EP3170082A1 - Partial redundancy for i/o modules or channels in distributed control systems - Google Patents

Partial redundancy for i/o modules or channels in distributed control systems

Info

Publication number
EP3170082A1
Authority
EP
European Patent Office
Prior art keywords
channels
module
modules
critical
communication paths
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP14897648.3A
Other languages
German (de)
French (fr)
Other versions
EP3170082A4 (en
Inventor
Dinesh Kumar Kn
Paul Gerhart
Sai Krishnan JAGNNATHAN
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Honeywell International Inc
Original Assignee
Honeywell International Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Honeywell International Inc

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/16 Error detection or correction of the data by redundancy in hardware
    • G06F11/20 Error detection or correction of the data by redundancy in hardware using active fault-masking, e.g. by switching out faulty elements or by switching in spare elements
    • G06F11/2002 Error detection or correction of the data by redundancy in hardware using active fault-masking, e.g. by switching out faulty elements or by switching in spare elements where interconnections or communication control functionality are redundant
    • G06F11/2005 Error detection or correction of the data by redundancy in hardware using active fault-masking, e.g. by switching out faulty elements or by switching in spare elements where interconnections or communication control functionality are redundant using redundant communication controllers
    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B19/00 Programme-control systems
    • G05B19/02 Programme-control systems electric
    • G05B19/04 Programme control other than numerical control, i.e. in sequence controllers or logic controllers
    • G05B19/042 Programme control other than numerical control, i.e. in sequence controllers or logic controllers using digital processors
    • G05B19/0423 Input/output
    • G05B19/0425 Safety, monitoring
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/16 Error detection or correction of the data by redundancy in hardware
    • G06F11/20 Error detection or correction of the data by redundancy in hardware using active fault-masking, e.g. by switching out faulty elements or by switching in spare elements
    • G06F11/2017 Error detection or correction of the data by redundancy in hardware using active fault-masking, e.g. by switching out faulty elements or by switching in spare elements where memory access, memory control or I/O control functionality is redundant
    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B2219/00 Program-control systems
    • G05B2219/10 Plc systems
    • G05B2219/14 Plc safety
    • G05B2219/14016 Triple plc's, processors and dual I-O, triple modular redundant
    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B2219/00 Program-control systems
    • G05B2219/10 Plc systems
    • G05B2219/14 Plc safety
    • G05B2219/14126 Redundant I-O points, two sensors, actuators for same point
    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B2219/00 Program-control systems
    • G05B2219/30 Nc systems
    • G05B2219/37 Measurements
    • G05B2219/37325 Multisensor integration, fusion, redundant
    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B2219/00 Program-control systems
    • G05B2219/30 Nc systems
    • G05B2219/42 Servomotor, servo controller kind till VSS
    • G05B2219/42318 Using two, more, redundant measurements or scales to detect bad function
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/0703 Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation
    • G06F11/0706 Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation the processing taking place on a specific hardware platform or in a specific software environment
    • G06F11/0745 Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation the processing taking place on a specific hardware platform or in a specific software environment in an input/output transactions management context
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/0703 Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation
    • G06F11/0751 Error or fault detection not based on redundancy

Definitions

  • This disclosure is directed generally to control systems. More specifically, this disclosure is directed to partial redundancy for input/output (I/O) modules or channels in distributed control systems.
  • I/O input/output
  • a controller is often configured as a vertical rack housed in a central location, such as a control room.
  • a rack may include a central processing unit (CPU), memory devices, power supplies, and interface circuitry for communicating with process sensors, process actuators, or switches.
  • the interface circuitry typically includes multiple I/O modules arranged in a parallel configuration, and the I/O modules may be connected to the CPU via a parallel bus connector.
  • the sensors send data to the CPU via the I/O modules.
  • the CPU issues commands that are transmitted to the actuators or switches via the I/O modules.
  • Controllers are typically provided with redundant I/O modules to protect against I/O module failures.
  • 1:1 redundancy is often provided to ensure high availability.
  • each I/O module is supported by an additional I/O module, which functions as a redundant module.
  • this increases the size and cost of the system.
  • This disclosure provides partial redundancy for I/O modules or channels in distributed control systems.
  • In a first embodiment, an apparatus includes at least one first input/output (I/O) module having multiple first I/O channels. Each first I/O channel is configured to provide a communication path. The apparatus also includes a second I/O module having multiple second I/O channels. Each second I/O channel is configured to provide a redundant communication path for one of the first I/O channels. The apparatus is configured to provide the redundant communication paths for only a subset of the first I/O channels.
  • In a second embodiment, a system includes at least one processing device configured to communicate over multiple communication paths.
  • the system also includes at least one first input/output (I/O) module having multiple first I/O channels. Each first I/O channel is configured to provide one of the communication paths.
  • the system further includes a second I/O module having multiple second I/O channels. Each second I/O channel is configured to provide a redundant communication path for one of the first I/O channels.
  • the system includes a fault detection circuit configured to detect a fault condition with the at least one first I/O module and/or the first I/O channels. The system is configured to provide the redundant communication paths for only a subset of the first I/O channels.
  • In a third embodiment, a method includes obtaining at least one first input/output (I/O) module having multiple first I/O channels. Each first I/O channel is configured to provide a communication path. The method also includes creating redundant communication paths using a second I/O module having multiple second I/O channels. Each second I/O channel is configured to provide one of the redundant communication paths for one of the first I/O channels. Redundant communication paths are provided for only a subset of the first I/O channels.
  • FIGURES 1 and 2 illustrate example process control systems supporting partial redundancy of I/O modules or channels according to this disclosure.
  • FIGURE 3 illustrates an example method for providing partial redundancy of I/O modules or channels according to this disclosure.
  • FIGURES 1 through 3 discussed below, and the various embodiments used to describe the principles of the present invention in this patent document are by way of illustration only and should not be construed in any way to limit the scope of the invention. Those skilled in the art will understand that the principles of the invention may be implemented in any type of suitably arranged device or system.
  • a distributed control system provides partial redundancy for input/output (I/O) modules or channels that are connected to process sensors, process actuators, switches, or other components. More specifically, the I/O modules or channels dedicated to critical processes (referred to as “critical I/O modules” and “critical I/O channels”) are identified. The critical I/O modules or channels are provided with a redundancy (such as 1:1 redundancy) to protect against I/O failures and to ensure high availability. The I/O modules or channels dedicated to non-critical processes (referred to as “non-critical I/O modules” and “non-critical I/O channels”) are not provided with a redundancy. Thus, the critical I/O modules or channels are supported by redundant I/O modules or channels while the non-critical I/O modules or channels are not, helping to reduce the size and cost of the digital control system.
  • a system 100 generally represents a distributed control system that includes critical I/O modules 104 and non-critical I/O modules 108 connected to a central processing unit (CPU) 112 via at least one parallel bus (or serial) connection 124.
  • the critical I/O modules 104 and non-critical I/O modules 108 are also connected to one or more external components, such as process sensors 116 and actuators 120, via at least one parallel bus (or serial) connection 128.
  • a fault detection circuit 140 is connected to the I/O modules via a connection 134 and to the CPU 112 via a connection 136. In other embodiments, a fault detection circuit may be incorporated into the I/O modules.
  • Each I/O module 104, 108 includes any suitable structure configured to receive signals from a source and to provide signals to a destination (possibly after converting the signals to a different form).
  • the CPU 112 includes any suitable processing device(s), such as one or more microprocessors, microcontrollers, digital signal processors, field programmable gate arrays, application specific integrated circuits, or other processing device(s), arranged in any suitable configuration. In some embodiments, the CPU 112 executes control logic in order to process measurements from one or more sensors and to generate control signals for one or more actuators.
  • Each sensor 116 includes any suitable structure for sensing one or more conditions.
  • Each actuator 120 includes any suitable structure for performing one or more actions to modify an operation of a system being controlled.
  • the fault detection circuit 140 includes any suitable structure for identifying a fault with at least one I/O module.
  • the sensors 116 send data to the CPU 112 via the I/O modules 104, 108.
  • the CPU 112 issues commands that are transmitted to the actuators 120 via the I/O modules 104, 108. If any of the I/O modules 104, 108 fail, this can prevent sensor measurements from being received by the CPU 112 from the sensors 116 and/or control signals from being received by the actuators 120 from the CPU 112. This could potentially interrupt control of an underlying industrial process.
  • redundant I/O modules 132 are provided for critical I/O modules 104.
  • the redundant I/O modules 132 can be coupled to the communication bus connections 124, 128 in parallel with the critical I/O modules 104.
  • the redundant I/O modules 132 could provide 1:n redundancy for the critical I/O modules 104, where each critical I/O module 104 has n redundant I/O modules 132 (n≥1).
  • each critical I/O module 104 is supported with at least one redundant I/O module 132 for protection against I/O failures.
  • the non-critical I/O modules 108 are provided with no redundancy. By providing only a subset of the I/O modules with redundancy, the overall size and cost of the system 100 can be reduced, and/or the number of I/O modules in the system 100 can be increased.
  • a fault condition may occur due to the failure of one or more I/O modules 104, 108, thereby disrupting a process control operation.
  • the fault condition may be detected by the fault detection circuit 140, which can send a message identifying the fault to the CPU 112 over the connection 136.
  • each failed I/O module 104, 108 can be isolated by disconnecting the failed I/O module from its associated sensor or actuator. If the failed I/O module is a critical module 104, the CPU 112 can also send a redundancy command to cause a redundant I/O module 132 to take over the I/O functionality of the failed critical I/O module 104. In this way, the failure of a critical I/O module 104 can be quickly remedied, reducing or minimizing disruptions to the process control operation.
  • Although FIGURE 1 has been described as supporting the use of redundant I/O modules, other approaches could also be used.
  • redundant I/O channels could be provided for critical I/O channels.
  • An example of this is shown in FIGURE 2, where primary I/O modules 204 and 208 can be connected to the CPU 112 and to the sensors 116 and actuators 120.
  • the primary I/O modules represent the primary paths through which data is transferred between external components.
  • One or more secondary I/O modules 212 are also present and can provide redundant I/O channels for a subset of the channels provided by the primary I/O modules.
  • each of the I/O modules 204-212 here supports 32 I/O channels (although any number of I/O channels could be supported by each module).
  • Each primary I/O module 204, 208 provides both critical I/O channels and non-critical I/O channels.
  • the first sixteen channels of each primary I/O module 204, 208 may be dedicated to critical process controls.
  • the second sixteen channels of each primary I/O module 204, 208 may be dedicated to non-critical process controls.
  • the secondary I/O module 212 therefore provides redundant I/O channels for the sixteen critical channels in each primary I/O module 204, 208.
  • the primary I/O module 204 connects the first sixteen channels of a bus connection 220 to a bus connection 224 having sixteen channels.
  • the primary I/O module 204 also connects the second sixteen channels of the bus connection 220 to a bus connection 228 having sixteen channels.
  • the primary I/O module 208 connects the first sixteen channels of a bus connection 232 to a bus connection 236 having sixteen channels.
  • the primary I/O module 208 also connects the second sixteen channels of the bus connection 232 to a bus connection 240 having sixteen channels.
  • Each bus connection 220, 232 receives a portion of the channels from the bus connection 124.
  • each bus connection 224, 228, 236, 240 receives a portion of the channels from the bus connection 128.
  • the secondary I/O module 212 here is utilized to provide partial redundancy to the primary modules 204, 208.
  • the secondary I/O module 212 connects the first sixteen channels of the bus connection 220 to a bus connection 244, thereby bypassing the primary I/O module 204.
  • the secondary I/O module 212 connects the first sixteen channels of the bus connection 232 to a bus connection 248, thereby bypassing the primary I/O module 208.
  • the secondary I/O module 212 provides partial redundancy to the critical I/O channels of the primary I/O modules 204, 208 by providing failure protection to only those channels dedicated to critical process controls.
  • the system may provide 1:n redundancy for the critical I/O channels, where each critical I/O channel has n redundant I/O channels (n>1).
  • a fault condition such as one or more channels of a primary I/O module fail
  • the fault detection circuit 140 can detect the fault condition and identify the malfunctioning channel(s).
  • the failed channels may be disconnected from sensors or actuators. If one or more failed channels are dedicated to critical processes, the CPU 112 may instruct the secondary I/O module 212 to take over the I/O functions of the failed channel(s).
  • the secondary I/O module is connected to channels in multiple primary I/O modules.
  • the secondary I/O module can provide redundancy to any number of channels in any number of primary I/O modules.
  • a redundant I/O module could also provide redundancy for an entire critical I/O module. That could be achieved in FIGURE 2, for instance, by coupling the bus connection 248 to the channels of the bus connection 228.
  • the secondary I/O module 212 would act as a redundant module for the primary I/O module 204. In either case, redundant I/O channels are provided for critical I/O channels, and the connections to and from a secondary I/O module control whether the secondary I/O module provides redundancy for channels in one or multiple primary I/O modules.
  • FIGURES 1 and 2 illustrate examples of process control systems supporting partial redundancy of I/O modules or channels
  • any suitable 1:n redundancy could be used for each I/O module or channel.
  • a process control system could have any suitable percentage of critical I/O modules or channels and is not limited to a design where 50% of the I/O modules or channels are critical (as is shown in FIGURE 2).
  • FIGURES 1 and 2 could each include any suitable number of critical I/O modules or channels, non-critical I/O modules or channels, and redundant I/O modules or channels.
  • cost reductions are achieved using partial redundancy of I/O modules or channels.
  • a system that includes I/O modules having a total of 64 channels. If partial redundancy is provided to 50% of the channels, a 25% cost reduction can be achieved (compared to a system where all I/O channels have a redundant channel).
  • implementing a 50% partial redundancy in a system having 64 channels results in a 25% cost reduction. It will be appreciated that a greater cost reduction may be achieved by reducing the number of modules or channels with a redundant backup and/or by increasing the number of I/O modules or channels in the system.
  • FIGURE 3 illustrates an example method 300 for providing partial redundancy of I/O modules or channels according to this disclosure.
  • the method 300 can be performed, for example, in the system 100 of FIGURE 1 using redundancy of I/O modules as shown in FIGURE 1 or using redundancy of I/O channels as shown in FIGURE 2.
  • Primary I/O modules or channels are connected to at least one processing device at step 304. This could include, for example, coupling the CPU 112 to various I/O modules 104, 108, 204, 208.
  • One or more of the primary I/O modules or channels are critical I/O modules or channels that are dedicated to one or more critical processes.
  • the primary I/O modules or channels are connected to other devices at step 308. This could include, for example, coupling one or more process sensors 116 and one or more actuators 120 to various I/O modules 104, 108, 204, 208.
  • One or more redundant I/O modules or channels are connected across one or more critical primary I/O modules or channels at step 312.
  • this could include coupling a redundant I/O module to the inputs and outputs of an I/O module handling critical traffic, where the I/O channels of the redundant I/O module are connected across the channels of a single primary I/O module.
  • this could include coupling a redundant I/O channel to the inputs and outputs of an I/O channel handling critical traffic, where the I/O channels of the redundant I/O module are connected across the channels of multiple primary I/O modules.
  • a fault condition is detected at step 316.
  • a fault condition may be caused by the failure of an entire I/O module or by a partial failure affecting only a subset of the channels in an I/O module.
  • the failed I/O modules or channels are disconnected at step 320. This could include, for example, using switches or other mechanisms to interrupt the communication paths from the failed I/O modules or channels to the CPU 112 and the sensors/actuators.
  • redundant I/O modules or channels are used in place of the failed I/O modules or channels at step 324.
  • FIGURE 3 illustrates one example of a method 300 for providing partial redundancy of I/O modules or channels
  • various changes may be made to FIGURE 3.
  • steps in FIGURE 3 could overlap, occur in parallel, occur in a different order, or occur multiple times.
  • various functions described above are implemented or supported by a computer program that is formed from computer readable program code and that is embodied in a computer readable medium.
  • computer readable program code includes any type of computer code, including source code, object code, and executable code.
  • computer readable medium includes any type of medium capable of being accessed by a computer, such as read only memory (ROM), random access memory (RAM), a hard disk drive, a compact disc (CD), a digital video disc (DVD), or any other type of memory.
  • ROM read only memory
  • RAM random access memory
  • CD compact disc
  • DVD digital video disc
  • A "non-transitory" computer readable medium excludes wired, wireless, optical, or other communication links that transport transitory electrical or other signals.
  • a non-transitory computer readable medium includes media where data can be permanently stored and media where data can be stored and later overwritten, such as a rewritable optical disc or an erasable memory device.
  • The phrase "associated with," as well as derivatives thereof, may mean to include, be included within, interconnect with, contain, be contained within, connect to or with, couple to or with, be communicable with, cooperate with, interleave, juxtapose, be proximate to, be bound to or with, have, have a property of, have a relationship to or with, or the like.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Quality & Reliability (AREA)
  • General Engineering & Computer Science (AREA)
  • Automation & Control Theory (AREA)
  • Safety Devices In Control Systems (AREA)

Abstract

An apparatus includes at least one first input/output (I/O) module (204) having multiple first I/O channels (224, 228). Each first I/O channel (224, 228) is configured to provide a communication path. The apparatus also includes a second I/O module (212) having multiple second I/O channels (244, 248). Each second I/O channel (244) is configured to provide a redundant communication path for one of the first I/O channels (224). The apparatus is configured to provide the redundant communication paths for only a subset of the first I/O channels (224, 228). The first I/O channels (224, 228) may include critical I/O channels (224) and non-critical I/O channels (228), and the apparatus may be configured to provide the redundant communication paths for only the critical I/O channels (224).

Description

PARTIAL REDUNDANCY FOR I/O MODULES OR CHANNELS IN DISTRIBUTED CONTROL SYSTEMS
TECHNICAL FIELD
[0001] This disclosure is directed generally to control systems. More specifically, this disclosure is directed to partial redundancy for input/output (I/O) modules or channels in distributed control systems.
BACKGROUND
[0002] Controllers are widely used in process control applications. A controller is often configured as a vertical rack housed in a central location, such as a control room. A rack may include a central processing unit (CPU), memory devices, power supplies, and interface circuitry for communicating with process sensors, process actuators, or switches. The interface circuitry typically includes multiple I/O modules arranged in a parallel configuration, and the I/O modules may be connected to the CPU via a parallel bus connector. In operation, the sensors send data to the CPU via the I/O modules. In response, the CPU issues commands that are transmitted to the actuators or switches via the I/O modules.
[0003] Controllers are typically provided with redundant I/O modules to protect against I/O module failures. In critical processes, 1:1 redundancy is often provided to ensure high availability. Thus, in a critical process, each I/O module is supported by an additional I/O module, which functions as a redundant module. However, this increases the size and cost of the system.
SUMMARY
[0004] This disclosure provides partial redundancy for I/O modules or channels in distributed control systems.
[0005] In a first embodiment, an apparatus includes at least one first input/output (I/O) module having multiple first I/O channels. Each first I/O channel is configured to provide a communication path. The apparatus also includes a second I/O module having multiple second I/O channels. Each second I/O channel is configured to provide a redundant communication path for one of the first I/O channels. The apparatus is configured to provide the redundant communication paths for only a subset of the first I/O channels.
[0006] In a second embodiment, a system includes at least one processing device configured to communicate over multiple communication paths. The system also includes at least one first input/output (I/O) module having multiple first I/O channels. Each first I/O channel is configured to provide one of the communication paths. The system further includes a second I/O module having multiple second I/O channels. Each second I/O channel is configured to provide a redundant communication path for one of the first I/O channels. In addition, the system includes a fault detection circuit configured to detect a fault condition with the at least one first I/O module and/or the first I/O channels. The system is configured to provide the redundant communication paths for only a subset of the first I/O channels.
[0007] In a third embodiment, a method includes obtaining at least one first input/output (I/O) module having multiple first I/O channels. Each first I/O channel is configured to provide a communication path. The method also includes creating redundant communication paths using a second I/O module having multiple second I/O channels. Each second I/O channel is configured to provide one of the redundant communication paths for one of the first I/O channels. Redundant communication paths are provided for only a subset of the first I/O channels.
[0008] Other technical features may be readily apparent to one skilled in the art from the following figures, descriptions, and claims.
BRIEF DESCRIPTION OF THE DRAWINGS
[0009] For a more complete understanding of this disclosure, reference is now made to the following description, taken in conjunction with the accompanying drawings, in which:
[0010] FIGURES 1 and 2 illustrate example process control systems supporting partial redundancy of I/O modules or channels according to this disclosure; and
[0011] FIGURE 3 illustrates an example method for providing partial redundancy of I/O modules or channels according to this disclosure.
DETAILED DESCRIPTION
[0012] FIGURES 1 through 3, discussed below, and the various embodiments used to describe the principles of the present invention in this patent document are by way of illustration only and should not be construed in any way to limit the scope of the invention. Those skilled in the art will understand that the principles of the invention may be implemented in any type of suitably arranged device or system.
[0013] In accordance with this disclosure, a distributed control system provides partial redundancy for input/output (I/O) modules or channels that are connected to process sensors, process actuators, switches, or other components. More specifically, the I/O modules or channels dedicated to critical processes (referred to as "critical I/O modules" and "critical I/O channels") are identified. The critical I/O modules or channels are provided with a redundancy (such as 1:1 redundancy) to protect against I/O failures and to ensure high availability. The I/O modules or channels dedicated to non-critical processes (referred to as "non-critical I/O modules" and "non-critical I/O channels") are not provided with a redundancy. Thus, the critical I/O modules or channels are supported by redundant I/O modules or channels while the non-critical I/O modules or channels are not, helping to reduce the size and cost of the digital control system.
[0014] FIGURES 1 and 2 illustrate example process control systems supporting partial redundancy of I/O modules or channels according to this disclosure. As shown in FIGURE 1, a system 100 generally represents a distributed control system that includes critical I/O modules 104 and non-critical I/O modules 108 connected to a central processing unit (CPU) 112 via at least one parallel bus (or serial) connection 124. The critical I/O modules 104 and non-critical I/O modules 108 are also connected to one or more external components, such as process sensors 116 and actuators 120, via at least one parallel bus (or serial) connection 128. A fault detection circuit 140 is connected to the I/O modules via a connection 134 and to the CPU 112 via a connection 136. In other embodiments, a fault detection circuit may be incorporated into the I/O modules.
[0015] Each I/O module 104, 108 includes any suitable structure configured to receive signals from a source and to provide signals to a destination (possibly after converting the signals to a different form). The CPU 112 includes any suitable processing device(s), such as one or more microprocessors, microcontrollers, digital signal processors, field programmable gate arrays, application specific integrated circuits, or other processing device(s), arranged in any suitable configuration. In some embodiments, the CPU 112 executes control logic in order to process measurements from one or more sensors and to generate control signals for one or more actuators. Each sensor 116 includes any suitable structure for sensing one or more conditions. Each actuator 120 includes any suitable structure for performing one or more actions to modify an operation of a system being controlled. The fault detection circuit 140 includes any suitable structure for identifying a fault with at least one I/O module.
[0016] In one aspect of operation, the sensors 116 send data to the CPU 112 via the I/O modules 104, 108. In response, the CPU 112 issues commands that are transmitted to the actuators 120 via the I/O modules 104, 108. If any of the I/O modules 104, 108 fail, this can prevent sensor measurements from being received by the CPU 112 from the sensors 116 and/or control signals from being received by the actuators 120 from the CPU 112. This could potentially interrupt control of an underlying industrial process.
[0017] According to this disclosure, redundant I/O modules 132 are provided for critical I/O modules 104. For example, the redundant I/O modules 132 can be coupled to the communication bus connections 124, 128 in parallel with the critical I/O modules 104. Depending on the implementation, the redundant I/O modules 132 could provide 1:n redundancy for the critical I/O modules 104, where each critical I/O module 104 has n redundant I/O modules 132 (n≥1). Thus, each critical I/O module 104 is supported with at least one redundant I/O module 132 for protection against I/O failures. The non-critical I/O modules 108, on the other hand, are provided with no redundancy. By providing only a subset of the I/O modules with redundancy, the overall size and cost of the system 100 can be reduced, and/or the number of I/O modules in the system 100 can be increased.
[0018] During operation, a fault condition may occur due to the failure of one or more I/O modules 104, 108, thereby disrupting a process control operation. The fault condition may be detected by the fault detection circuit 140, which can send a message identifying the fault to the CPU 112 over the connection 136. Upon detection of the fault condition, each failed I/O module 104, 108 can be isolated by disconnecting the failed I/O module from its associated sensor or actuator. If the failed I/O module is a critical module 104, the CPU 112 can also send a redundancy command to cause a redundant I/O module 132 to take over the I/O functionality of the failed critical I/O module 104. In this way, the failure of a critical I/O module 104 can be quickly remedied, reducing or minimizing disruptions to the process control operation.
[0019] While FIGURE 1 has been described as supporting the use of redundant I/O modules, other approaches could also be used. For instance, redundant I/O channels could be provided for critical I/O channels. An example of this is shown in FIGURE 2, where primary I/O modules 204 and 208 can be connected to the CPU 112 and to the sensors 116 and actuators 120. The primary I/O modules represent the primary paths through which data is transferred between external components. One or more secondary I/O modules 212 are also present and can provide redundant I/O channels for a subset of the channels provided by the primary I/O modules.
[0020] In this example, each of the I/O modules 204-212 supports 32 I/O channels (although any number of I/O channels could be supported by each module). Each primary I/O module 204, 208 provides both critical I/O channels and non-critical I/O channels. For example, the first sixteen channels of each primary I/O module 204, 208 may be dedicated to critical process controls. The second sixteen channels of each primary I/O module 204, 208 may be dedicated to non-critical process controls. The secondary I/O module 212 therefore provides redundant I/O channels for the sixteen critical channels in each primary I/O module 204, 208.
[0021] As shown in FIGURE 2, the primary I/O module 204 connects the first sixteen channels of a bus connection 220 to a bus connection 224 having sixteen channels. The primary I/O module 204 also connects the second sixteen channels of the bus connection 220 to a bus connection 228 having sixteen channels. Similarly, the primary I/O module 208 connects the first sixteen channels of a bus connection 232 to a bus connection 236 having sixteen channels. The primary I/O module 208 also connects the second sixteen channels of the bus connection 232 to a bus connection 240 having sixteen channels. Each bus connection 220, 232 receives a portion of the channels from the bus connection 124. Similarly, each bus connection 224, 228, 236, 240 receives a portion of the channels from the bus connection 128.
[0022] The secondary I/O module 212 here is utilized to provide partial redundancy to the primary modules 204, 208. The secondary I/O module 212 connects the first sixteen channels of the bus connection 220 to a bus connection 244, thereby bypassing the primary I/O module 204. Similarly, the secondary I/O module 212 connects the first sixteen channels of the bus connection 232 to a bus connection 248, thereby bypassing the primary I/O module 208. Thus, the secondary I/O module 212 provides partial redundancy to the critical I/O channels of the primary I/O modules 204, 208 by providing failure protection to only those channels dedicated to critical process controls. The system may provide 1:n redundancy for the critical I/O channels, where each critical I/O channel has n redundant I/O channels (n≥1).
[0023] If a fault condition occurs (such as when one or more channels of a primary I/O module fail), the fault detection circuit 140 can detect the fault condition and identify the malfunctioning channel(s). In response, the failed channels may be disconnected from sensors or actuators. If one or more failed channels are dedicated to critical processes, the CPU 112 may instruct the secondary I/O module 212 to take over the I/O functions of the failed channel(s).
[0024] Note in FIGURE 2 that the secondary I/O module is connected to channels in multiple primary I/O modules. In this way, the secondary I/O module can provide redundancy to any number of channels in any number of primary I/O modules. As described in FIGURE 1, however, a redundant I/O module could also provide redundancy for an entire critical I/O module. That could be achieved in FIGURE 2, for instance, by coupling the bus connection 248 to the channels of the bus connection 228. In this configuration, the secondary I/O module 212 would act as a redundant module for the primary I/O module 204. In either case, redundant I/O channels are provided for critical I/O channels, and the connections to and from a secondary I/O module control whether the secondary I/O module provides redundancy for channels in one or multiple primary I/O modules.
[0025] Although FIGURES 1 and 2 illustrate examples of process control systems supporting partial redundancy of I/O modules or channels, various changes may be made to FIGURES 1 and 2. For example, as noted above, any suitable 1:n redundancy could be used for each I/O module or channel. Also, a process control system could have any suitable percentage of critical I/O modules or channels and is not limited to a design where 50% of the I/O modules or channels are critical (as is shown in FIGURE 2). In addition, FIGURES 1 and 2 could each include any suitable number of critical I/O modules or channels, non-critical I/O modules or channels, and redundant I/O modules or channels.
[0026] According to this disclosure, cost reductions are achieved using partial redundancy of I/O modules or channels. Consider, for example, a system that includes I/O modules having a total of 64 channels. If partial redundancy is provided to 50% of the channels, a 25% cost reduction can be achieved (compared to a system where all I/O channels have a redundant channel). According to this disclosure, implementing a 50% partial redundancy in a system having 64 channels results in a 25% cost reduction. It will be appreciated that a greater cost reduction may be achieved by reducing the number of modules or channels with a redundant backup and/or by increasing the number of I/O modules or channels in the system.
[0027] It will be appreciated that when partial redundancy is implemented providing redundant I/O modules or channels for only a subset of the total I/O modules or channels, a failure of an I/O module or channel lacking redundancy results in reduced channel availability. According to this disclosure, if a 50% redundancy is implemented in a system having 64 channels, channel availability is reduced by only 0.0007%. Thus, if redundancy is reduced from 100% to 50%, channel availability reduces by only 0.0007%. This illustrates that adequate channel availability can still be provided even though half of the I/O modules or channels lack redundancy.
[0028] FIGURE 3 illustrates an example method 300 for providing partial redundancy of I/O modules or channels according to this disclosure. The method 300 can be performed, for example, in the system 100 of FIGURE 1 using redundancy of I/O modules as shown in FIGURE 1 or using redundancy of I/O channels as shown in FIGURE 2.
[0029] Primary I/O modules or channels are connected to at least one processing device at step 304. This could include, for example, coupling the CPU 112 to various I/O modules 104, 108, 204, 208. One or more of the primary I/O modules or channels are critical I/O modules or channels that are dedicated to one or more critical processes. The primary I/O modules or channels are connected to other devices at step 308. This could include, for example, coupling one or more process sensors 116 and one or more actuators 120 to various I/O modules 104, 108, 204, 208.
[0030] One or more redundant I/O modules or channels are connected across one or more critical primary I/O modules or channels at step 312. In some embodiments, this could include coupling a redundant I/O module to the inputs and outputs of an I/O module handling critical traffic, where the I/O channels of the redundant I/O module are connected across the channels of a single primary I/O module. In other embodiments, this could include coupling a redundant I/O channel to the inputs and outputs of an I/O channel handling critical traffic, where the I/O channels of the redundant I/O module are connected across the channels of multiple primary I/O modules.
[0031] A fault condition is detected at step 316. A fault condition may be caused by the failure of an entire I/O module or by a partial failure affecting only a subset of the channels in an I/O module. In response, the failed I/O modules or channels are disconnected at step 320. This could include, for example, using switches or other mechanisms to interrupt the communication paths from the failed I/O modules or channels to the CPU 112 and the sensors/actuators.
[0032] If any of the failed I/O modules or channels is critical, redundant I/O modules or channels are used in place of the failed I/O modules or channels at step 324. This could include, for example, using switches or other mechanisms to reestablish the communication paths between the CPU 112 and the sensors/actuators using the redundant I/O modules or channels. This could be done, for instance, based on a redundancy command issued by the CPU 112. This could also include using the redundant I/O modules or channels to transport data for critical control applications. In this way, communication can be quickly restored for critical control applications. Other actions could also occur, such as notifying maintenance personnel so that a faulty I/O module can be replaced and communications for non-critical applications can be restored.
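The fault-handling sequence of steps 316 through 324, modeled at the channel level for the FIGURE 2 arrangement, together with the 64-channel cost figure from paragraph [0026]. This is an added illustration, not code from the patent; the class and function names, the path labels, and the assumption that cost scales with the number of provisioned channels are all hypothetical.

```python
from dataclasses import dataclass


@dataclass
class Channel:
    critical: bool
    path: str = "primary"  # "primary", "secondary" or "isolated"
    spares: int = 0        # unused redundant channels on secondary module 212


class PartialRedundancySystem:
    """Hypothetical channel-level model of FIGURE 2: primary modules 204 and
    208, with secondary module 212 backing only their critical channels."""

    def __init__(self, modules=(204, 208), per_module=32, critical=16, n=1):
        # The first `critical` channels of each primary module are critical
        # and get n redundant channels (1:n); the rest get none.
        self.channels = {
            (m, i): Channel(critical=i < critical,
                            spares=n if i < critical else 0)
            for m in modules for i in range(per_module)
        }
        self.maintenance = []  # channels reported for repair

    def report_fault(self, module, indices=None, path="primary"):
        """Handle a fault reported by the fault detection circuit (step 316).

        indices=None models failure of the whole module; a set of indices
        models a partial failure. `path` names the faulted path, so a fault
        in a primary module leaves channels already on the secondary alone.
        """
        outcome = {"failed_over": [], "lost": []}
        for key, ch in self.channels.items():
            if key[0] != module or ch.path != path:
                continue
            if indices is not None and key[1] not in indices:
                continue
            ch.path = "isolated"             # step 320: disconnect failed path
            if ch.critical and ch.spares > 0:
                ch.spares -= 1               # step 324: redundancy command
                ch.path = "secondary"
                outcome["failed_over"].append(key)
            else:
                outcome["lost"].append(key)  # no redundancy left
            self.maintenance.append(key)     # notify maintenance personnel
        return outcome

    def in_service(self, critical_only=False):
        """Count channels that still have a working communication path."""
        return sum(1 for ch in self.channels.values()
                   if ch.path != "isolated"
                   and (ch.critical or not critical_only))


def provisioned_channels(total, redundant_fraction, n=1):
    """Primary channels plus n redundant channels per protected channel."""
    return total + int(total * redundant_fraction) * n


def cost_reduction(total, redundant_fraction, n=1):
    """Saving relative to full redundancy, assuming (constructed assumption)
    that cost is proportional to the number of channels provisioned."""
    full = provisioned_channels(total, 1.0, n)
    partial = provisioned_channels(total, redundant_fraction, n)
    return (full - partial) / full


if __name__ == "__main__":
    dcs = PartialRedundancySystem()
    whole = dcs.report_fault(204)                  # entire module 204 fails
    print(len(whole["failed_over"]), len(whole["lost"]), dcs.in_service())
    print(dcs.report_fault(208, indices={3, 20}))  # partial failure on 208
    print(cost_reduction(64, 0.5))                 # the 64-channel case
```

With the default 1:1 setting, a second fault on a channel already carried by the secondary module leaves that critical channel out of service until the primary is repaired, which is why the maintenance notification in step 324 matters.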
[0033] Although FIGURE 3 illustrates one example of a method 300 for providing partial redundancy of I/O modules or channels, various changes may be made to FIGURE 3. For example, while shown as a series of steps, various steps in FIGURE 3 could overlap, occur in parallel, occur in a different order, or occur multiple times.
[0034] In some embodiments, various functions described above are implemented or supported by a computer program that is formed from computer readable program code and that is embodied in a computer readable medium. The phrase "computer readable program code" includes any type of computer code, including source code, object code, and executable code. The phrase "computer readable medium" includes any type of medium capable of being accessed by a computer, such as read only memory (ROM), random access memory (RAM), a hard disk drive, a compact disc (CD), a digital video disc (DVD), or any other type of memory. A "non-transitory" computer readable medium excludes wired, wireless, optical, or other communication links that transport transitory electrical or other signals. A non-transitory computer readable medium includes media where data can be permanently stored and media where data can be stored and later overwritten, such as a rewritable optical disc or an erasable memory device.
[0035] It may be advantageous to set forth definitions of certain words and phrases used throughout this patent document. The terms "include" and "comprise," as well as derivatives thereof, mean inclusion without limitation. The term "or" is inclusive, meaning and/or. The phrase "at least one of," when used with a list of items, means that different combinations of one or more of the listed items may be used, and only one item in the list may be needed. For example, "at least one of A, B, and C" includes any of the following combinations: A, B, C, A and B, A and C, B and C, and A and B and C. The phrase "associated with," as well as derivatives thereof, may mean to include, be included within, interconnect with, contain, be contained within, connect to or with, couple to or with, be communicable with, cooperate with, interleave, juxtapose, be proximate to, be bound to or with, have, have a property of, have a relationship to or with, or the like.
[0036] While this disclosure has described certain embodiments and generally associated methods, alterations and permutations of these embodiments and methods will be apparent to those skilled in the art. Accordingly, the above description of example embodiments does not define or constrain this disclosure. Other changes, substitutions, and alterations are also possible without departing from the spirit and scope of this disclosure, as defined by the following claims.

Claims

WHAT IS CLAIMED IS:
1. An apparatus comprising:
at least one first input/output (I/O) module (204) comprising multiple first I/O channels (224, 228), each first I/O channel (224, 228) configured to provide a communication path; and
a second I/O module (212) comprising multiple second I/O channels (244, 248), wherein each second I/O channel (244) is configured to provide a redundant communication path for one of the first I/O channels (224);
wherein the apparatus is configured to provide the redundant communication paths for only a subset of the first I/O channels (224, 228).
2. The apparatus of Claim 1, wherein:
the first I/O channels (224, 228) comprise critical I/O channels (224) and non-critical I/O channels (228); and
the apparatus is configured to provide the redundant communication paths for only the critical I/O channels (224).
3. The apparatus of Claim 1, further comprising: a fault detection circuit (140) configured to detect a fault condition with at least one of: the at least one first I/O module (204) and the first I/O channels (224).
4. A system comprising:
at least one processing device (112) configured to communicate over multiple communication paths (124);
at least one first input/output (I/O) module (204) comprising multiple first I/O channels (224, 228), each first I/O channel (224, 228) configured to provide one of the communication paths;
a second I/O module (212) comprising multiple second I/O channels (244), wherein each second I/O channel (244) is configured to provide a redundant communication path for one of the first I/O channels (224);
wherein the at least one first I/O module (204) and the second I/O module (212) include fault detection circuits configured to detect a fault condition with at least one of: the at least one first I/O module (204) and the first I/O channels (224);
wherein the system is configured to provide the redundant communication paths for only a subset of the first I/O channels (224, 228).
5. The system of Claim 4, wherein:
the first I/O channels (224, 228) comprise critical I/O channels (224) and non-critical I/O channels (228); and
the system is configured to provide the redundant communication paths for only the critical I/O channels (224).
6. The system of Claim 4, wherein:
the at least one first I/O module (204) comprises multiple first I/O modules; and
the system is configured to provide the redundant communication paths for only the first I/O channels (224) of a single one of the first I/O modules (204, 228).
7. The system of Claim 4, wherein:
the at least one first I/O module (204) comprises multiple first I/O modules; and
the system is configured to provide the redundant communication paths for the first I/O channels (224) of multiple ones of the first I/O modules (204).
8. The system of Claim 4, wherein:
the fault detection circuit (140) is further configured to notify the at least one processing device (112) of the fault condition; and
the at least one processing device (112) is further configured to isolate the first I/O module (204) or the first I/O channel (224) associated with the fault condition.
9. The system of Claim 4, further comprising:
one or more sensors (116) configured to provide sensor measurements to the at least one processing device (112) over one or more of the communication paths; and one or more actuators (120) configured to receive control signals from the at least one processing device (112) over one or more other of the communication paths.
10. The system of Claim 4, wherein:
the first I/O channels (224, 228) comprise critical I/O channels (224) and non-critical I/O channels (228); and
the critical I/O channels (224) are associated with at least one critical control application executed by the at least one processing device (112).
11. A method comprising:
obtaining at least one first input/output (I/O) module (204) comprising multiple first I/O channels (224, 228), each first I/O channel configured to provide a communication path; and
creating redundant communication paths using a second I/O module (212) comprising multiple second I/O channels (244), wherein each second I/O channel is configured to provide one of the redundant communication paths for one of the first I/O channels (224);
wherein redundant communication paths are provided for only a subset of the first I/O channels (224, 228).
12. The method of Claim 11, wherein:
the first I/O channels (224, 228) comprise critical I/O channels (224) and non-critical I/O channels (228); and
the redundant communication paths are provided for only the critical I/O channels (224).
13. The method of Claim 11, wherein:
the at least one first I/O module (204) comprises multiple first I/O modules; and
the redundant communication paths are provided for only the first I/O channels (224) of a single one of the first I/O modules.
14. The method of Claim 11, further comprising:
detecting (316) a fault condition with at least one of: the at least one first I/O module (204) and the first I/O channels (224).

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/US2014/046697 WO2016010521A1 (en) 2014-07-15 2014-07-15 Partial redundancy for i/o modules or channels in distributed control systems

Publications (2)

Publication Number Publication Date
EP3170082A1 (en) 2017-05-24
EP3170082A4 (en) 2018-05-30

Family Applications (1)

Application Number Title Priority Date Filing Date
EP14897648.3A Withdrawn EP3170082A4 (en) 2014-07-15 2014-07-15 Partial redundancy for i/o modules or channels in distributed control systems

Country Status (2)

Country Link
EP (1) EP3170082A4 (en)
WO (1) WO2016010521A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111525919B (en) * 2020-05-27 2023-09-26 上海微阱电子科技有限公司 Redundant structure with feedback correction

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE4416795C2 (en) * 1994-05-06 1996-03-21 Mannesmann Ag Redundantly configurable transmission system for data exchange and method for its operation
DE19928517C2 (en) * 1999-06-22 2001-09-06 Pilz Gmbh & Co Control system for controlling safety-critical processes
US20060233204A1 (en) * 2005-04-19 2006-10-19 Pomaranski Ken G Redundant I/O interface management
DE102007045398A1 (en) * 2007-09-21 2009-04-02 Continental Teves Ag & Co. Ohg Integrated microprocessor system for safety-critical regulations
JP4743282B2 (en) * 2009-01-26 2011-08-10 横河電機株式会社 Redundant input / output module
JP5522178B2 (en) * 2009-12-07 2014-06-18 富士通株式会社 Information system
US20110161538A1 (en) * 2009-12-31 2011-06-30 Schneider Electric USA, Inc. Method and System for Implementing Redundant Network Interface Modules in a Distributed I/O System
US9628065B2 (en) * 2012-10-05 2017-04-18 Fisher-Rosemount Systems, Inc. Safety instrumented process control apparatus and methods

Also Published As

Publication number Publication date
WO2016010521A1 (en) 2016-01-21
EP3170082A4 (en) 2018-05-30

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20161221

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

AX Request for extension of the european patent

Extension state: BA ME

DAX Request for extension of the european patent (deleted)
A4 Supplementary search report drawn up and despatched

Effective date: 20180426

RIC1 Information provided on ipc code assigned before grant

Ipc: G06F 11/07 20060101AFI20180420BHEP

Ipc: G05B 19/042 20060101ALI20180420BHEP

Ipc: G06F 11/20 20060101ALI20180420BHEP

17Q First examination report despatched

Effective date: 20190121

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20190601