Method of protecting redundant servers coupled to a manufacturing executing system

09696715 · 2017-07-04

Abstract

A method protects at least two redundant servers. The redundant servers act as main and shadow interfaces between respectively at least two redundant process servers coupled to a manufacturing execution system and at least two redundant control servers coupled to an automation part. Each of the servers is configured to receive automation data from each of the redundant control servers. A time of receipt and a tag are extracted from the automation data and are registered in a database coupled with the servers. If one of the tags is registered within a predefined delay after the time of receipt of the other tag, the server with the older time of receipt is set up as the main interface and the other server is set up as the shadow interface.

Claims

1. A method for protecting at least two redundant servers, the redundant servers acting as main and shadow interfaces between respectively at least two redundant process servers coupled to a manufacturing execution system and at least two redundant control servers coupled to an automation part, which comprises the steps of: configuring each of the redundant servers to receive automation data from each of the redundant control servers; extracting a time of receipt and a tag from each of the automation data and registering times of receipt and tags in a database coupled with the redundant servers; and setting one of the redundant servers to function as the main interface and another one of the redundant servers to function as the shadow interface dependent on a time of receipt of the automation data, wherein the one of the redundant servers having the automating data with an older time of receipt is set to function as the main interface and the other one of the redundant servers is set to function as the shadow interface, if one of the tags is registered within a predefined delay after the time of receipt of the other tag.

2. The method according to claim 1, wherein if one of the tags is registered later than the predefined delay after the time of receipt of the other tag, the one of the redundant servers with a previous time of receipt is set to function as the main interface and the other one of the redundant servers is set to function as the shadow interface.

Description

BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWING

(1) FIG. 1 is a block diagram of an interface between a MES and a batch system PLC containing a plurality of PLC units;

(2) FIG. 2 is an illustration showing how a main server receives newer automation data than a shadow server;

(3) FIG. 3 is an illustration showing that the main server does not receive any automation data; and

(4) FIG. 4 is an illustration showing how the shadow server receives newer automation data than the main server.

DETAILED DESCRIPTION OF THE INVENTION

(5) Referring now to the figures of the drawings in detail and first, particularly to FIGS. 2-4 thereof, there is shown a schematic analysis within a database DB according to the system shown in FIG. 1, in the case of a failure by the redundant EPE-servers EPE1, EPE2 (each one containing serial coupled EPE-servers 11, 12 and 21, 22).

(6) Principally, according to FIG. 1 and to one of FIGS. 2-4, the present invention focuses on a method of protecting at least two redundant servers (EPE1, EPE2), the servers acting as the main and shadow interfaces between respectively at least two redundant process servers (PI1, PI2) coupled to a manufacturing execution system (MES) and at least two redundant control servers (OPC1, OPC2) coupled to an automation part (PLC). Each of the servers (EPE1, EPE2) is configured to receive automation data from each of the redundant control servers (OPC1, OPC2). A time of receipt (d1, d2) and a tag (T1, T2) are extracted from the automation data and are registered in a database coupled with the servers (EPE1, EPE2). A failure detection process is performed in real time within the database by analyzing the times of receipt (d1, d2) of each tag (T1, T2) of the redundant automation data. If one of the tags (T1, T2) is registered within a predefined delay after the time of receipt of the other tag, the server with the older time of receipt is set up as the main interface and the other server is set up as the shadow interface.

(7) Analogously, if one of the tags (T1, T2) is registered later than the predefined delay after the time of receipt of the other tag, the server with the previous time of receipt is set up as the main interface and the other server is set up as the shadow interface.

(8) FIG. 2 represents the first case, in which the main server EPE1 (MAIN) receives newer automation data than the shadow server EPE2 (SHADOW) according to FIG. 1 (in fact this data is received in a buffer at a database correlated to the server). Here this is detected in two steps A, B (for the redundant receipt of two successive tags T1, T2 at each of the main and shadow servers) by the detection of a newer time of receipt d1 (10:01) for the (last) tag T1 at the main server than the time of receipt (10:00) of the same tag at the shadow server. The detection also remains pending only within the predefined delay, which ensures that the detection ends by default. The main server EPE1 (MAIN) is hence free of any failure and there is no need to switch the data transmission to a redundant path, such as over the shadow server EPE2 (SHADOW).

(9) FIG. 3 (on the same principle as FIG. 2) represents the second case, in which the main server EPE1 (MAIN) no longer receives the automation data that the shadow server EPE2 (SHADOW) receives. This is detected from the fail state of an incoming tag T1 and consequently from the fail state of the time of receipt d1 of the corresponding tag at the main server EPE1 (MAIN). The fail state of the time of receipt d1 also results in the predefined delay, which is set to avoid any endless detection, being exceeded. At this stage the shadow server EPE2 (SHADOW) can replace the main server EPE1 (MAIN) without interruption and without loss of any data.

(10) FIG. 4 (on the same principle as FIG. 2 or 3) represents the third case, in which the shadow server EPE2 (SHADOW) receives newer automation data than the main server EPE1 (MAIN). This case is more complex because it does not mean that the main server EPE1 (MAIN) has a failure, since the automation data was received on both the main and shadow sides within the predefined time delay. It can be managed in the following manner:

(11) if within the predefined delay no change of the received tags T1, T2 occurs in the main or the shadow server, the main server stays as the main one;

(12) if within the predefined delay the main server receives a change of tag T1 to T2 after the same tag in the shadow server, see and apply the process described by FIG. 2; and

(13) if within the predefined delay the shadow server receives a change of tag after the same tag in the main server, see the process described by FIG. 3 or 4.
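The decision described for FIGS. 2-4 can be sketched as follows. This is an added example, not code from the patent: it follows the figure descriptions (within the predefined delay the current main keeps its role; beyond the delay the server with the earlier receipt is main). The names `Receipt`, `latest`, `elect`, the reason strings and the 2-minute delay are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Receipt:
    server: str         # "EPE1" or "EPE2"
    tag: str            # "T1", "T2", ...
    received: datetime  # time of receipt (d1, d2) registered in the database

def latest(db, server, tag):
    """Most recent time of receipt of `tag` at `server`, or None if never registered."""
    times = [r.received for r in db if r.server == server and r.tag == tag]
    return max(times) if times else None

def elect(db, tag, main, shadow, delay, now):
    """Return (main, shadow, reason) after comparing both receipts of `tag`."""
    d_main, d_shadow = latest(db, main, tag), latest(db, shadow, tag)
    if d_main is None and d_shadow is None:
        return main, shadow, "no-data"
    if d_main is None or d_shadow is None:
        seen = d_shadow if d_main is None else d_main
        if now - seen <= delay:
            return main, shadow, "pending"        # detection window still open
        if d_main is None:
            return shadow, main, "main-silent"    # FIG. 3: shadow takes over
        return main, shadow, "shadow-silent"
    if abs(d_main - d_shadow) <= delay:
        return main, shadow, "within-delay"       # FIGS. 2 and 4: no switch
    if d_main < d_shadow:
        return main, shadow, "shadow-late"        # earlier receipt stays main
    return shadow, main, "main-late"              # paragraph (7): earlier receipt wins

# Constructed sample data; the 2-minute delay and the date are assumed values.
DELAY = timedelta(minutes=2)

def at(hhmm):
    return datetime.strptime("2000-01-01 " + hhmm, "%Y-%m-%d %H:%M")

FIG2 = [Receipt("EPE1", "T1", at("10:01")), Receipt("EPE2", "T1", at("10:00"))]
FIG3 = [Receipt("EPE2", "T1", at("10:00"))]

if __name__ == "__main__":
    print(elect(FIG2, "T1", "EPE1", "EPE2", DELAY, at("10:02")))
    print(elect(FIG3, "T1", "EPE1", "EPE2", DELAY, at("10:05")))
```
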