100% Employee Owned, Founded 1954

Achieving High Availability with Redundant Rockwell ControlLogix Systems

Rockwell’s Allen Bradley ControlLogix line supports enhanced redundancy with processors, communications, and power supplies to achieve high availability of your control system. Here are some of our recommendations, plus some pitfalls to avoid when implementing such a system.

1. Make sure you include the right parts

Use Rockwell’s new “enhanced redundancy” platform – The older redundancy platform used a different redundancy module and included several communication modules that are no longer “the latest and greatest”.

Some communication cards are not compatible with enhanced processor redundancy – a ControlLogix 1756-ENBT is sufficient for some simple, non-redundant implementations and for remote racks in a redundant system, but a 1756-EN2T or better is required in the processor rack. Read more about ControlLogix Redundancy

Make sure your processor hardware is supported – Some very old processors may need to be upgraded. Also note the L7x series has roughly twice the memory and twice the speed of the older L6x series.

Not all RSLogix5000 and firmware versions support enhanced redundancy – 16, 19 and 20 have good redundancy support. 17 did not support redundancy. 18 should be avoided regardless of whether the system is redundant or not.

Also note that the processor racks must contain only processors and communication cards all I/O must be in remote racks. It may make sense for communication cards not requiring redundancy (perhaps with information-only links to auxiliary equipment) to also be in an I/O rack.

2. Networking without single points of failure

The redundant 1756-EN2TR card is for an Ethernet ring – it does not support dual-star networks. We recommend using 1756-EN2TR cards for the I/O network. There are also ControlNet cards with redundant media, but Ethernet gives better performance and flexibility, including the ability to add cards and racks on the fly and not having to use RSNetworx.

We recommend two 1756-EN2Ts per processor rack to support fully redundant dual star HMI (human-machine interface) networks.

Make sure your HMI stations have two network cards – If you will be using HMIs that cannot support redundant network cards, use a second Ethernet ring (with 1756-EN2TR modules in the processor racks in addition to the ones for the I/O network) for the HMI network with ring switches at each HMI location.

3. Power Supplies

Design for two power sources at each cabinet. Ideally one should be from a UPS (uninterruptable power supply). Have a pair of power supplies for each requirement; one from each source.

  • Redundant ControlLogix power supplies mount separately and have cables to a chassis adapter.
  • 12 and 24 VDC (volts direct current) power supplies should both feed to a diode module to prevent back-feeding a dead circuit.
  • 120 VAC (volts alternating current) distribution power can be made redundant with a contactor where the load is on the common of each contact, the coil is attached to the power source also going to the normally open contacts, and the other power source goes to the normally closed contacts.

ControlLogix I/O racks definitely need redundant power supplies. You can save money by putting non-redundant standard supplies on the processor racks, since the racks themselves are redundant. However, a power interruption on either source will then cause one processor rack to go down, and this interruption can cause problems. Therefore, we recommend putting redundant Rockwell supplies on processor racks as well.

Internal batteries may be useful, especially for systems where all I/O connections are 12 or 24 VDC (none are 120 VAC). Use 24 VDC UPS devices to manage the charging and the use of batteries downstream of power supplies. If such batteries are used, at least one of each pair of Rockwell power supplies should be 24 VDC input rather than 120 VAC so that it can be powered from the batteries when all incoming 120 VAC is lost.

4. Processor Resource Considerations

Processor redundancy doubles memory consumption – You may need to move up to the next size to get more memory.

Alarm and Event blocks (ALMD, ALMA) are wonderful, but are resource hogs – You should only use around 300 of them per pair of processors. Using more will cause the synchronization to bog down and result in the secondary processor periodically becoming unavailable while updating. One technique to minimize the number of alarm blocks: ALMDs have variable message strings which can be used to combine multiple related conditions into a single alarm block.

5. Alert when one of a redundant pair fails

A redundant system that doesn’t tell you when one half is down is hardly better than no redundancy at all – Make sure the correct people are alerted as soon as one of a pair of redundant devices goes down so it (or its replacement) can be brought back online before the other one fails.

  • Bring status contacts from each power supply to discrete inputs and alarm when any of those inputs goes off for more than a few seconds.
  • Use RSLogix5000 instructions such as MSG (message) and GSV (get system value) to obtain the status of each communication module, processor chassis, and processor card. Alarm if any becomes unavailable. A longer delay is appropriate for processor status – sometimes they go offline but will be back available within two minutes.

6. Other Common Cause Failure Considerations

The classic “common cause failure” is when a pair of redundant processors is mounted in the same cabinet, then a forklift hits the cabinet or it’s hosed down with a door open – some event that takes down both processors. To avoid this, mount the processor racks in separate cabinets with some space between. 10 and 100 meter standard fiber optic redundancy cables are available, or a custom single mode cable can be used to separate the processors by as much as 10 km.

Achieving High Availability

To recap – A redundant system will be most robust and perform best when:

  • The proper parts are chosen.
  • Power supplies are designed so that everything critical stays powered even when components fail and power sources are interrupted.
  • Communication networks have no single points of failure.
  • Processor memory and alarming resources are properly utilized.
  • Operators are warned if any redundant component has failed.
  • Opportunities for common cause failure are minimized.

Questions to consider:

  • How much money does a single control system outage incident cost my company?
  • How long does it generally take my technicians and operators to get the system back up and running after an outage?
  • If I’m upgrading a standard system to redundant, can I keep the existing processors and communication cards or do I need to upgrade? Will I need to add a rack to separate processors and communication from I/O cards?
  • How much power redundancy and battery storage is appropriate and worth the cost? If I lose power to the controller, is the process likely down anyway?
  • Do I have enough 120 VAC circuits and capacity to support redundant power supplies?
  • How many pairs of processors will I need to avoid exceeding memory, scan time, and alarm block limitations?

Contact Cross

For more information, contact a Cross team member and our experts can help source the right hardware and setup for your operation.

See how our process solutions team can help improve quality, increase efficiency, and reduce risk.