
Failure behavior and switching criteria

The redundancy manager is responsible for monitoring the redundancy state (which computer is active/passive) on both computers. The redundancy manager is started after the drivers. The redundancy manager also monitors the error state of both systems. The errors are configured with a weighting in the system overview panel (please refer to System overview in redundant systems). The error state is determined when initializing and is updated continuously (optimum state is 0). The monitoring can be configured for all managers, TCP connections, selected data point elements, working memory and hard disk capacity.

The following priorities apply for the active/passive state in a redundant system (the passive computer becomes active and the active computer becomes passive):

  • Priority 1: Failure

    Complete failure of a computer, or neither of the redundant network connections exists. If the redundant network connections fail completely, it is no longer possible to switch the control.

  • Priority 2: Manually forced control (set active)

    With this priority it is possible to switch to a computer chosen by a user, if this is still possible via the hardware and software. This priority is to be regarded as a switching of the control: the desired system is set active immediately, independent of the error state.

  • Priority 3: Different error state

    Communication failures of managers, partial failure of a computer (hardware or software). The system switches to the computer with the lower error state.

  • Priority 4: Defining the priority

    Via this priority it is possible to change (switch) the active computer manually. This switch applies only if both computers run error free or have the same error state.

Note

After a switch (active/passive) in the redundancy mode, a general query is initiated by the driver automatically!

 

If one (or several) of the above switching criteria are met, the other computer becomes active and takes control.

The redundancy works independently and does not depend on user inputs and responses. However, certain inputs from users are accepted (please refer to priorities 2 and 4). Manual switching triggered by the user has to be executed in the system overview panel.  

The following responses are triggered when certain managers fail:

  • A complete restart of the project and recovery is executed when the event manager, the data manager, the archive manager and the redundancy managers fail.

  • All other managers are restarted, or no actions are executed, depending on the configuration in the console.

Note

The reaction of an individual manager depends on the start type set in the console (please refer to Administration of managers). The start type of the data manager, the event manager, the archive manager and the redundancy manager is set to "always" by default and cannot be changed, in order to guarantee proper operation in the redundancy case!

Note

If the redundancy partners of a redundant project lose the connection to each other, both WinCC OA projects become active. After the connection is reestablished, the system stops the project with the highest error state, and that project is restarted. With the config entry useOfflineErrorstateInfo, the maximum offline error state can also be considered when calculating the error state.

In case of a connection error during start-up (due to time-out), the passive server tries to restart until a connection can be established successfully. This prevents both servers from switching to active mode.
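The switching priorities 1 to 4 and the reconnect rule described above can be modelled as a small decision function. This is an added illustration, not WinCC OA code: the names `Peer`, `select_active`, `stop_after_reconnect`, `srv1` and `srv2` are hypothetical, and the behaviour where the page gives no rule (both peers failed, equal error states without a preference) is an assumption marked in the comments.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Peer:
    name: str
    alive: bool        # False models priority 1: complete failure of the computer
    error_state: int   # weighted error sum from the system overview; 0 is optimum


def select_active(a: Peer, b: Peer, current: str,
                  forced: Optional[str] = None,
                  preferred: Optional[str] = None) -> str:
    """Return the name of the peer that should be active, by priority 1 to 4."""
    peers = {a.name: a, b.name: b}
    alive = [p for p in (a, b) if p.alive]
    # Priority 1: a failed computer cannot hold control.
    if len(alive) == 1:
        return alive[0].name
    if not alive:
        return current  # assumption: nothing to switch to, state unchanged
    # Priority 2: manually forced control wins regardless of error state.
    if forced in peers:
        return forced
    # Priority 3: the peer with the lower error state takes control.
    if a.error_state != b.error_state:
        return min((a, b), key=lambda p: p.error_state).name
    # Priority 4: a defined preference applies only on equal error state.
    if preferred in peers:
        return preferred
    return current  # assumption: no criterion met, so no switch


def stop_after_reconnect(a: Peer, b: Peer) -> Optional[str]:
    """After a split (both active), name the peer that is stopped and restarted."""
    if a.error_state == b.error_state:
        return None  # assumption: the page does not describe the tie case
    return max((a, b), key=lambda p: p.error_state).name


if __name__ == "__main__":
    # Constructed sample states for two redundant servers.
    s1, s2 = Peer("srv1", True, 0), Peer("srv2", True, 20)
    print(select_active(s1, s2, current="srv2"))                 # srv1
    print(select_active(s1, s2, current="srv1", forced="srv2"))  # srv2
    print(stop_after_reconnect(s1, s2))                          # srv2
```
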

CAUTION

In case of a redundancy switch, the newly started peer should only be set active after the most important period has elapsed (e.g. only after 1 hour). This prevents values of statistical functions from getting lost.

Caution

Local UIs must be started with fixed manager numbers (e.g. "-num 2") to prevent problems with remote UIs in case of a connection loss in a redundant system. If the number is not set, the UI starts, for example, with the number 3. If the system then fails, the number 3 is freed and will be used by a remote UI of the redundant system that is now started. If the stopped system starts again and reestablishes the connection, the UI with number 3 cannot be started because number 3 is already in use.
Additionally, the config entry lowestAutoManNumUI can be used to set the starting number for the automatically assigned manager numbers.

 


V 3.11 SP1

Copyright ETM professional control GmbH 2013 All Rights Reserved