Overview
In a running Hot Standby system, you can perform the following actions (in either the primary or standby rack, cabled or not cabled) without causing a Hot Standby switch-over or a duplicate IP address:
hot-swap a BMENOR2200H module
remove or reconnect a cable to a BMENOR2200H module
When you clear a detected fault on a BMENOR2200H in a standby rack (network cabling cut, power off, hot swap), this action does not affect the Hot Standby primary operation; in other words, no primary stop or shutdown, no I/O bump, and no switch-over occurs. The BMENOR2200H module can switch its servers or SCADA connections smoothly during a Hot Standby switch-over.
During a Hot Standby swap of the BMENOR2200H module, all values are set to 0 in its Hot Standby diagnostics table.
The controller automatically switches over under some conditions, but a detected error (for example, in the xxxx module) may stop the switchover. You may have to configure some logic to specifically detect the status of the module to trigger the intended switchover.
Event backup is not supported in a Hot Standby system. When this function is enabled in a standalone system in which the controller is replaced with a Hot Standby controller, the event backup function is automatically disabled.
For DNP3, IEC60870-5-101, and IEC60870-5-104, the event acknowledgement in the last cycle may not have synchronized from primary to standby. The acknowledgement also causes SCADA to receive the duplicate event, which has the same time stamp.
IEC60870-5-101 (via RS232) is not supported in a Hot Standby system.
Hot Standby Enable/Disable
The Hot Standby event synchronization can be enabled/disabled via DTM configuration in the following steps:
Hot Standby Path Selection
Control port
Backplane port
Hot Standby RTU Service
In a Hot Standby system, the input I/O image (••••_CONN Device DDT) is synchronized cyclically between the M580 primary and standby PACs.
The content of the diagnostic Device DDT does not need to be exchanged between the primary and standby BMENOR2200H modules.
DNP3/IEC60870-5-101/IEC60870-5-104 Server
With a DNP3, IEC60870-5-101, or IEC60870-5-104 server, only the primary module works as usual in a Hot Standby system, and the standby module has no communication with SCADA connections.
When the DTM configuration of the primary module, as well as its security mode and firmware version, are the same as those of the standby module, the two modules can synchronize. In this case, the primary module synchronizes the event history and internal data (unsolicited state, frozen counter, ...) with the standby module.
NOTE: Confirm that the primary and standby modules have the same cyber security configurations. If they have different configurations, the modules could still synchronize, but they may not work properly because some channels are disabled due to a missing security policy.
In run mode, if the primary and standby modules are synchronized, the following items are synchronized via internal protocol:
DNP/IEC event
DNP/IEC event acknowledgement
DNP frozen counter
DNP AII dead band
DNP enable/disable unsolicited
cold/warm start
DNP IIN
IEC MIT (frozen, sequential number)
IEC CRPNA
When a Hot Standby switch-over occurs:
The primary module closes the connection with SCADA.
The secondary module gets the data in value from the PAC to the local database first (AO, BO, String, CMD status, P_ME_A, P_ME_B, P_ME_C, IEC P_AC) and then starts to take over and accept new SCADA connections.
During a switch-over, all server methods report any detected error codes.
With the DNP3 secure authentication enabled, the session key is forced to time out.
For MIT:
--> When Auto Local Freeze is set to auto freeze, the new primary module forces a freeze immediately after switch-over.
--> When Auto Local Freeze is set to freeze by application, if the Freeze Cyclic point value is 1, the new primary module forces a freeze immediately after switch-over.
The new primary module handles the last two cycles' data and generates an event.
For AI, M_ME_A, M_ME_B, and M_ME_C:
--> The second from last cycle before a switch-over is set as the base value, on which the data change check is based.
--> Some of the last two cycles' events may already be synchronized with the standby module, which causes SCADA to receive duplicate events.
If the module time source is set from the RTU protocol, time synchronizes cyclically between primary and standby BMENOR2200H modules via internal protocol.
For the IEC60870-5-101 and IEC60870-5-104 message intervals and background periods, the primary and standby modules do not synchronize timer status information. After switch-over, the first cyclic/background message may not remain in time out. The second cyclic/background message remains in time out according to the user setting.
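The duplicate events described above (the same event, with the same time stamp, delivered again after a switch-over) can be filtered on the receiving side before they reach an event log. The following is an added example, not code from the product documentation; the Event fields, point names and sample values are constructed for illustration.

```python
from collections import OrderedDict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    point: str      # constructed point name, e.g. "AI:12"
    ts_ms: int      # time stamp carried in the event, in milliseconds
    value: float
    flags: int = 0  # quality flags as reported with the event


class SwitchoverDeduper:
    """Suppress events that were already delivered before a switch-over.

    An event is a duplicate only if point, time stamp, value and flags all
    match; a different value at the same time stamp is a distinct event.
    The memory of seen events is bounded, since replays only cover the
    last cycles before the switch-over.
    """

    def __init__(self, max_keys=10000):
        self._seen = OrderedDict()
        self._max = max_keys
        self.suppressed = []  # kept for review, not silently discarded

    def accept(self, ev):
        key = (ev.point, ev.ts_ms, ev.value, ev.flags)
        if key in self._seen:
            self._seen.move_to_end(key)
            self.suppressed.append(ev)
            return False
        self._seen[key] = None
        if len(self._seen) > self._max:
            self._seen.popitem(last=False)  # forget the oldest key
        return True


def dedupe(events, max_keys=10000):
    d = SwitchoverDeduper(max_keys)
    kept = [e for e in events if d.accept(e)]
    return kept, d.suppressed


# Constructed sample: two events are replayed by the new primary module.
SAMPLE = [
    Event("AI:12", 1700000000100, 41.5),
    Event("BI:3", 1700000000150, 1.0),
    Event("AI:12", 1700000000100, 41.5),  # replay after switch-over
    Event("BI:3", 1700000000150, 1.0),    # replay after switch-over
    Event("BI:3", 1700000000150, 0.0),    # same time stamp, new value
    Event("AI:12", 1700000000900, 42.0),
]
```

Keeping the suppressed events in a separate list lets them be correlated with the switch-over time instead of disappearing from the record.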
DNP3/IEC60870-5-101/IEC60870-5-104 Client
For a DNP/IEC client, the primary module typically communicates with the remote server, and the standby module does not establish a connection with the remote IED.
The primary and secondary modules synchronize data from the PAC memory with the local database, but the standby module does not send data to the remote server. Therefore, the remote server receives output data from the primary module only.
When a Hot Standby switch-over happens, the primary module closes the connection with the remote server, and the standby module takes the role of communicating with the remote server.
During a switch-over, if some commands (read class, read group, polling command, control operation) are not finished, a detected error code is returned in DDT instance status. The user can manage the status to re-send commands that did not finish.

