WO2016144296A1 - Mise à niveau de commande sans mémoire annexe - Google Patents


Info

Publication number
WO2016144296A1
Authority
WO
WIPO (PCT)
Prior art keywords
control code
control
industrial asset
output
processor
Prior art date
Application number
PCT/US2015/019207
Other languages
English (en)
Inventor
Wesley Michael SKEFFINGTON
Jr. Austars Raymond Schnore
Daniel White Sexton
Original Assignee
General Electric Company
Priority date: 2015-03-06
Filing date: 2015-03-06
Publication date: 2016-09-15
Application filed by General Electric Company
Priority to PCT/US2015/019207
Publication of WO2016144296A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 8/00 Arrangements for software engineering
    • G06F 8/60 Software deployment
    • G06F 8/65 Updates
    • G06F 8/656 Updates while running

Definitions

  • the subject matter disclosed herein generally relates to providing updates to industrial assets, and more specifically automatically managing system updates to industrial assets while maintaining system operation.
  • the process of updating industrial assets may require an operator to be physically present at the industrial asset to apply the update.
  • the industrial asset may be controlled individually, there may be a number of different interfaces and tools which have no relation to interfaces and/or tools of other industrial assets.
  • an operator must be knowledgeable in a number of interfaces to properly apply updates to the industrial asset.
  • the required training may be exceedingly costly and time consuming.
  • current systems often must be shut down for software upgrades, which is costly for customers that rely on industrial control systems in environments such as power generation, oil and gas, or similar industries.
  • the approaches described herein provide a scalable mechanism that remotely and automatically upgrades, commissions, requisitions, and/or maintains an industrial control system.
  • the approaches are based on a local agent interacting with a web-based server, such as a cloud or on-site server backend, that provides safe deployment of control and/or other system software components.
  • systems may be managed at a virtual machine level and may be upgraded without having to cause the system controller to shut down. Further, these approaches may allow for control functionality to be moved to different locations without causing the industrial asset to be bumped or temporarily offline. Further, these approaches may allow a common manner to deploy and maintain security credentials for a number of functions and virtual machines on a given controls platform.
  • the approaches described herein may be used to reduce or eliminate the need for human interaction when performing updates as well as the need to disrupt the process being controlled. Further, these approaches may provide reduced commissioning and maintenance time and expenses to end users and system developers, and reduce costs over the lifecycle of a given asset and control system. By providing updates to the industrial assets, enhanced integrity and security of the system results as the updates improve the correctness of the potentially complex system deployment while allowing up to date security patches as they become available. These approaches may be scaled to upgrade systems at a fleet level as opposed to a single device level.
  • an apparatus for upgrading an industrial asset includes an interface having a programming input and an output and at least one processor coupled to the interface.
  • the at least one processor is configured to control the operation of the industrial asset through the output at least partially by a first control code.
  • the processor executes the first and second control codes in parallel such that the inputs and the outputs of the first and second control codes are in communication and synchronized with each other.
  • the processor is further configured to switch control of the industrial asset such that the second control code at least partially controls the industrial asset.
  • the processor is further configured to remove the first control code such that the second control code is the only control code present.
  • the processor may alternatively retain the first control code as a backup control code in the event that the second control code experiences an operational failure.
  • the processor may switch control of the industrial asset without interruption of operation of the industrial asset. In other words, the asset may continue to operate without requiring a bump, or temporarily halting operation of the asset to complete the upgrade.
  • the processor further may switch control of the industrial asset such that the second control code at least partially controls the industrial asset through the output.
  • the industrial asset may be at least one of gas turbines, steam turbines, generators, power plants, compressors, locomotives, energy storage devices, and/or generators. Other examples are possible.
  • the first and second control code are stored on a number of remote computing devices having different locations.
  • the first and second control codes may be implemented at any location while still providing control over the industrial asset.
  • an operator is not required to be physically present at the asset to provide the upgrade, as the updates may be managed at any number of locations.
  • a first control code which controls the operation of an industrial asset is executed via a first output.
  • the operation of a second control code is then synchronized with the first control code.
  • control of the industrial asset is switched from the first control code to the second control code via a second output.
  • executing and switching to the second output of the second control code includes upgrading operation of the industrial asset to function via the second control code.
  • the output of the second control code may be applied to the industrial asset without halting operation thereof.
  • the first and second control codes are executed via at least one processor configured to execute the first and the second control codes simultaneously. Further in some examples, at least one input from the industrial asset is synchronized to the first and second control code.
  • an industrial asset is at least partially controlled by executing a first control code via a first output.
  • a second control code is then introduced to the industrial asset, and the first and second control codes are executed in parallel such that the inputs and the outputs of the first and the second control codes are in communication and synchronized with each other.
  • control of the industrial asset is switched such that the second control code at least partially controls the industrial asset via the second output.
  • the first control code is removed. In other examples, the first control code is operated in parallel with the operation of the second control code to provide a layer of redundancy and/or security.
  • FIG. 1 comprises a flow chart illustrating an exemplary bump-less control upgrade approach according to various embodiments of the present invention
  • FIG. 2 comprises a flow chart illustrating an exemplary bump-less control upgrade approach according to various embodiments of the present invention
  • FIG. 3 comprises a block flow diagram further illustrating the exemplary bump- less control upgrade approach of FIG. 2 according to various embodiments of the present invention.
  • FIG. 4 comprises a block diagram illustrating an exemplary bump-less control upgrade approach according to various embodiments of the present invention.
  • a control circuit or agent function operates as an integral part of the system for security and management purposes; such a system and security agent is responsible for initiating communication to the various components of the control system, establishing and ensuring secure data connections, and/or identifying available updates.
  • by introducing a hypervisor in combination with synchronized networking technologies, system update functions may be performed synchronously with the underlying control process, thus allowing an update without disrupting the main functionality of the process in the control system.
  • by hypervisor, as used herein, is meant a virtual machine manager or management apparatus that provides isolation and coordination of virtual machines within an embedded control system.
  • by bump-less, as used herein, is meant the ability to create an additional control code instance to control an industrial asset and switch to this control code instance without causing an interruption to the industrial asset.
  • by functionally partitioning a multi-core computing device, the hypervisor causes individual partitions to act as unique devices which perform different tasks. Thus, the hypervisor may implement one partition to control the asset using the first control code, and a second partition to control the asset using the second, updated control code. It is understood that the hypervisor may partition a multi-core computing device in any manner or combination; for example, a quad-core device may be partitioned into two dual-core partitions, or into two partitions with the first having three cores and the second a single core, and so on. Other examples are possible.
  • an edge device may be integral to or communicatively coupled with an industrial asset to provide the industrial asset with control functionalities.
  • a hypervisor is used to create an additional control code instance running in parallel with the first control code.
  • through time-sensitive networking, the inputs from the industrial asset may be synchronized between the two control codes, and the same mechanisms may allow the outputs from the control codes to be synchronized.
  • upon determining that the inputs, outputs, and intermediate state information are synchronized, the system instructs the additional control code to transmit subsequent controls to the industrial asset, thus effectively replacing the first control code for the industrial asset.
  • the system agent monitors the output of both control codes to ensure they are both synchronized.
  • a first control code is executed. This first control code controls operation of an industrial asset via a first output.
  • the operation of a second control code is synchronized with the first control code.
  • a second output of the second control code is executed and applied to control the industrial asset.
  • the second control code may include upgrades to the control of the industrial asset. Upon executing and switching to the second output of the second control code, the industrial asset may be updated to function via the second control code. It is understood that the second control code may include any number of upgrades or updates used to improve operation and/or functionality of the industrial asset.
  • the second output of the second control code is applied in a bump-less fashion, that is, without halting the operation of the industrial asset.
  • the second control code is instructed to begin providing or transmitting outputs to the industrial asset at a predetermined time in a coordinated manner with the first control code.
  • the first and second control code may be executed via at least one processor that is configured to execute the first and second control codes simultaneously.
  • this processor may be a hypervisor capable of executing multiple instances of control code and performing various additional tasks related to the operation of the industrial asset and the corresponding system. It is understood that any number of processors may be used to
  • the first and the second control codes may be located centrally or remotely from one another.
  • the first and the second control codes may be located on a single computational device or in remote locations.
  • individuals at remote locations may provide upgrades and updates to industrial assets as required.
  • an alternate approach 200 for a bump-less control upgrade is described.
  • an industrial asset is at least partially controlled by executing a first control code via a first output.
  • the first control code may control the entire operation of the industrial asset.
  • a second control code is introduced to the industrial asset.
  • the first and the second control codes are executed in parallel or simultaneously.
  • the first and the second control code may be in communication and synchronized with each other.
  • control of the industrial asset is switched such that the second control code at least partially controls the industrial asset via a second output.
  • the first control code is subsequently removed for various reasons such as to free up memory or to reduce the possibility of reverting operation to the previous control code version.
  • the first control code may be operated in parallel with the operation of the second control code, but outputs from the first control code are not sent to the industrial asset.
  • the first control code may act as a redundant or backup code should the second control code incur a failure or other issue.
  • the step 208 of switching control of the industrial asset may occur without interruption of operation thereof.
  • the approach 200 may include a system having a system agent, an I/O synchronization mechanism, system partitioning functionality, a multi-core controller or a synchronized network, and a number of control codes or applications.
  • the system agent is responsible for interfacing with a back-end server in a secure manner and managing the introduction, coordination, and removal of virtual machines or VMs.
  • the I/O synchronization performs the task of ensuring various versions of the control application are synchronized in order to ensure the transition between control applications will be bump-less.
  • the system partitioning functionality is responsible for partitioning the multi-core controller, processing device, or synchronized network to properly control multiple control applications.
  • the control applications are responsible for providing controls to the industrial or critical asset.
  • the approach 200 is running using the first or current version of the control application.
  • the approach 200 introduces a new version of the control application and it is in an inactive state while the first control application remains active.
  • the first and second versions of the control application run in parallel due to the system agent synchronizing the first and second version of the control application. Necessary data is synced between the control applications.
  • the system switches the control application that actively controls the asset, making the first version of the control application inactive.
  • the first version of the control application is removed from the system.
  • the first version of the control application may remain as a shadow application to act as a redundant or fall-back version.
  • the system is thereby upgraded without disrupting the industrial asset.
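As an added illustration that is not part of the patent, the following Python sketch models the system agent for the approach just described: two control-code instances run in lockstep on the same synchronized input, the hand-over happens only after outputs and intermediate state have agreed for a settling window, and the old instance stays as a shadow fall-back until it is retired. The PI-loop ControlCode, SystemAgent, settle_cycles and the constructed setpoint values are all assumptions; v2 stands in for an updated control application.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class ControlCode:
    """Hypothetical control code: a discrete PI loop (v2 adds an output clamp)."""
    version: str
    kp: float
    ki: float
    limit: Optional[float] = None
    integral: float = 0.0

    def step(self, setpoint: float, measured: float) -> float:
        err = setpoint - measured
        self.integral += err
        out = self.kp * err + self.ki * self.integral
        if self.limit is not None:
            out = max(-self.limit, min(self.limit, out))
        return out

    def sync_from(self, other: "ControlCode") -> None:
        # I/O synchronization: start from the active instance's state, not zero
        self.integral = other.integral

class SystemAgent:
    """Runs two instances in lockstep and hands over only once they agree."""

    def __init__(self, active: ControlCode, tolerance: float = 1e-9,
                 settle_cycles: int = 5) -> None:
        self.active = active                       # its output reaches the asset
        self.shadow: Optional[ControlCode] = None  # candidate, later fall-back
        self.tolerance, self.settle_cycles = tolerance, settle_cycles
        self.agree, self.switched = 0, False
        self.events: List[str] = []

    def introduce(self, candidate: ControlCode) -> None:
        candidate.sync_from(self.active)
        self.shadow, self.agree, self.switched = candidate, 0, False
        self.events.append(f"introduced {candidate.version} (inactive)")

    def cycle(self, setpoint: float, measured: float) -> float:
        """Both instances get the same synchronized input; only the active output is sent."""
        out_active = self.active.step(setpoint, measured)
        if self.shadow is None:
            return out_active
        out_shadow = self.shadow.step(setpoint, measured)
        if not self.switched:
            # outputs and intermediate state must both match, settle_cycles times in a row
            in_sync = (abs(out_active - out_shadow) <= self.tolerance
                       and self.active.integral == self.shadow.integral)
            self.agree = self.agree + 1 if in_sync else 0
            if self.agree >= self.settle_cycles:
                # bump-less hand-over: outputs already agree; old code stays as shadow
                self.active, self.shadow = self.shadow, self.active
                self.switched = True
                self.events.append(f"switched to {self.active.version}")
        return out_active

    def retire_shadow(self) -> None:
        """Remove the previous control code (frees memory, prevents reversion)."""
        if self.shadow is not None:
            self.events.append(f"removed {self.shadow.version}")
            self.shadow = None

    def on_fault(self) -> bool:
        """Fall back to the shadow copy if the new code fails after the switch."""
        if not self.switched or self.shadow is None:
            return False
        self.active, self.shadow, self.switched = self.shadow, None, False
        self.events.append(f"reverted to {self.active.version}")
        return True

def demo() -> dict:
    # constructed scenario: v1 runs alone, v2 is introduced and takes over
    agent = SystemAgent(ControlCode("v1", kp=0.5, ki=0.1))
    outs = [agent.cycle(10.0, 0.0) for _ in range(3)]
    agent.introduce(ControlCode("v2", kp=0.5, ki=0.1, limit=50.0))
    outs += [agent.cycle(10.0, 0.0) for _ in range(6)]
    agent.retire_shadow()
    return {"outputs": outs, "active": agent.active.version, "events": agent.events}
```

A candidate whose control law differs (for instance a changed gain) never accumulates enough agreeing cycles and is simply never switched in, which is the safety property the settling window buys.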
  • the bump-less upgrade system 400 includes an interface 402 having a programming input 404 and an output 406, a controller or processor 408, and a memory 410.
  • the system 400 may also include any number of industrial assets 412.
  • the interface 402 is a computer-based program and/or hardware configured to accept controller activity or a signal or communication from a computing device such as a personal computer, a mobile computing device, a control system or server at the programming input 404 and transmit the generated communication at the output 406 to the industrial asset 412, which may be any number of components in an industrial environment, for example, wind turbines, distributed power generators, power plants, and the like. Other examples are possible.
  • the function of the interface 402 is to allow the processor 408 to communicate with the industrial asset 412.
  • the processor 408 is any combination of hardware devices and/or software selectively chosen to process controller activity related to a control system and perform appropriate functions to be sent to the industrial asset 412 via the output 406.
  • the processor 408 includes instructions that determine the functionalities and operation of the control codes stored on the memory 410. It is understood that any number of processors may be used in the system 400 and may be located either centrally or remotely within the system 400.
  • the memory 410 may be any data storage medium capable of storing data thereto.
  • the memory 410 may be an integral unit of the system 400, it may be physically coupled to the interface 402 and the processor 408 through a data connection (e.g., an Ethernet connection), or it may communicate with the system 400 through any number of wireless communications protocols.
  • the memory 410 includes the first and the second control codes (not shown). These control codes may be any type of data file capable of storing a plurality of variables and instructions thereto. It is understood that any number of control codes may be used, and that any number of individual memory modules may be used which either may be centrally or remotely located. It will be appreciated that the various components described herein may be implemented using a general purpose processing device executing computer instructions stored in memory. Further, it is understood that the processor 408 may be a standalone component or may be incorporated into the interface 402.
  • the industrial asset 412 may include any number of components which receive instructions or commands from the system 400.
  • the industrial asset may include wind turbines, distributed power generators, power plants, and the like, or any number of these components grouped together. Other examples are possible.
  • the processor 408 is configured to at least partially control operation of the industrial asset 412 through the output 406 using a first control code.
  • upon receiving a second control code through the programming input 404, the processor 408 is configured to execute the first and the second control codes in parallel such that the inputs and the outputs of the first and second control codes are in communication and synchronized with each other.
  • the processor 408 is further configured to switch control of the industrial asset 412 such that the second control code at least partially controls the industrial asset 412 via the output 406.
  • the processor 408 is configured to switch control of the industrial asset 412 without interruption of operation of the industrial asset 412.
  • the processor may receive the second control code or notification of its existence via any number of known methods. For example, a user or operator may generate an update to the control code and transmit it to downstream systems, at which point it may be received by the processor 408. Other examples are possible.
  • the processor 408 is configured to remove the first control code from the memory 410. However, in some approaches, the processor 408 is configured to retain the first control code in the memory 410 should a backup or redundancy be desired.
  • the first and the second control code are stored on memory 410 on a plurality of remote computing devices having different locations.

Abstract

The present invention relates to a system and approaches for bump-less control upgrade in which a first control code is executed that controls the operation of an industrial asset. The operation of a second control code is synchronized with the operation of the first control code. Once the second control code is synchronized with the first control code, the system executes and switches from the first control code to the second control code to control the industrial asset.

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/US2015/019207 WO2016144296A1 (fr) 2015-03-06 2015-03-06 Mise à niveau de commande sans mémoire annexe

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/US2015/019207 WO2016144296A1 (fr) 2015-03-06 2015-03-06 Mise à niveau de commande sans mémoire annexe

Publications (1)

Publication Number Publication Date
WO2016144296A1 true WO2016144296A1 (fr) 2016-09-15

Family

Family ID: 56878714

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2015/019207 WO2016144296A1 (fr) 2015-03-06 2015-03-06 Mise à niveau de commande sans mémoire annexe

Country Status (1)

Country Link
WO (1) WO2016144296A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10310837B2 (en) 2016-08-25 2019-06-04 General Electric Company Method and apparatus for updating industrial assets

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6237091B1 (en) * 1998-10-29 2001-05-22 Hewlett-Packard Company Method of updating firmware without affecting initialization information
US20030140150A1 (en) * 2002-01-14 2003-07-24 Dean Kemp Self-monitoring service system with reporting of asset changes by time and category
US20050028001A1 (en) * 2003-07-29 2005-02-03 Jian Huang Secured software patching and upgrade method for densely deployed networks having spanning-tree topology
US7823147B2 (en) * 2000-09-22 2010-10-26 Lumension Security, Inc. Non-invasive automatic offsite patch fingerprinting and updating system and method
US20120239224A1 (en) * 2011-03-18 2012-09-20 Mccabe Paul P Integration of an autonomous industrial vehicle into an asset management system
US20140130033A1 (en) * 2012-11-06 2014-05-08 General Electric Company Method and system for use in facilitating patch change management of industrial control systems



Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 15884826; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: pct application non-entry in european phase
    Ref document number: 15884826; Country of ref document: EP; Kind code of ref document: A1