WO2011061394A1 - A control system of a reciprocating engine - Google Patents
- Publication number
- WO2011061394A1 (PCT/FI2010/050922)
- Authority
- WO
- WIPO (PCT)
Classifications
-
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B19/00—Programme-control systems
- G05B19/02—Programme-control systems electric
- G05B19/04—Programme control other than numerical control, i.e. in sequence controllers or logic controllers
- G05B19/042—Programme control other than numerical control, i.e. in sequence controllers or logic controllers using digital processors
- G05B19/0423—Input/output
- G05B19/0425—Safety, monitoring
-
- F—MECHANICAL ENGINEERING; LIGHTING; HEATING; WEAPONS; BLASTING
- F02—COMBUSTION ENGINES; HOT-GAS OR COMBUSTION-PRODUCT ENGINE PLANTS
- F02D—CONTROLLING COMBUSTION ENGINES
- F02D29/00—Controlling engines, such controlling being peculiar to the devices driven thereby, the devices being other than parts or accessories essential to engine operation, e.g. controlling of engines by signals external thereto
- F02D29/02—Controlling engines, such controlling being peculiar to the devices driven thereby, the devices being other than parts or accessories essential to engine operation, e.g. controlling of engines by signals external thereto peculiar to engines driving vehicles; peculiar to engines driving variable pitch propellers
-
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B9/00—Safety arrangements
- G05B9/02—Safety arrangements electric
- G05B9/03—Safety arrangements electric with multiple-channel loop, i.e. redundant control systems
-
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B2219/00—Program-control systems
- G05B2219/20—Pc systems
- G05B2219/24—Pc safety
- G05B2219/24183—If error, spare unit takes over, message to master, confirm new configuration
-
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B2219/00—Program-control systems
- G05B2219/30—Nc systems
- G05B2219/31—From computer integrated manufacturing till monitoring
- G05B2219/31253—Redundant object manager
Definitions
- Redundancy can be implemented by distributing the control modules in a way that when a single I/O element fails, every control module it includes has a safety module in some other module. When an I/O element fails, the system level 40 also has the support for noticing this, and the system 40 then activates a similar safety control module to handle the same control that the failed module did.
- the invention concerns the distribution of tasks of the CPU (reference numbers 11, 12 in figure 1) to the I/O elements, which are capable of independent operation.
- the I/O elements have to be capable of running control modules. In the prior art I/O elements this is not possible.
- I/O elements are all controlled by control logic module/s. At least one, preferably all, I/O elements include the control module and at least one I/O element includes the safety control module. Their changes are controlled by redundancy logic, which is included in each I/O element.
- the underlying system level operation monitors which I/O elements are active and which control modules are active, and announces to the inactive safety control modules commands for starting to control when the I/O element which executes the active control modules stops working or fails.
- the execution need not take place in one I/O element alone, but can be separated to several elements.
- I/O element 70 is illustrated in figure 5.
- I/O element 70 is arranged to transfer any physical reading to any I/O element, to control any physical output from any I/O element, and to follow states of other I/O elements.
- the physical readings means signals from the field devices via the field device interface 76.
- the control of any physical output means control signals to the field devices via the field device interface.
- At least one of the I/O elements of the system comprises at least one control module 74 for controlling the system and at least one of the I/O elements comprises at least one safety control module 75 specific for the certain control module for controlling the system in case of a malfunction of the control module.
- the embodiment of figure 5 includes at least one bus interface 71.
- I/O element is arranged to transfer information to and from other I/O element/s, the information including at least state changes of I/O element/s and control signal/s.
- a follow module 72 is arranged to follow the states of the other I/O elements taking into account at least state change information as its input.
- the internal state of the I/O element can be understood to include the states of the interface signals 76 of the field devices.
- a redundancy module 73 is arranged to sense if there is fault somewhere and in response to the fault sensing to transfer the tasks of the control module 74 to the safety control module.
- Control module 74 is arranged to handle state (change) information of other I/O elements (from the bus), modify its internal state accordingly and output corresponding engine control command/s.
- Safety control module 75 is arranged to execute at least the same control tasks as the corresponding control module in response to the control module fault signal from the redundancy module.
- the I/O element according to Fig. 5 has interface/s to field devices 76 as are the prior art I/O elements.
- redundancy module 73 can be arranged to direct the tasks of the control module partly or completely to the safety control module in response to too high load of the control module.
- FIG. 5 illustrates a way to implement the inventive I/O element 70.
- the modules illustrated above are on the software platform 77 that takes care of transmission tasks.
- the transmission tasks are sending and receiving data communication via the bus interface 71 and the field device interface 76.
- the platform 77 takes also care of communication between the modules.
- the tasks of the redundancy module 73 can be allocated to the platform 77.
- the combination of the platform and the modules is convenient to manufacture.
- Another solution can be to use the modules alone, without any platform.
- the software realization of the invention is not the only solution. It may also be possible to use special circuits, such as ASIC (Application Specific Integrated Circuit) circuits, for the realization.
- control modules and safety control modules can be divided to essential functions and non essential functions.
- the essential functions comprise at least the necessary functions to continue running the engine.
- Redundancy module 73 is arranged to prioritize the essential functions, when assigning task/s to safety module/s by task signal/s. It is preferable to implement the above mentioned modules with at least one programmable processor for each I/O element containing control module being arranged to compute a new internal state of the I/O element and possible module output/s in response to input from bus and its current internal state. It is preferable that there is a software platform for controlling I/O element. The platform can transform any reading of the field devices to any I/O-element, and control any output from any I/O element.
- system according to the invention includes computer readable means arranged to perform the main control in several control modules situated redundantly in more than one I/O element.
- Some ways to situate control modules redundantly in several I/O elements are presented in the examples of the figures. Any of the modules above can be computer readable.
- the same functionality can, with some additional logic, also be used to dynamically share the load in the system, as a control module working under too high a load could voluntarily request the safety control module in another control element to take over some of the tasks. Thereby, the load of the system could dynamically be kept at an acceptable level.
Abstract
The present invention relates to a system for controlling a reciprocating engine, the system (40) comprising I/O elements (45 - 48) and a communication bus (43, 44) between the I/O elements. The purpose of the invention is to achieve more redundant and more fault tolerant engine control. The invention is based on a new architecture for the system control.
Description
A CONTROL SYSTEM OF A RECIPROCATING ENGINE
Field of invention
The present invention relates to a system that controls a reciprocating engine. In particular, the invention relates to a control system comprising I/O elements and a communication bus between the I/O elements.
Background and the prior art
In the prior art technologies electronics is commonly used in control systems. The use of electronics is common in small reciprocating engines. However, the use of electronics is not so simple in larger engines. In large reciprocating engines, electronic control is increasing in importance. With the electronic control, the engine can perform better, produce less emission, and consume less fuel. Thereby, the use of electronics in combination with the large engines is increasing. Although electronics has commonly been used on smaller reciprocating engines, the adaptation to larger engines is not straightforward. The main difference comes from the fact that larger engines are often used in applications where the reliability is very important and essential. Such applications may be e.g. in ship propulsion, where a malfunction of the engine may result in a "dead ship", i.e. a ship without control, a situation that in the worst case may be fatal. Therefore, the electronics and programmable systems used for large engines are usually designed in a robust way, to reach a high reliability. One way to reach such reliability is so-called redundancy, where necessary core functionality is placed in two identical units. Upon failure of one unit, the control is transferred to the other unit, and the control is not interrupted. Typically, this type of "hot standby" redundant system is utilized in e.g. process automation, where the process safety is based on e.g. programmable logic. This redundancy architecture requires a significant amount of synchronization information to keep the redundant unit up to date with the information from the first unit. Quite commonly, this is done utilizing some fast bus, e.g. over an optical medium, to transfer the synchronization information fast enough.
Fig. 1 shows a prior art system wherein two identical units are utilized. The other is a safety unit 12 that is used when the primary unit 11 is in a malfunction state. The safety unit must be continuously updated via line 6 in order to provide uninterrupted control of the reciprocating engine. Therefore, a great amount of synchronization information is needed. Such duplicated systems are expensive. Thus, only a CPU 11 and a bus 13 have commonly been duplicated 12, 14 to prevent the failure of one communication channel from affecting the control task. Field device interfaces, i.e. I/O elements 15 - 18, have no safety units in such control systems. The CPUs 11, 12 denote a central control element. Two CPUs are used to obtain redundancy. The I/O denotes input/output elements 15 - 18, which may measure or control similar process values (as the redundancy on e.g. the actuator side is highly dependent on the process).
Drawbacks of the prior art
A common weak point in the redundant setup described above is the fact that the system design becomes rather expensive, as the redundancy means a doubling of e.g. processors and other control elements. Another weak point is that in order to reduce costs, the input/output elements often are not doubled, and the remaining functionality will therefore in these cases not be fully redundant. A typical design can therefore be described as shown in Fig. 1. One reason to keep this control architecture is the fact that creating the control logs for this type of systems is easy, as the logic can assume that the main control element, the CPU, is always available.
Short description of invention
The purpose of the invention is to achieve more redundant and more fault tolerant engine control. The invention is based on a new architecture of a control system for controlling a reciprocating engine. A control system comprises I/O elements 25 - 28, 35 - 38, 45 - 48 and a communication bus 23, 24, 33, 34, 43, 44 between the I/O elements. Each I/O element is arranged to transfer any physical reading to any I/O element, to control any physical output from any I/O element, and to follow states of the other I/O elements. At least one of the I/O elements comprises at least one control module 29, 39, 49 for controlling the system and at least one of the I/O elements comprises at least one safety control module 210, 310 specific for the certain control module for controlling the system in case of a malfunction of the control module.
Considerable advantages can be gained with the invention. More redundant and fault tolerant engine control can be achieved. Engine control can be easily dimensioned according to the requirements for system control with distributed devices rather than with a large centralized device. The invention discloses a distributed architecture where main control is preferably divided into several modules. The modules can be situated in I/O elements as desired. The modules are preferably software.
List of figures
The invention is presented with reference to the following figures:
Figure 1 shows a visualisation of the structure of a prior art solution,
Figures 2 - 4 show different embodiments of a system according to the present invention, and
Figure 5 shows a structure of an I/O module according to the present invention.
Detailed description of figures
Figure 2 presents a system 20, which includes I/O elements 25, 26, 27, 28 ... n, wherein n is a positive integer. The system 20 further includes buses 23 and 24. The first bus 23 is for normal use. The other bus 24 is a safety bus that is used if a malfunction occurs in the first bus. The I/O element 25 includes a control module 29 that handles tasks of the main control. The I/O elements 25, 26 ... 28 have the means for handling physical output signals based on the control signals from the control module. Therefore they also have the means for receiving the control signals through the bus. The I/O elements 25, 26, 27, 28 ... n also have means for transferring the physical inputs to the form understandable by the control module 29, and means for transferring them through the bus. In order that the system is redundant, another I/O element, for example element 26, contains a safety control module 210. If the control module 29 fails to run, the task of main control can be transferred to the safety control module 210.
Input/output elements 25, 26, 27, 28 ... n are capable of independent operation. They can also be controlled by a control module 29 or the safety control module 210. A dynamical redundancy is achieved by allowing any of the input/output elements 26, 27 ... 28 + n to fail, while keeping the essential control functionality still working. In the example of Fig. 2 a single control module 29 takes care of the tasks of the main control. If the I/O element 25 fails to run or has a serious malfunction, the tasks of the main control can be transferred to the safety control module 210.
Since the input/output elements 25, 26, 27, 28 ... n are all capable of independent operation, any of the input/output elements can contain the control module. In the system of figure 2 and the other systems of the invention presented here, the main control is located in at least one I/O element instead of a large centralized device. If the input/output element 25 executing the main control were to fail, the total control would not stop, since the other I/O element 26 containing the safety control module can continue the functions of the main control.
Figure 3 presents a system 30, which includes I/O elements 35, 36, 37, 38 ... n, wherein n is a positive integer. The system 30 further includes buses 33 and 34. The I/O element 36 contains the control module here. The control module includes the main control as one control module 39. The I/O elements 35, 36 ... 38 + n have the means for handling physical output signals based on the control signals from the control module 39. They also have the means for receiving the control signals through the bus. The I/O elements 35, 36, 37, 38 ... n also have means for transferring the physical inputs to the form understandable by the control module 39, and means for transferring them through the bus.
The underlying platform (preferably software) of the I/O element is capable of transferring any physical reading to any input/output element over the bus, and any physical output can be controlled from any input/output element 35 - 38. Therefore, the main control can equally well be executed in a different input/output element compared to the system of figure 2, e.g. in element 36. More generally, the main control is executed in the I/O element wherein the control module is located. It can be said that the main control can be made independent of the place of execution in the sense that it can be executed in any of the input/output elements 35, 36 ... 38 + n wherein the control module exists. The same applies for the safety control module 310 that is located in the I/O module 38 of the embodiment of Fig. 3.
Figure 4 presents a system 40, which includes I/O elements 45, 46, 47, 48 ... n, wherein n is a positive integer. The system 40 further includes buses 43 and 44. The I/O elements 45 and 47 contain control modules here, so the main control of the system 40 is divided to three control modules 49, 410, 411. The unit 45 includes the control module 49 and the unit 47 includes the control modules 410 and 411. The I/O elements 45, 46 ... 48 have the means for implementing physical output signals based on the control signals from control modules. They also have the means for receiving the control signals through the bus. The I/O elements 45, 46, 47, 48 also have means for transferring the physical inputs to the form understandable by the control modules, and means for transferring them through the bus.
According to the system 40 of figure 4, the execution of the main control is not implemented in one control module alone, but is separated to different I/O elements 45, 47 containing control modules in order to optimize the performance of the system. Thus, part of the main control is executed by the control module 49 in the I/O element 45, and two more parts are executed by the control modules 410, 411 in the I/O element 47. The I/O element 46 contains safety control modules 412, 413, 414. The safety control modules can also be situated in several I/O elements; for example, module 414 can alternatively be situated in I/O element 48.
The number of control modules in figure 4 can be smaller or larger than 3, but 3 is suitable here for illustrative purposes. Also the division of control modules into I/O elements can be different from the one presented here.
In the system of figure 4, each I/O element 45, 46, 48 is aware of the state (working/failed) of all other I/O elements 45, 46, 48 via bus communication. There is a redundancy function in each I/O element 45, 46, ..., 48 that, based on the state of the other elements, has means for deciding whether the control module shall be considered active or inactive. In case the I/O element or the control module fails, the inactive safety control module shall be activated. Each I/O element also has means for noticing the activation of the safety control module according to the decision.
The system of figure 4 creates redundancy independently of location, by offering means for causing I/O elements 45, 46, 48 to notice a failure of any other I/O element 45, 46, 48 and means for activating the inactive safety control module to handle the necessary control. E.g. for a case where the hardware or software of I/O element 47 is failing, the system includes means for activating the safety control module in the I/O element 46, thereby offering means for providing essentially uninterrupted service, even at a total failure of the I/O element 47. In the embodiments of the invention the design of the control logic module is made in such a way that all necessary state information is transferred over the communication bus to the safety control module. The internal states of the control modules are maintained similar with the safety control modules.
The inventive architecture allows a separation of the main control into separately executable blocks, preferably software modules. The underlying (software) platform is capable of transferring any physical reading to any input/output element over the bus, and any physical output can be controlled from any input/output element.
A failure of any I/O element will cause the other elements to notice the failure, and the redundancy function will (automatically) activate the safety control to handle the necessary control.
Neither does the main control need to be executed in one control module alone; it can be separated to different control modules. A module-based structure can make the planning of a redundant control easier, because the structure remains the same whether there is a single or a redundant control. Engine control can be easily dimensioned according to the requirements for system control with distributed devices rather than with a large centralized device.
Redundancy can be implemented by distributing the control modules in a way that when a single I/O element fails, every control module it includes has a safety module in some other module. When an I/O element fails, the system level 40 also has support for noticing this, and the system 40 then activates a similar safety control module to handle the same control that the failed module did.
The invention concerns the distribution of tasks of the CPU (reference numbers 11, 12 in figure 1) to the I/O elements, which are capable of independent operation. The I/O elements have to be capable of running control modules. In the prior art I/O elements this is not possible.
I/O elements are all controlled by control logic module/s. At least one, preferably all, I/O elements include the control module and at least one I/O element includes the safety control module. Their changes are controlled by redundancy logic, which is included in each I/O element.
The underlying system level operation monitors which I/O elements are active and which control modules are active, and announces to the inactive safety control modules commands for starting to control when the I/O element which executes the active control modules stops working or fails. Neither does the execution need to take place in one I/O element alone; it can be separated to several elements.
An example of the embodiment of the I/O element 70 is illustrated in figure 5. I/O element 70 is arranged to transfer any physical reading to any I/O element, to control any physical output from any I/O element, and to follow states of other I/O elements. The physical readings mean signals from the field devices via the field device interface 76. The control of any physical output means control signals to the field devices via the field device interface. At least one of the I/O elements of the system comprises at least one control module 74 for controlling the system and at least one of the I/O elements comprises at least one safety control module 75 specific for the certain control module for controlling the system in case of a malfunction of the control module. The embodiment of figure 5 includes at least one bus interface 71. The I/O element is arranged to transfer information to and from other I/O element/s, the information including at least state changes of I/O element/s and control signal/s. A follow module 72 is arranged to follow the states of the other I/O elements taking into account at least state change information as its input. In this text, the internal state of the I/O element can be understood to include the states of the interface signals 76 of the field devices.
A redundancy module 73 is arranged to sense if there is a fault somewhere and, in response to the fault sensing, to transfer the tasks of the control module 74 to the safety control module.
Control module 74 is arranged to handle state (change) information of other I/O elements (from the bus), modify its internal state accordingly and output corresponding engine control command/s. Safety control module 75 is arranged to execute at least the same control tasks as the corresponding control module in response to the control module fault signal from the redundancy module.
The I/O element according to Fig. 5 has interface/s to field devices 76 as are the prior art I/O elements.
Optionally redundancy module 73 can be arranged to direct the tasks of the control module partly or completely to the safety control module in response to too high load of the control module.
Figure 5 illustrates a way to implement the inventive I/O element 70. It can be useful that the modules illustrated above are on the software platform 77 that takes care of transmission tasks. The transmission tasks are sending and receiving data communication via the bus interface 71 and the field device interface 76. The platform 77 also takes care of communication between the modules. There are also other ways to implement the invention; for example, the tasks of the redundancy module 73 can be allocated to the platform 77. The combination of the platform and the modules is convenient to manufacture. Another solution can be the use of the modules alone, without any platform. The software realization of the invention is not the only solution. It may also be possible to use special circuits, such as ASIC (Application Specific Integrated Circuit) circuits, for the realization.
Functions of control modules and safety control modules can be divided to essential functions and non-essential functions. The essential functions comprise at least the necessary functions to continue running the engine. Redundancy module 73 is arranged to prioritize the essential functions when assigning task/s to safety module/s by task signal/s.
It is preferable to implement the above-mentioned modules with at least one programmable processor for each I/O element containing a control module, the processor being arranged to compute a new internal state of the I/O element and possible module output/s in response to input from the bus and its current internal state. It is preferable that there is a software platform for controlling the I/O element. The platform can transform any reading of the field devices to any I/O element, and control any output from any I/O element.
It is preferable that the system according to the invention includes computer readable means arranged to perform the main control in several control modules situated redundantly in more than one I/O element. Some ways to situate control modules redundantly in several I/O elements are presented in the examples of the figures. Any of the modules above can be computer readable.
There is some predefined logic in the system which tells which safety control module/s are allocated to which control element/s in a case of total failure of certain control element or control module.
The same functionality can, with some additional logic, also be used to dynamically share the load in the system, as a control module working under too high a load could voluntarily request the safety control module in another control element to take over some of the tasks. Thereby, the load of the system could dynamically be kept at an acceptable level.
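The failover behaviour described above (each I/O element follows the others over the bus, and a predefined allocation decides which safety control module takes over, essential functions first), as an added Python simulation that is not part of the patent. Only the element and module numbers come from figure 4; the pairing of safety modules to control modules, the choice of essential modules, the silence timeout and the capacity limit are assumptions.

```python
"""Constructed simulation of the failover logic described for figure 4."""

HOSTS = {49: 45, 410: 47, 411: 47,      # control modules -> I/O element (from the text)
         412: 46, 413: 46, 414: 46}     # safety modules  -> I/O element (from the text)
BACKUP = {49: 412, 410: 413, 411: 414}  # assumed pairing; the page gives none
ESSENTIAL = {49, 410}                   # assumed: modules needed to keep the engine running


class IOElement:
    def __init__(self, eid, peers, timeout=3, capacity=3):
        self.eid = eid
        self.timeout = timeout          # assumed: ticks of silence before a peer counts as failed
        self.capacity = capacity        # assumed: safety modules this element can run at once
        self.last_seen = {p: 0 for p in peers if p != eid}
        self.active_safety = []

    def on_state_message(self, sender, tick):
        """Follow module: record that a peer reported its state on the bus."""
        self.last_seen[sender] = tick

    def failed_peers(self, tick):
        return {p for p, seen in self.last_seen.items()
                if tick - seen >= self.timeout}

    def redundancy_step(self, tick):
        """Redundancy module: activate local safety modules for failed peers."""
        failed = self.failed_peers(tick)
        orphaned = [c for c, s in BACKUP.items()
                    if HOSTS[c] in failed and HOSTS[s] == self.eid]
        # Essential functions sort first, so they win when capacity is short.
        orphaned.sort(key=lambda c: (c not in ESSENTIAL, c))
        self.active_safety = [BACKUP[c] for c in orphaned[:self.capacity]]
        return self.active_safety


def simulate(fail_at, failed_element, ticks=10, capacity=3):
    """Return {tick: {element: active safety modules}} for the surviving elements."""
    ids = [45, 46, 47, 48]
    elements = {i: IOElement(i, ids, capacity=capacity) for i in ids}
    history = {}
    for tick in range(1, ticks + 1):
        for sender in ids:
            if sender == failed_element and tick >= fail_at:
                continue                # a failed element goes silent on the bus
            for receiver in ids:
                if receiver != sender:
                    elements[receiver].on_state_message(sender, tick)
        history[tick] = {i: list(e.redundancy_step(tick))
                         for i, e in elements.items()
                         if not (i == failed_element and tick >= fail_at)}
    return history
```

Every surviving element reaches the same conclusion from the same bus traffic, which is why no central arbiter is needed; the cost is that a peer that is merely silent for the timeout period is treated the same as one that has failed.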
Having described certain embodiments of the invention, it will now become apparent to one of skill in the art that other embodiments incorporating the concepts of the invention may be used. Therefore, the invention should not be limited to certain embodiments, but rather should be limited only by scope of the following claims.
Claims
1. A control system for controlling a reciprocating engine, the system comprising I/O elements (25-28, 35-38, 45-48, 70) and a communication bus (33, 34, 23, 24, 43, 44) in connection to the I/O elements, characterized in that each I/O element (25-28, 35-38, 45-48, 70) is arranged to transfer any physical reading to any I/O element to control any physical output from any I/O element, and to follow states of other I/O elements, at least one of the I/O elements (25-28, 35-38, 45-48, 70) comprising at least one control module (74) for controlling the system and at least one of the I/O elements comprising at least one safety control module (75) specific for the certain control module (74) for controlling the system in case of a malfunction of the control module (75).
2. A control system according to Claim 1, characterized in that the safety module (75) is arranged to execute the same control tasks as the corresponding control module (74) in response to the control module fault signal from the redundancy (73) module.
3. A control system according to Claim 2, characterized in that the control module/s (74) is arranged to receive state information of the other I/O elements, modify its internal state accordingly, and transmitting corresponding engine control command/s.
4. A control system according to one of Claims 1-3, characterized in that the I/O element/s (25-28, 35-38, 45-48, 70) comprise a follow module (72) being arranged to follow states of the other I/O element/s taking into account at least state change information as its input.
5. A control system according to one of Claims 1-4, characterized in that the I/O element/s comprise a redundancy module (73) being arranged to monitor if there is fault somewhere and in response to a fault transferring tasks of the control module/s to the safety module/s.
6. A control system according to Claim 5, characterized in that the redundancy module (73) is arranged to transmit a control module fault signal to the safety module (75) in response to too high load of the control module (74).
7. A control system according to one of Claims 1-6, characterized in that it comprises a platform means (77) on which the modules are situated, the platform handling communication between the modules and transmission tasks for sending and receiving data communication via the bus and a field device interface (76) of the I/O element.
8. A control system according to one of Claims 1-7, characterized in that computer readable means are arranged to perform the main control in several control modules (74) situated redundantly in more than one I/O element (25-28, 35-38, 45-48, 70).
9. A control system according to one of Claims 1-8, characterized in that a bus interface (71) of each I/O element (70) is arranged to transfer information to and from other I/O element/s, the information including at least state changes of the I/O element/s and control signal/s.
10. A control system according to one of Claims 1-9, characterized in that at least one programmable processor for each I/O element (70) containing control module (74) is arranged to compute a new internal state of the I/O element (70) and possible module output/s in response to input from the bus and its current internal state.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP10795736A EP2502119A1 (en) | 2009-11-20 | 2010-11-16 | A control system of a reciprocating engine |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
FI20096212 | 2009-11-20 | ||
FI20096212A FI121718B (en) | 2009-11-20 | 2009-11-20 | Control system for controlling a piston engine |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2011061394A1 (en) | 2011-05-26 |
Family
ID=41395259
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/FI2010/050922 WO2011061394A1 (en) | 2009-11-20 | 2010-11-16 | A control system of a reciprocating engine |
Country Status (3)
Country | Link |
---|---|
EP (1) | EP2502119A1 (en) |
FI (1) | FI121718B (en) |
WO (1) | WO2011061394A1 (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE19520744A1 (en) * | 1995-06-07 | 1996-12-12 | Siemens Ag | Control system object manager infrastructure for power plant control |
US20080091300A1 (en) * | 2006-10-13 | 2008-04-17 | Honeywell International, Inc. | Robotic system with distributed integrated modular avionics across system segments |
EP2048561A2 (en) * | 2007-09-18 | 2009-04-15 | Fisher-Rosemount Systems, Inc. | Methods and apparatus to upgrade and provide control redundancy in process plants |
WO2009144207A1 (en) * | 2008-05-30 | 2009-12-03 | Siemens Aktiengesellschaft | Control system, control computer and method for operating a control system |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE19915253A1 (en) * | 1999-04-03 | 2000-10-05 | Bosch Gmbh Robert | Operator for car divided control system in motor vehicle, has several electronic units mutually exchanging data via communications system |
-
2009
- 2009-11-20 FI FI20096212A patent/FI121718B/en not_active IP Right Cessation
-
2010
- 2010-11-16 EP EP10795736A patent/EP2502119A1/en not_active Withdrawn
- 2010-11-16 WO PCT/FI2010/050922 patent/WO2011061394A1/en active Application Filing
Also Published As
Publication number | Publication date |
---|---|
FI121718B (en) | 2011-03-15 |
FI20096212A0 (en) | 2009-11-20 |
EP2502119A1 (en) | 2012-09-26 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US8760004B2 (en) | Electrical power distribution | |
US10089199B2 (en) | Fault-tolerant high-performance computer system for autonomous vehicle maneuvering | |
WO2015104841A1 (en) | Redundant system and method for managing redundant system | |
CN110710164A (en) | Flight control system | |
JP7023722B2 (en) | Duplex control system | |
US8510594B2 (en) | Control system, control computer and method for operating a control system | |
US9003067B2 (en) | Network and method for operating the network | |
WO2011061394A1 (en) | A control system of a reciprocating engine | |
EP2547045A1 (en) | Field communication system | |
JP2001060160A (en) | Cpu duplex system for controller | |
JP2007086941A (en) | Configuration control system and method for information processing apparatus, and information processing apparatus using the same | |
JP5589719B2 (en) | Multiplexing system and method for controlling multiplexed system | |
JP2009070135A (en) | Distributed processing system | |
CN111190345B (en) | Redundant automation system with multiple processor units per hardware unit | |
US7836335B2 (en) | Cost-reduced redundant service processor configuration | |
JP7360277B2 (en) | aircraft control system | |
JP7132837B2 (en) | Independent interlocking redundant system | |
JP7299344B2 (en) | In-vehicle electronic control unit | |
JP5860659B2 (en) | Train operation management system | |
JP2017228159A (en) | Control device, and control method for control device | |
JP2022172757A (en) | Redundancy system | |
JPS6252907B2 (en) | ||
JP4993577B2 (en) | Plant control system | |
WO2010070713A1 (en) | Information processing device and control method | |
CN113467389A (en) | Process control system with different hardware architecture controller backup |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 10795736 Country of ref document: EP Kind code of ref document: A1 |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2010795736 Country of ref document: EP |
|
NENP | Non-entry into the national phase |
Ref country code: DE |