CA1182567A - Automatic line termination in distributed industrial process control system - Google Patents
Automatic line termination in distributed industrial process control systemInfo
- Publication number
- CA1182567A CA1182567A CA000442693A CA442693A CA1182567A CA 1182567 A CA1182567 A CA 1182567A CA 000442693 A CA000442693 A CA 000442693A CA 442693 A CA442693 A CA 442693A CA 1182567 A CA1182567 A CA 1182567A
- Authority
- CA
- Canada
- Prior art keywords
- remote
- communications link
- remotes
- message
- messages
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired
Links
Abstract
AUTOMATIC LINE TERMINATION IN
DISTRIBUTED INDUSTRIAL PROCESS CONTROL SYSTEM
ABSTRACT OF THE DISCLOSURE
A control system for controlling an industrial process includes a plurality of remotely located process control units (remotes) each coupled to an associated input/
output device(s) and adapted to communicate with one another through a dual channel communications link. Digital information in the form of data and control information blocks is transmitted between remotes with the blocks transmitted twice on each channel of the dual channel communications link. The destination remote checks the block validity on one of the dual channels and, if valid, responds with an acknowledgement signal (ACK), and, if invalid, tests the blocks on the other, alternate channel and then responds with an acknowledgement or non-acknowledgement signal (NAK) depending on whether the data blocks tested on the alternate channel are found valid or invalid. Each remote in the system is adapted to test the communication integrity of both channels of the communication link between it and its immediately adjacent remotes in the system and provide a line balanced termination impedance in the event one or both communication channels are degraded or interrupted.
The system thereby provides high overall operating efficiency since the remotes maintain a system-like integrity even if one of the communication links is interrupted by automatically inserting a line-matching termination impedance to prevent or minimize problems incident to unterminated,interrupted or degraded communication links, these problems including loss of signal strength in the transmission line and reflected signals.
DISTRIBUTED INDUSTRIAL PROCESS CONTROL SYSTEM
ABSTRACT OF THE DISCLOSURE
A control system for controlling an industrial process includes a plurality of remotely located process control units (remotes) each coupled to an associated input/
output device(s) and adapted to communicate with one another through a dual channel communications link. Digital information in the form of data and control information blocks is transmitted between remotes with the blocks transmitted twice on each channel of the dual channel communications link. The destination remote checks the block validity on one of the dual channels and, if valid, responds with an acknowledgement signal (ACK), and, if invalid, tests the blocks on the other, alternate channel and then responds with an acknowledgement or non-acknowledgement signal (NAK) depending on whether the data blocks tested on the alternate channel are found valid or invalid. Each remote in the system is adapted to test the communication integrity of both channels of the communication link between it and its immediately adjacent remotes in the system and provide a line balanced termination impedance in the event one or both communication channels are degraded or interrupted.
The system thereby provides high overall operating efficiency since the remotes maintain a system-like integrity even if one of the communication links is interrupted by automatically inserting a line-matching termination impedance to prevent or minimize problems incident to unterminated,interrupted or degraded communication links, these problems including loss of signal strength in the transmission line and reflected signals.
Description
~2~7 AUTOMATIC LINE TERMIMATION IN
DISTRIB~TED INDUSTRIAL PROCESS CONTROL SYSTEM
BACKGROUND OF THE INVENTION
This application is a division of Canadian Serial No. 368,795, filed January 19, 1981.
The present invention relates to control systems of the type having a plurality of remotely located process control units connected together through a communications link and, more particularly, to a control system in which each of the remote units is capable of testing the communica-ti.on integrity of the communications link between it and other remotes in the system and automatically inserting a line-termination impeda~nce when a degraded or interrupted channel in the communications link is detected.
Many system-type industrial installations, for example, those related to industrial process manufacturing and el-ectrical power generation, employ a large number of physically distributed controlled-devices and associated sensors for ef~ecting coordinated opera-tion of the overall sys-tem. In the past, coordinated control of the various devices has been achieved by manual operation and various types of semi-automati.c and automatic control systems including electro-magnetic relay systems, hardwired solid-state logic systems, and various types of computer control systems. The computer systems have included central systems in which ~he various sensors and controlled devices are connected to a central computer; distributed control systems in which a remotely located computer is connected to each of the controlled devices and to one another; and hybrid combinations of -the central and distributed systems. The successful functioning of the control system is vital to any industrial process, and, accordingly, distri~uted systems have generall~ been preferred over central systems because the failure of one of the remotely located control computers generally does not cause a system wide ~ailure as in the case of the ~ailure of the central computer in the central system~ ~owever, in the distributed systems, a communication link or buss inter-connects each of the various remotes and deterioration or interruption o~ the communication link can effectively divide the system into inoperative portions. Such degradation or interruptions of the communication link can occur when the communication link physically passes through an area of high electrical noise that can induce errors into the data transmissions or where the communications link is act-ually severed. In the lattex case, the open communications link causes an lmbalanced line impedance which can adversely affect the data signal-current levels in the communications link. When the system transmits information in digital form at high and very high data rates, an interrupted trans-mission link can cause reflected signals which, in turn, can cause false triggering and garb].ed data transmission.
In view of this, a control system must be able to detect a deyradation or interruption of its communication link and be able to minimize the adverse af~ect on the communicat-ion capability of the remaining remotes in the system in order to maintain high reliability data transmission between remotes.
SUMMAR~ OF THE INVENTION
Accordingly, the present invention seeks to provide an industrial control system for controlling an industrial process or the like having a high overall system operating reliability and more particularly seeks to provide an industrial control system which can detect th~ degradation or inter-ruption o~ the communication link and take steps to minimi.ze the adverse a~fect such degradation or interruption has on communication between remotely located controlled devices.
The present invention also seeks to provide an industrial control system defined by a plurality of remotely located process control units (remotes~ interconnected through a communication link or buss with each of the remotely located units adapted to test the communication integrity of the communications link in accordance with a predetermined sequence.
The present invention further seeks to provide an industrial control system having a plurality of remotely located process control units interconnected through a link or buss in which high reliability information transfer i5 achieved between remotes even when one or more signal carrying channels of the communication link between remotes is inter-rupted or degraded.
The invention to which this divisional application is directed in one aspect pertains to an information transfer system comprising a multiplicity of stations with a communicat-ions link interconnecting -the stations. Each station is provided with ~a) a stored-program controller and (b) trans-mitting and rece:iving means connected between the stored-program controller and the communications link for trans-mitting digital information from the stored-program controller over the communications link in messages of predetermined format to another one of the stations and for receiving digital information from another one of the stations over the communications link in messages of predetermined format.
Each station also has (c) switch means selectively operable under the control of the stored-program controller to connect an impedance to the communications link. The stored-program controllers include message checking means for determining if the transmitted messages are successfully received by the transmitting and receiving means of ~he receiving station.
The invention herein in another aspect pertains to an information transfer system for transferring digital information between stored-proyram controllers interconnected by a communications link, each controller adapted to test the communications integrity of the communications link between it and other of the controllers and connect an impedance to the communications link in the event of an interruption or degra-dation of the communications integrity of the communications link between the controllers. Each system includes a plurality of stored-program controllers interconnected through a com-munications link, each controller is provided with (a~ tran-smitting and receiving means operatively connected to the communications link for transmitting and receiving digital information in messages of predetermined format to and from each other over the communications link and with (b) message-checking means operably connected to the transmitting and receiving means for determining if transmitted messages are successfully received by the receiving controller. Each system also includes (c) selectively operable switch means to selectively connect an impedance to- the communications link. Each controller includes means to cause the trans-mltting and receiving means ko transmit messages to other of the controllers and to provide an actuation signal to the switch means to cause the switch means to connect the impedance to the communications link in response to the message checking means determining that the number of messages successfully received by the other of the controllers is below a predetermined threshhold.
The invention in this divisional application also comprehends a method of providing a line-matching impedance in a communications link of an industrial process control system having a plurality of process controlling remotes interconnected by the communications link in the event of an interruption or degradation of the communications integrity of the communicat~ons link. The method comprises the steps of providing at least a first one of the remotes with an impedance that is selectively connectable to the communica-tions ~8~7 link, transmitting a message from the first one of the remotes to a second one of the remotes, evaluating the validity of the message received at the second one of the remotes and sending a valid-message-received message from the second one of the remotes to the first one of the remotes if the test message is valid, evaluating the cornmunications integrity of the communications link between the first one of the remotes and the second one of the remotes as a function of a number of valid-message-received messages received by the first one of the remotes, and connecting the impedance means to the communications link if the number of valid-message -received messages received by the first one of the remotes is less than a predetermined value.
The invention also comprehends a method of providing a line matching impedance in a commu~ications link of an industrial process control system having a plurality of O, Rl, Rx 1~ Rx~ R~+l -- Rn_L, Rn interconnected by a common communications link in the event of an inter-ruption or degradation of the communications integrity of the communlcations link. rrhe method comprises the steps of (a) providing at least one of said remotes Rx with an impedance means that is selectively connectable to the com-munications li.nk~ (b~ transmitting a test message from the remote Rx to a selected one of the remotes R~l or Rx 1' (c) evaluating the validity of the test message sent to the selected one remote from the remote Rx, (d~ responding to a validly received message by the selected one remo-te by transmitting a valid-message-received message to the remote Rx, (e) evaluating the communicati.ons integrity of the communications link between the remote Rx and the selected one remote as a function of the valid message--received messages by the remote Rx, (f) connecting the impedance means to the communications link when the number of valid-message-received messages is below a predetermined value, and (g) repeating the steps (b) through (f) for -the other one of the remotes RX+l or RX_l.
In accordance with these objects, and others, the present lnvention provides a control system for control-ling an industrial process including a plurality of remote process control units R (remotes) connected to various controlled devices and sensors and communicating with one another through a communications link having at least two independent communication channels. Each remote is assigned a uni~ue succession number or position in a pre-determined succession order with each remote unit assuming supervisory communication control of the communications link on a revolving or master for the moment basis in accordance with the remote's relative position in the succession order. Information transfer including process data and command control information is accomplished bet-ween a source remote RS and a des-tination remote Rd by successively transmitti~g two identical informati~ blocks over each communication channel with the des-tination remote Rd testing the validity of the blocks on one of the chan-nels and, if valid, responding with an acknowledgement signal (ACK), and, if invalid, then testing the validity of the two blocks received on the oth~r, alternate channel.
An acknowled~ement (ACK) or a non-acknowledgement signal (NAK) is sent by the destination remote Rd if -the inform-ation on the alternate channel is found, respectively, valid or invalid. Each remote in the system is adapted to test the communications integrity of both communications channels between it and its immedia-tely lower order and higher order remote in the succession order and connect a line-balancing impedance tilereto in the event that one or both of the communication channels - 5a -are interrupted or degraded to the point where reliable information trancfer can not take place.
The system advantageously maintains a high over-all operating efficiency in the event of a communications link interruption since the remote on each side of the interruption will maintain, to the extent possible, a system-like integrity with a line-terminating impedance inserted by the remotes at the appropriate point in the communications link to prevent or minimize problems incident to the interruption or degradation of the com-munications link including loss of signal strength due to the unbalanced line conditions and reflected signals that can cause false triggering and the like.
BRIEF DESCRIPTION OF THE DRAWINGS
The above description, as well as the aspects, features, and advanta~es of the present invention will be more fully appreciated by reference to the following detailed description of a presently preferred but nonethe-less illustrative embodiment in accordance with the present invention when taken in connect:ion with the accompanying drawings wherein:
FIG. 1 is a schematic diagram of an exemplary process control system including a plurality of remote process control units (remotes), including both primary control remotes and redundant remotes, connected to a common, dual-channel communications link;
FIG. 2 is a schematic block diagram of an exem-plary remote process control unit of the type shown in FIG. l;
FIG. 3 is a schematic block diagram of an ex-emplary modulator/demodulator (MODEM) for the remote process control unit shown in FIG. 2;
- 5b -FIG. 4 i.s a schematic block diagrarn of an e~emplary communication pro-tocol controller for the remote process unit shown in FIG. 2;
FIG. 4A is a schematic block diagram of an exemplary input/output management device for the remote process control unit shown in FIG. 2;
FIG. 4B is a flow diagram illustrating the manner in which the change~in-status even-ts of the controlled devices of FIG. 1 are detected by the input/output manage-ment device oE FIG. 4A;
FIG. 5 illustrates the format of an exemplaryor illustlative information block for transferring infor-mation between remotes;
-- 6 ~
FIG. 5A illustrates the fornat of a header frame of the inforTnation bloc~ shown in FIG. 5;
FIG. 5B illustxates the format for a data/
information rrame of the info~nation block shown in FIG. 5i FIG. 5C illustrates the forrnat for an acknowledgement block (ACX) for acknowledging successful receipt of an information bloc~;
~ IG. 5D illustxates the format for a non-acknowledgement block (NAK) for indica~ing the unsuccessful trans~ission of an information bloc~ between remotes;
FIG. 6 illustrates, in pictorial form, two identical data blocks having the format shown in FIG. 5 successively transmitted on each comrnunication chanrel of the co~nunication link illustrated in FIG. l;
FIG. 7 is a flow diagram summa~y of the manner in which a source and a destination remote effect comm~mi-cations with one another;
FIG. 8A is 2 partial flo~- diagram illustrating in detail the manner in which a source and a destination remote communicate and validate info~nation transfexred between one another;
FIG. 8B is a partial flow diagram which com-pletes the rlow diagram of FIG. 8A and illustrates in detail the rnanner in which a source and a destination remote communicate and validate infoxmation transferred between one another;
FIG. 9 is a legend lllustrating the manner in the flow diagrams of FIG. 8A and FIG~ 8B are to be read;
FIGS. lOA through lOF are exemplary tables illustrating the manner in which supervisory control of the communication link is transferred from remote to remote;
FIG. 11 is a schematic block diagram of an exemplary redundant remote that is adapted to assume control from a failed or otherwise inoperative primary remote;
FIGS. llA and llB are flow diagrams of the manner in which the central processing unit of the redundant remote R4 monitors the operating condition of its assigned primary remotes Rl, R2, and R3 and takes over operation when one of the primary remotes fails;
FIG. 12 is a flow diagram summary of the manner by which an interrogating remote Rx tests the integrity of the communication link between it and the remotes Rx 1 and RX+l immediately adjacent thereto in the succession order;
FIG. 12A is a partial flow diagram illustrating in detail the manner by which an interrogating remote Rx tests the communications integrity of the communications link between it and the next lower number remote Rx 1 in the succession order;
FIG. 12B is a partial flow diagram illustrating in detail the manner in which an interrogating remote ~x tests the communiations integrity of the communications link between it and the next higher number remote ~x~l in the succession order;
FIG. 12C is a partial flow diagram illustrating in detail the manner by whioh a line termination impedance is applied to the communications link in the event of a communications link degradatlon or interruption - 8 ~
FIG. 13 is a legend illustrating the manner in which the flow diagrams of FIGS. 12A, 12B, and 12C are to be read; and FIG~ 14 is an exemplary table illustrating the status of various counters when an interro~ating remote Rx is evaluating the integrity of the communications link in accordance wi~h th~ flow diagram shown in FIG. 12A.
DESCRIPTION OF THE PREFERRED EMBODI~E21T
_ An industrial control system in accordance with the present invention is shown in schematic form in FIG. 1 and includes a communications link CL (C-link) having a plurality of remotely located process control units (remotes) Rl, R2,...R7, R~ connected thereto wikh the eight remotes (Rl-R8) shown being exemplary; it being understood that the system is designed to be used with a much larger number of remotes. Of -the eight remotes illustrated, the remotes Rl-R3 and R5-R7 are 'primary' remotes and the remotes R4 and R8 are 'redundant' remotes. The communications link CL is shown as an open line, double channel configuration formed from dual coax, dual twisted pair, or the like with the individual communication links identified, respectively, by the reference characters CL0 and CLl. While the system configuration shown in FIG. 1 is a distrib~ted open loop or shaxed global bus t~pe, the invention is equally suitable for application to central systems or central/
distributed hybrid configurations. The system of FIÇ. 1 is adapted for use in controlling an industrial process, e.g., the operation of a power generating plant, with each primary remote unit Rl-R3 and R5-R~ connected ~o one or more associated or corresponding input/output devices I/01-I/03 and I/05-I/07, respectively. Each input/output device is, in turn, connected to an associated controlled device CDl-CD3 and CD5-CD1 (of which only CD6 and CD7 are ~2~
illustrated in FIG. 1) such as, but not llmited to, various types of sensors (t~mperature, pressure, position, and motion sensors, etc.) and various types of actuators (motors, pumps, compressors, valves, solenoids, and relays, etc.).
Each primary remote may control a large number of output devices and respond to a large number of input devices, and the blocks labeled I/O in FIG. 1 can each represent many input and output devices.
The redundant remote R~ monitors the operation of primary remotes Rl, R2, and R3; and the redundant remote R8 monitors the operation of primary remotes R5, R6, and R7. Should any one of the remotes Rl R2, and R3 fail, -the failure will be detected by the remote R4 in a manner to be described and the remote R4 will take over control of the input and output devices of the failed remote by receiving the data from the failed remote over the communications link CL and sending commands to the failed remote over the communications link CI. in formated information blocks. Similarly, if one of the remotes R5, R6, or R7 fails, the redundant remote R8 will take over control of the operation of the input/output devices for the failed remote as described above ~ith respect to redundant remote R4. Although only eight remotes have been shown in Figure 1, any number of remotes Rl, R2, R3, ...... Rn 1~ Rn could be utilized in a particular system.
The architecture of an exemplary remote Rn is shown in FIG. 2. While the architecture of the remote Rn can vary depending upon the control process require-ments, the remote shown in FIG. 2 includes a modem 10; a communication protocol controller 12; an input~output management device 14; a central processin~ unit lCPU) 16;
~ 10 -5~7 a memory 18; a peripheral device 20 that can include, e.g., a CRT display, a printer, or a keyboardi and a common bus 22 which provides addressing, control, and information transfer between the various devices which constitute the remote. The devices shown in dotted line illustration in FIG. 2 (that is, the central processing unit 16, the memory 18, and the peripheral device 20) are provided depending upon the process control require-ments for the remote Rn. For example, in those primary remotes Rn which function as an elemental wire replacer, only the modem lO, the communication protocol controller 12, and the input/output management device 14 are pro-vided. In more complex process control requirements, an appropriately programmed central processing unit 16 and associated memory 18 are provided to effect active con-trol according to a resident firmware program. In still other remotes requiring a human interface, the appropriate peripheral device(s) 20 may be connected to the common buss 22.
As shown in more detail in FIG. 3, the modem lO
provides two independent communication channels CH~ and CHl connected, respectively, to the communication links CL0 and CL1. Each of the communication channels CH~
~nd CHl is provided with substantially identical communi-cation devices, and a description of the communication devices of the first communication channel CH0 is sufficient to provide an understanding of the second communication channel CHl. The communication channel CH~ includes an encoder/decoder 24~ for providing appropriate modulation and demodulation of the digital data trans-mitted to and received from the communication link CL~.
In the preferred form, the encoder/decoder 24~ converts digital information in non-return-to-æero binary (NRZ) format to base-band modulation (BB.~) signal format for transmission and effects the converse for reception.
~mplifiers 260 and 280 are provided, respectively, to drive a passi~e coupling transformer T0 with digital information provided from the encoder/decoder 24~ from the coupling transformer T0. A set of selectively operable relay contacts 30~ are provided between the coupling transformer T~ and the corresponding communication link CL0 to effect selective interruption thereof to isolate the remote Rn from the communications link CL, and another set of relay contacts 320 are provided to selectively connect the signal output of the coupling transformex T~ with a termination impedance Z~. The termination impedance Z~ is used when the particular remote Rn is at the end of the communication link CL to provide proper line termination impedance for the link, or, as described in more detail below, to assist in terminating an open or degraded portion of the communi-cations link CL.
A selectively operable ].oop-back circuit 34 is provided to permit looping back or recirculation of test data during diagnostic checking of the remote Rn. While not specifically shown in FIG. 3, the loop-back circuit 34 can take the form of a double pole, single throw relay that effects connection between the channels CH~ and CHl in response to a loop-back command signal 'LB'. During the diagnostic checking of a remote, which checking takes place when a ~articular remote is a master-for-the-moment as explained below, the relay contact~ of the loop-back 25~
circuit 34 are closed and a predetermined test word is sent from the channel CH~ to the channel CHl and from the channel CHl to the channel CH0 with the received word in each case being checked against the original test word to verify the transmlt/receive integrity of the particular remote.
The isolation relays 300 and 31l, the impedance termination relays 32~ and 321, and the loop-back circuit 34 are connected to and selectively controlled by a communications link control device 38 which receives its communication and control signals from the communications protrocol controller 12 described more fully below. A
watch-do~ timer 40 is provided to cause the C-link control device 38 to operate the isolation relays 30~ and 30l to disconnect the remote Rn from the communication link CL in the event the timer 40 times-out. The timer 40 is normally prevented from timing ol~t by periodic reset signals provided from the communication protocol controller 12. In this way, a remote Rn is automatically disconnected from the communication link CL in the event of a failllre of its communication protocol controller 12.
As shown in more detail in FIG. 4, each communi-cation protocol controller 12 includes input/output ports 42, 44, and 46 which interface with the above described modem lO for the communication channels CH~ and CHl and the modem C-link control device 38 (FIG. 3). A first-in first-out (FIFO) serializer 48 and another first-in first-out 5~
serializer 50 are connected between the input/output ports 42 and 44 and a CPU signal processor 52. The first-in first-out serializers 48 and 50 function as temporary stores for storing information blocks provided to and from the modems 10 as described more fully below. The CPU 52, in turn, interfaces with the buss 22 through buss control latches 54. A read only memory (ROM) 56 containing a resident firmware program for the CP~ 52 and a random access memory (RAM) 58 are provided to permit the CPU 52 to effect its communication protocol function as described more fu].ly below. Timers 62 and a register Ç0 (for example, a manually operable DIP switch register or a hardwired jumper-type register) that includes registers 60a and 60b are also provided to assist the CPU 52 in performing its communication proto-col operation. An excess transmission detector 64, connected to input/output ports 42 and 44 (corresponding to communication channels CH~ and CHl) determines when the transmission period is in excess of a predetermined limit to cause the C-link control device 38 (FIG. 3) to disconnect the transmitting remote from the communications link CL and thereby prevent a remote that is trapped in a transmission mode from monopolizing the communications link CL.
The input/output management device 14, the architecture o~ which is shown in FIG. 4A, is preferably a firm~are controlled microprocessor-based device which is adapted to scan the various input/output hardware points of the controlled device, effect a point-by-point status comparison with a prior scan, and record the change-in-status events along with the direction of the change and the time the event occurred (time-tagging), effect data collection and distrlbution to and from the input/output points, format the collected data in preferred patterns, and assemble the patterned data in selected seauences.
As shown in FIG. 4A, the input/output management device 14 includes a processor 14A connected to the remote buss 22 through a processor buss 14B; read-only-memories 14C and 14D connected to the processor 14A
through appropriate connections with these memories in-cluding the firmware necessary to effect the above-described functions of the input/output management device 14 including the change-in-status event monitoring (described in more detail below); a read/write memory 14E (RAM) for temporarily storing information incident to the operation of the processor 14A including the change-in-status event in~ormation; a time base 14F for providing time information for time tagging the change-in-status events; and an input/output interface 14G for connection, either directly or indirectly, to the controlled devices.
In the preferred embodiment, the input/output interface 14G is defined by one or more printed circuit control cards generally arranged in rack formation with each card having hardware points arranged in predetermined sets of eight points with each hardware point carrying a binary ~L~8~
indication for controlling or sensing the operation of the controlled device. The control and operational status of the controlled device can generally be represented by one or more eight-bit words (e.g., 00010001) with each bit position representing a control or operational characteristic of the controlled device.
As described in fl~rther detail below in connection with FIG. 4B, the input/output management device 14 effects the aforedescrihed change-in-status monitoring and associated time-tag~ing by periodically scanning the input/output hard-ware points in eight-bit groups and effecting a comparison between the so-obtained eight-bit group and the eight-bit group obtained during the previous scan. If a change is detected in one or more of the bit positions, the latest eight-bit group, along with the time-of-day information obtained from the time base 14F, and other information, if desired, representing the dixection of change, is placed in a first-in first-discard memory (FIFO) of predetermined size. Thus, each change-of-s~atus event along with its time tag and other information such as direction of change, etc. is placed in a memory of selected size as the changes occur. When all the memo~y locations are filled, the first entered event (which now represents the oldest chronological event) is discarded as the latest event enters the memory. The memory loading is inhibited by the occurxence of any one of a selected number of inhibit signals. In the system, various con-ditions including alarm conditions which represent partial or full system failures can be assigned a priority with ~8~
those conditions or con~lnations thereof designated as "high" priority signals being permitted to disable or inhibit further accessing of the memory. In the event one of these high priority conditions occurs, the memory is inhibited from storing additional change-in-status information and the change-in-status events occurring prior to the high priority condition are preserved for subsequent analysis. Alarm conditions which are not designated as high priority, of course, do not inhibit the memory. This technique advantageously differs from those prior techniques in which the controlled device status was only placed in memory at the moment of a high priority signal (in which case a historical pre-failure record-of-events was not available) or those techniques in which the change-in-status events were logged in a memory which was periodically cleared, refilled, and cleared in which case the probability of obtaining a complete history of events prior to a predetermined high priority condition diminished in those instances in which the logging memory was cleared ~ just prior to the occurrence of the high priority condition.
The manner by which the input/output management device 14 effects the change-of-status event logging is shown in FIG. 4B. During initialization, the processor 14s (referred to~ also as the RTZ in FIG. 4B) moves an image of the various input/output points, that is, the current status of the various input/output hardware points, to preassigned locations in the memory 14E (local) of the input/output management device 14 and the memory 18 (system) of the remote Rn (FIG. 2).
Thereafter, the address(s) of the first input/outpuk card is obtained and the input/output hardware points for that card are scanned to obtain an inpu-t/output i~age which takes the form of an eight-bit word ~e.g., 00000000) with each bit position representing the control or operational status of the controlled device. The input/output points so obtained are then compared with the previously obtained image of the points (e.g., 00100000), for example, by effecting a bit-by-bit exclusive OR (XOR) comparison. If the comparison indicates no change in status, (that is, the words are identical) the input/output points in the remaining cards are likewise scanned with the process repeated on a cyclic or looped basis. However, if a change is detected in the exclusive OR comparison, that new input/output scan, along with the time tag information and the direction of change is placed in the memory 18 of the remote Rn, and, in addition, the latest scan is moved to the memroy 14E
of the input/output management device. This process continues with each new change-in status event loaded into the memory 18 of the remote on a first-in first-discarded basis. The first-in first discard memory may be configured by assiyning a preselected number of memory locations in the memory 18 of the remote Rn (e.g., flfty locations) for the logging information and providing an address pointer that points to each successive location in a serial manner with the pointer returning to the first location arter pointing at the last available pre-assigned location in the memory.
In the preferred embodiment, the processor 14A of the input/output management device 14 (FIG. 4A) and the processor 52 (FIG. 4) of the communication protocol controller 12 is 8X300 micro-controller manufactured by the Signetics Company of Sunnyvale, ~alifornia, and the central proces~ing unit 16 (FIG. 2) is an 86/12 single board 16-bit micro-computer manu-factured by the ;ntel Company of S~nta Clara, California and adapted to and configured for the Intel MULTIBUSIM
Each remote Rn is adapted to communicate with ~he other by transitting diyital data organized in pre-determined b1Qck formats. A ~u~ta~1e and illustrative block format 66 is shown in FIG. S and include~ a multi-word header frame 66A, a multi-word data fr~me 66B, and a block termination frame or word 66C. Sel~cted of the informa~ion block configuration~ aro adapted to transfer process control information to and from salected remote units Rn and other of th~ b10ck configuration~ are adapted to transfer super~isory control of the communications link CL from one remote to the other remote as explalned in greater detail helow.
An exemplary torm~t for the header and data fram~s of an information block 66 i5 shown, rèspectively, in FIGS. 5A and SB. The headcr frame 66A preferab1y
DISTRIB~TED INDUSTRIAL PROCESS CONTROL SYSTEM
BACKGROUND OF THE INVENTION
This application is a division of Canadian Serial No. 368,795, filed January 19, 1981.
The present invention relates to control systems of the type having a plurality of remotely located process control units connected together through a communications link and, more particularly, to a control system in which each of the remote units is capable of testing the communica-ti.on integrity of the communications link between it and other remotes in the system and automatically inserting a line-termination impeda~nce when a degraded or interrupted channel in the communications link is detected.
Many system-type industrial installations, for example, those related to industrial process manufacturing and el-ectrical power generation, employ a large number of physically distributed controlled-devices and associated sensors for ef~ecting coordinated opera-tion of the overall sys-tem. In the past, coordinated control of the various devices has been achieved by manual operation and various types of semi-automati.c and automatic control systems including electro-magnetic relay systems, hardwired solid-state logic systems, and various types of computer control systems. The computer systems have included central systems in which ~he various sensors and controlled devices are connected to a central computer; distributed control systems in which a remotely located computer is connected to each of the controlled devices and to one another; and hybrid combinations of -the central and distributed systems. The successful functioning of the control system is vital to any industrial process, and, accordingly, distri~uted systems have generall~ been preferred over central systems because the failure of one of the remotely located control computers generally does not cause a system wide ~ailure as in the case of the ~ailure of the central computer in the central system~ ~owever, in the distributed systems, a communication link or buss inter-connects each of the various remotes and deterioration or interruption o~ the communication link can effectively divide the system into inoperative portions. Such degradation or interruptions of the communication link can occur when the communication link physically passes through an area of high electrical noise that can induce errors into the data transmissions or where the communications link is act-ually severed. In the lattex case, the open communications link causes an lmbalanced line impedance which can adversely affect the data signal-current levels in the communications link. When the system transmits information in digital form at high and very high data rates, an interrupted trans-mission link can cause reflected signals which, in turn, can cause false triggering and garb].ed data transmission.
In view of this, a control system must be able to detect a deyradation or interruption of its communication link and be able to minimize the adverse af~ect on the communicat-ion capability of the remaining remotes in the system in order to maintain high reliability data transmission between remotes.
SUMMAR~ OF THE INVENTION
Accordingly, the present invention seeks to provide an industrial control system for controlling an industrial process or the like having a high overall system operating reliability and more particularly seeks to provide an industrial control system which can detect th~ degradation or inter-ruption o~ the communication link and take steps to minimi.ze the adverse a~fect such degradation or interruption has on communication between remotely located controlled devices.
The present invention also seeks to provide an industrial control system defined by a plurality of remotely located process control units (remotes~ interconnected through a communication link or buss with each of the remotely located units adapted to test the communication integrity of the communications link in accordance with a predetermined sequence.
The present invention further seeks to provide an industrial control system having a plurality of remotely located process control units interconnected through a link or buss in which high reliability information transfer i5 achieved between remotes even when one or more signal carrying channels of the communication link between remotes is inter-rupted or degraded.
The invention to which this divisional application is directed in one aspect pertains to an information transfer system comprising a multiplicity of stations with a communicat-ions link interconnecting -the stations. Each station is provided with ~a) a stored-program controller and (b) trans-mitting and rece:iving means connected between the stored-program controller and the communications link for trans-mitting digital information from the stored-program controller over the communications link in messages of predetermined format to another one of the stations and for receiving digital information from another one of the stations over the communications link in messages of predetermined format.
Each station also has (c) switch means selectively operable under the control of the stored-program controller to connect an impedance to the communications link. The stored-program controllers include message checking means for determining if the transmitted messages are successfully received by the transmitting and receiving means of ~he receiving station.
The invention herein in another aspect pertains to an information transfer system for transferring digital information between stored-proyram controllers interconnected by a communications link, each controller adapted to test the communications integrity of the communications link between it and other of the controllers and connect an impedance to the communications link in the event of an interruption or degra-dation of the communications integrity of the communications link between the controllers. Each system includes a plurality of stored-program controllers interconnected through a com-munications link, each controller is provided with (a~ tran-smitting and receiving means operatively connected to the communications link for transmitting and receiving digital information in messages of predetermined format to and from each other over the communications link and with (b) message-checking means operably connected to the transmitting and receiving means for determining if transmitted messages are successfully received by the receiving controller. Each system also includes (c) selectively operable switch means to selectively connect an impedance to- the communications link. Each controller includes means to cause the trans-mltting and receiving means ko transmit messages to other of the controllers and to provide an actuation signal to the switch means to cause the switch means to connect the impedance to the communications link in response to the message checking means determining that the number of messages successfully received by the other of the controllers is below a predetermined threshhold.
The invention in this divisional application also comprehends a method of providing a line-matching impedance in a communications link of an industrial process control system having a plurality of process controlling remotes interconnected by the communications link in the event of an interruption or degradation of the communications integrity of the communicat~ons link. The method comprises the steps of providing at least a first one of the remotes with an impedance that is selectively connectable to the communica-tions ~8~7 link, transmitting a message from the first one of the remotes to a second one of the remotes, evaluating the validity of the message received at the second one of the remotes and sending a valid-message-received message from the second one of the remotes to the first one of the remotes if the test message is valid, evaluating the cornmunications integrity of the communications link between the first one of the remotes and the second one of the remotes as a function of a number of valid-message-received messages received by the first one of the remotes, and connecting the impedance means to the communications link if the number of valid-message -received messages received by the first one of the remotes is less than a predetermined value.
The invention also comprehends a method of providing a line matching impedance in a commu~ications link of an industrial process control system having a plurality of O, Rl, Rx 1~ Rx~ R~+l -- Rn_L, Rn interconnected by a common communications link in the event of an inter-ruption or degradation of the communications integrity of the communlcations link. rrhe method comprises the steps of (a) providing at least one of said remotes Rx with an impedance means that is selectively connectable to the com-munications li.nk~ (b~ transmitting a test message from the remote Rx to a selected one of the remotes R~l or Rx 1' (c) evaluating the validity of the test message sent to the selected one remote from the remote Rx, (d~ responding to a validly received message by the selected one remo-te by transmitting a valid-message-received message to the remote Rx, (e) evaluating the communicati.ons integrity of the communications link between the remote Rx and the selected one remote as a function of the valid message--received messages by the remote Rx, (f) connecting the impedance means to the communications link when the number of valid-message-received messages is below a predetermined value, and (g) repeating the steps (b) through (f) for -the other one of the remotes RX+l or RX_l.
In accordance with these objects, and others, the present lnvention provides a control system for control-ling an industrial process including a plurality of remote process control units R (remotes) connected to various controlled devices and sensors and communicating with one another through a communications link having at least two independent communication channels. Each remote is assigned a uni~ue succession number or position in a pre-determined succession order with each remote unit assuming supervisory communication control of the communications link on a revolving or master for the moment basis in accordance with the remote's relative position in the succession order. Information transfer including process data and command control information is accomplished bet-ween a source remote RS and a des-tination remote Rd by successively transmitti~g two identical informati~ blocks over each communication channel with the des-tination remote Rd testing the validity of the blocks on one of the chan-nels and, if valid, responding with an acknowledgement signal (ACK), and, if invalid, then testing the validity of the two blocks received on the oth~r, alternate channel.
An acknowled~ement (ACK) or a non-acknowledgement signal (NAK) is sent by the destination remote Rd if -the inform-ation on the alternate channel is found, respectively, valid or invalid. Each remote in the system is adapted to test the communications integrity of both communications channels between it and its immedia-tely lower order and higher order remote in the succession order and connect a line-balancing impedance tilereto in the event that one or both of the communication channels - 5a -are interrupted or degraded to the point where reliable information trancfer can not take place.
The system advantageously maintains a high over-all operating efficiency in the event of a communications link interruption since the remote on each side of the interruption will maintain, to the extent possible, a system-like integrity with a line-terminating impedance inserted by the remotes at the appropriate point in the communications link to prevent or minimize problems incident to the interruption or degradation of the com-munications link including loss of signal strength due to the unbalanced line conditions and reflected signals that can cause false triggering and the like.
BRIEF DESCRIPTION OF THE DRAWINGS
The above description, as well as the aspects, features, and advanta~es of the present invention will be more fully appreciated by reference to the following detailed description of a presently preferred but nonethe-less illustrative embodiment in accordance with the present invention when taken in connect:ion with the accompanying drawings wherein:
FIG. 1 is a schematic diagram of an exemplary process control system including a plurality of remote process control units (remotes), including both primary control remotes and redundant remotes, connected to a common, dual-channel communications link;
FIG. 2 is a schematic block diagram of an exem-plary remote process control unit of the type shown in FIG. l;
FIG. 3 is a schematic block diagram of an ex-emplary modulator/demodulator (MODEM) for the remote process control unit shown in FIG. 2;
- 5b -FIG. 4 i.s a schematic block diagrarn of an e~emplary communication pro-tocol controller for the remote process unit shown in FIG. 2;
FIG. 4A is a schematic block diagram of an exemplary input/output management device for the remote process control unit shown in FIG. 2;
FIG. 4B is a flow diagram illustrating the manner in which the change~in-status even-ts of the controlled devices of FIG. 1 are detected by the input/output manage-ment device oE FIG. 4A;
FIG. 5 illustrates the format of an exemplaryor illustlative information block for transferring infor-mation between remotes;
-- 6 ~
FIG. 5A illustrates the fornat of a header frame of the inforTnation bloc~ shown in FIG. 5;
FIG. 5B illustxates the format for a data/
information rrame of the info~nation block shown in FIG. 5i FIG. 5C illustrates the forrnat for an acknowledgement block (ACX) for acknowledging successful receipt of an information bloc~;
~ IG. 5D illustxates the format for a non-acknowledgement block (NAK) for indica~ing the unsuccessful trans~ission of an information bloc~ between remotes;
FIG. 6 illustrates, in pictorial form, two identical data blocks having the format shown in FIG. 5 successively transmitted on each comrnunication chanrel of the co~nunication link illustrated in FIG. l;
FIG. 7 is a flow diagram summa~y of the manner in which a source and a destination remote effect comm~mi-cations with one another;
FIG. 8A is 2 partial flo~- diagram illustrating in detail the manner in which a source and a destination remote communicate and validate info~nation transfexred between one another;
FIG. 8B is a partial flow diagram which com-pletes the rlow diagram of FIG. 8A and illustrates in detail the rnanner in which a source and a destination remote communicate and validate infoxmation transferred between one another;
FIG. 9 is a legend lllustrating the manner in the flow diagrams of FIG. 8A and FIG~ 8B are to be read;
FIGS. lOA through lOF are exemplary tables illustrating the manner in which supervisory control of the communication link is transferred from remote to remote;
FIG. 11 is a schematic block diagram of an exemplary redundant remote that is adapted to assume control from a failed or otherwise inoperative primary remote;
FIGS. llA and llB are flow diagrams of the manner in which the central processing unit of the redundant remote R4 monitors the operating condition of its assigned primary remotes Rl, R2, and R3 and takes over operation when one of the primary remotes fails;
FIG. 12 is a flow diagram summary of the manner by which an interrogating remote Rx tests the integrity of the communication link between it and the remotes Rx 1 and RX+l immediately adjacent thereto in the succession order;
FIG. 12A is a partial flow diagram illustrating in detail the manner by which an interrogating remote Rx tests the communications integrity of the communications link between it and the next lower number remote Rx 1 in the succession order;
FIG. 12B is a partial flow diagram illustrating in detail the manner in which an interrogating remote ~x tests the communiations integrity of the communications link between it and the next higher number remote ~x~l in the succession order;
FIG. 12C is a partial flow diagram illustrating in detail the manner by whioh a line termination impedance is applied to the communications link in the event of a communications link degradatlon or interruption - 8 ~
FIG. 13 is a legend illustrating the manner in which the flow diagrams of FIGS. 12A, 12B, and 12C are to be read; and FIG~ 14 is an exemplary table illustrating the status of various counters when an interro~ating remote Rx is evaluating the integrity of the communications link in accordance wi~h th~ flow diagram shown in FIG. 12A.
DESCRIPTION OF THE PREFERRED EMBODI~E21T
_ An industrial control system in accordance with the present invention is shown in schematic form in FIG. 1 and includes a communications link CL (C-link) having a plurality of remotely located process control units (remotes) Rl, R2,...R7, R~ connected thereto wikh the eight remotes (Rl-R8) shown being exemplary; it being understood that the system is designed to be used with a much larger number of remotes. Of -the eight remotes illustrated, the remotes Rl-R3 and R5-R7 are 'primary' remotes and the remotes R4 and R8 are 'redundant' remotes. The communications link CL is shown as an open line, double channel configuration formed from dual coax, dual twisted pair, or the like with the individual communication links identified, respectively, by the reference characters CL0 and CLl. While the system configuration shown in FIG. 1 is a distrib~ted open loop or shaxed global bus t~pe, the invention is equally suitable for application to central systems or central/
distributed hybrid configurations. The system of FIÇ. 1 is adapted for use in controlling an industrial process, e.g., the operation of a power generating plant, with each primary remote unit Rl-R3 and R5-R~ connected ~o one or more associated or corresponding input/output devices I/01-I/03 and I/05-I/07, respectively. Each input/output device is, in turn, connected to an associated controlled device CDl-CD3 and CD5-CD1 (of which only CD6 and CD7 are ~2~
illustrated in FIG. 1) such as, but not llmited to, various types of sensors (t~mperature, pressure, position, and motion sensors, etc.) and various types of actuators (motors, pumps, compressors, valves, solenoids, and relays, etc.).
Each primary remote may control a large number of output devices and respond to a large number of input devices, and the blocks labeled I/O in FIG. 1 can each represent many input and output devices.
The redundant remote R~ monitors the operation of primary remotes Rl, R2, and R3; and the redundant remote R8 monitors the operation of primary remotes R5, R6, and R7. Should any one of the remotes Rl R2, and R3 fail, -the failure will be detected by the remote R4 in a manner to be described and the remote R4 will take over control of the input and output devices of the failed remote by receiving the data from the failed remote over the communications link CL and sending commands to the failed remote over the communications link CI. in formated information blocks. Similarly, if one of the remotes R5, R6, or R7 fails, the redundant remote R8 will take over control of the operation of the input/output devices for the failed remote as described above ~ith respect to redundant remote R4. Although only eight remotes have been shown in Figure 1, any number of remotes Rl, R2, R3, ...... Rn 1~ Rn could be utilized in a particular system.
The architecture of an exemplary remote Rn is shown in FIG. 2. While the architecture of the remote Rn can vary depending upon the control process require-ments, the remote shown in FIG. 2 includes a modem 10; a communication protocol controller 12; an input~output management device 14; a central processin~ unit lCPU) 16;
~ 10 -5~7 a memory 18; a peripheral device 20 that can include, e.g., a CRT display, a printer, or a keyboardi and a common bus 22 which provides addressing, control, and information transfer between the various devices which constitute the remote. The devices shown in dotted line illustration in FIG. 2 (that is, the central processing unit 16, the memory 18, and the peripheral device 20) are provided depending upon the process control require-ments for the remote Rn. For example, in those primary remotes Rn which function as an elemental wire replacer, only the modem lO, the communication protocol controller 12, and the input/output management device 14 are pro-vided. In more complex process control requirements, an appropriately programmed central processing unit 16 and associated memory 18 are provided to effect active con-trol according to a resident firmware program. In still other remotes requiring a human interface, the appropriate peripheral device(s) 20 may be connected to the common buss 22.
As shown in more detail in FIG. 3, the modem lO
provides two independent communication channels CH~ and CHl connected, respectively, to the communication links CL0 and CL1. Each of the communication channels CH~
~nd CHl is provided with substantially identical communi-cation devices, and a description of the communication devices of the first communication channel CH0 is sufficient to provide an understanding of the second communication channel CHl. The communication channel CH~ includes an encoder/decoder 24~ for providing appropriate modulation and demodulation of the digital data trans-mitted to and received from the communication link CL~.
In the preferred form, the encoder/decoder 24~ converts digital information in non-return-to-æero binary (NRZ) format to base-band modulation (BB.~) signal format for transmission and effects the converse for reception.
~mplifiers 260 and 280 are provided, respectively, to drive a passi~e coupling transformer T0 with digital information provided from the encoder/decoder 24~ from the coupling transformer T0. A set of selectively operable relay contacts 30~ are provided between the coupling transformer T~ and the corresponding communication link CL0 to effect selective interruption thereof to isolate the remote Rn from the communications link CL, and another set of relay contacts 320 are provided to selectively connect the signal output of the coupling transformex T~ with a termination impedance Z~. The termination impedance Z~ is used when the particular remote Rn is at the end of the communication link CL to provide proper line termination impedance for the link, or, as described in more detail below, to assist in terminating an open or degraded portion of the communi-cations link CL.
A selectively operable ].oop-back circuit 34 is provided to permit looping back or recirculation of test data during diagnostic checking of the remote Rn. While not specifically shown in FIG. 3, the loop-back circuit 34 can take the form of a double pole, single throw relay that effects connection between the channels CH~ and CHl in response to a loop-back command signal 'LB'. During the diagnostic checking of a remote, which checking takes place when a ~articular remote is a master-for-the-moment as explained below, the relay contact~ of the loop-back 25~
circuit 34 are closed and a predetermined test word is sent from the channel CH~ to the channel CHl and from the channel CHl to the channel CH0 with the received word in each case being checked against the original test word to verify the transmlt/receive integrity of the particular remote.
The isolation relays 300 and 31l, the impedance termination relays 32~ and 321, and the loop-back circuit 34 are connected to and selectively controlled by a communications link control device 38 which receives its communication and control signals from the communications protrocol controller 12 described more fully below. A
watch-do~ timer 40 is provided to cause the C-link control device 38 to operate the isolation relays 30~ and 30l to disconnect the remote Rn from the communication link CL in the event the timer 40 times-out. The timer 40 is normally prevented from timing ol~t by periodic reset signals provided from the communication protocol controller 12. In this way, a remote Rn is automatically disconnected from the communication link CL in the event of a failllre of its communication protocol controller 12.
As shown in more detail in FIG. 4, each communi-cation protocol controller 12 includes input/output ports 42, 44, and 46 which interface with the above described modem lO for the communication channels CH~ and CHl and the modem C-link control device 38 (FIG. 3). A first-in first-out (FIFO) serializer 48 and another first-in first-out 5~
serializer 50 are connected between the input/output ports 42 and 44 and a CPU signal processor 52. The first-in first-out serializers 48 and 50 function as temporary stores for storing information blocks provided to and from the modems 10 as described more fully below. The CPU 52, in turn, interfaces with the buss 22 through buss control latches 54. A read only memory (ROM) 56 containing a resident firmware program for the CP~ 52 and a random access memory (RAM) 58 are provided to permit the CPU 52 to effect its communication protocol function as described more fu].ly below. Timers 62 and a register Ç0 (for example, a manually operable DIP switch register or a hardwired jumper-type register) that includes registers 60a and 60b are also provided to assist the CPU 52 in performing its communication proto-col operation. An excess transmission detector 64, connected to input/output ports 42 and 44 (corresponding to communication channels CH~ and CHl) determines when the transmission period is in excess of a predetermined limit to cause the C-link control device 38 (FIG. 3) to disconnect the transmitting remote from the communications link CL and thereby prevent a remote that is trapped in a transmission mode from monopolizing the communications link CL.
The input/output management device 14, the architecture o~ which is shown in FIG. 4A, is preferably a firm~are controlled microprocessor-based device which is adapted to scan the various input/output hardware points of the controlled device, effect a point-by-point status comparison with a prior scan, and record the change-in-status events along with the direction of the change and the time the event occurred (time-tagging), effect data collection and distrlbution to and from the input/output points, format the collected data in preferred patterns, and assemble the patterned data in selected seauences.
As shown in FIG. 4A, the input/output management device 14 includes a processor 14A connected to the remote buss 22 through a processor buss 14B; read-only-memories 14C and 14D connected to the processor 14A
through appropriate connections with these memories in-cluding the firmware necessary to effect the above-described functions of the input/output management device 14 including the change-in-status event monitoring (described in more detail below); a read/write memory 14E (RAM) for temporarily storing information incident to the operation of the processor 14A including the change-in-status event in~ormation; a time base 14F for providing time information for time tagging the change-in-status events; and an input/output interface 14G for connection, either directly or indirectly, to the controlled devices.
In the preferred embodiment, the input/output interface 14G is defined by one or more printed circuit control cards generally arranged in rack formation with each card having hardware points arranged in predetermined sets of eight points with each hardware point carrying a binary ~L~8~
indication for controlling or sensing the operation of the controlled device. The control and operational status of the controlled device can generally be represented by one or more eight-bit words (e.g., 00010001) with each bit position representing a control or operational characteristic of the controlled device.
As described in fl~rther detail below in connection with FIG. 4B, the input/output management device 14 effects the aforedescrihed change-in-status monitoring and associated time-tag~ing by periodically scanning the input/output hard-ware points in eight-bit groups and effecting a comparison between the so-obtained eight-bit group and the eight-bit group obtained during the previous scan. If a change is detected in one or more of the bit positions, the latest eight-bit group, along with the time-of-day information obtained from the time base 14F, and other information, if desired, representing the dixection of change, is placed in a first-in first-discard memory (FIFO) of predetermined size. Thus, each change-of-s~atus event along with its time tag and other information such as direction of change, etc. is placed in a memory of selected size as the changes occur. When all the memo~y locations are filled, the first entered event (which now represents the oldest chronological event) is discarded as the latest event enters the memory. The memory loading is inhibited by the occurxence of any one of a selected number of inhibit signals. In the system, various con-ditions including alarm conditions which represent partial or full system failures can be assigned a priority with ~8~
those conditions or con~lnations thereof designated as "high" priority signals being permitted to disable or inhibit further accessing of the memory. In the event one of these high priority conditions occurs, the memory is inhibited from storing additional change-in-status information and the change-in-status events occurring prior to the high priority condition are preserved for subsequent analysis. Alarm conditions which are not designated as high priority, of course, do not inhibit the memory. This technique advantageously differs from those prior techniques in which the controlled device status was only placed in memory at the moment of a high priority signal (in which case a historical pre-failure record-of-events was not available) or those techniques in which the change-in-status events were logged in a memory which was periodically cleared, refilled, and cleared in which case the probability of obtaining a complete history of events prior to a predetermined high priority condition diminished in those instances in which the logging memory was cleared ~ just prior to the occurrence of the high priority condition.
The manner by which the input/output management device 14 effects the change-of-status event logging is shown in FIG. 4B. During initialization, the processor 14s (referred to~ also as the RTZ in FIG. 4B) moves an image of the various input/output points, that is, the current status of the various input/output hardware points, to preassigned locations in the memory 14E (local) of the input/output management device 14 and the memory 18 (system) of the remote Rn (FIG. 2).
Thereafter, the address(s) of the first input/outpuk card is obtained and the input/output hardware points for that card are scanned to obtain an inpu-t/output i~age which takes the form of an eight-bit word ~e.g., 00000000) with each bit position representing the control or operational status of the controlled device. The input/output points so obtained are then compared with the previously obtained image of the points (e.g., 00100000), for example, by effecting a bit-by-bit exclusive OR (XOR) comparison. If the comparison indicates no change in status, (that is, the words are identical) the input/output points in the remaining cards are likewise scanned with the process repeated on a cyclic or looped basis. However, if a change is detected in the exclusive OR comparison, that new input/output scan, along with the time tag information and the direction of change is placed in the memory 18 of the remote Rn, and, in addition, the latest scan is moved to the memroy 14E
of the input/output management device. This process continues with each new change-in status event loaded into the memory 18 of the remote on a first-in first-discarded basis. The first-in first discard memory may be configured by assiyning a preselected number of memory locations in the memory 18 of the remote Rn (e.g., flfty locations) for the logging information and providing an address pointer that points to each successive location in a serial manner with the pointer returning to the first location arter pointing at the last available pre-assigned location in the memory.
In the preferred embodiment, the processor 14A of the input/output management device 14 (FIG. 4A) and the processor 52 (FIG. 4) of the communication protocol controller 12 is 8X300 micro-controller manufactured by the Signetics Company of Sunnyvale, ~alifornia, and the central proces~ing unit 16 (FIG. 2) is an 86/12 single board 16-bit micro-computer manu-factured by the ;ntel Company of S~nta Clara, California and adapted to and configured for the Intel MULTIBUSIM
Each remote Rn is adapted to communicate with ~he other by transitting diyital data organized in pre-determined b1Qck formats. A ~u~ta~1e and illustrative block format 66 is shown in FIG. S and include~ a multi-word header frame 66A, a multi-word data fr~me 66B, and a block termination frame or word 66C. Sel~cted of the informa~ion block configuration~ aro adapted to transfer process control information to and from salected remote units Rn and other of th~ b10ck configuration~ are adapted to transfer super~isory control of the communications link CL from one remote to the other remote as explalned in greater detail helow.
An exemplary torm~t for the header and data fram~s of an information block 66 i5 shown, rèspectively, in FIGS. 5A and SB. The headcr frame 66A preferab1y
2~ includes a 'start of heade~' word(~) that indica~es to all remotes that informaton is being tran~mitt d; a 'source' identification word (8) that ind~c~t~ ~h~ id ntity of the source remote Rs that i~ tran~erring the infor~tion;
'destination' wordts) that indicat~ th~ identiy of th~
receiving or destination r~mot~ Rd; a 'h~adcr-typ~' word(~) th~l~ indicates whethar th~ data block is tran3fer~ing dat~, a parame~ered command block, or a paramcter1eY~ comm~nd block;
'block-type' word indicating the type of block ~that is, a co.~mand block or a data block)s a 'block numher' word that ~ 19 -indicates the number of blocks being sent; a 'block size' word indicating the length of the data framei a 'security code' word(s) that permits alteration of the resident soft-ware programming in a remote; and, finally, a two-byte 'cyclic redundancy code' (CRC) validity word. The data frame for each data block, as shown in FI5. SB, can in-clude a plurality of data carrying bytes or words B1, B2~...Bn of variable length terminated with a two-byte cyclic red~ndancy code word. As described moxe fully below, each of the remotes is adapted to acknowledge (ACK) successful receipt of da~a and command blocks and non-acknowledge (N~C~ the receipt of data in which a trans-mission error is detected. When transmit~ing an acknowledgement block or a non-acknowledgement block, the header format used is shown in FIGS. 5C and 5D in which an acknowledgement (ACK~ or non-acknowledgement (NAK) word occupies the 'block type' word position. The block ~ormats disclosed above are intended to be illustrative only and not limiting.
The various remots units Rl, R2~ R3,.. Rn communi-cate with one anokher by having each remote successlvely take contxol of the communications link CL and the controlli~g remote Rs then sending digital information between itself and a destination remote Rd using a double transmission alternate line technique that provides for high reliability data transfer between remotes even when one of the two communication li~ks C~ or C~l is inoperative, for example, when one of the two communication cables is severed or otherwise degraded as occassionally occurs in harsh industrial environments.
When a remote unit assumes control of the communi-cation link GL (as explained more fully below) and, as a source remote Rs, desires to send data blocks to another, destination remote Rd, the data block is assembled at the source remote Rs.in accordance with the block formats discussed abo~e in connection with FIGS. 5-5D and trans-mitted through ~he information channels CL0 and CLl of the source remote Rs to the communication links CL~ and CL1 wi~h the header frame containing both the source remote Rs and the destination remote Rd identi~ication information.
In accordance with the data transmission technique, the communication protocol controller 12 of the source remo e Rs transmits the information blocks twice on each communication link CL~ and CL1 as schematically illustrated in FIG. 6 to provide a first data block DBA and then a second, following data block DBB on each communication link CL~ and CLl.
The transmitted infonmation block headers include the identity of th~ destination remote, Rd, which causes the destination remote Rd to receive and act upon the information blocks. At the des~ination remote Rd, the two data blocks DBA~ and DBB~ on the communicatlon link C~0 are passed through the communication channel CH0 and the two data blocks DBAl and DBBl on the communication link CLl are passed through the communication channel C~1 to, respectively, the first-in firs~-ou~ serialiæ~rs 48 and SO (FIG~ 4).
A5 shown in the summary flow diagram of FIG. 7, the destingation remote Rd checks the validity of the reseived data by selecting one of the two communication links (e.g., CL0 in FIG. 7) and then checks the first 2~7 data block on the selected line (that is, DBA~) by performing a cyclic redundancy check of the header frame and, if valid, performing a cyclic redundancy check of the data frame. If the data frame is valid, the communi-cation protocol controller 12 of the destination remote Rd then performs a bit-for-bit comparision between the CRC-valid first data block DBA~ and the second following data block DB~. If the bit-for-bit comparision is good, an acknowledgement (ACX) signal is sent from the destination remote Rd to the source remote Rs to indicate the receipt of valid information and complete that data ~lock information transaction. On ~he other hand, if the CRC
validity checks of the header or the data rame or the bit-for-bit comparison check indicate invalid data, the protocol controller 12 of the destination remote Rd then selects the other, alternate line (in this case, CLl) and performs the aforementioned cyclic redundancy checks of the header and data frame and the bit-for-bit comparison between the flrst and second data blocks DBAl and DB
on the alternate line CLl. I~ these checks indicate valid data on the alternate line, the destinat1on remote Rd responds with an acknowledgement signal (ACK) to conclud~ the data block transmission transaction. On the other hand, if ths~e checks indicate invalid data on the alternate line (which mean~ that tha data ~locks on bo~h the first-selected lin~ and the alternate line are in~alid) the destination remote Rd responds with a non acknowledgement signal (NAK) to cause retransmission of the data blocks from the source remote Rs. The non-acknowledgement block (NAK) includes a byte or bytes indicating the identity of the data block or blocks which should be retransmitted. A counter (not shown) is ~rovided that counts the number of retransmissions from the source remote Rs and, after a fini~e number of re-transmissions (e.g., four), halts further retransmission to assure that a source remote Rs and a destination remote Rd do not become lost in a xepetitive transmit/NAK/re-transmit/NAK... sequence in the avent of a hardware or software failure of the destination remote Rd error checking mechanism.
The double message alternate line checking sequence summarized in FIG. 7 may be more fully appreciated by referring to the detailed flow diagram shown in FIGS. 8A
and 8B (as read i~ accordance with the flow diagram map of FIG. 9). At the start of the information validity checking procedure, the 'line ~-first' flag register is checked; if a flag is present, the 'first-attempt fail' flag register is checked, and, if there is no flag in thIs register, the two data blocks DBAl and DBBl on channel C~l are stored while the tWQ data blocks D~A~ and DB~0 on channel CH~ are used for the first attempt information check.
Thereafter, the header frame of the first data block DBA~
on channel CH~ undergoes a CRC check, and, if acceptable, the data frame of this data block DBA0 undergoes a CRC check.
If the header and data frames CRC checks indicate valid data a 'good message' register is incremented. If the number of good messages is less than two, the error checking procedure returns o the initial part of the 10w diagram and, after ~25~97 dPtermining there is no channel CH0 first flag or first-attempt flag present, checks the second following data block DBB~ by repeating the header and data CRC cyclic redundancy checks. If the header and data frames pass the CRC checks, the 'good messagel register is incremented again to indicate that a total of two messages in succession (that is, DBA~ and DBB0) have passed the cyclic redundancy check for the header and data frames. Thereafter, the two data blocks DBA~ and DBB~ received on line CH~ are checked by performing a bit-by-bit comparision between the two. If the data blocks DBA~ and DBB~ pass the bit-by-bit comparision test, the communi-cations protocol controller 12 of the destination remote Rd sends an acknowledgement (ACR) message to the source remote ~5 to conclude the information block trans~er and resets the various registexs. If, on the other hand, either the data block DBA~ or DBB~ on line CL0 fail the header and data frame C~C checks or these two data blocks fail the bit-by-bit comparison check, the communication protrocol controller 12 sets ~he 'first-at~emp~ fail' flag and returns to the start of the procedure ~o de~ermine tha~ the 'line ~ first' flag a~d the 'first~attempt' fail flag are present. The communi-cation protocol controller 12 then uses the stored da~a blocks DBAl and DBBl from line CLl (which data blocks were previously stvred in FIFO 50). The header block and data block of the data blocks DBAl and DBBl from line C~l undergo the CRC
check and, if successful, cause the incrementing of the 'good - 2~ -message' register to cause the ccmmunication protocol controller 12 to then check the validity of the second data block DBBl. If the data blocks DBAl and DBBl pass the CRC checks, they are compared with one another in a bit-by-bit comparison test and if this comparison check is successful, an acknowledgement ~ACK) is sent. If, on the other hand, either data block DBAl or DBBl does not pass the CRC checX or the data blocks do not pass the bit-by-bit comparison test, a non-acknowledgement (NAK) is sent to the souxce remote Rs including information requesting the retxansmission of the data blocks which failed the validity test at the destination remote Rd. The source remote RS then retransmits the improperly received information blocks as described above with retransmission limited to a finite number.
A register is provided for each of the communication links for recording, in a cumulativa manner, the number of time~ an invalid message is received for each communication link. In this manner, it can be determined, on a statistical basis, whether one of the two communication links has suffered a de~erioration in signal transmission capability and, o course, whether one of the communication links is severed.
As can be appreciated, the dual transmission of the identical messages on plural communication links vastly enhances ~he ability of the destination remote Rd to detect errors and determine whether the information being.transmitted is valid or not. In addition, the destination remote Rd is able ~o operate and successfully receive messages even if one of the communication links CL~ or CLl is severed since the communication protocol controller 12 at the destination Rd will examine the received signals on each line and will find invalid data on the severed line, but will always examine the data blocks on the other line and, if necessary, request retransmission of the lnformation blocksO
In selecting one of the two channels CH~ or CHl for the ~lrst validity check, it is preferred that one of the two channels (e.g., CH~) be selected for the first check on every other information transaction and that the other of the two channels (e~g., C~l) be selected for the first check for the other intermediate information transactions. While thP system has been disclosed as having dual communication links CL~ and CLl f ~he invention is not so limited and can encompass more than two communication links with the remotes adapted to sequentially examine signals received on the various channels.
As mentioned above, each remote Rn ~ the control system is adapted to accept and then relinquish supervisory control of the communication link CL on a master-for-the-moment or revolving master arrangement. The communication protocol controller 12 of each remote Rn includes a register which contains the remote succession number, another register which contains the total number of remotes in the system, and another register which contains the relative position of the remote from ~he present system master. The first two registers are schematically illustrated by th2 reference character 60 in ~IG. 4. In addition, each remote Rn includes a variable transfer~
monitor timex having a time-out interval that is set in accordance with a predetermined control-transfer time constant (50 micro-seconds in the preferred embodiment) and the positioll or the particular remote relative to the present system master to permit, as explained in more detail below, the master-for~the-moment transfer to continue even in the event of a disabled remote (that is, a remote that is unable to accept supervisory control because of a malfunction).
Another timer is provided to force transfer of supervisory control of the communications link CL in the event a remote, because of a malfunction, is unable to transfer supervisory control to its next successive remote. The operation of the master-for-the-moment transfer technique can be appreciated bv consideration of the following example of an illustrative system that includes five remotes arransed in the open loop configuration of FIG. 1 and transferring supervisory control of the communications link CL in accordance with the tables of FIGS. lOA-lOF. The upper row of each table indicates the succession se~uence or order of the five remotes Ro~ Rl, R2, R3 and R4 that comprise the system; the intermediate row identifies the remote that is the present master-for-the moment an~ also identifies the relative successive position of the other remotes from the present master, tha~ is, the first (or next) successive remote from the present master, the second successive remote from the pxesent master, the third remote from the present master, etc.; and the third row of each table lists the setting of the variable transfer-monitor timer for the particular remote.
~ 27 -The system is provided with initialiæation software so that the first remote in the succession, Ro~
assumes supervisory control of the communication link CL after system start-up and becomes the initial master of the system (FIG. lOA). When the initial master Ro is in control of the communications link CL, it can send data to any of the other remotes, request status or other data from another remote, and send control blocks and the like over the communications link CL. When the master Ro determines that it no longer desires possession o the commu~ications link CL, it passes supervisory control of the communications link CL to the next or first successive remote in accordance with the succession order~ Thus, when the present master Ro concludes its information transfer transactions, it transfers supervisory contxol of the communications link CL to its next or first successive remote Rl by transmitting a control block to the remote R
with all the remaining remotes (that is, R2, R3, R4) being cognizant of the transfer o~ supervisory control from the present master Ro to its first or next succ~ssive remote Rl. Since, in the present system, the transfer o supervisory control of the communications linX CL is expected to take plaoe within 50 micro seconds, the second successive remote R2, as shown in the third row of the table of FIG. lOB, sets its variable transfer monitor timer to 50 micro-seconds, the third successive remot~ R3 sets its variable transfer-monitor timer to 100 micro~seconds, and the fourth successive remote R4 sets it transfer-monitox timer to 150 micro-seconds. ~en the first successive remote Rl receives the control block from the present master Ror it accepts supervisory control of the communications link CL by responding with an acknowledgement message (ACX). If the control block is misreceived, the first successive remote Rl can respond with a non-acknowledgement (NAK) to request retransmission of the control block transferring supervisory control of the communications link C~. During the time interval that the present master remote Ro is attempting to transfer supervisory control of the communi-cation link CL to its next successive remote Rl, the transfer-monitor timers of the remaining remotes are counting down. If, for any reason, the next or first successive remote Rl ~ails to take control (e.g., a malfunction of the xemote), the transfer-monitor timer of the second successive remote R2 will time-out at 50 micro secor.ds and cause the second successive remote R2 to then accept supervisory control of the communication link CL
fxom the present master Ro and thus bypass the apparently malfunctioning ~irst successive remote Rl.
Aassuming that the initial system master Ro successively transfers supervisory control of the com~uni-catins link CL to its first successive remote Rl~ that successive remote Rl then becomes the present master with the remaining remotes changing their position relative to the present master and setting their transfer-moni~or timers in accordance with the second and third rows o the table of FIGo lOB. When the present master Rl concludes its _ zg _ ~il2~q67 information transfer transactions, if any, it attempts ~o transfex supervisory control to its first or next successive remote R2 by sending an appropriate control block to remote R2 which responds with an acknowledgement signal (ACK) or, in the event of a mistransmission of the control block, a non-acknowledgement signal (NAK) which causes re transmission of the control block. When the control block requesting transfer of supervisory control of the communi-cation link CL is sent from the present master Rl to its next successive remote R2, all the remaining remotes reset their transfer-monitor timers in accordance with their position relative to the present remote as shown in the third row of the table of FIG. lOC. Should the next successive remote R~ be unable to accept supervisory control of the communication link CL from the present master Rl, the transfer-monitor timer of the second successive xemote R3 will time-out in 50 micro-seconds and cause the second successive remote R3 to assume supervisory control of the communiations link CL to thereby bypass an apparently malfunctioning first successive remote R~. A~ can be appreciated from a review of the transfer-monitor time-out settings of the various remotes, supervisory control of the communicatiorls link CL will transfer even if one or more successive remotes are malfunctioning, when the trans~er monitor timer of the next operable remote times out. This transfer sequence continues in succession as shown in the remaining tables of ~IGS. lOD to lOF with supervisory control of the communication link CL being passed from remote to remote in succession with the last remcte R4 retuxning supervisory control to the first remote Ro~
By employing a master-for-the-moment transfer technique in which the recelving remote acknowle~gPs control from the transferring remote and in which re-transmission of a mis-received control block is provided for in re~ponse to a non-ack*owledgement signal from the re~eiving remote, it is possi~le to positively tran~Pr ' supervisory control of the communication lin~, This technique advantageously transfers co~trol u~ing the data and i~formation carrylng communlcation link rather th~n, as in other systems, by providing separatQ communl cation lines or channels dedicated solely to ~upervisory control transfer function~. Also, the provi~ion o~ a variable ~ranser-monitor timer at each remote that is set in accordance with the remote's relative position to the present ma~ter and a trans~er time~constant automatically transfers supervisory control o~ the co~unication~ l.ink even if one or more of the succe~siva remotes are mal~
functioiling .
The architecture of a redundant remote (R ~ and ~8 in FXG. 1), as shown in ~IG. 1~, i3 es~entially the 5am(?, as that o a primary remote except that it has no i.nput/
output devices as~igned to it. Each redundant xemo~e functions to take over eontrol responsibility o a con~rolled device from a primary remote in tha event the primary remote malfunctions.
~ 3~ -In each primary remote, preassigned memory locations are designated to act as a 'mailbox' register for that remote. Each time th~ eentral processing unit 16 or the primary remote cycles through its applications program, in which it responds to and controls the input/
output devices of the remote via the input/output management device 14, it stores a predetermlned number in its mailbox.
Each time the processor 14A of the input/output management device 14 cycles through its program, it decrements the number stored in the mailbox. The time for the CPU 16 to cycle through its program and for the input/output management device 14 to cycle through its program ls approximately 1:1 so that the number stored in the mailbox will be maintained at or near the predetermined value set by the applications program of the CPU 16 unless the CPU 16 caases to cycle through its applications program.
Should this happen, the number stored in the mailbox memory 18 will be decremented by the input/output management device 14 until it reaches a zero value.
Each time a redundant remote which is serving as a back-up for its associated primary remotes takes its turn in the master-for-the-mome~t sequence described above, the redundant remote will request and obtain the value of the number in the mailbox of its assigned primary remotes.
If the number in the mailbox is not zero, the redundant remote will know that the centxal processing unit 16 in the 50-queried primary remote is carrying out its applications program and has not gone into an emergency mode of operatlon or otherwise ceased to operateO If the redundant remote detects that the number in the mailbox for one of its assigned primary remotes is zero, then the redundant remote will determine that ~he central processing unit 16 of the zero-mailbox remote is not carrying out the applications program and, in response to this determination, the redundant remote will first attempt to restart the applications program in the central processing unit 16 of the prima~y remote. If it fails to successfully restart the applications program, the redundant remote will carry out the applications program for the failed remote. In carrying out the applications program, the redundant remote will respond to the input devices and control the output devices assigned to the ~ailed primary remote by sending commands and receiving data from the failed remote over the com~unications link CL.
The redundant remote, in addition to checking the status of its assigned primary remotes for which the redundant remote serves as a back-up, also must maintain an up-to-date record of the status of the applicakions program in each of these assigned primary remotes. The redundant remote checks the status of the mailbox and gets the current applications program status from each of the primary remotes by sending requests for information over the communications link CL when the redt~dant remote takes its turn in the master-for-the-moment sequence as described above.
~B~
The operation of the redundant remote in carr~ing out its function as a back-up for the primary remotes will be more fully undexstood with reference to FIGS. llA and llB
which illustrate a flow chart of the program in the redundant remote R4 (FIG. 1), which serves as a back up for its assigned primary remotes Rl, R2~ and R3. The other redundant remote R8 will have the same program except that it will be applied to its assigned remotes R5, R~, and R7.
As shown in FIGS. llA, after the program in the redundant remote R4 is started, it enters into a decision instruction sequence lOl to check the status of remote Rl. As explained above, it does this by sending a request ~or information over the communications link CL to remote Rl asking for the current number in the mailbox of remote Rl. It then determines whether this number is greater than zero. If the number is greater than zero, the status of remote Rl is determined to be opera~ing and the program of the redundant remote R4 advances to instruction step 103 in which it resets a fail 1~g for Rl to 'off' and then enters subroutine 105, in which the cuxrent applications program status in remote Rl is obtained. This means that the redundant remote R4 requests and obtains the current status of the input and output devices in remote Rl and the current status of the timers and the counters and the flags being used in the applications program of remote Rl. In other .
2~
words, in subroutine 105, all of the info~nation tha'c would be needed f~r the redundant remote R4 to take over the applications progr~m is obtained from remote R1 This informatlon is obtained by sending requests for data and receiving data bac~ over the communications link CL.
Following the obtaining of the current appli~
cAtions program status of remote Rl, the redundant remote R4 program proceeds to decision instruction sequence 107, in which the status of remote R2 is checked in the same manner that was done with respect to Rl. If the status of remote R~ is operating, the program ad~ances to instruction step 109, in which the program sets a fail flag for remote R2 and then proceeds into subroutine 111, in which the status of the applications program for remote R2 is obtained in the same manner as for Rl in sub-routine 105. The program then proceeds into a decision instruction sequence 113 to check the status of remote R3. If the status of remote R3 is operating, then the program resets the ~ail flag for remote R3 in instruction step 115 and proceeds into subroukine 117 to obtain the applications program status for remote R3 in the same manner as Lor Rl in subroutine 105O Following subroutine 111, the program returns agaln to decision instruction sequence 101 to check the status of remote Rl and the process cyclically repeats.
If in decision instruction sequence 101, the program determines that the status Rl is not operating as indicated by the number in the mailbox of the remo~e Rl, being zero, the program then advances to decision instruction sequence 119, in which the program determines if the fail flag for Rl is 'on' or 'off'. If the fail flag is iof', the 5~
program proceeds into instruction sequence 121, in ~hich the program attempts to restart the applications program for remote Rl. It does this by sending a command over the communications link CL to remote Rl to direct the communications protocol controller 12 (FIG. 2) to attempt a hardware restart of the applications pxogram.
This is carried ou~ by the communications protocol controller 1~ pulling a restart wire to ground in the common buss 22. When this restart wire is pulled to ground, it starts the applications program back thro~gh its initialization program and sets all of t~e flags, timers, and counters just as if power had been turned on. Such a restart is called a har~ware restart. Alternatively, the redundant remote R4 could efect a sof~ware restart in the failed remote. A software restart would merely start the applications program through its initialization program with the timers, counters and flags left in their present status.
Ater completing instruction sequence 121, the redundant remote R4 program then sets the fail flag for remote Rl to 'on' in instruction step 123 and then proceeds into decision instruction sequence 125 to again check the status of remote Rl by checking the number in the mailbox of remote Rl in the same manner as in decision instruction sequence lOL. If the applications program in remote Rl was successfully started in instruction sequence 121, the num~er in the mailbox will not be zero and the program will detenmine that the status of remote Rl is operating, whereupon the pxogram will jump to decision instruction sequence 107 ~o ch~ck the status of remote R2 as already described.
'destination' wordts) that indicat~ th~ identiy of th~
receiving or destination r~mot~ Rd; a 'h~adcr-typ~' word(~) th~l~ indicates whethar th~ data block is tran3fer~ing dat~, a parame~ered command block, or a paramcter1eY~ comm~nd block;
'block-type' word indicating the type of block ~that is, a co.~mand block or a data block)s a 'block numher' word that ~ 19 -indicates the number of blocks being sent; a 'block size' word indicating the length of the data framei a 'security code' word(s) that permits alteration of the resident soft-ware programming in a remote; and, finally, a two-byte 'cyclic redundancy code' (CRC) validity word. The data frame for each data block, as shown in FI5. SB, can in-clude a plurality of data carrying bytes or words B1, B2~...Bn of variable length terminated with a two-byte cyclic red~ndancy code word. As described moxe fully below, each of the remotes is adapted to acknowledge (ACK) successful receipt of da~a and command blocks and non-acknowledge (N~C~ the receipt of data in which a trans-mission error is detected. When transmit~ing an acknowledgement block or a non-acknowledgement block, the header format used is shown in FIGS. 5C and 5D in which an acknowledgement (ACK~ or non-acknowledgement (NAK) word occupies the 'block type' word position. The block ~ormats disclosed above are intended to be illustrative only and not limiting.
The various remots units Rl, R2~ R3,.. Rn communi-cate with one anokher by having each remote successlvely take contxol of the communications link CL and the controlli~g remote Rs then sending digital information between itself and a destination remote Rd using a double transmission alternate line technique that provides for high reliability data transfer between remotes even when one of the two communication li~ks C~ or C~l is inoperative, for example, when one of the two communication cables is severed or otherwise degraded as occassionally occurs in harsh industrial environments.
When a remote unit assumes control of the communi-cation link GL (as explained more fully below) and, as a source remote Rs, desires to send data blocks to another, destination remote Rd, the data block is assembled at the source remote Rs.in accordance with the block formats discussed abo~e in connection with FIGS. 5-5D and trans-mitted through ~he information channels CL0 and CLl of the source remote Rs to the communication links CL~ and CL1 wi~h the header frame containing both the source remote Rs and the destination remote Rd identi~ication information.
In accordance with the data transmission technique, the communication protocol controller 12 of the source remo e Rs transmits the information blocks twice on each communication link CL~ and CL1 as schematically illustrated in FIG. 6 to provide a first data block DBA and then a second, following data block DBB on each communication link CL~ and CLl.
The transmitted infonmation block headers include the identity of th~ destination remote, Rd, which causes the destination remote Rd to receive and act upon the information blocks. At the des~ination remote Rd, the two data blocks DBA~ and DBB~ on the communicatlon link C~0 are passed through the communication channel CH0 and the two data blocks DBAl and DBBl on the communication link CLl are passed through the communication channel C~1 to, respectively, the first-in firs~-ou~ serialiæ~rs 48 and SO (FIG~ 4).
A5 shown in the summary flow diagram of FIG. 7, the destingation remote Rd checks the validity of the reseived data by selecting one of the two communication links (e.g., CL0 in FIG. 7) and then checks the first 2~7 data block on the selected line (that is, DBA~) by performing a cyclic redundancy check of the header frame and, if valid, performing a cyclic redundancy check of the data frame. If the data frame is valid, the communi-cation protocol controller 12 of the destination remote Rd then performs a bit-for-bit comparision between the CRC-valid first data block DBA~ and the second following data block DB~. If the bit-for-bit comparision is good, an acknowledgement (ACX) signal is sent from the destination remote Rd to the source remote Rs to indicate the receipt of valid information and complete that data ~lock information transaction. On ~he other hand, if the CRC
validity checks of the header or the data rame or the bit-for-bit comparison check indicate invalid data, the protocol controller 12 of the destination remote Rd then selects the other, alternate line (in this case, CLl) and performs the aforementioned cyclic redundancy checks of the header and data frame and the bit-for-bit comparison between the flrst and second data blocks DBAl and DB
on the alternate line CLl. I~ these checks indicate valid data on the alternate line, the destinat1on remote Rd responds with an acknowledgement signal (ACK) to conclud~ the data block transmission transaction. On the other hand, if ths~e checks indicate invalid data on the alternate line (which mean~ that tha data ~locks on bo~h the first-selected lin~ and the alternate line are in~alid) the destination remote Rd responds with a non acknowledgement signal (NAK) to cause retransmission of the data blocks from the source remote Rs. The non-acknowledgement block (NAK) includes a byte or bytes indicating the identity of the data block or blocks which should be retransmitted. A counter (not shown) is ~rovided that counts the number of retransmissions from the source remote Rs and, after a fini~e number of re-transmissions (e.g., four), halts further retransmission to assure that a source remote Rs and a destination remote Rd do not become lost in a xepetitive transmit/NAK/re-transmit/NAK... sequence in the avent of a hardware or software failure of the destination remote Rd error checking mechanism.
The double message alternate line checking sequence summarized in FIG. 7 may be more fully appreciated by referring to the detailed flow diagram shown in FIGS. 8A
and 8B (as read i~ accordance with the flow diagram map of FIG. 9). At the start of the information validity checking procedure, the 'line ~-first' flag register is checked; if a flag is present, the 'first-attempt fail' flag register is checked, and, if there is no flag in thIs register, the two data blocks DBAl and DBBl on channel C~l are stored while the tWQ data blocks D~A~ and DB~0 on channel CH~ are used for the first attempt information check.
Thereafter, the header frame of the first data block DBA~
on channel CH~ undergoes a CRC check, and, if acceptable, the data frame of this data block DBA0 undergoes a CRC check.
If the header and data frames CRC checks indicate valid data a 'good message' register is incremented. If the number of good messages is less than two, the error checking procedure returns o the initial part of the 10w diagram and, after ~25~97 dPtermining there is no channel CH0 first flag or first-attempt flag present, checks the second following data block DBB~ by repeating the header and data CRC cyclic redundancy checks. If the header and data frames pass the CRC checks, the 'good messagel register is incremented again to indicate that a total of two messages in succession (that is, DBA~ and DBB0) have passed the cyclic redundancy check for the header and data frames. Thereafter, the two data blocks DBA~ and DBB~ received on line CH~ are checked by performing a bit-by-bit comparision between the two. If the data blocks DBA~ and DBB~ pass the bit-by-bit comparision test, the communi-cations protocol controller 12 of the destination remote Rd sends an acknowledgement (ACR) message to the source remote ~5 to conclude the information block trans~er and resets the various registexs. If, on the other hand, either the data block DBA~ or DBB~ on line CL0 fail the header and data frame C~C checks or these two data blocks fail the bit-by-bit comparison check, the communication protrocol controller 12 sets ~he 'first-at~emp~ fail' flag and returns to the start of the procedure ~o de~ermine tha~ the 'line ~ first' flag a~d the 'first~attempt' fail flag are present. The communi-cation protocol controller 12 then uses the stored da~a blocks DBAl and DBBl from line CLl (which data blocks were previously stvred in FIFO 50). The header block and data block of the data blocks DBAl and DBBl from line C~l undergo the CRC
check and, if successful, cause the incrementing of the 'good - 2~ -message' register to cause the ccmmunication protocol controller 12 to then check the validity of the second data block DBBl. If the data blocks DBAl and DBBl pass the CRC checks, they are compared with one another in a bit-by-bit comparison test and if this comparison check is successful, an acknowledgement ~ACK) is sent. If, on the other hand, either data block DBAl or DBBl does not pass the CRC checX or the data blocks do not pass the bit-by-bit comparison test, a non-acknowledgement (NAK) is sent to the souxce remote Rs including information requesting the retxansmission of the data blocks which failed the validity test at the destination remote Rd. The source remote RS then retransmits the improperly received information blocks as described above with retransmission limited to a finite number.
A register is provided for each of the communication links for recording, in a cumulativa manner, the number of time~ an invalid message is received for each communication link. In this manner, it can be determined, on a statistical basis, whether one of the two communication links has suffered a de~erioration in signal transmission capability and, o course, whether one of the communication links is severed.
As can be appreciated, the dual transmission of the identical messages on plural communication links vastly enhances ~he ability of the destination remote Rd to detect errors and determine whether the information being.transmitted is valid or not. In addition, the destination remote Rd is able ~o operate and successfully receive messages even if one of the communication links CL~ or CLl is severed since the communication protocol controller 12 at the destination Rd will examine the received signals on each line and will find invalid data on the severed line, but will always examine the data blocks on the other line and, if necessary, request retransmission of the lnformation blocksO
In selecting one of the two channels CH~ or CHl for the ~lrst validity check, it is preferred that one of the two channels (e.g., CH~) be selected for the first check on every other information transaction and that the other of the two channels (e~g., C~l) be selected for the first check for the other intermediate information transactions. While thP system has been disclosed as having dual communication links CL~ and CLl f ~he invention is not so limited and can encompass more than two communication links with the remotes adapted to sequentially examine signals received on the various channels.
As mentioned above, each remote Rn ~ the control system is adapted to accept and then relinquish supervisory control of the communication link CL on a master-for-the-moment or revolving master arrangement. The communication protocol controller 12 of each remote Rn includes a register which contains the remote succession number, another register which contains the total number of remotes in the system, and another register which contains the relative position of the remote from ~he present system master. The first two registers are schematically illustrated by th2 reference character 60 in ~IG. 4. In addition, each remote Rn includes a variable transfer~
monitor timex having a time-out interval that is set in accordance with a predetermined control-transfer time constant (50 micro-seconds in the preferred embodiment) and the positioll or the particular remote relative to the present system master to permit, as explained in more detail below, the master-for~the-moment transfer to continue even in the event of a disabled remote (that is, a remote that is unable to accept supervisory control because of a malfunction).
Another timer is provided to force transfer of supervisory control of the communications link CL in the event a remote, because of a malfunction, is unable to transfer supervisory control to its next successive remote. The operation of the master-for-the-moment transfer technique can be appreciated bv consideration of the following example of an illustrative system that includes five remotes arransed in the open loop configuration of FIG. 1 and transferring supervisory control of the communications link CL in accordance with the tables of FIGS. lOA-lOF. The upper row of each table indicates the succession se~uence or order of the five remotes Ro~ Rl, R2, R3 and R4 that comprise the system; the intermediate row identifies the remote that is the present master-for-the moment an~ also identifies the relative successive position of the other remotes from the present master, tha~ is, the first (or next) successive remote from the present master, the second successive remote from the pxesent master, the third remote from the present master, etc.; and the third row of each table lists the setting of the variable transfer-monitor timer for the particular remote.
~ 27 -The system is provided with initialiæation software so that the first remote in the succession, Ro~
assumes supervisory control of the communication link CL after system start-up and becomes the initial master of the system (FIG. lOA). When the initial master Ro is in control of the communications link CL, it can send data to any of the other remotes, request status or other data from another remote, and send control blocks and the like over the communications link CL. When the master Ro determines that it no longer desires possession o the commu~ications link CL, it passes supervisory control of the communications link CL to the next or first successive remote in accordance with the succession order~ Thus, when the present master Ro concludes its information transfer transactions, it transfers supervisory contxol of the communications link CL to its next or first successive remote Rl by transmitting a control block to the remote R
with all the remaining remotes (that is, R2, R3, R4) being cognizant of the transfer o~ supervisory control from the present master Ro to its first or next succ~ssive remote Rl. Since, in the present system, the transfer o supervisory control of the communications linX CL is expected to take plaoe within 50 micro seconds, the second successive remote R2, as shown in the third row of the table of FIG. lOB, sets its variable transfer monitor timer to 50 micro-seconds, the third successive remot~ R3 sets its variable transfer-monitor timer to 100 micro~seconds, and the fourth successive remote R4 sets it transfer-monitox timer to 150 micro-seconds. ~en the first successive remote Rl receives the control block from the present master Ror it accepts supervisory control of the communications link CL by responding with an acknowledgement message (ACX). If the control block is misreceived, the first successive remote Rl can respond with a non-acknowledgement (NAK) to request retransmission of the control block transferring supervisory control of the communications link C~. During the time interval that the present master remote Ro is attempting to transfer supervisory control of the communi-cation link CL to its next successive remote Rl, the transfer-monitor timers of the remaining remotes are counting down. If, for any reason, the next or first successive remote Rl ~ails to take control (e.g., a malfunction of the xemote), the transfer-monitor timer of the second successive remote R2 will time-out at 50 micro secor.ds and cause the second successive remote R2 to then accept supervisory control of the communication link CL
fxom the present master Ro and thus bypass the apparently malfunctioning ~irst successive remote Rl.
Aassuming that the initial system master Ro successively transfers supervisory control of the com~uni-catins link CL to its first successive remote Rl~ that successive remote Rl then becomes the present master with the remaining remotes changing their position relative to the present master and setting their transfer-moni~or timers in accordance with the second and third rows o the table of FIGo lOB. When the present master Rl concludes its _ zg _ ~il2~q67 information transfer transactions, if any, it attempts ~o transfex supervisory control to its first or next successive remote R2 by sending an appropriate control block to remote R2 which responds with an acknowledgement signal (ACK) or, in the event of a mistransmission of the control block, a non-acknowledgement signal (NAK) which causes re transmission of the control block. When the control block requesting transfer of supervisory control of the communi-cation link CL is sent from the present master Rl to its next successive remote R2, all the remaining remotes reset their transfer-monitor timers in accordance with their position relative to the present remote as shown in the third row of the table of FIG. lOC. Should the next successive remote R~ be unable to accept supervisory control of the communication link CL from the present master Rl, the transfer-monitor timer of the second successive xemote R3 will time-out in 50 micro-seconds and cause the second successive remote R3 to assume supervisory control of the communiations link CL to thereby bypass an apparently malfunctioning first successive remote R~. A~ can be appreciated from a review of the transfer-monitor time-out settings of the various remotes, supervisory control of the communicatiorls link CL will transfer even if one or more successive remotes are malfunctioning, when the trans~er monitor timer of the next operable remote times out. This transfer sequence continues in succession as shown in the remaining tables of ~IGS. lOD to lOF with supervisory control of the communication link CL being passed from remote to remote in succession with the last remcte R4 retuxning supervisory control to the first remote Ro~
By employing a master-for-the-moment transfer technique in which the recelving remote acknowle~gPs control from the transferring remote and in which re-transmission of a mis-received control block is provided for in re~ponse to a non-ack*owledgement signal from the re~eiving remote, it is possi~le to positively tran~Pr ' supervisory control of the communication lin~, This technique advantageously transfers co~trol u~ing the data and i~formation carrylng communlcation link rather th~n, as in other systems, by providing separatQ communl cation lines or channels dedicated solely to ~upervisory control transfer function~. Also, the provi~ion o~ a variable ~ranser-monitor timer at each remote that is set in accordance with the remote's relative position to the present ma~ter and a trans~er time~constant automatically transfers supervisory control o~ the co~unication~ l.ink even if one or more of the succe~siva remotes are mal~
functioiling .
The architecture of a redundant remote (R ~ and ~8 in FXG. 1), as shown in ~IG. 1~, i3 es~entially the 5am(?, as that o a primary remote except that it has no i.nput/
output devices as~igned to it. Each redundant xemo~e functions to take over eontrol responsibility o a con~rolled device from a primary remote in tha event the primary remote malfunctions.
~ 3~ -In each primary remote, preassigned memory locations are designated to act as a 'mailbox' register for that remote. Each time th~ eentral processing unit 16 or the primary remote cycles through its applications program, in which it responds to and controls the input/
output devices of the remote via the input/output management device 14, it stores a predetermlned number in its mailbox.
Each time the processor 14A of the input/output management device 14 cycles through its program, it decrements the number stored in the mailbox. The time for the CPU 16 to cycle through its program and for the input/output management device 14 to cycle through its program ls approximately 1:1 so that the number stored in the mailbox will be maintained at or near the predetermined value set by the applications program of the CPU 16 unless the CPU 16 caases to cycle through its applications program.
Should this happen, the number stored in the mailbox memory 18 will be decremented by the input/output management device 14 until it reaches a zero value.
Each time a redundant remote which is serving as a back-up for its associated primary remotes takes its turn in the master-for-the-mome~t sequence described above, the redundant remote will request and obtain the value of the number in the mailbox of its assigned primary remotes.
If the number in the mailbox is not zero, the redundant remote will know that the centxal processing unit 16 in the 50-queried primary remote is carrying out its applications program and has not gone into an emergency mode of operatlon or otherwise ceased to operateO If the redundant remote detects that the number in the mailbox for one of its assigned primary remotes is zero, then the redundant remote will determine that ~he central processing unit 16 of the zero-mailbox remote is not carrying out the applications program and, in response to this determination, the redundant remote will first attempt to restart the applications program in the central processing unit 16 of the prima~y remote. If it fails to successfully restart the applications program, the redundant remote will carry out the applications program for the failed remote. In carrying out the applications program, the redundant remote will respond to the input devices and control the output devices assigned to the ~ailed primary remote by sending commands and receiving data from the failed remote over the com~unications link CL.
The redundant remote, in addition to checking the status of its assigned primary remotes for which the redundant remote serves as a back-up, also must maintain an up-to-date record of the status of the applicakions program in each of these assigned primary remotes. The redundant remote checks the status of the mailbox and gets the current applications program status from each of the primary remotes by sending requests for information over the communications link CL when the redt~dant remote takes its turn in the master-for-the-moment sequence as described above.
~B~
The operation of the redundant remote in carr~ing out its function as a back-up for the primary remotes will be more fully undexstood with reference to FIGS. llA and llB
which illustrate a flow chart of the program in the redundant remote R4 (FIG. 1), which serves as a back up for its assigned primary remotes Rl, R2~ and R3. The other redundant remote R8 will have the same program except that it will be applied to its assigned remotes R5, R~, and R7.
As shown in FIGS. llA, after the program in the redundant remote R4 is started, it enters into a decision instruction sequence lOl to check the status of remote Rl. As explained above, it does this by sending a request ~or information over the communications link CL to remote Rl asking for the current number in the mailbox of remote Rl. It then determines whether this number is greater than zero. If the number is greater than zero, the status of remote Rl is determined to be opera~ing and the program of the redundant remote R4 advances to instruction step 103 in which it resets a fail 1~g for Rl to 'off' and then enters subroutine 105, in which the cuxrent applications program status in remote Rl is obtained. This means that the redundant remote R4 requests and obtains the current status of the input and output devices in remote Rl and the current status of the timers and the counters and the flags being used in the applications program of remote Rl. In other .
2~
words, in subroutine 105, all of the info~nation tha'c would be needed f~r the redundant remote R4 to take over the applications progr~m is obtained from remote R1 This informatlon is obtained by sending requests for data and receiving data bac~ over the communications link CL.
Following the obtaining of the current appli~
cAtions program status of remote Rl, the redundant remote R4 program proceeds to decision instruction sequence 107, in which the status of remote R2 is checked in the same manner that was done with respect to Rl. If the status of remote R~ is operating, the program ad~ances to instruction step 109, in which the program sets a fail flag for remote R2 and then proceeds into subroutine 111, in which the status of the applications program for remote R2 is obtained in the same manner as for Rl in sub-routine 105. The program then proceeds into a decision instruction sequence 113 to check the status of remote R3. If the status of remote R3 is operating, then the program resets the ~ail flag for remote R3 in instruction step 115 and proceeds into subroukine 117 to obtain the applications program status for remote R3 in the same manner as Lor Rl in subroutine 105O Following subroutine 111, the program returns agaln to decision instruction sequence 101 to check the status of remote Rl and the process cyclically repeats.
If in decision instruction sequence 101, the program determines that the status Rl is not operating as indicated by the number in the mailbox of the remo~e Rl, being zero, the program then advances to decision instruction sequence 119, in which the program determines if the fail flag for Rl is 'on' or 'off'. If the fail flag is iof', the 5~
program proceeds into instruction sequence 121, in ~hich the program attempts to restart the applications program for remote Rl. It does this by sending a command over the communications link CL to remote Rl to direct the communications protocol controller 12 (FIG. 2) to attempt a hardware restart of the applications pxogram.
This is carried ou~ by the communications protocol controller 1~ pulling a restart wire to ground in the common buss 22. When this restart wire is pulled to ground, it starts the applications program back thro~gh its initialization program and sets all of t~e flags, timers, and counters just as if power had been turned on. Such a restart is called a har~ware restart. Alternatively, the redundant remote R4 could efect a sof~ware restart in the failed remote. A software restart would merely start the applications program through its initialization program with the timers, counters and flags left in their present status.
Ater completing instruction sequence 121, the redundant remote R4 program then sets the fail flag for remote Rl to 'on' in instruction step 123 and then proceeds into decision instruction sequence 125 to again check the status of remote Rl by checking the number in the mailbox of remote Rl in the same manner as in decision instruction sequence lOL. If the applications program in remote Rl was successfully started in instruction sequence 121, the num~er in the mailbox will not be zero and the program will detenmine that the status of remote Rl is operating, whereupon the pxogram will jump to decision instruction sequence 107 ~o ch~ck the status of remote R2 as already described.
- 3~ -~%~
If the program determines khat the status.
of remote Rl is not operating in decision instruction sequence 125, then ~hls means that the attempt to restart the applications program in remote Rl in instruction sequence 121 failed and the redundant remote R4 program then proceeds into instruction sequence 127 to initialize the input/output management device 14 (also identified in FIG. llB as ' RTX ' ) in remote Rl to receive instructions and data from the redundant remote R4 instead of from the central processing unit 16 in the remote Rl and to send data on the status of the input and output devices to the redundant remote R4.
If the. program of the red~ndant remote R~
dete~nines that the fail flag was 'on' instead o~ 'off' in decision instruction sequence 119, the redundant remote program would proceed dixectly into the instruction sequence 127 to initialize the input/output management device 14 of remote Rl to respond to the redundant remote R4.
The purpose of the fail flay which is set to 'on' in instruction step 123 and is reset to 'off' in instructlon step 103 i~ to prevent the redundant remote program from getting hung-up in a condition in which it successully restarts the remote Rl on~y to have the remote Rl fail again by the time the program of the redundant remote recycles around to checking the mailbox of the remote Rl again in decision instruction sequence 101. If this should happen, the fail flag for remote Rl will have been set ~o 'on' in instruction step 123 after the successful restarting of -the 5~
applications program. Then, the next time that the redundant remote program cycles back to decision instruction sequence 101, and determines that the status of remote Rl is not operating, the fail flag for remote Rl will be 'on'. Accordingly, the program will jump from decision instruction sequence 119 into the instruction sequence 127 to initialize the remote Rl to respond to redundant remote R4. If the next time the redundant remote program recycles back to decision instruction sequence 101 to check the status of Rl, it determines that the s~atus of Rl is operating, the program will then reset the fail ~lag to 'off' in instruction step 103 so that in subsequent cycles, should the program determine that the remote R1 has again failed, the program will again go into the restart instruction sequence 121 instead of immediately jumping to the initialization instruction sequence 127.
After the redundant remote program has completed the initialization instruction sequence 127, it then proceeds to subroutine 129. In this subroutine, the status of the applications program o~ remote R1 last received by khe redundant remote R4, which status is stored in the memory of the redundant remote R4, is loaded into predetermined registers of the memory of the redundant remote R~ in order to carry out the applications program of remote Rl in the redundant remote R4. After this subroutine is completed, the program proceeds into instruction sequence 130 and then into the subroutine 131 in which it starts and carries out the applications program. The redundant remote R4 carries out the Rl applications program by receiving data from remote Rl as to the status of the input and output devices of ~he remote Rl and sending instructions to remote R1 to direct operation of the input/output management device 14 of the remote Rl. The program in the redundant remote R4 will then continue to cycle through the applications program for the remote Rl until it receives a command from the operator to reset it back into its main cycle of checXing the status of the remotes Rl, R2, and R3.
Should the redundant remote ~4 determine that the status of remote R2 or remote R3 is not operating, it then performs the same program with respect to these remotes as described with respect to remote Rl as is illustrated in FIGS. llA and llB.
The redundant remote R8 will take over the applications program should any of the primary remotes R5-R7 become nonoperative in the same manner as described above with respect to R4 serving as a back-up for the primary remotes Rl-R3.
It will be appreciated that the provision of the redundant remotes decreases malfunctioning of the control system due to one of the primary remotes becoming inoperative as a result of Eailure 0f the central prc)cessing unit 16 of the primary remote. Because each redundant remote serves as a back-up for several primary remotes, the cost of providing the redundancy is significantly reduced. Because the redundant remotes are themselves each a remote control unit which takes its turn in the master-for-a-moment sequence communicating wi~h the other remotes over the dual channel communications link, the redundant remotes can be provided in the system very inexpensively.
Each remote Rn, as described above, is provided with termination impedances Z~ and Zl for the first and second communication channels C~ and CHl (FIG. 3) and a line termination relay 32~ and 321 under the contxol of the communications link control device 38. The termination impedances are connected across each channel of the communi-cations link when the particular remote is the first or the last remote in the system (eOg., Rl and R8 in FIG. 1) to establish proper line termination impedance to prevent signal level degradation and the presence of reflected signals, both conditions which can advexsely affect the performance of the system. The termination impedances Z~ and Zl are also applied across the appropriate communi-cations channels when a remote determines, as described below, that the communications link CL between it and its immediately adjacent higher or lower number remote is severed or suf~iciently degraded that reliable data transmission cannot be maintained therebetween. The determination as to communications link degradation can be made b~ providing each remote with a register for each communications channel that records, in a cumulative manner, the number of invalid messages received from the immediately adjacent remote(s) and terminate one or both of the communications link CL~ and CLl in the direction of the remote from which the number of in~alid messages received exceeds a threshhold valueO ~ore preferably, however, each remote is provied ~ith an active testing diagnostic routine to enable it to test the communication integrity of the communications link between it and its immediately adjacent remote(s) in accordance wi~h the flow diagrams illustrated in FIGS. 12, 12A, 13B and 12C as xead in accordance with FX5. 13 and the table of FIG. 14.
-- ~0 --The flow diagram illus~rated in FIG. 12 is a summary of the manner by which each remote ls capable of testing the communication integrity of the communications link CL between it and its immediate adjacent remote or remotes and terminating one or both of the communications links, CL0 and CLl, when a degraded or interrupted line condition is detected. As shown in FIGo 12 ~ the remote Rx is initialized and then, in sequence, tests the communi-cations integrity of the communications link CL~ in the downstream direction between it and its immediately adjacen~
lower number remote (that is, Rx 1) and then tests the communication integrity of the communications link CLl in the downstream direction with the same remote. If either the communications link C~ or CLl in the downstream direction is faulty, an appropriate flag is set in a register in the remote Rx reserved for this purpose. In a similar manner, the remote Rx then tests the communications integrity of the communications link CL~ and CLl in the up-stream direction with its immediately adjacent higher number remote (that is, remote RX~l3 and sets the appropriate ~lag, as and if required. After this initial diagnostic checking takes place, the remote Rx will terminate the failed communi-cations line CL~ and/or CLl by actuating the appropriate relay contacts 320 andfor 321 as required~ The line check-ng test utilized in FIG. 12 pre~erably takes place when the remote Rx is master-for-the-moment (that i5, Rm)o A more detailed explanation of the communications line integrity check and automatic line termination may be had by referring to FIGS. ~2A, 12~ and 12C (as read in accordance ~2~ii~
with the flow chart legend of ~IG. 13) in which FIG. 12A
represents the downstream integrity check with the next lower number remote, FIG. 12B represents the upstream integrity check with the next hlgher number remote, and FIG. 12C represents the line termination function in response to the results of the integrity test performed in FIGS. 12A and 12B.
In FIG. 12A, the line che~king diagnostic is started by first loading ~hree registers or counters, namely, a 'retry counter', a 'CL0 retry counter', and a 'CLl retry counter' with an arbitrarily selected number, for example, five. The 'retry counter' is then decremented by one and a message sent from the remote Rx to the remote Rx 1 requesting an acknowledgement ACK signal. If the communications link CL0 and CLl between the interrogaking remote and the responding remote is fully functional, a valid ACR signal will be received by the interrogating remote Rx on both C~0 and CLl. The diagnostic checkiny will then route to the part of the program ~FIG. 12B~ ~or checking the communications integrity of the communications link CL0 and CLl between the interrogating remote Rx and the next higher number remote in the system, that is, RX~l. On the other hand, if a valid ACK signal is not received on one or both of the communications links CL0 or CLl by the requesting remote Rx fxom the immediately adjacent lower number responding remote R~ 1~ the appropriate retry counter (that i5, ~ CL0 retry counter' or 'CLl retry counter') will be decremented by one and the procedure repeated until the 'retry counter' is zero at which time the appropriate CL0 5~i~
and/or CLl termina e flag register will be set; thereafter, the program will route to the upstream communications integrity check shown in FIG. 12B.
The flow diagram o~ FIG. 12B is basically the same as that of FIG. 12A except that the communication~ integrity check occurs for that portion of the communications link CL between the interrogating remote Rx and the next higher number responding remote RXtl More specifically, the three registers or counters, that is, the 'retry counter', the 'CL0 retry counter', and the 'CLl retry counter' are loaded with the arbitrarily selected value of five. The 're~ry counter' is then decremented by one and a message sent from the interrogating remote Rx to the remote RX+l requesting an acknowledgement signal. If the communications link CL~ and CLl between the interrogating remote Rx and the responding remote RX~l is integral, a valid acknowledgement signal will be received by the interrogating remote Rx and the pxogram will route to the termination impedance portion of the procedure shown in FIG. 12C.
On the other hand, if a valid acknowledgement signal is not received on one or both of the communications lines CL~
or CLl by the interrogating remote Rx from the higher order responding remote RX+1, the appropriate retry counter, that is, the 'CL0 or CLl retry counter' will be decremented by one and the procedure repeated until the 'retry counter' is zero at which point the appropriate C~ and/ox CLl termination ~lag register will be set; thereafter, the program diagnostic will route to the line impedance termination portion shown in FIG. 12C.
In the flow diagram of FIG. 12C, the various termination registers are ex~mined for set flags and appropriate commands issued to the C-link control device 38 (FIG. 3) to terminate the line by appropriate actuation of the relay contacts 32~ and/or 32l. As is also shown in FTG. 12C, a line termination relay can also be released (that is, reset) to remove a previously applied line termination impedance. Accordingly, the system provides each remote with the ability to remove a line termination as well as apply a line termination. This particular feature is desirable when a communication link is temperarily degraded by the pxesence of non-recurriny electrical noise to permit the system to automatically re-configure its line impedances.
The following specific example illustrates the operation o~ the line termination procedure in which it is assumed that the communications link CL~ in FIG. l is severed at point A as shswn therein and that the remote R4 is the pxesent master ~Rm) of the system and testing the communications integrity of the communications link between itself as the interxogating remote (Rx) and its next lower order ~umber remote R3 (that is, Rx 1)~ In accordance with the flow diagram of FIG. 12A, the 'retry counter', and the 'CL~ retry counter', and the 'C~l retry counter'~ as shown in the tabulation table of FIG. 14, are set to ~he pre-determined value of five. The 'retry cou~ter' is decremerlted by one and the requesting interrogating remote R4 (R~) requests an acknowledgement from the responding remote R3 (that is, Rx_l). The requested acknowledgement will be provided on line C~l but not line CL~ because of the .
aforementioned interruption at point A (FIG. 1).
The interrogating remote R4, not receiving the requested acknowledgement signal on communications link CL~, will decrement the 'CL~ retry counter' by one. Thereafter, the retest procedure will be sequentially continued with the 'CL0 retry counter' being decremented with each additional unsuccessful attempt to obtain an acknowledgement from remote R3 through the communications link CL0. When the 'retry counter' decrements to zero, the 'CL~ retry coun~er' will also be decremented to zero at which time the CL0 lower order termination flag will be set. The remote R4 will thereafter continue the diagnostic checking procedure to ~est the communications integrity of that portion of the communications link between the remote R4 (Rx) and the next adjacent higher remote R5 (that is, RX+l) in accordance with the flow diagram of FIG. 12B. At the conclusion o~
the test o~ the communications link between the inter-rogating remote R4 and the immediately adjacent lower number and higher n~mber remotes R3 and R5, the termination relay contacts 320 (FIG. 3) will be set to terminate the communi~
cations link Ch0 at the remote R~. In a ~imilar manner, the remote R3, when it becomes master-for-the~moment, will also apply a termination impedance across the communications link CL~.
As can be appreciated from the foregoing, the remotes Ro...~n have the ability, even when one or both of the commur.ication links CL0 and CLl are severed to still function on a master-for-the-moment basis and also to effect appropriate line termination to minimize the adverse effect on digital data signal strength and the generation of xeflected signals from mismatched line impedance caused by deteriorated or sevexed communication linesO In addition, the system is self-healing, that is, when reliable communications is restored over the severed or degraded portion o~ the communications link the remotes Rn will then again functi.on to remove the line impedances to resume full system operation.
As will be apparent to those skilled in the art, various changes and modifications may be made to the industrial control system of the present invention without departing from the spirit and scope of the invention as recited in the appended calims and their legal equivalent.
If the program determines khat the status.
of remote Rl is not operating in decision instruction sequence 125, then ~hls means that the attempt to restart the applications program in remote Rl in instruction sequence 121 failed and the redundant remote R4 program then proceeds into instruction sequence 127 to initialize the input/output management device 14 (also identified in FIG. llB as ' RTX ' ) in remote Rl to receive instructions and data from the redundant remote R4 instead of from the central processing unit 16 in the remote Rl and to send data on the status of the input and output devices to the redundant remote R4.
If the. program of the red~ndant remote R~
dete~nines that the fail flag was 'on' instead o~ 'off' in decision instruction sequence 119, the redundant remote program would proceed dixectly into the instruction sequence 127 to initialize the input/output management device 14 of remote Rl to respond to the redundant remote R4.
The purpose of the fail flay which is set to 'on' in instruction step 123 and is reset to 'off' in instructlon step 103 i~ to prevent the redundant remote program from getting hung-up in a condition in which it successully restarts the remote Rl on~y to have the remote Rl fail again by the time the program of the redundant remote recycles around to checking the mailbox of the remote Rl again in decision instruction sequence 101. If this should happen, the fail flag for remote Rl will have been set ~o 'on' in instruction step 123 after the successful restarting of -the 5~
applications program. Then, the next time that the redundant remote program cycles back to decision instruction sequence 101, and determines that the status of remote Rl is not operating, the fail flag for remote Rl will be 'on'. Accordingly, the program will jump from decision instruction sequence 119 into the instruction sequence 127 to initialize the remote Rl to respond to redundant remote R4. If the next time the redundant remote program recycles back to decision instruction sequence 101 to check the status of Rl, it determines that the s~atus of Rl is operating, the program will then reset the fail ~lag to 'off' in instruction step 103 so that in subsequent cycles, should the program determine that the remote R1 has again failed, the program will again go into the restart instruction sequence 121 instead of immediately jumping to the initialization instruction sequence 127.
After the redundant remote program has completed the initialization instruction sequence 127, it then proceeds to subroutine 129. In this subroutine, the status of the applications program o~ remote R1 last received by khe redundant remote R4, which status is stored in the memory of the redundant remote R4, is loaded into predetermined registers of the memory of the redundant remote R~ in order to carry out the applications program of remote Rl in the redundant remote R4. After this subroutine is completed, the program proceeds into instruction sequence 130 and then into the subroutine 131 in which it starts and carries out the applications program. The redundant remote R4 carries out the Rl applications program by receiving data from remote Rl as to the status of the input and output devices of ~he remote Rl and sending instructions to remote R1 to direct operation of the input/output management device 14 of the remote Rl. The program in the redundant remote R4 will then continue to cycle through the applications program for the remote Rl until it receives a command from the operator to reset it back into its main cycle of checXing the status of the remotes Rl, R2, and R3.
Should the redundant remote ~4 determine that the status of remote R2 or remote R3 is not operating, it then performs the same program with respect to these remotes as described with respect to remote Rl as is illustrated in FIGS. llA and llB.
The redundant remote R8 will take over the applications program should any of the primary remotes R5-R7 become nonoperative in the same manner as described above with respect to R4 serving as a back-up for the primary remotes Rl-R3.
It will be appreciated that the provision of the redundant remotes decreases malfunctioning of the control system due to one of the primary remotes becoming inoperative as a result of Eailure 0f the central prc)cessing unit 16 of the primary remote. Because each redundant remote serves as a back-up for several primary remotes, the cost of providing the redundancy is significantly reduced. Because the redundant remotes are themselves each a remote control unit which takes its turn in the master-for-a-moment sequence communicating wi~h the other remotes over the dual channel communications link, the redundant remotes can be provided in the system very inexpensively.
Each remote Rn, as described above, is provided with termination impedances Z~ and Zl for the first and second communication channels C~ and CHl (FIG. 3) and a line termination relay 32~ and 321 under the contxol of the communications link control device 38. The termination impedances are connected across each channel of the communi-cations link when the particular remote is the first or the last remote in the system (eOg., Rl and R8 in FIG. 1) to establish proper line termination impedance to prevent signal level degradation and the presence of reflected signals, both conditions which can advexsely affect the performance of the system. The termination impedances Z~ and Zl are also applied across the appropriate communi-cations channels when a remote determines, as described below, that the communications link CL between it and its immediately adjacent higher or lower number remote is severed or suf~iciently degraded that reliable data transmission cannot be maintained therebetween. The determination as to communications link degradation can be made b~ providing each remote with a register for each communications channel that records, in a cumulative manner, the number of invalid messages received from the immediately adjacent remote(s) and terminate one or both of the communications link CL~ and CLl in the direction of the remote from which the number of in~alid messages received exceeds a threshhold valueO ~ore preferably, however, each remote is provied ~ith an active testing diagnostic routine to enable it to test the communication integrity of the communications link between it and its immediately adjacent remote(s) in accordance wi~h the flow diagrams illustrated in FIGS. 12, 12A, 13B and 12C as xead in accordance with FX5. 13 and the table of FIG. 14.
-- ~0 --The flow diagram illus~rated in FIG. 12 is a summary of the manner by which each remote ls capable of testing the communication integrity of the communications link CL between it and its immediate adjacent remote or remotes and terminating one or both of the communications links, CL0 and CLl, when a degraded or interrupted line condition is detected. As shown in FIGo 12 ~ the remote Rx is initialized and then, in sequence, tests the communi-cations integrity of the communications link CL~ in the downstream direction between it and its immediately adjacen~
lower number remote (that is, Rx 1) and then tests the communication integrity of the communications link CLl in the downstream direction with the same remote. If either the communications link C~ or CLl in the downstream direction is faulty, an appropriate flag is set in a register in the remote Rx reserved for this purpose. In a similar manner, the remote Rx then tests the communications integrity of the communications link CL~ and CLl in the up-stream direction with its immediately adjacent higher number remote (that is, remote RX~l3 and sets the appropriate ~lag, as and if required. After this initial diagnostic checking takes place, the remote Rx will terminate the failed communi-cations line CL~ and/or CLl by actuating the appropriate relay contacts 320 andfor 321 as required~ The line check-ng test utilized in FIG. 12 pre~erably takes place when the remote Rx is master-for-the-moment (that i5, Rm)o A more detailed explanation of the communications line integrity check and automatic line termination may be had by referring to FIGS. ~2A, 12~ and 12C (as read in accordance ~2~ii~
with the flow chart legend of ~IG. 13) in which FIG. 12A
represents the downstream integrity check with the next lower number remote, FIG. 12B represents the upstream integrity check with the next hlgher number remote, and FIG. 12C represents the line termination function in response to the results of the integrity test performed in FIGS. 12A and 12B.
In FIG. 12A, the line che~king diagnostic is started by first loading ~hree registers or counters, namely, a 'retry counter', a 'CL0 retry counter', and a 'CLl retry counter' with an arbitrarily selected number, for example, five. The 'retry counter' is then decremented by one and a message sent from the remote Rx to the remote Rx 1 requesting an acknowledgement ACK signal. If the communications link CL0 and CLl between the interrogaking remote and the responding remote is fully functional, a valid ACR signal will be received by the interrogating remote Rx on both C~0 and CLl. The diagnostic checkiny will then route to the part of the program ~FIG. 12B~ ~or checking the communications integrity of the communications link CL0 and CLl between the interrogating remote Rx and the next higher number remote in the system, that is, RX~l. On the other hand, if a valid ACK signal is not received on one or both of the communications links CL0 or CLl by the requesting remote Rx fxom the immediately adjacent lower number responding remote R~ 1~ the appropriate retry counter (that i5, ~ CL0 retry counter' or 'CLl retry counter') will be decremented by one and the procedure repeated until the 'retry counter' is zero at which time the appropriate CL0 5~i~
and/or CLl termina e flag register will be set; thereafter, the program will route to the upstream communications integrity check shown in FIG. 12B.
The flow diagram o~ FIG. 12B is basically the same as that of FIG. 12A except that the communication~ integrity check occurs for that portion of the communications link CL between the interrogating remote Rx and the next higher number responding remote RXtl More specifically, the three registers or counters, that is, the 'retry counter', the 'CL0 retry counter', and the 'CLl retry counter' are loaded with the arbitrarily selected value of five. The 're~ry counter' is then decremented by one and a message sent from the interrogating remote Rx to the remote RX+l requesting an acknowledgement signal. If the communications link CL~ and CLl between the interrogating remote Rx and the responding remote RX~l is integral, a valid acknowledgement signal will be received by the interrogating remote Rx and the pxogram will route to the termination impedance portion of the procedure shown in FIG. 12C.
On the other hand, if a valid acknowledgement signal is not received on one or both of the communications lines CL~
or CLl by the interrogating remote Rx from the higher order responding remote RX+1, the appropriate retry counter, that is, the 'CL0 or CLl retry counter' will be decremented by one and the procedure repeated until the 'retry counter' is zero at which point the appropriate C~ and/ox CLl termination ~lag register will be set; thereafter, the program diagnostic will route to the line impedance termination portion shown in FIG. 12C.
In the flow diagram of FIG. 12C, the various termination registers are ex~mined for set flags and appropriate commands issued to the C-link control device 38 (FIG. 3) to terminate the line by appropriate actuation of the relay contacts 32~ and/or 32l. As is also shown in FTG. 12C, a line termination relay can also be released (that is, reset) to remove a previously applied line termination impedance. Accordingly, the system provides each remote with the ability to remove a line termination as well as apply a line termination. This particular feature is desirable when a communication link is temperarily degraded by the pxesence of non-recurriny electrical noise to permit the system to automatically re-configure its line impedances.
The following specific example illustrates the operation o~ the line termination procedure in which it is assumed that the communications link CL~ in FIG. l is severed at point A as shswn therein and that the remote R4 is the pxesent master ~Rm) of the system and testing the communications integrity of the communications link between itself as the interxogating remote (Rx) and its next lower order ~umber remote R3 (that is, Rx 1)~ In accordance with the flow diagram of FIG. 12A, the 'retry counter', and the 'CL~ retry counter', and the 'C~l retry counter'~ as shown in the tabulation table of FIG. 14, are set to ~he pre-determined value of five. The 'retry cou~ter' is decremerlted by one and the requesting interrogating remote R4 (R~) requests an acknowledgement from the responding remote R3 (that is, Rx_l). The requested acknowledgement will be provided on line C~l but not line CL~ because of the .
aforementioned interruption at point A (FIG. 1).
The interrogating remote R4, not receiving the requested acknowledgement signal on communications link CL~, will decrement the 'CL~ retry counter' by one. Thereafter, the retest procedure will be sequentially continued with the 'CL0 retry counter' being decremented with each additional unsuccessful attempt to obtain an acknowledgement from remote R3 through the communications link CL0. When the 'retry counter' decrements to zero, the 'CL~ retry coun~er' will also be decremented to zero at which time the CL0 lower order termination flag will be set. The remote R4 will thereafter continue the diagnostic checking procedure to ~est the communications integrity of that portion of the communications link between the remote R4 (Rx) and the next adjacent higher remote R5 (that is, RX+l) in accordance with the flow diagram of FIG. 12B. At the conclusion o~
the test o~ the communications link between the inter-rogating remote R4 and the immediately adjacent lower number and higher n~mber remotes R3 and R5, the termination relay contacts 320 (FIG. 3) will be set to terminate the communi~
cations link Ch0 at the remote R~. In a ~imilar manner, the remote R3, when it becomes master-for-the~moment, will also apply a termination impedance across the communications link CL~.
As can be appreciated from the foregoing, the remotes Ro...~n have the ability, even when one or both of the commur.ication links CL0 and CLl are severed to still function on a master-for-the-moment basis and also to effect appropriate line termination to minimize the adverse effect on digital data signal strength and the generation of xeflected signals from mismatched line impedance caused by deteriorated or sevexed communication linesO In addition, the system is self-healing, that is, when reliable communications is restored over the severed or degraded portion o~ the communications link the remotes Rn will then again functi.on to remove the line impedances to resume full system operation.
As will be apparent to those skilled in the art, various changes and modifications may be made to the industrial control system of the present invention without departing from the spirit and scope of the invention as recited in the appended calims and their legal equivalent.
Claims (21)
1. A system for controlling an industrial process, said system including a plurality of process controlling remotes interconnected by a common communications link and each adapted to test the communications integrity of the communications link between remotes and provide an impedance thereto in the event of an interruption or degradation of the communications integrity of the communications link between remotes, said system comprising:
a plurality of process controlling remotes interconnect-ed through a communications link, each remote provided with (a) transmitting and receiving means operatively connected to said communications link for transmitting and receiving digital information in messages of predetermined format, to and from each of the other remotes within the system, (b) message checking means operatively connected to said trans-mitting and receiving means for determining if the so-trans-mitted messages are successfully received, and (c) selectively actuatable switch means to selectively connect an impedance to said communications link;
each remote including means to cause said transmit-ting and receiving means to transmit messages to other of said remote and provide an actuation signal to said switch means to cause said switch means to connect said impedance to said communications link in response to said message check-ing means determining the number of messages successfully received by said other of said remote(s) is below a pre-determined threshhold.
a plurality of process controlling remotes interconnect-ed through a communications link, each remote provided with (a) transmitting and receiving means operatively connected to said communications link for transmitting and receiving digital information in messages of predetermined format, to and from each of the other remotes within the system, (b) message checking means operatively connected to said trans-mitting and receiving means for determining if the so-trans-mitted messages are successfully received, and (c) selectively actuatable switch means to selectively connect an impedance to said communications link;
each remote including means to cause said transmit-ting and receiving means to transmit messages to other of said remote and provide an actuation signal to said switch means to cause said switch means to connect said impedance to said communications link in response to said message check-ing means determining the number of messages successfully received by said other of said remote(s) is below a pre-determined threshhold.
2. The system claimed in Claim 1 wherein:
said message checking means including validity check-ing means for evaluating the validity of each message received from a transmitting remote and responding thereto with an acknowledgement signal for a validly received message and a non-acknowledgement signal for an invalidly received mess-age, said transmitting remote determining the successful reception of its transmitted messages thereto by the ack-nowledgement messages received therefrom.
said message checking means including validity check-ing means for evaluating the validity of each message received from a transmitting remote and responding thereto with an acknowledgement signal for a validly received message and a non-acknowledgement signal for an invalidly received mess-age, said transmitting remote determining the successful reception of its transmitted messages thereto by the ack-nowledgement messages received therefrom.
3. The system claimed in Claim 1 wherein said com-munications link comprises:
at least two independent communication channels connected to and extending between said remotes.
at least two independent communication channels connected to and extending between said remotes.
4. The system claimed in Claim 3, wherein:
said means for transmitting associated with each remote transmits identical messages on each of said plural communication channels.
said means for transmitting associated with each remote transmits identical messages on each of said plural communication channels.
5. The system claimed in Claim 4 wherein:
said means for transmitting associated with each remote transmits each message at least twice on each of said plural communication channels and said message validity evaluation means effects evaluation by at least comparing the plural transmitted messages on said at least one channel of said communications link.
said means for transmitting associated with each remote transmits each message at least twice on each of said plural communication channels and said message validity evaluation means effects evaluation by at least comparing the plural transmitted messages on said at least one channel of said communications link.
6. The system claimed in Claim 5, wherein:
said message validity evaluation means, after effect-ing said evaluation of said plural messages transmitted on said at least one channel, effects comparison of the plural messages received on said other channel.
said message validity evaluation means, after effect-ing said evaluation of said plural messages transmitted on said at least one channel, effects comparison of the plural messages received on said other channel.
7. A method of providing a line-matching impedance in a communications link of an industrial process control system having a plurality of process controlling remotes interconnected by the communications link in the event of an interruption or degradation of the communications integrity of the communications link comprising the steps of:
providing at least a first one of said remotes with an impedance that is selectively connectable to the communications link;
transmitting a message from said first one of said remotes to a second one of said remotes;
evaluating the validity of the message received at the said second one of said remotes and sending a valid-message-received message from said second one of said remotes to said first one of said remotes if the test message is valid;
evaluating the communications integrity of the communications link between said first one of said remotes and said second one of said remotes as a function of a number of valid message-received messages received by said first one of said remotes; and connecting said impedance means to said communications link if the number of valid-message-received messages re-ceived by said first one of said remotes is less than a predetermined value.
providing at least a first one of said remotes with an impedance that is selectively connectable to the communications link;
transmitting a message from said first one of said remotes to a second one of said remotes;
evaluating the validity of the message received at the said second one of said remotes and sending a valid-message-received message from said second one of said remotes to said first one of said remotes if the test message is valid;
evaluating the communications integrity of the communications link between said first one of said remotes and said second one of said remotes as a function of a number of valid message-received messages received by said first one of said remotes; and connecting said impedance means to said communications link if the number of valid-message-received messages re-ceived by said first one of said remotes is less than a predetermined value.
8. A method of providing a line matching impedance in a communications link of an industrial process control system having a plurality of remotes R0, R1,...RX-1,RX, RX+1, ... Rn-1, Rn interconnected by a common communications link in the event of an interruption or degradation of the comm-unications integrity of the communications link, comprising the steps of:
(a) providing at least one of said remotes Rx with an impedance means that is selectively connectable to said communications link;
(b) transmitting a test message from the remote Rx to a selected one of the remotes RX+1 or Rx-1;
(c) evaluating the validity of the test message sent to said selected one remote from the remote Rx;
(d) responding to a validly received message by said selected one remote by transmitting a valid-message-received message to the remote Rx;
(e) evaluating the communications integrity of the communications link between the remote Rx and the selected one remote as a function of the valid-message-received messages by the remote Rx;
(f) connecting the impedance means to the communicat-ions link when the number of valid-message-received messages is below a predetermined value; and (g) repeating the steps (b) through (f) for the other one of the remotes RX+1 or Rx-1.
(a) providing at least one of said remotes Rx with an impedance means that is selectively connectable to said communications link;
(b) transmitting a test message from the remote Rx to a selected one of the remotes RX+1 or Rx-1;
(c) evaluating the validity of the test message sent to said selected one remote from the remote Rx;
(d) responding to a validly received message by said selected one remote by transmitting a valid-message-received message to the remote Rx;
(e) evaluating the communications integrity of the communications link between the remote Rx and the selected one remote as a function of the valid-message-received messages by the remote Rx;
(f) connecting the impedance means to the communicat-ions link when the number of valid-message-received messages is below a predetermined value; and (g) repeating the steps (b) through (f) for the other one of the remotes RX+1 or Rx-1.
9. A system for controlling an industrial process as recited in Claim 1, wherein said predetermined threshhold is a plurality.
10. A method as recited in Claim 7, wherein said predetermined value is a plurality.
11. A method as recited in Claim 8, wherein said predetermined value is a plurality.
12. An information transfer system comprising a multiplicity of stations, a communications link interconnecting said stations, each station provided with (a) a stored-program controller, (b) transmitting and receiving means connected between said stored-program controller and said communications link for transmitting digital information from said stored-program controller over said communications link in messages of predetermined format to another one of said stations and for receiving digital information from another one of said stations over said communications link in messages of predetermined format, and (c) switch means selectively operable under the control of said stored-program controller to connect an impedance to said communications link, the stored-program controllers including message check-ing means for determining if the transmitted messages are successfully received by the transmitting and receiving means of the receiving station.
13. An information transfer system for transferring digital information between stored-program controllers inter-connected by a communications link, each controller adapted to test the communications integrity of the communications link be-tween it and other of the controllers and connect an impedance to the communications link in the event of an interruption or degradation of the communications integrity of the comm-unications link between the controllers, each system comprising:
a plurality of stored-program controllers inter-connected through a communications link, each controller provided with (a) transmitting and receiving means operatively connected to said communications link for transmitting and receiving digital information in messages of predetermined format to and from each other over said communications link/
(b) message-checking means operably connected to said trans-mitting and receiving means for determining if transmitted messages are successfully received by the receiving controller, and (c) selectively operable switch means to selectively connect an impedance to said communications link, each control-ler including means to cause said transmitting and receiving means to transmit messages to other of said controllers and to provide an actuation signal to said switch means to cause said switch means to connect said impedance to said communications link in response to said message checking means determining that the number of messages successfully received by said other of said controllers is below a pre-determined threshhold.
a plurality of stored-program controllers inter-connected through a communications link, each controller provided with (a) transmitting and receiving means operatively connected to said communications link for transmitting and receiving digital information in messages of predetermined format to and from each other over said communications link/
(b) message-checking means operably connected to said trans-mitting and receiving means for determining if transmitted messages are successfully received by the receiving controller, and (c) selectively operable switch means to selectively connect an impedance to said communications link, each control-ler including means to cause said transmitting and receiving means to transmit messages to other of said controllers and to provide an actuation signal to said switch means to cause said switch means to connect said impedance to said communications link in response to said message checking means determining that the number of messages successfully received by said other of said controllers is below a pre-determined threshhold.
14. An information transfer system as recited in Claim 13, wherein said predetermined threshhold is a plurality.
15. The system claimed in Claim 13, wherein said message checking means includes validity determining means for evaluating the validity of each message received from a transmitting controller and responding thereto with an acknowledgement message for a validly received message and a non-acknowledgement message for an invalidly received message, said transmitting controller determining the success-ful reception of its transmitted message by reception of the acknowledgement message.
16. The system claimed in Claim 15 wherein said communications link comprises:
at least two independent communication channels connected to and extending between said controllers.
at least two independent communication channels connected to and extending between said controllers.
17. The system claimed in Claim 15 wherein said means for transmitting associated with each controller is adapted to transmit identical messages on each of said communication channels.
18. The system claimed in Claim 17 wherein said means for transmitting associated with each controller trans-mits each message at least twice on each channel and said message validity evaluating means associated with each control-ler effects evaluation of the received messages by at least comparing the plural messages transmitted on at least one of said plural communication channels.
19. The system claimed in Claim 18 wherein said message validity evaluating means, after effecting said evaluation on said at least one channel, effects a comparison of the plural messages received on said other channel if the messages received on said at least one channel are not valid.
20. The system as claimed in claim 1 wherein at least one remote includes means for logging change-in-status information, with respect to a plurality of devices controlled by said at least one remote, the controlled devices having associated sensors each having input/output data-points associated therewith, said controlled devices and associated sensors being interconnected through a communications buss, said means for logging change-in-status information including computer-based controlling means for effecting control thereover, first and second memory files for storing input/
output data associated with said controlled devices and sensors, said second memory of a predetermined size and of the first-in first-discard type;
scanning means for obtaining the input/output data associated with each of said controlled devices and sensors and storing the so-obtained data in said first memory and thereafter obtaining the input/output data on a cyclic basis;
comparing and detecting means for comparing the input/
output data obtained during the latest of said cyclic scans with the input/output data stored in said first memory file, and, in the event a difference between the latest obtained data and the stored data is detected indicating a change-in-status, updating the appropriate input/output data in said first memory and storing information relating to the so detected change-in-status in said second memory on a first-in first-discard basis;
means at least responsive to selected ones of said input/output data or combinations thereof for providing an inhibit signal to said second memory to inhibit further storage therein.
output data associated with said controlled devices and sensors, said second memory of a predetermined size and of the first-in first-discard type;
scanning means for obtaining the input/output data associated with each of said controlled devices and sensors and storing the so-obtained data in said first memory and thereafter obtaining the input/output data on a cyclic basis;
comparing and detecting means for comparing the input/
output data obtained during the latest of said cyclic scans with the input/output data stored in said first memory file, and, in the event a difference between the latest obtained data and the stored data is detected indicating a change-in-status, updating the appropriate input/output data in said first memory and storing information relating to the so detected change-in-status in said second memory on a first-in first-discard basis;
means at least responsive to selected ones of said input/output data or combinations thereof for providing an inhibit signal to said second memory to inhibit further storage therein.
21. The system as claimed in Claim 1 wherein at least one remote includes a processor-based controller for providing control signals to a controlled device and obtaining device-responsive signals from a sensor therefor and providing a historical log of change-in-status events for said device and sensor, said controller comprising:
a processor connected to said controlled device for providing control signals thereto for effecting control thereover and for receiving device-responsive signals from a sensor operatively associated with said control device, said controlled device having input/output status data-points associated therewith;
first and second memory files connected to said processor, said second memory of the first-in first discard type;
means operatively associated with said processor for scanning the input/output status data-points and storing the so-obtained status information in said first memory file and, thereafter scanning said input/output status data-points and comparing the thereafter obtained input/output status information with the input/output status information stored in said first memory file and, in the event that a difference between the thereafter obtained status information and the status information stored in said first memory is detected, for updating the appropriate status information in said first memory and storing information related to the detected difference in said second memory file;
means responsive to selective ones or combination (Claim 21 cont'd) thereof of said input/output status information for providing an inhibit signal to said second memory file to prevent storage therein.
a processor connected to said controlled device for providing control signals thereto for effecting control thereover and for receiving device-responsive signals from a sensor operatively associated with said control device, said controlled device having input/output status data-points associated therewith;
first and second memory files connected to said processor, said second memory of the first-in first discard type;
means operatively associated with said processor for scanning the input/output status data-points and storing the so-obtained status information in said first memory file and, thereafter scanning said input/output status data-points and comparing the thereafter obtained input/output status information with the input/output status information stored in said first memory file and, in the event that a difference between the thereafter obtained status information and the status information stored in said first memory is detected, for updating the appropriate status information in said first memory and storing information related to the detected difference in said second memory file;
means responsive to selective ones or combination (Claim 21 cont'd) thereof of said input/output status information for providing an inhibit signal to said second memory file to prevent storage therein.
Applications Claiming Priority (3)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US06/202,471 US4402082A (en) | 1980-10-31 | 1980-10-31 | Automatic line termination in distributed industrial process control system |
| US202,471 | 1980-10-31 | ||
| CA000368795A CA1171543A (en) | 1980-01-24 | 1981-01-19 | Industrial control system |
Related Parent Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CA000368795A Division CA1171543A (en) | 1980-01-24 | 1981-01-19 | Industrial control system |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CA1182567A true CA1182567A (en) | 1985-02-12 |
Family
ID=25669231
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CA000442693A Expired CA1182567A (en) | 1980-10-31 | 1983-12-06 | Automatic line termination in distributed industrial process control system |
Country Status (1)
| Country | Link |
|---|---|
| CA (1) | CA1182567A (en) |
-
1983
- 1983-12-06 CA CA000442693A patent/CA1182567A/en not_active Expired
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US4347563A (en) | Industrial control system | |
| US4410983A (en) | Distributed industrial control system with remote stations taking turns supervising communications link between the remote stations | |
| CA1171543A (en) | Industrial control system | |
| US4352103A (en) | Industrial control system | |
| US4402082A (en) | Automatic line termination in distributed industrial process control system | |
| US4607365A (en) | Fault-tolerant communications controller system | |
| US4745597A (en) | Reconfigurable local area network | |
| US5084871A (en) | Flow control of messages in a local area network | |
| US4628504A (en) | Distributed bus control communication protocol | |
| EP0464014A2 (en) | Communications systems using a fault tolerant protocol | |
| CA1182567A (en) | Automatic line termination in distributed industrial process control system | |
| US4783733A (en) | Fault tolerant communications controller system | |
| CA1182569A (en) | Industrial control system with interconnected remotely located computer control units | |
| CA1182568A (en) | Industrial control system | |
| KR100237613B1 (en) | Remote redundant system and control method in plc | |
| RU2430400C1 (en) | Backup software-hadware system for automatic monitoring and control | |
| JPH045300B2 (en) | ||
| JP2937871B2 (en) | Polling monitoring method | |
| JP2644571B2 (en) | Remote IPL control method | |
| KR0153942B1 (en) | Duplication apparatus for atm cell data transmission link | |
| JPS6144425B2 (en) | ||
| JPS62213452A (en) | Signal terminal equipment | |
| JPH04185138A (en) | Communication controller | |
| JPH0282841A (en) | Automatic station address numbering method | |
| JPH07107674B2 (en) | Terminal device failure detection method |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| MKEX | Expiry |