The present invention concerns an updating method for coupling a supplementary automation system to an overall automation system which has a basic automation system and controls an industrial process without interruption. Each automation system has access to its own main storage area and can exchange information with the others and with the industrial operation via communication means.
Conventional redundant automation systems are widely used. In most cases, the automation systems are designed with single or double redundancy, i.e., two to three automation system are used to control one and the same industrial operation or industrial plant. With such a configuration, one of the automation systems, hereinafter referred to as the supplementary automation system, may fail, and then the industrial plant is controlled by the remaining automation system(s), the basic automation system or the remaining automation systems.
Updating in coupling a supplementary automation system to an overall automation system formed by at least one automation system is thus necessary, for example, when one of the automation systems has been shut down temporarily due to maintenance work and then started up again after conclusion of the maintenance work. When the automation system that has been shut down temporarily is coupled, it is relevant in particular that the supplementary automation system to be coupled receives the data inventory of the basic automation system. This procedure is known as updating.
Thus, an object of the updating method is to transfer the contents of the main memory area of a basic automation system to a supplementary automation system. European Patent No. 636 956 describes an updating method where data configurations of non-time-critical states and the respective periods of time during which responses to changes in state of the industrial operation are non-time-critical are preset in the basic automation system. Updating is triggered when the duration of the non-time-critical state exceeds the duration required for updating.
If there is insufficient non-time-critical state, updating is performed according to the method described in European Patent No. 636 956 within time slices inserted cyclically into the program processing. The actual updating takes place by reading out of the main memory area of the basic automation system section by section and writing to the main memory area of the supplementary automation system.
Reading out data section by section is also time consuming. Specifically for the case when a time-critical operation is controlled by the basic automation system whose data must be read out, it should be taken into account that the basic controlling automation system cannot monitor the operation during readout and thus may not be able to react promptly to changes in state of the operation. Often, even such a short-term xe2x80x9cmonitoring gapxe2x80x9d is intolerable in controlling the industrial operation.
An object of the present invention is to provide an updating method for coupling a supplementary automation system to an overall automation system which has a basic automation system and controls an industrial operation without interruption, with the method being executable without any negative effect on the control of the industrial operation.
Due to the given boundary conditions in the industrial operation to be controlled, it is impossible to transfer the contents of the main memory area of the basic automation system in one step to the supplementary automation system to be coupled. Therefore, the updating is divided into two runs.
In a first run, the contents of the main memory area of the basic automation system are transferred by successive readout from the main memory area of the basic automation system and input into the main memory area of the supplementary automation system. The volume of data read out or written in one step is determined by the length of time required for this procedure and the maximum tolerable latency phase of the basic automation system with respect to the industrial operation to be controlled.
If, in section by section readout of data from the main memory area of the basic automation system, the same data is written in a buffer storage area, then the basic automation system can resume control of the technical operation again to advantage while data is being transferred from the buffer storage area to the supplementary automation system. The time during which the basic automation system cannot monitor the industrial operation is thus shortened by using the buffer storage area.
The more powerful the communication means over which data is transferred from the main storage area of the basic automation system into the buffer storage area, the shorter the period of time during which the basic automation system cannot monitor the industrial operation.
A similarly positive effect is achieved by using powerful memory, optimized for the given applicationxe2x80x94e.g., a static RAM, or static RAM as a dual-port RAMxe2x80x94for the buffer memory area.
After a certain number of reading and writing operations as described above, the xe2x80x9cbasic data inventoryxe2x80x9d of the basic automation system has been successfully transferred to the supplementary automation system. During this period of time, however, data in the main memory area of the basic automation system is subjected to continuous changes due to the uninterrupted control of the industrial operation, because counts and timer values, for example, as well as output signals also change. Before the updating can be regarded as concluded, the identity of the data must be guaranteed.
The changes occurring meanwhile in the basic automation system must be transferred in at least one additional subsequent updating run.
To do so, in writing new and/or revised data into the main memory area of the basic automation system, the same data is also written to the buffer memory area together with position information. The contents of the buffer memory area are transferred to the supplementary automation system, and the data transferred is written to the main memory area of the supplementary automation system with analysis of the position information.
The position information includes information on the position of the revised data in the main memory area of the basic automation system and also at least information about the data volume. This position information is then analyzed in entering in the main memory area of the supplementary automation system so that data transferred will occupy the same position in the main memory area of the supplementary automation system as did the original data in the main memory area of the basic automation system.
This position information is absolutely necessary only in transmitting new and/or revised values during the minimum of one additional updating run. In section-by-section readout of data from the main memory area of the basic automation system and in writing this data to the buffer memory area, the position information is not necessary under the condition that it is stipulated that the readout data will always occupy the same area in the buffer memory area, and the area of the buffer memory area thus occupied is transferred to the supplementary automation system before being overwritten in renewed section-by-section readout of data from the main memory area of the basic automation system. In such a procedure, position information is present more or less implicitly. The updating method logs the number of sections read out of the main memory area of the basic automation system and writes the next section on the basis of this information. In addition, the supplementary automation system logs the number of sections already written when data is entered into this system, so that it is always the next section that is updated.