1. Field of the Invention
The invention relates to a method for operating an automation system having at least two subsystems which are each provided with a control program, where relevant data from one subsystem is transmitted to the other subsystem within the scope of an updating phase of the automation system to transfer process control from a solo mode of one of the subsystems to a redundant control mode with another of the subsystems. In addition, the invention relates to a redundant automation system which is configured to perform the method.
2. Description of the Related Art
In the automation environment, there is an increasing demand for highly available solutions (H systems) that are suitable for minimizing possible downtimes of the installation. The development of such highly available solutions is very cost-intensive. An H system as usually used in the automation environment is distinguished by the fact that two or more subsystems in the form of automation devices or computer systems are coupled to one another via a synchronization connection. In principle, both subsystems can effect read and/or write access to the peripheral units connected to this H system. One of the two subsystems is the leader with respect to the peripherals connected to the system. This means that outputs to peripheral units, or output information for these peripheral units, are provided only by the one of the two subsystems that operates as the master or has assumed the master function. So that both subsystems can run in a synchronous manner, the subsystems are synchronized at regular intervals via the synchronization connection. With respect to the frequency and amount of synchronization, different forms may be distinguished (e.g., warm standby or hot standby).
An H system often requires a smooth “failover” if one of the subsystems fails and it is necessary to change over to the other subsystem, as a result of which this other subsystem undertakes the process control in a solo mode, i.e., a non-redundant mode. This means that, despite this unplanned changeover from one subsystem to the other, the changeover does not have a disruptive effect on the technical process to be controlled or on the process control. Here, it is permissible for a (short) dead time to occur at the outputs of the connected peripherals, during which the outputs remain at their last valid process output values. However, a jump (i.e., a surge) in the values at these outputs on account of the changeover is undesirable and should therefore be avoided. Consequently, “smooth” should also be understood as meaning the continuity of the curve shape of the process output values.
In order to achieve this smoothness, the two subsystems must have the same system state at the time of the failure. This is ensured by a suitable synchronization method. If both subsystems are processing the input information (inputs) of the process, both systems are in the same system state when they change their respective “thread global” data (data shared between programs, i.e., between programs with different priorities) in the same manner, given the same process input data or process input information. In order to achieve this, the synchronization method ensures that the individual threads of the two subsystems are interrupted or executed in the same manner. This results in an identical “thread mountain”, i.e., an identical profile of thread executions and interruptions over time.
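The following model illustrates why identical interruption points are needed for identical state. It is an added example and not code from the patent or from any Siemens product; the thread model (a low-priority control thread performing a three-step read-modify-write on a shared counter, pre-empted once per cycle by a high-priority thread that increments the same counter), the increment value and the process inputs are all constructed for this illustration.

```python
"""Why both subsystems of an H system must interrupt their threads identically.

Added example; not code from the patent or from any Siemens product.  The
thread model and all input values are constructed for this illustration.
"""
from typing import Dict, List, Tuple

HIGH_PRIORITY_INCREMENT = 10  # assumed effect of the high-priority thread


class Subsystem:
    """One subsystem: its thread-global data plus a model of one program cycle."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.data: Dict[str, int] = {"counter": 0}  # thread-global (shared) data

    def high_priority_thread(self) -> None:
        # Pre-empts the low-priority thread and modifies the shared datum.
        self.data["counter"] += HIGH_PRIORITY_INCREMENT

    def run_cycle(self, process_input: int, interrupt_before_step: int) -> int:
        """Execute one cycle of the low-priority thread.

        The low-priority thread performs three steps on the shared counter:
          step 0: read the counter into a local variable
          step 1: add the process input to the local copy
          step 2: write the local copy back to the counter
        The high-priority thread pre-empts it exactly once, just before the
        step given by interrupt_before_step (0..2); the value 3 means it runs
        only after the write-back.  Returns the counter at the end of the cycle.
        """
        local = 0
        for step in range(3):
            if step == interrupt_before_step:
                self.high_priority_thread()
            if step == 0:
                local = self.data["counter"]
            elif step == 1:
                local += process_input
            else:
                self.data["counter"] = local
        if interrupt_before_step >= 3:
            self.high_priority_thread()
        return self.data["counter"]


def run_pair(process_inputs: List[int],
             interrupts_a: List[int],
             interrupts_b: List[int]) -> Tuple[int, int, bool]:
    """Run subsystems A and B on the same process inputs.

    Each list of interruption points states, per cycle, where the
    high-priority thread pre-empts the low-priority one on that subsystem.
    Returns (counter_a, counter_b, identical_state).
    """
    a, b = Subsystem("A"), Subsystem("B")
    for x, ia, ib in zip(process_inputs, interrupts_a, interrupts_b):
        a.run_cycle(x, ia)
        b.run_cycle(x, ib)
    return a.data["counter"], b.data["counter"], a.data == b.data


if __name__ == "__main__":
    inputs = [5, 7]
    # Synchronized: the synchronization method forces identical pre-emption points.
    print(run_pair(inputs, [1, 0], [1, 0]))   # (22, 22, True)
    # Unsynchronized: same programs, same inputs, different pre-emption points.
    print(run_pair(inputs, [1, 0], [3, 0]))   # (22, 32, False)
```

With identical pre-emption points both subsystems end every cycle in the same state; when subsystem B is pre-empted after its write-back instead of between read and write, the high-priority increment that A loses is retained on B, and the two states diverge even though programs and inputs are identical. This is the situation the synchronization method has to exclude.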
In addition, it must also be ensured, when transferring the process control from a solo or non-redundant mode to a redundant mode, for example, after a failed subsystem has been replaced, that this transfer or transition is effected smoothly. During such a transfer, it is necessary to transmit relevant data from the previously process-controlling subsystem to the newly or additionally connected subsystem. During this transfer, which is referred to as coupling and updating and takes place during a coupling and updating phase (referred to below simply as the updating phase for purposes of simplicity), the technical process to be controlled or the process control must not be influenced in a disruptive manner, and the process control must continue to run without disruption.
Siemens catalog ST 70, chapter 6, 2011 edition, discloses a redundant automation system that consists of two subsystems and is intended to increase the availability of an installation to be controlled. Updating is effected such that data are gradually transmitted, where a check is initially performed to determine whether a value of the subsystem operated in the solo mode, which is stored in a data area, differs from a value to be newly written. If these values differ, a “dirty bit” is set, which indicates that the data from this data area must be transmitted to the further subsystem. If all the data have been transmitted, the automation system operates in the redundant mode. If the data from this data area represent highly dynamic data, the disadvantage is that the transition is not effected smoothly at the end of the updating phase (“update surge”): such data are written again while or after they are being transmitted and are therefore marked as dirty again, so that, in order to complete the transfer, the subsystem operating in the solo mode must be stopped and the process control must be briefly stopped.
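The following model reproduces the dirty-bit updating scheme just described and its weakness with highly dynamic data. It is an added example and not code from the patent, from catalog ST 70 or from any Siemens product; the data areas, the producer functions standing in for the control program, and the per-cycle transfer budget are constructed for this illustration.

```python
"""Model of dirty-bit updating with a control program that keeps running.

Added example; not code from the patent, catalog ST 70 or any Siemens
product.  Data areas, producers and transfer budget are constructed.
"""
from typing import Callable, Dict, Optional, Tuple

# Data area name -> value the control program writes there in cycle n.
Producers = Dict[str, Callable[[int], int]]


class SoloSubsystem:
    """The subsystem that controls the process while its partner is updated."""

    def __init__(self, initial: Dict[str, int]) -> None:
        self.areas = dict(initial)
        # Every area must be transmitted at least once, so all start dirty.
        self.dirty = {name: True for name in initial}

    def write(self, name: str, value: int) -> None:
        """Write path of the control program: compare, set dirty bit on change."""
        if self.areas[name] != value:
            self.areas[name] = value
            self.dirty[name] = True

    def transfer_step(self, partner: Dict[str, int], budget: int) -> int:
        """Transmit up to `budget` dirty areas to the partner and clear their bits."""
        sent = 0
        for name in list(self.dirty):
            if sent == budget:
                break
            if self.dirty[name]:
                partner[name] = self.areas[name]
                self.dirty[name] = False
                sent += 1
        return sent

    def fully_updated(self) -> bool:
        return not any(self.dirty.values())


def _run_cycles(solo: SoloSubsystem, partner: Dict[str, int],
                producers: Producers, budget: int, max_cycles: int) -> Optional[int]:
    """Cycles with the control program active.

    In each cycle the transfer sends dirty areas first; the control program then
    writes its new values concurrently, which may mark an area dirty again.
    Returns the cycle in which no dirty bit remained, or None.
    """
    for cycle in range(1, max_cycles + 1):
        solo.transfer_step(partner, budget)
        for name, produce in producers.items():
            solo.write(name, produce(cycle))
        if solo.fully_updated():
            return cycle
    return None


def run_update(initial: Dict[str, int], producers: Producers,
               budget: int, max_cycles: int) -> Tuple[bool, int]:
    """Updating phase without stopping the process control: (converged, cycles)."""
    solo = SoloSubsystem(initial)
    done = _run_cycles(solo, {}, producers, budget, max_cycles)
    return (done is not None), (done if done is not None else max_cycles)


def cycles_to_finish_after_stop(initial: Dict[str, int], producers: Producers,
                                budget: int, run_cycles: int) -> int:
    """Run `run_cycles` cycles normally, then stop the control program (no
    further writes) and count the transfer cycles still needed.  This stop is
    the interruption of process control that the text calls the update surge."""
    solo = SoloSubsystem(initial)
    partner: Dict[str, int] = {}
    _run_cycles(solo, partner, producers, budget, run_cycles)
    stop_cycles = 0
    while not solo.fully_updated():
        solo.transfer_step(partner, budget)
        stop_cycles += 1
    return stop_cycles


if __name__ == "__main__":
    initial = {"setpoint": 100, "flow": 0}
    static = {"setpoint": lambda c: 100, "flow": lambda c: 0}
    dynamic = {"setpoint": lambda c: 100, "flow": lambda c: 3 * c}  # changes every cycle
    print(run_update(initial, static, 1, 50))        # (True, 2): converges
    print(run_update(initial, dynamic, 1, 50))       # (False, 50): never converges
    print(run_update(initial, dynamic, 2, 50))       # (False, 50): more bandwidth does not help
    print(cycles_to_finish_after_stop(initial, dynamic, 1, 10))  # 1: converges only once stopped
```

Static data converge after a few transfer cycles, but an area rewritten in every cycle is dirty again as soon as it has been sent, regardless of the transfer budget, so the redundant mode is never reached while the control program runs. Only stopping the program lets the last dirty areas be transmitted, and that stop is the surge the text describes.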