Double protection against failure – Redundancy by B&R
High-availability systems with real controller redundancy are costly to implement and have conventionally been reserved for applications where the consequences of downtime are the most severe. Now, however, B&R is making high-availability systems much more attractive by reducing costs to previously unheard-of levels. This development is based on X20 modules, which can be reconfigured with redundancy features at any time using Automation Studio 4.
Put simply, unplanned controller downtime is unacceptable. As pricing calculations grow ever tighter, there is rarely room left over to account for the cost of production downtime. In power plants, offshore platforms, chemical and pharmaceutical plants and elsewhere, a failure also carries considerable risk of damage and injury. In critical applications, but also increasingly in classic machinery, there is a rising demand for high availability based on redundant control architecture.
Maximum availability through redundancy
When a system contains two components that are identical or extremely similar, these components are said to be redundant. A high-availability system is typically designed so that if one component fails, its redundant counterpart steps in to take over its tasks. Since the likelihood of two of the same components failing at the same time is extremely low, this approach guarantees a very high level of availability.
In order for a system as a whole to be considered a high availability system, it would have to include two of each and every component, plus the corresponding switching mechanisms. When one compares the cost of providing redundant components against the probability and cost of failure, redundant motors are rarely justified. When it comes to sensors, actuators and I/O modules, as well as fieldbus and IT networks, a redundant solution generally makes much more sense. The controller is the heart that makes redundant automation possible; if this essential yet complex component fails, it can have extremely dramatic consequences.
Reducing the cost of redundancy
Conventionally, the construction of a failure-resistant system with redundant processors has been a costly affair, and has therefore typically been reserved for special applications, such as the process industry, power plants or traffic control systems. In these applications the high costs pay off compared to the even higher costs, damage and injury that might result from a system failure.
With controller redundancy provided by the B&R X20 system and integrated in the Automation Studio 4 development environment, high availability systems are now a cost-effective option even for smaller applications in the classic areas of machine automation. B&R developers have also succeeded in designing the functionality so that automation solutions developed with Automation Studio 4 that use identical hardware products can be operated either with or without controller redundancy. This allows machine manufacturers to implement redundancy as an option or even to offer a redundancy upgrade for existing systems.
With B&R's solution, one processor provides active control, while the second one runs in the background in standby mode. All network functions are monitored continuously, so that when the time comes, the backup processor can take over all of the main controller's functions without needing to reboot. While in standby mode, the backup controller is anything but inactive. On the one hand, the cross-communication capability of POWERLINK allows it to monitor all data traffic as well as the synchronization signal from the main controller in order to respond to a failure within one network cycle.
On the other, the two processors are constantly exchanging data via the redundancy link in order to remain synchronized. This high-speed fiber optic interface operates independently of the fieldbus and is connected via redundancy interface modules. This makes it possible to set up a high-availability system using standard controllers from the X20 portfolio. There is no need for specialized redundancy CPUs, which are generally very expensive. This further reduces initial costs and simplifies logistics. It also makes it very easy to design a system to be operated with or without optional controller redundancy, with only minor changes to the system. "From the point of view of a higher level control system, it is irrelevant which particular controller is active at any given time," confirms Manfred Mitterbuchner, who as technical manager of B&R's Automation Software business unit oversaw development of the processor redundancy functions. "Since the active controller always has the same IP address, no adjustments need to be made here, either."
Switchover in a matter of milliseconds
A critical characteristic of a redundant system is its switchover time. This time determines how long a system "flies blind" when switching to the backup processor – and whether this transition is acceptable given the nature of the system. With B&R's solution, however, this is no longer an issue. The reason? The B&R X20 system provides a switchover time of 2 cycles on the I/O bus, which equates to only a few milliseconds.
Compared to values in the range of hundreds of milliseconds seen in other solutions, this puts B&R in a league of its own. The result is a quick and smooth transition of process control when an error occurs, with no expensive downtime.
The fast switchover between the main and backup controllers also has the convenient side-effect of hot-plug functionality – the faulty unit can be quickly replaced without interrupting operation. Since new stations are automatically synchronized during operation, replacements can be made by personnel with minimal training and – above all – without affecting productivity.
"There are only a few rules regarding system architecture that need to be kept in mind in order to operate redundant controllers effectively," says Mitterbuchner. For example, I/O modules need to be operated on a POWERLINK or PROFIBUS network. "Otherwise the differences between a project with and without redundancy are minimal."
All configurations can be made right in Automation Studio. As always, the user only configures one hardware component. In order to set up controller redundancy, the user simply declares the controller as a redundant unit – this can be done at any point for an existing project – and configures the communication parameters and failure criteria. All other settings are filled in automatically by the respective Automation Studio functions. Individual process variables and libraries can be defined as redundant or non-redundant, overriding the default settings suggested by Automation Studio.
B&R's system philosophy makes it possible to design high-availability systems with real controller redundancy without requiring specialized controllers. Both the programming of the application and the configuration of optional redundancy functions occur independently of one another in the Automation Studio development environment. With B&R's cost-effective and easy-to-implement solution, high availability is now an attractive option for all types of series-produced machines.
"Controller redundancy shouldn't be a luxury reserved only for applications with the greatest risk. In the upcoming versions of Automation Studio and Automation Runtime, it is a standard option that can be configured as needed," explains Manfred Mitterbuchner, technical manager of B&R's Automation Software business unit.