HC900 Controller Redundancy

Overview & System Operation

Doc. No.: 51-52-25-133

Revision: 3
Date: 9/06

Industrial Measurement and Control

 Notices and Trademarks

Copyright 2006 by Honeywell

Revision 3 Sept. 2006

Warranty/Remedy
Honeywell warrants goods of its manufacture as being free of defective materials and faulty workmanship. Contact
your local sales office for warranty information. If warranted goods are returned to Honeywell during the period of
coverage, Honeywell will repair or replace without charge those items it finds defective. The foregoing is Buyer's sole
remedy and is in lieu of all other warranties, expressed or implied, including those of merchantability and fitness for a
particular purpose. Specifications may change without notice. The information we supply is believed to be accurate
and reliable as of this printing. However, we assume no responsibility for its use.

While we provide application assistance personally, through our literature and the Honeywell web site, it is up to the
customer to determine the suitability of the product in the application.

Industrial Measurement and Control

Honeywell
1100 Virginia Drive
Fort Washington, PA 19034

HC900, 559 and 1042 are U.S. registered trademarks of Honeywell

Other brand or product names are trademarks of their respective owners.

ii HC900 Controller Redundancy Overview & System Operation Revision 3

9/06
 About This Document

Abstract
This manual gives an overview of the HC900 Redundancy architecture and products.

References
The following list identifies all documents that may be sources of reference material for topics discussed in this
publication.

Document Title Doc ID

HC900 Hybrid Controller Specification 51-52-03-31

559 and 1042 Operator Interface Specification 51-52-03-32

HC900 Module Specification 51-52-03-41

Hybrid Control Designer Specification 51-52-03-43

HC900 Controlware Specification 51-52-03-42

HC900 Hybrid Controller Installation and User Guide 51-52-25-107

OPC Server User Guide 51-52-25-134

HC900 Hybrid Control Designer User Guide 51-52-25-110

HC900 Hybrid Control Utilities User Guide 51-52-25-126

HC900 Hybrid Control Designer Function Block Reference Guide 51-52-25-109

HC900 Hybrid Controller Communications User Guide 51-52-25-111

1042 & 559 Operator Interface User Guide 51-52-25-108

Revision 3 HC900 Controller Redundancy Overview & System Operation iii

9/06
Contacts
World Wide Web
The following lists Honeywell’s World Wide Web sites that will be of interest to our customers.

Honeywell Organization WWW Address (URL)

Corporate http://www.honeywell.com

Industrial Measurement and Control http://content.honeywell.com/imc/

IM&C Technical tips http://content.honeywell.com/ipc/faq

Telephone
Contact us by telephone at the numbers listed below.

Organization Phone Number

United States and Canada Honeywell 1-800-423-9883 Tech. Support

1-800-525-7439 Service

iv HC900 Controller Redundancy Overview & System Operation Revision 3

9/06
Symbol Definitions
The following table lists those symbols that may be used in this document to denote certain conditions.

Symbol Definition

This DANGER symbol indicates an imminently hazardous situation, which,

if not avoided, will result in death or serious injury.

This WARNING symbol indicates a potentially hazardous situation, which, if

not avoided, could result in death or serious injury.

This CAUTION symbol may be present on Control Product instrumentation

and literature. If present on a product, the user must consult the
appropriate part of the accompanying product literature for more
information.

This CAUTION symbol indicates a potentially hazardous situation, which, if

not avoided, may result in property damage.

WARNING
PERSONAL INJURY: Risk of electrical shock. This symbol warns the user of a
potential shock hazard where HAZARDOUS LIVE voltages greater than 30 Vrms,
42.4 Vpeak, or 60 Vdc may be accessible. Failure to comply with these
instructions could result in death or serious injury.

ATTENTION, Electrostatic Discharge (ESD) hazards. Observe precautions for

handling electrostatic sensitive devices

Protective Earth (PE) terminal. Provided for connection of the protective earth
(green or green/yellow) supply system conductor.

Functional earth terminal. Used for non-safety purposes such as noise immunity
improvement. NOTE: This connection shall be bonded to protective earth at the
source of supply in accordance with national local electrical code requirements.

Earth Ground. Functional earth connection. NOTE: This connection shall be bonded
to Protective earth at the source of supply in accordance with national and local
electrical code requirements.

Chassis Ground. Identifies a connection to the chassis or frame of the equipment

shall be bonded to Protective Earth at the source of supply in accordance with
national and local electrical code requirements.

Revision 3 HC900 Controller Redundancy Overview & System Operation v

9/06
 Contents
Symbol Definitions........................................................................................................v

Introduction ............................................................................................. 1
Overview.......................................................................................................................1
Purpose of this document.......................................................................................................1
What’s in this document .........................................................................................................1
Documentation .............................................................................................................1

Purpose of the product ............................................................................ 2

Product architecture ................................................................................ 2

Key components ..................................................................................... 3

Redundant Controller Rack ..........................................................................................3
CPU .......................................................................................................................................4
Power .....................................................................................................................................4
Redundant Switch Module (RSM) ..........................................................................................4
Remote I/O Racks ........................................................................................................5
Dual-Port Scanner2 Module ...................................................................................................5
Power Status Module .............................................................................................................5
I/O Modules............................................................................................................................6
Operator Interfaces & Serial Ports ...............................................................................6

Networking .............................................................................................. 7
System Network ...........................................................................................................7
System Network Supervisory Functions.......................................................................8
To PC Applications.................................................................................................................8
To Peer HC900 Controllers ....................................................................................................9
Connection options ................................................................................................................9
I/O Network to Remote Racks....................................................................................10
Device Network (Serial)..............................................................................................11
Modbus Master ....................................................................................................................11
Modbus Slave ......................................................................................................................11
Modbus Master and/or Slave ...............................................................................................11
Remote Access ..........................................................................................................11

Configuration......................................................................................... 12
Lead Controller configuration .....................................................................................12
Configuration & Setup Parameters for Redundant Controllers.............................................12
Reserve Controller configuration................................................................................12
Software .....................................................................................................................13

Revision 3 HC900 Controller Redundancy Overview & System Operation vii

9/06
Contents

HC Designer & HC Utilities PC Software..............................................................................13

Downloading configuration from PC to controller .................................................................13
Configuration storage ...........................................................................................................13
Configuration edits ...............................................................................................................13
Uploading configuration from controller to PC......................................................................14
Downloading to multiple controllers......................................................................................14
Configuration backup ...........................................................................................................14
Configuration conversion......................................................................................................14
Monitoring configurations .....................................................................................................14

Operation .............................................................................................. 15
Overview.....................................................................................................................15
Start-Up ......................................................................................................................15
Modes of operation.....................................................................................................15
RUN Mode (Locked) ............................................................................................................16
RUN/PROGRAM Mode (Unlocked)......................................................................................16
PROGRAM Mode (Locked)..................................................................................................16
Steady State Operations ............................................................................................16
Execution time......................................................................................................................17
Execution sequence.............................................................................................................17
Lead/Reserve controller synchronization .............................................................................17
Failover.......................................................................................................................18
Automatic Failover ...............................................................................................................18
Manual Failover....................................................................................................................19
Failover Performance ...........................................................................................................19
Redundancy Diagnostic Monitoring......................................................................................19

Installation ............................................................................................. 20
Installing the Redundant Controller Rack...................................................................20
Installing the I/O Racks...............................................................................................20
Installing Networking Equipment ................................................................................21
I/O Network ..........................................................................................................................21
Supervisory / Peer Network..................................................................................................21
Installing a Panel-Mounted Operator Interface ..........................................................21
Honeywell OI-1042 & OI-559 ...............................................................................................21
3rd Party Panel-Mounted OI.................................................................................................21
Installing PC Hosts .....................................................................................................22
Honeywell HC Designer & HC Utilities Software ..................................................................22
Honeywell Vista Software.....................................................................................................22
3rd Party PC Application Software .......................................................................................22

Troubleshooting .................................................................................... 23
Diagnostic Indicators ..................................................................................................23
Diagnostic Monitoring from HC Designer and HC Utilities PC Software....................23
Status data available via Supervisory PC ..................................................................23
Servicing.....................................................................................................................24
Module Replacement ...........................................................................................................24
C70R Module Replacement .................................................................................................24
Redundancy Switch Module Replacement...........................................................................24

viii HC900 Controller Redundancy Overview & System Operation Revision 3

9/06
 Contents

Scanner2 Module Replacement ...........................................................................................24

C70R Power Supply Replacement.......................................................................................24
Non-Redundant Power Supply for I/O Rack Replacement...................................................24
Optional Redundant Power Supply for I/O Rack Replacement ............................................24
Power Status Module Replacement .....................................................................................25
I/O Module Replacement......................................................................................................25

Sales and Service ................................................................................. 26

Revision 3 HC900 Controller Redundancy Overview & System Operation ix

9/06
 Figures
Figure 1 HC900 Redundant Controller architecture ......................................................................................................2
Figure 2 Redundant controller rack components ...........................................................................................................3
Figure 3 Ethernet switch with redundant controller.......................................................................................................7
Figure 4 Redundant Ethernet switches with redundant networks..................................................................................8
Figure 5 Peer Data Exchange, Redundant Controllers, Non-Redundant Network .......................................................9
Figure 6 Peer Data Exchange, Redundant & Non-Redundant Controllers, Non-Redundant Network.........................9
Figure 7 Peer Data Exchange, Redundant Controllers, Redundant Networks............................................................10
Figure 8 Connection from Lead controller to PC ........................................................................................................12
Figure 9 Modes of operation on RSM .........................................................................................................................16
Figure 10 Lead/Controller synchronization .................................................................................................................18

Revision 3 HC900 Controller Redundancy Overview & System Operation x

9/06
 Introduction
Overview

Introduction

Overview
Purpose of this document
Provide an overview of the Redundant HC900 product.

What’s in this document

Topic Page

Purpose of the Product 2

Product Architecture 2

Key Components 3

Networking 7

Configuration 12

Operation 15

Installation 20

Troubleshooting 23

Documentation
See References on page iii.

Revision 3 HC900 Controller Redundancy Overview & System Operation 1

9/06
Purpose of the product

Purpose of the product

The HC900 Controller with redundancy minimizes the impact on a process resulting from a single failure
of a critical component of the control system. Availability is improved with:
• Redundant Controller Processors - Provides redundant controllers with seamless failover under fault
conditions,
• Independent power supplies for each of the Redundant Controllers,
• Redundant host networks - Provides interfaces to survive a single network failure,
• Redundant I/O Power – Provides redundant power for I/O racks on a per rack basis.

Product architecture
The Redundant HC900 controller uses a separate rack for controller processors mounted separately from
I/O Racks

Vista R400, Specview

or 3rd Party Software
Ethernet 10/100 base-T
Switch
OPC Server
with Dual
Ethernet support
RS 485

Redundant
Controller
1042, 559 or 3rd
Party
Rack
Operator Interface Ethernet
Switch A
Redundant
Power
B 100 base-T

I/O Racks

Figure 1 HC900 Redundant Controller architecture

2 HC900 Controller Redundancy Overview & System Operation Revision 3

9/06
 Key components
Redundant Controller Rack

Key components

Redundant Controller Rack

C70R RSM C70R

Lead

RS232/RS485
Reserve
Serial Ports 1 & 2

Run/ Run
Pgm
Pgm . .Fail-

Ethernet Host Port 1

E1
. Over
. E1
Ethernet Host Port 2

E2 E2

I/O Port
I/O I/O

Power C70R Redundancy C70R Power

Supply CPU Switch CPU Supply
Module

Figure 2 Redundant controller rack components

• Holds two redundant C70R CPUs, two power supplies, and one Redundancy Switch Module (RSM).
• Contains the back-plane for C70R-to-C70R communications, power, and interface to RSM.
• The C70R Controller Rack does not support any I/O Modules; I/O Modules are read from and written to
directly from a Scanner2 CPU.
• Cannot be used with C30 or C50 CPU’s.

Revision 3 HC900 Controller Redundancy Overview & System Operation 3

9/06
Key components
Redundant Controller Rack

CPU
• Requires Scanner2 module(s)
• Reads inputs from I/O Racks through Scanner2 modules
• Executes control strategy (5000 function blocks)
• Writes outputs to I/O Racks through Scanner2 modules
• Dual Ethernet communication ports to host systems
• Each C70R Controller CPU has a dedicated, single Ethernet communication port to I/O racks
• Two serial ports – each is RS-232 or 485 configurable; Modbus or ELN protocols for interface to OI,
Modbus Host, or Modbus Slaves
• Lead Controller CPU – writes to the physical outputs; serves as the single external interface to other
devices and systems (i.e., responds to requests from PC Hosts, a local Operator Interface, communicates
to HC900 peers, and polls network slave devices)
• Reserve Controller CPU – executes control strategy in sync with Lead but does not write to physical
outputs; does not respond to Hosts or OI.
• Reserve Controller CPU receives configuration updates and run-time data (operator entries, supervisory
changes) from the Lead CPU with no manual user interaction. Configuration changes to a Reserve CPU
are not permitted, except through the Lead CPU where both CPUs receive the change.
• The C70R is not recommended for non-redundant applications.

Power
• Each C70R CPU has a dedicated Power Supply (two in the controller rack). Failure of the Lead CPU
power supply will cause a failover condition.
• The same power supply model(s) are used for the controller rack and the I/O racks.
• The same power supply models(s) are used for the redundant and non-redundant systems.

Redundant Switch Module (RSM)

• One RSM is installed in the redundant controller rack.
• Provides indicators to identify Lead and Reserve Controller CPU’s.
• Provides a key switch to set the controller mode (RUN, PROGRAM, RUN/PROG), and to force a
manual failover from the Lead to the Reserve. The Reserve CPU tracks the mode selection of the Lead
CPU.
• RSM may be replaced under power.

4 HC900 Controller Redundancy Overview & System Operation Revision 3

9/06
 Key components
Remote I/O Racks

Remote I/O Racks

• Each CPU has a separate Ethernet 100base T physical connection for up to 5 Remote I/O racks.
• Racks are available in three sizes: 4 I/O modules, 8 I/O modules, 12 I/O modules
• Systems with only one remote rack may have the remote rack connected directly to the CPU without a
switching hub.
• Systems with more than one remote rack require a separate switching hub for each CPU connection. The
switching hubs used in the I/O network must be Honeywell recommended industrial grade hubs.
• Remote racks require a dual-ported Scanner2 module to interface with the Redundant Controllers.
• Remote racks hold one Scanner2 module, one power supply, and up to 4, 8, or 12 I/O modules.
• The 8 and 12 Slot racks are available with a redundant power supply option. A Power Status Module
(PSM) provides power supply status when two power supplies are used.
• The PSM monitors the power supply outputs and turns the green status LED off if a fault is detected.
• The load is distributed between the two supplies during normal operation when two power supplies are
used.
• Racks with four I/O slots do not support the redundant power option.

Dual-Port Scanner2 Module

• Reads inputs from the modules in the rack.
• Writes outputs to the modules in the rack.
• Has two Ethernet ports – one dedicated to each of the redundant C70R Controller CPU’s
• Maintains communications with both Lead and Reserve C70R CPU’s to facilitate failover.
• One Scanner2 Module is installed in each I/O Rack
• Required for the interface to C70R redundant controllers (cannot use non-redundant Scanner modules
with C70R CPUs)

Power Status Module

• Indicates current status of both Power Supplies
• May be replaced under power

Revision 3 HC900 Controller Redundancy Overview & System Operation 5

9/06
Key components
Operator Interfaces & Serial Ports

I/O Modules
• The full complement of HC900 Analog and Digital I/O modules are available for use in I/O racks using
the Scanner2 module connected to redundant C70R Controller CPU’s.
• Requires Digital I/O modules with model numbers 900xxx-0102 or later with enhanced I/O back-plane
performance and shield modification.
• Requires Analog Input modules 900A01-0102 or later with shield modifications.
• Requires Analog Output modules 900B01-0101 or later with shield modifications.
• Any module may be inserted into any rack slot location.
• Redundant I/O modules are not supported in the HC900 system.

Operator Interfaces & Serial Ports

• The C70R CPU provides two user-selectable RS232 or RS 485 serial ports. A Honeywell 1042 or 559
operator interface may be connected to either of the ports when configured as RS 485 and ELN protocol.
• Only one Honeywell operator interface may be connected to a controller.
• Lead controller communicates with the operator interface.
• Baud rates of 38.3K and 57.6K are supported for communications to 1042 and 559 Operator Interfaces
for distances up to 2000 feet, 610M.
• The RS 485 twisted pair cable should be connected to both C70R CPUs of a redundant system to
maintain communication following a failover event. .
• The same serial port (S1 or S2) must be used on both CPUs of a redundant system to maintain
compatibility with the common configuration.
• Failure of a CPU will cause the second CPU to assume the serial port function.
• Failure of a serial port of the Lead controller will not cause a failover of the CPU.
• The S1 and S2 serial ports may also be used to interface the controller to 3rd party operator interfaces
using either RS232 or RS 485 and Modbus RTU slave protocol.

6 HC900 Controller Redundancy Overview & System Operation Revision 3

9/06
 Networking
System Network

Networking

System Network
Each C70R CPU provides two 10/100base T Ethernet Host ports with Modbus TCP protocol. A total of 10
sockets are available and are shared by the two ports of the CPU for host device interfacing. Either port
may be used in a non-redundant connection for host systems that do not support redundant network
communications.
• Requires Honeywell (PN 50008930-001) or commercially available industrial switches, routers, etc for
10/100-baseT connection to the host/peer network. See Figure 3.
• Supports single or dual network interface to PC Hosts.
• Supports single or dual network interface to peer HC900 Redundant Controllers.
• Supports single network interface to peer HC900 Non-Redundant Controllers or other Modbus/TCP
devices.
• Network changes such as setting IP addresses must be made with the controller in the Program mode.
See Modes of operation on page 15.
• Maximum distance of system network (per 10/100 baseT specification, 100 meters per segment).

Ethernet
Switch
10/100 base-T

RS-485
A
Twisted Pair B
100 base-T
Up to 100m

Figure 3 Ethernet switch with redundant controller

Revision 3 HC900 Controller Redundancy Overview & System Operation 7

9/06
Networking
System Network Supervisory Functions

For applications where the host supports redundant networks, two separate Ethernet switches are required,
one for each port of the CPUs. See Figure 4.

Vista R400, Specview

or 3rd Party Software
Ethernet
Switch 10/100 base-T OPC Server
with Dual
Ethernet support

RS-485
A
Twisted Pair B
100 base-T
Up to 100m

Figure 4 Redundant Ethernet switches with redundant networks

In this configuration a second communication path is available between the Host and the controller in the
event of a switching hub or connection failure.

System Network Supervisory Functions

To PC Applications
Network communications of a host system to the controller is directed to the Lead controller.
Communication to the Reserve controller is not supported. Following a failover event, the new Lead
controller assumes this function.
• Native Applications – HC Designer & HC Utilities
− Communicate to HC900 Controllers over Ethernet
− Applications provide a choice of either a single port to verify proper port operation, or two ports with
automatic connection where the PC will use the first available port capable of communicating to the
controller.
• OPC Client Applications - Honeywell’s OPC server is a PC application with an embedded
communication driver to support simplex and redundant network communications to HC900 controllers
and other Modbus/TCP compatible devices. The database export files generated by Hybrid Control
Designer software may be used to transfer the database from the controller to the application,
minimizing the amount of user entered data needed to apply the application. The OPC server is used to
interface products such as Vista and Specview to HC900 controllers with dual Ethernet capability.
• Supports single or dual network interface to C70R CPUs
• Communicate to Honeywell Vista Software

8 HC900 Controller Redundancy Overview & System Operation Revision 3

9/06
 Networking
System Network Supervisory Functions

• Communicate to 3rd Party OPC-Client aware PC applications

− Communicate to HC900 Controllers over Ethernet
− OPC server detects a failure of an Ethernet connection and automatically fails-over to a second port.

To Peer HC900 Controllers

• Peer-to-Peer communications to C30, C50, or other C70R Controllers
• Lead Controller handles all peer communications
• Automatic failover of function to the new Lead Controller
• Auto-Discovery of peer network addresses; Easy to configure & set-up
• Peer controllers do not consume Ethernet sockets.
• A controller can support up to 8 peers in its configuration database.

Connection options

To Host
Ethernet
Switch

Peer Data Exchange

A A
B B
100 base-T 100 base-T
Up to 100m Up to 100m

Figure 5 Peer Data Exchange, Redundant Controllers, Non-Redundant Network

To Host Ethernet
Switch

Non-Redundant Controller
Redundant Controller

A Peer Data Exchange

B
100 base-T
Up to 100m

Figure 6 Peer Data Exchange, Redundant & Non-Redundant Controllers, Non-Redundant

Network

Revision 3 HC900 Controller Redundancy Overview & System Operation 9

9/06
Networking
I/O Network to Remote Racks

To Host
Ethernet
Switch

Peer Data Exchange

A A
B B
100 base-T 100 base-T
Up to 100m Up to 100m

Figure 7 Peer Data Exchange, Redundant Controllers, Redundant Networks

I/O Network to Remote Racks

• IEEE 802.4 Physical Layer Ethernet
• Two networks must be used for the I/O rack connections in a redundant system, one for each C70R
CPU. See Figure 1.
• May be direct connected for single I/O rack systems.
• Two Ethernet switching hubs must also be used for installations with 2 or more I/O racks
• Must use Honeywell recommended industrial grade switching hubs (PN 50008930-001).
Performance of the system is not warranted if an alternate switching hub is used for this
connection.
• Up to 5 I/O Racks per configuration
• Separate hub required for interface from each C70R CPU
• Requires Ethernet cable: Shielded CAT5 cable with RJ-45 connectors.
• Maximum distance from Redundant Controller Rack to I/O Racks is 100 meters without hubs, 300
meters using two hubs. Fiber optic cable and switches can extend distance to up to 1500 meters.

10 HC900 Controller Redundancy Overview & System Operation Revision 3

9/06
 Networking
Device Network (Serial)

Device Network (Serial)

Modbus Master
• RS-485 Serial Interface with Modbus RTU Protocol
• Two ports available, each can be set as a Master or Slave.
• Only one of the two ports may be selected for Modbus RTU Master operation.
− The same port on each CPU must be used for this function to maintain consistency between controller
configurations.
− Both CPUs of the redundant controller should be connected to the slave devices.
• Up to 16 Slave Devices supported per configuration.
• Up to 384 total slave register addresses supported per configuration.

Modbus Slave
• The two serial ports of the C70R CPU may each be set to RS 485 or RS 232 and Modbus slave
operation.
• Supports data exchange with an external Modbus master such as a local operator panel or PC
application.
• Port connections to redundant C70R CPUs should be made to both CPUs in the rack.
• Uses same local Modbus unit address for both RS 485 serial ports of the two C70R CPUs.
• A modem configuration selection extends the 3-character timeout limit of Modbus protocol for remote
access.

Modbus Master and/or Slave

• Lead Controller transmits on the link.
• Automatic failover of Master/Slave functions to the new Lead Controller.
• Failure of the Modbus Master serial port of the Lead Controller will not cause a failover of the CPU.
• Supports transmission speeds from 1200 to 57600 baud.
• Up to 609 Meters, 2000 feet, total network length

Remote Access
• Requires an external modem.
• Available with HC Designer software.
• Lead Controller provides communications.

Revision 3 HC900 Controller Redundancy Overview & System Operation 11

9/06
Configuration
Lead Controller configuration

Configuration

Lead Controller configuration

• Develop the initial control strategy or convert C30 or C50 configurations.
• Make incremental changes to existing control strategies as required.
• Upload & Download a control strategy from the PC.

Configuration & Setup Parameters for Redundant Controllers

• Upon initial power-up, prior to configuration, either CPU may be assigned Lead status by the system.
• Configurations are loaded into a Lead Controller only.
• The PC is connected to the Lead Controller as viewed from the indicators on the Redundant Switch
Module (RSM).
• All controller data needed for synchronization between the Lead and Reserve Controllers is
automatically transferred; no user-programming required.
• Single or Dual (Supervisory) Network interfaces available, no selection required.

Reserve Controller configuration

• Controller configurations loaded into the Lead Controller are automatically transferred to the Reserve
Controller.
• The Reserve Controller’s status indicator on the RSM is illuminated when database synchronization
exists.
• Powering a Reserve CPU with an on-line Lead Controller will trigger the Lead to reprogram the
Reserve.
• If both CPUs of a redundant controller are being powered with valid configurations, but only one has the
desired configuration, the CPU with the desired configuration should be powered first.

C70R RSM C70R

Lead

Reserve

To PC

Figure 8 Connection from Lead controller to PC

12 HC900 Controller Redundancy Overview & System Operation Revision 3

9/06
 Configuration
Software

Software
HC Designer & HC Utilities PC Software
• Redundant configurations require version 3.0 or later of the Designer and Utilities Software
− The version number of the software should be equal to or greater than the version number of the
controller CPU being configured.
• The same software is used to configure both redundant and non-redundant HC900 controllers.
• Supports forward migration of existing C30 and C50 configurations to the C70R.
• Software Version 3.xx or later may be used to create or modify configurations for earlier controller
versions.

Downloading configuration from PC to controller

• Downloading configurations to a Lead Controller can be performed using a serial port or a network port.
− Serial port settings use slide switches on the CPU module to determine if the port is setup for RS 232
or RS 485 operation. To setup the serial ports for the desired interface, see HC900 Hybrid Controller
Installation and User Guide 51-52-25-107.
• The Lead Controller has two Ethernet ports, each supplied with a default IP address from the Honeywell
factory.
− Ethernet Port #1 (E1) is supplied with IP address 192-168-1-254 and Ethernet Port #2 (E2) is supplied
with IP address 192-168-2-254. Users should change the default addresses to make them compatible
with their local network.
− IP addresses entered into the Lead Controller are automatically transferred to the Reserve Controller.
• The Reserve Controller does not communicate on a network.
− If the Reserve Controller transitions to become a Lead Controller in a system, it assumes the network
communication function for the control system.

Configuration storage
• Controller configurations downloaded to the controller are stored in battery backed RAM memory and
non-volatile Flash memory.
− The controller CPU executes its program from RAM memory. The battery backed RAM memory
also stores the controller dynamic status during a loss of power to allow graceful resumption of
controller operation following the interruption. If the battery is not available, startup following a
power loss will use the configuration stored in Flash memory.

Configuration edits
• On-line edits to the configuration may be downloaded to the controller.
− On-line edits made to C70R CPU configurations are stored in both RAM and Flash memory.
− HC Designer software lets you monitor the controller’s live configuration to verify edits. All edits are
made to the configuration of the Lead controller. The Reserve controller’s configuration is
automatically updated following a change to the Lead controller’s configuration.

Revision 3 HC900 Controller Redundancy Overview & System Operation 13

9/06
Configuration
Software

Uploading configuration from controller to PC

• Controller configurations may be uploaded from the controller’s RAM memory, and may include a
user‘s annotations, eliminating the risk of selecting an inappropriate file from the PC’s memory for
editing when making changes to a running controller. Upload requests are serviced by the Lead
Controller.

Downloading to multiple controllers

• Controller configuration files ending with extension .cde do not include serial port and network port
setups.
− This facilitates downloading the same configuration file to multiple controllers on the same network
or serial link without creating network address duplications or bus contention problems.
− Require the port parameters to be manually entered as a separate task while HC Designer is in
communication with the controller.

Configuration backup
• Controller configurations may be uploaded and saved as Backup Files.
− Backup files contain all of the information needed to restore a CPU to the operating conditions at the
time the backup file was created, eliminating the need to for separate manual entries.
− Useful facility to quickly get a controller back on-line following CPU replacement.
− Backup configuration files use file extension .cbk.

Configuration conversion
• Configurations built for use with C30 and C50 CPUs may be downloaded into C70 CPUs following a
file conversion performed using HC Designer software, version 3.xx or later.
− To convert a C30 or C50 configuration files for used with C70R CPUs, open the files to be converted
using HC Designer and perform a “Save As” operation and select a C70R file type.

Monitoring configurations
• Monitoring the configuration of the Lead Controller may be performed using Hybrid Control Designer
software.
• Controller connection via Ethernet or serial.
• When Ethernet is used, HC Designer consumes one network socket.
• While in the monitor mode, viewing the function block diagram allows the user to view the input and
output values for each function block.
• Watch windows allow viewing data by parameter type and in a user specified group.
• System Monitor (ASYS) function blocks provide an output to indicate the Reserve status of the CPU.
• Redundant controller status may be monitored from HC Designer.
• A redundancy icon is provided to allow access to information in the monitor menu.
• Selections under the Utilities Tab allow users to view diagnostic status and perform maintenance level
activities.

14 HC900 Controller Redundancy Overview & System Operation Revision 3

9/06
 Operation
Overview

Operation

Overview
In a redundant HC900 system, the Lead Controller performs all primary tasks including interfacing with
remote I/O racks, communicating with a local HMI, exchanging data with peer controllers, interfacing with
Modbus slave devices, and communicating with a Host PC application. Detection of a fault or removing
power from a Reserve Controller will initiate a diagnostic prompt in the Lead Controller, but will have no
impact on the process under control. The detection of a fault or removing power from a Lead Controller
will initiate failover, that is, transfer all primary tasks to the Reserve Controller, establishing this controller
as the new Lead. Following a failover, the new Lead Controller will remain the Lead, even if the condition
that caused the failover is corrected.

Start-Up
• Assignment of Lead and Reserve status is determined at start-up
− First available C70R assumes Lead
− In case of a tie, CPU mounted in the left position of the rack will Lead
− No user configuration or manual operations required to establish Lead / Reserve status
• Lead Controller assumes control of I/O and all external communication interfaces.
• Reserve Controller receives the configuration from the Lead Controller

Modes of operation
The modes of operation are:
• Run
• Run/Program
• Program
You can change modes with:
• key-switch on the redundancy control module
• HC Designer software
• HC Utilities software
• local 1042 or 449 operator interfaces.
• a command from a supervisory host
Both Lead and Reserve Controllers maintain the same mode. Placing the Lead Controller into the Program
mode will also place the Reserve Controller in the Program mode.

Revision 3 HC900 Controller Redundancy Overview & System Operation 15

9/06
Operation
Steady State Operations

Reserve

Run/ Run
Pgm
Redundancy Fail-
Pgm Over
Switch
Module E1
(RSM)

E2

I/O

Figure 9 Modes of operation on RSM

RUN Mode (Locked)

In the Run mode, the controller performs all control and communication tasks needed for steady-state
operation. On-line configuration edits and configuration changes are inhibited.

RUN/PROGRAM Mode (Unlocked)

In the Run/Program mode, steady-state tasks are executed and on-line configuration edits are permitted.
Configuration changes made in this mode are retained in both RAM and Flash memory in the controller.

PROGRAM Mode (Locked)

In the program mode, all outputs are turned OFF, function blocks do not execute and configuration changes
are permitted. Exiting the Program Mode performs a cold-start, which clears all timers, counters, totalizers
and other function blocks with residual data. Function blocks are initialized to their initial state with no
reference to previous history. Exiting the Program mode updates the RAM and Flash memory of the
controller with the most recent configuration data.

Steady State Operations

• Lead Controller issues polls to I/O Racks for inputs
• Both Lead and Reserve read I/O responses from I/O Racks
• Lead and Reserve both execute function blocks in the control strategy
• Only the Lead Controller writes physical outputs to the I/O Racks
• Lead Controller responds to communication messages from host devices on the Supervisory Network
and RS-232/RS-485 interfaces
• Lead Controller handles communications with HC900 peers
• Lead Controller handles communications with Modbus RTU slave devices
• Lead and Reserve exchange system status data to determine conditions for failover.
• I/O Scanners relay system status data between each Controller to determine conditions for failover

16 HC900 Controller Redundancy Overview & System Operation Revision 3

9/06
 Operation
Steady State Operations

Execution time
HC900 Controllers are designed to execute control functions within fixed scan cycles for analog data types
and logic data types. In redundant controllers, the minimum scan time is 533ms for analog data types and
53ms for logic data types; scan time varies depending on configuration.

Execution sequence
• The type of control functions executed during a scan is determined by the system configuration.
− Controller configurations contain a series of algorithms in the form of function blocks that get
executed in a fixed sequence. The first 100 function blocks are pre-assigned by the system to handle
communication tasks, alarm processing, system monitoring functions, etc. and cannot be changed by
the user. Starting with function block number 101, the user may select the type of function to be
executed.
• The sequence of function block execution is initially determined by the sequence in which the function
blocks are placed on the graphic diagram in HC Designer.
− Final desired sequence must be set by the user to achieve proper and optimum performance.
− Incorrect execution sequences can contribute to delays in processing outputs and/or improper or
unexpected operation.
• The HC900 controller samples all inputs before the start of a controller scan.
− Each input being used in the configuration must be assigned to a function block. The sequence order
of the function block determines when in time the actual value will be updated. It is important that
algorithms that need updated input values for their calculations have the inputs execute first in the
sequence.
• Except for Time Proportioning Output (TPO), Three-Position-Step-Control (TPSC) and Position
Proportional Output (PPO) function block types that update their physical output values while the
function blocks are being executed, all physical outputs are updated at the end of a scan.

Lead/Reserve controller synchronization

• Lead Controller automatically synchronizes the Reserve with the configuration database
− During download of a configuration from a Host to the Lead
− During process operation to bring a Reserve Controller from the Unavailable state to the On-Line
state
• Lead Controller automatically synchronizes the Reserve with run-time data during each function block
execution cycle
• Both the Lead and Reserve Controllers execute the function blocks in the control strategy, but only the
Lead Controller writes the physical outputs to the I/O Racks. See Figure 10.
• The Lead and Reserve controllers exchange system status to determine conditions for failover.

Revision 3 HC900 Controller Redundancy Overview & System Operation 17

9/06
Operation
Failover

Lead Controller Reserve Controller

Get Inputs Get Inputs

SYNC SYNC

Control SYNC Control SYNC

Execute Control Strategy Execute Control Strategy

Write Outputs

Diagnostic Check Diagnostic Check

Communications

Figure 10 Lead/Controller synchronization

Failover
Automatic Failover
• Triggered on any of the following conditions of the Lead Controller:
− Loss of communications with I/O Rack(s)
− Processor exception conditions
• Error conditions that occur in the following areas will not cause a failover:
− Loss of communications to a Host on a network
− Loss of communications to Modbus Slave devices
− Loss of communications to Operator Interface
− Loss of communications with a Peer controller
• During the transition from the Lead to the Reserve, analog and digital output status is maintained at the
I/O racks.

18 HC900 Controller Redundancy Overview & System Operation Revision 3

9/06
 Operation
Failover

Manual Failover
• Via Key Switch on the Redundancy Switch Module in the Redundant Controller Rack
• Via Software Command from HC Designer & HC Utilities PC Software
• Via Software Command from Modbus / TCP & Serial Modbus RTU Hosts
• Via Software Command from OI-1042 & OI-559 Operator Interfaces

Failover Performance
Failure condition detection and failover from Lead to Reserve CPU executed in 4 analog control cycles or
less.

Redundancy Diagnostic Monitoring

• From HC Designer and HC Utilities PC Software
− Redundant System Status - current status of Lead/Reserve Controller CPU’s
− On-Line Monitoring, Controller Diagnostics, Communications Loop-Back tests
− Redundant Link Status – status of communications between Lead and Reserve controllers.
− Lead CPU status
− Reserve CPU status
− Scanner status

Revision 3 HC900 Controller Redundancy Overview & System Operation 19

9/06
Installation
Installing the Redundant Controller Rack

Installation

Installing the Redundant Controller Rack

• Rack must be installed in an enclosure and oriented for ventilation with mounting holes on top and
bottom
• A Redundancy Switch Module (RSM) mounts in the center slot of the rack
• One Power Supply and C70R Controller mount to the left of the RSM
• One Power Supply and C70R Controller mount to the right of the RSM
• Ethernet ports (E1 & E2) are host network ports
• Ethernet port (labeled I/O) is the dedicated I/O rack port
• An optional Honeywell Operator Interface connects to Serial port S2
• Power with over-current protection and separate disconnects should be connected to each Power Supply

Installing the I/O Racks

• Rack must be installed in an enclosure and oriented for ventilation with mounting holes at top and
bottom of rack
• When installing a single Power Supply in the rack:
− The Power Supply mounts in the first slot on the left in the rack.
• When installing redundant Power Supplies in the proper rack to support this feature:
− Mount the Power Status Module (PSM) to the left of the first power supply.
− The second Power Supply installs to the left of the PSM.
• A Scanner2 CPU mounts to the right of the Power Supply.
• I/O Modules mount to the right of the Scanner2 module.
• Power with over-current protection and separate disconnects should be connected to each Power Supply.

20 HC900 Controller Redundancy Overview & System Operation Revision 3

9/06
 Installation
Installing Networking Equipment

Installing Networking Equipment

I/O Network
• Required for configurations using multiple I/O Racks; Not required for configurations using only one
I/O Rack.
• Must use Honeywell qualified industrial hubs between controller rack and I/O Racks (PN 50008930-
001)
• Follow installation instructions in HC900 Hybrid Controller Installation and User Guide 51-52-25-107.
• Use a separate hub for each C70R Controller CPU.
• Each Scanner2 connects to both hubs using consistent port assignments for each I/O rack.
• Only use Shielded CAT 5 cable for network connections.

Supervisory / Peer Network

• Any switching device that meets the specifications for the specific site can be used.
• Follow the supplier’s installation instructions
• Each C70R CPU connects to each switching device
• Use consistent C70R port assignments when connecting the CPUs to their respective switching devices.
• Only use shielded CAT5 cable for Supervisory/Peer Network connections.

Installing a Panel-Mounted Operator Interface

Honeywell OI-1042 & OI-559
• Follow panel-mounting instructions provided with the interface.
• The RS-485 Serial Interface is Daisy-chained to both C70R Controllers
• Use the same serial port, S1 or S2 on both C70R CPUs.

3rd Party Panel-Mounted OI

• Follow the supplier’s installation instructions
• The RS-485 Serial Interface is Daisy-chained to both C70R Controllers
• Use the same serial port, S1 or S2 on both C70R CPUs.

Revision 3 HC900 Controller Redundancy Overview & System Operation 21

9/06
Installation
Installing PC Hosts

Installing PC Hosts
Honeywell HC Designer & HC Utilities Software
• Operating Systems supported: Windows 2000, NT, XP Professional
• PC hardware requirements:
− Pentium 200 MHz with 64 MB of RAM
− Screen resolution – SVGA (1024x768 recommended)
− CD ROM drive (for loading software)

• Connects to the C70R Controllers using Ethernet, RS-232, Modbus RTU, or Modem
• Available on CD

Honeywell Vista Software

• See document 51-52-03-38 PlantScape Vista Specification
• Connects to the C70R Controllers using Ethernet
• Interfaced through Honeywell-supplied OPC Server for redundant networks or embedded drive
• For simplex connections

3rd Party PC Application Software

• Interfaced through Honeywell-supplied OPC Server
• Requires 3rd Party PC Software to be an OPC Client
• Connect to the C70R Controllers using Ethernet
• OPC Server available on CD

22 HC900 Controller Redundancy Overview & System Operation Revision 3

9/06
 Troubleshooting
Diagnostic Indicators

Troubleshooting

Diagnostic Indicators
• LEDs on the front of each module are provided to indicate the module’s health. These include:
− C70R Controller Status LEDs
− Scanner2 Status LEDs
− I/O Module Status LEDs
• The HC900 modules use a combination of color and flashing patterns to indicate fault conditions and the
type of fault detected. See the HC900 controller manual for a detailed explanation of fault conditions.
• LEDs on the front of the Redundancy Switch Module indicate the Lead/Reserve status of the two
redundant C70R Controllers
− Reserve indicator will flash while Reserve CPU is being updated by Lead.
− Reserve controller is not available during this period.
• LEDs on the front of the Power Status Module indicate the status of the redundant Power Supplies for an
I/O Rack
− ON if the power supply if functioning properly
− Off if either the 5 volt or the 24 volt source of a power supply has a fault.

Diagnostic Monitoring from HC Designer and HC Utilities PC Software

• Monitor the current status of Lead/Reserve Controller CPU’s
• View a Historical log of controller failover events
• Monitor Lead controller function block execution
• View controller diagnostic status
• Perform communications Loop-Back tests

Status data available via Supervisory PC

• Current status of Lead/Reserve Controller CPU’s
• Status of I/O Rack Power, including optional redundant power supplies

Revision 3 HC900 Controller Redundancy Overview & System Operation 23

9/06
Troubleshooting
Servicing

Servicing
Module Replacement
• Servicing a failed module is accomplished by replacing only that module

C70R Module Replacement

• Requires power for the module to be turned off during replacement
• Does not impact the other C70R CPU module, which will continue to control the process
• Contains start-up diagnostics after replacement to verify proper operation
• If there is a Lead Controller, the configuration database is automatically copied from the Lead to the
newly replaced C70R CPU module.

Redundancy Switch Module Replacement

• May be removed or inserted under power
• The C70R CPU modules will remain in the last used mode while the Redundancy Switch Module is
removed.
• Does not induce a controller failover during replacement

Scanner2 Module Replacement

• Requires power to the rack to be turned off during replacement
• I/O in the rack will be powered off during Scanner2 module replacement
• Redundant controllers will operate with the affected I/O in failsafe state during Scanner2 module
replacement
• Does not impact other I/O Racks in the same configuration
• Contains start-up diagnostics after replacement to verify proper operation

C70R Power Supply Replacement

• Requires power for the module to be turned off during replacement, which supplies power to a single
C70R CPU
• Does not impact the other C70R CPU module, which will continue to control the process

Non-Redundant Power Supply for I/O Rack Replacement

• Requires power for the module to be turned off during replacement, which supplies power to a single I/O
Rack

Optional Redundant Power Supply for I/O Rack Replacement

• Requires power for the module to be turned off during replacement
• Power is maintained for the I/O Rack by the other Power Supply of the redundant pair

24 HC900 Controller Redundancy Overview & System Operation Revision 3

9/06
 Troubleshooting
Servicing

Power Status Module Replacement

• May be removed or inserted under power
• No impact on the Scanner2 or I/O modules during replacement

I/O Module Replacement

• May be removed or inserted under power
• Removable terminal blocks preserve field wiring during module replacement
• Removal of the module is detected by the Scanner2 and a diagnostic is posted
• Contains start-up diagnostics after replacement to verify proper operation

Revision 3 HC900 Controller Redundancy Overview & System Operation 25

9/06
Sales and Service
Servicing

Sales and Service

For application assistance, current specifications, pricing, or name of the nearest Authorized Distributor,
contact one of the offices below.
ICELAND REPUBLIC OF SPAIN
CANADA HONEYWELL IRELAND HONEYWELL S.A
HONEYWELL LIMITED Hataekni .hf HONEYWELL Factory
ARGENTINA Unit 1
HONEYWELL S.A.I.C. THE HONEYWELL Armuli 26 Josefa Valcarcel, 24
CENTRE PO Box 8336 Robinhood Business 28027 MADRID
BELGRANO 1156 300 Yorkland Blvd. Park
BUENOS AIRES 128 reykjavik SPAIN
NORTH YORK, Iceland Robinhood Road Tel. : 34 91 31 3 61 00
ARGENTINA ONTARIO DUBLIN 22
Tel : 354 588 5000
Tel. : 54 1 383 9290 M2J 1S1 Republic of Ireland SWEDEN
CANADA Tel. : 353 1 4565944
ASIA PACIFIC ITALY HONEYWELL A.B.
Tel.: 800 461 0013
HONEYWELL S.p.A. S-127 86 Skarholmen
HONEYWELL ASIA Fax:: 416 502 5001 REPUBLIC OF
PACIFIC Inc. Via P. Gobetti, 2/b STOCKHOLM
SINGAPORE
Room 3213-3225 20063 Cernusco Sul SWEDEN
CZECH HONEYWELL PTE LTD
Naviglio Tel. : 46 8 775 55 00
Sun Kung Kai Centre REPUBLIC BLOCK 750E CHAI
N° 30 Harbour Road ITALY
HONEYWELL, CHEE ROAD
WANCHAI Spol.s.r.o. Tel. : 39 02 92146 1 SWITZERLAND
06-01 CHAI CHEE IND.
Budejovicka 1 HONEYWELL A.G.
HONG KONG PARK
Tel. : 852 829 82 98 140 21 Prague 4 MEXICO Hertistrasse 2
1646 SINGAPORE
Czech Republic HONEYWELL S.A. DE 8304 WALLISELLEN
REP. OF SINGAPORE
Tel. : 42 2 6112 3434 CV SWITZERLAND
AUSTRALIA Tel. : 65 2490 100
HONEYWELL LIMITED AV. CONSTITUYENTES Tel. : 41 1 831 02 71
5 Thomas Holt Drive DENMARK 900
REPUBLIC OF SOUTH
HONEYWELL A/S COL. LOMAS ALTAS AFRICA TURKEY
North Ryde Sydney
NSW AUSTRALIA 2113 Automatikvej 1 11950 MEXICO CITY HONEYWELL HONEYWELL
Tel. : 61 2 353 7000 DK 2860 Soeborg MEXICO Southern Africa Otomasyon ve Kontrol
DENMARK Tel : 52 5 259 1966 PO BOX 138 Sistemlen San ve Tic
AUSTRIA
Tel. : 45 39 55 56 58 Milnerton 7435 A.S.
HONEYWELL THE NETHERLANDS REPUBLIC OF SOUTH (Honeywell Turkey A.S.)
AUSTRIA FINLAND HONEYWELL BV AFRICA Emirhan Cad No 144
G.m.b.H. HONEYWELL OY Laaderhoogtweg 18 Tel. : 27 11 805 12 01 Barbaros Plaza C. Blok
Handelskai 388 Ruukintie 8 1101 EA AMSTERDAM Kat 18
A1020 VIENNA FIN-02320 ESPOO 32 ZO ROMANIA Dikilitas 80700 Istanbul
AUSTRIA FINLAND THE NETHERLANDS HONEYWELL Office TURKEY
Tel. : 43 1 727 800 Tel. : 358 0 3480101 Tel : 31 20 56 56 911 Bucharest Tel : 90-212 258 18 30
147 Aurel Vlaicu Str.,
BELGIUM FRANCE NORWAY Sc.Z., UNITED KINGDOM
HONEYWELL S.A. HONEYWELL A/S HONEYWELL CONTROL
HONEYWELL S.A. Apt 61/62 SYSTEMS LTD
3 Avenue de Bourget Bâtiment « le Mercury » Askerveien 61 R-72921 Bucharest Industrial Measurement
B-1140 BRUSSELS Parc Technologique de PO Box 263 ROMANIA and Control CRC
BELGIUM St N-1371 ASKER Tel : 40-1 211 00 76/ Lovelace Road
Tel. : 32 2 728 27 11 Aubin NORWAY 211 79 Southern Industrial Area
Route de l’Orme Tel. : 47 66 76 20 00 Bracknell
BRAZIL (CD 128) RUSSIA Berks
HONEYWELL DO 91190 SAINT-AUBIN POLAND HONEYWELL INC RG12 8WD
BRAZIL FRANCE HONEYWELL Sp.z.o.o 4 th Floor Administrative Tel: 01344 655034
AND CIA Tel. from France: UI Domainewksa 41 Builiding of AO Fax: 01344 655554
Rua Jose Alves Da 01 60 19 80 00 02-672 WARSAW "Luzhniki"
Chunha From other countries: POLAND Management U.S.A.
Lima 172 33 1 60 19 80 00 Tel. : 48 22 606 09 00 24 Luzhniki HONEYWELL INC.
BUTANTA 119048 Moscow INDUSTRIAL
05360.050 SAO PAULO GERMANY PORTUGAL RUSSIA PROCESS CONTROLS
SP HONEYWELL AG HONEYWELL Tel : 7 095 796 98 00/01 1100 VIRGINIA DRIVE
BRAZIL Kaiserleistrasse 39 PORTUGAL LDA PA 19034-3260
Tel. : 55 11 819 3755 D-63067 OFFENBACH Edificio Suecia II SLOVAKIA FT. WASHINGTON
GERMANY Av. do Forte nr 3 - Piso HONEYWELL Ltd U.S.A.
BULGARIA Tel. : 49 69 80 64444 3 Mlynske nivy 73 Tel. : 1-800-343-0228
HONEYWELL EOOD 2795 CARNAXIDE PO Box 75
14, Iskarsko Chausse HUNGARY PORTUGAL 820 07 BRATISLAVA 27 VENEZUELA
POB 79 HONEYWELL Kft Tel. : 351 1 424 50 00 SLOVAKIA HONEYWELL CA
BG- 1592 Sofia Gogol u 13 Tel. : 421 7 52 47 400/ APARTADO 61314
BULGARIA H-1133 BUDAPEST 425 1060 CARACAS
Tel : 359-791512/ HUNGARY VENEZUELA
794027/ 792198 Tel. : 36 1 451 43 00 Tel. : 58 2 239 0211

26 HC900 Controller Redundancy Overview & System Operation Revision 3

9/06
Industrial Measurement and Control
Honeywell
1100 Virginia Drive
Fort Washington, PA 19034

51-52-25-133 Rev.3 0906 Printed in USA www.honeywell.com/imc/