WO2000038021A1 - Systeme d'automatisation a echelle modulable en termes de disponibilite et de fiabilite - Google Patents


Info

Publication number: WO2000038021A1
Authority: WO (WIPO, PCT)
Prior art keywords: availability, security, central, safety, units
Application number: PCT/DE1999/003895
Other languages: German (de), English (en)
Inventors: Herbert Barthel, Andreas Schenk, Hartmut Schütz
Original assignee: Siemens Aktiengesellschaft
Priority date: 1998-12-18
Filing date: 1999-12-06
Publication date: 2000-06-29

Classifications

    • G PHYSICS
      • G05 CONTROLLING; REGULATING
        • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
          • G05B 9/00 Safety arrangements
            • G05B 9/02 Safety arrangements electric
              • G05B 9/03 Safety arrangements electric with multiple-channel loop, i.e. redundant control systems
          • G05B 19/00 Programme-control systems
            • G05B 19/02 Programme-control systems electric
              • G05B 19/04 Programme control other than numerical control, i.e. in sequence controllers or logic controllers
                • G05B 19/042 Programme control other than numerical control, i.e. in sequence controllers or logic controllers using digital processors
                  • G05B 19/0428 Safety, monitoring
          • G05B 2219/00 Program-control systems
            • G05B 2219/20 PC systems
              • G05B 2219/24 PC safety
                • G05B 2219/24008 Safety integrity level, safety integrated systems (SIL, SIS)

Definitions

  • Automation system scalable in terms of availability and safety
  • The present invention relates to an automation system that is scalable with regard to availability and safety, comprising at least one central unit or a plurality of central units communicatively connected to one another, at least one decentralized peripheral module, and at least one communication channel between the central unit(s) and the peripheral module(s).
  • The object of the present invention is therefore to specify an automation system that can be scaled with regard to availability and safety, or measures for achieving such scalability, so that, starting from a basic automation system, the respective availability and safety requirements can in principle be met by using suitable components or by taking corresponding measures.
  • In the following, an automation system is understood to mean a central unit or a plurality of central units communicatively connected to one another, at least one decentralized peripheral module and at least one communication channel between the central unit(s) and the peripheral module(s), in particular a programmable logic controller built in this way.
  • Decentralized peripherals, i.e. peripheral modules connected via a communication channel implemented as a fieldbus, are increasingly being used. This is also required for highly available and fail-safe automation systems.
  • Standard automation systems and fail-safe automation systems with decentralized peripherals are e.g. from the
  • The automation system consists of one or more central units, one or more decentralized peripheral modules and one or more communication channels (communication media and, if applicable, communication modules) for communication between the central units and the peripheral modules.
  • The peripheral modules can come in various designs: as a so-called compact device with a direct connection to a fieldbus, or as modular peripherals with an indirect connection to a fieldbus, together with other peripheral modules, via a communication module and a corresponding subrack.
  • According to the invention, scalability of availability and safety is achieved through the redundant or non-redundant use of central units, peripheral modules and communication channels; the use of either non-fail-safe standard assemblies or fail-safe special assemblies; the integration into the assemblies, or reloading into them, of the functionality (firmware) required for the various levels of availability and safety; and the activation of the functionality required for the desired availability and safety by programming or configuration.
  • The central units available for selection within the automation system according to the invention are:
  • Central units optimized in terms of availability: the availability of the central units can be increased by using two central units, one acting as master and the other as reserve.
  • The master has control of the peripheral modules; the reserve runs along in hot standby.
  • The two redundant central units communicate with each other; in particular, they synchronize, exchange data that only one CPU holds at a time, and compare common data.
  • The reserve central unit takes control, i.e. it becomes the new master, if the master central unit detects an error (e.g. through a self-test) or if the master central unit stops working and a synchronization timeout is triggered in the reserve central unit. If an inadmissible deviation is found when comparing common data, an attempt is made to localize the error (e.g. by means of a self-test). Detected errors are optionally signaled to initiate repairs.
  • Central units optimized in terms of safety for SIL 2: fail-safe central units whose safety can be raised to SIL 2 without hardware redundancy by integrating error-control measures (e.g. diverse processing, self-test) into a standard central unit as standard, or by reloading them into it.
  • Central units optimized in terms of safety and availability for SIL 2 are obtained by combining the principles of the availability-optimized central unit on the one hand and the safety-optimized central unit on the other.
  • A SIL 3 central unit optimized in terms of safety differs from the SIL 2 central unit optimized in terms of safety and availability in that, in the event of a fault, the system does not switch to the reserve central unit; instead, the outputs are blocked.
  • A central unit optimized for safety and availability for SIL 3 differs from the SIL 2 central unit optimized for safety and availability in that solo operation, i.e. the operating state in which the master central unit has failed and the reserve central unit alone controls the system, is time-limited.
  • With redundant communication channels, a first communication channel is the master channel and a second communication channel is the reserve channel.
  • Non-redundant peripherals are connected to a redundant communication channel by a changeover switch, implemented either in the peripheral module itself or in a special coupling module. The switch monitors the functionality of the master channel, and optionally also that of the reserve channel, by time monitoring of the cyclical message traffic.
  • If the time monitoring detects a failure of the master channel, the system switches to the reserve channel.
  • A communication timeout is optionally signaled to initiate a repair.
  • Communication channels optimized for use between central units and peripherals that are optimized for safety, or for safety and availability, are obtained by using a special safety protocol which is transparent, so that standard communication is also possible over the same communication channel.
  • Communication optimized for safety and availability is obtained by using the safety protocol over redundant communication channels, i.e. by combining communication optimized for safety on the one hand with communication optimized for availability on the other.
  • FIG. 1 shows a schematic block diagram of an example automation system.
  • The example automation system according to FIG. 1 consists of two central subracks R1 and R2 and two decentralized subracks R3 and R4.
  • Subracks R1 and R2 are supplied with operating voltage by the power supplies SV1 and SV2.
  • Subracks R3 and R4 are supplied via the interface modules IM1 and IM2.
  • The central units CPU1 and CPU2 in the two central subracks R1 and R2 are connected to one another via a synchronization interface Sync. They work together as central units optimized for safety and availability for SIL 2.
  • The optimization in terms of availability (background tests, synchronization, updating, etc.) and parts of the optimization in terms of safety (essentially background tests) are already integrated in the operating system of the central units and are activated by appropriate configuration. Specific measures for increasing safety are loaded into the central unit as part of the respective user program.
  • Each central unit has an interface to a communication medium (comm 1, comm 2).
  • The central units CPU1 and CPU2 also exchange their input data via the synchronization interface Sync.
  • The interface module IM1 connects subrack R3 to the first central unit CPU1 via the communication medium comm 1; the interface module IM2 connects subrack R4 to the second central unit CPU2 via the communication medium comm 2.
  • The standard peripheral modules SM1 and SM2 in subrack R3 each work as standard peripherals. Communication with the first central unit CPU1, which is optimized in terms of availability and safety, takes place via standard communication.
  • The standard peripheral modules SM3 and SM4 in subrack R4 work together as peripherals optimized in terms of availability. Communication with the second central unit CPU2, which is optimized in terms of safety and availability, takes place via a communication channel optimized in terms of availability.
  • The fail-safe I/O modules SFM1 and SFM2 in subrack R3 each work as I/O optimized for safety.
  • The fail-safe I/O modules SFM3 and SFM4 in subrack R4 work together as peripherals optimized in terms of safety and availability. Communication with the second central unit CPU2, which is likewise optimized in terms of safety and availability, accordingly takes place via a communication channel optimized in terms of availability and safety.
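As an added illustration (not code from the patent or from Siemens), the following Python model puts the central-unit rules listed above into one state machine: takeover by the reserve on a master self-test failure or a synchronization timeout, error localization by self-test on a data deviation, blocking of the outputs for the safety-only SIL 3 unit, and time-limited solo operation for the SIL 3 safety-and-availability pair. The cycle counts (sync_timeout, solo_limit), the class names and the rule that an unlocalizable deviation is charged to the master are constructed assumptions, not values from the patent.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Cpu:
    name: str
    alive: bool = True          # still answering on the Sync interface
    self_test_ok: bool = True   # latest result of its background self-test

@dataclass
class CentralUnitPair:
    """Hypothetical model (not the patent's code) of the master/reserve rules. switch_on_fault=False
    is the safety-only SIL 3 unit (outputs blocked); solo_limit is SIL 3 time-limited solo operation."""
    master: Cpu
    reserve: Optional[Cpu]
    switch_on_fault: bool = True
    solo_limit: Optional[int] = None   # None: solo operation not time-limited (SIL 2)
    sync_timeout: int = 3              # constructed: missed sync cycles before takeover
    missed_syncs: int = 0
    solo_cycles: int = 0
    outputs_blocked: bool = False
    log: list = field(default_factory=list)   # detected errors, signalled to initiate repair

    def _fault(self, reason: str) -> str:
        self.log.append(f"fault in {self.master.name}: {reason}")
        if self.switch_on_fault and self.reserve is not None and self.reserve.alive:
            self.master, self.reserve = self.reserve, None   # reserve becomes the new master
            self.log.append(f"{self.master.name} took over (solo operation)")
            return "solo"
        self.outputs_blocked = True                           # no usable reserve: safe state
        return "blocked"

    def cycle(self, master_data: int, reserve_data: int) -> str:
        if self.outputs_blocked:
            return "blocked"
        if self.reserve is None:                               # solo operation
            self.solo_cycles += 1
            if not (self.master.alive and self.master.self_test_ok):
                return self._fault("sole remaining central unit failed")
            if self.solo_limit is not None and self.solo_cycles > self.solo_limit:
                self.log.append("solo operation time limit exceeded")
                self.outputs_blocked = True
                return "blocked"
            return "solo"
        if not self.master.self_test_ok:                       # master detects its own error
            return self._fault("self-test failed")
        if not self.master.alive:                              # no sync message this cycle
            self.missed_syncs += 1
            if self.missed_syncs >= self.sync_timeout:         # synchronisation timeout in reserve
                return self._fault("synchronisation timeout")
            return "redundant"
        self.missed_syncs = 0
        if master_data != reserve_data:                        # inadmissible deviation: localise
            if not self.reserve.self_test_ok:                  # reserve is the faulty one
                self.log.append(f"fault in {self.reserve.name}: self-test failed")
                self.reserve = None
                return "solo"
            return self._fault("data deviation not attributable to reserve")  # assumption: blame master
        return "redundant"
```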

Abstract

The invention relates to an automation system scalable in terms of availability and safety, comprising at least one central unit (CPU1) or several central units (CPU1, CPU2) interconnected so as to communicate with one another, at least one peripheral module and at least one communication channel between the central unit(s) and the peripheral module(s). In order to be able to scale this system in terms of availability and safety, the following measures are provided: redundant or non-redundant use of central units, peripheral modules and communication channels; use of error-protected standard modules or of error-protected special modules; integration or reloading of the functionality required for different kinds of availability or safety into each of the components concerned; and activation of the functionality required for the desired availability and safety by configuration or programming.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE19858645 1998-12-18
DE19858645.0 1998-12-18

Publications (1)

Publication Number Publication Date
WO2000038021A1 true WO2000038021A1 (fr) 2000-06-29

Family

Family ID: 7891689

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/DE1999/003895 WO2000038021A1 (fr) 1998-12-18 1999-12-06 Systeme d'automatisation a echelle modulable en termes de disponibilite et de fiabilite

Country Status (1)

Country Link
WO (1) WO2000038021A1 (fr)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0497147A2 (fr) * 1991-01-28 1992-08-05 Siemens Aktiengesellschaft Redundant automation system
DE4312305A1 (de) * 1993-04-15 1994-10-27 Abb Patent Gmbh Safety-oriented programmable logic controller
EP0640899A1 (fr) * 1993-08-24 1995-03-01 Landis & Gyr Technology Innovation AG Method for programming a memory device and apparatus for carrying it out
DE4416795A1 (de) * 1994-05-06 1995-11-16 Mannesmann Ag Redundantly configurable transmission system for data exchange and method for operating it
US5592373A (en) * 1993-11-18 1997-01-07 Siemens Aktiengesellschaft Method and apparatus for configuring an automation system
WO1997026587A1 (fr) * 1996-01-17 1997-07-24 Siemens Aktiengesellschaft Automation device
DE19701323A1 (de) * 1997-01-16 1998-07-23 Hartmann & Braun Gmbh & Co Kg Method and device for updating operating software

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1826641B1 (fr) * 2003-09-30 2010-11-03 Rockwell Automation Technologies, Inc. Safety controller providing rapid recovery of safety-related program data
EP2273331A1 (fr) * 2003-09-30 2011-01-12 Rockwell Automation Technologies, Inc. Safety controller providing rapid recovery of safety-related program data
EP1596262A1 (fr) * 2004-05-10 2005-11-16 Siemens Aktiengesellschaft Safety-oriented data transfer
CN100382474C (zh) * 2004-05-10 2008-04-16 Siemens Aktiengesellschaft System and method for the safe transmission of data
US7453902B2 (en) 2004-05-10 2008-11-18 Siemens Aktiengesellschaft Failsafe transmission of data
EP1999544A2 (fr) * 2006-02-23 2008-12-10 Rockwell Automation Technologies, Inc. Graphical interface combining safety level and availability level
EP1999544A4 (fr) * 2006-02-23 2010-05-05 Rockwell Automation Tech Inc Graphical interface combining safety level and availability level

Legal Events

Code  Title / Description
AK    Designated states. Kind code of ref document: A1. Designated state(s): CN CZ KR US
AL    Designated countries for regional patents. Kind code of ref document: A1. Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE
DFPE  Request for preliminary examination filed prior to expiration of 19th month from priority date (PCT application filed before 20040101)
121   EP: the EPO has been informed by WIPO that EP was designated in this application
122   EP: PCT application non-entry in European phase