ia02 - system redundancy
Redundancy
• What does Redundancy mean to you?
• Definition:
– the quality or state of being redundant
– serving as a duplicate for preventing failure of an entire system (as a spacecraft) upon failure of a single component
• Why is redundancy needed?
– “My plant runs 24x7x365”
  Can affect overall financial commitment and engineering development
– “Zero Downtime”
– “Zero Data Loss”
Source: Merriam-Webster
Different Redundancy Solutions Exist
• Network Media Redundancy
– “What if my network cable gets cut?”
– “What if my network card fails?”
• Controller Redundancy
– “What if my controller has a hiccup?”
– DE10: High Availability Control Systems
• Computer Hardware Redundancy
– “What if my computer fails?”
– “What if some components of the PC fail?”
• Software Application Redundancy
– “What if the software product faults?”
– Native feature of the product such as RSViewSE & FactoryTalk Data servers
– Implemented with features built into the product. Example - A8934 - Redundancy Method Using Cooperating RSSql Applications and A9067 - RSSql Redundancy Method Using PLC Logic
• User-project “Redundancy”
– Specific checks/safeguards built into the project by the user
Which Solution Should I Use?
• May vary on a case-by-case basis
• Some applications may require several redundancy solutions used together to provide system-wide protection
– Beware of statements like “Zero Downtime” or “Zero Data Loss”
  These are virtually impossible to deliver
  How much $$ are you willing to spend?
• Clearly understand:
– What each solution was designed to protect against
– The cost associated with a given solution
– Application considerations associated with a given solution
  What is important to the solution?
  Does this solution solve the problem?
• By the end of this session, you should have a better understanding of Rockwell’s redundancy solutions.
Redundancy Solutions Overview
The Architecture
[Figure: IA02 System Redundancy Architecture - Logical. Labelled components: Primary RSSql, Secondary RSSql, Terminal Server 1, Terminal Server 2, Primary HMI/Data, Secondary HMI/Data, Factory Talk Directory, Student Clients, Redundant CLX, Primary ENet, Secondary ENet, Redundant ControlNet.]
[Figure: IA02 System Redundancy Architecture – Physical. Labelled components: Primary HMI/Data, Primary RSSql, Terminal Server 1, Secondary RSSql, Terminal Server 2, Secondary HMI/Data, Student Clients, Microsoft SQL Server *, RSBizWare Historian, Factory Talk Directory, Redundant CLX, Redundant ControlNet, Fiber Optic Ring. * Location for demo purposes only]
Network Media Redundancy
Redundant Switches and Network Cards
Network Media Redundancy
• What is it?
– Automatic switching of physical media such that the network automatically switches to a different cable path in the event of a problem
• How does it work?
– The network transceivers perform a “diagnostic” of each cable path to determine the “best” physical cable to use
– This is transparent to controllers, computers, software, user project, etc. It's all handled by the network.
– “Spanning Tree”
– Hirschmann HIPER-Ring
• Redundant topology in that it provides network redundancy instead of just path redundancy while preventing loops in a network.
• For Ethernet to function properly only one active path can exist between devices.
• To provide redundancy, Spanning Tree relies on having multiple paths or connections to different switches and configures some of these paths into standby (Blocked) state.
• If a network segment becomes unreachable, spanning tree reconfigures and reestablishes link by activating the "Blocked" links.
• IEEE standardized (Most existing company IT architectures)
• Demonstrates importance of managed switches instead of “home grown” networks
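Added example, not part of the original slides: a simplified model of the blocked-link behaviour described above, run on a constructed three-switch ring. It is not an IEEE 802.1D implementation (no BPDUs, port costs or timers); the function names and the rule that the lowest-numbered switch is root are assumptions made for the illustration.

```python
# Added illustration: simplified spanning-tree election, not real 802.1D.
from collections import deque

def spanning_tree(switches, links):
    """Return (forwarding, blocked, reached) for the healthy links given.

    The lowest-numbered switch acts as root (assumption). A breadth-first
    walk from it keeps the first link that reaches each switch and blocks
    every other link, so only one active path exists between two switches.
    """
    root = min(switches)
    neighbours = {s: [] for s in switches}
    for a, b in sorted(links):
        neighbours[a].append(b)
        neighbours[b].append(a)
    reached, forwarding = {root}, set()
    queue = deque([root])
    while queue:
        here = queue.popleft()
        for nxt in sorted(neighbours[here]):
            if nxt not in reached:
                reached.add(nxt)
                forwarding.add(frozenset((here, nxt)))
                queue.append(nxt)
    blocked = {frozenset(link) for link in links} - forwarding
    return forwarding, blocked, reached

def reconfigure(switches, links, failed):
    """Recompute the tree after the `failed` links go down."""
    down = {frozenset(f) for f in failed}
    healthy = [link for link in links if frozenset(link) not in down]
    return spanning_tree(switches, healthy)

# Constructed topology: three switches cabled as a ring.
SWITCHES = [1, 2, 3]
RING = [(1, 2), (2, 3), (3, 1)]

if __name__ == "__main__":
    fwd, blk, _ = spanning_tree(SWITCHES, RING)
    print("healthy: forwarding", sorted(map(sorted, fwd)),
          "blocked", sorted(map(sorted, blk)))
    fwd, blk, seen = reconfigure(SWITCHES, RING, failed=[(1, 2)])
    print("link 1-2 cut: forwarding", sorted(map(sorted, fwd)),
          "all switches reachable:", seen == set(SWITCHES))
```

With the ring intact the 2-3 link sits in the Blocked state; cutting 1-2 brings it into service. Cutting a second link leaves a switch isolated, so a single ring covers one media failure at a time.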
Media Redundancy Types
Spanning Tree / Rapid Spanning Tree
HIPER-Ring
• Typically used when downtime is critical
• Available in all Hirschmann Managed Switches
• Up to 50 switches in a ring supported
• Maximum reconfiguration time of 300 ms – reducing downtime
• No software required to configure – just set DIP switch on 1 switch in ring (Redundancy Manager)
500 ms maximum network “downtime” with 100BASE ring
50 ms maximum network “downtime” with 100BASE ring
(up to 50 switches in ring and 4,000 connected MAC addresses)
[Figure: HIPER-Ring Redundancy. Three switches in a ring, each with ports P1, P2 and P3; devices PC 10, PLC 3 and PLC 7 attached on P3; Redundancy Manager labels RM: ON (ACTIVE), RM: OFF, RM: ON (STANDBY); a frame “To PLC 7 / From PC 10” shown travelling around the ring; Redundant Connection. HIPER-Ring (Reconfiguration < 0,5 sec.)]
SW 1 Address Table: PORT 1: PLC 3, PLC 7; PORT 2: -; PORT 3: PC 10
SW 2 Address Table: PORT 1: -; PORT 2: PLC 7, PC 10; PORT 3: PLC 3
SW 3 Address Table: PORT 1: PLC 3; PORT 2: PC 10; PORT 3: PLC 7
Media Redundancy – Combinations
[Figure labels: Redundant Link (Spanning Tree); Spanning Tree / Rapid Spanning Tree; HIPER-Ring (Hirschmann Only)]
Hirschmann switches work in Spanning Tree, Rapid Spanning Tree, and HIPER-Ring network architectures
Network Media Redundancy (con’t.)
• When should I use it?
– To protect against media failures
• What products support it?
– ControlNet: 1756-CNBR, 1786-PCICS
– Ethernet: through the use of Hirschmann switches (Encompass Partner)
• Instructor
– Use HIDiscovery to show Hirschmann configuration software samples
– Disconnect a fiber-optic connection
– Clients continue to get data and successfully navigate screens
– Reconnect the fiber-optic cable
• Questions?
Network Interface Card Redundancy
• What is it?
– Automatic switching of NIC such that the network communications automatically switch to a different hardware component of the same PC in the event of a failure
• How does it work?
– Typically, a software ‘utility pack’ is used to ‘team’ a pair (or more) of NICs to appear as a single IP address to the rest of the network. Should any NIC fail, the rest of the team carries the load.
Controller Redundancy
Redundant CLX with SRM Module
Controller Redundancy
• What is it?
– Duplicate chassis hosting controllers and communications modules such that if one controller faults, the other controller takes over.
– System is “bumpless” from the standpoint of I/O – no uncontrolled I/O states
– DE10: High Availability Control Systems
– System may or may not be bumpless from a supervisory/HMI perspective – temporary loss of communications may exist depending upon media type.
• How does it work?
– Controller pairs sync their program scans, and data from supervisory systems, program edits, etc. written to the primary controllers are automatically cross-loaded to the secondary controllers
  Note: The bandwidth and memory required for successful synchronization should be taken into account when estimating communications throughput.
– Communications cards in the primary & secondary chassis automatically “swap” node addresses so that the primary & secondary chassis remain at the same node addresses
  Times for communications to be re-established after a node swap vary by network type, system loading, etc.
RSLogix 5000 Configuration
• Configuration check box option within RSLogix 5000
Recipe Display
• Students to return back to the “Welcome” display (press buttons or F3 key) and then open the Recipe Demo display
• Instructor to download values to the registers with a ‘full control’ client
• Students verify they see the downloaded values & navigate back to the previous displays (F3) as instructed in the beginning of the lab based on seat location
  1 person in each row to connect in a different manner:
  “Rich” client on EtherNet
  “Rich” client on ControlNet
  “Thin” client on EtherNet
  “Thin” client on ControlNet
Computer Hardware Redundancy
Marathon Endurance
Computer Hardware Redundancy
• What is it?
– Automatic switching of PC hardware devices such that a failure of the device does not interrupt the O/S nor applications running on the PC.
  Motherboard, Hard Drive, Network Card
• How does it work?
– Performs similarly to Controller Redundancy
– The PC performs self checks of system components.
– If a component fails, the system switches over to use the secondary system component provided by the other co-server.
– This is transparent to the application software, networks, etc.
• Software Faults?
– Does not protect against faulty code, “hang ups”, or software “glitches”
– If system gets out of synch, it is possible to have to start from scratch in order to rebuild
Computer Hardware Redundancy (con’t.)
• When should I use it?
– To protect against PC hardware failures
• What products support it?
– RAID
– Clustering
  Although not supported by RSI products, it can be used for database components of a system
– Marathon Technologies Endurance system
  Although not currently supported by RSI products, it is being reviewed for platform support in the very near future…so stay tuned
– How is it configured?
  A pair of hardware ‘co-server’ systems share a ‘virtual’ system that is synchronized via a 1 Gb/s Ethernet backbone
  Requires Server class hardware
Marathon Configuration
[Figure: Co-Server 1 and Co-Server 2 hosting the Virtual Server]
• 2 Co-Server PCs host a virtual server
• This is the most costly example. Can be used with fewer network connections
Computer Hardware Redundancy (con’t.)
• Hands-On:
– RSSql configuration running within the synchronized ‘virtual’ server
– Demonstrate the GUI provided by Marathon
– Disable the network card on a co-server
– Co-server #2 detects the network card failure and uses its component
– RSSql configuration remains running and inserts data into the database
– Students notice the Virtual Server Manager indicates the component failure inside the provided GUI
Software Application Redundancy
RSView SE & RSLinx Enterprise
Software Application Redundancy
• What is it?
– Automatic failover from a software application running on one computer (primary) to an identical software application running on another computer (secondary) should the primary software application fail
• How does it work?
– The health of both primary & secondary software application is checked, and client-side applications will automatically switch to the secondary server-side application should the primary server-side application become unavailable
  Example – RSView SE & FactoryTalk Data Server allow redundancy configuration
Software Application Redundancy (con’t.)
• Hands-On:
– Please navigate to an HMI display
  1 person in each row to connect in a different manner:
  “Rich” client on EtherNet connect to Alarm Summary
  “Rich” client on ControlNet connect to a Segment display
  “Thin” client on EtherNet connect to a Segment display
  “Thin” client on ControlNet connect to Alarm Summary
– Using examples from the RSView SE Design Guide, fail the primary HMI/Data Server by disconnecting the network cables and shutting down power
– Please note the behavior of the system and compare with your neighbor’s system
  Alarm States are synchronized between primary & secondary HMI Servers
Summary
• Many forms of redundancy exist
– Each was created to solve a specific application need
– Be sure to use the correct redundancy solution for the application
– Multiple solutions may be used concurrently based on application needs
• Redundancy is dependent upon software and hardware solutions working in tandem
• Many times the software is a messenger to problems with hardware
• Redundancy is not a method to ‘cover up’ poor application implementation
Questions ?
• G102753810 – RSView SE 3.20 Distributed System Design Considerations
• OP07 – RSView SE Distributed Design Considerations
• GN03 – FactoryTalk Distributed Design Considerations
• Thanks for attending IA02 - Visualization Redundancy for Real World Applications at RSTechEd 2005
• Please tidy up your area, complete the survey, and have a nice evening!