FI127999B - Redundancy in process control system - Google Patents
- Publication number: FI127999B (application FI20170082A)
- Authority: FI (Finland)
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L1/00—Arrangements for detecting or preventing errors in the information received
        - H04L1/08—Arrangements for detecting or preventing errors in the information received by repeating transmission, e.g. Verdan system
        - H04L1/22—Arrangements for detecting or preventing errors in the information received using redundant apparatus to increase reliability
      - H04L12/00—Data switching networks
        - H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
          - H04L12/40—Bus networks
            - H04L12/40006—Architecture of a communication node
              - H04L12/40013—Details regarding a bus controller
      - H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
        - H04L41/06—Management of faults, events, alarms or notifications
          - H04L41/0654—Management of faults, events, alarms or notifications using network fault recovery
            - H04L41/0663—Performing the actions predefined by failover planning, e.g. switching to standby network elements
      - H04L43/00—Arrangements for monitoring or testing data switching networks
        - H04L43/08—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
          - H04L43/0805—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters by checking availability
            - H04L43/0811—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters by checking availability by checking connectivity
      - H04L45/00—Routing or path finding of packets in data switching networks
        - H04L45/22—Alternate routing
        - H04L45/28—Routing or path finding of packets in data switching networks using route fault recovery
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F11/00—Error detection; Error correction; Monitoring
        - G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
        - G06F11/16—Error detection or correction of the data by redundancy in hardware
Abstract
A pair of primary and standby connectivity devices (43, 44) is effectively connected between a PRP network and the non-PRP network(s) to provide a redundant interconnection. The primary device (43) is connected to both LANs A and B of the PRP network, while the standby device (44) is connected to LAN A only. During normal faultless operation the primary device (43) is in an active mode and routes the traffic between all connected network interfaces, whereas the standby connectivity device (44) is in a passive standby mode and routes no traffic via the standby connectivity device (44) to or from LAN A of the PRP network. However, when the active primary device (43) or one of its critical interfaces or connections goes down or fails, the standby device (44) can replace it and take the active role to route the traffic to and from LAN A of the PRP network. Thereby, duplication of the connectivity devices (43, 44) as well as of the connections can be normal in all network directions.
Description
FIELD
The present invention relates to arranging redundancy in a process control system.
BACKGROUND
In an industrial process, a highly automated system is used for ensuring that the process operates in a correct manner. An industrial process, such as a paper making process or a power station process, is very extensive and complex, including many variables. An information system used for controlling an industrial process is responsible for various tasks relating to collecting, distributing, storing and presenting process properties as well as to process control. A process control system typically comprises a large number of work stations, embedded computers, servers, etc. that operate independently or under the control of an operator. Such work stations carry out different process control related tasks, such as processing of measurement data and storage of historical data, according to the applications to be executed in the work stations.
Conventionally, process control systems have employed proprietary hardware and software solutions, in which case devices from different manufacturers are unable to communicate with each other. In such a case, it has been necessary to define proprietary interfaces for applications in order to access data of different devices. Instead of proprietary hardware and software solutions, several standards have been developed to define open communication interfaces for process control systems. An example of such an open standard is OPC (Object Linking and Embedding for Process Control). OPC provides a set of interfaces, properties and methods based on ActiveX/COM (Component Object Model) technologies to be used for process control applications. A bus solution supporting the OPC standard comprises OPC clients and OPC servers. The OPC servers may communicate with proprietary devices and transfer data to different OPC clients that forward the data to applications utilizing it. OPC enables a common interface to be provided for the applications so as to enable access to the data of different process control devices.
20170082 prh 03 -04- 2019
Process control systems and process controllers or nodes are typically provided with redundant network connections to provide real-time process data for further computers, such as operator stations in a control room of an industrial plant. Ethernet, standardized as IEEE 802.3, is widely used for providing network connections for process automation control systems. Network problems may seriously disturb the operation of the process automation system.
EP1483635 discloses a process control system that comprises OPC clients, OPC servers, and devices connected to the OPC servers. The OPC client is provided with at least two parallel logical connections for transferring substantially the same data with one or more OPC servers. Property information on parallel data units transferred via the different logical connections is checked at the OPC client and compared. The OPC client is provided with predetermined order criteria according to which the parallel data units can be arranged in order of superiority. Parallel data units refer to data units whose payload to be used by an application is exactly or substantially the same. Data units delivered via the logical connection having, according to the predetermined order criteria, the best property information are selected for the use of one or more applications processing the data units.
The functionality of OPC servers serving up to dozens of OPC clients thus plays a crucial role in the information system. In order to ensure the functionality of a system, redundancy of OPC servers may thus be arranged by doubling, meaning that in addition to a primary OPC server, the system is also provided with a secondary OPC server. Such a redundancy arrangement has been disclosed in WO 0 023 857, the solution according to the publication comprising switching over to using the secondary OPC server when the primary OPC server is no longer available. The secondary server may start carrying out the tasks of the primary server without the client devices noticing the change (the logical connection provided for the client device remains unchanged although the server device providing the connection changes).
EP1497731 discloses a process control system with a duplicated PROFIBUS bus (Process Field Bus). The system comprises two control servers, one control server being set to operate as the main (active) control server and the other control server being set to operate as a reserve (passive) control server. The main control server and the reserve control server are connected to each other with a backup bus, which is advantageously duplicated. There are different configurations for a field bus. In one approach, one bus for each field device is formed from each control server. In a second approach, one bus departs from each control server, and these buses are connected to a so-called Y-switch, via which the control servers connect to a non-duplicated field bus. In this type of a system, only the bus between the control servers is duplicated, but the field bus is not. In the third approach, one bus departs from each control server to a respective hub or repeater. Moreover, there is at least one further hub or repeater to which field devices are connected. The hubs or repeaters may be connected to each other in a ring configuration.
FI20095450 discloses a process control system with control nodes that may, for example, operate as OPC servers for OPC clients in workstations. A redundant Ethernet network and Ethernet switches are applied between the control nodes and the workstations. Each control node is provided with at least two connections, each via a different switch, to provide redundancy for process control related information flows. Thus, each control node may be provided with redundant connections by two or more network interface cards.
The switches may belong to different network segments, i.e. redundancy may be provided by arranging connections via different network segments. Primary and secondary network segments may be totally separated or they may be logical segments of a redundant network, which may be entirely mesh-interconnected, for instance. In this case network spanning tree logic should keep the network loop free.
US2013223204 A1 discloses a communication device for a redundancy-operable industrial communication network.
EP2672657 A1 discloses a verification device for automatically verifying communication redundancy in a high-availability network.
The International Electrotechnical Commission (IEC) standard IEC62439-3 clause 4 specifies the Parallel Redundancy Protocol (PRP), wherein each node is connected in parallel to two local area networks, and allows seamless communication in the face of a single network disruption (for instance cable, driver, switch or controller failure). IEC 62439-3 Clause 5 specifies the High-availability Seamless Redundancy (HSR) that applies the PRP principle to a ring topology to achieve cost-effective redundancy. Both protocols operate on the same principle. Each node has two ports and sends the same frame simultaneously over two independent connections to the receiving node. The receiving node discards the duplicate frame if both frames are successfully received.
PRP may implement redundancy in the devices as illustrated in Figure 1A. The principle of operation for PRP is very simple. Each PRP node (called Dual Attached Node, DAN) has two network connections and is attached to two physically independent and uncorrelated networks LAN_A and LAN_B (Local Area Network, LAN). Both interfaces of the DAN have the same MAC address and present the same IP address(es). The networks LAN_A and LAN_B have no direct connection between them but are completely separated and are assumed to be fail-independent. The networks LAN_A and LAN_B operate in parallel, thus providing zero-time recovery and allowing the redundancy to be checked. The two networks LAN_A and LAN_B are identical in protocol at the MAC-LLC level, but they can differ in performance and topology. Transmission delays may also be different. A source DAN transmits its packets as duplicates (with the same MAC address and the same IP address) on both interfaces and hence over both networks LAN_A and LAN_B.
In Figure 1A, dotted arrows depict "A" frames transmitted over LAN_A and cross-hatched arrows depict "B" frames transmitted over LAN_B. In an error-free environment a destination DAN receives the same packets on both interfaces, possibly with a time delay between them. The receiving DAN will use the first of these packets, ignoring the second. There may also be non-PRP nodes (called SAN or Singly Attached Nodes), a SAN being a normal node with only one network interface attached to one network only (and therefore able to communicate only with other SANs attached to the same network).
HSR applies the PRP principle of parallel operation to a single network of ring topology. In ring topologies, all devices are connected in a ring. Each device has a neighbour to its left and right. If a connection on one side of the device is broken, network connectivity can still be maintained over the ring via the opposite side of the device. As in PRP, a node has two ports operated in parallel; it is a DANH (Doubly Attached Node with HSR protocol). A simple HSR network consists of doubly attached bridging nodes, each having two ring ports, interconnected by full-duplex links, as shown in the example of Figure 1B for unicast traffic. In other words, each device incorporates a switch that forwards frames from port to port. In Figure 1B, dotted arrows depict "A" frames, cross-hatched arrows depict "B" frames, and grey arrows depict non-HSR frames exchanged between ring and host. Frames A and B circulating in the ring carry the HSR tag inserted by the source, which contains a sequence number. The doublet {source MAC address, sequence number} uniquely identifies copies A and B of the same frame. A destination node of a unicast frame does not forward a frame for which it is the only destination, except for testing.
Figure 2A illustrates an exemplary functional block diagram of a DAN. Each DAN has two ports that operate in parallel and that are attached to the same upper layers of the communication stack through a link redundancy entity (LRE). When an upper layer protocol sends a frame, the LRE replicates the frame and sends it through both its ports at nearly the same time. The two frames transit through the two LANs with different delays. Ideally they arrive at the destination node within a small time window. When receiving, a node's LRE forwards the first received frame to its upper layers and discards the duplicate frame. The LRE generates and handles duplicates. This layer presents to its upper layers the same interface as the network adapter of a non-redundant node. The LRE has two tasks: handling of duplicates and management of redundancy. To supervise redundancy, the LRE appends to each sent frame a 32-bit redundancy control trailer (RCT) and removes the RCT at reception. A DAN has the same MAC address for both ports, and only one set of IP addresses. This makes redundancy transparent to the upper layers. Figure 2B illustrates an Ethernet frame provided with an RCT inserted after the payload "LSDU" so that the RCT remains transparent to normal network traffic. The RCT may contain a sequence counter "SeqNr", a LAN indicator "Lanid" and a size field "LSDU size" inserted after the payload "LSDU".
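The LRE behaviour described above, as an added example that is not code from the patent: the sender appends a 32-bit RCT after the payload and emits an A copy and a B copy, and the receiver forwards the first copy and discards the duplicate keyed on {source MAC, sequence number}. The field widths (16-bit SeqNr, 4-bit LanId, 12-bit LSDU size) and the LanId values 0xA/0xB follow IEC 62439-3 but are assumptions of this model, as is the bounded duplicate-memory window.

```python
# Added example, not code from the patent: a minimal model of the PRP link
# redundancy entity (LRE). The RCT layout (16/4/12 bits) and LanId values
# 0xA/0xB are assumed here; the sample frames are constructed.
import struct
from collections import OrderedDict

RCT_LEN = 4                # the 32-bit trailer the text describes
LAN_A, LAN_B = 0xA, 0xB    # LanId nibble identifying LAN_A and LAN_B


def add_rct(lsdu: bytes, seq: int, lan_id: int) -> bytes:
    """Append the RCT after the payload (LSDU) so it stays transparent."""
    lsdu_size = (len(lsdu) + RCT_LEN) & 0x0FFF   # 12 bits, counts the RCT too
    word = ((lan_id & 0xF) << 12) | lsdu_size
    return lsdu + struct.pack("!HH", seq & 0xFFFF, word)


def strip_rct(frame: bytes):
    """Return (lsdu, seq, lan_id, lsdu_size), or None if no RCT can fit."""
    if len(frame) < RCT_LEN:
        return None
    seq, word = struct.unpack("!HH", frame[-RCT_LEN:])
    return frame[:-RCT_LEN], seq, word >> 12, word & 0x0FFF


class SenderLRE:
    """Replicates each upper-layer frame into one copy per LAN."""

    def __init__(self):
        self.seq = 0

    def send(self, lsdu: bytes):
        a = add_rct(lsdu, self.seq, LAN_A)
        b = add_rct(lsdu, self.seq, LAN_B)
        self.seq = (self.seq + 1) & 0xFFFF       # 16-bit counter wraps
        return a, b


class ReceiverLRE:
    """Forwards the first copy of a frame; drops the later duplicate."""

    def __init__(self, window: int = 64):
        self.seen = OrderedDict()   # (src_mac, seq) -> LanId of the first copy
        self.window = window        # bounded memory for the duplicate check

    def receive(self, frame: bytes, src_mac: str):
        parsed = strip_rct(frame)
        if parsed is None:
            return frame            # too short for an RCT: plain SAN traffic
        lsdu, seq, lan_id, size = parsed
        if size != len(frame) or lan_id not in (LAN_A, LAN_B):
            return frame            # trailer does not check out: not a PRP frame
        key = (src_mac, seq)
        if key in self.seen:
            return None             # duplicate of a frame already forwarded
        self.seen[key] = lan_id
        while len(self.seen) > self.window:
            self.seen.popitem(last=False)
        return lsdu
```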
The IEC62439-3 does not specifically describe the connectivity to other networks, such as IEEE 802 LANs. The operation of the PRP is based on duplicate packets with overlapping OSI layer 2 addresses, i.e. MAC and IP addresses. The overlapping MAC and IP addresses will cause a serious malfunction in all OSI layer 2 switch devices and OSI layer 3 router devices. To partly address this problem IEC62439-3 clause 4 introduced a "RedBox" (Redundancy Box), a switching device that behaves like a DANP to connect conventional nodes (with only one network interface, like SANs) to both LANs LAN_A and LAN_B of a PRP network. Basically the RedBox receives duplicate packets from the LAN_A and LAN_B of a PRP network, removes one of the duplicates and sends the other duplicate packet to non-PRP nodes. Similarly in the reverse direction, the RedBox receives packets from non-PRP nodes, duplicates them and sends the duplicate packets over LAN_A and LAN_B to the PRP node. Because the conventional nodes appear to the PRP nodes of the PRP network like dual attached nodes (DANs), they are called virtual dual attached nodes (Virtual Dual Attached Nodes, VDANs). The mechanism of duplicate generation and duplicate rejection is completely transparent to the VDAN.
However, there is the problem of how to connect a PRP or HSR network topology to conventional networks, like an IEEE 802 LAN, while maintaining redundancy also towards the conventional networks. For example, a process control network may typically be isolated from the normal mill office network of the plant by means of a firewall/router environment. Also, part of the process control network, such as engineering and information servers, may be separated from the remaining process control network into a limited access area (i.e. subnet) by means of a firewall/router environment. The process control network may provide services to the office network users, while it is ensured that potential problems in the office network will not affect the process control network and vice versa. Connections with these other networks are often so critical that the connections must be redundant. Also, security devices (e.g. firewalls/routers) isolating different networks must typically be redundant. One RedBox interconnecting a PRP network and a conventional network provides a non-redundant connection. A straightforward approach of using a pair of RedBoxes to provide a redundant connection between the LANs (LAN_A and LAN_B) of a PRP network and a conventional LAN C would result in the network topology illustrated in Figure 3.
Each RedBox has a respective connection P1 to the conventional LAN C. Each RedBox further has two PRP network interfaces: PRP1A to LAN_A and PRP2B to LAN_B, which are both connected to a PRP node ACN/PRP. As discussed above, MAC address duplicates (mac x:y:z) are used in the redundant communication between each RedBox and the PRP node ACN/PRP. Although each RedBox removes the duplicate for its respective connection P1 in accordance with IEC62439-3 clause 4, packets with the same MAC address (mac x:y:z) will still be sent to the conventional LAN C by the two RedBoxes over different connections P1. Thus, serious problems will be encountered in the LAN C due to a so-called "mac-flap" error (the same MAC address is registered at two different ports of a switch, which is an intolerable state).
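The mac-flap condition of Figure 3, as an added illustration that is not part of the patent: a toy model of the LAN C switch's MAC learning table flags a source address that keeps moving between ports. The frame sequences are constructed, "mac x:y:z" stands for the duplicated PRP-node address of the text, the port numbers and the move-count threshold are assumptions.

```python
# Added example, not code from the patent: a toy switch MAC table that reports
# a "mac-flap" when one source MAC keeps moving between ingress ports. The
# frames and the threshold below are constructed for illustration.
from collections import defaultdict


class MacTable:
    """Learns source MAC -> port and counts how often a MAC changes port."""

    def __init__(self, flap_threshold: int = 3):
        self.port_of = {}                  # mac -> port it was last learned on
        self.moves = defaultdict(int)      # mac -> number of port changes
        self.flap_threshold = flap_threshold
        self.flapping = set()

    def learn(self, src_mac: str, port: int) -> str:
        """Learn src_mac on port; return 'new', 'same', 'move' or 'flap'."""
        prev = self.port_of.get(src_mac)
        self.port_of[src_mac] = port
        if prev is None:
            return "new"
        if prev == port:
            return "same"
        self.moves[src_mac] += 1
        if self.moves[src_mac] >= self.flap_threshold:
            self.flapping.add(src_mac)     # the intolerable state of the text
            return "flap"
        return "move"


def run_frames(frames, threshold: int = 3):
    """Replay (src_mac, ingress_port) tuples; return the MACs found flapping."""
    table = MacTable(threshold)
    for mac, port in frames:
        table.learn(mac, port)
    return sorted(table.flapping)


PRP_NODE_MAC = "mac x:y:z"   # the duplicated address of the PRP node, as in the text

# Figure 3 topology (constructed): both RedBoxes forward the PRP node's frames,
# each over its own P1 link, so LAN C sees the same MAC on ports 1 and 2 in turn.
TWO_REDBOX_FRAMES = [(PRP_NODE_MAC, port) for port in (1, 2, 1, 2, 1, 2)]

# Single active path (constructed): the address is seen on one port only, and a
# single failover moves it once, which is an ordinary move, not a flap.
SINGLE_ACTIVE_FRAMES = [(PRP_NODE_MAC, 1)] * 5 + [(PRP_NODE_MAC, 2)] * 5
```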
SUMMARY OF THE INVENTION
An object of the present invention is to enable a redundant duplicated connection of a PRP network to a non-PRP network. The objects of the invention are achieved by a redundant connectivity system and a method according to the attached independent claims. The preferred embodiments of the invention are disclosed in the attached dependent claims.
An aspect of the invention is a redundant connectivity system, comprising:
- a parallel redundancy protocol (PRP) adapter having a first PRP interface and a second PRP interface for a first local area network and a second local area network, respectively, for sending and receiving duplicated data packets with the same addresses to and from at least one dual attached node connected to both of said first and second local area networks, and further having a third interface for sending and receiving non-duplicated data packets, the parallel redundancy adapter being configured to remove duplication of data packets in the direction from the first and second interfaces to the third interface and to generate duplication of data packets in the direction from the third interface to the first and second interfaces;
- a first connectivity unit having a fourth interface connected to the third interface of the parallel redundancy adapter and at least one further interface connected to at least one further local area network;
- a second connectivity unit having a fifth interface connected to said first local area network and at least one further interface connected to said at least one further local area network, the first connectivity unit being configured to connect traffic and the second connectivity unit being configured to not connect traffic if traffic can be properly routed via the first connectivity unit; and
- control means for changing the first connectivity unit to not connect traffic and the second connectivity unit to connect traffic if any of the traffic via the first connectivity unit fails.
In an embodiment, the control means is configured to change the first connectivity unit to connect traffic and the second connectivity unit to not connect traffic, if all interfaces of the first connectivity unit recover to function properly.
In an embodiment, the parallel redundancy protocol adapter comprises a Redundancy Box according to the parallel redundancy protocol (PRP).
In an embodiment, the first connectivity unit and the second connectivity unit comprise a first firewall and a second firewall, respectively.
In an embodiment, the first and second local area networks provide a parallel redundancy protocol (PRP) process control network of an automation system, and the at least one further local area network comprises one or more of a non-PRP office network and a non-PRP server network.
In an embodiment, the non-PRP server network comprises one or more of an engineering server and a process information server of an automation system.
In an embodiment, the control entity is associated with the first connectivity unit.
Another aspect of the invention is a method of controlling a redundant connectivity system according to embodiments of the invention, comprising:
- monitoring interfaces of a first connectivity unit;
- controlling the first connectivity unit to connect traffic and the second connectivity unit to not connect traffic if all interfaces of the first connectivity unit function properly; and
- changing the first connectivity unit to not connect traffic and the second connectivity unit to connect traffic if any of the interfaces of the first connectivity unit fails.
In an embodiment, the method comprises returning the first connectivity unit to connect traffic and the second connectivity unit to not connect traffic, if all interfaces of the first connectivity unit recover to function properly.
In an embodiment, the method comprises returning the first connectivity unit to connect traffic and the second connectivity unit to not connect traffic after a predetermined period of time has lapsed from the recovery of all interfaces of the first connectivity unit to function properly.
In an embodiment, the method comprises:
- monitoring interfaces of a first connectivity unit;
- shutting down the fourth interface of the first connectivity unit connected to the parallel redundancy adapter if any of the other interfaces of the first connectivity unit fails; and
- setting up the fourth interface of the first connectivity unit connected to the parallel redundancy adapter if the failed interface of the first connectivity unit recovers.
A further aspect of the invention is a process control system comprising a connectivity unit system according to embodiments, configured to interconnect in a duplicated manner a PRP process control network and one or more of a non-PRP office network and a non-PRP engineering and information server network.
BRIEF DESCRIPTION OF DRAWINGS
Some embodiments of the present invention are described below, by way of example only, with reference to the accompanying drawings, in which
Figure 1A is a block diagram illustrating an example of Parallel Redundancy Protocol (PRP) network topology;
Figure 1B is a block diagram illustrating an example of High-availability Seamless Redundancy (HSR) network topology;
Figure 2A is a block diagram illustrating an exemplary functional block diagram of a Doubly Attached Node (DAN);
Figure 2B illustrates an Ethernet frame provided with a Redundancy Control Trailer (RCT) inserted after the payload;
Figure 3 is a block diagram illustrating a hypothetical network topology using a pair of RedBoxes to provide a redundant duplicated connection of a PRP network to a non-PRP network;
Figure 4 is a block diagram illustrating a network topology according to an exemplary embodiment for providing a redundant duplicated connection of a PRP network to a non-PRP network;
Figures 5A and 5B are flow diagrams illustrating standby control procedures according to exemplary embodiments;
Figure 6 is a flow diagram illustrating an example procedure for controlling the PRP interface of the primary connectivity device; and
Figure 7 is a block diagram illustrating a process control system according to an exemplary embodiment with a redundant duplicated connection of a PRP process control network to non-PRP networks.
EXEMPLARY EMBODIMENTS
Figure 4 illustrates a simplified network arrangement example of a process automation system enabling a redundant duplicated connection of a PRP network to a non-PRP network.
A PRP transition unit 41, such as a RedBox, has two PRP network interfaces: PRP1A connected to LAN_A and PRP2B connected to LAN_B of a PRP network. LAN_A and LAN_B are connected to different ports of a PRP node ACN/PRP 42. The PRP Transition Unit 41 also has an interface P1 towards a conventional network or network C. The PRP Transition Unit 41 may be any entity, such as a RedBox (Redundancy Box) in accordance with IEC62439-3 clause 4, which behaves like a DANP to connect one network interface P1 to both LANs LAN_A and LAN_B of the PRP network. Basically, the PRP Transition Unit 41 receives duplicate packets from the LAN_A and LAN_B of the PRP network via the interfaces PRP1A and PRP2B respectively, removes one of the duplicates and sends the other duplicate packet via the interface P1. Similarly, in the reverse direction, the PRP Transition Unit 41 receives packets via the interface P1, duplicates them and sends the duplicate packets over LAN_A and LAN_B to the PRP node 42. MAC address duplicates (mac x:y:z) are used in the redundant communication between the PRP Transition Unit 41 and the PRP node ACN/PRP 42. The mechanism of duplicate generation and duplicate rejection is completely transparent to devices or networks connected to the interface P1.
Thus, this part of the network arrangement example of a process automation system may provide a normal non-duplicated connection from the PRP network to one or more conventional non-PRP networks.
According to exemplary embodiments of the invention, a pair of a primary connectivity device 43 and a standby connectivity device 44 is provided to enable a redundant duplicated connection of the PRP network to the non-PRP network(s) C. As used herein, the term connectivity device refers to any device that can be used to connect one network to another, examples of connectivity devices including firewalls, repeaters, bridges, routers, and gateways. In many automation systems, firewalls are used for securing the connection to a mill network. This connection is normally very crucial, both from the redundancy point of view and from the data security point of view. In exemplary embodiments, the connectivity devices 43 and 44 may be implemented as firewalls.
The pair of the primary connectivity device 43 and the standby connectivity device 44 is effectively connected between the PRP network and the non-PRP network(s) C to provide a redundant interconnection. More specifically, one of the network interfaces of the primary connectivity device 43 may be connected to the P1 interface of the PRP Transition Unit 41, and the other interface(s) of the primary connectivity device 43 may be connected to the conventional non-PRP network(s) C. Further, one of the network interfaces of the standby connectivity device 44 may be connected directly to the LAN_A of the PRP network, in a similar manner as a Singly Attached Node (SAN), and the other interface(s) may be connected to the conventional non-PRP network(s) C. The primary connectivity device 43 may be in an active mode during normal faultless operation and routes the traffic between all connected network interfaces. The standby connectivity device 44 may be in a passive standby mode during normal faultless operation. In the passive mode, the standby connectivity device 44 may route no traffic via the standby connectivity device 44 to or from the LAN_A of the PRP network. However, when the active primary connectivity device 43 or one of its critical interfaces or connections goes down or fails, the standby connectivity device 44 can replace it and take the active role. The primary connectivity device 43 may be inactivated or resume a standby mode. Having taken the active role, the standby connectivity device 44 may route the traffic to and from the LAN_A of the PRP network. Thereby, in the network topology according to embodiments of the invention, duplication of the connectivity devices 43 and 44 as well as of the connections can be normal in all network directions, i.e. towards the PRP network and the conventional non-PRP network(s) C.
Examples of failure events in which the network topology accord30 ing to exemplary embodiments ensures the connectivity to and from the conventional non-PRP network(s) C, include:
1) If the PRP Transition Unit 41 fails, the link of the interface PI to the primary connectivity device 43 fails, and the connectivity device 44 may be changed as an active device. Traffic propagates now through the connectivity device 44 to and from the LAN_A of the PRP network. The LAN_B of the PRP network does not have any more communication with the conventional non-PRP network(s) C, but in accordance with the PRP protocol all nodes of the PRP network will still have full connectivity via the LAN_A and the connectivity device 44.
2) If the active primary connectivity device 43 fails, the connectivity device 44 may be switched to be the active connectivity device in a similar manner as described above.
20170082 prh 03 -04- 2019
3) If the passive standby connectivity device 44 or any of its critical interfaces or connections fails, there is no break in the traffic and no need to change the active connectivity device, because the traffic already goes via the active primary connectivity device 43.
4) If the closest switch of LAN_A (or LAN_B), which is connected to a port of the PRP Transition Unit 41, fails, there is no break in the traffic and no need to change the active connectivity device, because the traffic still propagates to and from the primary connectivity device 43 via the PRP Transition Unit 41 and LAN_B (or LAN_A).
A failure of the traffic via the primary connectivity device 43, and the resulting need to switch the standby connectivity device 44 into the active mode, may be detected or deduced in various alternative ways.
In an exemplary embodiment, the network interfaces of the primary connectivity device 43, and thereby the links connected to these interfaces, may be monitored or tracked by a standby control entity 46. The standby control entity 46 may be associated with the primary connectivity device 43, as illustrated in Figure 4, or it may be a separate or remote standby control entity, or it may be distributed among the primary and standby connectivity devices 43 and 44 to implement an appropriate redundancy protocol, such as the Hot Standby Router Protocol, HSRP, described in RFC 228, for example. The standby control entity 46 may control the roles of the primary and standby connectivity devices 43 and 44 based on the state of the connectivity devices and/or of the monitored interfaces or links. Simplified examples of control procedures according to exemplary embodiments are illustrated in Figures 5A and 5B.
Referring now to Figure 5A, the primary connectivity device 43 is in the active mode (step 50) and its interfaces are monitored (step 51), while the standby connectivity device 44 is in the passive mode. If none of the monitored links has failed and the traffic can be properly routed via the primary connectivity device 43, the standby control entity 46 may maintain the primary connectivity device 43 as the active connectivity device (in the active mode) and the standby connectivity device 44 as the passive connectivity device (in the passive mode), and the monitoring is looped in steps 51 and 52. On the other hand, if a failure of any of the monitored interfaces is detected and the traffic cannot be properly routed via the primary connectivity device 43, the standby control entity 46 may reassign the primary connectivity device 43 as the passive connectivity device (in the passive mode) and the standby connectivity device 44 as the active connectivity device (in the active mode), step 53. Referring to Figure 5B, the standby control entity may continue monitoring the interfaces of the primary connectivity device 43 while it is in the passive mode (steps 55 and 56), and automatically reassign the primary connectivity device 43 as the active connectivity device (in the active mode) once all the monitored interfaces have recovered to a normal state and the traffic can again be properly routed via the primary connectivity device 43 (steps 57 and 58). The reassignment may be performed after a predetermined time from the recovery of the primary connectivity device. The predetermined time may be seconds, dozens of seconds, or minutes.
In exemplary embodiments, the control of the roles of the primary and standby connectivity devices 43 and 44 may be implemented to operate substantially according to the Hot Standby Router Protocol, HSRP, described in RFC 228, for example. HSRP is a routing protocol that provides backup to a LAN default gateway router in the event of failure. Using HSRP, two or more routers can be connected to the same segment of an Ethernet, FDDI or token-ring network and work together to present the appearance of a single virtual router on the LAN. In the example of Figure 4, such a “virtual router” may be implemented by the connectivity devices 43 and 44 connected to the same conventional non-PRP network(s) C and to the same PRP network and arranged to follow the HSRP protocol. The connectivity devices 43 and 44 may share the same virtual gateway IP and MAC addresses, and therefore, in the event of failure of one connectivity device, the hosts on the LAN are able to continue forwarding packets to a consistent gateway IP and MAC address. The process of transferring the routing responsibilities from one device to another is transparent to the user. The connectivity devices 43 and 44 in the HSRP may exchange status messages (hello messages) informing of the status or priority of the connectivity devices in order to select the single active device that handles all live traffic. A single standby device is also selected. In the network topology according to exemplary embodiments, the primary connectivity device 43 is configured to always be selected as the active connectivity device in a fault-free situation. To configure the primary connectivity device 43 as the active connectivity device, it is possible to assign to it a priority that is higher than the priority of the standby connectivity device 44. The standby connectivity device 44 may communicate with the active primary connectivity device 43 via multicast and will detect if the active primary connectivity device 43 fails; for example, if the active primary connectivity device 43 stops sending hello messages for a predetermined period of time (e.g. 10 seconds by default), the standby connectivity device 44 with the next highest priority may become active.
As another example, when the priority of the primary connectivity device 43 decreases below the priority of the standby connectivity device 44, the standby connectivity device 44 may become active. When this happens, the standby connectivity device 44 takes over the duties of the active connectivity device and continues traffic forwarding without much (if any) delay. The delay may be approximately 1 second, for example.
The HSRP concept also includes object tracking, which allows the priority of a connectivity device to be changed dynamically when an object that the device is tracking goes down. This object tracking feature may be utilized for implementing the exemplary embodiments illustrated in Figures 5A and 5B. For example, if the line protocol state of an interface of the active primary connectivity device 43 is used as a tracked object (steps 50-51), then when it goes down (step 52) the priority of the active primary connectivity device 43 may be decreased (making the primary connectivity device 43 less desirable as a default device) and the standby connectivity device 44, now having the higher priority, may become the active device (step 53). The line protocol state of an interface of the passive primary connectivity device 43 may also be tracked (steps 55-56). When the tracked line protocol state of an interface of the passive primary connectivity device 43 goes up again (step 57), the priority of the primary connectivity device 43 may be increased and the primary connectivity device 43 may return to being the active device (step 58). In the network topology according to exemplary embodiments, the connectivity devices 43 and 44 in the HSRP may exchange multicast messages also via LAN_A of the PRP network and the PRP Transition Unit 41, in addition to multicasting via the conventional non-PRP network(s) C. Thus, the HSRP redundancy operates towards all network interfaces, and the status detection of the primary connectivity device 43 can be utilized in determining the need to change the active connectivity device.
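The control logic of Figures 5A and 5B together with its HSRP-style realization through priorities, hello messages and object tracking, as an added simulation that is not part of the patent and not code from any HSRP implementation. The device names, the base priorities 110 and 100, the tracking decrement of 50, the 10 s hello hold time and the 30 s failback delay are constructed assumptions; a real HSRP election additionally breaks priority ties by IP address, which the model replaces with a name comparison.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class ConnectivityDevice:
    name: str
    base_priority: int
    tracked: Dict[str, bool] = field(default_factory=dict)  # interface -> link up?
    decrement: int = 50        # priority penalty per tracked interface that is down (assumed)
    last_hello: float = -1e9   # time at which the peer last heard a hello from this device

    def priority(self) -> int:
        """Object tracking: each tracked interface that is down lowers the priority."""
        down = sum(1 for up in self.tracked.values() if not up)
        return max(0, self.base_priority - down * self.decrement)


class StandbyControl:
    """Model of the standby control entity 46: elects the active device from the
    hello state and the tracked interface states of both devices."""

    def __init__(self, devices: List[ConnectivityDevice],
                 hold_time: float = 10.0, failback_delay: float = 30.0) -> None:
        self.devices = {d.name: d for d in devices}
        self.hold_time = hold_time            # silence after which a device is presumed dead
        self.failback_delay = failback_delay  # predetermined time before the primary resumes
        self.active: Optional[str] = None
        self.pending: Dict[str, float] = {}   # device -> time it first became preferable again
        self.log: List[Tuple[float, str, str]] = []

    def hello(self, name: str, now: float) -> None:
        self.devices[name].last_hello = now

    def link_event(self, name: str, iface: str, up: bool) -> None:
        self.devices[name].tracked[iface] = up

    def _alive(self, d: ConnectivityDevice, now: float) -> bool:
        return now - d.last_hello <= self.hold_time

    def _switch(self, d: ConnectivityDevice, now: float, reason: str) -> None:
        self.pending.clear()
        self.log.append((now, d.name, reason))
        self.active = d.name

    def evaluate(self, now: float) -> Optional[str]:
        """One monitoring pass (steps 51-53 and 56-58); returns the active device."""
        alive = [d for d in self.devices.values() if self._alive(d, now)]
        if not alive:
            self.active = None
            return None
        # Highest priority wins; HSRP breaks ties by IP address, modelled here by name.
        best = max(alive, key=lambda d: (d.priority(), d.name))
        current = self.devices.get(self.active) if self.active else None
        if current is None or current not in alive:
            self._switch(best, now, "no live active device")
        elif best is not current and best.priority() > current.priority():
            if current.priority() < current.base_priority:
                # A tracked interface of the active device is down: reassign at once (step 53).
                self._switch(best, now, "tracked interface down on active device")
            else:
                # The preferred device has recovered: fail back only after the delay (step 58).
                since = self.pending.setdefault(best.name, now)
                if now - since >= self.failback_delay:
                    self._switch(best, now, "failback after delay")
        else:
            self.pending.clear()
        return self.active


def run_scenario():
    """Link P1 of the primary fails, then recovers; returns the active device over time."""
    primary = ConnectivityDevice("primary-43", 110, {"P1": True, "C": True})
    standby = ConnectivityDevice("standby-44", 100, {"LAN_A": True, "C": True})
    ctl = StandbyControl([primary, standby], hold_time=10.0, failback_delay=30.0)
    states = {}

    def tick(t):  # both devices send a hello, then the control entity evaluates
        ctl.hello("primary-43", t)
        ctl.hello("standby-44", t)
        states[t] = ctl.evaluate(t)

    tick(0)                                      # faultless: primary active
    ctl.link_event("primary-43", "P1", False)    # link to the PRP Transition Unit goes down
    tick(5)                                      # standby takes over immediately
    ctl.link_event("primary-43", "P1", True)     # link recovers
    tick(10)                                     # delay not elapsed: standby stays active
    tick(40)                                     # 30 s after the recovery was seen: primary resumes
    return states, ctl.log


def run_hello_loss():
    """Primary stops sending hellos; the standby takes over once the hold time passes."""
    primary = ConnectivityDevice("primary-43", 110)
    standby = ConnectivityDevice("standby-44", 100)
    ctl = StandbyControl([primary, standby], hold_time=10.0)
    ctl.hello("primary-43", 0); ctl.hello("standby-44", 0)
    ctl.evaluate(0)
    ctl.hello("standby-44", 8)
    before = ctl.evaluate(8)       # 8 s of silence: still within the hold time
    ctl.hello("standby-44", 12)
    after = ctl.evaluate(12)       # 12 s of silence: primary presumed failed
    return before, after
```

The asymmetry in `evaluate` is the point of the two figures: losing a tracked link on the active device moves traffic immediately, while the return of the primary is deliberately delayed so that a link which is still unstable does not bounce the active role back and forth.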
In an embodiment, the interface P1 (the “PRP interface”) of the primary connectivity device 43 to the PRP Transition Unit 41 may be shut down in a controlled manner if the primary connectivity device 43 transits into the passive mode. This may ensure that no MAC-flap errors (the shared virtual MAC address being learned on two different ports) are caused at a switch in the LAN_A. When the primary connectivity device 43 resumes the active mode, the interface P1 of the primary connectivity device 43 is set up again. An example procedure for controlling the PRP interface of the primary connectivity device 43 is illustrated in Figure 6. The primary connectivity device 43 is active (step 61) after startup of the device and monitors the link state of an interface A to the LAN C (step 62). At startup the link state of the interface A is up. The monitoring loop continues until a change in the link state is detected (steps 62-63). If the link state changes to down (step 63), the procedure changes the state of the PRP interface P1 to down (step 64). The event may be notified to an operator of the plant, e.g. by sending a syslog message (step 65). Then the procedure returns to monitoring the link state of the interface A (steps 62 and 63).
If the link state of the interface A changes to up (step 63), the procedure changes the state of the PRP interface P1 to up (step 66). Then the procedure proceeds to step 65 and further to step 62. The example procedure may be implemented for each interface of the primary connectivity device 43.
The network topology according to exemplary embodiments can be applied to any process control system to provide the duplicated connection between a PRP network and any number of non-PRP networks. The process control system may be arranged to control any industrial process or the like. The industrial processes may include, but are not limited to, processes in a processing industry, such as the pulp and paper, oil refining, petrochemical and chemical industries, or processes in power plants, etc.
There are various architectures for a process control system. For example, the process control system may be a Distributed Control System (DCS). One example of such a control system is Metso DNA (DNA, Dynamic Network of Applications) delivered by Metso Corporation. An example topology of a distributed control system according to an exemplary embodiment of the invention is illustrated in Figure 7.
A central processing unit (or units) of a process control system controlling the productive activity of an entire factory, such as a paper mill, is often called a control room 70, which may be composed of one or more control room computer(s)/programs and process control computer(s)/programs as well as databases. A process control system may comprise a control room bus/network that may interconnect user interface components and control computers of the room. A control room bus/network may be a local area network, for example, based on standard Ethernet technology. A process bus/network 78 may, in turn, interconnect process control components, such as control nodes ACN 42, with each other. Control nodes ACN 42 may also be connected to the control room network, allowing communication between control nodes ACN 42 and user interfaces, for example. The term “control node” refers generally to a computer-based apparatus which may be used for process control purposes, such as a process controller, backup, display server, etc. The control node ACN 42 may be connected to one or more input/output (I/O) units of field devices for arranging field device control. The term “field device” refers generally to devices of the process being monitored and/or controlled. Typically, there is a high number of process devices (field devices), such as actuators, valves, pumps and sensors, in a plant area (field).
The process control system may be provided with a firewall/router environment 73 and 74, illustrated as a secure interconnection system 69 in the example of Figure 7, to effectively isolate different parts of the process control network from each other and/or from a normal office network of the plant 72, referred to herein as a mill network. The separation ensures that potential problems in one separated network zone will not affect another network zone. For example, potential problems in the office network will not affect the control room bus or the process network, and vice versa. Direct Internet access from/to the automation network is prohibited.
The process control system may further be provided with a Demilitarized Zone (DMZ) 71, a limited access area, which may include process control servers or nodes 77 that provide services to the office network users. The DMZ 71 is separated from the control room network 70, the process control network 78 and the mill network 72 by means of the firewall/router environment 73 and 74. Examples of servers 77 that may be located in the DMZ 71 include OPC (Object Linking and Embedding for Process Control) servers, IA (Information Activity) servers, Engineering Activity (EA) servers, etc.
Connections with these other networks are often so critical that the connections must be redundant. The firewall/router environment may include an HSRP pair of firewalls or routers 73 and 74 or similar connectivity devices in order to provide redundant connections to each of the DMZ 71, the process control network 78 and the mill network 72. In other words, each firewall/router 73 and 74 has a separate interface to each of the DMZ 71, the process control network 78 and the mill network 72. An example of a commercially available HSRP firewall/router suitable to be configured to operate as the firewalls/routers 73 and 74 is the CISCO2911-SEC/K9 from Cisco Inc. In the DMZ 71, two switches 75 and 76 are illustrated. An example of a commercially available switch suitable to be configured to operate as the switches 75 and 76 is the CISCO2960X-24TS-L from Cisco Inc.
The process control network 78 may be implemented as a redundant PRP network similar to that shown in Figure 4. ACN 42 may be a PRP-enabled node (Dual Attached Node, DAN) that has two network connections and is attached to two physically independent and uncorrelated networks LAN_A and LAN_B (Local Area Network, LAN). An example of a commercially available device suitable to be used as the ACN 42 is a Metso DNA ACN process controller with a variety of operating roles (PRP DAN mode). Both interfaces of the DAN have the same MAC address and present the same IP address. The implementation of ACN 42 may be similar to that shown in Figure 2A. The networks LAN_A and LAN_B have no direct connection between them but are completely separated and are assumed to be fail-independent. An example of a commercially available switch suitable to be used as the switches in LAN_A and LAN_B is the CISCO IE-2000-8TC-B. A PRP Transition Unit 41, such as a RedBox, is provided with two PRP network interfaces: PRP1A connected to LAN_A and PRP2B connected to LAN_B of the PRP network 78. An example of a commercially available device suitable to be used as the transition unit 41 is the RSP switch Hirschmann RSP25 from Belden Inc. The PRP Transition Unit 41 also has an interface P1 connected to one network interface of the HSRP firewall 73. Further, the network interface PRP1_A of the HSRP firewall 74 is connected directly to LAN_A of the PRP network. The HSRP firewall 73 may operate as the primary firewall and the HSRP firewall 74 as the standby firewall, for example in a similar manner as described for the connectivity devices 43 and 44 above. Thereby, with the exemplary network topology, duplication of the firewalls 73 and 74 and of the connections can be achieved in all network directions, i.e. towards the PRP network, the non-PRP mill network 72 and the non-PRP DMZ 71.
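How a DAN such as the ACN 42 keeps full connectivity over a single surviving LAN, as an added example that is not code from the patent or from Metso DNA: the sender appends the PRP Redundancy Control Trailer to each frame and sends one copy per LAN, and the receiver delivers the first copy and discards the duplicate keyed on (source MAC, sequence number). The trailer layout (16-bit sequence number, 4-bit LAN identifier, 12-bit LSDU size, 0x88FB suffix) follows IEC 62439-3; the MAC address, the payloads and the history depth are constructed.

```python
import struct
from typing import Dict, List, Optional, Tuple

PRP_SUFFIX = 0x88FB          # PRP suffix that terminates the trailer
LAN_A, LAN_B = 0xA, 0xB      # LAN identifiers carried in the trailer


def add_rct(payload: bytes, seq: int, lan_id: int) -> bytes:
    """Append the Redundancy Control Trailer (RCT): 16-bit sequence number,
    4-bit LAN id + 12-bit LSDU size (payload plus trailer), 16-bit PRP suffix."""
    lsdu_size = (len(payload) + 6) & 0x0FFF
    return payload + struct.pack("!HHH", seq & 0xFFFF, (lan_id << 12) | lsdu_size, PRP_SUFFIX)


def strip_rct(frame: bytes) -> Optional[Tuple[bytes, int, int]]:
    """Return (payload, seq, lan_id) if the frame ends in a valid RCT, else None.
    A frame without a trailer (from a SAN) is delivered untouched by a DAN."""
    if len(frame) < 6:
        return None
    seq, lan_size, suffix = struct.unpack("!HHH", frame[-6:])
    if suffix != PRP_SUFFIX or (lan_size & 0x0FFF) != (len(frame) & 0x0FFF):
        return None
    return frame[:-6], seq, lan_size >> 12


class DanSender:
    """Sends every frame once on each LAN with the same sequence number."""

    def __init__(self) -> None:
        self.seq = 0

    def send(self, payload: bytes) -> Tuple[bytes, bytes]:
        seq, self.seq = self.seq, (self.seq + 1) & 0xFFFF
        return add_rct(payload, seq, LAN_A), add_rct(payload, seq, LAN_B)


class DanReceiver:
    """Delivers the first copy of each (source MAC, sequence number) and discards the duplicate."""

    def __init__(self, history: int = 128) -> None:
        self.history = history                         # sequence numbers remembered per source
        self.seen: Dict[bytes, List[int]] = {}
        self.per_lan = {LAN_A: 0, LAN_B: 0}            # frames received per LAN (health indicator)
        self.delivered: List[Tuple[bytes, bytes]] = []

    def receive(self, src_mac: bytes, frame: bytes) -> bool:
        parsed = strip_rct(frame)
        if parsed is None:                             # SAN traffic: nothing to discard
            self.delivered.append((src_mac, frame))
            return True
        payload, seq, lan_id = parsed
        self.per_lan[lan_id] = self.per_lan.get(lan_id, 0) + 1
        recent = self.seen.setdefault(src_mac, [])
        if seq in recent:
            return False                               # the other LAN delivered this frame already
        recent.append(seq)
        del recent[:-self.history]                     # forget the oldest sequence numbers
        self.delivered.append((src_mac, payload))
        return True


def run_scenario():
    """Healthy LANs, then a LAN_B outage, then LAN_B delivering first; one delivery per frame."""
    src = bytes.fromhex("0200000000aa")   # constructed MAC address standing in for ACN 42
    tx, rx = DanSender(), DanReceiver()
    a, b = tx.send(b"setpoint=42")        # both LANs healthy: second copy discarded
    r1, r2 = rx.receive(src, a), rx.receive(src, b)
    a, b = tx.send(b"setpoint=43")        # LAN_B failed: only the LAN_A copy arrives
    r3 = rx.receive(src, a)
    a, b = tx.send(b"setpoint=44")        # LAN_B recovered and is faster this time
    r4, r5 = rx.receive(src, b), rx.receive(src, a)
    return (r1, r2, r3, r4, r5), [p for _, p in rx.delivered], rx.per_lan
```

The per-LAN counters are the receiver-side view of the fail-independence assumption: a LAN whose counter stops increasing while the other keeps delivering is silently failed even though applications see no loss. The discard decision rests only on the sequence number in the trailer, which carries no integrity protection, so PRP provides availability rather than authenticity of frames.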
In an embodiment, the interface P1 (the “PRP interface”) of the primary firewall/router 73 to the PRP Transition Unit 41 may be shut down in a controlled manner in order to ensure that no MAC-flap errors are caused at a switch in the LAN_A, as illustrated above with reference to Figure 6. In an exemplary embodiment the control of the PRP interface of the primary firewall/router 73 may be implemented using an internal programming technique of the primary firewall/router 73, such as an Embedded Event Manager (EEM) script in Cisco routers. An exemplary script for the network topology of Figure 7 may be:
Firewall_m:

```
! monitor Mill Network link state
track 1 interface GigabitEthernet0/0 line-protocol
! monitor Metso DNA link state
track 2 interface GigabitEthernet0/1 line-protocol
! monitor Metso DMZ link state
track 3 interface GigabitEthernet0/2 line-protocol
!
! DMZ link down: shut the PRP interface (Gi0/1) and notify the operator
event manager applet pro_if3down
 event track 3 state down
 action 0.5 cli command "enable"
 action 1.0 cli command "conf t"
 action 2.0 cli command "interface GigabitEthernet0/1"
 action 3.0 cli command "shut"
 action 4.0 syslog msg "interface g0/1 brought DOWN by EEM track 3"
!
! DMZ link back up: re-enable the PRP interface
event manager applet pro_if3up
 event track 3 state up
 action 0.5 cli command "enable"
 action 1.0 cli command "conf t"
 action 2.0 cli command "interface GigabitEthernet0/1"
 action 3.0 cli command "no shut"
 action 4.0 syslog msg "interface g0/1 brought UP by EEM track 3"
!
! Mill Network link down: shut the PRP interface
event manager applet pro_if1down
 event track 1 state down
 action 0.5 cli command "enable"
 action 1.0 cli command "conf t"
 action 2.0 cli command "interface GigabitEthernet0/1"
 action 3.0 cli command "shut"
 action 4.0 syslog msg "interface g0/1 brought DOWN by EEM track 1"
!
! Mill Network link back up: re-enable the PRP interface
event manager applet pro_if1up
 event track 1 state up
 action 0.5 cli command "enable"
 action 1.0 cli command "conf t"
 action 2.0 cli command "interface GigabitEthernet0/1"
 action 3.0 cli command "no shut"
 action 4.0 syslog msg "interface g0/1 brought UP by EEM track 1"
!
! wait 5000 ms after boot before track events may fire
event manager detector routing bootup-delay 5000
end
```
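The syslog notification of step 65 is what lets an operator see that the applets above have acted. The following is an added example, not part of the patent or of Cisco IOS, of detection logic run over constructed log lines in the %HA_EM-6-LOG format that IOS uses for `action ... syslog msg`. It extracts the interface, direction and track number from each applet message, reports the last known state of the PRP interface, and flags a flapping link (three or more transitions within 30 seconds, both thresholds assumed), since an unstable interface A drives repeated shut/no shut of P1 and deserves operator attention. The hostname, the timestamps and the unrelated %SYS-5-CONFIG_I line are constructed.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample syslog lines as a collector might store them (hostname,
# timestamps and the %SYS-5-CONFIG_I line are assumed, not taken from the patent).
SAMPLE_LOG = """\
Apr 03 10:00:01 Firewall_m 101: *Apr  3 10:00:01.300: %HA_EM-6-LOG: pro_if3down: interface g0/1 brought DOWN by EEM track 3
Apr 03 10:00:01 Firewall_m 102: *Apr  3 10:00:01.350: %SYS-5-CONFIG_I: Configured from console by console
Apr 03 10:00:31 Firewall_m 103: *Apr  3 10:00:31.050: %HA_EM-6-LOG: pro_if3up: interface g0/1 brought UP by EEM track 3
Apr 03 10:00:40 Firewall_m 104: *Apr  3 10:00:40.210: %HA_EM-6-LOG: pro_if3down: interface g0/1 brought DOWN by EEM track 3
Apr 03 10:00:45 Firewall_m 105: *Apr  3 10:00:45.900: %HA_EM-6-LOG: pro_if3up: interface g0/1 brought UP by EEM track 3
Apr 03 10:00:52 Firewall_m 106: *Apr  3 10:00:52.400: %HA_EM-6-LOG: pro_if3down: interface g0/1 brought DOWN by EEM track 3
"""

# Matches only the messages produced by the applets' 'action 4.0 syslog msg' lines.
EEM_MSG = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) (?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<host>\S+) .*?"
    r"%HA_EM-6-LOG: (?P<applet>\S+): interface (?P<iface>\S+) brought "
    r"(?P<state>UP|DOWN) by EEM track (?P<track>\d+)\s*$"
)


def _seconds(hhmmss: str) -> int:
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def parse_eem_events(log: str) -> List[Dict[str, object]]:
    """Return one record per applet message; other syslog lines are skipped."""
    events = []
    for line in log.splitlines():
        m = EEM_MSG.match(line)
        if m:
            events.append({
                "t": _seconds(m["time"]), "host": m["host"], "applet": m["applet"],
                "iface": m["iface"], "state": m["state"], "track": int(m["track"]),
            })
    return events


def last_state(events) -> Dict[Tuple[str, str], Tuple[str, int]]:
    """Last known state of each (host, interface) and the track that caused it."""
    state = {}
    for e in events:
        state[(e["host"], e["iface"])] = (e["state"], e["track"])
    return state


def detect_flapping(events, window: int = 30, threshold: int = 3) -> List[Tuple[str, str, int]]:
    """Report (host, interface, count) when an interface changes state at least
    `threshold` times inside any `window`-second span."""
    times = defaultdict(list)
    for e in events:
        times[(e["host"], e["iface"])].append(e["t"])
    flapping = []
    for (host, iface), ts in times.items():
        ts.sort()
        for i, t0 in enumerate(ts):
            n = sum(1 for t in ts[i:] if t - t0 <= window)
            if n >= threshold:
                flapping.append((host, iface, n))
                break
    return flapping


if __name__ == "__main__":
    evs = parse_eem_events(SAMPLE_LOG)
    print(last_state(evs))
    print(detect_flapping(evs))
```

The track number in the message identifies which monitored link (mill network or DMZ) caused the PRP interface to be shut, so the same parser also tells the operator which non-PRP connection needs attention.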
The techniques described herein may be implemented by various means. For example, these techniques may be implemented in hardware (one or more devices), firmware (one or more devices), software (one or more modules), or combinations thereof. For a firmware or software implementation, this can be done through modules (e.g., procedures, functions, and so on) that perform the functions described herein. The software codes may be stored in any suitable processor/computer-readable data storage medium(s) or memory unit(s) and executed by one or more processors/computers. The data storage medium or the memory unit may be implemented within the processor/computer or external to the processor/computer, in which case it can be communicatively coupled to the processor/computer via various means as is known in the art. Additionally, components of the systems described herein may be rearranged and/or complemented by additional components in order to facilitate achieving the various aspects, goals, advantages, etc., described with regard thereto, and are not limited to the precise configurations set forth in a given figure, as will be appreciated by one skilled in the art.
The accompanying drawings and the description pertaining to them are only intended to illustrate the present invention. The above-illustrated embodiments may be combined in various ways. Different variations and modifications to the invention will be apparent to those skilled in the art, without departing from the scope of the invention defined in the appended claims. Different features may thus be omitted, modified or replaced by equivalents.
Claims (13)
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/FI2014/051006 WO2016097458A1 (en) | 2014-12-16 | 2014-12-16 | Redundancy in process control system |
Publications (2)
Publication Number | Publication Date |
---|---|
FI20170082A FI20170082A (en) | 2017-06-01 |
FI127999B true FI127999B (en) | 2019-07-15 |
Family
ID=56125985
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
FI20170082A FI127999B (en) | 2014-12-16 | 2014-12-16 | Redundancy in process control system |
Country Status (2)
Country | Link |
---|---|
FI (1) | FI127999B (en) |
WO (1) | WO2016097458A1 (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107547303B (en) * | 2017-07-06 | 2021-07-09 | 中国南方电网有限责任公司 | Method for processing NodesTable by IED equipment supporting PRP or HSR protocol |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP2634973B1 (en) * | 2012-02-29 | 2014-10-01 | Siemens Aktiengesellschaft | Communication device for a redundant industrial communication network and method for operating a communication device |
EP2672657A1 (en) * | 2012-06-05 | 2013-12-11 | ABB Research Ltd. | Device and method for verifying communication redundancy in an automation network |
US9825691B2 (en) * | 2012-11-14 | 2017-11-21 | Flexibilis Oy | Relaying frames |
- 2014-12-16 FI FI20170082A patent/FI127999B/en active IP Right Grant
- 2014-12-16 WO PCT/FI2014/051006 patent/WO2016097458A1/en active Application Filing
Also Published As
Publication number | Publication date |
---|---|
FI20170082A (en) | 2017-06-01 |
WO2016097458A1 (en) | 2016-06-23 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| P71A | Reinstatement acc. sect. 71a patents act | |
| FG | Patent granted | Ref document number: 127999; Country of ref document: FI; Kind code of ref document: B |