IP Address and its NTP server IP address, it retains them until
its Device Index is changed or its firmware is reloaded.
The UOC does not acquire its downlink IP address from a BOOTP or DHCP server upon startup.
The downlink address is assigned by configuration. For further information, see the Ethernet
Downlink Connectivity section.
[Figures: UOC form tab displays (Main, Redundancy, FTE, Downlink, Checkpoint) for the Primary and Secondary controllers]
Chapter 11 - Troubleshooting
This section provides guidance and background information about the causes and remedies for
failures which may occur in the UOC controller. The following topics are presented here.
The syntax for a typical Control Builder error message is as follows: “Connection to device is not
open EPKS_E_CL_NOCONN(6L.101.3326)”. In this syntax, the error code is the last four digits in
the message (3326 in this example).
See the Control Builder Error Codes Reference for applicable error code information.
Item | Description
Diagnostic Check | The LEDs on the controller module are off. In the Monitoring tab, the UOC icon turns red.
Cause 1 | Main power source has been disconnected or shut down either manually or temporarily by brownout or blackout condition.
Solution | Push the module into the rack and screw it in place.
Item | Description
Diagnostic Check | Module does not complete startup because a critical hardware feature is non-functional.
Cause | POST has detected a failure that does not allow startup to continue or complete.
Solution | Cycle power on the rack. If UOC does not come back, replace it.
Item | Description
Diagnostic Check | The Link Present and Activity LEDs associated with one or both uplink Ethernet ports (ETH1 and ETH2) are off.
Cause 1 | No connection.
Solution | Swap known good cable with suspect cable. Replace bad cable.
Solution | Swap CPMs to identify defective port. Replace CPM that contains defective port.
Item | Description
Diagnostic Check | The Status LED on the front panel of the UOC controller turns RED. The ‘LAN_A’ or ‘LAN_B’ indicator for the faulted port turns RED. The indicators are found on the FTE tab of the UOC Block configuration form. An alarm is generated by the UOC controller that indicates “FTE Port A Receive Fault” or “FTE Port B Receive Fault”.
Solution | Unless you suspect that one of the causes described above exists and is resulting in a spurious indication, you must replace the UOC controller Module exhibiting this diagnostic at your earliest convenience. When this fault exists, network redundancy for this node no longer is working.
Item | Description
Diagnostic Check | Primary controller cannot synchronize with backup. In the Monitoring tab, double-click the primary UOC icon to call up its Parameters configuration form. Click the Redundancy tab to display it and check the “Inhibit Sync Reason – RDNINHIBTSYNC” parameter for a description for the controller not achieving synchronization. Troubleshoot to correct condition for inhibiting sync.
Solution | Ensure that the module is firmly inserted and the mounting screws are snug.
Item | Description
Diagnostic Check | In the Monitoring tab, the UOC controller icon turns red.
Cause | The controller software has detected a failure that does not allow operation to continue. There can be many causes for a failure including hardware. Power cycle the module to see if it can come back. If not, replace it. If it does, tag it in case the problem happens again.
Solution | Cycle power for the UOC to restart the controller. If error persists, replace the controller. Check the Trace log for breadcrumbs that occurred prior to the event. See “Using Firmware Manager to capture diagnostic data” for more information. Provide the results of the trace log to Honeywell Solutions Support Center (SSC) for analysis.
Item | Description
Diagnostic Check | The Primary controller determines whether or not to initiate a switchover. If the Secondary was known to be in better condition than the Primary at the time of fault determination, then the Primary should fail so the Secondary will switchover. But, the new Secondary (old Primary) still cannot restore FTE communications. When both the FTE cables are removed, secondary UOC does not reboot. In addition, the secondary controller does not synchronize in the presence of this fault condition. FTE communication has to be restored to the secondary controller for initial sync to be attempted.

Item | Description
Diagnostic Check | All nodes will stop tracking cable status for the detected duplicate Device Index value. Communications will continue and will not impact system performance until there is a cable fault. This fault will also be detected by the FTE System Management Tool. A duplicate Device Index could cause a duplicate IP Address. In most cases, the duplicate IP Address would be detected first and prevent the FTE diagnostic messages from being sent.
Cause 1 | Device Index switches on the two modules are set to the same value.
Factory Data Error | The Factory Data block corrupted which may cause failure of Boot Image download or Application Image download during a subsequent controller restart. | Replace the controller module and return faulty module to the factory.
2. Physically inspect the installation and correct any airflow problems.
FTE Network Error | Possible error on FTE. | See the error indications on the FTE tab for details.
Partner Not Visible On FTE | Indicates that the Fault Tolerant Ethernet (FTE) communications with redundant controller partner and FTE network are lost. | See “Isolated (lonely) Node” in this section.
External Power Failure | When all external power feeding the UOC’s power supply(s) is lost (as detected through signals PWRGOOD1 and / or PWRGOOD2) then the “External Power Failure” soft failure is reported by the non-redundant or primary UOC. Note that if the UOC is redundant with POWERCONNOPT = Dual1PerModule and all external power feeding the power supply(s) of the secondary is lost, then no power loss soft failure is reported. Instead, the redundant pair is forced to drop synchronization and a loss of synchronization notification is reported. | Once external power is recovered, the soft failure returns to normal.
The Errlog_n.txt log provides a running list of Control Builder detected errors in chronological
order. The “n” represents any number that is assigned to the most recent log.
To check the log, navigate to this file location on the server:
C:\Documents and Settings\All Users\Application Data\Honeywell\Experion\Errlog_n.txt.
Various indications on the controller's front-panel or the state of the Control Builder icon that
represents the UOC controller (if the controller had been loaded previously) are described that
point to an abnormal condition.
There are six tables that detail the abnormal conditions for both redundant and non-redundant
controller configurations and whether or not the controller memory has been retained via battery
backup.
Corrective actions for resolving these conditions are found below the tables (see “Secondary UOC
Controller with Memory Retention”).
UOC Controller Faceplate | Problem | Block Time Source | Station Alarm | Resolve
Status LED: Blinking Red; FTE LEDs: Off; CB icon: Red | No communication on FTE network. Controller does not complete startup. | Internal | UOC OFFNET | “Secondary UOC Controller with Memory Retention”
UOC appears to startup normally but Control Builder cannot communicate with the UOC controller and therefore attempts to load or reload UOC fail. If UOC was loaded before a power cycle, its associated icons in the Monitor tab will be Red.
FTE LEDs: Blinking Green; CB icon: Grey
FTE LEDs: Blinking Green; CB icon: Yellow
UOC Controller Faceplate | Problem | Block Time Source | Station Alarm | Resolve
Status LED: Blinking Red | No communication on FTE network. Controller does not complete startup. | None | UOC OFFNET. When FTE and CDA communication is established: UOC Not Synchronized | “Secondary UOC Controller with Memory Retention”
Battery Undervoltage
FTE LEDs: Off; CB icon: Red
CB icon: Red
communicate with the UOC controller and therefore attempts to load or reload UOC fail. If UOC was loaded before a power cycle, its associated icons in the Monitor tab will be Red.
FTE LEDs: Blinking Green; CB icon: Grey
FTE LEDs: Blinking Green; CB icon: Yellow
UOC Controller Faceplate | Problem | Block Time Source | Station Alarm | Resolve
Status LED: Blinking Red; FTE LEDs: Off; CB icon: Red | No communication on FTE network. | None | None | “Secondary UOC Controller with Memory Retention”
CB icon: Red > Blue
FTE LEDs: Blinking Green; CB icon: Grey
FTE LEDs: Blinking Green; CB icon: Yellow
NOTE
Perform the following quick checks:
Are the server nodes turned on and properly connected to the network on which the UOC
controller resides? Are CDA and system services running on the designated nodes?
NOTE
Perform the following quick checks:
• Is the timeserver node powered and running?
• Check the value configured in Control Builder Tools > System Preferences > Embedded FTE
• Compare this to the value found on the UOC controller FB Form’s System Time tab when opened from the Monitor tab in Control Builder or the System Time tab of the UOC controller FB Detail Display.
NOTE
Perform the following quick checks:
• Is the Experion node running CDA Server powered and running?
CHAPTER
The Control Execution Environment (CEE) is a platform for executing control applications and
interfacing with I/O modules (EtherNet/IP and CE900 I/O). A CEE-based controller has a base
software layer called Infrastructure Services. These include Scheduling and Communication
Services. They set up an environment in which the execution and communication requirements
of control strategies can be met.
UOC allows for the creation of large batch strategies with a user block memory of 32 MB (128 MB
for vUOC). Function block libraries hosted by UOC are listed in the following table.
Block Library
AUXILIARY
CONTROLLOGIX
DATAACQ
DEVCTL
EIP_ARMOR_BLOCKI/O
EIP_ARMOR_POINTI/O
EIP_DRIVE
EIP_I/OCHANNEL
EIP_RELAY
ETHERNET_IP
I/OPOINTS
I/OREFERENCES
LOGIC
MATH
PCDI
POWERGEN
REGCTL
SYSTEM
UTILITY
Chapter 12 - Control Execution Environment
• The CEE supports the execution of function blocks available in the Control Builder libraries shown in the following table.
CEE in UOC supports 50 ms base period. CEE in vUOC supports 50 and 500 ms base period.
Chapter 13 - vUOC
13.1 Introduction
The Virtual UOC, or vUOC, is a virtualized Unit Operations Controller that can be deployed on a
VMware ESXi 6.0 or higher hypervisor. It has a Control Execution Engine (CEE) and is capable of
executing the same Experion PKS control strategies as the UOC CPM.
vUOC can communicate with EtherNet/IP devices and ControlEdge 900 I/O modules over
Ethernet networks.
UOC CPMs connect to a Level 2/1 FTE network, a Downlink I/O Network (for connecting to I/O
devices), and a Private Path network (for future use). How those networks are deployed will vary
based on project needs and goals for availability, performance, and scalability.
The networks for I/O and Private Path always exist in the Virtual Machine definition. So, when the
application does not require an external connection to EtherNet/IP or ControlEdge 900 I/O
hardware (peer-to-peer implementations, and all cases for Private Path), those networks should
be mapped to an internal host-only network.
13.1.1 vUOC controllers with Private Path and Downlink I/O adapters
Figure 13.1 vUOC controllers with Private Path and Downlink I/O adapters connected to virtual
networks with no external network access
• FTE Yellow vSwitch – represents both Level 2 and 1 FTE primary network connections.
• FTE Green vSwitch – represents both Level 2 and 1 FTE secondary network connections.
• Private Path vSwitch – represents a private network connection, reserved for future use (migration).
• Downlink I/O vSwitch – represents connections for I/O networks. Without devices, this can be shared across controllers.
When the application calls for a vUOC to be connected to EtherNet/IP or ControlEdge 900 I/O
hardware, two network configurations are supported:
• Flat-network only approach where isolation is achieved through physical separation of networking equipment.
• VLAN-tagged approach where one or more networks share physical networking equipment and isolation is achieved through the use of VLAN-tagging in both the VMware and physical switch environments.
Advantages:
• Simple approach.
• Network Isolation.
Disadvantages:
• Operational Costs
  o Dedicated host NIC required for each vUOC to support connections to I/O Devices.
  o Individual network lines – Physical cabling requirements between virtual host (Control Room) and I/O Devices.
• Scalability
  o Limited by number of NIC ports available in virtual host.
  o Lower vUOC density per host.
Disadvantages:
• Requires at least one free virtual host NIC to establish a Downlink I/O Network connection.
• Increased bandwidth requirements on virtual host NICs and connected switches.
• Increased scope of loss when faults occur in common physical network equipment.
Disadvantages:
• Increased bandwidth requirements on virtual host NICs and connected switches.
• Increased scope of loss when faults occur in common physical network equipment.
vUOC requires an Experion Virtualization Host Environment with connection to the Level 2/1 Fault
Tolerant Ethernet (FTE) network and available networks for connections to the Downlink I/O
Networks. Before implementing a new solution, you should review any existing connection
requirements. Consult the Experion Virtualization Planning and Implementation Guide to
implement the Virtualization Host environment itself, Security requirements, and the connections
to the FTE Network. When complete, return to this document to configure the connections for the
Downlink I/O Network.
Configurations utilizing a VLAN Tagged Network I/O Topology approach must use a different
unique VLAN ID for each Downlink I/O Network (per controller).
• Use of a VLAN ID requires that it be defined consistently throughout the network in all devices between the controller and I/O connections.
• A frequent practice is to implement VLAN IDs at lower values and increment up from there.
• Network designers need to evaluate any existing Port Groups defined, any VLAN IDs currently in use, and plan accordingly.
• There are IDs that are reserved, so first consult the table below for IDs that should not be used and your Switch Vendor’s documentation for any additional reservations:
101 | Configured by Honeywell for FTE networks and should not be used for other networks.
3969 - 4094 | Range used internally by Cisco Nexus switches for Virtual Device Contexts (VDCs), to provide:
# Task
1 On the Home screen choose Hosts and Clusters.
2 On the left pane, click the Host that will host the Virtual Controller.
3 In the middle screen, click the Manage Tab, then click the Networking tab in the sub-menu:
Choose “Virtual Machine Port Group for a Standard Switch” and click
Next.
6 Select Target Device Appears:
8 Create a Standard Switch is displayed:
On left side, select the NIC you wish to use for the I/O Connection and
click OK.
9 You are returned to the prior dialog, now showing your NIC selection:
Click Next
10 If you have not yet made a connection to the NIC (not yet active), you may
be presented with the following dialog:
Rename the Network Label to something that makes sense for you to
associate this network with. Then Click Next.
Click Finish
# Task
1 On the Home screen choose Hosts and Clusters.
2 On the left side the screen, click on the Host where you wish to define the
port group:
3 In the middle screen, verify the networking sub-tab is clicked under the
Manage Tab:
Choose “Virtual Machine Port Group for a Standard Switch” and click Next.
Verify the vSwitch chosen in the “Select an existing standard switch” and
click Next.
In the Network label, assign a name to something that makes sense for you
to associate this network with. Assign the appropriate VLAN ID, and click
Next.
NOTE
The example below assumes a two-level topology and integration with FTE. However, the
commands in this chapter can be mixed and matched to support any required network
topology. Care should be taken to map and only allow access to the required ports that are
necessary for any particular network.
The network connections from the VMWare Hosts to the physical switch and any downstream
switch inter-connect need to be defined as Trunks when supporting VLANs. Consult the diagram
for the example switch location to which these configuration statements apply:
Run the example set of Cisco IOS commands to configure the switch to support the example
topology.
Enable the switch to support more than just a single VLAN (the default) by configuring a VLAN
database by setting the mode for the VLAN Trunking Protocol (VTP) and defining each VLAN ID
required to support the I/O devices. In the example below, VLAN IDs 201, 202, 203, and 204 are
declared for downlink I/O networks. Add or subtract as many as required based on the site's
requirements.
NOTE
If the switch is supporting FTE, a VLAN ID of 101 may likely already exist. It is repeated here
to show all VLANs supported by the switch and will not be an issue if defined again.
!
! Configure VLAN Database
!
vtp mode transparent
vlan 101
vlan 201
vlan 202
vlan 203
vlan 204
!
To prevent a possible security threat, we are going to configure a default tag for any packet
exchange between the VMWare Host and Switch that was not tagged previously. However, to
accomplish this, we must configure an interface for it. The example below defines this with a VLAN
tag ID of 999:
!
interface vlan 999
no ip address
no shutdown
!
The next step is to configure the ports used for connections to the VMware Hosts. By default, each
port is configured as an access port. To use VLANs, it now needs to be defined as a Trunk Port.
(Note the assignment of ID 999 as the Native VLAN.)
The commands below change two ports, 9 and 10, to trunk ports:
!
interface FastEthernet0/9
switchport mode trunk
switchport trunk allowed vlan all
switchport trunk native vlan 999
no ip address
!
interface FastEthernet0/10
switchport mode trunk
switchport trunk allowed vlan all
switchport trunk native vlan 999
no ip address
!
If the endpoints for communication exist on downstream switches, then the port used to
interconnect the two switches together must also be defined as a Trunk Port.
Care should be taken to only allow the traffic that is necessary to be sent to the appropriate
connection.
To allow for support of other nodes and Experion Network Management functions, VLAN 101
should also be allowed (besides any I/O VLANs). Some of that traffic (based on its origin) may not
be tagged. Setting a native VLAN will tag untagged traffic to 101.
The remaining allowed IDs represent the I/O VLANs.
The interface definition assumes this is using a Gigabit interlink port.
!
interface GigabitEthernet0/1
switchport trunk native vlan 101
switchport trunk allowed vlan 101,201,202,203,204
switchport mode trunk
switchport nonegotiate
no ip address
no cdp enable
Run the example set of Cisco IOS commands to configure the switch to support the example
topology.
Enable the switch to support more than just a single VLAN (the default) by configuring a VLAN
database by setting the mode for the VLAN Trunking Protocol (VTP) and defining each VLAN ID
required to support the I/O devices. In the example below, VLAN IDs 201, 202, 203, and 204 are
declared for downlink I/O networks. Add or subtract as many as required based on the site's
requirements.
NOTE
If the switch is supporting FTE, a VLAN ID of 101 may likely already exist. It is repeated here
to show all VLANs supported by the switch and will not be an issue if defined again.
!
! Configure VLAN Database
!
vtp mode transparent
vlan 101
vlan 201
vlan 202
vlan 203
vlan 204
!
The port used to interconnect the two switches together must also be defined as a Trunk Port.
Care should be taken to only allow the traffic that is necessary to be sent to the appropriate
connection.
To allow for support of other nodes and Experion Network Management functions, VLAN 101
should also be allowed (besides any I/O VLANs). Some of that traffic (based on its origin) may not
be tagged. Setting a native VLAN will tag untagged traffic to 101.
The remaining allowed IDs represent the I/O VLANs.
The interface definition assumes this is using a Gigabit interlink port.
!
interface GigabitEthernet0/1
switchport trunk native vlan 101
switchport trunk allowed vlan 101,201,202,203,204
switchport mode trunk
switchport nonegotiate
no ip address
no cdp enable
interface FastEthernet0/1
switchport access vlan 201
switchport mode access
no ip address
no cdp enable
spanning-tree portfast
!
interface FastEthernet0/2
switchport access vlan 201
switchport mode access
no ip address
no cdp enable
spanning-tree portfast
!
interface FastEthernet0/3
switchport access vlan 201
switchport mode access
no ip address
no cdp enable
spanning-tree portfast
!
interface FastEthernet0/4
switchport access vlan 201
switchport mode access
no ip address
no cdp enable
spanning-tree portfast
!
interface FastEthernet0/5
switchport access vlan 202
switchport mode access
no ip address
no cdp enable
spanning-tree portfast
!
interface FastEthernet0/6
switchport access vlan 202
switchport mode access
no ip address
no cdp enable
spanning-tree portfast
!
interface FastEthernet0/7
switchport access vlan 203
switchport mode access
no ip address
no cdp enable
spanning-tree portfast
!
interface FastEthernet0/8
switchport access vlan 204
switchport mode access
no ip address
no cdp enable
spanning-tree portfast
interface FastEthernet0/1
switchport access vlan 201
switchport mode access
switchport voice vlan dot1p
no ip address
no cdp enable
spanning-tree portfast
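As a check on switch configurations like the ones above, the following Python script (an added example, not part of this guide and not Honeywell or Cisco tooling) audits IOS-style configuration text against the rules this chapter states: trunks should carry only the VLANs they need, untagged frames should land on a dedicated native VLAN rather than VLAN 1 or an I/O VLAN, every referenced VLAN should exist in the VLAN database, and each controller's downlink I/O VLAN should be unique and not reserved. The sample configuration, the finding labels and the controller names are constructed for illustration, and only the reserved IDs listed in this chapter (101 and 3969 - 4094) are checked.

```python
from collections import defaultdict

FTE_VLAN = 101                      # guide: configured for FTE networks only
RESERVED_RANGE = range(3969, 4095)  # guide: 3969-4094 used internally by the switch

# Constructed sample in the style of the guide's switch configuration.
SAMPLE_CONFIG = """\
vlan 101
vlan 201
vlan 202
!
interface FastEthernet0/9
 switchport mode trunk
 switchport trunk allowed vlan all
 switchport trunk native vlan 999
!
interface GigabitEthernet0/1
 switchport trunk native vlan 101
 switchport trunk allowed vlan 101,201,202,203
 switchport mode trunk
!
interface FastEthernet0/2
 switchport mode trunk
 switchport trunk allowed vlan 201-202
!
interface FastEthernet0/3
 switchport access vlan 204
 switchport mode access
"""


def expand(vlan_list):
    """Turn '101,201-204' into {101, 201, 202, 203, 204}."""
    bounds = (part.partition("-") for part in vlan_list.split(","))
    return {v for lo, _, hi in bounds for v in range(int(lo), int(hi or lo) + 1)}


def parse(config):
    """Return (VLAN IDs in the VLAN database, {interface: [sub-commands]})."""
    declared, ifaces, current = set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()  # tolerate indented and flattened configs alike
        if line.startswith("vlan ") and line[5:].isdigit():
            declared.add(int(line[5:]))
        elif line.lower().startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif not line or line.startswith("!"):
            current = None
        elif current is not None:
            ifaces[current].append(line)
    return declared, ifaces


def setting(cmds, prefix, default=None):
    """Last word of the first sub-command starting with prefix, else default."""
    return next((c.split()[-1] for c in cmds if c.startswith(prefix)), default)


def audit(config, io_vlans):
    """Return sorted (interface, finding) pairs; io_vlans = planned downlink I/O VLAN IDs."""
    declared, ifaces = parse(config)
    findings = []
    for name, cmds in ifaces.items():
        mode = setting(cmds, "switchport mode ")
        if mode == "trunk":
            allowed = setting(cmds, "switchport trunk allowed vlan ", "all")
            native = int(setting(cmds, "switchport trunk native vlan ", "1"))
            if allowed == "all":  # also the IOS default when no list is configured
                findings.append((name, "trunk-allows-all-vlans"))
            else:
                for vid in sorted(expand(allowed) - declared):
                    findings.append((name, f"allowed-vlan-{vid}-not-declared"))
            if native == 1 or native in io_vlans:
                findings.append((name, f"native-vlan-{native}-takes-untagged-frames"))
        elif mode == "access":
            vid = int(setting(cmds, "switchport access vlan ", "1"))
            if vid not in declared:
                findings.append((name, f"access-vlan-{vid}-not-declared"))
    return sorted(findings)


def check_plan(plan):
    """plan maps controller name -> downlink I/O VLAN ID; flags reserved and shared IDs."""
    users = defaultdict(list)
    for controller, vid in plan.items():
        users[vid].append(controller)
    issues = [(c, f"vlan-{v}-reserved") for c, v in plan.items()
              if v == FTE_VLAN or v in RESERVED_RANGE]
    issues += [(",".join(sorted(cs)), f"vlan-{v}-shared")
               for v, cs in users.items() if len(cs) > 1]
    return sorted(issues)


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, {201, 202, 203, 204}))
    print(check_plan({"vUOC_103": 201, "vUOC_105": 201, "vUOC_107": 101}))
```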
13.6 Download
The Virtual UOC software is distributed as an Open Virtual Appliance (OVA) image file. This file can
only be obtained electronically through one of two methods:
• For Experion PKS General Releases (e.g. R511.1) - The image can be retrieved via download link received with purchase of an “Electronic Download Experion PKS” license. See the General Release README for more details.
• For Experion PKS Maintenance Releases, Updates, and Patches (e.g. R511.1) - The Virtual UOC image can be retrieved from the Honeywell Process Solutions website (http://www.honeywellprocess.com). See the associated Software Change Notice (SCN) for more details.
Only one version of the Virtual UOC software image is required for deployment. For example, to
deploy the R511.1 Maintenance Release version of the Virtual UOC, it is not required to first
download and deploy the R511.1 General Release software image.
NOTE
It is strongly recommended to verify the integrity of software downloads using the Honeywell
Software Download Manager.
File | Description
VirtualUOC_<part number>.ova | The OVA file containing the VirtualUOC software image. This file will be imported into a VMWare vCenter system when deploying a vUOC.
# Task
1 Log in to the vSphere Web Client.
NOTE
If you get a message about having to install the Client Integration
Plugin, install it and repeat the process.
4 Click Browse.
Navigate to the location where you stored the downloaded ova file and
select it.
5 Click Open.
It should return you to the previous screen with the OVA selected.
6 Click Next.
The Review details page appears.
7 Click Next.
The Select name and folder page appears.
Update Name to something that will aid you in uniquely identifying the
virtual machine later. It can be helpful to include properties such as the
type (for example, vUOC), the execution cycle (50 ms or 500 ms), and the
FTE Index value (for example, 103).
Select a folder or datacenter location from the tree.
8 Click Next.
The Select a resource page appears.
If necessary, expand the tree presented and select where the VM will be
hosted.
NOTE
If Fault Tolerance is intended, then a shared storage device should
be selected.
The storage devices presented will contain both local and shared
disks.
The Setup networks page appears.
12 Click Finish.
When the virtual machine has been deployed, a completion message
appears in the Recent Tasks display of the client.
# Task
2 On the left hand side, locate and click the VM you wish to modify.
In the center area, click the Manage Tab. With the VM Hardware selected,
click Edit.
3 Edit Settings:
Click the drop-down next to each adapter and select the appropriate Switch
or Port Group. Once completed, click OK.
The vUOC CEE block "Base Execution Period" field in Control Builder must be configured
to match this selection or attempts to load the vUOC controller from Control Builder will
fail indicating "BASEPERIOD: Selected value is not supported by the CEE personality".
2. A device index which the vUOC will use to request an IP address from the Experion Cluster.
The IP address will be assigned based on the base IP address of the Cluster and the selected
device index.
This information is entered only once and cannot be changed. If different settings are needed,
delete the vUOC and redeploy it with the desired settings.
# Task
1 Power on the vUOC and open its display console.
3 The startup sequence will pause and prompt for a device index.
Enter the device index for this vUOC and press Enter.
4 Upon startup completion, the vUOC will present a status display indicating:
• Local date and time
• Device index
• Application version
5 When the vUOC has obtained an IP address from the Experion PKS FTE
Community BOOTP service, it will be reflected in the ‘fte’ network adapter
status details.
The following is a step-by-step example for moving a running vUOC to another ESXi host, for
reference:
# Task
NOTE
NOTE
4 The destination network should not have to be changed if the same port group
definitions are defined on the target.
If the destination network will be changed, ensure that the new destination
network is associated with a vSwitch that is connected to the same physical
network as the source network and its associated vSwitch. Otherwise, an
observable service interruption to the vUOC will occur.
Click Next.
NOTE
Click Next.
6 On the Ready to complete screen, review selections and click Finish to move
the vUOC VM to the new compute host.
Once the vUOC VM and other critical VMs have been moved to another ESXi host, maintenance of
the original ESXi host may begin.
The following is a step-by-step example for enabling FT on a vUOC VM, for reference:
# Task
2 Choose the storage location for the Configuration, Tie Breaker, and three
Hard disks of the secondary vUOC by clicking Browse, selecting from the list
of available datastores, and clicking OK.
When finished, click Next.
NOTE
Click Next.
# Task
1 Identify the vUOC VM for which FT will be disabled, right-click, navigate to
Fault Tolerance, and select Turn Off Fault Tolerance.
2 A dialog will appear warning that turning off Fault Tolerance on the vUOC
VM will remove it from fault protection.
Click Yes.
Chapter 14 - Performance and Capacity Considerations
Constraint | Specification
Uplink FTE Communications
UOC Configuration
Total I/O Point Connection Count (Across All I/O Types) | 2048
Multi-Parameter UDTs Per UOC (To All Peer Controllers) | 65
(To All Peer Controllers)
Profinet
Avg. CPU Used per Cycle | CPUCYCLEAVG | CEE Block, CPU Loading tab
CPU Free Low Alarm (%) | CPUFREELOWLM | UOC Platform Block, Main tab
Max. Redun. Count per Cycle | RDNCNTCYCMAX | CEE Block, CPU Loading tab
Parameter Description | Parameter Name | Load Limit
CPU Free, core 0 (%) | CPU0FREEAVG | >= 20%
Average unused capacity in the UOC’s core 0 CPU.
Note that the overall performance specifications for vUOC are the same as those for UOC.
For further information on the parameters noted above, as well as general guidance on how to
monitor and correct UOC performance issues, see the sections below.
Note that in a redundant UOC, cycle N-1 has an impact on the processing load of cycle N. This is
because data produced in cycle N-1 is transferred to the secondary during cycle N. As a result, if an
overrun occurs on cycle N, it may be necessary to consider the CMs which execute on both cycle N
and cycle N-1. If changing the execution cycle of CMs or SCMs does not eliminate the overruns, it
may be necessary to reduce the load by reducing the CM or SCM processing speed (increasing the
configured PERIOD) or by eliminating some CMs or SCMs from the configuration.
In addition to overrun counts, parameter CPUCYCLEAVG may be observed to get a sense of the
processing load on CEE execution cycles. Indices 0 through 39 of this parameter
(CPUCYCLEAVG[0] through CPUCYCLEAVG[39]) give the time averaged CPU consumed on CEE cycles
0 through 39. Index 40 of this parameter (CPUCYCLEAVG[40]) gives the average of
CPUCYCLEAVG[ ] across cycles 0 through 39. As noted above, CPUCYCLEAVG[40] should be kept at
60% or lower.
The UOC uses a CPU with two processing cores, core 0 and core 1. The condition for generation of
a CPU free low alarm is the following.
• The time averaged, free CPU on Core 0 is below CPUFREELOWLM
• Or, the time averaged, free CPU on Core 1 is below CPUFREELOWLM.
To correct a CPU free low alarm, the application engineer must examine CPU0FREEAVG,
CPU1FREEAVG and may also examine CPUFREEAVG which is the average of the other two. Based
on observations of these parameters, the following considerations apply.
• If Core 1 CPU is too low, it may mean that the CEE block processing load is too heavy. CEE block
processing is executed only on Core 1. A heavy load there could indicate that the configuration
is approaching the point where overruns might start to occur. Consider reducing the count or
execution speed of CMs and SCMs.
• If Core 1 CPU is too low, it might also mean that the 900 I/O communication load is too heavy.
900 I/O communication processing is done only on Core 1. If there is a heavy 900 I/O
communication load present, consider reducing the quantity of I/O data being accessed or the
rate at which the I/O data is being collected.
• If Core 1 CPU is not too low but the Core 0 CPU is too low, consider the overall communication
load the UOC is experiencing. On the downlink, EtherNet/IP communication contributes to
Core 0 CPU consumption. On the uplink, CDA, PCDI blocks and Exchange blocks contribute.
Consider whether the volume or rate of any such communications can be reduced.
To correct a redundancy throughput high alarm, examine the per cycle redundancy throughput
statistics shown by parameter RDNCNTCYCMAX. Determine whether there are particular cycles
where the redundancy throughput is particularly high. If so, consider rebalancing or reducing the
count of CMs and SCMs that execute on those particular cycles.
Chapter 15 - Security Guidelines for UOC
15.1 General
The UOC uses a “defense in depth” security strategy. Implementation of defense in depth
requires not only device and system security measures, but also physical and organizational
security measures to be taken.
The UOC is well-tested for security robustness. Network protection is addressed by
communication filters, and storm-protective communication handling is incorporated in the uplink
networking firewall.
System designers must always maintain an awareness of security vulnerabilities that might arise
when setting up network connections and must always follow Honeywell’s recommended security
best practices.
For more information on recommended security practices within Experion, see
Network_and_Security_Planning_Guide_EPDOC-XX75-en-511A.pdf.
Considerations with respect to physical security apply equally to a UOC’s uplink network (FTE),
downlink, and redundancy networks.
One of the most prevalent threats to a computer system’s security comes from within the user’s
organization. If end users do not remain vigilant or become complacent regarding physical
security, the UOC may become vulnerable to security attacks. Periodic inspection and validation of
the networks and equipment attached to the UOC is a security focus end-users need to consider.
The UOC also initiates and receives communications with Honeywell peer controllers, such as
UOCs and C200 controllers. The complement of peer communications involving a particular UOC
is determined by the control and system configuration.
All Experion recommended practices must be followed with regard to user accounts and access
privileges. In addition, due diligence must be applied to the deployment of all networking
equipment. For example, switch configuration must disable unused ports and such configuration
must be secured from tampering with password protection.
Excessively high traffic on the FTE uplink to which a UOC connects could be an indication of a
Denial of Service (DOS) attack. Honeywell recommends the use of Honeywell Risk Manager or
SolarWinds to detect unintended and excess network traffic.
Users should be aware that the use of movable equipment can give rise to switch ports which are
left unconnected for long periods of time. Such ports are typically used only when special purpose
equipment must be connected for particular phases of a production cycle. Physical security must
be managed so that such open ports cannot be accessed for purposes of network penetration.
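One way to check a switch against the two requirements above (unused ports disabled, and no open ports left reachable) is to compare an exported configuration with an inventory of the ports that are meant to be in use. The PowerShell function below is an added example, not part of this guide; its name, the -InUse inventory parameter and the sample configuration are constructed for illustration.

```powershell
# Added example (not part of the guide). Function name and -InUse are illustrative.
function Find-SwitchPortExposure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ConfigText,
        # Operator-maintained inventory of interfaces that should have equipment attached.
        [string[]] $InUse = @()
    )

    # Collect the commands under each "interface" line. A stanza ends at "!", at a blank
    # line, or at the next "interface" line, since the "!" separator is not always present.
    $stanzas = [ordered]@{}
    $current = $null
    foreach ($line in ($ConfigText -split '\r?\n')) {
        $text = $line.Trim()
        if ($text -match '^interface\s+(\S+)') {
            $current = $Matches[1]
            $stanzas[$current] = New-Object System.Collections.Generic.List[string]
        } elseif ($text -eq '!' -or $text -eq '') {
            $current = $null
        } elseif ($current) {
            $stanzas[$current].Add($text)
        }
    }

    foreach ($name in @($stanzas.Keys)) {
        $cmds = $stanzas[$name]
        $issues = @()
        $shut = $cmds -contains 'shutdown'
        if ($InUse -notcontains $name) {
            # Ports with nothing attached must be administratively disabled.
            if (-not $shut) { $issues += 'not in the in-use inventory and not shut down' }
        } elseif (-not $shut) {
            # Ports in use should carry the access-port settings shown in the guide's excerpts.
            if ($cmds -notcontains 'switchport mode access') { $issues += 'missing "switchport mode access"' }
            if (-not ($cmds -match '^switchport access vlan \d+$')) { $issues += 'no access VLAN assigned' }
            if ($cmds -notcontains 'no cdp enable') { $issues += 'missing "no cdp enable"' }
        }
        if ($issues.Count -gt 0) {
            [pscustomobject]@{ Interface = $name; Issues = ($issues -join '; ') }
        }
    }
}

# Constructed sample in the style of the switch configuration excerpts in this guide.
$sample = @'
interface FastEthernet0/1
 switchport access vlan 201
 switchport mode access
 no ip address
 no cdp enable
 spanning-tree portfast
interface FastEthernet0/2
 switchport mode access
!
interface FastEthernet0/3
 shutdown
!
'@

# Only FastEthernet0/1 is expected to have equipment attached in this sample.
Find-SwitchPortExposure -ConfigText $sample -InUse 'FastEthernet0/1'
```

The inventory is the part that needs upkeep: ports used only for movable equipment belong in it only while that equipment is connected.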
Specific procedures to follow for UOC configuration files imported into Experion include the
following:
• Ensure that an approved antivirus application is installed on the node used to import any third
party files.
Examples of third party files include EDS files used in connection with the UOC
application image.
• Ensure that all third party files are stored under one of these folder trees.
  ◦ Default path: C:\ProgramData\Third Party Files\
  ◦ Custom installation path: <Experion Runtime Data Folder Path>\Third Party Files\
Chapter 16 - Configuring a Secure Connection for Experion Integration
• Encrypted communications to other nodes (Windows nodes or peer controller nodes such as
other UOCs or C300s) on the FTE network
• Cleartext communication to other nodes on the FTE network
• Cleartext communication to devices on the downlink network
This may require dozens or hundreds of cleartext policies to be configured on a redundant UOC
pair, depending on the number of devices being used.
For Windows nodes
For each UOC that will be operating in secure communications mode:
• Encrypted communications to the UOC must be explicitly configured
• Certain protocols/services must be explicitly configured as cleartext (aka exceptions)
No explicit configuration is required to communicate with nodes that are not using secure
communications.
Phases of UOC Set-up
There are four main phases in the set-up of each UOC before IPSec can be enabled. Some of the
configuration data is included in the synchronization from Primary to Secondary modules and
some is not.
• Setting Enrollment Information
• Enrolling for TLS communication (required for the next step)
• Enrolling for IPSec communication (uses TLS)
• Setting and activating security policies
This chapter details how to create a standalone root CA which can be used to issue certificates for
Engineering Station and Direct Stations, as well as for ControlEdge UOC. It also details how to
request certificates from this CA for two different purposes:
• Internet Protocol Security (IPSec) – for use with secure communications between the
Engineering Station, and any other Windows nodes that communicate with the ControlEdge
UOC
• Certificate Manager Configuration Console (CMCC) – to facilitate a secure connection when
configuring the ControlEdge UOC
In addition this chapter will provide details on how to install the certificate on each Engineering
Station and then how to enable IPSec policy to secure communications between the Engineering
Station and the ControlEdge UOC. To support secure communications between the Engineering
Station/Console, the ControlEdge UOC and redundant ControlEdge UOC, network layer security
provided by IPSec policies will be employed. To achieve this, UOC and the Server node need a
certificate issued by a certification authority (CA) trusted by both.
Points to note
• Accurate system time and time synchronization are essential to the operation of secure
communications. All certificates created during the set-up process are time-stamped at the
time of creation. Therefore all node times must be accurate and in sync from the very
beginning, even at the time the Certificate Authority is installed.
• IP address configuration should be completed before secure communications have been
set-up. Changes to the system, especially to IP addresses, after secure communications have
been set-up may cause significant re-work. For example:
  ◦ Using a Certificate Authority at a different IP address will invalidate all certificates that
  have been created with the original CA. All set-up steps, including enrollment, on the
  UOCs will have to be backed out and re-done.
  ◦ Changing the uplink (FTE) IP address of a module will require that all of the steps to
  set-up the module for secure communications be backed out and re-done. This
  includes the case where index switches are changed from their original setting.
  ◦ Changing the downlink IP address of a module will require the modification and
  re-application of the relevant security policies. Enrollment will not have to be redone in
  this case.
• There are certain important restrictions to how the Certificate Authority is deployed:
  ◦ Cannot be installed on domain controllers.
  ◦ Must be installed only when logged in as the Administrator account.
  ◦ Node time must be set or synchronized correctly when the CA is installed.
  ◦ IP address must be set correctly when the CA is installed.
  ◦ Will not work across split subnet network in L2 FTE. Each network requires its own
  Certificate Authority.
There are two Windows nodes and two ControlEdge UOCs deployed at this site. Windows node 1 is
participating with the ControlEdge UOCs (at 192.168.0.3 and 192.168.0.5) in Secure
Communications. Windows node 2 is excluded from this setup due to its network placement or
for interoperability reasons. Additionally, the diagram depicts the level of secure
communication expected (annotated as Cleartext and Encrypted). Refer to the following sections
for further technical information on implementation of the Honeywell Secure Communications
solution.
4. Install IPSec configuration application and prime it for use with UOC - See "Installing
Certificate Manager Configuration Console" for more information.
5. Prime the Windows node and UOC for IPSec configuration – See "Setup certificates and IPSec
policy in UOC" for more information.
6. Configure IPSec policies (access control based on IP addresses) – See "Setup certificates and
IPSec policy in UOC" for more information.
7. Configure Windows IPSec (access control based on IP addresses) – See "Enable IPSec policy
on PCs" for more information.
8. Enable IPSec on UOC and Windows nodes – See "Enable IPSec policy rules in the UOC" for
more information.
HART-IP IPSec
Subsequent to establishing trust, IPSec security constructs selected for securing communication
are:
• Deny all communication unless explicitly granted
• ESP mode only, no AH
• AES-GCM 128 bit message authentication, NULL encryption
• AES-GCM 128 bit message authentication and encryption
The above security constructs apply to a “security area”, a structural grouping of nodes used to
establish Secure Communications relationships. The below policies are options for all nodes that
form a security area:
• No Communication: to prevent explicit communication
• Cleartext Communication: no security measures; intended for interoperability scenarios
• Authentication and Encryption (Message Integrity and Data Confidentiality): Full encryption
that helps preserve confidentiality
For the purposes of this guide, a sample system is taken into account as shown below:
From this diagram it can be seen that IPSec encryption will only be used between Windows nodes
and the UOC.
Clear text communications will be permitted:
1. Between RDP Client and all Windows nodes in the control system subnet for RDP connections
only, as RDP traffic is already encrypted.
2. Between the Engineering Station and the UOC as this device does not support any other form
of communications.
3. Between the CA Server and the ControlEdge UOC, as this communication will be via an HTTPS
connection.
4. Between the ControlEdge Builder node with the CMCC tool to the UOC, as this connection will
utilise a TLS encrypted socket for the bulk of the communication.
5. Between the CA Server and the Windows nodes in the control system, as the PFX certificate
files are password protected.
6. Between all Windows nodes in the control system subnet.
This document will guide you through the process of configuring a CA Server, issuing certificates
for PCs, configuring IPSec on PCs and enrolling and configuring IPSec on the ControlEdge UOC.
CAUTION
The Certificate Authority is a critical asset from a security perspective, and physical access
to it within the network should be restricted. Only authorized individuals should be allowed
access for all operations on this node.
CAUTION
The node's permanent IP address should be configured before the CA is installed. Once the
CA is installed it will not work properly if the node IP is subsequently changed.
CAUTION
All nodes participating in secure communications must have synchronized clocks. If not,
then the certificates that are created and exchanged as part of these procedures (either
manually or automatically) may fail validation and may cause errors in subsequent steps.
This PC should not be used for any other purpose. This is a Windows Server node running
Windows Server 2016, and the screenshots and PowerShell scripts included in this document
were developed using Windows Server 2016.
These instructions will create a standalone root Certificate Authority (CA) that can work in both a
domain and workgroup environment. It will also configure the CA to support Network Device
Enrollment Scheme (NDES) which is Microsoft’s implementation of Simple Certificate Enrollment
Protocol (SCEP) which allows network devices (such as the ControlEdge UOC) to enroll for a
certificate.
This CA needs to be on the same network as the UOC and Experion Node. Ideally the CA Server
would always be available, but as a minimum it needs to be available for initial enrollment with
IPSec for all PCs and UOCs. If the CA Server is not available on an ongoing basis, this will impact
the ability for the PCs and UOCs to receive updated Certificate Revocation Lists and for the UOC to
auto-renew its certificate when it gets close to expiry.
Take UOC as an example:
CAUTION
Perform ALL install and configuration instructions on the CA Server under the local
Administrator account, not just an account in Administrators, but the actual Administrator
account. If the CA is installed improperly it cannot be uninstalled easily, so a first-time
successful installation is essential.
1. From the Experion PKS R510 media install the MSI file Secured Communications for
ControlEdge UOC and Experion PKS.msi and accept all defaults.
2. Start an Administrative PowerShell command prompt by going to the Start menu and going to
the Windows PowerShell folder then right click on the Windows PowerShell item in this menu
and choose Run as Administrator.
4. Run the following command to commence installing and configuring the CA:
.\Install-CA.ps1
When prompted:
a. Enter a password for the NDESop account. NDESop is a service account used to
support generation of one time passwords (OTP) for enrollment of the UOC into IPSec.
b. Enter a password to protect the TLS certificate generated by this script.
c. Enter any additional IP addresses that the CA Server machine uses that are not shown,
press Enter on a blank entry when complete, or Enter at first Blank entry if no more to
add.
All the Windows components will then be installed and configured; this will take 5-10
minutes.
f. If there is an IP address in the list of locations that is not expected or is invalid for the
machine, such as one similar to 169.x.x.x, right-click on the entry with the invalid IP address
and select Remove.
NOTE
Use PowerShell to re-install the IPSec certificate.
TIP
These instructions can be used to make the IPSec certificate for Windows nodes that
connect to the UOC. They can also be used to make the Certificate Manager Configuration
Console (CMCC) certificate and the GetChallenge IIS web page TLS certificate. The
TLS certificate for the CA GetChallenge web page is created automatically as part of the
.\Install-CA.ps1 PowerShell script (see "Creating the Certificate Authority" for more
information), so no further mention of it appears outside of this section. The steps for
creating all 3 certificate types (IPSec, CMCC & TLS) are largely the same; where they differ,
the steps below will clearly state this.
TIP
Ensure that you log in as an Administrator.
PFXPassword: Is the password to be used to protect the private key in the output PFX file
5. On completion, the script shows the name and location of the output PFX file, which
contains the certificate and private key.
This file should now be copied to the target machine. The following section will detail how to install
the certificate at the target machine.
Certificate type | Store Location | Store | Reason | What nodes?
TLS | Local Machine | WebHosting (Web Hosting) | Used by IIS for the GetChallenge web page | CA Server
The instructions in this section will explicitly state what needs to be done for each certificate type
as this information varies.
TIP
Ensure that you log in as an Administrator.
1. Locate the certificate PFX file in Windows Explorer (it should have been copied to this node at
the end of the last section) and then double-click on it.
2. The certificate store location then needs to be chosen; this varies by certificate type.
a. For IPSec and TLS certificates only:
At the Welcome to the Certificate Import Wizard choose the Store Location to be Local
3. If presented with a User Account Control dialog click Yes or provide appropriate credentials.
4. At the File to Import dialog verify that it is showing the name of the file you specified and click
Next.
5. At the Private key protection dialog enter the password you set when exporting the certificate,
ensure the Mark the key as exportable option is disabled and that the Include all extended
properties option is enabled then click Next.
6. The correct Certificate Store needs to be chosen for the certificate type, this varies based on
Certificate Type:
8. After the certificate import completes, a dialog should pop up to confirm that The import was
successful. Click OK.
With the certificate now installed, and the CA installed as a Trusted Root CA, this certificate and
others issued by the CA should now be accepted by this machine without the need for the CA to be
online and available.
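After the import wizard reports success, the properties this procedure depends on (a private key that is present but not exportable, a validity window that agrees with the node's clock, and a chain that ends at the site CA) can be confirmed from PowerShell. The function below is an added example, not part of this guide or of the Honeywell scripts; the function name, its parameters and the 30-day warning threshold are assumptions, and the store path and thumbprints are supplied by the operator.

```powershell
# Added example (not part of the guide or of the Honeywell scripts).
# Assumptions: -StorePath is the store used for the certificate type just imported,
# and -ExpectedRootThumbprint is the thumbprint of the site CA certificate.
function Test-ImportedNodeCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $StorePath,
        [Parameter(Mandatory)] [string] $Thumbprint,
        [string] $ExpectedRootThumbprint,
        [int]    $RenewalWarningDays = 30,
        [switch] $CheckRevocation
    )

    $findings = New-Object System.Collections.Generic.List[string]
    $wanted = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $cert = Get-ChildItem -Path $StorePath |
        Where-Object { $_.Thumbprint -eq $wanted } | Select-Object -First 1
    if (-not $cert) { throw "No certificate with thumbprint $wanted in $StorePath" }

    # 1. Validity window against the local clock. A certificate that is "not yet valid"
    #    right after issuance usually means this node's clock is behind the CA's.
    $now = Get-Date
    if ($now -lt $cert.NotBefore) {
        $findings.Add("Not valid until $($cert.NotBefore.ToString('s')): compare this node's clock with the CA")
    } elseif ($now -gt $cert.NotAfter) {
        $findings.Add("Expired on $($cert.NotAfter.ToString('s'))")
    } elseif (($cert.NotAfter - $now).TotalDays -lt $RenewalWarningDays) {
        $findings.Add("Expires within $RenewalWarningDays days ($($cert.NotAfter.ToString('s')))")
    }

    # 2. Private key must be present and must not be exportable.
    $exportable = $null
    if (-not $cert.HasPrivateKey) {
        $findings.Add('No private key is associated with this certificate')
    } else {
        try {
            $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($key -is [System.Security.Cryptography.RSACng]) {
                $allow = [System.Security.Cryptography.CngExportPolicies]::AllowExport -bor
                         [System.Security.Cryptography.CngExportPolicies]::AllowPlaintextExport
                $exportable = ([int]($key.Key.ExportPolicy -band $allow)) -ne 0
            } elseif ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $exportable = $key.CspKeyContainerInfo.Exportable
            } else {
                $findings.Add('Key type not recognised; exportability not determined')
            }
        } catch {
            $findings.Add("Could not open the private key: $($_.Exception.Message)")
        }
        if ($exportable) { $findings.Add('Private key is marked exportable') }
    }

    # 3. Chain must build to a trusted root; optionally pin it to the site CA.
    #    Revocation is skipped by default so the check also works while the CA is offline.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = if ($CheckRevocation) { 'Online' } else { 'NoCheck' }
    $trusted = $chain.Build($cert)
    foreach ($s in $chain.ChainStatus) {
        $findings.Add("Chain: $($s.Status) $($s.StatusInformation)".Trim())
    }
    $root = $null
    if ($chain.ChainElements.Count -gt 0) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    }
    $pin = ($ExpectedRootThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($pin -and $root -and $root.Thumbprint -ne $pin) {
        $findings.Add("Chain ends at $($root.Thumbprint), not at the expected CA")
    }

    [pscustomobject]@{
        Subject              = $cert.Subject
        NotBefore            = $cert.NotBefore
        NotAfter             = $cert.NotAfter
        HasPrivateKey        = $cert.HasPrivateKey
        PrivateKeyExportable = $exportable
        ChainTrusted         = $trusted
        RootThumbprint       = if ($root) { $root.Thumbprint } else { $null }
        Findings             = $findings.ToArray()
    }
}

# Example call for the TLS certificate on the CA Server (thumbprints are placeholders):
# Test-ImportedNodeCertificate -StorePath 'Cert:\LocalMachine\WebHosting' `
#     -Thumbprint '<certificate thumbprint>' -ExpectedRootThumbprint '<CA certificate thumbprint>'
```

Run it from an elevated session for Local Machine stores, since reading the key's export policy requires access to the machine key.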
TIP
It is recommended to install and use the CMCC tool on a Flex Station.
TIP
Ensure that you log in as an Administrator.
1. From the Experion PKS R510 media install the MSI file Secured Communications for
ControlEdge UOC and Experion PKS.msi and accept all defaults.
2. Go to the machine you wish to use for configuring certificates on to the UOC. Note that this
machine should not be the CA Server. Then open Windows Explorer on this machine, make a new
folder called CertMgmt in the root directory of C:\, and then navigate into this folder.
4. Create a certificate of type CMCC for the Windows computer you’ve just installed the CMCC
software on (see "Creating a certificate for a Windows node" for more information), ensuring
that you install it to the Current User store at step 2 (see "Importing certificate and private key
on target machine" for more information).
5. Start up a management console (mmc.exe) accepting a User account control prompt or
providing appropriate credentials if shown:
7. On the Add or Remove Snap-Ins dialog select Certificates and click Add >
8. On the Certificates snap-in dialog select My user account and click Finish.
9. Back on the Add or Remove Snap-ins dialog, verify that the Selected snap-ins column shows
Certificates – Current User then click OK
11. Call this console “Certificate Management” and save it somewhere you will remember, in this
example it will be saved to the desktop.
12. In the left hand navigation pane, navigate to Certificates – Current User, then click on Trusted
Root Certification Authorities, then click Certificates. The right hand pane should now show
the CA’s certificate that was just imported.
14. On the Certificate dialog Details tab click Copy to File… to save the certificate.
15. At the Certificate Export Wizard dialog click Next.
16. On the Export File Format dialog ensure that the format selected is DER encoded binary X.509
(.CER) then click Next.
17. On the File to Export dialog enter the name and location of a file to store the certificate in
using the .CER extension and then click Next.
18. At the Completing the Certificate Export Wizard dialog click Finish to complete the export.
19. After the file is saved to disk, a dialog should pop up to indicate that The export was
successful. Click OK.
TIP
Note this .CER file will be needed at step 4 in the following section.
NOTE
Install of the CA node fails if CA is in domain.
1. Start a Command Prompt and change to the Certificate Manager Configuration Console
(CMCC) folder with the following command (or similar):
cd \CertMgmt\CertManagerConfigConsole
3. First the Enrollment information needs to be setup. So, at the CMCC prompt type:
SetEnrollInfo
NOTE
The tool accepts only one SntpHostname, so enter the Primary SNTP host name
here. The Secondary SNTP host would not be supported in this case.
DeviceIPAddressN – Enter the IP addresses of the UOC. The first should be the Uplink IP
address of the primary UOC, and the second should be the uplink address of the secondary
UOC. The third and fourth IP address entries should be left blank. Press Enter after each; if
fewer than 4 are entered, pressing Enter at a blank prompt will signal the tool to stop further
DeviceIPAddress prompts. The first IP address should be pre-populated with the IP address
you used to start the CMCC.
Install CA certificate both on primary and secondary UOC.
5. To verify that the enrolment information has been set in the UOC, at the CMCC prompt type:
GetEnrollInfo
<Enter>
ATTENTION
Handle the OTP with extreme care and ensure the value is
communicated to the UOC in a controlled manner. Loss of the OTP may allow
the introduction of a separate node as a trusted node within the system. If it is
used elsewhere between generation and step 9 below, you will receive an
error from the CMCC tool indicating the OTP is invalid.
c. Back in the CMCC tool the UOC’s Certificate Manager module can be enrolled by typing
the following command at the CMCC prompt:
EnrollWithPassword
Then type the OTP from the previous step, the enrolment should then succeed.
9. A pop-up window will be displayed. Select the CMCC client certificate that was created and
installed at step 3 of "Installing Certificate Manager Configuration Console" (see page 63 for
more information).
10. The CMCC will reconnect to the UOC, but will now use TLS security on the connection. To start
the Enroll IPSec process on the UOC, type the following command at the CMCC prompt:
Profiles
d. Back in the CMCC tool the UOC can now have its IPSec enrolled by typing the following
command at the CMCC prompt: EnrollWithPassword
Then type the OTP from the previous step, the enrolment should then succeed.
e. In the CMCC tool revert back to the top level menu by typing the following command at
the CMCC prompt:
Exit
Then type the OTP from the previous step, the enrolment should then succeed.
16. Redundant UOCs only:
A pop-up window will be displayed. Select the CMCC client certificate that was created and
installed at step 3 of section "Installing Certificate Manager Configuration Console" on
page 63.
17. Redundant UOCs only:
To continue in CMCC, it needs to be re-connected to the UOC securely. To achieve that, type
the following commands at the CMCC prompt to exit from the current menu and then
re-connect:
Exit
Reconnect
18. Redundant UOCs only:
The CMCC will reconnect to the UOC, now using TLS security on the connection. To start
the Enroll IPSec process on the UOC, type the following command at the CMCC prompt:
Profiles
19. Redundant UOCs only:
Press <Enter> to choose IPSec.
20. Redundant UOCs only:
Start a new web browser instance and connect to the CA Server:
https://<CA Server IP Address>/GetChallenge
Note: If you are using Internet Explorer on a Windows Server OS, first ensure the CA site has
been added to your “Trusted Sites”.
When prompted login with the local Administrator account credentials for the CA Server,
ensure “Remember my credentials” remains un-checked.
Note: If your web browser is running on a machine in a domain ensure you use
“.\Administrator” as the user name.
21. Redundant UOCs only:
Select Generate random challenge and click on Submit to RA, the page should then display
the Generated Challenge (also known as a one time password, OTP).
22. Redundant UOCs only:
Back in the CMCC tool the UOC can now have its IPSec enrolled by typing the following
command at the CMCC prompt:
EnrollWithPassword
Then type the OTP from the previous step; the enrolment should then succeed.
23. Redundant UOCs only:
Then exit out of the CMCC tool by using the following commands:
Exit
Exit
24. Redundant UOCs only:
Run the following command:
CertMngrConfigConsole.exe ip:<UOC IP Address>
Where <UOC IP Address> is the IP of the Primary you are connecting to.
Re-join steps here for single UOC, and continue on for Redundant UOCs:
25. Now enter the following command to enter the IPSec menu at the CMCC prompt:
IPSec
26. Now enter the following command to Edit Policies at the CMCC prompt:
EditPolicies
27. Press Ctrl+Insert to insert a new line into the policies list and press Enter to edit the first
column (Local IP).
a. Enter the UOC’s IP address (159.99.79.146 in this example) in the Local IP column and
press Enter.
b. Move to the right (by pressing the right arrow) and press Enter again, then enter the IP
address of the PC accessing the UOC (159.99.79.148 in this example) and press Enter.
c. Move to the right (by pressing the right arrow) and press Enter again, then select the
required policy rule using the up and down arrows (encrypt/plain-text/authenticate), in this
example POLICYENCRYPT, then press Enter.
28. Use Ctrl+Insert plus steps a-c to add further rules for all IP addresses for the primary and backup
controller (in the Local IP column), and for each Windows PC (Remote IP column) requiring access
(e.g. Primary and Backup Server as well as ControlEdge UOC Builder).
29. Use Ctrl+Insert plus steps a-c to add further rules for all IP addresses for the primary and backup
controller (in the Local IP column) to any EPM (Remote IP column) connected to the UOC;
however, create these with a cleartext policy.
30. Then press Esc and then Enter and then Enter again to apply the policies.
31. To exit the tool type the following commands at the CMCC prompt:
Exit
Exit
TIP
If using redundant UOCs, the policies will be saved and applied automatically at
the backup UOC.
There may naturally be some lag in the establishment of secure communications since it is difficult
to execute these two steps simultaneously.
CAUTION
Similarly, deactivating IPSec requires the opposite steps to be performed, and unless these
steps are performed simultaneously there may be a loss of communication until both steps are
executed.
Before proceeding with applying IPSec, ensure that all machines that need to communicate
with the UOC, and the UOC itself, have installed their certificates and have the CA in their Trusted
Root CA list.
Application of IPSec policy involves laying down a blanket "no connection without IPSec" rule,
followed by setting a number of exceptions to this rule to control how the various nodes and
devices communicate with and without IPSec.
Use the examples below to formulate your own policies.
CAUTION
The configuration performed in this section should not be performed in an on-process/live
system, as you will lose communications to one or all of the nodes in the system as you roll
out this policy, until all nodes have been configured.
To enable IPSec, a series of commands must be executed to set up the various policies. These
policies take effect immediately, so once the “Default Closed” policy is applied, non-IPSec (clear text)
communications to the nodes will be lost. It is therefore important that an exception for RDP is made if
the configuration of the nodes is being performed via RDP; otherwise this connection will be lost.
The following set of steps needs to be run on all nodes connecting to the UOC; in the example being
used here, these steps would need to be performed on Node 3 and Node 5. Note that in all examples
below “endpoint2” should represent the node the rule is being added on, and “endpoint1”, where
specified, is the node that is being remotely connected to/from.
1. Use section 3 to create and install an IPSec certificate for this Windows node
2. Start an Administrative Command prompt
3. Run the following commands to set the main mode parameters on Node 3 & Node 5 only (as
those nodes alone communicate to the UOC).
• netsh advfirewall set global mainmode mmsecmethods ecdhp256:aes128-sha256
• netsh advfirewall set global mainmode mmforcedh yes
• netsh advfirewall consec delete rule name=all
4. To set up the clear text communication exception rules for the control system subnet, using
the example earlier, this system will need to allow Node 4 and Node 5 to connect to Node 3,
and Node 3 and Node 4 to connect to Node 5.
a. When configuring on Node 3 the following commands need to be run; note each point is
a single command:
• netsh advfirewall consec add rule name="Node 4 Exception" description="Node 4 to this node clear text comms" action=noauthentication endpoint1="192.168.10.4,192.168.11.4" endpoint2="192.168.10.3,192.168.11.3"
• netsh advfirewall consec add rule name="Node 5 Exception" description="Node 5 to this node clear text comms" action=noauthentication endpoint1="192.168.10.5,192.168.11.5" endpoint2="192.168.10.3,192.168.11.3"
• Further commands similar to these would be run for any other non-IPSec nodes
that need to connect to Node 3; simply modify the values in bold underline to tailor it
for your system.
b. When configuring on Node 5 the following commands need to be run; note each point is
a single command:
• netsh advfirewall consec add rule name="Node 3 Exception" description="Node 3 to this node clear text comms" action=noauthentication endpoint1="192.168.10.3,192.168.11.3" endpoint2="192.168.10.5,192.168.11.5"
• netsh advfirewall consec add rule name="Node 4 Exception" description="Node 4 to this node clear text comms" action=noauthentication endpoint1="192.168.10.4,192.168.11.4" endpoint2="192.168.10.5,192.168.11.5"
• Further commands similar to these would be run for any other non-IPSec nodes
that need to connect to Node 5; simply modify the values in bold underline to tailor it
for your system.
5. If you are using RDP to connect to the nodes that will communicate with the UOC, then you
will need to create an RDP exception rule (RDP uses TCP port 3389 on the machine being
connected to, i.e. Nodes 3 & 5 below).
a. When configuring on node 3 the following command needs to be run:
• netsh advfirewall consec add rule name="Node 1 RDP Exception" description="Node 1 RDP clear text comms" action=noauthentication endpoint1="192.168.1.1" endpoint2="192.168.10.3,192.168.11.3" port2="3389" protocol="tcp"
• If there are additional nodes that use RDP to this node, then just create additional
exception rules by modifying the text in bold underline.
6. For Windows PC nodes that will use the CMCC tool to connect to the UOC, you will need the
following exceptions to allow CMCC to communicate in clear text to the UOC when IPSec is
enabled. CMCC uses TLS to encrypt this traffic and the UOC has internal rules to not require
IPSec on this connection, so this rule ensures Windows PC nodes do the same. For such
nodes you will need to create an RDP exception rule, taking the UOC as an example:
a. If node 3 uses CMCC the following command needs to be run:
• netsh advfirewall consec add rule name="UOC CM port Exception" description="UOC CertMngr to this node clear text comms" action=noauthentication endpoint1="192.168.10.6,192.168.11.6" endpoint2="192.168.10.3,192.168.11.3" port1="55601,55602" protocol=tcp
• If there are additional UOCs that this node will use CMCC to connect to, then just
create additional exception rules by modifying the text in bold underline.
7. For nodes that use the ControlEdge Builder software, a clear text exception rule needs to be
created for the ControlEdge Builder software to be able to receive multi-cast packets to detect
the presence of a ControlEdge UOC, taking the UOC as an example:
a. When configuring node 5 the following command needs to be run:
• netsh advfirewall consec add rule name="ControlEdge UOC Discovery Exception" description="ControlEdge UOC discovery port exception" action=noauthentication endpoint1="any" endpoint2="192.168.10.5,192.168.11.5" port1="24558" protocol=udp
• Note: the value of port1 specifies the multicast address port that the packets are
received from; this is a fixed port for all ControlEdge UOCs.
8. To apply IPSec encryption to the nodes communicating with the UOC, the following IPSec
rules need to be applied, taking the UOC as an example:
a. When configuring on node 3 the following command needs to be run:
• netsh advfirewall consec add rule name="UOC Encryption" description="PC to UOC encrypted comms" action=requireinrequireout auth1=computercertecdsap256 endpoint1="192.168.10.6,192.168.11.6" endpoint2="192.168.10.3,192.168.11.3" auth1ecdsap256ca="<CA Cert SubjectName>" qmsecmethods=ESP:aesgcm128-aesgcm128
• For any additional UOCs this PC needs to connect to, update the items in bold
underline and run for each UOC.
• The <CA Cert SubjectName> is the string in the Subject field of the CA certificate,
with items in reverse order, e.g. "C=US, O=Honeywell, CN=AS01HSCCASRV", or, based
on the CA created in section "Creating the Certificate Authority" on page 48,
simply "CN=AS01HSCCASRV-CA".
• If you have redundant UOCs you will need to either make a second version of this
rule, or add the Backup UOC’s IP addresses into the endpoint1 parameter,
separating them by commas.
9. For nodes that use the SNTP server, a clear text exception rule needs to be created for the
ControlEdge Builder software to be able to receive multi-cast packets to synchronize with the
SNTP server:
When configuring node 6, the following command needs to be run:
netsh advfirewall consec add rule name="SNTP Server Exception" description="SNTP Server port exception" action=noauthentication endpoint1="any" endpoint2="192.168.10.8" port1="123" protocol=udp
To ease enabling of IPSec policy on Windows nodes, it is worth creating a batch file per Windows
node, enableIPSec.bat, and storing all the required netsh commands in this file. This will make it
easier to add new rules as new nodes are introduced to your system. It also allows you to back up
your Windows node IPSec rules configuration by just taking a copy of this file. You will need a
separate instance of this batch file for each machine.
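One way to review an enableIPSec.bat before it is run on a node, shown as an added example that is not part of the original guide or of any Honeywell tooling. The sample file contents, the finding names and the three checks are assumptions of this example, and only "any", single addresses and CIDR subnets are understood as endpoint values.

```python
import ipaddress
import shlex

ACTIONS = {"requireinrequestout", "requestinrequestout", "requireinrequireout",
           "requireinclearout", "noauthentication"}
ADD_RULE = "netsh advfirewall consec add rule"
ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed sample for a hypothetical Node 3 (addresses follow this section's
# example). Lines 7-9 are deliberately wrong to show what the audit reports.
SAMPLE_BAT = """\
netsh advfirewall set global mainmode mmsecmethods ecdhp256:aes128-sha256
netsh advfirewall consec delete rule name=all
netsh advfirewall consec add rule name="Node 4 Exception" action=noauthentication endpoint1="192.168.10.4,192.168.11.4" endpoint2="192.168.10.3,192.168.11.3"
netsh advfirewall consec add rule name="UOC CM port Exception" action=noauthentication endpoint1="192.168.10.6,192.168.11.6" endpoint2="192.168.10.3,192.168.11.3" port1="55601,55602" protocol=tcp
netsh advfirewall consec add rule name="ControlEdge UOC Discovery Exception" action=noauthentication endpoint1="any" endpoint2="192.168.10.3,192.168.11.3" port1="24558" protocol=udp
netsh advfirewall consec add rule name="UOC Encryption" action=requireinrequireout auth1=computercertecdsap256 endpoint1="192.168.10.6,192.168.11.6" endpoint2="192.168.10.3,192.168.11.3" auth1ecdsap256ca="CN=AS01HSCCASRV-CA" qmsecmethods=ESP:aesgcm128-aesgcm128
netsh advfirewall consec add rule name="Misquoted" action=noauthentication" endpoint1="192.168.10.4" endpoint2="192.168.10.3
netsh advfirewall consec add rule name="Any host clear" action=noauthentication endpoint1="any" endpoint2="192.168.10.3"
netsh advfirewall consec add rule name="UOC clear" action=noauthentication endpoint1="192.168.10.6" endpoint2="192.168.10.3"
"""


def parse_endpoints(value):
    """Turn 'a,b,...' into ip_network objects; 'any' becomes 0.0.0.0/0 (IPv4 only)."""
    nets = []
    for item in value.split(","):
        item = item.strip()
        nets.append(ANY if item.lower() == "any"
                    else ipaddress.ip_network(item, strict=False))
    return nets


def parse_rule(line):
    """Parse one 'consec add rule' line into a dict, or raise ValueError."""
    tokens = shlex.split(line)  # raises ValueError on an unclosed quote
    fields = {}
    for tok in tokens[len(ADD_RULE.split()):]:
        key, sep, val = tok.partition("=")
        if not sep:
            raise ValueError(f"stray token {tok!r}")
        fields[key.lower()] = val
    # A misplaced quote glues later parameters onto the action value.
    fields["action"] = fields.get("action", "").lower()
    if fields["action"] not in ACTIONS:
        raise ValueError(f"unknown action {fields['action']!r}")
    for ep in ("endpoint1", "endpoint2"):
        if ep not in fields:
            raise ValueError(f"missing {ep}")
        fields[ep] = parse_endpoints(fields[ep])
    return fields


def audit(bat_text):
    """Return sorted (line_no, code, detail) findings for a rules batch file."""
    findings, rules = [], []
    for n, line in enumerate(bat_text.splitlines(), 1):
        if not line.strip().lower().startswith(ADD_RULE):
            continue
        try:
            rules.append((n, parse_rule(line)))
        except ValueError as exc:
            findings.append((n, "malformed", str(exc)))
    # Remote peers that some rule says must always be encrypted.
    protected = [net for _, r in rules if r["action"] == "requireinrequireout"
                 for net in r["endpoint1"]]
    for n, r in rules:
        scoped = "port1" in r or "port2" in r
        if r["action"] != "noauthentication" or scoped:
            continue  # only unrestricted clear-text exceptions are reviewed
        if ANY in r["endpoint1"] + r["endpoint2"]:
            findings.append((n, "broad-cleartext", r.get("name", "")))
        elif any(a.overlaps(p) for a in r["endpoint1"] for p in protected):
            findings.append((n, "shadows-encryption", r.get("name", "")))
    return sorted(findings)


if __name__ == "__main__":
    for line_no, code, detail in audit(SAMPLE_BAT):
        print(f"line {line_no}: {code}: {detail}")
```

The port-scoped exceptions from this section (CMCC ports, discovery port) pass, while a clear-text exception with no port restriction is reported when it names "any" or an address that an encryption rule also covers.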
CAUTION
Although the rules above will appear in the Windows Advanced Firewall console under
Connection Security, do not use that console to modify these rules as some of the settings in
these rules are not supported by the console and may result in the rules being inadvertently
modified to an unusable state.
CAUTION
Although not required, it is advisable to leave the CA running during process operation. If not,
there can be seconds of delay while secure connections are established, even during
controller switchover. To reduce any such delays during switchover, the CA should remain
network-connected and operational at all times.
NOTE
In Server, Experion PKS Policy Agent and Experion policy Decision Point, and in console,
Experion PKS policy agent, must be disabled so that the configured rules will not be erased
from the Windows node.
As with enabling IPSec on a Windows node, for disabling it is worth creating a batch file per
Windows node, disableIPSec.bat, and storing the command above in it, as remembering to type
“disableIPSec” to disable IPSec will be easier than the command above. Given there is no
machine-specific data in this batch file, a single disableIPSec.bat can be copied and used on multiple nodes.
TIP
If using redundant UOCs when IPSec is enabled on the primary UOC, this change will be
replicated to the backup UOC and hence IPSec does not need to be manually enabled on
the backup UOC.
1. Connect the CMCC tool to the UOC with the following command:
CertMngrConfigConsole.exe ip:<UOC IP address>
Where <UOC IP address> is the IP address of the UOC (Primary UOC if using redundant UOCs)
3. At the top menu enter the following command to enter the IPSec menu
IPSec
4. Ensure the current IPSec state is Disabled, then type the following command at the CMCC
prompt to enable IPSec:
Enable
5. To exit the tool type the following commands at the CMCC prompt:
Exit
Exit
1. Connect the CMCC tool to the UOC with the following command:
CertMngrConfigConsole.exe ip:<UOC IP address>
Where <UOC IP address> is the IP address of the UOC (Primary UOC if using redundant UOCs)
3. At the top menu enter the following command to enter the IPSec menu
IPSec
4. Ensure the current IPSec state is Enabled, then type the following command at the CMCC
prompt to disable IPSec:
Disable
5. To exit the tool type the following commands at the CMCC prompt:
Exit
Exit
16.9.1 Backup
1. On the CA Server start up a management console (mmc.exe) accepting a User account control
prompt or providing appropriate credentials if shown.
3. In the left column choose Certification Authority and click Add, then ensure Local Computer is
selected and click Finish and then OK
4. In the left hand pane expand Certification Authority (Local) and then right click on your CA
and choose All Tasks and then Back up CA…
5. At the Welcome to the Certification Authority Backup Wizard dialog click Next
6. Ensure that you enable both the Private key and CA certificate as well as the Certificate
database and certificate database log items, then choose a directory to back up to (if it does not
exist you will be prompted to confirm the creation of it) and click Next
7. Enter and confirm a password to protect the CA’s private key and then click Next
9. Then to confirm that the backup has occurred use Windows Explorer to navigate to the folder
you specified in step 6 and check that files have been output to that location.
The CA has now been backed up to the location specified. Please ensure this location is included in
any backup jobs, or copy the directory and all its contents to a backup location. You should also
back up the folder where you store certificates created for CMCC, TLS and IPSec. See
"Creating a certificate" for more information.
16.9.2 Restore
1. On the CA Server start up a management console (mmc.exe) accepting a User account control
prompt or providing appropriate credentials if shown.
3. In the left column choose Certification Authority and click Add, then ensure Local Computer is
selected and click Finish and then OK
4. In the left hand pane expand Certification Authority (Local) and then right click on your CA
and choose All Tasks and then Restore CA
5. If the CA is running a prompt will be shown to confirm that it will be stopped, if shown click OK
7. Enable the options Private key and CA certificate and Certificate database and certificate
database log and set a directory to restore the CA from, then click Next
8. At the Provide Password dialog enter the password that was used at step 7 of "Backup"
and click Next
10. Once the restore is complete click Yes to restart the CA.
The CA Server has now been restored to have the state from the time of the backup used.
2. Right click on the CA and choose All Tasks and then Renew CA Certificate.
3. At the Install CA Certificate dialog click Yes to stop the Active Directory Certificate Services
4. At the Renew CA Certificate dialog box, choose No to re-use the existing CA keys and click OK
5. The Root certificate will then be renewed and the Active Directory Certificate Services
restarted.
16.10.3 PC certificates
Renewal
To renew the CMCC and IPSec certificates, see "Creating a certificate for a Windows node"
to issue and install new certificates for each type for the PC requiring them.
Once the new certificate has been installed, you can optionally delete the old certificate by right
clicking on it and then clicking Delete, and answering any prompts requiring confirmation. If the
old certificate was in use deleting it will force the connection to re-negotiate its encryption with the
new certificate. Optionally, you could also revoke the certificate at the CA Server once you’ve
deleted it from the PC using it.
16.10.4 Revocation
If you need to revoke a PC's CMCC or IPSec certificate then:
1. Start the Certificate Management console on the CA Server and in the left pane navigate to
your Certification Authority.
2. Then navigate to Issued Certificates and in the middle pane look for the certificate you wish to
revoke.
Some tips to help find the correct certificate:
a. The Issued Common Name column will contain the name of the computer the certificate
was created for
b. If you open a certificate and go to Details tab:
i. A CMCC certificate will:
l Have the computer name as the CN value in the Subject field
l Have an Enhanced Key Usage field with value Client Authentication,
l Have a Key Usage field with value Digital Signature
3. Right click on the certificate and choose All Tasks and then Revoke Certificate
4. From the Certificate Revocation dialog choose an appropriate Reason code and then specify
the time to revoke the certificate from, note it defaults to the current time.
5. Then click Yes to revoke the certificate, this will revoke the certificate and you should now see
the certificate listed in the Revoked Certificates list for the CA.
16.10.6 Revocation
If the UOC certificate is revoked in the CA, it will continue to work until the nodes it is connecting to
receive an updated CRL from the CA Server; typically this would be within 48 hours of the
certificate being revoked at the CA.
The Certificate Manager on the UOC will retrieve the Certificate Revocation List (CRL) from the CA
once every 24 hours if the CA is available. The CA will publish a full CRL once every 30 days and a
delta CRL every day. The CRL is then valid for up to 30 days past the CRL publish period by the CA
Server (30 days publish + 30 days overlap = 60 days CRL validity).
For example, if the CA Server publishes a CRL on September 1, and then its next CRL on October 1, and the
UOC retrieves the CRL during September, this CRL would remain valid until October 31 (30 days
after the October CRL is published, or 60 days after the September CRL was published).
16.11 Troubleshooting
This section provides guidance and background information about the causes and remedies for
failures which may occur in the UOC controller. The following topics are presented here.
From the top level menu type “ResetToDefault” to reset the Certificate Manager in the UOC; this
will reset only the IPSec functionality in the UOC. Then see "Setup certificates and IPSec policy in
UOC" and "Enable IPSec policy rules in the UOC" to
set up and enable IPSec in the UOC again.
16.11.4 If CMCC uploads a large number of policies, the read data from the transport connection cannot be received
The default timeout value in CMCC is not sufficient for ControlEdge UOC to handle all of the
policies.
Workaround:
1. Start a Command Prompt and change to the Certificate Manager Configuration Console
(CMCC) folder with the following command (or similar):
cd \CertMgmt\CertManagerConfigConsole
2. Run the following command: CertMngrConfigConsole.exe ip:<CMCCtimeout
catimeout:CMCCtimeout> <UOC IP Address>
Where <UOC IP Address> is the IP of the UOC, or the Primary UOC if using redundant UOCs,
you are connecting to, and CMCCtimeout is the timeout for the policies.
Notices
Trademarks
Experion®, PlantScape®, SafeBrowse®, TotalPlant®, and TDC 3000® are registered trademarks of
Honeywell International, Inc.
ControlEdge™ is a trademark of Honeywell International, Inc.
OneWireless™ is a trademark of Honeywell International, Inc.
Matrikon® and MatrikonOPC™ are trademarks of Matrikon International. Matrikon International is
a business unit of Honeywell International, Inc.
Movilizer® is a registered trademark of Movilizer GmbH. Movilizer GmbH is a business unit of
Honeywell International, Inc.
Other trademarks
Microsoft and SQL Server are either registered trademarks or trademarks of Microsoft Corporation
in the United States and/or other countries.
Trademarks that appear in this document are used only to the benefit of the trademark owner,
with no intention of trademark infringement.
Third-party licenses
This product may contain or be derived from materials, including software, of third parties. The
third party materials may be subject to licenses, notices, restrictions and obligations imposed by
the licensor. The licenses, notices, restrictions and obligations, if any, may be found in the
materials accompanying the product, in the documents or files accompanying such third party
materials, in a file named third_party_licenses on the media containing the product, or at
http://www.honeywell.com/ps/thirdpartylicenses.
Documentation feedback
You can find the most up-to-date documents on the Honeywell Process Solutions support website
at: http://www.honeywellprocess.com/support
If you have comments about Honeywell Process Solutions documentation, send your feedback to:
hpsdocs@honeywell.com
Use this email address to provide feedback, or to report errors and omissions in the
documentation. For immediate help with a technical problem, contact your local Honeywell
Process Solutions Customer Contact Center (CCC) or Honeywell Technical Assistance Center
(TAC).
Support
For support, contact your local Honeywell Process Solutions Customer Contact Center (CCC). To
find your local CCC visit the website,
https://www.honeywellprocess.com/en-US/contact-us/customer-support-contacts/Pages/default.aspx.
Training classes
Honeywell holds technical training classes that are taught by process control systems experts. For
more information about these classes, contact your Honeywell representative, or see
http://www.automationcollege.com.