Maintenance Mode is an Enhanced Failover feature that allows you to temporarily suspend synchronization between the two SCADA nodes in an Enhanced Failover pair in order to make changes to your iFIX database. For example, you could use Maintenance Mode to add a database block (using a pre-existing driver I/O address). Driver modifications are not recommended in Maintenance Mode. Any SCADA modifications using Maintenance Mode should be planned ahead of time to minimize disruptions to your network.
IMPORTANT: Maintenance Mode is the only valid and supported way to modify a database on the Enhanced Failover pair. In Maintenance Mode, modifications are done on the primary node. If you do not go into Maintenance Mode to make your changes, you may lose the changes you enter or corrupt the database.
You can initiate Maintenance Mode on the primary SCADA node either locally or remotely from an iClient. When you enter Maintenance Mode, SCADA synchronization temporarily stops; synchronization between the SCADA pair is suspended. Physical file synchronization of the process database (.PDB file) is included in this suspension of synchronization. After Maintenance Mode is enabled, you can make changes to the database on the primary node.
When iFIX security is enabled, you are encouraged to use an Enhanced Failover security area to restrict the remote usage of Maintenance Mode to specified users. When security is enabled on your iFIX nodes, Maintenance Mode can only be enabled if you have access to that Enhanced Failover security area. For information on the security area for Maintenance Mode, refer to the Enhanced Failover Security Area section.
NOTES:
- In Maintenance Mode, the Scan, Alarm, and Control (SAC) program is active on both SCADA nodes. This places an increased load on your PLC network, as the I/O drivers on both nodes are polling at the active rate. Both nodes will generate alarms.
- Since both nodes are SAC-active in Maintenance Mode, this can cause duplicate alarm entries (one from each SCADA node) in the Alarm ODBC service. In addition, Historian tags continue to collect from the primary SCADA node running in Maintenance Mode. You can use the Historian Administrator to force a switch to the redundant collector.
After entering Maintenance Mode, changes to the database can be made on the primary SCADA node only; however, the secondary node remains active and is fully runtime functional. In Maintenance Mode, all iClient applications (except the Database Manager) operate on the secondary SCADA node. All real-time operator interactions, such as alarm acknowledgement and outputs, are performed through the secondary SCADA node and are recorded in the secondary SCADA node's database.
IMPORTANT: Before exiting Maintenance Mode, be sure to save the database on the primary node. Failure to do so can result in database corruption or loss of changes.
Upon exiting Maintenance Mode, alarm acknowledgements and the simulation register changes made on the secondary SCADA node are copied to the primary SCADA node. Then, iFIX copies the database on the primary SCADA node to the secondary SCADA node, including the .PDB file. The primary SCADA node becomes the active node and the secondary SCADA node becomes standby. All iClient (View) node connections display the active SCADA node, which is now the primary node.
NOTE: Some file changes made during Maintenance Mode are not retroactively propagated. For example, if you entered Maintenance Mode to add a new alarm area, after you exit Maintenance Mode from the primary node, you will need to manually copy the *.AAD files from the primary SCADA to the secondary SCADA.
Enabling or Disabling Maintenance Mode
To enable or disable Maintenance Mode, use the SCADA Sync Monitor on the primary node, or the A_MAINTENANCEMODE or F_MAINTENANCEMODE fields of the SCADASync tag in an iFIX picture or an EDA application.
To enable or disable Maintenance Mode locally on the primary SCADA node, use either the SCADA Sync Monitor application (ScadaSyncMonitor.exe) or the SCADASync tag. The Enable or Disable Maintenance Mode button is available in SCADA Sync Monitor on the PDB Synchronization Information screen. The button is available only on the primary node. It does not display on the secondary node.
When iFIX security is enabled, the following two security checks are made when enabling or disabling Maintenance Mode. Unauthorized users are blocked and violations are logged to the Security log.
- The Manual Failover application feature is checked prior to enabling/disabling Maintenance Mode using the SCADASyncMonitor application. The Manual Failover application feature should be assigned to users or groups who are allowed to enable or disable Maintenance Mode using the SCADA Sync Monitor.
- The Enhanced Failover security area is checked prior to enabling/disabling Maintenance Mode using the SCADASync tag. This security area should be assigned to users or groups who are allowed to enable or disable Maintenance Mode using the SCADASync tag.
To enable or disable Maintenance Mode remotely from an iClient, use the SCADASync tag. For information on the SCADASync tag, refer to the Maintenance Mode from Remote iClient section.
The following graphic provides an example of the ScadaSyncMonitor screen with the Enable Maintenance Mode button displayed. For information on SCADA Sync Monitor, refer to the Components of Enhanced Failover section.
Maintenance Mode Steps
When using Maintenance Mode, the following events must occur:
IMPORTANT: It is usually a good idea to disable .PDB file synchronization from the secondary SCADA node to the primary SCADA node. Since we recommend that all database maintenance be performed on the primary node, there is usually no need to copy the .PDB files on the secondary to the primary. Also, the .PDB files on the primary may be overwritten by the (perhaps out-of-date) files on the secondary. So, the recommendation is to disable .PDB file synchronization on the secondary and leave it enabled on the primary. Disabling .PDB file synchronization on the secondary will not prevent the secondary from receiving .PDB files from the primary. It will only keep the secondary from sending its .PDB files to the primary. To do this, modify the ScadaSync.INI on the secondary only. For more information, refer to the Customizing the Synchronization Process with SCADASync.ini section.
- Place the primary
node into Maintenance Mode by clicking the Enable Maintenance Mode button
in SCADA Sync Monitor, or by using the A_MAINTENANCEMODE or F_MAINTENANCEMODE
fields of the SCADASync tag in an iFIX picture or an EDA application. Synchronization between the SCADA nodes is temporarily suspended.
NOTE: When working with large databases that synchronize frequently, it will take longer to switch to Maintenance Mode when the SCADAs are in the middle of a synchronization. If the Primary was the Active SCADA when switching to Maintenance Mode then the ScadaSyncMonitor screen will show a status of ‘PENDING MAINTENANCE MODE’ on the Primary while a synchronization is still in progress. Do not make any changes to the database while in this state, as the Primary is still the Active SCADA. - In Maintenance Mode, all changes must be made to the database on the primary node. Enter your database changes on the primary node either locally from the server, or remotely from an iClient. When entering changes remotely, open the primary database on the iClient node (assuming you have the network privileges to do so) to make your changes.
- Save your database on the primary node.
- After your changes
are completed, take the primary node out of Maintenance Mode by clicking
the Disable Maintenance Mode button in SCADA Sync Monitor or by using
the A_MAINTENANCEMODE or F_MAINTENANCEMODE fields of the SCADASync tag
in an iFIX picture or an EDA application.
NOTE: As with switching into Maintenance Mode, an Enhanced Failover pair with a large database may take longer to exit Maintenance Mode and switch the primary back to Active. - Alarm acknowledgements and simulation register changes are copied from the secondary node to the primary node.
- The databases are re-synchronized.
- The primary node becomes the active node. The secondary node becomes standby node. All iClient (View) node connections display the primary SCADA node.
NOTES:
- Client applications running locally on the SCADA nodes are dependent on an operational iFIX networking path between the SCADA nodes. Ensure that after a disruption of the synchronization path followed by a disruption of the iFIX network path that both network paths are once again operational. When only the synchronization path is restored, and the iFIX network path between the SCADAs remains bad, the client applications on the local SCADA can only connect to the local SCADA. In this situation, the client applications on the standby SCADA are not able to “write” to the SCADA node. To check the iFIX networking path between the SCADA nodes, run NetHis.EXE on each SCADA node. The partner SCADA node should be listed as an established connection.
- Any database changes made by clients, EDA programs, or schedules to the secondary node are lost when Maintenance Mode ends. For example, if you added a block to the Secondary node database, that change would be gone when the primary node leaves Maintenance Mode and becomes active.
- For more up to date information on Maintenance Mode, refer to our Knowledgebase.
See Also
Database Synchronization Status
Diagnostics with the SCADA Sync Monitor
