The Bonitoo IoT Platform was designed around a simple engineering requirement: no single component should be able to stop the system. This requirement shaped the architecture more than any specific technology choice.
No single component should be able to stop the system.
The event log is the source of truth
The platform does not treat a database as the centre of the system. Every command, telemetry message, configuration change and acknowledgement is first written to a durable, ordered event log. Operational and analytical databases are projections built from that log.
This makes recovery explicit. If a database is lost, corrupted or replaced, it can be rebuilt by replaying the event stream from a known offset. The control path does not depend on a mutable query database being permanently healthy.

Fig 1: Control & Confirmation Flow. Thin ingestion, durable event log, redundant deterministic controllers, edge voting and synchronous confirmation.
Thin ingestion, deterministic processing
The communication adapter has a narrow responsibility: terminate the external protocol, authenticate the caller, assign tenant and correlation identifiers, and publish the request to the log. It does not contain control logic.
Control logic runs in redundant controllers. Each controller consumes the same ordered input and computes the candidate command independently. Because the algorithms are deterministic, healthy controllers produce the same result without shared memory, locking or leader election.
Fault tolerance is resolved at the edge
Instead of electing one central master controller, the platform moves the final decision to the asset site. The edge gateway receives candidate commands from multiple controllers, applies majority voting or priority fallback, and acts as the single writer to the PLC or energy asset.
This design removes split-brain scenarios from the central system. A faulty controller can be out-voted, while the field device still sees exactly one command source.

Fig 2: Deployment & Redundancy - Three redundant nodes form the central platform. The broker is clustered; databases are rebuildable projections; edge gateways connect asset sites.
A platform built for operation
This structure supports rolling maintenance and component replacement. Nodes can be restarted or upgraded independently, while the durable log preserves the authoritative event history.
Replaceable components behind stable interfaces
The architecture deliberately avoids binding the product to one database, broker or identity provider. Storage engines, streaming technology and authentication backends sit behind thin interfaces. The system design should survive technology replacement without changing the control model.

Fig 3: Node Components & Data Flow. One node contains the communication adapter, controller, Web UI, identity/auth, broker and database projections. The same structure runs redundantly.
Reliability before throughput
Industrial control workloads are not the same as consumer-scale event ingestion. The priority is predictable behaviour, deterministic latency, recoverability and fault isolation. A missed or ambiguous control command can matter more than processing another million telemetry points.
The platform is therefore dimensioned for reliable operation rather than raw throughput. Replay, auditability, edge buffering, redundant computation and clear failure handling are first-class architectural concerns.
Security as part of the architecture
Security is not added as a separate layer after the platform is built. Tenant identity is attached at ingestion and propagated through the log, databases, UI and edge communication. The architecture supports mutual TLS, role-based access control, two-factor authentication, tenant isolation and an auditable event history.
Designed for distributed energy systems
The Bonitoo IoT Platform is built around that principle: durable events, redundant deterministic processing, edge voting and operational simplicity.
Created: 2026-06-19 | All Rights Reserved!