1. Patent Search
  2. Details

PROCESS DATA SYNCHRONIZATION BETWEEN REDUNDANT PROCESS CONTROLLERS

20180364673 ยท 2018-12-20

    Inventors

    Cpc classification

    International classification

    Abstract

    A fault-tolerant industrial control system includes a redundant controller including a first process controller (CP1) including a first processor with a first associated memory, and a parallel connected second redundant process controller (CP2) including a second processor with a second associated memory. A redundancy link is between CP1 and CP2 for sharing data. CP1 and CP2 include logic gates exclusive of any conditional branching for performing data synchronization and calculations including a different logical arrangement for providing each of a digital output (DO), a digital input (DI), an analog input (AI), and an analog output (AO). At least one input/output (IO) module includes a first IO processor including a first memory coupled by a first leg to CP1 and by a second leg to CP2. The IO module is coupled to field devices that are coupled to processing equipment.

    Claims

    1. A fault-tolerant industrial control system, comprising: a redundant controller including a first process controller (CP1) including a first processor with a first associated memory, and a parallel connected second redundant process controller (CP2) including a second processor with a second associated memory; a redundancy link between said CP1 and CP2 for sharing data between said CP1 and said CP2; said CP1 and said CP2 comprising logic gates exclusive of any conditional branching for performing data synchronization and calculations including a different logical arrangement for providing each of a digital output (DO), a digital input (DI), an analog input (AI), and an analog output (AO), and at least one input/output (IO) module including a first IO processor including a first memory coupled by a first leg to said CP1 and by a second leg to said CP2, wherein said IO module is coupled to field devices that are coupled to processing equipment.

    2. The fault-tolerant control system of claim 1, wherein said logic gates for said DO, DI, AI, and AO each include AND gates, OR gates, and XOR gates.

    3. The fault-tolerant control system of claim 1, wherein said at least one IO module consists of a single IO module.

    4. The fault-tolerant control system of claim 1, wherein said at least one IO module comprises a first IO module and parallel connected second IO module.

    5. The fault-tolerant control system of claim 1, wherein said CP1 and said CP2 both comprise a programmable logic controller (PLC).

    6. The fault-tolerant control system of claim 1, wherein said first associated memory and second associated memory are both configured to have stored property data for a plurality of channels including properties comprising scan values, output status data, override flags, and override values organized per said property.

    7. The fault-tolerant control system of claim 1, wherein said first associated memory and second associated memory are both configured to have stored property data for plurality of channels including properties comprising scan values, output status data, override flags, and override values per said plurality of channels.

    8. A method of process data synchronization between redundant process controllers of a fault-tolerant industrial control system, comprising: providing a redundant controller including a first process controller (CP1) including a first processor with a first associated memory, and a parallel connected second redundant process controller (CP2) including a second processor with a second associated memory, a redundancy link between said CP1 and CP2 for sharing data between said CP1 and said CP2, said CP1 and said CP2 comprising logic gates exclusive of any conditional branching for performing data synchronization and calculations including a different logical arrangement for providing each of a digital output (DO), a digital input (DI), an analog input (AI), and an analog output (AO), and at least one input/output (IO) module including a first IO processor including a first memory coupled by a first leg to said CP1 and by a second leg to said CP2, wherein said IO module is coupled to field devices that are coupled to processing equipment; organizing property data for a plurality of channels received including properties comprising scan values, output status data, override flags, and override values in said first associated memory and in said second associated memory, and performing logical operations using said logic gates to generate said DO, said DI, said AI, and said AO.

    9. The method of claim 8, wherein said logic gates for said DO, DI, AI, and AO each include AND gates, OR gates, and XOR gates.

    10. The method of claim 8, wherein said at least one IO module consists of a single IO module.

    11. The method of claim 8, wherein said at least one IO module comprises a first IO module and parallel connected second IO module.

    12. The method of claim 8, wherein said organizing property data comprises organizing per said property.

    13. The method of claim 8, wherein said organizing property data comprises organizing per channel for each of said plurality of channels.

    Description

    BRIEF DESCRIPTION OF THE DRAWINGS

    [0012] FIG. 1 shows an example industrial control system including a redundant process controller arrangement including a primary process controller and a redundant secondary controller both coupled through IOs to control the same processing equipment, according to an example embodiment.

    [0013] FIGS. 2A and 2B each depict one possible method of performing memory organization for controller memory being organized per property shown in FIG. 2A and organized per point shown in FIG. 2B.

    [0014] FIG. 3A depicts system components associated with example redundant legs A and B in a redundant IO module arrangement.

    [0015] FIG. 3B depicts system components associated with a non-redundant IO module arrangement which explains the redundant channel value used with FIGS. 5A-D described below.

    [0016] FIG. 4 shows a redundant process controller coupled to a redundant IO module.

    [0017] FIG. 5A shows an example all logic implementation exclusive of any conditional branching for process controller DO calculations that provides DO synchronization for redundant process controllers, according to an example embodiment.

    [0018] FIG. 5B shows an example all logic implementation exclusive of any conditional branching for process controller DI synchronization for redundant process controllers, according to an example embodiment.

    [0019] FIG. 5C shows an example all logic implementation exclusive of any conditional branching for process controller AI synchronization for redundant process controllers, according to an example embodiment.

    [0020] FIG. 5D shows an example all logic implementation exclusive of any conditional branching for process controller AO calculations that provides AO synchronization for redundant process controllers, according to an example embodiment.

    DETAILED DESCRIPTION

    [0021] Disclosed embodiments are described with reference to the attached figures, wherein like reference numerals, are used throughout the figures to designate similar or equivalent elements. The figures are not drawn to scale and they are provided merely to illustrate aspects disclosed herein. Several disclosed aspects are described below with reference to example applications for illustration. It should be understood that numerous specific details, relationships, and methods are set forth to provide a full understanding of the embodiments disclosed herein.

    [0022] Also, the terms coupled to or couples with (and the like) as used herein without further qualification are intended to describe either an indirect or direct electrical connection. Thus, if a first device couples to a second device, that connection can be through a direct electrical connection where there are only parasitics in the pathway, or through an indirect electrical connection via intervening items including other devices and connections. For indirect coupling, the intervening item generally does not modify the information of a signal but may adjust its current level, voltage level, and/or power level.

    [0023] FIG. 1 shows an example fault-tolerant industrial control system 100 comprising a redundant process controller 140 shown as comprising a first process controller (CP1) including a first CPU or first processor shown as processor 120 including a first associated memory 121, and a second redundant process controller (CP2) including a second CPU or processor shown as processor 130 including a second associated memory 131. The memories 121 and 131 generally comprise a battery backed-up random access memory (RAM), or some other non-volatile memory. The processors 120, 130 can comprise a microprocessor, digital signal processor (DSP), or a microcontroller unit (MCU).

    [0024] A redundancy link 135 is for sharing data between CP1 and CP2. The redundancy link 135 does not perform any calculations. The distributed data shared between the CPs includes a plurality of channel configurations comprising DO, DI, AI and AO. FIGS. 5A-5D described below shows example all logic gate implementations for process controller synchronization of AI and DI and calculation of synchronized AO and DO, that can be used by CP1 and CP2 to ensure process controller synchronization for redundant process controllers.

    [0025] A redundant IO module 160 comprises a first IO module (IOM) 150 and a second IOM 155 that are between the process controller 140 and field devices comprising sensors 112 and actuators 113 which are coupled to processing equipment 114. The first IOM 150 and a second IOM 155 are shown receiving a channel (ch) shown as ch17 input from the sensors 112 and transmitting a ch shown as a ch2 output (AO or DO received from their CP) to the sensors 112 and to the actuators 113.

    [0026] The link 170 shown between the first IOM 150 and a second IOM 155 is the redundancy link between these redundant IOM. The IOMs 150 and 155 generate what is termed scan values (AI and DI) and output status values from the data received from the field devices 112, 113 which is used by the process controller during scan times. During a scan cycle by process controllers CP1 and CP2, as with other process controllers, there are 5 main steps, comprising reading the scan values, output status, as well as the override values and override flags from the supervisory computer, executing the program, processing communication requests, executing controller diagnostics, and using the scan values from the IO(s) along with output status, override flags and override values from the supervisory computer for calculating and writing outputs comprising AOs and DOs.

    [0027] A first connection leg (shown as LegA) is shown connecting CP1 to the first IOM 150, and a second connection leg (shown as LegB) is shown connecting CP2 to the second IOM 155. In operation CP1 receives scan values and output status values from first IOM 150 over LegA and CP2 receives the scan values output status values from second IOM 155 over LegB. The legs can be wireless, or wired legs such as utilizing Ethernet.

    [0028] As described above, the data synchronization and calculations performed by CP1 and CP2 has no conditional branching. An example of conditional branching is an IF (condition is true) THEN do ELSE do, so that for each channel the logical operation and calculation is performed by the process controllers CP1 and CP2 independent of state or condition (states such as used with IF (condition is true) THEN do ELSE do. After distribution of synchronized AI and DI data generated by one process controller over the redundancy link 135 this synchronized AI, DI data is stored in the other process controller's memory 121 or 131 which is enabled by disclosed memory organization. Memory organization performed by the process controllers, CP1 and CP2 takes care of gathering all the property information (properties comprising scan values, output status values, override flags and override values) and putting it into memory before sending it over the redundancy link 135 as one block or multiple blocks of data.

    [0029] FIGS. 2A and 2B collectively depicts two example methods of performing memory organization that can be utilized by disclosed process controllers. The properties in FIG. 2A and 2B shown are scan values (AI and DI), output status, override flags, and override values. The organized per property shown in FIG. 2A is suited for the logic calculations shown as arrows pointing down with channel properties per column of memory. The organized per point method shown in FIG. 2B has the channel properties kept together in row blocks of memory. Either of these two example methods of performing memory organization may be used with disclosed embodiments.

    [0030] FIG. 3A depicts example system components associated with redundant leg A and leg B shown in FIG. 1 in a redundant IO module arrangement that are linked through their respective process controllers by the redundancy link 135. Processor 120 is powered by power supply 310, while processor 130 is powered by power supply 320. The IOM associated with LegA comprises input 311 and output 312. The IOM associated with LegB comprises input 321 and output 322.

    [0031] As noted above in operation the processor 120 receives scanned data values and output status values from the input 311 of its IOM over LegA and processor 120 receives the scanned values output status values from the input 321 of its IOM over LegB. Disclosed processors as well their associated IOs can all be combined in the same process controller module as shown in FIG. 1 and FIG. 3A, or the processors can be in one module and their inputs and outputs can be stored in separate process controller modules. Redundant IO as shown in FIG. 3A has the redundant channel value as used with FIGS. 5A, 5B, 5C, 5D set to logical 1 (high).

    [0032] FIG. 3B depicts example system components associated with non-redundant IO shown as input 311 and output 312 connected to both of the redundant leg A and leg B associated with the process controllers shown in FIG. 1 that are linked by redundancy link 135. Leg A is associated with processor 120 and Legb with processor 130. Non-redundant IO has the redundant channel value as used with FIG. 5A, 5B, 5C, 5D set to logical 0 (low).

    [0033] FIG. 4 depicts a redundant process controller 140 along with a redundant IO module 160 comprising IOMs 150 and 155. The IOMs 150 and 155 are each shown having modules at Node 1, with IOM 1.1 for IOM 150 and IOM 1.2 for IOM 155 at Node 1, and at Node 2 with IOM 2.1 for IOM 150 and IOM 2.2 for IOM 155. There is a redundancy link 170 shown at each node.

    [0034] The IOMs 150 including IOM 1.1 and IOM 2.1 are connected by Leg A to CP1, and IOMs 155 including IOM 1.2 and IOM 2.2 are connected by Leg B to CP2. The redundant process controller 140 performs some checks on the property data including scan data values (AI and DI) and output status values received from the IOMs 150, 155, and also performs logic calculations on the property data received to generate synchronized AI and DI, and calculates synchronized output control values AO and DO. Disclosed PV synchronization and calculation as described above provides synchronization, checking and the necessary fault reaction that the redundant process controller 140 performs. The input values and output values are scanned and controlled by the IOMs 150 and 155. The IO modules 150, 155 periodically provide the scan values and output status values to the redundant process controller 140 and the redundant process controller 140 sends the synchronized output values (AO and DO) to the IOMs 150, 155.

    [0035] In operation, during each control cycle CP1 receives the property data including scan values and output status values from the IO modules 1.1 and 2.1 over LegA. CP2 receives the property data including scan values and output status values from IO module 1.2 and 2.2 over LegB. CP1 and CP2 exchange all the data comprising scan values (AI and DI), output status values, and override values, and override flags over the redundancy link 135 so that both CP1 and CP2 have the values from both Leg A and Leg B. CP1 and CP2 will each perform synchronization and calculations with an all logic implementation, and CP1 and CP2 will each generate output values AO and DO. Due to the synchronization and calculation it is guaranteed that CP1 and CP2 will receive the same input values (scan values, output status, override flags and override values) at essentially the same time (to be in the same control cycle) and calculate and then transmit the same output values AO and DO.

    EXAMPLES

    [0036] Disclosed embodiments are further illustrated by the following specific Examples, which should not be construed as limiting the scope or content of this Disclosure in any way. The input channel being redundant or non-redundant is handled by disclosed logic by setting to logical 1 when the channel is redundant, and by setting to logical 0 when the channel is non-redundant. Output status values disclosed above are shown in FIGS. 5A-D as actual output values.

    [0037] FIG. 5A shows an example all logic implementation exclusive of any conditional branching for process controller DO PV calculations that provides DO synchronization for redundant process controllers. With every important logical output there is a number shown as 1 to 26 in FIG. 5A which is explained in detail below. The store function box 540 shown is provided to avoid overwriting the values of the other data types. For example, to prevent that the result of the DO-sync in FIG. 5A overwriting memory locations assigned to DI in FIG. 5B. The store function box 540 can thus enable mixing data types.

    Note 1: the Store: actual output status invalid LegX 510 in the upper-left of FIG. 5A takes effect on the same control cycle so that an actual vs. scan value mismatch will result in a bad status and fault-reaction being applied on the same control cycle.
    Note 2: As pre-processing in case of redundant configurations with one CP inactive (e.g. powered down) the active CP will copy its own values to its data buffers (see memory 121 and memory 131 in FIG. 1) that are normally filled with the PV values (AI, DI) received from the redundant CP. This assures that even if the redundant CP is disconnected or powered-off, the memory locations assigned to the redundant CP hold valid scan, output status, override flags and override value data. Having valid data in all buffers avoids exceptions in the synch functions and assures redundant CP-state independent execution times.
    Note 3: For labels 6, 7 and 13 open loop is not mentioned in FIG. 5A as it has no influence on the calculated DO value. For the short circuit situation it is different as the software (run by the process controller) de-energizes (drive to low, logical 0) the DO when it is known that there is a short circuit.
    Label 1, 2: Comparing (XOR) the actual output value LegX with scan value LegX asserts that the output value did not change since the last update. As the scan value is read from the IO module a difference is either caused by a random IO module hardware fault or a random process controller hardware fault. Being an XOR gate, when the actual output value (referred to with actual output value LegX) and the expected (referred to with scan value LegX) are equal the output of the XOR gate is low.
    Label 3: Comparing (XOR) the scan values of both legs in a redundant configuration asserts that redundant scan values have an identical value. To reduce the number of checks the filtering for redundancy and channel health can be designed as overall post-check, where if a channel is faulty or not redundant the compare errors are suppressed. As the compare is between CP memory cells, a difference is caused by a random CP hardware fault. When both scan values are equal the output of the XOR gate is low.
    Label 4: Comparing (XOR) the actual output values of both legs in a redundant configuration asserts that redundant outputs have an identical value. To reduce the number of checks the filtering for redundancy and channel health is designed as overall post-check: if a channel is faulty or not redundant the compare errors are suppressed. As the compare is between CP memory cells a difference is caused by a random CP hardware fault.
    Label 3, 4, 5, 6, 7, 8, 10, 11: Compares difference for a redundant channel Store the output compare fault LegA 515 and the output compare fault LegB 520.
    Label 12, 13, 14, 15, 16, 17, 18, 19: are application values with a fault reaction applied.
    Label 16: Comparing the application values calculated by redundant CPs asserts that both CPs calculated identical output values. As redundant CP are always running identical firmware and application any difference is caused by either a random CP hardware fault or an input synchronization fault (software).
    Label 20, 21, 22: Application value with an override value applied.

    [0038] Labels 23, 24, 25, 26: Application value with On-line modification (OLM) applied. In a redundant configuration both CP1 and CP2 always execute the On-Line Modification (OLM) which allows one to change one or more channels from for example DI to AI or to add a new channel without losing the values from the previously configured channels. This allows no-break process control) simultaneously. The OLM flags are synchronized before use. Label 26 is the input which is stored as store actual output value LegX 525.

    [0039] FIG. 5B shows an example all logic implementation exclusive of any conditional branching for process controller DI synchronization for redundant process controllers, according to an example embodiment. With every significant logical output there is a number shown in FIG. 5B which is explained in detail below:

    Note 1: Compare timer functionality; if the two legs have a different channel status then both use the previous channel status for the duration of one control cycle.
    Label 1: Comparing the Scan values of both legs in a redundant configuration asserts that redundant scan values have an identical value.
    Label 1, 2, 3, 4, 5: Compare differences for a redundant channel. Start a compare timer.
    Label 9, 10: Use previous value LegX when there is difference between Legs.
    Label 2, 6, 7, 8, 11, 12, 13, 14, 15, 16: At least one healthy channel which has a valid scan value, so scan value is passed for LegX.
    Label 17, 18, 19, 20, 21, 22, 23, 37, 38: Determines if a fault reaction must be applied for LegX.
    Label 37: Indicates that channel LegA is healthy and there is no open and no short. Outcome of this logical function is used as input elsewhere in FIG. 5B diagram as label health LegA.
    Label 38: Indicates that channel LegB is healthy and there is no open and no short. Outcome of this logical function is used as input elsewhere in FIG. 5B as label health LegB.
    Label 24, 25, 26, 27: Applies a fault reaction for LegA. Although three fault reactions can be configured, only one fault reaction can be active: [0040] 1. freeze; takes the application value LegA as input meaning it freezes the value to the previous application value. [0041] 2. scan; takes the scan value LegA meaning it will (try to) follow the field. [0042] 3. fixed; the configured value is taken as is.
    Label 28: Same as label 27 for LegB.
    Override and store logic Lega block 538 comprises labels 29-32. Label 29: Combination of the previous value (due to compare timer), the scan (actual value) and fault reaction value (channel is faulty) for LegA. For non-redundant IO module the first module could be connected to LegA and the second module to LegB. To support this one uses the synced value from that Leg.
    Label 30, 31, 32: Application value with fault reaction and override applied for LegA.
    Override and store logic Legb block 539 comprises labels 33-36. Label 33: Combination of the previous value (due to the compare timer 528), the scan (actual value) and fault reaction value (channel is faulty) for LegB. For non-redundant IO module the first module could be connected to LegA and the second module to LegB. To support this need one uses the synced value from that Leg.
    Label 34, 35, 36: Application value with fault reaction and override applied for LegB.
    The Store function box 540 shown described above is also included in FIG. 5B.

    [0043] FIG. 5C shows an example all logic implementation exclusive of any conditional branching for process controller AI calculations for redundant process controllers that provides that provides AI synchronization, according to an example embodiment. With every important logical output there is a number shown in FIG. 5C which is explained in detail below:

    Note 1: Compare timer functionality; if the two legs have a different channel status then both shall use the previous channel status for the duration of one application cycle.
    Note 2: For labels 2, 3 and 17 open loop and short circuit are not mentioned in FIG. 5C as it has no influence on the calculated AI value.
    Label 1: Comparing the Scan values of both legs in a redundant configuration asserts that redundant scan values have a value within a band.
    Label 1, 2, 3, 4, 5: Compare difference for a redundant channel. Start compare timer.
    Label 6, 7: Use previous value LegX when there is difference between Legs.
    Label 2, 3, 8, 9, 10, 11, 12, 13, 14, 15, 16: When both redundant channels are healthy take the average of the two scan values (label 10). When there is one healthy channel take the scan value for LegX (label 15 and 16).
    Label 17, 18, 19, 20, 21, 22, 23: Determine if fault reaction must be applied for LegX.
    Label 24, 25, 26, 27: Applies fault reaction for LegA. Three fault reactions can be configured, only one fault reaction can be active: [0044] 1. freeze; takes the application value LegA as input meaning it freezes the value to the previous application value. [0045] 2. scan; takes the scan value LegA meaning it will (try to) follow the field. [0046] 3. fixed; the configured value is taken as is.
    Label 28: Same as label 27 for LegB.
    As with FIG. 5B Override and store logic Lega block 538 comprises labels 29-32. Label 29: Combination of the previous value (due to compare timer), the scan (actual value) and fault reaction value (channel is faulty) for LegA. For non-redundant IO module the first module could be connected to LegA and the second module to LegB. To support this need one uses the synced value from that Leg.
    Label 30, 31, 32: Application value with fault reaction and override applied for LegA.
    As with FIG. 5B Override and store logic Legb block 539 comprises labels 33-36. Label 33: Combination of the previous value (due to compare timer), the scan (actual value) and fault reaction value (channel is faulty) for LegB. For non-redundant IO module the first module could be connected to LegA and the second module to LegB. To support this need one uses the synced value from that Leg.
    Label 34, 35, 36: Application value with fault reaction and override applied for LegB.
    The store function box 540 shown described above is also included in FIG. 5C.

    [0047] FIG. 5D shows an example all logic implementation exclusive of any conditional branching for process controller AO PV calculations that provides AO synchronization for redundant process controllers, according to an example embodiment. With every important logical output there is a number shown in FIG. 5D which is explained in detail below:

    Note 1: the Store: actual output status invalid LegX in the upper-left of the FIG. 5D takes effect on the same cycle. I.e., an actual vs. scan value mismatch will result in a bad status and fault-reaction being applied on the same cycle.
    Note 2: For labels 5, 6 and 13 open loop is not mentioned in this FIG. 5D as it has no influence on the calculated DO value. For the short it is different as there one wants the software to de-energize the DO when it is know that there is a short circuit.
    Label 1, 2: Comparing (XOR) the actual output value with scan value asserts that the output value did not change since the last update. As the scan value is read from the IO module a difference is either caused by a random IO module hardware fault or a random CPM hardware fault. When both scan values are equal the output of the logic gate is low.
    Label 3: Comparing (XOR) the Scan values of both legs in a redundant configuration asserts that redundant scan values have an identical value. To reduce the number of checks the filtering for redundancy and channel health is designed as overall post-check: if a channel is faulty or not redundant the compare errors are suppressed. As the compare is between CP memory cells a difference is caused by a random CP hardware fault. When both scan values are equal the output of the logic gate is low.
    Label 4: Comparing (XOR) the actual output values of both legs in a redundant configuration asserts that redundant outputs have an identical value. To reduce the number of checks the filtering for redundancy and channel health is designed as overall post-check: if a channel is faulty or not redundant the compare errors are suppressed. As the compare is between CP memory cells a difference is caused by a random CP hardware fault.
    Label 3, 4, 5, 6, 7, 8, 10, 11: Compare difference for a redundant channel Store output compare fault.
    Label 12, 13, 14, 15, 16, 17, 18, 19: Application value with fault reaction applied.
    Label 20, 21, 22: Unscaled application value with override applied.
    Label 23, 24, 25, 26: Unscaled application value with OLM applied. The store function box 540 shown described above is also included in FIG. 5D.

    [0048] One having ordinary skill in the relevant art, however, will readily recognize that the disclosed embodiments can be practiced without one or more of the specific details or with other methods. In other instances, well-known structures or operations are not shown in detail to avoid obscuring aspects disclosed herein. Disclosed embodiments are not limited by the illustrated ordering of acts or events, as some acts may occur in different orders and/or concurrently with other acts or events. Furthermore, not all illustrated acts or events are required to implement a methodology in accordance with this Disclosure.

    [0049] While various disclosed embodiments have been described above, it should be understood that they have been presented by way of example only, and not as a limitation. Numerous changes to the disclosed embodiments can be made in accordance with the Disclosure herein without departing from the spirit or scope of this Disclosure. Thus, the breadth and scope of this Disclosure should not be limited by any of the above-described embodiments. Rather, the scope of this Disclosure should be defined in accordance with the following claims and their equivalents.