For many years, some rules of thumb for applying industrial automation platforms were relatively well-defined. Programmable logic controllers (PLCs) were best for control of machines and smaller systems, while distributed control systems (DCSs) dominated for larger processing plants. Redundancy was most likely to be implemented for a DCS, where ubiquity made it somewhat common and therefore straightforward. Implementing PLC redundancy, on the other hand, was complex and expensive and therefore reserved for only the most critical applications.
The outlook has evolved significantly over the recent years. DCSs still dominate for large and complex process control applications — with improved capability and connectivity at all levels. Similarly, PLCs have gained extensive processing and communication capabilities, especially through the development of edge controllers, which combine traditional PLC functionality with PC-type computing.
Today’s PLC and edge controller technologies now also offer an exceptional controller redundancy price/performance ratio, similar to a DCS. For many projects, industrial controller redundancy can now be easily and economically incorporated to improve uptime, security and system maintainability. This article examines what details implementers should be aware of when considering industrial controller redundancy.
In the computing world, high availability (HA) is the general term for any characteristics providing improved uptime. For industrial control implementations, this means designers need to consider the ramifications of any single points of failure for power, instrumentation, networking and computing. Making these systems redundant, either in a primary/secondary configuration or as completely parallel installations, is a main strategy for improving HA.
Industrial controllers, acting as the brain for automated equipment or processes, are very reliable but still represent a single point of failure. Many makes and models of PLCs do not even offer redundancy, while those that do are usually the most expensive products offered. Furthermore, implementing redundant PLCs has not always been a straightforward activity.
The usual goal for HA redundancy installations is to preserve always-on operation. But some users are finding that redundant systems give them more flexible options for performing system upgrades and maintenance during normal working hours, instead of waiting to do this type of work during downtime.
Redundancy, behind the curtain
There is a lot going on with redundant controllers, which are generally implemented as a primary/secondary pair. The primary controller is active until there is a major fault, which triggers failover to the secondary standby controller. Major faults can include on-board controller hardware problems, power failures or cut cables.
The controller pair needs to interact so the primary can update or mirror itself to the secondary, ensuring that the secondary is ready to take over operations in the event of failure. The redundant controllers also must interact with lower-level field devices, inputs/outputs (I/O) and instruments, as well as higher-level human-machine interfaces (HMIs) and supervisory control and data acquisition (SCADA) systems.
However, vendors implement these redundancy tasks in a variety of ways, some of which can compromise performance. Therefore, designers must understand the details to make an informed choice.
Deterministic, diverse, secure and manageable
Any investigation of applying HA to industrial automation by using redundant controllers needs to address how deterministic, diverse, secure and manageable the implementation is in practice.
The task of a primary controller updating the secondary is called synchronization. Some PLC platforms economize by using a synchronize-by-exception approach. However, this causes failover performance and timing to vary and can lead to cascaded failures in worst-case situations. Other PLCs must restrict the amount of usable memory by up to one-half in order to accomplish synchronization.
Very few PLC redundancy solutions fully synchronize all data, I/O memory and logic solving for every single scan. However, those that do are able to perform deterministic, bumpless failover within a single logic sweep. This applies not just to controlled I/O devices but also to supervisory HMI and SCADA interactions.
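The difference between synchronize-by-exception and full per-scan synchronization can be made concrete with a small simulation. The Python model below is an added example, not code from the article or from any vendor's product: it represents the controller as a tag image, mirrors it to a standby after each sweep using either strategy, fails the primary over on missed heartbeats, and reports which tags the standby holds stale at takeover. The per-scan link budget (SYNC_BUDGET), the heartbeat threshold (HEARTBEAT_MISSES) and the totalizer/alarm logic are constructed assumptions.

```python
from collections import deque
SYNC_BUDGET = 8        # tags the sync link can move per scan (constructed assumption)
HEARTBEAT_MISSES = 2   # missed heartbeats before the standby takes over (assumption)

class RedundantPair:
    def __init__(self, mode):
        self.mode = mode                               # "full" or "exception"
        self.primary = {"total": 0, "alarm": False}    # live tag image on the primary
        self.secondary = dict(self.primary)            # mirrored image on the standby
        self.pending = deque()                         # exception-sync backlog
        self.missed, self.active = 0, "primary"

    def _write(self, tag, value, changed):
        if self.primary.get(tag) != value:             # record only real changes
            self.primary[tag] = value
            changed.append(tag)

    def solve(self, inputs):
        """One logic sweep: latch inputs, run a totalizer and an alarm rule."""
        changed = []
        for tag, value in inputs.items():
            self._write(tag, value, changed)
        self._write("total", self.primary["total"] + sum(inputs.values()), changed)
        self._write("alarm", self.primary["total"] > 100, changed)
        return changed

    def synchronize(self, changed):
        """Mirror the image to the standby after the sweep."""
        if self.mode == "full":                        # dedicated link sized for the whole image
            self.secondary = dict(self.primary)
            return
        self.pending.extend(t for t in changed if t not in self.pending)
        for _ in range(min(SYNC_BUDGET, len(self.pending))):  # per-scan link budget
            tag = self.pending.popleft()
            self.secondary[tag] = self.primary[tag]

    def heartbeat(self, primary_alive):
        self.missed = 0 if primary_alive else self.missed + 1
        if self.missed >= HEARTBEAT_MISSES:            # standby takes over
            self.active = "secondary"

def run(mode, frames, fault_at):
    """Scan frames; primary dies before scan fault_at. Returns (active, stale tags)."""
    pair = RedundantPair(mode)
    for scan, inputs in enumerate(frames):
        alive = scan < fault_at
        if alive:
            pair.synchronize(pair.solve(inputs))
        pair.heartbeat(alive)
    stale = sorted(t for t, v in pair.primary.items() if pair.secondary.get(t) != v)
    return pair.active, stale
```

A burst of many tag changes in the scan just before the fault leaves the exception-synced standby with a backlog it never receives, while the fully synced standby takes over with an identical image.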
Diverse redundancy refers to the ability for the primary and secondary controllers to be located remotely from each other, and it is dependent on the synchronization network between the two. Some PLCs try to leverage the I/O network to also act as the synchronization network, which can negatively affect both.
Synchronization performs best over a dedicated, very high-speed network, typically fiber optic media, which allows the controllers to be up to 10 km apart. The fieldbus for I/O, such as PROFINET, also must support long links and a ring configuration. Finally, the supervisory network performs best when it is native to the controllers and redundancy-aware, both of which are built-in features for OPC UA.
OPC UA has ascended as a preferred industrial automation protocol for many other reasons besides redundancy. The protocol is extensible and allows contextualization of data, making it a universal language for interconnecting many types of industrial devices and systems. Also, OPC UA delivers security in the form of built-in encryption and authentication, providing protection against cyberattacks.
Redundant systems are understood to provide more cybersecurity than simplex systems for two reasons. The first is that even if an intruder faults the primary controller, the secondary can continue operating. More importantly, today’s automation systems are built on large code bases, with significant functionality and communications connectivity. This means that over the course of their 10- to 20-year lifetimes, it is a near certainty that these systems will require firmware or hardware upgrades to improve performance and cybersecurity. Unlike simplex systems, the right redundant PLC systems can receive these upgrades while operating, with no impact to production.
Upgrading firmware is not the only task associated with managing a redundant system. Some older redundancy schemes demanded specialized hardware designs or unique programming techniques, or imposed other memory, I/O count and configuration restrictions. Other systems are demanding and require exact hardware, firmware and/or software version matches if any work is to be performed.
A modern redundancy system should avoid these constraints and effectively allow a redundant controller to be added to a simplex system at any time with just a few software configuration checkbox settings. This ensures that end users can easily design, deploy and maintain redundant systems.
End users are usually aware of the benefits of redundancy to achieve HA. However, for industrial control platforms, these users are equally aware of the potential expense and complexity. Not all redundancy implementations are created the same, and there are many details around determinism, diversity, security and manageability that may be compromised with some vendor solutions.
With an understanding of these conditions, end users can make an informed selection for industrial controller redundancy to take advantage of all the benefits HA can offer for their applications. As detailed above, HA provides more benefits than always-on operation through fast, consistent and reliable failovers. Modern automation platforms can deliver these benefits via controller redundancy with a minimal hardware investment and easy implementation.
Darrell Halterman is a senior product manager of PACSystems controllers at Emerson’s machine automation solutions business, and he is responsible for the portfolio’s control solutions modernization strategy. He enjoys working with customers to find the right modernization strategy to enhance their existing control solutions with the latest advancements in automation.