1. Application Background Description
The molten salt furnace control system is a crucial component of the monohydrate alumina pipeline leaching production line. It controls the heating and circulation of the molten salt, using its heat to circulate and heat the alumina slurry. The heating of the alumina slurry is critical, affecting the quality and yield of the final product—alumina. Therefore, the temperature and circulation control of the molten salt are extremely important.
Due to the importance of the molten salt furnace system in pipeline engineering, and considering that molten salt is an active chemical that exists in different forms at different temperatures—solidifying at low temperatures and unstable at high temperatures, potentially causing chemical reactions that could corrode pipe walls or even explode—safety, reliability, ease of operation, and automated management are crucial to the system design. Therefore, this design utilizes a dual-CPU redundant PLC, two industrial control computers, high-quality sensors, transmitters, and actuators to control two 12 million kcal molten salt furnaces, one salt pump, a set of salt valves, one molten salt tank, and other related equipment. This achieves automated control of the molten salt heating and circulation process, as well as automated computer operation, monitoring, and management. The system is shown in Figure 1.
Figure 1. Lava recording control system diagram
The system employs a redundant structure for critical components such as the PLC controller, industrial PC (including monitor), communication network, power supply, and key test points. Two monitoring and management consoles, consisting of two industrial PCs and a large-screen monitor, operate in parallel. Two redundant ControlNet high-speed communication networks transmit data simultaneously. Two DC power supplies simultaneously power the PLC controller, transmitters, and digital input modules. Two sensor test data points are simultaneously configured for each key test point. This redundancy design doubles the reliability of critical components and significantly improves the overall reliability of the system.
2 Dual-CPU PLC Controller
The PLC controller is the central control unit of the system, collecting all operating signals and controlling related equipment actions in real time. It also monitors production process parameters and equipment operating status, issuing audible and visual alarms when dangerous conditions occur and interlocking to protect equipment in extreme conditions, ensuring production safety. Here, we selected the ABControlLogix series and considered using dual CPU module redundancy to further improve system reliability and avoid production stoppages or safety accidents caused by malfunctions.
3. Comparison of two dual-CPU redundancy methods
ControlLogix offers two CPU redundancy solutions: pure hardware redundancy and software redundancy. Hardware redundancy involves installing two CPU modules in two different racks. Each rack includes the CPU module, a communication module (CNBR), a hot standby module (SRM), and an optical fiber connecting the two hot standby modules, as shown in Figure 2. Software redundancy involves installing two CPU modules in the same frame and using backplane communication for redundancy control, as shown in Figure 3.
Figure 2 Hardware solution for dual-CPU redundancy Hardware configuration
Figure 3. Software solution hardware configuration for dual-CPU redundancy
As can be seen from the above, pure hardware redundancy requires a large investment in hardware and incurs significant costs. Software redundancy, on the other hand, only requires adding a CPU module, resulting in minimal cost increase. This is because manufacturers typically provide spare parts for core PLC components like the CPU, enabling redundant control through these spare parts. This improves system reliability and maintainability (allowing for online maintenance without disrupting production line operation) without significantly increasing costs.
From a purely reliability perspective, pure hardware redundancy offers no advantage over software redundancy. This is because it adds numerous components and modules, and the failure of these components and modules will also affect system reliability. For example, a failure in the fiber optic cable connecting two hot standby modules will cause redundancy control to fail. Software redundancy, on the other hand, only adds one CPU module, and the simultaneous failure rate of two CPU modules is virtually zero.
One advantage of pure hardware redundancy is that it doesn't require specialized software programming; CPU status monitoring and control transfer are handled by two hot-standby modules. In contrast, software redundancy relies on software programming for both CPU module status monitoring and control transfer. Therefore, software redundancy programming is relatively more complex and involves a greater workload.
Taking all the above factors into consideration, this molten salt furnace automatic system adopts software-based dual-CPU redundant control of the PLC. Two CPU modules operate simultaneously in the system, one in master control mode and the other in hot backup mode. If either CPU fails, the other CPU immediately monitors the situation, issues an alarm, and automatically switches the healthy CPU to master control mode. This seamless CPU switching ensures the system remains under constant control, guaranteeing safety and keeping the pipelined production line in optimal operating condition.
4. Software Implementation
The software implementation programming for CPU redundancy control mainly considers the following two aspects:
1. Control Assignment and Transfer: Two CPUs operate online simultaneously, one in master control mode and the other in hot standby mode. The CPU with master control has output control, while the hot standby CPU simultaneously acquires data and maintains communication, but output is disabled. The two CPU modules monitor each other's operating status and communication. Upon detecting a fault in the other, an alarm is immediately issued and transmitted to the host industrial control computer via ControlNet, where the alarm is displayed on the management console. If the master control CPU module fails, the hot standby CPU module automatically gains master control. The software block diagram for control assignment and transfer is shown in Figure 4.
Figure 4. Flowchart of Dual-CPU Control Decision and Transfer Procedure
2. Synchronous control of the two CPU modules: Since the hot standby CPU is always ready, it immediately acquires control and becomes the master CPU should the master CPU fail. Therefore, the master CPU must constantly transmit its information to the hot standby CPU, and the hot standby CPU must track the changes of the master CPU and maintain synchronization. In this way, a seamless handover is achieved when the two CPU modules transfer control. The flowchart of the synchronous control program for the CPU modules is shown in Figure 5.
Figure 5. Flowchart of the synchronous control program for the dual-CPU module
5. Conclusion
Our experience suggests that software implementation of dual-CPU redundancy control is an economical and effective method. It incurs minimal costs while significantly improving system reliability. Furthermore, how to utilize the Map command in dual-CPU redundancy control to transmit data only from the CPU with primary control to other control devices via the ControlNet network is a topic worthy of further investigation.
