High Availability Logix-Based Control Systems

Joe Amorese

High Availability

If you have a control system that must be able to withstand disruptions from either hardware failure or intentional system updates, a high availability Logix-based control system may be the solution. Your technology will be determined by your requirements. Rockwell Automation® has two offerings: redundancy and hot backup. 

High Availability with Redundancy

Redundancy is a solution only for ControlLogix® units and is supported by both the 1756-L7 and L8 families of controllers. ControlLogix controller redundancy consists of two identical chassis cross-linked by a fiber-optic cable between two 1756-RM2 redundancy modules. The only modules that are supported in the redundant pair are processors, EN2T(R) Ethernet modules, and the 1756-RM2 redundancy modules. The 1756-L8 family in a redundant pair disables the embedded Gb Ethernet port, and up to seven 1756-EN2T(R) modules are supported. If using the 1756-L7 family, ControlNet 1756-CN2(R) communication modules are also supported. The redundant chassis are connected to other components outside the redundant chassis pair, for example remote I/O chassis, drives, human-machine interfaces (HMIs), and advanced software via FactoryTalk® Linx software. When sizing a system, 1756-L7 controllers must have enough data memory to store twice the amount of tag data that is associated with the controller project. The L8 family does not have those memory constraints.

During redundant system operation, the loss of power, a major fault, a failure, or the removal or insertion of any module will cause the primary controller to switch to the secondary controller. Loss of an EtherNet/IP connection, a program-prompted command, or a command issued from the redundancy module configuration tool (RMCT) will also cause a switch.

Some of the differentiators of a redundant system are automatic data synchronization, also called crossloading, which updates tag values, forced values, and online edits, and automatic program duplication to the secondary controller when downloading. By default, crossloading occurs at the end of each program within the controller project, but it can occur at other intervals if configured. Switchover occurs in less than 20 ms.

High Availability with Hot Backup

Hot backup is another high availability Logix-based control system solution that is available for both the ControlLogix controller and CompactLogix™ controller families. This technique uses ladder logic to switch I/O control to a peer Logix5000™ controller if the main controller experiences a problem that prevents it from controlling the system. There are no hardware modules to perform this control, so ladder logic allows for soft-output switching as a form of backup control of the system. In this configuration, without any intervention, both controllers are live and will both try to control outputs in the system. This is not a valid configuration in a Logix5000 system. The ladder logic program inhibits the output connections in the peer controller so that only one main controller at a time has ownership of outputs, inputs, third-party communications modules, or drives.

Switchover occurs in the event of communication loss to output modules, communication loss of the main chassis, major recoverable and non-recoverable faults, power loss, and user-initiated manual switchover. Unlike redundant systems, switchover times are at minimum 250 ms and could take up to 10 seconds for full control to be reestablished. A key limitation of the hot backup architecture is that the outputs are not “bumpless” and will revert to their safe state temporarily during switchover (local I/O is not supported). The only I/O supported is 1756 ControlLogix I/O modules, 1794 Flex™ I/O modules, and 5069 Compact I/O™ modules. Unlike ControlLogix redundant systems, where Ethernet IP addresses are automatically swapped to their redundant module, hot backup does not switch IP addresses at switchover, which can create problems for systems using HMIs. The workaround is to have screens developed for both PLCs or to use FactoryTalk View SE station and RSLinx® software alias switching. Motion is not supported either. Because both PLCs are independent, edits and forcing must be performed on each PLC. Data synchronization is also not automatic and must be done with user-created logic.
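The ownership rule and the non-bumpless gap described above can be seen in a small simulation. This is an added conceptual model, not Rockwell Automation ladder logic or the hot backup code generation tool; the heartbeat mechanism, the timing constants, and all names are assumptions chosen for illustration.

```python
# Conceptual model of hot-backup output ownership (constructed example).
# Heartbeat detection and all timing constants are assumptions.
from dataclasses import dataclass

SCAN_MS = 50        # assumed scan/heartbeat period
TIMEOUT_MS = 250    # assumed stale-heartbeat threshold before takeover
CONNECT_MS = 100    # assumed time to re-establish output connections

@dataclass
class Controller:
    name: str
    inhibited: bool          # True = output connections inhibited
    healthy: bool = True
    last_beat: int = 0       # time of this controller's last heartbeat
    owns_from: int = 0       # time its output connections become active

    def owns(self, t):
        return self.healthy and not self.inhibited and t >= self.owns_from

    def scan(self, t, peer):
        if not self.healthy:
            return
        self.last_beat = t
        # Take over only when the peer's heartbeat has gone stale.
        if self.inhibited and t - peer.last_beat >= TIMEOUT_MS:
            self.inhibited = False
            self.owns_from = t + CONNECT_MS

def simulate(fault_at, recover_at, end):
    """Return [(t, owners)]; owners lists the controllers driving outputs."""
    a = Controller("A", inhibited=False)
    b = Controller("B", inhibited=True)
    timeline = []
    for t in range(0, end + 1, SCAN_MS):
        if t == fault_at:
            a.healthy = False
        if t == recover_at:
            # A returns inhibited, so it cannot contend with B for outputs.
            a.healthy, a.inhibited = True, True
        a.scan(t, b)
        b.scan(t, a)
        timeline.append((t, [c.name for c in (a, b) if c.owns(t)]))
    return timeline

def safe_state_ms(timeline):
    """Time with no owner: outputs sit in their configured safe state."""
    return sum(SCAN_MS for _, owners in timeline if not owners)
```

With a fault at 1000 ms and the assumed constants, no controller owns the outputs until 1300 ms, and controller A stays inhibited after it recovers because B's heartbeat is still fresh.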

Which High Availability Solution is Right for You?

As you can see, hot backup is not as automatic as a fully redundant system, but if you don’t need a fully redundant system, a hot backup solution may fit your application. A hot backup code generation tool is available by request. Please contact your Horizon Solutions PLC Specialist for instructions on obtaining a copy of the code.