Redundant Automation System and Method for Operating the Redundant Automation System

20230229131 · 2023-07-20

    Abstract

    In order to provide a method for operating a redundant automation system (100) for controlling a technical process, it is proposed to operate a two-out-of-three system with three subsystems, wherein - a comparison means (V1, V2, V3) is cyclically operated in each subsystem (1, 2, 3) and compares the first, second and third output data (A1, A2, A3) with one another, and the respective comparison means (V1, V2, V3) are operated in such a manner that - during each comparison in which the result is that all output data (A1, A2, A3) are approximately the same, no further action is carried out, and - during a comparison in which deviations between the output data are determined, that subsystem (1, 2, 3) in which the deviations of its own output data (A1, A2, A3) from the other output data (A1, A2, A3) are the greatest is identified as faulty by means of a majority decision (ME).

    Claims

    1-9. (canceled)

    10. A method for operating a redundant automation system for controlling a technical process, a first subsystem, a second subsystem, a third subsystem and an output device for the process being operated in a communications network such that communication paths between them are utilized to exchange data, the method comprising: forwarding, by the first subsystem with a first control program with a first program cycle, first output data to the output device in a cycle-oriented manner via a peripheral protocol, an active first application relationship being established between the first subsystem and the output device; calculating, in parallel to the first subsystem, by one of (i) the second subsystem with a second control program with a second program cycle second output data and (ii) the third subsystem with a third control program with a third program cycle third output data in readiness for the assumption of control of the technical process; and establishing a passive second application relationship between the second subsystem and the output device and establishing a passive third application relationship between the third subsystem and the output device; wherein the first, second and third subsystems are operated such that the first, second and third subsystems have knowledge of one another via respective calculated output data; wherein the second subsystem sends a second output acknowledgement, and the third subsystem sends a third output acknowledgement to the first subsystem; wherein the first subsystem forwards the first output data to the output device only when the second output acknowledgement and third output acknowledgement have arrived in the first subsystem; wherein in each subsystem of the first, second and third subsystems a comparator is cyclically operated, which compares the first, second and third output data with one another, and the respective comparators are operated such that no further action is performed for each comparison in which all output data are the same as a result; wherein in a comparison in which deviations between items of output data are established, that subsystem of the first, second and third subsystems in which deviations of its own output data from other output data are greatest is recognized as being faulty via a majority decision, and on the basis of this result; wherein in an event that the first subsystem has been identified as being faulty, the second application relationship is transferred from the passive state into an active state and the first application relationship is correspondingly transferred from the active state into a passive state, and from then on the second output data is provided for the process via the output device; wherein the second and the third subsystems follow the first subsystem in time and the first subsystem implements exchanges of data via the communication paths asynchronously in time; wherein a first follow-up system is formed from the first subsystem and the second subsystem and a second follow-up system is formed from the first subsystem and the third subsystem; wherein synchronization data for the first follow-up system and the second follow-up system is identical and is transmitted by the first subsystem via multicast-based communication.

    11. The method as claimed in claim 10, wherein the second subsystem sends a second cycle acknowledgement and the third subsystem sends a third cycle acknowledgement to the first subsystem, and a next new first program cycle is started in the first subsystem only when all acknowledgements have arrived.

    12. The method as claimed in claim 10, wherein the communication of the first, second and third subsystems occurs via the communications network in accordance with Open Platform Communications United Architecture or OPC UA Time Sensitive Networking.

    13. The method as claimed in claim 11, wherein the communication of the first, second and third subsystems occurs via the communications network in accordance with Open Platform Communications United Architecture or OPC UA Time Sensitive Networking.

    14. The method as claimed in claim 10, wherein the communication of the first, second and third subsystems to the output device for a Profinet network is configured with a corresponding peripheral protocol.

    15. The method as claimed in claim 11, wherein the communication of the first, second and third subsystems to the output device for a Profinet network is configured with a corresponding peripheral protocol.

    16. The method as claimed in claim 12, wherein the communication of the first, second and third subsystems to the output device for a Profinet network is configured with a corresponding peripheral protocol.

    17. The method as claimed in claim 10, wherein at least one subsystem of the first, second and third subsystems is provided in an IT infrastructure as a virtual subsystem formed as a service.

    18. The method as claimed in claim 10, wherein in an event that the second subsystem forwards the output data via the active second application relationship to the output device, the third subsystem now sends the third output acknowledgement and the third cycle acknowledgement to the second subsystem and the second subsystem transmits the second output data to the output device only when the third output acknowledgement and the third cycle acknowledgement have arrived at the second subsystem.

    19. A redundant automation system for controlling a technical process, the redundant automation system comprising: a first subsystem; a second subsystem; a third subsystem; an output device, the first subsystem, the second subsystem, the third subsystem and the output device being interconnected via a communications network; and communication paths which are configured between the first, second and third subsystems for exchanging data; wherein the first subsystem is configured with a first control program with a first program cycle to output first output data via an active first application relationship to the output device in a cycle-oriented manner; wherein the second subsystem is configured with a second control program with a second program cycle in readiness to provide second output data for the output device via a second application relationship, wherein the third subsystem with a third control program with a third program cycle is configured in readiness to provide third output data for the output device via a third application relationship, wherein the first, second and third subsystems are configured to mutually provide respective calculated output data; wherein the second subsystem includes a second acknowledgement output device which is configured to send a second output acknowledgement and the third subsystem includes a third acknowledgement output device which is configured to send a third output acknowledgement; wherein the first subsystem includes a release mechanism which is configured to pass on the first output data to the output device only when the second output acknowledgement and the third output acknowledgement have arrived in the first subsystem, wherein each of the first, second and third subsystems additionally includes a comparator which is configured to cyclically compare the first, second and third output data with one another and, in an event of a comparison in which a result is that all the output data is the same, no further action is performed, and in an event of a comparison in which deviations between the items of output data are established, a subsystem of the first, second and third subsystems, in which the deviations of its own output data from the other output data are greatest, is recognized as being faulty via a majority decision, a deviation detector being provided for this purpose; wherein the first subsystem is further configured to transfer the first application relationship from an active state into a passive state in the event that the first subsystem has been recognized as being faulty; wherein the second subsystem is further configured to transfer the second application relationship from the passive state into an active state, whereby from now on the second output data is made available via the output device for the process, a first follow-up system being formed from the first subsystem and the second subsystem, and a second follow-up system being formed from the first subsystem and the third subsystem; and wherein the first subsystem is configured to provide synchronization data for the first follow-up system and the second follow-up system via multicast-based communication.

    20. The redundant automation system as claimed in claim 19, wherein the second acknowledgement output device is configured to send a second cycle acknowledgement to the first subsystem and the third acknowledgement output device is configured to send a third cycle acknowledgement to the first subsystem and the first subsystem is configured to start a new first program cycle only when all the acknowledgements have arrived.

    21. The redundant automation system as claimed in claim 19, wherein at least one subsystem is arranged in an IT infrastructure as a virtual subsystem formed as a service.

    22. The redundant automation system as claimed in claim 20, wherein at least one subsystem is arranged in an IT infrastructure as a virtual subsystem formed as a service.

    Description

    BRIEF DESCRIPTION OF THE DRAWINGS

    [0035] The drawing shows an exemplary embodiment of the invention, in which:

    [0036] FIG. 1 shows a redundant automation system, formed in a 2-out-of-3 configuration in accordance with the invention;

    [0037] FIG. 2 shows the automation system of FIG. 1 in a detailed illustration with regard to the subsystems;

    [0038] FIG. 3 shows the principle of the comparator in accordance with the invention;

    [0039] FIG. 4 shows a table illustrating the determination of a deviation frequency for a particular subsystem in accordance with the invention;

    [0040] FIG. 5 shows a block diagram, where a subsystem is arranged in a cloud;

    [0041] FIG. 6 shows a detailed illustration of a subsystem explaining release mechanism in accordance with the invention; and

    [0042] FIG. 7 is a flowchart of the method in accordance with the invention.

    DETAILED DESCRIPTION OF THE EXEMPLARY EMBODIMENTS

    [0043] FIG. 1 shows a redundant automation system 100 for controlling a technical process. The redundant automation system 100 comprises a first subsystem 1, a second subsystem 2, a third subsystem 3 and an output device IO-Dev. The aforementioned subsystems 1,2,3 and the output device IO-Dev are connected via a communications network KN; the communications network is additionally shown symbolically at the side, in a structure that is customary today, such as for the internet. With the aid of this communications network KN, communication paths KP12, KP13, KP23 can be spanned between the subsystems 1,2,3. Accordingly, a first communication path KP12 exists between the first subsystem 1 and the second subsystem 2, a second communication path KP13 exists between the first subsystem 1 and the third subsystem 3, and a third communication path KP23 exists between the second subsystem 2 and the third subsystem 3.

    [0044] The first subsystem 1 is formed as a master and accordingly the first subsystem 1 can output first output data A1 with a first control program P1 with a first program cycle Z1 in a cycle-oriented manner via an active first application relationship AR1 to the output device IO-Dev.

    [0045] The second subsystem 2 is provided with a second control program P2 with a second program cycle Z2 and is in readiness, namely in a slave function, to provide second output data A2 for the output device IO-Dev via a second application relationship AR2.

    [0046] The third subsystem 3 is provided with a third control program P3 with a third program cycle Z3 and is likewise in readiness to provide third output data A3 for the output device IO-Dev via a third application relationship AR3, where the three subsystems 1,2,3 are furthermore configured to provide their calculated output data A1,A2,A3 to one another via the communication paths KP12, KP13, KP23.

    [0047] The second and the third subsystem 2,3 follow the first subsystem 1 in time, and the first subsystem 1 exchanges the required data asynchronously in time via the communication paths KP12, KP13. A first follow-up system N12 is formed from the first subsystem 1 and the second subsystem 2, and a second follow-up system N13 is formed from the first subsystem 1 and the third subsystem 3. The necessary synchronization data for the first follow-up system N12 and the second follow-up system N13 are identical and therefore advantageously have to be transmitted only once, via a multicast-based communication, from the first subsystem 1 to the other subsystems 2,3.

    [0048] The embodiment of the subsystems 1,2,3 will be discussed in more detail with reference to FIG. 2. The first subsystem 1 has a first acknowledgement output device QAM1; via this acknowledgement output device QAM1, the first control program P1 with its first program cycle Z1 can provide acknowledgements for the other subsystems 2,3 if, for example, the first program cycle Z1 has been completed or the first output data A1 is fully available. The first control program P1 writes the first output data A1 into a first process image PA1, from which it can be sent to the output device IO-Dev via the first application relationship AR1.

    [0049] In the configuration of the redundant automation system 100 now prevailing, however, the first subsystem 1 has the leading control role for the technical process, and the second subsystem 2 and the third subsystem 3 each send their second output acknowledgement AQ2 and their third output acknowledgement AQ3 to the first subsystem 1 via the second acknowledgement output device QAM2 and the third acknowledgement output device QAM3, respectively.

    [0050] As shown in FIG. 6, the first subsystem 1 has a release mechanism FSM that is configured to forward the first output data A1 to the output device IO-Dev only when the second output acknowledgement AQ2 and the third output acknowledgement AQ3 have arrived in the first subsystem 1.

    [0051] In order to detect a possible malfunction, each subsystem 1,2,3 according to FIG. 2 has a comparator V1,V2,V3, which is configured to cyclically compare the first, second and third output data A1,A2,A3 with one another and, in the event of a comparison in which all output data A1,A2,A3 are the same as a result, no further action is performed.

    [0052] However, in the event of a comparison in which deviations between the output data A1,A2,A3 are determined, the subsystem 1,2,3, in which the deviation of its own output data A1,A2,A3 from the other output data A1,A2,A3 is greatest, is recognized as being faulty via a majority decision ME.

    [0053] For this purpose, there is a deviation detector AEM, as shown in FIG. 3. In the first comparator V1, the deviation detector AEM is arranged which, via a majority decision ME, provides a deviation frequency AH with regard to a subsystem 1,2,3.

    [0054] FIG. 4 illustrates in a table how the majority decision ME is determined via a deviation frequency AH. The first column shows the subsystems 1,2,3 as they produce their output data A1,A2,A3. For the sake of simplicity, the second column represents standardized output data A1,A2,A3 in terms of their valence. From the third column onwards, the differences between the output data A1,A2,A3 are represented in terms of absolute value: the difference between the first output data A1 and the second output data A2, the difference between the first output data A1 and the third output data A3, and the difference between the second output data A2 and the third output data A3. In the first line T1, the deviation reads 1,0,-: seen from the first output data A1, there is a deviation of 1 from the second output data A2 and no deviation from the third output data A3, while the pair A2/A3 does not involve the first subsystem 1 and is therefore marked "-".

    [0055] The second line T2 shows the deviation 1,-,1, and the third line T3 shows the deviation -,0,1. This results in a deviation frequency AH in the second line for the second subsystem 2, since a deviation of 1 occurs twice there, which in total yields the valence 2. Based on the majority decision ME, it is therefore determined that the second subsystem 2 must be regarded as faulty. Program scenarios would now run in order to switch off the faulty subsystem: although the first subsystem 1 still has master functionality, the second subsystem 2 is switched off, so that it can no longer function as a redundant subsystem in the event of failure of the first subsystem 1; from now on only the third subsystem 3 could function as a redundant subsystem for a failed first subsystem 1.

    [0056] In the event that the first subsystem 1 is considered to be faulty, the deviation frequency AH would be found in the first line T1 of the first subsystem 1.
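    The FIG. 4 evaluation carried through in code, as an added example that is not part of the patent and not the applicant's own implementation: pairwise absolute differences of the output data, the T1..T3 rows with "-" for the pair a subsystem is not part of, the deviation frequency AH, and the majority decision ME. The sample output data (0, 1, 0), the `tolerance` parameter for the abstract's "approximately the same", and the rule that a tie (all three subsystems deviating from one another) yields no faulty subsystem are assumptions of this example.

```python
from itertools import combinations
from typing import Dict, Optional, Tuple

# Constructed sample in the style of the FIG. 4 table: standardized output data
# per subsystem (keys are the subsystem numbers 1, 2, 3). Values are illustrative.
SAMPLE_OUTPUTS: Dict[int, float] = {1: 0.0, 2: 1.0, 3: 0.0}


def pairwise_deviations(outputs: Dict[int, float]) -> Dict[Tuple[int, int], float]:
    """Absolute difference |Ai - Aj| for every pair of subsystems (i < j)."""
    return {(i, j): abs(outputs[i] - outputs[j])
            for i, j in combinations(sorted(outputs), 2)}


def fig4_table(outputs: Dict[int, float]) -> Dict[int, tuple]:
    """Rows T1..T3 of FIG. 4: per subsystem, the deviations of the pairs it belongs
    to, in the column order |A1-A2|, |A1-A3|, |A2-A3|; '-' marks the pair it is
    not part of."""
    devs = pairwise_deviations(outputs)
    pairs = sorted(devs)
    return {k: tuple(devs[p] if k in p else "-" for p in pairs)
            for k in sorted(outputs)}


def deviation_frequency(outputs: Dict[int, float],
                        tolerance: float = 0.0) -> Dict[int, float]:
    """Deviation frequency AH: for each subsystem, the sum of the deviations in its
    row that exceed `tolerance`. The tolerance models the abstract's 'approximately
    the same' and is an assumption; with standardized data and tolerance 0 the sum
    equals the number of deviating pairs, as in the FIG. 4 example."""
    ah = {k: 0.0 for k in outputs}
    for (i, j), d in pairwise_deviations(outputs).items():
        if d > tolerance:
            ah[i] += d
            ah[j] += d
    return ah


def majority_decision(outputs: Dict[int, float],
                      tolerance: float = 0.0) -> Optional[int]:
    """Majority decision ME: the subsystem with the greatest deviation frequency is
    faulty. Returns None when all output data agree within tolerance, and also when
    no single subsystem stands out (e.g. all three differ), since two of three cannot
    then outvote the third; that tie rule is an assumption, not the patent's."""
    ah = deviation_frequency(outputs, tolerance)
    worst = max(ah.values())
    if worst == 0:
        return None
    candidates = [k for k, v in ah.items() if v == worst]
    return candidates[0] if len(candidates) == 1 else None


if __name__ == "__main__":
    for row, cells in fig4_table(SAMPLE_OUTPUTS).items():
        print(f"T{row}: {cells}")
    print("AH:", deviation_frequency(SAMPLE_OUTPUTS))
    print("faulty subsystem:", majority_decision(SAMPLE_OUTPUTS))
```

    With the sample data the rows come out as T1 = (1, 0, -), T2 = (1, -, 1) and T3 = (-, 0, 1), AH is 1, 2, 1 for subsystems 1, 2, 3, and subsystem 2 is identified as faulty, which is exactly the case described for FIG. 4.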

    [0057] FIG. 5 shows the possibility of arranging at least one subsystem 1,2,3, namely the third subsystem 3, in an IT infrastructure as a virtual subsystem in the form of a service. The IT infrastructure therefore corresponds to a cloud C. Via an internet Int, the communication paths KP13 and KP23 to the other subsystems 1,2 can still be set up. The first subsystem 1 and the second subsystem 2, however, are located in a Local Area Network LAN such as exists, for example, on the production site of an industrial automation plant. This is advantageous because a redundant automation system 100 is set up in which a third physical subsystem 3 does not necessarily have to be placed on the production site, but is instead implemented as a backup solution in a cloud C, which offers a cost advantage; functionally, the third subsystem 3 would not differ from the second subsystem 2.

    [0058] FIG. 6 shows the release mechanism FSM again with regard to the acknowledgements. For example, in the first subsystem 1, the second output acknowledgement AQ2, the third output acknowledgement AQ3, the second cycle acknowledgement ZQ2 and the third cycle acknowledgement ZQ3 are combined via an AND operation and forwarded to the release mechanism FSM as a validity signal. Only then can the first output data A1 provided by the first process image PA1 of the first subsystem 1 be sent to the output device IO-Dev via the first application relationship AR1, for example via Profinet.

    [0059] FIG. 7 is a flowchart of the method for operating a redundant automation system 100 for controlling a technical process, where a first subsystem 1, a second subsystem 2, a third subsystem 3 and an output device IO-Dev for the process are operated in a communications network KN such that communication paths KP12,KP13,KP23 between them are utilized to exchange data.

    [0060] The method comprises forwarding, by the first subsystem 1 with a first control program P1 with a first program cycle Z1, first output data A1 to the output device IO-Dev in a cycle-oriented manner via a peripheral protocol PN, as indicated in step 710. Here, an active first application relationship AR1 is established between the first subsystem 1 and the output device IO-Dev for this purpose.

    [0061] Next, in parallel to the first subsystem 1, either (i) the second subsystem 2 with a second control program P2 with a second program cycle Z2 calculates second output data A2, or (ii) the third subsystem 3 with a third control program P3 with a third program cycle Z3 calculates third output data A3, in readiness for the assumption of control of the technical process, as indicated in step 720.

    [0062] Next, a passive second application relationship AR2 is established between the second subsystem 2 and the output device IO-Dev, and a passive third application relationship AR3 is established between the third subsystem 3 and the output device IO-Dev, as indicated in step 730.

    [0063] In accordance with the method, the first, second and third subsystems 1,2,3 are operated such that the first, second and third subsystems 1,2,3 have knowledge of one another via respective calculated output data A1, A2, A3.

    [0064] In accordance with the method, the second subsystem 2 sends a second output acknowledgement AQ2, and the third subsystem 3 sends a third output acknowledgement AQ3 to the first subsystem 1.

    [0065] Furthermore, the first subsystem 1 forwards the first output data A1 to the output device IO-Dev only when the second output acknowledgement AQ2 and third output acknowledgement AQ3 have arrived in the first subsystem 1.

    [0066] In accordance with the method, moreover, in each subsystem of the first, second and third subsystems 1,2,3, a comparator V1,V2,V3 is cyclically operated, which compares the first, second and third output data A1,A2,A3 with one another, and the respective comparators V1,V2,V3 are operated such that no further action is performed for each comparison in which all output data A1, A2, A3 are the same as a result.

    [0067] In accordance with the method, in a comparison in which deviations between items of output data are established, that subsystem of the first, second and third subsystems 1,2,3 is recognized as being faulty via a majority decision ME in which deviations of its own output data A1,A2,A3 from other output data A1,A2,A3 are greatest, and on the basis of this result.

    [0068] In accordance with the method, in an event that the first subsystem 1 has been identified as being faulty, the second application relationship AR2 is transferred from the passive state into an active state and the first application relationship AR1 is correspondingly transferred from the active state into a passive state, and from then on the second output data A2 is provided for the process via the output device IO-Dev.

    [0069] In accordance with the method, the second and the third subsystems 2,3 follow the first subsystem 1 in time and the first subsystem 1 implements exchanges of data via the communication paths KP12,KP13 asynchronously in time.

    [0070] In accordance with the method, a first follow-up system N12 is formed from the first subsystem 1 and the second subsystem 2 and a second follow-up system N13 is formed from the first subsystem 1 and the third subsystem 3.

    [0071] In accordance with the method, synchronization data for the first follow-up system N12 and the second follow-up system N13 is identical and is transmitted by the first subsystem 1 via multicast-based communication.
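    The release mechanism of FIG. 6 and the failover steps of the method above ([0064] to [0068], and claim 18 for the case where the second subsystem has taken over), as an added example that is not part of the patent and not the applicant's own implementation. It models the master's view: output acknowledgements AQn and cycle acknowledgements ZQn from the standbys are AND-combined before output data is released to IO-Dev, a new program cycle starts only after all cycle acknowledgements, and a faulty master transfers its active application relationship to the second subsystem. The class and method names, the numeric sample data, and the fallback to the third subsystem when the second is already out of service are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Acknowledgement kinds, named as in the patent: AQ = output acknowledgement,
# ZQ = cycle acknowledgement.
OUTPUT_ACK = "AQ"
CYCLE_ACK = "ZQ"


@dataclass
class ApplicationRelationship:
    """Application relationship ARn between subsystem n and the output device IO-Dev."""
    subsystem: int
    active: bool = False


class RedundantSystem:
    """Model of the three subsystems as seen from the leading (master) subsystem."""

    def __init__(self) -> None:
        # Subsystem 1 starts as master with the only active AR; 2 and 3 are passive.
        self.ar: Dict[int, ApplicationRelationship] = {
            n: ApplicationRelationship(n, active=(n == 1)) for n in (1, 2, 3)}
        self.healthy: Set[int] = {1, 2, 3}
        self.acks: Set[Tuple[str, int]] = set()    # acknowledgements of this cycle
        self.device_value: Optional[float] = None  # last value forwarded to IO-Dev
        self.cycle = 0

    def master(self) -> Optional[int]:
        return next((n for n, ar in self.ar.items() if ar.active), None)

    def standbys(self) -> Set[int]:
        return {n for n in self.healthy if n != self.master()}

    def receive_ack(self, kind: str, source: int) -> None:
        """Record AQn/ZQn from a standby; acknowledgements from a subsystem already
        taken out of service are ignored."""
        if source in self.standbys():
            self.acks.add((kind, source))

    def _all_acks(self, kind: str) -> bool:
        # AND operation over the acknowledgements of every standby still in service.
        return all((kind, n) in self.acks for n in self.standbys())

    def release(self, output_data: Dict[int, float]) -> bool:
        """Release mechanism FSM (FIG. 6): the master's output data reaches IO-Dev
        only when the output acknowledgement of every standby has arrived."""
        m = self.master()
        if m is None or not self._all_acks(OUTPUT_ACK):
            return False
        self.device_value = output_data[m]
        return True

    def start_next_cycle(self) -> bool:
        """A new program cycle starts only when all cycle acknowledgements arrived."""
        if self.master() is None or not self._all_acks(CYCLE_ACK):
            return False
        self.cycle += 1
        self.acks.clear()
        return True

    def mark_faulty(self, subsystem: int) -> None:
        """Apply the majority decision ME. A faulty standby is taken out of service;
        a faulty master transfers its AR into the passive state and the AR of the
        second subsystem becomes active (the third if the second is already out of
        service: that fallback order is an assumption of this model)."""
        self.healthy.discard(subsystem)
        self.acks = {a for a in self.acks if a[1] != subsystem}
        if self.ar[subsystem].active:
            self.ar[subsystem].active = False
            if self.healthy:
                self.ar[min(self.healthy)].active = True


if __name__ == "__main__":
    s = RedundantSystem()
    data = {1: 10.0, 2: 10.0, 3: 10.0}   # constructed output data A1, A2, A3
    print("release before acknowledgements:", s.release(data))
    s.receive_ack(OUTPUT_ACK, 2)
    s.receive_ack(OUTPUT_ACK, 3)
    print("release after AQ2, AQ3:", s.release(data), "-> IO-Dev =", s.device_value)
    s.mark_faulty(1)
    print("master after failover:", s.master(), "standbys:", s.standbys())
```

    After `mark_faulty(1)` the model only waits for acknowledgements from the third subsystem 3, which is the behaviour claim 18 describes once the second subsystem 2 forwards its output data via the now active second application relationship AR2.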

    [0072] Thus, while there have been shown, described and pointed out fundamental novel features of the invention as applied to a preferred embodiment thereof, it will be understood that various omissions and substitutions and changes in the form and details of the methods described and the devices illustrated, and in their operation, may be made by those skilled in the art without departing from the spirit of the invention. For example, it is expressly intended that all combinations of those elements and/or method steps which perform substantially the same function in substantially the same way to achieve the same results are within the scope of the invention. Moreover, it should be recognized that structures and/or elements and/or method steps shown and/or described in connection with any disclosed form or embodiment of the invention may be incorporated in any other disclosed or described or suggested form or embodiment as a general matter of design choice. It is the intention, therefore, to be limited only as indicated by the scope of the claims appended hereto.