For the concise normative reference, see the Architecture Specification. This document provides extended rationale and failure mode detail.
Page 1: Foundation & Constraints
1.1 Executive Summary
The Bidirectional Store-and-Forward Gateway (BSFG) is a hexagonal boundary primitive enabling partition-tolerant integration between Enterprise IT (External Zone) and Plant OT (Internal Zone). It guarantees that either zone may become unreachable without blocking producers or losing data, achieving eventual consistency upon reconnection via exactly-once boundary materialization.
1.2 Problem Definition
Modern plant architectures face asymmetric network partitions, GC pauses, DNS failures, and 24+ hour enterprise outages. Traditional synchronous gateways force producers to block or fail during these events; simple message buses lose in-flight data. BSFG addresses this via durable asynchronous buffering with configurable idempotency.
1.3 Architectural Objectives
| ID | Objective | Verification Criteria |
|---|---|---|
| O1 | Producer Non-Blocking | Producers complete writes via local durable acknowledgment without network dependency on remote zone |
| O2 | Effectively-Once Boundary | No data loss within configured envelope; no duplicate materialization at IFB/EFB via atomic idempotent insertion |
| O3 | Mechanism Agnosticism | Supports arbitrary byte sequences (MQTT, OPC UA, Parquet, Protobuf) with content-type metadata; no schema enforcement |
| O4 | Fast Swappability | Any storage backend or hashing algorithm replaceable within 5 working days via hexagonal interface ports |
1.4 Explicit Non-Objectives (Scope Exclusions)
| ID | Non-Objective | Rationale |
|---|---|---|
| N1 | Not Shared Database | Zones remain transactionally autonomous; no 2PC or synchronous replication |
| N2 | Not Synchronous RPC | No request/response patterns holding connections open for remote acknowledgment |
| N3 | Not Distributed Transactions | No Saga orchestration or atomic cross-boundary transactions |
| N4 | Not Global Total Ordering | Gateway does not enforce causality; vector clocks transported as opaque metadata only |
| N5 | Not Semantic Transformation | No schema normalization or business logic at boundary; pure transport layer |
| N6 | Not Infinite Durability | Retention bounded by TTL (default 7 days) or capacity; explicit overflow policies required |
| N7 | Not End-to-End Exactly-Once | Gateway guarantees exactly-once materialization at boundary buffers only; downstream application idempotency remains application concern |
Page 2: Topology & Core Mechanism
2.1 Minimal Factorization
BSFG represents the minimal factorization of durability × availability × directionality under partition tolerance constraints. The four-buffer topology separates write-durability (Store) from read-availability (Forward) across bidirectional flows.
2.2 Buffer Specifications
Ingress Store Buffer (ISB)
- Location: External Zone perimeter
- Interface:
append(payload: Bytes, metadata: Headers) → Promise<Offset> - Contract: Durable append-only log with monotonic offsets; retains entries until explicit acknowledgment from IFB
- Durability: fsync or replication factor ≥ 2 before acknowledgment to producer
- Storage adapters: Any conforming implementation of the
StoreBufferport interface. See NATS/JetStream Reference for the reference implementation.
Ingress Forward Buffer (IFB)
- Location: Internal Zone perimeter
- Interface:
putIfAbsent(idempotencyKey: Key, payload: Bytes, metadata: Headers) → Promise<Status> - Idempotency Key Strategies (configurable):
- Default:
H(payload)(SHA-256) — byte-exact deduplication - Semantic:
H(canonicalized(payload, metadataSubset))— ignores non-essential metadata - Explicit:
producer_event_id— application-provided UUID
- Default:
- Atomicity: Atomic
putIfAbsentper key (linearizable for single-key operations) - Collision Handling: Secondary hash comparison + manual intervention alert (extremely rare with SHA-256)
- Storage adapters: Any conforming implementation of the
ForwardBufferport interface. See NATS/JetStream Reference for the reference implementation.
Egress Store Buffer (ESB)
- Location: Internal Zone perimeter
- Specification: Mirror of ISB for outbound flow (Internal → External)
Egress Forward Buffer (EFB)
- Location: External Zone perimeter
- Specification: Mirror of IFB for external pickup
2.3 Cursor Management & Frontier Semantics
The Cursor Tracker maintains per-direction state:
next_to_send_offset: Next entry to transmithighest_contiguous_committed_offset: Maximal offset where all prior entries are confirmed in Forward Buffer
Contiguous Prefix Constraint: Acknowledgment frontier is strictly contiguous. Truncation at Store Buffer is safe only for entries ≤ highest_contiguous_committed_offset, ensuring no gaps in durability.
Recovery Protocol: On restart, replay from checkpointed highest_contiguous_committed_offset; duplicates suppressed by IFB/EFB idempotency layer.
Page 3: Interfaces & Data Flow
3.1 Formal Interface Contracts
// Store Buffers (ISB, ESB)
interface StoreBuffer {
append(payload: Bytes, metadata: Headers) → Promise<Offset>;
truncateBefore(offset: Offset) → Promise<void>; // contiguous prefix only
replay(from: Offset) → AsyncIterator<Entry>;
getFrontier() → Promise<Offset>; // returns highest_contiguous_committed_offset
}
// Forward Buffers (IFB, EFB)
interface ForwardBuffer {
putIfAbsent(idempotencyKey: Key, payload: Bytes, metadata: Headers)
→ Promise<Status {Inserted, AlreadyExists}>;
get(key: Key) → Promise<Option<Bytes>>;
queryByTimeRange(start: Timestamp, end: Timestamp) → Iterator<Entry>;
}
// Cursor Tracker
interface CursorTracker {
commit(offset: Offset, idempotencyKey: Key) → Promise<void>;
getCheckpoint() → Promise<{
nextToSend: Offset,
committed: Offset // highest_contiguous_committed_offset
}>;
}
3.2 Operational Modes
Normal Mode (Gate Open):
- Low-latency handoff: ISB → IFB with immediate acknowledgment
- Throughput target: ~10k msgs/sec per direction (reference implementation, not guarantee)
- Latency: P99 < 50ms cross-boundary
Autonomous Mode (Gate Closed):
- Synchronous paths drop; gate materializes partition
- Producers continue appending to ISB/ESB (local durability only)
- Consumers read from IFB/EFB (zero network dependency)
- Cursor advancement freezes at last confirmed offset
Reconciliation Mode (Gate Reopening):
- Replay from
highest_contiguous_committed_offset + 1 - IFB/EFB suppress duplicates via
putIfAbsent - Gradual cursor advancement until backlog cleared
3.3 Data Integrity & Authenticity
- Integrity: Content-addressing (hash) verifies payload has not been modified in transit
- Authenticity: Derived from mTLS client certificates + optionally signed metadata (application-level); hash alone proves consistency, not provenance
Page 4: Operations, Safety & Failure Modes
4.1 Backpressure & Capacity Management
Standard Deployments:
- Policy:
reject_new_writesORdrop_oldest_unacknowledged(configurable) - Monitoring: Alerts at 80% capacity threshold
- Default retention: 7 days TTL
Safety-Critical / SIL-Regulated Deployments:
- Mandatory Policy:
reject_new_writeswith explicit operator escalation - Prohibition: Eviction of unacknowledged data is prohibited in SIL flows
- Emergency Export: Procedures for prolonged partitions exceeding capacity
4.2 Failure Mode Analysis
| Scenario | Behavior | Recovery |
|---|---|---|
| ISB Crash | Replay from checkpointed cursor | Cursor Tracker retrieves committed offset; ISB replays from frontier; duplicates rejected by IFB |
| IFB Crash Mid-Write | Atomic CAS ensures consistency | Replay from ISB; duplicate key rejected by putIfAbsent atomicity |
| Network Partition (Gate Close) | ISB/ESB retain unacknowledged; zones operate autonomously | Resume handoff from cursor frontier on reconnect; contiguous prefix ensures no gaps |
| Hash Collision | Detected by secondary hash comparison | Manual intervention alert; quarantine affected entry |
| Buffer Exhaustion | Configurable policy activation | Standard: drop oldest; Safety-critical: reject new + operator alert |
| Clock Skew | Not interpreted by gateway | Vector clocks transported as opaque metadata; applications handle temporal ambiguity |
4.3 Threat Model
| Threat | Vector | Mitigation |
|---|---|---|
| Replay Attack | Resubmission of old payload with valid key | TTL validation + timestamp metadata checks |
| Hash Flooding | Collision generation to degrade performance | Cryptographic hash (SHA-256) with collision-resistant properties; fallback to bytewise compare |
| Tampering | Payload modification in transit | Hash verification detects modification; authenticity via mTLS |
| Unauthorized Injection | Spurious data from compromised client | mTLS client certificates + capability-based authorization per buffer namespace |
4.4 Safety Certification Context
- BSFG operates as "Other System" per IEC 61508 (not a Safety Instrumented Function)
- Does not execute safety shutdowns; provides data availability for safety systems during partition
- SIL Implication: Gateway failure must not prevent safety systems from accessing last known state (achieved via local IFB/EFB reads)
Page 5: Standards, Validation & References
5.1 Standards Taxonomy
| Standard | Reference | BSFG Mapping |
|---|---|---|
| ISA-95 | Level 3/4 Boundary | Enterprise/Control integration boundary specification |
| IEC 62264 | Gateway Object Class | Functional definition of gateway with store-and-forward |
| IEC 62541-14 | OPC UA PubSub | Store-and-Forward Gateway functional category |
| RFC 1129 | Internet Store-and-Forward | Durability and retry semantics |
| EIP | #101 Guaranteed Delivery | Durable retry until acknowledgment |
| EIP | #128 Messaging Gateway | Abstraction over transport mechanisms |
| EIP | #201 Idempotent Receiver | Content-addressed duplicate suppression |
5.2 Proof by Exclusion
Systematic elimination of Enterprise Integration Patterns alternatives:
- Request-Reply (#154): Eliminated—violates O1 (Producer Non-Blocking) via synchronous coupling
- Message Bus (non-durable): Eliminated—violates O2 (No Loss) via volatile in-flight storage
- Guaranteed Delivery (#101, unidirectional): Eliminated—fails bidirectional autonomy requirement
- Shared Database Integration: Eliminated—violates N1 (Not Shared Database) via 2PC requirement
- Messaging Bridge (#133): Eliminated—assumes simultaneous availability, lacks intermediate staging
Conclusion: BSFG is the minimal compositional primitive satisfying all constraints: dual Guaranteed Delivery (bidirectional) + Idempotent Receiver (configurable keys) + Messaging Gateway (abstraction).
5.3 Verification Matrix
| Objective | BSFG Mechanism | Verification |
|---|---|---|
| O1 Producer Non-Blocking | ISB/ESB local write-ahead logs | Producer ack after local fsync/replication; no remote dependency |
| O2 Effectively-Once | Atomic putIfAbsent at IFB/EFB with contiguous frontier |
Single materialization per idempotency key; truncation only after contiguous confirmation |
| O3 Mechanism Agnostic | Opaque byte storage with metadata headers | Protocol-agnostic payload handling |
| O4 fast Swappability | Hexagonal ports (StoreBuffer, ForwardBuffer interfaces) | Backend replacement without protocol changes |
5.4 Glossary
- BSFG: Bidirectional Store-and-Forward Gateway
- ISB: Ingress Store Buffer (External → Internal, durable write-ahead)
- IFB: Ingress Forward Buffer (External → Internal, idempotent staging)
- ESB: Egress Store Buffer (Internal → External, durable write-ahead)
- EFB: Egress Forward Buffer (Internal → External, idempotent staging)
- Idempotency Key: Unique identifier for duplicate suppression (hash or explicit ID)
- Contiguous Frontier: The maximal offset where all prior entries are confirmed acknowledged
- Hexagonal Port: Interface boundary enabling backend swapability
- Cursor Tracker: Externalized state machine maintaining acknowledgment frontier
- Gate: Logical circuit breaker between Normal and Autonomous modes
5.5 References
- Hohpe, G. & Woolf, B. Enterprise Integration Patterns. Addison-Wesley, 2004.
- IEC 62264: Enterprise-Control System Integration
- IEC 61508: Functional Safety of Electrical/Electronic Systems
- RFC 1129: Internet Time Synchronization and Store-and-Forward
- OPC UA Specification Part 14: PubSub (IEC 62541-14)