RU2430400C1 - Backup software-hadware system for automatic monitoring and control - Google Patents

Abstract

FIELD: information technology.

SUBSTANCE: in the software-hardware system for controlling technological processes, automation processors are connected to an EN system bus which is based on the Industrial Ethernet interface in form of a ring structure of series-connected network switches, over two channels; the automation processors are connected to input/output stations having an interface module and modules for communication with the technological process; the automation processors are connected to the interface modules of the input/output stations over an ENL bus which is based on Industrial Ethernet with a radial connection topology and ensuring the minimum possible data exchange time for the Industrial Ethernet; the interface module of the input/output station is connected to each module for communication with the technological process over a separate serial interface of the input/output bus; automation processors also have channels for connecting to ENS buses based on Industrial Ethernet on a ring connection topology for constructing multiply backed-up systems.

EFFECT: high reliability of the system bus, high rate of collecting technological process data and high fault-tolerance.

5 cl, 5 dwg

Description

The invention relates to automation and computer technology and can be used in systems of automated control and management of thermal and nuclear power plants.

A well-known complex of software and hardware for automation of control and management of technological processes, including a common data bus (OSD) and at least one controller containing input / output modules for input and processing of signals from sensors and output of control signals of actuators, and a processor module (PM) for controlling input / output modules and actuators by means of input / output modules, wherein the input / output modules and processor modules are connected by a VME-bus system bus. RF patent No. 2279117, IPC G05B 19/418, 2006. Disadvantages of the complex: low fault tolerance and reliability, the complexity of the design of the controllers due to the use of multi-wire VME-bus.

A known complex based on the controller in the form of a base unit containing a master module with a CPU card in the PC 104 standard, and a remote USO unit, the functional modules of which are connected to the base unit CPU via a serial ST BUS bus based on the RS-485 interface, moreover base units are connected to upper-level computers via the Ethernet bus. "TREI-5B-02 software control device." "Operation manual TREI1.421457.101-00.RE". 2008 Disadvantages of the complex: low data transfer rate, low fault tolerance, lack of redundancy at the module level.

A well-known complex of software and hardware automation control and management, in which the input / output modules and processor modules are connected to a common data bus, combining the functions of the system buses of the controllers, field buses and a local network, with the possibility of forming a single network of devices and forming requests and answers. The complex additionally contains control modules connected to a common data bus, and workstations and / or servers connected to a common data bus for visualizing, archiving and documenting data received from input / output modules, processor modules, and control modules. The shared Ethernet-based data bus is redundant.

A single set of protocols includes TCP / IP, and / or UDP / IP, and / or MODBUS, and / or BACnet. Patent of the Russian Federation No. 2349949, IPC G05B 19/418, 2009

The common data bus does not provide protection against failures for a common reason: for example, a failure of one processor module can lead to the transfer of false data on the shared bus to other modules and cause them to malfunction.

Redundant automation systems based on S7-400H programmable controllers and ET200M distributed input / output stations are known, in which controllers are connected via a ring topology to a redundant Idustrial Ethernet bus for data exchange between controllers and communication with the upper level. The controllers reserve and connect one channel each to the bus. I / O stations are connected to the controller via redundant buses designed for data exchange between the controller and I / O modules. Each bus is connected to a controller that performs the functions of a master on the bus, and two interface modules in the input / output stations. The communication of the interface module with the input / output modules of the station is carried out via parallel or serial buses. "Catalog of components for the integrated automation of SIEMENS products." SIMATIC. 2007, p.24-25. Prototype. The disadvantages of the prototype: loss of control for the delay time of switching the controller to the reserve, reducing the fault tolerance of the complex.

This invention eliminates the disadvantages of analogues and prototype.

The technical result of the invention is to increase the speed of collection and processing of process data, increase the reliability and fault tolerance of systems, eliminate errors for a common reason in redundant safety systems of nuclear power plants, reduce the cost of hardware.

The invention is illustrated in figures 1-4.

Figure 1 schematically shows the structure of a complex with a non-redundant automation system, in which: 1 - network switches for connecting to a top-level system, 2 _i - network switches for connecting to automation processors (PA _i ), where i - 1, 2, ... n integer, 3 _i - automation processors (PA _i ), 4 - bus system EN, 5 - network switch of the bus system ENL, 6 - bus system ENL, 7, - non-reserved input-output stations (CBB _i ), 8 _{1, 2} - interface modules (IM), 9 _i - communication modules with the process or SP-modules.

Figure 2 shows the connection diagram of unreserved PA _i to the EN bus, made in accordance with the main backup mode, where 2 _i are network switches for connection by automation processors (PA _i ), i - 1, 2, ... n (number of subscriber inputs of the switch ), 3 _i - automation processors (PA _i ), 10 - switch with backup manager functions.

In Fig. 3, a non-redundant and variant I / O station is shown, where 7 _i is a non-redundant I / O station (CBB _i ), 8 _1,2 are interface modules (IM), 9 _i are communication modules with a process or SP modules.

Figure 4 schematically shows a multi-channel security system, where 1 - network switches for connecting to a top-level system, 2 _i - network switches for connecting to automation processors (PA _i ), i - 1, 2, ... n integer, 3 _i - automation processors (PA _i ), 4 - bus system EN, 5 - network switch bus system ENL.

Figure 5 schematically shows the procedure for transmitting data on the ENL bus.

The complex of hardware and software process control works as follows.

The collection of process data, the issuance of control actions, as well as a number of standard functions, such as filtering, individual control, regulation, are implemented in I / O stations.

The interface modules of the input / output stations receive data from the input / output modules via the input / output buses for subsequent transmission to the automation processors via the ENL bus and transfer to the input / output modules the control data received from the automation processors via the ENL bus. The interface modules receive from the input / output modules and transmit data to the input / output modules only upon receipt of corresponding requests from the automation processors in the interface modules.

Automation processors receive data from interface modules on the ENL bus, receive data from other automation processors on the EN and ENS buses, process them in accordance with applied automation algorithms, and transfer data and processing results to the interface modules on the ENL bus and other automation processors on the buses EN and ENS.

The ENL bus is designed to transfer data in full duplex mode between the automation processor and the interface modules, while the automation processor is the leading subscriber of the bus, having the right to access the bus at any time, and the interface modules are slave subscribers of the bus, transmitting or receiving data only upon request from the automation processor.

Automation processors exchange data with interface modules via the ENL bus and process them cyclically, while at the beginning of the cycle, in the phase of cyclic data exchange, automation processors transfer data to interface modules, which immediately transmit the received data to input / output modules, and receive data from the interface modules they received from the I / O modules at the end of the previous cycle. The interface module immediately after receiving from the automation processor of a telegram a request for receiving data or a telegram with transmitted data sends a telegram with response data or a confirmation telegram for receiving data to the interface module. After the exchange phase is completed, data is processed. At the beginning of the cycle, before the cyclic data exchange procedure, automation processors issue a service telegram of the beginning of the cycle to the interface modules to synchronize the operation of the interface modules.

The cycle time, which determines the reaction time of the automation system, largely depends on the time of the data exchange phase. In order to minimize the time for data exchange on the ENL 4 bus, between the automation processor 3, which is the bus master (“master”), and all the interface modules that are 5 _i slave (“slaves”), the “master” 3 first continuously transmits requests ( data) sequentially to each “slave” 5 _i , without waiting for it to receive confirmations or response data in accordance with the time diagram of FIG. 10. The “master” 3 simultaneously with the transmission receives data from the “slaves” 5 _i accumulated by the switch in the buffer and transmitted to the “master” 3 at the maximum rate. In this case, the transmission of all telegrams in this cycle is delayed in the switch only for the delay time of the first transmitted by the "master" 3 telegrams equal to the time the telegram was sent to the ENL 4 bus. The response data is received by the "master" via the ENL bus simultaneously with the delayed data transmission the switch for the delay time of the first response telegram. The duration of the exchange phase is reduced to the minimum possible value for the bus based on Industrial Ethernet due to the exclusion of the waiting time by the “master” 3 receipt of response data sequentially from each “slave” 5 _i and the delay time in the delivery switch of each telegram to the “slave” 5 _i subscribers for a while its delivery to the ENL 4 bus by the “master” 3. An analysis of the receipt of all responses from the “slaves” 5 _{i by the} “master” 3 takes place after a timeout from the start of the transmission.

In the double backup mode at the level of the complex components, the exchange of data on the EN, ENL buses and their processing in accordance with the applied automation algorithms are performed by one of the redundant automation processors ("active"), the other processor ("standby") is in a hot standby state. On separate serial interfaces, redundant automation processors receive information about the health of the partner. Based on the assessment of this information and the results of self-monitoring in accordance with the specified criteria, the active automation processor can be switched to the "standby" state, and the "standby" to the active state.

The active automation processor exchanges data in the "request / response" mode with only one of the two redundant interface modules ("active") in each I / O station by accessing it at its address on the ENL bus, the second module ("redundant") It is in hot standby mode and does not participate in the data exchange via the ENL bus. Redundant interface modules are connected to each other via separate serial interfaces, with the help of which the interrogation of the partner’s health and the switching of the reserve is carried out.

Two channels of the ENL 4 bus of each automation processor 3 cross-connect the automation processor 3 to its own ENL 4 bus through its network switch and the ENL 4 bus of the automation partner processor 3 through the network switch of this bus. Thus, the automation processor can exchange data with any of the two interface modules in each I / O station, which currently performs the functions of the "active", in accordance with its address on the ENL bus. The interface module transmits response data via the ENL bus in broadcast mode, i.e. all subscribers on the ENL bus, and through the cross-connection, this data also goes to the backup automation processor. Thus, the additional periodic transmission of current data from the active automation processor 3 _i to the backup automation processor 3 _{i is} excluded _. (procedure for updating current data), providing shock-free switching to the reserve without data loss with less information load on the active automation processor. The transfer of time-dependent results of data processing from the main automation processor to the standby one (the procedure for updating time-dependent data) is also carried out through the cross-connection of automation processors to the ENL bus. In this way they provide a shock-free switch to the reserve, without introducing a separate interface for this.

The EN 2 bus is based on the Industrial Ethernet interface with a ring redundancy method. The EN 2 bus in the main redundancy mode, which ensures operability in case of any one-time errors in the network equipment, is made in the form of a single ring bus from series-connected network switches, it is used to connect non-redundant and redundant automation processors, while non-redundant automation processors 3 (network subscribers ) are connected to the EN 2 bus via two subscriber channels A and B - through channel A to one network switch, and through channel B to another network switch, redundant automation processors are connected to the bus via four channels, namely, through channels A and B of each of the two processors to two switches, both processors can be connected to the same or different pairs of network switches. Data is transmitted and received only on one channel of the active subscriber.

Failure detection of trunk communications in the EN 2 ring bus and their recovery is carried out by one of the switches, appointed by the backup manager. The backup manager keeps the ring open and monitors the integrity of the ring by sending diagnostic messages from one end and receiving them from the other end of the open ring. In the absence of messages at the receiving end in the event of a break in the trunk connection, the backup manager closes the ring and thereby restores the data transmission backbone. The subscriber communication channels of active channels are controlled by means of Ethernet and by transmitting diagnostic messages by subscribers with registration of channel failures and associated switches. The restoration of bus performance for any one-time failures of subscriber communications and switches is performed using a two-channel connection of each subscriber. In case of failure of the active subscriber communication channel or switch to which the subscriber is connected via this channel, the subscriber switches to another backup communication channel connected to another switch. This channel is transferred from the backup state to the active, and the previously active channel is transferred to the backup. A two-channel connection of automation processors, unlike a single-channel one, which uses a prototype, eliminates the need for switching to a backup subscriber and loss of bus control and data during switching during the most probable single failures of subscriber communications and network switches. If both channels of the active automation processor fail, they switch to the standby subscriber connected to the EN 2 bus via its two channels. At each target communication session, the operation of the recipient subscribers as well as the sender subscribers and the relationships between them during the transmission of each target telegram by acknowledging the receipt of the telegram by the recipient user is also monitored. If there is no acknowledgment telegram from the recipient subscriber at the target communication session when the transmission of the target telegram is repeated n times and the channel of the subscriber-transmitter is in good condition, the recipient subscriber is inaccessible and during subsequent communication sessions with this subscriber the transmission of the target telegram is not repeated until communication with by the subscriber and no acknowledgment telegram will be received, which allows reducing the time of communication sessions with the faulty subscriber and loading the bus.

The EN bus in the redundancy mode with increased fault tolerance, which ensures operability during any single or double errors in the network equipment, is made in the form of two physically disconnected ring buses A and B in series connected network switches (duplicated ring), it is used only for connecting redundant automation processors In this case, each automation processor is connected to the buses via two subscriber channels A and B: through channel A to the network switch of bus A, and through the channel at B to the network switch of bus B, with the active and standby automation processors connected to different switches of bus A and bus B.

The control of trunk and subscriber communications in each of the two ring buses is carried out in the same way as in the EN bus, with the main backup mode.

The backbone managers restore data backbones in the event of a backbone failure in each of the two ring buses.

The restoration of communications between subscribers in case of failure of subscriber communications and network switches is performed as follows. In the absence of malfunctions in the network equipment, each subscriber transmits addressed telegrams to other subscribers via one bus active in a given communication session with acknowledgment of their receipt, and receives from other subscribers via two buses. Broadcast telegrams without acknowledgment are transmitted and received on two buses simultaneously. In case of failure of one of the subscriber channels registered by means of monitoring subscriber connections, the subscriber initiates a procedure for updating information on the status of communication channels of all subscribers in each subscriber, for which he sends a service broadcast message on another channel indicating the failed channel, the number of the subscriber whose channel failed , and the subscriber’s number of the sender of the telegram, and all other subscribers, having received a telegram with the same value of the address of the sender and the subscriber whose channel has failed, send these telegrams to other subscribers on both channels, indicating their own sender address. Telegrams with different numbers of the sending subscriber and the subscriber with a failed channel are not broadcast. The information received by each active subscriber is transmitted to the backup subscriber. Thus, as a result of this procedure, each subscriber of the network has information about the current state of communication channels of other subscribers.

Before each communication session, the active subscriber-transmitter checks the operability of its own channels and the channels of the subscriber-recipient in this communication session and transmits a telegram on the bus, the connection channels to which both subscribers (transmitter and receiver) are operational. When transmitting a telegram, they control the delivery of the telegram to the recipient using an acknowledgment. If the receipt is not received from the receiving subscriber when the telegram is repeated n times, the sending subscriber considers that the receiving subscriber on this channel is not available, marks it in the status table as not available on this channel and selects another channel for communication, if it is working , translating it into active mode (previously active channel is transferred to the standby state) at this communication session. If the recipient’s subscriber is unavailable on both buses, for example, due to a malfunction or temporary shutdown, when the transmitter and receiver channels are serviceable, or if one channel is unavailable if the channel on the other bus fails, the corresponding channels or channel are marked as unavailable, while switching to the backup subscriber produce. The next time the subscriber-transmitter contacts the unavailable subscriber and does not receive a receipt from the recipient, the telegram transmission is not repeated. Thus, at each communication session, depending on the state of the channels of the subscribers participating in the communication session, the transmitter-subscriber assigns the active and backup communication channels, choosing the delivery path of the telegram via bus A or B to the receiving subscriber, which can receive telegrams on both buses.

If the transmitter-subscriber has both channels faulty or if one channel is faulty and the receiver-subscriber has a faulty channel on the other bus, the transmitter-subscriber goes into the standby state, and previously the standby subscriber goes into the active state, while the new active subscriber initializes the procedure for updating the information about the state of channels of bus subscribers.

Due to the fact that the same telegram can be transmitted several times in the data exchange procedure, in order to prevent repeated telegrams from being received by the recipient subscriber as different telegrams, they provide for individual identifiers that are independently generated for this recipient subscriber and subscriber receiver.

The 7 _i I / O station in a non-redundant configuration contains one or two non-redundant interface modules 5 _i and up to 16 non-redundant I / O modules 6 _i , each of which is connected to both serial interfaces of the I / O bus 7 _i with full duplex data transfer mode to both interface modules 5 _i. In this case, the interface module is the only leading subscriber on the ШВВ bus, input / output modules are slave subscribers, and receive data from the interface module, and transmit response data to the ШВВ bus only upon receipt of requests from the interface module. An I / O bus with a radical connection of I / O modules via separate serial interfaces provides higher fault tolerance compared to the trunk buses used in analogs and prototypes.

An I / O station in a non-redundant configuration with one interface module is connected via a non-redundant ENL bus to a non-redundant automation processor. At the beginning of the cycle, the interface module receives data or requests for receiving data from the automation processor and transmits data reception confirmations or response data of the input / output modules prepared by the interface module in the previous cycle. The interface module receives the data received from the automation processor to the input / output modules of the input / output station via serial interfaces of the input / output bus via the FIFO type transmission buffer with a volume larger than the maximum length of the transmitted data of one input / output module. In response to the receipt of data, the input / output modules transmit confirmation telegrams (acknowledgment) of data receipt. From FIFO buffers, the interface module transmits data via serial interfaces almost simultaneously to all I / O modules of the station, without waiting for the receipt of receipts, which it analyzes after completion of the transmission of all data by timeout, which reduces the time of data transfer.

At the end of the cycle, the interface module collects data from the input / output modules for transmission to the automation processor at the beginning of the next cycle. For this, the interface module issues reception requests through the FIFO transmitting buffers to the input / output modules, in response to which the input / output modules simultaneously transmit the requested data, which are received in the receive buffer of the FIFO type of the interface module with a volume larger than the maximum length of the received data . The interface module analyzes the received data after receiving data from all the input / output modules by timeout, which reduces the time of data transfer. Thus, the exchange of data between the interface module and all the input / output modules of the station is carried out via serial interfaces of the input / output bus at the same time, which can significantly reduce the data exchange time in comparison with the main serial interfaces used in analogs.

Input-output station 7 _i in a redundant configuration comprising a pair of redundant interface modules 5 to 8 and _i pairs of redundant I / O modules 6 _i, each of which is a separate serial interfaces IO bus 7 _i connected to both interface modules 5 _i. in this case, the interface modules are connected to each other via separate serial interfaces, and the pairs of input / output modules via bi-directional signal lines, with the help of which the redundancy of the modules is controlled, i.e. switching the active module to the standby state, and previously the standby module to the active state based on the assessment of the partner’s health and its own health based on the results of operational self-monitoring. The active interface module requests the serial data from the active and standby I / O modules via the serial interfaces of its own SHVV bus, which enter the active interface module for transferring from the active interface module to the active and standby automation processors in the next cycle. The redundant module, in turn, at the end of the cycle polls the active and redundant I / O modules on the serial interfaces of its I / O bus, but does not transmit the received data to the processor modules via the ENL bus.

If the active I / O module fails, the standby module becomes active. The interface module determines this during the next polling of a previously active I / O module. The information received from the failed module is not valid, and the interface module takes information received from the backup module. Thus, they perform shock-free switching of the reserve at the level of I / O modules, without using the procedure for updating the current data of I / O modules and eliminating data loss. The time-dependent results of the preliminary processing of the input / output modules are updated on each cycle in the interface module by transferring them from the memory area in which the data of the active input / output modules are stored to the memory area of the backup modules.

If the active interface module fails, it is switched to the standby state, and the standby module to the active state. The automation processor determines this during the next poll of the active interface module at the beginning of the cycle and does not use the data received from the interface module, because they are invalid. At the end of this cycle, the redundant interface module polls the I / O modules and prepares the data for transmission to the automation processor in the next cycle, at the beginning of which the redundant interface module is set to active. In the next cycle, the automation processor sends data to the new active interface module via the second channel of the ENL bus and receives data from the input / output modules prepared by this interface module in the previous cycle. Thus, data loss is minimized when switching the reserve at the interface module level.

The active interface module transfers control data only to active I / O modules. If the I / O module fails, the interface module transfers control data to the standby module, which becomes active. If the interface module fails, it blocks the transfer of control data to the input / output modules, the automation processor determines this during the next interrogation of the interface modules, and in the next cycle transfers this data to the standby interface module, which becomes active, and translates it into active input / output modules.

An I / O station in a non-redundant configuration with two interface modules can be connected via two non-redundant ENL buses to non-redundant automation processors. In this configuration of the I / O station, independent access to I / O modules 6, control of actuators from two non-redundant automation processors 3 via separate non-redundant ENL 4 buses, interface modules 5 _i and I / O bus lines 7 _i is possible. This can be used in a safety system that is not reserved at the level of the complex components for independent control of the common actuating valves by the security system and normal operation system in accordance with the priority set in input / output modules 6 and eliminates any impact of the normal operation system on operation security systems.

The software and hardware complex makes it possible to build on its basis systems of normal operation without redundancy and with double redundancy at the level of complex components, as well as the safety systems of nuclear plants that are not redundant at the level of complex components, but redundant at the level of subsystems (security channels) and other automation objects .

In the security system, data transfer between automation processors takes place via ENS buses, which provide the construction of computing and communication structures with high fault tolerance. The security system also performs multiple backups at the level of subsystems - security channels that perform the same application tasks, by organizing the connections of each security channel with each other channel on separate ENS buses according to the majority principle and processing the data received on these buses at the application level in security channel automation processors in accordance with the selected voting rules. ENS buses are based on the Industrial Ethernet interface with a ring redundancy method, but in contrast to the EN bus, automation processors are connected to the bus switches on one channel, and the trunk communications between the bus switches related to safety channels, the block and backup control panels are made in the form of fiber optic cables, which provides protection against failures for common reasons that cause physical effects on mating components.

Data transmission on the ENS buses is carried out using telegrams indexed at the application level of the protocols in accordance with the numbers of the channels on which they are transmitted. When receiving telegrams, the subscriber analyzes them for belonging to this channel and discards telegrams whose index does not coincide with the channel number due to a possible malfunction of the transmitter-subscriber. Thus, protection against failures is introduced for a common reason, when, for example, the subscriber-transmitter as a result of a failure generates and transmits via a channel a telegram with an index belonging to another channel, which can lead to an erroneous result during voting and disruption of a functioning subscriber-receiver.

In the ENS bus application protocols, automation processors provide means for sequentially polling the receiving buffers of ENS bus channel channels, regardless of their filling. Thus, additional protection against failures is introduced for a common reason, when, for example, a subscriber-transmitter as a result of a failure starts transmitting data on a channel with a speed that is too high that the data processing speed in the receiver, which, if there are no protection means, can lead to a malfunction subscriber-receiver due to the loss of telegrams received on other channels.

Claims (5)

1. A set of software and hardware tools for controlling the technological processes of thermal and nuclear plants, containing programmable controllers, a system bus based on the Industrial Ethernet interface and standard network switches in a ring communication topology for data exchange between programmable controllers and communication with the upper level, input station I / O, connected by buses with programmable controllers and containing interface modules and input / output modules, characterized in that it includes: processors systems connected to the EN system bus with its own application protocol, the local ENL bus, based on the Industrial Ethernet interface and standard network switches according to the radial communication topology for connecting interface modules to the automation processor and exchanging automation processor data with process communication modules (modules input / output), through the interface modules of I / O stations, and in the application protocols of the ENL bus, means of exchanging data with interface modules with a minimum of but possible exchange time for the Industrial Ethernet interface; ENS buses made on the basis of the Industrial Ethernet interface and standard network switches in a ring communication topology for exchanging data between security automation processors; moreover, in the application protocols of the ENS buses, means are established for sequentially polling the receiving buffers of the connection channels to the ENS buses regardless of their filling, means indexing the transmitted telegrams in accordance with the channel number, as well as the means of analyzing the received telegrams for belonging to this channel and blocking the processing of telegrams that do not belong to this channel, and up to two interface modules and process communication modules (communication modules) can be installed in I / O stations, with each interface module connected to communication modules via separate serial I / O bus interfaces according to the radial topology communication. 2. The complex of software and hardware tools for controlling the technological processes of thermal and nuclear plants according to claim 1, characterized in that the automation processors, interface modules and input / output modules and EN, ENL and ШВВ buses are equipped with redundancy tools that ensure the construction of high reliability systems and fault tolerance with shockless switching to the reserve without loss of information; in the backup mode at the level of the complex components (automation processor, interface module, input / output module, EN, ENL, ШВВ buses), each of the two redundant automation processors is connected to the redundant ENL bus and through it to the redundant interface modules via two channels: one a channel to the switch of its own bus, otherwise to the switch of the partner bus (cross-connection), while interface modules are connected to other ports of the switches; the interface module is connected to the redundant I / O modules via separate redundant serial I / O bus interfaces, while the redundant automation processors and interface modules are connected to their partners via separate serial interfaces, and the redundant I / O modules are connected to their partners via bi-directional signal lines communication. 3. The complex of software and hardware tools for controlling the technological processes of thermal and nuclear plants according to claim 1, characterized in that the EN bus in the main redundancy mode, designed to connect redundant and non-redundant automation processors, is made in the form of one ring bus from series-connected network switches In this case, each automation processor is connected to the buses through two subscriber channels A and B, through channel A to one network switch, and through channel B to another network switch to the atoru. 4. The complex of software and hardware tools for controlling the technological processes of thermal and nuclear plants according to claim 1, characterized in that the EN bus in the redundancy mode with increased fault tolerance, intended only for connecting redundant automation processors, is made in the form of two physically unconnected ring buses A and In series-connected network switches (duplicated ring), with each automation processor connected to the buses via two subscriber channels A and B: through channel A to the network bus A, and channel B to the network switch of bus B, while the active and standby processors are connected to different pairs of switches. 5. The complex of software and hardware tools for process control according to claim 1, characterized in that the unreserved input / output station in a configuration designed for independent access of two automation processors to the input / output modules controlling the actuators contains two interface modules, which connected via separate serial interfaces to all station modules and connected via two non-redundant ENL buses to two automation processors.

Images