1. Field of the Invention
The invention relates to a redundant automation system and method for operating the redundant automation system which is provided with a first subsystem and a second subsystem, where the subsystems each redundantly process a control program while controlling a technical process, and one of these subsystems operate as a master and the other subsystem operates as a slave, and the slave assumes the function of the master if the master fails.
2. Description of the Related Art
In the automation environment, there is an increasing demand for highly available solutions (H systems) that are suitable for minimizing possible downtimes of an installation. The development of such highly available solutions is very cost-intensive, where an H system usually used in the automation environment is distinguished by the fact that two or more subsystems in the form of automation devices or computer systems are coupled to one another via a synchronization connection. In principle, both subsystems can have read and/or write access to peripheral units connected to this H system. One of the two subsystems leads with respect to the peripherals connected to the system. This means that outputs to peripheral units or output information for these peripheral units is/are effected only by one of the two subsystems which operates as a master or has assumed the master function. So that both subsystems can run in a synchronous manner, the subsystems are synchronized at regular intervals via the synchronization connection. With respect to the frequency and extent of synchronization, different forms may be distinguished (e.g., warm standby, hot standby).
An H system often requires a smooth “failover”, if one of the subsystems fails and it is necessary to change over to the other subsystem. This means that, despite this unplanned changeover or this unplanned change from one subsystem to the other, this changeover or change does not have a disruptive effect on the technical process to be controlled. Here, it is permissible for a (short) dead time, during which the outputs remain at their last valid process output values, to occur at the outputs of the connected peripherals. However, a jump (surge) in the values at these outputs on account of the changeover is undesirable and should therefore be avoided. Therefore, “smooth” should also be understood as meaning the continuity of the curve shape of the process output values.
In order to achieve this smoothness, the two subsystems must have the same system state at the time of the failure. This is ensured by the suitable synchronization method. If both subsystems are processing the input information (inputs) of the process, both systems are in the same system state when they change their respective “thread global” data (shared data of programs, i.e., programs with different priorities) in the same manner given the same process input data or process input information. In order to achieve this, the synchronization method ensures that the individual threads of the two subsystems are interrupted or executed in the same manner. This results in an identical “thread mountain”.
The Siemens catalog ST 70, chapter 6, 2011 edition, discloses a redundant automation system that consists of two subsystems and is intended to increase the availability of an installation to be controlled. For this purpose, the automation system is provided with means that initially decide, based on an event, which program must be started in order to suitably react to the event. If, for example, during the execution of a program, an event in the form of a pending alarm for the technical process to be controlled is applied to a signaling input of the automation system, the running program is usually stopped at a waiting point and a program that is intended to analyze the alarm and initiate measures that eliminate the cause of the alarm is started. This automation system is regularly synchronized, and it is ensured that the failure of one of these subsystems does not have a disruptive effect on a process to be controlled because the other subsystem can continue the execution or processing of the corresponding part of its respective control program or the execution or processing of the corresponding parts of this control program.
If, for example, an event that has occurred in a first subsystem is not synchronized with a second subsystem of an automation system comprising two subsystems and, after the event has been processed by the first subsystem, this subsystem fails, the course of a technical process to be controlled may be disrupted. This is because the second subsystem (without knowledge of the event) runs through a different program path, representing the execution order of the programs, from the program path that would be run through by the second subsystem with knowledge of the event and that would also be necessary to avoid disrupting the course of the technical process to be controlled.
In this context, it should be noted that a program is understood as meaning both a program as such and a subroutine, a part of a program, a task, a thread, an organizational module, a functional module or another suitable program code for implementing an automation function, where the programs of an automation system usually are categorized into priority classes and are processed or executed according to their associated priority.
EP 0 907 912 B1 discloses a synchronization method for an automation system constructed from two subsystems. This synchronization method is based on temporally synchronous coupling of the two subsystems, both subsystems waiting for a response from the respective other participant at suitable program points at which adjustment is intended and only then respectively continuing their program processing in a temporally synchronous manner. The disadvantage is the long waiting times before receiving the responses needed for the temporal synchronization.
US 2002/0095221 A1 describes a redundant automation system provided with a first controller and a second controller. Suitable measures that make it possible to execute periodic tasks in a timely manner are provided.