
CN103425530B - Method for operating a redundant automation system - Google Patents


Info

Publication number
CN103425530B
CN103425530B (application CN201310201484.1A)
Authority
CN
China
Prior art keywords
subsystem
control program
time
release
processing
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201310201484.1A
Other languages
Chinese (zh)
Other versions
CN103425530A
Inventor
Thomas Grosch
Jürgen Laforsch
Albert Renschler
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Siemens Corp
Original Assignee
Siemens Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from EP12169553.0A (EP2667269B1)
Application filed by Siemens Corp
Publication of CN103425530A
Application granted
Publication of CN103425530B
Legal status: Active


Abstract

The invention relates to a method for operating an automation system having at least two subsystems (M, S), each of which has a control program (P5, P6), wherein, in order to convert the process control from a stand-alone mode of one of the subsystems (M) into a redundant control mode with the other subsystem (S), the relevant data of the one subsystem (M) are transferred to the other subsystem (S) within the scope of an update phase of the automation system. A measure for simplifying the update is also proposed.

Description

Method for operating a redundant automation system

Technical field

The invention relates to a method for operating an automation system having at least two subsystems, each of which has a control program, wherein, in order to convert the process control from a stand-alone mode of one of the subsystems into a redundant control mode with the other subsystem, the relevant data of the one subsystem are transferred to the other subsystem within the scope of an update phase of the automation system. The invention further relates to a redundant automation system suitable for carrying out this method.

Background art

In the field of automation there is an increasing need for highly available solutions (H-systems) that are suitable for reducing the possible standstill times of a plant to a minimum. The development of such highly available solutions is very costly. The H-systems commonly used in automation are characterized in that two or more subsystems, in the form of automation devices or computer systems, are connected to each other via a synchronization link. In principle, both subsystems can have read and/or write access to the peripheral units connected to the H-system. One of the two subsystems has precedence with respect to the peripherals connected to the system. This means that the output to the peripheral units, i.e. the output information for these peripheral units, is produced by only one of the two subsystems; this subsystem operates as the master or assumes the master function. The two subsystems are synchronized at prescribed intervals via the synchronization link so that they run synchronously. Different modes (warm standby, hot standby) can be distinguished according to the frequency and the extent of the synchronization.

As soon as one of the subsystems fails and a switch to the other subsystem becomes necessary, an H-system usually requires a smooth failover, whereby the other subsystem takes over the process control tasks in the so-called stand-alone or non-redundant mode. This means that, despite such an unplanned switch from one subsystem to the other, the switch must not disturb the technical process being controlled or the process control. A (brief) standstill at the outputs of the connected peripherals is permitted, during which an output is held at its last valid process output value. What is not desired, and should therefore be avoided, is a jump in the value at such an output caused by the switchover (a bump). Bumplessness is therefore also understood to mean continuity of the curve of the process output values.

To achieve this, the two subsystems must be in the same system state at the point in time of the failure. This is ensured by a suitable synchronization method. When both subsystems process the input information (inputs) of the process, the two systems are in the same system state if (given the same process input data or process input information) they modify their respective "thread-global" data (data shared by programs, in particular by programs of different priorities) in the same way. To achieve this, the synchronization method must ensure that the individual threads of the two subsystems are interrupted or processed in the same manner. The same "thread mountain" (Threadgebirge) is thereby obtained.

Furthermore, it must be ensured that the conversion of the process control from stand-alone or non-redundant mode into redundant mode, for example after a failed subsystem has been replaced, is carried out smoothly. In the course of this transfer, the relevant data must be transferred from the subsystem that has so far led the process to the newly or additionally connected or switched-on subsystem. During this transfer, referred to as linking and updating, no disturbing influence on the technical process being controlled or on the process control is permitted in the so-called linking phase and update phase (AuA phase); the process control continues undisturbed during this AuA phase (referred to below simply as the update phase for brevity).

From the Siemens catalog ST 70, 2011 edition, chapter 6, a redundant automation system consisting of two subsystems is known which is provided for increasing the availability of the controlled plant. The update is carried out by transferring the data step by step: first it is checked whether a value stored in a data area of the subsystem running in stand-alone mode differs from the new value to be written. If the values differ, a so-called dirty bit is set, which indicates that the data of this data area have to be transferred to the other subsystem. Once all data have been transferred, the automation system operates in redundant mode. The disadvantage is that the data of this data area are highly dynamic, so that at the end of the update phase the changeover cannot be achieved bumplessly ("update bump", Aufdatstoß), because the subsystem operating in stand-alone mode has to be halted and the process control has to be stopped briefly.

Summary of the invention

The invention is therefore based on the object of providing a method of the type mentioned at the outset by means of which the update is simplified. Furthermore, a redundant automation system suitable for carrying out the method is to be provided.

It is advantageous that the costly dirty-bit mechanism can be dispensed with. At the start of the update phase, the subsystem operating in stand-alone mode (referred to below as the master) creates a copy of its relevant data, which represents the internal state of the master at the start of this update phase; these data are transferred in segments to the subsystem "to be updated" or newly connected (referred to below as the slave or standby system). This internal state is essentially determined or predetermined by static and dynamic data, data blocks, process input and process output values, and configuration data. Finally, by means of release messages (Freigaben), the slave approaches the internal state of the master step by step and in synchronism with the actual processing time of the control program on the master, wherein the slave only begins to process these release messages once it has received the complete copy. After the release messages have been set, the slave traverses, using the relevant data and delayed in time, the same program path that the master has already traversed. This means that, with respect to program processing, the master runs ahead of the slave in time, or the slave runs behind the master in time. "Running behind" (Nachlauf) or "running ahead" (Vorauslauf) is understood here as the time difference between the start of processing of a processing segment by the master and the start of processing of the corresponding processing segment by the slave, which corresponds to the point in time at which the release message or release signal occurs. It should also be noted that "program" is understood to mean not only a program as such but also a subroutine, program part, task, thread, organization block, function block or other program code suitable for implementing automation functions, wherein the programs of an automation system are usually divided into several priority classes and are executed according to their assigned priority.

When the slave has made up this lag or delay, or at the point in time at which this delay has dropped to a time period or tolerable value that is to be predetermined or has already been predetermined and is regarded as non-critical, the update phase ends and from this point in time the automation system operates in redundant mode. With respect to the process control, the master thus switches from stand-alone mode into redundant mode with the slave or standby system, wherein from this point in time the master and the slave traverse the same program paths, preferably time-synchronously, on the basis of events, for example in the form of process alarms.

With regard to the program paths traversed time-synchronously in this way, reference is made to the earlier European patent application 12166006.2, the entire disclosure of which is incorporated into the present application.

Of course, the automation system can also be designed such that the time-synchronous processing of the program paths takes place after the update phase, i.e. after the update.

Because the communication between master and slave is time-synchronized, a slow communication link can also be used during the update phase. This means that a communication link which is in itself poor in terms of transmission bandwidth or response time, or one which is also used by other communication participants and is therefore not exclusively available to the linking and update process, can be used as well. A dedicated synchronization link can thus be dispensed with. In addition, large distances between the two subsystems can be bridged without the system performance being unduly degraded by long signal propagation times or long recovery times.

In one embodiment of the invention, the process input values are transmitted to the other subsystem together with the release message. The information relevant for the other subsystem is first collected or bundled and then transmitted to the other subsystem. This reduces the "overhead" of both subsystems.

Brief description of the drawings

The invention, its embodiments and its advantages are explained in more detail below with reference to the drawings, which show an exemplary embodiment of the invention.

The figures show:

Figure 1 the time-synchronized linking of two subsystems;

Figure 2 the update process; and

Figure 3 a redundant automation system.

Identical parts in Figures 1 to 3 are denoted by the same reference numerals.

Detailed description

Reference is first made to Figure 3, which shows a known redundant automation system comprising two subsystems. A first subsystem Ta and a second subsystem Tb are connected via a fieldbus Fb to a peripheral unit Pe. The fieldbus Fb conforms, for example, to the PROFIBUS-DP standard. In principle, other bus systems such as Ethernet, Fieldbus, the Modbus protocol, PROFINET IO or even parallel bus systems are also suitable. The peripheral unit Pe receives signals via input lines Es from measuring transducers or sensors that detect the process state, and supplies signals via output lines As to actuators that influence the process. For clarity, the process itself and the transducers, sensors and actuators are not shown in the figure. The two subsystems Ta, Tb execute the same control program cyclically and synchronously. A synchronization link Sv is provided for their synchronization, via which the redundancy and monitoring functions are implemented.

As described, from the point in time at which the update phase ends, the automation system operates in redundant mode, and with respect to the process control one subsystem has switched from stand-alone mode into redundant mode with the other subsystem. From this point in time the two subsystems traverse the same program paths event-synchronously, for example on the basis of events in the form of process alarms, wherein the pass (Durchlauf) by the master and the pass by the slave preferably take place asynchronously in time.

To explain the event-synchronous processing of the control programs and for a better understanding of the invention, reference is now made to Figure 1, which shows the time-asynchronous linking of two subsystems proposed in the earlier European patent application 12166006.2. "Event-synchronous processing" here means that both the master and the slave traverse the same program path of their respective control programs on the basis of an event, the traversal taking place asynchronously in time.

Assume that one subsystem operates as master M and the other as slave S or standby system. The master M is thus the primary with respect to controlling the technical process and assumes the process control tasks, wherein the master reads process input information or process input values from the peripheral unit Pe (Figure 3) and makes them available to the slave S asynchronously in time. Only if the master M fails because of a fault does the slave S assume the master function or mastership (Masterschaft).

The master M processes a program P1 for controlling the technical process, and the slave S processes a program P2 corresponding to the control program P1. The two control programs P1, P2 have a plurality of processing segments (Va) of differing duration, wherein the control programs P1, P2 can be interrupted at the start and at the end of each processing segment Va. The start and the end of each processing segment Va, which usually comprises a plurality of program instructions, thus represent interruptible program points or interruption points 0, 1, 2, … y. At these points 0, 1, 2, … y the respective control program P1, P2 can be interrupted by the master M or the slave S when required, so that an appropriate reaction is possible after an event or process alarm has occurred. Each control program P1, P2 can also be interrupted at these interruption points 0, 1, 2, … y so that the master M and the slave S can exchange release messages, acknowledgements or other information via the fieldbus Fb or via the synchronization link Sv. After each time interval Zi, i = 1, 2, … that is to be predetermined or has already been predetermined has elapsed, and at each point in time at which an interruption point occurs after that time interval (preferably the first interruption point following the respective time interval Zi), the master M transmits a release message or release signal to the slave S, which informs the slave S up to which processing segment Va it is permitted to process the control program P2. These processing segments Va of the control program P2 correspond to the processing segments that the master M has already processed while processing the control program P1. In the present embodiment it is assumed that, after the time interval Z1 has elapsed at time t1, and at time t2, at which the first interruption point P1_6 (interruption point 6) after the time interval Z1 occurs, the master M transmits a release message F1 to the slave S. This release message F1 contains the information for the slave S that it may process its pending control program P2 up to interruption point P2_6 (interruption point 6), wherein interruption point P2_6 of the control program P2 corresponds to interruption point P1_6 of the control program P1. This means that, on the basis of this release message, the slave S can process those processing segments Va of the control program P2 which correspond to the processing segments Va of the control program P1 up to the point in time at which the release message or release signal is generated, wherein for the sake of simplicity it is assumed in this example that the point in time at which the release message is generated corresponds to the point in time at which it is transmitted to the slave S. In other words, the processing of these processing segments Va by the slave S is not synchronized in time with the processing of the corresponding processing segments Va by the master M, and after the slave S has processed these processing segments Va of the control program P2, the next processing segments Va can be processed by the slave S only once the master M has transmitted a further release message to the slave S. The point in time at which these interruption points P1_6, P2_6 (interruption point 6) occur represents the start of the time interval Z2 following the time interval Z1.

In the manner described, the control programs P1, P2 continue to be processed asynchronously in time. At time t3, at which the first interruption point P1_A occurs after the time interval Z2 has elapsed, the master M transmits a further release message F2 to the slave S, which informs the slave S that it may process further processing segments Va up to interruption point P2_A. These processing segments Va in turn correspond to the processing segments that the master M has already processed from time t2 until time t3, i.e. until interruption point P1_A was reached. This means that the slave S processes the processing segments from the time t2 of the previous release message F1 to the time t3 of the current release message F2. The time t3, at which the first interruption point P1_A occurs after the time interval Z2 has elapsed, is the start of the time interval Z3 following the time interval Z2.

It may now happen that an event occurs within a time interval, for example in the form of a process alarm. In the embodiment such an event is denoted by E; in response to it, the master M must react appropriately, as prescribed by the control program P1, during the time interval Z3 at time t4. In this case the master M transmits the release message F3 to the slave S not at the point in time at which an interruption point occurs after the time interval Z3 has elapsed, but at time t5, at which the interruption point P1_C (interruption point C) occurs after the event E. This means that the time interval Z3 is shortened because of the event E, and time t5 is the start of the next time interval Z4. On the basis of the release message F3 transmitted to the slave S, the slave S processes those processing segments Va of the control program P2 which correspond to the processing segments Va of the control program P1 that the master M has already processed between times t3 and t5.

Because of the event E, the master M processes higher-priority processing segments Va during the time interval Z4; for example, the master M performs a thread switch at time t5, reaches time t6 after the time interval Z4 has elapsed, and transmits the release message F4 at time t7, at which the first interruption point P1_12 (interruption point 12) after the time interval Z4 occurs. On the basis of this release message, the slave S likewise processes processing segments Va until interruption point P2_12 (interruption point 12) of the control program P2 is reached, wherein these processing segments Va correspond to the processing segments Va of the control program P1 between times t5 and t7, and wherein the slave S likewise performs the thread switch.

As explained, the release messages of the master M cause the slave S to traverse the same "thread mountain" as the master M; that is, the slave S performs a "thread switch" at the position in the control program P2 that corresponds to the position in the control program P1. The slave S continues its processing only when the master M requests this by means of a release message. With respect to processing the processing segments, the master M processes them in real time, exactly as in stand-alone or non-redundant mode, and issues release messages at regular time intervals and after the occurrence of events so that the corresponding processing segments can be processed by the slave S, wherein the master M continues processing its control program P1 and does not actively wait for an acknowledgement from the slave S. In processing the corresponding processing segments, the slave S lags behind the master M and processes these segments on the basis of the release messages it has been given by the master.
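The release-message scheme of Figure 1 (release at the first interruption point after each time interval Zi, or at the first interruption point after an event E, with the slave allowed to advance only as far as the latest release) can be simulated in a few dozen lines. The following Python is an added illustration, not code from the patent or from Siemens; the segment durations, the interval length, the event time, the link delay and all function names are constructed assumptions, and times are in arbitrary units.

```python
"""Added example (not from the patent): discrete-time simulation of the
release-message scheme of Figure 1.  The master runs control program P1 in
real time and issues a release at the first interruption point after each
time interval Zi, or at the first interruption point after an event E (which
also restarts the interval); the slave may advance its copy P2 only up to
the interruption point named in the latest release it has received.  All
durations, the interval, the event time and the link delay are constructed."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Release:
    time: int             # time at which the master issues the release
    upto: int             # interruption point the slave may advance to
    event: bool = False   # issued because of an event (e.g. a process alarm)


def master_schedule(segments: List[int], interval: int, events: List[int]) -> List[Release]:
    """Simulate the master M processing P1 and decide when releases are sent."""
    releases: List[Release] = []
    t = 0                  # master's real-time clock
    interval_start = 0     # start of the current time interval Zi
    pending_event = False
    for point, duration in enumerate(segments, start=1):
        seg_start, t = t, t + duration          # segment Va from point-1 to point
        if any(seg_start <= e < t for e in events):
            pending_event = True                # E arrived mid-segment (cf. t4)
        # The master is now at interruption point `point`, at time t.
        if pending_event:
            releases.append(Release(t, point, event=True))   # cf. F3 at t5
            pending_event = False
            interval_start = t                  # Z3 is cut short, Z4 starts here
        elif t - interval_start >= interval:
            releases.append(Release(t, point))               # cf. F1 at t2
            interval_start = t
    return releases


def master_finish_times(segments: List[int]) -> List[int]:
    """Time at which the master reaches each interruption point 1..n."""
    out, t = [], 0
    for d in segments:
        t += d
        out.append(t)
    return out


def slave_replay(segments: List[int], releases: List[Release],
                 link_delay: int = 0, speedup: float = 1.0) -> List[Tuple[int, float]]:
    """Simulate the slave S processing P2: the segment ending at interruption
    point k may start only after a release with upto >= k has arrived and the
    previous segment is finished.  Returns (point, slave finish time) pairs."""
    arrival = {}
    for r in releases:                          # releases arrive in order
        for p in range(1, r.upto + 1):
            arrival.setdefault(p, r.time + link_delay)
    done: List[Tuple[int, float]] = []
    t = 0.0
    for point, duration in enumerate(segments, start=1):
        if point not in arrival:
            break                               # not released yet: slave waits here
        t = max(t, arrival[point]) + duration / speedup
        done.append((point, t))
    return done


def lag_per_point(segments, releases, link_delay=0, speedup=1.0):
    """Nachlauf at each interruption point: slave finish time minus master finish time."""
    master = master_finish_times(segments)
    return [(p, s - master[p - 1])
            for p, s in slave_replay(segments, releases, link_delay, speedup)]


# Constructed P1 with 12 processing segments of differing duration,
# interval Zi = 6, one event E at t = 23, and a link delay of 1.
P1_SEGMENTS = [3, 2, 4, 1, 3, 2, 3, 4, 2, 1, 2, 3]
INTERVAL = 6
EVENTS = [23]

if __name__ == "__main__":
    rel = master_schedule(P1_SEGMENTS, INTERVAL, EVENTS)
    for r in rel:
        print(f"t={r.time:2d}: release up to point {r.upto:2d}{' (event)' if r.event else ''}")
    for p, lag in lag_per_point(P1_SEGMENTS, rel, link_delay=1):
        print(f"point {p:2d}: slave lags master by {lag:.1f}")
```

With equal processing speed the slave simply trails the master by a constant offset, because nothing ever lets it gain ground; with `speedup=2.0` the lag shrinks after each release and then stays bounded by roughly the interval plus the link delay, which is the behaviour the update phase described later relies on.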

It is now assumed that the process control of the master M is converted from stand-alone mode into redundant control mode with the slave S. A conversion of this kind is needed, for example, when the slave S is reconnected to the master M after a repair. Reference is made to Figure 2, which shows the update process of the automation system.

This conversion starts at time t11, at which the master M detects that the slave S is connected to the fieldbus Fb (Figure 3); from this time t11 the update phase of both the master M and the slave S begins. From this time t11 the master M creates a local copy K of all relevant data, which represents the internal state of the master up to this time t11, wherein the master continues to control the technical process in stand-alone mode with the control program P5 and to process the processing segments Va of that control program. From time t12 until time t13, at which the update phase of the master M ends, the master M transmits this copy K in segments to the slave S (indicated in the figure by the arrow Kf); only at time t14 has the slave S received the copy completely. At this time t14 the slave S has the same internal state that the master had at time t11. In addition, from time t12 onwards all release messages of the master M and all process input values read by the master M from the peripheral unit Pe (Figure 3) are buffered in the slave S or in another subsystem of the automation system, wherein these release messages are activated for processing by the slave S only after the copy K has been received completely. In the present embodiment it is assumed that, in the period from time t11 until time t13 at which the transmission of the copy K ends, the master M running in stand-alone mode generates the release messages F13, F14, F15, F16 and additionally reads the process input values Ew3, Ew4. These release messages F13 to F16 and these process input values Ew3, Ew4 are activated in the slave S only from time t14, i.e. from the point in time at which the internal state of the master M is completely available to the slave S; this is indicated in the figure by the arrow Fs and by the wavy lines L3, L4. After this activation by the master M, the slave S transitions into the internal state of the master M by processing the data of the copy K in accordance with the release messages F13 to F16. In doing so, the slave S processes those processing segments Va of its control program P6 which correspond to the processing segments Va of the master's control program P5 up to time t13, wherein the slave S takes the process input values Ew3, Ew4 into account when processing the control program P6.

Since the slave S approaches the internal state of the master M asynchronously in time, the slave S lags behind the master M in processing the corresponding processing segments Va of the control program P6; this time lag must be reduced to a tolerable range, since an excessive lag could result in a loss of redundancy. To reduce this lag, the processing speed of the slave S is made higher relative to the processing speed of the master M, which is represented in the figure by the "shortened" processing segments Va in the control program P6. This relative increase in the processing speed of the slave S can be achieved, for example, by having the slave S process the processing segments Va of its program P6 faster or by having the master M process the processing segments Va of its program P5 more slowly. Only when the lag has been made up, or has been reduced to a tolerable range or to a predetermined value, does the update phase of the slave S, and thus of the automation system, which started at time t12, end. In the present embodiment it is assumed that the lag has been reduced to the tolerable range at time t15. This range is selected or predetermined such that, in the event of a failure of the master M, the slave S can assume mastership bumplessly. In the figure, the time difference between time t16 and time t15 represents the tolerable range, which is approximately 20 milliseconds in a practical embodiment of the invention. Within the update phase of the slave S, the slave S processes, from time t14 until time t15, both the release messages F13 to F16 buffered during the transmission of the copy K and the release messages F17, F18, F19 transmitted by the master M to the slave S after that transmission. These release messages F17 to F19 inform the slave S which further processing segments Va of the control program P6 may be processed by the slave S, wherein these processing segments Va correspond to the processing segments Va of the control program P5 that the master M has processed from time t14 onwards. In other words: after the master M has transmitted the copy K completely to the slave S, or the slave S has received it completely, the slave S processes from time t14 until time t16 all released processing segments Va of its control program P6, which correspond to the processing segments that the master M has processed from time t11 until time t15.

From time t15 onward, the update phase has ended and the automation system switches to redundant mode. Process control passes from the stand-alone mode of the master M to the redundant mode with the slave S, wherein from time t16 onward the corresponding program paths can be traversed further on the master M and the slave S either asynchronously in time, in the manner described, or synchronously in time, in a known manner.
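The update phase described above (copy K transferred in segments while releases F13 to F16 are buffered, then the slave replaying the released sections faster than the master until the lag is within the tolerable range) as an added discrete-event simulation. This is example code written for this page, not the patent's or Siemens' implementation; the cycle periods, the number of copy segments, the lag model and the constructed message names are assumptions.

```python
from collections import deque

def simulate_update_phase(master_period_ms, slave_period_ms, copy_segments,
                          tolerable_lag_ms, t_max_ms=10_000.0):
    """Model of the update phase t12 .. t15 (constructed example, not the patent's code).

    Assumptions: at t=0 (t12) the master M snapshots its state as copy K and sends it in
    `copy_segments` segments, one per master cycle, so K is complete at t14; M processes one
    section Va of P5 per `master_period_ms` and emits a release message F_n (with inputs
    Ew3, Ew4); until t14 the slave S only buffers these messages; from t14 on S replays one
    buffered section of P6 per `slave_period_ms`; lag is measured as (sections done by M -
    sections replayed by S) * master_period_ms and the phase ends (t15) once lag is within
    `tolerable_lag_ms`. Returns a dict with t14, t15, final lag and the messages buffered
    during the copy, or None if S never catches up (redundancy would be lost).
    """
    buffered = deque()              # release messages F_n waiting to be replayed by S
    master_done = slave_done = 0
    t14 = copy_segments * master_period_ms
    next_m, next_s, t = master_period_ms, t14, 0.0
    buffered_during_copy = []       # F13.. emitted while K was still in transit
    while t < t_max_ms:
        if next_m <= next_s:        # M processes a section Va of P5 and releases it
            t = next_m
            master_done += 1
            msg = "F%d" % (12 + master_done)   # F13 is the first release after t12
            buffered.append((msg, ("Ew3", "Ew4")))
            if t <= t14:
                buffered_during_copy.append(msg)
            next_m += master_period_ms
        elif buffered:              # S replays one released section Va of P6 (faster)
            t = next_s
            buffered.popleft()
            slave_done += 1
            next_s += slave_period_ms
        else:                       # S has nothing to replay: wait for the next release
            next_s = next_m
            continue
        if t >= t14:                # lag is only meaningful once K is fully received
            lag = (master_done - slave_done) * master_period_ms
            if lag <= tolerable_lag_ms:
                return {"t14": t14, "t15": t, "lag_ms": lag,
                        "buffered_during_copy": buffered_during_copy}
    return None
```

With equal periods for M and S the buffer never shrinks, so the function returns None: the faster replay on S (or slower processing on M) is what makes the phase terminate.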

Claims (4)

1. A method for operating an automation system having at least two subsystems (M, S), each subsystem having a control program (P5, P6), wherein, in order to convert the process control from a stand-alone mode of a first subsystem (M) of the subsystems into a redundant control mode with a second subsystem (S) of the subsystems, relevant data of the first subsystem (M) is transferred to the second subsystem (S) within the scope of an update phase of the automation system, the relevant data representing the internal state of the first subsystem at the start of the update phase, characterized in that:
- at the start of the update phase, the first subsystem (M) creates a local copy (K) of the relevant data of the first subsystem,
- during the update phase, the copy is transferred by the first subsystem (M) to the second subsystem (S) in segments, and the process input values (Ew3, Ew4) and release messages (F13 to F16) of the first subsystem (M) are buffered, wherein the release messages indicate which processing sections (Va) of the control program (P5) of the first subsystem have been processed by the first subsystem (M),
- after the transfer of the copy (K), the released processing sections (Va) of the control program (P6) of the second subsystem (S), which correspond to the processed processing sections (Va) of the control program (P5) of the first subsystem (M), are processed by the second subsystem (S) with a time lag, taking the buffered process input values (Ew3, Ew4) into account, wherein, in order to reduce the time lag of this processing to a predetermined value, the released processing sections (Va) of the control program (P6) of the second subsystem are processed faster than the processed processing sections (Va) of the control program (P5) of the first subsystem.
2. The method according to claim 1, characterized in that the process input values (Ew3, Ew4) are transferred to the second subsystem (S) together with the release messages.
3. A redundant automation system having at least two subsystems (M, S), each subsystem having a control program (P5, P6), wherein, in order to convert the process control from a stand-alone mode of a first subsystem (M) of the subsystems into a redundant control mode with a second subsystem (S) of the subsystems, the first subsystem (M) transfers relevant data to the second subsystem (S) within the scope of an update phase, the relevant data representing the internal state of the first subsystem at the start of the update phase, characterized in that:
- the first subsystem (M) is designed to create, at the start of the update phase, a local copy (K) of the relevant data of the first subsystem;
- the first subsystem (M) is further designed to transfer the copy (K) to the second subsystem (S) in segments during the update phase;
- the first subsystem (M) and the second subsystem (S) are designed to buffer the process input values (Ew3, Ew4) and release messages (F13 to F16) of the first subsystem (M), wherein the release messages indicate which processing sections (Va) of the control program (P5) of the first subsystem have been processed by the first subsystem (M);
- the second subsystem (S) is further designed to process, after receiving the copy (K) and taking the buffered process input values (Ew3, Ew4) into account, the released processing sections (Va) of its control program (P6), which correspond to the processed processing sections (Va) of the control program (P5) of the first subsystem (M), with a time lag, wherein the automation system is designed to process the released processing sections (Va) of the control program (P6) of the second subsystem faster than the processed processing sections (Va) of the control program (P5) of the first subsystem in order to reduce the time lag of this processing to a predetermined value.
4. The redundant automation system according to claim 3, characterized in that the first subsystem (M) is designed to transfer the process input values (Ew1, Ew2) to the second subsystem together with the release messages.
CN201310201484.1A 2012-05-25 2013-05-27 For the method running redundant automation system Active CN103425530B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
EP12169553.0A EP2667269B1 (en) 2012-05-25 2012-05-25 Method for operating a redundant automation system
EP12169553.0 2012-05-25

Publications (2)

Publication Number Publication Date
CN103425530A CN103425530A (en) 2013-12-04
CN103425530B true CN103425530B (en) 2016-11-30

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2434229A (en) * 2006-01-13 2007-07-18 Emerson Process Management Redundant controller synchronization for smooth failover during normal and mismatch conditions
CN102124450A (en) * 2008-08-20 2011-07-13 通用电气智能平台有限公司 Method and systems for synchronization of process control servers

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant