EP2502119A1 - A control system of a reciprocating engine - Google Patents

A control system of a reciprocating engine

Info

Publication number
EP2502119A1
Authority
EP
European Patent Office
Prior art keywords
control
module
elements
control module
control system
Prior art date
Legal status
Withdrawn
Application number
EP10795736A
Other languages
German (de)
French (fr)
Inventor
Johan Pensar
Current Assignee
Wartsila Finland Oy
Original Assignee
Wartsila Finland Oy
Priority date
Filing date
Publication date

Classifications

    • F MECHANICAL ENGINEERING; LIGHTING; HEATING; WEAPONS; BLASTING
    • F02 COMBUSTION ENGINES; HOT-GAS OR COMBUSTION-PRODUCT ENGINE PLANTS
    • F02D CONTROLLING COMBUSTION ENGINES
    • F02D29/00 Controlling engines, such controlling being peculiar to the devices driven thereby, the devices being other than parts or accessories essential to engine operation, e.g. controlling of engines by signals external thereto
    • F02D29/02 Controlling engines, such controlling being peculiar to the devices driven thereby, the devices being other than parts or accessories essential to engine operation, e.g. controlling of engines by signals external thereto peculiar to engines driving vehicles; peculiar to engines driving variable pitch propellers
    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B19/00 Programme-control systems
    • G05B19/02 Programme-control systems electric
    • G05B19/04 Programme control other than numerical control, i.e. in sequence controllers or logic controllers
    • G05B19/042 Programme control other than numerical control, i.e. in sequence controllers or logic controllers using digital processors
    • G05B19/0423 Input/output
    • G05B19/0425 Safety, monitoring
    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B9/00 Safety arrangements
    • G05B9/02 Safety arrangements electric
    • G05B9/03 Safety arrangements electric with multiple-channel loop, i.e. redundant control systems
    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B2219/00 Program-control systems
    • G05B2219/20 Pc systems
    • G05B2219/24 Pc safety
    • G05B2219/24183 If error, spare unit takes over, message to master, confirm new configuration
    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B2219/00 Program-control systems
    • G05B2219/30 Nc systems
    • G05B2219/31 From computer integrated manufacturing till monitoring
    • G05B2219/31253 Redundant object manager

Definitions

  • Module based structure can make the planning of a redundant control easier, because the structure remains the same when there is a single or redundant control.
  • Engine control can be easily dimensioned according to the requirements for system control with distributed devices rather than with a large centralized device.
  • Redundancy can be implemented by distributing the control modules in a way that when a single I/O element fails, every control module it includes has a safety module in some other module. When I/O element fails, also the system level 40 has the support that this is noticed and the system 40 then activates a similar safety control module to handle the same control, which the failed module did.
  • the invention concerns the distribution of tasks of the CPU (reference numbers 11, 12 in figure 1) to the I/O elements, which are capable of independent operation.
  • the I/O elements have to be capable of running control modules. In the prior art I/O elements this is not possible.
  • I/O elements are all controlled by control logic module/s. At least one, preferably all, I/O elements include the control module and at least one I/O element includes the safety control module. Their changes are controlled by redundancy logic, which is included in each I/O element.
  • the underlying system level operation monitors which I/O elements are active and which control modules are active, and announces to the inactive safety control modules commands for starting to control when the I/O element which executes the active control modules stops working or fails.
  • the execution need not take place in one I/O element alone, but can be separated to several elements.
  • I/O element 70 is illustrated in figure 5.
  • I/O element 70 is arranged to transfer any physical reading to any I/O element, to control any physical output from any I/O element, and to follow states of other I/O elements.
  • the physical readings mean signals from the field devices via the field device interface 76.
  • the control of any physical output means control signals to the field devices via the field device interface.
  • At least one of the I/O elements of the system comprises at least one control module 74 for controlling the system and at least one of the I/O elements comprises at least one safety control module 75 specific for the certain control module for controlling the system in case of a malfunction of the control module.
  • the embodiment of figure 5 includes at least one bus interface 71.
  • I/O element is arranged to transfer information to and from other I/O element/s, the information including at least state changes of I/O element/s and control signal/s.
  • a follow module 72 is arranged to follow the states of the other I/O elements taking into account at least state change information as its input.
  • the internal state of the I/O element can be understood to include the states of the interface signals 76 of the field devices.
  • a redundancy module 73 is arranged to sense if there is a fault somewhere and, in response to sensing the fault, to transfer the tasks of the control module 74 to the safety control module.
  • Control module 74 is arranged to handle state (change) information of other I/O elements (from the bus), modify its internal state accordingly and output corresponding engine control command/s.
  • Safety control module 75 is arranged to execute at least the same control tasks as the corresponding control module in response to the control module fault signal from the redundancy module.
  • the I/O element according to Fig. 5 has interface/s to field devices 76, as do the prior art I/O elements.
  • redundancy module 73 can be arranged to direct the tasks of the control module partly or completely to the safety control module in response to too high a load on the control module.
  • FIG. 5 illustrates a way to implement the inventive I/O element 70.
  • the modules illustrated above are on the software platform 77 that takes care of transmission tasks.
  • the transmission tasks are sending and receiving data communication via the bus interface 71 and the field device interface 76.
  • the platform 77 also takes care of communication between the modules.
  • the tasks of the redundancy module 73 can be allocated to the platform 77.
  • the combination of the platform and the modules is convenient to manufacture.
  • Another solution is to use the modules alone, without any platform.
  • the software realization of the invention is not the only solution. It may also be possible to use special circuits, such as ASIC (Application Specific Integrated Circuit) circuits, for the realization.
  • control modules and safety control modules can be divided into essential functions and non-essential functions.
  • the essential functions comprise at least the necessary functions to continue running the engine.
  • Redundancy module 73 is arranged to prioritize the essential functions, when assigning task/s to safety module/s by task signal/s. It is preferable to implement the above mentioned modules with at least one programmable processor for each I/O element containing control module being arranged to compute a new internal state of the I/O element and possible module output/s in response to input from bus and its current internal state. It is preferable that there is a software platform for controlling I/O element. The platform can transform any reading of the field devices to any I/O-element, and control any output from any I/O element.
  • system according to the invention includes computer readable means arranged to perform the main control in several control modules situated redundantly in more than one I/O element.
  • Some ways to situate control modules redundantly in several I/O elements are presented in the examples of the figures. Any of the modules above can be computer readable.
  • the same functionality can, with some additional logic, also be used to dynamically share the load in the system, as a control module working under too high a load could voluntarily request the safety control module in another control element to take over some of the tasks. Thereby, the load of the system could dynamically be kept at an acceptable level.

Abstract

The present invention relates to a system for controlling a reciprocating engine, the system (40) comprising I/O elements (45 - 48) and a communication bus (43, 44) between the I/O elements. The purpose of the invention is to achieve more redundant and more fault tolerant engine control. The invention is based on a new architecture for the system control.

Description

A CONTROL SYSTEM OF A RECIPROCATING ENGINE
Field of invention
The present invention relates to a system that controls a reciprocating engine. In particular, the invention relates to a control system comprising I/O elements and a communication bus between the I/O elements.
Background and the prior art
In the prior art technologies electronics is commonly used in control systems. The use of electronics is common in small reciprocating engines. However, the use of electronics is not so simple in larger engines. In large reciprocating engines, electronic control is increasing in importance. With electronic control, the engine can perform better, produce fewer emissions, and consume less fuel. Thereby, the use of electronics in combination with large engines is increasing. Although electronics has been commonly used on smaller reciprocating engines, the adaptation to larger engines is not straightforward. The main difference comes from the fact that larger engines are often used in applications where reliability is very important and essential. Such applications may be e.g. in ship propulsion, where a malfunction of the engine may result in a "dead ship", i.e. a ship without control, a situation that in the worst case may be fatal. Therefore, the electronics and programmable systems used for large engines are usually designed in a robust way, to reach a high reliability. One way to reach such reliability is so-called redundancy, where necessary core functionality is placed in two identical units. Upon failure of one unit, the control is transferred to the other unit, and the control is not interrupted. Typically, this type of "hot standby" redundant system is utilized in e.g. process automation, where the process safety is based on e.g. programmable logic. This redundancy architecture requires a significant amount of synchronization information to keep the redundant unit up to date with the information from the first unit. Quite commonly, this is done utilizing some fast bus, e.g. over an optical medium, to transfer the synchronization information fast enough. Fig. 1 shows a prior art system wherein two identical units are utilized. The other is a safety unit 12 that is used when the primary unit 11 is in a malfunction state.
The safety unit must be continuously updated via line 6 in order to provide uninterrupted control of the reciprocating engine. Therefore, a great amount of synchronization information is needed. Such duplicated systems are expensive. Thus, only a CPU 11 and a bus 13 have commonly been duplicated 12, 14 to prevent a failure of one communication channel from impacting the control task. Field device interfaces, i.e. I/O elements 15-18, have no safety units in such control systems. The CPUs 11, 12 denote a central control element. Two CPUs are used to obtain redundancy. The I/O denotes input/output elements 15 - 18, which may measure or control similar process values (as the redundancy on e.g. the actuator side is highly dependent on the process).
Drawbacks of the prior art
A common weak point in the redundant setup described above is that the system design becomes rather expensive, as the redundancy means a doubling of e.g. processors and other control elements. Another weak point is that, in order to reduce costs, the input/output elements often are not doubled, and the remaining functionality will therefore in these cases not be fully redundant. A typical design can therefore be described as shown in Fig. 1. One reason to keep this control architecture is the fact that creating the control logic for this type of system is easy, as the logic can assume that the main control element, the CPU, is always available.
Short description of invention
The purpose of the invention is to achieve more redundant and more fault tolerant engine control. The invention is based on a new architecture of a control system for controlling a reciprocating engine. A control system comprises I/O elements 25 - 28, 35 - 38, 45 - 48 and a communication bus 23, 24, 33, 34, 43, 44 between the I/O elements. Each I/O element is arranged to transfer any physical reading to any I/O element, to control any physical output from any I/O element, and to follow states of the other I/O elements. At least one of the I/O elements comprises at least one control module 29, 39, 49 for controlling the system and at least one of the I/O elements comprises at least one safety control module 210, 310 specific for the certain control module for controlling the system in case of a malfunction of the control module.
Considerable advantages can be gained with the invention. More redundant and fault tolerant engine control can be achieved. Engine control can be easily dimensioned according to the requirements for system control with distributed devices rather than with a large centralized device. The invention discloses a distributed architecture where main control is preferably divided into several modules. The modules can be situated in I/O elements as desired. The modules are preferably software.
List of figures
The invention is presented with reference to the following figures:
Figure 1 shows a visualisation of the structure of a prior art solution,
Figures 2 - 4 show different embodiments of a system according to the present invention, and
Figure 5 shows a structure of an I/O module according to the present invention.
Detailed description of figures
Figure 2 presents a system 20, which includes I/O elements 25, 26, 27, 28 ... n, wherein n is a positive integer. The system 20 further includes buses 23 and 24. The first bus 23 is for normal use. The other bus 24 is a safety bus that is used if a malfunction occurs in the first bus. The I/O element 25 includes a control module 29 that handles tasks of the main control. The I/O elements 25, 26 ... 28 have the means for handling physical output signals based on the control signals from the control module. Therefore they also have the means for receiving the control signals through the bus. The I/O elements 25, 26, 27, 28 ... n also have means for transferring the physical inputs to the form understandable by the control module 29, and means for transferring them through the bus. In order that the system is redundant, another I/O element, for example element 26, contains a safety control module 210. If the control module 29 fails to run, the task of main control can be transferred to the safety control module 210.
Input/output elements 25, 26, 27, 28 ... n are capable of independent operation. They can also be controlled by a control module 29 or the safety control module 210. A dynamic redundancy is achieved by allowing any of the input/output elements 26, 27 ... 28 + n to fail, while keeping the essential control functionality still working. In the example of Fig. 2 a single control module 29 takes care of the tasks of the main control. If the I/O element 25 fails to run or has a serious malfunction, the tasks of the main control can be transferred to the safety control module 210.
Since the input/output elements 25, 26, 27, 28 ... n are all capable of independent operation, any of the input/output elements can contain the control module. In the system of figure 2 and the other systems of the invention presented here, the main control is located in at least one I/O element instead of a large centralized device. If the input/output element 25 executing the main control were to fail, the total control would not stop, since the other I/O element 26 containing the safety control module can continue the functions of the main control.
Figure 3 presents a system 30, which includes I/O elements 35, 36, 37, 38 ... n, wherein n is a positive integer. The system 30 further includes buses 33 and 34. The I/O element 36 contains the control module here. The control module includes the main control as one control module 39. The I/O elements 35, 36 ... 38 + n have the means for handling physical output signals based on the control signals from the control module 39. They also have the means for receiving the control signals through the bus. The I/O elements 35, 36, 37, 38 ... n also have means for transferring the physical inputs to the form understandable by the control module 39, and means for transferring them through the bus.
The underlying platform (preferably software) of the I/O element is capable of transferring any physical reading to any input/output element over the bus, and any physical output can be controlled from any input/output element 35 - 38. Therefore, the main control can equally well be executed in a different input/output element compared to the system of figure 2, e.g. in element 36. More generally, the main control is executed in the I/O element wherein the control module is located. It can be said that the main control can be made independent of the place of execution in the sense that it can be executed in any of the input/output elements 35, 36 ... 38 + n wherein the control module exists. The same applies for the safety control module 310 that is located in the I/O module 38 of the embodiment of Fig. 3.
Figure 4 presents a system 40, which includes I/O elements 45, 46, 47, 48 ... n, wherein n is a positive integer. The system 40 further includes buses 43 and 44. The I/O elements 45 and 47 contain control modules here, so the main control of the system 40 is divided into three control modules 49, 410, 411. The unit 45 includes the control module 49 and the unit 47 includes the control modules 410 and 411. The I/O elements 45, 46 ... 48 have the means for implementing physical output signals based on the control signals from control modules. They also have the means for receiving the control signals through the bus. The I/O elements 45, 46, 47, 48 also have means for transferring the physical inputs to the form understandable by the control modules, and means for transferring them through the bus.
According to the system 40 of figure 4, the execution of the main control is not implemented in one control module alone, but is separated to different I/O elements 45, 47 containing control modules in order to optimize the performance of the system. Thus, part of the main control is executed by the control module 49 in the I/O element 45, and two more parts are executed by the control modules 410, 411 in the I/O element 47. The I/O element 46 contains safety control modules 412, 413, 414. The safety control modules can also be situated in several I/O elements; for example, module 414 can alternatively be situated in I/O element 48.
The number of control modules in figure 4 can be smaller or larger than 3, but 3 is suitable here for illustrative purposes. Also the division of control modules into I/O elements can be different from that presented here.
In the system of figure 4, each I/O element 45, 46, 48 is aware of the state (working/failed) of all other I/O elements 45, 46, 48 via bus communication. There is a redundancy function in each I/O element 45, 46, ..., 48 that, based on the state of the other elements, has means for deciding whether the control module shall be considered active or inactive. In case the I/O element or the control module fails, the inactive safety control module shall be activated. Each I/O element also has means for noticing the activation of the safety control module according to the decision.
The system of figure 4 creates redundancy independently of location, by offering means for causing I/O elements 45, 46, 48 to notice a failure of any other I/O element 45, 46, 48 and means for activating the inactive safety control module to handle the necessary control. E.g. for a case where the hardware or software of I/O element 47 is failing, the system includes means for activating the safety control module in the I/O element 46, thereby offering means for providing essentially uninterrupted service, even at a total failure of the I/O element 47. In the embodiments of the invention the design of the control logic module is made in such a way that all necessary state information is transferred over the communication bus to the safety control module. The internal states of the control modules are kept similar to those of the safety control modules.
The inventive architecture allows a separation of the main control into separately executable blocks, preferably software modules. The underlying (software) platform is capable of transferring any physical reading to any input/output element over the bus, and any physical output can be controlled from any input/output element.
A failure of any I/O element will cause the other elements to notice the failure, and the redundancy function will (automatically) activate the safety control to handle the necessary control.
Nor does the main control need to be executed in one control module alone; it can be separated into different control modules. A module-based structure can make the planning of a redundant control easier, because the structure remains the same whether there is a single or a redundant control. Engine control can be easily dimensioned according to the requirements for system control with distributed devices rather than with a large centralized device.
Redundancy can be implemented by distributing the control modules in such a way that when a single I/O element fails, every control module it includes has a safety module in some other module. When an I/O element fails, the system level 40 also has support for noticing this, and the system 40 then activates a similar safety control module to handle the same control that the failed module did.
The invention concerns the distribution of tasks of the CPU (reference numbers 11, 12 in figure 1) to the I/O elements, which are capable of independent operation. The I/O elements have to be capable of running control modules. In the prior art I/O elements this is not possible.
I/O elements are all controlled by control logic module/s. At least one, preferably all, I/O elements include the control module and at least one I/O element includes the safety control module. Their changes are controlled by redundancy logic, which is included in each I/O element.
The underlying system level operation monitors which I/O elements are active and which control modules are active, and announces to the inactive safety control modules commands for starting to control when the I/O element that executes the active control modules stops working or fails. Nor does the execution need to take place in one I/O element alone; it can be separated over several elements.
An example of the embodiment of the I/O element 70 is illustrated in figure 5. I/O element 70 is arranged to transfer any physical reading to any I/O element, to control any physical output from any I/O element, and to follow states of other I/O elements. The physical readings mean signals from the field devices via the field device interface 76. The control of any physical output means control signals to the field devices via the field device interface. At least one of the I/O elements of the system comprises at least one control module 74 for controlling the system and at least one of the I/O elements comprises at least one safety control module 75 specific for the certain control module for controlling the system in case of a malfunction of the control module. The embodiment of figure 5 includes at least one bus interface 71. The I/O element is arranged to transfer information to and from other I/O element/s, the information including at least state changes of I/O element/s and control signal/s. A follow module 72 is arranged to follow the states of the other I/O elements, taking into account at least state change information as its input. In this text, the internal state of the I/O element can be understood to include the states of the interface signals 76 of the field devices. A redundancy module 73 is arranged to sense if there is a fault somewhere and, in response to sensing the fault, to transfer the tasks of the control module 74 to the safety control module.
Control module 74 is arranged to handle state (change) information of other I/O elements (from the bus), modify its internal state accordingly and output corresponding engine control command/s. Safety control module 75 is arranged to execute at least the same control tasks as the corresponding control module in response to the control module fault signal from the redundancy module.
The I/O element according to Fig. 5 has interface/s to field devices 76, as do the prior art I/O elements.
Optionally, the redundancy module 73 can be arranged to direct the tasks of the control module partly or completely to the safety control module in response to too high a load of the control module.
Figure 5 illustrates a way to implement the inventive I/O element 70. It can be useful that the modules illustrated above are on the software platform 77 that takes care of transmission tasks. The transmission tasks are sending and receiving data communication via the bus interface 71 and the field device interface 76. The platform 77 also takes care of communication between the modules. There are also other ways to implement the invention; for example, the tasks of the redundancy module 73 can be allocated to the platform 77. The combination of the platform and the modules is convenient to manufacture. Another solution can be the use of the modules only, without any platform. The software realization of the invention is not the only solution. It may also be possible to use special circuits, such as ASIC (Application Specific Integrated Circuit) circuits, for the realization.
Functions of control modules and safety control modules can be divided into essential functions and non-essential functions. The essential functions comprise at least the functions necessary to continue running the engine. The redundancy module 73 is arranged to prioritize the essential functions when assigning task/s to safety module/s by task signal/s. It is preferable to implement the above-mentioned modules with at least one programmable processor for each I/O element containing a control module, the processor being arranged to compute a new internal state of the I/O element and possible module output/s in response to input from the bus and its current internal state. It is preferable that there is a software platform for controlling the I/O element. The platform can transfer any reading of the field devices to any I/O element, and control any output from any I/O element.
It is preferable that the system according to the invention includes computer readable means arranged to perform the main control in several control modules situated redundantly in more than one I/O element. Some ways to situate control modules redundantly in several I/O elements are presented in the examples of the figures. Any of the modules above can be computer readable.
There is some predefined logic in the system which tells which safety control module/s are allocated to which control element/s in the case of total failure of a certain control element or control module.
The same functionality can, with some additional logic, also be used to dynamically share the load in the system, since a control module working under too high a load could voluntarily request the safety control module in another control element to take over some of the tasks. Thereby, the load of the system could dynamically be kept at an acceptable level.
Having described certain embodiments of the invention, it will now become apparent to one of skill in the art that other embodiments incorporating the concepts of the invention may be used. Therefore, the invention should not be limited to certain embodiments, but rather should be limited only by the scope of the following claims.
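The failover behaviour described above for figure 4 (following element states, a predefined allocation of safety control modules, mirroring of state over the bus, and priority for essential functions) is shown here as an added Python example that is not part of the patent text. The pairing of control modules 49, 410, 411 with safety control modules 412, 413, 414, the choice of 411 as non-essential, and the per-element takeover capacity are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Module:
    name: str
    host: str                 # I/O element the module is located in
    essential: bool = True    # essential = needed to keep the engine running
    active: bool = False
    state: dict = field(default_factory=dict)

class RedundancyLogic:
    """Follow function plus redundancy function, as seen by every I/O element."""

    def __init__(self, elements, controls, safeties, allocation, capacity):
        self.working = {e: True for e in elements}   # followed element states
        self.controls = {m.name: m for m in controls}
        self.safeties = {m.name: m for m in safeties}
        self.allocation = allocation                 # control -> safety (predefined)
        self.capacity = capacity                     # assumed takeover budget per element
        for c, s in allocation.items():
            # A safety module in the same I/O element gives no redundancy at all.
            if self.controls[c].host == self.safeties[s].host:
                raise ValueError(f"{s} shares an I/O element with {c}")
        for m in self.controls.values():
            m.active = True

    def publish_state(self, control, key, value):
        """Control module updates its state; the bus mirrors it to its safety module."""
        self.controls[control].state[key] = value
        s = self.safeties[self.allocation[control]]
        if self.working[s.host]:
            s.state[key] = value

    def element_failed(self, element):
        """Bus reports a failed I/O element; return the safety modules activated."""
        self.working[element] = False
        for s in self.safeties.values():
            if s.host == element:
                s.active = False
        lost = [c for c in self.controls.values() if c.host == element and c.active]
        lost.sort(key=lambda c: not c.essential)     # essential functions first
        activated = []
        for c in lost:
            c.active = False
            s = self.safeties[self.allocation[c.name]]
            running = sum(x.active for x in self.safeties.values() if x.host == s.host)
            if self.working[s.host] and running < self.capacity[s.host]:
                s.active = True
                activated.append(s.name)
        return activated

def figure4_system():
    """Module layout of figure 4; pairing, essential flags and capacity are assumed."""
    controls = [Module("49", "45"), Module("411", "47", essential=False),
                Module("410", "47")]
    safeties = [Module("412", "46"), Module("413", "46"),
                Module("414", "46", essential=False)]
    allocation = {"49": "412", "410": "413", "411": "414"}
    return RedundancyLogic(["45", "46", "47", "48"], controls, safeties,
                           allocation, capacity={"46": 1})
```

With the assumed capacity of one takeover in element 46, a failure of element 47 activates only safety control module 413, which already holds the state mirrored from control module 410.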

Claims

1. A control system for controlling a reciprocating engine, the system comprising I/O elements (25 -28, 35 -38, 45 -48, 70) and a communication bus (33, 34, 23, 24, 43, 44) in connection to the I/O elements, characterized in that each I/O element (25 -28, 35 -38, 45 -48, 70) is arranged to transfer any physical reading to any I/O element to control any physical output from any I/O element, and to follow states of other I/O elements, at least one of the I/O elements (25 -28, 35 -38, 45 -48, 70) comprising at least one control module (74) for controlling the system and at least one of the I/O elements comprising at least one safety control module (75) specific for the certain control module (74) for controlling the system in case of a malfunction of the control module (75).
2. A control system according to Claim 1, characterized in that the safety module (75) is arranged to execute the same control tasks as the corresponding control module (74) in response to the control module fault signal from the redundancy (73) module.
3. A control system according to Claim 2, characterized in that the control module/s (74) is arranged to receive state information of the other I/O elements, modify its internal state accordingly, and transmitting corresponding engine control command/s.
4. A control system according to one of Claims 1 -3, characterized in that the I/O element/s (25 -28, 35 -38, 45 -48, 70) comprise a follow module (72) being arranged to follow states of the other I/O element/s taking into account at least state change information as its input.
5. A control system according to one of Claims 1 -4, characterized in that the I/O element/s comprise a redundancy module (73) being arranged to monitor if there is fault somewhere and in response to a fault transferring tasks of the control module/s to the safety module/s.
6. A control system according to Claim 5, characterized in that the redundancy module (73) is arranged to transmit a control module fault signal to the safety module (75) in response to too high load of the control module (74).
7. A control system according to one of Claims 1 -6, characterized in that it comprises a platform means (77) on which the modules are situated, the platform handling communication between the modules and transmission tasks for sending and receiving data communication via the bus and a field device interface (76) of the I/O element.
8. A control system according to one of Claims 1 -7, characterized in that computer readable means are arranged to perform the main control in several control modules (74) situated redundantly in more than one I/O element (25 -28, 35 -38, 45 -48, 70).
9. A control system according to one of Claims 1 -8, characterized in that a bus interface (71) of each I/O element (70) is arranged to transfer information to and from other I/O element/s, the information including at least state changes of the I/O element/s and control signal/s.
10. A control system according to one of Claims 1 -9, characterized in that at least one programmable processor for each I/O element (70) containing control module (74) is arranged to compute a new internal state of the I/O element (70) and possible module output/s in response to input from the bus and its current internal state.
EP10795736A 2009-11-20 2010-11-16 A control system of a reciprocating engine Withdrawn EP2502119A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FI20096212A FI121718B (en) 2009-11-20 2009-11-20 Control system for controlling a piston engine
PCT/FI2010/050922 WO2011061394A1 (en) 2009-11-20 2010-11-16 A control system of a reciprocating engine

Publications (1)

Publication Number Publication Date
EP2502119A1 true EP2502119A1 (en) 2012-09-26

Family

ID=41395259

Family Applications (1)

Application Number Title Priority Date Filing Date
EP10795736A Withdrawn EP2502119A1 (en) 2009-11-20 2010-11-16 A control system of a reciprocating engine

Country Status (3)

Country Link
EP (1) EP2502119A1 (en)
FI (1) FI121718B (en)
WO (1) WO2011061394A1 (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE19915253A1 (en) * 1999-04-03 2000-10-05 Bosch Gmbh Robert Operator for car divided control system in motor vehicle, has several electronic units mutually exchanging data via communications system

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE19520744C2 (en) * 1995-06-07 1999-09-30 Siemens Ag Infrastructure for a system of distributed object manager components
US8588970B2 (en) * 2006-10-13 2013-11-19 Honeywell International Inc. Robotic system with distributed integrated modular avionics across system segments
US20090076628A1 (en) * 2007-09-18 2009-03-19 David Mark Smith Methods and apparatus to upgrade and provide control redundancy in process plants
DE102008026574A1 (en) * 2008-05-30 2009-12-10 Siemens Aktiengesellschaft Control system, control computer and method for operating a control system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See also references of WO2011061394A1 *

Also Published As

Publication number Publication date
FI121718B (en) 2011-03-15
FI20096212A0 (en) 2009-11-20
WO2011061394A1 (en) 2011-05-26

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20120516

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

DAX Request for extension of the european patent (deleted)
17Q First examination report despatched

Effective date: 20130711

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20131122