When it comes to engineering control systems for fault conditions, there are many types of redundancy: cold, warm and hot. Which one is used depends on the criticality of the process and the consequences of equipment failures. And failures are inevitable.
Some processes require less intervention (cold redundancy - a pump failure on a holding tank) while some cannot tolerate any failures or delays (hot redundancy - communication systems processor failures). Some are in the middle where automatic action is necessary but the response time is not critical.
Redundancy in engineering systems is about providing reliability and a process alternative to a failing condition.
An alternative response can be designed into a system at the component level (i.e. two processors, two pumps) or at the process level (i.e. two process trains).
The amount of redundancy can be priced in dollar terms which is the total of the extra equipment, installation and manpower. For some critical operations, the total price cannot be tallied because the consequences are too large and the public relations fallout too great (i.e. pipeline leaks). Redundancy helps to ensure business continuity.
Cold redundancy is for non-critical processes where time is not a high priority and human intervention is acceptable.
As an example, if a pressing machine fails, the automation system should notify the operator and issue an alarm. A simple response may be to cut the power supply and display a red alarm light. The operator can resume operation by simply starting another unit and requesting service for the failed unit.
When time and response to a failure are more important but not critical, a warm redundancy strategy may suffice, provided a temporary outage is acceptable.
As an example, if a valve fails to operate on a fluid transfer system, the pump can be disabled and the system shut down. Depending on the process, the product may have a finite period in which it will not be damaged, contaminated or start to deteriorate.
The cycle can tolerate a few seconds or minutes of interruption but the process must be restored quickly and automatically to avoid any integrity issues.
PLC redundancy in warm systems usually operates in shadow mode, where both processors run identical software and share a heartbeat signal from the primary to the secondary.
An interruption in control on the primary results in the secondary assuming control. Depending on the process train and components, extra arbitration circuitry may be needed to multiplex the control signals.
THINGS THAT GO BUMP - Since a fault can happen at any moment during a program scan, it may take a few program scans for the changeover to complete. The standby processor may have incomplete or stale data, which may result in a process bump and a glitch in the product.
Warm and hot redundancy are similar in architecture, but hot redundancy offers instant process correction when a failure is detected.
For example, in a mining or ore operation, if a primary controller for a conveyor fails, a backup one should immediately assume control to avoid any delays in the transfer.
The PLC programming software and hardware coordination must be solid to allow for constant messaging between processors and access to common data, so that the transition is smooth.
Data can be transferred between processors or accessed through a common database located on the network. Either way, the secondary processor must know, for every logic cycle, where the primary left off.
Data can be transferred at the end of each program scan. This is the most popular method: the data is transferred to the other processor before the next scan begins.
Program control must be designed properly, since the combined program scan and data transfer time may exceed the critical timing of the specific application. One way to minimize the scan time is to execute each ladder rung only when its logic condition has changed.
Some PLCs come with two processors in the same unit. One is dedicated to program execution and the other to data transfer to the backup PLC. Program design is simplified as it does not need to be optimized for scan time.
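The heartbeat failover and end-of-scan data transfer described above (shadow mode, missed heartbeats, stale standby data and the resulting process bump) can be seen in a small simulation. This is an added example, not code from the original article or from any PLC vendor; the controller model, the single-register "conveyor count" program, the scan-indexed failure and the heartbeat timeout are all constructed assumptions. It runs three configurations: warm redundancy with a per-scan transfer, warm redundancy with a stale standby, and hot redundancy with a one-scan heartbeat timeout, and reports how many scans were lost and how far the final process value drifted from what an uninterrupted controller would have produced.

```python
"""Warm/hot PLC redundancy simulation: heartbeat-driven failover with end-of-scan
data transfer. Added illustration only; controller model, register names, scan
timing and failure point are constructed assumptions, not any vendor's behaviour."""
from dataclasses import dataclass, field


@dataclass
class Controller:
    """One PLC processor holding a process image (I/O and internal state)."""
    name: str
    registers: dict = field(default_factory=dict)
    scans_completed: int = 0
    alive: bool = True      # False once the processor has faulted
    active: bool = False    # True for the processor currently in control

    def scan(self, sensor_input: int) -> None:
        # Constructed control program: accumulate a running count (e.g. items on a
        # conveyor) and remember the last input. One unit of work per program scan.
        self.registers["last_input"] = sensor_input
        self.registers["total"] = self.registers.get("total", 0) + sensor_input
        self.scans_completed += 1


def run_redundant_pair(inputs, fail_at_scan, heartbeat_timeout, sync_interval):
    """Run a primary/secondary pair over one sensor value per scan.

    - The primary scans and, every `sync_interval` scans, copies its process image to
      the secondary at the end of the scan (sync_interval=1 is the end-of-scan
      transfer described in the text; 0 means the standby is never updated).
    - The primary faults just before scan index `fail_at_scan`: it stops scanning and
      stops sending heartbeats.
    - The secondary counts missed heartbeats and assumes control once
      `heartbeat_timeout` heartbeats in a row have been missed.
    Returns the failover scan, scans with nobody in control, the final process value,
    the value an uninterrupted controller would hold, and the difference (the "bump").
    """
    primary = Controller("primary", active=True)
    secondary = Controller("secondary")
    missed_heartbeats = 0
    lost_scans = 0
    failover_scan = None
    expected_total = 0

    for scan_idx, value in enumerate(inputs):
        expected_total += value
        if primary.alive and scan_idx == fail_at_scan:
            primary.alive = False          # fault: no scan, no heartbeat from here on
        if primary.alive:
            primary.scan(value)
            if sync_interval and primary.scans_completed % sync_interval == 0:
                # End-of-scan transfer: standby image mirrors the primary before next scan.
                secondary.registers = dict(primary.registers)
            missed_heartbeats = 0          # heartbeat received this scan
        elif secondary.active:
            secondary.scan(value)          # secondary now runs the program
        else:
            # Nobody in control: heartbeat missing, secondary still arbitrating.
            missed_heartbeats += 1
            lost_scans += 1
            if missed_heartbeats >= heartbeat_timeout:
                secondary.active = True
                failover_scan = scan_idx

    in_control = secondary if secondary.active else primary
    final_total = in_control.registers.get("total", 0)
    return {
        "failover_scan": failover_scan,
        "lost_scans": lost_scans,
        "final_total": final_total,
        "expected_total": expected_total,
        "bump": expected_total - final_total,
    }


def compare_strategies():
    """Constructed scenario: ten scans of one item each, primary faults before scan 4."""
    inputs = [1] * 10
    return {
        "warm, synced every scan":  run_redundant_pair(inputs, 4, heartbeat_timeout=2, sync_interval=1),
        "warm, standby never synced": run_redundant_pair(inputs, 4, heartbeat_timeout=2, sync_interval=0),
        "hot, one-scan timeout":    run_redundant_pair(inputs, 4, heartbeat_timeout=1, sync_interval=1),
    }


if __name__ == "__main__":
    for label, result in compare_strategies().items():
        print(f"{label:28s} failover@{result['failover_scan']} lost={result['lost_scans']} "
              f"final={result['final_total']} expected={result['expected_total']} bump={result['bump']}")
```

The bump has two sources that the output separates: scans lost while the secondary is still waiting out the heartbeat timeout (the changeover delay the text mentions), and the staleness of the standby's data at the moment it takes over. Shortening the timeout reduces the first; transferring the process image at the end of every scan removes the second, at the cost of the extra transfer time that the text warns must fit inside the application's critical timing.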
Redundancy in industrial control systems is critical for the safety of equipment, employees and even the public. Three types of redundancy can be used, depending on how critically the process needs to be controlled. Understanding and implementing the right redundancy strategy will result in a system that stays reliable when equipment fails. And everything will eventually fail.