Double protection against failure – Redundancy by B&R
High availability systems with real processor redundancy are costly to implement and have conventionally been reserved for applications where the consequences of downtime are the most severe. B&R is breaking down these barriers and making high availability a cost-effective option for a previously unheard-of range of applications. This development is based on X20 modules, which can be reconfigured with redundancy features at any time using Automation Studio 4.
Put simply, unplanned controller downtime is unacceptable. As pricing calculations grow ever tighter, there is rarely room left over to account for the cost of production downtime. In power plants, offshore platforms, chemical and pharmaceutical plants and elsewhere, a failure also carries considerable risk of damage and injury. In critical applications, but also increasingly in classic machinery, there is a rising demand for high availability based on redundant control architecture.
High availability through redundancy
When a system contains two components that are identical or extremely similar, these components are said to be redundant. A high availability system is typically designed so that if one component fails, its redundant counterpart steps in to take over its tasks. Since the likelihood of two of the same components failing at the same time is extremely low, this approach guarantees a very high level of availability.
In order for a system as a whole to be considered a high availability system, it would have to include two of each and every component, plus the corresponding switching mechanisms. When one compares the cost of providing redundant components against the probability and cost of failure, redundant motors are rarely justified. When it comes to sensors, actuators and I/O modules, as well as fieldbus and IT networks, a redundant solution generally makes much more sense. As the heart of an automation solution and its most complex component, the processor is where a failure has the most dramatic consequences.
Reducing the cost of redundancy
Conventionally, the construction of a fail-resistant system with redundant processors has been a costly affair, and has therefore typically been reserved for special applications, such as the processing industry, power plants or traffic control systems. In these applications the high costs pay off compared to the even higher costs, damage and injury that might result from a system failure.
With processor redundancy provided by the B&R X20 System and integrated in the Automation Studio 4 development environment, high availability systems are now a cost-effective option even for smaller applications in the classic areas of machine automation. B&R developers have also succeeded in designing the functionality so that automation solutions developed with Automation Studio 4 that use identical hardware products can be operated either with or without processor redundancy. This allows machine manufacturers to implement redundancy as an option or even to offer a redundancy upgrade for existing systems.
In B&R's solution, one processor provides active control, while the second one runs in the background in standby mode. All network functions are monitored continuously, so that when the time comes, the backup processor can take over all of the main processor's functions without needing to reboot. While in standby mode, the backup processor is anything but inactive. On the one hand, the cross-communication capability of POWERLINK allows it to monitor all data traffic as well as the synchronization signal from the main processor in order to respond to a failure within one network cycle.
On the other hand, the two processors are constantly exchanging data via the redundancy link in order to remain synchronized. This high-speed fiber optic interface operates independently of the fieldbus and is connected via redundancy interface modules. This makes it possible to set up a high availability system using standard CPUs from the X20 portfolio. There is no need for specialized redundancy CPUs, which are generally very expensive. This further reduces initial costs and simplifies logistics. It also makes it very easy to design a system to be operated with or without optional CPU redundancy, with only minor changes to the system. "From the point of view of a higher level control system, it is irrelevant which particular CPU is active at any given time," confirms Manfred Mitterbuchner, who as technical manager of B&R's Automation Software business unit oversaw development of the processor redundancy functions. "Since the active CPU always has the same IP address, no adjustments need to be made here, either."
Switchover in a matter of milliseconds
A critical characteristic of a redundant system is its switchover time. This time determines how long a system "flies blind" when switching to the backup processor – and whether this transition is acceptable given the nature of the system. With B&R's solution, however, this is no longer an issue. How can that be? The B&R X20 System provides a switchover time of 1 to 2 task classes on the I/O bus, which equates to only a few milliseconds.
Compared to values in the range of hundreds of milliseconds seen in other solutions, this puts B&R in a league of its own. The result is a quick and smooth processing transition with no expensive downtime.
The fast switchover between the main and backup processors also has the convenient side effect of hot-plug functionality – the faulty unit can be quickly replaced without interrupting operation. Since new stations are automatically synchronized during operation, replacements can be made by personnel with minimal training and without affecting productivity.
"There are only a few rules regarding system architecture that need to be kept in mind in order to operate redundant processors effectively," says Mitterbuchner. For example, I/O modules need to be operated on a POWERLINK or Profibus network. "Otherwise the differences between a project with and without redundancy are minimal."
All configurations can be made right in Automation Studio. As always, the user only configures one hardware component. In order to set up processor redundancy, the user simply declares the CPU as a redundant unit, which can also be done later on to add redundancy to an existing project, and configures the communication parameters as well as the failure criteria. All other settings are filled in automatically by the respective Automation Studio functions. Individual process variables and libraries can be defined as redundant or non-redundant in a way that deviates from the default settings suggested by Automation Studio.
B&R's system philosophy allows for construction of high availability systems with real processor redundancy without requiring any specialized CPU modules. Both the programming of the application and the configuration of optional redundancy functions occur independently of one another in the Automation Studio development environment. With B&R's cost-effective and easy-to-implement solution, high availability is now an attractive option for all types of series-produced machines.
"CPU redundancy shouldn't be a luxury reserved only for applications with the greatest risk. In the upcoming versions of Automation Studio and Automation Runtime, it is a standard option that can be configured as needed," explains Manfred Mitterbuchner, technical manager of B&R's Automation Software business unit.