The present invention relates to a method for updating a supplementary automation system, which is coupled to an automation system comprising at least one starting automation system and controlling a technical process or a technical system through an executed program.
Redundant automation systems are in widespread use. These automation systems are mostly singly or doubly redundant, that is, two or three automation systems are used to control one and the same technical process or one and the same technical system. In a configuration of this type a subsystem occasionally fails, and the technical system or the technical process is controlled by the remaining subsystem (starting automation system) or rather the remaining subsystems. Following the exchange or the repair of the failed subsystem, this subsystem must be recoupled to at least one starting automation system. Until now, one way of handling this required the following steps: 1) the starting automation system momentarily controlling the technical system interrupts program execution; 2) the necessary operating data are transferred from the starting automation system to the supplementary automation system, and thereupon the starting automation system; and 3) the supplementary automation system resumes program execution and, thus, jointly takes control of the technical system.
This procedure is not optimal in that during the updating step, control over the technical system is not guaranteed. Under certain circumstances, it can even be difficult, dangerous and time-consuming to bring down a system and restart it at a later time.
Accordingly, an object of the present invention is to provide an update method in which the aforementioned disadvantages are prevented from occurring.