Research on redundant control mode of coordinated controller based on dual control cores

Dual CPU redundant operation of a PLC is of great significance to the reliability of an industrial automation control system. In view of the problems in the traditional dual CPU PLC redundancy control mode based on a hardware strategy, this paper proposes a dual CPU redundancy control idea based on a software strategy, and describes in detail a specific scheme for dual CPU redundancy software design using A-B ControlLogix series PLCs.


1.Introduction
Redundancy control means adding standby copies of key equipment to the control system. Once the system fails in operation, the control system starts the standby equipment as quickly as possible, so as to maintain normal operation. In the industrial control field, where programmable logic controllers (PLCs) are widely used, some large-scale industrial production lines require continuous operation without pause. However, even a highly reliable PLC can hardly guarantee zero-fault continuous operation, and the reliability of a PLC depends mainly on its central module, the CPU (central processing unit). To enhance reliability, many PLC manufacturers have adopted a dual CPU mode. Practice shows that dual CPU redundancy control is an effective means to meet the requirements of continuous production and improve system reliability.
The design methods of redundancy control include "hardware redundancy" and the corresponding "software redundancy". Hardware redundancy is mainly system redundancy: it achieves fault tolerance by providing double or higher backup for important and fault-prone components, so as to improve the reliability of the system. Software redundancy mainly uses the functional redundancy of different components in the system, combined with program design, to improve the redundancy of the whole control system and thereby its fault-tolerant performance. Aiming at the defects of the traditional PLC redundancy control system based on a hardware strategy, this paper puts forward the idea of dual CPU redundancy control based on a software strategy, and describes in detail the software measures for dual CPU redundancy control based on A-B ControlLogix series PLCs.

2.Principle of Dual CPU redundancy
"Redundant" control system design means that "redundant parts" are deliberately designed into the system. A redundancy configuration represents the ability of a PLC to adapt to special needs, and is characteristic of a high-performance PLC. Its purpose is to further improve the reliability of the PLC, reduce the probability of failure, and reduce the repair time after failure. With the development of computer, automation and communication technology, most PLC developers have put forward schemes that use dual CPU redundancy to improve PLC reliability, which has greatly prolonged the fault-free operation time of the PLC. The principle of dual CPU redundancy is to use two CPU modules in the system, one of which is the working host and the other the standby module. Once the working host fails, the standby CPU is put into operation. At this point the standby CPU becomes the working host, and the original working host becomes the standby CPU once its fault handling is completed. In addition to the redundancy of the host CPU, I/O modules can also adopt a redundant structure.

3.Analysis of traditional dual CPU redundant control system
The traditional dual CPU redundancy control is completely based on hardware and does not need user programming. In the system design, more than one CPU module is configured as a backup, so that a failed running CPU module can be replaced in time, reducing the system repair time after the failure and the shutdown loss. It is called "cold backup" because the backup CPU module is not installed on the control equipment but kept in the spare parts warehouse, and is replaced manually by the system engineer when necessary. Manual replacement can only ensure the continuous operation of the control, and it cannot meet the requirements of control systems that do not allow interruption of the control process.

3.2.Hot standby redundancy control
Hot standby means that the redundant modules work online but do not participate in control. Once the controlling module fails, the redundant module automatically takes over its work, so the system is not harmed by a shutdown. In large and medium-sized PLC control systems, the dual CPU hot standby redundancy mode with switchable input and output is often used. Such a system is essentially one in which two PLCs of the same model and with the same control content operate in parallel and jointly control one input and output system, as shown in Figure 1. The system has two CPU units, which are connected by a redundant communication interface module. There is only one set of I/O modules. Each CPU unit is connected to the I/O modules through its own expansion interface, and the I/O modules are directly connected to the field equipment. When one PLC fails, the host role automatically switches to the other PLC, which continues to perform the control task. That is to say, while one PLC works, its working state and the basic parameters of the controlled object are sent to the other PLC at the same time, so that the other PLC can monitor its operation at any time and take over from it in real time.
The implementation of dual CPU redundancy based on hardware hot backup is simple and only needs an independent standby PLC system. Moreover, the pure hardware redundancy mode means that users do not need to do any programming. When the system is running, the status monitoring of the CPUs and the transfer of the master control right are completed automatically by the hot standby redundancy interface module, to ensure undisturbed switching of the outputs under the logic control of the highest-priority task. The handoff takes only tens of milliseconds and is completely transparent to other devices connected to the redundant frames through various networks. However, this method requires more hardware investment and has a higher cost, and more components and interface modules are added. The failure of these components and interface modules will greatly reduce the reliability of the whole system. In view of this, a dual CPU redundancy control strategy based on a software strategy is proposed.

4.1.The idea of software redundancy
In order to ensure the high reliability of a PLC control system, it is not necessary to add a complete second PLC hardware system, as long as the control process can be taken over by the standby system at the point of failure. Software redundancy can fully meet this requirement. Generally speaking, software redundancy refers to the variable redundancy of the control program. Its basic principle is to avoid or reduce the use of hardware redundancy. It mainly adopts a method based on online fault detection, expert system diagnosis and self-organization adjustment, and replaces hardware redundancy with analytic redundancy. The core of the PLC is the central module, the CPU, which controls the signal collection for all working conditions of the system and the real-time control of the related equipment. Therefore, in order to realize PLC redundancy control based on software technology, only one CPU needs to be added. One CPU is in the main control state, and the other CPU is in the hot standby state. In essence this is true dual CPU module redundancy control, without adding other module equipment. The status monitoring and master control transfer of the two CPU modules are realized by software programming. This forms a dual CPU redundancy control strategy based on software technology.

4.2.Key problems of software redundancy
The redundancy between the two redundant CPU modules is realized by the information exchange between them. In actual operation, the synchronization of data transmission between the CPUs is necessary, and the diagnosis process can be simplified according to the actual situation: as long as the hot standby CPU knows that the slave device is no longer under the control of the master CPU, the hot standby CPU can be promoted to master CPU. In addition, the process of redundancy switching shows that the redundant communication data is subject to time delay, that is, the data of the hot standby CPU lags behind that of the main control CPU. Such data lag can easily lead to control disturbance, controller shutdown, or an excessively long fault detection time on the redundant connection. If the control disturbance lasts too long, some actions cannot be taken in time, which may lead to accidents. Therefore, the key problem of software redundancy is to realize undisturbed switching between the main control CPU and the hot standby CPU. To solve these problems, the selection of the PLC and the software design are very important. Therefore, we select the highly reliable new-generation control platform of A-B company, the ControlLogix series PLC, to design a software redundancy control system based on dual CPU modules.

5.Software implementation of Dual CPU redundancy based on A-B ControlLogix PLC
The ControlLogix series is one of the most powerful PLCs from A-B company. It combines the functions of DCS and PLC and provides an integrated platform for sequence control, process control, motion control and transmission control. To realize software-based dual CPU redundancy with ControlLogix PLCs, the hardware basis is to plug two CPU modules of the same model into the same frame and use backplane communication for redundancy control, as shown in Figure 2. CNBr is the extended communication module. In the redundancy control software, the program for adjudicating and transferring the master control right and the synchronous control program of the dual CPU modules are the key procedures.

5.1.Adjudication and transfer of control
The program flow for the adjudication and transfer of master control is shown in Figure 3. Two CPUs run online at the same time, one in main control mode and the other in hot standby mode. The CPU with master control has I/O control, while the outputs of the hot standby CPU are inhibited and only data collection and the communication connection are kept. The two CPU modules monitor each other's operation status and communication. If the main control CPU module fails, the hot standby CPU module obtains the master control right.

5.2.Synchronous control of Dual CPU module
The synchronous control program flow of Dual CPU module is shown in Figure 4.

5.3.The idea of software redundancy
The hot standby CPU should be ready at any time. Once the main CPU fails, it immediately obtains the master control right and becomes the master CPU. Therefore, the main CPU must transmit its own status information to the hot standby CPU in real time, and the hot standby CPU must track the changes of the main CPU and stay synchronized with it. In this way, undisturbed switching can be realized when the master control right is transferred between the two CPU modules.
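The adjudication in section 5.1 and the state tracking described above can be exercised in a small simulation. This is an added example, not the paper's ControlLogix program: the `Cpu` class, the `run` function, the heartbeat counter, the three-scan timeout and the ramp used as control logic are assumptions for illustration, and the I/O is assumed to hold its last value while no CPU drives it.

```python
from dataclasses import dataclass, field

HEARTBEAT_TIMEOUT = 3  # assumed: scans without a peer heartbeat before takeover


@dataclass
class Cpu:
    name: str
    master: bool = False
    healthy: bool = True
    heartbeat: int = 0      # incremented on every healthy scan
    state: dict = field(default_factory=lambda: {"output": 0})
    peer_seen: int = 0      # last peer heartbeat value observed
    missed: int = 0         # consecutive scans with no heartbeat change

    def scan(self, peer, sync=True):
        """Run one program scan; return the value written to I/O, or None."""
        if not self.healthy:
            self.master = False             # failed CPU gives up master control
            return None                     # no heartbeat, no outputs
        self.heartbeat += 1
        self.missed = 0 if peer.heartbeat != self.peer_seen else self.missed + 1
        self.peer_seen = peer.heartbeat
        if not self.master and self.missed >= HEARTBEAT_TIMEOUT:
            self.master = True              # standby obtains the master control right
        if not self.master:
            return None                     # hot standby: outputs inhibited
        self.state["output"] += 1           # stand-in control logic: a ramp
        if sync and peer.healthy:
            peer.state = dict(self.state)   # mirror control state to the standby
        return self.state["output"]


def run(scans, fail_at, sync=True):
    """Simulate both CPUs; return (I/O value per scan, scan index of takeover)."""
    a, b = Cpu("A", master=True), Cpu("B")
    written, held, takeover = [], 0, None
    for n in range(scans):
        if n == fail_at:
            a.healthy = False               # constructed fault on the master CPU
        outs = [o for o in (a.scan(b, sync), b.scan(a, sync)) if o is not None]
        assert len(outs) <= 1, "split brain: two CPUs driving the outputs"
        if outs:
            held = outs[0]
        if b.master and takeover is None:
            takeover = n
        written.append(held)                # I/O holds last value while undriven
    return written, takeover
```

With `sync=True` the output resumes from the held value after takeover; with `sync=False` the new master restarts the ramp from its stale state, which is the control disturbance caused by data lag that section 4.2 describes.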

.Main functions of LCU
(1) Board electrode interface function; (2) Under normal conditions of the system, the upper computer sends the corresponding command to the LCU for control. When the upper computer system or network fails, the operation of the unit is controlled by the touch screen of the LCU; (3) LCU will handle the accident automatically; (4) All control processes are placed in PLC to ensure that the LCU can still work normally when the host computer or network fails.
To sum up, all the information on the upper computer is processed by the PLC of the LCU. If the PLC fails, operating personnel can no longer obtain information about the whole plant, which means that the corresponding protection control is also lost, and this poses a major hidden danger to the operating equipment. In view of the importance of the PLC monitoring system, a local LCU is provided, and a dual CPU redundant PLC is used to control a generator set or switching station to realize automation, computer operation, monitoring and management automation control.
The controller PLC, touch screen display, communication network, power supply, key test points and other important components of the system all have a redundant structure. Two monitoring, operation and management consoles, composed of two workstations and a large screen display, run in parallel; two redundant genius high-speed communication networks transmit data at the same time; a UPS power supply feeds the controller PLC, touch screen, transmitters and switch input modules at the same time; and two sensors are installed at each key test point to provide test data at the same time.
The redundancy design doubles the reliability of the key components of the system and greatly improves the overall reliability of the system.

7.Conclusion
In an industrial control system based on a PLC, the PLC is a black box for users. Once there is a fault, it is difficult for users to deal with it. In order to ensure the reliability of the control system, in addition to taking anti-interference measures in the operating environment of the PLC, redundancy design of the control system is an effective measure to improve its reliability. Which redundancy technology to adopt is determined by the reliability requirements of the control system and the project cost. Compared with a hardware-only redundancy strategy, software redundancy based on dual CPUs is an economical and effective method.
It has been proved by practice that its cost is small, but it can greatly improve the reliability of the system.