The Problem
Industrial plants operating modern IT/OT integration face a critical resilience gap: when enterprise systems (ERP, cloud, corporate networks) become unreachable due to network partitions, GC pauses, or infrastructure failures, plant operations typically suffer blocked producers, data loss, or forced shutdowns. Existing synchronous bridges and simple message buses violate the fundamental requirement that each zone must survive the other's unavailability without data loss or deadlock.
The Solution
The Bidirectional Store-and-Forward Gateway (BSFG) is a hexagonal boundary primitive that decouples connectivity from communication. It implements a four-buffer topology (Ingress Store/Forward, Egress Store/Forward) enabling autonomous operation: when the boundary seals, both zones continue operating using local durable buffers; when reconnected, they achieve eventual consistency without duplication.
Core Mechanism: Asynchronous store-and-forward with configurable idempotency keys (content-hash or explicit event IDs) eliminates the need for active reconciliation workers. Data producers complete upon local durable write; consumers read from local staging buffers with zero network dependency.
Key Constraints & Guarantees
| Guarantee | Mechanism |
|---|---|
| Producer Non-Blocking | Local write-ahead logs (ISB/ESB) ensure completion regardless of remote availability |
| Effectively-Once Boundary | Atomic putIfAbsent at Forward Buffers with configurable idempotency keys |
| Fast Swappability | Hexagonal architecture: any conforming storage adapter interchangeable via narrow interfaces |
| No Shared State | Transactional autonomy per zone; no 2PC or distributed transactions |
Explicit Exclusions: No synchronous RPC coupling, no global total ordering, no semantic transformation at boundary, no infinite durability (TTL-enforced), no end-to-end exactly-once (application-level idempotency required downstream).
Standards Alignment
Compliant with ISA-95 Level 3/4 boundaries, IEC 62264 Gateway specifications, OPC UA PubSub Store-and-Forward (IEC 62541-14), and Enterprise Integration Patterns (#101 Guaranteed Delivery, #128 Gateway, #201 Idempotent Receiver).
Outcome
Continuous plant operation regardless of enterprise IT availability, with guaranteed eventual consistency and bounded recovery times.
For implementation details using NATS and JetStream, see NATS/JetStream Reference.
System Topology
EXTERNAL ZONE (Enterprise IT)         INTERNAL ZONE (Plant OT)
┌─────────────────────────┐           ┌─────────────────────────┐
│  ┌─────────────────┐    │   GATE    │    ┌─────────────────┐  │
│  │ Egress Forward  │◄───┼──(open)───┼────┤ Egress Store    │  │
│  │ Buffer (EFB)    │    │   (closed)│    │ Buffer (ESB)    │  │
│  └─────────────────┘    │     =     │    └─────────────────┘  │
│                         │   async   │                         │
│  ┌─────────────────┐    │   only    │    ┌─────────────────┐  │
│  │ Ingress Store   │◄───┼───────────┼────┤ Ingress Forward │  │
│  │ Buffer (ISB)    │    │           │    │ Buffer (IFB)    │  │
│  └─────────────────┘    │           │    └─────────────────┘  │
└─────────────────────────┘           └─────────────────────────┘
Buffer Flow: ISB → IFB (ingress) | ESB → EFB (egress)
Idempotency: Configurable keys (hash, canonicalized, or explicit ID)
Frontier: Contiguous acknowledgment prefix with externalized cursor tracking
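The egress path (ESB → EFB) described under Core Mechanism and the Frontier line above, as an added sketch that is not part of the BSFG specification or its NATS/JetStream reference. The class names, the in-memory list and dict standing in for durable storage, and the `drop_ack` fault-injection parameter are all assumptions made for illustration.

```python
import hashlib, json

def idem_key(event):
    """Content-hash idempotency key over a canonical JSON encoding."""
    canon = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()

class ForwardBuffer:
    """Receiving side of the gate: put_if_absent makes replays harmless."""
    def __init__(self):
        self.items = {}                  # idempotency key -> event
    def put_if_absent(self, key, event):
        if key in self.items:
            return False                 # duplicate delivery, ignored
        self.items[key] = event
        return True

class StoreBuffer:
    """Sending side: append-only local log plus a contiguous-ack frontier."""
    def __init__(self):
        self.log = []                    # stand-in for the write-ahead log
        self.acked = set()               # offsets acknowledged by the peer
        self.frontier = 0                # every offset < frontier is acked
    def append(self, event):             # producer completes here, gate or no gate
        self.log.append(event)
        return len(self.log) - 1
    def forward(self, fb, gate_open, drop_ack=()):
        if not gate_open:
            return []                    # sealed boundary: nothing crosses
        sent = []
        for off in range(self.frontier, len(self.log)):
            ev = self.log[off]
            fb.put_if_absent(idem_key(ev), ev)
            sent.append(off)
            if off not in drop_ack:      # constructed fault: ack lost in transit
                self.acked.add(off)
        while self.frontier in self.acked:   # advance over contiguous prefix only
            self.frontier += 1
        return sent

def demo():
    esb, efb = StoreBuffer(), ForwardBuffer()
    for i in range(4):                   # constructed sample plant telemetry
        esb.append({"id": i, "tag": "line1.temp", "v": 20 + i})
    sealed = esb.forward(efb, gate_open=False)        # gate closed
    esb.forward(efb, gate_open=True, drop_ack={1})    # ack for offset 1 lost
    partial = (len(efb.items), esb.frontier)
    resent = esb.forward(efb, gate_open=True)         # replay from the frontier
    return sealed, partial, resent, len(efb.items), esb.frontier
```

After the lost acknowledgment the frontier stalls at offset 1 even though offsets 2 and 3 were acknowledged, so the next pass replays 1 through 3 and the forward buffer still holds exactly four events.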