CA2244009A1 - Networked facilities management system - Google Patents

Abstract

A network system having a wide variety of applications and particularly applicable to facilities management systems has multiple levels of software in processing nodes. The levels include a "features" processing level which communicates requests for data to a software object level containing databases of processes and attributes and database managers. The database managers in the software object level operate to provide data to the high level features in the same format. The software object level communicates with a hardware object level which also contains databases and database managers to mask differences between operational hardware units. By categorizing operational units by type, additional units of a known type can be added with only low level hardware object database changes. Adding units of a new type is facilitated by software changes confined to the lower level hardware and software objects, avoiding software changes at high level features. Individual software objects are tailored for typical types of inputs and output devices encountered by facilities management systems. Universal drive circuitry also provides applicability to a broad range of devices.

Description

WO 9~ 766 PCT/US91/0055 NETWORKED FACILITIES MANAGEMENT SYSTEM

Backq-ound of the Invention 1. Field of~the I~vention The invention relates to automated processing systems which can operate independently or be interconnected to form a network. In particular the invention can be used in a Facilities Management Systems (FMS), although it is not limited to such systems.

2. Related Art State of the art automated systems operating under processor control pass data to and from processors, operational units such as sensors and other physical parameter monitoring units, and other data acquisition and control instruments implemented in hardware. Facilities Management Systems (FMS) performing automated industrial and environmental control are among such contemporary systems. since there is no uniformity among various types of data acquisition and control instruments, automated systems must be compatible with a multitude of non-~ ...... ~ ..... . .. . .. ... .

W O 9~ 766 PCT/US91/0055 standard operational units. To achieve compatibility, such systems have often relied on software tailored to specific interfa/ce requirements. This requires numerous compromises in software design. In addition, when new operational units are added, or existing operational units are changed, it often becomes necessary to rewrite one or more entire software package. This is because requirements of new operational units are often incompatible with software written for earlier units. Since the interfaces among various portions of the software and between operational units and the proces$or are an integral part of the software, the entire software package must be rewritten.
One approach to reducing t~e extent of software affected by changes in operational units is the use of logical point information nodes. This is a modular approach which seeks to isolate high level software features from operational unit specific characteristics. However, this approach remains relatively dependent on the physical or logical ~
location of operational units and on their individual characteristics. While some level of isolation of high level software features could be achiaved by such a modular approach, it is still necessary to write operational unit specific software to accommodate inputs and outputs. Thus, using known technology, it has not been possible to provide software which would be relatively unaffected by the differences in operational unit hardware. As a result, it has also not been WOgl~l1766 PCT/US91/00551 possible to produce software which need not be extensively modified when new operational units are added or existing data acquisition units are substantially changed.
A further limitation cf the related art, especially in systems e~ploying data acquisition and other remotely controlled hardware, is the limited data constructs available. Data acquisition and other remotely controlled hardware typically provide and require specifically formatted data and often do not allow convenient access to desired portions of the data. As a result, in current systems it is sometimes necessary to duplicate data to be used for different purposes or again access data previously obtained. Similarly, it is sometimes difficult in e such systems to access intermediate data developed by a processing apparatus rather than data gathered directly by a data acquisition device.
Automated systems, including those used for facilities management, can operate using centralized or distributed processing techniques. As a result, data at a host node can be accessed for processing at another node (a referencing node) connected to the host node over a network. In distributed real time processing systems, processor nodes operating relatively independently co~m~nicate over one or more data buses to exchange information. In order for a referencing node to access a data element within the data base of a host node, a convention - 30 must be established whereby the referencing node can identify the host node whose data base contains the WO91/117~ PCTtUS91~551 required data element and the specific location of the data element within the host node.
Such a convention should avoid relying on a central node to translate a data access request to the appropriate host node address or address within the host node. This is because a failure of the central node performing this function would prevent operation of the entire system.
It would also be unacceptable to search an entire real time network or even the data base of one node for a particular data element. This is because the time consumed by such a search would be excessive. Thus, a direct access mechanism to obtain the required data from within the host node is needed. Moreover, the data base at each node of the distributed system should be independent of data bases at other nodes of the system. It should not be necessary to synchronize the nodes by downloading new data into referencing nodes each time a host data base is changed. Data that was available previously from a host node should, if still present, be available to referencing nodes regardless of how the host node data base addresses are changed. Moreover, the data should still be available to the referencing node, even when the data element moves from one node to another.
Conventional techniques for referencinc~ data between nodes on such distributed real time systems cannot meet all of the above requirements simultaneously. One known approach is the use of hard memory addresses. A referencing node maintains W091/117~ ~T/US91/~551 in its data base a fixed memory address of the data within the host data base. The address is normally bound to a named element of data when the referencing data base is generated, usually in an off-line generation device. The results are then downloaded to the on-line nodes to allow direct access to the data within the host node. While this technique provides quick access to data and does not require a central node to translate addresses, there is no adaptability to changes in the host node data base.
Host node data base c~anges that result ln address changes within the node cause fixed memory addresses associated with the data elements in the referencing nodes to become obsolete. The same problem arises when a data element moves from one node to another. As a result, all the referencing nodes must be re-synchronized to tne new addresses of the data elements. Especially in large systems, this is a time consuming task which causes the referencing nodes to be taken off line until the update is complete. In a facilities management syste~, (~MS) the referencing nodes perform industrial and environmental control functions which often can no longer be maintained when the node is off line.
A second technique uses a "soft" address or record number to locate a data element within the host node. Using this technique, the relative position within a logical data base structure or a unique identifying number is assigned to a data W091/1~76~ PCT/US91/~551 element. As with the hard memory address technique, high speed and reliable access to the data is achieved. However, if the host node data base changes so that the relative position of the element in the data base is now different, the reference nodes are again obsolete and new information must be downloaded to the referencing devices. An additional problem occurs when attempting to assign a unique identifying number to a data item. Without further processing, it is impossible to guarantee that the same identifying number is not used by more than one host in the distributed system. This would create an intolerable conflict on the network.
Finally, after referencing nodes are updated, it would not be possible to download an old data base to the host node since this would now invalidate the information in the referencing nodes.
A third conventional approach involves assigning a name to each data element in the system.
The names are stored in a central node which is used to locate the data. While this allows increased flexibility because data elements can move at will, this central node containing the mapping of names to physical locations becomes a reliability problem.
This is because a failure in the central node would eliminate all communication on the network.
The fourth conventional approach also assigns a name to each data element but avoids t~e central look~p node by searching the network each time the reference is made. However, in most systems, searchinq an entire network for a data element each WO91/11766 PCT/US91/~551 time it is requested would result in an intolerable data communication and processing burden.
Networked systems with a plurality of nodes further require synchronizing time and global data for consistent operation. This is especially true in a facilities management system in which scheduled activities, such as temperature control of areas of a building, may operate routinely based on time of day and other variables. Thus, one of the nodes on the system must accurately track time and coordinate the time information among the other nodes.
However, current systems employing master nodes risk loosing time coordination should the master node fail.
As additional nodes are brought onto a networked system, it also becomes necessary to synchronize the data base of each new node with the most current data base of global variables.
Traditional systems which employ a master node to perform these functions also ris~ reliability problems in this area should the master node fail.
Similarly, operational units communicating with individual nodes or intermediate processors between the nodes and the operational units can be connected to the nodes using data bus networks or similar structures. For consistency, it is necessary that operational and processing units connected to the individual nodes receive the most current values of system variables. Networked systems under master node control introduce similar reliability risks at this level.

WO91/117~ PCT~US91/~551 In automatic processing systems, high level software features and routines may be triggered by events occurring in other processors at the same level or in lower level processors controlled by one S of the nodes on the system. However, data base changes occurring from down-loading new information into one of the nodes could result in errors in such event triggering. Current systems which do not track these event triggering synchronization problems are una~le to guarantee that important software functions will be performed after downloading new information into one of the nodes.
Similarly, reports of results produced by processes performed in the system, or of commands issued by the system, must be routed to appropriate display or storage devices. Current systems which do not accommodate changing the locations of such devices are severely restricted in dynamic environments. Similarly, current systems which do not synchronize changes in the location data of such devices downloaded into the nodes cannot guarantee that reports or messages will arrive at the correct device. Indeed, in some systems, messages which cannot be routed are discarded. This is a potentially serious limitation to applying such desiyns to facilities management systems.
Often, especially in facilities management systems, displays and reports include standardized summarizes of system data. In a typical approach to generating standard su~maries, a processor retrieves individual records, eit~er in response to a command W091/11766 PCT~US91/~5~1 or as part of routine polling of devices for data awaiting transmission. The processor must then test the retrieved data to determine if incorporation into the data summary being assembled is appropriate. Such dedicated summary report generation tests occupy the processors and intensify data co~unications, resulting in reducing achievable processing speeds.
In some cases, it is desirable to obtain reports by routing messages to devices which were not part of the network when confi~ured. Fo~
example, ease of maintenance may be enhanced by allowing connection of a personal computer (PC) to an unoccupied port on a network node. It may also be desirable to provide other non-configured devices, such as printers, access to the nodes on the network. Traditional systems restrict the use of such non-configured devices, since there is no way to communicate with a device whose presence has not previously been made known to the network, for example, by assignment and storage of an address.
As previously noted, networked systems have at least 2 nodes with components for performing processing functions appropriate to the system and communicating with each other over communication links. In a facilities manage~ent system (FMS) such nodes can contain processors, A/D and D/A converters and other equipment interface circuits to obtain sensor data required for processes implemented in the node and to issue equipment commands. The communication links include various communication WO91/11766 PCT/US91/~5~1 media facilitating communication among nodes on the same bus, subnet or network or between nodes on different networks over gateways. Nodes are configured on a system when they are defined in one or more storage devices as members of a network.
Node configuration may occur by storing data defining a path to the node. Thus, the system has knowledge of the node's existence. Depending on the system, storage of configuration information may be centralized or distributed. Such configuration information may include data indicating the type of node, its location on the system, and other information defining a path to the node.
A number of techniques for communicating among nodes interconnected on a networked system currently exist. In broadcast communications methods, all nodes on a network receive a broadcast message or pass the message sequentially from one node to the next. Inefficient communications result from each node's handling of the broadcast message.
Thus, other routing strategies have been developed to improve network efficiency.
' Routing strategies may be adaptive or non-adaptive and systems may contain elements of both strategies. Non-adaptive routing strategies route messages independently of measurements or estimates of current traffic or topology. These may include flooding or broadcast, selective flooding, and static routing. One such non-adaptive routing strategy involves building a graph of communication paths from every node to every other node within the WO91/11766 PCT/US91/~551 network and between networks interconnected by a gateway. Graph analysis techniques for determining the shortest path between pairs of nodes are employed and this information is then programmed into a static routing table. In one such routing table, each node stores partial path data identifying the next intermediate destination for a message ultimately targeted for a final destination node. Since each node has a static routing table which is defined at the time of node configuration, it is inconvenient to alter the routing table to facilitate communications by temporary or extraneous nodes which are not normally part of the network.
This is because only nodes listed in the routing table are available for use in the data communications path.
Dynamic or adaptive routing strategies route messages over communications links in response to message traffic and topology. Adaptive strategies include centralized, isolated or decentralized, and dynamic routing. Centralized routing strategies have a central node monitoring the number and length of messages transmitted over communications links and dynamically issuing routing strategies based on message traffic patterns. This is usually accomplished ~y updating and changing routing tables in response to the changing traffic patterns.
Decentralized strategies distribute partial routing tables among the nodes. For example, when a message is routed to an intermediate node along a path to its final destination, the intermediate node WO91~117~ PCT/US91/~55 examines the traffic pattern among alternative remaining paths to the destination node and dynamically selects one of the several alternatives according to certain measures of efficiency. Thus, adaptive strategies provide for reconfiguring routing tables in response to changed conditions, including the addition of new devices. However, in many cases it is not possible to incorporate non-configured devices. Even where this is possible, the temporary incorporation of a previously non-configured device often does not justify the added processing required for dynamically adjusting routing tables. Such processing increases message transmission time and reduces overall system efficiency.
Regardless of the routing strategy employed by various parts of the system, in certain applications, such as maintenance, diagnostics, and administrative functions, it is desirable to allow data communications between a node on one of the communications links in the system and a temporary node or processing -device. This is particularly true in automated networked control systems. Such systems often have need for emergency maintenance and diagnostic activities and for temporary load analysis. Present techniques are cumbersome because these require temporarily disabling at least portions of the network while a new node is configured onto the network. Configuring new nodes on a network is difficult since new data communication path strategies must be worked out.

,, " ~, , ",, , " , , ,,. . ". . " .. ~ .. . .. . .

W091/117~ PCT/US91/~551 Moreover, developing temporary data path strategies could result in inefficient communication strategies between the temporary or non-configured device and the nodes configured on the network.
In networked automated processing or computer systems multiple processors requiring access to the same data may exist. Often this data is acquired by one of the processors which communicates with a particular sensor. Other processors requiring the same data communicate with the processor containing the data, either directly or through an intermediary, over a data bus. Using currently existing methods, a processor requiring sensor data not available through its own sensors, communicates over the data bus to signal the processor interfacing with the sensor that data is required.
In response, the processor connected to the sensor polls the sensor and retrieves the data. It then transmits this data to the requesting processor for use in the remote processing routine. In another known arrangement, the remote processors signal a master node that data is required from a sensor controlled by a different processor. The master node then signals the sensor controlling processor which then retrieves the data and transmits it to the master node. The master node then provides the data to the requesting remote processor. Thus, each time a processor requires data from a sensor, the sensor controlling processor must access the sensor and transmit the information either to the requesting processor or the master node. If WO91/1~766 PCT/US91/~5~1 numerous processors request frequent access to sensor information, the data bus connecting the remote processors to each other and/or to a master node quickly becomes bogged down with message traffic.
In another known method, slave sensors connected on a bus to a master sensor are set up with a filtering increment. When a filtering increment is used, the slave processor controlling the sensor defines a certain "delta" value that the sensor must change before the slave will report the new value to the master. The master keeps a copy of the data as the slave transmits it. When a filtering increment is employed, the slave processor determines how often data is sent to the master.
Thus, even if the master processor has no requirement for updated sensor information, the slave processor signals the master that the information is to be transmitted. If the sensor parameter is one which changes frequently, the slave processor may inordinately occupy the data JUS with - unnecessary updates of information to the master processor.
In another known method, the master regularly polls each processor for sensor updates. This also results in excessive message traffic on the interconnecting bus, since data is transmitted automatically, even when updates are not needed. In addition, polling systems risk missing important transient data transitions which might occur in a sensor while the master is polling another sensor.

WO91/117~ PCT/US91/~551 In each of the above cases, unnecessary message traffic on the data bus tends to create bottlenecks and reduces the ability of the data bus to respond quickly to higher p~iority message traffic.
Another factor often not considered in modern automated processing and data communication systems is the reliability or integrity of data acquired and communicated among the elemQnts of the system. The level of data integrity and reliability is especially important to facilities management systems which seek to achieve robust control of an environment or process by updating manipulated variables to desired states based on measured parameters of the process. Current systems fail to develop and effectively use reliability or data integrity indicators to produce controlled variations of system performance based on the quality of measuréd data.
In conventional system, operation of proportional plus integral plus derivative controllers used in Facilities Management Systems has traditionally involved control of one loop-at a time. Multiple instances of such PID loops have not been controlled using a single software approach due to the variations in such loops.
Another factor in the design of facilities management and other systems is the design of control systems which are tolerant of system component failures has been an objective for decades. The motivations for increasing levels of ~091~117~ PCT/US91/~5~1 fault tolerance include improved human safety, equipment safety, and control of system performance.
The most basic form of fault tolerance involves the application of fail-safe system components. In the traditional pneumatic HVAC controls industry, this often involves the use of normally open valves for heating applications and normally closed actuators for mixed air damper applications. Under these circumstances, a system failure ~e.g., loss of compressed air, temperature transmitter failure) returns the mechanical system to a safe, although potentially uncomfortable and uneconomic state. In electronic control systems, electric actuators can be specified with automatic spring returns to provide a similar fail-safe functionality.
With the introduction of digital control systems, a higher degree of fault tolerance is possible. The digital controller has the ability to trap specific input signal fault conditions, such as a sensor malfunction, and can then partially compensate for that failure in software. The flexible software response is referred to as a fail-soft feature. Examples of fail-soft functionality in the event of a sensor failure include: l) maintaining the current control signal, 2) commanding the control device to an intermediate safe position, or 3) computing an appropriate control signal based on an alternative s'.rategy.
Aside from the application of redundant components, the use of an alternative or backup control strategy provides the best opportunity for WO91/117~ PCT~US91/~51 simultaneously maintaining equipment safety, occupant comfort, and energy efficiency in the event of an instrumentation failure. An extension of the fail-soft concept involves the application of an intelligent strategy which individually adapts to a specific controlled process and can satisfy nominal system performance requirements over extended periods of time in the event of a failure. Some intelligent strategies ~re -currently applied in advanced military aircraft and nuclear power plants.
The method and apparatus described below is an intelligent backup control strategy to be applied in the HVAC industry.
Facilities management systems employ both demand limiting and load rolling for energy optimization. The demand limiting feature monitors the current energy consumption over a sliding interval of time corresponding to the demand interval used by the power company. This feature controls the system to maintain an average energy consumption below an established limit.
Conventional systems which do not use historical data to predict future demand, tend to overreact to sudden peak$ in energy consumption, and as a result shed excessive loads. The load rolling feature reduces total energy consumption by periodically shutting loads off for short periods of time. The user specifies a target amount of load to remain off. Systems that do not accommodate environmental conditions may cause extremes in areas controlled by loads that are shed for too long a period of time.

WO91/11766 PCT/US91/~1 In a distributed facilities management system, loads might be distributed over multiple control nodes. However, one node runs the demand limiting and load rolling features, shedding loads on its and other nodes in the system. After shedding a load, a problem can occur where communications can be lost between the node issuing the shed command and the node that contains the load. In such a ~ituation the load could remain shed indefinitely causing environmental extremes in areas controlled by the load. The node commanding the load shedding may also experience time delays and information bottlenecks in its attempt to monitor every load and its environmental overrides.
Another important factor in achieving high level performance of facilities management systems is reducing effects of both external and self-induced noise. In addition, it is necessary for a system to provide immunity to external electromagnetic interference (EMI) and prevent the generation of unwanted levels of EMI which may effect other systems. This is particularly critical where wide dynamic range is required, for example, to accommodate both extremely low level sensor signals and much larger digital and binary signals.
Systems which employ a single power supply and other known power supply filtering techniques may fail to provide sufficient isolation from spurious signals or sufficient reliability, due to their reliance on a sole power-supply. Similarly, many contemporary systems al50 fail to sufficiently isolate digital signal lines from sensors which are subject to extremes of environmentally induced spurious signals. This is particularly important in systems employing bus structures and networks. An unpredictable variation in a single sensor on a network can result in systemic problems, if the signal is communicated to other devices connected to the same communications media. A further need for isolation from effects of failures of devices interconnected on a common communications media also exist. Omitting such isolation exposes networks and sub-networks to complete breakdown should a failure occur in a single node. Thus, it is desirable at all levels of system interconnection to provide for isolating interconnected system components from each other. Si~ilarly, it~ is also desirable to provide graceful system degradation in the presence of a failure.
Other limitations of facilities management systems arise in the connections of various devices to control nodes. Multiple devices, especially if connected on a bus, introduce noise on the transmission medium. In addition, the transmission medium may be susceptible to noise from other internal and external sources. Both differential noise, in which opposite polarity voltages appear on two leads of a transmission medium, e.g., a twisted pair, and common mode noise, in which the same noise is induced on both lines of the bus, are possible.
Even where optical coupling of devices to the bus is WO91/117~ PCT/US91/~551 used, it may be necessary to take steps to further reduce noise effects.

SummarY of the Invention To address the limitations of the related art described above, the invention provides a method and apparatus for substantially isolating the software providing the interface between higher level software features and operational units and for allowing changes to operational units without requiring extensive higher level software changes.
An intermediate level of software treats all inputs and outputs in the same way independent of the characteristics of the operational units. A
further intermediate level of software controls interfaces between a higher software level and operational unit hardware. The first intermediate level of software treats all higher level software requests for data from operational units in the same way. ~he further intermediate level of software categorizes hardware units into types which can be manipulated according to a standardized approach for the type.
All intermediate levels of software have a database of attributes and a common method and set of messages for manipulating the attributes which provides broad data constructs for accommodating remotely controlled operational units. Such data constructs minimize the need to reproduce the same data or data attributes for multiple operational WO91/117~ PCT/US91/~51 units. The data constructs are provided with attributes defining paths to at least one other data construct. Thus, the invention provides data constructs containing attributes of associated data constructs.
The invention provides a flexible, reliable method of accessing data among nodes in a distributed system with a method of accessing data in a distributed system without requir;ng a central look up node and without requiring a search of the entire network on every reference t~ the data.
This ~ethod of accessing data within a distributed system assigns a unique name to a data element when it is first defined. The unique name of the data element is bound to a host node at the time the data élement is first accessed. This allows accessing data in a distributed network using a multi-level naming convention based on a user defined name and the physical location of the data element on the networX. In this naming convention, a user assigns names to data elements independent of --where the data element is located on a network.
According to the naming convention, a name is bound to a unique address, such as a physical location and data base location within the node, when it is referenced for the first time in the running network. Subsequent references to data elements are provided by using the user assigned name bound to the unique address.
It is also useful to provide a distributed system having time synchronization of system nodes WO91/117~ PCT/US91/~51 and synchronized data bases of global variables among the nodes. Nodes periodically broadcast their presence on a system using time stamps indicating when the node's data base of global variables was last updated. As a result, it is possible to coordinate all nodes on a network to incorporate the global data base of the node having the most recently updated global data base.
The invention further detects and reports inconsistencies and duplication of data constructs in their respective data bases. This is accomplished in the system by recognizing directory entries in the nodes' data bases which have multiple definitions in other locations on the system.
Nodes without routing tables identify other nodes with routing tables in order to identify paths to route download requests from the nodes without routing tables to devices containing download information.
Within the system, data constructs allow high level features in the nodes to be notified or triggered by changes -of state in attributes and objects on other nodes. In addition, changes in locations of objects and attributes in the system can be detected to notify features activated or triggered by the objects or attributes.
Results produced by system processes are reported to appropriate display and storage devices.
Thus, the system according to the invention detect changes in physical locations of display and storage devices and route reports to the correct devices.

WO91/11766 PCT~US91~551 .

To reduce the volume of data traffic required to produce standard or predefined summaries of data for storage or display, a system or method according to the invention filters data used in producing standard summaries. This is accomplished by defining criteria for data retrieval in a high level feature directory routed to a task in the same node as a directory of the data to be retrieved. The system can retrieve standard summary data according to nodes identified in a directory and assemble the data in the node containing the directory into a message for transmission to a feature generating the summary.
In another aspect of the invention it is also desireable for a system to allow devices not included in the original network configuration to communicate with configured nodes on the network.
Thus, non-configured devices can receive messages from configured nodes on the network. Such non-conflgured devices can access networks which employeither adaptive or non-adaptive routing strategies without requiring the down loading or updating of static or dynamic routing tables in existing nodes.
A system according to this aspect of the invention allows such non-configured devices to be attached to a first configured node on a network using one of either an adaptive or non-adaptive routing strategy and to receive messages from other nodes on other networks using the same or a different routing strategy, without requiring shutdown of the system.

W091/117~ PCT/US91/~551 Access to a communication system on demand by processing devices is provided without requiring their membership in a network on the system. Such processing devices access a system to perform diagnostics, maintenance, and administrative functions from anywhere in the system. These processing devices access a data communication system on demand without requiring changes to global variables or static or dynamic routing tables or directories.
The invention also provides a data communications approach which allows access to data remote from the requesting processor without creating unnecessary message traffic. It further reduces unnecessary access to sensor data in a facilities management system and prevents slave controllers from providing unnecessary information to a master controller which does not require it.
Access to sensor information is controlled based on the expected rate of change of the parameter measured by the sensor. A master - controller regulates access to sensor information by remote slave controllers according to the validity of the sensor and the data transfer needs of the system. In addition, it is possible to regulate access to data by remote master controllers connected on a network bus to a master controller regulating the data producing processor on a local bus.

W O 91/11766 PC~r/US91/00551 It is another aspect of the invention to test reliability of data elements and tag a status of the tested data with an indicator of its reliability.
It is also useful to report the reliability indicators associated with data elements throughout the system. By associating a reliability indicator with data used in intermediate calculations throughout a system, a reliability indication of a result obtained through one or more calculations can be determined.
A portion of the software is provided in the form of a generalized proportional plus integral plus derivation control object to translate commands from high-level software features in control systems and convert these commands to appropriate signals which activate and control a proportional plus integral plus derivative (PID) control loop (e.g., activate and control devices as part of a closed top control process). This software object also provides a predictable and controlled transfer from control by a scheme outside a PID loop to control by PID automatic control means. Other features of a software object include eliminating the hysteresis effect that a controller may experience between the output controlling a process and a sensed feedback from the process and providing an adjustable dead band to PID control. The software mechanism in the form of a PID device object also prov~d~s the ability to interface actual PID hardwaré to other software objects and a scheduling means for PID
loops.

W091/117~ PCT/US91/~5~1 In view of desirability of implementing improved back-up control strategies in HVAC
applications, the invention provides an HVAC control system with the ability to maintain control over a process when an input variable becomes unreliable.
Operation of a process, even when feedback from the process is lost or unreliable, is provided based on a model of the system or process and other system inputs. A set of parameters is locked at the time that the system or feedbac~ becomes unreliable.
Thus, a manipulated variable is adjusted based on the state of process variables just prior to the system or process becoming unreliable and based on current status of process variables. This also provides the ability to control response of an HVAC
system to a changing setpoint in the presence of an unreliable variable.
Another aspect of the invention provides the ability to predict energy demand in a future demand time period based on the current demand and historical collected data. With this information, the system can automatically vary on and off times of a -load to accommodate the predicted energy demand, thereby maintaining average demand below a target. In addition, it is possible to adjust operating time of a load to minimize costs by shifting energy consumption from expensive periods of high de~and to less expensive perio~s e- lower demand and to adjust the operating time of a load to accommodate environmental conditions in areas affected by the load.

WO91/11766 PCT/US91/~551 In another aspect, communications between demand limiting and load rolling features in one node and objects in other nodes do not become impaired ~y excessive traffic. Loads shed as a result of demand limiting remain shed until communications with the demand limiting feature are restored. A load shed as a result of load rolling is restored even if communication with the node containing the load rolling feature are not restored.
Shed and restore characteristics are provided as attributes as part of an object rather than as part of a higher level software feature.
A message to an object manager redirects load related characteristics for the load local to the node using a restore task localized within the node.
To reduce noise coupling among local devices connected to a node, optical coupling of signals between the nodes and local devices connected to a local bus is employed. Effects of differential mode noise induced on the bus are ameliorated by biasing the leads of the bus to a predetermined voltage.
OpticaI isolators are protected from large common mode voltages by using tranzorbs and metal oxide varistors to shunt such high voltages safely to ground. Indicators of when a node is transmitting and receiving data are provided.
Separate digital and communications power supplies to portions of the local bus interface circuits are provided. An optocoupler isolates the digital and communications power supplies. As a WO91/117~ PCT/US91/~551 result, a system can be operated with no ill effects with up to 2500 volts, peak, noise on the communication power supply.
In one aspect of the invention, software is organized into multiple levels. The highest or "features" level communicates with a software object level containing software object database managers and databases. The software object level treats all inputs and outputs to and from the features level the same way. In addition, the software object level communicates with a lower intermediate level, the hardware object level. The hardware object level contains a hardware object database manager and databases. The hardware object level operates to mask the differences between individual operational units to the software object level. The hardware object level categorizes data acquisition units so that additional units of a known type can be added with no more than a minor database change.
Additional types of operational units can also be added while software changes are confined to the hardware object level. Thus, new units can be incorporated without any major impact on overall system software.
The software also employs points and pseudo points. One or more attributes define a point as a vector quantity. The values of the attributes which characterize the vector quantity are obtained from operational units, such as sensors. Each individual point is an independent vector quantity which is defined without reference to any other point in the WO91/117~ PCT~US91/~551 system. A pseudo point is also a vector quantity defined by attributes. However, at least one of the attributes of a pseudo point identifies an associated point or attribute of a point.
Additional attributes of the pseudo point are then obtained from the identified point to facilitate intermediate calculations without requiring repeated access to the operational unit associated with the point.
Other aspects of the invention are accomplished by a multi-level naming convention.
First, each data element is assigned a name unique to the system, so that it is a unique identifier which is used only for that piece of data. The name assignment is done when the data element is created in a network generation process. When the name is referenced the first time in the running network, the name is assigned or bound to a unique address identifying both the node location and the data base location within the node. This is done by searching the network for the data element by name the first time it is referenced. Thereafter, this bound reference is used to locate the data element ~t each subsequent reference to that data element during run time.
In another aspect, consistency among global variables in the nodes is maintained. At regular intervals each node broadcasts its presence and a time stamp indicating the most recent update of its data base of global variables. The nodes receiving the broadcast compare their time stamps with the one W 0 91/11766 P ~ tUS91/00551 most recently broadcast. If the time stamps are not the same, the receiving node requests the broadcasting node with the latest data to download the more recent global variable data base. This occurs so that all the nodes have the most recent global variables.
In another aspect of the invention a facilities management system is divided into a plurality of individual systems with each of a plurality of nodes having a list of all the names in systems defined on the nodes. In order to allow the systems to be distributed over one or more interconnected networks, the system definitions include a directory of objects for the system stored on the system defining node. The directory defines which node the object is located on so that it is not necessary for all the objects of the system to be resident on a single node. When objects are moved around from the control of one node to another, the directories are updated.
Another aspect of the invention involves using a single node to coordinate timing within the system. The time keeping node monitors calendar date and time of day to assure that regularly scheduled activities take place as required. In addition, should the node monitoring calendar date and time become disabled, a second node performs this function.
Calendar date and time of day information also can be maintained in all the nodes distributed on a system. The nodes are time synchronized by WO91/11766 PCT~US91~00~51 redistributing to all the nodes date and time information at a fixed time every day under normal operating conditions. This permits routine updating and synchronization on a regular basis of the plurality of nodes.
In another aspect, nodes are provided the ability to cascade download requests through other nodes. A node without a routing table identifies another node with a routing table which can identify a path to route a download request. Thus, once a first node contains a routing table a second node without a routing table can receive download information from an external device through the node with the routing table.
In another aspect of the invention, triggering attributes of objects is accomplished in response to changes of state. Object managers and high level software features "sign-up" to be notified when specific events occur. For example, an alarm might be triggered when a sensor exceeds a known threshold. It is not necessary that the object manager which handles the sensor information and the feature be located at the same node. The feature need only "sign-up" to be notified by the appropriate object manager. However, in the event that the object manager is changed the sign-up becomes invalid. This is detected and the feature is notified.
In another aspect, the routing of reports is distributed. Routing information is retained within each node on the network as global data. Reports ~, .

WO91/117~ PCT/US91/~1 emanating from the node are routed through a report router task for ultimate distributions to the destination device. The report routing task acts as intermediary between inputjoutput routines of the nodes. The report router determines if the input/output routine can route the report to a destination device. If not, the report router determines if a second or default device is available. If not the message is discarded and the report routers are so notified. If a default device is available, the report is routed to the default device.
In another aspect, the volume of data traffic required to produce the standard or predefined summaries-of data for storage or display is reduced.
This is accomplished by localizing filtering of data at the node of which the particular object directory of interest is located. Standard summary data is obtained from the nodes identified in a directory of a first node. The data need not be obtained from devices connected to the first node, but obtained from the nodes identified in the directory. When the data is obtained it is assembled in the node containing the directory into a message for transmission to the high level software feature generating the summary. The high level software feature may be located in any node.
In another aspect of the invention a non-configured device can be attached to a port on a configured node of a network. The non-configured device, which contains its own process identifiers, ,~ , . .~.

WO91/117~ PCTJUS91~51 communicates via that port with the configured ne~work node. The configured network node communicates with other configured network nodes to route messages from the non-configured device to their destinations. Destination nodes recognize the message source as the configured network node or as a non-configured device dropped from a port on a configured node. Thus, at the destination node, responses generated are transparenr to the status of the source as a non-configured device. The final destination node responds as though the message is from a configured node and the response message follows the same or an alternate data co~munication path back to the configured node having the non-configured device connected to its port. Based oncommunications over a drop between the non-configured node and the configured node, the configured node provides the message- to the non-configured device which delivers it to a process identified in the message. This allows any configured node to respond to data requests made by a non-configured device.
. Another aspect of the invention provides a method and apparatus in which a master controller stores sensor values in a data aging table and associates each sensor value with a valid time frame. All re~uests for data during the valid time frame are serviced by transmitting the value from the data aging table in the master controller. This prevents further data requests to the slave controller and reduces message traffic on either the , . ., " .~

WO91/117~ PCT/US91/~551 local or the network bus. This also allows matching the aging timer value to the characteristics of the sensor data.
In another aspect, the invention provides an indicator to detect the status of data reliability.
Each data element is assigned a reliability indicator which is propagated throughout all the calculations involving the data element. As a result, it is possible to determin~ an overall certainty of the accuracy of a calculation, since each intermediate calculation also considers the reliability of the data elements.
Another aspect of the invention provides a proportional and integral and derivative controller software object which is based on sampling a feedback value at consistent time intervals. The object incorporates the proportional, integral, and derivative terms independently so that the individual terms may be removed. This facilitates having any combination of proportional, integral and derivative controis. The PID software object employs points and pseudo points on which input conditi-oning is performed and which are processed according to a sample period, proportional band, and other parameters. By outputting a percentage of full scale deflection of a variable, the corresponding output port may be driven.
In addition, a fault tolerant control strategy to predict steady state change in a controlled variable for a given change in inlet process conditions can also be used. Applying a .. , .~

WOgl/1176~ PCT/US91/~551 simplified model based on measures of effectiveness, the change in effectiveness--due to a change in a process variable is derived. Further assuming that the process model will only be valid for a limited region around the current bperating point allows calculation of a manipulated variable value based on previous values of the manipulated variable, other manipulated variables, primary and secondary process variables, the initial value of the controlled variable, and a setpoint. By incorporating the setpoint and primary and secondary process variables into a system dependent only on the initial value of the controlled variable, a variable can be manipulated based on current inputs and system history, even though the controlled variable or feedback signal is presently unreliable.
In another aspect the invention allows predicting energy demand in a future demand period based on a window of previous energy consumption.
In response to the predicted energy demand, commands can be issued to shed loads contributing to the demand so that a demand limit is not exceeded.
Loads that are shed either by the demand limiting or load rolling feature will be restored either due to a defineable time period expiring or as a result of an extreme in àn environmental condition being detected in an area affected by the load.
A high level feature which sheds a icad may lose communication with the load since loads are distributed over multiple nodes in a system. To be certain that a load shed as a result of a load WO91~11766 PCT~US91/~51 .

rolling co~mand is restored after a prescribed time interval for that load, a restore task is localized within each node. Specific shed and restore characteristics are stored -as attributes of the object in the node with the load and not as part of the demand limit/load rolling high level software feature. This allows high level software features in one node to shed loads distributed over the system without requiring that communications be maintained with the load in order to restore the load at the proper time.
A localized restore task also will monitor environmental conditions affected by the load and, thus, eliminate the extra traffic on the network by removing that task from the node running the demand limit/load rolling feature.
The invention also provides an optical interface to a local optical bus compatible with the RS/485 Electronic Industries Association specification. The interface employs bias circuitry which is used to "swamp out" differential mode noise on the leads of the bus and transorb and MOV
circuitry to shunt common mode voltage and excessive differential mode noise to ground. Optical isolators provide isolation between digital and communications power supplies and retriggerable one shots are used to activate data transmission and reception indicators such as LEDs.

Brief Descri~tion of the Drawinqs W O 9~/11766 PCT/US91/00~51 The above objects of the invention are accomplished as described below in accordance with the following figures:
Figure 1 is a network control module according to the invention.
Figure 2 shows a digital control module according to the invention.
Figure 3 shows an expansion module according to the invention.
Figure 4 shows a network control unit in a five slot configuration.
Figure 5 shows a network control unit in a two slot configuration.
Figure 6 shows a single slot configuration network control unit.
Figure 7 tabulates modules used in one, two, and five slot configurations of a network control unit.
Figure 8 tabulates modules used in one, two, and five slot configurations of a network expansion unit.
Figures 9A and 9B illustrate a sample facilities management system configuration.
Figure 10 illustrates a lighting controller used in a network according to the invention.
Figure 11 illustrates a card access controller used in a network according to the ~ invention.
Figure 12 illustrates an intelligent fire controller used in a network according to the invention.

WO91/11766 PCT/US91/~551 Figure 13 illustrates a facilities management configuration for small buildings.
Figure 14 illustrates a facilities management configuration for mid-size buildings.
Figure 15 illustrates a facilities management configuration for large buildings.
Figure 16 illustrates a facilities management configuration for remote buildings.
Figure 17 shows one system configuration according to the present invention.
Figure 18 shows a more detailed view of various software levels.
Figure 19 illustrates the use of points and pseudo points according to the invention.
Figure 20 is another overview of a system according to the present invention.
Figure 21 is a flow diagram illustrating a first embodiment of the method of the invention.
Figure 22 is a flow diagram illustrating a second embodiment of the method of the invention.
Figure 23 illustrates a further optimization of the method in Figure 22.
Figure 24 illustrates an embodiment of the method of the invention using multiple levels of names.
Figurè 25 illustrates an example of the invention when a name changes its address within a node.
Figure 26 illustrates an example of the invention when a name moves between nodes.

,.

Figure 27 illustrates a method of time synchronizing nodes according to the invention.
Figure 28 illustrates downloading global variables to nodes on the network according to the invention.
Figure 29 is a more detailed illustration of downloading variables according to the invention.
~ igure 30 illustrates cascading of download devices according to the invention.
Figure 31 is a table showing transmission of messages when a download request originates from an archive unit.
Figure 32 is a table illustrating a sequence of message passing when a node without a routing table initiates a download request.
Figure 33 illustrates triggering of features from attributes of objects.
Figure 34 illustrates distributive report routing according to the invention.
Figure 35 illustrates filtering of summary report data at local nodes.
Figure 36 shows a more detailed description of the events which occur in applying selection criteria to filtered attributes.
Figure 37 shows an example of a non-configured device attached to a configured node for communicating over communications links with one or more configured nodes.
Figure 38 illustrates the message path between the non-configured and configured nodes in Figure l along with various data communication layers.
Figure 39 illustrates the transmission of a request from a non-configured de~ice or a response 5from a configured device.
Figure 40 illustrates the receipt of a request from a non-configured device or the receipt of a response from a configured device.
Figure 41 tabulates a possible routing l0strategy for messages between the non-configured device and a configured node.
Figure 42 shows the general configuration of a facilities management system.
Figure 43 shows a basic configuration in 15which a master node communicates with slave nodes over a local bus.
Figure 44 shows another embodiment in which multiple master nodes communicate over a network bus.
20Figure 45 illustrates a method of tagging data with reliability indicators.
Flgures 46A and 46B illustrate processing of a PID Loop Object.
Figure 47 shows a typical HVAC control system 25with a fault tolerant control strategy implementation.
Figure 48 shows the phases of implementing a fault tolerant control strategy.
Figure 49 illustrates the inputs and outputs 30of the phases of the strategy.

WO91/11766 PCT/US91/005~1 Figure 50 illustrates one configuration of a system with a digital control module and a network controller.
Figure 51 shows a configuration of a system with distributed load shedding and localized restore tasks.
Figure 52 shows a fault tolerant control configuration.
Figures 53A and 53B show process monitoring steps.
Figure 54 shows steps in operating a fault tolerant controller.
Figure 55 shows steps in switching a manipulating and backup variable.
Figure 56 illustrates nodes operating slave devices over a local or slave bus.
Figures 57A and 57B illustrate an optical interface between a node and a bus having slave devices.

Detailed Descri~tion of the Preferred Embodiments --Figure 1 shows generally network control module 1-1 which has a processor 1-3, dynamic random access memory 1-5, and electronically programmable read only memory 1-7. Network control module 1-1 communicates with high speed bus 1-9, the Nl bus, so that network control module 1-1 can be interconnected in a local area network configuration to other network control modules. A plurality of network control modules 1-1 connected over high WO9l/11766 - PCT/US91/~551 speed bus 1-9 form a network which can be interconnected through gateways to other networks of network control modules interconnected on high speed buses. Network control module 1-l further has standard RS-232 interface 1-11 with a plurality of ports to provide communication through a modem over port 1-13, a specialized network terminal over port 1-15 and a computer, or printer over port 1-17.
Field trunk controllers 1-19 and 1-21 allow network control module 1-1 to communicate with field devices interconnected on communications media 1-23 and 1-25.
Subnet controller 1-27 allows devices 1-29, 1-31, 1-33 to com~unicate with network control module 1-1 over N2 bus 1-35. To isolate network control module 1-1 from spurious signals and power surges which may become impressed on N2 bus 1-35, N2 subnet controller 1-27 incorporates an opto-22 interface 1-37, as shown. A network control module according to the invention functions as a central part of a network control unit described below. ~
Network control modules, either alone or as part of network control units, function as controllers for nodes interconnected by the high speed N1 bus l-9.
Thus, a primary function of the network control module is to supervise peer to peer to communications-with other network control modules or network control units and operator work stations on high speed bus 1-9.
In a facilities management system (FMS) the network control module performs supervisory control of an area of a building. Thus, in accordance with specialized programs, the network control module supervises maintaining environmental conditions according to program parameters and communicating with operational units, such as sensors and other devices connected to the network control module l-l via N2 bus 1-35. Network control module l-l further manages co~munications over a RS-232 interface l-ll to various person machine interfaces (PMI).
Specialized devices in the facilities management system can be connected via field trunk controllers 1-2l and l-l9 and corresponding communication media 1-25 and 1-23. In a facilities management system (~MS) according to the invention, the network control module l-l, which is sometimes referred to as a network controller, is configured as a plug in module which mates with a connector on a backplane.
Figure 2 shows digital control module 2-l which also in~erfaces with a connector on a backplane. Digital control module 2-l includes processor 2-3 and memory 2-5. Memory 2-5 is divided into a static random access memory section 2-7, and electronically programmable read only memory (EPROM) section 2-9, and an electronically erasable programmable read only memory (EEPROM) 2-ll. In addition, digital control module 2-l has input/output sections 2-13 and 2-15. A digital control module 2-l may also be incorporated into a network control unit according to the invention, as discussed below. A digital control module conditions sensor inputs received through WO9l/11766 PCT/US91~551 input/output sections 2-13 and 2-15 and reports changes to the network controller or network control module 1-1. In addition, in a facilities management system (FMS) the digital control module performs closed loop control for a plurality of control loops. Thus, closed loop control can be accomplished without a network control module. In addition, the digital control module 2-1 executes commands received from network con~rol module 1-1.
Digital control module 2-1 further may ac~ept inputs either directly or through a function module. A
function module (FM) also performs conditioning of an input or output signal. While a digital control module according to the invention can accept inputs directly (100-1,000 ohms RTD (resistive temperature device), 4-20 mA, 0-10 volts DC) or through an input function module, all outputs from a digital control module 2-1 are characterized by function module selection. A function module (not shown) conditions signals but does not perform sophisticated processing. Such function modules, according to the - invention, are tailored to accommodate the specific conditioning function required. Thus, a function module may contain sophisticated electronics tailored to perform a specific task or may be as simple as a single resistor.
Network control module 1-1 also performs numerous background tasks, as discussed below, to assure that each of the nodes on the system is operating with the same global variables, is time synchronized, and has consistent directories of system names. In addition, software in the network control modules l-l to reduce data communications, to track the aging of data, and to provide a uniform mean- of isolating high level software features from specialized operational units is discussed below.
Typical input function modules in a facilities management system include pressure/electric transducers, binary input contacts or AC line voltage conditioners, -differential pressure inputs, and binary frequency inputs.
Typical output function modules include analog outputs, analog outputs with isolated grounds, electric/pressure transducers, binary polarity reversing, triac incremental function modules, motor start/motor stop function modules, electrically maintained relay outputs, magnetically latched relay outputs, and solenoid air valve function modules.
As shown in Figure 3, expansion module (XM)

3-l according to the invention, includes processor 3-3 and memory 3-5. The memory is typically divided into static random access memory (SRAM) 3-7 and electronically erasable programmable read only memory.(EEPRON) 3-9. Point multiplex modules 3-ll provide a configurable input~output for the expansion modules. The expansion module is also a plug in module which plugs into a connector on a back plane in a node of a facilities management system. The expansion modules condit?on:r,inary, analog and pulse inputs and report changes to the network controller or network control module l-l.
In addition, the expansion module executes binary wn91/117~ PCT/US91/00551 output commands from network controller 1-1. Point multiplex modules 3-11 provide five configurations of expansion modules. These include a first configuration having 32 binary inputs, a second configuration having 8 binary inputs and 8 pairs of outputs using momentary relays, a third configuration having 8 binary inputs and 8 magnetically latched relay outputs, a fourth configuration having 8 analog inputs and a fifth configuration having 8 binary inputs and 8 electrically maintained relay outputs.
Network control modules, digital control modules, and expansion modules, can be combined in various configurations to form a network control unit according to the invention. A network control unit (NCU) in a facilities management system monitors and supervises heating ventilating and air conditioning (HVAC), lighting, and building functions. Network control units are interconnected by the Nl bus 1-9. As part of an N1 network, the NCU shares all data with all other NCUs in a dynamic data access relationship. A distributed system is formed because peer-to-peer communications allow each network control unit to access and use data acquired under the control of any other network control unit. Thus, information at any level is accessible to every NCU to integrate and optimize all components within a building. Netwcr~ control units can also be interconnected to perform other control functions involving the use and monitoring of diverse physical sensors and equipment, such as WO 91/11766 PcT/us9l/oo5

-4~-a broad array of industrial control processes and other processes involving control systems.
Figure 4 shows one configuration of an NCU 4-1 in which five slots 4-3, 4-5, 4-7, 4-9 and 4-11 are available. Slot 4-3 contains a network control module as previously discussed relative to Figure 1.
The network control module provides the sole means of communication along the high speed Nl bus 4-15 through communication terminal board 4-13. It should be noted that only a network control module can communicate on the high speed Nl bus 4-15.
Slots 4-5 through 4-ll can be occupied by digital control modules, expansion modules, or additional network control modules as shown. Communications between these devices and with the network control module is via the ~2 bus 4-16. Slots 4-5 and 4-9 can also accommodate network control modules. These network control modules may also communicate over the N1 bus 4-15 as indicated by dotted lines 4-17 and 4-19 in Figure 4.
As shown in Figure 1, network control unit 4-1 is provided an interface to an operator through RS-232 interface portion 1-11 of network control module 1-1. Using a dial-up modem 1-13, specialized network terminal 1-15 or an operator work station such as a personal computer, an operator may generate or respond to commands and provide program changes and organizing data to user specified data ~ bases.
The five slot NCU configuration in Figure 4 also shows connectors 4-21 and 4-23 for a plurality ,, " ., , ,, 1l~ M . ~ . ~, SU6S I !T~TE SHEET

WO91/117~ PCT/US91/~551 of input function modules and corresponding input function module terminal boards 4-27 and 4-25.
Similarly, connectors 4-29 and 4-31 accommodate a plurality of output function modules and corresponding output function module terminal boards 4-33 and 4-35 are provided. It should also be noted that each individual slot 4-3 through 4-11 is provided with its own power supply 4-37 through 4-45. Expansion module input ter~inal boards are provided at 4-47 and 4-49 and expansion module inputs/output terminal boards are provided at 4-51 and 4-53. Line voltage, V, is applied to the power terminal board 4-55.
An alternative configuration of a network control unit is the two slot configuration 5-1 shown in Figure 5. Slots 5-3 and 5-5 can each accommodate an expansion module-. Slot 5-3 can also accommodate a digital control module while slot 5-5 can also accommodate a network control module. It should be noted that in order to constitute a,network control unit, at least one network control module is required. This is because, as previously noted, it is only a network control module which can communicate in a peer-to-peer relationship with other network control units over the N1 bus. Thus, slot 5-5 has a connection to the N1 bus 5-7.
Devices installed in slots 5-3 and 5-5 communicate with each other over N2 bus 5-9. Both the N1 and N2 buses are connected to communications terminal board

5-11 to provide further communications with the remaining parts of the system.

SU~iTlTUTE St~EET

W091/117~ PCTJUS91/~551 In a manner analogous to that discussed in Figure 4, a plurality of input function modules can be located at connectors 5-13 and the plurality of output function modules can be located at connectors 5-15. Input function module terminal board 5-17 and a corresponding output function module terminal board 5-l9 are also provided. Similarly, expansion module input terminal board 5-21 and expansion module input/output terminal board 5-23 provide access to the expansion module. It should be further noted that devices in slots 5-3 and 5-5 also have independent power supplies 5-25 and 5-27. Line voltage, V, is provided to power terminal board 5-29.
Figure 6 shows a single slot configuration according to the invention. Slot 6-3 can contain a network control module in which case the device operates as a network control unit with the ability to communicate on a peer-to-peer basis with other devices via the Nl bus 6-5. Communication with devices on the N2 bus external to the NCU 6-l is over N2 bus 6-7.
As Figure 6 shows, line voltage, V, is connected to power terminal board 6-9 and power supply 6-ll supplies the device in slot 6-3. Figure

6 also shows that device in slot 6-3 can be an expansion module. Thus, the single slot configuration in Fi~ure 6 also has expansion module ~ input ter~inal board 6-13 and expansion module input-output terminal board 6-15.

5V~B,sTlT~J rE S~E

-~a-As previously stated, a network control unit must have a network control module in order to SUBSTITUTE SHEET, WO91/11766 PCT/US91/~5~1 accomplish peer-to-peer communications over the Nl bus. However, as the single slot configuration in Figure 6 shows, it is possible for a device to be constructed having an expansion module without a S network control module. Since an expansion module could not communicate over the Nl bus, the device can not be a network control unit. It is possible, according to the invention, to construct in either the 5 slot back plane shown in Figure 4, the two slot back plane shown in Figure 5 and the one slot back plane shown in Figure 6 a device which does not have the capability of communicating over the Nl bus. Such devices are called network expansion units (NEU). Network expansion units serve two functions. First, they serve as a collection platform for I/0 points in order to increase the point and control loop capacity of an NCU. Second, network expansion units can be remotely located from an NCU to monitor and distribute control to points and then transfer the data from these points back to --the NCU over the N2 bus.
~ Since the back planes can be used to construct either a network control unit or a network expansion unit, alternative configurations are possible. Figure 7 shows fully loaded alternative configurations possible for network control units having l, 2 and 5 slot back planes. Figure 8 shows fully loaded possible configurations of network expansion units having l, 2-and 5 slot back planes.

S~JBSTITUTE SHEET

., . ~ , . , , ., . ., . .. . ~, . . . . . .. . .

7~ PCT/US9l/~551 --S I -- ~_ Figure g illustrates a possible configuration of a facilities management system according to the invention. Five slot NCU 9-1 communicates with one slot NCU 9-3 over Nl bus such as ARCNET 9-5. N1 bus 9-5 is also connected to personal computer 9-7.
Personal computer 9-7 can be used as a download device to download new information and data bases to NCUs 9-1 and 9-3 and other devices connected to NCUs 9-1 and 9-3. N1 bus 9-5 is ~connected to communication terminal board 9-9 in NCU 9-1 and terminal cormunication board 9-11 in NCU 9-3.
Within NCU 9-1 N1 bus 9-13 is connected to network control module 9-15. Since this is the only network control module shown in five slot NCU 9-1, there are no further connections within the five slot NCU to the N1 bus ~-13. Five slot NCU 9-1 also has expansion modules 9-17 and 9-19-and digital control modules 9-21 and 9-23. These modules perform the functions discussed previously and are interconnected with the five slot NCU via N2 bus 9-25. An interface communicates directly with the five slot NCU N1 and devices on its N2 bus via lap-top PC 9-27. As Figure 9 shows, lap-top 9-27 is connected to an RS-232 interface 9-29 which is part of network control module 9-15. A network terminal unit for specialized network terminal 9-31 is also accommodated on RJ-ll interface 9-33. Network control module 9-15 also has sub-modules 9-35 and 9-37. Such su~-modules may include devices such as subnet controller 1-27, field truck controller 1-21 and RS-232 interface 1-11. Function modules, for SUBSTITUTE SHEEl-;

WO 91/11766 PCr/US91/00551 --';l a--example, 9-41a through 9-41f .are also SUB~TITUTE SHEET

WO91/l17~ PCT/US91~00551 used in the five slot NCU 9-1. As Figure 9 shows, each device in the five slots has its own power supply, for example, 9-43a through 9-43f. The power supplies all receive line voltage or AC power through power terminal boards, for example, 9-45a through 9-45d. The individual power supplies exist to isolate spurious signals and noise in one device from being communicated via the power supply lines into a second device.
One slot NCU 9-3 is formed from a single network control module 9-47. Within network control module 9-47 sub-module 9-49 provides an interface to a personal computer 9-51 and RS-232 interface 9-30 is provided to printer 9-53. The NCU may also have RJ11 interface 9-32. Network control module 9-47 communicates from networ~ control unit 9-3 over N2 bus 9-55 to fire system 9-57 and access control system 9-59. Fire system 9-57 is used to detect dangerous smoke and fire conditions in the building and access control system 9-59 is used to provide security services. Such systems are known in the art and are shown to illustrate the capabilities of a facilities management system according to the invention.
Five slot NCU 9-l communicates over N2 bus 9-61 with one slot expansion unit 9-63, two slot network expansion unit 9-65, application specific controller 9-67 and lighting controller 9-69.
One slot networ~ expansion unit 9-63 has an expansion module 9-71 which communicates with the N2 bus 9-61 via communication terminal board 9-73 SUBSTITUTE ~;HEET

WO91/117~ PCT/US91/~551 5~-within the one slot NCU 9-63. Expansion module 9-71 has its own power supply 9-75. As with expansion SUBSTITUTE SHEET

WO91/117~PCT/US91/~551 -~3-modules 9-19 and 9-37 in five slot NCU 9-1, expansion module 9-71 may have any of the five configurations previously described. As previously noted, the expansion modules condition ~inary, analog and pulse inputs, report changes to the network controller and execute binary output commands, which command a connected operational unit to one of two stable states, from the network controller.
10Two slot network expansion unit (NEU) 9-65 has expansion module 9-77 and digital control module 9-79, each with its own power supply 9-81 and 9-83, respectively. Function modules, for example, 9-85a through 9-85c interface with digital control module 159-7g. Both the expansion module 9-77 and the digital control module 9-79 are connected to N2 bus 9-61 within the two slot network expansion unit 9-65 to communication terminal board 9-87. This provides access to N2 bus 9-61 for communications with the rest of the sample FMS configuration shown in Figure 9.
Specialized lighting controller 9-69 is also attached to the N2 bus 9-61 in order to receive commands and provide lighting status information to five slot network control unit 9-1. Known application specific controllers, for example, 9-67 can also be attached to N2 bus 9-61, according to the invention. Such application specific controllers perform dedicated tasks while communicating over N2 bus 9-61. The overall software structure to accommodate various network SUB5TITUTE S~EET

.. . . .. . .

-~4-expansion units and application specific controllers is discussed below.
Figure 10 is an expanded view of lighting controller 9-69 in operation on the system. Figure 10 shows lightin~ controller 10-1 connected over N2 OPTOMUX bus 10-3 to network control unit 10-5 which communicates with operator work station 10-7 over N1 bus 10-9. NEU 10-15 is also shown connected to the N2 bus. The lighting controller has 32 override switch inputs 10-11 and forty relay outputs. ~orty latching relays are possible or 20 remote relays 10-13 via a low voltage cable connect are also possible.
Figure 11 further illustrates an access control system such as that described at Figure 9, 9-59. Here card access controller 11-1 communicates with network control unit 11-3 via N2 bus 11-5, e.g.
an OPTOMUX bus. To provide security, the card access controller 11-1 is connected to a smart terminal interface 11-6 with a reader 11-7, such as a Weigand effect, barium ferrite, or magnetic strip reader and 8 alarm inputs 11-9. The card access controller also accommodates 8 proximity readers 11-11 and communicates over RS-232 interfaces to CRT
display 11-13 and printer 11-15. Typically, one access controller would be used for each network control unit. The N2 bus may also accomodate other units such as NEU 11-17, while the Nl bus 11-21 may be connected to other units such as workstation 11-~ 30 19.
Figure 12 shows a fire system as in 9-57 SUBST-ITUTE SHEET

WO9ltll766 PCT/US9lt~551 _, 4, _ operating on a facilities management system.
Network control unit 12-1 communicates with operator work station 12-3 and other network control units over Nl bus 12-5. N2 bus 12-7 is connected to intelligent fire controller 12-9 which receives inputs from a fire detection/signalling loop 12-11.
Smart detectors, for example, 12-13a through 12-13c, detect smoke, 5UBST~TUTE SHEET

WO91/11766 PCT/US91/00~51 thermal conditions and alarms activated at pull stations. Also connected to the fire detection signal loop 12-11 is control module 12-15 which activates a signalling device. Monitor module 12-17 monitors the status of puIl stations 12-19, heat detectors 12-21 and water flow alarm switches 12-23.
Intelligent fire controller 12-9 is also connected over an RS-485 bus 12-25 to annunciators 12-27.
Similarly, intelligent fire controller 12-9 communicates over RS-232 interface to CRT display 12-29 and printer 12-31. The N2 bus 12-7 can also be connected to binary input expansion module 12-33 which itself is connected to switch panel 12-35.
The binary expansion module 12-33 and switch panel 12-35 can operate together to form a smoke control station which transmits information to network control unit 12-1 and intelligent fire controller 12-9 over N2 bus 12-7.
Figures 13-16 illustrate the use of various configurations according to the invention in different size buildings. Figure 13 shows a facilities management system configured for a small building. This is a stand-alone configuration in which the network control unit automatically controls and optimizes heating, ventilating, air conditioning and other electro/mechanical building systems with directly connected input/output points.
Using a local I1O device 13-1, such as a network terminal, an operator can set up a network control unit 13-3, having functions and schedules, with adjustment and override capabilities. N2 bus 13-5 WO91/11766- PCT/US91/~551 provides communication from the network control unit to the controlled system shown generally at 13-7.
Such a system may have temperature sensor 13-9, flow controller 13-11 and chiller 13-13.
Figure 14 shows a typical configuration for a mid-sized building in which several network control units, for example, 14-1, 14-3 simultaneously manage heating ventilating and air conditioning, and various other electro/mechanical systems. NCUs 14-1 and 14-3 can communicate with each other through high speed N1 bus 14-5 and with operator work station 14-7. NCU 14-3 has expanded capacity and range by implementing remote network expansion units 14-9 and 14-11. This eliminates the necessity of wiring line voltages for the separate devices back to the network control unit 14-3.
Local input/output to network control unit 14-1 is provided by local I/O device 14-13. Both network control units 14-1 and 14-3 communicate with their respective control devices 14-15, 14-17, 14-19, 14-21, 14-23 and network expansion units over an N2 bus 14-15, 14-27.
Figure 15 shows a facilities management system configured for a large building. In Figure 15, multiple network control units 15-1, 15-3, 15-5 are interconnected o~er the N1 bus 15-7. In addition, a plurality of operator workstations such as 15-9 and 15-11 are also connected to the Nl bus.
For example purposes, Figure 15 shows network control unit 15-3 connected via its N2 bus 15-13 to card access controller 15-15 with proximity reader SUB5~1~UTE SHEE~

-56a-15-30 and smart terminal interface 15-32 connected to magnetic strip reader 15-34. Card access controllers were discussed relative to Figure 11.

WO9l/1~7~ PCT/US91f~551 _51-Figure 15 further shows network control unit 15-5 connected over its N2 bus 15-17 to fire controller 15-19 with fire detection/signalling device loop 15-28. Such fire controllers were discussed relative to Figure 12. Network control unit 15-1 is connected over its N2 bus 15-21 to various control systems, for example, 15-23 and 15-25. In addition, local input/output to network control unit 15-1 is provided via local I/O terminal 15-27.
According to the invention, a facilities management system can also be configured for remote buildings. Figure 16 shows such a system. As ~hown in Figùre 16, remote links can exist either on the Nl or the N2 bus. Operator work station 16-1 is directly connected on a Nl bus 16-3 to network control unit 16-5 and network control unit 16-7.
Network control unit 16-9, however, is connected to the N1 bus 16-3 via remote links 16-11. Network control unit 16-7, directly connected to operator work station 16-1, is further connected over its N2 bus 16-13 to controller 16-15 and 16-17. Similarly NCU 16-9 is directly connected over its N2 bus 16-19 to controllers 16-21 and 16-23. Local I/O to net~ork controller 16-9 is provided by local I/O
terminal 16-25. In contrast, network control unit 16-5 is directly connected over an N2 bus 16-27 to controller 16-29 and 16-31 but is connected to controller 16-33 over remote link 16-35. Thus, according to the invention, peer-to-peer communication over the N1 bus can be accomplished by a remote link and master/slave communications over SU~STITUTE SHEET

WO9l/11766 PCT/US91/00551 the N2 bus can also be accomplished by a remote lin~.
According to Figure 17, a plurality of network controllers 17-1 each having a processor 17-2 and a memory 17-4 are connected by high speed bus 17-3 to form, for example, a networked Facilities Management System (FMS) 17-6. It should be noted that processor 17-2 may be centralized or distributed to accommodate software layers in the node as discussed herein. Each network controller functions as a master control node for operational units attached to it and incorporates several layers of software. The software levels are structured to provide increasing isolation between the software levels and the operational units. The highest software level is the features level 17-5. Features level 17-5 implements specific functions to be performed by the network controller in operating the facilities management system. One example of a specific function would be a user display tabulating or graphically showing certain values. Features conta,r. a control program and a list of data objects on which the control program operates.
~ Any number of high level software features can be implemented depending upon the requirements of the system and the capabilities of the master control node. Some other examples of features performed in a facilities management system would include trend analysis, totalization, and other statistical features providing measures of facilities management systems performance. An .. , ; . ...... . ~, .. ",~ ...... . .
, .. . . . ... , . ~ ., . . ~ .

WO91/11766 PCT/US91/~551 _7~_ important factor is that the increasing level of isolation from the hardware allows the software features to be unaffected by changes in the facilities management system hardware.
Software features at the highest level communicate with the software object level 17-7.
The software object level is an intermediate level which determines how to carry out the action requested by one of features 18-21, 18-23, 18-25 at the features level 18-5. Information is passed between the software object level 17-7 and 18-7 and the features level 17-5 and 18-5 independent of differences at the lower levels of hardware.
Similarly, the software object level forms an interface with another level of software called the hardware object level 17-9 and 18-9. The hardware object level allows for a common interface to be established between the software object and hardware object levels regardless of the peculiarities of operational units, such as sensors and other data acquisition and control instruments, connected to the network controller. This is accomplished by configuring the hardware object level to mask the differences between the operational units to the various entities in the software object level 17-7 and 18-7. In accordance with requirements of local bus communications interface 17-11 and 18-11, network controller 17-1 communicates over local bus ~ 17-13 with slave controllers, for example Type A 17-15, 17-17, and Type B 17-19. As shown in Figure 1, any number of types of slave controllers is SUBSTITUTE SHEET

- ,q2 possible. The slave SUBSTlTUTE SHEET

W091tll766 PCT/US91/~551 controllers are connected to operational units, for example, to sensors T~, T2, T3, Sl, S2, S3. Such sensors are binary or analog field sensors which read values of real world data (e.g., outdoor air temperature).
Figure 18 provides a more detailed illustration of the configuration described in Figure 17. The software object level contains a plurality of software object managers 18-27, 18-31, 18-35. A software object manager is a database manager which handles all requests for a particular type of software object. An object is a named data element stored in the networ~ controller. Objects are categorized in types and each instance of an object has its own set of data, such as object name, current value, alarm limit, etc. Therefore, each software object manager is associated with a corresponding database, 18-29, 18-33, 18-36. One example of a software object manager is an analog input object manager 18-27. This would be the database manager for all instances of analog input objects, such as instances T1, T2, T3 of temperature objects T in the following example. Another is a Binary Input Object Manaqer 18-31. All of the elements of the database for a given manager are objects of the same type. In the following example, the software objects include analog input points, and binary input points. Each object type may have several instances, each of which has its own set of data values called attributes. For example, the analog input objects stored in database 18-29 are SUBSTITUTE SHEET

W09~/11766 PCT/US91/~551 each an instance of a type of object. Each of these SUBSTITUTE SHEET

WO9l/117~ PCT/US9l/~551 three instances has its own set of attributes.
These attributes are data which includes the object name, the current value, the alarm limits, etc.
The hardware object level contains a similar plurality of hardware object managers 18-37, 18-41, 18-45. Each hardware object manager is a database manager which handles all requests for a particular type of hardware device on the local low speed bus 17-13 connecting the network controller to the slave hardware devices 17-15, 17-17, 17-19. For example, a slave controller type A hardware manager 18-37 is the database manager for all slave controller objects of type A (Al, A2, in the example given below). As with the software object managers, each lS hardware object manager has a database 18-39, 18-43, 18-47 associated with it containing all objects of that type. For example, database 39 for Type A
hardware objects includes A1 data 18-49 and A2 data 18-51. Each object has a set of attributes unique to that particular object.
Transparency is achieved at two levels.
First, software objects are transparent to features;
and second, hardware devices or operational units are transparent to software objects. These transparencies are best illustrated by examples. In the first case, the transparency of software objects to features, assume Feature x, 18-21 needs to read a current value field or attribute of sensor T2.
This is accomplished by directing the request from Feature x to the software object manager controlling T2. As shown in Figure 17, in this case T2 is S~IBSTITUT~ !~;HEET

WO9l/l1766 PCT/US91~51 controlled by the Type A slave controller 17-17.
The analog input object manager 18-27 is responsible ~o identify the data structure of T2 and return the attribute required by the feature, e.g. the value attribute,to Feature x. As a result, Feature x need only understand the various possible types of data that can be returned as single values and it does not need to know the entire database structure for an analog input object.
Feature x also need not be concerned with the particular object type when it~requests the current value of an object. Because all information is transferred between the Features level 17-5 and 18-5 and the software object level 17-7 and 18-7 in the same way, the feature need only ask for the current value of an object. Thus, the method for requesting the current value of an analog input object and the value of a different type object, such as a binary input object, does not vary. Feature x only sends a request for the current value attribute to the appropriate object manager. The feature uses the object type only to determine which software object manager controls the data. The actual request issued by the feature for the value is the same regardless of which type of object is being queried. This avoids requiring high level software features to request current value differently for each different object type.
An added advantage of this approach is that the feature can always obtain the information the same way regardless of where the hardware is located WO91/11766 PCT~US91/~5~1 in the system. Because the feature only requests the object by name, the feature is insensitive to the physical location in the system of the hardware which produces the named object. Thus, hardware differences and physical location of hardware are masked out by the hardware and software object managers.
The software object database managers and the hardware object database managers transfer information as previously described and shown in Figures 17 and l~. It should be noted that this is for illustration purposes only and that any confiquration of information transferred is possible depending upon the functions performed by the lS software object database manager and the data provided by the hardware object database manager.
Therefore, features are not concerned with the type of slave controller hardware device to which actual sensors or data ac~uisition or control instruments are attached. When a feature requests the values of the attributes of an object, it is insensitive to the type of slave controller used to manage the sensor which generates the raw data. The software and hardware object levels isolate the features and present the same set of data values the same way to all features for a given object type regardless of the physical slave controller to which the operational unit is attached. Thus, the features need not be changed for each type of slave controller.

WO91/l1766 PCT/US91J005~1 This leads to the second level of transparency, the transparency of hardware devices to software objects. By interposing a hardware object manager between the software object managers and the slave controllers, it is possible to mask the hardware differences from the software managers.
This frees the software object managers' processing capabilities in the node to perform higher level control and reporting of predefined conditions. For example, software object managers report alarms, and notify high level features of changes to act as a trigger mechanism independent of the hardware used to generate the data.
One example based on Figure 18 occurs when Feature x 18-21 reads the values of analog type temperature points Tl, T2, and T3. As previously discussed, the feature is not concerned with the hardware and therefore makes the same request for each temperature point to the analog input object manager 18-27. This is because the object requested is of the analog type. The analog input object ~-manager 18-27 itself is also not concerned with the slaves on which Tl, T2, and T3 are located. As far as the Feature x, and analog input object manager 18-27 are concerned, all communications to the various hardware managers are the same for T1, T2, and T3.
The analog input object manager 18-27 requires a plain floating point (real) number, such as 72.3~F from the hardware object level 17-9. The hardware object managers 18-37 and 18-41 for slave . , , " . , , . , .. .. ~ ~ .

WO9l/1l7~ PCT/US9l/00551 types A and B condition the data to supply the analog input object manager 18_27 with values of the required type. In order to determine the value, any number of individual calculations in the hardware object manager may be required. For example, assume the value of the temperature sensor arrives at the slave controller as a count, such as a digital count produced by an analog to digital converter, which must be spread over a predefined range to compute lo the floating point value. Further modifications may be required by a span equation, a square root equation, and a filter before the final temperature value of the sensor is obtained.
As shown in Figure 17, Type A slave controllers 17-15 and 17-17 deliver T1 and T2 raw data. Type B slave controller delivers T3 raw data.
Assuming that controllers A and B have completely different levels of capability, the differences in the controllers would create significant problems in existing computerized facilities management systems.
For example, one controller may implement a square root equation while the other may not, or the controllers may have different range equations. In conventional facilities management systems, the high level software would be required to compensate for these differences. However, in the present invention, the hardware object managers for the slave controllers access the node processor (or a separate processor) to condition the data and mask these differences from the analog input obiect manager 18-27.

WO9l/11766 PCT/US91/~551 Assume that Type A slave controllers 17-15 and 17-17 are highly simplistic devices which provide only the analog digital count to the network controller. In this case, the hardware object 18-37 manager for type A slave controllers must perform the other calculations necessary to obtain the final temperature values Tl and T2 to be provided to the analog input object manager 18-27. In contrast, assume slave controller type B is a highly sophisticated device which performs most of the ranging and filtering prior to sending the information on to the network controller. In this case, the hardware object manager 18-41 for type B
controllers performs relatively little processing.
In either case, the processing performed by the hardware object manager is transparent to the software object manager 18-27 which manipulates data and sends it to the high level feature. This is because there is a common information interface between the hardware object managers 18-37 and 18-41 and the analog input object manager 18-27. Thus, all hardware object managers communicate with the software object level 17-7 according to the same rules. Thus, the analog input object manager 18-27 can be written to deal with a generic object type, in this case, the analog input object. It need not contain alternative code for each single possible slave controller implementation of an analog input.
It should be further noted that as shown in Figure 18, communication is possible between all the features and a-ll the object managers in software WO91tl17~ PCT~US91/~l object level 18-7 and all the object managers in software object level 18- 7 and hardware object level 18-9. The actual communications paths used are a function only of the function performed by the feature and the data required. Thus, Feature y may - also request software object T1, thus accessing analog input object manager 18-27. Similarly, Feature n may request data from one or more object managers in software object level 18-7 which may further request data from one or more object managers in hardware object level 18-9. The commonality of interface between the hardware object and software object level simplifies the addition of new slave controllers and object instances. An object instance would be added in the above example if a fourth temperature sensor T4 were to be added to the system. A new slave controller of the same type would be added if a third type A slave controller, A3, were added. In both cases, all the necessary software exists on the network controller because there are no changes to the informational - interfaces between the software object level 18-7 and the hardware object level 18-9. The user need only modify the database to create a new instance of the 18-29 analog input object T4 or the database 18-39 to create another instance of type A controller object, e.g. A3, in the network controller.
It is àlso possible to add a new slave controller type with minimal impact on the existing facilities management system software. Assume a new controller type, type C, is to be attached to the WO91/11766 PCT/US91/~551 local bus 17-13. This would require adding (by download or other means) a new hardware object manager to the existing software in the network controller acting as the master control node for operational units on that local bus. This hardware object manager would map the capabilities of the new controller into the software objects already defined in the system. For example, the new hardware controller may monitor analog temperature data in an unconventional manner, requiring a new hardware object manager. If the new controller produces analog temperature data, the new hardware object manager can map the data into a new instance T5 of the analog input objects. The existing software object managers and high level features in the software object level 17-7 and features level 17-5 of the network control software would be unaffected, since they would operate the same way as before.
The only exception would be when the new hardware supports a new data type which is so different in operation from the existing types of objects that it could not be mapped into one of the existing software object managers at the software object level 17-7. In that case, a new software object might also have to be created.
Thus, the hardware object managers have again been used to mask out the differences in the hardware to the software objects. T~us, the software object managers need not have different hardware dependent versions. A software object manager handles a data element the same way, whether WO9~/11766 PCT/US91/~551 the data element comes from a sensor operated under type A control or another sensor operated under type B control. The hardware object managers format or map the data into the form required by the software object managers needs. This allows the software object managers to provide a hardware independent interface to the higher level software features.
According to another aspect of the invention, Figure l9 illustrates that a software or hardware object manager provides a construct to handle data generated during a calculation in much the same way that data obtained directly from an operational unit such as a sensor is handled. According to the invention, a point is defined as a type of object.
For example, an analog input point is a type of object. Therefore, the point has attributes such as its current value, high limit, low limit, alarm state, its hardware address, etc. These multiple dimensions to the point define the point as a vector quantity. A point is always associated with an operational unit such as a sensor in the field.
Thus, operational unit l9-l provides data to the network controller 19-3 which processes the data in a hardware object manager 19-5 into a form required by ~oftware object manager 19-7. The data corresponding to the point is stored as attributes l9-9 in a storage means, such as processor memory 17-4.
Intermediate calculations at features level l9-ll sometimes require that the software object level 19-13 supply data which is not gathered WO91~11766 PCT/US91/~551 directly from an operational unit. In order to facilitate a common method of handling such data, pseudo points 19-15 are created at the software object level 19-13. A pseudo point is handled by software object manager 19-7 in exactly the same way as a point 19-9. The difference between a point and a pseudo point is that a point gets its values from operational units while a pseudo point obtains one or more of its attributes from an associated object.
The pseudo point stores the identity of the associated object as one of its attributes. Thus, pseudo point 19-15 could recognize its associated object as point 19-9. In this case, pseudo point l9-lS could obtain one or more of its attributes from the attributes of point 19-9. This allows the software object manager 19-7 to treat all data requests from the features level 19-11 in the same way. Thus no distinction need be made between data obtained as points from operational units and other data used in intermediate calculations which is not directly obtained from such operational units.
Figure 20 shows network controllers 20-1, 20-3, 20-5 interconnected on high speed network bus 20-7. High speed network bus 20-7 is used to transmit data among the nodes into computer 20-9. Computer 20-9 further transfers information to storage device 20-11 which contains archived data bases, such as archive data base 20-13 for network controller 20-1 and archive data base 20-15 for network controller 20-3.

WO91/l17~ PCT/US91/~551 Computer 20-9 contains generation software 20-10 which allows the user to create data elements at whatever level of data is appropriate to a specific application and to assign names to the data elements. Since no two elements may have the same name, the generation software checks the archived data bases or online databases and verifies that each data element is assigned its own unique name.
When the name has been assigned, the name and the data element are both downloaded to the host node using high speed bus 20-7. This is shown generally in Figure 21 at generation time as reference numbers 21-20 and 21-22. As a result, the host nodes contain named data elements.
As further shown in Function Block 21-24 in Figure 21, during run time a referencing node transmits a request for a data element by name. As shown in Function Block 21-26, if this is a first request for the named data element, the entire network is searched until the data element is ound.
This is shown generally in Function Block 21-28. As shown in Function Block 21-30, if the name cannot be found anywhere on the network, an error message 21-32 is transmitted and the search for the name is terminated in Block 21-38. On the other hand, if the name is found, as shown in Function Block 21-34, the name is tagged with binding information. This binding information is a node address on the network and an internal address of the data element within the node's data base. The node address and internal address of the data element can have any convenient W O 9~ 766 PCT/USgl/00~51 format. In accordance with Function Block 21-36, the ~inding information and the data element itself are returned to the referencing node which stores the binding information.
As shown in Block 21-26, if the referencing node is not making a first request for the data element, control passes to Function Block 21-40 where the ~inding information is read. Using the binding information, at Block 21-42 the name at the location specified (host node and data element location) is read and compared in Block 21-44 with the name requested. If the name found at the location specified matches the name requested, the data is returned to the requesting node in accordance with step 21-46 and the data acquisition routine is terminated.
However, it is possible that the name found at the specified location does not match the name requested. This indicates that the binding information has become out of date. Typically the verification is done in the host node. The host verifies that the data requested is still at the same address by comparing the name passed with the name of the element stored at the bound address. As previously noted, if they are the same the binding is still valid and the data is returned as requested. However, if the data element has moved, either within the host node's data base or to another node, the host node detects the mismatch between the name now stored in that location in its data base and the name passed in the request. The WO91/11766 PCT/US9l/~551 referencing node is informed that the binding information is out of date.~ The binding information can become out of date when a download, deletion, or other data base generation is performed on the host node, either deleting the data element or moving the data within the node to another location on the data base or moving the data to a different node. Any of these events can happen without the referencing node being informed. When the binding information is out of date, the referencing node executes a search of the network for the element name in accordance with step 21-28, again following the steps previously described for the first request of a data element name. If the data element name has been deleted, an error message 21-32 will be returned. However, if the data element name has been moved either within the node or to a different node, in accordance with steps 21-34 and 21-36, the name will be tagged with the new binding information. The new binding information and the data element will be returned to the referencing node.
As a result of the above, the network is self healing. References which become out of date are corrected the first time a reference is made after the change of address has occurred. Further, if a referencing node is downloaded before a data element it references is downloaded, an error message is returned until-the name is downloaded and then can be found. Thus, in accordance with the above invention, a search of the network need only be made either the first time the data element is requested WO91/117~ PCTJUS91/~551 or the first time a data element is re~uested after it has been moved.
Figure 22 illustrates a variation of the above described method. Figure 22-3 illustrates that after name generation 22-50 the names are downloaded at step 22-52 to the referencing nodes.
At step 22-54, the referencing nodes create a name table. The reference table can be constructed to optimize memory usage in the node by keeping only one copy of the data element. All references and applications in a referencing node which require the data element are then replaced by a reference table index which typically requires fewer data bytes than an ASCII name. Thus, the name is kept in only one place, the reference table entry, as shown in steps 22-54 and 22-56 of Figure 22.
It should be noted that in this method each referencing node keeps its own name table. Thus, after step 22-58 when the referencing node requests the data element, step 22-60 is executed to determine if this is the first request by the ~
referencing node. If it is the first request by the referencing node, steps 22-62 through 22-72 in Figure 22 would be executed. This would involve searching the network for the element name, if the name is found returning the binding information and the data, and placing it in the table created in the referencing node as shown in step 22-72. Errors would be treated as previously discussed.
If this is not the first re~uest by the referencing node, then at step 22-74 the location of W091/117~ PCT/US91/~551 the data element is read from the name table and the request sent to the host. The name is then compared by the host node with the name at the location specified in the name table. Based on the result of the comparison at step 22-78, the data will be returned to the requesting node or the network will be searched for the element name. It is important to note that within the referencing node, it does not matter in what application or feature the request for the data element originates. Once the binding occurs for one reference to that element, it occurs for all references in that node to that element. This means that the binding needs to occur only once for all references in the node instead of once for each place the reference occurs in the node. This reduces the time spent making initial bindings for all of the references by the node. It should be further noted that a separate reference table is built for each node. Thus, if the location of the data element is changed within the host node or to another host node, the process of updating the reference table will be repeated by each referencing node the first time that node requests the data element.
Figure 23 shows a further optimization of the arrangement shown in Figure 22. Assuming a node has made a first request for a data element, the name of the location identified by the binding information is compared with the name of the data element currently being requested. In this case, if no match occurs, a local search is first performed at step 23-82 by searching the host identified by the binding information. This is because it is likely that the data element will be found within the same host. If this is the case, control passes to step 23-70 where the binding information and data are returned to the referencing node. However, if this is not the case, the remainder of the network is searched beginning at step 23-62.
A further embodiment avoids searching the network for references to data elements where the data element is stored in the same node as the requesting node (i.e., the host node and the referencing node are the same node). As previously described, the reference name table must contain an entry for each name in the referencing node. This is necessary even if the referencing and host nodes are the same because the data may at some time move from this node to another node. Thus, it is not possible to eliminate an entry from the name table in the reference node even though the referencing node is also the host node for the named element.
However, in these situations only, it is possible to eliminate searching the network the first time the referencing node requests a data item for which the referencing node is also the host node. This is achieved by having the data base software and the host node add the reference table entry when the element is downloaded. The table entry contains the correct binding infor~ation since the host node owns the data element and, hence, knows the binding.
When the first reference from somewhere else on the WOg1/117~ PCTJUS91/~51 same node occurs, the binding information is already in the reference table and-no additional searching is required. Thus, it is advantageous for a data element which is used frequently by a reference node to be hosted on that reference node.
Figure 24 shows a further optimization technique using multiple levels of names. As illustrated, two levels of names are shown.
However, the technique can be extended to an arbitrary depth of the naming hierarchy. Thus, small and hyphenated levels of names can be used.
At each level a directory is formed permitting access to the next higher level. In a two level naming scheme, each name consists of two parts - a group name and an element name within the group. Each group is assigned to one node in the network and may have many elements within the group.
A first directory or group directory, is a directory of all the groups in the network. The directory lists the name of each group and defines the node on which the group resides. Since the group directory -must be kept on each node of the network, it is broadcast to all nodes in the network. The addition or dele~ion of groups must also be broadcasted to all nodes in the network so that they maintain an updated copy of the group directory. For each group on a node, the node contains a second level of directory called the element directory. The element directory lists all the elements in that group and identifies the node address of each element in the ~roup. It is important to note that the elements in WO91/117~ PCT/US91/~l the group need not reside on the node containing the group or element directory, nor need all the elements and the group reside on the same node of the network. _Of course, the element directory is updated whenever an element is added or deleted from the group or moved from one node to another. Figure 24 illustrates how the directories are used. As shown in step 24-100, it is first determined if a reference node is making its first request for a data element. If this is a first request, in step 24-102 the reference node compares the group name to the group directory and identifies the group node.
In step 24-104 if a match has not occurred error 24-106 is indicated and the sequence of events is terminated.
Assuming proper operation at step 24-104, a match occurs and at step 24-108 the request is sent to the group node as identified in the group directory. In step 24-110 at the group node, the element directory is searched to determine if the element appears in that group. Since the element directory contains the location of the data element, if a match occurred at step 24-112 then at step 24-114 the group node reads the host node address from the element directory and at step 24-116 transfers the request to the host node. At step 24-118 the host node obtains the data and returns the binding information and the data to the reference node.
Thus, the initial search for the name of the element is shortened to a search of the group directory followed by a search of the element directory for W~91/117~ PCT/US91/~551 the correct group. The entire network need not be searched. However, it should be noted that the directories must be kept up to date and that a copy of the group directory must-be maintained on each node of the network. The group's element directory need be maintained only on the node where the group directory resides. The added bookkeeping is only required when a group or element is added or deleted or an element is moved. This is considerably less work than downloading all referencing nodes when such changes occur. The actual references of the software of the referencing nodes need not be affected.
As previously discussed, if this is not a first request for data, binding information is read and the name is compared with the name found at the location identified by the binding information. If a match does not occur, then the binding information is no longer up to date and the sequence must again be executed to locate the proper information.
In one application, the above described methods can be carried out in a facilities management system. This application to a facilities management system is by way of example and is not intended to be a limitation of the invention. In Figure 20 several real time network controllers and a personal computer used to generate data bases to download to the network controllers are interconnected on network 20-7. Storage means 20-ll, such as a disk attached to personal computer 20-9 contain~ the data bases to be downloaded to WO91/11766 PCT/US91/~551 networ~ controllers 20-l, 20-3 and 20-5. Each network controller and the personal computer can be considered a node. Assume NC2 is the name of a host node 3 and the host node owns a data object or element called AHUl/FAN.
The system/object name is a two level naming scheme where the system name is the same as the group name in the above description and the object name is the name of the particular data object or element. This object is the return fan for air handler #l. It is a binary output object because it can be controlled to one of two positions and its name is unique on the network. The "group" or system name is AHUl and the "element" or object is FAN. Assume also that NCl is the name of node l and is a referencing node. This means it has several software features which need to reference the FAN
object. As shown in Figure 20 Feature A needs to read the current value of the FAN object and Feature B sends a command to the FAN object to physically start the fan. As shown in the figures, a list of all the system names, group directories 20-200, 20-202, and 20-204 is duplicated in each node. The group directories identify which node contains the directory of objects for a particular system. For the case of the AHUl system, the directory of objects is maintained by NC2 node 20-3. Thus, NC2, node 20-3, also contains a directory of objects in the AHUl system and where they are located in the data base. Similarly, the ob~ects for the AHU2 system are located on NC3 or node 20-5.

WO91/11766 PCT/US91J~551 As previously discussed, using personal computer 20-9, the user creates a data base which can be placed on archived files 20-13, 20-15 on storage disk 20-ll and can be downloaded to network controllers 20-l, 20-3 and 20-5. References, such as those fro~ Features A and B to object AHUl/FAN, are kept in an ASCII name form when downloaded.
This is because they are not yet bound at the time the data base for the network controller is downloaded. The referencing software features are oblivious to the actual physical location of the data object AHUl/FAN.
Upon downloading, an object is given to a data base manager which manages all objects of the same type. In the case of AHUl/FAN, the binary output manager in NC2 is used. The object data base manager software initially enters the names into the reference name table. For example, when the binary output o~ject manager is given the FAN object at download time, it places the FAN object into its own binary output data ba6e and adds an entry in the reference table 20-300. This entry contains the name of the AHUl/FAN object and its binding information; object type (binary output), host node address (NC2), and data base location in the binary output data base (record 3). In this example, the table entry is located at offset 16 as shown in Figure 20. Note that no other nodes besides NC2 know the binding information at this time. These nodes still only have a name reference to AXUl/FAN.
The directory of objects and AHUl will later also WO91/11766 PCT/US91/~551 point to the reference table for the FAN object so that later lookups of the name will find it in the proper place. Data base for the referencing node 20-l, NCl, is also downloaded. This causes entries to be made in the reference table for NCl. When the data base for Feature A is downloaded, an entry is made into the reference table for AHUl/FAN but without the binding information. This "unbound"
reference simply shows that some fea,ture in NCl will be referencing FAN. When the data base for high level software Feature B is downloaded, it will also try to add the unbound reference to the table and find that it is already there (at offset 27 in the reference table 20-302). Both features will then replace the named reference to AHUl/FAN with the offset of 27 into the table. Note that at this point in time the binding information is still not in the table in NCl.
Execution of high level software Feature A in NCl requires reading the value of FAN object. Since the binding is not yet in the reference table in NCl for AHUl/FAN, the software must locate AHUl/FAN on the network. This reguires searching the system name list or group directory in NCl for the system name AHUl. As shown in Figure 20, the list shows that AHUl is located on NC2. Thus, the software directs the request to NC2. NC2 locates the object in its data base using the element directory. This is accomplished by looking up FAN in the directory of objects in AHUl. In the example shown in Figure 20, this is a binary output point located at offset WO91~117~ PCT/US91~551 16 in the reference table in NC2. The reference table of NC2 already has the binding information added for FAN, since this information was put there at download time, as described above. Hence, the software can send the request to the correct data base manager (binary output) object manager on this node and request the correct record, which is record 3.
Once the data is obtained, the information is passed back to Feature A and NC1 along with the binding information. At that time, the reference table entry for FAN is completed in node NC1 with the correct binding information.
Figure 20 also illustrates that for references in the host node, such as from Feature C
in NC2, the binding information is already in the reference table after the data base is downloaded.
Thus, the binding procedure is not required for those references, even the first time the reference is accessed.
Since the binding information has been provided to network controller NCl, subsequent references from--network controller NC1 need not repeat the above procedure. Assuming Peature B
needs to reference FAN, it uses the stored offset of 27 to find FAN in the reference table. This time the binding information is already in the table.
Thus, the software could send a request directly to the binary output data base manager on node NC2 and request record-3. The look-up procedure described above is no longer required. Any other features on WO91/11766. PCT/US91/~551 NCl that subsequently reference FAN will use the same bound reference in the table, so the binding is only required once for all references from NCl. As previously discussed, the reference table reduces memory requirements since the longer ASCII name is replaced by a short table offset in each software feature and since only one table entry is required for all references from that same node.
Figure 25 illustrates the sequence of events when a data element moves within a node. Assume that FAN moves within the data base of NC2 from record 3 to record 5. This could occur, for example, as a result of a data base regeneration on the personal computer so that record 3 is now an object called AHUl/PUMP while AHUl/FAN has been moved to record 5. The binding information used by network controller 25-l to go directly to the binary output data base manager on network controller 25-2 would cause a request for record 3. However, the request also sends the name of AHUl/FAN so that it can be compared with the name found at record 3. In this case, the records no longer match.
Using one of the optimizations described earlier, the binary output data base manager searches its own data base to see if it still has the object AHUl/FAN. In this case it is found at record 5, so the information requested is returned along with the new correct binding information. NCl ~ sees that the binding it was using has been corrected by NC2 and updates its reference table by replacing the reference to record 3 with record 5.

WO91~117~ PCT/US91/00551 Thus, the object has moved within network controller NC2, but network~controller NCl was still able to find the data without any changes to the network controller NCl. Furthermore, all references in network controller 25-l are corrected, since the common reference table entry is updated.
Figure 26 illustrates the situation when, as a result of a download, a data object has been moved to a different network controller. .In this case, the user has generated a data base for NC2 and NC3 moving the system or "group" name AHUl and its objects to NC3. Now, FAN is record 7 in the binary output data base on network controller NC3 (node 5).
Here, a network controller NCl attempt to reference FAN using the binding information it already has fails. This is because the name comparison at network controller NC2, record 3 shows that the AHUl/FAN data object is no longer at that address.
Moreover, a check of the remaining elements in the NC2 data base shows that FAN cannot be found. Thus, Feature A in the network controller l receives an error message.
Network controller 26-l responds by erasing the binding information from its table and following the method discussed above to find the new location of AHUl/FAN.
In this case it would be found on network controller 3 at record 7. Doing this once corrects all references in network controller NCl, since the common reference table is updated.

W O 9~ 766 PCT/US91/OO~SI

It should be noted that had the data element been completely deleted from the network, network controller NC1 would have reported its inability to find FAN via an advisory message to an operator.
This is also true for all references to FAN from NC1 until FAN is downloaded again. Thus, an error occurs until AHU1/FAN is redefined, or the reference is removed. However, after the download the references will bind and begin to work properly.
Hence, the order of node download is not critical.

In order to provide proper time synchronization among nodes interconnected on an Nl bus, it is necessary for one of the nodes to play a limited system manager role. As shown in Figure 27, a node 27-1 is selected as a time synchronizer (a limited system manager) and at 27-2 the node defines the time and transmits this information to the other nodes interconnected on the Nl bus. Shown in 27-3, the nodes monitor the time during the non-update interval. Decision block 27-4 ~tests a clock to determine if it is currently the time for which resynchronization has been set. If not, control is transferred back to 27-3 and time monitoring continues. If it is determined in decision block 27-4 that it is now time to reestablish synchronization of time among the nodes, in block 27-5 the node tests to determine if it is the system time manager. If so, control is transferred to block 27-2 and the system time manager transmits the . .

WO91/117~ PCT/US91~551 current time. If in decision block 27-5 the node recognizes it is no~ the system manager, in block 27-6 the node determines if it has received the time synchronization data. If so, the node resets its time in block 27-7 and time monitoring continues as in block 27-3. If the time synchronization data is not received at block 27-6, the node in block 27-8 determines if it can be the system time manager and, if so, transmits the time as in block 27-2. This allows a new node to assume the time-synchronization responsibility if the original system time manager fails or goes off line.
In addition to synchronizing time among the nodes, it is also necessary to synchronize global data. Figure 28 shows the fundamental steps in the download. In function block 28-l a global data base is defined and loaded onto the network. A global data base can include such items as passwords, a list of system names (although not object names), a list of nodes and printers on the system, report groups which indicate where user advisory messages of certain classifications are to be directed, and other information which would be useful to all the nodes_ Function block 28-3 shows that each node also has a data base defined for it in an archive device. The node data base includes data to be stored in the node and additional data to be transmitted along the N2 bus to other dev~ces controlled by the node. In function block 28-5, a node is configured on a network by giving it an Nl address and storing the identity of its archive .. .. ..

WOgl/11766 PCT/US91/~551 device in non-volatile memory. Following power-up at step 28-7, the node must be synchronized with the other nodes at step 28-9. Step 28-11 tests if the synchronization is complete. If not, control is transferred back to function block 2~-9 to complete the synchronization process. Upon completion of node synchronization, control transfers to function block 28-13 in which the node accesses the archive device to download its own particular data base. As each data element is received, decision block 28-15 tests if the information is to be transmitted to a device on the N2 bus. If not, the information is stored in the node as shown in function block 28-17.
If the information is destined for a device on the N2 network, as shown in function block 28-19 the information is passed onto the device through the N2 network.
Figure 29 further illustrates how synchronization takes place. Upon power up, a node executes code in electronically programmable read only memory to identify the node's archive device def ned in the non-volatile memory section of the node. This is shown in function block 29-1. As shown in function block 29-3, the node then requests the archive device to download the code into its random access memory. At decision block 29-5, the node joining the network tests to see if it has received a broadcast from another node on the network. According to the invention, the nodes on the network all periodically broadcast a time stamp indicating the latest version of the global data WO91/117~ PCT/US91/~551 base in that node. Thus, if a node joining a network has not yet received-a broadcast time stamp as shown in decision bloc~ 25-9, the node waits until it does receive one. Upon receipt of the first broadcast time stamp, the node entering the network requests the global data from the node associated with the time stamp, as shown in function block 29-7. In addition, the new node stores the time it received with the global data base information as its time stamp. Subseguently, in function block 29-9, the node accesses the archive device to obtain its own particular data base, as previously discussed. After receiving its data base, the new node joins the others in the network in broadcasting its time stamp, as shown in function block 29-ll. Synchronization of the data bases is maintained by receiving time stamps from other nodes as shown in function block 29-13. In the event that the time stamp received is later than the time stamp currently in the node, the node requests the global data from the node with a later time stamp, as shown in function bloc~s 29-15 and 29-17. It should also be noted, that it is possible for a node to become hung up waiting for global data which is not available. Thus waiting step 29-l9 is tested against time expiration decision point 29-21. If a time has expired, then to avoid suspending operation of the node, the node accesses the archive device for the global data as shown in step 29-23.
An alternative approach allows a node joining a network to avoid waiting for receipt of its first t~e stamp, a~ descr~bed above. According to this ~lternative, the node ~oining t~e network fir~t acce5Be~ the archive d~ e ~or the g~ob~l da~ and r~cordE the ti~e ~tamp o~~the glob~l data on the archive de~ice ~8 it6 time Bta~p~ The node then ~oinR the network, periodlcally tr~n~mitting i~s ti~e st~p and ~x~ining ~me ~tamps of other nodes a6 de~cribed ~bo~e.
A ~imilar approach is u~ed with slave devices controlled by nod~G on ths N2 network. Every time an N2 da~i~e com~s on line, it reports it~ data ~ase revi3ion level as a time ~amp to its network controller. I~ the n~twork controller haG a new data basa hS indi~ated ~y $t~ ~wn ti~e 6t~p, it downlo~d~ that informa~ion, Wh$~h i~ sQme por~ion of ~;he d~ta ba~e, to the device o~ng on line on the N2 networ)c. If t~e network con~roller d~ee not ha~e ~ more reces~t data ba6e than that ~ndicated ~y the time stamp o~ th~ ~evice op~:rating on the N~
20 network, th~ network controller ~ume6 ~at the ~2 device has ~he correct data base.
Figure 3 0 showe an approach to downloa~ing info~m~tion into a d~vice without a routing table.
The appro~ch consi~ts of G~cadir~g device~ ~o tha~
5 a p~h to a d~viçe without a routlng table c~n be establi~hed th~ough oth~r deviçes wh~ch haYe routing ~le~. ~ i8 i~ p ~ irulA~ly useful ~n case~ where not de~irable ~o requirs p~r~onnel ~o go to an ~ctual site of a device to physically download ~
3 0 up~oad a dQvic:e ' 8 data base . According to the ~nvsntion, each r~guest~n~ n~twork controller ~aintalns at a m$nimu~ in non--volatile m~mory the addr~s of lt~ archiving device. In Add~t~ on, each network controll~3r mainta~ns in non-~rolatile ~e~ory the addre~ of a ne~wo~k ~ntroller thAt will 5 initiate a download on 1 t~ behalf . ~his is called the ~C initiator. The NC initiator must be in~ t~alized in a c~onRi~tsnt ~3tate ~efc~re it can facilitate a downlo~d~upload request fro~a another nod~. Thufi, a cascadin~ mechanism ic employ~d 10 ~har~y noies a~v~ in the hierar~hy are initializsd b~f~re node~ lowe~ ln the hierarc~y ~re initialized.
Two ~ss are po~sible . In F~ gure 3 0, downlo~d deYice 3 Q-l ccul d ini~iate the dow~load with n~twork con~roll~ 3, 6hown as node 3 0-4 which 15 doe~ not ha~e a routing tal~le~ Ta~ls 1 of Figure 31 ~hows the ~e~uence of ~tep6 which are ~mple~en~ed ~y ~he network control l~yex of th~ archiving~ de~ice or P~ It ~hou}d be notea that each node i~; given an addr~ss defining ~ts n~twork, a loca~ ~ddr~ss- on ~he 20 netwc)rk, ~nd a part o~ the node. The node t~self i6 assigned port 0. Thus, download devic~ 30-1 ha~
addre~s l:l:o. ThtS i8 becau~ the device i~ on network 1, loc~l address 1, and b~u~u~a a deYice it~eLf i~ def ined ~15 port 0 . A~ Tab~e 1 ~t Fi~ure 2~ hows, the ~ource of the me~a~ 0, its destination i~ 2: 4: 0 . An interi~ source of the ~es~age a~ it n~vigate~ the nstw~rk i~ al~o ~hown.
For the c~iginator, the source and interi~n source are defined to ~e the ~me~ ~hus, t:he first interim 3 0 sourc~ is ~ o . ~he remaining inter~ so~r~e antri~s in tho table in ~ 31 have the ~ame network and local a~dres~ aB the prs~ding entry.
A rou~ing de~ined ~n a nQtwor~c layer such as that of the Open ~ystem6 Interco~netion model ~ of International standards Organization of the node route~ ths message to NCl which i5 networ~c 1, local addre~6 2, por~ 0. Traoing the st~p~ throu~h the table ~hows th~t ~y routln~ the mes~age f irst throu~h N~1 and then ~¢2 the download in~ormation eventually arrives at NC3. NC3 replies to the sou~ce acknowl~ds~ing the receipt of the me3sage.
sinGe the r~c~ivi~ device doe~ not have a routing table, it replie6 tc) the node from which it received the mes~ge. From t}lers, th~ a~knowledgement could be rcuted ov~r ~he su~le path ~s the ~e~age ~ransmis~ion in rever~e direction or oYer any other con~ani~3n~ path d~fined b~ ths node~ having routing table~ .
In th~ second c~, network corltroller 3 initia~es the ~lownload rsqueE;t to the ~ hlve P~ 30-1. In ~ a~e, nod~ NC3 loca~ed at addr~ss 2:4:0 doe~ not have a routin~ t~le to use for ~endin~ its download r~quest. However, a~ p~eYioUsly mentio;led N~3 ma 1 ntain~ in non-~rolatile ~mory an addre~6 o~
a ne~work cont:ro'l ler tha~ wil}~ initiate ~ do~ d 2S on its behalf~ ~hu~, NC3 routes it~ re~uest to ~his NC inltia~or . NC3 requ~st~ ~he do~mload f rom the d~ta downloaa device at ~d~s~ 0, whic:h i~
identif ~d in NC3 as its ~ ng de~ice . The route t~ n by t~e ~guest, n~ E~hown ~ n Table 2 in ~igure 32, assume~ ~hat NC2 at a~dress 2:3:0 i~ the N~ initia~or for NC3 . NC2 must alxeady ~onta~ n a routing table to ~nd the message to the archiYe device. Thi~; illustrate~ th~t by c~sc:adlhg t~e devics~ th~ m~s~age can be rec~red by the archi~ing PC. It should b~ notsd ~hat thi~ creat~ a hierar~hy of nodes such t:hat a higher le~el node, such a~ NC~, mu~t be fully ~unctional before a lower order node, such ~5 ltt~3 can ~e ~ownlo~ded.
Si~il~rly if ~not}se~ node namsd Nc3 as it~ NC
in~ tiator ~ownload~ to t~at other node could not o take~ place until NC3 col#pleted its download through it~ ln i t ~ ~tor, NC2 .
~hen downtoad~ occur problemg can result from obje~ who~e ~y~tem d~inition li~s on a diff~3ren~
N~ than ~he o~ ect resides on. Thi~ is becauss two lS ~C~ cannot always be gUar~nt~Qd to have mutual~y ~on~i~tent data- bzl~es. ~he88 incons~ stencie~ can not be ~ut~matically corrected, sinc~ ths~ wil~
nat~l~ally ~ri~e when ~everal ~C~F have been ~ected whc~EIe dsf initions in~erla~e ~ e the~ N~E; are b~inçl updat~3d ~downloaded) there wlll ne~es~ar~ly ~e a tlme p~riod ~uxin~ which inconsistencies cannot be avoided. How ver, ~11 p~oblsm c~ec ~an be detected and reported to the U8 ~ .
When one NC i8 do~nloaded the others m~y ~e 2~ temp~rar~ly inconsi~ten~ with it. Tr thls aond$tion persi6t~, or i~ the ~y~t~ - attemp~s to aace6s ob~scts on either ~ during this period of ~ime, err~rc bX a~biguities can occur~
The ~ollowing ex~mple d~mon~t~a~e~ pro~lems ~ 30 wh~ch ~n ari~e when an o~ject is mov~d from one NC
to anot;her. Ot;~er scenarlo~ ~ould be con~t;ructe~

--g3--WO91~11766 PCT/VS91/~551 but the data base inconsistencies resulting would be the same. The following assumptions are made:
a. NCl contains the directory for system S.
b. NC2 contains the original version of an object O.
c. NC3 contains the new version of the same object o.
The normal case is to add object O to the data base for NC3 and delete it from NC2. This can be done either through template generation ~single object changes) or via DDL (data definition language). In either case inconsistencies can occur.
Assume DDL is used for this change. Then three NC DDL files need to be updated (NCs l, 2, and 3) in order to complete the transaction. Each of the NCs must then be downloaded. However, one or more of the downloads could be skipped or an old data base incorrectly downloaded, resulting in inconsistent NCs in the field. Similar problems can occur if a template generation change fails or is cut off in the middle for some reason. The following cases demonstrate the inconsistencies which can arise.
Assume that, after the above changes have been made, NCl is downloaded first. Then the system directory for S will indicate that object 0 should reside on NC3. Until NC3 is downloaded (if it ever is!) object O can not be found, since the directory says it should be on NC3. This is the first problem case - a directory pointing to an object which is W091/117~ PCT/US91/~551 not there. Note that bound references will continue to use the old object O-in NC2 for now. New bindings can not be accomplished since the directory is needed for new bindings and it points to a non-existent object. Further assume that NC2 is downloaded next. This creates the same problem as above with the additional problem that even old bindings will fail, since the old version of object O is now deleted. Until NC3 is downloaded the object does not exist.
Now suppose NC2 is downloaded first. This is ag~in the same problem, since the old directory for S still points to NC2 which no longer contains the object. Current bindings become invalid and new bindings can not be made. After NC2 is downloaded, further assume NCl is downloaded second. Same problem again occurs, since the directo~ points to NC3 which has not been downloaded with the new object yet and the old object is gone.
Now assume NC3 is downloaded first.- As a result of this download, there are two-copies of object O in the field. This demonstrates a second proble~ which can arise - duplicate objects with the same name in multiple NCs. Old name bindings previously discussed will continue to use the old version of O in NC2. New bindings will also go to NC2 since the directory is still not updated. Until NCl is downloaded, the new version of O is inaccessible. This is referred to as an "orphan object" - it cannot be accessed, since its name is in no directory. There is no way for the user to WO91/11766 PCT/US91/~551 examine, change, or even delete this version of the object. This demonstrates that a third problem can arise. After NC3 is downloaded, further assume NCl is downloaded. Now there are still duplicate objects O but features can be bound to BOTH copies of O. Old bindings to O are still valid, since the object can still be found on NC2 but new bindings will go to NC3 since the new object is in the directory. Thus, for example, event.triggers which cause high level features to refocus certain tasks, as discussed below, could be signed-up and received from both copies at the same time. If the object type of O has not changed, then both triggers will be considered valid by the receiving task. This is a variation of problem two (duplicate objects) - now binding can be made to both versions. Other scenarios result in the same problems. That is, downloading NC2 then NC3 or vice versa results in a directory in NCl pointing to a non-existent object in NC2 and an orphan object in NC3.
In summary, then, the following problems can occur after downloading:
a. A directory in a node can point to a non-existent object.
b. Orphan objects cannot be accessed or removed - no directory points to the object; and c. Duplicate objects can occur and binding can be to either copy of the object.
These downloading problems can not be auto~atically corrected, since the software can not .. . .~

W091/11766 PCT/US91/~551 know where in the order of download the user is -i.e., it can not determine what the NC data bases should look like now or when the downloads are completed. However, the problem can be detected and the operator alerted as follows.
Assume the following definitions:
Directory NC - the NC or node containing the directory for syste~ S.
Object NC - the NC or node containing an object in system S.
"Here I am" message - a message which is sent by an object to its directory NC signifying that the object exists, where it is found and its type.
"Are you there" message - a message which is sent by a directory to one of its objects requesting the object respond (to determine if the object is on the correct NC and is the correct type).
Since inconsistencies normally arise out of download, the following scenarios would catch the above errors as they are introduced. The object NC
sees its directory NC come online - in this case the NCs could be out of synch, since one could have had changes made while the other was off-line. Thus, it is necessary to resynchronize the directories. This is done by each object whose directory is in the NC
which came online (as defined by the global system directory data base) sending a "Here I am" message to -ts directory NC. This catches two of the problems. First, it catches orphan objects, since WO91/117~ PCT/US91/~1 the directory NC will not find the object in its directory. It can then report an error to the user.
Second, it catches duplicate objects since both try to report to the same directory. However, one must be an orphan since the directory can only point to one of them at a time. Again an error can be sent by the directory manager of the directory NC to the user. A check could also be made on the object type to guarantee that the object repQrting in is the proper object type as determined by the directory.
In a second case, the directory NC sees the object NC come online. In this case sending an "Are you there" message from the directory to its ob~ects checks for the existence of the objects. This catches the errors in which a directory points to a non-existent object, since the object does not respond if it is not there. Again, object types could also be cross-checked.
In a third case, the directory NC sees the object NC (or vice versa) go off-line. Little can be done here until communications between the two can be established.
In a fourth case, the object NC sees the directory NC downloaded. This is treated the same as the online case. The objects send the "here I
am" message to determine if the download changed anything.
In a fifth case, the directory N~ s~es the object NC downloaded. This is the same as the second case. The "Are you there" message is sent to determine if the object is still there.

WO91/~1766 PCT/US91~55}

In summary, the "Here I am" message is used to catch duplicate and orphan objects at those times when the relationship between the directory and object NC may or may not be used. The "Are you there" message catches non-existent objects, since these will be caught by the references when they occur.
A directory manager tas~ in the node is responsible for performing both halves of the solution. The directory manager task maintains a Reference Identification (RID) table. Thus, it knows all objects that are defined on the NC and can run through this list when a directory NC comes online, etc. It sends the "Here I am" messages for all objects whose system is on that other NC. If necessary, it can run through the directories it owns and send the "Are you there" messages to all objects defined to reside on that other NC.
In addition, the directory manager receives both of these messages on the other end. The "here I am" is sent to the directory manager which checks its directory to ensure that the object is supposed to be-where it is. The "Are you there" message also goes to the directory manager of the object NC who looks in the RID table for that object.
This linkage checking need only be done when the system and object lie on different NCs. The inconsistencies are not possible within a single NC.
If they exist, it is due to a template generation transaction which was interrupted. In that case, the user can be made aware that a problem exists, , " ,~ ~ ~ . ... .. .

W O 9~ 766 PCTtUSgl/005~1 since an error can be issued at the time the transaction was interrupted.
The way in which one NC sees that another is online, downloaded, etc. is done the same as for trigger handling. The node status message is sent to the node manager which distributes it to the directory manager after which the above processing can occur.
Error messages are inevitable when a point lo and its system are on different NCs, since one NC
must be downloaded before the other. This will happen even if the user conscientiously downloads all the affected NCs. However, the number of such cases (split object and directory) typically is few and this will most likely occur only when an object is moved from one NC to another.
In a facilities management system, it is preferable to replace polling type applications where a needed data value is repeatedly read at some interval with an event based scheme which only executes an algorithm when a value changes. This requires recognizing when data has changed and associating the change of data with a triggerable object or feature. In a distributed environment, it must be recognized that the owner and user of the data may be in separate nodes or processors, as data bases may be changed independently of each other.
Introducing a sign-up mechanism allows a feature needing specific data to request the node containing the specific data or data element to inform the feature whenever the specific data or data element WOgltll766 PCT~US91/00551 changes. As a result, polling is no longer required. However, in a distributed environment, a node containing the specified data may experience a download of a new data base resulting in a loss of the sign-up request. The same problem occurs if the data moves from one network node to another. Thus, if a node is updated by data base generation or download, the signing up feature must be informed.
As previously discussed, each node periodically transmits a time stamp indicating its most recent data. Thus, if a node has been detected to go off line or to have been downloaded with new data, the sign-up feature will invalidate its sign-up and attempt a new sign-up with the- new data base. If this is not possible, the binding scheme previously discussed allows the signing up feature to determine where the data has now been located. If the data is no longer available, of course, sign-ups are not possible.
It should be noted that trigger sign-ups can be used to drive several features including event totalization or a customized feature programmed by the user. Similarly,-sign-ups could also be used to drive the refreshing of person machine interface screens rather than interval refreshing of such screens. This would allow immediate notification to a user of changes in the state of the variable or data.
Figure 33 illustrates the process. As shown in block 33-l features sign up for triggering by objects which are named data elements in the system.

WO91~117~ PCT/US91~551 In block 33-2, a processor in the node checks if the object is present on the network. As shown in block 33-3 if not, the feature begins monitoring the network to determine if a new network controller (NC) becomes added. When a new NC is detected as shown in block 33-4, the feature checks the new NC
for the triggerable object and repeats the processing in block 33-2.
When a feature determines the object is present, then the feature tests to determine if new data was downloaded with the object in an NC, as shown in block 33-5. If this is the case, the feature repeats its sign up in block 33-l.
Otherwise, as shown in block 33-6 the feature monitors the triggerable attribute of the object.
Block 33-7 shows that changes to the attribute's status sends a trigger to the feature (block 33-8).
Whether or not the feature receives the trigger, the feature repeats processing beginning at block 33-5.
This allows the feature to recognize downloads of new data to the node having the object so that it can again sign up to be triggered. By repeating step 33-2, the feature can pick up triggerable objects which have been relocated in the network.
According to the invention, global data in the network controllers identify the destinations of various reports created during system processing.
A system produces several types of reports with unique lists of targets. For example, reports can be of the critical type (1-4) maintenance (follow-up), and status. In addition, point history ,. ., .. . .. , , ,. ., . ~ ~ , . .. .. .

W091/11766 PCT/US91/~51 ,~3 reports, totalization reports, trend reports, and transaction log or trace reports are created.
Another requirement is that all critical type reports in a facilities management system be preserved until delivered to at least one of the targets defined for the report type. In order to facilitate report routing, all reports emanating from a given node are routed to a specially designed report router task for ultimate distribution to various hard copy devices, computer files, and other storage devices. As shown in Figure 34, if point 34-1 changes, a message is sent to report router 34-3 in network controller 34-5 through communications task 34-23. Report router 34-3 determines that the message should be sent to its preferred destination, printer 34-7, which is under the control of network controller 34-9. This is accomplished by report router 34-3 sending the change of state information to I/O task 34-11. Report router 34-3 also keeps a COpy of the message. If printer 34-7 prints the message, notification is sent back to report router 34-3 and the copy is deleted.
On the other hand, if printer 34-7 is off-line or for some other reason cannot print the messa~e, I/O task 34-ll notifies report router 34-13, which is the report router available in the same network controller as the destination printer. If report router 34-13 is unable to locate a default device, the message is discarded. Report router 34-3 receives no message from report routers 34-11 or 34-13 and therefore report router 34-3 indicates SUBSTITUTE SHEET, PCr~US~ 5 1 WO91/l1766 _,34 -that the information has not been stored or printed by not indicating a change of state. The report router 34-3 then m~intains its copy of the message.
on the other hand, if report router 34-13 locates a default device, such as printer 34-15 connected to network controller 34-17 to report router 34-19, report router 34-13 routes the message to Io task 34-21 for transmission to printer 34-15.
If the default device also does not operate, the message is discarded and no message is returned to report router 34-3 indicating that the report has been neither printed nor stored. Report router 34-3 then keeps a copy of the message in its save file.
If a printer comes on-line, all report routers are notified. If the save file contains a message, the message is routed to the specified device again. Should the save file be fi~led, the lowest priority and oldest message is removed from the save file and an error is logged on the system.
Figures 35 and 36 illustrate distributed filter processing for generating report summaries.
Report summaries are generated based on an object name and certain selection criteria. One approach is to have the remote device which is to receive the summary retrieve each object directory and then retrieve a record for each object identified in the directory. The remote device then keeps only those records which meet the criteria for the summary.
However, this would require a significant amount of processing and communication among nodes. Thus, localized filtering, e.g., filter task 35-11, of the SUB~T9TUTE SHEET

. " ~.
..

-lC~2-data at the node at which WO9ltl1766 PCT/US91/~551 the particular object directory of interest is located is desireable.
As shown in Figure 35, feature 35-1 and node 35-3 may require transmitting a data summary to PC
35-5. However, the objects required to construct the summary may be scattered throughout the system.
The object directory is directory 35-7 located in NC2, shown at 35-9. As shown in Figure 36, feature 35-1 generates a directive specifying an object name and selection criteria in function b~ock 36-1. In function block 36-5, the object directory 35-7 is located in network controller 2 shown at 35-9. At step 36-3, the object directory is read from the node location and the number of records and attributes with the same system and object name is recorded. Using the object directory 35-7 the objects are retrieved from network control nodes in NCl, NC2, NC3, and NC4. When the objects are retrieved, in step 36-9 the selection criteria included in the directive generated in step 36-1 are applied. As indicated in step 36-11, if the criteria is not met, the element is discarded, while if the criteria is met in the function block 36-13 the attribute is stored in the messa~e buffer.
Decision block 36-15 tests whether all the attributes have been evaluated. If not the selection criteria is applied to the next attribute.
If all the attributes have been evaluated, a message is generated to send a single message to the requesting node 35-1 in the form of a message block with the attributes requested.

WO9l/117~ PCT/US91/~551 For purposes of illustration, system 1 in Figure 37 can be a facilities management system (FMS) having nodes 37-3, 37-5, 37-9 and 37-11 which function as network controllers to process data related to building and industrial, environmental, security and other automated system controls. As illustrative node 37-3 shows, each such node or network controller has at least one processor 37-2, a memory 37-6, and equipment interfac,e circuits 37-

8. Such equipment interface circuits mayaccommodate numerous equipment interconnection arrangements, including, but not limited to, interfaces which use direct and secondary communications links to the node. In operation, network controller 37-3 could be monitoring measurements from air flow sensor 37-10 and temperature sensor 37-12 and in response opening and closing dampers 37-14. It is understood however, that nothing limits the application of this invention to such FMS systems and that numerous types of networked systems can benefit from this invention.
In the system 37-1, network controllers 37-3 and 3i-5 are connected by a first communications link. The first communications link 37-4 is connected via gateway 37-7 to a second communications link 37-17 having network controllers 37-9 and 37~ attached. The nodes attached to communications links 37-4 and 37-17 can be considered to form individual networks. The number of nodes or network controllers on a network and the WO91/11766 PCT/US9l/~51 number of networks interconnected by gateways on a system is a function of systems re~uirements and capabilities. It is understood that the principles of the present invention apply to any number of nodes or network controllers on any number of communication linXs and are not limited in this respect.
According to a routing convention in Figure 37, each node is identified by a network address.
The elements of a network address include at least three fields: first, an identifier of the communication linX called a subnet, and second, a local address of the node on the communications link or subnet. For example, node 37-9 is at subnet 2 local address 1. The third field of the network address is the port number of the node from which a device is dropped, called the Drop ID. As illustrated in Figure 37, each individual configured node itself is Drop ID 0. Non-configured devices, such as lap top computers or other data processing devices, can be connected or dropped to numbered ports of the node. Here it is again understood that the present invention accommodates any number of node ports and introduces no limit on such node port capabilities. A port of non-configured lap-top computer 37-13 can be connected to a port from a node, such as node 37-3 and assigned a network address. For example, if port 2 of non-co~f~gured lap-top computer 37-13 is connected to port 3 (Drop ID 3) of node 3 which is at subnet 1, local address 1, the network address of lap-top 37-13 is 1:1:3 as WO9l/11766 - PCT/USgl/~551 shown in Fig. 37. It should be noted that the port of lap-top computer 37-13 is not part of the network address. Figure 37 further illustrates that another lap-top computer 37-15 can be part of the network as S originally configured. According to the naming convention, such devices are identified as additional nodes on additional subnets, in this case, subnet 3, local address 1, Drop ID 0.
Finally, for convenience, the naming convention allows further appending an identifier of a process in the device, although this is not required. The only requirement is that the subnet, local address and the Drop ID be included in the fields of the network address. Such process identifiers identify the process in the device which is the source of the message and which will usually receive the response, and the process in the device which is the destination of the message and which will usually generate the response. It should be further understood that nodes or network controllers can be organized into any combination of processing layers such as network and data link layers from the open system interconnection architecture of the International Standards Organization or any other convenient architecture, as illustrated in Figure 38.
According to the invention, when a non-configured device is attached to a port of a configured node, the non-configured device establishes its presence on the port. When receiving messages from other configured nodes the W O 9~ 766 PCTJUSgl/00~51 configured node first determines-from the subnet and local address destination portions of the message if it is the destination node. If not, the message is passed on to the next proper configured node defined by the route. At the destination, the configured node evaluates the Drop ID of the received messages to determine if the message is for itself (Drop ID
o) or for the attached-non-configured device (non-zero Drop ID).
Figure 39 illustrates the generation and transmission of a message by a process on non-configured lap-top 37-13 which seeks to communicate over the network with another device. To initiate the communication request shown in block 39-301 an initialization phase first takes place in which the non-configured device establishes its location on the network. Non-configured device 37-13 sends a message requesting the address of the node or FMS
network controller to which it is attached, in this case node 3. The node or FMS network controller responds by activating an initialization task which sends the network address including the subnet, local address and Drop ID back to the non-configured device. The non-configured device then stores this information as its network address.
In function block 39-303 the non-configured device accesses this address and uses it as the source address -portion of messages it generates.
These messages include both the source address and destination address and data or data requests to be transmitted. For illustration, assume that non-WO91/117~ PCTtUS9~/~55 configured lap-top 37-13 has requested data concerning the status of a-damper 37-16 recorded in configured lap-top 37-15. In function block 39-305 the processor in the node transmitting the message determines if the request is for a process remotely located in another node or for a local process in this node. If not, as shown in function block 39-307, the request is delivered to the local process and exit 39-309 is taken. If the request is for a process in another node, function block 39-311 determines if the source and destination network addresses are valid. This requires that network processing layer 38-201 in the node verify that the subnet, the local address of the node or network controller on the subnet, the Drop ID and the process identifier are valid. If not, error processing 39-313 begins and exit 39-309 is taken.
If the network addresses are valid, the network layer 38-201 in the first node references a routing table stored in a memory 37-6; to determine the next hop in the path. As previously discussed, such routing tables may be static or dynamic, centralized or decentralized. For illustrative purposes only and not as a limitation of the invention, a static routing table is assumed. The request is then tagged with the network address of the transmitting node for acknowledgement by the next intermediate destination in the data link layer 38-2b3 o~- the node, as shown in function block 39-317.
Transmission of the request then takes place in function block 39-319.

W O 91/11766 PCT~US91~005~1 As discussed above, Figure 39 illustrates the activities involved following a request from a non-configured device to communicate over the network.
The same processing takes place when a node or 5network controller transmits a response from a configured device. Thus, by using the same processing that takes place when a network controller or node transmits a response from a configured device, a request by a non-configured 10device to communicate over the network can be accommodated.
Figures 37 and 38 and the table in Figure 41 show further detail in routing the request from the non-configured lap-top source 37-13 to the 15configured lap-top destination 37-15. Non-configured lap-top source 1:1:3:PIDX identifies a process on subnet 1, local address 1, Drop ID 3 identified as PIDX. The message from non-configured lap-top 37-13 also identifies the destination as 20subnet 3, local address 1, Drop ID 0, process PIDY.
Thus, the first routing, which would not be defined in a routing table at configuration time, is from 3-PIDX to l:l:O. This represents the path between the non-configured lap-top 37-13 and the 25node or network controller 37-3. The static routing tables which were defined at configuration provide the routing from node or network controller 37-3, network address 1:1:0, to configured lap-top 37-15, network address 3:1:0. As shown in Figures 37, 39, 30and 41 the next stop from node 37-3 identified in the static routing table is to the network 1 side of , . , ~ . .. ,. ~

WO 91~l1766 PCr~US9l/OO~S

gateway 37-7 which is defined as subnet 1, local address location 4, Drop ID 0. The routing table in gateway 37-7 directs this request to the output of the gateway at subnet 2, local address 4 Drop ID 0.
The routing table at the gateway determines that the efficient route for this request is directly to node 11 defined as subnet 2, local address 2, Drop ID 0.
Node 37-11 has its own routing table which routes the message off port 3 to an address defined as lo subnet 3, local address 1, Drop ID 0. The message is then routed to the process identified as PIDY.
Figure 38 illustrates the acti~ities that take place in the network and data link layers at each intermediate stage of the process. As previously discussed, the intermediate receivers and senders of messages are determined by the entries in the static or dynamic routing tables in memory at each node. In the intermediate stages, a message is received and an acknowledge signal is transmitted by - 20 the data link layer 38-203 of the receiving configured node to the intermediate node whic:h forwarded the message. The network layer 38-201 determines if the destination for the message is this configured node or some other configured node and finds the appropriate next intermediate destination from the routing table. The data link layer 38-203 retags the message for acknowledgement by the next intermediate stage and then transmits the message to the next intermediate destination identified by the network layer 38-201.

, .. .~ ., , y , , , . , ~. ~ , .
.. . . .

WO91/11766 PCT/US91/~551 Figure 40 illustrates the activities of any given node which take place upon receipt of a request from a non-configured device. These activities are the same as those that take place upon the receipt of a response from a configured device. Thus, the same approach for handling receipt of responses from configured devices can be used to respond to a request from a non-configured device. As previously discussed, messages from configured nodes are tagged by the forwarding node so that receipt can be acknowledged. As shown in Figure 40, in function block 40-403 the message is first evaluated to determine if the tagged message is from a valid source to a valid destination and whether the message is appropriately tagged, as previously discussed relative to Figure 39. If not, as shown in function block 40-405, the message is discarded and an exit 40-407 is taken. In addition, other known tag functions for reliability such as sliding windows, can be performed. If the processing in the data link layer 38-203 in function --block 40-403 identifies the message as valid, function block 40-409, also a part of the data link layer- 38-203, transmits an acknowledgement of receipt of the message to the forwarding node. At the network layer 38-201, the message is tested in function block 40-411 to determine if the destination process is located at the receiving configured node. If so, function block 40-413 delivers the request to a process local to the receiving node -and takes exit 40-407. If the WO91/117~ PCT/US9l/~551 destination process is not located at this node, network layer 38-201 processing continues as shown in block 40-415. The destination process is then tested to determine if it is for a non-configured node. If this is the case, the network layer readdresses the response for a non-configured device, the data link layer retags the response and it is then transmitted, as shown in function blocks 40-417, 40-419 and 40-421 respectively. ~f the lo processing in block 40-415 is such that the destination process is not at a non-configuring node, the request is readdressed for the next hop in the path, retagged, and transmitted as shown in blocks 40-423, 40-425, and 40-427 respectively. It should be noted that processing in function blocks 40-409-427 is the same for receipt by any node in the system.
Figure 41 shows that the response from configured lap-top 37-15 can be routed to non-configured lap-top 37-13 at network address 1:1:3 by retracing - the exact message path -previously traversed in going from non-configured lap-top 37-13 to configured lap-top 37-15. Using this approach, it is not necessary to actively evaluate an additional data co~munication path to return the information required by the non-configured device.
The response from lap-top 37-15 containing the status of damper 37-16 is routed back through the nodes to node 37-3 which as previously discussed, tests the messages it receives to determine if the message is destined for the node itself or for the .. ..

WO9l/11766 PCT~US91/~SSI

non-configured device on the node. In this case lap-top 37-15 addresses the response to the source of the request, identified as network address 1:1:3.
Since node 37-3 at subnet l, local address recognizes the Drop ID 3 as the node port attached to non-configured device 37-13, the response is sent to lap-top 37-13.
Finally, it should be noted that a response from configured node 37-15 to the request from non-lo configured device 37-13 need not traverse the same path. For example, in adaptive routing systems variations in message traffic conditions may result in the response traversing a different path through the network than the request. Indeed, it is possible for the network on communications link 37-4 to employ a static routing scheme, while the network on communications link 37-17 employs an adaptive routing, or vice versa. All adaptive, all non-adaptive, or any combination of networks can be used with the invention. However, regardless of how the response reaches the configured node, the configured node routes the message to the non-configured device based on the Drop ID in the network address given as the destination of the message. As a result, functions which are not normally incorporated into the network can be performed by attaching a non-configured device to a convenient port from one of the nodes on one of the networks in the system.
This is because the Drop ID of the network address allows responses from configured nodes to be routed W091/l1766 PCT/US91/~551 to non-configured devices dropped from ports on configured nodes.
Figure 42 shows one possible configuration of a facilities management system using a network approach with multiple levels of control. Network controllers 42-l, 42-3 and 42-5 operate at a first level and communicate with each other over a high speed network bus 42-7. The number of network controllers which can be interconnected is limited only by the capabilities of the network controllers themselves and the high speed bus 42-7. Each of the controllers 41-l, 42-3 and 42-5 at this first level are peers because they have access to the same high speed network ~us and operate to control other lower level functions.
Figure 42 illustrates this principle at network controller 42-S. Network controller 42-5 operates as a master node relative to slave controllers 42-ll, 42-13 and 42-15. The network controller 42-5 communicates with slave controllers 42-11, 42-13 and 42-15 over a local bus 42-9 and with other network controllers over high speed bus 42-7.. As the master controller, network controller 42-S allocates resources on the local bus among the slave controllers 42-11, 42-13 and 42-15. Each slave controller performs its individual functions and communicates with data acquisition units 42-17, 42-19 and 42-21, respectively. Data acquisition units connected to sensors provide information needPd for the- slave node to perform its data processing functions.

WO9l/117~ PCT/US91/~55l Certain functions in the slave nodes 42-11, 42-13 and 42-15 may require ac~ess to information obtained by data acquisition units not controlled by the particular slave node. For example, in performing its individualized function, slave node 42-ll may require access to information provided by sensors connected to data acquisition unit 42-19 which is controlled by slave controller 42-13. In order to obtain this data, the slaYe controller 42-ll signals network controller 42-5 over the low speed bus 42-9. In traditional systems, network controller 42-5 then transmits a message over low speed bus 42-9 to slave controller 42-13 requesting the data. Slave controller 42-13 would then respond by transmitting the data to network controller 42-5 over the low speed bus 42-9. Network controller 42-would then pass the required data to slave controller 42-11.
As the above example illustrates, the request from slave controller 42-11 for data available from data acquisition units 42-19 results in a series of messages transmitted over the low speed bus. As the number of data access requests across slave controllers increases, the message traffic across the slow speed bus grows at a high rate resulting in data bus congestion and a reduction in processing efficiency.
The situation is compounded by ad~ltional requests made from peer network control nodes over the high speed bus. For example, for network controller 42-3 to access data available from data , . .. ~ ,, ,j .~ . . " .. . .

WO91/11766 PCT/US91/005~1 acquisition unit 42-l9, a request must first be made to network controller 42-5 over high speed bus 42-7.
Network controller 42-5 then communicates over local bus 42-9 in the manner described above. Thus, additional message traffic occurs both on the local low speed bus 42-9 and on high speed bus 42-7. In addition, if network controller 42-3 is making its request for data based on a request for data based on a lower level slave controller of its own, additional delays are incurred on the local bus connecting network controller 42-3 and its slave controllers. Thus, it is inefficient for each data request to generate a series of messages-resulting in the actual data being obtained from the data acquisition-unit controllin~ the particular sensor.
An additional problem occurs when the network controller 42-5 itself requires access to multiple data items acquired by the data acquisition units 42-17, 42-l9 and 42-21. A "feature" of a system, defined as a function performed by the system, often requires data from one or more sensors which may be at different locations in the system. When one feature implemented by a portion of the program in network controller 42-5 requires access to data available from a data acquisition unit, the network controller must seize control of the local bus and transmit a message to the appropriate slave controller to acquire the information and transmit the information back to the master controller. The slave controller responds by transmitting the requested information. This also results in WO91~11766 PCT/US91/00551 communication bottlenecks and reduced data processing efficiency. As-a result, higher priority functions, such as fire alarm messages, become stacked in a waiting list delaying corrective action.
Figure 43 shows one embodiment of the present invention. Network controller 43-23 is connected to high speed bus 43-25 and slave controllers 43-27, 43-29, 43-31 and 43-33 over local bus 43-35. As previously mentioned, any number of slave controllers can be connected to network controller 43-23 depending on the processing capabilities and requirements of the networ~ controller and on the communication capabilities of the local bus. In figure 43, network controller 43-23 is shown having three representative features, 43-35, 43-37 and 43-39. It is assumed that each of these features is carried out under the control of processor 43-41.
The number of features shown is by way of illustration and is not intended as a limitation.
It is further assumed that each of the features represents a desirable function requiring access to data available through the slave controllers and is carried out in network controller 43-23. Finally, Fig~re 43 shows a stored data table 43-43. The stored data table is a cache memory used to hold values of data items as they are received from the slave controller by the master controller. Aging timers 43-45 are associated with each data item received and represent a predetermined time during which an individual data item in stored data table WO91/1176~ PCT/US91/~51 43-43 is valid. Thus, each data item in stored data table 43-43 is associated with its own aging timer 43-45.
In operation, when a feature within the network controller or another processor or network controller requests data to perform a function, the network controller determines if the data is available in stored data table 43-43. If the data is present in the stored data table, the network controller then determines if the aging timer associated with the data has expired since the data was last acquired. If the aging timer has expired, the network controller then issues messages required to obtain new data from the appropriate processor and data acquisition unit. If the aging timer has not expired, network controller 23 provides the feature, or other processor with the most recent information available in the stored data table. As - a result, it is assumed that no significant change in the value of the sensor has occurred.
Assume that at to Feature 1 represented by reference number 43-35 in Figure 43 requests data from a sensor controlled by slave controller 43-27.
Network controller 43-23, under the control of processor 43-4l, determines that there is no entry in stored data table 43-43. Thus, network controller 43-23 issues messages over the local bus to slave controlier 43-27 directing-slave cont~c1ler 43-27 to obtain the information from a data acquisition unit and provide the information to network controller 43-23. When network controller ~, .. , . ~ . .. . .

WO91/11766 PCT/US91/~5~1 lZl 43-23 receives the data from slave controller 43-27, it stores the information in the stored data table and associates a predetermined aging timer with the data item stored. It should be noted that the aging timer can be implemented in any number of ways known in the art. For example, a count down clock could be set and counted down from the time the information is stored. This could be achieved by preloading a register to a known state and clocking the register up or down until a second logical state, e.g. all logical ones or logical zeros, is attained. Alternatively, the time of storage could - be recorded and compared with the time at the next data access. In this case, we assume, for example, that the aging timer is set for lO0 milliseconds.
The selection of lO0 milliseconds is based on predetermined system characteristics in which it is known that data acquired by this particular sensor will be valid for lO0 milliseconds.
At to plus 50 milliseconds Feature 2 requests access to the same data. Under the control of processor 43-4l, master controller 43-23 determines that the data item requested exists in stored data table 43-43. The master controller then tests the corresponding aging timer. Since data acquired at t~ was valid for lO0 milliseconds and since the data access in this case occurred only 50 milliseconds after the data was acquired, the data aging timer has not expired. Therefore network controller 43-23 will provide the data to be processed by Feature 2 from the stored data table. This is true even if WO91/11766 PCT/US91/~S3 the sensor controlled by slave 43-27 has changed in value. The advantage is that no further data communication is required over the local bus for Feature 2 to have access to a valid value of the required parameter.
At toplus lO0 milliseconds Feature 3 requests data available from a sensor controlled by slave controller 43-29. Since this data has not been recorded in the stored data-table 43-43, network controller 43-23 issues the appropriate data communication messages to acquire the data. When network controller 43-23 receives the data from slave controller 43-29, the data is stored in the stored data table 43-43. At to plu5 lSO milliseconds Feature l again requests access to the same data element obtained by slave controller 43-27 at to.
However, the processor in the network controller determines that the data aging timer has expired.
Thus, network controller 43-23 issues messages to acquire fresh data through slave controller 43-27.
Assuming network delays of l millisecond, the data is stored in the stored data table at to plus 151 milliseconds. Since the data aging timer for this data is lO0 milliseconds, the data will remain valid until to plus 251 milliseconds.
It should be noted that the stored data table was not updated at lO0 milliseconds when the data aging timer for the data acquired at to expired.
Even though the value of the sensor data controlled by slave 2i may have changed by this time, no WO91/11766 PCT/US91/~5~1 feature or other processor required access to this data. Thus, it was not-necessary to update the stored data table until access to the expired data was required. This further reduces unproductive communication on the local and high speed data buses.
Another embodiment of the invention is shown in Figure 44. Figure 44 illustrates a further reduction in communication bottlenecks on a high speed networX bus 44-50. Network controller 44-52 performs representative Features 44-53, 44-56 and 44-58 under the control of processor 44-60. Network controller 44-52 also contains data storage table 44-62 and aging timer 44-64 and is connected over local bus 44-65 to slave controllers 44-66, 44-68, 44-70 and 44-72. SUch slave controllers generally may be connected to one or more sensors, S, or other devices. Similarly, network controller 44-54 performs Features 44-74 and 44-76 under the control of processor 44-78. Network controller 44-54 further includes data storage table 44-80 and aging --~
timer 44-82 and communicates over local bus 44-83 with slave controllers 44-84, 44-86 and 44-88.
By way of example, at time to Feature 44-74 requests data available from a sensor controlled by slave controller 44-84. As previously discussed, network controller 44-54 generates appropriate messages over local bus 44-83 which causes slave controller 44-84 to acquire the data and transmit it to network controller 44-54. Network controller 44-54 then stores the information in the stored data .

WO91/11766 PCTtUS91/~551 table 44-80 and assigns a predètermined aging time value 44-82. At to plus 30 milliseconds, a feature (44-53, 44-56, 44-58) in network controller 44-52 requests the same data over the high speed network bus 44-S0. In response, network controller 44-54 determines from the data storage table 44-80 and the data aging timer 44-82 that the current value in the data storage table is valid and need not be updated.
Thus, network controller 44-54 t~ansmits over network bus 44-50 the requested data as found in the data storage table. In addition, network controller 44-54 transmits the time the data was read (the actual value of to) and the value of the aging timer.
In response, network controller 44-52 stores the data received in its data storage table 44-62 and provides it to the requesting feature for processing. In addition, network controller 44-52 determines the time the data is stored in its data storage table 44-62 and how ~uch longer the data will be valid based on the aging time transmitted by network controller 44-54. Assuming delays of approximately 2 milliseconds in transmitting data, the data is stored in data table 44-62 at to plus 32 milliseconds. Since the data would be valid from to to to plus lO0 milliseconds, network controller 52 determines that the data will be valid for an additional 68 milliseconds. Thus, network controller 44-52 stores an aging time value of 68 milliseconds as aging timer 44-64 corresponding to the data ele~ent obtained from network controller 44-54. Thus, for the next 68 milliseconds, the time CA 02244009 l998-04-23 during which network controller 44-54 will not again access slave controller 44-84 to obtain this data, features in network controller 44-52 or slave controllers connected to network controller 44-52 over local bus 44-65 will obtain this particular data element from data storage table 44-62. As a result, unproductive data requests over network bus 44-50 are also eliminated. Thus, in this embodiment the transfer of the data aging timer value among peer nodes connected on a network can produce significant reductions in data communications requirements. It should also be noted that another alternative to transferring the data aging timer from the network controller containing the requested data in its data storage table is to transfer the remaining time available on the data aging timer.
This would allow the receiving network controller to avoid the requirement to calculate t~e remaining time during which the received data would be valid.
It should also be noted that the use of the aging timer in a distributed facilities management system (FMS) further allows the user to define variable valid time periods for individual pieces of data.. For example, a slave controller accessing data from a sensor sensing outside air temperature need not access the data as frequently as a sensor monitoring the temperature of a furnace. This is because the rate of change of outside air temperature is slower than the rate of change expected in a furnace. Thus, the data aging timer would be different depending on the variability WO91/11766 PCT/US91/~51 characteristic of the data. In lieu of user defined data aging timers, the default values which are automatically implemented in the absence of further user defined information can also be programmed.
In distributed facilities management systems, reliability of the data received (or not received) is often an issue. According to the present invention, as an aid to consistency and completeness, each data value passed between features of the facilities management system is tagged with a reliable/unreliable indicator. As shown in Figure 45, when data is requested in function block 45-l, the received data is tested at decision block 45-3 to determine if the received data was within the expected range. If not, one possible alternative in decision block 45-5 is to execute processing that determines if an alternate source of the data is available. Such processing may include sorting through directories to identify other physical locations in the network where the data is located. For example, the source data may be stored at another memory location in the same or another node, or the same data may be available from another sensor. Such processing could also include determining if a substitute for the unreliable data could be derived from other data available on the network.
Function block 45-7 tests to determine if the alternate sources have been exhausted. If not the data could be obtained from an alternate source and retested in decision bloc~ 45-3. If no alternate source is available or if the alternate sources are exhausted, another option is to use the previous " , ... ", . " ~ , .~ , . . . . . . . ....

WO91/117~ PCT/US91/00~1 _12 -value of the data. Thus, function block 45-9 tests if the previous value is available~ If a previous value is available, it would then be determined if the previous value is useful in this process at 45-ll. If so, the previous value is used as shown in function block 45-13 and the data is tagged with a reliability indicator appropriate to such old data in function block 45-15. If a previous value is not available or not useful, in function block 45-17 a decision is made as whether alternate control is available. If not, or if alternate control is determined not to be useful, as ~hown in function block 45-l9, the data can be used and tagged with an indication of its unreliability. Of course, if alternate control is available, such alternate control techniques can be executed as shown in function block 45-21. New data received in the alternate control process would also undergo reliability testing as shown in function block 45-23. In any case, once data is tagged with a reliability indicator in function block 45-l5, the data can then be passed on to other features as shown in function blocks 45-25 and 45-27. This provides an indication of the reliability of the data which can be included in intermediate calculations as an indication of the reliability of an ultimate calculation. The use of the reliability indicator is discussed further below relative to control of proportion and integral and derivative (PID) control loops.

SUBSTITUTE SHEET

W091/11766 PCT/US91/~551.

~2'-According to another aspect of the invention, Figures 46A and 46B show a proportional plus integral plus derivative (PID) loop object. The PID
loop object SUBSTITUTE SHEET

WO91/11766 PCT/US91/~551 is implemented in software at the software object level, as discussed previously. Thus, the PID loop object has a data base manager which manages processes and attributes stored in a storage means of a node or network controller, as do other software objects. Within the facilities management system, according to the invention, tasks for processing PID loops are divided among a PID data base manager task and 16 PID loop execution tasks.
Thus, a PID controller may control up to 16 instances of the PID loop.
Figure 47 shows a control loop with PID
processing. The PID data base manager first provides an interface to other tasks in the network which may read data, e.g. 47-5, from a PID loop, write to a PID loop, or command a PID loop. The second PID data base manager task is to schedule processing of each of the 16 instances of PID loops.
The third responsibility of the PID data base manager is to execute an auxiliary signal switch processing, output filter processing, high/low signal select processing and reliability switch processing in accordance with the inputs to these processing functions.
As shown in Figure 46, a PID loop object has six inputs 46-l which are used by an input conditioning process 46-3 to calculate a feedback value for the PID loop. Each of six inputs 46-l may be floating point values such as analog parameters or references to attributes of other objects, as previously discussed relative to pseudo points. The references to attributes of other objects must be objects in the same physical digital control module WO91~117~ 129 PCT/US91/~5~1 (DCM) functioning as a PID controller. As an analog value, the input value or the value on other parts that accommodate analog values may change as a result of a command from a network controller. As previously discussed, if a port refers to an attribute of another object, the value of the attribute is obtained each time the corresponding processing is executed. This is achieved by sending a read attribute message to the specified object transmitting the message between tas~s within the digital control module functioning as the network controller rather than over the N2 bus. It is also possible for ports to be individually overridden in which case, the override value is used as the value of the port until a command to release the override is received. If a port is an analog value, the last value commanded by the network controller is remembered and acted upon when the command to release is received. Only the network controller initiates and releases overrides.
The setpoint input 46-5 may also be a floating point value or a reference to an attribute of another object, as previously discussed. The setpoint value 46-5 is the desired value of the feedback value and it is used in PID processing 46-7. -Offset value 46-9 may be a floating point value or a reference to an attribute of another object. The offset value 46-9 performs two functions. If input conditioning processing 46-3 determines that àll 6 scalers 46-ll are o, then PID
processing 46-7 is disabled and offset value 46-9 is used as the output of PID processing 46-7. If any .

W091/117~ PCT/US91/~551 of the 6 scalers 46-11 is not o, offset value 46-9 is added to the output value calculated by PI3 processing 46-7. The offset may be used to introduce other control actions to the PID
processing where it may be used to indicate the first output command the PID processing issues on start-up.
High saturation limit 46-13 may be a floating point value or a reference to an attribute of another object. High saturation limit 46-13 is an input directly to PID processing 46-7. PID
processing is prevented from issuing a command to the PID output above this high saturation limit 46-13. Low saturation limit 46-15 may also be a floating point value or a reference to an attribute of another object. A saturation limit 46-15 is provided directly to PID processing 46-7 and establishes a lower limit below which PID processing 46-7 will not issue a command to the PID output.
Auxiliary signal input 46-17 may be a floating point value or a reference to an attribute of another object. The auxiliary signal input 46-17 is an alternate input that may be passed on to the output of auxiliary signal input processing 46-19 discussed below. High/low signal input 46-21 may be a floating point value or a reference to an output of an another object in the digital control module functioning as a PID controller and is an alternate input that may be selected for passing on by high/low select signal processing 46-23.
The 8 outputs 46-25 are used to adjust manipulated variables, e.g., of a controlled process to desired states so that the setpoint and feedback WO91tl17~ 131 PCT/US91/00~51 variables are equal. The outputs refer to any attribute of any object in the same physical PID
controller. The command from the PID loop is routed to each of the objects defined in these references.
The PID processing also uses this information to determine if the object specified by this reference has been overridden by some other task.
Certain parameters are analog values and cannot be overridden. The six scalers 46-11 are lo each floating point values to represent coefficients for each of the corresponding six inputs 46-1 to input conditioning processing 46-3. Sample period 46-27 has a range of 1-32767 seconds and determines how often the PID processing 46-7 is executed for a PID loop. Proportional band 46-29 is a floating point ~alue which sets the sensitivity of the PID
processing 46-7 to the difference between the feedback value and the setpoint value (the error).
The magnitude of the error causes a swing in output value. A positive value indicates a reverse acting control while a negative value indicates direct acting control. Of course, these controls could be reversed without violating the spirit of the invention.
Integral time 46-31 is a floating point value which p~ovides the PID processing sensitivity to the integral of the error. This is the time it takes the integral term to equal the proportional term given a constant error. Setting this value to o.o removes the integral action from the PID control processing. Derivative weight 46-33 also is a floating point value and gives the PID processing sensitivity to the rate of change of the feedback value. This term in conjunction with the integral time and the proportional band determine the amount of the derivative control provided. Setting this value to 0.0 removes derivative action from the PID
control processing. Dead band parameter 46-35 is a floating point value which is compared to the absolute value of the difference between the set point and the input conditioned feedback. If this dead band value is not exceeded, no error change is considered by the PID processing 46-7. Hysteresis compensation bias 46-37 ranges from 0.0 to 100.0 and represents the amount of hysteresis encountered between the output point and the feedback point.
This proportional value is used to compensate for process hysteresis.
Feedback value 46-39 is calculated by input conditioning processing 46-3 and is a floating point value. PID processing 46-7 attempts to make feedback value 46-3g equal the set point value 46-5.
The start data 46-41 includes information from previously iterations of the PID processing 46-7.
In the first pass to PID processing 46-7, these values are set to 0.0, except for the previous direction value which i5 initialized to 1Ø The -~
historical data includes the previous feedback value applied for derivative control, the previous integral term supplied for integral action and bumpless transfer, the previous hysteresis compensation bias for hysteresis removal, the previous output value for hysteresis removal, and the previous direction of output values for hysteresis removal. The previous direction of W O 91/11766 PCT/US91~00~5 output values is se~ equal to one for increaslng values and equal to minus one for decreasing values.
The processing of PID loops is divided among a data base manager task and 16 PID loop execution tasks. As such, the PID controller digital control module may control up to 16 instances of PID loops.
The PID data base manager task has 3 primary responsibilities. First, to provide an interface to other tasks or objects in the PID controller or node which may want to read data from PID loop, write data to a PID loop, or command a PID loop. The second task of the PID data base manager is to schedule processing upon each of the 16 instances of the PID loop. The third responsibility is execution of subsidiary processing which may include auxiliary signal switch processing 46-19, output filter processing 46-43 in accordance with filter weight 46-61, high/low signal select processing 46-23 to generate H/L selected flag 46-75, and reliability switch processing 46-67 producing reliability value 46-73.
In order to perform these tasks, the PID data base manager can react to two types of write record messages. The first is the ADD LOOP message which adds a PID loop to the data base. It also causes the configuration information for that loop to be written to an EEPROM so tha~ the loop will be automatically added once power is returned after a power failure. The second type of write record message is the DELETE LOOP message. This causes execution of the PID loop to cease and the definition of the loop to be disabled. It also causes the o~ject connected to the output of the SUBSTlTl;Jl-~ SHEET

W 0 91/11766 PCT/US91/~0551 loop to be notified that the loop is no longer defined.

SUBSTITUTE SHEET

W091/11766 l~ PCT/US91/~551 The PID data base manager also accommodates two types of read record messages. The ~EAD
CONFIGURATION read record message causes the current working definition for the 'given PID loop to be formatted and sent back through the N2 bus to the network controller. The other read record message is READ CURRENT STATE. This causes information on the current state of the PID loop along with values used during the last iteration of the processing to be sent via the N2 communication bus to the network controller.
START UP causes a PID processing 46-7 to react as if it had just been added. All historical data for the processing is reinitialized. The first output from the PID processing will the~ be based on the current offset 46-9 and the correction due to the current proportional control.
A write attribute causes the specified attribute of the given PID loop to be set to the value in the message. This causes the output of the PID loop to change as a result. A read attribute causes the current value of the attribute to be returned to the requestor. If the attribute is override, the override value is returned. If the -attribute is a reference to an attribute of another object, the read attribute message is redirected to the destination object.
Where valid, an override attribute causes the value in the message to take precedence over the normal value the input would receive until a release attribute message is received for that attribute.
A release override attribute causes the effect of the override attribute message to be removed.

CA 02244009 l998-04-23 W O 91/11766 135 PCr/US91/

The PID data base manager also causes reporting of change of states. Such change of state reported include changing of a PID loop reliability flag 46-45, changing of a high saturation flag 46-47, changing of a low saturation flag 46-49, and changing of a PID processing reliability flag 46-51.
These flags are discussed below.
The primary function of the PID loop data base manager is to provide scheduling. The PID loop data base manager continuously monitors the amount of time that has elapsed since the last time the PID
loop was processed. When the sample period amount of time 46-27 has elapsed, the PID dàta base manager task collects the current state of the ports used by the PID processing 46-7. To collect the current state of the ports used by PID processing 46-7, the PID data base manager determines if the port is in an override condition or is defined as an analog value or an reference. As previously discussed, if an override, the override value is used as the value of the port. If the port is an analog value its value is used, and if the port is a reference, a read attribute message is sent to the object specified and the value returned is used as the value of the port. The PID data base manager checks the reliability of the data and the response and flags ~he port as reliable if the data received is determined to set that category.
It should be noted that the PID data base manager executes a priority scheme to allow each PID
loop to be processed every sample period-~ithin 15%
of its sample period. This is done through a series of PID executive tasks which are each given a WO91/11766 136 PCT/US91/~551 different priority. When the definition for a PIr loop is added to a PID controller, the PID data base manager determines which PID executive task will provide the execution for that PID loop based on the sample period of the PID loop. PID loops with shorter sample periods are assigned higher priority PID executive tasks. PID loops with longer sample periods are assigned to tasks with lower priorities.
When a PID loop is deleted from the PID controller, the PID data base ~anager task rearranges the association between PID loops and PID executive tasks according to the sample periods. When the sample period of a loop is changed, the priority of the loops is rearranged.
After collecting the current state the PID
executive task also provides any historical data needed. The PID data base ~anager then begins executing input conditioning processing 46-3. Input conditioning processing 46-3 provides for input summation, difference, averaging and various other accumulative functions or for the instantaneous maximum or minimum of the given inputs. The accumulative function, chosen by setting the input ' function attribute 46-lO0 to l, is as follows:

Feedback value =( ~ scalar (n)* input value (n)) n=l It should be noted that if the input is a reference to a object of another attribute and is null, then no point has been specified and a scaler of zero is used. If the scalar is zero then the input is ignored.

WO91/11766 137 PCT/US91/005~1 The minimum function, chosen by, setting the input function attribute to 2 is as follows:
minimum of scalar (l) * input value (l) or, scalar (2) * input value (2) or, scalar (3) * input value (3) or, scalar (4) * input value (4) or, scalar (5) ~ input value (5) or, scalar (6) * input value (6) The maximum function, chosen by setting the input function attribute to 3 is as follows:
maximum of scalar (l) * input value (l) or, scalar (2) * input value (2) or, scalar (3) * input value (3) or, scalar (4) * input ~alue (4) or, scalar (5) * input value (5) or, scalar (6) * input value (6) The 16 PID execution tasks are identical and differ only in their priorities as discussed above.
Upon each iteration of the PID processing 46-7, the PID d~ta base manager sends one of the PID executive tasks all the needed data to perform the processing for one of the instances of the PID loop. Upon completion of the PID processing, the PID executive task sends the calculated output 46-53 along with all the updated intermediate results to the PID data base manager task. It should be noted that no data about a PID loop is stored between iterations.
PID processing in general is as follows:
E(t) - (setpoint (t) - feedback (t)) Pterm (t) = l00 * E (t) / Pband Iterm (t) = ((T / Itime) * Pterm (t)) + (l~T/Itime) + Iterm (t-l) Dterm (t) = Dweight * (Itime / 4T) * (l00 / Pband) * feedback (t-l) - (feedback (t)) OUT (t) = Pterm (t) + Iterm (t-l) + Dterm (t) W091/117~ 138 PCT/US91/~551 t Offset (t) + Hysteresis compensation (t) Where:
F (t) = The value at time t F (t-l) = The value at the previous iteration E (t) = The error at time t Pterm (t) = The proportional control contribution at time t Iterm (t) = The integral control contribution at time t T = The sample period Dterm (t) = The derivative control ~ontribution at time t Setpoint (t) = The set point at time t Feedback (t) = The feedback value at time t Pband = the proportional term coefficient Itime = The integral time coefficient Dweight = The derivative term coefficients Offset (t) = An externally controlled compensation term Hysteresis compensation (t) = The action needed to compensate for hysteresis in the system Whenever the output _ommand from PID
processing 46-7 changes direction of travel (that is the derivative of PID processing output 46-53 changes sign) PID processing 46-7 may be configured to compensate for any hysteresis that occurs in the process between the output of the PID controller and the associated input. This is done by adding (or subtracting) the hysteresis compensation value 46-35 to the output 46-53 of PID processing as the direction of travel is increasing (or decreasing).

W091/117~ PCT/US91/00~1 Bumpless transfer describes the reaction of PID processing 46-7 as control is transferred from one control method such as human control or another PID loop, to PID processing 46-7 of this loop. The control reaction is predictable, and is based on a difference between the feedback and set point as well as the previous command sent to the output just before control was transferred to PID processing 46-7.
Whenever the auxiliary signal switch enable attribute is set, or all the outputs that might receive the command from PID processing are overridden, PID processing 46-7 goes into a tracking mode. In the tracking mode, PID processing 46-7 prepares for bumpless transfer by continuing to calculate Pterm(t). When one of the outputs is released from the override condition, or the auxiliary signal switch enable attribute is reset, the PID executive task obtains the value the output was commanded to and uses it along with Pterm(t) from the previous iteration to perform the bumpless transfer. In the case of an override due to Hand/Off/Auto switch being in the Hand or Of f position, this last commanded value is not available. Therefore, bumpless transfer is not provided once the switch is returned to the Auto position.
The High and Low Saturation Limit inputs 46-12 and 46-15, typically specified in percent full scale deflection of the output, specify the boundaries which the command to the output of PID
processing must stay within.

.. . , ...... . ,. .~ . . ... .

WO91/117~ PCT/US91/~551 PID processing 46-7 provides the facility O r determining and annunciating when PI~ processing has become saturated, that is PID processing can not command the output to reach set point. PID
processing is determined to be saturated when the command for the output for 40 consecutive iterations .has been within 1% of the High Saturation Limit value 46-13, or the output for 40 consecutive iterations has been within 1~ of the Low Saturation Limit value 46-15.
once PID processing has been determined to be saturated, either the High Saturatioh Flag 46-47 or the Low Saturation Flag 46-49 is set accordingly to annunciate the fact. This in turn causes the PID
data base task to issue a change of state message so that functions in the network controller (NC) may act accordingly. These flags are reset once the Auxiliary Signal Enable flag 46-55 is set, or all the outputs are placed in an override condition.
Saturation recovery is also provided by PID
processing 46-7. The processing is designed so that the integral action does not "windup". once the processing attempts to command the output beyond the values specified for the High and Low Saturation Limits.
After executing PID processing 46-7, the PID
executive task sends a message back to the PID data base manager task containing the new value for the PID Output Value attribute 46-53, along with all the updated intermediate results needed for the next iteration of PID processing for this PID.
The PIDEXEC task may then call other specialized processing. This call may suspend the other ongoing processing or it may provide data on the current iterations of the PID processing.
A call to suspend specialized processing is sent when a process loop is determined to be unstable, or when it has been determined PID
processing 46-7 does not have control of the outputs of the PID loop as discussed below relative to fault tolerant processing. This condition is indicated when the PID loop is determined to be unreliable, the PID processing is in the tracking mode, or the Auxiliary signal switch processing 46-l9 is commanded by the Auxiliary signal switch enable attribute 46-55 to pass the Auxiliary signal input 46-17 to output 46-57, or High/Low Signal Select processing 46-23 has selected the High/Low Signal input 46-21.
If none of the aforementioned conditions exist, then the appropriate data on the current iteration of the PID algorithm is sent in calls for further processing.
It is also possible to by-pass PID processing to insert a signal in place of the signal 46-53 which normally comes from the output of PID
processing 46-7. If all 6 scalers 46-ll are 0, PID
processing 46-7 is by-passed and the value of offset 46-9 is used as the PID output value attribute 46-53;
PID loop object 46-2 further provides that the output of PID loops can be effected according to the status of auxiliary signal switch processing 46-l9, output filter processing 46-43 and high/low signal select processing 46-23. This occurs when the PID data base manager task receives a write W O 91~11766 142 PCT/US91~00~51 attribute message that changes the input of one c~
these algorithms or the PID executive task for the PID loop has finished execution and has sent a message to the PID data base manager checking in the changes it has made to the configuration of the PID
loop. The auxiliary signal switch processing 46-l9 examines the state of auxiliary signal enable flag 46-55. If the flag is set, the value of the auxiliary signal input 46-17 is passed to auxiliary switch value attribute 46-57. If auxiliary signal input 46-17 is unreliable, the last reliable auxiliary switch value 46-17 is passed on. If the auxiliary switch enable flag 46-55 is reset, the value of the PID output value attribute 46-53 is passed to the auxiliary switch value attribute 46-57.
Output filter processing 46-43 receives its value from auxiliary switch value attribute 46-57 and performs a first order filtering upon the value.
The output is placed in the output filter value attribute 46-59. Filter weight attribute 46-61 is used to define the effectiveness of the filter and can a range of 1.0 to +10~, wherein a filter weight of 1.0 effectively disables the filtering.
Filtering is performed according to the following equation:

Output filter value = previous filter values +
((1/filter weight)*PID output value - previous filter value)).
.

The previous filter value is the value calculated in the last iteration. The above WO91/11766 l43 PCT/US91/~551 equation is calculated every sample period or every time the auxiliary signal input 46-17 is changed or every time the offset 46-9 is changed when all the scalers are 0. If a previous filter value does not 5exist because the previous iteration's data was unreliable, or because it is the first pass through the processing for this instance, the auxiliary switch value 46-57 is passed directly to the output . filter value attribute 46-59. The last reliable 10output filter value attribute 46-59 is issued to the output filter value if there is a math error while calculating the filter output.
High/low select processing 46-23 compares the output filter value attribute 46-59 with the value 15of the high/low signal input 46-21. If the high/low select state attribute 46-63 is set, the greater of the two inputs is passed to the high/low select value attribute 46-65. If the high/low select state attribute 46-63 is reset, the lesser of the two 20inputs 46-21 and 46-59 is passed on. In the event that the high/low sig~al input 46-21 is unreliable, the PID loop unreliable flag will be set in the high/low select value attribute will remain at its last reliable value. The high/low select flag -attribute is set when the high/low signal input 46-21 is selected. A change in the state of this flag causes a report to be sent over the N2 bus.
Reliability switch processing 46-67 reflects the reliability of the commands issued to the outputs 46-25 of the PID loop. During processing for the PID loop, should the input data for any of the PID loops become unreliable, the output of the processing remains at the last reliable output value ~O9l/l1766 PCT/~S9l/00551 for the loop. In addition, the PID loop reliabi _-y flag 46-45 is set to be unreliable whenever the data supplied by the high/low signal attributes 46-65 is unreliable. This flag is also set to an unreliable state when any of the following conditions occur:

1. If the condition of the auxiliary signal enable flag 46-55 is set to route the auxiliary signal input 46-17 to the outputs of the PID loop, and the auxiliary signal input 46-17 is unreliable.

lo 2. If the PID output attribute 46-53 is routed through the auxiliary signal switch processing 46-19 and the calculations used to generate the PID output attribute 46-53 are determined unreliable. These calculations are deemed unreliable when any of the ports used by the PID processing 46-7 receives unreliable data or when a math error, such as a division by 0, has occurred during the calculatior..

Following the execution of the high/low signal select processing 46-23, the PID data base checks the PID loop reliability flag 46-45. If this flag is reliable, the PID data base issues the output command to the output specified for the given PID loop definition. If the PID loop is unreliable, 2~ and the unreliable response selector flag 46-69 is reset, the PID data base manager issues the last reliable output command from the high/low signal select processing 46-23 to the output. Otherwise, it issues the comma~d specified by reliability default attribute 46-71 to the output.

WO91/11766 PCT/US91/~5~1 The PID data base manager task sends the write attribute co~mand to the appropriate object data base manager specified by the output value attribute 46-73. The following values are supplied by the PID processing 46-7 on completion of execution. The PID data base manager task ensures that the current PID loop data base reflects these changes.
The PID output value is the command to be issued to the output point which drives the controlled variable toward the set point value. It may be thought of as percent of full scale between 0.0 and 100% deflection. The PID processing reliability flag 46-51 is either a 0 or l and indicates whether an error in the calculation has occurred or one of the ports used by the PID
processing 46-7 is unreliable. The PID loop reliability flag 46-45 is either a 0 or l and if 0 indicates that the command being sent to the outputs of the PID loop is based on reliable data.
Additional loop parameters are returned for the next execution of the PID processing 46-7.
These parameters include the feedback value for derivative control, the integral term for integral action and bumpless transfer, the hysteresis compensation bias for hysteresis removal, the output value for hysteresis removal and the direction of the output values (increasing = l, decreasing =
minus l for hysteresis removal, the previous feedback value and the error calculated between the set point and the feedback value). -W091/11766 PCT/US91/~551 The language also has a PI_RESET fu..__ion which is designed to reset a setpoin~ by means of a programmed proportional-integral calculation. It is designed for use in closed loop systems.
The control system 47-l shown generally in Figure 47 has an input device 47-3 which receives inputs along line 47-5 and generates control variables along line 47-7, often known as a feedback variable. A control variable on line 47-7 provides an input to a proportional-integral-derivative (PID~
device for o~ject 47-9 and to an object 47-ll which provides a fault tolerant control strategy. In the present context, typical objects include hardware and software combinations which perform functions desirable for a control loop. Such objects are typically implemented in software and stored in a memory portion of one or more automated processing control nodes 47-2 operating as a network. The organization of a system having hardware and software objects according to the present invention has previously been discussed.
The PID loop 47-4 is typically structured to operate under normal circumstances without assistance from the fault tolerant control strategy object 47-ll in control node 47-2. PID object 47-9 generates and receives PID loop variables 47-13 and also provides inputs and receives outputs from fault tolerant control strategy object 47-ll. The PID
output on line 47-15 is routed both to the fault tolerant control strategy object 47-ll and to switch 47-17. The Output Device Command on line 47-l9 of switch 47-17 can thus be swi~ched between the PID
output and the output of the fault tolerant control SUBSTITUTE SHEET

a-strategy ob j ect SUBSTITUT~ SHEE~T

WO91/11766 147 PCT/US91~551 47-21 based on command on line 47-23 also generatec by the fault tolerant output control strategy. The fault tolerant strategy of object 47-11 also receives process constants on line 47-25 and another output on line 47-27 generated by input device 47-29 which receives input signal 47-31.
The output device driving command on line 47-19 from switch 47-17 constitutes a manipulated variable driving output device 47-33 which generates a related manipulated variable on line 47-35. The related manipulated variable on line 47-35 is input to process 47-37 which completes the control loop by generating signals on lines 47-5 and 47-31 to input devices 47-3 and 47-29.
The purpose of the control loop is to generate manipulated variables on lines 47-19 and 47-35 to control the output device and to accomplish the desired process 47-37. In normal operation, PID
control is accomplished and switch 47-17 is set via signal 47-23 to PID output line 47-15. Thus, the fault tolerant control strategy object 47-11 merely monitors the status of control variable on line 47-9 and does not participate in the actual control of the loop.
Fault tolerant control strategy object 47-11 monitors control variable on line 47-7 to verify that the control variable is within a reliable range of values. When fault tolerant strategy object 47-11 determines that control variable on line 47-7, the feedbac~ variable, is no longer within the reliable range, the fault tolerant control stra~egy object 47-11 directs switch 47-17 to route to the output device command signal on line 47-19, the WO91/11766 PCTfUS91/~551 fault tolerant control strategy object output 47-21.
This is done via switch command line 47-23. At this point, based on process constants on lines 47-25 and signals 47-27, the fault tolerant control strategy object 47-ll implements a strategy which allows the related manipulated ~ariable on line 47-35 to continue to be adjusted even though the feedback, the control variable on line 47-7, is no longer reliable. Thus, the loss of feedback in the PID
control loop does not result in the loss of control over output device 47-33 or related manipulated variable on line 47-35.
Through input device 47-29 which monitors signals on line 47-31 from process 47-37, the fault tolerant strategy object 47-ll responds to dynamic changes in process 47-37 along with process constant 47-25 to generate signals to control the ~anipulated variables on lines 47-19 and 47-35. Thus, even under a failed condition, it is possible to retain a level of control over process 47-37 which minimizes the effect of the failure.
In one example, the fault tolerant control strategy addresses the typical HVAC processes including heating, cooling, and mixed air discharge temperature control.
Figure 48 shows phases of implementing a fault tolerant control strategy. These include commissioning 48-1, initialization 48-3, process monitoring 48-5 and control 48-7.
. Figure 49 outlines inputs and outputs of the process which takes place in implementing a fault tolerant control strategy. During initial commissioning 49-301 the fault tolerant control WO91/11766 PCT/~'S91/~5~1 strategy object is informed where parameters -e stored in a memory accessible to the fault tolerant control strategy object 47-ll, and what parameters are important to the process being controlled. For example, air temperature and flow rate parameters may be used to determine if, for example, a chilled water valve should be open or closed. Thus, initial commissioning identifies the variables which are used in the fault tolerant control strategy.
In a fault tolerant controller used in an HVAC system, there are three classes of information or parameters. The first is a static set of variables 49-303 which is the same for each PID
loop. These include the setpoint, a proportional band, and the control variable. A second set of parameters are process variables 49-305 which are the actual analog inputs obtained. These differ depending on the HVAC process 49-307. For example, some HVAC processes require outdoor air temperature while others require water temperature or pressure.
Finally, there are process constants 49-~09 which are PID loop dependent as a result of their dependency on physical devices used to monitor system performance. In implementing a fault tolerant control strategy object, it is also necessary to provide information concerning the configuration of the PID loop. This can be done either by programming the fault tolerant control strategy in a programming language or as a user block of a graphical programming tool 47-311. In either case, the routine is added to a control system database which can be accessed by the fault W091/11766 PCT/US91J~I

tolerant control strategy object and executed in a control node.
During initialization phase 49-313, a routine in the fault tolerant control strategy object 49-11 collects data concerning the process constants and the static PID loop and performs a stabilization check 49-315. As previously indicated, the constants can be hard coded and need only be read into the fault tolerant control strategy object once. The three classes of PID loop parameters represent the most recent state of the controlled process. The commissioning phase previously discussed provides the information on where these parameters are located in memory. During initialization, the parameters are read by the fault tolerant control strategy software object.
Initialization then verifies that a set of reliable static parameters 49-317 required for process control can be obtained. This is because a full set of reliable PID static data is necessary to allow execution of a fault tolerant control strategy.
Initialization, phase 49-313 verifies stabilization of the PID loop control, rather than ~
the variables or parameters. A PID loop is stable if the controlled variable remains close to the set point and fluctuations in the manipulated ~ariable are small. As part of the initialization phase 49-313, predetermined numerical measures of oscillation and sluggishness 49-319 are evaluated against the performance of the control loop.
During the monitor phase 49-321, the fault tolerant control strategy object 47-11 presumes stable process control and updates the static PID

WO91/11766 PCT/1'~91/OOSSl _ variables and the process variables. The pr--ary function performed during the monitor phase is evaluation of the reliability of the control variable 47-7 or feedback of the PID loop. This may be based on several physical analog inputs in the PID loop itself if, for example, the feedback is multidimensional. If this feedback, the control variable on line 47-7, goes unreliable, then the control mode of operation is entered. It should be also noted that it is not absolutely necessary to monitor the actual feedback or control variable.
Control variable 47-7 may be the output of a software object generating the control variable. In this case, the control variable is defined to be unreliable when any of the inputs to the software object generating the control variable become unreliable. Thus, if an analog input to the software object generating the control variable is detected to have become open or shorted, or if a non-legitimate value is generated during data manipulation in the software object (e.g., dividing by zero), then the fault tolerant control strategy assumes that the control variable 47-7 or the feedback has become unreliable.
When the control function 4g-323 is entered, the fault tolerant control strategy object 47-ll calculates the value to be used in place of the value generated by the PID algorithm. As indicated previously, this is basically an open loop control based on a model of the system and the current state of the variables. There need be no requirement of linearity between the process variables and the calculated-output command. Since the system SUBS~I~UTE SHE~T

W O 91/11766 152 PCT/~ 1/00551 responds to the current state of the process 4,- 7, it is also possible to respond to changes in ~he setpoint, as shown in the equation given below.
It should be noted that the fault tolerant control strategy object 47-11 may attempt to execute control at the same rate as the PID controller.
However, in most cases, control will be slower due to limitations of network performance. As previously indicated, fault tolerant control strategy object 47-11 control is ordinarily implemented in a control node and not in the PID
device which is part of the loop Thus, multiple communications over a local bus between the PID loop and the control node, and perhaps over a network bus lS interconnecting multiple control nodes increase loop response time under fault tolerant control strategies.
As previously discussed, a fault tolerant control strategy can be based in part on a model of the control process. The fault tolerant controller block executes once every twenty sampling periods of the PID controller. The process monitor and output switch functions execute once each sampling interval of the PID controiier. In one system configuration shown in Figure 50, the functions of the process monitor and output switch can be implemented directly in a Digital Control Module while the fault tolerant controller functions are implemented in the Network Controller.
Various variables required to implement a fault tolerant control strategy are listed in Table 1.

,, ~ ~ ~, ... .. . . ...

W091/11766PCTJUS91/~5~1 Inputs l. SP: Setpoint Variable (reference variable) 2. CV: Controlled Variable (feedback variable) 3. MVl: Primary Manipulated Variable (control output variable) 4. MV2: Secondary Manipulated Variable (Interacting control output variable) 5. PVl: Primary Process Variable (feedforward variable #l) 6. PV2: Secondary Process Variable (feedforward variable #2) 7. PB: Controller Proportional Band 8. AT: Controller Sampling Period

9. OUT: Controller High Saturation Limit

10. OUT: Controller Low Saturation Limit

11. BAND: Controller Error Tolerance Outputs 1. FLAG: Fault-Tolerant Enable Flag 2. BACKUP: Fault-Tolerant Output Local Variables l. CVo: Reference Controlled Variable 2. MVlo: Reference Primary Manipulated Variable 3. MV20: Reference Secondary Manipulated Variable 4. PVlo: Reference Primary Process Variable 5. PV20: Reference Secondary Process Variable 6. PBo: Reference Controller Proportional Band Figure 52 is a more detailed illustration of the fault tolerant control of the invention. PID controller 52-l, process monitor 52-3 and fault tolerant controller 52-5 all receive the setpoint SP and control variable CV. PID controller 52-l, process monitor 52-3 and fault tolerant controller 52-5 all perform individual processing which is discussed in more detail below.
Based on conditions in the system, fault tolerant controller 52-5 generates a flag output which is routed WOgl/117~ PCT/US91/~551 _ ., to an output switch 52-7. In addition, fault control_er 52-5 generates a backup output which is also routed to the output switch. The backup output is determined by the following equation:

S MVl=MV1~+EFF*(MV2-MV20)+(100~/PBo)*(SP-CVo+(EFF-l)*(P~1-PVlo) -EFF*(PV2-PV20)); with EFF being limited to a range of 20%-80~

The other input to the output switch is manipulated ~ariable MVl produced in PID controller 52-1. Under nor~al circumstances, i.e. when the system is not experiencing a fault, fault tolerant controller 52-5 sets a flag to output switch 52-7, such that the output of switch 52-7 is a primary manipulated variable from the PID controller 52-1. Generally, the manipulated variable corresponds to one output of a PID
process as shown in Figure 47. When a fault condition exists in the system, the flag causes the output switch 52-7 to route the backup signal from fault tolerant controller 52-5 to its output. As shown in Figure 47, the output of the switch can be used to drive an output device. Thus, a failure in the process control loop is accommodated by the fault tolerant controller, so that the output device remains operational, even if in a degraded state.
Figures 53A and 53B illustrate processing that takes place in process monitor 52-3. Typically, the process monitor operates in a digital control module.
A network controller typically executes the process 20 times slower than the monitor rate possible at the digital control module. Thus, processing is different in the process monitor depending on whether or not a .

~UBSnTUT~ SHEET

CA 02244009 l998-04-23 W O 9~ 766 PCT/~JSQt'~0551 execution has taken place in the network cor.--c ~r.
Prior to initiating processing, it is first determined in test block 53-73 if the control variable is reliable, as discussed herein. If not, the variables shown in block 53-71 are set and control is returned to test block 5~-73. In test block 53-1 the process monitor first determines if the interval is greater than or equal to 20 times the process rate in the digital control module. If this is not the case, t~e manipulated variable is tested as shown in blocks 53-3 and 53-5 to determine if it exceeds maximum and minimum outputs which have already been detected and stored by the monitor process. If the manipulated variable is beyond these stored values, then the appropriate maximum and minimum output is set equal to the manipulated variable in function- blocks 53-7 and 53-9. In either case, in function block 53-11, an error value is determined to be the absolute value of the setpoint minus the control variable. As shown in function blocks 53-13 and 53-15, if the present error exceeds a maximum error previously monitored by the process, the maximum error is set equal to the present error.
The above process continues to repeat until the interval is determined to exceed 20 times the processing time of the digital control module in function block 53-1.- At this point, control transfers to other function blocks which determine whether or not the system is saturated and whether or not the output is stable. If the maximum output as previously determined during processing previously discussed exceeds one percent less than the output high defined for the process, a high saturation variable is incremented. If not, the variable is set equal to zero as shown in .. ,, . . , . , . ~

W O 91/11766 PCT/us91/

_l,,a-comp 1 ete SU~TITUTE ~;HEET

~ O 91/11766 PCT/USq "~0~51 function blocks 53-19 and 53-21. similarly, i~ ;e minimum output as previously described is beyon ne predefined limit of an output low variable, as shown i n block 53-23, a low saturation flag is either incremented or set equal to zero, as shown in function blocks 53-25 and 53-29. At function block 53-31, it is determined if either of the saturation variables exceeds one. If sc, a saturation flag is set "true" as shown in block 53-33 and if not, a saturation flag is set "false," as shown lo in function block 53-35.
Processing in the process monitor then proceeds to identify the number of deviations beyond speciflc percentages of the range of high and low outputs. For example, function block 53-37 determines if the differences between the maximum output and minimum output of the process exceeds 15~ of the high and low outputs allowed. If not, a deviation variable is set equal to zero in function block 53-41. However, if the difference does exceed 1S% of the allowed difference between the high and low outputs, the deviation variable is incremented as shown in function block 53-39 Similarly, function blocks 53-43, 53-45, and 53-47 show a counting of the deviations from 9% while function blocks 53-49, 53-51, and 53-53 show how deviations beyond 5% are counted. It should be noted that since the deviation variables are reset to zero each time the difference between the maximum and minimum outputs is within the specified range, the deviation counts are incremented only in the case of consecutive variations beyond the specified range.
Function block 53-55 is used to determine whether or not the process is stable. If there have been more than nine counts of deviations greater than 5% or five counts of deviations from 9~ or three counts of deviations greater than 15%, function block 51-57 sets a STABLE variable to a "false'l state. This indicates that the system is not stable. If these deviations are within the acceptable ranges, then function block 53-59 compares the maximum error with a band variable which defines an acceptable range of error. Again, if the maximum error is out of the range specified by the band variable, the process is considered to be unstable otherwise, the process is considered stable as shown in function block 53-61. Function block 53-63 resets the variables before returning control to the process monitor executive. It should be noted that the output minimum and maximum are typically set to 100% and 0~
respectively. This assumes that the manipulated variable is provided in the form of a percent of full scale deflection. However, any other arrangement for adjusting a manipulated variable would be within the spirit of the invention.
Figure 54 illustrates processing in a fault tolerant controller object. As shown in function block 54-1, if the interval previously discussed has not expired, function block 54-3 merely updates the interval and no further processing takes place. However, if the interval has expired, fault tolerant control processing occurs. First, the interval is reset to zero as shown in function block 54-5. Next, a reliability status of the control variable is tested in function block 54-7.
When the status of the control variable is reliable, fault tolerant control processing then checks to determine if the output is saturated as shown in function block 54-9. If this is the case, the output is considered stable and no further fault tolerant .

~ 0 91~11766 PCT/~ nss processing occurs. If the output is not saturatec -:~en the routine moves to function block 54-11 which ~_..2cks the status of the STABLE variable previously calculated by the process monitor as discussed relative to Figure 53. If the STABLE variable is not "true", no further processing takes place. However, if the STABLE variable is "true", function block 54-13 determines if the data is reliable. If so, it sets the reference variables of the control variable, primary and secondary manipulated variables MV1 and MV2, primary and secondary process variables PV1 and PV2, and the proportional band PB
equal to the current corresponding values of the variables. Thus, the fault tolerant controller receives the most up to date values of these variables. The flag is set to FALSE as shown in function block 54-27 and control is transfered to function block 54-1 to test the interval.
In function block 54-7, if the control variable status is deter~ined to be unreliable, the fault tolerant control processing then PxA~ines the data. If the data is reliable, the setpoint, the primary and secondary process variables, and the secondary manipulated variable are set equal to the current values in function block 54-15. In function block 54-17, efficiency varlable EFF is set equal to the reference primary manipulated variable stored in the object, limited in value to between 20 and 80% rather than over the full 0-100% range. Function block 54-21 then calculates the backup value which will be transmitted to output switch 52-7. The equation for calculating the backup variable is shown in function block 54-21. As the equation indicates, the backup variable is a combination of the primary manipulated variable stored WO91/11766 159 PCT/US91~

in the object as modified by the secondary manipulated variables in percentages of the stored proportional band. Function block 54-23 shows that the backup ls limited to fall between the low and high outputs specified in the object for the process being controlled. In function block 54-25 the flag is then set "true" to direct output switch 52-7 to route the backup signal to its output. Fault tolerant control processing then returns to function block 54-l.
Figure 55 illustrates output switch processing.
In Figure 55 if the flag is true, the output signal is set to be the backup on the switch, however, if the flag has not been set true by fault toierant controller 52-5, and function block 55-5 determines that the status of the control variable is not reliable. The output at the switch is then routed to a previous or old value of the manipulated variable, as shown in function block 55-7.
If the status of the manipulated variable is shown in function block S5-5 to be reliable, the old manipulated variable is replaced with a new manipulated variable and the output is set equal to the new manipulated variable in ~unction blocks 55-9 and ll. Otherwise an old value of the manipulated variable is used. This terminates processing of the switch.
As a result of the above described processing, it is possible for a process control loop to maintain operation in a degraded state even if the feedback variable has become unreliably an output is unstable or an error is outside of allowable limits.

In order to reduce overall energy consumption, systems, such as facilities management systems, perform load rolling and demand limiting, which attempt to W O 91/11766 160 PCT/r-~~l~00551 manage load induced energy consumption over t ~. -h~-energy consumption is managed, for example, ~i~h a processor and a meter, and energy consuming load devices, or loads, are selectively deactivated, or shed.
According to one aspect of the invention, load shedding can be a high level feature of a first node which operates to shed loads or elements of loads controlled by one or more other nodes of the system. It is also possible for a node to manage energy consumption from lo multiple sources. For example, in one embodiment a node supporting load shedding features monitors four energy meters. The nodes which support operation of the loads and load elements receive load shedding commands from the node supporting the load shedding feature. In response, the nodes receiving the commands deactivate the selected nodes.
Dependance on communications between the node supporting the load shedding feature and the nodes supporting the loads is eliminated by incorporating a restore task into each of the load specific nodes. Fcr example, in Figure 51, first node 51-1 contains a high level load rolling software feature 51-3 which is responsive to system energy consumption monitored by meter 51-5. Based on the level of energy consumption monitored, load rolling feature 51-3 determines the required reduction in energy consumption. This is compared against energy consumption values in load table 51-7 to identify one or more currently active loads which can be shed to achieve the desired energy reduction. Load rolling feature 51-3 then issues a command on high speed Nl bus 51-9 which is read by other nodes 51-11 and/or node 51-13. It should be noted that the communication protocol used between the nodes is not a factor according to this aspect of the invention. ~o~~
example, the command from first node 51-l, could be directed to one or more specific nodes or could be broadcast to all nodes on the high speed bus 51-g.
Nodes receiving load shed commands from load rolling features process the commands and deactivate the loads identified. For example, second node 51-11 would deactivate one or both of loads 51-15 and 51-17 while third node 51-13 would deactivate either or both of nodes 51-19 and 51-21. First node 51-1 could also issue commands to shed loads from more than one node, if that is required to achieve the desired energy consumption and does not violate any other rules programmed to prohibit deactivating specific combinations of loads.
In addition to deactivating the loads, second and third nodes 51-11 and 51-13 perform local processing to restore the loads to operation at an appropriate time.
Performing such processing locally relieves this responsibility from first node 51-ll containing the load rolling feature. This allows node 51-l additional time for processing other tasks and improves system reliability by assuring the load is restored, even if the node which deactivated the load loses communication with the node containing the load rolling feature.
25 - Because load restore processing is localized in the node controlling the load, load restoration is independent of the feature and failure of the communications link 51-9 or first node 51-1 or downloading new information into first node 51-1 before the load is restored does not preclude the load from being restored to operation.
Localized load restore processing is accomplished by defining objects with attributes that follow shed and restore characteristics rather than by incorporating WO91/ll766 162 PCT!~

these characteristics into the load shedding pr- e:- as in previous systems. Localized restore proc_asing distributes processing of high level load shedding features. For example, attributes 51-23, 51-25 of software objects 51-27, 51-29 in nodes S1-11 and 51-13 describe the shedding and restoration characteristics of loads 51-15, 51-17 and 51-19, 51-21 respectively.
Typically, such restoration and shedding characteristics include maximum off times, minimum on time after activation of the load and certain safety features.
For example, a cooler turned off by a load shedding command may be reactivated if a monitored temperature exceeds a predetermined level. Thus, load shed processing is distributed on the network because the node initiating the load shedding is not required for restoring the shed load to operation, unless the node initiating the shedding also controls the particular load being shed. Since the loads again become operational, other features can also direct or monitor the same loads, even if the node initiating the load shedding goes off line at anytime.
In a related aspect of the invention, demand limiting features programmed into nodes seek to maintain energy consumption levels below predetermined targets during known time intervals of peak demand. This reduces system operating costs by reducing energy consumption during such demand periods when a utility charges premium rates. During, for example, a 15 minute interval, demand limiting might evaluate energy consumption over the last 14 minutes and assume that for the next 1 ~inute in the future, consumption will remain constant. The feature then determines the total energy consumption for the 15 minute interval and then, using .... I . ", ,, .~, . , , .. ~ ... . . .

W O 91/1~766 PCT/US91/0055 -.63-load tables 51-7, identifies loads which can be shed to maintain the energy consumption level below a predefined, stored target for the interval.
Demand limiting, according to the invention, can employ the same software object approach as described previously for load rolling. This distributes demand limiting processing and allows restoration of the load by a local restore process stored in the node controlling the load. In the case of demand limiting, the load may be restored when an attribute of the software object indicates an operator initiated command to restore the load. It should also be noted that the objects can accommodate immediate restoration or shedding loads if required in emergency situations, such as fire.
Figure 56 shows a network configuration with a plurality of nodes 56-1, 56-3, and 56-5 communicating with each other over a high speed bus 56-6. As previously discussed, each of the nodes may operate slave devices 56-9, 56-11, 56-13 over a local or slave bus 56-7. In order to reduce errors introduced by noise on the local bus 56-7, optical coupling can be used.
Such optical coupling provides the nodes with signficant levels of isolation from signal noise introduced by the slave devices not optically coupled to the bus leads.
External noise sources al50 produce RFI, EMI and other error inducing effects.
One such optical isolation approach is shown in Figure 57. The general configuration shown in Figure 57 is consistent with the RS/485 Electronic Industrles Association specification. Additional noise isolation is achieved by several techniques shown in Figure 57.

SUE~STITUTE SHEET

WO91/11766 l~ PCT/~S91/~551 one such technique is the use of pull up and pull down resistors to apply DC bias when devices are in a high impedance state. This DC bias is provided by resistor R381 which is connected to a positive 5 volt source, and R382 connected to the communications ground as shown in Figure 57. Thus, outputs JlAl and JlA3 are biased to a DC level where the line drives and receives in device U4~ are in the high impedance state. As a result, low level noise appearing on the signal llnes does not generate a detectable input.
Differential mode noise is noise showing up on the pair of transmit/receive wires as opposite polarity from one wire to the other. The bias voltage placed on the lines is a means of "swamping out" differential mode noise. It can do this because, without the bias, and with high impedance at all nodes, the lines are practically "floating." That is to say, noise is easily induced onto the line, both in common mode or differential mode. The bias placed on the line can easily "swamp out" the differential mode noise on these lines.
Common mode noise is noise induced on both the lines of the local bus (the reference line is not included in this discussion, since data signals are - never sent on that wire) in equal magnitudes with respect to earth ground. Since these noises are "looking" for a path to earth ground the lines from earth ground are isolated with the opto couplers. The circuits handle up to 2500 volts before an optocoupler would "break down" and let noise pass through. The opto isolators are protected with the tanszorbs and MOV
circuitry. Therefore, common mode noises greater than [56V (MOV) ~ 6.5V (TRANSZORB)] 62.5 volts would be ,.

W O 9~ 766 165 PC~US91~OOs~l shunted directly to earth ground via the MOV and transzorbs.
The optical isolation portion of the node has several optical isolators. Optical isolator U50 has two parts. A first part of the optical isolator is responsive to transmit signal TXDN. This signal drives one portion of the pair of optical isolators in U50.
The output of this first portion drives a line transmitter in U49, which as Figure 83 shows contains a lo line transmitter and a line receiver. In addition, retriggerable one shot USl responds to the transmit signal TXDN to source a current to an LED or other indicator which indicates that the node is transmitting data. In the transmit mode, a line transmitter portion of U49 provides signals to the plus and minus lines of the bus which drives the slave devices.
The same plus and minus signal lines connected to the bus provide receive signals which can be received ~y the line receiver portion of U49, as shown in Figure 83.
The output of the line receiver drives optical isolator U53. U53 then provides receive signals RX~N to the node. The received signals also drive another portion of retriggerable one shot U51. This provides an uninterrupted sourcing curren~ to a light emitting diode 25 - or other indicator to show that the node is receiving data It should be noted that the retriggerable one shots provide uninterrupted current to the transmit and receive indicators, so that the indicators remain constantly illuminated while data transitions are occurring in the transmission or reception of data.
This is different from conventional approaches in which the LED or other indicator is flashed as signals are transmitted and received. This flashing introduces W O 9]/11766 166 PCT/US91/005~1 noise currents which do not occur in the presen-.
invention.
It should be noted that the figure shows +5C and +5D power supplies. The +5C power supply is a communications power supply while the +5D power supply is a digital power supply. Separate power supplies are used to further reduce the effects of noise. A signal indicating a failure of one of the power supplies is produced by optical isolator U52. This optical isolator has a light emitting portion connected to the communications power supply and a light receiving portion connected to the digital power supply. If the +5C source goes bad, the POWER LED goes out because of a signal change at the "light receiving" part of the optocoupler. That signal is gated through logic to turn off the power LED. If the +5D goes bad, the power LED
goes out because it is driven by the +SD power supply.
The ~ptocoupler isolates both supplies from each o~her.
Thus, a failure of either power supply will produce an indication of a failure in the node. This is distinguished from conventional approaches in which a failure of the communications power supply would not be recognized in the receive mode and would only be recognized in the transmit mode from the absence of transmissions. In addition, by using the +5D supply on the light receiving portion of optical isolator U52, additional noise immunity is achieved. This is because the communication supply is further isolated from the failure indicating signal. The +SD supply may have high frequency noises present due to the use of crystals and fast logic switching of high-speed CMOS ga~es; the +5C
supply may have noises on it which were brought in from the outside world on the local bus. These noises may be " , ~ , ....

up to 2500 volts, peak, with no effect to the operation of the system.
Finally, the present invention is distinguished from conventional systems by its use of a single pair of signal lines for both transmission and reception of data on the bus driving the slave devices.
Finally, it should be noted that indicia definin~
the operating instructions for causing the system to function as described herein may be stored in EPROM or other suitable storage medium for use by the processors.
The operating instructions may also be contained on other storage media such as a magnetic storage media having indicia defining the operating instructions for conveying the operating instructions into volatile memory should a volatile memory be desired for sequencing such a processor. The magnetic storage medium may therefore be retained for future use should the volatile memory suffer a power outage. Such storage media and processors are well known in the art and therefore have not been described in greater detail herein.
While specific embodiments of the invention have been described and illustrated, it will be clear that variations in the details of the embodiments specifically illustrated and described may be mad~
without departing from the true spirit and scope of the inve~tion as defined in the appended claims.

Claims (40)

THE EMBODIMENTS OF THE INVENTION IN WHICH AN EXCLUSIVE PROPERTY OF
PRIVILEGED IS CLAIMED ARE DEFINED AS FOLLOWS:

1. A method of accessing network controllers in a facilities management system with a portable computing unit, the network controllers in the facilities management system being arranged to control a process, the network controllers being configured as at least one network and being interconnected by at least one communication link, each of the network controllers including an equipment interface for receiving data related to the process, and a processor including a drop port, the processor being coupled to the equipment interface, the facilities management system being initialized so that the network controllers are configured to each have a network address indicative of a particular location in the facilities management system, the network address including a subset indicative of an associated communication link to which the network controller is connected, a local address indicative of the network controller, and a node drop ID indicating that the network controller is a configured network controller, the portable computing unit being a non-configured device not part of the network, the method comprising:
connecting the portable computing unit to a first port of a first network controller of the network controllers, the first configured network controller configured on the system at a first location defined by the subset indicative of the communication link and a first local address indicative of the first network controller;

assigning a first network address to the portable computing unit, the first network address including the subset, the first local address and a first drop identifier indicative of the first drop port of the first network controller;
transmitting a request for data received at an equipment interface of a second network controller located at a second network address from the portable computing unit to the second network controller, the request including the second network address as a destination indicator and the first network address as a source indicator;
transmitting the data from the second network controller to the portable computing unit in response to the request for data, the data including the second network address as the source indicator and the first network address as the destination indicator;
receiving the data from the second network controller at the processor of the first network controller according to the subset and local address of the first network address;
transmitting the data to the portable computing unit through the first drop port specified by the first drop identifier portion of the first network address.

2. The method of claim 1 wherein each network controller further includes a network layer, and a data link layer, the facilities management system including intermediate network controllers located between the first network controller and the second network controller, the method further comprising:
transmitting the request for data to the intermediate controllers along a path between the first network controller and the second network controller, the intermediate network controllers receiving the request at the data link layer and decoding the destination address in the network layer, the intermediate network controllers retransmitting the request at the data link layer along the path to a next intermediate controller until the second network controller is reached.

3. The method of claim 2 further comprising:
retrieving the data from the equipment interface of the second network controller in response to the request for data.

4. The method of claim 3 further comprising:
transmitting the data to the intermediate controllers along the path between the first network controller and the second network controller, the intermediate network controllers receiving the request at the data link layer, decoding the destination address in the network layer, the intermediate network controllers retransmitting the request from the data link layer along the path to the next intermediate controller until the first network controller is reached.

5. The method of claim 4 further comprising:
routing the data between the portable computing unit and the second network controller along routes for message traffic between the first network controller and the second network controller in accordance with a routing table stored in the network controllers.

6. The method of claim 5 further comprising:
storing at each network controller a routing table when the facilities management system is initialized, the table having an entry for the destination address, the entry of the table defining the next address along the routes for message traffic.

7. The method of claim 6 further comprising:
storing portions of predetermined routes in sequences of the intermediate network controllers as a series of network addresses, each network address defining a next location along the path from the first network controller to the second network controller.

8. The method of claim 4 further comprising:
receiving the data at the data link layer of the first network controller, and providing the data to the network layer, transmitting the data from the network layer to the first drop port of the processor of the first network controller.

9. The method of claim 8 further comprising:
receiving the data with the portable computing unit at the first drop port.

10. The method of claim 4 further comprising:
storing a static routing table at each network controller, the static routing table having an entry for each destination address, the entries of the table defining the next address along the path from the first network controller to the second network controller.

11. The method of claim 4 further comprising:
storing the predetermined route portion in a table in a central processor in the facilities management system and accessing the table to define the route.

12. The method of claim 4 further comprising:
adaptively routing the request and data between the portable computing unit and the second network controller along the routes for message traffic between the first network controller and the second network controller determined by a dynamic routing strategy sensitive to message traffic throughout the facilities management system.

13. The method of claim 1 further comprising:
predetermining the routes when the facilities management system is initialized; and storing portions of the predetermined routes in sequences of the network controllers as a series of network addresses, each network address defining a next location along a path from the first network controller to the second network controller.

14. The method of claim 13 further comprising:
storing a static routing table at each network controller, the static routing table having an entry for each destination address, the entries of the table defining the next address along paths from the first network controller to the second network controller.

15. The method of claim 13 further comprising:
storing the predetermined route portion in a table in a central processor and accessing the table to define the route.

16. The method of claim 1 further comprising:
routing the data between the portable computing unit and the second network controller along routes for message traffic between the first network controller and the second network controller.

17. The method of claim 16 further comprising:
storing at each network controller a routing table, the table having an entry for the destination address, the entry of the table defining the next address along the routes for message traffic.

18. The method of claim 16 further comprising:
adaptively routing messages between the portable computing unit and the second network controller along the routes for message traffic between the first network controller and the second network controller determined by a dynamic routing strategy sensitive to message traffic throughout the facilities management system.

19. The method of claim 1 wherein the portable computing unit is a lap top computer.

20. The method of claim 1 wherein the process is internal environmental control.

21. A facilities management system configured to allow access to the system by a non-configured portable computing unit, the facilities management system including a plurality of network controllers arranged to control a process, the network controllers being configured as at least one network and being interconnected by at least one communication link, each of the network controllers including an equipment interface for receiving data related to the process, and a processor including a drop port, the processor being coupled to the equipment interface, the facilities management system being initialized so that the network controllers are configured to each have a network address indicative of a particular location in the facilities management system, the network address including a subset indicative of an associated communication link to which the network controller is connected, a local address indicative of the network controller, and a node drop ID indicating that the network controller is a configured network controller, the facilities management system comprising:
a first configured network controller including a first processor having a first port for receiving the portable computing unit, the first configured network controller configured on the system at a first location defined by a first subset indicative of the communication link, a first local address indicative of the first configured network controller and the node drop ID;
a second network controller having a first equipment interface, the second network controller being coupled to the communication link and being configured on the system at a second location defined by a second subset indicative of the communication link and a second local address indicative of the second configured networked controller, the second network controller having a second network address including the second subset, the second local address and the node drop ID;
means for assigning a first network address to the portable computing unit, the first network address including the first subset, the first local address and a first drop identifier indicative of the first port;
means for transmitting a request for data received at the first equipment interface of the second configured network controller located at the second location from the portable computing unit to the second network controller, the request including the second network address as a destination indicator and the first network address as a source indicator;
means for transmitting the data from the second configured network controller to the portable computing unit in response to the request for data, the data including the second network address as the source indicator and the first network address as the destination indicator;
means for receiving the data from the second configured network controller at the first processor of the first network controller according to the subset and local address of the first configured network address; and means for transmitting the data to the portable computing unit through the first drop port specified by the first drop identifier.

22. The system of claim 21 wherein each network controller further includes a network layer, and a data link layer, the facilities management system including intermediate network controllers located between the first configured network controller and the second configured network controller, the system further comprising:
means for transmitting the request for data to the intermediate controllers along a path between the first configured network controller and the second configured network controller, the intermediate network controllers receiving the request at the data link layer and decoding the destination address in the network layer, the intermediate network controllers retransmitting the request at the data link layer along the path to a next intermediate controller until the second configured network controller is reached.

23. The system of claim 22 further comprising:
means for retrieving the data from the equipment interface of the second network controller in response to the request for data.

24. The system of claim 23 further comprising:
means for transmitting the data to the intermediate controllers along the path between the first network controller and the second network controller, the intermediate network controllers receiving the request at the data link layer, decoding the destination address in the network layer, the intermediate network controllers retransmitting the request from the data link layer along the path to the next intermediate controller until the first network controller is reached.

25. The system of claim 24 further comprising:
means for routing the data between the portable computing unit and the second configured network controller along routes for message traffic between the first configured network controller and the second configured network controller in accordance with a routing table stored in the network controllers.

26. The system of claim 25 further comprising:
means for storing at each network controller a routing table when the facilities management system is initialized, the table having an entry for the destination address, the entry of the table defining the next address along the routes for message traffic.

27. The system of claim 26 further comprising:
means for storing portions of predetermined routes in sequences of the intermediate network controllers as a series of network addresses, each network address defining a next location along the path from the first configured network controller to the second configured network controller.

28. The system of claim 24 further comprising:
means for receiving the data at the data link layer of the first network controller, providing the data to the network layer, and transmitting the data from the network layer to the first drop port of the process of the first drop port of the processor of the first configured network controller.

29. The system of claim 28 further comprising:
means for receiving the data with the portable computing unit at the first drop port.

30. The system of claim 24 further comprising:
means for storing a static routing table at each network controller, the static routing table having an entry for each destination address, the entries of the table defining the next address along the path from the first configured network controller to the second configured network controller.

31. The system of claim 24 further comprising:
means for storing the predetermined route portion in a table in a central processor in the facilities management system and accessing the table to define the route.

32. The system of claim 24 further comprising:
means for adaptively routing the request and data between the portable computing unit and the second configured network controller along the routes for message traffic between the first network controller and the second network controller determined by a dynamic routing strategy sensitive to message traffic throughout the facilities management system.

33. The system of claim 21 further comprising:
means for routing the data between the portable computing unit and the second configured network controller along routes for message traffic between the first configured network controller and the second configured network controller.

34. The system of claim 33 further comprising:
means for adaptively routing messages between the portable computing unit and the second configured network controller along the routes for message traffic between the first configured network controller and the second configured network controller determined by a dynamic routing strategy sensitive to message traffic throughout the facilities management system.

35. The system claim 33 further comprising:
means for storing at each network controller a routing table, the table having an entry for the destination address, the entry of the table defining a next address along the routes for message traffic.

36. The system of claim 21 further comprising:
means for predetermining the routes when the facilities management system is initialized; and means for storing portions of the predetermined routes in sequences of the network controllers as a series of network addresses, each network address defining a next location along a path from the first configured network controller to the second configured network controller.

37. The system of claim 36 further comprising:
means for storing a static routing table at each network controller, the static routing table having an entry for each destination address, the entries of the table defining a next address along paths from the first configured network controller to the second configured network controller.

38. The system of claim 36 further comprising:
means for storing the predetermined route portion in a table in a central processor and accessing the table to define the route.

39. The system of claim 21 wherein the portable computing unit is a lap top computer.

40. The system of claim 21 wherein the process is internal environmental control.