Overview

In a running Hot Standby system, you can perform the following actions (in either the primary or standby rack, cabled or not cabled) without causing a Hot Standby switch-over or a duplicate IP address:

  • hot-swap a BMENOR2200H module

  • remove or reconnect a cable to a BMENOR2200H module

When you clear a detected fault on a BMENOR2200H in a standby rack (network cabling cut, power off, hot swap), this action does not affect the Hot Standby primary operation; in other words, no primary stop or shutdown, no I/O bump, and no switch-over occurs. The RTU module can switch its servers or SCADA connections smoothly during a Hot Standby switch-over.

NOTE:
  • During a Hot Standby swap of the BMENOR2200H module, all values are set to 0 in its Hot Standby diagnostics table.

  • The CPU automatically switches over under some conditions, but a detected error (for example, in the xxxx module) may stop the switchover. You may have to configure some logic to specifically detect the status of the module to trigger the intended switchover.

Hot Standby RTU Service

In a Hot Standby system, the input I/O image (••••_CONN Device DDT) is synchronized cyclically between the M580 primary and standby PACs.

The content of the diagnostic Device DDT does not need to be exchanged between the primary and standby RTU modules.

Confirm that only the first section in the standby CPU is running.
NOTE: An error is detected if you update the RTU Ethernet variables in the first section in the standby CPU.

DNP3/IEC60870-5-101/IEC60870-5-104 Server

With a DNP3, IEC60870-5-101, or IEC60870-5-104 server, only the primary module works as usual in a Hot Standby system, and the standby module has no communication with SCADA connections.

  • When the DTM configuration, security mode, and firmware version of the primary module are the same as those of the standby module, the two modules can synchronize. In this case, the primary module synchronizes the event history and internal data (unsolicited state, frozen counter, ...) with the standby module.

    NOTE: Confirm that the primary and standby modules have the same cyber security configurations. If they have different configurations, the modules could still synchronize, but they may not work properly because some channels are disabled due to a missing security policy.
  • In run mode, if the primary and standby modules are synchronized, the following items are synchronized via internal protocol:

    • DNP/IEC event

    • DNP/IEC event acknowledgement

    • DNP frozen counter

    • DNP AII dead band

    • DNP enable/disable unsolicited

    • cold/warm start

    • DNP IIN

    • IEC MIT (frozen, sequential number)

    • IEC CRPNA

  • When a Hot Standby switch-over occurs:

    • The primary module closes the connection with SCADA.

    • The secondary module gets the data in value from the PAC to the local database first (AO, BO, String, CMD status, P_ME_A, P_ME_B, P_ME_C, IEC P_AC) and then starts to take over and accept new SCADA connections.

    • During a switch-over, all server methods report any detected error codes.

    • With DNP3 secure authentication enabled, the session key is forced to time out.

    • For MIT:

      --> When Auto Local Freeze is set to auto freeze, the new primary module forces a freeze immediately after switch-over.

      --> When Auto Local Freeze is set to freeze by application, if the Freeze Cyclic point value is 1, the new primary module forces a freeze immediately after switch-over.

    • The new primary module handles the last two cycles' data and generates an event.

    • For AI, M_ME_A, M_ME_B, and M_ME_C:

      --> The second from last cycle before a switch-over is set as the base value, on which the data change check is based.

      --> Some of the last two cycles' events may already be synchronized with the standby module, which causes SCADA to receive duplicate events.

  • If the module time source is set from the RTU protocol, time synchronizes cyclically between primary and standby RTU modules via internal protocol.

  • For the IEC60870-5-101 and IEC60870-5-104 message intervals and background periods, the primary and standby modules do not synchronize timer status information. After switch-over, the first cyclic/background message may not remain in time out. The second cyclic/background message remains in time out according to the user setting.

DNP3/IEC60870-5-101/IEC60870-5-104 Client

For a DNP/IEC client, the primary module typically communicates with the remote server, and the standby module does not establish a connection with the remote IED.

  • The primary and secondary modules synchronize data from the PAC memory with the local database, but the standby module does not send data to the remote server. Therefore, the remote server receives output data from the primary module only.

  • When a Hot Standby switch-over happens, the primary module closes the connection with the remote server, and the standby module takes the role of communicating with the remote server.

  • During a switch-over, if some commands (read class, read group, polling command, control operation) are not finished, a detected error code is returned in the DDT instance status. We recommend that you manage the status to re-send commands that did not finish.

NOTE:
  1. Confirm that the link status period of client and server is set to a non-zero value, such as 2s. If the link status period is set to zero, during a Hot Standby switch-over, the module cannot create a new connection because the old connection is not in time out.

  2. Event backup is not supported in a Hot Standby system. When this function is enabled in a standalone system in which the CPU is replaced with a Hot Standby CPU, the event backup function is automatically disabled.

  3. For IEC60870-5-101 and IEC60870-5-104, the client does not immediately send an event acknowledgement; the timing depends on the W value (maximum unacknowledged received APDUs) and the T2 S frame period (the time to wait before sending a supervisory APDU acknowledgement). During a Hot Standby module hot swap, the client may receive duplicate events because an event is not acknowledged before the hot swap.

  4. For DNP3, IEC60870-5-101, and IEC60870-5-104, the event acknowledgement in the last cycle may not have synchronized from primary to standby. This also causes SCADA to receive a duplicate event, which has the same time stamp.

  5. For

    IEC60870-5-101 (via RS232) is not supported in a Hot Standby system.
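
The duplicate events described above (re-sent with the same time stamp after a switch-over or hot swap) can be filtered on the receiving side so that the event record keeps one entry per event. The following is an added example, not Schneider Electric code: the Event fields, point names, retention window and sample stream are assumptions made for illustration.

```python
from collections import OrderedDict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    point: str        # hypothetical point name, e.g. "AI:3"
    value: float
    event_ts_ms: int  # time stamp carried inside the DNP3/IEC event


class EventDeduplicator:
    """Drop events already seen with the same point, value and time stamp."""

    def __init__(self, retention_ms=60_000):
        self.retention_ms = retention_ms
        self._seen = OrderedDict()  # Event -> receive time, oldest first

    def accept(self, event, received_ms):
        # Forget keys older than the retention window so memory stays bounded.
        while self._seen:
            seen_at = next(iter(self._seen.values()))
            if received_ms - seen_at <= self.retention_ms:
                break
            self._seen.popitem(last=False)
        if event in self._seen:
            return False  # re-sent after switch-over or hot swap
        self._seen[event] = received_ms
        return True


def split_duplicates(records, retention_ms=60_000):
    """records: (received_ms, Event) pairs in arrival order."""
    dedup, kept, dropped = EventDeduplicator(retention_ms), [], []
    for received_ms, event in records:
        (kept if dedup.accept(event, received_ms) else dropped).append(event)
    return kept, dropped


# Constructed sample: the connection closes after 1200 ms and the new primary
# re-sends events from the last two cycles when SCADA reconnects at 3500 ms.
SAMPLE = [
    (1000, Event("AI:3", 21.5, 900)),
    (1000, Event("BI:7", 1, 950)),
    (1200, Event("AI:3", 21.9, 1100)),
    (3500, Event("BI:7", 1, 950)),      # duplicate, same time stamp
    (3500, Event("AI:3", 21.9, 1100)),  # duplicate, same time stamp
    (3600, Event("AI:3", 22.4, 3550)),  # new event from the new primary
    (3600, Event("AI:3", 22.6, 3550)),  # same time stamp, new value: kept
]
```

Keeping the dropped list rather than discarding it lets an operator confirm that the suppressed entries line up with a known switch-over or hot swap.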