The redundancy manager is responsible for monitoring the redundancy
state (which computer is active/passive) on both computers. The
redundancy manager is started after the drivers. The redundancy
manager also monitors the error state of both systems. The errors
are configured with a weighting in the system overview panel (please
refer to System overview in redundant systems). The error state is
determined when initializing and is updated continuously (optimum
state is 0). The monitoring can be configured for all managers, TCP
connections, selected data point elements, working memory and hard
disk capacity.
The following priorities apply for the active/passive state in a
redundant system (the passive computer becomes active and the active
computer becomes passive):
Note
After a switch (active/passive) in the redundancy
mode, a general query is initiated by the driver automatically!
If one (or several) of the above switching criteria
are met, the other computer becomes active and takes control.
The redundancy works independently and does
not depend on user inputs and responses. However, certain inputs
from users are accepted (please refer to priorities 2 and 4).
Manual switching triggered by the user has to be executed in the
system overview panel.
The following responses are triggered when
certain managers fail:
A complete restart of the project and recovery is executed
when the event manager, the data manager, the archive manager
and the redundancy managers fail.
All other managers are restarted, or no action is executed,
depending on the configuration in the console.
Note
The reaction of the individual manager depends
on the setting of the start type in the console (please refer
to Administration of managers). The start type of the data
manager, the event manager, the archive manager and the
redundancy manager is set to "always" by default and cannot
be changed, in order to guarantee proper operation in the
redundancy case!
Note
If the redundancy partners of a redundant project
lose the connection to each other, both WinCC OA
projects become active. After reestablishing the connection
to each other, the system stops the project with the highest error
state and the project will be restarted. With the config entry
useOfflineErrorstateInfo, the maximum offline error state can
also be considered when calculating the error state.
In case of a connection error during start-up (due to time-out),
the passive server tries to restart until a connection can be
established successfully. This prevents both servers from switching
to active mode.
CAUTION
In case of a redundancy switch, the newly started
peer should only be set active after the most important period
has elapsed (e.g. only after 1 hour). This prevents
values of statistical functions from getting lost.
Caution
Local UIs must be started with fixed manager
numbers (e.g. "-num 2") to prevent problems with remote UIs
in case of a connection loss of a redundant system. If the number
is not set, the UI starts, for example, with the number 3. If the
system then fails, the number 3 is set free and will be
used by a remote UI of the now started redundant system. If the
stopped system starts again and reestablishes the connection,
the UI with number 3 cannot be started because number 3 is
already in use.
Additionally, the config entry lowestAutoManNumUI
can be used to set the starting number for the automatically assigned
manager numbers.