High Availability Systems: Selection Guide
What’s Inside
High Availability Systems
Hardware Redundancy
Hot Backup
Availability is the probability that a system is operating successfully when needed. Availability (A) is calculated by using this
formula:
A = MTBF / (MTBF + MTTR)
where:
MTBF = Mean Time Between Failure
MTTR = Mean Time to Repair
High availability encompasses productivity, including reliability and maintainability. Reliability is the likelihood that a device will
perform its intended function during a specific period of time. Maintainability is the ability of a system to be changed or
repaired without interrupting the process.
[Figure labels: Redundant Servers; EtherNet/IP™ Switch; EtherNet/IP Devices; 1715 Redundant I/O System; 1756 ControlLogix I/O; 1734 POINT I/O™; PowerFlex® Drive Connected via 1783-ETAP]
For additional redundancy rules and restrictions, see ControlLogix Enhanced Redundancy System User Manual,
publication 1756-UM535.
For detailed specifications, see the 1715 Redundant I/O System Specifications Technical Data, publication 1715-TD001.
Products with EtherNet/IP embedded switch technology have two ports to connect to a linear or DLR network in a single
subnet. You cannot use these ports as two network interface cards connected to two different subnets.
Linear Network
A linear network is a collection of daisy-chained devices. The EtherNet/IP embedded switch technology allows this topology to
be implemented at the device level. No additional switches are required.
The primary disadvantage of a linear network is that any break of the cable disconnects all devices downstream from the break
from the rest of the network.
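The effect of a cable break can be checked on a small graph model. The following is an added example, not part of the original guide: it compares a daisy chain with the same chain closed into a ring (the shape of the DLR topology this guide mentions), using constructed device names, and it models only cable connectivity, not the ring protocol itself.

```python
from collections import deque

def build_links(devices, ring=False):
    """Cable segments of a daisy chain; ring=True adds the closing segment."""
    links = {frozenset(pair) for pair in zip(devices, devices[1:])}
    if ring:
        links.add(frozenset((devices[-1], devices[0])))
    return links

def reachable(start, links, broken=()):
    """Breadth-first search over the segments that are still intact."""
    intact = links - {frozenset(b) for b in broken}
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for link in intact:
            if node in link:
                (peer,) = link - {node}
                if peer not in seen:
                    seen.add(peer)
                    queue.append(peer)
    return seen

def isolated(devices, links, broken):
    """Devices the first device (the controller) can no longer reach."""
    live = reachable(devices[0], links, broken)
    return [d for d in devices if d not in live]

# Constructed device names, in cabling order.
DEVICES = ["controller", "io-1", "io-2", "drive-1", "io-3"]
LINEAR = build_links(DEVICES)
RING = build_links(DEVICES, ring=True)

if __name__ == "__main__":
    one_break = [("io-1", "io-2")]
    two_breaks = [("io-1", "io-2"), ("drive-1", "io-3")]
    print("linear, one break :", isolated(DEVICES, LINEAR, one_break))
    print("ring, one break   :", isolated(DEVICES, RING, one_break))
    print("ring, two breaks  :", isolated(DEVICES, RING, two_breaks))
```

A ring tolerates one break; a second break isolates whatever sits between the two faults.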
The primary disadvantage of the DLR topology is the additional effort required to set up and use the network as compared to a
linear or star network.
• ControlLogix Controller
• 1756-CN2R or 1756-CNBR
[Figure labels: ControlNet Node; ControlNet Node; 1756-CPR2 Cables; ControlLogix; 1756-PSCA2 Chassis Adapter]
For a redundant power supply system, you need the following components:
• Two of the same redundant power supplies (two 1756-PA75R or two 1756-PB75R)
• One 1756-PSCA2 chassis adapter module
• Two 1756-CPR2 cables to connect the power supplies to the 1756-PSCA2 chassis adapter module (0.91 m [3 ft] length)
• User-supplied annunciator wiring to connect the power supplies to the input modules, as needed
The 1756-PSCA2 chassis adapter module is a passive device that funnels power from the redundant power supplies to the
single power connector on the ControlLogix Series B chassis backplane.
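The availability formula at the start of this guide can be applied to this arrangement: two supplies in parallel, feeding one shared adapter in series. This is an added example, not part of the original guide. The MTBF and MTTR figures are constructed for illustration and are not Rockwell Automation data, and the parallel formula assumes the two supplies fail independently.

```python
import math

HOURS_PER_YEAR = 8760

def availability(mtbf_h, mttr_h):
    """A = MTBF / (MTBF + MTTR), both in hours."""
    return mtbf_h / (mtbf_h + mttr_h)

def series(*parts):
    """Every part must work: availabilities multiply."""
    return math.prod(parts)

def parallel(*parts):
    """Any one part is enough: the system is down only if all are down."""
    return 1 - math.prod(1 - a for a in parts)

def downtime_hours_per_year(a):
    return (1 - a) * HOURS_PER_YEAR

# Constructed figures (assumptions, not vendor data).
SUPPLY = availability(mtbf_h=9_990, mttr_h=10)     # 0.999
ADAPTER = availability(mtbf_h=99_990, mttr_h=10)   # 0.9999

def single_supply():
    """One supply wired straight to the chassis."""
    return SUPPLY

def redundant_supplies():
    """Two supplies in parallel, then the shared adapter in series."""
    return series(parallel(SUPPLY, SUPPLY), ADAPTER)

if __name__ == "__main__":
    for name, a in (("single", single_supply()),
                    ("redundant", redundant_supplies())):
        print(f"{name:9s} A={a:.10f} "
              f"downtime={downtime_hours_per_year(a):.3f} h/yr")
```

With these figures the redundant pair cuts expected downtime from 8.76 to about 0.88 hours per year, and the result can never exceed the availability of the shared adapter, which remains a single point in series.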
[Figure labels: CompactLogix Controllers; 1769-L30ER, 1769-L33ER; 1 (Front); 2 (Rear)]
When compared to a hardware-based redundancy solution, this solution uses fewer hardware components and provides
sufficient backup for applications that do not require a bump-less switchover:
• Standard hardware and firmware for CompactLogix or ControlLogix systems
• No added hardware cost
• Support for EtherNet/IP and ControlNet I/O
• 250 ms to a few seconds switchover time
To use a hot back-up solution, you must be able to tolerate all of the following criteria:
• A delay of several milliseconds to several seconds may occur before the secondary controller gains full control of the
system.
• During the switchover, outputs may temporarily revert to the values for Fault mode, according to the I/O configuration
for the modules. We recommend last state during switchover whenever possible.
• Hot backup does not support any motion module, such as 1756-M02AE or 1756-M08SE.
• Ethernet modules do not swap IP addresses.
• Use 1756 or 1794 I/O modules only. 1734 POINT I/O modules are not supported.
• Output modules must be in a remote chassis.
• We recommend placing input modules and output modules in separate chassis.
• Hot backup supports I/O on ControlNet and EtherNet/IP networks only. Firmware revisions 20 and greater support I/O on
EtherNet/IP networks only.
• Controllers must stay in Remote mode. The application will switch once but will not qualify the secondary controller if
either one is in hard Run mode.
Switchover Delay
The switchover of control from one controller to another does not occur immediately. The delay could range from hundreds of
milliseconds to several seconds or longer, and depends on these factors:
• Size of the system
• Quantity of I/O in the system
• Distribution of the output modules in the remote chassis
• Speed of the system
• Type of failure
– If a controller enters Fault or Program mode, it must close its connections to the output modules before the
secondary controller can take over control. (Program mode supported only in firmware revisions earlier than 20.)
– If a controller fails or loses communication to the system, its connections close, so the secondary controller can take
over control as soon as the failure is detected.
The HMI delay depends on the solution you use to switch topics to the other controller. This switchover takes 2…15 seconds
and may cause a bump in the I/O control.
For more information, see Knowledgebase Answer ID 68593 at the Rockwell Automation Support Center.