The invention relates to a software system for a monitoring/control installation of redundant architecture and comprising a first processor (1) connected to a second processor (2) via a communications network (10), the software system comprising a first object-oriented program constituted by first objects to be run by the first processor, a second object-oriented program constituted by second objects that are replicas of at least certain first objects and that are to be run by the second processor, the second objects and said certain first objects encapsulating data, updating means being provided for maintaining consistency between the data of the second objects and the data of said certain first objects during running of said certain first objects.
An object-oriented program is particularly suited to the diversity of supervisory functions in a monitoring/control installation, because of the modular structure of the program. There are numerous existing object-oriented programming languages on the market that enable programs to be made that can include several thousand software objects. Conventionally, a software object encapsulates data and methods that operate on the data of the object.
It is advisable, and often even a requirement, for an industrial monitoring/control installation to tolerate failures so as to guarantee continuity of service.
Redundancy techniques are a well known solution to failure tolerance.
U.S. Pat. No. 4 958 270 describes a data-processing system of redundant architecture comprising two processors running programs which are not necessarily object-oriented programs. The program run by the first processor handles data recorded in a first data base, and the program run by the second processor handles data recorded in a second data base. An updating system is also provided for maintaining consistency between the first data base and the second data base. The updating system is constituted by a program run by the second processor so as to:
perform certain control operations that are performed by the first processor;
update the first data base in response to performing said certain operations;
capture predetermined information to be recorded in the first data base simultaneously with updating thereof; and
transfer the captured data to the second processor so as to update the second data base.
a) comparing marking information derived from the first object referenced in the object call message with reference information to detect whether or not the referenced first object is a replicated object; and
b) in response to a marked object being detected, transferring the object call message to the second dynamic messaging mechanism via the communications network so that the second object that is the replica of the first object referenced in the transferred object call message can be run by the second processor and via the second messaging mechanism.
In the redundancy technique described in that document, the second processor is used only to pass on the changes made in the first data base to the second data base. Since the second processor is relieved of some of the processing performed by the first processor, the second processor can be used for other tasks. That redundancy technique may be referred to as "semi-active redundancy".