1. Field of the Invention
The present invention relates to control systems and, more particularly, to a redundant control system.
2. Description of the Related Art
Process control systems, such as SIMATIC PCS 7 from Siemens, serve to automate processes in technical systems and are usually hierarchically structured by way of several layers. At field level, the states of the technical process are recorded (sensors) and/or the process specifically influenced (actuators) by field devices. At control level, control computers (stored program controls with CPU units) perform control and regulatory functions in proximity to the field, where they receive input values from the sensors, e.g., a pressure transducer, and deliver output values to the actuators, e.g., a positioner for a control valve. At process management level, superordinate control and regulation of the process occurs in host computers.
Data exchange between field devices and control computers usually occurs via a digital field bus, such as PROFIBUS DP or PROFINET. As field devices do not normally have a corresponding field bus connection themselves, they are connected to the field bus via decentralized peripheral stations. A peripheral station consists of an interface module (header module) for connection to the field bus and a number of periphery modules (digital and analog input and output modules) for connection of the field devices. The periphery modules may have one or more channels, to each of which a field device can be connected.
A high-availability system, as known from DE 10 2004 034 451 A1 or WO 2005/057306 A1, for example, possesses redundantly designed central functions and is assembled with two separate control computers. In so-called “hot standby” operation, as long as no fault is present, the two control computers process the same control program simultaneously, but with only one control computer active and controlling the process with its output values. In the event of a fault, the intact control computer assumes control of the process alone. The output values of the two control computers are supplied to the actuator via separate output modules, where, as shown by DE 10 2004 034 451 A1, decoupling diodes effect an OR link of digital output values and/or an addition of analog output values at the signal outputs of the output modules. For the exchange of information, e.g., in the form of status and alignment information, redundancy coupling is provided, via which the control computers are interconnected.
In the case of the redundant control system known from WO 2005/057306 A1, the first control computer is connected via a first bus to an interface module of a first peripheral station, such as ET200M from Siemens, which has at least one periphery module. The second redundant control computer is connected via a second bus to an interface module of a second peripheral station which likewise has at least one periphery module. The actuator is arranged at signal outputs of two periphery modules that form output modules and are arranged in different peripheral stations. Each of the interface modules of the two peripheral stations is designed to transmit output values received over the bus from the respective control computer for the actuator to the respective output module for output to the actuator. Each of the output modules is designed to detect and report a malfunction at its signal output to the control computer to enable a changeover to the uninterrupted peripheral unit.
EP 0 478 288 A2 discloses a redundant automation system for an actuator that is connected to mutually decoupled signal outputs of two output modules. Both output modules are connected to two redundant control computers via a common bus.
EP 2 806 316 A1 discloses a redundant automation system for a sensor, which is connected redundantly to two periphery modules arranged in different peripheral stations. Both peripheral stations contain one interface module each, with which they are connected to an automation device via a common bus.
EP 2 799 947 A1 discloses an arrangement with a redundancy adapter unit to connect a field device, e.g., actuator, redundantly to two periphery modules arranged in different peripheral stations.
EP 2 860 598 A1 discloses a redundant automation system for sensors and actuators that are connected to a peripheral station. The peripheral station is connected via a bus to two subsystems, such as automation devices, which, as also known from the aforementioned DE 10 2004 034 451 A1 or WO 2005/057306 A1, process the same control program cyclically and synchronously and are connected to each other for this purpose via a synchronization connection. Here too, only one subsystem is active, and a changeover is made to the other subsystem in the event of a fault. To prevent the changeover from interrupting the technical process to be controlled, a dead time may occur at the outputs of the connected periphery during which the outputs persist with their last valid process output values.
A problem for redundancy operation arises from the defined reaction of the system when a device upstream of the output module, such as the control computer or the field bus, is interrupted or fails. In a PCS 7 system, such a field bus interruption and/or such a failure is detected by the interface module of the peripheral station, which then prompts all the output modules of the peripheral station, via a command (“Output Disable” command), to freeze the most recently received output values. In the aforementioned redundancy operation with two control computers and two decentralized peripheral stations, this means that in the event of a malfunction of the hitherto active control computer the output value last output by it is kept at the signal output of the downstream output module, while the output module downstream of the hitherto inactive and now active control computer outputs the current output values. In the case of analog output, the actuator then receives the sum of the frozen and the current output value and in the case of digital output, in the worst case, the logical value “one” permanently. The established reaction mechanism therefore results in a complete redundancy failure.
One possible solution to the foregoing problem is to arrange an additional digital output module in each of the two peripheral stations as an auxiliary module which, upon receiving the “Output Disable” command, triggers an external switching relay to disconnect the output module provided for the redundancy operation from the power supply. As a result, the signal output of the output module is forcibly brought into a current-free and voltage-free state that cannot influence the output value supplied by the other redundant output module by way of the OR link.
Although this measure solves the problem, albeit with increased effort, it has the disadvantage that when their power supply is removed, the redundant output modules behave in an uncontrollable and undefined manner for a relatively long period, preventing a rapid changeover to the other redundant output module.
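The failure mode after an “Output Disable” command and the relay workaround described above can be reproduced with a small Python model, added here as an illustration and not part of the patent text. It assumes the standby module drives zero until changeover and treats the relay disconnect as instantaneous, so the undefined transient noted in the last paragraph is not modelled; all class and function names and the sample values are constructed.

```python
from dataclasses import dataclass

@dataclass
class OutputModule:
    """One output module behind its own interface module (constructed model)."""
    on_disable: str       # "freeze" = Output Disable as described; "relay" = workaround
    value: float = 0.0    # level driven at the signal output
    disabled: bool = False

    def write(self, v: float) -> None:
        if not self.disabled:          # a disabled module ignores new output values
            self.value = v

    def output_disable(self) -> None:
        """Interface module has detected a field bus or control computer failure."""
        self.disabled = True
        if self.on_disable == "relay":
            self.value = 0.0           # assumption: supply cut, output at zero at once


def changeover(on_disable: str, before: float, after: float):
    """Computer 1 drives `before` and fails; computer 2 takes over with `after`."""
    m1, m2 = OutputModule(on_disable), OutputModule(on_disable)
    m1.write(before)       # assumption: the standby module m2 drives 0 meanwhile
    m1.output_disable()    # upstream failure on the hitherto active side
    m2.write(after)        # hitherto inactive side now outputs current values
    return m1, m2


def analog_at_actuator(on_disable: str, before: float, after: float) -> float:
    m1, m2 = changeover(on_disable, before, after)
    return m1.value + m2.value         # decoupling diodes add analog outputs


def digital_at_actuator(on_disable: str, before: int, after: int) -> bool:
    m1, m2 = changeover(on_disable, before, after)
    return bool(m1.value) or bool(m2.value)   # decoupling diodes OR digital outputs


if __name__ == "__main__":
    # Constructed sample values: 12.0 before the fault, 8.0 commanded afterwards.
    for mode in ("freeze", "relay"):
        print(mode, analog_at_actuator(mode, 12.0, 8.0), digital_at_actuator(mode, 1, 0))
```

With freezing, the actuator sees the frozen and the current analog value added together and a digital “one” that the new active side cannot clear; with the idealized relay disconnect only the current value reaches the actuator.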