Přejít na obsah

Designing Bonitoo IoT Platform for Energy Infrastructure

Industrial IoT platforms are often described through dashboards, integrations and device connectivity. For energy infrastructure, that is not enough. The platform does not only collect data. It participates in control decisions that affect physical assets, commercial dispatch and operational reliability.
19. června 2026 od
Jozef Chudý

The Bonitoo IoT Platform was designed around a simple engineering requirement: no single component should be able to stop the system. This requirement shaped the architecture more than any specific technology choice.

No single component should be able to stop the system.

The event log is the source of truth

The platform does not treat a database as the centre of the system. Every command, telemetry message, configuration change and acknowledgement is first written to a durable, ordered event log. Operational and analytical databases are projections built from that log.

This makes recovery explicit. If a database is lost, corrupted or replaced, it can be rebuilt by replaying the event stream from a known offset. The control path does not depend on a mutable query database being permanently healthy.

Control & Confirmation Flow. Thin ingestion, durable event log, redundant deterministic controllers, edge voting and synchronous confirmation.

Fig 1: Control & Confirmation Flow. Thin ingestion, durable event log, redundant deterministic controllers, edge voting and synchronous confirmation.


Thin ingestion, deterministic processing

The communication adapter has a narrow responsibility: terminate the external protocol, authenticate the caller, assign tenant and correlation identifiers, and publish the request to the log. It does not contain control logic.

Control logic runs in redundant controllers. Each controller consumes the same ordered input and computes the candidate command independently. Because the algorithms are deterministic, healthy controllers produce the same result without shared memory, locking or leader election.


Fault tolerance is resolved at the edge

Instead of electing one central master controller, the platform moves the final decision to the asset site. The edge gateway receives candidate commands from multiple controllers, applies majority voting or priority fallback, and acts as the single writer to the PLC or energy asset.

This design removes split-brain scenarios from the central system. A faulty controller can be out-voted, while the field device still sees exactly one command source.

Node Components & Data Flow. One node contains the communication adapter, controller, Web UI, identity/auth, broker and database projections. The same structure runs redundantly.

Fig 2: Deployment & Redundancy - Three redundant nodes form the central platform. The broker is clustered; databases are rebuildable projections; edge gateways connect asset sites.


A platform built for operation

The baseline deployment uses three redundant nodes fronted by a load balancer and virtual IP. Each node contains an application container, an event broker instance, an operational database projection and a time-series database projection. The event brokers form one replicated cluster.

This structure supports rolling maintenance and component replacement. Nodes can be restarted or upgraded independently, while the durable log preserves the authoritative event history.


Replaceable components behind stable interfaces

The architecture deliberately avoids binding the product to one database, broker or identity provider. Storage engines, streaming technology and authentication backends sit behind thin interfaces. The system design should survive technology replacement without changing the control model.

Deployment & Redundancy. Three redundant nodes form the central platform. The broker is clustered; databases are rebuildable projections; edge gateways connect asset sites.

Fig 3: Node Components & Data Flow. One node contains the communication adapter, controller, Web UI, identity/auth, broker and database projections. The same structure runs redundantly.


Reliability before throughput

Industrial control workloads are not the same as consumer-scale event ingestion. The priority is predictable behaviour, deterministic latency, recoverability and fault isolation. A missed or ambiguous control command can matter more than processing another million telemetry points.

The platform is therefore dimensioned for reliable operation rather than raw throughput. Replay, auditability, edge buffering, redundant computation and clear failure handling are first-class architectural concerns.


Security as part of the architecture

Security is not added as a separate layer after the platform is built. Tenant identity is attached at ingestion and propagated through the log, databases, UI and edge communication. The architecture supports mutual TLS, role-based access control, two-factor authentication, tenant isolation and an auditable event history.


Designed for distributed energy systems

The resulting platform is suitable for battery energy storage systems, photovoltaic plants, virtual power plants, demand response, microgrids, industrial EMS and EV charging infrastructure. These systems need more than monitoring. They need a control architecture that continues to behave correctly when individual components fail.

The Bonitoo IoT Platform is built around that principle: durable events, redundant deterministic processing, edge voting and operational simplicity.

Created: 2026-06-19 | All Rights Reserved!