Method for Operating a Redundant Automation System

20200394111 · 2020-12-17

    Abstract

    A method for operating a redundantly configured automation system which has a first subsystem and a second subsystem, wherein one of these subsystems operates as the master and the other of these subsystems operates as the slave, where in the event that the master fails the slave takes over the function of the master, and where the first subsystem receives a data packet generated by an external data source and forwards the data packet only at a level of the physical layer and the data link layer to the second subsystem before processing of the data packet occurs in the first subsystem at a higher layer than the level of the physical layer and the data link layer.

    Claims

    1. A method for operating a redundantly configured automation system having a first subsystem and a second subsystem, the method comprising: operating one subsystem of the first and second subsystems as a master; and operating another of the first and second subsystems as a slave which, in an event that the master fails, assumes functionalities of the master; wherein the first subsystem receives a data packet generated by an external data source and forwards the data packet only at a level of a physical layer and a data link layer to the second subsystem before processing of the data packet occurs in the first subsystem at a higher layer than the level of the physical layer and the data link layer.

    2. The method as claimed in claim 1, wherein the first subsystem stores the data packet after the processing at a level of a network layer and at a level of a transport layer in an electronic memory of the first subsystem.

    3. The method as claimed in claim 1, wherein the electronic memory comprises a First-In-First-Out memory which is configured to save the data packet in a particular sequence and to re-output the data packet in the particular sequence.

    4. The method as claimed in claim 2, wherein once the data packet has been stored in the memory of the first subsystem, a synchronization message is transmitted from the second subsystem to the first subsystem to synchronize processing of the data packet on the second subsystem with processing of the data packet on the first subsystem.

    5. The method as claimed in claim 4, wherein the synchronization message includes information as to which quantity of data from the data packet stored in the memory of the first subsystem should be removed from the memory by the first subsystem.

    6. A redundantly configured automation system comprising: a first subsystem; and a second subsystem; wherein one subsystem of the first and second subsystems is configured to operate as a master and another subsystem of the first and second subsystems is configured to operate as a slave which is configured such that, in an event that the master fails, it assumes functionalities of the master; and wherein the first subsystem is configured to receive a data packet generated by an external data source and to forward the data packet only at a level of a physical layer and a data link layer to the second subsystem before processing of the data packet occurs in the first subsystem at a higher layer than the level of the physical layer and the data link layer.

    7. A method for operating a redundantly configured automation system having a first subsystem and a second subsystem, the method comprising: operating one subsystem of the first and second subsystems as a master; and operating another subsystem of the first and second subsystems as a slave which, in an event that the master fails, assumes functionalities of the master; wherein a data packet intended for an external recipient is transferred from the second subsystem to the first subsystem only at a level of a physical layer and a data link layer and the data packet is forwarded from the first subsystem to the external recipient before processing of the data packet occurs in the first subsystem at a higher layer than the level of the physical layer and the data link layer.

    8. A redundantly configured automation system comprising: a first subsystem; and a second subsystem; wherein one subsystem of the first and second subsystems is configured to operate as a master and another subsystem of the first and second subsystems is configured to operate as a slave which is configured such that, in an event that the master fails, the slave assumes functionalities of the master; wherein the second subsystem is configured to transfer a data packet intended for an external recipient from the second subsystem to the first subsystem only at a level of a physical layer and a data link layer and the first subsystem is configured to forward the data packet received from the second subsystem to the external recipient before processing of the data packet occurs in the first subsystem at a higher layer than the level of the physical layer and the data link layer.

    Description

    BRIEF DESCRIPTION OF THE DRAWINGS

    [0019] The above-described properties, features and advantages of this invention and the manner in which these are achieved will become clearer and more intelligible in conjunction with the following description of the exemplary embodiment which will be explained in detail making reference to the drawings, in which:

    [0020] FIG. 1 shows an automation system with two subsystems in accordance with the invention;

    [0021] FIG. 2 shows a sequence of a temporal coupling of two subsystems in the case of an incoming data packet in accordance with the invention;

    [0022] FIG. 3 shows the sequence of FIG. 2 in the event of a failure of one of the two subsystems;

    [0023] FIG. 4 shows a sequence of a temporal coupling of two subsystems in the case of an outgoing data packet in accordance with the invention; and

    [0024] FIG. 5 is a flowchart of the method in accordance with the invention.

    DETAILED DESCRIPTION OF THE EXEMPLARY EMBODIMENTS

    [0025] FIG. 1 shows an automation system 1 configured as a redundant network node. The automation system 1 includes a first subsystem 2 and a second subsystem 3. The first subsystem 2 has a first network interface 4 and the second subsystem 3 has a second network interface 5, via which the two subsystems 2, 3 can communicate with external devices (not shown).

    [0026] The first subsystem 2 can be divided internally into a first transport system 6 and a first application system 7, whereas in an analogous manner the second subsystem 3 has a second transport system 8 and a second application system 9. The first transport system 6 and the second transport system 8 take on the tasks of forwarding or transferring data packets, inter alia between the two subsystems 2, 3. To this end, the two subsystems 2, 3 are coupled together via a synchronization link 10.

    [0027] It should be understood that the second subsystem 3 is assumed to be operated as the master and the first subsystem 2 is assumed to be operated as the slave or as the reserve. With respect to control of a technical process, the master assumes the lead and is responsible for the process control. The slave then only assumes the master function if the master fails as a result of a malfunction.

    [0028] FIG. 2 shows a sequence diagram in the event of a sequence for synchronizing two redundantly configured subsystems 2, 3. Here, a data packet generated from an external data source 11 is received by the first subsystem 2 in a first step 12. Initially, the first subsystem 2 now performs an analysis 13 of the data packet and determines, among other things, the type of data packet and the destination addresses included in the data packet. Here, a check is performed, for example, in order to ascertain whether an IP address included in the data packet as a destination address corresponds to an IP address of the automation system 1. This check is performed on behalf of the second subsystem 3 by the first subsystem 2.

    [0029] Once the address has been successfully checked, a transfer 14 of the data packet from the first subsystem 2 to the second subsystem 3 occurs at a level of the physical layer and/or the data link layer. This transfer 14 already occurs before the data packet is further processed by the first subsystem 2 at a level of a higher layer (network layer, transport layer etc.) of the transport system 6 of the first subsystem 2.

    [0030] An interim buffering 15a, 15b of the data packet and a further processing 16a, 16b at a level of a higher layer (network layer, transport layer etc.) of the respective transport system 6, 8 of the two subsystems 2, 3 then occurs on both subsystems 2, 3. The part of the data packet relevant to the respective application system 7, 9, the application data 17a, 17b, is taken from the data packet by applications, such as web servers on both of the subsystems 2, 3. In this way, no data processing occurs as yet, but only a separation of the application data 17a, 17b from the remaining part of the data packet.

    [0031] The application data 17a is stored in the first subsystem 2 as part of a storage process 18 in a memory 19 configured as a FIFO memory (First In, First Out). This memory is configured to store the application data 17a in a specific sequence.

    [0032] Once the application data 17a has been stored in the memory 19 of the first subsystem 2, a synchronization message 20 is transmitted from the second subsystem 3 to the first subsystem 2. In this context, the synchronization message includes information as to which quantity of application data 17a is to be removed from the memory 19 of the first subsystem 2. The sequence of the actual synchronization occurs as described in EP 2 657 797 A1. Full reference should be made in this context to this publication.

    [0033] The synchronization message 20 triggers a removal instruction 25 that is addressed directly to the memory 19. Following the removal 21 of the application data 17a from the FIFO memory 19, the application data 17a is subject to processing 22 on the first subsystem 2 by an application (e.g., a web server). An analogous processing 23 of the application data 17b located there occurs on the second subsystem 3.

    [0034] FIG. 3 essentially shows the same sequence diagram as shown in FIG. 2. One difference here, however, lies in the fact that after running through the higher levels of layers or separating the application data 17a, 17b from the remaining part of the data packet, failure 24 of the second subsystem 3 (functioning as the master) occurs. The first subsystem 2 (functioning as the slave) must now assume the tasks of the master system 3 and, for example, maintain the operation of a process installation. In this context, it should be possible for data transfer to external devices to be continued without any data loss.

    [0035] Should the second subsystem 3 fail, the first subsystem 2 must seamlessly continue processing at the level of the applications. This is possible because the first subsystem 2, following a removal instruction 25 automatically generated at a specific point in time, removes the application data 17a included in the FIFO memory 19 and forwards this application data 17a as part of a forwarding 37 to the application processing 22 of the first subsystem 2 until the FIFO memory 19 is emptied. The status of the first subsystem 2 is then identical to that of the second subsystem 3 at the time of the failure 24. Once the FIFO memory 19 has been emptied, the application on the first subsystem 2 once again reads directly from the level of the further processing 16a, 16b at a level of a higher layer (e.g., network layer or transport layer) of the transport system 6 of the first subsystem 2 (also known as a layer stack). A link 26 to a communication partner can therefore be continued without interruption and without data loss because the status of the layer stack 16a on the first subsystem 2 has not been changed since the failure 24.
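The following simulation of the FIG. 2 and FIG. 3 sequences is an added example and not part of the patent: the slave checks the destination address, hands the frame to the master before its own higher-layer processing, holds the separated application data in a FIFO until the master's synchronization message releases it, and drains the FIFO on master failure so that the two application states match. The `dst|payload` frame format, the address `10.0.0.1` and all class and function names are assumptions made for the example.

```python
from collections import deque

SYSTEM_IP = "10.0.0.1"  # assumed address of the redundant automation system 1

def parse_packet(raw):
    """Split a constructed 'dst|payload' frame into destination and payload."""
    dst, _, payload = raw.partition("|")
    return dst, payload

class Subsystem:
    def __init__(self):
        self.fifo = deque()   # memory 19: FIFO of application data (slave only)
        self.processed = []   # application data 17 handed to the application
        self.alive = True

    def layer_stack(self, raw):
        """Processing 16a/16b: separate application data 17 from the packet."""
        return parse_packet(raw)[1]

class RedundantSystem:
    def __init__(self):
        self.slave = Subsystem()    # first subsystem 2
        self.master = Subsystem()   # second subsystem 3

    def receive(self, raw):
        """Steps 12-18: address check 13, layer-2 transfer 14, then storage 18."""
        dst, _ = parse_packet(raw)
        if dst != SYSTEM_IP:
            return False  # not addressed to the system: dropped by the slave
        if not self.master.alive:
            # after failure 24 the former slave reads its layer stack directly
            self.slave.processed.append(self.slave.layer_stack(raw))
            return True
        self.master.processed.append(self.master.layer_stack(raw))  # transfer 14
        self.slave.fifo.append(self.slave.layer_stack(raw))         # storage 18
        return True

    def synchronize(self, count):
        """Sync message 20: master states how many FIFO entries to release."""
        for _ in range(count):
            self.slave.processed.append(self.slave.fifo.popleft())  # 21, 22

    def master_failure(self):
        """Failure 24: drain the FIFO (forwarding 37); states must then match."""
        self.master.alive = False
        while self.slave.fifo:
            self.slave.processed.append(self.slave.fifo.popleft())
        return self.slave.processed == self.master.processed
```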

    [0036] FIG. 4 shows a sequence diagram for sending data packets. The starting point is the application data 27 processed by an application on the second subsystem 3. As a result of a send request 28 from the second subsystem 3 addressed to the transport system 8, a first synchronization message 29 is transmitted to the first subsystem 2. The sequence of the actual synchronization occurs as described in EP 2 657 797 A1. As a result, a discard 30 of the application data 27 on the second subsystem 3 and a data transfer 31 of the application data 27 to the first subsystem 2 occur. On the first subsystem 2 a send instruction 32 is issued to the transport system 6 of the first subsystem 2, followed by a transfer 33 of the application data 27 to an external recipient 11a. The data transfer 31 between the second subsystem 3 and the first subsystem 2 already occurs, in this case, at the level of a physical layer and/or a data link layer, which makes the method particularly efficient.

    [0037] In parallel to this, processing 34 of further (new) application data occurs on the second subsystem 3. With a second synchronization message 35, information relating thereto, as described in EP 2 657 797 A1, is exchanged with the first subsystem 2. An analogous further processing 36 of the new application data occurs there.

    [0038] FIG. 5 is a flowchart of the method for operating a redundantly configured automation system 1 having a first subsystem 2 and a second subsystem 3. The method comprises operating one subsystem of the first and second subsystems 2, 3 as a master, as indicated in step 510. Next, the other of the first and second subsystems 2, 3 is operated as a slave which, in an event that the master fails, assumes functionalities of the master, as indicated in step 520. In one embodiment, the first subsystem 2 receives a data packet generated by an external data source 11 and forwards the data packet only at a level of the physical layer and the data link layer to the second subsystem 3 before processing of the data packet occurs in the first subsystem 2 at a higher layer than the level of the physical layer and the data link layer. In an alternative embodiment, a data packet intended for an external recipient 11a is transferred from the second subsystem 3 to the first subsystem 2 only at a level of the physical layer and the data link layer and the data packet is forwarded from the first subsystem 2 to the external recipient 11a before processing of the data packet occurs in the first subsystem 2 at a higher layer than the level of the physical layer and the data link layer.

    [0039] Thus, while there have been shown, described and pointed out fundamental novel features of the invention as applied to a preferred embodiment thereof, it will be understood that various omissions and substitutions and changes in the form and details of the methods described and the devices illustrated, and in their operation, may be made by those skilled in the art without departing from the spirit of the invention. For example, it is expressly intended that all combinations of those elements and/or method steps which perform substantially the same function in substantially the same way to achieve the same results are within the scope of the invention. Moreover, it should be recognized that structures and/or elements and/or method steps shown and/or described in connection with any disclosed form or embodiment of the invention may be incorporated in any other disclosed or described or suggested form or embodiment as a general matter of design choice. It is the intention, therefore, to be limited only as indicated by the scope of the claims appended hereto.