Redundant control system for an actuator and method for redundant control thereof

20170255191 · 2017-09-07

Abstract

A method and redundant control system for an actuator in which two redundant control computers are connected via buses to a respective peripheral station containing an interface module and at least one periphery module, wherein the actuator is connected to mutually decoupled signal outputs of two periphery modules, each forming an output module, of the two peripheral stations, where output values generated by the two redundant control computers for the actuator are transmitted by the interface modules to the output modules, wherein upon detection of a bus fault, the respective interface module transmits a command to all downstream output modules to output substitute values, and where output modules to which the actuator is connected exchange information about receipt of the command via a communication link and implement it only if another output module concerned has also received the command so as to prevent failure modes in redundant operation.

Claims

1.-6. (canceled)

7. A redundant control system for an actuator, comprising: a first control computer connected via a first bus to a first interface module of a first peripheral station containing at least one periphery module; a second redundant control computer connected via a second bus to a second interface module of a second peripheral station containing at least one periphery module, wherein the actuator is connected to mutually decoupled signal outputs of two periphery modules, each forming an output module, of the first and second peripheral stations, respectively; wherein the first and second interface modules are configured to transmit output values received for the actuator from a respective control computer via the first bus or second bus to the output module for output to the actuator and, upon detection of a fault on the first bus or second bus, to transmit a command to the output module and all other output modules of the peripheral station to output substitute values at their signal outputs; and wherein each respective output module with signal outputs to which the actuator is connected is interlinked via a communication link and is configured to exchange information about receipt of a command for outputting a substitute value and to implement this command only if another output module concerned has also received said command.

8. The redundant control system as claimed in claim 7, wherein each respective output module comprises a digital output module.

9. The redundant control system as claimed in claim 7, wherein each respective output module comprises an analog output module.

10. The redundant control system as claimed in claim 7, wherein if each respective output module has a multichannel configuration, then each respective output module is configured to implement a command received for outputting a substitute value only for those channels with signal outputs to which the actuator is connected, with a restriction that another output module has also received said command.

11. A method for redundant control of an actuator in a control system, in which a first control computer is connected via a first bus to a first interface module of a first peripheral station containing at least one periphery module, a second redundant control computer is connected via a second bus to a second interface module of a second peripheral station containing at least one periphery module, and the actuator is connected to mutually decoupled signal outputs of two periphery modules, each forming an output module, of the first and second peripheral stations, the method comprising: transmitting by the first and second interface modules output values for the actuator received from a respective control computer via the first bus or second bus to the output module for output to the actuator and, upon detection of a fault on the first bus or second bus, transmitting a command to the output module and all other output modules of the peripheral station to output substitute values to their signal outputs; and exchanging between the output modules with signal outputs to which the actuator is connected information about receipt of a command for output of a substitute value via a communication link and implementing this command only if another output module concerned has also received said command.

12. The method as claimed in claim 11, wherein if the output modules have a multichannel configuration, then they are configured to implement the received command for output of the substitute value only for those channels with signal outputs to which the actuator is connected, with a restriction that the other output module has also received said command.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

[0022] To further explain the invention, reference is made hereinafter to the drawings in which:

[0023] FIG. 1 shows an exemplary embodiment of the redundant control system in accordance with the invention in a diagrammatic block representation; and

[0024] FIG. 2 is a flowchart of the method in accordance with the invention.

DETAILED DESCRIPTION OF THE EXEMPLARY EMBODIMENTS

[0025] With reference to FIG. 1, shown is a section of a process control system with a controlling system 1 in a process management level, a first and second control computer 2, 3 in the form of memory-programmable controls in a control level and an actuator 4 at field level. The field level contains further field devices (not shown) which, in the form of sensors, record the states of a technical process and, formed as actuators, specifically influence the process. The controlling system 1 and the control computers 2, 3 are interconnected via a plant bus 5 (e.g., Ethernet). To generate output values for the actuator 4, the two control computers 2, 3 each execute one and the same control or user program in redundancy operation, inter alia, processing input data received from sensors over separate digital field buses 6, 7 (e.g., PROFIBUS DP). The field devices are connected to the field buses 6, 7 of the two control computers 2, 3 via a first and a second decentralized peripheral station 8, 9. Each of the two peripheral stations 8, 9 comprises an interface module (header module) 10, 11 for connection to the respective field bus 6, 7 and a number of single or multichannel periphery modules, of which only one respective output module 12, 13 is shown here. The actuator 4 is connected to the signal outputs 16, 17 of the two output modules 12, 13 via decoupling diodes 14, 15. The interface modules 10, 11 transmit output values that they receive from the respective control computer 2, 3 for the actuator 4 to the output module 12, 13, where the diodes 14, 15 link digital values disjunctively (OR) and add analog values (currents) for the actuator 4. Both output modules 12, 13 are active. They both receive the same output values in error-free redundancy operation. The two control computers 2, 3 synchronize themselves accordingly.

[0026] The interface modules 10, 11 each monitor the respective field bus 6, 7, to which they are connected and, in the event of a fault, such as in the event of failure of the control computer (e.g., operating status STOP, or cable disconnected), issue a command to all output modules of the peripheral station 8, 9 concerned to output substitute values, such as in the form of the most recently received output values. This behavior is necessary in non-redundant operation. In redundant operation, however, this leads to a faulty operating status. The output modules 12, 13 supplying the actuator 4 redundantly with output values therefore implement this command only if, and as long as, they both receive such a command. To make this possible, they exchange information about the receipt of a command for the output of a substitute value via a communication link (e.g., RS485). This prevents the actuator 4, for example, from receiving the sum of a current analog output value and an output value frozen at the time of the command instead of a current analog output value.
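The interlock of paragraph [0026], combined with the per-channel restriction of claim 10, as an added C sketch that is not code from the patent. The struct, the three state names, the channel mask layout and the level-style command flags are assumptions; PENDING only means that the command is held and not implemented.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* What a channel does with a substitute-value command (names are assumptions). */
typedef enum { CH_LIVE, CH_PENDING, CH_SUBSTITUTE } ch_state_t;

typedef struct {
    uint8_t redundant_mask; /* channels wired to the shared actuator (assumed layout) */
    bool cmd_local;         /* command received from the module's own interface module */
    bool cmd_peer;          /* peer's receipt flag, as last read from the link */
} out_module_t;

ch_state_t channel_state(const out_module_t *m, unsigned ch)
{
    if (!m->cmd_local)
        return CH_LIVE;                  /* no command: bus values are output */
    if (!(m->redundant_mask & (1u << ch)))
        return CH_SUBSTITUTE;            /* non-redundant channel: implement at once */
    /* Redundant channel: implement only if, and as long as, the peer has it too. */
    return m->cmd_peer ? CH_SUBSTITUTE : CH_PENDING;
}

/* One exchange over the communication link: each side publishes its receipt flag. */
void link_exchange(out_module_t *a, out_module_t *b)
{
    a->cmd_peer = b->cmd_local;
    b->cmd_peer = a->cmd_local;
}

/* State of channel ch on output module 12 for a given pair of bus fault flags.
 * Constructed setup: channel 0 feeds actuator 4 on both modules, the rest do not. */
ch_state_t module12_state(bool fault_bus6, bool fault_bus7, unsigned ch)
{
    out_module_t m12 = { .redundant_mask = 0x01, .cmd_local = fault_bus6 };
    out_module_t m13 = { .redundant_mask = 0x01, .cmd_local = fault_bus7 };
    link_exchange(&m12, &m13);
    return channel_state(&m12, ch);
}

int main(void)
{
    static const char *name[] = { "LIVE", "PENDING", "SUBSTITUTE" };
    printf("bus 6 fault only, ch0: %s\n", name[module12_state(true, false, 0)]);
    printf("bus 6 fault only, ch1: %s\n", name[module12_state(true, false, 1)]);
    printf("both buses fault, ch0: %s\n", name[module12_state(true, true, 0)]);
    return 0;
}
```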

[0027] FIG. 2 is a flowchart of a method for redundant control of an actuator 4 in a control system, in which a first control computer 2 is connected via a first bus 6 to a first interface module 10 of a first peripheral station 8 containing at least one periphery module, a second redundant control computer 3 is connected via a second bus 7 to a second interface module 11 of a second peripheral station 9 containing at least one periphery module, and the actuator 4 is connected to mutually decoupled signal outputs 16, 17 of two periphery modules, each forming an output module 12, 13, of the first and second peripheral stations 8, 9.

[0028] The method comprises transmitting by the first and second interface modules 10, 11 output values for the actuator 4 received from a respective control computer 2, 3 via the first bus 6 or second bus 7 to the output module 12, 13 for output to the actuator 4 and, upon detection of a fault on the first bus 6 or second bus 7, transmitting a command to the output module 12, 13 and all other output modules of the peripheral station 8, 9 to output substitute values to their signal outputs 16, 17, as indicated in step 210.

[0029] The output modules 12, 13 with signal outputs 16, 17 to which the actuator 4 is connected now exchange information about receipt of a command for output of a substitute value via a communication link 18 and implement this command only if another output module concerned has also received said command, as indicated in step 220.

[0030] While there have been shown, described and pointed out fundamental novel features of the invention as applied to a preferred embodiment thereof, it will be understood that various omissions and substitutions and changes in the form and details of the methods described and the devices illustrated, and in their operation, may be made by those skilled in the art without departing from the spirit of the invention. For example, it is expressly intended that all combinations of those elements and/or method steps which perform substantially the same function in substantially the same way to achieve the same results are within the scope of the invention. Moreover, it should be recognized that structures and/or elements and/or method steps shown and/or described in connection with any disclosed form or embodiment of the invention may be incorporated in any other disclosed or described or suggested form or embodiment as a general matter of design choice. It is the intention, therefore, to be limited only as indicated by the scope of the claims appended hereto.