The present invention relates to a synchronization method for a redundant automation system having at least two subsystems, where the minimum of two subsystems have a minimum of one processor, are linked together via communication means, execute functionally identical sequences of machine instructions to control a process and synchronize with one another from time to time via the communication means.
Synchronization methods for automation systems are generally conventional. European Patent 497 147 describes a method in which the subsystems of an automation system composed of two subsystems synchronize one another after a period of time preselectable by the user at the latest. European Patent 616 274 describes a similar method where synchronization is performed as a function of the actual run time of a sequence of machine instructions. Thus, it is necessary to know the run times of the instructions of the user program and to constantly add up these run times. The conventional methods are not optimal inasmuch as an unnecessarily long amount of time is spent for synchronization.
An object of the summary present invention is to provide a synchronization method with minimal complexity for an automation systems composed of at least two subsystems. The synchronization method independent of the presence of special hardware. The synchronization method according to the present invention has the least possible negative effect on the computing capacity of the automation system.
The synchronization method is based on a counter for each of the subsystemsxe2x80x94hereinafter called synchronization countersxe2x80x94which is incremented, i.e., increased by one, using increment instructions. Incrementation is an especially simple task for a processor. In individual cases, incrementation can take place within a single clock cycle and therefore especially rapidly.
Synchronization is performed at least when one of the minimum of two subsystemsxe2x80x94hereinafter referred to as the alerted subsystemxe2x80x94registers a special event, e.g., an interrupt or an alarm. In this case, the alerted subsystem relays to the minimum of one other subsystem the instantaneous value of its synchronization counter. This relaying informs the minimum of one other subsystem that a special event has occurred. The minimum of one other subsystem in turn relays to each other subsystem the instantaneous value of its synchronization counter. Each of the subsystems is thus informed of the instantaneous value of its own synchronization counter as well as the value of the synchronization counter of the minimum of one other subsystem.
At the time of occurrence of the special event, one of the subsystems may be ahead of the minimum of one other subsystem in executing the sequence of machine instructions. If this is the case, it is also possible for the subsystem which is in the lead to have already executed a larger number of increment instructions, so that the values of the synchronization counters of the subsystems differ.
Each subsystem determines the largest value at the moment from the value of its own synchronization counter and the value of the synchronization counter of the minimum of one other subsystem. The value of the synchronization counter which all subsystems can attain together by continuing to execute the sequence of machine instructions is the largest value of the synchronization counter increased by one, i.e., incremented. Therefore, in each subsystem, the largest value of the synchronization counters of all subsystems is incremented. This value which is the same for all subsystems is hereinafter referred to as the synchronization counter target value. This can, of course, also be determined by an alternative method by first incrementing the values of the synchronization counters and then determining the synchronization counter target value as their maximum value.
The subsystems interrupt the execution of the sequence of machine instructions on attaining the position of the increment instruction (hereinafter referred to as synchronization position) at which the values of the respective synchronization counters attain the synchronization counter target value. Since the increment instructions occur at corresponding locations in the functionally identical sequences of machine instructions, the increment instructions are consequently especially suitable as the potential synchronization position.
The fact that such a synchronization position has been attained can be determined especially easily by comparing the value of the respective synchronization counter with the synchronization counter target value. The synchronization method is thus based on incrementation and comparison operations, which can be carried out especially rapidly and efficiently by a processor.
Since both subsystems can attain their synchronization positions at different times, each subsystem signals the minimum of one other subsystem that the synchronization position has been attained by sending a synchronization signal. Each subsystem then waits for arrival of the synchronization signal from the minimum of one other subsystem. This signals that it has attained its synchronization position. In the case of more than one other subsystem, each subsystem waits for arrival of the synchronization signal from all other subsystems, so that each subsystem executes additional actions only when all subsystems have attained the synchronization position. However, there are also conceivable applications where no synchronization signal is exchanged on attaining the synchronization position.
After attaining the synchronization position, and after registering the synchronization signal from the minimum of one other subsystem, each subsystem determines a specific response for the special event and performs it. This response is a specific sequence of machine instructions for the special event. Then, each subsystem continues executing the sequence of machine instructions, the execution of which was reset on attaining the synchronization position because of the synchronization and because of the response to the special event.
The alerted subsystem relays the special event to the minimum of one other subsystem immediately after registering the special event at the earliest, e.g., in conjunction with relaying the instantaneous value of the synchronization counter, but at the latest in conjunction with the synchronization signal.
There are also cases where exchanging or waiting for the synchronization signal does not take place for the specific response for the special event to be executed. In such a case, the special event-specific response is carried out immediately on attaining the synchronization position. Then, there is no time synchronization, but the method according to the present invention ensures that although the special event-specific response will not be carried out at the same time but at functionally identical positions within the sequence of machine instructions of the respective subsystem. In this way, the desired synchronization is ensured, because the synchronization positions are arranged at corresponding positions in the sequences of functionally identical machine instructions.
The synchronization position can be attained especially efficiently if the address of each machine instruction of the sequence of machine instructions, in particular the address of the machine instruction being carried out at the moment, and the address of the machine instruction corresponding to the synchronization position can be determined.
This makes it possible for the address of the machine instruction being carried out at the moment to always be compared with the address of the machine instruction corresponding to the synchronization position when executing the sequence of machine instructionsxe2x80x94at least after the alerted subsystem has registered a special event. If the two addresses compared are found to match, the synchronization position has been attained. In this way, execution of the sequence of machine instructions can be interrupted precisely on attaining the synchronization position.
For the case when the synchronization position lies within a subsequence of the sequence of machine instructions which is to be repeated conditionally or unconditionally, the individual machine instructions are processed repeatedly. However, the position of an increment instruction does not become a synchronization position until the synchronization counter has attained the synchronization counter target value in executing the increment instruction. Therefore, in the case of loops, an increment instruction may be processed repeatedly in the loop, but not become the synchronization position until after a certain number of processing operations. Thus it is not sufficient in this case to determine the address of the increment instruction. In this case the synchronization position is not attained until the address of the machine instruction being carried out at the moment matches the address of the machine instruction corresponding to the potential synchronization position while at the same time the synchronization counter matches the synchronization counter target value.
If, as described above, the address of each machine instruction can be determined, a break point can also be associated with the synchronization position, so that execution of the sequence of machine instructions is interrupted exactly at the synchronization position. Then the processor directly assumes the function of checking whether the synchronization position, i.e., the address associated with the break point, has been attained. Usually, with processors from Intel, such as the i80386, i80486, Pentium, etc. processorsxe2x80x94an interrupt is triggered on attaining the address associated with the break point, and its occurrence indicates unambiguously the fact that the address in question has been attained.
If the processor can be operated in a single-step mode, then it is also possible as an alternative to always compare the address of the machine instruction being carried out at the moment with the address of the synchronization position in executing the sequence of machine instructions, at least after the alerted system has registered a special event. If a match is found, the synchronization position has been attained and processing of the individual instructions in the sequence of machine instructions is interrupted.
According to the present invention, another efficient option for attaining the synchronization position is for the value of the synchronization counter to be compared, on an ongoing basis, with the synchronization counter target value in executing the sequence of machine instructions, at least after the special event has been registered by the alerted subsystem, and for the execution of the sequence of machine instructions to be interrupted when the value of the synchronization counter target value is attained. To do so, a first memory location and a second memory location are determined, with the value of the synchronization counter being stored in the first memory location and the synchronization counter target value being stored in the second memory location. With conventional processors, specifically the aforementioned Intel processors, the processor can be programmed so that execution of the sequence of machine instructions is interrupted as soon as the contents of the first memory location match the contents of the second memory location. This special functionality of the processor has previously been utilized for diagnostic programs, also known as debuggers, in particular. It may of course also be used to attain the synchronization position.
The positions of the increment instructions within the sequence of machine instructions may be defined according to different strategies. If the sequences of machine instructions are generated from instruction sequences of a programming language, it is advantageous to insert the increment instructions during the conversion of instruction sequences into machine instruction sequences. However, the scope of the present invention also includes inserting the increment instructions into the machine instruction sequence by relocating after the latter have been generated but before they are executed.
If the sequences of instructions are sequences of instructions in a programming language, with the instruction sequences that belong together being combined in a block, the increment instructions are inserted into the sequence of machine instructions at least at one of the limits of the block. Examples of such programming languages include all xe2x80x9cstructuredxe2x80x9d programming languages, such as Pascal, PEARL, C/C++, etc., which have language conventions for defining a block, with specific language resources also implicitly defining a particular block.
Increment instructions are always to be inserted in conjunction with all jump instructions, e.g., conditional and unconditional jump instructions, as is also the case in the related art according to European No. 497 147 A. Jump instructions are understood to refer to all instructions and commands from high-level languages which lead to a conditional or unconditional jump on a language level directly understandable to the processor. This is necessary because increment instructions might be skipped due to a jump. In particular, it would be conceivable for only machine instructions between two increment instructions to be executed due to a jump over a long period of time, possibly even an unlimited period of time, so that no increment instructions would be executed during this period of time. In this case, no potential synchronization positions would be attained accordingly, so that synchronization could not be performed. Therefore, the increment instructions are inserted frequently, but not necessarily before such a jump instruction.
In the case of call-up of subroutines, it is advantageous if the increment instructions are inserted within the subroutine, i.e., at the beginning of the subroutine and at the end of the subroutine. This makes insertion of the increment instructions into the sequences of machine instructions much simpler in an advantageous manner, because call-up of a subroutine is not always clearly recognizable, but the start and end of a subroutine are. CALL and RET instructions can be given as examples of Assembler programming language, each triggering a jump to a subroutine or a return from a subroutine.
In the case of programmable controllers whose specific programming languages usually do not offer any language resources for a block-oriented structuring, the increment instructions are always to be inserted before jump instructions. Specifically in the case of programmable controllers, the sequence of machine instructions is often structured by way of modules. A module is thus to be regarded as a specific embodiment of a block. The change of modules which becomes necessary in executing the sequence of machine instructions of a programmable control is implemented with the help of jump instructions, so here again, inserting increment instructions before a jump instruction leads to the desired result. The same thing is also true in a similar manner for programming languages such as Assembler or BASIC which have little or no structuring.
In addition, the increment instructions can also be inserted into the sequence of machine instructions after a fixed number of individual instructions of the sequence of machine instructions, in particular after a number of instructions that are preselected by the user. A sequence of machine instructions preselected in this way has the advantage that the average period of time between the occurrence of two increment instructions always remains approximately the same. The period of time between the occurrence of two increment instructions is determined by the sum of the run times of the individual instructions to be executed between the increment instructions.
If potential synchronization positions corresponding to the increment instructions in actually equidistant intervals are desired, the run time of each individual instruction is determined during conversion of the instruction sequences of the programming language into the sequence of machine instructions, and the run time of a sequence of individual instructions is determined by adding up the run times of the individual instructions. On attaining a certain run time, in particular a run time preselected by the user, an increment instruction is inserted into the sequence of machine instructions. After an increment instruction, the run times of the individual instructions begin again to be added up from zero. However, for the reasons given above, it is always necessary to insert increment instructions before jump instructions. The increment instruction may be inserted before a jump instruction in addition to being inserted according to the fixed run time/spacing grid. As an alternative, however, it is possible to begin the run time or spacing count at zero after an increment instruction inserted before a jump instruction.
In addition, the increment instructions can also be inserted into the sequence of machine instructions or into the sequence of instruction sequencesxe2x80x94hereinafter referred to as the source sequencexe2x80x94by testing the source sequence for certain machine instructions or certain instruction sequences, in particular for certain strings of machine instruction sequences or certain strings of instruction sequencesxe2x80x94hereinafter referred to as search sequences.
If the search sequence is recognized within the source sequence, the increment instructions of the search sequence may be inserted at the beginning or at the end. The search sequence includes those elements of the source sequence to which an increment instruction is to be assigned according to the above instructionsxe2x80x94i.e., at least block limits and/or jump instructions.
According to a specific embodiment, the increment instruction is inserted with the help of a special compiler. The conversion method of this special compiler differs from that of a standard compiler due to the fact that the language resources which define a block or a jump instruction, for example, are recognized and translated into the respective machine instructions and also into the increment instructions.
One alternative is a pre-processor. With the help of the pre-processor, the instruction sequences of a programming language can be pre-processed. With the help of a special syntax, which is known in principle to a programmer, such a pre-processor can be made to replace certain language resources of a programming language, e.g., language resources which introduce a block, with one language resource introducing such a block plus another language resource with which the increment instruction is initiated.
However, it would be desirable for the increment instructions to be inserted into the sequence of machine instructions in a manner that is transparent for the user. The instructions to the pre-processor described above can be recognized and thus manipulated by the user. However, manipulation could result in errors in synchronization and/or errors in the program generated itself. Therefore, another advantageous alternative for inserting the increment instructions into the sequence of instruction sequences is to use instead of the pre-processor a special pre-processor which converts at least the instruction sequences to which an increment instruction is to be assigned according to the above explanation into precisely these instruction sequences and the increment instruction, regardless of any other exchanges as per the instructions.
It is also possible through the above-mentioned alternatives for inserting the increment instructions, which essentially cannot be influenced by the user, for the user to insert the increment instructions himself into the sequence of machine instructions or into the sequence of instruction sequences.