1. Field of the Invention
The invention relates to a method for operating a redundant automation system provided with a first subsystem and a second subsystem, where one of the subsystems is operated as a master and the other subsystem is operated as a slave, and where the subsystems are provided with transmission and reception tasks to transmit and receive messages. In addition, the invention relates to a redundant automation system that is suitable for implementing the method.
2. Description of the Related Art
In general, methods with inter-task communication mechanisms, and redundant automation systems for implementing such methods, are known per se in automation technology. In this field there is an increasing demand for highly available solutions (H systems) that are suitable for minimizing possible downtimes of the installation. The development of such highly available solutions is very cost-intensive. An H system as usually used in the automation environment is distinguished by the fact that two or more subsystems in the form of automation devices or computer systems are coupled to one another via a synchronization connection. In principle, both subsystems can have read and/or write access to the peripheral units connected to the H system. One of the two subsystems leads with respect to the peripherals connected to the system; consequently, outputs to peripheral units, or output information for these peripheral units, are effected only by the subsystem that operates as the master or has assumed the master function. So that both subsystems can run in a synchronous manner, they are synchronized at regular intervals via the synchronization connection. With respect to the frequency and extent of synchronization, different forms may be distinguished (e.g., warm standby, hot standby).
An H system often requires a smooth “failover” if one of the subsystems fails and it is necessary to change over to the other subsystem. This means that, despite this unplanned changeover from one subsystem to the other, the changeover does not have a disruptive effect on the technical process to be controlled. Here, it is permissible for a (short) dead time to occur at the outputs of the connected peripherals, during which the outputs remain at their last valid process output values. However, a jump (surge) in the values at these outputs on account of the changeover is undesirable and should therefore be avoided. Consequently, “smooth” should also be understood as meaning the continuity of the curve shape of the process output values.
In order to achieve this, the two subsystems must have the same system state at the time of the failure. This is ensured by a suitable synchronization method. If both subsystems are processing the input information (inputs) of the process, both systems are in the same system state when, given the same process input data or process input information, they change their respective “thread global” data (data shared between programs, in particular between programs with different priorities) in the same manner. In order to achieve this, the synchronization method ensures that the individual threads of the two subsystems are interrupted and executed in the same manner, so that an identical “thread mountain” (the same interleaving of thread execution) results on both subsystems.
Prior European patent application 12166006.2, the entire disclosure content of which is intended to be part of the present application, proposes a method for operating a redundant automation system provided with a first subsystem and a second subsystem, which method dispenses with temporally synchronous communication between the subsystems with regard to synchronizing the program processing on the two subsystems. The subsystem operating as the master does not (actively) wait for a response from the subsystem operating as the slave in order to continue its program processing; that is, the relevant information is transmitted from the master to the slave in a temporally asynchronous manner. As a result, the processing performance of the master is decoupled from the communication bandwidth available for event synchronization. This is particularly important with regard to the increasing imbalance between the growth in the processing performance of processors, on the one hand, and the growth in communication performance, on the other hand, since the communication performance usually cannot keep up with the increasing processing performance.
After an event has occurred, the two subsystems are synchronized such that both the master and the slave run through the same program paths on account of this event (path synchronization), where the runs are effected in a temporally asynchronous manner. This means that the master temporally leads the slave or, equivalently, the slave temporally trails the master with regard to the program processing. In this context, “trailing” or “leading” is understood as meaning the time difference between the beginning of the processing of the processing sections by the master and the beginning of the processing of the processing sections by the slave, which corresponds to the time at which the release signal occurs.
On account of this leading and trailing, measures are required to send and receive messages in a suitable manner using the transmission and reception tasks, with respect to processing with program path synchronization. For example, if a communication task of the respective subsystem transmits messages to the reception task of that subsystem, it must be ensured that the transmission and reception sequence in the slave corresponds to that in the master.
If, as is known per se, messages were processed in the slave in the same manner as in the master (i.e., delivered to the reception task as they arrive), the temporally asynchronous run through the program paths could result in a different processing sequence of the messages in the master and in the slave. The two subsystems would then no longer have the same system state, which could in turn disrupt proper control of the technical process.
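The ordering problem described in the two preceding paragraphs, as an added illustration that is not part of the present application or of the prior application it cites: a toy controller whose state depends on the interleaving of processing sections and received messages, a master that records at which processing section it hands each received message to its reception task and forwards that record asynchronously, and a slave that trails the master by two sections. The message arrival times, the lag, the update rules of the toy controller and all names are constructed assumptions. A slave that receives messages according to its own local arrival times ends in a different state than the master; a slave that reproduces the master's recorded reception sequence ends in the same state.

```python
"""Constructed illustration: why the slave must reproduce the master's message
reception sequence when master and slave run the same program paths with a time lag.
All values, names and update rules are assumptions made for this example; this is not
the method of the patent application or of the cited prior application."""
from collections import deque
from dataclasses import dataclass, field

MODULUS = 1_000_003  # keeps the toy state bounded; no wrap occurs with the sample data


@dataclass(frozen=True)
class Message:
    msg_id: int
    payload: int
    arrival_section: int  # constructed: master section during which the comm task hands it over


@dataclass
class ControllerState:
    """Toy controller whose state depends on the interleaving of sections and messages."""
    value: int = 0
    trace: list = field(default_factory=list)

    def run_section(self, section: int) -> None:
        # Not commutative with receive(): receiving before or after a section differs.
        self.value = (self.value * 3 + section) % MODULUS
        self.trace.append(("S", section))

    def receive(self, msg: Message) -> None:
        self.value = (self.value + msg.payload) % MODULUS
        self.trace.append(("M", msg.msg_id))


# Constructed sample traffic: three messages arriving while the master runs six sections.
MESSAGES = (
    Message(msg_id=1, payload=5, arrival_section=2),
    Message(msg_id=2, payload=7, arrival_section=4),
    Message(msg_id=3, payload=11, arrival_section=4),
)
N_SECTIONS = 6
SLAVE_LAG = 2  # constructed: the slave begins each section two sections after the master


def run_master(messages, n_sections):
    """Master: at the start of each processing section, hands over every message the
    communication task has delivered so far and records (section, msg_id) for each
    reception. The log is forwarded to the slave; the master never waits for it."""
    state = ControllerState()
    sync_log = []  # stands in for what travels over the asynchronous sync connection
    pending = deque(sorted(messages, key=lambda m: (m.arrival_section, m.msg_id)))
    for s in range(n_sections):
        while pending and pending[0].arrival_section <= s:
            msg = pending.popleft()
            state.receive(msg)
            sync_log.append((s, msg.msg_id))
        state.run_section(s)
    return state, sync_log


def run_slave_naive(messages, n_sections, lag):
    """Slave that delivers messages the way the master does, but relative to its own,
    trailing section clock: a message that reached the master in section s is seen by
    the slave while it is still in section s - lag, so the interleaving differs."""
    state = ControllerState()
    local_section = lambda m: max(0, m.arrival_section - lag)  # constructed skew model
    pending = deque(sorted(messages, key=lambda m: (local_section(m), m.msg_id)))
    for s in range(n_sections):
        while pending and local_section(pending[0]) <= s:
            state.receive(pending.popleft())
        state.run_section(s)
    return state


def run_slave_path_synced(messages, n_sections, sync_log):
    """Slave that ignores local arrival times and receives, in each section, exactly the
    messages the master logged for that section, in the master's order."""
    state = ControllerState()
    inbox = {m.msg_id: m for m in messages}  # messages already arrived via the comm task
    per_section = {}
    for s, msg_id in sync_log:
        per_section.setdefault(s, []).append(msg_id)
    for s in range(n_sections):
        for msg_id in per_section.get(s, []):
            if msg_id not in inbox:
                # A real slave would wait here; the simulation treats it as an error.
                raise RuntimeError(f"section {s}: message {msg_id} not yet received")
            state.receive(inbox[msg_id])
        state.run_section(s)
    return state


def compare():
    """Returns (master_value, naive_slave_value, synced_slave_value, traces_match)."""
    master, log = run_master(MESSAGES, N_SECTIONS)
    naive = run_slave_naive(MESSAGES, N_SECTIONS, SLAVE_LAG)
    synced = run_slave_path_synced(MESSAGES, N_SECTIONS, log)
    return master.value, naive.value, synced.value, synced.trace == master.trace


if __name__ == "__main__":
    print(compare())  # -> (746, 5282, 746, True)
```

The naive slave applies message 1 before section 0 instead of before section 2, and messages 2 and 3 before section 2 instead of before section 4; because the section update is not commutative with the reception update, its final value differs from the master's. The path-synchronized slave consumes the master's (section, msg_id) log instead of its own arrival clock and reproduces both the master's value and its full trace. In the simulation every message has already arrived when the slave reaches the logged section; how a real slave waits for a logged message that has not yet arrived is an assumption left outside this example.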