The present invention relates to the art of industrial controllers, and more particularly to a system and method for resumption of periodic tasks following a redundant control system switchover.
Industrial controllers are special purpose computers used for controlling industrial processes, manufacturing equipment, and other factory automation applications. In accordance with a control program, an industrial controller may measure one or more process variables or inputs reflecting the status of a controlled process, and change outputs effecting control of the process. The inputs and outputs may be binary (e.g., on or off), as well as analog inputs and outputs assuming a continuous range of values. The control program may be executed in a series of execution cycles with batch processing capabilities.
The measured inputs received from a controlled process and the outputs transmitted to the process generally pass through one or more input/output (I/O) modules. These I/O modules serve as an electrical interface between the controller and the controlled process, and may be located proximate or remote from the controller. The inputs and outputs are recorded in an I/O table in processor memory. Input values may be asynchronously read from the controlled process by one or more input modules and output values are written directly to the I/O table by the processor for subsequent communication to the process by specialized communications circuitry. An output module may interface directly with a controlled process, by providing an output from an I/O table to an actuator such as a motor, valve, solenoid, and the like.
During execution of the control program, values of the inputs and outputs exchanged with the controlled process pass through the I/O table. The values of inputs in the I/O table are asynchronously updated from the controlled process by dedicated scanning circuitry. This scanning circuitry may communicate with input and/or output modules over a bus on a backplane or network communications. The scanning circuitry also asynchronously writes values of the outputs in the I/O table to the controlled process. The output values from the I/O table are then communicated to one or more output modules for interfacing with the process. Thus, the processor may simply access the I/O table rather than needing to communicate directly with the controlled process.
An industrial controller may be customized to a particular process by writing control software that may be stored in the controller's memory and/or by changing the hardware configuration of the controller to match the control task. In distributed control systems, controller hardware configuration is facilitated by separating the industrial controller into a number of control modules, each of which performs a different function. Particular control modules needed for the control task may then be connected together on a common backplane within a rack and/or through a network or other communications medium. The control modules may include processors, power supplies, network communication modules, and I/O modules exchanging input and output signals directly with the controlled process. Data may be exchanged between modules using a backplane communications bus, which may be serial or parallel, or via a network. In addition to performing I/O operations based solely on network communications, smart modules exist which may execute autonomous logical or other programs.
Various control modules of a distributed industrial control system may be spatially distributed along a common communication link in several racks. Certain I/O modules may thus be located in close proximity to a portion of the control equipment, and away from the remainder of the controller. Data is communicated with these remote modules over a common communication link, or network, wherein all modules on the network communicate using a standard communications protocol.
In a typical distributed control system, one or more I/O modules are provided for interfacing with a process. The outputs derive their control or output values in the form of a message from a master or peer device over a network or a backplane. For example, an output module may receive an output value from a processor, such as a programmable logic controller (PLC), via a communications network or a backplane communications bus. The desired output value is generally sent to the output module in a message, such as an I/O message. The output module receiving such a message will provide a corresponding output (analog or digital) to the controlled process. Input modules measure a value of a process variable and report the input values to a master or peer device over a network or backplane. The input values may be used by a processor (e.g., a PLC) for performing control computations.
Conventional control devices typically provide a run mode wherein a module executes a control program and a configure mode wherein the control program execution is suspended. As control systems become more widely distributed, the logic or control program associated with a particular process or system may be executed on a large number of modules or devices. In this way, individual processors in the devices execute a program autonomously from the rest of the system components. Smart devices, such as I/O modules, transducers, sensors, valves, and the like may thus be programmed to execute certain logical or other programs or operations independently from other such devices.
In many control systems, redundant control devices are provided in order to further ensure proper control of a process or machine in the event of a device failure. Such redundant control systems may be employed, for example, where the operation of the controlled process or machine is in some manner critical. Thus, primary and secondary controllers may be provided in a control system, wherein the primary controller runs the process and the secondary controller is adapted to assume control if the primary controller fails. Such controllers typically execute or run various tasks, some of which may be periodic in nature. In conventional redundant control systems, however, it is difficult or impossible to guarantee the periodicity of such periodic tasks upon switchover from the primary controller to the secondary controller. Thus, there is a need for improved methods and apparatus by which timely execution of periodic tasks may be improved in redundant control systems following a switchover event.
The following presents a simplified summary of the invention in order to provide a basic understanding of some aspects of the invention. This summary is not an extensive overview of the invention. It is intended to neither identify key or critical elements of the invention nor delineate the scope of the invention. Its sole purpose is to present some concepts of the invention in a simplified form as a prelude to the more detailed description that is presented later.
A method and apparatus are disclosed for performing timely execution of periodic tasks in a redundant control system. A secondary controller in the redundant system receives a wakeup time array having one or more wakeup time elements corresponding to periodic tasks, as well as a current time value from a primary controller. For example, the array may include entries for each periodic task and a corresponding element representing an estimated wakeup or execution time for the task. The array may be provided from the redundant primary controller to the secondary controller, for example, across a system redundancy module bridge. The secondary controller then schedules a run time for the periodic tasks at switchover based on the wakeup time elements and the current time value from the primary controller.
In the situation where the primary and secondary controllers determine task execution times according to internal timers (e.g., 1 μs timers), the primary may provide the secondary with its internal timer count value when sending the wakeup time array information. The secondary controller may then use this primary current time value to compute a correlation or correction factor based on a comparison of its internal timer count value and the corresponding value received from the primary. This correction factor may then be used to scale the periodic task time values in the array on the secondary such that if a switchover occurs, the secondary will timely process the periodic tasks.
The secondary controller may further receive a task instance corresponding to a periodic task from the primary control module, such as when the task is readied for execution by the primary controller, and may receive synchronization information to determine when the task has completed on the primary. The secondary controller may then schedule a run time for the periodic task at switchover based on the task instance. The task instance may comprise, for example, a task identifier or instance number, from which the secondary controller may determine which periodic task has been readied for execution in the primary. Using this, and the time at which the task instance was received by the secondary controller, the periodic task may be scheduled for execution according to the time when it was readied for execution on the primary controller, and a period associated with the periodic task.
If no such task instance has been received, the value from the array will be used to schedule the next run time for the periodic task. Where no task instance has been received and no wakeup time array element is present for a given periodic task, the task pends itself on the new primary for its default period. The methodology thus facilitates redundant system switchovers causing minimal or no intrusion into the periodicity of periodic tasks.
If a task instance was received from the primary, but no state information has been received to indicate that the primary had completed the task, then the secondary (e.g., the new primary) will immediately execute the task at switchover.
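The switchover scheduling cases described above, written out as an added C example (not code from the patent). All type, field and function names are hypothetical; the correction is assumed to be a simple offset between the two free-running timer counts, and clamping an already-elapsed run time to the switchover time is likewise an assumption.

```c
#include <stdbool.h>
#include <stdint.h>

/* Per-task state kept by the secondary (hypothetical layout). */
typedef struct {
    uint32_t period_us;        /* default period of the periodic task */
    bool     has_wakeup;       /* wakeup time array element present? */
    uint32_t wakeup_primary;   /* wakeup time in primary timer counts */
    bool     instance_rx;      /* task instance received from primary? */
    bool     completed_rx;     /* completion synchronization received? */
    uint32_t instance_rx_time; /* secondary timer count when instance arrived */
} task_state_t;

/* Correction derived by comparing the two timer counts at qualification.
 * Assumption: a plain offset. Unsigned subtraction stays correct across
 * timer wraparound. */
uint32_t timer_correction(uint32_t primary_now, uint32_t secondary_now)
{
    return secondary_now - primary_now;
}

/* Secondary-timer count at which the task should next run, evaluated at
 * switchover time `now`. */
uint32_t schedule_at_switchover(const task_state_t *t,
                                uint32_t correction, uint32_t now)
{
    uint32_t when;

    if (t->instance_rx && !t->completed_rx)
        return now;                                /* readied, not known complete: run now */
    if (t->instance_rx)
        when = t->instance_rx_time + t->period_us; /* time readied on primary + period */
    else if (t->has_wakeup)
        when = t->wakeup_primary + correction;     /* corrected wakeup array value */
    else
        return now + t->period_us;                 /* no data: pend for default period */

    /* Assumption: a run time that has already passed is treated as due now.
     * The signed difference keeps the comparison wrap-safe. */
    if ((int32_t)(when - now) < 0)
        when = now;
    return when;
}
```

A stale or missing wakeup array degrades to the default period rather than a missed run, which is the availability property the switchover logic is protecting.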
One aspect of the present invention provides a method for operating a primary controller in a redundant control system. According to the method, the primary controller sends wakeup time information to the secondary controller during qualification of the secondary controller. The wakeup time information includes one or more wakeup time values corresponding to periodic tasks associated with the process, and may be in the form of an array. The primary controller may further send a current time value to the secondary controller during qualification of the secondary controller. The wakeup time information and the primary current time value may, but need not be, included within a single message or packet transferred from the primary controller to the secondary controller. For example, the wakeup time information and the current primary time value may be sent to the secondary controller via a system module redundancy bridge or the like.
The method may further include sending a task instance associated with a periodic task to the secondary controller as the periodic task is readied for execution if the secondary controller is qualified. The secondary controller may, in turn, record the time the task instance was received, and use this to schedule an execution or run time for the periodic task, should a switchover event take place. This provides updated information relating to the periodicity of the periodic task in addition to that provided by the wakeup time array sent to the secondary controller during qualification.
According to another aspect of the present invention, there is provided a method for operating a secondary controller in a redundant control system. The method comprises obtaining wakeup time information (e.g., a wakeup time array) from a primary controller during qualification of the secondary controller, wherein the wakeup time information comprises one or more wakeup time values corresponding to one or more periodic tasks associated with a controlled process. The method further comprises running or executing at least one periodic task according to the wakeup time information from the primary controller after a switchover event. The secondary controller may further obtain a current primary time value from the primary controller during qualification of the secondary controller, and may correct the wakeup time information according to the current primary time value and a current secondary time value. In this regard, running at least one periodic task according to the wakeup time information may comprise running the periodic task according to the corrected wakeup time information.
The correction of the wakeup time information may include performing a comparison of the current primary time value from the primary controller with the current secondary time value, generating a current time correction value according to the comparison, and scaling the wakeup time information from the primary controller to obtain the corrected wakeup time information. Thus, where the primary and secondary controllers operate autonomous timers (e.g., hardware or software controlled timers), a correction or correlation between the values thereof may be derived by the secondary controller, in order to scale or correct the wakeup time information obtained from the primary controller.
The method may further comprise obtaining at least one task instance from the primary controller when the secondary controller is qualified. The task instance may include information relating to the execution of the periodic task by the primary controller, such as an indication that the task has been readied for execution, or that execution has been completed. The secondary controller may then run the periodic task according to the task instance after a switchover event. For example, the task instance may identify a periodic task, wherein running the periodic task in the secondary controller after a switchover event may comprise scheduling the task for execution according to the time when the task instance was obtained from the primary controller. In this regard, scheduling the periodic task for execution may comprise computing a reschedule time according to the time when the task instance was obtained and a default period associated with the periodic task.
In the case where the secondary has been notified that the task has been readied for execution, but has not been notified that the task has completed execution, the secondary will immediately execute the task after a switchover.
Yet another aspect of the invention includes a primary controller for controlling a process in a redundant control system. The primary controller is adapted to send wakeup time information to the secondary controller during qualification of the secondary controller, wherein the wakeup time information comprises at least one wakeup time value corresponding to a periodic task associated with the process. The controller may be further adapted to send a current time value to the secondary controller during qualification of the secondary controller, and to send a task instance associated with a periodic task to the secondary controller as a periodic task is readied for execution if the secondary controller is qualified.
According to still another aspect of the invention, there is provided a secondary controller adapted to assume control of a process from a primary controller in a redundant control system upon a switchover event. The secondary controller is adapted to obtain wakeup time information from the primary controller during qualification of the secondary controller, wherein the wakeup time information comprises at least one wakeup time value corresponding to a periodic task associated with the process. The secondary controller is further adapted to run the periodic task according to the wakeup time information from the primary controller after a switchover event.
In addition, the secondary controller may be adapted to obtain a current primary time value from the primary controller during qualification, and to correct the wakeup time information according to the current primary time value and a current secondary time value. The periodic task may accordingly be run based on the corrected wakeup time information. The secondary controller may be further adapted to obtain a task instance from the primary controller when the secondary controller is qualified, wherein the task instance comprises information relating to the execution of at least one task by the primary controller. In this case, the secondary controller may run the periodic task according to the task instance after a switchover event.
To the accomplishment of the foregoing and related ends, the invention, then, comprises the features hereinafter fully described. The following description and the annexed drawings set forth in detail certain illustrative aspects of the invention. However, these aspects are indicative of but a few of the various ways in which the principles of the invention may be employed. Other aspects, advantages and novel features of the invention will become apparent from the following detailed description of the invention when considered in conjunction with the drawings.