Method and industrial facility system for changing configuration
Reading note: this technique, Method and industrial facility system for changing configuration, was designed by 赫伯特·***, 大卫·费伦齐, 沃尔夫冈·施毛斯 and 马克西米利安·沃尔特 on 2019-07-16. Its main content: The invention relates to a method for changing the configuration of communication parameters (KP1) of a communication connection (1, 1') designed for functional safety between a first automation device (A) and a second automation device (B). In order to be able to change the configuration during operation without conflict, the first automation device (A) sends a request (31) for changing the parameters to the second automation device (B), and the second automation device reacts to the request by sending a ready confirmation (32) to the request (31), immediately freezing its output process image as the ready confirmation (32) is sent, and changing the communication parameters (KP2) for the second automation device. Furthermore, the first automation device reacts such that, after receiving the ready confirmation (32), it immediately stops the communication and changes the communication parameters (KP2) for the first automation device, wherein the input process image is frozen.
1. A method for changing a configuration of a communication parameter (KP1) of a communication connection (1, 1') between a first automation device (A) and a second automation device (B) designed for functional safety,
wherein, for exchanging data from the first automation device (A) to the second automation device (B) and in the opposite direction, a security protocol is used, wherein
the data is used as process output data (OV) or process input data (IV) for a safety-critical process,
running a first send-receive application (SEA1) on the first automation device (A), the first send-receive application performing communication together with a first device driver (G1), and
running a second send-receive application (SEA2) on the second automation device (B), which second send-receive application performs communication together with a second device driver (G2), wherein
the respective transceiver applications (SEA1, SEA2) and the respective device drivers (G1, G2) operate with a first set of communication parameters (KP1) prior to the change and with a second set of communication parameters (KP2) after the change,
characterized in that
the first automation device (A) sends a request (31) for changing a parameter to the second automation device (B), and the second automation device (B) reacts to the request such that
sending a ready confirmation (32) to the request (31), and, in the second automation device (B), immediately at the moment of sending the ready confirmation (32),
freezing the output process image, wherein the process output data (OV) last output at the second automation device (B) remains as the last value of the process output data, and
changing communication parameters (KP2) for the second automation device (B), and furthermore
the first automation device (A) reacts so that
immediately after receiving the ready confirmation (32) in the first automation device (A), the communication is stopped and communication parameters (KP2) for the first automation device (A) are changed, wherein
the input process image is frozen, whereby the process input data (IV) last present at the first automation device (A) remains as the last value of the process input data, and
when the change of the communication parameters (KP2) is ended in the first automation device (A), the first automation device restarts the communication and sends new process output data (OV) as an output process image to the second automation device (B), whereby the process output data (OV) last output at the second automation device (B) is replaced by the updated process output data (OV).
2. Method according to claim 1, wherein, with the sending of the ready acknowledgement (32), a first timer (WD1) with a first running time (T1) is started in the second transceiver application (SEA2) and monitored by means of the first timer (WD1): whether the communication is restarted by the first automation device (A) within the first running time (T1) and thereby new process output data (OV) is sent as a new output process image to the second automation device (B), and if this is the case, the second automation device (B) reacts with a completion confirmation (35) and stops the first timer (WD1).
3. Method according to claim 2, wherein after receiving the ready confirmation (32) in the first automation device (A), a second timer (WD2) with a second running time (T2) is started in the first send-receive application (SEA1) and is monitored by means of the second timer (WD2): whether the completion confirmation (35) is received within the second running time (T2).
4. The method according to claim 3, wherein the completion confirmation (35) comprises new process input data (IV) as a new input process image for the first automation device (A).
5. The method according to any one of claims 1 to 4 for performing a configuration change in an industrial facility system for controlling a safety critical process, wherein thereby an uninterrupted facility operation is achieved during the configuration change.
6. Method according to one of claims 1 to 4, wherein, after the restart of the communication, a signature is formed via the new communication parameters (KP2) in addition to the transmitted new process output data (OV) and is jointly transmitted to the second automation device (B), and the transmitted signature (CRC) is compared in the second automation device (B) with a signature (CRC') formed in the second automation device (B) via the new communication parameters (KP2).
7. An industrial facility system for controlling safety-critical processes, having a first automation device (A) and a second automation device (B), which are connected to one another via a field bus (3),
the first automation device (A) having a first transceiver application (SEA1) and a first device driver (G1), the second automation device (B) having a second transceiver application (SEA2) and a second device driver (G2),
furthermore, a configuration system (2) is provided, which is designed to configure the respective transceiver applications (SEA1, SEA2) and the respective device drivers (G1, G2) with a first set of communication parameters (KP1) and to configure the respective transceiver applications (SEA1, SEA2) and the respective device drivers (G1, G2) with a second set of communication parameters (KP2) for changes,
characterized in that
the first automation device (A) is designed to obtain a request (31) for changing a parameter from the configuration system (2) and to send the request to the second automation device (B) for changing a parameter, wherein
the second automation device (B) is designed to react to the request (31) in such a way that a ready confirmation (32) is sent to the request (31), and the second automation device (B) is designed, immediately at the point in time when the ready confirmation (32) is sent, to
freeze the output process image, whereby the process output data (OV) last output at the second automation device (B) remains as the last value of the process output data, and to
trigger a change of the communication parameters (KP2) for the second automation device (B), and furthermore,
the first automation device (A) is designed to
immediately after receiving the ready confirmation (32) in the first automation device (A), stop the communication and change the communication parameters (KP2) for the first automation device (A),
freeze the input process image, whereby the process input data (IV) last present at the first automation device (A) remains as the last value of the process input data, and
after the change of the communication parameters (KP2) has been ended in the first automation device (A), restart the communication and transmit new process output data (OV) as an output process image to the second automation device (B).
8. The facility system according to claim 7, wherein the second transceiver application (SEA2) has a first timer (WD1) and is designed to start the first timer (WD1) at the point in time of transmitting the ready acknowledgement (32) and to monitor: whether communication is restarted by the first automation device (A) within a first operating time (T1).
9. The facility system according to claim 8, wherein the first transceiver application (SEA1) has a second timer (WD2) and is designed to start the second timer (WD2) and to monitor at the point in time of receiving the ready acknowledgement: whether a completion confirmation is received within the second runtime (T2).
10. The facility system according to any of claims 7 to 9, wherein the first automation device (A) or the first send-receive application (SEA1) is designed so that, after restarting the communication, a signature (CRC) is formed via the new communication parameters (KP2) in addition to the transmitted new process output data (OV), and the signature (CRC) is jointly transmitted to the second automation device (B), and the second automation device (B) is designed so that the transmitted signature (CRC) is compared with a second signature (CRC') formed in the second automation device (B) via the new communication parameters (KP2), the second transceiver application (SEA2) being designed for this comparison so that, by knowing the new communication parameters (KP2) and by forming the second signature (CRC'), an expectation about the new communication parameters (KP2) can be generated and, if the expectation is not met, an error response is generated and/or a replacement value is provided.
Technical Field
The invention relates to a method for changing a configuration of communication parameters of a communication connection designed for functional safety between a first automation device and a second automation device, wherein, for the exchange of data from the first automation device to the second automation device and in the opposite direction, a safety protocol is used, wherein the data is used as process output data or process input data for a safety-critical process, and wherein a first send-receive application is run on the first automation device, the first send-receive application performing communication in conjunction with a first device driver, and a second send-receive application is run on the second automation device, the second send-receive application performing communication in conjunction with a second device driver, wherein the respective send-receive applications and the respective device drivers operate with a first set of communication parameters prior to the change and with a second set of communication parameters after the change.
The invention further relates to an industrial installation system for controlling safety-critical processes, having a first automation device and a second automation device, which are connected to one another via a field bus, the first automation device having a first transceiver application and a first device driver, the second automation device having a second transceiver application and a second device driver, and a configuration system being provided, which is designed to configure the respective transceiver application and the respective device driver using a first set of communication parameters and, for a change, using a second set of communication parameters.
Background
The invention relates to the technical field of functionally safe communication, in particular communication between field devices, control units and similar devices in industrial process automation or manufacturing automation. Such functionally safe communication is also referred to as F-communication and is used in particular in safety-related applications, i.e. where errors in the communication may harm human life or tangible assets.
In the case of such functionally secure communication connections, especially in the operation of industrial installations, uninterrupted operation of the installation is also important when changing the configuration at a device or network or when adding, removing or replacing a plurality of devices or individual modules.
Therefore, configuration changes during runtime, also referred to as "change parameter in runtime" measures (PiR), should be made without conflict and without compromising communication in the network. In this way, continuous production operation should be ensured without a facility shutdown.
European patent EP 2814193 B1, entitled "Method and system for identifying errors in the transmission of data from a sender to at least one receiver (Verfahren und System zur Erkennung von Fehlern bei der von Daten von einem Sender zu zumindest einen)", relates to functionally safe communication; however, no solution for conflict-free reparameterization of functionally safe connections is provided in EP 2814193 B1.
Disclosure of Invention
The purpose of the invention is: in continuous operation, communication parameters can be re-parameterized or reconfigured in a communication link designed for functional safety, that is to say, as far as possible without interruptions or switching conflicts of the facility process.
In the method proposed in the preamble, this object is achieved in that the first automation device sends a request for changing a parameter to the second automation device, and the second automation device reacts to the request such that a ready confirmation to the request is sent, the output process image in the second automation device being frozen immediately as the ready confirmation is sent, whereby the process output data last output at the second automation device remains at its final value, and the communication parameters for the second automation device are changed. Furthermore, the first automation device reacts such that, after the ready confirmation is received in the first automation device, the communication is immediately stopped and the communication parameters for the first automation device are changed, wherein the input process image is frozen, whereby the process input data last present at the first automation device remains at its final value. When the change of the communication parameters is ended in the first automation device, the first automation device restarts the communication and sends new process output data as an output process image (Prozess-Abbild) to the second automation device, whereby the process output data last output at the second automation device is replaced by the updated process output data.
As the safety protocol in the sense of the present invention, for example, the Profisafe protocol for Profinet connections is used. The functional safety protocol Profisafe is thus executed in the send-receive application and in the device driver.
It is now advantageously possible to execute the reparameterization of both parties as quickly as possible and to restart the functionally safe communication stack. As soon as the first automation device recognizes the confirmation of the request for "change of parameter", a renewed parameterization is started immediately in the first automation device; likewise, as soon as the second automation device has generated a "change of parameter" confirmation, the second automation device immediately starts a renewed parameterization, although the second automation device does not yet know when the first automation device will scan for or receive this confirmation. In this case, the second automation device keeps its process image unchanged until the first automation device transmits new process output data as an output process image to the second automation device.
In a further embodiment of the method, a first timer with a first running time is started in the second transceiver application with the sending of the ready acknowledgement, and the following is monitored by means of the first timer: whether the communication was restarted by the first automation device within the first running time and, as a result, new process output data was sent to the second automation device as a new output process image. If this is the case, the second automation device reacts with the completion confirmation and stops the first timer. The time monitoring in the first timer acts as a so-called watchdog: if the completion confirmation does not occur within the first running time of the first timer, an error is generated and, for example, a safe substitute value is provided or a safe state is assumed.
In order to further improve safety, after receiving the ready confirmation in the first automation device, a second timer having a second running time is started in the first send-receive application, and the following is monitored by means of the second timer: whether a completion confirmation is received within the second running time. The same applies here: the time monitoring is applied as a watchdog function, and if the timer expires before the completion acknowledgement arrives, an error response is generated and/or a replacement value is provided.
It is also advantageous if the completion confirmation likewise comprises new process input data as a new input process image for the first automation device.
It is seen as an important advantage to use a method according to the above-described solution features for performing a configuration change in an industrial facility system for controlling a safety-critical process, wherein thereby an uninterrupted facility operation is achieved during the change of the configuration.
A further measure for increasing the communication security consists in that, after the communication has been restarted, in addition to the new process output data transmitted, a signature is formed via the new communication parameters and this signature is jointly transmitted to the second automation device, and the transmitted signature is compared in the second automation device with the signature formed in the second automation device via the new communication parameters. If the comparison result is positive, the process image is changed, otherwise the process image is held or a safety action is taken, since a transmission error may be recognized on the basis of the changed signature.
As described in the foregoing, the object is also achieved by an industrial facility system in which the first automation device is designed to obtain a request for changing a parameter from the configuration system and to send the request to the second automation device for changing the parameter, wherein the second automation device is designed to react to the request such that a ready confirmation of the request is sent, wherein the second automation device is designed to freeze the output process image immediately at the point in time at which the ready confirmation is sent, whereby the process output data last output at the second automation device remains at its final value and a change of the communication parameters for the second automation device is triggered, and wherein the first automation device is designed to stop the communication immediately after the ready confirmation is received in the first automation device and to change the communication parameters for the first automation device, and is also designed to freeze the input process image, whereby the process input data last present at the first automation device remains at its final value, and, after the change of the communication parameters is ended in the first automation device, to restart the communication and transmit the new process output data as an output process image to the second automation device.
For example, engineering systems, in particular the engineering system named "TIA-Portal" by Siemens AG, are used as configuration systems. With the engineering system, parameterization and planning can be carried out for the functional safety module. For example, within the communication parameter range, F-parameters such as the F monitoring time, the F destination address, the behaviour after a channel error or the F peripheral DB number are parameterized or set.
The following are considered important advantages: the parameterization can be carried out during continuous operation of the installation, so that a conflict-free reparameterization of the communication connection is achieved. In this case, the handling of parameter changes in the two automation devices is very important. According to the invention, the process can therefore be started significantly earlier than is known from the prior art. Furthermore, the software implementation of the new method is also simpler than in the prior art.
It is further advantageous that the facility system is designed such that the second transceiver application has a first timer and is designed to start the first timer at the time the ready acknowledgement is transmitted and to monitor: whether the communication is restarted by the first automation device within the first running time.
Furthermore, the first transceiver application has a second timer and is designed to start the second timer at the point in time when the ready acknowledgement is received and to monitor: whether a completion confirmation is received within the second running time. The first automation device or the first transceiver application is also designed, after restarting the communication, to form a signature via the new communication parameters in addition to the transmitted new process output data and to transmit this signature jointly to the second automation device, and the transmitted signature is compared in the second automation device with a second signature formed in the second automation device via the new communication parameters; accordingly, the second transceiver application is designed for this comparison and is able to generate an expectation about the new parameters by knowing the new communication parameters and by forming the second signature, and to generate an error response if the expectation is not met.
Drawings
An embodiment of the invention is described with reference to the accompanying drawings. The figures show:
figure 1 is the flow of a method for changing communication parameters according to the prior art,
figure 2 is the process flow according to the invention,
figure 3 is a first and a second automation device with a configuration system connected thereto,
figure 4 is the sequential flow of making configuration changes in continuous operation, and
figures 5A and 5B are sequential flows of making configuration changes in continuous operation, with detailed confirmation events.
Detailed Description
Fig. 1 shows a schematic method sequence for changing a configuration between a first automation device A and a second automation device B according to the prior art. The first knowledge layer K1, the second knowledge layer K2, the third knowledge layer K3 and the fourth knowledge layer K4 are shown with dashed lines. As can be seen from the figure, in the first knowledge layer K1 the first automation device A knows that it has sent a message and that it wants to be reparameterized. In the second knowledge layer K2, the second automation device B knows that the first automation device A intends to be re-parameterized. In the third knowledge layer K3, the first automation device A knows that the second automation device B has received the message that the first automation device A wishes to be reparameterized. In the fourth knowledge layer K4, the second automation device B knows that the first automation device A knows that the second automation device B has received the message that the first automation device A wishes to be reparameterized.
The first automation device A sends a
Fig. 2 now shows that, according to the invention, the reparameterization time t_alt needed up to now is converted into an improved, shortened new reparameterization time t_neu. The fixed waiting time WZ (see fig. 1) used so far is now omitted. In a method for changing the configuration of a communication parameter KP1 of a
In the second automation device B, the output processed image is immediately frozen as soon as the
Functional safety is further improved by adding a watchdog function in the form of a first timer WD1 and a second timer WD 2. With the sending of the
After receiving the
After the
Since the second automation device B is already informed in advance of the communication parameters KP2 to be changed, the second automation device itself can also form a second signature CRC' via the second communication parameters KP2, so that the second automation device generates an expectation; an error must be raised if the expectation does not correspond to the transmitted signature CRC of the second communication parameters KP2 of the first automation device A.
Fig. 3 shows an overview in the form of a block diagram, via which the configuration system 2 can exchange communication parameters during operation. The configuration system 2 is connected to the first automation device A and sends a request for changing parameters (see also fig. 4) to the first automation device A. The first automation device A and the second automation device B are connected to each other via a
The first automation device A has a first send-receive application SEA1 and a first device driver G1. The second automation device B has a second send-receive application SEA2 and a second device driver G2. The configuration system 2 connected to the first automation device A is designed to configure the respective transceiver applications SEA1, SEA2 and the respective device drivers G1, G2 with a first set of communication parameters KP1 and to configure the respective transceiver applications SEA1, SEA2 and the respective device drivers G1, G2 with a second set of communication parameters KP2 for a change.
The first automation device A is designed to obtain a
For the purpose of the reparameterization, the second automation device is designed to freeze the output process image immediately at the point in time at which the ready confirmation 32 is sent, so that the process output data OV last output at the second automation device B remains at its last value. The communication parameters are now changed from KP1 to KP2.
The first automation device A is designed to stop the communication immediately after receiving the
The sequence of messages and requests between the first automation device A and the second automation device B for configuration changes during operation, or parameter changes in runtime (PiR), is explained with reference to fig. 4.
The second automation device B or the second send-receive application SEA2 reacts to it with knowledge of New_F-par (2.6) and sends a command Application ready (for this submodule) (2.7) back to the first automation device A. The first automation device A in turn sends a command PRM_Update accepted (2.8) back to the configuration system 2. Now the configuration system can trigger the real start of the reparameterization, Start PiR (3.0). The reparameterization process following Start PiR (3.0) is explained in detail with the aid of fig. 5.
Figs. 5A and 5B show how the re-parameterization is performed by the configuration system 2 after the start command Start PiR (3.0).
The first automation device A is depicted in dashed lines and shows in outline a first send-receive application SEA1 and a first device driver G1. The second automation device B is likewise depicted in dashed lines and shows a second send-receive application SEA2 and a second device driver G2. The first automation device A or the first send-receive application SEA1 now receives the start command for reparameterizing, Start PiR (3.0), reacts internally in response to Start PiR (3.1), and subsequently sends a command iPar_EN_C = 1 (3.2), which signals: parameter changes are now implemented. This is forwarded again by the first device driver G1 as iPar_EN = 1 (3.3), and the command or qualifier for effecting parameter changes is forwarded to the second device driver G2 of the second automation device B. The second device driver G2 informs the second send-receive application SEA2 of the parameter change internally with a command iPar_EN_DS = 1 (3.4); the second send-receive application SEA2 now triggers the freezing of the process output value OV with a command Hold_LOV, Start WD-PiR (3.5). The second transceiver application acknowledges it with iPar_OK_DC = 1 (3.6). The Start WD-PiR command starts the
The second transceiver application SEA2 replies to the feasibility of reparameterizing, iPar_EN_DE = 1, with the acknowledgement iPar_OK_DC = 1 (3.6). The second automation device now remains in the wait state Wait for iPar_EN_DS = 0 (3.7).
The second device driver G2 sends the first device driver G1 an iPar_OK = 1 (3.8). The first device driver G1 then reacts with a send command to the first send-receive application SEA1 and sends it iPar_OK_S = 1 (3.9). From now on, the process input value IV is held with the command Hold Last Input-value (LIV) or use FV and start WD-PiR (3.10). Now the second timer WD2 is started for the monitoring time explained with reference to fig. 2.
The command Stop PSD is used to stop the Profisafe driver PSD and thus also the Profisafe communication. On the second automation device B side, the Profisafe driver is likewise stopped in the second device driver G2 with the command Stop PSD (4.1). On the side of the second automation device B, the checking and application of the new parameters can now be performed with the command Check and use new iPar (4.2). Likewise, on the first automation device A side, the new configuration parameters are applied with the command Use new F-Par (4.3). On both sides, i.e. on the side of the first automation device A and on the side of the second automation device B, the respective Profisafe driver can now be restarted. This takes place on the second automation device B side with the command Restart PSD, iPar_OK_DE = 0 (4.5) and on the first automation device A side with the command Restart PSD, iPar_EN_C = 0 (4.6).
Subsequently, starting from the first automation device A side, the connection is restarted with the command Restart PROFIsafe comm (5.0). The second automation device B reacts with Cyclic Profisafe comm (5.1), i.e. cyclic Profisafe communication. In the case where the substitute value, i.e. the fail-safe value FV, was used, this substitute value is now reset with the command FV_activated = 0. This takes place on the second automation device B side by means of 5.6 and on the first automation device A side by means of 5.7. Finally, the new value is incorporated again into the cyclic communication by means of the command End Hold_LV, use Input-Value, stop WD-PiR (5.9), and finally New F-Parameter inserted (5.10) is notified to the
With regard to fig. 4 and figs. 5A and 5B, it is noted that the reparameterization is carried out without conflict with the cyclic communication 1.0, 1.2 and 1.1 shown at the top of fig. 4.
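The handshake of claims 1 to 6 and of figs. 4, 5A and 5B, as an added simulation that is not code from the patent, from Siemens or from any Profisafe stack: device B holds its last output value OV from the ready confirmation onward, device A holds its last input value IV, both switch to KP2, and the restart carries a signature over KP2 that B checks against its own expectation CRC'. The watchdogs WD1/WD2 fall back to a substitute value FV on expiry. The CRC-32 signature, the parameter names and values, the simulated clock and the value 0 for FV are assumptions of this example.

```python
import zlib
from dataclasses import dataclass
from typing import Optional

FV = 0  # fail-safe substitute value (assumption: 0 is the safe state)


def signature(kp: dict) -> int:
    """Signature over a parameter set (CRC-32 is an assumption, not Profisafe's CRC)."""
    blob = ";".join(f"{k}={kp[k]}" for k in sorted(kp)).encode()
    return zlib.crc32(blob)


@dataclass
class DeviceB:
    """Second automation device (F-device side) running the first timer WD1."""
    kp: dict
    kp_new: dict                 # KP2, known in advance via New_F-par (2.6)
    t1: float                    # running time T1 of WD1
    output_image: int = 0        # last process output data OV received from A
    wd1_started_at: Optional[float] = None
    fault: bool = False

    def on_request(self, now: float) -> str:
        """Request 31 arrives: send ready confirmation 32, hold OV, switch to KP2."""
        self.wd1_started_at = now     # Hold_LOV, Start WD-PiR (3.5): OV keeps its value
        self.kp = dict(self.kp_new)   # Check and use new iPar (4.2)
        return "READY"                # ready confirmation 32

    def tick(self, now: float) -> None:
        """Watchdog WD1: no restart within T1 -> error response plus substitute value."""
        if self.wd1_started_at is not None and now - self.wd1_started_at > self.t1:
            self.fault, self.output_image = True, FV

    def on_restart(self, now: float, ov: int, crc: int) -> str:
        """Cyclic communication restarted by A with new OV and signature CRC (5.0/5.1)."""
        self.tick(now)
        if self.fault:
            return "FAULT"
        if crc != signature(self.kp):  # expectation CRC' formed over B's own KP2
            self.fault, self.output_image = True, FV
            return "FAULT"
        self.output_image = ov         # held OV replaced by the updated OV
        self.wd1_started_at = None     # stop WD1
        return "DONE"                  # completion confirmation 35


@dataclass
class DeviceA:
    """First automation device (F-host side) running the second timer WD2."""
    kp: dict
    kp_new: dict
    t2: float                    # running time T2 of WD2
    input_image: int = 0         # last process input data IV received from B
    wd2_started_at: Optional[float] = None
    comm_running: bool = True
    fault: bool = False

    def on_ready(self, now: float) -> None:
        """Ready confirmation 32: stop comm, hold IV, switch to KP2, restart comm."""
        self.comm_running = False      # Stop PSD
        self.wd2_started_at = now      # Hold Last Input-value, start WD-PiR (3.10)
        self.kp = dict(self.kp_new)    # Use new F-Par (4.3)
        self.comm_running = True       # Restart PROFIsafe comm (5.0)

    def send_output(self, ov: int) -> tuple:
        """New OV together with the signature over KP2 (claim 6)."""
        return ov, signature(self.kp)

    def on_completion(self, now: float, reply: str, iv: int) -> None:
        """Completion confirmation 35 carries the new IV (claim 4); WD2 is checked."""
        if reply != "DONE" or now - self.wd2_started_at > self.t2:
            self.fault, self.input_image = True, FV
            return
        self.input_image = iv          # End Hold_LV, use Input-Value (5.9)
        self.wd2_started_at = None     # stop WD2


def run_pir(a: DeviceA, b: DeviceB, ov_new: int, iv_new: int,
            restart_at: float, complete_at: float) -> dict:
    """Drive one handshake on a simulated clock; all times are constructed inputs."""
    held_ov = b.output_image
    b.on_request(now=0.0)                  # request 31 -> ready confirmation 32
    a.on_ready(now=0.0)                    # A sees 32 at the same instant (assumption)
    still_held = b.output_image == held_ov  # OV is untouched while A reconfigures
    reply = b.on_restart(restart_at, *a.send_output(ov_new))
    a.on_completion(complete_at, reply, iv_new)
    return {"reply": reply, "held": still_held, "a_fault": a.fault,
            "b_fault": b.fault, "ov": b.output_image, "iv": a.input_image}
```

Running `run_pir` with a restart later than T1, a completion later than T2, or a KP2 on B that differs from the KP2 applied on A shows the three failure paths the text describes: the affected side raises a fault and provides FV instead of the held value.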