1. Field of the Invention
The present invention relates to a redundant supervisory control system and a switching control method of the same. When data is transmitted between each of a plurality of controllers and each of a plurality of remote input/output devices those which are composing the system, the redundant supervisory control system switches transmission paths between them.
2. Description of the Related Art
A block diagram of a conventional supervisory control system which controls a plant or the like is shown in FIG. 1. In this configuration, a controller 11 and each of remote input/output (I/O) units 21 are cascade-connected to each other by utilizing a field bus 113 of a digital network that is defined, for example, according to IEC61158, and that is used in communications between measurement-and-control instruments. In this way, supervisory control of the plant is executed.
This connection scheme of the network entails the following problem. In the event of a break of the field bus 113 or a breakdown of one of the remote I/O units 21, the controller 11 and the remote I/O unit 21 are disconnected. As a result, all of the I/O units 21 in the downstream of the location of the breakdown become inaccessible.
Additionally, there is another connection scheme, as shown in FIG. 2, where a controller 12 and remote I/O units 22 are connected in a one-to-many relationship in a star shape. In the case of this scheme, however, in addition to the problem of disconnection due to a breakdown, there is a problem of poor extensibility. This is because the number of interface buses 114 of the controller 12 has to be as many as the number of the remote I/O units 22.
For the purpose of solving these problems, there is a supervisory control system as shown in FIG. 3 which is constituted by connecting a field bus 115 and loop interface (I/F) units 23a to one another in a ring. In this connection scheme, in the event of only one break of the filed buses 115 in the ring, the controller 13 can access all of the remote I/O units 23. Moreover, in the event of a breakdown in only one of the remote I/O units 23, the controller 13 can access all the rest of the remote I/O units 23. Thus, the supervisory control can be continued.
Also in this connection scheme, however, when failures occur in plural locations, the failures including a cable break in the field bus 115 and a breakdown in the remote I/O units 23, the controller 13 cannot access the remote I/O units 23 positioned at a side far from the location of each of the failures.
In addition, as a redundancy scheme for taking a countermeasure against an equipment breakdown, there has conventionally been a dual supervisory control system as shown in FIG. 4.
In this scheme, a control system, which is constituted of a controller 14A, a controller 14B and remote I/O units 24, or the like is made dual-redundant. One of the dual-redundant systems is used as an active system, and the other of the dual-redundant systems is used as a standby system. In a case where a breakdown occurs in the remote I/O units 24 of the active system, the remote I/O units 24 are accessible by switching from the active system to the standby system, and thus the system can continue a control.
However, in this dual supervisory control system, there is a problem of a temporary interruption of the control. This is because it is inevitable to switch from the active system to the standby system, even when a breakdown occurs in only one location in the remote I/O units 24.
Additionally, there is a case where failures occur in both of the systems including the plural remote I/O units 24. To be more precise, this is the case where one of failures occurs in an interface (I/F) unit 24a that belongs to one of the systems in a remote I/O unit 24 and the other failure occurs in an I/F unit 24b that belongs to the other of the systems in another remote I/O unit 24. This case causes another problem that the remote I/O unit 24 of any one of the systems become inaccessible.
On the other hand, in a supervisory control system 100 as shown in FIG. 5, in a case where dual transmission paths 117 and 118 of a process input/output apparatus (PIO) 61 are switched to each other, switching from an active system to a standby system is made system by system regardless a location of a failure. That is, the entire system is switched even when the failure does not occur in a common portion of one of the data transmission paths each connecting a plurality of controllers 41.
For example, there is a case where there is a break in any one of transmission path portions a and b, each of which is located before a main line (common portion) of the corresponding transmission path from each of the two controllers 41 of the PIO 61, and each of which concerns only each of these controllers 41. Even in this case, the supervisory control system cannot grasp this situation. Thus, the supervisory control system switches the active data transmission path to the standby one, by judging that any one of the entire transmission paths 117 and 118 of the active system is abnormal.
In this case, even though the other controllers 41 do not have any failure of the transmission path 117 of the active system, the active transmission path 117 is switched to the standby one. Additionally, in a conventional method of switching transmission paths, only any one of the systems is used as an active system. For this reason, in a case where breaks simultaneously occur in a transmission path portion of the active system of one of the controllers 41, the portion being out of the common portion, and a transmission path portion of the standby system of another one of the controllers 41, it becomes impossible to communicate with the controller of at least one of the systems.
Accordingly, input data from at least one of the controllers 41 are missed, and, at the same time, the supervisory control system 100 comes to treat this controller as having a breakdown.
In order to solve the problem as described above, there is a method of switching data transmission paths used by a remote PIO unit (for example, refer to Japanese Patent Application Publication No. Hei 11(1999)-119802). In this method, the transmission paths used by the PIOs 61 are efficiently switched to each other, when a failure occurs in a portion that is located from each of the controllers 41 to each of the dual transmission paths 117 and 118, and that concerns only individual one of the controllers 41. Thus, this method makes it possible to construct a highly reliable system.
In this method, the transmission path of the active system is switched to that of the standby system by using units of control means for controlling inputs and outputs unit by unit.
Thus, the method has been disclosed, in which transmission paths used by the PIO 61 are efficiently switched with the means mentioned above, and which makes it possible to construct a highly reliable system.
Additionally, a method has been disclosed for enhancing reliability of a process control system in the following way. A control itself of a remote PIO is multiplexed, and thus, the remote PIO has serial buses capable of performing a multitask operation (for example, Japanese Patent Application Publication No. 2000-207373).
However, in the dual supervisory control system as shown in FIG. 4, there is a problem that a breakdown occurring in any one location in the remote I/O units 24 inevitably brings about switching from the active system to the standby system, thereby causing a temporary interruption of the control.
Additionally, there is another problem that, in a case where failures occur, if one of the failures occurs in the I/F unit 24a of one of the plural remote I/O units 24, and the other failure occurs in the an I/F unit 24b of another one of the remote I/O units 24, the remote I/O units 24 of any one of the systems becomes inaccessible.
In addition, the method of switching transmission paths by use of the PIO disclosed in Japanese Patent Application Publication No. Hei 11(1999)-119802 has the following problems. In a case where a failure occurs in any portion of the transmission path that is the main line, signals from I/O units disconnected from the main line of the transmission path are not duplexed. In addition, in a case where both of the dual main lines of the transmission paths have failures, it becomes impossible to control the I/O apparatus.
Furthermore, in the method disclosed in Japanese Patent Application Publication No. 2000-207373, although reliability of the PIO is enhanced, no consideration is given to a problem of a failure in the main line of the transmission path connecting the controller and the PIOS.