SCADA Hot-Standby System: a redundant, backup computer system for ultimate security
The Millennia-DX SCADA "Hot-Standby" System uses two identical Windows based computers connected via a LAN, with both running Rel-Tek's special hot-standby "RFile" software. The XFER supervisory module continuously monitors the DX-COM data communication bus and commands a switchover to the hot-standby in the event the primary computer fails for any reason. The XFER module is totally independent of either computer, so it can make the switchover decision without relying on either of them. An alarm issues if a failure of either computer occurs.
The Millennia-DX software configuration and setup is essentially identical for the two computers (primary and standby). The Standby computer, which is needed to take over the Millennia-DX functions, is running but dormant while in standby mode; it does, however, display status information continuously. The Millennia-DX configuration -- including the Units, Alarms, and Signal Data and Logging data files -- is congruent between the two computers. The Window display screens may be different on the two computers. If MagiKal (automatic sensor calibration) is being used, the Calibration Sensor Groups and all the MagiKal settings are identical on both computers. The RFile code keeps the Calibration data and logs updated on the Standby computer. To assure all setup and control functions on the Primary computer are identical on the Secondary (i.e. hot-standby), the Primary backup is parallel loaded on the Secondary. The operator checks the appropriate boxes to identify which is the Primary and which is the Secondary unit.
Failure of the Primary computer is determined by a cessation of the on-going DX-Bus communications (19.2KB to 115.2KB) to the field I/O system for a duration exceeding a preset value, usually 10 seconds. This loss of communications (indicative of the primary computer failure) is determined by a solid-state watchdog circuit contained in the DX-Com communication driver module. On a computer failure detection, the watchdog monitor closes a relay, which sounds a local alarm, while automatically transferring the system DX-Bus communications to the Secondary (Standby) computer. The failed Primary computer is thus disconnected, and the Standby computer continues all of the monitoring and control functions, transparent to the switchover. It is important to note that the failure determination is done independently from either computer, so a failure of either computer alone does not jeopardize the monitoring/control process. If the Primary computer fails, an alarm sounds and the transfer to the hot standby is automatic. If the Secondary computer fails, an alarm sounds and the Primary continues all of the monitoring/control functions. It would take independent, simultaneous failures of both Primary and Standby computers before the monitoring/control system would shut down, a highly improbable scenario. The RFile programs run independently of the Millennia-DX program on each computer, which isolates the Primary and Secondary computers' monitoring/control functions from one another. Further assuring complete independence, if either computer fails, the other automatically disconnects itself from it.
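The switchover logic described above, modelled as an added illustration (this is not Rel-Tek's code): the watchdog judges each computer only by the silence interval it observes, so a failure decision never depends on the failed computer's cooperation. It assumes the Standby computer's liveness is tracked by a LAN heartbeat, which the page does not specify.

```python
from dataclasses import dataclass, field
from typing import Optional

OTHER = {"primary": "standby", "standby": "primary"}


@dataclass
class Watchdog:
    """Model of the solid-state watchdog in the DX-Com driver: it sees only
    bus/heartbeat activity, never a computer's own claim about its health."""
    timeout: float = 10.0                        # preset silence limit, seconds
    driver: Optional[str] = "primary"            # computer wired to the DX-Bus
    alive: dict = field(default_factory=lambda: {"primary": True, "standby": True})
    last_seen: dict = field(default_factory=lambda: {"primary": 0.0, "standby": 0.0})
    alarms: list = field(default_factory=list)   # (time, message) for the local alarm

    def activity(self, pc: str, now: float) -> None:
        """Record a DX-Bus frame from the driver, or a LAN heartbeat (assumed) from the standby."""
        self.last_seen[pc] = now

    def tick(self, now: float) -> Optional[str]:
        """Evaluate the timeout; returns which computer drives the bus (None = total outage)."""
        for pc in ("primary", "standby"):
            if self.alive[pc] and now - self.last_seen[pc] > self.timeout:
                self.alive[pc] = False
                self.alarms.append((now, f"{pc} computer failed"))
                if pc == self.driver:
                    # Relay closes: the bus lines move to the other computer, whose
                    # DX2202 digital input tells it that it is now the primary.
                    self.driver = OTHER[pc] if self.alive[OTHER[pc]] else None
        return self.driver

    def repair(self, pc: str, now: float) -> None:
        self.alive[pc] = True
        self.last_seen[pc] = now

    def manual_switch_back(self) -> Optional[str]:
        """Operator-initiated return to the Primary; refused while it is still down."""
        if self.alive["primary"]:
            self.driver = "primary"
        return self.driver


def primary_failure_scenario():
    """Constructed timeline: Primary goes silent after t=20 s. Returns the bus driver
    at 25 s, the time the watchdog switched over, and the driver after switch-back."""
    wd = Watchdog()
    for t in range(0, 21, 5):
        wd.activity("primary", t)
        wd.activity("standby", t)
    at_25 = wd.tick(25)                          # only 5 s silent: no action yet
    failover_at = None
    for t in (30, 31, 35):                       # 10 s is not > 10 s; 11 s trips it
        wd.activity("standby", t)
        if wd.tick(t) == "standby" and failover_at is None:
            failover_at = t
    wd.repair("primary", 100)
    return at_25, failover_at, wd.manual_switch_back()
```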
The RFile software running in the Secondary computer controls the Ethernet communications between the two computers, automatically asking for, receiving and updating its files as they are transferred from the Primary computer. The communications are through the network LAN cards, over a wide bandwidth cable. The RFile software checks the Primary for new data approximately every 30 seconds, transferring the changed files to the Standby computer whenever it finds changes. Each copy of RFile is given the IP address or the computer name of the computer it is to communicate with. The RFile software maintains a log of all files transferred.
With the Standby computer data files always up-to-date to within about 30 seconds, if the Primary computer fails, some amount of historical data will be lost, depending on the amount of data in RAM which hadn't yet been saved to hard drive. However, the Standby computer can take over all essential SCADA functions of the Primary computer within about 60 seconds or less. The Secondary reestablishes and maintains complete system operation until such time as the Primary computer problem is resolved and a switch-back is manually enacted. For advanced IT users, the Primary and Standby computers can swap functionality based on changes in the Control, Startup Script or Unit (field address) Files, and can be swapped manually by changing the RFile designations in the Primary and Secondary computer setup.
The hardware necessary for the Standby computer operation consists of an additional DX-COM communications driver for the Secondary computer, a LAN quality cable and a DX2202 I/O card, the latter providing a digital input to tell the Standby computer that it is now the Primary computer and providing controllable relays for switching the DX-Bus communications lines.
The reliability of a Millennia-DX (SCADA) system running in a hot standby mode is impossible to quantify. Estimates have been proffered showing many nines, but the sample population size and operating duration would have to be very great to confirm this. Suffice it to say that the RFile hot-standby system is a major benefit for critical SCADA applications, paralleling the reliability of PLCs and other solid state processors having far less capabilities.
Refer to Millennia-DX, RFile and other Rel-Tek manuals for complete system details. Contact the factory for inquiries and assistance. Our web site contains a wealth of information available for printout and downloading.