Factory automation systems are increasingly being integrated with communication networks. Control systems are being implemented on networks for remote monitoring and control of devices, processes, etc. Failures of the primary mode controller that could shut down the control system are avoided by keeping a back-up controller readily available in hot/active standby mode to replace the failing primary mode controller. Even with system redundancy, it is important that any system failures be repaired expeditiously in order to reduce the probability of a system outage.
Controllers such as programmable logic controllers (PLCs) have been implemented in duplex or back-up system configurations where downtime of a system cannot be tolerated. Such a control system delivers high reliability through redundancy. Generally, the duplex configuration incorporates a pair of PLCs assembled in a hot or active standby configuration, where one PLC is operating in a primary mode and the other PLC is functioning in a secondary or standby/backup mode. The primary controller runs an application by scanning a user program to control and monitor a remote input/output (I/O) network. The other (secondary) controller acts as the active standby controller. The standby controller does not run the application and does not operate the remote I/O devices. The standby controller is updated by the primary controller with each scan. The standby controller is then ready to assume control of the control system within one scan if the primary controller fails to operate or is removed from operation.
The primary and secondary controllers are interchangeable and can be swapped or switched when desired. Either controller can be placed in the primary state. The active standby configuration requires the non-primary controller to be placed in the standby mode to secure the system's redundancy. The controllers continuously communicate with each other to ensure the operability of the control system. The communication among the controllers is used to determine if a swap of the controllers should be initiated due to a system failure or by election of an operator.
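The following Python model is an added illustration of the hot standby behaviour described above (per-scan state transfer, switchover within one scan, operator-elected swap); it is not code from the original text. The class names, the health flag and the contents of the state image are assumptions chosen for the sketch.

```python
from dataclasses import dataclass, field
from enum import Enum

class Mode(Enum):
    PRIMARY = "primary"
    STANDBY = "standby"
    OFFLINE = "offline"

@dataclass
class Controller:
    name: str
    mode: Mode
    healthy: bool = True
    state: dict = field(default_factory=dict)  # application state image

    def scan(self, inputs):
        # Hypothetical user program: count scans and latch the I/O inputs.
        self.state = {"scan": self.state.get("scan", 0) + 1, "inputs": dict(inputs)}
        return dict(self.state)  # copy transferred to the standby

class HotStandbyPair:
    def __init__(self):
        self.units = [Controller("A", Mode.PRIMARY), Controller("B", Mode.STANDBY)]

    def in_mode(self, mode):
        return next((c for c in self.units if c.mode is mode), None)

    def swap(self, failed=False):
        # Used for both failure-driven switchover and operator-elected swaps.
        old, new = self.in_mode(Mode.PRIMARY), self.in_mode(Mode.STANDBY)
        if new is None or not new.healthy:
            raise RuntimeError("no healthy standby: redundancy lost")
        old.mode = Mode.OFFLINE if failed else Mode.STANDBY
        new.mode = Mode.PRIMARY

    def cycle(self, inputs):
        # Switchover happens before the scan, so control resumes within one scan.
        if not self.in_mode(Mode.PRIMARY).healthy:
            self.swap(failed=True)
        primary = self.in_mode(Mode.PRIMARY)
        image = primary.scan(inputs)
        standby = self.in_mode(Mode.STANDBY)
        if standby is not None and standby.healthy:
            standby.state = image  # standby is updated with each scan
        return primary.name, image["scan"]
```

Once the failed unit is offline, a second failure raises an error instead of switching over, which is why the inoperative controller has to be repaired promptly.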
Even with a primary/secondary controller configuration where the inoperative controller can be removed from service, it is important that an inoperative controller be repaired in order to provide the reliability that operators often expect. A controller typically includes a number of circuit packs, e.g., a central processor unit (CPU) module and a communication module that interfaces with external devices. In order to repair an inoperative controller, a detected faulty module is typically replaced with an operative module. However, a controller functions in a specific control environment; consequently, an inserted circuit pack is typically configured for the control environment.