ControlLogix 5590 High Availability Systems

Controller Switchovers

While redundant chassis are operating normally, a fault on the primary chassis causes control to switch to the secondary chassis. This process is called a switchover. Switchovers occur as fast as 20 ms.

Causes of a Switchover or Disqualification

These conditions cause a switchover:

Loss of power

Major fault on the controller

Removal or insertion of any module

Failure of any module

Loss of connection between redundancy modules

Loss of connection between embedded Ethernet ports on the controller when Front Port Crossload mode is enabled

Loss of an

EtherNet/IP™

connection

The loss of an

EtherNet/IP™

/IP connection only causes a switchover if it results in a lonely state. In a lonely state, the

EtherNet/IP™

module cannot see any devices on the network.

A program-prompted command to switchover

A command that is issued via the

FactoryTalk® Linx

Redundancy Module Configuration Tool (RMCT)

Operation After a Controller Switchover

After a switchover occurs, the new primary controller continues to execute programs. For more information about how standard tasks execute after a switchover, see Crossloads, Synchronization, and Switchovers for Standard Tasks.

IMPORTANT: If you require communication messaging to point to the primary controller when reading/writing to the redundancy system, do not target message instructions to modules in the secondary chassis.

Your application can require some programming considerations and potential changes to accommodate a switchover. For more information on these considerations, see Program Logic to Run After a Switchover.

Because 1756-RM3 modules do not experience a switchover, there is no scan time delay.

Possible Communication Delays During a Switchover

A brief communication interruption up to 30 seconds occurs between

FactoryTalk® Linx

software and the redundant chassis pair when a switchover occurs. After the switchover is complete, communication resumes automatically. These connection types can experience the communication delay when the switchover occurs:

HMI to redundant chassis pair

FactoryTalk®

Batch server to redundant chassis pair

FactoryTalk®

Alarms and Events Service to redundant chassis pair

Reduce Data Server Recovery Time

Any software that uses tag data, such as HMI displays, data loggers, alarm systems, or historians requires data server recovery time. Data server recovery time reduction is important to increase the availability of the system.

To help reduce data server recovery time during a switchover, you can configure redundant controller shortcut paths between a

FactoryTalk® Linx

data server and a redundant

ControlLogix®

controller. Redundant controller shortcut paths are available in

FactoryTalk® Linx

version 6.00 or later. For details about how to implement this feature, see the FactoryTalk Linx Getting Results Guide, publication LNXENT-GR001.

IMPORTANT: The communication modules that are used for this shortcut path cannot be configured for IP address swapping mode.

Switchover Response to Switch Position Mismatch

The position of the switches on redundant controllers must match. Mismatched switch positions affect the switchover response, as described in the following table.

Switchover Response to Switch Position Mismatch
Switch Position on Primary Controller	Switch Position on Secondary Controller	Primary Controller Response	Secondary Controller Response
RUN	REM (Run)	Primary becomes secondary and synchronizes.	Secondary becomes primary with the system in RUN mode.
REM (Run)	RUN	Primary becomes secondary and synchronizes.	Secondary becomes primary with the system in RUN mode.
RUN	PROG	Primary becomes secondary and synchronizes.	Secondary becomes primary with the system in PROGRAM mode.
REM (Run)	PROG	Primary becomes secondary and synchronizes.	Secondary becomes primary with the system in PROGRAM mode.
PROG	REM (Run)	Primary becomes secondary and synchronizes.	Secondary becomes primary with the system in PROGRAM mode.
REM (Program)	PROG	Primary becomes secondary and synchronizes.	Secondary becomes primary with the system in PROGRAM mode.
PROG	RUN	Primary becomes secondary and does not synchronize.	Secondary becomes primary with a major fault in the new primary: (Type 12) Redundancy Fault (Code 34) keyswitch in RUN invalid on switchover.
REM (Program)	RUN	Primary becomes secondary and does not synchronize.	Secondary becomes primary with a major fault in the new primary: (Type 12) Redundancy Fault (Code 34) keyswitch in RUN invalid on switchover.

Redundant Chassis Operation

Provide Feedback

Have questions or feedback about this documentation? Please submit your feedback here.