The definition of "hot standby" is a bit like the definition of "real-time". It's up to the user to decide what is or isn't acceptable.
If you have a process where you cannot afford to have downtime, then, yes, you should probably consider some form of standby system in case the main system fails. What is the maximum period of time you could survive without effective control? If you're doing high-speed positioning, for example, even losing control for a few milliseconds may be enough to cause problems. On the other hand, level control in a reservoir could probably survive hours without major symptoms. Obviously it's physically impossible to repair a system within milliseconds, but it could equally be impossible to get an engineer to a remote unmanned pumping station within the required deadline, so both systems could justify having backups.
For the first example, "hot" standby, where you have two CPUs mirroring each other's activity constantly and capable of switching control from the main to the standby possibly within the course of a scan, may be the only answer. That will probably have to be implemented using hardware links and high-speed memory transfer etc. For the latter, there may be other less-expensive "warm" standby options involving a standby system which only wakes up when the master has already failed. This could involve a few seconds or more of downtime while process values are updated and synchronised. It may even result in a few bumps in the process while devices come under control of the new system. Can you accept this? It's up to the process.
Any manufacturer who claims to have a hot standby system should be capable of demonstrating what happens when any element of the main system fails. Note that in the examples above I have only considered backup CPUs - what about backup power supplies, what about backup or redundant I/O, what about backup networks, etc.? How expensive is the damage when your system fails, and how much can you afford to spend to keep things running? What is the likelihood of a failure of any part of the system (MTBF etc.) and what are the consequences if that failure occurs?
Sorry - no real answers, just more questions.
regards
Ken.
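The hot-versus-warm trade-off described in the post above, as an added toy simulation that is not part of Ken's reply: a scan-based PI loop loses its primary CPU, a hot standby with a mirrored integrator takes over within the scan, while a warm standby only wakes after missed heartbeats and starts with no history, producing a bump. The scan time, gains, plant gain and heartbeat threshold are assumed values.

```python
# Toy simulation of hot versus warm standby failover for a scan-based PI loop.
# Scan time, PI gains, plant gain and heartbeat threshold are all assumed values.
SCAN_MS = 10            # assumed controller scan time in milliseconds
KP, KI = 0.5, 0.05      # assumed PI gains
PLANT_GAIN = 0.02       # assumed first-order plant response per scan
HEARTBEAT_MISSES = 3    # warm standby wakes after this many missed heartbeats


def pi_output(state, setpoint, pv):
    """One PI step. `state["integ"]` is the history a standby must carry."""
    err = setpoint - pv
    state["integ"] += err
    return KP * err + KI * state["integ"]


def simulate(mode, fail_at=20, scans=40, setpoint=100.0):
    """Run the loop, kill the primary at `fail_at`, and report the cost of failover."""
    primary, standby = {"integ": 0.0}, {"integ": 0.0}
    active, primary_alive, missed = primary, True, 0
    pv, downtime, bump = 0.0, 0, 0.0
    for scan in range(scans):
        if scan == fail_at:
            primary_alive = False
        if active is primary and not primary_alive:
            missed += 1
            if mode == "hot":
                active = standby          # state already mirrored: switch within the scan
            elif missed >= HEARTBEAT_MISSES:
                standby["integ"] = 0.0    # warm: wakes with no history, starts from scratch
                active = standby
            else:
                downtime += 1             # nobody is in control during this scan
                continue
            # What an uninterrupted primary would have output on this scan.
            expected = pi_output(dict(primary), setpoint, pv)
            out = pi_output(standby, setpoint, pv)
            bump = abs(out - expected)    # the "bump" the process sees at takeover
        else:
            out = pi_output(active, setpoint, pv)
            if mode == "hot" and active is primary:
                standby["integ"] = primary["integ"]   # mirror state every scan
        pv += PLANT_GAIN * out
    return {"downtime_ms": downtime * SCAN_MS, "bump": bump}


def within_deadline(result, max_loss_ms):
    """Does the standby scheme meet the longest outage the process tolerates?"""
    return result["downtime_ms"] <= max_loss_ms
```

Compare `simulate("hot")` against `simulate("warm")` with the deadline of your own process: the warm scheme fails a millisecond-class positioning deadline but is fine for a reservoir that tolerates hours.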