Centralization or decentralization for control center networks

When planning a network of several control centers, numerous questions arise: what is the best way for the control centers to work together? How can overload situations be absorbed by the network? How do we achieve optimal reliability and how can operations be maintained if a failure should occur? This article will examine the tactical, technical and organizational aspects of planning a control center network based on two architectural strategies: centralization and decentralization.

Option #1
CENTRALIZED SYSTEMS WITH OPTIONAL DECENTRALIZED FALLBACK LEVEL

When following a centralized strategy, a central location is chosen for the complete server infrastructure. The fallback level for the data center is divided among two or more physical locations to maintain data integrity in the event of a partial failure (cluster quorum). The sites are sized so that one site can carry the entire load and are accessed via high-speed WAN connections with sufficient performance, stability and redundancy to support the operations of multiple control centers.

Tactical aspects

Centralized technology can be used to implement functions that add tactical value to day-to-day incident handling by ensuring continuous data synchronization and fast internal communication through instantaneous data updates. During normal operations, for example, the joint handling of incidents in the border area between control centers is carried out seamlessly and without the need for additional data transmission interfaces. This means that for people who find themselves in an emergency situation, alerting among the control centers is completed without delay.

If one control center experiences an overload (e.g., local events with a high call volume), overflow and escalations to other control centers are possible without manual intervention. This means that the manpower of the entire network is available to assist in dealing with the surge.

Centralization also offers advantages in disaster situations that require the control center to be evacuated, such as the discovery of a bomb, a bomb threat, a pandemic or a power failure, or if the control center is destroyed by fire, water, natural disasters or attacks. Substitute operations can be put into effect, and ongoing incidents can be handled from other control centers without loss of data.

By providing additional workstations, centralized technology gives the network added flexibility and efficiency in especially precarious situations. Since a WAN connection to the control center is the only technical requirement, workstations that need to be relocated quickly, such as those in situation centers or schools, can be equipped with standard hardware.

Technical and organizational aspects

Centralized technology makes it possible to implement a geo-redundant, resilient infrastructure capable of disaster-recovery. Because control centers are classified as critical infrastructure and have the potential to be certified according to the BSI IT-Grundschutz Compendium, it is important to take these issues into account.

By expanding the infrastructure at two or more sites, technical measures such as redundant power supplies, industry standard air and fire systems as well as perimeter protection can be implemented at these sites rather than at all locations, resulting in a considerable reduction in the overall cost.

Growing demands for high availability infrastructure and continuous service during software maintenance make cluster systems and application architectures more complex and the provision of qualified operational staff at each site more difficult. By following the strategy of enhanced architecture at two or three sites, operating personnel for IT and application infrastructure can be concentrated at these locations.

The risk of disruption to the WAN connection cannot, however, be completely ruled out. For this reason, mitigating measures for the loss of the WAN connection to one or more sites must be planned in advance. Concepts are possible in which the affected area can be covered by one or more control centers so that everyone continues to work on the same data set and ongoing incidents can be processed without complications or loss of data.

Optional decentralized fallback level for local autonomy

If, despite these extensive measures, there is a need for the control center to be locally autonomous, a decentralized fallback level can be implemented to meet this requirement. This level is replicated asynchronously, unidirectionally and with a time lag of just a few seconds. If required, the processing of ongoing incidents can be activated on the fallback level and switched to the decentralized fallback level via locally connected interfaces such as telephony, hazard detection systems and alarm systems. The decentrally processed insidents can be transferred back to the productive main system as required.

Option 2:
DECENTRALIZED TECHNOLOGY

In the case of purely decentralized technology, the entire server infrastructure required for autonomous operation is installed in each control center location. As a rule, the technology is distributed across two server rooms, and designed so that one server room can carry the entire load. Workstation access occurs through a local network which reduces dependencies on external WAN connections.

Tactical aspects

Cross-control center collaboration can also be implemented with dedicated decentralized technology. However, the functions are implemented via data exchange interfaces instead of accessing the same database and incidents or other data remain inaccessible until released or transferred from one control center to another.

Cross-control center cooperation is possible in overload situations, although overflow and escalation functions cannot be implemented, or only in a very specific manner, due to the separate databases.

With entirely decentralized technology, the scenarios for evacuating the control center require special advance planning and preparation. Without permanent synchronization of the data to a constantly operational second site, operation continuity is at risk.

Technical and organizational aspects

The main advantage of decentralization is local control center autonomy. Regardless of possible events in the associated organizational structure, the control center is able to operate independently.
Following a centralized strategy with a decentralized emergency system, local autonomy can only be achieved by switching to the decentralized fallback level.

At the same time, the ramifications of complete local autonomy must be considered. Practicalities prevent the implementation of an infrastructure that is geo-redundant, resilient and capable of disaster recovery at every site, as do the associated costs. This brings complications with regards to BSI IT-Grundschutz certification, which requires geo redundancy for the entire network and the technical and organizational processes for evacuating the control center as well as for disaster recovery.

Implementation of cross-control center functions is only possible through the use of supplementary interfaces for data exchange, although technical limits and restrictions, such as the complexity of text input synchronization in real time via a data exchange interface, must be taken into account.

Recommendation from eurofunk

Both options from our solution portfolio have been used in numerous projects. Based on many years of experience, eurofunk recommends implementing a central productive system in junction with a decentralized fallback system:

• Tactical and organizational advantages speak clearly for this strategy which provides added value to the control center, the users, and thus also the population, well over 99% of the time.
• Future system improvements, such as the addition of a new interface, can be carried out in one place with much less effort in centralized systems and are immediately available to all control centers.
• Problems associated with availability, bandwidth, redundancy and costs of the required WAN are negligible.
• If a disaster occurs, the decentralized fallback level ensures operational reliability and the local autonomy of the control center.