[go: up one dir, main page]

CN116699964A - Redundant operation method and system for industrial process controller - Google Patents

Redundant operation method and system for industrial process controller Download PDF

Info

Publication number
CN116699964A
CN116699964A CN202310677694.1A CN202310677694A CN116699964A CN 116699964 A CN116699964 A CN 116699964A CN 202310677694 A CN202310677694 A CN 202310677694A CN 116699964 A CN116699964 A CN 116699964A
Authority
CN
China
Prior art keywords
redundant
controller
slave
redundancy
logic
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202310677694.1A
Other languages
Chinese (zh)
Other versions
CN116699964B (en
Inventor
侯先栋
陈宏君
周强
李响
刘伟
赵天恩
徐深
徐卫峰
杨琛琛
曾凯
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
NR Electric Co Ltd
NR Engineering Co Ltd
Original Assignee
NR Electric Co Ltd
NR Engineering Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by NR Electric Co Ltd, NR Engineering Co Ltd filed Critical NR Electric Co Ltd
Priority to CN202310677694.1A priority Critical patent/CN116699964B/en
Publication of CN116699964A publication Critical patent/CN116699964A/en
Application granted granted Critical
Publication of CN116699964B publication Critical patent/CN116699964B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B9/00Safety arrangements
    • G05B9/02Safety arrangements electric
    • G05B9/03Safety arrangements electric with multiple-channel loop, i.e. redundant control systems
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02PCLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Landscapes

  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Engineering & Computer Science (AREA)
  • Automation & Control Theory (AREA)
  • Hardware Redundancy (AREA)
  • Safety Devices In Control Systems (AREA)

Abstract

The application provides a redundant operation method and a system of industrial process controllers, wherein two industrial process controllers perform redundant information interaction through a redundant Ethernet to realize redundant operation of the controllers, and the redundant operation logic of the controllers is decoupled into a state redundant logic, a configuration redundant logic, a data redundant logic and a task redundant logic; decoupling a physical link layer and a data link layer of the Ethernet, and decomposing a redundant link by the data link layer to obtain a state redundant link, a configuration redundant link, a data redundant link and a task redundant link; and each redundant link uses a redundant Ethernet to carry out redundant information interaction of corresponding logics, so that independent redundant operation among the redundant logics is realized. The application reduces the complexity of a redundant system, ensures the reliability of redundant operation by decoupling and designing the redundant logic and decomposing the redundant link, and realizes the redundant effects of high reliability and short switching delay under the condition of not increasing the hardware cost.

Description

一种工业过程控制器冗余运行方法和系统Method and system for redundant operation of industrial process controller

技术领域technical field

本发明属于自动化设备冗余运行技术领域,涉及一种工业过程控制器冗余运行方法和系统。The invention belongs to the technical field of redundant operation of automation equipment, and relates to a method and system for redundant operation of industrial process controllers.

背景技术Background technique

当前工业过程控制器普遍针对关键部件采取1:1基于模块级双重化冗余,实现双机主从热备式冗余运行,从而避免控制器单模块故障引发停机等事故,方便系统在线维护升级,提高系统平均无故障时间。At present, industrial process controllers generally adopt 1:1 module-level dual redundancy for key components to realize dual-machine master-slave hot-standby redundant operation, so as to avoid accidents such as downtime caused by a single module failure of the controller, and facilitate online maintenance and upgrade of the system , improve the mean time between failures of the system.

热备式冗余由完全相同的两个子系统组成,而且这两个子系统形成一个工作、一个备用的关系,同时运行完全相同的程序,形成完全并行的两个运行模式。热备冗余系统中互为冗余的两个子系统中,均同时接受输入、执行计算、诊断,但备用子系统不使能输出,不主动上送监控数据。Hot standby redundancy consists of two identical subsystems, and these two subsystems form a working and a standby relationship, and run the exact same program at the same time, forming two completely parallel operating modes. In the hot standby redundant system, the two mutually redundant subsystems both receive input, perform calculations, and diagnose at the same time, but the standby subsystem does not enable output and does not actively send monitoring data.

使用热备式冗余技术主要是为了提升控制器的容错能力,因此热备式冗余的一个重要功能是实现基于故障的冗余切换:工作控制器和备用控制器均进行自诊断和互诊断,当工作控制器发生故障而备用控制器正常的情况下,自动地进行主从关系切换,使处于故障情况下的控制器变为备用状态,而诊断正常的控制器变为工作状态。为避免/减少对被控对象的扰动,要求切换时间尽可能短。The use of hot standby redundancy technology is mainly to improve the fault tolerance of the controller, so an important function of hot standby redundancy is to realize redundancy switching based on failure: both the active controller and the standby controller perform self-diagnosis and mutual diagnosis , when the working controller fails and the standby controller is normal, the master-slave relationship is switched automatically, so that the controller in the fault situation becomes the standby state, and the diagnosed normal controller becomes the working state. In order to avoid/reduce disturbance to the controlled object, the switching time is required to be as short as possible.

按照冗余实现方法,一般可分为硬件冗余和软件冗余。According to the redundancy implementation method, it can generally be divided into hardware redundancy and software redundancy.

硬件冗余系统的冗余结构确保了任何时候的系统可靠性,例如所有的重要部件都是冗余配置。这包括了冗余的CPU、供电模件和用于冗余CPU通信的同步模块。当故障发生时,自动切换到备用控制器,切换过程不停机。但硬件冗余成本较高,一般用于对可靠性要求高的系统。The redundant structure of the hardware redundant system ensures system reliability at any time, for example, all important components are redundantly configured. This includes redundant CPUs, power supply modules and synchronization modules for redundant CPU communication. When a failure occurs, it will automatically switch to the standby controller, and the switching process will not stop. However, the cost of hardware redundancy is relatively high, and it is generally used in systems with high reliability requirements.

软件冗余是通过软件编程方式实现当检测到故障时切换到备用控制器,需要平台或用户编写带冗余功能的控制逻辑,并全程参与冗余的故障诊断判决和状态契合,若没有专用的冗余通信通道,冗余的数据同步和状态切换有滞后性,成本相对较低,切换时间相对较长。Software redundancy is realized by software programming when a fault is detected and switches to the standby controller. It is necessary for the platform or the user to write control logic with redundant functions and participate in the redundant fault diagnosis judgment and state matching throughout the process. If there is no dedicated Redundant communication channels, redundant data synchronization and state switching have hysteresis, the cost is relatively low, and the switching time is relatively long.

发明内容Contents of the invention

为解决现有技术中存在的不足,本发明提供一种工业过程控制器冗余运行方法和系统,通过冗余逻辑解耦与设计、冗余链路分解,降低冗余系统复杂度,确保冗余运行可靠性,在不增加硬件成本的情况下,通过软件冗余实现了运行高可靠、切换短延时的冗余效果,实现工业控制系统控制器热备冗余功能,方便系统在线维护升级,提高系统平均无故障时间。In order to solve the deficiencies in the prior art, the present invention provides a redundant operation method and system for industrial process controllers, through redundant logic decoupling and design, redundant link decomposition, reducing the complexity of redundant systems, ensuring redundant In addition to operational reliability, without increasing the cost of hardware, the redundancy effect of high reliability of operation and short switching delay is realized through software redundancy, and the hot standby redundancy function of the controller of the industrial control system is realized, which is convenient for online maintenance and upgrade of the system , improve the mean time between failures of the system.

本发明采用如下的技术方案。The present invention adopts the following technical solutions.

一种工业过程控制器冗余运行方法,两个工业过程控制器通过冗余以太网络进行冗余信息交互,实现控制器冗余运行;A method for redundant operation of industrial process controllers, in which two industrial process controllers perform redundant information exchange through a redundant Ethernet network to realize redundant operation of the controllers;

优选地,将控制器冗余运行逻辑解耦为状态冗余逻辑、配置冗余逻辑、数据冗余逻辑和任务冗余逻辑;Preferably, the controller redundant operation logic is decoupled into state redundancy logic, configuration redundancy logic, data redundancy logic and task redundancy logic;

将以太网络的物理链路层与数据链路层解耦,其中物理链路层包括物理链路A和B,物理链路A和B形成冗余以太网络,数据链路层进行冗余链路分解得到状态冗余链路、配置冗余链路、数据冗余链路和任务冗余链路;Decouple the physical link layer and data link layer of the Ethernet network, where the physical link layer includes physical links A and B, physical links A and B form a redundant Ethernet network, and the data link layer performs redundant links Decompose to get state redundant link, configuration redundant link, data redundant link and task redundant link;

各冗余链路使用冗余以太网络进行对应逻辑的冗余信息交互,实现各冗余逻辑之间的独立冗余运行。Each redundant link uses a redundant Ethernet network to exchange redundant information of the corresponding logic to realize independent redundant operation between redundant logics.

优选地,所述状态冗余逻辑包括上电运行的冗余状态协商逻辑、主机离线从机主动升主逻辑、从机判断故障等级主动升主逻辑以及主机收到工具命令强制主从切换逻辑。Preferably, the state redundancy logic includes redundant state negotiation logic for power-on operation, master offline slave active master logic, slave judge fault level active master master logic, and master slave forced master-slave switching logic upon receipt of a tool command.

优选地,所述上电运行的冗余状态协商逻辑用于确认主从控制器状态,具体为:Preferably, the redundant state negotiation logic of the power-on operation is used to confirm the state of the master-slave controller, specifically:

控制器上电初始化运行,获取各自冗余主从默认状态设置;The controller is powered on and initialized to run, and obtains the default state settings of the respective redundant masters and slaves;

当默认设置为从机状态时,控制器经过延时将本侧设置为初始从机状态;When the default setting is the slave state, the controller sets the side as the initial slave state after a delay;

当默认设置为主机状态时,不经过延时立即将本侧设置为初始从机状态;When the default setting is the master state, immediately set the local side to the initial slave state without delay;

控制器进入初始从机状态后通过状态冗余链路发送心跳报文给对侧;After the controller enters the initial slave state, it sends a heartbeat message to the opposite side through the state redundant link;

当心跳报文连续超时未回复时,控制器进入主机状态;When the heartbeat message continues to time out without reply, the controller enters the host state;

当心跳报文得到对侧主机回复时,控制器保持从机状态。When the heartbeat message is replied by the opposite host, the controller remains in the slave state.

优选地,确认主从控制器状态后,从控制器通过状态冗余链路周期性地发送心跳报文给主控制器,主控制器接收心跳报文后回复心跳报文给从控制器;Preferably, after confirming the state of the master-slave controller, the slave controller periodically sends a heartbeat message to the master controller through the state redundant link, and the master controller replies the heartbeat message to the slave controller after receiving the heartbeat message;

心跳报文包括本侧故障等级、强制切换标志和主从状态标志;The heartbeat message includes the failure level of the local side, the forced switching flag and the master-slave status flag;

其中故障等级针对具体故障类型约定,当主控制器发生故障时,置本侧故障等级为对应约定值,通过心跳回复报文发送给从机。Among them, the failure level is stipulated for the specific failure type. When the master controller fails, the failure level of the local side is set to the corresponding agreed value, and the heartbeat reply message is sent to the slave.

优选地,所述主机离线从机主动升主逻辑具体为:Preferably, the logic of the host offline slave actively upgrading to the master is as follows:

从控制器连续接收心跳回复报文超时,则表示主机离线,从控制器本侧切换为主机,然后连续发送让对侧强制切换为从机的报文。If the slave controller continuously receives the heartbeat reply message timeout, it means that the master is offline, the slave controller itself switches to the master, and then continuously sends messages to force the other side to switch to the slave.

优选地,所述从机判断故障等级主动升主逻辑与应用逻辑配合实现从机判断故障等级主动升主,具体的:Preferably, the slave judges that the fault level is actively upgraded to the master logic and the application logic cooperates to realize the slave judges the fault level to actively upgrade the master, specifically:

所述应用逻辑为:从控制器接收心跳回复报文中对侧故障等级并与本侧故障等级进行对比;The application logic is: receiving the fault level of the opposite side in the heartbeat reply message from the controller and comparing it with the fault level of the local side;

所述从机判断故障等级主动升主逻辑为:通过应用逻辑对比得出从控制器接收心跳回复报文中对侧故障等级连续高于本侧故障等级时,本侧切换为主机,然后连续发送让对侧强制切换为从机的报文;主机接收到让本侧切换为从机的报文后,立即设置为从机。The slave judges that the failure level is actively upgraded to the main logic: through the application logic comparison, when the failure level of the opposite side in the heartbeat reply message received from the controller is continuously higher than the failure level of the side, the side switches to the master, and then continuously sends A message that forces the opposite side to switch to a slave; the host immediately sets it as a slave after receiving a message that makes this side switch to a slave.

优选地,所述主机收到工具命令强制主从切换逻辑,具体为:Preferably, the host receives a tool command to force the master-slave switching logic, specifically:

主控制器从调试工具侧接收到切换主从机命令之后,在本次回复心跳报文时将强制切换标志位置位;After the main controller receives the switch master-slave command from the debugging tool side, it will force the switch flag to be set when replying the heartbeat message this time;

从控制器接收心跳报文中强制切换标志位置位,则本侧切换为主机,然后连续发送让对侧强制切换为从机的报文;When the forced switching flag is set in the heartbeat message received from the controller, the local side switches to the master, and then continuously sends messages to force the opposite side to switch to the slave;

主机接收到让本侧切换为从机的报文后,立即设置为从机。After the host receives the message to switch the local side to the slave, it is immediately set as the slave.

优选地,所述配置冗余逻辑包括从机上电同步配置逻辑和在线更新配置逻辑;Preferably, the configuration redundancy logic includes slave power-on synchronization configuration logic and online update configuration logic;

所述从机上电同步配置逻辑具体为:The slave power-on synchronization configuration logic is specifically:

控制器上电初始化运行通过冗余状态协商确定为从机后,通过配置冗余链路向主机发起配置信息请求报文;After the controller is powered on for initial operation and is determined as a slave through redundancy state negotiation, it sends a configuration information request message to the master through the configuration of the redundant link;

从机获取主机配置信息的校验码后,与本地配置信息比较,校验信息一致则结束配置同步,校验信息不一致则开始同步配置文件。After the slave machine obtains the verification code of the master configuration information, it compares it with the local configuration information. If the verification information is consistent, the configuration synchronization ends, and if the verification information is inconsistent, the configuration file synchronization starts.

优选地,所述在线更新配置逻辑具体为:Preferably, the online update configuration logic is specifically:

调试工具连接主控制器并下发在线更新配置命令时,主机下载更新报文并通过配置冗余链路转发给从机,从机接收下载更新报文后更新本地配置文件;When the debugging tool connects to the main controller and issues an online update configuration command, the master downloads the update message and forwards it to the slave through the configuration redundant link, and the slave updates the local configuration file after receiving the download update message;

其中调试工具仅与当前的主控制器建立连接并在需要在线更新配置时向主控制器下发在线更新配置命令。The debugging tool only establishes a connection with the current main controller and sends an online update configuration command to the main controller when online update configuration is required.

优选地,所述数据冗余逻辑具体为:Preferably, the data redundancy logic is specifically:

将控制器任务分为周期任务、自由任务、状态触发任务、事件触发任务;Divide controller tasks into periodic tasks, free tasks, state-triggered tasks, and event-triggered tasks;

控制器初始化运行时选择设置优先等级最高的周期任务或者自由任务作为最高优先级任务;当周期任务和自由任务最高优先等级设置相同时,选择周期任务,为最高优先级任务;When the controller initializes and runs, select the periodic task or the free task with the highest priority as the highest priority task; when the periodic task and the free task have the same highest priority setting, select the periodic task as the highest priority task;

主控制器在最高优先级任务执行前通过数据冗余链路发送数据同步报文,从控制器接收数据同步报文后更新本地数据并执行最高优先级任务。Before the execution of the highest priority task, the main controller sends a data synchronization message through the data redundancy link, and after receiving the data synchronization message, the slave controller updates the local data and executes the highest priority task.

优选地,所述任务冗余逻辑具体为:Preferably, the task redundancy logic is specifically:

基于数据冗余逻辑合并实现最高优先级任务同步和数据冗余;Realize highest priority task synchronization and data redundancy based on data redundancy logical merging;

主控制器在非最高优先级任务执行前通过任务冗余链路发送任务同步命令,从控制器接收任务同步命令后执行对应任务。The master controller sends a task synchronization command through the task redundancy link before the execution of the non-highest priority task, and the slave controller executes the corresponding task after receiving the task synchronization command.

一种工业过程控制器冗余运行系统,包括两个工业过程控制器和冗余以太网络;A redundant operation system for industrial process controllers, including two industrial process controllers and a redundant Ethernet network;

每一控制器设置状态冗余模块、配置冗余模块、数据冗余模块和任务冗余模块,分别用于执行状态冗余逻辑、配置冗余逻辑、数据冗余逻辑和任务冗余逻辑;Each controller is provided with a state redundancy module, a configuration redundancy module, a data redundancy module and a task redundancy module, which are respectively used to execute state redundancy logic, configuration redundancy logic, data redundancy logic and task redundancy logic;

所述冗余以太网络设置状态冗余链路、配置冗余链路、数据冗余链路和任务冗余链路;The redundant Ethernet network sets state redundant links, configuration redundant links, data redundant links and task redundant links;

所述状态冗余模块、配置冗余模块、数据冗余模块和任务冗余模块之间独立运行,各自采用独立线程完成相关逻辑任务,分别采用状态冗余链路、配置冗余链路、数据冗余链路和任务冗余链路交互数据。The state redundancy module, the configuration redundancy module, the data redundancy module and the task redundancy module operate independently, and each uses an independent thread to complete the relevant logical tasks, respectively adopts the state redundancy link, the configuration redundancy link, and the data redundancy link. Redundant links and task redundant links exchange data.

优选地,两个工业过程控制器完全相同,且通过冗余以太网络的物理链路A和B进行互联;Preferably, the two industrial process controllers are identical, and are interconnected through physical links A and B of the redundant Ethernet network;

所述控制器的底座具备硬件拨码模块,用于人工设置一侧默认为主控制器,另外一侧默认为从控制器;The base of the controller is equipped with a hardware dialing module, which is used to manually set one side as the master controller by default, and the other side as the slave controller by default;

所述状态冗余模块协商的冗余状态结果可以被其他模块访问,参与其他模块的运行逻辑;同时,状态冗余模块还交换两侧运行状态;The redundant state results negotiated by the state redundancy module can be accessed by other modules and participate in the operation logic of other modules; at the same time, the state redundancy module also exchanges the operation states of both sides;

所述状态冗余链路轮流使用物理链路A、B发送数据,并在连续未收到物理链路A或B发送的应答数据时,判定对应的物理链路断开;The state redundant link uses physical link A and B to send data in turn, and when the response data sent by physical link A or B is not received continuously, it is determined that the corresponding physical link is disconnected;

所述配置冗余链路、数据冗余链路和任务冗余链路采用状态冗余链路探测连通的物理链路发送数据。The configuration redundant link, data redundant link and task redundant link use the state redundant link to detect connected physical links to send data.

一种终端,包括处理器及存储介质;所述存储介质用于存储指令;A terminal, including a processor and a storage medium; the storage medium is used to store instructions;

所述处理器用于根据所述指令进行操作以执行所述方法的步骤。The processor is configured to operate according to the instructions to perform the steps of the method.

计算机可读存储介质,其上存储有计算机程序,该程序被处理器执行时实现所述方法的步骤。A computer-readable storage medium stores a computer program thereon, and implements the steps of the method when the program is executed by a processor.

本发明的有益效果在于,与现有技术相比,本发明冗余控制器通过冗余以太网完成冗余信息交互,可实现控制器的热备冗余运行,在常规控制器硬件基础上仅增加冗余通讯口,充分利用物理带宽,提高了系统的冗余度和可靠性。本发明通过冗余逻辑解耦与设计、冗余链路分解,降低了冗余系统复杂度,确保了冗余运行可靠性,在不提高冗余系统硬件成本的基础上,通过软件冗余实现了运行高可靠、切换短延时的冗余效果。The beneficial effect of the present invention is that, compared with the prior art, the redundant controller of the present invention completes the redundant information exchange through the redundant Ethernet, and can realize the hot standby redundant operation of the controller. On the basis of conventional controller hardware, only Increase the redundant communication port, make full use of the physical bandwidth, and improve the redundancy and reliability of the system. The present invention reduces the complexity of the redundant system and ensures the reliability of redundant operation through redundant logic decoupling and design and redundant link decomposition. On the basis of not increasing the hardware cost of the redundant system, it is realized through software redundancy It ensures the redundancy effect of high reliability of operation and short switching delay.

附图说明Description of drawings

图1是本发明的控制器冗余系统构架示意图;Fig. 1 is a schematic diagram of the architecture of the controller redundancy system of the present invention;

图2是本发明控制器上电冗余状态协商交互流程图;Fig. 2 is a flow chart of negotiation and interaction of controller power-on redundancy state in the present invention;

图3是本发明主机离线从机主动升主交互流程图;Fig. 3 is the interaction flow chart of master offline slave active upgrading to master in the present invention;

图4是本发明从机判断故障等级主动升主交互流程图;Fig. 4 is the interaction flow chart of slave judging the fault level and actively upgrading the master in the present invention;

图5是本发明主机收到工具命令强制主从切换交互流程图;Fig. 5 is the interaction flow chart of the master-slave switching forced master-slave switch received by the host of the present invention;

图6是本发明从机上电同步配置交互流程图;Fig. 6 is an interaction flow chart of slave power-on synchronization configuration interaction in the present invention;

图7是本发明在线更新配置交互流程图;Fig. 7 is a flow chart of online update configuration interaction in the present invention;

图8是本发明数据冗余交互流程图;Fig. 8 is a flow chart of data redundancy interaction in the present invention;

图9是本发明任务冗余交互流程图。Fig. 9 is a flowchart of task redundancy interaction in the present invention.

具体实施方式Detailed ways

为使本发明的目的、技术方案和优点更加清楚,下面将结合本发明实施例中的附图,对本发明的技术方案进行清楚、完整地描述。本申请所描述的实施例仅仅是本发明一部分的实施例,而不是全部实施例。基于本发明精神,本领域普通技术人员在没有作出创造性劳动前提下所获得的有所其它实施例,都属于本发明的保护范围。In order to make the object, technical solution and advantages of the present invention clearer, the technical solution of the present invention will be clearly and completely described below in conjunction with the drawings in the embodiments of the present invention. The embodiments described in this application are only some embodiments of the present invention, not all embodiments. Based on the spirit of the present invention, all other embodiments obtained by persons of ordinary skill in the art without making creative efforts all belong to the protection scope of the present invention.

本发明实施例1提供一种工业过程控制器冗余运行方法,两个工业过程控制器通过冗余以太网络进行冗余信息交互,实现控制器冗余运行,在本发明优选但非限制性的实施方式中,所述方法将控制器冗余运行逻辑解耦为状态冗余逻辑、配置冗余逻辑、数据冗余逻辑和任务冗余逻辑;Embodiment 1 of the present invention provides a method for redundant operation of industrial process controllers. Two industrial process controllers perform redundant information exchange through a redundant Ethernet network to realize redundant operation of the controllers. In the preferred but non-limiting aspect of the present invention In an embodiment, the method decouples the controller redundant operation logic into state redundancy logic, configuration redundancy logic, data redundancy logic and task redundancy logic;

将以太网络的物理链路层与数据链路层解耦,其中物理链路层包括物理链路A和B,物理链路A和B形成冗余以太网络,数据链路层进行冗余链路分解得到状态冗余链路、配置冗余链路、数据冗余链路和任务冗余链路;Decouple the physical link layer and data link layer of the Ethernet network, where the physical link layer includes physical links A and B, physical links A and B form a redundant Ethernet network, and the data link layer performs redundant links Decompose to get state redundant link, configuration redundant link, data redundant link and task redundant link;

各冗余链路使用冗余以太网络进行对应逻辑的冗余信息交互,实现各冗余逻辑之间的独立冗余运行。Each redundant link uses a redundant Ethernet network to exchange redundant information of the corresponding logic to realize independent redundant operation between redundant logics.

即两个控制器之间采用冗余以太网络连接组成主从冗余控制器,控制器获取各自冗余主从默认状态设置并结合通过冗余以太网交互的冗余信息完成主从状态协商。冗余信息交互包括主从状态协商、主从状态切换、运行状态信息交换、配置同步、数据同步和任务同步。冗余信息交互根据逻辑功能分解为状态冗余模块、配置冗余模块、数据冗余模块和任务冗余模块。冗余模块之间独立运行,分别采用状态冗余链路、配置冗余链路、数据冗余链路和任务冗余链路交互数据。That is to say, two controllers are connected by redundant Ethernet network to form a master-slave redundant controller. The controllers obtain the default state settings of their respective redundant masters and slaves and combine the redundant information exchanged through the redundant Ethernet to complete the master-slave state negotiation. Redundancy information exchange includes master-slave state negotiation, master-slave state switching, running state information exchange, configuration synchronization, data synchronization and task synchronization. Redundancy information interaction is decomposed into state redundancy module, configuration redundancy module, data redundancy module and task redundancy module according to logical function. The redundant modules operate independently, and use the state redundant link, configuration redundant link, data redundant link and task redundant link to exchange data respectively.

从控制器通过状态冗余链路周期性地发送心跳报文给主控制器,主控制器接收心跳报文后回复心跳报文给从控制器,冗余控制器通过心跳报文交互进行主从状态协商、主从状态切换和运行状态信息交换。主控制器通过配置冗余链路发送配置信息,从控制器接收配置信息更新本地配置,从控制配置信息同步后等待主控制器发送切换配置命令。The slave controller periodically sends a heartbeat message to the master controller through the state redundant link. State negotiation, master-slave state switching and running state information exchange. The master controller sends configuration information by configuring redundant links, receives configuration information from the slave controller to update the local configuration, and waits for the master controller to send a switching configuration command after synchronizing the configuration information from the slave controller.

从控制器不通过本机的任务调度模块运行任务。主控制器在最高优先级任务执行前通过数据冗余链路发送数据同步报文,从控制器接收数据同步报文更新本地数据并执行最高优先级任务。主控制器在非最高优先级任务执行前通过任务冗余链路发送任务同步命令,从控制器接收任务同步命令执行对应任务。The slave controller does not run tasks through the local task scheduling module. Before the execution of the highest priority task, the main controller sends a data synchronization message through the data redundancy link, and the slave controller receives the data synchronization message to update the local data and execute the highest priority task. Before the execution of non-highest priority tasks, the master controller sends task synchronization commands through the task redundancy link, and the slave controller receives task synchronization commands to execute corresponding tasks.

本发明实施例2提供一种工业过程控制器冗余运行系统,包括两个冗余控制器和冗余以太网络;Embodiment 2 of the present invention provides an industrial process controller redundant operation system, including two redundant controllers and a redundant Ethernet network;

每一控制器设置状态冗余模块、配置冗余模块、数据冗余模块和任务冗余模块,分别用于执行状态冗余逻辑、配置冗余逻辑、数据冗余逻辑和任务冗余逻辑;Each controller is provided with a state redundancy module, a configuration redundancy module, a data redundancy module and a task redundancy module, which are respectively used to execute state redundancy logic, configuration redundancy logic, data redundancy logic and task redundancy logic;

所述冗余以太网络设置状态冗余链路、配置冗余链路、数据冗余链路和任务冗余链路;The redundant Ethernet network sets state redundant links, configuration redundant links, data redundant links and task redundant links;

所述状态冗余模块、配置冗余模块、数据冗余模块和任务冗余模块之间独立运行,各自采用独立线程完成相关逻辑任务,分别采用状态冗余链路、配置冗余链路、数据冗余链路和任务冗余链路交互数据。The state redundancy module, the configuration redundancy module, the data redundancy module and the task redundancy module operate independently, and each uses an independent thread to complete the relevant logical tasks, respectively adopts the state redundancy link, the configuration redundancy link, and the data redundancy link. Redundant links and task redundant links exchange data.

进一步优选地,结合图1对本发明控制器冗余运行系统构架进行说明:Further preferably, the framework of the controller redundant operation system of the present invention is described in conjunction with FIG. 1:

两个工业过程控制器完全相同,且通过冗余以太网络的物理链路A和B进行互联,并关闭物理链路A和B以太网口的流量控制功能;The two industrial process controllers are identical, and are interconnected through physical links A and B of the redundant Ethernet network, and the flow control function of the Ethernet ports of physical links A and B is turned off;

控制器的底座具备硬件拨码功能,可以人工设置一侧默认为主控制器,另外一侧默认为从控制器。The base of the controller has a hardware dialing function, which can be manually set to one side as the master controller by default, and the other side as the slave controller by default.

控制器软件包含状态冗余模块、配置冗余模块、数据冗余模块、任务冗余模块和应用逻辑模块等。The controller software includes state redundancy module, configuration redundancy module, data redundancy module, task redundancy module and application logic module, etc.

各冗余模块之间独立运行,各自采用独立线程完成相关任务,分别采用状态冗余链路、配置冗余链路、数据冗余链路和任务冗余链路交互数据。Each redundant module operates independently, each uses an independent thread to complete related tasks, and uses state redundant links, configuration redundant links, data redundant links, and task redundant links to exchange data.

其中,状态冗余模块协商的冗余状态结果可以被其他模块访问,参与其他模块的运行逻辑。Among them, the redundant state results negotiated by the state redundancy module can be accessed by other modules and participate in the operation logic of other modules.

同时,状态冗余模块还交换两侧运行状态,包括负载、温度和内存使用率等运行信息。At the same time, the status redundancy module also exchanges the operating status of both sides, including operating information such as load, temperature, and memory usage.

所述状态冗余链路轮流使用物理链路A、B发送数据,充分利用了物理带宽;发送数据中包含数据编号,并在连续未收到物理链路A或B发送的应答数据时,判定对应的物理链路断开;The state redundant link uses physical link A and B to send data in turn, making full use of the physical bandwidth; the sent data contains the data number, and when the response data sent by the physical link A or B is not received continuously, it is judged The corresponding physical link is disconnected;

所述配置冗余链路、数据冗余链路和任务冗余链路采用状态冗余链路探测连通的物理链路发送数据,提高了系统的冗余度和可靠性。即物理链路A和B默认是同时连通的,状态冗余链路连续发出的数据是轮流使用物理链路A、B发出的,配置冗余链路、数据冗余链路和任务冗余链路可以任选一个物理链路发送数据;The configuration redundant link, data redundant link and task redundant link use the state redundant link to detect connected physical links to send data, which improves the redundancy and reliability of the system. That is, physical links A and B are connected at the same time by default, and the data sent continuously by the state redundant link is sent using physical links A and B in turn. Configure redundant links, data redundant links and task redundant links The road can choose a physical link to send data;

当状态冗余链路判断出物理链路断开时,表示该物理链路故障,此时配置冗余链路、数据冗余链路和任务冗余链路使用另一条连通的物理链路,当两条物理链路均故障时进行报错。When the status redundant link determines that the physical link is disconnected, it means that the physical link is faulty. At this time, configure the redundant link, data redundant link and task redundant link to use another connected physical link. An error is reported when both physical links fail.

针对上述的状态冗余逻辑、配置冗余逻辑、数据冗余逻辑和任务冗余逻辑进行具体介绍如下:The specific introduction of the above-mentioned state redundancy logic, configuration redundancy logic, data redundancy logic and task redundancy logic is as follows:

如图2所示,控制器上电运行的冗余状态协商逻辑具体为:As shown in Figure 2, the redundancy state negotiation logic for controller power-on operation is specifically:

控制器上电初始化运行,获取各自冗余主从默认状态设置。The controller is powered on and initialized to run, and obtains the default state settings of the respective redundant master and slave.

进一步优选地,控制器底座提供拨码设置冗余主从默认状态,控制器通过采集底座硬件信号获取相关设置。Further preferably, the controller base provides a dial to set the redundant master-slave default state, and the controller obtains relevant settings by collecting hardware signals of the base.

在不具备硬件条件的实施方案中,采用软件设置参数的方法也可以实现冗余主从默认状态设置。In the implementation scheme that does not have hardware conditions, the method of setting parameters by software can also realize the default state setting of the redundant master and slave.

当默认设置为从机状态时,控制器经过延时T将本侧设置为初始从机状态;When the default setting is the slave state, the controller sets the side as the initial slave state after a delay T;

当默认设置为主机状态时,不经过延时立即将本侧设置为初始从机状态。When the default setting is the master state, immediately set the local side to the initial slave state without delay.

控制器进入初始从机状态后通过状态冗余链路发送心跳报文给对侧。After the controller enters the initial slave state, it sends a heartbeat message to the opposite side through the state redundant link.

当心跳报文连续N帧超时ΔT未回复时,控制器进入主机状态;When the heartbeat message does not reply after N frame timeout ΔT, the controller enters the host state;

当心跳报文得到对侧主机回复时,控制器保持从机状态。When the heartbeat message is replied by the opposite host, the controller remains in the slave state.

综上所述,两侧控制器在正式运行前,先进入初始从机状态并发送心跳报文请求的升为主机。通过设置延时T,可以解决两侧控制器上电同时运行可能出现的主从状态竞争关系。To sum up, before the official operation, the controllers on both sides first enter the initial slave state and send a heartbeat message requesting to upgrade to the master. By setting the delay T, the master-slave state competition relationship that may occur when the controllers on both sides are powered on and run at the same time can be resolved.

主从控制器状态确认后,从控制器通过状态冗余链路按照ΔT周期性地发送心跳报文给主控制器,主控制器接收心跳报文后回复心跳报文给从控制器。After the state of the master-slave controller is confirmed, the slave controller periodically sends a heartbeat message to the master controller through the state redundant link according to ΔT, and the master controller replies the heartbeat message to the slave controller after receiving the heartbeat message.

心跳报文包括本侧故障等级、强制切换标志和主从状态标志。The heartbeat message includes the failure level of the local side, the forced switching flag and the master-slave status flag.

如图3所示,控制器主机离线从机主动升主逻辑具体为:As shown in Figure 3, the logic of the active master upgrade of the offline slave of the controller master is as follows:

当主机由于运行异常或者断电离线时,从控制器通过状态冗余链路按照ΔT周期性地发送心跳报文给主控制器,当连续N帧接收心跳回复报文超时,则本侧切换为主机,然后连续发送让对侧强制切换为从机的报文。When the host is offline due to abnormal operation or power failure, the slave controller periodically sends heartbeat messages to the master controller through the state redundant link according to ΔT. When receiving heartbeat reply messages in consecutive N frames times out, the side switches to The host, and then continuously send messages to force the other side to switch to the slave.

如图4所示,控制器从机判断故障等级主动升主逻辑与应用逻辑配合实现从机判断故障等级主动升主,具体的:As shown in Figure 4, the logic of the controller’s slave judging the fault level to actively upgrade to the master cooperates with the application logic to realize the slave judging the fault level to actively upgrade to the master, specifically:

控制器心跳报文中包含故障等级字段,故障等级分为0~255,数字越大故障等级越高。针对总线异常、电源故障和人机接口故障等具体异常类型分别约定对应故障等级。当主控制器发生故障时,置本侧故障等级为对应非0值,通过心跳回复报文发送给从机。The fault level field is included in the heartbeat message of the controller, and the fault level ranges from 0 to 255. The larger the number, the higher the fault level. For the specific types of abnormalities such as bus anomalies, power failures, and man-machine interface failures, the corresponding fault levels are respectively agreed. When the master controller fails, set the failure level of the local side to a corresponding non-zero value, and send it to the slave machine through a heartbeat reply message.

所述应用逻辑为:从控制器接收心跳回复报文中对侧故障等级(即运行状态)并与本侧故障等级进行对比;The application logic is: receiving the opposite side failure level (i.e. running state) in the heartbeat reply message from the controller and comparing it with the failure level of this side;

所述从机判断故障等级主动升主逻辑为:通过应用逻辑对比得出从控制器接收心跳回复报文中对侧故障等级连续3帧高于本侧故障等级,则本侧切换为主机,然后连续发送让对侧强制切换为从机的报文;The slave judges that the failure level is actively raised to the main logic: by comparing the application logic, it is obtained that the failure level of the opposite side in the heartbeat reply message received from the controller is higher than the failure level of the side for 3 consecutive frames, then the side is switched to the master, and then Continuously send messages to force the other side to switch to the slave;

主机接收到让本侧切换为从机的报文后,立即设置为从机。After the host receives the message to switch the local side to the slave, it is immediately set as the slave.

如图5所示,控制器主机收到工具命令强制主从切换逻辑具体为。As shown in Figure 5, the controller host receives the tool command to force the master-slave switching logic to be specific.

控制器心跳报文中包含强制切换字段,该字段正常运行时为0,当为0x5A时,表示调试工具下发命令强制切换冗余控制器主从状态。The controller heartbeat message contains a forced switching field, which is 0 during normal operation, and when it is 0x5A, it means that the debugging tool issued a command to forcibly switch the master-slave state of the redundant controller.

调试工具仅与当前的主控制器建立通讯。The commissioning tool only establishes communication with the current master controller.

当主控制器从调试工具侧接收到切换主从机命令之后,在本次心跳回复报文中将强制切换标志位设置为0x5A。After the master controller receives the master-slave switch command from the debugging tool side, it sets the forced switch flag bit to 0x5A in this heartbeat reply message.

从控制器接收心跳报文中强制切换标志位置为0x5A,则本侧切换为主机,然后连续发送让对侧强制切换为从机的报文。The position of the forced switching flag in the heartbeat message received from the controller is 0x5A, then the local side switches to the master, and then continuously sends messages to force the opposite side to switch to the slave.

主机接收到让本侧切换为从机的报文后,立即设置为从机。After the host receives the message to switch the local side to the slave, it is immediately set as the slave.

如图6所示,控制器从机上电同步配置逻辑具体为:As shown in Figure 6, the controller slave power-on synchronization configuration logic is as follows:

控制器上电初始化运行通过冗余协商确定为从机后,从机通过配置冗余链路向主机发起配置信息请求报文。After the controller is powered on for initial operation and is determined to be a slave through redundancy negotiation, the slave sends a configuration information request message to the master through the configuration of the redundant link.

主机接收到从机配置信息请求报文后,将本侧的所有配置文件按照文件名+有效标志+校验码发送给从机。After receiving the slave configuration information request message, the master sends all the configuration files on the local side to the slave according to the file name + valid flag + check code.

从机获取主机配置信息后,采用文件名作为关联信息与本侧配置文件比对,首先比较配置文件的有效标志,当有效标志位为无效时,从机删除本地配置文件,否则进一步比较配置文件的校验码,当校验码不一致时,从机后续依次获取不一致的配置文件,否则结束配置同步。After the slave machine obtains the host configuration information, it uses the file name as the associated information to compare with the configuration file on the local side. First, compare the valid flag of the configuration file. When the valid flag bit is invalid, the slave machine deletes the local configuration file, otherwise it further compares the configuration files. check code, when the check code is inconsistent, the slave will obtain inconsistent configuration files in turn, otherwise, the configuration synchronization will end.

如图7所示,控制器在线更新配置逻辑具体为:As shown in Figure 7, the controller online update configuration logic is as follows:

调试工具仅与当前的主控制器建立通讯,当需要在线更新配置时,工具向主控制器下发下载请求、文件传输、下载确认及配置更新命令。The debugging tool only establishes communication with the current main controller. When the configuration needs to be updated online, the tool sends a download request, file transfer, download confirmation and configuration update command to the main controller.

主控制器在接收到上述命令时,通过配置冗余链路转发给从控制器。When the master controller receives the above command, it forwards it to the slave controller by configuring the redundant link.

从控制器接收上述命令后,按照工具下发命令等同逻辑处理。After receiving the above command from the controller, it will be processed according to the equivalent logic of the command issued by the tool.

如图8所示,控制器数据冗余逻辑进行介绍。As shown in Figure 8, the controller data redundancy logic is introduced.

控制器任务一般分为周期任务、自由任务、状态触发任务、事件触发任务等任务调度方式。其中自由任务为不通过周期、状态触发、事件触发的任务。Controller tasks are generally divided into task scheduling methods such as periodic tasks, free tasks, state-triggered tasks, and event-triggered tasks. Among them, the free task is a task that does not pass the cycle, is triggered by a state, or is triggered by an event.

控制器初始化运行时选择设置优先等级最高的周期任务或者自由任务作为最高优先级任务;当周期任务和自由任务最高优先等级设置相同时,选择周期任务,为最高优先级任务;When the controller initializes and runs, select the periodic task or the free task with the highest priority as the highest priority task; when the periodic task and the free task have the same highest priority setting, select the periodic task as the highest priority task;

从控制器不通过本机的任务调度模块触发运行周期任务、自由任务、状态触发任务、事件触发任务;即主机是任务调度模块触发运行周期任务、自由任务、状态触发任务、事件触发任务;从机不触发,完全由数据冗余和任务冗余模块负责触发周期任务、自由任务、状态触发任务、事件触发任务;The slave controller does not trigger the running period tasks, free tasks, state-triggered tasks, and event-triggered tasks through the local task scheduling module; that is, the master is the task scheduling module that triggers the running cycle tasks, free tasks, state-triggered tasks, and event-triggered tasks; The machine does not trigger, and the data redundancy and task redundancy modules are completely responsible for triggering periodic tasks, free tasks, state-triggered tasks, and event-triggered tasks;

在最高优先级任务执行前,主控制器通过数据冗余链路发送数据同步报文,然后再执行最高优先级任务。Before the highest priority task is executed, the main controller sends a data synchronization message through the data redundancy link, and then executes the highest priority task.

从控制器接收数据同步报文后更新本地数据,并在接收全部数据后执行最高优先级任务。Update the local data after receiving the data synchronization message from the controller, and execute the highest priority task after receiving all the data.

如图9所示,对控制器任务冗余逻辑具体为:As shown in Figure 9, the redundancy logic for the controller task is specifically:

冗余控制器的最高优先级任务同步和数据冗余合并实现,避免了数据和任务不同步的问题。The highest priority task synchronization and data redundancy of redundant controllers are combined to avoid the problem of out-of-sync data and tasks.

非最高优先级任务则通过任务冗余模块协调完成。Non-highest priority tasks are coordinated through the task redundancy module.

在非最高优先级任务执行前,主控制器通过任务冗余链路发送任务同步命令,然后执行对应任务。Before the execution of the non-highest priority task, the main controller sends the task synchronization command through the task redundancy link, and then executes the corresponding task.

上述命令内容包含本次执行任务ID,主从控制器任务ID一致。The content of the above command includes the task ID of this execution, and the task ID of the master and slave controllers is the same.

从控制器接收任务同步命令后执行对应任务。Execute the corresponding task after receiving the task synchronization command from the controller.

本发明实施例3提供一种终端,包括处理器及存储介质;所述存储介质用于存储指令;Embodiment 3 of the present invention provides a terminal, including a processor and a storage medium; the storage medium is used to store instructions;

所述处理器用于根据所述指令进行操作以执行根据实施例1所述方法的步骤。The processor is configured to operate according to the instructions to execute the steps of the method according to Embodiment 1.

本发明实施例4提供计算机可读存储介质,其上存储有计算机程序,该程序被处理器执行时实现实施例1所述方法的步骤。Embodiment 4 of the present invention provides a computer-readable storage medium on which a computer program is stored, and when the program is executed by a processor, the steps of the method described in Embodiment 1 are implemented.

本发明的有益效果在于,与现有技术相比,本发明冗余控制器通过冗余以太网完成冗余信息交互,可实现控制器的热备冗余运行,在常规控制器硬件基础上仅增加冗余通讯口,通过冗余逻辑解耦与设计、冗余链路分解,降低了冗余系统复杂度,确保了冗余运行可靠性,在不提高冗余系统硬件成本的基础上,通过软件冗余实现了运行高可靠、切换短延时的冗余效果。The beneficial effect of the present invention is that, compared with the prior art, the redundant controller of the present invention completes the redundant information exchange through the redundant Ethernet, and can realize the hot standby redundant operation of the controller. On the basis of conventional controller hardware, only Adding redundant communication ports, through redundant logic decoupling and design, and redundant link decomposition, reduces the complexity of the redundant system and ensures the reliability of redundant operation. On the basis of not increasing the hardware cost of the redundant system, through Software redundancy realizes the redundancy effect of high reliability of operation and short switching delay.

本公开可以是系统、方法和/或计算机程序产品。计算机程序产品可以包括计算机可读存储介质,其上载有用于使处理器实现本公开的各个方面的计算机可读程序指令。The present disclosure can be a system, method and/or computer program product. A computer program product may include a computer readable storage medium having computer readable program instructions thereon for causing a processor to implement various aspects of the present disclosure.

计算机可读存储介质可以是可以保持和存储由指令执行设备使用的指令的有形设备。计算机可读存储介质例如可以是――但不限于――电存储设备、磁存储设备、光存储设备、电磁存储设备、半导体存储设备或者上述的任意合适的组合。计算机可读存储介质的更具体的例子(非穷举的列表)包括:便携式计算机盘、硬盘、随机存取存储器(RAM)、只读存储器(ROM)、可擦式可编程只读存储器(EPROM或闪存)、静态随机存取存储器(SRAM)、便携式压缩盘只读存储器(CD-ROM)、数字多功能盘(DVD)、记忆棒、软盘、机械编码设备、例如其上存储有指令的打孔卡或凹槽内凸起结构、以及上述的任意合适的组合。这里所使用的计算机可读存储介质不被解释为瞬时信号本身,诸如无线电波或者其它自由传播的电磁波、通过波导或其它传输媒介传播的电磁波(例如,通过光纤电缆的光脉冲)、或者通过电线传输的电信号。A computer readable storage medium may be a tangible device that can retain and store instructions for use by an instruction execution device. A computer readable storage medium may be, for example, but is not limited to, an electrical storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of computer-readable storage media include: portable computer diskettes, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM), or flash memory), static random access memory (SRAM), compact disc read only memory (CD-ROM), digital versatile disc (DVD), memory stick, floppy disk, mechanically encoded device, such as a printer with instructions stored thereon A hole card or a raised structure in a groove, and any suitable combination of the above. As used herein, computer-readable storage media are not to be construed as transient signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through waveguides or other transmission media (e.g., pulses of light through fiber optic cables), or transmitted electrical signals.

这里所描述的计算机可读程序指令可以从计算机可读存储介质下载到各个计算/处理设备,或者通过网络、例如因特网、局域网、广域网和/或无线网下载到外部计算机或外部存储设备。网络可以包括铜传输电缆、光纤传输、无线传输、路由器、防火墙、交换机、网关计算机和/或边缘服务器。每个计算/处理设备中的网络适配卡或者网络接口从网络接收计算机可读程序指令,并转发该计算机可读程序指令,以供存储在各个计算/处理设备中的计算机可读存储介质中。Computer-readable program instructions described herein may be downloaded from a computer-readable storage medium to a respective computing/processing device, or downloaded to an external computer or external storage device over a network, such as the Internet, a local area network, a wide area network, and/or a wireless network. The network may include copper transmission cables, fiber optic transmission, wireless transmission, routers, firewalls, switches, gateway computers, and/or edge servers. A network adapter card or a network interface in each computing/processing device receives computer-readable program instructions from the network and forwards the computer-readable program instructions for storage in a computer-readable storage medium in each computing/processing device .

用于执行本公开操作的计算机程序指令可以是汇编指令、指令集架构(ISA)指令、机器指令、机器相关指令、微代码、固件指令、状态设置数据、或者以一种或多种编程语言的任意组合编写的源代码或目标代码,所述编程语言包括面向对象的编程语言—诸如Smalltalk、C++等,以及常规的过程式编程语言—诸如“C”语言或类似的编程语言。计算机可读程序指令可以完全地在用户计算机上执行、部分地在用户计算机上执行、作为一个独立的软件包执行、部分在用户计算机上部分在远程计算机上执行、或者完全在远程计算机或服务器上执行。在涉及远程计算机的情形中,远程计算机可以通过任意种类的网络—包括局域网(LAN)或广域网(WAN)—连接到用户计算机,或者,可以连接到外部计算机(例如利用因特网服务提供商来通过因特网连接)。在一些实施例中,通过利用计算机可读程序指令的状态信息来个性化定制电子电路,例如可编程逻辑电路、现场可编程门阵列(FPGA)或可编程逻辑阵列(PLA),该电子电路可以执行计算机可读程序指令,从而实现本公开的各个方面。Computer program instructions for performing the operations of the present disclosure may be assembly instructions, instruction set architecture (ISA) instructions, machine instructions, machine-dependent instructions, microcode, firmware instructions, state setting data, or Source or object code written in any combination, including object-oriented programming languages—such as Smalltalk, C++, etc., and conventional procedural programming languages—such as the “C” language or similar programming languages. Computer readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server implement. In cases involving a remote computer, the remote computer can be connected to the user computer through any kind of network, including a local area network (LAN) or a wide area network (WAN), or it can be connected to an external computer (such as via the Internet using an Internet service provider). connect). In some embodiments, an electronic circuit, such as a programmable logic circuit, field programmable gate array (FPGA), or programmable logic array (PLA), can be customized by utilizing state information of computer-readable program instructions, which can Various aspects of the present disclosure are implemented by executing computer readable program instructions.

最后应当说明的是,以上实施例仅用以说明本发明的技术方案而非对其限制,尽管参照上述实施例对本发明进行了详细的说明,所属领域的普通技术人员应当理解:依然可以对本发明的具体实施方式进行修改或者等同替换,而未脱离本发明精神和范围的任何修改或者等同替换,其均应涵盖在本发明的权利要求保护范围之内。Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention and not to limit them. Although the present invention has been described in detail with reference to the above embodiments, those of ordinary skill in the art should understand that the present invention can still be Any modification or equivalent replacement that does not depart from the spirit and scope of the present invention shall fall within the protection scope of the claims of the present invention.

Claims (15)

1. The utility model provides an industrial process controller redundancy operation method, two industrial process controllers carry out redundant information interaction through redundant Ethernet, realize controller redundancy operation, its characterized in that:
decoupling the controller redundancy operation logic into state redundancy logic, configuration redundancy logic, data redundancy logic and task redundancy logic;
decoupling a physical link layer of the Ethernet from a data link layer, wherein the physical link layer comprises physical links A and B, the physical links A and B form a redundant Ethernet, and the data link layer carries out redundant link decomposition to obtain a state redundant link, a configuration redundant link, a data redundant link and a task redundant link;
and each redundant link uses a redundant Ethernet to carry out redundant information interaction of corresponding logics, so that independent redundant operation among the redundant logics is realized.
2. A method of redundant operation of an industrial process controller according to claim 1 wherein:
the state redundancy logic comprises redundancy state negotiation logic of power-on operation, master-slave active lifting master logic of a host offline slave the slave judges the failure level to actively raise the master logic and the master receives the tool command to force the master-slave switching logic.
3. A method of redundant operation of an industrial process controller according to claim 2 wherein:
the redundant state negotiation logic of the power-on operation is used for confirming the state of the master-slave controller, and specifically comprises the following steps:
the controller is electrified to perform initialization operation to acquire respective redundant master-slave default state settings;
when the default is set as the slave state, the controller sets the local side as the initial slave state through delay;
when the default is set to be in a host state, the local side is set to be in an initial slave state immediately without delay;
after entering the initial slave state, the controller sends a heartbeat message to the opposite side through a state redundancy link;
when the heartbeat message is not replied after continuous timeout, the controller enters a host state;
when the heartbeat message is replied to the opposite-side host, the controller keeps the slave state.
4. A method of redundant operation of an industrial process controller according to claim 3 wherein:
after confirming the state of the master controller and the slave controller, the slave controller periodically transmits heartbeat messages to the master controller through a state redundant link, and the master controller replies the heartbeat messages to the slave controller after receiving the heartbeat messages;
the heartbeat message comprises a local side fault grade, a forced switching mark and a master-slave state mark;
the fault grade is appointed for a specific fault type, when the main controller fails, the fault grade of the main controller is set to be a corresponding appointed value, and a heartbeat reply message is sent to the slave.
5. A method of redundant operation of an industrial process controller according to claim 4 wherein:
the master-slave active lifting logic of the host offline slave specifically comprises the following steps:
and continuously receiving the heartbeat reply message from the controller until the heartbeat reply message is overtime, indicating that the host is offline, switching the host from the local side of the controller, and continuously transmitting the message for forcibly switching the opposite side into the slave.
6. A method of redundant operation of an industrial process controller according to claim 4 wherein:
the slave machine judging fault level active rising master logic is matched with the application logic to realize that the slave machine judges the fault level active rising master, and specifically:
the application logic is as follows: receiving a contralateral fault grade in a heartbeat reply message from a controller and comparing the contralateral fault grade with the local fault grade;
the slave judges that the failure level actively rises the master logic as follows: when the failure level of the opposite side in the heartbeat reply message received from the controller is continuously higher than the failure level of the local side, the local side is switched to the host computer, and then the message for forcibly switching the opposite side to the slave computer is continuously sent; and the host sets the message as the slave immediately after receiving the message for switching the host to the slave.
7. A method of redundant operation of an industrial process controller according to claim 4 wherein:
the host machine receives the tool command to force the master-slave switching logic, specifically:
after receiving a master-slave switching command from the debugging tool side, the master controller sets a forced switching flag bit when replying a heartbeat message at the time;
the slave controller receives a forced switching flag bit in the heartbeat message, the slave controller switches the slave to the master, and then continuously sends a message for enabling the opposite side to be forcibly switched to the slave;
and the host sets the message as the slave immediately after receiving the message for switching the host to the slave.
8. A method of redundant operation of an industrial process controller according to claim 1 wherein:
the configuration redundancy logic comprises slave power-on synchronous configuration logic and online update configuration logic;
the slave power-on synchronous configuration logic specifically comprises:
after the controller is powered on and initialized to run and is determined to be a slave machine through redundancy state negotiation, a configuration information request message is initiated to a host machine through a configuration redundancy link;
after the slave acquires the check code of the configuration information of the host, the check code is compared with the local configuration information, the configuration synchronization is finished when the check information is consistent, and the configuration file is started when the check information is inconsistent.
9. A method of redundant operation of an industrial process controller according to claim 8 wherein:
the online update configuration logic specifically comprises:
when the debugging tool is connected with the main controller and issues an online updating configuration command, the main machine downloads an updating message and forwards the updating message to the auxiliary machine through a configuration redundancy link, and the auxiliary machine updates a local configuration file after receiving the downloading updating message;
wherein the debug tool establishes a connection only with the current host controller and issues an online update configuration command to the host controller when online update configuration is required.
10. A method of redundant operation of an industrial process controller according to claim 1 wherein:
the data redundancy logic specifically comprises:
dividing the controller task into a periodic task, a free task, a state triggering task and an event triggering task;
the method comprises the steps that a controller initializes a periodic task or a free task with highest priority level to be selected as a task with highest priority level when running; when the highest priority level of the periodic task and the free task is set to be the same, selecting the periodic task as the task with the highest priority level;
and the master controller sends a data synchronization message through a data redundancy link before executing the task with the highest priority, and updates local data and executes the task with the highest priority after receiving the data synchronization message from the controller.
11. A method of redundant operation of an industrial process controller according to claim 10 wherein:
the task redundancy logic specifically comprises:
the task synchronization and the data redundancy of the highest priority are realized based on the data redundancy logic combination;
the master controller sends a task synchronous command through a task redundant link before the task with the non-highest priority is executed, and the corresponding task is executed after receiving the task synchronous command from the controller.
12. An industrial process controller redundant operating system for implementing the method of any one of claims 1-11, wherein:
the system includes two industrial process controllers and a redundant ethernet network;
each controller is provided with a state redundancy module, a configuration redundancy module, a data redundancy module and a task redundancy module which are respectively used for executing state redundancy logic, configuration redundancy logic, data redundancy logic and task redundancy logic;
the redundant Ethernet is provided with a state redundant link, a configuration redundant link, a data redundant link and a task redundant link;
the state redundancy module, the configuration redundancy module, the data redundancy module and the task redundancy module independently operate, each of which adopts independent threads to complete related logic tasks, and each of which adopts state redundancy links, configuration redundancy links, data redundancy links and task redundancy links to exchange data.
13. An industrial process controller redundant operating system according to claim 12 wherein:
the two industrial process controllers are identical and are interconnected by physical links A and B of the redundant Ethernet network;
the base of the controller is provided with a hardware dial module which is used for manually setting one side to default to be a master controller and the other side to default to be a slave controller;
the redundant state result negotiated by the state redundant module can be accessed by other modules to participate in the operation logic of the other modules; meanwhile, the state redundancy modules also exchange the running states of the two sides;
the state redundant links alternately use the physical links A, B to send data, and when the response data sent by the physical links A or B are not received continuously, the corresponding physical links are judged to be disconnected;
the configuration redundant link, the data redundant link and the task redundant link adopt physical links communicated by state redundant link detection to transmit data.
14. A terminal comprising a processor and a storage medium; the method is characterized in that:
the storage medium is used for storing instructions;
the processor being operative according to the instructions to perform the steps of the method according to any one of claims 1-11.
15. Computer readable storage medium, on which a computer program is stored, characterized in that the program, when being executed by a processor, implements the steps of the method according to any of claims 1-11.
CN202310677694.1A 2023-06-08 2023-06-08 Redundant operation method and system for industrial process controller Active CN116699964B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310677694.1A CN116699964B (en) 2023-06-08 2023-06-08 Redundant operation method and system for industrial process controller

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310677694.1A CN116699964B (en) 2023-06-08 2023-06-08 Redundant operation method and system for industrial process controller

Publications (2)

Publication Number Publication Date
CN116699964A true CN116699964A (en) 2023-09-05
CN116699964B CN116699964B (en) 2025-07-22

Family

ID=87832097

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310677694.1A Active CN116699964B (en) 2023-06-08 2023-06-08 Redundant operation method and system for industrial process controller

Country Status (1)

Country Link
CN (1) CN116699964B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117311136A (en) * 2023-11-28 2023-12-29 中国船舶集团有限公司第七一九研究所 Dual-computer operation method and device based on interconnection heartbeat monitoring mechanism
CN117573609A (en) * 2024-01-16 2024-02-20 宁波中控微电子有限公司 System-on-chip with redundancy function and control method thereof
CN120370660A (en) * 2025-06-25 2025-07-25 云南意达智能科技有限公司 Intelligent control system with AI identification in traditional Chinese medicine extraction and concentration process
CN120722822A (en) * 2025-08-29 2025-09-30 浙江中控研究院有限公司 A multi-level redundant control method and system based on multi-entity

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100268857A1 (en) * 2009-04-20 2010-10-21 International Business Machines Corporation Management of Redundant Physical Data Paths in a Computing System
CN103401696A (en) * 2013-06-25 2013-11-20 国家电网公司 Dual-network redundant communication system in industrial equipment and communication method thereof
US20180364673A1 (en) * 2017-06-16 2018-12-20 Honeywell International Inc. Process data synchronization between redundant process controllers
CN110493147A (en) * 2019-08-12 2019-11-22 西安微电子技术研究所 A kind of parallel redundancy ethernet communication controller and its control method
CN114355760A (en) * 2022-01-10 2022-04-15 北京广利核系统工程有限公司 Main control station and hot standby redundancy control method thereof

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100268857A1 (en) * 2009-04-20 2010-10-21 International Business Machines Corporation Management of Redundant Physical Data Paths in a Computing System
CN103401696A (en) * 2013-06-25 2013-11-20 国家电网公司 Dual-network redundant communication system in industrial equipment and communication method thereof
US20180364673A1 (en) * 2017-06-16 2018-12-20 Honeywell International Inc. Process data synchronization between redundant process controllers
CN110493147A (en) * 2019-08-12 2019-11-22 西安微电子技术研究所 A kind of parallel redundancy ethernet communication controller and its control method
CN114355760A (en) * 2022-01-10 2022-04-15 北京广利核系统工程有限公司 Main control station and hot standby redundancy control method thereof

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
刘志勇: "工业控制器可靠性若干问题的研究与开发", 中国优秀硕士学位论文全文数据库(电子期刊)信息科技辑, no. 2012, 15 July 2012 (2012-07-15), pages 1 - 73 *
吴波 等: "基于Zynq平台的工业控制器双机冗余方案及应用", 工业控制计算机, no. 10, 25 October 2018 (2018-10-25), pages 8 - 12 *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117311136A (en) * 2023-11-28 2023-12-29 中国船舶集团有限公司第七一九研究所 Dual-computer operation method and device based on interconnection heartbeat monitoring mechanism
CN117311136B (en) * 2023-11-28 2024-03-01 中国船舶集团有限公司第七一九研究所 Dual-computer operation method and device based on interconnection heartbeat monitoring mechanism
CN117573609A (en) * 2024-01-16 2024-02-20 宁波中控微电子有限公司 System-on-chip with redundancy function and control method thereof
CN117573609B (en) * 2024-01-16 2024-05-03 宁波中控微电子有限公司 System-on-chip with redundancy function and control method thereof
CN120370660A (en) * 2025-06-25 2025-07-25 云南意达智能科技有限公司 Intelligent control system with AI identification in traditional Chinese medicine extraction and concentration process
CN120722822A (en) * 2025-08-29 2025-09-30 浙江中控研究院有限公司 A multi-level redundant control method and system based on multi-entity

Also Published As

Publication number Publication date
CN116699964B (en) 2025-07-22

Similar Documents

Publication Publication Date Title
CN116699964A (en) Redundant operation method and system for industrial process controller
CN115113516B (en) A master-slave redundant control system and control method
CN103647781B (en) Mixed redundancy programmable control system based on equipment redundancy and network redundancy
CN109104349B (en) Method, system and device for train network data transmission based on CANopen protocol
CN101833536B (en) A Reconfigurable Spaceborne Computer with Redundant Arbitration Mechanism
CN103955188A (en) Control system and method supporting redundancy switching function
CN102724083A (en) Degradable triple-modular redundancy computer system based on software synchronization
CN110427283B (en) Dual-redundancy fuel management computer system
CN115913906A (en) A kind of ship redundant control system and method
CN110967969A (en) High availability industrial automation system and method for transmitting information through the same
CN107220197A (en) A kind of dual control storage device master/standby control method and device
CN106445055A (en) Power supply protection mechanism of Rack server
CN116027705A (en) Main-standby switching and data synchronizing system and method for programmable controller
CN119024674A (en) Controller redundancy system, vehicle, and controller redundancy system control method
CN107071189B (en) Connection method of communication equipment physical interface
CN113835337B (en) Train network redundancy control method and system
CN114115053B (en) Method for confirming and switching master-standby mode between arbitration modules in mimicry industrial controller
CN116089176A (en) A Hot Standby Dual Redundancy Computer Control System for AUV
CN120086072A (en) Baseboard management function failure emergency system, method, server and storage medium
CN115616891A (en) Hot standby redundancy control system and method of front-end processor based on OPC UA technology
CN114257500A (en) Fault switching method, system and device for internal network of super-converged cluster
CN118838756A (en) Remote data backup method and device
CN105959193A (en) Train control method and system
CN106789495B (en) A single-controller master-slave network bus controller online switching method
CN117278590A (en) Small hydropower station real-time data monitoring and early warning system and method

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant