Automation, Controls

Reducing industrial automation risk and downtime with high availability components

Understanding the details behind industrial automation redundancy implementations is key for achieving high reliability.

By Vibhoosh Gupta and Darrell Halterman July 16, 2021
Courtesy: Emerson

Emerson will be hosting a Control Engineering webcast, titled “How to improve PLC system resiliency to reduce risk and downtime,” on Wednesday, July 21, at 11AM PT | 1PM CT | 2PM ET.

To register for the webcast, please sign up here.

In the context of industrial automation, the term high availability (HA) is a simple phrase with many implications. It can be applied to electrical distribution, instrumentation, field-located equipment such as motors, controllers, networking and software — in short, anything enabling equipment and systems to run reliability. Today, various technologies have made industrial automation HA more accessible than ever before, democratizing this important capability.

For many years, HA was difficult to deploy on a large scale and prohibitively costly to use for smaller systems. The required return on investment (ROI) dictated that HA be applied only for the most critical parts and processes. For large-scale processes where distributed control systems dominated, HA implementations were common, and remain so.

But for smaller systems and machines where programmable logic controllers (PLCs) were the norm, HA was complex and expensive to implement in terms of both parts and labor. Furthermore, there is a newer generation of technology in the form of edge controllers, which combine PLC functionality with general-purpose computing and IT communications, and users are also looking for edge controller HA solutions.

Emerson has changed the HA equation for these smaller systems and machines with a variety of complementary technologies that are easily implemented and maintained to provide HA, deployable at any scale to unlock smarter and more secure operations.

A primary strategy for delivering HA is to remove single points of failure using redundancy. This article looks at how redundant control systems underpin a smart plant strategy, and how users can deploy Emerson’s edge technologies to easily implement redundancy — while increasing uptime, mitigating risk and enhancing cybersecurity.

Redundancy reconsidered

Redundancy is typically implemented with a primary/secondary configuration, or with completely parallel installations. For instance, an uninterruptible power supply delivers line power in its primary mode and battery-sourced power in its secondary more. An important measurement might be obtained using two completely separate and parallel instruments.

Always-on functionality is usually the foremost goal of any redundancy installation, but there are also secondary benefits. The right redundant installations give users more flexible options for performing maintenance or upgrades without any required downtime.

Industrial controllers are the brain of automation systems, and although they are reliable, they are also a single point of failure. These controllers are tasked with connecting “down” to field devices and instruments, “up” to higher level human-machine interfaces (HMIs) and supervisory control and data acquisition (SCADA) systems, and “horizontally” to other controllers.

Traditionally, only the most premium PLC products offered redundancy, and even then, implementation was expensive and complicated. Emerson addresses these and other issues by offering multiple PLC platforms with associated technologies so that redundancy is practical and cost-effective.

Controller redundancy architectures

Why would a controller fail? A major fault can be due to a power supply failure, disconnected wire or some on-board electronics problem. To overcome this, a redundancy solution uses two controllers. One is called the primary or active device, and the other is called the backup or standby device. In normal operation, the primary controller must constantly process all I/O signals, logic and memory values. If a major fault occurs, control functionality must seamlessly switch from the primary to the backup device, an action called switchover or failover.

The three controller redundancy schemes are:

  • Cold standby: Where the backup controller is powered off, perhaps on a stockroom shelf, and users must manually configure it prior to installation.
  • Warm standby: Where the backup controller is energized and monitoring the primary controller, but user action is required to fully synchronize and place it into service.
  • Hot standby: Where the backup controller is energized and always fully synchronized with the primary, ready to automatically assume control.

Cold standby is a typical real-world situation as it requires only a spare part, but it is a risky approach and can be time-consuming to execute a switchover. Warm standby is somewhat better, although it still introduces delays for switchover time. A warm standby approach can be acceptable when there are many production machines in parallel, each with their own controller, such that the loss of any one machine for a time does not disable overall production.

Hot standby is the preferred redundancy approach, but there are several ways controller suppliers can implement hot standby synchronization, and some of them may lead to compromised performance. Fortunately, Emerson has carefully avoided these potential pitfalls.

Courtesy: Emerson

Redundancy inner workings

A deep dive into redundancy details makes it clear that any solution must perform in several key areas to deliver:

  • Deterministic switchover: With full data synchronization over dedicated links and lock-step synchronization between primary/backup controllers.
  • Controller installation supporting geographic diversity: Using high-speed deterministic fiber optic connections supporting distances up to 10km, or ethernet connections in some configurations, so controllers can be located to avoid catastrophic but localized failures.
  • Hardware/firmware flexibility: Such that hardware and firmware revisions can be upgraded without downtime and without requiring matching versions.
  • Secure native communications: Built-in from the hardware up, and able to accept periodic updates to address potential cybersecurity issues.

Most PLC and edge controller vendors fall short of these important performance characteristics. They may choose to synchronize limited portions of the controllers based on exception, instead of allocating enough resources to handle a worst-case event. Failover can be variable instead of deterministic, and a cascade-failure can result if too much data must be transferred. Other PLC vendors severely restrict memory — by up to one half — or other capabilities to achieve synchronization. With some products, redundant PLCs operate asynchronously instead of in lockstep, with unexpected application behavior the result.

Inferior PLC schemes may attempt to leverage the I/O network to execute the synchronization task, compromising both roles. Another problem occurs when redundant PLCs exhibit a “blind time” during failover, during which supervisory control and data acquisition (SCADA) or HMI systems cannot read or write to the PLC. Finally, only some PLCs natively support fieldbus rings — like PROFINET — or secure higher-level networks with redundancy provisions, like OPC UA.

Emerson understands the needs of industrial users, and they provide PLC and edge controller platforms and networking to deliver deterministic, diverse, manageable and secure redundancy. Emerson’s Reflective Memory Technology over dedicated synchronization links assures full data synchronization occurs every controller scan, with both controllers operating to solve control logic in lockstep. The backup controller always has the same data set as the primary, and failover is fast and consistent, so real-time control is never impacted.

Courtesy: Emerson

Emerson PACSystems redundancy solutions

Some automation applications demand the highest control logic performance, while others need good connectivity to higher-level systems. Emerson offers PLC and edge controller solutions to meet all needs. Both support PROFINET fault tolerant I/O ring communication networks to ensure the best availability of I/O nodes.

Emerson PACSystems RX3i PLCs are available in a backplane/rack form factor, providing scalability. They provide ultrafast synchronization, with bumpless failovers in a single PLC scan — typically between 5 and 20 milliseconds (the standalone CPU version delivers 300 millisecond failover). Configuration is easy, with just a few checkbox selections required.

The RX3i family is the right choice if the application requires:

  • Controller failovers faster than 300ms.
  • Additional communication or local I/O modules.
  • CPUs to be installed more than 100m apart.
  • More than 32 redundantly controlled PROFINET I/O devices.

Emerson PACSystems CPE400/CPL410 edge controllers are available in a compact standalone form factor. They provide automatic synchronization link recover, with failovers within 300 milliseconds. Configuration is once again easy, with just a few checkbox selections required.

The CPE400/CPL410 family is the right choice if the application requires:

  • Can’t stop controller switchovers.
  • Compact physical footprint, withstanding temperatures outside of 0 to 60 Deg C.
  • Performance at a price point well below the RX3i family.
  • Edge application and communication functionality.

With either Emerson PLCs or edge controllers, PROFINET MRP provides a fault-tolerant I/O network with the addition of just one cable to complete the ring. All I/O families offer built-in Ethernet switches. The RX3i redundant PLCs work seamlessly with Emerson HMI/SCADA products, and they provide redundant internet protocol (IP) addresses to work with non-Emerson HMI/SCADA products.

Rational redundancy

Redundancy ensures an automated machine or system operates with HA. While there is often a sense that more is better, the fact is that most industrial automation redundancy schemes are too expensive, complex or deficient to deliver sufficient ROI.

Emerson offers better options, with several solutions that can be easily implemented to deliver good value, while providing top performance with regards to determinism, diversity, manageability and security. When users understand the details behind a redundancy scheme, they can choose a modern automation platform for their application — with fast, consistent and reliable failover.


Vibhoosh Gupta and Darrell Halterman
Author Bio: Vibhoosh Gupta is a portfolio leader for Emerson’s machine automation solutions business unit and manages its portfolio of automation system, operator interface, industrial PC, and Industrial IoT software and hardware products for industrial automation. Darrell Halterman is a senior product manager of PACSystems controllers at Emerson’s machine automation solutions business, and he is also responsible for the portfolio’s control solutions modernization strategy. He enjoys working with customers to find the right modernization strategy to enhance their existing control solutions with the latest advancements in automation.