Redundant PM866 restart after power shutdown
In a DCS installation with 800xA – AC800M (PM866) – S800I/O we were testing the battery operation after power shutdown. In all tests the batteries were connected continuously with or without the DC 24V power.
When the controller pair was restarted simultaneously, it was operating with the same order of primary – secondary controller as it was before the shutdown.
In our case, due to a power loss of all upper controllers, this order was Lower = primary, Upper = secondary. Therefore after the shutdown the order remained as described before.
As we wanted to reverse the order of primary controller (to use the upper), we started the upper first, to wait for it to become primary and after that restart the secondary.
Then we noticed that the upper controller could not start as it had no program stored in its memory.
We thought it was a battery problem. Then we started the Lower controller and it started normally.
We tried the same test on 3 controller pairs; all showed the same result.
Then we came to an arbitrary conclusion that the controllers must restart together as a pair and the order of primary – secondary will be the same as it was before the power shutdown.
As I could not find this information in the AC800M manuals, can you kindly confirm this is correct behavior and our conclusion is correct?
Please let me know if you need any more data or information.
PS: I had a very bad experience with Li battery failure in 2 other cases, even though I never had a message for battery failure before. For that reason we test the batteries when the plant is in maintenance and we can shut down the controllers.
Voted best answer
Another way to switch the primary controller is from the Control Builder, in Online Mode, left click on the PM866 hardware -> Redundancy -> Switch Primary.
You can power off the primary controller so the backup controller takes over as primary.
The behaviour you are having in your test is, for me, ok considering the way controllers work: one of them is primary and the other has the necessary information to be a backup; for example, the backup controller remains with an IP address not in the range of the RNRP address. So if you power off both of them and then first start the one which was the backup, it will start with no program. In addition, I don't remember exactly, but I think if you then start the other controller, it will become backup of the first and the pair will have lost the program; you will need to make a cold restart of them...
Either both CPUs must get power back at the same time, or the former primary must get power first. If the former backup CPU gets power first, it doesn't know if maybe the former primary managed to perform some steps or execute code after the backup lost power; hence the controller will start with a Controller reset and the memory will be empty. A cold download is needed.
In the later system versions there is a delay that allows the backup CPU to get power up to 30s before the primary and still the former primary will start to execute as primary.
Just as said by others, to switch primary CPU, simply push init on the primary CPU or use CB to switch.