CA1182572A - Industrial control system with interconnected remotely located computer control units - Google Patents
Industrial control system with interconnected remotely located computer control unitsInfo
- Publication number
- CA1182572A CA1182572A CA000442692A CA442692A CA1182572A CA 1182572 A CA1182572 A CA 1182572A CA 000442692 A CA000442692 A CA 000442692A CA 442692 A CA442692 A CA 442692A CA 1182572 A CA1182572 A CA 1182572A
- Authority
- CA
- Canada
- Prior art keywords
- remote
- control
- master
- next successive
- communications link
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired
Links
Abstract
INDUSTRIAL CONTROL SYSTEM WITH INTERCONNECTED
REMOTELY LOCATED COMPUTER CONTROL UNITS
ABSTRACT OF THE DISCLOSURE
A control system for controlling an industrial process includes a plurality of remotely located process control units (remoted) each coupled to an associated input/output device(s) and adapted to communicate with one another through a dual channel communications link. Each remote has a unique succession number within a predetermined succession order with supervisory communication-control of the communication link sequentially transferred to each remote according to its succession number to provide a revolving or master for the moment control of the system. Digital information in the form of data and control information blocks is transmitted between the remotes with the blocks transmitted twice on each channel of the communications link. The destination remote tests the blocks validity on one of the two dual channels and, if validated, responds with an acknowledgement signal (ACK) and, if invalid, tests the blocks on the other, alternate channel and then responds with an acknowledgement or non-acknowledgement signal (NAK) depending upon whether the data blocks tests on the alternate channel are found valid or invalid. A non-acknowledgement from the destination remote re-triggers the transmission of the blocks from the source remote. The system provides high overall operating efficiency since the remotes will maintain a system-like integrity of each side of a severed communication link and the redundant block transmission with alternate line checking provides very high information transfer reliability.
REMOTELY LOCATED COMPUTER CONTROL UNITS
ABSTRACT OF THE DISCLOSURE
A control system for controlling an industrial process includes a plurality of remotely located process control units (remoted) each coupled to an associated input/output device(s) and adapted to communicate with one another through a dual channel communications link. Each remote has a unique succession number within a predetermined succession order with supervisory communication-control of the communication link sequentially transferred to each remote according to its succession number to provide a revolving or master for the moment control of the system. Digital information in the form of data and control information blocks is transmitted between the remotes with the blocks transmitted twice on each channel of the communications link. The destination remote tests the blocks validity on one of the two dual channels and, if validated, responds with an acknowledgement signal (ACK) and, if invalid, tests the blocks on the other, alternate channel and then responds with an acknowledgement or non-acknowledgement signal (NAK) depending upon whether the data blocks tests on the alternate channel are found valid or invalid. A non-acknowledgement from the destination remote re-triggers the transmission of the blocks from the source remote. The system provides high overall operating efficiency since the remotes will maintain a system-like integrity of each side of a severed communication link and the redundant block transmission with alternate line checking provides very high information transfer reliability.
Description
7~
INDUSTRIAL CONTROL SYSTEM ~IT~ INTERCONNECTED
REMOTELY LOCATED COMPUTER CONTROL UNITS
BACKGROUND OF THE INV~NTION
This application is a divisional of Canadian Serial No. 368,795 filed January 19, 1981.
The present invention relates to control systems of the type having a pluralit~ of remotely located process control units connected together through a communications link and, more particularly, to a control system in which each of the remote units sequentially assumes supervisory communication control of the communication link and in which high reliability information transfer is achieved between remotes.
Many system type industrial installations, for example, those related to industrial process-type-manufacturing and electrical power generation, employ a large number of physically distributed controlled-devices and associated sensors for effecting coordinated operation of the overall system. In the past, coordinated control of the various devices has been achieved by manual operatlon and various types of semi-automatic and automatic control systems including electro-magnetic relay systems, hardwired solid-state logic systems, and various types of computer control sys~ems. The computer systems have included central systems in which the various sensors and controlled devices are connected to a central computer; distributed control systems in which a remotely located computer is connected to each of the controlled devices and to one another; and hybrid combinations of the central and distributed systems. The success-ful functioning of the control system is vital to any industrial process, and, accordingly, distributed systems have ~enerally been preferred over central systems because the failure of one of the remotely located control computers generally does not cause a system ~7ide failure as in the case of the failure of the _ 2 ~ ~
central computer in the central system. However, in many distributed computer systems, one of the remotes or a specially designed control unit generally handles supervisory communication control of the communication buss and, for these systems, failure of the communication b~ss supervisor can lead to a system-wide failure.
In many industrial control systems, the various communication busses that extend between the remotely located computer process control units are exposed to high electrical noise environments. Accordingly, the inormation transferred over the communication buss can be subjected to error-inducing interference because of the harsh electrical environment. In view of this, a control system must have a means for detecting errors within the transmitted information in order to provide high reliability data transmission between remotes.
SUMMARY OF THE INVENTION
Broadly, the present invention seeks to provide an industrial control system for control].ing an industrial process or the llke having a high overall system ope~ating reliability and to provide an industrial control system which may take the form of a distributed control system, a central control system, or a combination thereof to provide high overall operating efficiency and reliability.
The present invention also see~s to provide an industrial control system defined by a plurality of remotely located process control units lremotes) interconnected through a communication huss which each of the remotely loaated units adapted assume supervisory control of the communication buss in accordance with a predetermined se~uence.
The invention to which this divisional application is directed pertains in one aspect to a control system of the type having a plurality of process control remotes inter-connected through a communications link with each remote assigned 7~
a unique position in a predetermined succession order and each remote exercising supervisory control of the communication link on a revolving master basis. Supervisory control of the communications link is transferred Erom a present system master to the next successive remote in the succession order by a method comprising the steps of transmi-tting a control-transfer command signal along the communication link from the present system master to the next successive remote in the succession order, receiving and evaluating the validity of the control-system command signal at the next successive remote, and accepting supervisory control of the communication link by the next successive remote from the present master if the control-transfer command signal is found valid by the next successive remote, whereby the next successive remote becomes the present system master.
The invention in a further aspect in this divisi.onal application pertains to a system for controlling an industrial process, which system comprises a plurality of process control-ling remotes with a common communi.cation link interconnecting the remotes, each remote being assigned a unique position in a predetermined succession order and each remote exercising supervisory control of the communication link on a master for a moment basis in accordance with the succession order.
Each remote includes a means for transmitting digital in-formation in block format over the communications link to the other of the remotes and each includes receiver means for receiving diaital information transmitted from one other of th~ remotes, and each remote including means for transferring the supervisory control to -the next successive remote in the succession order 30 by transmitting a control-transfer block o~er the communication link to the next successive remote in the succession order and the next successive remote accepting supervisory control of the communication lin~: in response to the control-transfer block.
4 _ More particularly, disclosed is a control system for controlling an industrial process including a plurality of remote process control units ~n (remotes) connected to various controlled devices and sensors and communicating with one another through a communications link having at least two independent communication channels. Each remote is assigned a unique succession number or position in a predetermined succession order with each remote unit assuming supervisory communic~tion control of the communications link on a revolving or master for the moment basis in accordance with the remote's relative position in the succession order. Information transfer including process data and command control information is accomplished between a source remote Rs and a destination remote Rd by successively transmitting two identical information blocks over each communication channel with the destination remote Rd testing the validity of the blocks on one of the channels and, if valid, responding with an acknowledgement signal (ACK), and, if invalid, then testing the validity of the two blocks received on the other, alternate channel. An acknowledgement (~CK) or a non-acknowledgement signal (NA~) is sent by the destination remote Rd if the information on the alternate channel is found, respectively, valid or invalid. The source remote Rs will re-transmit the information blocks in response to a non-acknowledgement signal from a destination remote with the retransmission from the source remote Rs limited to a pre-determined, finite numberO
The system advantageollsly prcvides a me~ns for controlling an industrial process in which high overall system operating reliability is achie~ed. The system is equally sui~-able for use with central lmaster~slave), distributed, andhybrid system configurations.
57~
BRIEF DESCRIPTION OF THE DRAWINGS
_ The above description, as well as the 1s"ects, features, and advantages of the present invention will be more fully appreciated by reference to the following detailed description of a presently prefe~red ~ut none-theless illustrative embodiment in accordance with the present invention when taken in connection with the accompanying drawings wherein:
FIG. l is a schematic diagram of an exemplary process control system including a plurality of remote process control units (remotes), including both primary con-trol remotes and redundant remotes, connected to a common, d~al-channel communications link;
FIG~ 2 is a schematic block diagram of an exemplary remote process contxol unit of the type shown in FIG. l;
FIG. 3 is a schematic block diagram oE an exemplary modulator/demodulator (MODEM) for the remote process control unit sho~n in E1IG. 2;
FIG. 4 is a schematic block diagram of an exemplary communication protocol controller for the remote process unlt shown in FIG. 2;
FIG~ 4A is a schemat-c block diagx~ of an exemplary input~output management device for the remote ~rocess control unit shown in FIG. 2;
FIGo 4B is a flow diagram illustrating the manner in which the change-in-status events of the controlled devices of FIG. l are detected by the input/
output management device of FIG. 4A, FIG. 5 illustrates the format of an exemplary or illustrative information block for transferrlng information between remotes;
~2~
FIG. 5A illustrates the format of a header rrame of the information block shown in FIG. 5i FIG, SB illustrates the format for a data/
information rrame of the information block shown in FIG. S;
FIG. 5C illustrates the format for an acknowledgement block (ACK) for acknowledging successful receipt of an information block;
FIG. SD illustrates the ~ormat for a non-acknowledgement block (NAK~ for indicating the unsuccessful transmission of an information bloc~ between remotes;
.FIG. 6 illustrates, in pictorial form, two identical data blocks having the format sho~n in FIG. 5 successively transmitted on each communication chanr.el of the co~unicaticn link illustrated in FIG. l;
FIG. 7 is a ~low diagram sw~a-y of the manner in which a source and a destinati.on remote effect communi-~
cations with one another;
FIG. 8A is 2 partial flow diagram illustra~ing in detail the manner in which a source and a destination remote communicate and validat2 information transrerred between one another;
FIG. sa is a partial flow diagram which com-pletes the f~ow dlagram of FIG. 8A and illustra~es in detail the manner in whlch a source and a destination remote communicate and validate infor~ation transferred between one another;
7~
FIG. 9 is a legend illustrating the manner in the flow diagrams o~ FIG. 8A and FIG. 8B are to be read;
FIGS. lOA through lOF are exemplary tables illustrating the manner in which supervisoxy control of the communication link is transferred from remote to remote;
FIG. 11 is a schematic block diagram of an exemplary redundant remote that is adapted to assume control from a failed or otherwise inoperative primary remote;
FIGS. llA and llB are flow diagrams of the manner in which the central processing unit of the redundant remote R.4 monitors the operating condition of its assigned primary remotes Rl, R2, and R3 and takes over operation when one of the primary remotes fails;
~ IG. 12 is a flow diagram summary of the manner by which an interrogating remote Rx tests the integrity of the co~munication link bètween it and the remotes R
and RX+1 immediately adjacent thereto in the succession order;
FIG. 12A is a partial flow diagram illustrating in detail the manner by which an interrogating remote R~
tests the colNmunications integrity ~f the communica~ions link between it and the next lower number remote R~_l in the succession order;
FIG. 12B is a partial flow diagram illustrating in detail ~he manner in which an interrogating remote Rx tests the communiations integrity of the communications link between it and the next higher number remote RX+l in the succession order;
FIG. 12C is a partial flow diagram illustrating in detail the manner by which a line termination impedance is applied to the communications link in the event of a communications link degradation or intexruption;
S7~2 FIG. 13 is a legend illustrating the manner in which the flow diagrams of FIGS. 12A, 12B, and 12C are to be read; and ~ IG. 14 is an exemplary table illustrating the status of various counters when an interrogating remote Rx is evaluating the integrity of the communications link in accordance with the flow diagram shown in FIG. 12A~
DESCRIPTION OF THE PREFERRED E~BODIMENT
An industrial control system in accordance with the present invention is shown in schematic form in FIG. 1 and includes a communications link CL (C-link) having a plurality of remotely located process control units (remotes) Rl, R2,...R7, R8 connected thereto with the eight remotes (Rl-R8) shown being exemplary; it being understood that the system is designed to be used with a much laryer number of remotes. Of the eight remotes illustrated, the remotes Rl-R3 and R5-R7 are 'primary' remotes and the remotes R4 and R8 are 'redundant' remotes. The communications link CL is shown as an open line, double channel configuration formed from dual coax, dual twisted pair, or the like with the individual co~munication links identified, respectively, by the reference characters CL~ and CLl. While the system configuration shown in FIG. 1 is a distributed open loop or shared global bus type, the invention is equally suitable for application to central systems or central/
distributed hybrid con~iguration~O The system of FIG~ 1 is adapted for use in controlling an industrial process, e.g., the operation of a power generating plant, with each primary remote unit Rl-R3 and R5-R7 connected to one or more associated or corresponding input/output devices I/Ol-I/03 and I/05-I/07, respectively. Each input/output device is, in turn, connected to an associated controlled device CDl-CD3 and CD5-CD7 (of which only CD6 and CD7 are ~2~7;~
illustrated in FIG. 1) such as, but not limited to, various types of sensors (temperature, pressure, position, and motion sensors, etc.) and various types of actuators (motors, pumps, compressors, valves, solenoids, and relays, etc.).
Each primary remote may control a large number of output devices and respond to a large number of input devices, and the blocks labeled I/O in FIG. 1 can each represent many input and output d~vices.
The redundant remote R4 monitors the operation of primary remotes Rl, R2, and R3; and the redundant remote R8 monitors the operation of primary remotes R5, R6, and R7. Should any one of the remotes Rl R2, and R3 fail, the failure will be detected by the remote R4 in a manner to be described and the remote R4 will take over control of the input an~ output devices of the failed remote by receiving the data from the failed remote over the communications link CL and sending commands to -the failed remote over the communications link CL in formated information blocks. Similarly, if one of the remotes R5, R6, o~ R7 fails, the redundan-t remote R8 will take over control of ~he operation of the inputtoutput devices for the failed remote as described abovewithrespect to redundant remote R4. Although only eight remotes have been .shown in Figure 1, any number of remotes Rl, R2, R3, ...... Rn 1' Rn could be utilized in a particular system.
The architecture of an exemplary remote Rn is shown in FIG. 2. ~hile the architecture of the remote Rn can vary depending upon the control process require-ments, the remote shown in FIG. 2 includes a mo~em 10; a communication protocol controller 12; an input/output management device 14; a central processing unit (CP~) 16;
S7~
a memory 18; a peripheral device 20 that can include, e.g., a CRT display, a printer, or a keyboard; and a common bus 22 which provides addressing, control, and informaticn transfer between the various devices which constitute the remote. The devices shown in dotted line illustration in FIG. 2 (that is, the central processing unit 16, the memory 18, and the peripheral device 20) are provided depending upon the process control require-ments for the remote Rn. For example, in those primary remotes Rn ~hich function as an elemental wire replacer, only the modem 10, the communication protocol controller 12, and the input/output management device 14 are pro-vided. In more complex process control requirements, an appropriately programmed central processing unit 16 and associated memory 18 are provided to effect active con-trol according to a resident firmware program. In still other remotes requiring a human interface, the appropriate peripheral device~s) 20 may be connected to the common buss 22.
As shown in more detail ln FIG. 3, the mod~m 10 provides two independent communication channels CH0 and CHl connected, respectively, to the communication links CL0 and CL1. Each of the communication channels CH~
and CH1 is provided with substantially identical communi-cation devices, and a description of the communication devices of the first communication channel CH~ is sufficient to provide an understanding of the second communication channel CH1. The communication channel Cl~ includes an encoder/decoder 240 for providing appropriate modulation and demodulation of the digital data trans-mitted to and received from the communication link CL~.
zs~
In the preferred form, the encoder/decoder 240 converts digital information in non-return-to-zero binary (NRZ) format to base-band modulation (BB~) signal format for transmission and effects the converse for reception.
.~mplifiers 26~ and 280 are provided, respectively, to drive a passive coupling transformer T0 with digital information provided from the encoder/decoder 240 from the coupling transformer T0. A set of selectively operable relay contacts 300 are provided between the coupling transformer T0 and the corresponding communication link CL0 to effect selective interruption thereof to isolate the remote Rn from the communications link CL, and another set of relay contacts 320 are provided to selectively connect the signal output o~ the coupling transformer T~ with a termination impedance Z0. The termination impedance Z~ is used when the particular remote Rn .is at the end of the communicatio link CL to provide proper line termination impedance for the llnk, or, as described in more detail below, to assist in terminating an open or degraded portion of the communi-cations link CL.
A selectively operable loop-back circuit 34 is provided to permit looping back or recirculation of test data duxing diagnostic checking of the remote Rn. While not specifically shown in FIG. 3, the loop back CirCllit 34 can take the form of a double pole, single throw relay that effects connection between the channels CH0 and CH1 in response to a loop-back command signal 'LB'. During the diagnostic checking of a remote, which checking takes place when a ~articular remote is a mastex-for-the-moment as explained below, the relay contacts of the loop-back 57~
circuit 34 are closed and a predetermined test word is sent from the channel CH~ to the channel CHl and from the channel CHl to the channel CH~ with the received word in each case being checked against the original test word to verify the transmit/receive integrity of the particular remote.
The isolation relays 300 and 311, the impedance termination relays 32~ and 321, and the loop-back circuit 34 are connected to and selectively controlled by a communications link control device 38 which receives its communication and control signals from the communlcations protrocol controller 12 described more fully below. A
watch-dog timer 40 is provided to cause the C-link control device 38 to operate the isolation relays 30~ and 301 to disconnect the remote Rn from the communication link CL in the event the timer 40 times-out. The timer 40 is normally prevented from timing out by periodic reset signals provided from the communication protocol controller 12. In this way, a remote Rn is automatically disconnected from the co}~unication link CI. in the event of a failure of its con~unication protocol controller 12.
As shown in more detail in FIG. 4, each communi-cation protocol controller 12 includes input/output ports 42, 44, and 46 which interface with the above described modem 10 for the communication channels CH0 and CHl and the modem C link control device 38 (FIG. 3). A first-in first-out (FIFO) serializer 48 and another first-in first-out serializex 50 are connected between the input/output ports 42 and 44 and a CPU signal processor 52. The first-in first-out serializers 48 and 50 function as temporary stores for storing information blocks provided to and from the modems 10 as described more fully below. The CPU 52, in turn, interfaces with the buss 22 thxough buss control latches 54. A read only memory (ROM) 56 containing a resident firmware program for the CPU 52 and a random access memory (RAM) 58 ar~
provided to permit the CPU 52 to effect its communication protocol function as described more fully below. Timers 62 and a register 60 (for example, a manually operable DIP switch register or a hardwixed jumper type register) tha-~ includes registers 60a and 60b are also provided to assist the CPU 52 in performing its communication proto-col operation. An excess transmission detector 64, connected to input/output porks 42 and 44 (coxresponding to communication channels CH~ and CHl) determines when the transmission period is in excess of a predetermined limit to cause the C-link control device 38 (FIG. 3) to disconnect the transmitting remote from the com~lunications link CL and thereby prevent a remote that is -trapped in a transmission mode from monopolizing the coI~nunications link CL.
The input/output management device 14, the architecture of which is shown in FIG. 4A, is prefer~bly a firmware controlled microprocessor-based device which 7~2 is adapted to scan the various input/output hardware points of the controlled device, effect a point-by-point status comparison with a prior scan, and record the change-in-status events along with the direction of the change and the time the event occurred (time-tagging), effect data collection and distribution to and from the input/output points, format the collected data in preferred pa-tterns, and assemble the patterned data in selected sequences.
As shown in FIG. 4A, the input/output management device 14 includes a processor 14A connected to the remote buss 22 through a processor buss 14B; read-only-memories 14C a.nd 14D connected to the processor 14A
through appropriate connections with these memories in-cluding the firmware necessary to effect the abnve-described functions of the input/output management device l4 including the change-in-status event rnonitoring (described in more detail below); a read/write memory 14E (RAM) for temporari.ly storing information incident to the operation of the processor 14A including the change-in-status event information; a time base l4F for providing time information for time tagging the change-in-status events; and an input/output intexface 14G for connection, either directly or indirectly, to the controlled devices.
In the preferred embodiment, the input/output interface 14G is defined by one or more printed circuit control cards generally arranged in rack format~on with each card having hardware poin~s arranged in predetermined sets of eight points with each hardware point carrying a binary 7~
indication for controlling or sensing the operation of the controlled device. The control and operational status of the controlled device can generally be represented ~y one or more eight-bit words (e.g., 000100011 with each bit position representiny a control or operational characteristic of the controlled device.
As described in further detail below in connection with FIG. 4B, the input/output management device 14 effects the aforedescribed change-in-status monitoring and associated time-tagging by periodically scanning the input/output hard-ware points in eight-bit groups and effecting a comparison between the so-obtained eight-bit group and the eight-bit group obtalned during the previous scan. If a change is detected in one or more of the bit positions, the latest eight-bit group, along with the time-of-day information obtained from the time base 14F, and other information, if desired, representing the direction of change, is placed in a first~in first-discard memory (FIFO) of predetermined size. Thus, each change-of-status event along with its time tag and other information such as direction of change, etc. is placed in a memory of selected size as the changes occur. When all the memory locations are filled, the first entered event (which now represents the oldest chronological event) is discarded as the latest event enters the memory. ~he memory loading is inhibited by the occurrence of any one of a selected number of inhibit signals. In the system, various con-ditions including alarm conditions which represent partial or ~ull system failures can be assigned a priority with - 16 ~
those conditions or combinations thereof designated as "high" priority signals being permitted to disable or inhibit further accessing of the memory. In the event one of these high priority conditions occurs, the memory is inhibited from storing additional change-in-status information and the change-in-status events occurring prior to the high priority,condition are preserved for subsequent analysis. Alarm conditions which are not designated as high priority, of course, do not inhibit the memory. This technique advantageously differs from those prior techniques in which the controlled device status was only placed in memory at the moment of a high priority signal (in which case a historical pre-failure record-of-events was not available) or those techniques in which the change-in-status events were logged in a memory which was periodically cleared, refilled, and cleared in which case the probability of obtaining a complete history of events prior to a predetermined high priority condition diminished in those instances in which the logging memory was cleared just prior to the occurrence o the high priority condition.
The manner by which the input/output management device 14 effects the change-of-status event logging is shown in FIG. 4B. During initialization, the processor 14B (referred to also as the RTZ in FIG. 4B) moves an image of the various input/output points, that is, the current status o~ the various input/output hardware points, to preassigned locations in the memory 14~ (local) of the input~output management device 14 and the memory 18 (syst~m) of the remote Rn (FIG. 2).
Thereafter, the address(s) of the first input/output card is obtained and the input/output hardware points for ~hat card are scanned to obtain an input/output image whi,ch takes the 5~2 form of an eight-bit word (e.g., 00000000) with each bit posi-tion representing the control or operational status of the controlled device. The input/output points so obtained are then compared with the previously obtained image of the points (e.g., 00100000), for example, by effecting a bit-by~bit exclusive OR (XOR) comparison. If the comparison indicates no change in status, (that is, the words are identical) the input/output points in the remaining cards are likewise scanned with the process repeated on a cyclic or looped basis. However, if a change is detected in the exclusive OR comparison, that new input/output scan, along with the time tag information and the direction of change is placed in the memory 18 of the remote Rn, and, in addition, the latest scan is moved to the memroy 14E
of the input/output management device. This process continues with each new change-in-status event loaded into the memory 18 of the remote on a first-in first-discarded basis. The first-in first discard rnemory may be configured by assiyning a preselected number of memory locations in the memory 18 of the remote Rn (e.g., fifty locations) for the logging information and providing an address pointer that points to each successive location in a serial manner with the pointer returning to the first location after pointing at the last available pre-assigned location in the mernory.
In the preferred embodiment, the processor 14A of the input/output management device 14 (FIG. 4A) and the processor 52 (FIG. 4) of the communication protocol controller 12 is 8X300 micro~controller manufactured by the Slgnetics Company of S~nnyvala, - 18 ~
7;~:
~alifornia, and the central prooessin~ unit 16 (FIG. 2) is an 86/12 single board 16-bit micro-computer manu-factured by the Intel Company o~ Santa Clara, Califo~nia ~nd adapted to an~ configuxed fox the Intel MULTIBUS~M
Each remote Rn iS adapted to commu~icate with the other by transitting digital data organi ed in pre-determlned block forma~s. A su~table and illustrative block format 66 is shown in FIG. 5 and includes a multi-word head~x frame 66A, a multi-word data fram~ 66B, and a lock termination frame or word 66C. Sol~actod of the information block configuration~ ~re adapted to transfer process control information to and from s~locted remot~
unit~ Rn and othe~ of the block configurations ar~ adapted to transfer super~isory control of the communications link CL from on~ remote to the other remote as explained in greater detail below.
An exemplary format for the header ancl data frames of an information block 66 is shown, respectively, in FIGS. 5A and SB. The header frame 66A preferably includes a 'start of header' word(~) that indicates to all remotes that information is being transmitted; a 'source' identification word(~) that indlcates th~ identity of the source remot2 Rs that ic tr~n~ferring the infor~ation, a 'destination' word(s) that indica~e~ the ide~ify o th~
receiviny or des~ination r~mot~ Rd; a 'header-type' word(s) th~t indicates whether th~ data block is txan~ferring data, a parametered com~and block, or a p~rameterle~s command block;
'block-type' word indicating the type o~ block ~that is, a command block or a dat~ block)7 a 'block number' word that ~ 19 ~
indicates the number of blocks being sent; a 'block size' word indicating the length of the data frame; a 'security code' word(s) that permits alteration of the resident soft-ware programming in a remote; and, finally, a two-byte 'cyclic redundancy code' (CRC) validity word. The data frame for each data block, as shown in FIG. 5B, can in-clude a plurality of data carrying bytes or words Bl, B2,...B~ of variable length terminated with a two-byte cyclic redundancy code word. As described more fully below, each of the remotes is adapted to acknowledge (~CK) successful receipt of data and command blocks and non-acknowledge (NAK) the receipt of data in which a trans-mission error is detectedO When transmitting an acknowledgement bl.ock or a non-acknowledgement block, the header format used is show~ in F~GS. 5C and 5D in which an acknowledgPment (ACK) or non-acknowledgement (NAK) word occupie~ ths 'block type' word position. The hlock formats disclosed above are intended to be illustrative only and not limiting.
The various remote units Rl, R2~ R3,... Rn communi-cate with one another by having each remote successively take control of the communications link CL and the controlling remote Rs then sending digital information between ikself and a destination remote Rd using a double transmission alt~rnate line technique that provides for high reliability data transfer between remotes even when one of the two communication links CL~ or CLl is inoperativa, for example, when one of the two communication cables is severed or otherwisa degraded as occassionally occurs in harsh industxial environments~
- ~0 -5~
When a remote unit assumes control of the communi-cation link CL (as explained more fully below) and, as a source remote Rs~ desires to send data blocks to another, destination remote Rd, the data block is assembled at the source remote Rs.in accordance with the block formats discussed above in connection with FIGS. 5-5D and trans-mitted through tha information channels CL~ and CL1 of the source remote Rs to the communication links CL~ and CLl with the hPader frame containing both the source remote Rs and the destination remote Rd identification info:cmation.
In accordance with the data transmission technique, the communication protocol controller 12 of the source remote RS transmi~s ~he information blocks ~wice on each communication link CL~ and CLl as schematically illustrated in FIG. 6 to provide a first data block DBA and ~hen a second, following data block DBB on each communication link CL~ and CLl.
The transmitted information block headers include the identity o~ the destination remote, Rd, which causes the d~tination remote Rd to receive and act upon the informa~ion blocks. At tha destination remote ~d~ the two data blocks D8A0 and DBB~ on the communication link CL~ are passed through ~he communication channel CH~
and the two data blocks DBAl and DBBl on the communicaLion link CLl are passed through the communication channel CHl to, respectively, the first-in firs~-out serialize~s 48 and 50 (FIG. 4).
As shown in the summary flow diagram o~ FIG. 7, the destingation remote Rd checks ~he validity of the received data by selecting one of the two communication links (eOg., CL0 in FIG. 7) and then checks the first i7~
data block on the selected line (that is, DBA~) by performing a cyclic redundancy check of the header frame and, if valid, performing a cyclic redundancy check of the data frame. If the data frame is valid, the communi-cation protocol controller 12 of the destination remote Rd khen performs a bit-for-bit comparision between the CRC-valid first data block ~BA~ and the second following data block DBB~. If tha bit~Eor-bit comparision is good, an acknowledgement (ACK) signal s sent ~rom the destinat.ion remote Rd to the source remote R5 to indicate the receipt of valid information and complete that data block information transaction. On the other hand, if the CRC
validity checks of the header or the data frame or the bit for-bit comparison check indicate invalid data, ~he protocol controller 12 of the destination remote Rd then selects ~he other, alternate line ~in this case, CLl) and performs the aforementioned cyclic rerlundancy checks of the header and data frame and the blt-fox-b.it co~parison between the ~irst and second data blocks D~l and D3 on the alternate line CLl. If these checks indicate valid data on the ~lternate line, the destination remote Rd responds with an acknowledgement sign21 (ACK) to conclude the data block transmission transaction. On the other hand, if these checks indicate invalid data on the alternate line (which means that the data blocks on both the first-~elected line and the alternate line are invalid) the destination remote Rd r~sponds with a non-acknowledg~ment signal (NAK) ~o cause re~ransmission of the data blocks from the source remote Rs. The non acknowledgement block (NAK) includes a by~e or bytes indicating the identity of the data block or blocks which should be retransmitted. A counter (not shown) is provided that counts the number of retransmissions from the source remote Rs and, after a fini.te number of re-transmissions (e.g., four), halts fuxther retransmission to assure tha~ a souxce remote Rs and a destina~ion remote Rd do not become lost in a repetitive transmit/NAK/re transmit/NAR... sequence in the event of a hardware or software failure of the destination remote Rd error checking mechanism.
The double message alternate line checking sequence sun~arized in FIG~ 7 may be more ~ully appreciated by referring to the detailed flow diagram shown in FIGS. 8A
and 8B (as read in accordance with the flow diagram map of FIG. 9~. ~t the start of the information validity checking procedure, the 'line ~-first' flag register is checked; if a flag is present, the 'first-attempt ail' flag register is checked, and, i there is no flag in this register, the two data ~locks DB~l and DBB~ on channel C~l are stored while the two da~a blocks DBA~ and DBB0 on channel CH~ are used for the first attempt information check.
Thereater, the header frame o the first data block DBA~
on channel CH~ undergoes a CRC check, and, if acceptable, the data frame of this data block DBA~ undergoes a CRC check.
If the header and data frames CRC checks indicate valid data a 'good message' register is incremented. I the number of good messages is less than two, the error checking procedure ~eturns to the initial part of the flow diagram and, after 7~
determining there is no channel CH~ first flag or first-attempt flag present, checks the second following data block DBB~ by repeating the header and data CRC cyclic redundancy checks. If the header and data frames pass the CRC checks, the 'good message' register is incremented again to indicate that a total of two messages in succession (that is, DBA~ and DBB0) have passed the cyclic redundancy check for the header and data framesO Thereafter, the two data hlocks DBA~ and DBB0 received on line CEI~ ~re checked by perorming a bit-by-bit comparision between the two. If the data blocks DBA~ and DBB~ pass the bit-by-bit comparision test, the communi-cations protocol controller 12 o the destination remo~e Rd sends an acknowledgement (ACK) message to the source remote Rs to conclude the information block transfer and resets the various registers. If, on the other hand, eithex the data block DB~ or DBB0 on line CL0 fail the header and data frame CRC checks or these two data bloc~s ~ail the bit~by-bit comparison check, the communication protrocol cont.roller 12 sets ~he 'first-attempt fail' flag and re~urns to the start o~ the procedure to determine that the lline 0-first' flag and the 'irst-attempt' fail flag are present. The communi-cation protocol controller 12 then uses the stored data blocks DBAl and DBB1 from line CLl (which data blocks were previously stored in FIFO 50). The header block and data block of the data blocks DBAl and DBBl rom line CLl undergo the CRC
check and, if successful, cause tha incrementing o~ the 'good ~ 111 L~ t~~tr,~, message' re~ister to cause the communication protocol controller 12 to then check the validity of the second data block DBBl. If the data blocks DBAl and DBBl pass the CRC checks, they are compared with one another in a bit-by-bit comparison test and if this comparison check is successful, an acknowledgement (ACX) is sent. If, on the other hand, either data block DBAl or DBBl does not pass the CRC check or the data blocks do not pass the bit-by-bit comparison test, a non-acknowledgement (NAK) is sent to the source remote ~5 including information requesting the retransmission of the data blocks which ailed the validity test at the destination remote Rd. The source remote RS then retransmits the improperly received information blocks as described above with retransmission limited to a finite number.
A register i5 provided for each o~ the communication links for recording, in a cumulative manner, the number of times an invalid message is received for each communication link. In this manner, it can be determined, on a statistical basis, ~hether one of the two communication links has suffered a deterioration in signal transmission capability and, of course, whether one of the com~uniGation links is severed.
As can be appreciated, the dual txansmission of the identical messages on plural communication ~inks vastly enhances the ability of the destination remote Rd to detect errors and determine whether the infonma~ion being transmitted is valid or not. In addition, the de~tination xemote Rd is able to operate and successfully receive messayes even if one of the communicatlon links CL~ or C~l is severed since the communication protocol con~roller 12 at the destination R~
~2~
will examine the received signals on each line and will find invalid data on the severed line, but will al~7ays examine the data blocks on the other line and, if necessary, request retransmission of the information blocks.
In selecting one of the two channels CH~ or CHl for the first validity check, it is preferred that one of the two channels (e.g., CH0) be selected for the first check on every other information transaction and that the other of the two channels (e.g.~ CH1) be selected for the first check for the other intermediate information transactions. While the system has been disclosed as having dual communication links CL~ and CLl, the invention is not so limited and can encompass more than two communication links with the remotes adapted to sequentially examine signals received on the various channels.
As mentioned above, each remote Rn f the control system is adapted to accept and then relinquish supervisory control of the communication link CL on a master-for-the-moment or xevolvlng mastar arrangement. The communication protocol controller 12 of each remote Rn includes a register which contains the remote succession numher, anothex register which contains the total number of remotes in the system, and another register which contains the relative position of the remote from the present system master. The first two registers are schematically illustrated by the reference character 60 in FIG. 4. In addition, each remote Rn includes a variable transfer-monitor timer having a time-out interval that is set in accordance with a predetermined control-transfer time constant (50 micro-seconds in the preferred embodiment) and the position of the 57~
particular remote relative to the present system master to permit, as explained in more detail below, the master-for-the-moment transfer to continue even in the event of a disabled remote (that is, a remote that is unable to accept supervisory control because of a malfunction).
Anothex timer is provided to force transfer of supervisory control of the communications link CL in the ~vent a remote, because of a malfunction, is unable to transfer supervisory control to its nex~ successive remote. The operation of the master-for-the-moment transfer technique can be appreciated by consideration of the following example of an illustrative system tha~ includes five remotes arranged in the open loop configuration of FIG. 1 and transferring supervisory control of the co~munications link CL in accordance with the tables of FIGS. lOA-lOF. The upper row of each table indicates the succession sequence or order of the five ~emotes Ror Rl, R2, R3 and R4 that comprise the system; the intermediate row identifies the remote that is the present master-for-the-moment and also identifies the relative successive posikion of the other remotes from the present master, that is, the first (or next) successive remote from ~he present master, the second successive remote from the present master, the third remote from the present master, etc.; and the third row of each table lists the setting of the variable transfer-monitor timer for the particular remote.
The system is provided with initialization software so that the first remote in the succession, R
assumes supervisory control oE the communication link CL after system start-up and becomes the initial master of the system (FIG. lOA). When the initial master Ro is in control of the communications link CL, it can send data to any of the other remotes, request status or other data from another remote, and send control blocks and the like ove- the communications link CL. When the master Ro determines that it no longer deslres possession of the communications link CL, it passes supervisory control of the comm~nications link CL to the next or first successive remote in accordance with the succession order. Thus, when the present master Ro concludes its in~onmation transfer transactions, it transfers supervisory control of the com~unications link C~ to its next or first successive remote Rl by transmitting a control block to the remote R
with all the remaining remotes ~that is, R~, R3, R~) being cognizant of the transfer of supervisory control rom the present mas~er R~ to its first or next succ~ssive remote Rl. Since, in the present system, the transfer of supervisory control of the communications link CL is expected to take place within 50 micro-seconds, the second successive remote R2, as shown in the third row o~
the table of FIG. lOB, sets its variable transfer-moni~or timer to 50 micro-seconds, the third succe~sive remote R3 sets its variable transfer-monitor timer to 100 micro-seconds, - ~8 -7~
and the fourth successive remote R4 sets it transfex-monitor timer to lSO micro-seconds. When the first successive remote Rl receives the control block from the present master Rnl it accepts supervisory control of the communlcations link CL by re~ponding with an acknowledgement message (ACK). If the control block is misreceived, the first successive remote Rl can re3pond with a non-acknowledgement (NAK) to request retransmission of the control block transferring supervisory control of the communications link CL. During the time interval that the present master remote Ro is attemp~ing to transfer supervisoxy control of the communi-cation link CL to its next successive remote Rl, the transfer-monitor timers of the remaining remotes are counting down. I, for any reason, the next or first successive remote Rl fails to take control (e.g., a malfunction of the remote), the transfer-monitor timer of the second successive remote R2 will time-out at 50 micxo-seconds and cause the second successive remote R2 to then accept supervisory control of the cornmunication link CL
from the present master Ro and thus bypass the apparently malfunctioniny ~irst successive remote Rl.
Aassuming that the initial system master Ro successively transfers supervisory control of the communi catins link C~ to its first successive remote Rl, that successive remote Rl then becomes tha present master with the remaining remotes changing their position relative to the present master and setting their transfer-monitor timers in accordance with the second and third rows of the table of FIG~ lOB. ~hen the present master Rl concludes its -- 2g --information transfer transactions, if any, it attempts to transfer supervisory control to its first or next successive remote R2 by sending an appropriate control block to remote R2 which responds with an acknowledgement signal (ACK) or, in the event of a mistransmission of the con rol block, a non-acknowledgement signal (NAK) which causes re-transmission of the control block. When the control block requesting transfer of supervisory con~rol of the communi-cation link CL is sent from the present master ~1 to its next successive remote R2, all the remaining remotes reset their transfer-monitor timers in accordance with their posi~ion relative to the present remote as shown in the third row of the table of FIG. 10C. Should the next successive remote R2 be unable to accept supervisory control of the communicatlon link CL from the present master Rl, the transfer-monitor timer of the second successive remote R3 will time-out in 50 micro-seconds and cause the second successive remote R3 to assume supervisory control of the communiations link CL to thereby bypass an apparently malfunctioning first successive remote R2 As can be appreciated from a review of the transfer-monitor tirne-out set~ings o the various remotes, supervisory control of the communications link CL will transfer even if one or more successive remotes are malunctioning, when the transfer-monitor timer of the next operable remote times out. This tr~nsfer sequence continues in succession as shown in the remaining tables of FIG5. 10D to 10F with supervisory control of the communication link CL being passed from remote to remote in succession with the last remote R4 returning supervisory control to the first remo~e Ro~
'7~
By employing a master-fox-the-moment transfer technique in which the receiving remote acknowledges control from ~he transferring remote and in which re-transmission of a mis-received control block is provided for ln response to a non-ack~owled~ement signal from the receiving remote, it is poss~ble to positively transfer ' supervisory control o~ the communication linkO This technique advantageously transfers co~trol u~ing the data and infoxmation carrying com~unication link rather than, as in other systems, by providing ~epaæate communi cation lines or channel3 dedicated solely to ~upervisory control transfer functions. Also, the provl~ion of a ~ariable transfer-monitor timer at each remote that is s~t in eccordance with the remote's relative position to the present master and a transfer time-constank automatically transfers supervisory control of the communicatio~s 7ink even if one or more of the succe~ive remote are mal-functioning~
The architecture of a r~dundant remote (R4 and ~8 in FIG~ 1~, as shown in FIG. 11, ~ essentially the same as tha~ of a primary remote except that it ha~ no input/
output devices assigned to it. Each redundant remote functions to take over control responsibility of a controlle~
device ~rom a primary remote in ~he event the primary remote malfunctions.
7~
In each primary remote, preassigned memory locations are designated to act as a 'mailbox' register for that remote. Each time the central processing unit 16 of the primary remote cycles through its applications program, in which it responds to and controls the input/
outpu. devices of the remote via the input/output management device 14, it stores a predetermined number in its mailbox.
Each time the processor 14A of the input/output management device 14 cycles through its program, it decrements the number stored in the mailbox. The time for the CPU 16 to oycle through its program and for the input/output management device 14 to cycle through its program is approximately 1:1 so that the number stored in the mailbox will be maintained at or near the predetenmined value set by the applications program of the CPU 16 unless khe CPU 16 ceases to cycle through its applications program.
Should this happen, the number stored in the mailbox memory 18 will be decremented by the input/output management detrice 14 until it reaohes a zero value.
~ach time a redundant remote which is serving as a back-up for its associated primary remotes ta~es its tuxn in the master-for-the-moment saquence described above, the redundant remote will request and obtain the value of the number in the mailbox of its assigned primary remotas.
If the number in the mailbox is not zero, the redundant remote will ~now that the central processing unit 16 in the 50-queried primary remote is carrying out its applications program and has not gone into an emergency mode of operation or otherwise ceased to operate. If the redundant remote
INDUSTRIAL CONTROL SYSTEM ~IT~ INTERCONNECTED
REMOTELY LOCATED COMPUTER CONTROL UNITS
BACKGROUND OF THE INV~NTION
This application is a divisional of Canadian Serial No. 368,795 filed January 19, 1981.
The present invention relates to control systems of the type having a pluralit~ of remotely located process control units connected together through a communications link and, more particularly, to a control system in which each of the remote units sequentially assumes supervisory communication control of the communication link and in which high reliability information transfer is achieved between remotes.
Many system type industrial installations, for example, those related to industrial process-type-manufacturing and electrical power generation, employ a large number of physically distributed controlled-devices and associated sensors for effecting coordinated operation of the overall system. In the past, coordinated control of the various devices has been achieved by manual operatlon and various types of semi-automatic and automatic control systems including electro-magnetic relay systems, hardwired solid-state logic systems, and various types of computer control sys~ems. The computer systems have included central systems in which the various sensors and controlled devices are connected to a central computer; distributed control systems in which a remotely located computer is connected to each of the controlled devices and to one another; and hybrid combinations of the central and distributed systems. The success-ful functioning of the control system is vital to any industrial process, and, accordingly, distributed systems have ~enerally been preferred over central systems because the failure of one of the remotely located control computers generally does not cause a system ~7ide failure as in the case of the failure of the _ 2 ~ ~
central computer in the central system. However, in many distributed computer systems, one of the remotes or a specially designed control unit generally handles supervisory communication control of the communication buss and, for these systems, failure of the communication b~ss supervisor can lead to a system-wide failure.
In many industrial control systems, the various communication busses that extend between the remotely located computer process control units are exposed to high electrical noise environments. Accordingly, the inormation transferred over the communication buss can be subjected to error-inducing interference because of the harsh electrical environment. In view of this, a control system must have a means for detecting errors within the transmitted information in order to provide high reliability data transmission between remotes.
SUMMARY OF THE INVENTION
Broadly, the present invention seeks to provide an industrial control system for control].ing an industrial process or the llke having a high overall system ope~ating reliability and to provide an industrial control system which may take the form of a distributed control system, a central control system, or a combination thereof to provide high overall operating efficiency and reliability.
The present invention also see~s to provide an industrial control system defined by a plurality of remotely located process control units lremotes) interconnected through a communication huss which each of the remotely loaated units adapted assume supervisory control of the communication buss in accordance with a predetermined se~uence.
The invention to which this divisional application is directed pertains in one aspect to a control system of the type having a plurality of process control remotes inter-connected through a communications link with each remote assigned 7~
a unique position in a predetermined succession order and each remote exercising supervisory control of the communication link on a revolving master basis. Supervisory control of the communications link is transferred Erom a present system master to the next successive remote in the succession order by a method comprising the steps of transmi-tting a control-transfer command signal along the communication link from the present system master to the next successive remote in the succession order, receiving and evaluating the validity of the control-system command signal at the next successive remote, and accepting supervisory control of the communication link by the next successive remote from the present master if the control-transfer command signal is found valid by the next successive remote, whereby the next successive remote becomes the present system master.
The invention in a further aspect in this divisi.onal application pertains to a system for controlling an industrial process, which system comprises a plurality of process control-ling remotes with a common communi.cation link interconnecting the remotes, each remote being assigned a unique position in a predetermined succession order and each remote exercising supervisory control of the communication link on a master for a moment basis in accordance with the succession order.
Each remote includes a means for transmitting digital in-formation in block format over the communications link to the other of the remotes and each includes receiver means for receiving diaital information transmitted from one other of th~ remotes, and each remote including means for transferring the supervisory control to -the next successive remote in the succession order 30 by transmitting a control-transfer block o~er the communication link to the next successive remote in the succession order and the next successive remote accepting supervisory control of the communication lin~: in response to the control-transfer block.
4 _ More particularly, disclosed is a control system for controlling an industrial process including a plurality of remote process control units ~n (remotes) connected to various controlled devices and sensors and communicating with one another through a communications link having at least two independent communication channels. Each remote is assigned a unique succession number or position in a predetermined succession order with each remote unit assuming supervisory communic~tion control of the communications link on a revolving or master for the moment basis in accordance with the remote's relative position in the succession order. Information transfer including process data and command control information is accomplished between a source remote Rs and a destination remote Rd by successively transmitting two identical information blocks over each communication channel with the destination remote Rd testing the validity of the blocks on one of the channels and, if valid, responding with an acknowledgement signal (ACK), and, if invalid, then testing the validity of the two blocks received on the other, alternate channel. An acknowledgement (~CK) or a non-acknowledgement signal (NA~) is sent by the destination remote Rd if the information on the alternate channel is found, respectively, valid or invalid. The source remote Rs will re-transmit the information blocks in response to a non-acknowledgement signal from a destination remote with the retransmission from the source remote Rs limited to a pre-determined, finite numberO
The system advantageollsly prcvides a me~ns for controlling an industrial process in which high overall system operating reliability is achie~ed. The system is equally sui~-able for use with central lmaster~slave), distributed, andhybrid system configurations.
57~
BRIEF DESCRIPTION OF THE DRAWINGS
_ The above description, as well as the 1s"ects, features, and advantages of the present invention will be more fully appreciated by reference to the following detailed description of a presently prefe~red ~ut none-theless illustrative embodiment in accordance with the present invention when taken in connection with the accompanying drawings wherein:
FIG. l is a schematic diagram of an exemplary process control system including a plurality of remote process control units (remotes), including both primary con-trol remotes and redundant remotes, connected to a common, d~al-channel communications link;
FIG~ 2 is a schematic block diagram of an exemplary remote process contxol unit of the type shown in FIG. l;
FIG. 3 is a schematic block diagram oE an exemplary modulator/demodulator (MODEM) for the remote process control unit sho~n in E1IG. 2;
FIG. 4 is a schematic block diagram of an exemplary communication protocol controller for the remote process unlt shown in FIG. 2;
FIG~ 4A is a schemat-c block diagx~ of an exemplary input~output management device for the remote ~rocess control unit shown in FIG. 2;
FIGo 4B is a flow diagram illustrating the manner in which the change-in-status events of the controlled devices of FIG. l are detected by the input/
output management device of FIG. 4A, FIG. 5 illustrates the format of an exemplary or illustrative information block for transferrlng information between remotes;
~2~
FIG. 5A illustrates the format of a header rrame of the information block shown in FIG. 5i FIG, SB illustrates the format for a data/
information rrame of the information block shown in FIG. S;
FIG. 5C illustrates the format for an acknowledgement block (ACK) for acknowledging successful receipt of an information block;
FIG. SD illustrates the ~ormat for a non-acknowledgement block (NAK~ for indicating the unsuccessful transmission of an information bloc~ between remotes;
.FIG. 6 illustrates, in pictorial form, two identical data blocks having the format sho~n in FIG. 5 successively transmitted on each communication chanr.el of the co~unicaticn link illustrated in FIG. l;
FIG. 7 is a ~low diagram sw~a-y of the manner in which a source and a destinati.on remote effect communi-~
cations with one another;
FIG. 8A is 2 partial flow diagram illustra~ing in detail the manner in which a source and a destination remote communicate and validat2 information transrerred between one another;
FIG. sa is a partial flow diagram which com-pletes the f~ow dlagram of FIG. 8A and illustra~es in detail the manner in whlch a source and a destination remote communicate and validate infor~ation transferred between one another;
7~
FIG. 9 is a legend illustrating the manner in the flow diagrams o~ FIG. 8A and FIG. 8B are to be read;
FIGS. lOA through lOF are exemplary tables illustrating the manner in which supervisoxy control of the communication link is transferred from remote to remote;
FIG. 11 is a schematic block diagram of an exemplary redundant remote that is adapted to assume control from a failed or otherwise inoperative primary remote;
FIGS. llA and llB are flow diagrams of the manner in which the central processing unit of the redundant remote R.4 monitors the operating condition of its assigned primary remotes Rl, R2, and R3 and takes over operation when one of the primary remotes fails;
~ IG. 12 is a flow diagram summary of the manner by which an interrogating remote Rx tests the integrity of the co~munication link bètween it and the remotes R
and RX+1 immediately adjacent thereto in the succession order;
FIG. 12A is a partial flow diagram illustrating in detail the manner by which an interrogating remote R~
tests the colNmunications integrity ~f the communica~ions link between it and the next lower number remote R~_l in the succession order;
FIG. 12B is a partial flow diagram illustrating in detail ~he manner in which an interrogating remote Rx tests the communiations integrity of the communications link between it and the next higher number remote RX+l in the succession order;
FIG. 12C is a partial flow diagram illustrating in detail the manner by which a line termination impedance is applied to the communications link in the event of a communications link degradation or intexruption;
S7~2 FIG. 13 is a legend illustrating the manner in which the flow diagrams of FIGS. 12A, 12B, and 12C are to be read; and ~ IG. 14 is an exemplary table illustrating the status of various counters when an interrogating remote Rx is evaluating the integrity of the communications link in accordance with the flow diagram shown in FIG. 12A~
DESCRIPTION OF THE PREFERRED E~BODIMENT
An industrial control system in accordance with the present invention is shown in schematic form in FIG. 1 and includes a communications link CL (C-link) having a plurality of remotely located process control units (remotes) Rl, R2,...R7, R8 connected thereto with the eight remotes (Rl-R8) shown being exemplary; it being understood that the system is designed to be used with a much laryer number of remotes. Of the eight remotes illustrated, the remotes Rl-R3 and R5-R7 are 'primary' remotes and the remotes R4 and R8 are 'redundant' remotes. The communications link CL is shown as an open line, double channel configuration formed from dual coax, dual twisted pair, or the like with the individual co~munication links identified, respectively, by the reference characters CL~ and CLl. While the system configuration shown in FIG. 1 is a distributed open loop or shared global bus type, the invention is equally suitable for application to central systems or central/
distributed hybrid con~iguration~O The system of FIG~ 1 is adapted for use in controlling an industrial process, e.g., the operation of a power generating plant, with each primary remote unit Rl-R3 and R5-R7 connected to one or more associated or corresponding input/output devices I/Ol-I/03 and I/05-I/07, respectively. Each input/output device is, in turn, connected to an associated controlled device CDl-CD3 and CD5-CD7 (of which only CD6 and CD7 are ~2~7;~
illustrated in FIG. 1) such as, but not limited to, various types of sensors (temperature, pressure, position, and motion sensors, etc.) and various types of actuators (motors, pumps, compressors, valves, solenoids, and relays, etc.).
Each primary remote may control a large number of output devices and respond to a large number of input devices, and the blocks labeled I/O in FIG. 1 can each represent many input and output d~vices.
The redundant remote R4 monitors the operation of primary remotes Rl, R2, and R3; and the redundant remote R8 monitors the operation of primary remotes R5, R6, and R7. Should any one of the remotes Rl R2, and R3 fail, the failure will be detected by the remote R4 in a manner to be described and the remote R4 will take over control of the input an~ output devices of the failed remote by receiving the data from the failed remote over the communications link CL and sending commands to -the failed remote over the communications link CL in formated information blocks. Similarly, if one of the remotes R5, R6, o~ R7 fails, the redundan-t remote R8 will take over control of ~he operation of the inputtoutput devices for the failed remote as described abovewithrespect to redundant remote R4. Although only eight remotes have been .shown in Figure 1, any number of remotes Rl, R2, R3, ...... Rn 1' Rn could be utilized in a particular system.
The architecture of an exemplary remote Rn is shown in FIG. 2. ~hile the architecture of the remote Rn can vary depending upon the control process require-ments, the remote shown in FIG. 2 includes a mo~em 10; a communication protocol controller 12; an input/output management device 14; a central processing unit (CP~) 16;
S7~
a memory 18; a peripheral device 20 that can include, e.g., a CRT display, a printer, or a keyboard; and a common bus 22 which provides addressing, control, and informaticn transfer between the various devices which constitute the remote. The devices shown in dotted line illustration in FIG. 2 (that is, the central processing unit 16, the memory 18, and the peripheral device 20) are provided depending upon the process control require-ments for the remote Rn. For example, in those primary remotes Rn ~hich function as an elemental wire replacer, only the modem 10, the communication protocol controller 12, and the input/output management device 14 are pro-vided. In more complex process control requirements, an appropriately programmed central processing unit 16 and associated memory 18 are provided to effect active con-trol according to a resident firmware program. In still other remotes requiring a human interface, the appropriate peripheral device~s) 20 may be connected to the common buss 22.
As shown in more detail ln FIG. 3, the mod~m 10 provides two independent communication channels CH0 and CHl connected, respectively, to the communication links CL0 and CL1. Each of the communication channels CH~
and CH1 is provided with substantially identical communi-cation devices, and a description of the communication devices of the first communication channel CH~ is sufficient to provide an understanding of the second communication channel CH1. The communication channel Cl~ includes an encoder/decoder 240 for providing appropriate modulation and demodulation of the digital data trans-mitted to and received from the communication link CL~.
zs~
In the preferred form, the encoder/decoder 240 converts digital information in non-return-to-zero binary (NRZ) format to base-band modulation (BB~) signal format for transmission and effects the converse for reception.
.~mplifiers 26~ and 280 are provided, respectively, to drive a passive coupling transformer T0 with digital information provided from the encoder/decoder 240 from the coupling transformer T0. A set of selectively operable relay contacts 300 are provided between the coupling transformer T0 and the corresponding communication link CL0 to effect selective interruption thereof to isolate the remote Rn from the communications link CL, and another set of relay contacts 320 are provided to selectively connect the signal output o~ the coupling transformer T~ with a termination impedance Z0. The termination impedance Z~ is used when the particular remote Rn .is at the end of the communicatio link CL to provide proper line termination impedance for the llnk, or, as described in more detail below, to assist in terminating an open or degraded portion of the communi-cations link CL.
A selectively operable loop-back circuit 34 is provided to permit looping back or recirculation of test data duxing diagnostic checking of the remote Rn. While not specifically shown in FIG. 3, the loop back CirCllit 34 can take the form of a double pole, single throw relay that effects connection between the channels CH0 and CH1 in response to a loop-back command signal 'LB'. During the diagnostic checking of a remote, which checking takes place when a ~articular remote is a mastex-for-the-moment as explained below, the relay contacts of the loop-back 57~
circuit 34 are closed and a predetermined test word is sent from the channel CH~ to the channel CHl and from the channel CHl to the channel CH~ with the received word in each case being checked against the original test word to verify the transmit/receive integrity of the particular remote.
The isolation relays 300 and 311, the impedance termination relays 32~ and 321, and the loop-back circuit 34 are connected to and selectively controlled by a communications link control device 38 which receives its communication and control signals from the communlcations protrocol controller 12 described more fully below. A
watch-dog timer 40 is provided to cause the C-link control device 38 to operate the isolation relays 30~ and 301 to disconnect the remote Rn from the communication link CL in the event the timer 40 times-out. The timer 40 is normally prevented from timing out by periodic reset signals provided from the communication protocol controller 12. In this way, a remote Rn is automatically disconnected from the co}~unication link CI. in the event of a failure of its con~unication protocol controller 12.
As shown in more detail in FIG. 4, each communi-cation protocol controller 12 includes input/output ports 42, 44, and 46 which interface with the above described modem 10 for the communication channels CH0 and CHl and the modem C link control device 38 (FIG. 3). A first-in first-out (FIFO) serializer 48 and another first-in first-out serializex 50 are connected between the input/output ports 42 and 44 and a CPU signal processor 52. The first-in first-out serializers 48 and 50 function as temporary stores for storing information blocks provided to and from the modems 10 as described more fully below. The CPU 52, in turn, interfaces with the buss 22 thxough buss control latches 54. A read only memory (ROM) 56 containing a resident firmware program for the CPU 52 and a random access memory (RAM) 58 ar~
provided to permit the CPU 52 to effect its communication protocol function as described more fully below. Timers 62 and a register 60 (for example, a manually operable DIP switch register or a hardwixed jumper type register) tha-~ includes registers 60a and 60b are also provided to assist the CPU 52 in performing its communication proto-col operation. An excess transmission detector 64, connected to input/output porks 42 and 44 (coxresponding to communication channels CH~ and CHl) determines when the transmission period is in excess of a predetermined limit to cause the C-link control device 38 (FIG. 3) to disconnect the transmitting remote from the com~lunications link CL and thereby prevent a remote that is -trapped in a transmission mode from monopolizing the coI~nunications link CL.
The input/output management device 14, the architecture of which is shown in FIG. 4A, is prefer~bly a firmware controlled microprocessor-based device which 7~2 is adapted to scan the various input/output hardware points of the controlled device, effect a point-by-point status comparison with a prior scan, and record the change-in-status events along with the direction of the change and the time the event occurred (time-tagging), effect data collection and distribution to and from the input/output points, format the collected data in preferred pa-tterns, and assemble the patterned data in selected sequences.
As shown in FIG. 4A, the input/output management device 14 includes a processor 14A connected to the remote buss 22 through a processor buss 14B; read-only-memories 14C a.nd 14D connected to the processor 14A
through appropriate connections with these memories in-cluding the firmware necessary to effect the abnve-described functions of the input/output management device l4 including the change-in-status event rnonitoring (described in more detail below); a read/write memory 14E (RAM) for temporari.ly storing information incident to the operation of the processor 14A including the change-in-status event information; a time base l4F for providing time information for time tagging the change-in-status events; and an input/output intexface 14G for connection, either directly or indirectly, to the controlled devices.
In the preferred embodiment, the input/output interface 14G is defined by one or more printed circuit control cards generally arranged in rack format~on with each card having hardware poin~s arranged in predetermined sets of eight points with each hardware point carrying a binary 7~
indication for controlling or sensing the operation of the controlled device. The control and operational status of the controlled device can generally be represented ~y one or more eight-bit words (e.g., 000100011 with each bit position representiny a control or operational characteristic of the controlled device.
As described in further detail below in connection with FIG. 4B, the input/output management device 14 effects the aforedescribed change-in-status monitoring and associated time-tagging by periodically scanning the input/output hard-ware points in eight-bit groups and effecting a comparison between the so-obtained eight-bit group and the eight-bit group obtalned during the previous scan. If a change is detected in one or more of the bit positions, the latest eight-bit group, along with the time-of-day information obtained from the time base 14F, and other information, if desired, representing the direction of change, is placed in a first~in first-discard memory (FIFO) of predetermined size. Thus, each change-of-status event along with its time tag and other information such as direction of change, etc. is placed in a memory of selected size as the changes occur. When all the memory locations are filled, the first entered event (which now represents the oldest chronological event) is discarded as the latest event enters the memory. ~he memory loading is inhibited by the occurrence of any one of a selected number of inhibit signals. In the system, various con-ditions including alarm conditions which represent partial or ~ull system failures can be assigned a priority with - 16 ~
those conditions or combinations thereof designated as "high" priority signals being permitted to disable or inhibit further accessing of the memory. In the event one of these high priority conditions occurs, the memory is inhibited from storing additional change-in-status information and the change-in-status events occurring prior to the high priority,condition are preserved for subsequent analysis. Alarm conditions which are not designated as high priority, of course, do not inhibit the memory. This technique advantageously differs from those prior techniques in which the controlled device status was only placed in memory at the moment of a high priority signal (in which case a historical pre-failure record-of-events was not available) or those techniques in which the change-in-status events were logged in a memory which was periodically cleared, refilled, and cleared in which case the probability of obtaining a complete history of events prior to a predetermined high priority condition diminished in those instances in which the logging memory was cleared just prior to the occurrence o the high priority condition.
The manner by which the input/output management device 14 effects the change-of-status event logging is shown in FIG. 4B. During initialization, the processor 14B (referred to also as the RTZ in FIG. 4B) moves an image of the various input/output points, that is, the current status o~ the various input/output hardware points, to preassigned locations in the memory 14~ (local) of the input~output management device 14 and the memory 18 (syst~m) of the remote Rn (FIG. 2).
Thereafter, the address(s) of the first input/output card is obtained and the input/output hardware points for ~hat card are scanned to obtain an input/output image whi,ch takes the 5~2 form of an eight-bit word (e.g., 00000000) with each bit posi-tion representing the control or operational status of the controlled device. The input/output points so obtained are then compared with the previously obtained image of the points (e.g., 00100000), for example, by effecting a bit-by~bit exclusive OR (XOR) comparison. If the comparison indicates no change in status, (that is, the words are identical) the input/output points in the remaining cards are likewise scanned with the process repeated on a cyclic or looped basis. However, if a change is detected in the exclusive OR comparison, that new input/output scan, along with the time tag information and the direction of change is placed in the memory 18 of the remote Rn, and, in addition, the latest scan is moved to the memroy 14E
of the input/output management device. This process continues with each new change-in-status event loaded into the memory 18 of the remote on a first-in first-discarded basis. The first-in first discard rnemory may be configured by assiyning a preselected number of memory locations in the memory 18 of the remote Rn (e.g., fifty locations) for the logging information and providing an address pointer that points to each successive location in a serial manner with the pointer returning to the first location after pointing at the last available pre-assigned location in the mernory.
In the preferred embodiment, the processor 14A of the input/output management device 14 (FIG. 4A) and the processor 52 (FIG. 4) of the communication protocol controller 12 is 8X300 micro~controller manufactured by the Slgnetics Company of S~nnyvala, - 18 ~
7;~:
~alifornia, and the central prooessin~ unit 16 (FIG. 2) is an 86/12 single board 16-bit micro-computer manu-factured by the Intel Company o~ Santa Clara, Califo~nia ~nd adapted to an~ configuxed fox the Intel MULTIBUS~M
Each remote Rn iS adapted to commu~icate with the other by transitting digital data organi ed in pre-determlned block forma~s. A su~table and illustrative block format 66 is shown in FIG. 5 and includes a multi-word head~x frame 66A, a multi-word data fram~ 66B, and a lock termination frame or word 66C. Sol~actod of the information block configuration~ ~re adapted to transfer process control information to and from s~locted remot~
unit~ Rn and othe~ of the block configurations ar~ adapted to transfer super~isory control of the communications link CL from on~ remote to the other remote as explained in greater detail below.
An exemplary format for the header ancl data frames of an information block 66 is shown, respectively, in FIGS. 5A and SB. The header frame 66A preferably includes a 'start of header' word(~) that indicates to all remotes that information is being transmitted; a 'source' identification word(~) that indlcates th~ identity of the source remot2 Rs that ic tr~n~ferring the infor~ation, a 'destination' word(s) that indica~e~ the ide~ify o th~
receiviny or des~ination r~mot~ Rd; a 'header-type' word(s) th~t indicates whether th~ data block is txan~ferring data, a parametered com~and block, or a p~rameterle~s command block;
'block-type' word indicating the type o~ block ~that is, a command block or a dat~ block)7 a 'block number' word that ~ 19 ~
indicates the number of blocks being sent; a 'block size' word indicating the length of the data frame; a 'security code' word(s) that permits alteration of the resident soft-ware programming in a remote; and, finally, a two-byte 'cyclic redundancy code' (CRC) validity word. The data frame for each data block, as shown in FIG. 5B, can in-clude a plurality of data carrying bytes or words Bl, B2,...B~ of variable length terminated with a two-byte cyclic redundancy code word. As described more fully below, each of the remotes is adapted to acknowledge (~CK) successful receipt of data and command blocks and non-acknowledge (NAK) the receipt of data in which a trans-mission error is detectedO When transmitting an acknowledgement bl.ock or a non-acknowledgement block, the header format used is show~ in F~GS. 5C and 5D in which an acknowledgPment (ACK) or non-acknowledgement (NAK) word occupie~ ths 'block type' word position. The hlock formats disclosed above are intended to be illustrative only and not limiting.
The various remote units Rl, R2~ R3,... Rn communi-cate with one another by having each remote successively take control of the communications link CL and the controlling remote Rs then sending digital information between ikself and a destination remote Rd using a double transmission alt~rnate line technique that provides for high reliability data transfer between remotes even when one of the two communication links CL~ or CLl is inoperativa, for example, when one of the two communication cables is severed or otherwisa degraded as occassionally occurs in harsh industxial environments~
- ~0 -5~
When a remote unit assumes control of the communi-cation link CL (as explained more fully below) and, as a source remote Rs~ desires to send data blocks to another, destination remote Rd, the data block is assembled at the source remote Rs.in accordance with the block formats discussed above in connection with FIGS. 5-5D and trans-mitted through tha information channels CL~ and CL1 of the source remote Rs to the communication links CL~ and CLl with the hPader frame containing both the source remote Rs and the destination remote Rd identification info:cmation.
In accordance with the data transmission technique, the communication protocol controller 12 of the source remote RS transmi~s ~he information blocks ~wice on each communication link CL~ and CLl as schematically illustrated in FIG. 6 to provide a first data block DBA and ~hen a second, following data block DBB on each communication link CL~ and CLl.
The transmitted information block headers include the identity o~ the destination remote, Rd, which causes the d~tination remote Rd to receive and act upon the informa~ion blocks. At tha destination remote ~d~ the two data blocks D8A0 and DBB~ on the communication link CL~ are passed through ~he communication channel CH~
and the two data blocks DBAl and DBBl on the communicaLion link CLl are passed through the communication channel CHl to, respectively, the first-in firs~-out serialize~s 48 and 50 (FIG. 4).
As shown in the summary flow diagram o~ FIG. 7, the destingation remote Rd checks ~he validity of the received data by selecting one of the two communication links (eOg., CL0 in FIG. 7) and then checks the first i7~
data block on the selected line (that is, DBA~) by performing a cyclic redundancy check of the header frame and, if valid, performing a cyclic redundancy check of the data frame. If the data frame is valid, the communi-cation protocol controller 12 of the destination remote Rd khen performs a bit-for-bit comparision between the CRC-valid first data block ~BA~ and the second following data block DBB~. If tha bit~Eor-bit comparision is good, an acknowledgement (ACK) signal s sent ~rom the destinat.ion remote Rd to the source remote R5 to indicate the receipt of valid information and complete that data block information transaction. On the other hand, if the CRC
validity checks of the header or the data frame or the bit for-bit comparison check indicate invalid data, ~he protocol controller 12 of the destination remote Rd then selects ~he other, alternate line ~in this case, CLl) and performs the aforementioned cyclic rerlundancy checks of the header and data frame and the blt-fox-b.it co~parison between the ~irst and second data blocks D~l and D3 on the alternate line CLl. If these checks indicate valid data on the ~lternate line, the destination remote Rd responds with an acknowledgement sign21 (ACK) to conclude the data block transmission transaction. On the other hand, if these checks indicate invalid data on the alternate line (which means that the data blocks on both the first-~elected line and the alternate line are invalid) the destination remote Rd r~sponds with a non-acknowledg~ment signal (NAK) ~o cause re~ransmission of the data blocks from the source remote Rs. The non acknowledgement block (NAK) includes a by~e or bytes indicating the identity of the data block or blocks which should be retransmitted. A counter (not shown) is provided that counts the number of retransmissions from the source remote Rs and, after a fini.te number of re-transmissions (e.g., four), halts fuxther retransmission to assure tha~ a souxce remote Rs and a destina~ion remote Rd do not become lost in a repetitive transmit/NAK/re transmit/NAR... sequence in the event of a hardware or software failure of the destination remote Rd error checking mechanism.
The double message alternate line checking sequence sun~arized in FIG~ 7 may be more ~ully appreciated by referring to the detailed flow diagram shown in FIGS. 8A
and 8B (as read in accordance with the flow diagram map of FIG. 9~. ~t the start of the information validity checking procedure, the 'line ~-first' flag register is checked; if a flag is present, the 'first-attempt ail' flag register is checked, and, i there is no flag in this register, the two data ~locks DB~l and DBB~ on channel C~l are stored while the two da~a blocks DBA~ and DBB0 on channel CH~ are used for the first attempt information check.
Thereater, the header frame o the first data block DBA~
on channel CH~ undergoes a CRC check, and, if acceptable, the data frame of this data block DBA~ undergoes a CRC check.
If the header and data frames CRC checks indicate valid data a 'good message' register is incremented. I the number of good messages is less than two, the error checking procedure ~eturns to the initial part of the flow diagram and, after 7~
determining there is no channel CH~ first flag or first-attempt flag present, checks the second following data block DBB~ by repeating the header and data CRC cyclic redundancy checks. If the header and data frames pass the CRC checks, the 'good message' register is incremented again to indicate that a total of two messages in succession (that is, DBA~ and DBB0) have passed the cyclic redundancy check for the header and data framesO Thereafter, the two data hlocks DBA~ and DBB0 received on line CEI~ ~re checked by perorming a bit-by-bit comparision between the two. If the data blocks DBA~ and DBB~ pass the bit-by-bit comparision test, the communi-cations protocol controller 12 o the destination remo~e Rd sends an acknowledgement (ACK) message to the source remote Rs to conclude the information block transfer and resets the various registers. If, on the other hand, eithex the data block DB~ or DBB0 on line CL0 fail the header and data frame CRC checks or these two data bloc~s ~ail the bit~by-bit comparison check, the communication protrocol cont.roller 12 sets ~he 'first-attempt fail' flag and re~urns to the start o~ the procedure to determine that the lline 0-first' flag and the 'irst-attempt' fail flag are present. The communi-cation protocol controller 12 then uses the stored data blocks DBAl and DBB1 from line CLl (which data blocks were previously stored in FIFO 50). The header block and data block of the data blocks DBAl and DBBl rom line CLl undergo the CRC
check and, if successful, cause tha incrementing o~ the 'good ~ 111 L~ t~~tr,~, message' re~ister to cause the communication protocol controller 12 to then check the validity of the second data block DBBl. If the data blocks DBAl and DBBl pass the CRC checks, they are compared with one another in a bit-by-bit comparison test and if this comparison check is successful, an acknowledgement (ACX) is sent. If, on the other hand, either data block DBAl or DBBl does not pass the CRC check or the data blocks do not pass the bit-by-bit comparison test, a non-acknowledgement (NAK) is sent to the source remote ~5 including information requesting the retransmission of the data blocks which ailed the validity test at the destination remote Rd. The source remote RS then retransmits the improperly received information blocks as described above with retransmission limited to a finite number.
A register i5 provided for each o~ the communication links for recording, in a cumulative manner, the number of times an invalid message is received for each communication link. In this manner, it can be determined, on a statistical basis, ~hether one of the two communication links has suffered a deterioration in signal transmission capability and, of course, whether one of the com~uniGation links is severed.
As can be appreciated, the dual txansmission of the identical messages on plural communication ~inks vastly enhances the ability of the destination remote Rd to detect errors and determine whether the infonma~ion being transmitted is valid or not. In addition, the de~tination xemote Rd is able to operate and successfully receive messayes even if one of the communicatlon links CL~ or C~l is severed since the communication protocol con~roller 12 at the destination R~
~2~
will examine the received signals on each line and will find invalid data on the severed line, but will al~7ays examine the data blocks on the other line and, if necessary, request retransmission of the information blocks.
In selecting one of the two channels CH~ or CHl for the first validity check, it is preferred that one of the two channels (e.g., CH0) be selected for the first check on every other information transaction and that the other of the two channels (e.g.~ CH1) be selected for the first check for the other intermediate information transactions. While the system has been disclosed as having dual communication links CL~ and CLl, the invention is not so limited and can encompass more than two communication links with the remotes adapted to sequentially examine signals received on the various channels.
As mentioned above, each remote Rn f the control system is adapted to accept and then relinquish supervisory control of the communication link CL on a master-for-the-moment or xevolvlng mastar arrangement. The communication protocol controller 12 of each remote Rn includes a register which contains the remote succession numher, anothex register which contains the total number of remotes in the system, and another register which contains the relative position of the remote from the present system master. The first two registers are schematically illustrated by the reference character 60 in FIG. 4. In addition, each remote Rn includes a variable transfer-monitor timer having a time-out interval that is set in accordance with a predetermined control-transfer time constant (50 micro-seconds in the preferred embodiment) and the position of the 57~
particular remote relative to the present system master to permit, as explained in more detail below, the master-for-the-moment transfer to continue even in the event of a disabled remote (that is, a remote that is unable to accept supervisory control because of a malfunction).
Anothex timer is provided to force transfer of supervisory control of the communications link CL in the ~vent a remote, because of a malfunction, is unable to transfer supervisory control to its nex~ successive remote. The operation of the master-for-the-moment transfer technique can be appreciated by consideration of the following example of an illustrative system tha~ includes five remotes arranged in the open loop configuration of FIG. 1 and transferring supervisory control of the co~munications link CL in accordance with the tables of FIGS. lOA-lOF. The upper row of each table indicates the succession sequence or order of the five ~emotes Ror Rl, R2, R3 and R4 that comprise the system; the intermediate row identifies the remote that is the present master-for-the-moment and also identifies the relative successive posikion of the other remotes from the present master, that is, the first (or next) successive remote from ~he present master, the second successive remote from the present master, the third remote from the present master, etc.; and the third row of each table lists the setting of the variable transfer-monitor timer for the particular remote.
The system is provided with initialization software so that the first remote in the succession, R
assumes supervisory control oE the communication link CL after system start-up and becomes the initial master of the system (FIG. lOA). When the initial master Ro is in control of the communications link CL, it can send data to any of the other remotes, request status or other data from another remote, and send control blocks and the like ove- the communications link CL. When the master Ro determines that it no longer deslres possession of the communications link CL, it passes supervisory control of the comm~nications link CL to the next or first successive remote in accordance with the succession order. Thus, when the present master Ro concludes its in~onmation transfer transactions, it transfers supervisory control of the com~unications link C~ to its next or first successive remote Rl by transmitting a control block to the remote R
with all the remaining remotes ~that is, R~, R3, R~) being cognizant of the transfer of supervisory control rom the present mas~er R~ to its first or next succ~ssive remote Rl. Since, in the present system, the transfer of supervisory control of the communications link CL is expected to take place within 50 micro-seconds, the second successive remote R2, as shown in the third row o~
the table of FIG. lOB, sets its variable transfer-moni~or timer to 50 micro-seconds, the third succe~sive remote R3 sets its variable transfer-monitor timer to 100 micro-seconds, - ~8 -7~
and the fourth successive remote R4 sets it transfex-monitor timer to lSO micro-seconds. When the first successive remote Rl receives the control block from the present master Rnl it accepts supervisory control of the communlcations link CL by re~ponding with an acknowledgement message (ACK). If the control block is misreceived, the first successive remote Rl can re3pond with a non-acknowledgement (NAK) to request retransmission of the control block transferring supervisory control of the communications link CL. During the time interval that the present master remote Ro is attemp~ing to transfer supervisoxy control of the communi-cation link CL to its next successive remote Rl, the transfer-monitor timers of the remaining remotes are counting down. I, for any reason, the next or first successive remote Rl fails to take control (e.g., a malfunction of the remote), the transfer-monitor timer of the second successive remote R2 will time-out at 50 micxo-seconds and cause the second successive remote R2 to then accept supervisory control of the cornmunication link CL
from the present master Ro and thus bypass the apparently malfunctioniny ~irst successive remote Rl.
Aassuming that the initial system master Ro successively transfers supervisory control of the communi catins link C~ to its first successive remote Rl, that successive remote Rl then becomes tha present master with the remaining remotes changing their position relative to the present master and setting their transfer-monitor timers in accordance with the second and third rows of the table of FIG~ lOB. ~hen the present master Rl concludes its -- 2g --information transfer transactions, if any, it attempts to transfer supervisory control to its first or next successive remote R2 by sending an appropriate control block to remote R2 which responds with an acknowledgement signal (ACK) or, in the event of a mistransmission of the con rol block, a non-acknowledgement signal (NAK) which causes re-transmission of the control block. When the control block requesting transfer of supervisory con~rol of the communi-cation link CL is sent from the present master ~1 to its next successive remote R2, all the remaining remotes reset their transfer-monitor timers in accordance with their posi~ion relative to the present remote as shown in the third row of the table of FIG. 10C. Should the next successive remote R2 be unable to accept supervisory control of the communicatlon link CL from the present master Rl, the transfer-monitor timer of the second successive remote R3 will time-out in 50 micro-seconds and cause the second successive remote R3 to assume supervisory control of the communiations link CL to thereby bypass an apparently malfunctioning first successive remote R2 As can be appreciated from a review of the transfer-monitor tirne-out set~ings o the various remotes, supervisory control of the communications link CL will transfer even if one or more successive remotes are malunctioning, when the transfer-monitor timer of the next operable remote times out. This tr~nsfer sequence continues in succession as shown in the remaining tables of FIG5. 10D to 10F with supervisory control of the communication link CL being passed from remote to remote in succession with the last remote R4 returning supervisory control to the first remo~e Ro~
'7~
By employing a master-fox-the-moment transfer technique in which the receiving remote acknowledges control from ~he transferring remote and in which re-transmission of a mis-received control block is provided for ln response to a non-ack~owled~ement signal from the receiving remote, it is poss~ble to positively transfer ' supervisory control o~ the communication linkO This technique advantageously transfers co~trol u~ing the data and infoxmation carrying com~unication link rather than, as in other systems, by providing ~epaæate communi cation lines or channel3 dedicated solely to ~upervisory control transfer functions. Also, the provl~ion of a ~ariable transfer-monitor timer at each remote that is s~t in eccordance with the remote's relative position to the present master and a transfer time-constank automatically transfers supervisory control of the communicatio~s 7ink even if one or more of the succe~ive remote are mal-functioning~
The architecture of a r~dundant remote (R4 and ~8 in FIG~ 1~, as shown in FIG. 11, ~ essentially the same as tha~ of a primary remote except that it ha~ no input/
output devices assigned to it. Each redundant remote functions to take over control responsibility of a controlle~
device ~rom a primary remote in ~he event the primary remote malfunctions.
7~
In each primary remote, preassigned memory locations are designated to act as a 'mailbox' register for that remote. Each time the central processing unit 16 of the primary remote cycles through its applications program, in which it responds to and controls the input/
outpu. devices of the remote via the input/output management device 14, it stores a predetermined number in its mailbox.
Each time the processor 14A of the input/output management device 14 cycles through its program, it decrements the number stored in the mailbox. The time for the CPU 16 to oycle through its program and for the input/output management device 14 to cycle through its program is approximately 1:1 so that the number stored in the mailbox will be maintained at or near the predetenmined value set by the applications program of the CPU 16 unless khe CPU 16 ceases to cycle through its applications program.
Should this happen, the number stored in the mailbox memory 18 will be decremented by the input/output management detrice 14 until it reaohes a zero value.
~ach time a redundant remote which is serving as a back-up for its associated primary remotes ta~es its tuxn in the master-for-the-moment saquence described above, the redundant remote will request and obtain the value of the number in the mailbox of its assigned primary remotas.
If the number in the mailbox is not zero, the redundant remote will ~now that the central processing unit 16 in the 50-queried primary remote is carrying out its applications program and has not gone into an emergency mode of operation or otherwise ceased to operate. If the redundant remote
2~7~
detects that the number in the mailbox for one of its assigned primary remotes is zero, then the redundant remote will determine that the central processing unit 16 of the zero-mailbox remote is not carrying out the applications program and, in response to this determination, the redundant remote will first attempt to res~art the applications program in the central processing unit 16 of the primary remote. If it fails to successfully restart the applications program, the redundant remote will carxy out the applications program for the failed remote. In carrying out the applications program, the redundant remote will respond to the input devices and control the output devices assigned to the ailed primary remote by sending commands and receiving data from the failed remote over the communications link CL.
The redundant remote, in addition to checking the status of its assigned primary remotes for which the redundant remote serves as a back up, also must maintain an up-to-date record o the sta~us of the applications program in each of these assigned primary remotes. The redundant remote checks the status of the mailbox and gets the current applications program status from each of the primary remote~ by sending request~ for information over the communications link CL when the redundant remote takes its turn in the master-for-the-moment sequenee as described above.
57~
The operation of the redundant remote in carrying out its function as a back-up for the primary remotes will be more fully understood with reference to FIGS. llA and llB
which illustrate a flow chart of the program in the redundant remote R4 (FIG. 1), which ser~es as a back-up for its assigned primary remotes Rl, R2, and R3. The other redunclant remote R8 will have the same program except that it will be applied to its assigned remotes R5, R6, and R7.
As shown in FIGS. llA, after the program in the redundant remote R4 is started, it enters into a decision instruction sequence 101 to check the status of remote Rl. As explained above, it does this by sending a request for information over the communications link CL to remote Rl asking for the current number in the mailbox of remote Rl. It then determines whether this number is greater than zero. If the number is greater than zero, the status of remote Rl is determined to be operating and the program of the redundant remote R4 advances to instxuction step 103 ln which it resets a fail flag for Rl to 'off' and then enters subroutine 105, in which the current applications program status in remote Rl is obtained. This means that the redundant remote R4 requests and obtains the current status of the input and output devices in remote Rl and the current status of the timers and ~he counters and the flags being used in the applications program of remote Rl. In other words, in subroutine 105, all of the information that would be needed for the redundant remote R4 to take over the applications program is obtained from remote Rl.
This information is obtained by sending requests for data and recei~lng data back over the communications link CL.
Following the obtaining of the current appli-cations program status of remote Rl, the redundant remote R4 program proceeds to decision instruction sequence 107, in which the status of remote R2 is chec~ed in the same manner that was done with respect to Rl. If the status of remote R2 is opexating, the program advances to instruction step 109, in which the program sets a fail flag for remote R2 and then proceeds into subroutine 111, in which the status of the applications program for remote R2 is obtained in the same manner as for Rl in sub-routine 105. The program then proceeds into a decision instruction sequence 113 to chec~ the status of remote R3. If the status of remote R3 is operating, then the program resets the fail flag for remote R3 in instruction step llS and proceeds into subroutine 117 to obtain the applications program status for remote R3 in the same manner as ~or Rl in subroutine 105. Following subroutine 111, the program returns again to decision instructlon sequence 101 to check the status of remote Rl and the process cyclically repeats~
If in decision instr.uction sequence 101, the program determines that the status Rl is not operating as indicated by the number in the mailbox of the remote Rl, being zero, the program then advances to decision instruction sequence 113, in which the program determines if the fail flag for Rl is 'on' or 'off'. lf the fail flag is 'off', the program proceeds into instruction sequence 121, in ~hich the pxogram attempts to restart the applications program for remote Rl. It does this by sending a command over the communications link CL to remote Rl to direct the communications protocol controller 12 (FIG. 2) to attempt a hardware restart of the applications program.
This is carried out by the communications protocol controller 12 pulling a restart wire to ground in the com~on buss 22. When ~his restart wire is pulled to ground, it starts the applications program back through its initialization program and sets all of the flags, timers, and counters just as if power had been turned on. Such a restart is calle~ a hardware restart. Alternatively, the redundant remote R4 could ef~ect a software restart in the failed remote. A software restart would merely start the applications program through its initialization program with the timers, counters and flags left in their present status.
After completing instruction sequence 121, the redundant remote R4 program then sets the fail flag for remote Rl to 'on' in instruction step 123 and then proceeds into decision instruction sequence 125 to again check the status of remote Rl by chec~ing the num~er in the mailbox o~ remote Rl in the same manner as in decision instruction sequence 101. If the applications program in remote R~ was successfully starked in instruction sequence 121, the number in ~he mailbox will not be zero and the program will determine that the status of remote Rl is operating, whereupon the program will jump to decision instruction sequence 107 to cheok the s~atus of remote R2 as already described.
If the proyram determines that the status.
of remote Rl is not operating in decision instruction sequence 125, then this means that the attempt to restart the applications program in remote Rl in instruction sequence 121 failed and Lhe redundant remote R4 program then proceeds into instruction sequence 127 to initialize the input/output management device 14 (also identified in FIG. llB as 'RTX') in remote Rl to receive instructions and data from the redundant remote R4 instead of from the central processing unit 16 in the remote Rl and to send data on the status of the input and output devices to the redundant remote R4.
If the program of the redundant remote R4 determines that the fail flag was 'on' instead of 'off' in decislon instruction sequence 119, the redundant remote pxogram would proceed directly into the instruction sequence 127 to initialize the input/output management device 14 of remote Rl to respond to the redundant remote The purpose of the fail flag which is set to 'on' in instruction step 123 and is reset to 'off' in instruction step 103 i~ to prevent the xedundant remote program from getting hung-up in a condition in which i~ successfully restar~s the remote Rl only to have the remote Rl fail again by the ~ime the program of the redundan~ remote recycles around to checking the mailbox of th~ remo~e Rl again in desision instruction sequence 101. If this should happen, the fail ~lag for remo~e Rl will have been set to 'on' in in~ruction s~ep 123 after the successful restarting of the 7~
applications program. Then, the next time that the redundant remote program cycles back to decision instruction sequence lO1, and determines that the status of remote Rl is not operating, the fail flag for remote Rl will be 'on'. Accordingly, the program will jump from decision instxuction sequence ll9 into the instruction sequence 127 to initialize the remote R1 to respond to redundant remote R4. If the next time the redundant remote program recycles back to decision instruction sequence lOl to check the status of Rl, it determines that the status of Rl is operating, the program will then reset the fail flag to 'off' in instruction step 103 so that in subsequent cycles, should the program determine that the remote Rl has again failed, the progr~m will again go into the restart instruction sequence 121 instead of immediately jumping to the initialization instruction sequence 127.
After the redundant remote program has completed the initialization instruction sequence 127, it then proceeds to subroutine 129. In this subroutine, the ~tatus of the applications program of remote R1 last received by the redundant remote R4, which status is stored in the memory of the redundant remote R4, is loaded into predetermined registers of the memory of the redundant remote R4 in order to carry out the applications program of remote Rl in ~he redundant remote R4. After this subroutine i~ completed, the program proceeds into instruction sequence 130 and then into the subroutine 131 in which it starts and carries out the applications program. The redundant remote R4 carries out the Rl applications program by receiving data from remote Rl as to the status o the input and output devices - 38 ~
of the remote Rl and sending instructions to remote Rl to direct operation of the input/output management device 14 of the remote Rl. The program in the redundant remote R4 will then continue to cycle through -the applications program for the remote Rl until it receives a command from the operator to reset it back into its main cycle of checking the status of the remotes Rl, R2, and R3.
Should the redundant remote R4 determine that the status of remote R2 or remote R3 is not operating, it then performs the same program with respect to these remotes as described with respect to remote Rl as is illustrated in FIGS. llA and llB.
The redun~ant remote R8 ~ill take over the applications program should any of the primary remotes ~5-R7 become nonoperative in the same manner as described above with respect to R4 serving as a back-up for the primary remotes Rl-R3.
It will be appreciated that the provision of the redundant remotes decreases malfunctioniny o.f the control ~0 system due to one of the primary remotes becoming inoperative as a result of failure of the central processing unit 16 of the primary remote. Because each redundant remote serves as a back-up for several primary remotes, the cost of providing the redundancy is significantly reduced~ Because the redundant remotes are themselves each a remote control unit which takes its turn in the master-for a-moment sequence communicating with the other remotes over the dual channel communications link/ the redundant remotes can be provided in the system very inexpensively.
J~t~ od Each remote Rn, as described above, is provided with termination impedances Z~ and Zl for the first and second communication channels CH~ and CHl (FIG. 3) and a line termination relay 32~ and 321 under the control of the comm~nications link control device 38. The termination impedances are connected across each channel of the communi-cations link when the particular remote is the first or the last remote in the system (e.g., Rl and R8 in FIG~ 1) to establish proper line termination impedance to prevent signal level degradation and the presence of reflected signals, both conditions which can adversely affect the perormance of the system. ~he termination impedances Z~ and Zl are also applied acro,ss the appropriate communi-cations channels when a remote dete~mines, as described below, that the communications link CL between it and its immediately adjacert higher or lower number remote is severed or sufficiently degraded that reliable data transmission cannot be maintained the~ebetween~ The determination as to communications link degrada~ion can be made by providing each remote with a register for each communications channel that records, in a cumulative manner, the numbex of invalid messages received from the immediately adjacent remote(s) and terminate oné or both of the communications link CL0 and C~l in the direction of the remote from which the number of invalid messages raceived exceeds a threshhold value. More preferably, however, each remote is pro~ied with an acti~e testir.g diagnostic routine to enable it to test the communication integrity of the communications link between it and its immediately adjacent remote(s) in accordance with the fl'ow diagrams illustra~ed in FIGS. 12, 12A, 13B and 12C as read in accordance with FIG. 13 and the table of FIG. 14.
~ ~0 -The flow diagram illustrated in FIG. 12 is a summary of the manner by which each remote is capable of testing the communication integrity of the communications link CI. between it and its immediate adjacent remote or remotes and terminating one or both of the communications links, C~0 and CLl, when a degraded or interrupted line conditiop is detected. As shown in FIG. 12, the remote Rx is initialized and then, in sequence, tests the communi-cations integrity of the communications link CL~ in the downstream direction between it and its immediately adjacent lower number remote (that is, Rx 1) and then tests the communication integrity of the communicaticns link CLl in the downstream direction with the same remote. If either the communications link CL~ or CL1 in the downstream direction is faulty, an appropriate flag is set in a register in the remote Rx reserved for this purpose. In a similax manner, the remote ~x then tests the communications integrity of the communications link CL~ and CLl in the up-stream direction with its immediately adjacent higher number remote (that is, remoke RX+l) and sets the appropriate flag, as and if required. After this initial diagnostic chec~ing takes place, the r~mote Rx will terminate the failed communi-cations line CL~ and/or CL1 by actuating the appropriate relay contacts.320 and/or.321 as required. The I~ne checking test utilized in FIG. 12 preerably take place when the remote R is master-for-the=moment (that is, R ~.
x m A more detailed explanation of the communica~ions line integrity check and automatic line termination may be had by referring to FIGS. 12A, 12B and 12C tas read in accordance 57~
with the flow chart legend of FIG. 13) in which FIG. 12A
represents the downstream integrity check with the next lower number remote, FIG. 12B represents the upstream integrity check with the next higher number remote, and FIG. 12C represents ~he line termination function in response to the results of the integrity test performed in FIGS 12A and 12B.
In FIG. 12A, the line checking diagnostic is started by first loading three registers or counters, namely, a 'retry counter', a 'CL0 retry counter', and a 'CL1 retry counter' with an arbitrarily selected number, for example, five. The 'retry counter' is then decremented by one and a message sent from the remote Rx to the remote Rx 1 requesting an acknowledgement ACK signal. If the communications link Ch~ and C~l between the interrogating remote and the responding remote is fully functional, a valid ACK signal will be received by the interrogating remote Rx on both CL~ and CLl. The diagnostic checking will then route to the part o~ the program (FIG. 12B) for checking the communications integrity of the communications link CL0 and CLl between the interrogating remote Rx and the ~ext higher number remote in the system~ that is, RX+l. On the other hand, if a valid ACK signal i5 not received on one or both of the communications links CL~ or CLl by the requesting remote Rx from the immediately adjacent lower number responding remote Rx 1~ the appropriate retry counter (that is, 'CL0 retry counter' or 'CLl retry co~nterl) will be decremented by one and the procedure repeated until the 'retry counter' is zero at which time tne appropriate CL0 5~
and/or CLl terminate flag register will be set; thereafter, the program will route to the upstream communications integrity check sho~ in FIG. 12B.
~ he flow diagram of FIG. 12B is basically the same as that of FIG. 12A except that the communications integrity check occurs for that portion o the communications link CL between the interrogating remote Rx and the next higher number responding remote RX+1. More specifically, the three registers or counters, that is, the 'retry counter', the 'C~0 retry counter', and the 'CLl retry counter' are loaded with the arbitrarily selected value of five. The 'retry counter' is then decremented by one and a message sent from the interrogating remote R~ to the remote RX+l requesting an acknowledgement signalO If the communications link CL0 and CLl between the interrogating remote Rx and the responding remote RX+l is integral, a valid acknowledgement signal will be recei~ed by the interrogating remo~e Rx and the program will route to the termina~ion impedance portion of ~he procedure shown in FIG. 12C.
On the other hand, if a valid acknowledgement signal is not received on one or both o the communications lines CL~
or CLl by the interrogatlng remote Rx from the highex order responding remote RX~1, the appropriate retry counter, thzt is, the 'CL0 or CLl retry counter' will be decremented by one and the procedure repeated until the 're~ry counter' is zero at which point the appropriate C~ and/or CLl terminztion flag register will be set; thereafter, the program diagnostic will rou~e to the line impedance termination portion shown in FIG. 12C.
Z57~
In the flow diagram of FIG. 12C, the various termination registers are examined for set flags and appropriate commands issued to the C-link control device 38 ~FIG. 3) to terminate the line by appropriate actuation of the relay contacts 320 and/or 321. As is also shown in FIG. 12C, a line termination relay can also be released (that is, reset) to remove a previously applied line termination impedance. Accoxdingly, the system provides each remote with the ability to remove a line termination as well as apply a line termination. This particular feature is desirable when a communication link is temperarily degraded by the presence of non-recurring electrical noise to permit the system to automatically re~
configure its line impedances.
The following specific example illustrates the operation of the line termination procedure in which it is assumed that ~he communications link CL~ in FIG. 1 is severed at polnt A as shown therein and that the remote R4 is the present master (Rm) of the system and testing the communications integrity of the communications link between itself as ~he interrogating remote (Rx) and its next lower order number remote R3 (that is, Rx 1) In accordance with the flow diagram of FIG. 12A, the 'retry counter' r and the 'CL~ retry counter', and the 'CLl retry counter', as shown in the tabulation table of FXG. 14, are set to the pre~
determined valus of five. The 'retry counter' is decremented by one and the requesting interrogating remote R4 (Rx) requests an acknowledgement from the responding remote R3 (tha~ is, Rx 1) The requested acknowledgement will be provided o~ line CLl but not line CL~ because of the - 4~ ~
57~
aforementioned interruption at point A (FIG. 1).
The interrogating remote R4, not receiving the requested acknowledgement signal on communications li.nk CL~, will decrement the 'CL~ retry counter' by one. Thereafter, the retest procedure will be sequentially continued with the 'CL0 retry counter' being decremented with each additional unsuccessful attempt to obtain an acknowledgement from remote R3 through the communications link CL~. When the 'retry counter' decrements to zero, the 'CL~ retry counter' will also be decremented to zero at which time the CL~ lower order termination flag will be set. The remote R4 will thereafter continue the diagnostic checking procedure to test the communications integrity of that portion of the communications link between the remote R4 (Rx) and the next adjacent higher remote R5 (that is, RX+l) in accordance with the flow diagram of FIG. 12B. At the conclusion of the test of the communications link between ths inter-rogating remote R4 and the immediately adjacent lower number and higher number remotes R3 and R5, the termination relay contacts 32~ (FIG. 3) will be set to terminate the communi-cations link CL~ at the remote R4. In a similar manner, the remote R3, when it becomes master-for-the-moment, will also apply a termination impedance across the communications link CL~.
As can be appreciated from the foregoing, the remotes Ro~Rn have the ability, even when one or both of the communication links CL0 and CLl are severed to still 7~
function on a master-for-the-moment basis and also to effect appropriate line termination to minimize the adverse effect on digital data signal strength and the generation of reflected signals from mismatched line impedance caused by deteriorated or se~ered communication lines. In addition, the system is self-healing, that is, when reliable communications is restored over the severed or degraded portion of the communications link the remotes Rn wilL then again function to remove the line impedances to resume full system operation.
As will be apparent to those skilled in the art, various changes and modifications may be made to the industrial control system of the present invention without departing from the spirit and scope of the invention as recited in the appended calims and their legal equivalent.
~ 46 ~
detects that the number in the mailbox for one of its assigned primary remotes is zero, then the redundant remote will determine that the central processing unit 16 of the zero-mailbox remote is not carrying out the applications program and, in response to this determination, the redundant remote will first attempt to res~art the applications program in the central processing unit 16 of the primary remote. If it fails to successfully restart the applications program, the redundant remote will carxy out the applications program for the failed remote. In carrying out the applications program, the redundant remote will respond to the input devices and control the output devices assigned to the ailed primary remote by sending commands and receiving data from the failed remote over the communications link CL.
The redundant remote, in addition to checking the status of its assigned primary remotes for which the redundant remote serves as a back up, also must maintain an up-to-date record o the sta~us of the applications program in each of these assigned primary remotes. The redundant remote checks the status of the mailbox and gets the current applications program status from each of the primary remote~ by sending request~ for information over the communications link CL when the redundant remote takes its turn in the master-for-the-moment sequenee as described above.
57~
The operation of the redundant remote in carrying out its function as a back-up for the primary remotes will be more fully understood with reference to FIGS. llA and llB
which illustrate a flow chart of the program in the redundant remote R4 (FIG. 1), which ser~es as a back-up for its assigned primary remotes Rl, R2, and R3. The other redunclant remote R8 will have the same program except that it will be applied to its assigned remotes R5, R6, and R7.
As shown in FIGS. llA, after the program in the redundant remote R4 is started, it enters into a decision instruction sequence 101 to check the status of remote Rl. As explained above, it does this by sending a request for information over the communications link CL to remote Rl asking for the current number in the mailbox of remote Rl. It then determines whether this number is greater than zero. If the number is greater than zero, the status of remote Rl is determined to be operating and the program of the redundant remote R4 advances to instxuction step 103 ln which it resets a fail flag for Rl to 'off' and then enters subroutine 105, in which the current applications program status in remote Rl is obtained. This means that the redundant remote R4 requests and obtains the current status of the input and output devices in remote Rl and the current status of the timers and ~he counters and the flags being used in the applications program of remote Rl. In other words, in subroutine 105, all of the information that would be needed for the redundant remote R4 to take over the applications program is obtained from remote Rl.
This information is obtained by sending requests for data and recei~lng data back over the communications link CL.
Following the obtaining of the current appli-cations program status of remote Rl, the redundant remote R4 program proceeds to decision instruction sequence 107, in which the status of remote R2 is chec~ed in the same manner that was done with respect to Rl. If the status of remote R2 is opexating, the program advances to instruction step 109, in which the program sets a fail flag for remote R2 and then proceeds into subroutine 111, in which the status of the applications program for remote R2 is obtained in the same manner as for Rl in sub-routine 105. The program then proceeds into a decision instruction sequence 113 to chec~ the status of remote R3. If the status of remote R3 is operating, then the program resets the fail flag for remote R3 in instruction step llS and proceeds into subroutine 117 to obtain the applications program status for remote R3 in the same manner as ~or Rl in subroutine 105. Following subroutine 111, the program returns again to decision instructlon sequence 101 to check the status of remote Rl and the process cyclically repeats~
If in decision instr.uction sequence 101, the program determines that the status Rl is not operating as indicated by the number in the mailbox of the remote Rl, being zero, the program then advances to decision instruction sequence 113, in which the program determines if the fail flag for Rl is 'on' or 'off'. lf the fail flag is 'off', the program proceeds into instruction sequence 121, in ~hich the pxogram attempts to restart the applications program for remote Rl. It does this by sending a command over the communications link CL to remote Rl to direct the communications protocol controller 12 (FIG. 2) to attempt a hardware restart of the applications program.
This is carried out by the communications protocol controller 12 pulling a restart wire to ground in the com~on buss 22. When ~his restart wire is pulled to ground, it starts the applications program back through its initialization program and sets all of the flags, timers, and counters just as if power had been turned on. Such a restart is calle~ a hardware restart. Alternatively, the redundant remote R4 could ef~ect a software restart in the failed remote. A software restart would merely start the applications program through its initialization program with the timers, counters and flags left in their present status.
After completing instruction sequence 121, the redundant remote R4 program then sets the fail flag for remote Rl to 'on' in instruction step 123 and then proceeds into decision instruction sequence 125 to again check the status of remote Rl by chec~ing the num~er in the mailbox o~ remote Rl in the same manner as in decision instruction sequence 101. If the applications program in remote R~ was successfully starked in instruction sequence 121, the number in ~he mailbox will not be zero and the program will determine that the status of remote Rl is operating, whereupon the program will jump to decision instruction sequence 107 to cheok the s~atus of remote R2 as already described.
If the proyram determines that the status.
of remote Rl is not operating in decision instruction sequence 125, then this means that the attempt to restart the applications program in remote Rl in instruction sequence 121 failed and Lhe redundant remote R4 program then proceeds into instruction sequence 127 to initialize the input/output management device 14 (also identified in FIG. llB as 'RTX') in remote Rl to receive instructions and data from the redundant remote R4 instead of from the central processing unit 16 in the remote Rl and to send data on the status of the input and output devices to the redundant remote R4.
If the program of the redundant remote R4 determines that the fail flag was 'on' instead of 'off' in decislon instruction sequence 119, the redundant remote pxogram would proceed directly into the instruction sequence 127 to initialize the input/output management device 14 of remote Rl to respond to the redundant remote The purpose of the fail flag which is set to 'on' in instruction step 123 and is reset to 'off' in instruction step 103 i~ to prevent the xedundant remote program from getting hung-up in a condition in which i~ successfully restar~s the remote Rl only to have the remote Rl fail again by the ~ime the program of the redundan~ remote recycles around to checking the mailbox of th~ remo~e Rl again in desision instruction sequence 101. If this should happen, the fail ~lag for remo~e Rl will have been set to 'on' in in~ruction s~ep 123 after the successful restarting of the 7~
applications program. Then, the next time that the redundant remote program cycles back to decision instruction sequence lO1, and determines that the status of remote Rl is not operating, the fail flag for remote Rl will be 'on'. Accordingly, the program will jump from decision instxuction sequence ll9 into the instruction sequence 127 to initialize the remote R1 to respond to redundant remote R4. If the next time the redundant remote program recycles back to decision instruction sequence lOl to check the status of Rl, it determines that the status of Rl is operating, the program will then reset the fail flag to 'off' in instruction step 103 so that in subsequent cycles, should the program determine that the remote Rl has again failed, the progr~m will again go into the restart instruction sequence 121 instead of immediately jumping to the initialization instruction sequence 127.
After the redundant remote program has completed the initialization instruction sequence 127, it then proceeds to subroutine 129. In this subroutine, the ~tatus of the applications program of remote R1 last received by the redundant remote R4, which status is stored in the memory of the redundant remote R4, is loaded into predetermined registers of the memory of the redundant remote R4 in order to carry out the applications program of remote Rl in ~he redundant remote R4. After this subroutine i~ completed, the program proceeds into instruction sequence 130 and then into the subroutine 131 in which it starts and carries out the applications program. The redundant remote R4 carries out the Rl applications program by receiving data from remote Rl as to the status o the input and output devices - 38 ~
of the remote Rl and sending instructions to remote Rl to direct operation of the input/output management device 14 of the remote Rl. The program in the redundant remote R4 will then continue to cycle through -the applications program for the remote Rl until it receives a command from the operator to reset it back into its main cycle of checking the status of the remotes Rl, R2, and R3.
Should the redundant remote R4 determine that the status of remote R2 or remote R3 is not operating, it then performs the same program with respect to these remotes as described with respect to remote Rl as is illustrated in FIGS. llA and llB.
The redun~ant remote R8 ~ill take over the applications program should any of the primary remotes ~5-R7 become nonoperative in the same manner as described above with respect to R4 serving as a back-up for the primary remotes Rl-R3.
It will be appreciated that the provision of the redundant remotes decreases malfunctioniny o.f the control ~0 system due to one of the primary remotes becoming inoperative as a result of failure of the central processing unit 16 of the primary remote. Because each redundant remote serves as a back-up for several primary remotes, the cost of providing the redundancy is significantly reduced~ Because the redundant remotes are themselves each a remote control unit which takes its turn in the master-for a-moment sequence communicating with the other remotes over the dual channel communications link/ the redundant remotes can be provided in the system very inexpensively.
J~t~ od Each remote Rn, as described above, is provided with termination impedances Z~ and Zl for the first and second communication channels CH~ and CHl (FIG. 3) and a line termination relay 32~ and 321 under the control of the comm~nications link control device 38. The termination impedances are connected across each channel of the communi-cations link when the particular remote is the first or the last remote in the system (e.g., Rl and R8 in FIG~ 1) to establish proper line termination impedance to prevent signal level degradation and the presence of reflected signals, both conditions which can adversely affect the perormance of the system. ~he termination impedances Z~ and Zl are also applied acro,ss the appropriate communi-cations channels when a remote dete~mines, as described below, that the communications link CL between it and its immediately adjacert higher or lower number remote is severed or sufficiently degraded that reliable data transmission cannot be maintained the~ebetween~ The determination as to communications link degrada~ion can be made by providing each remote with a register for each communications channel that records, in a cumulative manner, the numbex of invalid messages received from the immediately adjacent remote(s) and terminate oné or both of the communications link CL0 and C~l in the direction of the remote from which the number of invalid messages raceived exceeds a threshhold value. More preferably, however, each remote is pro~ied with an acti~e testir.g diagnostic routine to enable it to test the communication integrity of the communications link between it and its immediately adjacent remote(s) in accordance with the fl'ow diagrams illustra~ed in FIGS. 12, 12A, 13B and 12C as read in accordance with FIG. 13 and the table of FIG. 14.
~ ~0 -The flow diagram illustrated in FIG. 12 is a summary of the manner by which each remote is capable of testing the communication integrity of the communications link CI. between it and its immediate adjacent remote or remotes and terminating one or both of the communications links, C~0 and CLl, when a degraded or interrupted line conditiop is detected. As shown in FIG. 12, the remote Rx is initialized and then, in sequence, tests the communi-cations integrity of the communications link CL~ in the downstream direction between it and its immediately adjacent lower number remote (that is, Rx 1) and then tests the communication integrity of the communicaticns link CLl in the downstream direction with the same remote. If either the communications link CL~ or CL1 in the downstream direction is faulty, an appropriate flag is set in a register in the remote Rx reserved for this purpose. In a similax manner, the remote ~x then tests the communications integrity of the communications link CL~ and CLl in the up-stream direction with its immediately adjacent higher number remote (that is, remoke RX+l) and sets the appropriate flag, as and if required. After this initial diagnostic chec~ing takes place, the r~mote Rx will terminate the failed communi-cations line CL~ and/or CL1 by actuating the appropriate relay contacts.320 and/or.321 as required. The I~ne checking test utilized in FIG. 12 preerably take place when the remote R is master-for-the=moment (that is, R ~.
x m A more detailed explanation of the communica~ions line integrity check and automatic line termination may be had by referring to FIGS. 12A, 12B and 12C tas read in accordance 57~
with the flow chart legend of FIG. 13) in which FIG. 12A
represents the downstream integrity check with the next lower number remote, FIG. 12B represents the upstream integrity check with the next higher number remote, and FIG. 12C represents ~he line termination function in response to the results of the integrity test performed in FIGS 12A and 12B.
In FIG. 12A, the line checking diagnostic is started by first loading three registers or counters, namely, a 'retry counter', a 'CL0 retry counter', and a 'CL1 retry counter' with an arbitrarily selected number, for example, five. The 'retry counter' is then decremented by one and a message sent from the remote Rx to the remote Rx 1 requesting an acknowledgement ACK signal. If the communications link Ch~ and C~l between the interrogating remote and the responding remote is fully functional, a valid ACK signal will be received by the interrogating remote Rx on both CL~ and CLl. The diagnostic checking will then route to the part o~ the program (FIG. 12B) for checking the communications integrity of the communications link CL0 and CLl between the interrogating remote Rx and the ~ext higher number remote in the system~ that is, RX+l. On the other hand, if a valid ACK signal i5 not received on one or both of the communications links CL~ or CLl by the requesting remote Rx from the immediately adjacent lower number responding remote Rx 1~ the appropriate retry counter (that is, 'CL0 retry counter' or 'CLl retry co~nterl) will be decremented by one and the procedure repeated until the 'retry counter' is zero at which time tne appropriate CL0 5~
and/or CLl terminate flag register will be set; thereafter, the program will route to the upstream communications integrity check sho~ in FIG. 12B.
~ he flow diagram of FIG. 12B is basically the same as that of FIG. 12A except that the communications integrity check occurs for that portion o the communications link CL between the interrogating remote Rx and the next higher number responding remote RX+1. More specifically, the three registers or counters, that is, the 'retry counter', the 'C~0 retry counter', and the 'CLl retry counter' are loaded with the arbitrarily selected value of five. The 'retry counter' is then decremented by one and a message sent from the interrogating remote R~ to the remote RX+l requesting an acknowledgement signalO If the communications link CL0 and CLl between the interrogating remote Rx and the responding remote RX+l is integral, a valid acknowledgement signal will be recei~ed by the interrogating remo~e Rx and the program will route to the termina~ion impedance portion of ~he procedure shown in FIG. 12C.
On the other hand, if a valid acknowledgement signal is not received on one or both o the communications lines CL~
or CLl by the interrogatlng remote Rx from the highex order responding remote RX~1, the appropriate retry counter, thzt is, the 'CL0 or CLl retry counter' will be decremented by one and the procedure repeated until the 're~ry counter' is zero at which point the appropriate C~ and/or CLl terminztion flag register will be set; thereafter, the program diagnostic will rou~e to the line impedance termination portion shown in FIG. 12C.
Z57~
In the flow diagram of FIG. 12C, the various termination registers are examined for set flags and appropriate commands issued to the C-link control device 38 ~FIG. 3) to terminate the line by appropriate actuation of the relay contacts 320 and/or 321. As is also shown in FIG. 12C, a line termination relay can also be released (that is, reset) to remove a previously applied line termination impedance. Accoxdingly, the system provides each remote with the ability to remove a line termination as well as apply a line termination. This particular feature is desirable when a communication link is temperarily degraded by the presence of non-recurring electrical noise to permit the system to automatically re~
configure its line impedances.
The following specific example illustrates the operation of the line termination procedure in which it is assumed that ~he communications link CL~ in FIG. 1 is severed at polnt A as shown therein and that the remote R4 is the present master (Rm) of the system and testing the communications integrity of the communications link between itself as ~he interrogating remote (Rx) and its next lower order number remote R3 (that is, Rx 1) In accordance with the flow diagram of FIG. 12A, the 'retry counter' r and the 'CL~ retry counter', and the 'CLl retry counter', as shown in the tabulation table of FXG. 14, are set to the pre~
determined valus of five. The 'retry counter' is decremented by one and the requesting interrogating remote R4 (Rx) requests an acknowledgement from the responding remote R3 (tha~ is, Rx 1) The requested acknowledgement will be provided o~ line CLl but not line CL~ because of the - 4~ ~
57~
aforementioned interruption at point A (FIG. 1).
The interrogating remote R4, not receiving the requested acknowledgement signal on communications li.nk CL~, will decrement the 'CL~ retry counter' by one. Thereafter, the retest procedure will be sequentially continued with the 'CL0 retry counter' being decremented with each additional unsuccessful attempt to obtain an acknowledgement from remote R3 through the communications link CL~. When the 'retry counter' decrements to zero, the 'CL~ retry counter' will also be decremented to zero at which time the CL~ lower order termination flag will be set. The remote R4 will thereafter continue the diagnostic checking procedure to test the communications integrity of that portion of the communications link between the remote R4 (Rx) and the next adjacent higher remote R5 (that is, RX+l) in accordance with the flow diagram of FIG. 12B. At the conclusion of the test of the communications link between ths inter-rogating remote R4 and the immediately adjacent lower number and higher number remotes R3 and R5, the termination relay contacts 32~ (FIG. 3) will be set to terminate the communi-cations link CL~ at the remote R4. In a similar manner, the remote R3, when it becomes master-for-the-moment, will also apply a termination impedance across the communications link CL~.
As can be appreciated from the foregoing, the remotes Ro~Rn have the ability, even when one or both of the communication links CL0 and CLl are severed to still 7~
function on a master-for-the-moment basis and also to effect appropriate line termination to minimize the adverse effect on digital data signal strength and the generation of reflected signals from mismatched line impedance caused by deteriorated or se~ered communication lines. In addition, the system is self-healing, that is, when reliable communications is restored over the severed or degraded portion of the communications link the remotes Rn wilL then again function to remove the line impedances to resume full system operation.
As will be apparent to those skilled in the art, various changes and modifications may be made to the industrial control system of the present invention without departing from the spirit and scope of the invention as recited in the appended calims and their legal equivalent.
~ 46 ~
Claims (13)
1. In a control system for controlling an industrial process of the type that includes a plurality of remote units each connected to an associated input/output device and interconnected through a communications link and in which each remote is assigned a unique position in a predetermined succession order, 0, 1, 2, 3, ... m, ... n, and each remote accepts supervisory control of the communications link on a master for the moment basis in accordance with the succession order, a method for transferring supervisory control of the communications link from a present system master Rm to the first successive remote Rm+1 comprising the steps of:
transmitting a control-transfer command signal through the communications link from the present system master Rm to the next successive remote Rm+1;
evaluating the validity of the control-transfer command signal at the next successive remote Rm+1;
sending an acknowledgement signal through the communications link from the next successive remote Rm+1 to the present system master Rm when the control-transfer command signal is found valid;
and accepting supervisory control of the communications link by the next successive remote Rm+1 from the present master Rm whereby the next successive remote Rm+1 becomes the present master Rm.
2. In a control system for controlling an industrial process of the type that includes a plurality of remote units each connected to an input/output device and interconnected through a common communications link and in which each remote is assigned a unique position in a predetermined succession order,0, 1, 2, 3, ... m, ... n, and in which each remote accepts supervisory control of the communications link on a
transmitting a control-transfer command signal through the communications link from the present system master Rm to the next successive remote Rm+1;
evaluating the validity of the control-transfer command signal at the next successive remote Rm+1;
sending an acknowledgement signal through the communications link from the next successive remote Rm+1 to the present system master Rm when the control-transfer command signal is found valid;
and accepting supervisory control of the communications link by the next successive remote Rm+1 from the present master Rm whereby the next successive remote Rm+1 becomes the present master Rm.
2. In a control system for controlling an industrial process of the type that includes a plurality of remote units each connected to an input/output device and interconnected through a common communications link and in which each remote is assigned a unique position in a predetermined succession order,0, 1, 2, 3, ... m, ... n, and in which each remote accepts supervisory control of the communications link on a
Claim 2 - cont'd ...
master for the moment basis and in which each remote includes a settable variable transfer-monitor timer, a method for suquentially transferring supervisory conrol of the communications link from the present master Rm to the next successive remote Rm+1 in the succession order and for transferring supervisory control of the communications link from the present system master Rm to the second successive remote Rm+2 in the event the next successive remote Rm+1 fails to accept supervisory control from the present system master Rm comprising the steps of:
transmitting a control-transfer command signal through the communications link from the present system master Rm to the next successive remote Rm+1;
setting the transfer-monitor timer of at least the second successive remote Rm+2 to a time-out interval based on a function of the successive remote's position relative to the present system master Rm;
said method in a normal mode of operation comprising the further steps of:
(1) evaluating the validity of the control-transfer command signal at the next successive remote Rm+1;
(2) sending an acknowledgement signal through the communications link from the next successive remote Rm+1 to the present system master Rm when the control-transfer command signal is found valid; and (3) accepting supervisory control of the communications link by the first successive Rm+1 from the present system master;
said method in an abnormal method of operation comprising the further step of:
accepting supervisory control of the communications link by the second successive remote Rm+2 when the transfer-monitor timer of the second successive remote Rm+2 times-out before the first successive remote Rm+1 accepts supervisory control of the communications link.
master for the moment basis and in which each remote includes a settable variable transfer-monitor timer, a method for suquentially transferring supervisory conrol of the communications link from the present master Rm to the next successive remote Rm+1 in the succession order and for transferring supervisory control of the communications link from the present system master Rm to the second successive remote Rm+2 in the event the next successive remote Rm+1 fails to accept supervisory control from the present system master Rm comprising the steps of:
transmitting a control-transfer command signal through the communications link from the present system master Rm to the next successive remote Rm+1;
setting the transfer-monitor timer of at least the second successive remote Rm+2 to a time-out interval based on a function of the successive remote's position relative to the present system master Rm;
said method in a normal mode of operation comprising the further steps of:
(1) evaluating the validity of the control-transfer command signal at the next successive remote Rm+1;
(2) sending an acknowledgement signal through the communications link from the next successive remote Rm+1 to the present system master Rm when the control-transfer command signal is found valid; and (3) accepting supervisory control of the communications link by the first successive Rm+1 from the present system master;
said method in an abnormal method of operation comprising the further step of:
accepting supervisory control of the communications link by the second successive remote Rm+2 when the transfer-monitor timer of the second successive remote Rm+2 times-out before the first successive remote Rm+1 accepts supervisory control of the communications link.
3. In a control system of the type having a plurality of process control remotes interconnected through a communications link with each remote assigned a unique position in a predetermined succession order and each remote exercising supervisory control of the communication link on a revolving master basis, a method for transferring super-visory control of the communications link from a present system master to the next successive remote in the succession order comprising the steps of:
transmitting a control-transfer command signal along the communiction link from the present system master to the next successive remote in the succession order;
receiving and evaluating the validity of the control-system command signal at the next successive remote; and accepting supervisory control of the communication link by the next successive remote from the present master if the control-transfer command signal is found valid by the next successive remote, whereby the next successive remote becomes the present system master.
transmitting a control-transfer command signal along the communiction link from the present system master to the next successive remote in the succession order;
receiving and evaluating the validity of the control-system command signal at the next successive remote; and accepting supervisory control of the communication link by the next successive remote from the present master if the control-transfer command signal is found valid by the next successive remote, whereby the next successive remote becomes the present system master.
4. A system for controlling an industrial process, said system comprising:
a plurality of process controlling remotes, a common communication link interconnecting said remotes, each remote being assigned a unique position in a predetermined succession order and each remote exercising supervisory control of the communication link on a master for a moment basis in accordance with the succession order;
each remote including a means for transmitting digital information in block format over said communications link to the other of the remotes and each including receiver means for receiving digital information transmitted from one other of the remotes; and each remote including means for transferring the supervisory control to the next successive remote in the succession order by transmitting a control-transfer block over said communication link to the next successive remote in the succession order and the next successive remote accepting supervisory control of the communication link in response to said control-transfer block.
a plurality of process controlling remotes, a common communication link interconnecting said remotes, each remote being assigned a unique position in a predetermined succession order and each remote exercising supervisory control of the communication link on a master for a moment basis in accordance with the succession order;
each remote including a means for transmitting digital information in block format over said communications link to the other of the remotes and each including receiver means for receiving digital information transmitted from one other of the remotes; and each remote including means for transferring the supervisory control to the next successive remote in the succession order by transmitting a control-transfer block over said communication link to the next successive remote in the succession order and the next successive remote accepting supervisory control of the communication link in response to said control-transfer block.
5. The system for controlling an industrial process claimed in Claim 4, wherein:
each remote includes means for evaluating the validity of a received control-transfer block and for responding to a validly received control-transfer block by sending an acknowledgement signal to the transmitting remote to conclude the transfer of supervisory control.
each remote includes means for evaluating the validity of a received control-transfer block and for responding to a validly received control-transfer block by sending an acknowledgement signal to the transmitting remote to conclude the transfer of supervisory control.
6. The system for controlling an industrial process claimed in Claim 5, wherein:
said evaluating means is operable to respond to an invalidly received control-transfer block by sending a non-acknowledgement signal to the transmitting remote.
said evaluating means is operable to respond to an invalidly received control-transfer block by sending a non-acknowledgement signal to the transmitting remote.
7. The system for controlling an industrial process claimed in Claim 6, wherein:
the transmitting remote is operable in response to a non-acknowledgement signal to retransmit said control-transfer block.
the transmitting remote is operable in response to a non-acknowledgement signal to retransmit said control-transfer block.
8. In a control system of the type having a pourality of process control remotes interconnected through a communicat-ions link with each remote assigned a unique position in a predetermined succession order and each remote exercising supervisory control of the communication link on a revolving master basis, a method for transferring supervisory control of the communications link from a present system master to the next successive remote in the succession order comprising the steps of:
transmitting a control-transfer command signal along the communication link from the present system master to the next successive remote in the succession order;
receiving and evaluating the validity of the control-transfer command signal at the next successive remote; and sending an acknowledgement signal to the present system master from the next successive remote and accepting super-visory control of the communications link by the next successive remote from the present master if the control-transfer command signal is found valid by the next successive remote whereby the next successive remote becomes the present system master.
transmitting a control-transfer command signal along the communication link from the present system master to the next successive remote in the succession order;
receiving and evaluating the validity of the control-transfer command signal at the next successive remote; and sending an acknowledgement signal to the present system master from the next successive remote and accepting super-visory control of the communications link by the next successive remote from the present master if the control-transfer command signal is found valid by the next successive remote whereby the next successive remote becomes the present system master.
9. In a control system claimed in Claim 8, said method further comprising the step of:
sending a non-acknowledgement signal from the next successive remote to the present system master if the evaluated control-transfer command signal is found invalid.
sending a non-acknowledgement signal from the next successive remote to the present system master if the evaluated control-transfer command signal is found invalid.
10. In a control system claimed in Claim 9, said method further comprising the step of.
retransmitting the control-transfer command signal from the present master to said next successive remote in response to a non-acknowledgement signal from the next successive remote.
retransmitting the control-transfer command signal from the present master to said next successive remote in response to a non-acknowledgement signal from the next successive remote.
11. In a control system of the type having a plurality of process control remotes interconnected through a communicat-ions link with each remote assigned the unique position in a predetermined succession order and each remote exercising supervisory control of the communication link on a revolving master basis, each remote having a variable transfer monitor timer, a method for transferring supervisory control of the communication link from one remote to another comprising:
transmitting a control transfer command signal along the communication link from the present system master to the next successive remote in the succession order;
setting, when said control-transfer command signal is transmitted from the present system master to the next successive master, the transfer-monitor time-out interval of at least the second successive remote from the present master to a time-out interval that is a function of a pre-determined supervisory control transfer value and the position of the particular remote relative to the present master;
said method operating in a normal mode comprising the further steps of:
(1) receiving and evaluating the validity of the control transfer command signal at the next successive remote;
(2) sending an acknowledgement signal to the present system master from the next successive remote; and (3) accepting supervisory control of the communications link by the next successive remote from the present system master if the control transfer command signal is found valid by the next successive remote whereby the next successive remote becomes the present system master, said method operating in an abnormal mode comprising the further step of accepting supervisory control of the communications link by the second successive remote from the present system master in the event the transfer-monitor timer of such second successive remote times out before the first successive remote accepts supervisory control in said normal mode of operation.
transmitting a control transfer command signal along the communication link from the present system master to the next successive remote in the succession order;
setting, when said control-transfer command signal is transmitted from the present system master to the next successive master, the transfer-monitor time-out interval of at least the second successive remote from the present master to a time-out interval that is a function of a pre-determined supervisory control transfer value and the position of the particular remote relative to the present master;
said method operating in a normal mode comprising the further steps of:
(1) receiving and evaluating the validity of the control transfer command signal at the next successive remote;
(2) sending an acknowledgement signal to the present system master from the next successive remote; and (3) accepting supervisory control of the communications link by the next successive remote from the present system master if the control transfer command signal is found valid by the next successive remote whereby the next successive remote becomes the present system master, said method operating in an abnormal mode comprising the further step of accepting supervisory control of the communications link by the second successive remote from the present system master in the event the transfer-monitor timer of such second successive remote times out before the first successive remote accepts supervisory control in said normal mode of operation.
12. The system for controlling an industrial process claimed in claim 4 wherein at least one of the remotes includes means for logging change-in-status information, with respect to a plurality of devices controlled by said one remote, the controlled devices having associated sensors each having input/
output data-points associated therewith, said controlled devices and associated sensors being interconnected through a communications buss, said means for logging change-in-status information including a computer-based controlling means for effecting control thereover, first and second memory files for storing input/output data associated with said controlled devices and sensors, said second memory of a predetermined size and of the first-in first-discard type;
scanning means for obtaining the input/output data associated with each of said controlled devices and sensors and storing the so-obtained data in said first memory and thereafter obtaining the input/output data on a cyclic basis;
comparing and detecting means for comparing the input/
output data obtained during the latest of said cyclic scans with the input/output data stored in said first memory file, and, in the event a difference between the latest obtained data and the stored data is detected indicating a change-in-status, updating the appropriate input/output data in said first memory and storing information relating to the so-detected change-in-status in said second memory on a first-in first-discard basis;
\
means at least responsive to selected ones of said input/
output data or combinations thereof for providing an inhibit signal to said second memory to inhibit further storage therein.
output data-points associated therewith, said controlled devices and associated sensors being interconnected through a communications buss, said means for logging change-in-status information including a computer-based controlling means for effecting control thereover, first and second memory files for storing input/output data associated with said controlled devices and sensors, said second memory of a predetermined size and of the first-in first-discard type;
scanning means for obtaining the input/output data associated with each of said controlled devices and sensors and storing the so-obtained data in said first memory and thereafter obtaining the input/output data on a cyclic basis;
comparing and detecting means for comparing the input/
output data obtained during the latest of said cyclic scans with the input/output data stored in said first memory file, and, in the event a difference between the latest obtained data and the stored data is detected indicating a change-in-status, updating the appropriate input/output data in said first memory and storing information relating to the so-detected change-in-status in said second memory on a first-in first-discard basis;
\
means at least responsive to selected ones of said input/
output data or combinations thereof for providing an inhibit signal to said second memory to inhibit further storage therein.
13. The system for controlling an industrial process claimed in claim 4 wherein at least one remote includes a processor-based controller for providing control signals to a controlled device and obtaining device-responsive signals from a sensor therefor and providing a historical log of change-in-status events for said device and sensor, said controller comprising:
a processor connected to said controlled device for providing control signals thereto for effecting control thereover and for receiving device-responsive signals from a sensor operatively associated with said control device, said controlled device having input/output status data-points associated therewith;
first and second memory files connected to said processor, said second memory of the first-in first-discard type;
means operatively associated with said processor for scannning the input/output status data-points and storing the so-obtained status information in said first memory file and, thereafter scanning said input/output status data-points and comparing the thereafter obtained input/output status information with the input/output status information stored in said first memory file and, in the event that a difference between the thereafter obtained status information and the status information stored in said first memory is detected, for updating the appropriate status information in said first memory and storing information related to the detected difference in said second memory file;
(claim 13 cont'd) means responsive to selective ones or combination thereof of said input/output status information for providing an inhibit signal to said second memory file to prevent storage therein.
a processor connected to said controlled device for providing control signals thereto for effecting control thereover and for receiving device-responsive signals from a sensor operatively associated with said control device, said controlled device having input/output status data-points associated therewith;
first and second memory files connected to said processor, said second memory of the first-in first-discard type;
means operatively associated with said processor for scannning the input/output status data-points and storing the so-obtained status information in said first memory file and, thereafter scanning said input/output status data-points and comparing the thereafter obtained input/output status information with the input/output status information stored in said first memory file and, in the event that a difference between the thereafter obtained status information and the status information stored in said first memory is detected, for updating the appropriate status information in said first memory and storing information related to the detected difference in said second memory file;
(claim 13 cont'd) means responsive to selective ones or combination thereof of said input/output status information for providing an inhibit signal to said second memory file to prevent storage therein.
Applications Claiming Priority (3)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US06/115,161 US4304001A (en) | 1980-01-24 | 1980-01-24 | Industrial control system with interconnected remotely located computer control units |
| CA000368795A CA1171543A (en) | 1980-01-24 | 1981-01-19 | Industrial control system |
| US115,161 | 1987-10-30 |
Related Parent Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CA000442692A Division CA1182572A (en) | 1980-01-24 | 1983-12-06 | Industrial control system with interconnected remotely located computer control units |
Related Child Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CA000442692A Division CA1182572A (en) | 1980-01-24 | 1983-12-06 | Industrial control system with interconnected remotely located computer control units |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CA1182572A true CA1182572A (en) | 1985-02-12 |
Family
ID=25669230
Family Applications (2)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CA000442691A Expired CA1182569A (en) | 1980-01-24 | 1983-12-06 | Industrial control system with interconnected remotely located computer control units |
| CA000442692A Expired CA1182572A (en) | 1980-01-24 | 1983-12-06 | Industrial control system with interconnected remotely located computer control units |
Family Applications Before (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CA000442691A Expired CA1182569A (en) | 1980-01-24 | 1983-12-06 | Industrial control system with interconnected remotely located computer control units |
Country Status (1)
| Country | Link |
|---|---|
| CA (2) | CA1182569A (en) |
-
1983
- 1983-12-06 CA CA000442691A patent/CA1182569A/en not_active Expired
- 1983-12-06 CA CA000442692A patent/CA1182572A/en not_active Expired
Also Published As
| Publication number | Publication date |
|---|---|
| CA1182569A (en) | 1985-02-12 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US4410983A (en) | Distributed industrial control system with remote stations taking turns supervising communications link between the remote stations | |
| US4347563A (en) | Industrial control system | |
| CA1171543A (en) | Industrial control system | |
| US4402082A (en) | Automatic line termination in distributed industrial process control system | |
| US4352103A (en) | Industrial control system | |
| US4628504A (en) | Distributed bus control communication protocol | |
| US4511958A (en) | Common bus access system using plural configuration tables for failure tolerant token passing among processors | |
| CA1185375A (en) | Dual path bus structure for computer interconnection | |
| CA2068805C (en) | Acquiring the identification of a node in a data processing input/output system | |
| CA1201170A (en) | Hybrid optical/electrical data highway | |
| CN101286940A (en) | Dual-redundant CAN bus communication system and communicating method thereof | |
| US4583089A (en) | Distributed computer control system with variable monitor timers | |
| JPH04245746A (en) | Intelligent communication network interface circuit | |
| CA1191919A (en) | Communications network access rights arbitration | |
| AU611068B2 (en) | System for internetwork communication between local area networks | |
| CA1182572A (en) | Industrial control system with interconnected remotely located computer control units | |
| CA1182567A (en) | Automatic line termination in distributed industrial process control system | |
| US20110093767A1 (en) | System and method to serially transmit vital data from two processors | |
| CA1182568A (en) | Industrial control system | |
| KR100237613B1 (en) | Remote redundant system and control method in plc | |
| JP2003140704A (en) | Process controller | |
| JP2644571B2 (en) | Remote IPL control method | |
| JPS6412144B2 (en) | ||
| JP2907233B2 (en) | Upper link system of programmable controller | |
| WO2022186723A1 (en) | Dual-redundant bus for automated monitoring systems |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| MKEX | Expiry |