WO2000038021A1 - Automation system scalable in terms of availability and reliability - Google Patents
- Publication number: WO2000038021A1 (application PCT/DE1999/003895)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- availability
- security
- central
- safety
- units
Classifications
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
  - G05B9/00—Safety arrangements
  - G05B9/02—Safety arrangements electric
  - G05B9/03—Safety arrangements electric with multiple-channel loop, i.e. redundant control systems
  - G05B19/00—Programme-control systems
  - G05B19/02—Programme-control systems electric
  - G05B19/04—Programme control other than numerical control, i.e. in sequence controllers or logic controllers
  - G05B19/042—Programme control other than numerical control, i.e. in sequence controllers or logic controllers using digital processors
  - G05B19/0428—Safety, monitoring
  - G05B2219/00—Program-control systems
  - G05B2219/20—Pc systems
  - G05B2219/24—Pc safety
  - G05B2219/24008—Safety integrity level, safety integrated systems SIL SIS
Definitions
- Automation system scalable in terms of availability and security
- The present invention relates to an automation system that is scalable with regard to availability and security, having at least one central unit or a plurality of central units communicatively connected to one another, at least one decentralized peripheral module and at least one communication channel between the central unit(s) and the peripheral module(s).
- The object of the present invention is therefore to specify an automation system which can be scaled with regard to availability and security, or measures to achieve such scalability, so that, starting from one automation system, the respective requirements regarding availability and security can be met by using suitable components or corresponding measures.
- In the following, an automation system is understood to mean a central unit or a plurality of central units communicatively connected to one another, at least one decentralized peripheral module and at least one communication channel between the central unit(s) and the peripheral module(s), in particular a programmable logic controller designed in this way.
- Decentralized peripherals, i.e. peripheral modules that are connected via a communication channel implemented as a fieldbus, are increasingly being used. This is also required in the case of highly available and fail-safe automation systems.
- Standard automation systems and fail-safe automation systems with decentralized peripherals are e.g. from the
- The automation system consists of one or more central units, one or more decentralized peripheral modules and one or more communication channels (communication media and possibly communication modules) for communication between the central units and the peripheral modules.
- The peripheral modules can be available in various designs: on the one hand as a so-called compact device with a direct connection to a fieldbus, on the other hand as modular peripherals with an indirect connection to a fieldbus, together with other peripheral modules via a communication module and a corresponding subrack.
- The scalability of availability and security is achieved according to the invention through the redundant or non-redundant use of central units, peripheral modules and communication channels, the use of either non-fail-safe standard assemblies or fail-safe special assemblies, the integration or reloading of the functionality (firmware) required for the various availability and security levels into the assemblies, and the activation of the functionality required for the desired availability and security by programming or project planning (configuration).
- The central units available for selection within the automation system according to the invention are:
- Central units optimized in terms of availability: the availability of the central units can be increased by using two central units, one acting as master and the other as reserve.
- The master has control of the peripheral modules; the reserve runs along with it (hot standby).
- The two redundant central units communicate with each other; in particular they synchronize, exchange data that only one CPU has at a time, and compare their data.
- The reserve central unit takes control, i.e. it becomes the new master, if the master central unit detects an error (e.g. through a self-test) or if the master central unit stops working and a synchronization timeout is triggered in the reserve central unit. If an inadmissible deviation is found when comparing common data, an attempt is made to localize the error (e.g. by means of a self-test). Detected errors are optionally signaled to initiate repairs.
- Central units optimized in terms of security for SIL 2: fail-safe central units whose security can be raised to SIL 2 without hardware redundancy by integrating error control measures (e.g. diverse processing, self-test) into a standard central unit as standard, or by reloading them into it.
- Central units optimized in terms of security and availability for SIL 2 are obtained by combining the principles of the availability-optimized central unit on the one hand and the security-optimized central unit on the other.
- A SIL 3 central unit optimized in terms of security differs from the SIL 2 central unit optimized in terms of security and availability in that, in the event of a fault, the system does not switch to the reserve central unit; instead the outputs are blocked.
- A central unit optimized for safety and availability for SIL 3 differs from the central unit optimized for safety and availability for SIL 2 in that solo operation, i.e. the operating state in which the master central unit has failed and the reserve central unit alone controls the system, is time-limited.
- With redundant communication channels, a first communication channel is the master channel and a second communication channel is the reserve channel.
- The connection of non-redundant peripherals to a redundant communication channel is made by a changeover switch, which is implemented in the peripheral module itself or in a special coupling module. The switch monitors the functionality of the master channel, and optionally also that of the reserve channel, by time monitoring of the cyclic message traffic. On a timeout of the master channel, the system switches to the reserve channel. A communication timeout is optionally signaled to initiate a repair.
- Communication channels optimized for use between central units optimized for security (or security and availability) and peripherals optimized for security (or security and availability) are obtained by using a special security protocol. This protocol is transparent, so that standard communication is also possible via the same communication channel.
- Communication optimized for security and availability is obtained by using the security protocol over redundant communication channels, i.e. by combining communication optimized for security on the one hand with communication optimized for availability on the other.
- FIG. 1 shows a schematic block diagram of an example automation system.
- The example automation system according to FIG. 1 consists of two central subracks R1 and R2 and two decentralized subracks R3 and R4.
- The subracks R1 and R2 are supplied with operating voltage by the power supplies SV1 and SV2.
- The subracks R3 and R4 are supplied via the interface modules IM1 and IM2.
- The central units CPU1 and CPU2 in the two central subracks R1 and R2 are connected to one another via a synchronization interface Sync. They work together as central units optimized for safety and availability for SIL 2.
- The optimization in terms of availability (background tests, synchronization, updating, etc.) and parts of the optimization in terms of security (essentially background tests) are already integrated in the operating system of the central units and are activated by appropriate configuration. Specific measures to increase security are loaded into the central unit as part of the respective user program.
- Each central unit has an interface to the communication medium Kir 1, Kir 2.
- The central units CPU1, CPU2 also exchange their input data via the synchronization interface Sync.
- The interface module IM1 connects subrack R3 to the first central unit CPU1 via the communication medium comm 1; the interface module IM2 connects subrack R4 to the second central unit CPU2 via the communication medium comm 2.
- The standard peripheral modules SM1 and SM2 in subrack R3 each work as standard peripherals. Communication with the first central unit CPU1, which is optimized in terms of availability and security, takes place via standard communication.
- The standard peripheral modules SM3 and SM4 in subrack R4 work together as peripherals optimized in terms of availability. Communication with the second central unit CPU2, which is optimized in terms of security and availability, takes place via a communication channel optimized in terms of availability.
- The fail-safe I/O modules SFM1 and SFM2 in subrack R3 each work as I/O optimized for safety.
- The fail-safe I/O modules SFM3 and SFM4 in subrack R4 work together as peripherals optimized in terms of safety and availability. Communication with the second central unit CPU2, which is likewise optimized with regard to security and availability, accordingly takes place via a communication channel optimized with regard to both availability and security.
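The following Python model is an added illustration, not code from the patent: it encodes the master/reserve rules described above (switchover on a failed self-test or a synchronization timeout in the reserve, error localisation on a deviation of common data, signalling of detected errors) and the three central-unit profiles that react differently to a fault: SIL 2 safety+availability switches to the reserve, SIL 3 safety blocks the outputs instead, and SIL 3 safety+availability switches but limits solo operation in time. The profile labels, CPU names, timeout and solo-limit values are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Profile labels are constructed for this example, not the patent's own identifiers
SIL2_SA = "SIL2_SA"  # safety+availability, SIL 2: fault -> reserve takes over, solo run unlimited
SIL3_S = "SIL3_S"    # safety, SIL 3: fault -> outputs blocked, no switchover
SIL3_SA = "SIL3_SA"  # safety+availability, SIL 3: as SIL2_SA, but solo operation is time-limited


@dataclass
class RedundantCentralUnit:
    profile: str
    sync_timeout: float = 0.5   # s without sync traffic before the reserve declares master loss (assumed)
    solo_limit: float = 30.0    # s of permitted solo operation for SIL3_SA (assumed)
    master: str = "CPU1"
    reserve: Optional[str] = "CPU2"
    last_sync: float = 0.0
    solo_since: Optional[float] = None
    outputs_blocked: bool = False
    signals: list = field(default_factory=list)  # detected errors signalled to initiate repair

    def _on_master_fault(self, now: float, reason: str) -> None:
        self.signals.append(f"{now:.1f}s {reason}")
        if self.profile == SIL3_S or self.reserve is None:
            self.outputs_blocked = True                     # safe state: block outputs
            return
        self.master, self.reserve = self.reserve, None      # reserve becomes the new master
        self.solo_since = now

    def sync(self, now: float) -> None:  # cyclic synchronization message from the master
        self.last_sync = now

    def self_test(self, now: float, passed: bool) -> None:  # master self-test result
        if not passed:
            self._on_master_fault(now, f"self-test failed on {self.master}")

    def compare(self, now: float, own: int, partner: int) -> bool:
        # Compare common data of both CPUs; an inadmissible deviation starts error localisation
        if own == partner:
            return True
        self.signals.append(f"{now:.1f}s data deviation {own} vs {partner}: localising error")
        return False

    def tick(self, now: float) -> None:
        """Periodic monitoring: sync timeout in the reserve, solo-time limit for SIL3_SA."""
        if self.outputs_blocked:
            return
        if self.reserve is not None and now - self.last_sync > self.sync_timeout:
            self._on_master_fault(now, f"sync timeout, {self.master} stopped")
        if (self.profile == SIL3_SA and self.solo_since is not None
                and now - self.solo_since > self.solo_limit):
            self.signals.append(f"{now:.1f}s solo operation limit exceeded")
            self.outputs_blocked = True


def run_scenario(profile: str) -> dict:
    """Constructed timeline: master stops syncing after t=0.4 s; monitoring ticks at 1 s and 40 s."""
    cu = RedundantCentralUnit(profile)
    for t in (0.0, 0.4):
        cu.sync(t)
    cu.tick(1.0)   # 0.6 s without sync exceeds the 0.5 s timeout
    cu.tick(40.0)  # 39 s of solo operation exceeds the SIL3_SA limit
    return {"master": cu.master, "blocked": cu.outputs_blocked, "signals": cu.signals}
```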
Abstract
The invention relates to an automation system scalable in terms of availability and reliability, comprising at least one central unit (CPU1) or several central units (CPU1, CPU2) interconnected so as to communicate with one another, at least one peripheral component block and at least one communication channel between the central unit(s) and the peripheral component block(s). In order to be able to scale this system in terms of availability and reliability, the following measures are provided: redundant or non-redundant use of central units, peripheral component blocks and communication channels; use of fail-safe standard component blocks or of fail-safe special component blocks; integration or reloading of the functionality required for different types of availability or reliability into each of the components concerned; and activation of the functionality required for the desired availability and reliability by project planning or programming.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE19858645 | 1998-12-18 | ||
DE19858645.0 | 1998-12-18 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2000038021A1 (fr) | 2000-06-29 |
Family
ID=7891689
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/DE1999/003895 WO2000038021A1 (fr) | 1998-12-18 | 1999-12-06 | Automation system scalable in terms of availability and reliability |
Country Status (1)
Country | Link |
---|---|
WO (1) | WO2000038021A1 (fr) |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP0497147A2 (fr) * | 1991-01-28 | 1992-08-05 | Siemens Aktiengesellschaft | Redundant automation system |
DE4312305A1 (de) * | 1993-04-15 | 1994-10-27 | Abb Patent Gmbh | Safety-oriented programmable logic controller |
EP0640899A1 (fr) * | 1993-08-24 | 1995-03-01 | Landis & Gyr Technology Innovation AG | Method for programming a memory means and apparatus for carrying it out |
DE4416795A1 (de) * | 1994-05-06 | 1995-11-16 | Mannesmann Ag | Redundantly configurable transmission system for data exchange and method for operating it |
US5592373A (en) * | 1993-11-18 | 1997-01-07 | Siemens Aktiengesellschaft | Method and apparatus for configuring an automation system |
WO1997026587A1 (fr) * | 1996-01-17 | 1997-07-24 | Siemens Aktiengesellschaft | Automation device |
DE19701323A1 (de) * | 1997-01-16 | 1998-07-23 | Hartmann & Braun Gmbh & Co Kg | Method and device for updating the operating software |
Application events
- 1999-12-06: WO PCT/DE1999/003895, patent WO2000038021A1 (fr), active, Application Filing
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP1826641B1 (fr) * | 2003-09-30 | 2010-11-03 | Rockwell Automation Technologies, Inc. | Safety controller providing rapid recovery of safety program data |
EP2273331A1 (fr) * | 2003-09-30 | 2011-01-12 | Rockwell Automation Technologies, Inc. | Safety controller providing rapid recovery of safety program data |
EP1596262A1 (fr) * | 2004-05-10 | 2005-11-16 | Siemens Aktiengesellschaft | Safety-oriented data transfer |
CN100382474C (zh) * | 2004-05-10 | 2008-04-16 | 西门子公司 | System and method for safe data transmission |
US7453902B2 (en) | 2004-05-10 | 2008-11-18 | Siemens Aktiengesellschaft | Failsafe transmission of data |
EP1999544A2 (fr) * | 2006-02-23 | 2008-12-10 | Rockwell Automation Technologies, Inc. | Graphical interface combining safety level and availability level |
EP1999544A4 (fr) * | 2006-02-23 | 2010-05-05 | Rockwell Automation Tech Inc | Graphical interface combining safety level and availability level |
Similar Documents
Publication | Title |
---|---|
DE3208573A1 (de) | 2-out-of-3 selection device in a 3-computer system |
EP0092719B1 (fr) | Arrangement for coupling digital processing units |
EP3622357B1 (fr) | Control system for controlling safety-critical and non-safety-critical processes, with master-slave functionality |
DE4416795C2 (de) | Redundantly configurable transmission system for data exchange and method for operating it |
WO2005106603A1 (fr) | Redundant automation system comprising a master programmable controller and a reserve programmable controller |
EP1174781A2 (fr) | Signal transmission apparatus |
EP2491492B1 (fr) | Automation system and method for operating an automation system |
EP0109981A1 (fr) | Fail-safe data processing installation |
EP0846290B1 (fr) | Single-channel device for transmitting data originating from two data sources |
EP3214512B1 (fr) | Redundant control system for an actuator and redundant control method therefor |
WO2000038021A1 (fr) | Automation system scalable in terms of availability and reliability |
EP0543820B1 (fr) | High-safety multicomputer system with three computers |
DE10148810A1 (de) | Control and power supply system for at least two aircraft seats |
EP2480940B1 (fr) | Method for providing safety functions |
EP0647890A1 (fr) | Computing module for a modular automation system |
EP0358785B1 (fr) | Device for operating a redundant multiprocessor system for controlling an electronic signal box in railway signalling |
EP1485765A2 (fr) | Sensor-machine interface and its mode of operation |
EP2048555A1 (fr) | Analog output device with error detection |
EP1302826A1 (fr) | Synchronization method for high-availability automation devices |
DE19543817C2 (de) | Method and arrangement for testing and monitoring the operation of at least two data processing devices with computer structure |
DE10247520A1 (de) | Method and device for process automation with control units for driving peripheral devices via a bus system |
DE10246007A1 (de) | Communication system |
DE10344070B4 (de) | Drive module for a printing press |
WO1997022057A1 (fr) | Method for setting addresses in parallel-wired bus systems, and device for implementing this method |
EP1089190A2 (fr) | Method for operating a coupling circuit for a bus system and corresponding circuit |
Legal Events
Code | Title | Description |
---|---|---|
AK | Designated states | Kind code of ref document: A1; Designated state(s): CN CZ KR US |
AL | Designated countries for regional patents | Kind code of ref document: A1; Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE |
DFPE | Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101) | |
121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
122 | Ep: pct application non-entry in european phase | |