This site uses Cookies. By using the site you accept our usage of Cookies. Dismiss More info

PLC Engine - OPC Redundancy

PLC server redundancy


Redundancy should prevent failure and consequential damages in plants  in case of flawed components

The ideal state is having all components redundant. This will include the SCADA system with its staff and the machine itself. For cost reasons machines, teams and SCADA systems are redundant seldom. Ideal are two systems, for security reasons at different locations.

If the costs are considered, very extensive redundancies are economically rarely portable. There are few exceptions for far-reaching redundancy as nuclear power plants and railway signals.

Suggestive those components having most failures or will produce highest costs on failure will be make redundant. This are network cables, switches, sometimes the network adapters on the PC and the controller. The main reason for this is the broad expanse of networks. Various disturbance are threatening all components like construction work, overload, aging contacts and animals affecting the cables.
It is impossible making wireless networks redundant. If the "air cable" is affected it can not be made redundant with air. Multiple senders and receivers do not help often. As maximum the number of failures can be decreased a little bit.
Power supply can be make redundant also. This will not be threated here.
Multiple available SCADA systems will not be threatened here, the same is for multiple controllers or complete plants for redundancy. High-available controllers will be part of redundancy concepts.

For best results the information need to be fetched simultanously over multiple connections. The data need to be checked for the best value. Such logic will result in heavyly load on the controller, so it is not usable on most plants. The main reason for this: The controllers are optimized for fast reactions of the plant and not for heavily network communication. Additionally - fetching the data over multiple connections will result in inconsistent data behaviour. The data reading works with a lot of small requests. If the data are changing in between - especially if they will be fetched over multiple connections - no consistency check can be used truely. In real plants the data content is changing very quickly.
If system immanent errors (by construction or by design) should be circumvented different technologies must be used. An example: Two different controller types on one machine from different manufacturers need to be used. Another example are computers with different technology as a PC with INTEL cpu and Windows, another with ARM cpu and Linux. Such things are not handled here.

Interpretation of Network Redundancy

The network has the most failures. So doing redundant networks rises the down time significantly.
A SCADA machine running the OPC Server or PLC Engine needs a minimum of two network adapters, the controller also.
Two separate networks need to be build up.
Both networks need a different IP address area. One station with an standard operating system can not handle overlapping network masks on multiple network adapters. Broken lines using the same subnet does not switch to the second network fast enough to the remaining cable system if the network masks overlap.
The network cables should not be build into the same cable tunnel. The switches of both networks need to be mounted in different cabinets. The cables need to be shielded against on another. A goot thing is having fire protection between both cables.

Rule: Prevent a "Single Point Of Failure". Exceptions are the starting point (the SCADA station) and the end point (the machine).

Interpretation Redundancy in Tani Products

In the Tani OPC server and PLC Engine the connection to the controllers will be defined as redundant. The connection consists of two or more connections internally. Each connection is configured in a manner that it will work over one of the network adapters only. The controller has two network adapters also. Each redundancy single connection has an IP destination address of its own. The result is each connection uses its defined network adapter.
There are some options for the redundancy connection check: Check the connection for running only, or check the controller run modus, or check a watchdog element for changes.

Configuration of redundancy in connections

The connection has a checkmark for redundancy. If it will be checked another entry field for connection parameters will open.

How it works in the OPC server

The OPC application need not to be changed or affected for redundance connections to the controllers.

During the start of the data aquisition both connections will be created, established and checked. The data will be handled over one connection only preventing the controller from overloaded. This connection now is the master connection.
If the master connection does not respond in the requested time or it breaks, all items will be switched active on the second connection. If data are arriving now it becomes the master connection. The previous connection becomes slave, all items will be inactivated on it. None of the items will give a quality error to the OPC client. In the diagnostics logger the switching will be listed.
Only if all connections will be disturbed the elements will deliver bad quality. The OPC client can check the switching connection over the item "System.Topics.<plc connection>.Redundancy", the value will change.
If the slave connection will fail this will be written into the diagnostics logger. Additionally the item "System.Topics.<plc connection>.Status<n>" will be set to failure.

On redundancy with three connections in case of failure of the master connection, some items are switched active on both slave connections. The faster connection wins and will become master, all of the rest items will be used on it. The more slowly connection goes into the slave state again..
Over the item "Redundancy" it can be checked which connection actually is the master. The items "Status1" and "Status2" (optionally "Status3" or more) are showing the actual state of the connections. They should be all zero if all connections exists.
Writing to the item "Redundancy" will switch the master immediately. This is for test purposes or for mainenance.
The jitter during switching the redundancy connection sets together from

The smaller value from both is used.
If the connection singals an error self reliant because the network cable on the adapter was removed the redundancy connection will switch immediately.
In the SCADA system or in the controller the connection state shound be used for warning messages for the machinery personel. So they can look for the reason of the failure and fix it.

How it works in the PLC Engine

PLC Engine uses the connection and item management the OPC server is using also. The redundency functionality is used in the same manner. The status variables should be used in logic tables so a broken connection will signal this to the plant personel. This can be writing to an element in the controller or into a database.