DD240456A1 - INFORMATION PROCESSING SYSTEM WITH HIGH LEVEL OF RELIABILITY AND SAFETY - Google Patents

Abstract

The invention relates to a circuit arrangement for process automation based on (m v n) computer modules. Based on the goal of achieving a further increase in the reliability of complex automation systems, the invention has the object of avoiding, with the aid of a circuit arrangement, a certain class of multiple errors in these automation systems, i. H. that this particular class is tolerated by multiple errors. According to the invention, the object is achieved by a direct coupling between the computers Rj of the participating (mv n) modules with an additional cyclically exchanged further coupling between the computers Rj of the modules with the participation of input and output units, each with at least two input-output channels. The invention can be applied to process control in power plants, chemical plants and to control safety-related dependencies in rail-bound traffic. Fig. 1

Description

Field of application of the invention.

The invention relates to a circuit arrangement for process automation on the basis of (m ν n) -Rerchnermodulen. Such a circuit arrangement can be used anywhere where high reliability and safety requirements exist, such as in the process control of power plants, facilities of chemistry and security-related dependencies in rail transport.

Characteristic of the known technical solutions

In complex automation systems, the tasks are generally distributed hierarchically to multiple computer systems that exchange data via communication systems for mutual communication. For high reliability and security demands, the computer systems are each implemented as (mνn) computer modules (m <n). Such a typical automation system is known from DD-PS 160757. This hierarchically constructed multiple computer system has the defect that when a particular class of multiple errors occurs without a participating (2 ν 3) module failure, the overall system fails.

Weistz. For example, the master computer system (2 ν 3) module mentioned in PS 160757 has a single error. (Computer LR1 has failed) and in addition the bidirectionally connected to the computer LR 2 Leitsammelineung, then a data transfer is only a way to (2 v3) module, the area calculator BR, in this case to the I / O Units 4.7.1.1.1 .; 4.7.1.2.1. and 4.7.1.3.1. possible, i. these I / O units each receive only one (rather than the at least two necessary) information so that the necessary comparison of information for correspondence can no longer be performed. Thus, the entire system (master computer system and area computer system) has failed because the area computer system BR is no longer able to work.

Solutions are also known in the art in which the (2 v3) modules have a module internal coupling MIK that makes it possible. Transfer information to the neighboring computers of the module. Is communication between such modules based on three links U ₁ ; U ₂ ; U _{3 is} established, it occurs when the assumed double error (eg computer R ₁ in module I and U ₂ failed) despite the MIKzu a failure of the entire system (module I and module II). This failure results because only the computer R ₃ (module II) receives the information from the module I in the assumed error case and can transfer this information to the neighboring computers (module II) via the MIK for further processing, but this for the processing of security-relevant Tasks may not be accepted, as no independence of information provision is guaranteed for the necessary comparison. To the same effects, as just shown, z. B. the failure combinations R ₁ (module I) and R ₂ (module II), R ₁ (module I) and R ₃ (module II) or R ₂ (module II) and U. ₁ In the illustrated failures, the effect of a twofold error occurs particularly drastically, because although the module II is functional and the module I in (2 ν 2j operation is still working, communication can not be made and the automation system would have to be in a defined safe state become.

The assumed error combinations affect both the reliability and the security level of such a realized automation system.

Object of the invention

The object of the invention is the elimination of the aforementioned technical disadvantages and thus a further increase in the reliability of complex automation systems, which are constructed on the basis of (m ν n) -serior modules (with m <n).

Explanation of the essence of the invention

The invention has for its object to provide a circuit arrangement with which a certain class of multiple errors in complex automation systems can be avoided, i. that this particular class is tolerated by multiple errors.

According to the invention, the object is achieved by the direct coupling between the computers R, the participating (m ν n) -Moduie with an additional cyclically reversed further coupling between the computers R ₁ - the modules with the participation of input and output units, each with at least two Solved one-output channels. The circuit arrangement according to the invention consists of at least two (m ν m) modules, wherein in each computer of a module an (m ν n) comparison, implemented in hardware or software, is performed and each computer is provided with two input / output units I / Oi and I / O ₂ has. Via the input / output unit EzTV ₁ , the module internal coupling MIK is implemented between the individual computers; This means that the exchange of information between the computers of a (m vn) module takes place in this way. The input / output unit I / O ₂ is used for outputting and receiving information and has two data channels A and B. A special realization form for this is an SIO block, as a rule, ie in the error-free state, in information about the Channel B and the associated transmission path Üb \ (i = 1, 2, 3 ... n) is output and received. The transmission channel Ü _B i is connected directly between the computers Rj of the (m ν n) modules. The Kansl A is not connected via the associated transmission link Ü _Ai (i = 1, 2, 3 ... n) as the channel B with the associated computer of the other (m ν n) module, but it is according to the invention with a circuit arrangement cyclic commutation applied.

Due to the selected transmission structure in conjunction with the controlled by the computer Rj channel switching from B to A, it is possible to meet the required task. *

embodiment

The invention will be explained in more detail with reference to an embodiment.

The drawing shows in Fig. 1, the principle of a computer-controlled multi-channel connection of (2 ν 3) modules. FIG. 2 shows the table of the class of double errors to be tolerated.

The comparison of the information is performed by a smart central comparator unit ZVGLE. It is assumed that in the comparison by means of the central comparator units ZVGLE before the data transmission in the (2 ν 3) module I it was determined that the computer R-, has failed. Thus, the (2 ν 3) module I continues to operate in (2 ν 2) mode and the data transmission over the transmission links UB ₂ and UB ₃ to the (2 ν 3) module Il is enabled. The comparison result is appended to each data transmission telegram in the form of a sum error word SFW, whereby the receivers R ₂ and R ₃ in the (2v3) module II are informed about the module status of the transmitter (in this case R ₁ failed). In addition to the failure of Ri, the interruption of the transmission link UB ₂ is now assumed as a further error, ie, the combination of these two errors is a component of the subset of dual errors to be tolerated. This twofold error is recognized by the automation system in two ways, which in their interaction achieve the fault tolerance and keep the automation system working.

I.Weg: The computer R ₂ of (2 v3) module I receives no acknowledgment signal from his computer R ₂ in (2 v3) module II. About this fact, the functioning computer R ₃ in (2 v3) module I informed about the module internal coupling MIK from the computer R ₂ and it takes place in this case, a channel switch in the computers R ₂ and R ₃ in (2 ν 3) module I, so that the computer R ₂ in (2 ν 3 ) Module I switches to the transmission path UA ₂ and the computer R ₃ in the (2 ν 3) module I to the transmission path UA ₃ , if there is additional information on the double error over the 2nd way. Thus, despite the assumed error situation, the (2 v3) module II transmits the information to be compared on two independent transmission links. .

2nd way: In the assumed error case, the computer R _{3 of} the (2 ν 3) module Il receives as the only computer the information with the sum error word SFW from the transmitter (module I), so that it is informed that the information to be compared to the signature is to be ignored by the computer Ri (Module II). The computer R ₃ (module II) passes on the way of the module internal coupling MIK the computer R ₂ (module II) formed on the basis of the content of the information in the central comparator unit ZVGLE signature for comparison in the central comparator unit ZVGLE of Computer R ₂ (Module II). The computer R ₃ (module II) expects the signature of the computer R ₂ (module II) for comparison in its central comparator unit ZVGLE. Since, because of the interruption of the transmission link UB _2, the R ₂ (module II) can not receive any information, the defined waiting time is exceeded. This exceeding leads to the formation of the sum error word SFW which is transferred from the computer R _{3 of} the module Il to the computer R _{3 of} the module I (acknowledgment information). This acknowledgment information results in module I; triggered by the computer R ₃ for channel switching as described in way 1. In the module Il takes place via the module internal coupling MIK, activated by the computer R ₃ , the switching of the computer R ₁ (module II) on the transmission path UA ₃ (channel A), as well as for R ₃ (module II) itself also one Switchover (UA ₂ channel A). In the computer R ₂ (module II), this switching is also carried out, via the transmission path UA ₁ no information transmission due to the failure and removal of the computer R ₁ (module I) from the security-related information processing takes place and also the computer R _{2 of} the module Il on the basis of the transmission of the sum error word SFW a disregard of the information on the channels A and B of the input-output unit I / O _{2 is} guaranteed.

The information transmission is carried out again via the switched transmission links LIA ₂ and LIA ₃ . Thus, the information to be compared of the module I (R ₂ and R ₃ ) at the inputs A of the computer R ₁ and R _{8 of} the module Il are independent of each other. Analogous to the illustrated error case, the procedure is as in the case of the class of double errors cited in FIG. '·'

Generalized in the modules, switching to the second transmission channel always takes place when only one transmission information including the sum error word SFW has arrived in the receiver module and when the transmission module only received acknowledgment information with the sum error word SFW from the receiver module. Each of the mentioned modules can be both transmitter and receiver.

Claims (2)

Invention claim: 1. Information processing system with a high level of reliability and security on the basis of (m ν n) -Rerchnermodulen (m <^, characterized in that each computer (R,) of the modules realized a (m ν n) -Vergieich and over two Eih Output units (I / O, and I / O ₂ ), wherein the input and output unit (EZA ₁ ) of a computer (Rj) for each module-Intemene coupling (MIK) is used and via input-output units (E / A ₂ ) such a connection of the computer (R ₁ ) of the one module to the computers (Rj) of another module is that each of the computers (R, to R _n ) of the one module directly via transmission links (UB ₁ to UB _n ) are connected to the computers (R ₁ to R _n ) of the other module and additionally from the computers (R ₁ to R _n ) of the interconnected modules switchable input-output channels (A / B) of the input-output unit (I / O ₂ ) a cyclically reversed connection is designed such that over a transmission link (ÜAi) of the computer (Rj ) of the one module is connected to the computer (Ri + {1 of the other module and that ultimately via a transmission path (UA _n ) of the computer (R _n ) of the one module to the computer (R ₁ ) of the same other module is connected, where i = 1 to η - 1, and wherein in the case of the additional failure of a transmission path or one of the computers (Rj with j = 1 to η) of a first (m ν n) module to an already occurred failure of the computer (Rj) of a second (m ν n) module or a transmission path, a switching of the channels in the input-output unit (I / O ₂ ) on the channel A and thus tolerating the defined class of multiple errors takes place. 2. Information processing system according to item 1, characterized in that the information comparison with a smart central comparator unit, which has two input and output channels (EZA ₁ ) and (I / O ₂ ), is performed. For this 2 pages drawings.