CN114428451A - Method for switching external communication permission of redundant communication module - Google Patents
Method for switching external communication permission of redundant communication module Download PDFInfo
- Publication number
- CN114428451A CN114428451A CN202111478628.9A CN202111478628A CN114428451A CN 114428451 A CN114428451 A CN 114428451A CN 202111478628 A CN202111478628 A CN 202111478628A CN 114428451 A CN114428451 A CN 114428451A
- Authority
- CN
- China
- Prior art keywords
- communication
- communication module
- external
- redundant
- fault
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 230000006854 communication Effects 0.000 title claims abstract description 705
- 238000004891 communication Methods 0.000 title claims abstract description 701
- 238000000034 method Methods 0.000 title claims abstract description 45
- 238000003745 diagnosis Methods 0.000 claims abstract description 22
- 230000004044 response Effects 0.000 claims description 37
- 238000012544 monitoring process Methods 0.000 claims description 19
- 238000004590 computer program Methods 0.000 claims description 6
- 238000011084 recovery Methods 0.000 description 10
- 230000000737 periodic effect Effects 0.000 description 6
- 238000012986 modification Methods 0.000 description 5
- 230000004048 modification Effects 0.000 description 5
- 230000003993 interaction Effects 0.000 description 3
- 238000004092 self-diagnosis Methods 0.000 description 3
- 230000007547 defect Effects 0.000 description 2
- 230000000977 initiatory effect Effects 0.000 description 2
- 230000008569 process Effects 0.000 description 2
- 238000013461 design Methods 0.000 description 1
- 238000010586 diagram Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 230000002452 interceptive effect Effects 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 230000011664 signaling Effects 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B9/00—Safety arrangements
- G05B9/02—Safety arrangements electric
- G05B9/03—Safety arrangements electric with multiple-channel loop, i.e. redundant control systems
Landscapes
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Engineering & Computer Science (AREA)
- Automation & Control Theory (AREA)
- Maintenance And Management Of Digital Transmission (AREA)
Abstract
The invention relates to a method for switching external communication permission of a redundant communication module, which comprises the following steps: when the first communication module is in a communication fault state and the second communication module is determined to have communication faults at the same time, the first communication module and the second communication module alternately start external communication authorities to try to communicate with external equipment according to the alternate distribution strategy of the external communication authorities; and transmitting redundant communication data through the redundant communication channel, comprising: strategy information and self communication fault diagnosis results are alternately distributed to the external communication authorities; if the communication fault of the first communication module is cleared and the first communication module is in normal communication with the external equipment in the scheduling period for starting the external communication authority, and new redundant communication data are sent; the two communication modules form a redundant communication module of the safety control system. The method solves the problem of uniqueness of the redundant communication module in the safety control system to the external communication data under the fault condition, and simultaneously solves the problem of data rebound caused by switching of external communication permission.
Description
Technical Field
The invention relates to the field of industrial automation, in particular to a method for switching external communication permission of a redundant communication module.
Background
The communication control bus of the safety control system in the process industry field is provided with two redundant communication modules, wherein one redundant communication module is a main communication module which schedules a communication bus and has the authority of actively initiating external communication, and the other redundant communication module is a standby communication module which obtains the authority of actively initiating communication through redundant switching when the main communication module fails.
Aiming at the problem of redundancy switching of communication modules of an industrial safety control system, the existing method has application number 201711326081.4 and is named as a DCS redundancy communication module switching method, a single level signal is used as a redundancy switching condition of a single fault of a communication module in the existing method, but external communication authority switching cannot be effectively controlled when the redundant communication module is in double faults, the defect can cause the condition that data is not unique when the double faults occur and the fault recovery is slow, and the overall safety and reliability of the system are affected. Secondly, the main communication module in the redundant communication module initiates external communication, when the main communication module is recovered after failure, the design mechanism that the standby card authority is immediately switched to the main communication module causes the defect of external communication data rebound, and the stability and the safety of the control system cannot be ensured.
Disclosure of Invention
Technical problem to be solved
In view of the above disadvantages and shortcomings of the prior art, the present invention provides a method for switching external communication permissions of a redundant communication module, which solves the problem of uniqueness of external communication data of the redundant communication module in a safety control system under a fault condition, and also solves the problem of data rebound caused by switching of external communication permissions.
(II) technical scheme
In order to achieve the purpose, the invention adopts the main technical scheme that:
in a first aspect, an embodiment of the present invention provides a method for switching external communication permissions of a redundant communication module, where the method includes:
s10: when the first communication module is in a communication fault state and the second communication module is determined to have communication faults at the same time, the first communication module and the second communication module alternately start external communication authorities to try communication with external equipment according to an alternate distribution strategy of the external communication authorities;
s20, the first communication module sends redundant communication data to the second communication module through a redundant communication channel, where the redundant communication data includes: strategy information and self communication fault diagnosis results are alternately distributed to the external communication authorities;
s30, if the communication fault of the first communication module is cleared and is in the scheduling period of starting the external communication authority, the first communication module communicates with the external equipment normally and sends new redundant communication data to the second communication module through the redundant communication channel;
if the communication fault of the first communication module is cleared and is in a scheduling period for closing the external communication authority, waiting for the scheduling period for opening the external communication authority, normally communicating with external equipment in the scheduling period for opening the external communication authority, and sending new redundant communication data to the second communication module through a redundant communication channel;
the new redundant communication data comprises: the information of self communication fault clearing and the information of informing the second communication module to close the external communication authority;
the first communication module and the second communication module form a redundant communication module of the safety control system.
Optionally, the method further comprises:
the first communication module in the communication fault state is also used for monitoring response data of the external equipment, and if the response data is correctly obtained, the communication fault of the first communication module is cleared;
the second communication module in the communication fault state is also used for monitoring response data of the external equipment, and if the response data is correctly obtained, the communication fault of the second communication module is cleared;
the first communication module communicates with the second communication module in real time through the redundant communication channel.
Optionally, the method further comprises:
if the redundant communication channels of the first communication module and the second communication module are in fault, the first communication module or the second communication module which starts the external communication authority does not actively switch the external communication authority when the redundant communication channels are in fault;
when the redundant communication channel is cleared, the first communication module and the second communication module communicate through the redundant communication channel, and respectively execute to open or close the external communication authority according to communication information.
Optionally, the policy for allocating the external communication right in turn is: scheduling the strategy of external communication permission at n second period; n is a positive number of 10 or less;
the first communication module and the second communication module open the external communication permission in turn to try communication with the external device according to the strategy for distributing the external communication permission in turn, and the method comprises the following steps:
the first communication module starts the external communication permission in the current n-second scheduling period, tries communication with the external equipment and monitors response data of the external equipment, and the second communication module monitors the response data of the external equipment;
the second communication module starts the external communication authority in the next scheduling period of n seconds, tries to communicate with the external equipment and monitors the response data of the external equipment, and the first communication module monitors the response data of the external equipment.
Optionally, n is 5s/7s/2 s;
the communication fault is a communication hardware fault, a communication connection fault, a communication response timeout fault or an MCU fault.
Optionally, the method further comprises:
if the first communication module is in a communication fault state and sends first fault information to the second communication module through the redundant communication channel, and the second communication module determines that communication fault information does not occur to the second communication module according to the first fault information, external communication permission is opened and communication is carried out with external equipment;
sending new redundant communication data to the first communication module over the redundant communication channel, the new redundant communication data comprising: and informing the first communication module of closing the information of the external communication permission so that the first communication module closes the external communication permission according to the new redundant communication data and monitors the response data of the external equipment.
Optionally, the method further comprises:
if the first communication module receives second fault information sent by the second communication module through the redundant communication channel and determines that the second communication module has a communication fault according to the second fault information, executing the step of S10; and listens for reply data of the external device.
Optionally, the method comprises the following steps:
the first communication module is a main communication module, the second communication module is a standby communication module, and the redundant communication channel is a data channel connected with a bottom-layer physical communication bus;
alternatively, the first and second electrodes may be,
the first communication module is a standby communication module, the second communication module is a main communication module, and the redundant communication channel is a data channel connected with a bottom-layer physical communication bus.
In a second aspect, the present invention further provides a security control system, comprising a first communication module and a second communication module,
the first communication module and the second communication module execute the method for switching the external communication permission of the redundant communication module according to any one of the first aspect.
In a third aspect, the present invention further provides an electronic device, which includes a memory and a processor, where the memory stores a computer program, and the processor executes the computer program stored in the memory and executes the method for switching the external communication permission of the redundant communication module according to any of the first aspects.
(III) advantageous effects
The method of the invention can solve the problem of uniqueness of the redundant communication module of the safety control system to the external communication data under the fault condition, solve the problem of data rebound caused by switching of external communication permission due to the fault of the redundant communication module, and solve the problem of incapability of quick recovery under the fault condition through redundant monitoring.
The method has stability, practicability and high reliability, ensures the uniqueness of external communication data, avoids data interference when double-authority work occurs, namely, ensures the stability of external communication of the system when a single communication module of a safety control system fails through fast switching when the single communication module fails, and ensures the normal operation of field equipment.
The method of the invention tries to recover the external communication by periodically dispatching and alternately distributing the authority of the two communication modules under the condition of double faults, wherein the module without the communication authority externally carries out periodic self-diagnosis through redundant monitoring, thereby ensuring the rapid recovery under the condition of double faults, reducing the interference of the double faults to the communication, avoiding the data rebound phenomenon generated by switching the standby communication module back to the main communication module after the fault of the main communication module is recovered under the traditional main and standby communication modes, and ensuring the stability of the communication data.
Drawings
Fig. 1 is a schematic flowchart of a method for switching external communication permissions of redundant communication modules according to an embodiment of the present invention;
fig. 2 is a signaling diagram of a method for switching external communication permissions by redundant communication modules according to an embodiment of the present invention.
Detailed Description
For the purpose of better explaining the present invention and to facilitate understanding, the present invention will be described in detail by way of specific embodiments with reference to the accompanying drawings.
In the data communication of a main redundant communication module and a standby redundant communication module of a safety control system, particularly aiming at the data safety problem under the condition of single fault and double faults of the main redundant communication module and the standby redundant communication module, in order to ensure the uniqueness, stability and practicability of the data of the communication modules, a high-reliability switching method of external communication permission of the redundant communication modules is provided, and aiming at the problem that the external communication permission is switched due to faults of the redundant communication modules in the traditional safety control system, so that the external communication data is not unique. The scheme of the following embodiment can effectively avoid the data rebound phenomenon generated by switching the standby communication module back to the main communication module after the failure of the main communication module is recovered in the traditional main and standby communication modes; the problem of quick fault recovery after external communication failure caused by temporary single and double faults of the redundant communication module is solved.
Example one
As shown in fig. 1, a schematic flow chart of a method for switching external communication permissions of a redundant communication module provided in this embodiment is a redundant communication module in a safety control system, where a first communication module and a second communication module of the following embodiments constitute the redundant communication module, and the method of this embodiment may include the following steps:
s10: when the first communication module is in a communication fault state and the second communication module is determined to have communication faults at the same time, the first communication module and the second communication module alternately start external communication authorities to try communication with external equipment according to an alternate distribution strategy of the external communication authorities;
s20, the first communication module sends redundant communication data to the second communication module through a redundant communication channel, where the redundant communication data includes: and allocating strategy information and self communication fault diagnosis results to the external communication authorities in turn.
In this embodiment, the policy for allocating the external communication permission in turn is as follows: scheduling the strategy of the external communication authority in n second period; n is a positive number of 10 or less, and n is, for example, 3s, 5s, 7s, 8s, or the like.
It can be understood that the first communication module alternately opens the external communication right with the second communication module to attempt communication with the external device according to the alternate distribution strategy of the external communication right, including:
the first communication module starts the external communication permission in the current n-second scheduling period, tries to communicate with the external equipment and monitors response data of the external equipment, and the second communication module monitors the response data of the external equipment;
the second communication module starts the external communication permission in the next scheduling period of n seconds, tries communication with the external equipment and monitors response data of the external equipment, and the first communication module monitors the response data of the external equipment.
S30, if the communication fault of the first communication module is cleared and is in the scheduling period of starting the external communication authority, the first communication module communicates with the external equipment normally and sends new redundant communication data to the second communication module through the redundant communication channel;
if the communication fault of the first communication module is cleared and is in a scheduling period for closing the external communication authority, waiting for the scheduling period for opening the external communication authority, normally communicating with external equipment in the scheduling period for opening the external communication authority, and sending new redundant communication data to the second communication module through a redundant communication channel; the new redundant communication data may include: the information of self communication fault clearing and the information of informing the second communication module to close the external communication authority;
in this embodiment, the first communication module and the second communication module constitute a redundant communication module of the safety control system.
It should be noted that the first communication module in the communication failure state is further configured to monitor response data of the external device, and determine that the communication failure of the first communication module is cleared if the response data is correctly obtained;
the second communication module in the communication fault state is also used for monitoring response data of the external equipment, and if the response data is correctly obtained, the communication fault of the second communication module is cleared;
the first communication module is communicated with the second communication module in real time through the redundant communication channel, the first communication module is a main communication module, and the second communication module can be a standby communication module; and if the first communication module is a standby communication module, the second communication module is a main communication module. The redundant communication channel is a data channel connected with a bottom layer physical communication bus.
The communication fault is a communication hardware fault, a communication connection fault, a communication response timeout fault, or an MCU fault.
According to the method, the two communication modules are periodically scheduled to alternately distribute the external communication permission under the condition of double faults, and attempt to recover the external communication, wherein the communication module without the external communication permission performs periodic self-diagnosis through redundancy monitoring, so that the rapid recovery under the condition of double faults is ensured, the interference of the double faults on the communication is reduced, the phenomenon of data rebound caused by switching the standby communication module back to the main communication module after the main communication module recovers the faults in the traditional main communication mode and standby communication mode is avoided, and the stability of communication data is ensured.
In a specific implementation process, the method further includes the following step S40:
s40: if the redundant communication channels of the first communication module and the second communication module are in fault, the first communication module or the second communication module which starts the external communication authority does not actively switch the external communication authority when the redundant communication channels are in fault;
when the redundant communication channel is cleared, the first communication module and the second communication module communicate through the redundant communication channel, and respectively execute to open or close the external communication authority according to communication information.
The main communication module and the standby communication module of the present embodiment respectively perform real-time internal redundant communication and periodic communication with an external device, and interact respective diagnostic results (including normal diagnosis and fault diagnosis) through a redundant communication channel. For example, the main communication module obtains a diagnosis result of the backup communication module, and the backup communication module obtains a diagnosis result of the main communication module, compares the diagnosis result of the other side with the diagnosis result of the backup communication module, and determines whether to perform the switching of the external communication right. And finally, switching of external communication permission of the main communication module under a fault condition is realized, and switching of external communication permission can be scheduled periodically in turn when double faults of the redundant communication module occur, so that the requirement of rapid fault recovery is met.
Example two
The main communication module and the standby communication module are completely identical and independent, the main communication module and the standby communication module diagnose and analyze self internal communication and external communication faults and carry out data interaction on diagnosis results through a hardware bus (namely a redundant communication channel), when the main communication module normally communicates, external communication permission is not switched, and at the moment, the standby communication module is hung up; when the main communication module has communication failure, the standby communication module obtains external communication permission through interactive switching of redundant communication channels; otherwise, when the standby communication module is in normal communication, the switching of the external communication authority is not carried out, and the main communication module is suspended; if the standby communication module has communication failure, the main communication module obtains external communication permission through the interaction of the redundant communication channels.
If the main communication module and the standby communication module simultaneously have faults, the external communication authority is switched through the periodic alternate scheduling of the main communication module and the standby communication module, when one communication module obtains the external communication authority, the other communication module enters a redundant monitoring state without the external communication authority, only response data of external equipment is obtained in the monitoring state, and if the monitoring data can be normally obtained, the self fault state is determined to be cleared. When one of the main module and the standby module can clear the fault, the external communication state can be quickly recovered, the fault recovery under the double fault state is realized, and the switching of the external communication authority with high reliability is realized.
This is explained in detail below with reference to fig. 2.
201, when a communication failure occurs in the external communication process of the second communication module M2, the external communication authority is switched to the first communication module M1, and at this time, the second communication module M2 enters a redundant listening state (for example, the time period T1 in fig. 2).
When the second communication module M2 has a fault such as an MCU fault, a communication hardware fault, a communication connection fault, and a communication response timeout when obtaining the external communication right, which results in that the second communication module M2 cannot perform normal service communication with the external device S1, the second communication module M2 sends redundant communication data containing its own fault diagnosis information to the first communication module M1, and the first communication module M1 also sends redundant communication data containing its own fault diagnosis information to the second communication module M2.
After receiving the redundant communication data of the first communication module M1, the second communication module M2 analyzes the redundant communication data of the first communication module M1, and if the self communication is failed and the diagnosis result of the first communication module M1 is normal, the second communication module M2 closes the external communication right and stops the external communication service; meanwhile, after receiving the redundant communication data of the second communication module M2, the first communication module M1 analyzes the redundant communication data of the second communication module M2, acquires the external communication right if the communication fault diagnosis result is normal, and starts external communication scheduling of the first communication module M1.
202: the second communication module M2 determines that the communication failure is cleared by redundant listening, interacts with the first communication module M1 by means of a redundant communication channel, and suspends.
203, if the first communication module M1 has communication failure during the external communication process, the external communication authority is switched to the second communication module M2 through the redundant communication channel, and the first communication module M1 enters a redundant listening state (for example, the T2 time period in fig. 2).
When the first communication module M1 obtains the external communication right and has faults such as MCU fault, communication hardware fault, communication connection fault, communication response timeout, etc., and the first communication module M1 cannot perform normal service communication on the external device, the first communication module M1 sends redundant communication data containing its own fault diagnosis information to the second communication module M2, and the second communication module M2 also sends redundant communication data containing its own fault diagnosis information to the first communication module M1.
That is, the first communication module M1 receives the redundant communication data of the second communication module M2, analyzes the redundant communication data of the second communication module M2, and if the diagnosis result of the self communication is failure and the diagnosis result of the second communication module M2 is normal, the first communication module M1 closes the external communication right and stops the external communication service; meanwhile, after receiving the redundant communication data of the first communication module M1, the second communication module M2 analyzes the redundant communication data of the first communication module M1, acquires the external communication right if the communication fault diagnosis result is normal, and starts external communication scheduling of the second communication module M2.
204: if the first communication module M1 determines that the communication failure is cleared by redundant listening, it interacts with the second communication module M2 by means of a redundant communication channel and hangs up.
205: the first communication module M1 performs redundant monitoring, and the communication failure is not cleared, at this time, when a communication failure occurs in the external communication process of the second communication module M2, the 5s external communication permission is obtained according to the predefined periodic polling policy, and the first communication module 1 enters redundant monitoring (for example, the T3 time period in fig. 2).
206. After the second communication module M2 performs external communication for 5s, closing the external communication authority, and performing redundant communication with the first communication module M1 through a redundant communication channel in real time; the first communication module M1 attempts to communicate with the external device S1 (e.g., T4 and T5, T6 periods in fig. 2);
the first communication module M1 and the second communication module M2 each take turns to try to communicate with the external device for 5s, and perform internal communication through the redundant communication channel during the period of trying to communicate by the external device, and listen to the response data of the external device.
That is, the two modules are connected with a lower hardware communication bus for data exchange, the first communication module M1 transmits redundant communication data containing its own communication failure diagnosis result to the second communication module M2 through the communication bus, and the second communication module M2 also transmits redundant communication data containing its own communication failure diagnosis result to the first communication module M1 through the communication bus.
When the first communication module M1 and the second communication module M2 fail at the same time, the first communication module 1 takes turns with 5s as a cycle and the second communication module M2 acquires the external communication right, so that the first communication module M1 and the second communication module M2 periodically switch the external communication right, respectively take turns to acquire external communication right scheduling with 5s as a cycle, and attempt to communicate with the external device:
when the first communication module M1 has an external communication right, the first communication module M1 instructs the second communication module M2 to close the external communication right through redundant communication data, the second communication module M2 closes the external communication right after receiving the redundant communication data sent by the first communication module M1, the second communication module M2 sends its own current right state to the first communication module M1 through the redundant communication data, and meanwhile, the second communication module M2 enters a redundant monitoring state, and the second communication module M2 only obtains response data of external devices in the monitoring state;
if the second communication module M2 can normally obtain the response data, that is, the communication fault of itself is cleared, when the next external communication authority scheduling period is reached, the second communication module M2 can quickly recover the external communication state, thereby realizing the fault recovery in the double-fault state.
When the first communication module M1 resolves that the state of the second communication module M2 in the redundant communication data of the second communication module M2 is that the external communication right is closed, the first communication module M1 communicates with the external device in a cycle of 5s, so that the situation that the first communication module M1 and the second communication module M2 obtain the external communication right at the same time in the redundant communication process is avoided, and the uniqueness of the external communication right under the double-fault condition is ensured.
If the first communication module M1 still has a continuous failure in the external communication within 5s, at this time, the first communication module M1 performs permission inversion, that is, closes its own external communication permission, at this time, the first communication module M1 sends information for acquiring the external communication permission to the second communication module M2 through redundant communication data, so that the second communication module M2 opens the external communication permission, and the first communication module M1 enters a redundant monitoring state, in the monitoring state, the first communication module M1 only acquires response data of an external device, if the response data can be normally acquired, that is, its own communication failure is cleared, and when the next external communication permission scheduling cycle, the first communication module M1 can quickly recover the external communication state, thereby implementing failure recovery in the dual-failure state (for example, in the T7 time period in fig. 2, a monitoring recovery process).
207. When the first communication module M1 and the second communication module M2 fail in the underlying redundant communication (for example, in the time period T8 in fig. 2), the redundant communication is in an offline state, and if the first communication module M1 turns on the external communication right and the second communication module M2 turns off the external communication right, the communication between the first communication module M1 and the external device S1 is continued, so that the uniqueness of the external communication data is ensured.
In the method, the switching of the external communication permission is realized through the interaction of the redundant communication data, the uniqueness of the external communication data of the redundant communication module under the normal and fault conditions is ensured, and the double-permission working phenomenon of the redundant communication module is avoided.
In the embodiment, when a single communication module fails, the system operation is not affected; the two redundant communication modules perform periodic authority scheduling and monitoring self-diagnosis under the condition of double faults, so that the interference of the double faults on communication is reduced, and the data rebound phenomenon caused by the authority switching of the traditional communication module is avoided.
EXAMPLE III
The embodiment of the invention also provides a safety control system used in the instrument, a first communication module and a second communication module are arranged in the safety control system,
the first communication module and the second communication module execute the method for switching the external communication permission of the redundant communication module described in the first embodiment or the second embodiment.
The above-mentioned instrument may be an electronic device, and includes a memory and a processor, where the memory stores a computer program, and the processor executes the computer program stored in the memory and executes the method for switching the external communication right of the redundant communication module according to any embodiment of the above-mentioned claims.
It should be noted that in the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the terms first, second, third and the like are for convenience only and do not denote any order. These words are to be understood as part of the name of the component.
Furthermore, it should be noted that in the description of the present specification, the description of the term "one embodiment", "some embodiments", "examples", "specific examples" or "some examples", etc., means that a specific feature, structure, material or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present invention. In this specification, the schematic representations of the terms used above are not necessarily intended to refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, various embodiments or examples and features of different embodiments or examples described in this specification can be combined and combined by one skilled in the art without contradiction.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, the claims should be construed to include preferred embodiments and all changes and modifications that fall within the scope of the invention.
It will be apparent to those skilled in the art that various modifications and variations can be made in the present invention without departing from the spirit or scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention should also include such modifications and variations.
Claims (10)
1. A method for switching external communication permission of a redundant communication module is characterized by comprising the following steps:
s10: when the first communication module is in a communication fault state and the second communication module is determined to have communication faults at the same time, the first communication module and the second communication module alternately start external communication authorities to try communication with external equipment according to an alternate distribution strategy of the external communication authorities;
s20, the first communication module sends redundant communication data to the second communication module through a redundant communication channel, where the redundant communication data includes: strategy information and self communication fault diagnosis results are alternately distributed to the external communication authorities;
s30, if the communication fault of the first communication module is cleared and is in the scheduling period of starting the external communication authority, the first communication module communicates with the external equipment normally and sends new redundant communication data to the second communication module through the redundant communication channel;
if the communication fault of the first communication module is cleared and is in a scheduling period for closing the external communication authority, waiting for the scheduling period for opening the external communication authority, normally communicating with external equipment in the scheduling period for opening the external communication authority, and sending new redundant communication data to the second communication module through a redundant communication channel;
the new redundant communication data comprises: the information of self communication fault clearing and the information of informing the second communication module to close the external communication authority;
the first communication module and the second communication module form a redundant communication module of the safety control system.
2. The method of claim 1, further comprising:
the first communication module in the communication fault state is also used for monitoring response data of the external equipment, and if the response data is correctly obtained, the communication fault of the first communication module is cleared;
the second communication module in the communication fault state is also used for monitoring response data of the external equipment, and if the response data is correctly obtained, the communication fault of the second communication module is cleared;
the first communication module communicates with the second communication module in real time through the redundant communication channel.
3. The method of claim 1, further comprising:
if the redundant communication channels of the first communication module and the second communication module are in fault, the first communication module or the second communication module which starts the external communication authority does not actively switch the external communication authority when the redundant communication channels are in fault;
when the redundant communication channel fault is cleared, the first communication module and the second communication module communicate through the redundant communication channel, and respectively execute opening or closing of the external communication authority according to communication information.
4. The method of claim 1,
the strategy for alternately distributing the external communication authority is as follows: scheduling the strategy of external communication permission at n second period; n is a positive number of 10 or less;
the first communication module and the second communication module open the external communication permission in turn to try communication with the external device according to the strategy for distributing the external communication permission in turn, and the method comprises the following steps:
the first communication module starts the external communication permission in the current n-second scheduling period, tries communication with the external equipment and monitors response data of the external equipment, and the second communication module monitors the response data of the external equipment;
the second communication module starts the external communication permission in the next scheduling period of n seconds, tries communication with the external equipment and monitors response data of the external equipment, and the first communication module monitors the response data of the external equipment.
5. The method of claim 3, wherein n is 5 s;
the communication fault is a communication hardware fault, a communication connection fault, a communication response timeout fault, or an MCU fault.
6. The method of claim 1, further comprising:
if the first communication module is in a communication fault state and sends first fault information to the second communication module through the redundant communication channel, and the second communication module determines that communication fault information does not occur to the second communication module according to the first fault information, external communication permission is opened and communication is carried out with external equipment;
sending new redundant communication data to the first communication module over the redundant communication channel, the new redundant communication data comprising: and informing the first communication module of closing the information of the external communication permission so that the first communication module closes the external communication permission according to the new redundant communication data and monitors the response data of the external equipment.
7. The method of claim 6, further comprising:
if the first communication module receives second fault information sent by the second communication module through the redundant communication channel and determines that the second communication module has a communication fault according to the second fault information, executing the step of S10; and listens for reply data of the external device.
8. The method of claim 1, comprising:
the first communication module is a main communication module, the second communication module is a standby communication module, and the redundant communication channel is a data channel connected with a bottom-layer physical communication bus;
alternatively, the first and second electrodes may be,
the first communication module is a standby communication module, the second communication module is a main communication module, and the redundant communication channel is a data channel connected with a bottom-layer physical communication bus.
9. A safety control system is characterized by comprising a first communication module and a second communication module,
the first communication module and the second communication module execute the method for switching the external communication authority of the redundant communication module according to any one of the claims 1 to 8.
10. An electronic device, comprising a memory and a processor, wherein the memory stores a computer program, and the processor executes the computer program stored in the memory and performs the method for switching the external communication right of the redundant communication module according to any one of claims 1 to 8.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111478628.9A CN114428451B (en) | 2021-12-06 | 2021-12-06 | Method for switching external communication permission of redundant communication module |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111478628.9A CN114428451B (en) | 2021-12-06 | 2021-12-06 | Method for switching external communication permission of redundant communication module |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN114428451A true CN114428451A (en) | 2022-05-03 |
| CN114428451B CN114428451B (en) | 2024-03-19 |
Family
ID=81311472
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111478628.9A Active CN114428451B (en) | 2021-12-06 | 2021-12-06 | Method for switching external communication permission of redundant communication module |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114428451B (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115016246A (en) * | 2022-08-04 | 2022-09-06 | 深圳核心医疗科技有限公司 | Switching control method, switching control circuit, electronic device, and storage medium |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JPH07334382A (en) * | 1994-06-07 | 1995-12-22 | Hitachi Ltd | Multicontroller system |
| KR20070030513A (en) * | 2005-09-13 | 2007-03-16 | 에스케이 텔레콤주식회사 | Method for duplexing between active board and standby board in switching center |
| CN101296065A (en) * | 2008-06-19 | 2008-10-29 | 浙江中控技术股份有限公司 | Method and system for improving reliability of redundancy main station |
| CN101916218A (en) * | 2010-08-10 | 2010-12-15 | 西安电子科技大学 | Double-CPU redundancy control system based on analysis redundancy mechanism |
| CN107992027A (en) * | 2017-12-13 | 2018-05-04 | 中核控制系统工程有限公司 | A kind of DCS redundant communication modules switching method |
| CN113542057A (en) * | 2021-06-23 | 2021-10-22 | 浙江中控技术股份有限公司 | Communication fault detection method, device and system based on redundant device |
-
2021
- 2021-12-06 CN CN202111478628.9A patent/CN114428451B/en active Active
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JPH07334382A (en) * | 1994-06-07 | 1995-12-22 | Hitachi Ltd | Multicontroller system |
| KR20070030513A (en) * | 2005-09-13 | 2007-03-16 | 에스케이 텔레콤주식회사 | Method for duplexing between active board and standby board in switching center |
| CN101296065A (en) * | 2008-06-19 | 2008-10-29 | 浙江中控技术股份有限公司 | Method and system for improving reliability of redundancy main station |
| CN101916218A (en) * | 2010-08-10 | 2010-12-15 | 西安电子科技大学 | Double-CPU redundancy control system based on analysis redundancy mechanism |
| CN107992027A (en) * | 2017-12-13 | 2018-05-04 | 中核控制系统工程有限公司 | A kind of DCS redundant communication modules switching method |
| CN113542057A (en) * | 2021-06-23 | 2021-10-22 | 浙江中控技术股份有限公司 | Communication fault detection method, device and system based on redundant device |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115016246A (en) * | 2022-08-04 | 2022-09-06 | 深圳核心医疗科技有限公司 | Switching control method, switching control circuit, electronic device, and storage medium |
| CN115016246B (en) * | 2022-08-04 | 2022-12-02 | 深圳核心医疗科技有限公司 | Switching control method, switching control circuit, electronic device, and storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN114428451B (en) | 2024-03-19 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN106170971B (en) | Arbitration process method, arbitration storage device and system after a kind of cluster fissure | |
| CN105095001B (en) | Virtual machine abnormal restoring method under distributed environment | |
| CN108429629A (en) | Equipment fault restoration methods and device | |
| CN110134518B (en) | Method and system for improving high availability of multi-node application of big data cluster | |
| CN105515812A (en) | Fault processing method of resources and device | |
| CN105607590A (en) | Methods and apparatus to provide redundancy in a process control system | |
| CN1633785A (en) | In phase clock time in time touch treaty environment | |
| CN103139033B (en) | Single main communications control bus main equipment redundancy switching method | |
| CN107276839B (en) | Self-monitoring method and system of cloud platform | |
| CN113726573B (en) | Redundant network communication method, device, electronic equipment and storage medium | |
| CN106161090A (en) | The monitoring method of a kind of subregion group system and device | |
| CN105807734A (en) | Multi-robot system control method and multi-robot system | |
| CN114428451A (en) | Method for switching external communication permission of redundant communication module | |
| CN105812161B (en) | A kind of controller failure backup method and system | |
| CN109547873A (en) | A kind of processing method and processing device of the realization two-node cluster hot backup based on one-way optical gate | |
| CN108710545A (en) | A kind of remote monitoring fault self-recovery system | |
| CN110971662A (en) | Two-node high-availability implementation method and device based on Ceph | |
| CN101621404B (en) | Method and system for layering processing of failure | |
| CN102244589B (en) | Method and opposite terminal apparatus for processing link fault in virtual switch unit system | |
| CN110532096B (en) | System and method for multi-node grouping parallel deployment | |
| RU2142159C1 (en) | Methods for checking processor condition in electronic commutation systems | |
| CN114338670B (en) | Edge cloud platform and network-connected traffic three-level cloud control platform with same | |
| US5461609A (en) | Packet data network switch having internal fault detection and correction | |
| EP2456163B1 (en) | Registering an internet protocol phone in a dual-link architecture | |
| CN109067707A (en) | A kind of electric power enterprise IMS communication means, device and IMS communication system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |