The invention relates to a process automation installation in which a control apparatus, for example a programmable logic controller, controls at least one peripheral component by means of which the process is carried out, for example the production of electrical energy from coal or the filling of bottles. In particular, the invention relates to the determination of a suitable time for updating the operating software of the control apparatus, that is to say for carrying out an update, without the process having to be interrupted for this purpose.
Highly available solutions which minimize possible downtimes of an automation installation (installation for short) are increasingly being required in the automation environment. The development of such highly available solutions is very cost-intensive.
An important function of a highly available automation system is the ability to update the system software or operating software in the course of operation. Operating software is also referred to as firmware. An update may be necessary if error corrections to the firmware are to be loaded into a running system which must not be stopped for this purpose. The so-called failover that takes place during an update is never entirely without effect on the process. However, a smooth failover is usually required, that is to say it must not be possible to detect, at the outputs of the control apparatus (the inputs of the peripheral components), any sudden change in the profile of the control signals that is caused only by the interruption and not by inherent changes in the process. For example, a control signal must not suddenly fall to the value 0 during the update if a control signal having a value not equal to 0 is actually needed to control the process. The outputs of the control apparatus must therefore behave steadily. A limited period of time in which the outputs at least retain their last value is usually tolerated, after which the control of the process is continued either by the control apparatus, which is ready for operation again after the update, or by a backup CPU, that is to say a further control apparatus.
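The failover behaviour described above, as an added illustration in Python which is not part of this specification: an output stage that retains its last value for at most a tolerated number of scan cycles, a naive variant whose outputs fall to 0 during the update, a backup CPU taking over the control task, and a check for a sudden change at the outputs across the update window. The class and function names, the setpoint curve and the tolerances are hypothetical assumptions made for the illustration.

```python
"""Added illustration, not part of this specification: a simulated output stage of a
control apparatus that retains its last value while the apparatus is updating its
firmware, together with a check for a "smooth failover" in the sense described above,
i.e. no sudden change at the outputs caused by the interruption rather than by the
process, and no hold period longer than the process tolerates.

All names, the setpoint curve and the tolerances are hypothetical."""

from dataclasses import dataclass, field


@dataclass
class OutputStage:
    """Output of the control apparatus with hold-last-value behaviour during an update.

    max_hold is the limited number of scan cycles for which the process tolerates a
    frozen output before control must resume (hypothetical parameter).
    """
    max_hold: int
    last_value: float = 0.0
    held_for: int = 0
    hold_exceeded: bool = False
    history: list = field(default_factory=list)

    def scan(self, controller_value, controller_ready: bool) -> float:
        """One scan cycle. While the controller is unavailable (updating),
        controller_ready is False and the output keeps its last value."""
        if controller_ready and controller_value is not None:
            self.last_value = float(controller_value)
            self.held_for = 0
        else:
            # Controller updating: retain the last value instead of dropping to 0.
            self.held_for += 1
            if self.held_for > self.max_hold:
                # Tolerated hold window exceeded and nobody has taken over control:
                # the update is not tolerable for this process.
                self.hold_exceeded = True
        self.history.append(self.last_value)
        return self.last_value


def controller_setpoint(cycle: int) -> float:
    """Hypothetical slowly varying control signal, e.g. a valve position in percent."""
    return 50.0 + 0.5 * cycle


def run_update(update_start: int, update_len: int, max_hold: int, *,
               hold_last_value: bool = True, backup_after=None,
               cycles: int = 20) -> OutputStage:
    """Run `cycles` scan cycles with a firmware update of update_len cycles
    starting at update_start. If backup_after is given, a backup CPU takes over
    the control task after that many cycles of holding."""
    stage = OutputStage(max_hold=max_hold)
    for cycle in range(cycles):
        updating = update_start <= cycle < update_start + update_len
        if not updating:
            stage.scan(controller_setpoint(cycle), True)
        elif backup_after is not None and cycle - update_start >= backup_after:
            # Backup CPU supplies the control signal until the update is finished.
            stage.scan(controller_setpoint(cycle), True)
        elif hold_last_value:
            stage.scan(None, False)
        else:
            # Naive behaviour: the controller reinitialises and its outputs fall to 0.
            stage.scan(0.0, True)
    return stage


def max_jump(history: list, start: int, end: int) -> float:
    """Largest change between consecutive output samples from the cycle before
    `start` up to cycle `end` (inclusive), i.e. across the whole update window."""
    lo = max(start - 1, 0)
    hi = min(end, len(history) - 1)
    return max((abs(history[i + 1] - history[i]) for i in range(lo, hi)), default=0.0)


def smooth_failover(stage: OutputStage, update_start: int, update_len: int,
                    tolerated_jump: float) -> bool:
    """True if the update neither froze the outputs longer than tolerated nor
    produced a jump larger than the process itself tolerates (tolerated_jump,
    hypothetical)."""
    if stage.hold_exceeded:
        return False
    jump = max_jump(stage.history, update_start, update_start + update_len)
    return jump <= tolerated_jump


if __name__ == "__main__":
    cases = [("hold last value", run_update(5, 3, 4), 3),
             ("drop to zero", run_update(5, 3, 4, hold_last_value=False), 3),
             ("hold too long", run_update(5, 6, 4), 6),
             ("backup CPU", run_update(5, 6, 4, backup_after=2), 6)]
    for name, stage, length in cases:
        print(f"{name:16} jump={max_jump(stage.history, 5, 5 + length):5.1f} "
              f"smooth={smooth_failover(stage, 5, length, 5.0)}")
```

Running the block prints, for each variant, the largest step at the outputs across the update window and whether the failover counts as smooth. The comparison also makes visible why the hold period is only tolerated for a limited time: while the output is frozen, the control signal the process actually needs keeps moving, so the catch-up step once the updated controller or the backup CPU resumes grows with the length of the hold.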
An update must not destabilize the process. Whether the process to be controlled tolerates the effects of an update, and when an update can safely be carried out, is at present assessed by the operator of the automation installation only on the basis of empirical values relating to his own process or to similar processes.