CA2334499A1 - Secure front end communication system and method for process control computers - Google Patents

Publication number: CA2334499A1
Authority: CA (Canada)
Application number: CA002334499A
Legal status: Abandoned (the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis)
Other languages: French (fr)
Inventors: Ronny P. De Bruijn, Leonardus Arie Van Weele, Marc Louis Karel Verboven, Roger R. Vermeire, Oscar E. Schulze, Brian G. Bell, Dale H. Schultz
Original assignees: The Dow Chemical Company, Dow Benelux N.V., Dow Global Technologies Inc., and the named inventors
Current assignees: Dow Benelux BV, Dow Global Technologies LLC (the listed assignees may be inaccurate; Google has not performed a legal analysis)
Priority claimed from CA002137464A (CA2137464C)
Abstract

A secure front-end communication system which couples a plurality of actively redundant process control computers to a computer network. The system includes a front end computer which is capable of establishing time limited communication contracts with one or more computer entities on the computer network. Each time limited communication contract is based upon an acceptable response to the transmission of an unpredictable signal from the front end computer, such as an encrypted transformation of a pseudo-random number generated by the front end computer. A security table is used to identify the network entities that are permitted to send write command messages to the process control computers to which the front end computer is connected. The front end computer also includes at least one permissive table which is used to determine whether a write command message from the network entity should be transmitted to the process control computer for which the message was intended.

Description

SECURE FRONT END COMMUNICATION SYSTEM AND METHOD FOR PROCESS CONTROL COMPUTERS

The present invention generally relates to "front-end" communication techniques between process control computers and a plant/local area network. More specifically, the present invention relates to a front-end communication system which is capable of securely handling messages from the plant area network which could affect the operation of a process control computer.
In chemical manufacturing plants and other relatively large processing plants, a network of control computers and operator workstations may be needed to achieve automated control of an ongoing physical process in the plant. For example, the Jones et al. U.S. Patent No. 4,663,704, issued on May 5, 1987, shows a distributed processing system for a plant in which a single data highway connects all the various input/output terminals, data acquisition stations, control devices, record keeping devices and so forth.
Similarly, the Henzel U.S. Patent No. 4,607,256, issued on August 19, 1986, shows a plant management system which utilizes a plant control bus for the purpose of transmitting data to physical computer modules on the network.
In some of these process control computer networks, redundant process control computers are employed to enhance the reliability of the plant control and monitoring system.
For example, the Fiebig et al. U.S. Patent No. 5,008,805, issued on April 16, 1991, shows a networked control system which includes a "hot standby" redundant processor that synchronously processes a control schedule table for comparison with control messages from a sender processor that are transmitted on the network. The redundant listener processor maintains a duplicate configuration in its memory ready to take over control of the system in the event of a failure of the sender processor. As another example, the McLaughlin et al. U.S. Patent No. 4,953,270, issued on September 18, 1990, shows a networked control system which employs a primary controller and a secondary controller. In order to maintain consistency between the primary data base and a secondary image of the data base, only predetermined areas that have changed are updated as a way of increasing the efficiency of the update function.
Similarly, the Slater U.S. Patent No. 4,872,106, issued on October 3, 1989, shows a networked control system which employs a primary data processor and a back-up data processor. Normally, the back-up processor will be in a back-up mode of operation, and it will not operate to exercise control over the input/output devices or receive data concerning the states of the input/output devices. Accordingly, control over the input/output devices is exclusively carried out by the primary processor. However, the primary processor periodically transfers status data relating to its operation in the control of the input/output devices to the back-up data processor via a dual ported memory connected between the two processors.
In contrast with the above networked control systems, another control technique for redundant process control computers exists in which both of the process control computers operate on input data and issue control commands to the same output devices. This type of control technique may be referred to as active redundancy, because each of the redundant process control computers operates independently and concurrently on common input data. A discussion of this type of control technique may be found in the Glaser et al. U.S. Patent No. 5,428,769, filed on March 31, 1991, entitled "Process Control Interface System Having Triply Redundant Remote Field Units".
The use of active redundancy as a control technique presents a difficult problem in terms of communication with the plant computer network, as each actively redundant process control computer will receive a set of input values and each of these process control computers will generate a set of output values. In the case where the actively redundant process control computers arbitrate or resolve some or all of the input and/or output values, to the extent that differences do exist, then multiple sets of input and output values could be created.
For example, a set of pre-arbitration and post-arbitration input data values could potentially be available from each of the actively redundant process control computers. Accordingly, it would be desirable to enable some or all of these data sets to be matched up and analyzed by another computer on the plant network without interfering with or slowing down the operation of the actively redundant process control computers.
Additionally, it would be desirable to permit one or more of the computers on the plant network to modify certain values used by the program in each of the actively redundant process computers as the need may arise, such as analog constants. However, it should be appreciated that such an activity would need to be restricted in some manner, as predictable changes in the operation of physical devices should be assured.
Accordingly, it is a principal objective of the present invention to provide a secure front-end communication system and method for controlling signals transfers between an actively redundant process control computer and a plant/local area network.
It is another objective of the present invention to provide a secure front-end communication system which is capable of evaluating an instruction from the plant/local area network that could affect the operation of the actively redundant process control computer.
It is also an objective of the present invention to provide a secure front-end communication system which ensures that there is proper alignment with the operating program in the actively redundant process control computers.
It is a further objective of the present invention to provide a secure front-end communication system which enables one of the actively redundant process control computers to receive a revised operating program without adversely affecting the operation of the other actively redundant process control computer.
It is an additional objective of the present invention to provide a secure front-end communication system and method which is capable of utilizing a plurality of different communication protocols and encryption techniques depending upon the type of message being transmitted.
SUMMARY OF THE INVENTION
To achieve the foregoing objectives, the present invention provides a secure front-end communication system which is interposed between a plurality of actively redundant process control computers and a computer network. The secure front-end communication system includes a front end computer which is capable of establishing time limited communication contracts with one or more computer entities on the computer network. In accordance with the method of the present invention, each of these time limited communication contracts is based upon an acceptable response to the transmission of an unpredictable signal from the front end computer. More particularly, the acceptable response is preferably in the form of an encrypted transformation of a pseudo-random number generated by the front end computer. Additionally, before the time limited communication contract expires, the front end computer will negotiate a new time limited communication contract with the computer entity on the computer network using a new pseudo-random number.
In one form of the present invention, the front end computer also includes at least one permissive table which is used to determine whether a write command message from the network entity should be transmitted to the process control computer for which the message was intended. A security server is also included on the computer network for transmitting a security table to the front end computer. The security table is used to identify the network entities that are permitted to send write command messages to the process control computers to which the front end computer is connected.
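The contract mechanism summarized above, modelled in code as an added example (this is not code from the patent or from Dow). The patent specifies only that a contract rests on an acceptable response to an unpredictable signal, that it is renewed with a fresh pseudo-random number before expiry, that a security table names the entities allowed to send write commands, and that a permissive table gates which write commands are forwarded. The use of HMAC-SHA256 as the "encrypted transformation", the per-entity shared keys, the contract lifetime and renewal margin, the variable names in the permissive table, and the class and function names are all assumptions of this example:

```python
"""Time limited communication contract between a front end computer and a network entity.

Added illustration, not code from the patent. HMAC-SHA256 stands in for the
unspecified encrypted transformation; keys, lifetimes and names are assumed.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Optional

CONTRACT_LIFETIME = 10.0  # seconds a contract stays valid (assumed value)
RENEW_MARGIN = 2.0        # renegotiate when less than this remains (assumed value)

# Assumed security table: entities permitted to send write commands, with the key
# each shares with the front end computer (constructed sample keys).
SECURITY_TABLE: Dict[str, bytes] = {
    "workstation-1": b"constructed-key-workstation-1",
    "historian": b"constructed-key-historian",
}

# Assumed permissive table: the variables an external entity may ask to change.
PERMISSIVE_TABLE = frozenset({"setpoint_reactor_temp", "alarm_limit_high"})


def transform(key: bytes, challenge: bytes) -> bytes:
    """The 'encrypted transformation' both sides compute; HMAC stands in for it here."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class FrontEnd:
    def __init__(self, security_table: Dict[str, bytes], permissive_table, now: Callable[[], float]):
        self.security_table = dict(security_table)
        self.permissive_table = frozenset(permissive_table)
        self.now = now                         # injectable clock
        self.pending: Dict[str, bytes] = {}    # entity -> outstanding challenge
        self.contracts: Dict[str, float] = {}  # entity -> contract expiry time

    def challenge(self, entity: str) -> Optional[bytes]:
        """Issue a fresh pseudo-random number; entities not in the security table get none."""
        if entity not in self.security_table:
            return None
        nonce = secrets.token_bytes(16)
        self.pending[entity] = nonce
        return nonce

    def accept(self, entity: str, response: bytes) -> bool:
        """Grant or renew the contract if the response transforms the outstanding challenge.

        The challenge is consumed either way, so a captured response cannot be replayed.
        """
        nonce = self.pending.pop(entity, None)
        if nonce is None:
            return False
        expected = transform(self.security_table[entity], nonce)
        if not hmac.compare_digest(expected, response):
            return False
        self.contracts[entity] = self.now() + CONTRACT_LIFETIME
        return True

    def has_contract(self, entity: str) -> bool:
        return self.contracts.get(entity, 0.0) > self.now()

    def needs_renewal(self, entity: str) -> bool:
        """True while a live contract is within RENEW_MARGIN of expiring."""
        remaining = self.contracts.get(entity, 0.0) - self.now()
        return 0.0 < remaining <= RENEW_MARGIN

    def forward_write(self, entity: str, variable: str) -> bool:
        """Pass a write command on to the process control computer only under a live
        contract and only for a variable the permissive table allows."""
        return self.has_contract(entity) and variable in self.permissive_table


class NetworkEntity:
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key

    def respond(self, nonce: bytes) -> bytes:
        return transform(self.key, nonce)


def negotiate(front_end: FrontEnd, entity: NetworkEntity) -> bool:
    """One challenge/response exchange; False if the entity is unknown or answers wrongly."""
    nonce = front_end.challenge(entity.name)
    return nonce is not None and front_end.accept(entity.name, entity.respond(nonce))
```

The two tables play different roles: the security table decides who may be challenged at all, while the permissive table is consulted per write command after the contract check, so a contracted entity still cannot reach a variable the table does not list. Consuming the challenge on every attempt is what makes a replayed response worthless, and the renewal margin lets the front end start the next exchange before the current contract lapses.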
Additional features and advantages of the present invention will become more fully apparent from a reading of the detailed description of the preferred embodiment and the accompanying drawings in which:
BRIEF DESCRIPTION OF THE DRAWINGS
Figure 1 is a block diagram of an intelligent front-end communication system for a plurality of actively redundant process control computers which utilizes a stealth interface according to the present invention.
Figures 2A and 2B provide a diagrammatic representation of the data tables stored in a time aligned reflective memory buffer and the Correlate buffer shown in Figure 1.
Figure 3 is a block diagram of the stealth interface shown in Figure 1. Figures 4A and 4B comprise a schematic diagram of the stealth interface of Figures 1 and 3.
Figures 5A and 5B illustrate two timing diagrams for the stealth interface.
Figures 6A-6E comprise a set of flow charts illustrating particular aspects of the security and validation methods according to the present invention.
Figure 7 is a block diagram of the application software for the front end computers shown in Figure 1.
Figure 8 is a diagrammatic illustration of the configuration for the front end computers.
Figure 9 is a diagrammatic illustration of the relationship between the reflective memory buffers in the front end computers, the transfer map in the IFS circuit and the data memory in the process control computers.
Figure 10 is a block diagram of the IFS circuit shown in Figure 1.
Figure 11 is a block diagram of the IFQ circuit shown in Figure 1.

Referring to Figure 1, a block diagram is shown of an intelligent front-end communication system 10 which is coupled to a pair of actively redundant process control computers 12a-12b. Each of the process control computers 12a-12b receives common input data from field computer units (not shown) or other suitable field instrumentation. In this regard, the Glaser et al. U.S. Patent Application Serial No. 07/864,931, referenced above, describes in detail the communication and control links between a pair of actively redundant process control computers, such as process control computers 12a-12b, and the input/output devices directly associated with the physical process being controlled.
While the redundancy of two actively operating process control computers has certain fault tolerance advantages over a single decision making process control computer, it should be understood that the principles of the present invention are not limited to any particular configuration of process control computers. Thus, for example, it may be desirable to employ three process control computers in the place of the two process control computers 12a-12b shown in Figure 1 under the appropriate circumstances.
In the present embodiment, the process control computers 12a-12b preferably operate concurrently on all of the signals transmitted from one or more field computer units. In other words, each of the process control computers 12a-12b is capable of making independent decisions based upon the data received by these redundant computers from the field. The decisions made by the process control computers 12a-12b determine the output signal values which are ultimately directed to specific output devices (for example, valves, pump motors and reactor heaters) by the appropriate field computer units.
While the output signal values are preferably reconciled at least to some extent between the two actively redundant process control computers 12a-12b before the transmission of these signals to the field, it should be understood that two independent sets of output signal values could be communicated to the field computer units. In this regard, the input values received from a field computer unit could be arbitrated, which should make it unnecessary to reconcile or arbitrate output values. This is because both of the process control computers 12a-12b would then be working with the same process control program and operating on the same set of arbitrated input values.
As an example of a preferred form of possible value reconciliation, corresponding input value tables in each of the process control computers 12a-12b could be compared during a preset time period, and one of the values could be chosen for each input value signal to be subjected to the process control program. This selection of input values could be made on criteria suitable to the process being controlled, such as the use of the value determined by the Left process control computer 12a when the value determined by the Right process control computer 12b is within a certain predetermined percentage limit (for example, 2.5%). Otherwise, the distinct input values of both the Left and Right process control computers could each be employed when these values are found to be outside the predetermined percentage limit. Alternatively, the selection of different input/output values from the Left and Right process control computers could be made on the basis of a software implemented preference. Thus, for example, under certain process conditions, it may be considered more appropriate to select either the high or low value, regardless of whether the value was determined by the Left or Right process control computer.
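The input value reconciliation just described, written out as an added example (not code from the patent). It applies the rule in the text: the Left value is taken when the Right value lies within the percentage limit (2.5%), otherwise either both distinct values are kept or a software preference picks the high or low value. The table layout keyed by signal name, the preference encoding, the handling of a zero reference value, and the sample readings are assumptions constructed here:

```python
"""Input value arbitration between the Left and Right process control computers.

Added example, not the patent's code. Signal names, the preference encoding and
the sample readings are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional

LIMIT_PERCENT = 2.5  # percentage limit given in the text


@dataclass(frozen=True)
class Arbitration:
    value: float                       # value handed to the process control program
    source: str                        # "left", "high", "low" or "both"
    alternate: Optional[float] = None  # second value retained when the pair is not reconciled


def within_limit(left: float, right: float, limit_percent: float = LIMIT_PERCENT) -> bool:
    """Right lies within limit_percent of Left (Left is the reference in the text).

    A zero Left value has no percentage band, so only an exactly matching Right
    value is treated as agreeing (assumed handling).
    """
    if left == 0.0:
        return right == 0.0
    return abs(right - left) <= abs(left) * limit_percent / 100.0


def arbitrate(left: float, right: float, preference: Optional[str] = None) -> Arbitration:
    """Choose the input value(s) both computers will operate on.

    preference: None keeps both values when they disagree; "high" or "low" is the
    software implemented preference, applied only when the values disagree.
    """
    if within_limit(left, right):
        return Arbitration(left, "left")
    if preference == "high":
        return Arbitration(max(left, right), "high")
    if preference == "low":
        return Arbitration(min(left, right), "low")
    if preference is not None:
        raise ValueError("unknown preference %r" % (preference,))
    return Arbitration(left, "both", alternate=right)


def arbitrate_tables(left_table: Dict[str, float], right_table: Dict[str, float],
                     preferences: Optional[Dict[str, str]] = None) -> Dict[str, Arbitration]:
    """Arbitrate complete input value tables keyed by signal name.

    Both tables must describe the same signals; a signal seen by only one computer
    cannot be reconciled and is reported as an error rather than silently passed.
    """
    if left_table.keys() != right_table.keys():
        raise ValueError("input tables list different signals")
    preferences = preferences or {}
    return {name: arbitrate(left_table[name], right_table[name], preferences.get(name))
            for name in left_table}


# Constructed sample readings (signal names and units are illustrative only).
LEFT_INPUTS = {"TI-101": 150.0, "PI-202": 4.00, "LI-303": 62.0}
RIGHT_INPUTS = {"TI-101": 152.5, "PI-202": 4.30, "LI-303": 60.0}
PREFERENCES = {"PI-202": "high"}  # e.g. a pressure where the higher reading is the safer choice
```

With these readings TI-101 agrees within the limit and the Left value is used, PI-202 disagrees and the "high" preference selects the Right reading, and LI-303 disagrees with no preference so both values are retained for the program to work with.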
To facilitate this arbitration or reconciliation process, a parallel communication link 14 is provided between the process control computers 12a-12b. Parallel communication link 14 is referred to as the "major" link, as it permits a direct transfer of data and timing signals between the process control computers. It should also be noted that the Left process control computer 12a is labeled "fox", while the Right process control computer 12b is labeled "dog". These are logical designations for alternative operating modes of the process control computers 12a-12b.
While each of the process control computers 12a-12b makes independent decisions, which may be subject to arbitration, the process control computer currently in the fox mode has the ability to force the process control computer in the dog mode to move to a subsequent step in a programmed sequence in order to keep the cooperative efforts of the two process control computers in relative synchronization. Additionally, the process control computer in the fox mode will transmit a timing signal to the process control computer in the dog mode at the beginning of its process control program cycle (for example, a one second period), so that the process control computer in the dog mode will know to begin a new process control program cycle as well. As the process control computers 12a-12b operate under their own clock oscillators, the detection and interpretation of this program cycle timing signal by the process control computer in the dog mode will help to periodically keep these process control computers in relative synchronization. However, it should be appreciated that the program cycle of the process control computer in the dog mode will typically follow the program cycle of the process control computer in the fox mode by the period of time it takes to transmit and then detect the program cycle timing signal (for example, 20 microseconds to 20 milliseconds).
In the event that process control computers 12a-12b are temporarily not able to communicate over the major link 14, each of these process control computers will continue their operations in a mode which assumes that they are operating alone. In this mode of operation, it should be appreciated that the program cycles of the process control computers 12a-12b may gradually drift apart in time relative to each other. Nevertheless, as will be seen from the discussion below, the front end communication system 10 is designed to enable data received from the process control computers 12a-12b to be time aligned for real-time analysis.
As illustrated in Figure 1, each of the process control computers 12a-12b includes a stealth interface according to the present invention. In particular, process control computer 12a includes stealth interface circuit 16a, while process control computer 12b includes stealth interface circuit 16b. As the stealth interface circuits 16a-16b comprise identical circuits, these stealth interface circuits are sometimes referred to generally herein as stealth interface circuit 16. Due to the redundant nature of the front end communication system 10, a general reference number will also be used for other duplicative components in the system.
The stealth interface 16 provides transparent data transfers between the process control computer to which it is connected and external communication devices. In this regard, the data transfers are transparent to the process control computer 12 in that the operation of the process control computer is not delayed or otherwise adversely affected by a transfer of its data to one or more external communication devices. The stealth interface 16 also enables the transfer of messages from an external communication device without affecting the operation of the process control computer 12. The primary example of such an external communication device is shown in Figure 1 to be comprised of a pair of redundant front end computers 18a-18b. The front end computers 18a-18b are redundant, because communication paths are provided for enabling each of these front end computers to exchange data and messages with both of the stealth interface circuits 16a-16b.
Each of the front end computers 18a-18b provides a highly intelligent interface between the stealth interface circuits 16a-16b and a plant/local area network, which is generally designated by reference numeral 20. However, since each of the redundant front end computers 18a-18b is capable of communicating with each of the stealth interface circuits 16a-16b, it should be appreciated that this redundancy is not required, and that a single front end computer could be utilized in the appropriate application. Additionally, as will be more apparent from the discussion below, each of the stealth interface circuits is capable of exchanging data and messages with other external communication devices, as well as the front end computers 18a-18b.
As illustrated in Figure 1, the stealth interface circuit 16 features a dual-ported memory "DPM" 22 which resides on the bus structure of the process control computer 12. Indeed, in the embodiment disclosed herein, the dual-ported memory 22 provides the primary or only data memory for the process control computer 12. Thus, in accordance with the present invention, the stealth interface circuit 16 will selectively grant external devices direct access to the data memory of the process control computer itself. The dual-ported memory 22 includes an internal port which is connected to the bus structure of the process control computer 12 and an external port, which is sometimes referred to herein as the stealth port. While the dual-ported memory 22 could be configured to provide additional ports, the dual-ported memory preferably includes an arbitration circuit which enables a plurality of external communication devices to have alternative access to the stealth port. In other words, only one external device will be able to use the data and address lines of the stealth port at any given time when access to the dual-ported memory is permitted through the stealth port, even though more than one external device may ultimately be coupled to the data and address lines of the stealth port. In the present embodiment, the stealth interface arbitration circuit employs a first-come, first-served approach to granting access rights.
However, in accordance with the present invention, this arbitration circuit operates only on the stealth port. There is no arbitration per se between the internal and external ports of the stealth interface circuit 16. Rather, access to the dual-ported memory 22 from the external/stealth port is available only during those times when the process control computer 12 cannot access the dual-ported memory. More specifically, in the form of the invention disclosed herein, the machine cycle of the process control computer 12 is utilized to control access to the dual-ported memory 22. As is well known, the central processing unit of any computer must fetch and decode one or more programmed instructions in order to operate on one or more data words. In computers based upon the von Neumann architecture, it typically takes several computer clock cycles to fetch, decode and execute an instruction. However, in the present embodiment, the process control computer 12 is based on the Harvard architecture, which permits both an op-code instruction and the operand data for this instruction to be fetched in the same clock cycle. This is because a computer based upon the Harvard architecture includes physically separate instruction and data stores, and each of these stores has its own address and data lines to the central processing unit. Thus, during the portion of the clock cycle for the process control computer 12 that is devoted to fetching and decoding an instruction, the dual-ported data memory 22 may be accessed from the stealth port. Then, during the portion of the clock cycle for the process control computer 12 that is devoted to fetching the operand from the data store, the process control computer will have access to the dual-ported data memory 22 from the internal port.

In accordance with the present invention, the stealth interface circuit 16 watches for a specific transition in the memory clock signal of the process control computer 12 in order to determine when the stealth port may have access to the dual-ported data memory 22. In this regard, it should be understood that the process control computer itself is not affected by this external access, as external access is permitted by the stealth interface circuit 16 only during those time periods when the process control computer 12 will not need to access the dual-ported data memory 22. Indeed, the process control computer 12 does not even have to know that externally generated read/write activity is actually occurring with respect to its data store.
Nevertheless, in accordance with the present invention, an important distinction is made between the ability to "read" from the dual-ported data memory 22 and the ability to "write" to the dual-ported data memory, as far as the stealth port is concerned. While it may be desirable to enable an external communication device to read each and every memory location in the dual-ported data memory 22, this may not be true with respect to the ability of an external device to write to memory locations in the dual-ported memory. In this regard, the dual-ported data memory 22 will store not only dynamic data associated with the physical process being controlled, but it may also store other process control variables, such as analog and digital constants.
Accordingly, the dual-ported memory 22 includes two "logical" memory sections, namely variable section 24 and mailbox section 26. These memory sections are logically distinct, because they are treated separately, even though they may both reside in the same physical memory circuit chip or chip set. In the present embodiment, the mailbox section 26 is comprised of a set of 256 memory word locations (16 bits each) in the dual-ported data memory 22, and the variable section 24 is comprised of the remaining memory locations in the dual-ported data memory 22 (for example, a block of 64k memory word locations). The variable section 24 may also include a message area for holding system messages from the process control computer 12 to the front end computer 18. The mailbox section 26 is used to provide a specific region in memory for storing messages from external devices, such as the front end computers 18a-18b. In this regard, it should be appreciated that the memory locations of the mailbox section 26 do not need to be physically contiguous. While the mailbox section 26 may be configured to hold more than one message at any one time, depending upon the message transmission protocol employed, the mailbox section need only be large enough to hold one complete message. These messages may be as simple as an external request for the process control computer 12 to gather and transmit health/status data from a remote field computer unit that it may obtain less frequently. A message may also include a command to change a particular variable stored in the dual-ported data memory 22. Additionally, the mailbox section 26 of the dual-ported data memory 22 may also be used to electronically convey a program revision to the process control computer 12.
As will be more fully discussed below, the stealth interface circuit 16 includes a guardian circuit which prevents any external entity from writing to any memory locations in the variable section 24 of the dual-ported data memory 22. Thus, while some or all of the memory locations in the dual-ported data memory 22 may be read from the stealth port, an external entity is only permitted to write to the memory locations in the mailbox section 26 of the dual-ported memory 22. This feature of the present invention provides a hardware safe-guard at the process control computer 12 which ensures that no external entity will be able to inadvertently interfere with the data processing operations of the process control computer 12. As will be more apparent from the discussion below, this feature of the present invention could also be employed to grant or deny external write access to any particular memory location or set of memory locations in the dual-ported data memory 22.
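The read/write asymmetry enforced by the guardian circuit, modelled in software as an added example (this is not the patent's circuitry, and the patent describes the guardian as hardware). The model follows the text: the internal port reads and writes any location; the stealth port may read any location but may write only into the mailbox section 26, which is 256 words of 16 bits and need not be physically contiguous; and the guardian may additionally grant write access to individually selected locations. The address map, the choice of two separate 128-word mailbox blocks, the diagnostic list of rejected writes, and the sample traffic are assumptions constructed here:

```python
"""Guardian rule of the stealth port on the dual-ported data memory 22.

Added example, not the patent's circuitry. The address map, the two 128-word
mailbox blocks and the sample traffic are assumptions.
"""
from typing import Iterable, List, Tuple

WORD_MASK = 0xFFFF        # 16-bit words (from the text)
MEMORY_WORDS = 0x10000    # 64k word locations (from the text)
MAILBOX_WORDS = 256       # size of the mailbox section 26 (from the text)

# Assumed mailbox layout: two separate 128-word blocks, to show that the mailbox
# section need not be contiguous.
MAILBOX_ADDRESSES = tuple(range(0x0100, 0x0180)) + tuple(range(0xFF00, 0xFF80))


class DualPortedMemory:
    def __init__(self, mailbox: Iterable[int], extra_writable: Iterable[int] = ()):
        self.mailbox = frozenset(mailbox)
        if len(self.mailbox) != MAILBOX_WORDS:
            raise ValueError("mailbox section must be exactly %d words" % MAILBOX_WORDS)
        # Assumed: per-location write grants beyond the mailbox, which the text
        # says the guardian could also be used to provide.
        self.writable = self.mailbox | frozenset(extra_writable)
        for addr in self.writable:
            self._check(addr)
        self.words: List[int] = [0] * MEMORY_WORDS
        self.rejected: List[Tuple[int, int]] = []   # (address, value) writes the guardian blocked

    @staticmethod
    def _check(addr: int) -> int:
        if not 0 <= addr < MEMORY_WORDS:
            raise IndexError("address 0x%X outside the %d-word data memory" % (addr, MEMORY_WORDS))
        return addr

    # Internal port: the process control computer's own bus; the guardian is not involved.
    def internal_read(self, addr: int) -> int:
        return self.words[self._check(addr)]

    def internal_write(self, addr: int, value: int) -> None:
        self.words[self._check(addr)] = value & WORD_MASK

    # Stealth port: external devices. Reads are unrestricted; writes pass the guardian.
    def stealth_read(self, addr: int) -> int:
        return self.words[self._check(addr)]

    def stealth_write(self, addr: int, value: int) -> bool:
        """Return True if the word was stored, False if the guardian dropped the write."""
        addr = self._check(addr)
        if addr not in self.writable:
            self.rejected.append((addr, value & WORD_MASK))
            return False
        self.words[addr] = value & WORD_MASK
        return True


def stealth_write_message(mem: DualPortedMemory, start: int, words: Iterable[int]) -> int:
    """Deposit a message word by word from an external device; return how many words landed.

    Each word is judged on its own address, so a message that runs past the end of a
    mailbox block loses exactly the words that fall outside the mailbox, and the
    variable section 24 is never touched by an oversized or misaddressed message.
    """
    accepted = 0
    for offset, word in enumerate(words):
        if mem.stealth_write(start + offset, word):
            accepted += 1
    return accepted
```

The point to take from the model is that the decision is made per address at the port, not by trusting the sender's declared length or target: a write aimed at a constant in the variable section is dropped while the same location remains fully readable, and a message that overruns its mailbox block loses only the overrunning words.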
In order to rapidly pump data into or out from the stealth port, the front end communication system 10 of Figure 1 is also shown to include an interface to stealth "IFS" circuit 28, an interface to Q-bus "IFQ" circuit 30, and a set of fiber optic cables 32 interposed therebetween. The IFS circuit 28 is connected to the stealth port of the dual-ported data memory 22, while the IFQ circuit 30 resides on the "Q bus" of the front end computer 18. Due to the redundant nature of the front end communication system 10, it should be appreciated that the IFS circuit 28a is connected to the stealth port of dual-ported data memory 22a, while IFS circuit 28b is connected to the stealth port of dual-ported data memory 22b. Similarly, the IFQ circuit 30a is connected to the Q bus of the front end computer 18a, while the IFQ circuit 30b is connected to the Q bus of the front end computer 18b. In the embodiment disclosed herein, the front end computer 18 is preferably composed of a MICROVAX 3400 computer using the real-time ELN operating system from the Digital Equipment Corporation "DEC". While the VAX family of computers from DEC offers considerable speed and networking advantages, it should be appreciated that other suitable front end computers may be employed in the appropriate application.
In order to permit each of the front end computers 18a-18b to conduct bi-directional communications with both of the stealth interface circuits 16a-16b, the fiber optic cables 32 actually include two sets of send and receive optical fibers (for example, 62.5/125/0.275NA type fibers). However, the separate send and receive optical fibers for each of the front end computers 18a-18b are represented as single channels in Figure 1 for simplicity. Thus, fiber optic channel 34a includes a separate optical fiber for sending information from the front end computer 18a to the stealth interface circuit 16a and an optical fiber for receiving information from the stealth interface circuit 16a. Similarly, the fiber optic channel 36a includes a separate optical fiber for sending information from the front end computer 18a to the stealth interface circuit 16b and an optical fiber for receiving information from the stealth interface circuit 16b. This arrangement of optical fibers is also duplicated for the front end computer 18b.

In the present embodiment, the combination of the IFS circuit 28, the IFQ circuit 30 and the fiber optic cables 32 provides an optical transmission interface which permits the front end computers 18a-18b to be remotely located from the process control computers 12a-12b. For example, in this embodiment it is possible for the front end computers 18a-18b to be located up to 2 km from the process control computers 12a-12b. Additionally, it should be noted that the Fiber Distributed Data Interface "FDDI" protocol may be used to transmit information between the IFQ and IFS circuits over the fiber optic cables 32.
The IFS circuit 28 includes the appropriate address and data buffer circuits (not shown) for transferring information to and from the stealth port of the dual-ported data memory 22. The IFS circuit 28 also includes a transfer map 37 which enables data from selected locations in the dual-ported data memory 22 to be gathered and transferred as one contiguous block of data. The transfer map 37 may be comprised of a static RAM with sufficient address storage capability to gather data from all of the available memory locations in the dual-ported data memory 22.
Additionally, the IFS circuit 28 includes a separate transmitter and receiver circuit for each of the two front end computers 18a-18b, such as transmitter 38a and receiver 40a. The transmitter 38a is adapted to convert parallel data words (for example, 16 bits) from the stealth port into a serial bit stream suitable for transmission over one of the fiber optic cables 32. Similarly, the receiver 40a is adapted to convert a serial bit stream from the front end computer 18 into a parallel data word for transmission to the stealth port through one or more of the IFS circuit buffers. A corresponding set of transmitters and receivers are also provided in the IFQ circuit 30, such as transmitter 38b and receiver 40b. From the above, it should be appreciated that the use of two sets of transmitter-receiver pairs enables data to be transferred and/or received simultaneously between both of the IFS circuits 28a-28b and both of the IFQ circuits 30a-30b. Thus, for example, the IFS circuit 28a is capable of simultaneously transmitting data acquired from the process control computer 12a to both of the front end computers 18a-18b.
While not shown for illustration simplicity, it should be appreciated that a laser or LED light source is interposed between each of the transmitters (for example, transmitters 38a-38b) and their respective optical fibers. Similarly, a photo-detector is also interposed between each of the receivers (for example, receivers 40a-40b) and their respective optical fibers. For example, these light converters may be comprised of a pair of AT&T ODL200 series converters.
While fiber optic cables are preferred for their speed, low error rate and security advantages over mediums such as coaxial cable, it should be understood that other suitable data transmission mediums could be employed in the appropriate application.
In the present embodiment, the transmitters and receivers in the IFS and IFQ circuits are preferably comprised of a high-performance Gallium Arsenide chipset, such as the "Gazelle" GA9011 transmitter and GA9012 receiver from Triquint Semiconductor, Inc., 2300 Owens St., Santa Clara, Ca. These particular transmitters and receivers permit data transmission rates in excess of 200 Mbits/second. These transmitters and receivers utilize a 40-bit wide parallel bus which enables data to be encoded into a 50-baud word using FDDI-standard 4B/5B encoding. In this encoding, 4-bit data nibbles are translated into a 5-baud code symbol. Accordingly, the 4B/5B encoding produces ten 5-baud symbols from ten 4-bit data nibbles in order to comprise a data frame. The GA9011 transmitters also convert the serial stream from a Non-Return to Zero "NRZ" format to a Non-Return to Zero, Invert on ones "NRZI" format, which combines the transmission of data and clock signals into a single waveform. The NRZI waveform denotes a logical one with a polarity transition and a logical zero with no transition within the bit-time-frame. These logical ones and zeros are called bauds, and each group of five bauds is called a symbol. For example, a "0000" 4-bit binary input will be converted to a "11110" 5-baud binary symbol output, while a "1011" 4-bit binary input will be converted to a "10111" 5-baud binary symbol output.
The use of 4B/5B encoding and NRZI formatting combine to substantially enhance the reliability of high-speed data transmissions over the fiber optic cables.
The GA9012 receivers have built-in clock and data recovery (for example, NRZI to NRZ conversion), and they also monitor the incoming 5B symbols for validity. In this regard, the 4B/5B encoding creates a number of invalid symbols which may be checked for at the GA9012 receivers. As the presence of noise or jitter across the fiber optic link could cause one or more of the bauds to change to an unintended value, the detection of invalid symbols reduces the possibility of a transmission error going undetected.
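The following is an added worked example, not code from the patent or from the GA9011/GA9012 chipset documentation: it models the link coding just described in software, the FDDI 4B/5B data symbol table, NRZI line coding, and the receiver-side validity check, and then shows one corrupted baud that the symbol check catches and one that it does not. The baud order, the ten-nibble frame layout and all function names are this example's assumptions.

```c
/* Added example (not the patent's code): FDDI 4B/5B symbol coding, NRZI line
 * coding and receiver-side validity checking of 5-baud symbols. Bit order,
 * the 10-nibble frame layout and the function names are assumptions. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define FRAME_NIBBLES 10   /* ten 4-bit nibbles -> ten 5-baud symbols (50 bauds) */

/* FDDI 4B/5B data symbols indexed by nibble value: 0000 -> 11110, 1011 -> 10111, ... */
static const uint8_t FOUR_B_FIVE_B[16] = {
    0x1E, 0x09, 0x14, 0x15, 0x0A, 0x0B, 0x0E, 0x0F,
    0x12, 0x13, 0x16, 0x17, 0x1A, 0x1B, 0x1C, 0x1D
};

uint8_t encode_4b5b(uint8_t nibble) { return FOUR_B_FIVE_B[nibble & 0x0F]; }

/* Returns the nibble for a valid data symbol, or -1 for any of the 16 five-baud
 * patterns that 4B/5B never produces for data (the receiver's validity check). */
int decode_4b5b(uint8_t symbol) {
    for (int n = 0; n < 16; n++)
        if (FOUR_B_FIVE_B[n] == (symbol & 0x1F)) return n;
    return -1;
}

/* NRZI: a logical one is a polarity transition, a zero is no transition.
 * 'level' is the current line polarity, carried from symbol to symbol. Bauds go MSB first. */
uint8_t nrzi_encode(uint8_t symbol, int *level) {
    uint8_t line = 0;
    for (int i = 4; i >= 0; i--) {
        if ((symbol >> i) & 1) *level ^= 1;       /* transition on a one */
        line = (uint8_t)((line << 1) | (*level & 1));
    }
    return line;
}

/* Inverse of nrzi_encode: a change in polarity decodes as a one. */
uint8_t nrzi_decode(uint8_t line, int *level) {
    uint8_t symbol = 0;
    for (int i = 4; i >= 0; i--) {
        int cur = (line >> i) & 1;
        symbol = (uint8_t)((symbol << 1) | (cur ^ *level));
        *level = cur;
    }
    return symbol;
}

/* Transmit side: 40-bit data word -> 10 NRZI-coded 5-baud symbols, MSB nibble first. */
void frame_encode(uint64_t data40, uint8_t line_out[FRAME_NIBBLES]) {
    int level = 0;
    for (int i = 0; i < FRAME_NIBBLES; i++) {
        uint8_t nib = (uint8_t)((data40 >> (4 * (FRAME_NIBBLES - 1 - i))) & 0x0F);
        line_out[i] = nrzi_encode(encode_4b5b(nib), &level);
    }
}

/* Receive side: NRZI -> NRZ, then 5B -> 4B with validity checking.
 * Returns the number of invalid symbols seen; an invalid nibble is stored as 0. */
int frame_decode(const uint8_t line_in[FRAME_NIBBLES], uint64_t *data40) {
    int level = 0, invalid = 0;
    uint64_t word = 0;
    for (int i = 0; i < FRAME_NIBBLES; i++) {
        int nib = decode_4b5b(nrzi_decode(line_in[i], &level));
        if (nib < 0) { invalid++; nib = 0; }
        word = (word << 4) | (uint64_t)nib;
    }
    *data40 = word;
    return invalid;
}

/* Constructed error scenario: XOR 'mask' into the line bauds of one symbol, then decode. */
static int corrupt_and_decode(uint64_t data40, int idx, uint8_t mask, uint64_t *rx) {
    uint8_t line[FRAME_NIBBLES];
    frame_encode(data40, line);
    line[idx] ^= mask;
    return frame_decode(line, rx);
}
int corrupt_invalid_count(uint64_t d, int idx, uint8_t mask) {
    uint64_t rx; return corrupt_and_decode(d, idx, mask, &rx);
}
uint64_t corrupt_decoded_data(uint64_t d, int idx, uint8_t mask) {
    uint64_t rx; corrupt_and_decode(d, idx, mask, &rx); return rx;
}

int main(void) {
    const uint64_t d = 0x123456789AULL;            /* constructed 40-bit data word */
    printf("first baud flipped: %d invalid symbol(s)\n", corrupt_invalid_count(d, 0, 0x10));
    /* A flipped baud changes two NRZI-decoded bits; here both results are still valid
     * symbols, so the error passes the symbol check and only the LRC can catch it. */
    printf("last baud of symbol 3 flipped: %d invalid, data %010llx\n",
           corrupt_invalid_count(d, 3, 0x01), (unsigned long long)corrupt_decoded_data(d, 3, 0x01));
    return 0;
}
```

The second scenario in `main` is the practical point: because NRZI decodes transitions, one flipped baud disturbs two consecutive bits, and the result can still be a pair of valid 5B symbols, which is why the patent layers the LRC described next on top of the symbol check.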
As an additional layer of protection from potential errors, data transmissions from the IFS circuit 28 are formed into complete data frames, which are comprised of the data to be transferred (that is, the 40-bit input data frame), a 16-bit destination address field, a 4-bit control code field and a 4-bit error detection code field. These complete data frames are preferably separated from each other on the fiber optic link by at least one sync frame. As potential physical link errors may have a burst or clustering nature, the error code needs to be able to detect up to four contiguous bit errors. In this regard, a Longitudinal Redundancy Check "LRC" code is employed to prevent masked errors from potentially corrupting subsequent data processing operations. This type of error code is also referred to as a "Longitudinal Parity Check". In a LRC code, a 4-bit nibble composed of parity bits is generated and inserted into the encoded data stream for a predetermined number of data nibbles in the encoded data stream, as shown below:
                  b4  b3  b2  b1
data nibble 1  :   x   x   x   x
data nibble 2  :   x   x   x   x
data nibble 3  :   x   x   x   x
...
data nibble 8  :   x   x   x   x
data nibble 9  :   x   x   x   x
data nibble 10 :  p4  p3  p2  p1

where pi = bit i of nibble 1 XOR bit i of nibble 2 XOR ... XOR bit i of nibble 9, and i = bit location 1 to 4. Thus, the ith bit of this parity check character checks the ith information bit position in data nibbles 1 through 9 under even parity conditions. The combination of the LRC error checking, the 4B/5B encoding and the NRZI conversion enable the front end communication system 10 to provide a targeted Baud Error Rate "BER" of 1E-12. While a Cyclic Redundancy Check "CRC" code could be employed in lieu of the LRC code, the more complicated CRC code would also increase the complexity of the IFQ and IFS circuits. Additionally, the LRC coding more readily permits dual fiber optic channel signal transmissions between the IFS and IFQ circuits, and the intrinsic synchronization features of the Gazelle transmitters 38a-38b and receivers 40a-40b may be used to frame the LRC based protocols.
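The following is an added worked example, not code from the patent: it implements the LRC of the table above (one even-parity nibble over nine data nibbles) and then goes a step beyond the text by exhaustively checking which error bursts the code detects, confirming that every error pattern confined to four contiguous bits is caught while a five-bit pattern can be masked. The bit layout of the nibble stream and the function names are this example's assumptions.

```c
/* Added example (not the patent's code): Longitudinal Redundancy Check over nine
 * data nibbles, plus an exhaustive check of burst-error detection. The stream
 * layout (b4 of nibble 1 is bit position 0) and the names are assumptions. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define LRC_DATA_NIBBLES  9
#define LRC_BLOCK_NIBBLES (LRC_DATA_NIBBLES + 1)   /* nine data nibbles + parity nibble 10 */

/* p_i = bit i of nibble 1 XOR ... XOR bit i of nibble 9 (even parity per column). */
uint8_t lrc_compute(const uint8_t *nib, int n) {
    uint8_t p = 0;
    for (int i = 0; i < n; i++) p ^= nib[i] & 0x0F;
    return p;
}

/* Build the 10-nibble block that goes onto the link: data followed by its LRC nibble. */
void lrc_build_block(const uint8_t data[LRC_DATA_NIBBLES], uint8_t block[LRC_BLOCK_NIBBLES]) {
    memcpy(block, data, LRC_DATA_NIBBLES);
    block[LRC_DATA_NIBBLES] = lrc_compute(data, LRC_DATA_NIBBLES);
}

/* Receiver side: consistent when the recomputed parity equals nibble 10. */
bool lrc_block_ok(const uint8_t block[LRC_BLOCK_NIBBLES]) {
    return lrc_compute(block, LRC_DATA_NIBBLES) == (block[LRC_DATA_NIBBLES] & 0x0F);
}

/* XOR an error 'pattern' of 'len' bits into the block starting at bit position 'start';
 * bit position k lives in parity column k % 4. */
static void inject_burst(uint8_t block[LRC_BLOCK_NIBBLES], int start, int len, unsigned pattern) {
    for (int k = 0; k < len; k++) {
        int pos = start + k;
        if (pos >= LRC_BLOCK_NIBBLES * 4) break;
        if ((pattern >> (len - 1 - k)) & 1)
            block[pos / 4] ^= (uint8_t)(1u << (3 - pos % 4));
    }
}

/* True when every non-zero error pattern confined to 'len' contiguous bits, at every
 * position in the block (parity nibble included), makes the LRC check fail.
 * A burst of at most four bits touches each column at most once, so it is always
 * caught; a five-bit burst (e.g. 10001) can hit one column twice and be masked. */
bool lrc_detects_all_bursts(const uint8_t data[LRC_DATA_NIBBLES], int len) {
    uint8_t clean[LRC_BLOCK_NIBBLES], trial[LRC_BLOCK_NIBBLES];
    lrc_build_block(data, clean);
    for (int start = 0; start + len <= LRC_BLOCK_NIBBLES * 4; start++) {
        for (unsigned pat = 1; pat < (1u << len); pat++) {
            /* require both end bits set so the pattern really spans 'len' bits */
            if (!(pat & 1u) || !((pat >> (len - 1)) & 1u)) continue;
            memcpy(trial, clean, sizeof trial);
            inject_burst(trial, start, len, pat);
            if (lrc_block_ok(trial)) return false;     /* a masked error exists */
        }
    }
    return true;
}

int main(void) {
    /* constructed sample data nibbles */
    const uint8_t data[LRC_DATA_NIBBLES] = { 0x1, 0x2, 0x4, 0x8, 0x0, 0xF, 0xA, 0x5, 0x3 };
    uint8_t block[LRC_BLOCK_NIBBLES];
    lrc_build_block(data, block);
    printf("LRC nibble: 0x%X\n", block[LRC_DATA_NIBBLES]);
    for (int len = 1; len <= 5; len++)
        printf("all %d-bit bursts detected: %s\n", len,
               lrc_detects_all_bursts(data, len) ? "yes" : "no");
    return 0;
}
```

The exhaustive check is what makes the "up to four contiguous bit errors" requirement concrete: with four parity columns, any burst no wider than four bits flips each column an odd number of times at most once, so it cannot cancel out.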
The IFQ circuit 30 includes a microprocessor 42 (for example, an Intel 80186 chip) which provides the data pump for the front end computer 18. The microprocessor 42 is not only responsible for all IFQ/IFS protocol control and relaying data from the process control computers 12a-12b to a destination on the network 20, but it is also responsible for controlling the integrity of write activities to the IFS and IFQ circuits. For example, the microprocessor 42 may be used to program the transfer map 37 in the IFS circuit 28, so that only a particular sub-set of data in the dual-ported data memory 22 may be gathered and transmitted to the front end computer 18, if less than all of the available variables (for example, input/output values, alarms and events) is desired. In this way, the actual contents of the transfer map 37 may be dependent upon a specific process control application.
All signal transmissions between the IFQ circuit 30 and the IFS circuit 28 are under the control of the IFQ circuit microprocessor 42. In this regard, there are three types of data transmissions from the IFQ circuit 30 to the IFS circuit 28, namely "load transfer map", "send command messages" and "receive data". The load transfer map transmission will enable the IFQ circuit 30 to load the transfer map 37 of the IFS circuit 28 with the specific variable addresses which will steer the data memory transmit bursts from the IFS circuit. The receive data transmission will cause the IFS circuit 28 to return the requested segment of memory from the dual-ported data memory 22.
A command message transmission will start with a Write-Lock request to the IFS circuit 28. Assuming that the incoming buffer is free, the IFS circuit 28 will assert a Write-Lock on the mailbox section 26 of the dual-ported data memory 22, and return a positive acknowledgement to the IFQ circuit 30. The IFQ circuit 30 may then transmit its message with the assurance that no other device will be able to write to the mailbox section 26 until its message has been completely stored and preferably read by the process control computer 12.

However, a time limit may be imposed on the Write-Lock to ensure that the flow of communications is not impeded by one of the external entities connected to the stealth interface circuit 16. It should also be appreciated that message transmissions should not take place during any time in which a data burst should be received from the IFS circuit 28.
As another measure of data transmission protection, the IFQ circuit 30 will cause the IFS circuit 28 to read back a message transmitted to and stored in the mailbox section 26 of the dual-ported data memory 22 in order to be sure that the message was transmitted and stored correctly. Once the IFQ circuit 30 determines that the message has been accurately received and stored, then the IFQ circuit will cause a flag to be set which will signal the process control computer 12 to pick up the new message. In the event that this data verification fails, then the entire message transmission process will be repeated.
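The following is an added worked example, not code from the patent: it models the command-message path of the last three paragraphs as a mailbox with a time-limited Write-Lock, a store, a read-back comparison, and a repeat of the whole transmission when the read-back fails. Time is a caller-supplied tick count so the behaviour is deterministic; the structure names, the lock limit, the attempt limit and the fault hook used to corrupt one store are this example's assumptions.

```c
/* Added example (not the patent's code): time-limited Write-Lock on the mailbox,
 * store, read-back verification and retry. Names, limits and the fault hook are
 * assumptions; 'now' is a tick count supplied by the caller. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define MAILBOX_BYTES    64
#define LOCK_LIMIT_TICKS 50     /* a held Write-Lock expires after this many ticks */
#define MAX_ATTEMPTS     3

enum { OWNER_NONE = 0, OWNER_IFQ = 1, OWNER_OTHER = 2 };

/* Mailbox section of the dual-ported memory plus its lock state (IFS side). */
struct mailbox {
    uint8_t  data[MAILBOX_BYTES];
    int      lock_owner;
    uint32_t lock_deadline;     /* tick at which the current lock expires */
    bool     new_message_flag;  /* tells the process control computer to pick up the message */
};

/* Write-Lock request: granted when free, re-entered by the holder, or expired. */
bool ifs_write_lock(struct mailbox *mb, int requester, uint32_t now) {
    if (mb->lock_owner != OWNER_NONE && mb->lock_owner != requester && now < mb->lock_deadline)
        return false;                               /* negative acknowledgement */
    mb->lock_owner = requester;
    mb->lock_deadline = now + LOCK_LIMIT_TICKS;
    return true;                                    /* positive acknowledgement */
}

void ifs_write_unlock(struct mailbox *mb, int requester) {
    if (mb->lock_owner == requester) mb->lock_owner = OWNER_NONE;
}

/* Constructed fault hook: lets a scenario corrupt the stored copy on a chosen attempt. */
typedef void (*fault_fn)(uint8_t *stored, size_t len, int attempt);

/* IFQ side: lock, store, read back, set the flag; repeat everything on a bad read-back.
 * Returns the number of attempts used, or 0 if the message was not delivered. */
int ifq_send_command(struct mailbox *mb, const uint8_t *msg, size_t len,
                     uint32_t now, fault_fn fault) {
    if (len > MAILBOX_BYTES) return 0;
    for (int attempt = 1; attempt <= MAX_ATTEMPTS; attempt++) {
        if (!ifs_write_lock(mb, OWNER_IFQ, now)) return 0;   /* mailbox busy: try again later */
        memcpy(mb->data, msg, len);                           /* transmit and store the message */
        if (fault) fault(mb->data, len, attempt);             /* simulated link/storage error */
        uint8_t readback[MAILBOX_BYTES];
        memcpy(readback, mb->data, len);                      /* IFS reads the mailbox back */
        if (memcmp(readback, msg, len) == 0) {
            mb->new_message_flag = true;                      /* message verified: signal the PCC */
            ifs_write_unlock(mb, OWNER_IFQ);
            return attempt;
        }
        /* verification failed: keep the lock and repeat the whole transmission */
    }
    ifs_write_unlock(mb, OWNER_IFQ);
    return 0;
}

/* Constructed fault: flip one bit of the stored copy on the first attempt only. */
static void corrupt_first_attempt(uint8_t *stored, size_t len, int attempt) {
    if (attempt == 1 && len > 2) stored[2] ^= 0x40;
}

/* Scenario: one bad read-back, then a clean retry. Expected result: 2 attempts. */
int scenario_retry_after_bad_readback(void) {
    struct mailbox mb = {0};
    const uint8_t msg[] = "SET AG 1.25";            /* constructed command text */
    return ifq_send_command(&mb, msg, sizeof msg, 100, corrupt_first_attempt);
}

/* Scenario: another device took the lock at tick 100 (expires at 150). Before the
 * limit the IFQ is refused (0); after it the stale lock is overridden (1 attempt). */
int scenario_lock_held_by_other(uint32_t now) {
    struct mailbox mb = {0};
    ifs_write_lock(&mb, OWNER_OTHER, 100);
    const uint8_t msg[] = "SET AG 1.25";
    return ifq_send_command(&mb, msg, sizeof msg, now, NULL);
}

int main(void) {
    printf("attempts with one bad read-back: %d\n", scenario_retry_after_bad_readback());
    printf("lock held by other, tick 120: %d\n", scenario_lock_held_by_other(120));
    printf("lock held by other, tick 160: %d\n", scenario_lock_held_by_other(160));
    return 0;
}
```

The time limit is the safety property worth noticing: without it, any external entity on the stealth interface that took the lock and then stalled would block every later command message, so the lock protects message integrity but must not be allowed to protect a hung writer.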
The IFQ circuit 30 also includes a process data buffer 44, which is shown as a block in Figure 1 for illustration simplicity. However, the process data buffer 44 should include sufficient memory capacity to store a separate data table for each of the process control computers 12a-12b (for example, 262,144 bytes). Each of these data tables will include both the SDSS and DSS data transmissions. Additionally, a DMA buffer (not shown) may also be provided to allow some elasticity in processing the data being received. In this regard, it should be noted that both the IFS circuit 28 and the IFQ circuit 30 are configured to facilitate bi-directional Direct Memory Access "DMA" transfers between the IFQ circuit 30 and the Q-bus of the front end computer 18. In this way, the central processing unit 45 of the front end computer 18 does not need to devote substantial time to processing data transfers to and from the IFQ circuit 30. Accordingly, the DMA buffer is preferably used as a bucket brigade area to perform DMA transfers on blocks of data from the process data buffer 44 (for example, 8K bytes at a time) to a suitable memory residing on the Q-bus of the front end computer 18.
The use of DMA transfers also enhances the ability of the front end communication system 10 to achieve the goal of making available real-time data from the process control computers 12a-12b to one or more computers on the network 20.
More specifically, the front end communication system 10 is designed to request, receive and answer network queries on both pre-link and post-arbitrated data from each of the process control computers 12a-12b within a one-second time resolution. For example, in this particular embodiment, each of the process control computers 12a-12b will issue a Sequence Data Stable Strobe "SDSS" signal in every one-second program cycle, which indicates that approximately 1024 (16 bit) words of pre-link dynamic analog/digital input data is stable and available in the dual-ported data memory 22. This specific data set is referred to as pre-link data, as this data has not yet been arbitrated between the process control computers 12a-12b via data transmissions across the major link 14. Subsequently, in the same one-second program cycle, each of the process control computers 12a-12b will issue a Data Stable Strobe "DSS" signal, which indicates that a complete set of post-arbitrated input and output data is stable and available in the dual-ported data memory 22. This data set is referred to as post-arbitrated, as the input values will have been arbitrated or resolved by this point in the program cycle. In the present embodiment, this post-arbitrated data set may be comprised of up to 65,536 (16-bit) words, as it will include both input and output values (and any other variables stored in the dual-ported data memory 22).
It should also be noted at this point that one of the first functions in the program cycle of the process control computers 12a-12b is to make output value decisions from the post-arbitrated input data obtained in the immediately preceding program cycle.
Accordingly, it should be appreciated that the post-arbitrated data set will include the arbitrated input values from the current program cycle and the output values from the immediately previous program cycle.
It is also important to understand that the function of obtaining a copy of the pre-link and post-arbitrated data sets cannot be permitted to delay the operations of the process control computers 12a-12b. Thus, for example, the front end communication system 10 must be sufficiently fast to obtain a copy of the pre-link data sets before the process control computers 12a-12b need to have the ability to change one or more of these data values through the arbitration process. Accordingly, in the context of the present embodiment, the front end communication system 10 needs to be able to acquire a pre-link data set within ten milliseconds of the time that the SDSS signal was initially asserted in order to have the assurance of data stability. Similarly, the front end communication system 10 needs to be able to acquire a post-arbitrated data set within fifty milliseconds of the time that the DSS signal was initially asserted. In this regard, it should be appreciated that each of these data sets needs to be independently acquired from both of the process control computers 12a-12b by each of the front end computers 18a-18b. Additionally, each of the front end computers 18a-18b must also be able to send messages to one or both of the process control computers 12a-12b during time periods outside of the SDSS and DSS data acquisition windows.
In order to further facilitate the ability of the front end communication system to acquire the SDSS and DSS data sets without any data transfer bottlenecks, and also provide the ability to group and time align the data sets being received, each of the front end computers 18a-18b includes a set of at least three reflective buffers for each of the process control computers 12a-12b. Each of these logically distinct reflective buffers or shadow memories may reside in the same physical memory chip or chip set in the front end computer 18. As shown in Figure 1, the set of reflective buffers contained in the front end computer 18a is generally comprised of a ZERO buffer "ZL" 46a for the Left process control computer 12a, a ZERO buffer "ZR" 48a for the Right process control computer 12b, a ONE buffer "OL" for the Left process control computer, a ONE buffer "OR" for the Right process control computer, a TWO buffer "TL" for the Left process control computer, and a TWO buffer "TR" for the Right process control computer. Additionally, it should be understood that a corresponding set of reflective buffers are contained in the front end computer 18b, such as the ZERO buffer "ZL" 46b for the Left process control computer 12a and the ZERO buffer "ZR" 48b for the Right process control computer 12b.
The IFQ circuit 30 writes to these Left and Right buffers in a "round robin" fashion using DMA data transfers. In other words, the IFQ circuit 30 will fill the ZERO buffer 46a with pre-link and post-arbitrated data for a particular process control cycle from the Left process control computer 12a. Then, when pre-link and post-arbitrated data for the next process control cycle is received from the Left process control computer 12a, the IFQ circuit will increment to the ONE buffer 50a in order to store this data. Similarly, the IFQ circuit 30 will turn to the TWO buffer 54a when pre-link and post-arbitrated data for the third process control cycle is received from the Left process control computer 12a in order to store this data. Then, when pre-link and post-arbitrated data for the fourth in time process control cycle from the Left process control computer 12a is to be stored, the IFQ circuit 30 will return to address the ZERO buffer 46a for data storage. Of course, it should be appreciated that the IFQ circuit 30 will employ the same round robin sequence for individually transferring pre-link and post-arbitrated data to the three reflective buffers 48a, 52a and 56a that are used for the Right process control computer 12b.
For purposes of illustration, Figure 1 shows three reflective memory buffers (46a, 50a and 54a) for the Left process control computer 12a, and three reflective memory buffers (48a, 52a and 56a) for the Right process control computer 12b. However, as the SDSS and DSS data transfers are treated as independent DMA events, the reflective memory buffers preferably include distinct reflective memory buffers for each of these events. Accordingly, a total of twelve reflective memory buffers are preferably provided in the front end computer 18. Additionally, each of these reflective memory buffers is individually tracked, so that the ordering of these buffers does not necessarily have to follow the regimen shown below:
Second N:     (ZERO-SDSS-L  ZERO-DSS-L  ZERO-SDSS-R  ZERO-DSS-R)
Second N + 1: (ONE-SDSS-L   ONE-DSS-L   ONE-SDSS-R   ONE-DSS-R)
Second N + 2: (TWO-SDSS-L   TWO-DSS-L   TWO-SDSS-R   TWO-DSS-R)
Rather, the ordering of these buffers could also proceed under other regimens, such as shown below:
Second N:     (ONE-SDSS-L   TWO-DSS-L   ZERO-SDSS-R  ONE-DSS-R)
Second N + 1: (TWO-SDSS-L   ZERO-DSS-L  ONE-SDSS-R   TWO-DSS-R)
Second N + 2: (ZERO-SDSS-L  ONE-DSS-L   TWO-SDSS-R   ZERO-DSS-R)
It is important to understand that the corresponding Left and Right reflective buffers (for example, buffers 46a and 48a) will generally not become filled at the same time, as the program time line of the process control computer in the dog mode should follow the program time line of the process control computer in the fox mode by a predeterminable period of time (for example, 20 microseconds to 20 milliseconds). However, these time lines may become considerably separated in the event that communications across the major link 14 are not possible, as mentioned above. Even when the Left and Right SDSS or DSS signals are asserted at near the same time, the delays required to transfer this information to the IFQ circuit 30 and then transfer this information into the appropriate reflective memories may result in a wider time skew between these events as seen by the application software of the front end computer 18 than as seen by the process control computer and IFS circuit hardware.
Nevertheless, it is the responsibility of the front end computer 18 to ensure that the data sets ultimately made available to the computer network 20 represent data from the process control computers 12a-12b in the same program cycle (for example, a one second period).
In this regard, the application software of the front end computer 18 includes a procedure, referred to as "MI Sync", which groups individual data transfer events into a cohesive set of buffers that represent a "snapshot" of the pre-link and post-arbitrated data for a particular process control cycle.
The MI Sync procedure uses a set of reflective memory buffer management structures (MI_RMBMS) to track the status of incoming data transfers. When the IFQ circuit driver software signals to the MI Sync procedure that a DMA transfer has completed, MI Sync records the required information in the appropriate MI_RMBMS data structure.
When MI Sync determines that a complete set of buffers has been received and stored (that is, Left SDSS, Right SDSS, Left DSS and Right DSS), it updates a global data structure (MI_RM_DATA) with the pointers to the newly received data. These pointers are copied from the MI_RMBMS data structure. Accordingly, MI_RM_DATA includes the pointers to the currently available "complete" or time aligned set of reflective memory buffers. Depending upon where the front end computer 12 is in the round robin procedure, the most current time aligned set of reflective memory buffers may be the TWO buffers 54a and 56a at one time interval, the ONE buffers 50a and 52a at the next time interval, and the ZERO buffers 46a and 48a at the following time interval. In the event that the SDSS or DSS data from one of the process control computers 12a-12b is not received by the IFQ circuit 30, MI Sync will still maintain time alignment by using an appropriate timeout (for example, 700 milliseconds) for updating the MI_RM_DATA pointers. An indication will also be provided as to which buffer or buffers are unavailable.
The buffer pointers within MI_RM_DATA are protected by a mutual exclusion semaphore or "mutex". MI Sync requests this mutex before copying the new pointers to MI_RM_DATA and releases it immediately after the copy is complete. When a network entity needs to access reflective memory data, a copy of the MI_RM_DATA pointers is made by requesting the mutex, copying these buffer pointers to a local data structure, and then releasing the mutex. Since the application for querying or reading the data uses a copy of the pointers, contention for the mutex is minimized, and MI Sync will be able to update MI_RM_DATA with new pointers as soon as the next complete set of data has been stored. In this regard, it is important to note that this method will enable the reading application to still access the same set of reflective memory buffers while MI Sync updates MI_RM_DATA with new pointers. Since reading applications will access the most current time aligned set of reflective memory buffers, it should be understood that a reading application could be accessing one set of reflective memory buffers (for example, the TWO buffers 54a and 56a), while a subsequent reading application could be given access to another set of reflective memory buffers (for example, the ONE buffers 50a and 52a) once MI Sync updates MI_RM_DATA with new pointers.
It should also be understood that applications which access the reflective memories will be able to run to completion before the referenced buffers are overwritten with new incoming data. In one embodiment of the front end communication system 10, applications requiring reflective memory data are assigned execution priorities high enough to allow them to run to completion in less than one second. However, it should be appreciated that the front end computer 18 could be configured with additional sets of buffers to allow the development of an application that may take longer to run to completion.
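The following is an added worked example, not code from the patent: a single-threaded model of the round-robin reflective buffers and of the MI Sync grouping described in the preceding paragraphs. Each of the four DMA events (SDSS-L, DSS-L, SDSS-R, DSS-R) cycles through its own ZERO, ONE and TWO buffers; when all four for a cycle have arrived, or the timeout expires, the buffer pointers are copied to MI_RM_DATA under a lock and the missing buffers are flagged, and readers take a private copy of the pointers under the same lock. The names, buffer sizes, the tick-based clock and the `atomic_flag` standing in for the page's mutex are this example's assumptions.

```c
/* Added example (not the patent's code): round-robin reflective buffers and the
 * MI Sync grouping of four DMA events into one time-aligned set. Names, sizes,
 * the tick clock and the atomic_flag used as a lock are assumptions. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

enum ev { SDSS_L = 0, DSS_L = 1, SDSS_R = 2, DSS_R = 3, EV_COUNT = 4 };
#define RING 3                  /* ZERO, ONE, TWO buffers per event: twelve in all */
#define BUF_WORDS 8             /* toy buffer size; the page allows up to 65,536 words */
#define SYNC_TIMEOUT_MS 700
#define ALL_EVENTS ((1u << EV_COUNT) - 1)

typedef struct { uint16_t words[BUF_WORDS]; } refbuf_t;

/* MI_RM_DATA: the published, time-aligned set of buffer pointers. */
struct mi_rm_data {
    const refbuf_t *buf[EV_COUNT];  /* NULL for a buffer that was unavailable */
    unsigned missing_mask;          /* bit e set when event e timed out */
    uint32_t cycle;
};

struct mi_sync {
    refbuf_t ring[EV_COUNT][RING];
    int next_slot[EV_COUNT];            /* round-robin position per event */
    const refbuf_t *pending[EV_COUNT];  /* MI_RMBMS: arrivals for the set in progress */
    unsigned arrived_mask;
    uint32_t set_started_ms;
    struct mi_rm_data published;
    atomic_flag lock;                   /* stands in for the page's "mutex" */
};

void mi_sync_init(struct mi_sync *s) { memset(s, 0, sizeof *s); atomic_flag_clear(&s->lock); }
static void mi_lock(struct mi_sync *s)   { while (atomic_flag_test_and_set(&s->lock)) { } }
static void mi_unlock(struct mi_sync *s) { atomic_flag_clear(&s->lock); }

/* Copy the MI_RMBMS pointers into MI_RM_DATA, holding the lock only for the copy. */
static void publish(struct mi_sync *s) {
    mi_lock(s);
    for (int e = 0; e < EV_COUNT; e++)
        s->published.buf[e] = (s->arrived_mask & (1u << e)) ? s->pending[e] : NULL;
    s->published.missing_mask = ALL_EVENTS & ~s->arrived_mask;
    s->published.cycle++;
    mi_unlock(s);
    s->arrived_mask = 0;                /* start assembling the next set */
}

/* Buffer the driver should DMA the next transfer of event e into (round robin). */
refbuf_t *mi_sync_next_buffer(struct mi_sync *s, enum ev e) {
    refbuf_t *b = &s->ring[e][s->next_slot[e]];
    s->next_slot[e] = (s->next_slot[e] + 1) % RING;
    return b;
}

/* Driver signals "DMA complete" for event e into b. True when a full set was published. */
bool mi_sync_dma_complete(struct mi_sync *s, enum ev e, const refbuf_t *b, uint32_t now_ms) {
    if (s->arrived_mask == 0) s->set_started_ms = now_ms;
    s->pending[e] = b;
    s->arrived_mask |= 1u << e;
    if (s->arrived_mask == ALL_EVENTS) { publish(s); return true; }
    return false;
}

/* Periodic call: after the timeout, publish the partial set and flag what is missing. */
bool mi_sync_tick(struct mi_sync *s, uint32_t now_ms) {
    if (s->arrived_mask == 0 || now_ms - s->set_started_ms < SYNC_TIMEOUT_MS) return false;
    publish(s);
    return true;
}

/* Reader side: a private copy of the pointers, so the lock is held only for the copy. */
struct mi_rm_data mi_rm_data_snapshot(struct mi_sync *s) {
    mi_lock(s);
    struct mi_rm_data copy = s->published;
    mi_unlock(s);
    return copy;
}

/* Scenario: one complete second, then a second in which DSS-R never arrives.
 * Returns the missing mask of the second published set (0x8 == DSS_R). */
unsigned scenario_missing_dss_r(void) {
    static struct mi_sync s;
    mi_sync_init(&s);
    for (int e = 0; e < EV_COUNT; e++) {
        refbuf_t *b = mi_sync_next_buffer(&s, (enum ev)e);
        b->words[0] = (uint16_t)(0x100 + e);          /* constructed payload */
        mi_sync_dma_complete(&s, (enum ev)e, b, 1000 + 10 * e);
    }
    struct mi_rm_data first = mi_rm_data_snapshot(&s);
    if (first.missing_mask != 0 || first.buf[DSS_R]->words[0] != 0x103) return 0xFF;
    for (int e = 0; e < EV_COUNT - 1; e++)            /* DSS_R is lost this second */
        mi_sync_dma_complete(&s, (enum ev)e, mi_sync_next_buffer(&s, (enum ev)e), 2000 + 10 * e);
    if (mi_sync_tick(&s, 2500)) return 0xFE;          /* 500 ms: too early to give up */
    if (!mi_sync_tick(&s, 2700)) return 0xFD;         /* 700 ms: publish without DSS_R */
    return mi_rm_data_snapshot(&s).missing_mask;
}

int main(void) {
    printf("missing mask after timeout: 0x%X\n", scenario_missing_dss_r());
    return 0;
}
```

Because every reader works from its own copy of the pointers, the lock is only ever held for a four-pointer copy on either side, which is what keeps MI Sync free to publish the next set as soon as it is complete while earlier readers finish on the set they already hold.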
It should also be appreciated from the above that the use of the front end computers 18a-18b also enables the communication system 10 to have the necessary intelligence to answer specific data requests. The use of the front end computers 18a-18b also permits a rapid check to be made that the process control computers 12a-12b are in fact continuing to send real-time data. Additionally, the front end computers 18a-18b are also preferably programmed to make determinations as to whether read or write requests from the process control computers 12a-12b should be granted with respect to the entity on the computer network 20 which has forwarded the request. As will be discussed more fully below, the front end computers 18a-18b contain both a security table and two permissive tables in their memories for facilitating these determinations. The security table is used to determine whether communications will be permitted at all with various entities on the computer network 20, while the permissive tables are used to evaluate write command messages from an entity on the computer network which could affect specific locations in the dual-ported data memories 22a-22b.
The front end computers 18a-18b may also utilize at least one set of additional reflective buffers, such as Correlate buffers 58a and 60a. In light of the fact that the DSS data set will contain the post-arbitrated input value data from the current program cycle and the output value data that was based upon the post-arbitrated input values of the immediately preceding program cycle, it may be desirable to correlate into one data table the output values for a particular program cycle with the input values used to decide these output values.
Accordingly, the front end computer 18a may employ the Correlate buffers 58a and 60a to store a copy of the post-arbitrated input values from the current DSS data set, and then wait for the alignment of the next DSS data set in order to store a copy of the output values from this subsequent data set in the same Correlate buffers. In this regard, it should be appreciated that this copying procedure will be made from the most current time aligned set of reflective memory buffers. Thus, for example, Figure 2A shows a diagrammatic example of a data table in a time aligned buffer, while Figure 2B shows a similar example of a data table in the Correlate buffer CL. In any event, it should be understood that the time alignment capabilities of the front end computers 18a-18b provide a powerful diagnostic tool for analyzing both the operation of the process control computers 12a-12b and the physical process being controlled.
For example, the arbitration performed with respect to the input data values may be analyzed for both of the process control computers 12a-12b, as pre-link and post-arbitrated input data values are time aligned and made available by the front end computers 18a-18b.
The computer network 20 is shown in Figure 1 to generally include a direct control segment, a process information segment and a connection to a Wide Area Network "WAN". Each of these network segments preferably employs Ethernet compliant mediums and IEEE 802.3 compatible communication protocols. The direct control segment is comprised of dual Plant Area Networks "PAN-1" and "PAN-2", while the process information segment is comprised of Plant Area Network "PAN-3". At least one bridge 62 is used to interconnect the PAN-1 and PAN-2 segments. Additionally, at least one bridge 64 is used to interconnect the PAN-2 segment with the PAN-3 segment. Another bridge may be used to interconnect the PAN-1 segment with the PAN-3 segment. One or more bridges 66 may also be used to interconnect the PAN-3 segment with the WAN.
It should be noted that the front end computer 18a is coupled to the PAN-1 segment, while front end computer 18b is coupled to the PAN-2 segment. While a single plant area network could be provided, the use of dual plant area networks shown herein has certain communication and redundancy advantages over a single plant area network. In this regard, the bridges will typically filter communications by Ethernet hardware addresses to reduce the amount of traffic on each of the network segments. For example, a communication between the security server 68 and the operator station 70 will not be transmitted across the bridge 62 to the PAN-1 segment. The bridges 62-66 also provide a layer of physical separation between the network segments, so that if a fault occurs on one of the network segments, then the fault will be prevented from adversely affecting the other network segments.
Additionally, one or more of the bridges are also used to filter communications on the basis of specific data communication protocol identifications to enhance the overall security of the network 20. For example, the bridge 64 may be used to prevent the transmission of messages employing the Ethernet compliant protocol used by the security server 68 from one of the PAN-2 and PAN-3 segments to the other. Similarly, the bridge 64 may be used to prevent the transmission of messages employing the Ethernet compliant protocol used to write information into the mailbox section 26 of the dual-ported data memory.
The computer network 20 also includes a plurality of operator workstations, such as operator workstations 70 and 72. As shown in Figure 1, these operator workstations may be located on different network segments, and the number of operator workstations will be dependent upon the particular process control application. One or more of these operator workstations may be used to view or analyze data received from the front end computers 18a-18b. Additionally, these operator workstations may be used by an authorized control room operator to transmit the appropriate instructions to the front end computers 18a-18b which will cause a command message to be conveyed to the process control computers 12a-12b.
The network 20 further includes a process information computer 74 which may perform a variety of functions. For example, the process information computer may be used to store a history of process data received from the front end computers 12a-12b. Additionally, the process information computer 74 may be used to store the compilers needed to change the computer programs residing in the front end computers 18a-18b, as well as the programs residing in the process control computers 12a-12b. The process information computer 74 may also include loading assistant software for transferring operating program revisions to the process control computers 12a-12b. The network also includes a control room data manager computer 76, which may be used to perform various file serving and tracking functions among the computers connected to the network.
An expert download assistant 78 is also provided to facilitate program revisions in the front end computers 18a-18b. In contrast, the loading assistant software in the process information computer 74 may be used to cause a new computer program to be downloaded to one of the process control computers 12a-12b through at least one of the front end computers 18a-18b and the mailbox section 26 of the dual-ported data memory 22. While the download assistant 78 may be resident in its own network computer, the download assistant could also reside in a suitable network computer, such as the process information system computer 74.
The loading assistant may also be used to cause the process control computer with the revised program to start operating in a mode which will enable real-time testing of the revised program. In this mode of operation, the process control computer will receive input data and make output decisions, but these output decisions will not be transmitted to the field instrumentation devices. This will permit the plant engineer to evaluate the revisions, and even make further revisions if necessary, before instructing the process control computer to assume an active mode of operation, such as the fox or dog modes.
Whenever it is decided that the manner in which the process control computers 12a-12b perform their particular manufacturing control operations should be changed through a program revision, the revised program for the process control computers 12a-12b must be compiled from the source programming language to an executable file or set of dynamically linked files. In the preferred embodiment, a unique identifier is embedded into the executable code during the compile procedure. This identifier represents (or is otherwise associated with) the version of the revised software for the process control computers 12a-12b.
The program version identifier is used to ensure proper alignment between the version of the program being executed by the process control computers 12a-12b and the files/tables in the front end computers 18a-18b used to evaluate write command messages to these process control computers.
As mentioned above, each of the front end computers 18a-18b includes two permissive tables, such as the "PL" permissive table 80a for the Left process control computer 12a, and the "PR" permissive table 82a for the Right process control computer 12b. These permissive tables are used by the front end computers 18a-18b to determine whether any entity on the computer network 20 should be permitted to change the contents of specific locations in the dual-ported data memories 22a-22b. However, it should be appreciated that the data structure of the permissive table could be constructed to protect the contents of any memory location or area in the process control computers 12a-12b which could be altered from a write command message.
When a message is received by a front end computer 18 from an entity on the network which uses the write command protocol, such as a write command message from one of the operator workstations 70-72, a "data write check" subroutine will be called by the central processing unit of the front end computer. The data write check routine will perform a comparison between the variable elements identified in the write command message and the variable elements in the permissive table for which changes should be authorized or denied.
For example, if the front end computer 18a receives a write command message which seeks to increase/decrease an analog gain "AG" factor used by the program being executed by the Left process control computer 12a, the front end computer 18a will look up the element word for this particular AG factor in permissive table 80a and determine if a bit has been set to deny the authorization needed to change this factor. If authorization is denied, then the front end computer 18a will not transmit the write command message to the process control computer 12a. Instead, the front end computer 18a will preferably send a reply message to the host entity on the computer network 20 that originally sent the write command message, to inform the host entity that a write error has occurred.
From the above, it should be appreciated that the PL and PR permissive tables stored in the front end computers 18a-18b need to be closely coordinated with the version of the program being executed by each of the process control computers 12a-12b.
In order to ensure that each of these permissive tables is sufficiently matched with the program being executed by its respective process control computer 12a-12b, the program version identifier discussed above is also embedded into these permissive tables when they are compiled. This program version identifier may then be sent to the process control computer 12 along with a verified write command message, so that the process control computer 12 will be able to confirm that the commanded variable change is appropriate to its program version.
To enhance the security of this verification process, the program version identifier from the permissive table is preferably altered by a suitable encryption algorithm before it is transmitted with the write command message to the mailbox section 26 of the stealth interface circuit 16 for the intended process control computer 12. The process control computer 12 receiving the write command message will then decode this version identifier, and compare it with the program version identifier embedded in its program to determine if there is a match.
If the program version identifiers match, then the process control computer 12 will perform the commanded variable change. Otherwise, the process control computer 12 will respond by discarding the write command message and transmitting an appropriate error message to the front end computer 18.
The PL and PR permissive tables are also preferably provided with a data structure which permits write command authorization determinations to be made for specific host entities on the computer network 20. In other words, the permissive table 80a may permit particular variable changes to be made from operator workstation 70 that are not allowed to be made from operator workstation 72. Thus, the permissive tables may have several station specific table sections, as well as a default table section. Nevertheless, the ability may also be provided to bypass a check of the appropriate permissive table, through the use of a suitable password at a host entity on the computer network 20. However, in this event, a log should be created and stored in the front end computer 18 which will identify this transaction and the identity of the host entity (for example, a CPU identifier).
It should be noted that the use of separate permissive tables for the process control computers 12a-12b has the advantage of enabling a program downloading operation to be performed on one of the process control computers while the other process control computer continues to actively control a manufacturing process. Indeed, even after a revised program has been successfully transferred to the process control computer 12a (and the corresponding permissive table 80a loaded in front end computer 18a), the use of separate permissive tables will enable the front end computer 18a to evaluate a write command message intended for the process control computer 12a which is distinct from a write command message intended for the process control computer 12b. While it may not be advisable in some circumstances to run the process control computers 12a-12b with different program versions in an active control mode, a passive operating mode may be used for the process control computer with the revised program while the other process control computer is in an active control mode. In such an event, the plant engineer may use the download assistant 78 during final program testing to issue write command messages for the passive process control computer, while another plant engineer issues write command messages to the active process control computer through the same front end computer 18.
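The permissive table check and the program version comparison described above, as an added example that is not part of the patent: the element word layout (a deny bit), the station identifiers, the bypass password, and the keyed transform standing in for the unspecified "suitable encryption algorithm" are all constructed assumptions.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

DENY_BIT = 0x8000  # assumed layout: the top bit of an element word means "deny changes"
VERSION_KEY = b"constructed-version-id-key"  # assumed key shared by FEC and PCC for this transform
BYPASS_PASSWORD = "constructed-bypass-secret"  # assumed; the page only says "a suitable password"


@dataclass
class PermissiveTable:
    """One PL or PR table. Sections map a variable element name to its element
    word; a station-specific section overrides the default section. The program
    version identifier is embedded when the table is compiled."""
    program_version: int
    default: dict = field(default_factory=dict)
    stations: dict = field(default_factory=dict)  # station id -> station-specific section

    def element_word(self, station, element):
        section = self.stations.get(station, {})
        if element in section:
            return section[element]
        return self.default.get(element, DENY_BIT)  # element not in the table: deny


def transform_version(version):
    # Stands in for the unspecified "suitable encryption algorithm" applied to the
    # version identifier before it travels with the write command message.
    return hmac.new(VERSION_KEY, version.to_bytes(4, "big"), hashlib.sha256).digest()[:8]


def data_write_check(table, station, element, value, audit_log=None, bypass_password=None):
    """Front end computer side. Returns the message to place in the mailbox, or
    None when the change is denied (the FEC then replies with a write error)."""
    word = table.element_word(station, element)
    if word & DENY_BIT:
        if bypass_password != BYPASS_PASSWORD:
            return None
        # A bypass is honoured only with the password, and is always logged
        # together with the identity of the requesting host.
        if audit_log is not None:
            audit_log.append(("PERMISSIVE_BYPASS", station, element))
    return {"element": element, "value": value,
            "version_tag": transform_version(table.program_version)}


def process_control_computer(message, embedded_version):
    """PCC side: decode the version tag and apply the change only on a match."""
    if not hmac.compare_digest(message["version_tag"], transform_version(embedded_version)):
        return ("error", "program version mismatch")  # message discarded, error to FEC
    return ("ok", message["element"], message["value"])


# Constructed PL table: the AG factor may be changed from workstation 70 but not
# from 72; SETPOINT is writable from every station through the default section.
PL_TABLE = PermissiveTable(
    program_version=0x0103,
    default={"AG": DENY_BIT, "SETPOINT": 0x0001},
    stations={"WS70": {"AG": 0x0001}},
)
```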
The security server 68 is used to inform each of the computers residing on the network 20 who they may communicate with on the network. In this regard, the security server stores a specific security table for each of the valid entities on the network. Each of these security tables will identify which of the network computer entities a particular network computer may conduct bi-directional communications with. For example, in the case of the front end computers 18a-18b, one of the first functions on start up will be to obtain their respective security tables from the security server 68. Accordingly, the security server 68 is shown in Figure 1 to store a security table "S1" for the front end computer 18a, and a security table "S2" for the front end computer 18b. While the security server could also be used to send the PL and PR permissive tables discussed above to the front end computers 18, it is preferred that newly compiled permissive tables be received from the download assistant 78. In this regard, it should be noted that the download assistant is also preferably used to send the transfer map 37 intended for the IFS circuit 28 to the front end computer 18 along with the appropriate permissive table.
In order to assure the integrity of security table transfers from the security server 68 to the front end computers 18a-18b, a method of validating these transfers is utilized in the present embodiment. In accordance with this method, the front end computer 18 will embed a random or pseudo-random number in a broadcast network message to request that the security server 68 identify itself as a prelude to sending the appropriate security table. The security server will respond to this request with an acknowledgement message that utilizes a security protocol identifier which is different than that used with other types of network messages. Importantly, this acknowledgement message will include the random number from the front end computer 18 in a transformed state. In this regard, a suitable encryption algorithm may be used to alter the random number, and the random number should have a bit length which will make it difficult for any unauthorized entity to decode (for example, 32 bits).
Upon receipt of the acknowledgement message, the front end computer 18 will then either reverse the encryption process to obtain the random number or encrypt its original random number, in order to make a comparison between the transmitted and received random numbers.
Assuming that these random numbers match, then the front end computer 18 will determine that the acknowledgement message has been received from a valid security server, and the transfer process will proceed.
In order to further enhance the security of communications between the front end computers 18a-18b and other entities on the computer network 20, an additional validation procedure is preferably implemented. More specifically, this additional validation procedure is utilized to permit communication between the front end computers 18a-18b and any network entity for which a write command message may be recognized. In accordance with this validation method, the front end computer 18 will send a contract offer message on a periodic basis to the Ethernet address of each host entity on the network 20 which it recognizes as having a write message capability. Each of these contract offer messages will include a random or pseudo-random number or other suitably unpredictable message component. In order for a host entity to be able to have its write command messages recognized, it must respond to this contract offer message within a predetermined period of time (for example, 10 seconds) with a contract acceptance message that includes a transformed version of this unpredictable message component. While any appropriate encryption algorithm may be used for this purpose, it is preferred that this encryption algorithm be different than the encryption algorithm used to validate the transfer of a security table from the security server 68. Additionally, it should be noted that the security message protocol may be used for these contract offer and acceptance messages.
The front end computer 18 will then decrypt the random number embedded in the contract acceptance message to determine if a time limited communication contract will be established between the front end computer and this host entity at the specific Ethernet address for the host entity that was contained in the security table. This time limited communication contract will ensure that a write command message link between a front end computer 18 and a particular host entity will be reliable and specific. Thus, for example, the front end computer 18a will send a contract offer message to the Ethernet address of the operator workstation 72 which will contain a new random number (for example, 32 bits in length). The operator workstation 72 will respond with a contract acceptance message that includes an encrypted version of this particular random number. Then, the front end computer 18a will either decrypt this number with the contract algorithm key stored in its memory for this purpose or use the same encryption algorithm to compare the offer and acceptance numbers. If these numbers match, then the front end computer 18a will process write command messages from the operator workstation 72 for a predetermined period of time.
Otherwise, if the numbers do not match, then the front end computer 18a will disable a write command authorization bit for the Ethernet address of the operator workstation 72 in its security table S1 to indicate that write command messages from this operator workstation should be ignored.
The communication contract established for write command messages is time limited to enhance the transmission security of these particular messages. In the preferred embodiment, the communication contract will automatically expire within twenty seconds after being initiated. Nevertheless, in order to ensure that the ability to send write command messages is not interrupted, the contract offer messages should be sent from the front end computer 18 to each of the appropriate host entities on the network 20 on a periodic basis which will provide this continuity. For example, with a communication contract of twenty seconds, it is preferred that the contract offers be transmitted at a rate of approximately every ten seconds. In other words, every ten seconds, each of the host entities that are capable of transmitting recognizable write command messages will receive a new random number from each of the front end computers 18.
In the event that a host entity fails to respond to a contract offer message from a front end computer 18, the front end computer will preferably make three tries to establish or maintain a time limited communication contract. If no response is received from these three tries, then the front end computer 18 will disable the write command authorization bit for the Ethernet address of this host entity in its security table. In such an event, the affected host entity will not be able to have its write command messages processed by the front end computer 18 until the security server 68 transmits a new security table to the front end computer 18.
It should be appreciated from the above that only the random numbers need to be encrypted to facilitate a transfer of the security table or to establish the time limited communication contract for write command messages. However, it should be understood that the security table itself or the write command messages could be encrypted as well in the appropriate application. Nevertheless, the use of different Ethernet protocols for security messages and write command messages, the use of different encryption algorithms for security table transfers and write command communication contracts, the limitation of the time of the write command communication contracts to short durations, and the use of specific permissive tables for each of the front end computers 18, all combine to provide a very high degree of communication and write command security for the process control computers 12a-12b.
Additional protection is also substantially provided by the guardian circuit in the stealth interface circuit 16, the embedding of a program version identifier in the PL and PR permissive tables, and the encryption of these program version identifiers by the front end computers 18a-18b when a verified write command message is transmitted to the process control computer 12a-12b. In this regard, it should be noted that the encryption algorithm used by the front end computers 18a-18b for the program version identifiers is preferably different than the encryption algorithm used for security table transfers or the encryption algorithm used to establish the time limited communication contracts for write command messages.
Turning to Figure 3, a block diagram of the stealth interface circuit 16 is shown. Reference will also be made to the schematic diagram of the stealth interface circuit 16, which is shown in Figures 4A-4B. The stealth interface circuit 16 is interposed between the internal bus structure 100 of the process control computer 12 and the externally directed stealth port 102.
The stealth interface circuit 16 is connected to bus structure 100 via a set of suitable buffers. In this regard, buffer block 104 includes two 8-bit buffer circuits U17-U18, which receive address information from the address bus on the process control computer 12. Similarly, buffer block 106 includes two 8-bit buffer circuits U6-U7, which receive data information from the data bus of the process control computer 12.
The stealth interface circuit 16 also includes a data control block 108, which is also connected to the bus structure 100 of the process control computer 12. As indicated in Figure 4A, the data control block 108 is preferably comprised of a Programmable Array Logic "PAL" circuit U15 (for example, _?512), which is used to detect the SDSS and DSS signals from the process control computer 12. As well known in the art, a PAL circuit has fusible links which may be programmed so that a plurality of internal AND gates and OR gates will be configured to perform a desired logic function. While a PAL circuit provides a relatively low cost way of implementing logic functions, it should be understood that other suitable circuit devices may be used for this application. It should also be noted that the PAL circuit is programmed to detect two extra strobe signals that may be generated by the process control computer 12, namely the "EXS1" and "EXS2" signals. One or both of these extra strobe signals may be used by the process control computer 12 to indicate that certain data stored in the dual-ported data memory 22 is stable, such as data used to display graphical information.
The stealth interface circuit 16 also receives four control signals from the process control computer 12 which are used to access the dual-ported data memory 22. These signals are "/EN_DATAMEM", "/EMR", "R/W" and "MEMCLK". The first three of these signals relate to whether the process control computer 12 seeks to read or write to the dual-ported data memory 22. However, MEMCLK is the memory clock signal referred to above which effectively divides the time in the machine cycle of the process control computer 12 available for accessing the dual-ported data memory 22. The MEMCLK signal is a fifty percent duty clock signal, as shown in the timing diagram of Figure 5A. In accordance with the method illustrated in this timing diagram, the dual-ported data memory 22 may be accessed from the internal process control computer port 100 when MEMCLK is Low. Then, when MEMCLK undergoes a transition to a High state, the dual-ported data memory 22 may be accessed from the external stealth port 102. While the MEMCLK signal is shown to have a period of 400 nano-seconds (that is, a frequency of 2.5 MHz), it should be understood that other suitable periods and duty cycles may be provided in the appropriate application.
On the stealth port side of the stealth interface circuit 16, a set of suitable buffers is also provided to handle the transfer of address and data information. In this regard, buffer block 110 includes two 8-bit buffer circuits U1-U2, which receive address information from the external stealth port 102. Similarly, buffer block 112 includes two 8-bit buffer circuits U4-U5, which are capable of transmitting and receiving data information between the dual-ported data memory 22 and the stealth port 102.
Additionally, the stealth interface circuit 16 includes an arbitration circuit 114 which receives bus request signals from external entities on the stealth port 102. As shown in Figure 5B, the present embodiment provides four individual channel lines for the incoming bus request signals "/BR1../BR4". Thus, the stealth interface circuit 16 enables up to four different external entities to be connected to the stealth port 102. The arbitration circuit 114 is shown in Figure 4B to comprise a four input asynchronous bus arbiter circuit U9 which will grant bus access to the first bus request signal received. In this regard, a specific bus grant signal "/BG1../BG4" will ultimately be generated to inform the particular external entity who won the bus that the memory is ready for its use. The arbitration circuit 114 also has an internal AND gate which will produce the any-bus-request signal "/ANY_BR" shown in the timing diagram of Figure 5A.
The stealth interface circuit 16 further includes a stealth port control circuit 116, which is used to control access to the dual-ported data memory 22. The control circuit 116 is shown in Figures 4A-4B to comprise a PAL circuit U16, a timer circuit U10 and a set of tri-state buffers which are contained in chip U8. In the case of memory access for the internal process control computer bus 100, the PAL circuit U16 will transmit the chip select signal "/CS" to the buffers 104 and 106 to latch or capture address and data information from the internal bus. The PAL circuit U16 will also send the enable memory read signal "/B_EMR" to the buffer 106 when the process control computer 12 needs to latch or capture data from the data bus 118 of the stealth interface circuit 16. In this regard, the PAL circuit U16 is responsive to both the MEMCLK signal and the central processing unit clock signal "CP" of the process control computer 12.
In the case of memory access from the external stealth port 102, the PAL circuit U16 will transmit the enable signal "/SP_EN" to the buffers 110 and 112 to latch or capture address and data information from the external bus. The PAL circuit U16 will also send the enable memory read signal "SR/W" to the buffer 112 when an external entity is permitted to latch or capture data from the data bus 118 of the stealth interface circuit 16. The SR/W signal is received at the stealth port bus 102, and it provides an indication from the external entity of the direction of data flow desired. In this particular embodiment, the SR/W signal is active High for a read cycle and active Low for a write cycle. The SR/W signal is common to all four potential external users, and it should be held in a tri-state until the external user winning the bus receives its active low /BR signal.
The PAL U16 also transmits the SR/W signal to the check point guardian circuit 120 (PAL circuit U13) to initiate an evaluation to be made on the address of the dual-ported data memory 22 selected by the external entity for a write operation. In this regard, the guardian circuit 120 is programmed to inhibit the transition needed in the chip enable signal "/CE" for accessing the dual-ported data memory chips U11-U14, whenever the address is outside of the mailbox section 26.
With respect to the sequence of operation for the stealth interface circuit 16, it should be appreciated that a memory read/write cycle from the stealth port 102 must be initiated by the external entity seeking to access the dual-ported data memory 22. This cycle is begun with the transmission of a bus request signal /BR from the external entity, such as front end computer 18a. Upon the receipt of any bus request signals, the arbitrator circuit 114 will transmit an active low any-bus-request signal /ANY_BR to the PAL circuit U16.
The any-bus-request signal is directed to an internal flip-flop of the PAL circuit U16, which operates under the clock signal CP. Accordingly, the any-bus-request signal needs to be present before the clocking edge of the clock signal CP in order for stealth port access to occur when MEMCLK goes High, as shown in the timing diagram of Figure 5A. If the latched any-bus-request signal is active, the stealth interface circuit 16 will begin a stealth port memory cycle. Otherwise, the stealth interface circuit 16 will not initiate a stealth port memory cycle until the next MEMCLK signal period.
When a stealth port memory cycle occurs, the /SP_EN signal is generated from the PAL circuit U16. As indicated above, this signal will enable the address and data buffers on the stealth port. The /SP_EN signal will also enable the arbitration circuit 114, which issues a specific bus grant signal /BG for the external user which wins the bus. Once the external entity detects its bus grant signal, then it may transmit either the memory address it seeks to read or the address and data necessary for a write operation. The chip enable signal /CE is delayed by the PAL circuit U13 to allow for the delay introduced from the address buffer 110, as the address needs to be stable before the RAM chips U11-U14 are actually accessed.
For a stealth port read cycle, the data placed on the data bus 118 will become stable approximately 45ns after /CE becomes active. In this regard, it should be noted that symbols such as "TCE" in the timing diagram of Figure 5B indicate the appropriate delay time duration. A read latch signal RDLATCH directed to the PAL circuit U16 may then be used by the external entity to either latch the data into the buffer 112 or indicate that data is available. For a stealth port write cycle, the address lines on the address bus 122 will be monitored by the guardian circuit 120 to ultimately permit or deny write access to the stealth port 102. When write access is denied, the guardian circuit will not generate the active Low chip enable signal /CE, and thereby restrict an external entity on the stealth port 102 from writing to the particular address location in the dual-ported data memory 22 that it has selected. In this event, the guardian circuit 120 will also generate a write address valid signal "WR_AD_VAL", which is transmitted to the PAL circuit U16 of the control circuit 116. The PAL circuit U16 will respond by generating a write address error signal "WR_AD_ERR" for transmission to the external entity. The write address error signal is active High and valid only during the current memory access cycle, and this signal is common to all external entities.
For stealth port accesses to valid write addresses, the guardian circuit 120 will activate the /CE signal. Additionally, the SR/W signal from the external entity should become active when the bus grant signal /BG is Low. The PAL U16 will also cause the write enable signal /WE for the RAM chips U11-U14 of the dual-ported data memory 22 to become active, and the rising edge of the /WE signal is used to write data into these RAM chips.
The control circuit 116 also includes a timer circuit U10, which will generate a CLEAR signal approximately 150ns after one of the bus grant signals /BG becomes active. The CLEAR signal is used to cause the tri-state buffers in buffer chip U8 to generate individual bus grant clear signals "BG1_CLR..BG4_CLR" to each external user. The CLEAR signal is also used to clear the stealth port memory cycle by deactivating the stealth port enable signal /SP_EN.

Referring to Figures 6A-6E, a set of flow charts is shown to further illustrate various aspects of the security and validation methods discussed above. In this regard, Figure 6A shows the part of the boot up procedure of the front end computer 18 which is directed to a search for the security server 68. Then, once the security server has properly identified itself to the front end computer 18, Figure 6B shows the procedure for transferring the security table (for example, security table S1). Thereafter, Figure 6C shows the procedure for establishing a time limited communication contract with each of the operator stations identified in the security table as having write command ability. Finally, Figures 6D-6E combine to illustrate the procedure for validating a write command message sent from an operator station (for example, operator station 72).
Turning first to Figure 6A, block 200 indicates that the front end computer "FEC" sends a broadcast message over the computer network 20 to request that the security server 68 identify itself to this front end computer. This message preferably utilizes the Ethernet protocol for security messages. The content of this broadcast network message is generally shown in block 202. In this regard, the network message includes a destination address "FF-FF-FF-FF-FF-FF" which will cause the message to be sent to every entity that is operatively coupled to the PAN-1 and PAN-2 segments of the computer network 20. The network message also includes the source address of the front end computer. The network message also includes a type indication, namely "REQUEST SECURITY SERVER". In the data portion of the network message, the CPU identification is given for the process control computer 12 to which the front end computer 18 is connected. Additionally, and importantly, the data portion of the network message also includes an unpredictable key, such as a 32 bit random number. As discussed above, this random key is used to verify the identity of the security server 68.
Block 204 shows that the security server 68 will check all of the information in the broadcast network message, such as the physical Ethernet address of the front end computer and the CPU ID of its process control computer 12. Assuming that this information corresponds to the information stored in the security server for this front end computer, an acknowledgement message 206 will be sent back to the physical Ethernet address of the front end computer. In order to enable the front end computer to verify the identity of the security server 68, the acknowledgement message 206 includes a transformation of the random key sent from the front end computer 18. As indicated above, this transformation is performed with an encryption algorithm which is unique to messages from the security server 68.
Diamond 208 shows that the front end computer 18 will wait a predetermined amount of time to receive the acknowledgement message. If the acknowledgement message is not received within this timeout period, then the front end computer will use the last security table stored in its memory, or the default security table if this is the first time the front end computer 18 is being brought into operation (block 210). However, if the acknowledgement message 206 is received in time, then the front end computer 18 will check its random key against the transformed version of the key which was contained in the acknowledgement message (block 212). As indicated above, this comparison may be accomplished by either performing a transformation on the random key using the encryption algorithm for security messages or using a corresponding decryption algorithm. If the transformed key matches the expected key number (diamond 214), then the front end computer 18 will proceed to the procedure shown in Figure 6B for transferring a copy of the current security table from the security server 68 (block 216). Otherwise, the front end computer will exit this portion of the boot up procedure and stop accumulating further network communication capability (block 218). In one form of the present invention, the front end computer 18 may be permitted to conduct network communications at this point, but not process any write command messages received from an entity on the computer network 20, until such time as a security table is successfully transferred to the front end computer.
Turning now to Figure 6B, block 220 shows that the front end computer 18 starts the procedure for transferring a copy of the security table by sending a request message to the specific (logical or physical) Ethernet address of the security server 68. This physical Ethernet address is the address learned and stored through the boot up procedure discussed above in connection with Figure 6A. Block 222 indicates that this request message includes an identification of the CPU ID for the process control computer being serviced by the front end computer 18. Additionally, the front end computer 18 will also inform the security server 68 as to whether this CPU ID is for the Left process control computer 12a or the Right process control computer 12b through the Mode data (for example, ML for the Left process control computer).
Once the security server receives this request message, it will check the data contained in the message, and build a control message for the front end computer 18 (block 224). As shown in block 226, this control message will inform the front end computer 18 how many bytes are contained in the security table for the process control computer identified in the request message. The front end computer 18 will respond with an acknowledgement message that will contain a new random key (blocks 228-230). The security server will then transmit the security table (for example, security table S1 for the Left process control computer 12a) with the transformed random key (blocks 232-234). The front end computer 18 will then determine if the transformed key matches the expected key (diamond 236). If the keys do not match, then the front end computer 18 will use the old or existing security table stored in its memory (block 238). Otherwise, the front end computer 18 will store the new security table for use, and send an acknowledgement message back to the security server (blocks 240-244). While the front end computer 18 could also be provided with the editing capability to create its own security table, it is preferred that a separate network security server be employed in order that the front end computer be dedicated to the functions identified above.
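The Figure 6A and 6B exchange between a front end computer and the security server, as an added example that is not part of the patent: the message field names, the Ethernet addresses, the registry layout, and the keyed MAC standing in for the unspecified security-message encryption algorithm are constructed assumptions, and the control message and table transmission of blocks 224-234 are collapsed into a single reply.

```python
import hmac
import hashlib
import secrets

BROADCAST = "FF-FF-FF-FF-FF-FF"
SECURITY_KEY = b"constructed-security-server-key"  # assumed; held only by the server and the FECs


def transform(number: int) -> bytes:
    # Stands in for the "encryption algorithm unique to messages from the
    # security server"; a keyed MAC over the 32-bit random number is one choice.
    return hmac.new(SECURITY_KEY, number.to_bytes(4, "big"), hashlib.sha256).digest()[:8]


class SecurityServer:
    def __init__(self, registry):
        # registry: FEC Ethernet address -> (CPU ID, mode, security table bytes)
        self.registry = registry

    def handle_broadcast(self, msg):
        """Block 204: answer only a known FEC whose CPU ID matches the registry."""
        if msg["type"] != "REQUEST SECURITY SERVER" or msg["dst"] != BROADCAST:
            return None
        entry = self.registry.get(msg["src"])
        if entry is None or entry[0] != msg["cpu_id"]:
            return None                        # unknown FEC or wrong CPU ID: no ack
        return {"dst": msg["src"], "type": "ACK SECURITY SERVER",
                "key_tag": transform(msg["key"])}

    def handle_transfer_request(self, req):
        """Blocks 224-234: byte count, the table, and the transformed new key."""
        entry = self.registry.get(req["src"])
        if entry is None or entry[0] != req["cpu_id"] or entry[1] != req["mode"]:
            return None
        table = entry[2]
        return {"byte_count": len(table), "table": table, "key_tag": transform(req["key"])}


class FrontEndComputer:
    def __init__(self, mac, cpu_id, mode, default_table):
        self.mac, self.cpu_id, self.mode = mac, cpu_id, mode
        self.security_table = default_table    # block 210: last/default table until verified
        self.server_mac = None
        self.pending_key = None

    def broadcast_request(self):
        """Blocks 200-202: a fresh 32-bit random key in every request."""
        self.pending_key = secrets.randbits(32)
        return {"dst": BROADCAST, "src": self.mac, "type": "REQUEST SECURITY SERVER",
                "cpu_id": self.cpu_id, "key": self.pending_key}

    def check_ack(self, ack, server_mac):
        """Blocks 208-218: trust the server only if it transformed our key."""
        if ack is None:
            return "USE_STORED_TABLE"          # timeout: keep last or default table
        if not hmac.compare_digest(ack["key_tag"], transform(self.pending_key)):
            return "STOP"                      # block 218: no further capability
        self.server_mac = server_mac           # learned address used in Figure 6B
        return "TRANSFER"

    def transfer_request(self):
        """Blocks 220-230: addressed to the learned server, with a new random key."""
        self.pending_key = secrets.randbits(32)
        return {"dst": self.server_mac, "src": self.mac, "cpu_id": self.cpu_id,
                "mode": self.mode, "key": self.pending_key}

    def receive_table(self, reply):
        """Blocks 236-244: store the table only if the transformed key matches."""
        if reply is None:
            return "USE_OLD_TABLE"
        if reply["byte_count"] != len(reply["table"]) or \
           not hmac.compare_digest(reply["key_tag"], transform(self.pending_key)):
            return "USE_OLD_TABLE"             # block 238
        self.security_table = reply["table"]   # block 240
        return "TABLE_STORED"


def boot(fec, server, server_mac):
    """Run Figure 6A and then 6B against one responder; returns the outcome."""
    ack = server.handle_broadcast(fec.broadcast_request())
    outcome = fec.check_ack(ack, server_mac)
    if outcome != "TRANSFER":
        return outcome
    return fec.receive_table(server.handle_transfer_request(fec.transfer_request()))


class UnkeyedResponder(SecurityServer):
    """Constructed: a host that answers the broadcast without SECURITY_KEY, to show
    that the FEC stops at block 218 instead of taking a table from it."""
    def handle_broadcast(self, msg):
        return {"dst": msg["src"], "type": "ACK SECURITY SERVER", "key_tag": b"\0" * 8}
```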
Referring to Figure 6C, the procedure for establishing a time limited communication contract is shown. The front end computer 18 begins by creating a new watch-dog key, which is represented by a 32 bit random number (block 246). The front end computer 18 will then send a watch-dog message in turn to the physical Ethernet address of each of the operator stations (identified in the security table as having write command message capability). In this regard, it should be appreciated that these are individual watch-dog messages which include a new watch-dog key for each message (block 248). Each operator station which receives such a watch-dog message will respond with a watch-dog reply message that includes a transformation of the watch-dog key (blocks 250-252).
Since n is possible that an operator station may not currently be m communication with the computer network 20, the front end computer 18 mll preferably wait 0 for a suitable umeout perioa for a reply, such as ten seconds (diamond 254).
If the operator station noes not reply to the watch-dog request message 248 within this nmeout period, the front ena computer 18 will make aaait~onal attempts to make contact (diamond 256 and block 258). If a reply is not received from this operator station after all of these attempts, then the front end computer 18 mil disable the write command apiiity of this particular operator sta2on ~ (block 260). However, it shouio be appreaatea that this write commana ability may suosequentiy be re-established, sucn as wnen an upaatea security table is transferred to the front end computer 18. In this regara, n should be noted that the security server 63 may nmate the security table transfer procedure discussed above through a suitable network message to the front end computer 18.
0 In the event that the operator station does reply to the watch-dog request message, then the front end computer 18 will determine wnether the transformed watch-dog key contained in the reply message matches the expected key number (diamond 262). If a match is not found through this comparison (as discussed above), then the front end computer 18 will ignore the reply message (264). At this point, the front end computer 78 could again S attempt to establish a time iimneo communication contract with this operator station or disable its write command abilities. in the event that a match was round, then the front end computer 18 will cony the oremous, valid watch-dog key of this operator station from the current key position to the old key position (block 266). Then, the front end computer 18 will save the transformed watch-dog key received in the reply message in the current key position.
30 As will be aiscussed below, the current and old keys are used to evamate the validity of write command messages from the operator station during the period in which a time limited communication contract is in force. in this regard, it should be understood that the procedure shown in Figure 6C is reoeatea for earn of the operator stations with write command privileges before the time limited communication contract expires in oraer to maintain a continuous s5 ability or the operator stations to nave their write commana messages processed by the front end computer 18.
Referring to Figures 6D-6E, these figures combine to illustrate the procedure for validating a write command message sent from an operator station (for example, operator station 72) to the front end computer 18. This procedure begins with an operator station sending a write command message to the front end computer 18 (block 268). This message preferably utilizes the standard Ethernet protocol for communication between the front end computer 18 and other entities on the computer network 20. In this regard, the write command message will include not only the variable(s) sought to be changed, but also the watch-dog key from the time limited communication contract, the CPU identification of the recipient process control computer, and the program version identification of this process control computer 12. The front end computer 18 will then perform several checks on this write command message. For example, the front end computer 18 will examine the security table to determine if it has an entry for this particular operator station (diamond 270). If this operator station was not found in the security table, then the front end computer will return the write command message to the operator station and create a stored log of this error (block 272).
Assuming that the operator station was identified in the security table, then the front end computer will check the security table to determine if the write command bit was set for this operator station (diamond 274). At this point, it should be understood that the security table contains not only the Ethernet address of every valid entity on the computer network 20 who can communicate with the front end computer, but also an indication of whether these entities have write command privileges. The security table may contain additional information pertaining to each of these entities, such as a CPU identification and whether or not these entities may request specific types of information from the process control computer, such as alarm messages. If the security table does not have the bit set to indicate write command privileges, then the front end computer will return the write command message to the operator station (or other source entity), and log this error (block 276).
In the event that the operator station does have write command privileges, then the front end computer will determine whether or not the watch-dog key (contained in the write command message) matches either the current or old watch-dog keys (diamond 278). If a match is not found, then the front end computer will return an invalid watch-dog message to the operator station (block 280). If a match was found, then the front end computer will preferably check to see if the program version identification contained in the write command message matches the program version identification stored in the front end computer for the recipient process control computer 12 (diamond 282). If these program version identifications do not match, then the front end computer will return an invalid program version message to the operator station (block 284).
The front end computer 18 will also check to see if the write command message contains an indication that the permissive table for the recipient process control computer should be bypassed (diamond 286). The ability to bypass the permissive table may be considered a special privilege which should require the use of a password or physical key which is assigned to the operator with this privilege. If the bypass bit was set in the write command message, then the front end computer will still preferably check the permissive table (for example, permissive table 80a) to determine if a bypass is permitted for the specific permissive table or table section that would otherwise be addressed (diamond 288). If a bypass of this permissive table is not permitted, then the front end computer will return a message to the operator station to indicate that no write access is available in this way (block 290). If a bypass of the permissive table is permitted, then the front end computer will transmit the write command message to the recipient process control computer with a transformed version of the program version identification stored in the permissive table of the front end computer (block 292). The recipient process control computer 12 may then determine whether this transformed program version identification matches the program version identification of its operating program before deciding to change the variable(s) listed in the write command message.
In the event that the write command message does not have the bypass bit set, then the front end computer 18 will examine the permissive table to determine if the variable(s) to be changed have their write command bit set (diamond 294). If the write command bit is not set for any one of these variables, then the front end computer will return a no write access message to the operator station (block 296). Otherwise, if the front end computer determines that the write command message is acceptable, then it will transmit the message to the recipient process control computer as discussed above (block 292).
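The following is an added example, not code from the patent, modelling both the time limited communication contract of Figure 6C (key rotation from the current to the old position) and the write command checks of Figures 6D-6E in the order the text gives them. The key transformation, the message layout, the result names and the handling of an unknown CPU identification are assumptions; the patent defines none of them.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional


def transform_key(key: int) -> int:
    """Assumed key transformation: the patent only requires that the reply carry
    a transformation of the 32 bit watch-dog key that both sides can compute."""
    return (~key) & 0xFFFFFFFF


@dataclass
class StationEntry:
    """One security table row (constructed field set; the Ethernet address is the dict key)."""
    cpu_id: int
    write_enabled: bool                 # the write command bit (diamond 274)
    current_key: Optional[int] = None   # latest valid transformed key (block 266)
    old_key: Optional[int] = None       # previous valid key, still accepted (diamond 278)


@dataclass
class PermissiveTable:
    """Per-CPU permissive table: program version, writable variables, bypass rule (assumed shape)."""
    program_version: int
    writable: frozenset
    bypass_allowed: bool


@dataclass
class FrontEnd:
    security_table: dict                        # Ethernet address -> StationEntry
    permissive_tables: dict                     # CPU id -> PermissiveTable
    pending: dict = field(default_factory=dict) # address -> watch-dog key awaiting reply
    log: list = field(default_factory=list)     # stored error log

    # ---- Figure 6C: time limited communication contract ----
    def send_watchdog(self, address: str) -> int:
        """Blocks 246-248: a fresh 32 bit random key for every message to every station."""
        key = secrets.randbits(32)
        self.pending[address] = key
        return key

    def handle_watchdog_reply(self, address: str, transformed: int) -> bool:
        """Diamond 262 and block 266: accept only the expected transformation, then rotate keys."""
        expected = self.pending.pop(address, None)
        entry = self.security_table.get(address)
        if entry is None or expected is None or transformed != transform_key(expected):
            self.log.append(f"ignored watch-dog reply from {address}")   # block 264
            return False
        entry.old_key = entry.current_key
        entry.current_key = transformed
        return True

    def watchdog_timeout(self, address: str) -> None:
        """Block 260: no reply after all retries disables the station's write ability."""
        self.pending.pop(address, None)
        entry = self.security_table.get(address)
        if entry is not None:
            entry.write_enabled = False

    # ---- Figures 6D-6E: write command validation ----
    def validate_write(self, address: str, msg: dict) -> str:
        entry = self.security_table.get(address)
        if entry is None:                                          # diamond 270
            self.log.append(f"write command from unknown station {address}")
            return "RETURNED_UNKNOWN_STATION"                      # block 272
        if not entry.write_enabled:                                # diamond 274
            self.log.append(f"write command without privilege from {address}")
            return "RETURNED_NO_WRITE_PRIVILEGE"                   # block 276
        valid_keys = {k for k in (entry.current_key, entry.old_key) if k is not None}
        if msg["watchdog_key"] not in valid_keys:                  # diamond 278
            return "INVALID_WATCHDOG"                              # block 280
        table = self.permissive_tables.get(msg["cpu_id"])
        if table is None:               # assumption: unknown CPU id gets no write access
            return "NO_WRITE_ACCESS"
        if msg["program_version"] != table.program_version:        # diamond 282
            return "INVALID_PROGRAM_VERSION"                       # block 284
        if msg.get("bypass", False):                               # diamond 286
            # diamond 288: bypass only where the permissive table permits it
            return "FORWARDED" if table.bypass_allowed else "NO_WRITE_ACCESS"
        if not set(msg["variables"]) <= table.writable:            # diamond 294
            return "NO_WRITE_ACCESS"                               # block 296
        return "FORWARDED"                                         # block 292
```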
Referring to Figure 7, a block diagram of the application software 300 for the front end computer 18 is shown. In this regard, Figure 7 shows the interaction of the application software with the Q-bus 302 of the front end computer 18 and with the Ethernet services 304 for the computer network 20. Thus, for example, a bi-directional line is provided between the Q-bus 302 and the IFQ driver 308. The IFQ driver 308 represents the device driver software for controlling the communication with the CPU of the front end computer 18. The IFQ driver 308 is coupled to the "MI Sync" subsystem 310 through a data store event 312. In this regard, the MI Sync subsystem receives notification of DMA completions from the IFQ driver 308, such as when the SDSS data from one of the process control computers 12a-12b has been completely received in the appropriate interim buffer (for example, interim buffer 46a or 48b).
The reflective memories 46a-56a from Figure 1 are shown in Figure 7 as reflective memories 314. Figure 7 also illustrates that the reflective memories 314 are operatively coupled to the Q-bus 302 of the front end computer 18.
The MI Sync subsystem 310 represents that portion of the application software 300 which is responsible for synchronizing the incoming SDSS and DSS data frames from each of the process control computers 12a-12b through the operation of the reflective memories 314, as discussed above. The MI Sync subsystem also notifies the "MI MOD Health" module 316 and "System Messages" module 318 when a data frame is available for processing.
Additionally, the MI Sync subsystem 310 is also used to detect whether or not reflective memory updates are not occurring, such as when one of the process control computers has stopped sending data to the front end computer 18. This procedure is implemented through the "MOD Status" module 320 and the "MI Watchdog" module 322. The MI Watchdog module 322 uses a two-second timer to detect if the front end computer 18 has stopped receiving data from either of the process control computers 12a-12b.
The MI MOD Health module 316 processes health bit changes in the data being received by the front end computer 18 from the process control computers 12a-12b. In this regard, the MI MOD Health module 316 sends these changes to the "EVT Event Handler" module 324. Similarly, the MI System Messages module 318 processes incoming system messages from the process control computers, and it queues any requests to the EVT Event Handler module 324. The EVT Event Handler module 324 processes event buffers, formats text for output to the "Print Services" module 326, and records errors and other events in an event log.
The reflective memories 314 are coupled to the "MI CISS Memory Read" module 328, which performs read operations on the reflective memories. In this regard, the MI CISS Memory Read module 328 formats query responses into the standard Ethernet protocol for transferring data/messages, and directs the response to the requesting network entity via port 330. The "NI CISS" module 332 receives incoming query requests from a network entity using the standard protocol for transferring data/messages. The NI CISS module 332 performs an initial security check on the message, and routes the request to the appropriate process as determined by the message type. For example, the NI CISS module 332 will route a read data message to the MI CISS Memory Read module 328. Additionally, the NI CISS module 332 will route program download requests to the "MI Download Handler" module 334. Other request messages will be routed to the "MI Message Services" module 334.
The application software 300 also includes modules which facilitate communication with a User Interface. In this regard, the User Interface is used to provide a window into the operation of the front end computer 18, as opposed to an interface to one of the process control computers 12a-12b. The User Interface software may be accessed "locally" through a terminal connected directly to the front end computer 18. The User Interface software may also be accessed "remotely" through an application that could be run from the security server 68. The User Interface is used to disable or re-enable network communications for a specific protocol, perform diagnostic functions, re-boot the front end computer 18, monitor reflective memory updates, monitor network activity, and otherwise manage access to privileged front end computer functions.
The application software modules that handle User Interface requests are the "NI Remote User" module 338, the "UI Local" module 340 and the "UI Services" module 342. The NI Remote User module 338 receives all messages having the protocol for User Interface communications, and it forwards valid requests to the UI Services module 342. The UI Services module 342 provides a data server for both local and remote user requests. The UI Local module 340 handles the local user interface display screens in order to display responses on the local terminal.
The application software 300 also includes an "NI Transmit Done" module 344, which receives notification of Ethernet-write completions and maintains a free queue of network interface transmit message buffers. Additionally, an "EVT File Maint" module 346 is used to delete aged event log files. Furthermore, an "NI Watchdog" module 348 and an "NI SCSP" module 350 implement the watchdog security process discussed above. In this regard, the NI Watchdog module 348 sends watchdog request messages to the operator stations, and the NI SCSP module 350 processes the reply messages (as well as all other network messages using the security protocol). The NI Watchdog module 348 also checks to see if reply messages were received to each of the watchdog request messages.
Other than watchdog reply messages, the NI SCSP module 350 forwards all other security protocol messages to the "CFG Config Manager" module 352. The CFG Config Manager module 352 processes the security requests and performs the initial loading of the permissive tables 80a-82a. The CFG Config Manager module 352 also performs the loading of a memory map to be discussed below in connection with Figure 8. The application software 300 also includes a "MIF Master Process" module 354, which performs the basic initialization routines to create all of the other front end computer processes. The MIF Master Process module 354 is also used to detect an unexpected termination of any of these processes.
Referring to Figure 8, a diagrammatic illustration of the configuration for the front end computer 18a is shown. Specifically, Figure 8 illustrates that the CFG Config Manager module 352 interacts with the security server 68 and the download assistant 78 to obtain the information necessary to configure the front end computer 18a on boot up. In this regard, the CFG Config Manager module 352 is responsive to requests from the MIF Master Process module 354 to perform these configuration activities. In other words, the CFG Config Manager module 352 will locate the security server 68 through the broadcast network message (as described above) and load the security table S1 which is ultimately received from the security server.
Additionally, the CFG Config Manager module 352 will also load both of the permissive tables 80a-82a from the download assistant 78. The CFG Config Manager module 352 also receives a memory map for each of the process control computers 12a-12b, such as the memory map 356 shown in Figure 8. The memory maps are used to enable the front end computer 18a to build the transfer tables (for example, transfer table 37) and interpret the data received in each of the reflective memory buffers 314. In other words, each of the memory maps identifies the data which is stored in each addressable location of the dual-ported data memory 22 for each of the process control computers 12a-12b. As part of this process, the memory map divides the dual-ported data memory 22 of the process control computer 12 into logical segments. The first set of segments are used for SDSS data values, while the DSS data values include the SDSS memory segments, as well as additional segments.

As discussed above, the MI Sync subsystem 310 is responsible for grouping the DMA completion events relative to the transfer of SDSS and DSS data for both process control computers 12a-12b into a cohesive pair of data tables that represent data for a given process control cycle snap-shot. For purposes of this discussion these DMA completion events will be referred to as the Left SDSS buffer, the Right SDSS buffer, the Left DSS buffer and the Right DSS buffer. The exact order in which these data buffers are received may vary, but the SDSS buffers will precede the DSS buffers.
The MI Sync subsystem 310 is responsive to the above identified DMA events. In this regard, the MI Sync subsystem 310 will wait for the completion of a DMA event, and then check the status to determine the type of buffer received. If the buffer received is an SDSS buffer and the front end computer 18 has already received a corresponding DSS buffer, then final completion processing will be performed. Likewise, if the buffer for this type has already been received, final completion processing will be performed. If the buffer received is not the first buffer, then the MI Sync subsystem 310 will check the time difference between the current time and the time at which the first buffer was received. If this difference exceeds a predetermined tolerance, such as 0.7 seconds, then the steps for final completion processing will be performed. If this is the first buffer (for example, the Left SDSS buffer), then the time that this buffer was received will be recorded. If this buffer was not expected at this point, then its status will be changed to expected. The pointer to this buffer will also be recorded, and the buffer will be marked as received.
The MI Sync subsystem 310 will also check to see if all expected buffers have been received (for example, the Left/Right SDSS and Left/Right DSS buffers). If all the expected buffers have been received, then final completion processing will be performed.
During final completion processing, the buffer pointers for the received buffers will be copied to a system data structure which will allow other applications to access this data. This procedure is protected by a mutual exclusion semaphore, which is referred to as the "mutex". Additionally, the error counters will be zeroed for all received buffers. If any expected buffers were not received, the associated error counters will be incremented. If the error counters exceed the allowed threshold, then the affected buffers will be marked as not expected. Then all buffers will be marked as not received in order to set up the processing for the next set of buffers. Applications that access the memory buffers received may then copy the buffer pointers out of the shared system data structure for use.
In order to more fully illustrate the operation of the MI Sync subsystem 310, a module synopsis and the pseudo-code for this software will be presented below. Additionally, the data structures for the reflective memory buffers 314 will also be set forth to assist the interpretation of the pseudo-code. The data structures are contained in Tables 1-3, the module synopsis is contained in Table 4, and the pseudo-code follows immediately thereafter.

TABLE 1: Reflective Memory Data Structures
Data Structure: MI_RM_DATA

Data Item          Data Format   Description
RM_MUTEX           Mutex         Mutex used to protect this data structure.
RM_STATUS          Word          Indicates current reflective memory status.
LEFT_SDSS_PTR      Pointer       Pointer to current left SDSS reflective memory buffer.
RIGHT_SDSS_PTR     Pointer       Pointer to current right SDSS reflective memory buffer.
LEFT_DSS_PTR       Pointer       Pointer to current left DSS reflective memory buffer.
RIGHT_DSS_PTR      Pointer       Pointer to current right DSS reflective memory buffer.
FOX_DSS_PTR        Pointer       Pointer to current fox DSS reflective memory buffer.
DOG_DSS_PTR        Pointer       Pointer to current dog DSS reflective memory buffer.
FOX_MAP_PTR        Pointer       Pointer to current memory map (left or right) for the current fox buffer.
DOG_MAP_PTR        Pointer       Pointer to current memory map (left or right) for the current dog buffer.
FOX_SIDE           Longword      Indicates the channel that is the fox. 0 = left, 1 = right, -1 = undefined.
DOG_SIDE           Longword      Indicates the channel that is the dog. 0 = left, 1 = right, -1 = undefined.
LEFT_INFO_BYTE     Byte          Info byte for outbound CISS requests satisfied from the left buffer. Includes fox/dog status.
RIGHT_INFO_BYTE    Byte          Info byte for outbound CISS requests satisfied from the right buffer. Includes fox/dog status.
FOX_INFO_BYTE      Byte          Info byte for outbound CISS requests satisfied from the fox buffer. Includes left/right status.
DOG_INFO_BYTE      Byte          Info byte for outbound CISS requests satisfied from the dog buffer. Includes left/right status.
TABLE 2: Reflective Memory Data Structures
Data Structure: MI_RMBMS[4] - Structure Array
NOTE: The Reflective Memory Buffer Management Structure (MI_RMBMS) array consists of four MI_RMB_STATUS_TYPE (defined below) data structures. Each RMBMS entry is used to keep track of a specific reflective memory type (left/right SDSS and DSS). Symbolic indices are defined to access this array: MI_RM_L_SDSS, MI_RM_R_SDSS, MI_RM_L_DSS, and MI_RM_R_DSS.

Data Item            Data Format        Description
LAST_RECEIVED        Time               Specifies the time of receipt of the last buffer for this type.
DMA_EVENT            Object Variable    Contains the VAXELN object ID for the event signaled by IFQ Driver when a DMA completion for this type of memory buffer completes.
ENABLE_EVENT         Object Variable    Contains the VAXELN object ID for the event signaled by calling MI_ENABLE_STROBES to tell MI Sync that strobes have been enabled.
DISABLE_EVENT        Object Variable    Contains the VAXELN object ID for the event signaled by calling MI_DISABLE_STROBES to tell MI Sync that strobes have been disabled.
PEND_BUFF_PTR        Pointer            Contains a pointer to the DMA buffer received for this memory type in the current time window. Reset to null by MI Sync upon copying pointers to MI_RM_DATA.
RMB_STS              Longword           Longword bit masks indicating the status of this reflective memory buffer. The individual bit fields are listed below.
RMB_STS_V_EXPECTED   Bit                Bit in RMB_STS that indicates that the associated strobe for this reflective memory type is enabled, thus indicating that DMA completions are expected.
RMB_STS_V_RECEIVED   Bit                Bit in RMB_STS used by MI Sync to indicate that a DMA completion for this reflective memory type has occurred in the current DMA time window. Cleared whenever a complete set of buffers has been received, and then set for each individual buffer type as it is received.
RMB_STS_V_DSS_BUFF   Bit                Indicates if the reflective buffer type in question is either for the left or right DSS reflective memory buffer.
RMB_STS_V_ENABLE     Bit                Indicates if the associated strobe is enabled.
CONS_ERR_COUNT       Longword           Specifies the number of consecutive receive failures for this buffer type.
DMA_ERR_COUNT        Longword           Specifies the number of consecutive DMA completion failures for this buffer type.
ADSB                 Structure          Specifies the Asynchronous Data Status Block used by the driver to indicate DMA completion status. This structure is of the IFQ$_ADSB type and includes a status field and a buffer number field.
BUFFER_PTR           Pointer Array[8]   The BUFFER_PTR array holds the addresses of up to eight DMA buffers used for this reflective memory type, in the order the buffers were specified in the IFQ$_ENABLE_DSS or SDSS call. This array is subscripted by the buffer number field returned in the ADSB to retrieve the base address of the DMA buffer just received. The dimension of this array allows for the maximum number of DMA buffers supported by the IFQ driver.
BUFF_HIST_IDX        Longword           Index to the BUFF_HIST_PTR array. Indicates the most recently updated buffer.
BUFF_HIST_PTR        Pointer Array[8]   Circular buffer of most recently received DMA buffers. Indicates the buffers received in the last eight seconds. BUFF_HIST_IDX points to the most recent entry.
MOD_TASK             Longword           Indicates the PCC task state as indicated by the most recent reflective memory update. Valid only if RMB_STS_V_DSS_BUFF is set.
TABLE 3: Reflective Memory Data Structures
Data Structure: MI_RM_AUX

Data Item            Data Format        Description
LAST_DSS_L_PTR       Pointer            Pointer to most recent left DSS buffer. Set by MI Sync and used by MI Health Check and MI System Messages.
LAST_DSS_R_PTR       Pointer            Pointer to most recent right DSS buffer. Set by MI Sync and used by MI Health Check and MI System Messages.
WD_FLAG              Longword           Flag used by MI Sync and MI Watchdog to check for MI Sync activity.
DMA_BUFFER_COUNT     Longword           Specifies the number of DMA buffers currently in use. Copied from MIF_MP.NUM_DMA_BUFFERS on startup.
TIME_CHANGE          Event Object       Set when a time change occurs. Tells MI Sync to re-determine the time of the first DMA receipt.
SYSMSG_L_SEMA        Semaphore Object   Set by MI Sync to trigger MI System Messages to process left reflective memory.
SYSMSG_R_SEMA        Semaphore Object   Set by MI Sync to trigger MI System Messages to process right reflective memory.
HEALTH_L_SEMA        Semaphore Object   Set by MI Sync to trigger MI Health Check to process left reflective memory.
HEALTH_R_SEMA        Semaphore Object   Set by MI Sync to trigger MI Health Check to process right reflective memory.
TABLE 4: Module Synopsis for MI_SYNC_MAIN

ABSTRACT             Synchronizes receipt of incoming DMA buffers.
MODULE TYPE          Process mainline.
EVENTS/SEMAPHORES    MI_RMBMS(*).DMA_EVENT - The four (left/right DSS/SDSS) completion events signaled by the IFQ DMA Driver process on receipt of a new reflective memory buffer. Indices to the MI_RMBMS array are MI_RM_L_DSS, MI_RM_R_DSS, MI_RM_L_SDSS and MI_RM_R_SDSS.
                     MI_RMBMS(*).ENABLE_EVENT - The four (left/right DSS/SDSS) DMA enable events. These are signaled by MI_ENABLE_STROBES to notify MI Sync of changes in the receipt of SDSS and DSS DMA updates.
                     MI_RMBMS(*).DISABLE_EVENT - The four (left/right DSS/SDSS) DMA disable events. These are signaled by MI_DISABLE_STROBES to notify MI Sync of changes in the receipt of SDSS and DSS DMA updates.
                     MI_RM_AUX.HEALTH_L_SEMA - Signaled to tell MI MOD Health to process left health bits.
                     MI_RM_AUX.HEALTH_R_SEMA - Signaled to tell MI MOD Health to process right health bits.
                     MI_RM_AUX.SYSMSG_L_SEMA - Signaled to tell MI System Messages to process left system messages.
                     MI_RM_AUX.SYSMSG_R_SEMA - Signaled to tell MI System Messages to process right system messages.
OTHER INPUTS         MI_RMBMS(*).ADSB - Asynchronous Data Status Blocks for each of the four DMA completion events.
                     DSS data buffer - Accessed at offset MI_TASK_STATE_L or MI_TASK_STATE_R to determine FOX/DOG status.
OTHER OUTPUTS        MI_RM_DATA - Structure containing current reflective memory pointers.
                     MI_RM_AUX.WD_FLAG - Set to 1 to indicate receipt of data.
CALLED ROUTINES      KER$WAIT_ANY
                     KER$CLEAR_EVENT
                     KER$LOCK_MUTEX
                     KER$UNLOCK_MUTEX
CONDITION CODES      MIF_NORMAL
                     MIF_IFQ_ERROR
                     MIF_APP_ERROR
MI_SYNC_MAIN Pseudo-code

PROGRAM MI_SYNC_MAIN
    waiting_for_first_DMA = true
    REPEAT
        /* Issue the wait any for the four DMA completion events, the enable or disable of strobes, or time changes: */
        CALL KER$WAIT_ANY with MI_RMBMS[0].DMA_EVENT, MI_RMBMS[1].DMA_EVENT,
             MI_RMBMS[2].DMA_EVENT, MI_RMBMS[3].DMA_EVENT,
             MI_RMBMS[0].ENABLE_EVENT, MI_RMBMS[1].ENABLE_EVENT,
             MI_RMBMS[2].ENABLE_EVENT, MI_RMBMS[3].ENABLE_EVENT,
             MI_RMBMS[0].DISABLE_EVENT, MI_RMBMS[1].DISABLE_EVENT,
             MI_RMBMS[2].DISABLE_EVENT, MI_RMBMS[3].DISABLE_EVENT,
             MI_RM_AUX.TIME_CHANGE, and wait_result
        /* wait_result is 1-based: 1-4 DMA completions, 5-8 enables, 9-12 disables, 13 time change */
        RMBMS_idx = (wait_result - 1) MOD 4
        case_idx = (wait_result - 1) DIV 4
        CASE (case_idx)
            [0] Call DMA_Completion
            [1] Call Enable_DMA
            [2] Call Disable_DMA
            [3] Call Change_Time
        ENDCASE
        REPEAT for i = 0 to 3
            still_waiting = MI_RMBMS[i].RMB_STS_V_EXPECTED is set and RMB_STS_V_RECEIVED is clear
        UNTIL (still_waiting or final iteration)
        IF not still_waiting THEN
            /* We have a complete set of buffers; */
            Check MOD_TASK values for valid combination
            CALL update_pointers (MIF_NORMAL)
            waiting_for_first_DMA = true
        ENDIF
    UNTIL MIF shutdown required
    EXIT

SUBROUTINE DMA_Completion
    CALL KER$CLEAR_EVENT MI_RMBMS[RMBMS_idx].DMA_EVENT
    MI_RM_AUX.WD_FLAG = 1
    current_time = Current system time
    IF waiting_for_first_DMA
        first_dma_time = current_time
        waiting_for_first_DMA = false
    ELSE
        IF current_time - first_dma_time > MI_SYNC_TOLERANCE
            Log Error "Out of sync -- Did not receive required DMA"
            /* Check for excessive failures: */
            FOR i = 0 to 3
                IF MI_RMBMS[i].RMB_STS_V_EXPECTED is set and RMB_STS_V_RECEIVED is clear
                    MI_RMBMS[i].PEND_BUFF_PTR = null
                    Log Error "Failed to receive DMA for [DMA type]"
                    MI_RMBMS[i].RMB_CONS_ERRORS = RMB_CONS_ERRORS + 1
                    IF MI_RMBMS[i].RMB_CONS_ERRORS > tolerance THEN
                        Log Error "No longer expecting [DMA type] -- too many consecutive failures"
                        (broadcast error message)
                        Clear MI_RMBMS[i].RMB_STS_V_EXPECTED
                    ENDIF
                ENDIF
            ENDFOR
            /* Update pointers with available data: */
            CALL update_pointers (MIF_NO_SYNC)
            first_dma_time = current_time
            /* Fall through to use this buffer as the first buffer in the next set... */
        ENDIF
    ENDIF
    IF buffer type is SDSS and corresponding DSS received, then
        CALL update_pointers
    ENDIF
    WITH MI_RMBMS[RMBMS_idx]
        IF *.RMB_STS_V_RECEIVED is set
            Log Error ("Out of Sync -- DMA collision")
            CALL update_pointers (MIF_DMA_COLL)
            first_dma_time = current_time
            /* Fall through to use this buffer as the first in the next set... */
        ENDIF
        IF *.RMB_STS_V_EXPECTED is not set
            Log Error ("Unexpected DMA completion")
        ENDIF
        IF *.RMB_STS_V_DISABLED is set
            Log Error ("Received complete for disabled strobe")
            Return
        ENDIF
        /* Check DMA completion status in ADSB */
        IF error
            *.CONS_ERR_COUNT = *.CONS_ERR_COUNT + 1
            IF *.CONS_ERR_COUNT < 5 THEN
                Log Error ("DMA failure on channel")
            ELSE
                IF *.CONS_ERR_COUNT MOD 300 = 1
                    Log Error ("DMA still failing")
                ENDIF
            ENDIF
        ELSE
            *.CONS_ERR_COUNT = 0
        ENDIF
        rm_buffer_ptr = *.BUFFER_PTR[*.ADSB.buffer_number - 1]
        *.RECEIVED_DATE_TIME = current_time
        *.PEND_BUFF_PTR = rm_buffer_ptr
        *.RMB_STS_V_EXPECTED = true
        Set *.RMB_STS_V_RECEIVED
        IF *.RMB_STS_V_DSS_BUFF is set
            get mod_state using rm_buffer_ptr offset by *.RM_TASK_OFFSET
            *.MOD_TASK = mod_state
            IF RMBMS_idx = MI_RM_L_DSS
                MI_RM_AUX.LEFT_RM_PTR = rm_buffer_ptr
                Signal MI_RM_AUX.HEALTH_L_EVENT
                Signal MI_RM_AUX.SYSMSG_L_EVENT
            ELSE
                MI_RM_AUX.RIGHT_RM_PTR = rm_buffer_ptr
                Signal MI_RM_AUX.HEALTH_R_EVENT
                Signal MI_RM_AUX.SYSMSG_R_EVENT
            ENDIF
        ENDIF
    ENDWITH
    RETURN
END SUBROUTINE

SUBROUTINE DMA_ENABLE
    Clear MI_RMBMS[RMBMS_idx].DMA_ENABLE (KER$CLEAR_EVENT)
    MI_RMBMS[RMBMS_idx].RMB_STS_V_DISABLED = false
    MI_RMBMS[RMBMS_idx].RMB_STS_V_EXPECTED = true
    RETURN
END SUBROUTINE

SUBROUTINE DMA_DISABLE
    Clear MI_RMBMS[RMBMS_idx].DMA_DISABLE (KER$CLEAR_EVENT)
    MI_RMBMS[RMBMS_idx].RMB_STS_V_DISABLED = true
    MI_RMBMS[RMBMS_idx].RMB_STS_V_EXPECTED = false
    MI_RMBMS[RMBMS_idx].PEND_BUFF_PTR = null
    RETURN
END SUBROUTINE

SUBROUTINE TIME_CHANGE
    CALL KER$CLEAR_EVENT with MI_RM_AUX.TIME_CHANGE
    current_time = Current system time
    first_dma_time = current_time
    RETURN
END SUBROUTINE

SUBROUTINE update_pointers (state)
    Lock MI_RM_GLOBALS mutex
    MI_RM_DATA.RM_STATUS = state
    /* Copy the LEFT/RIGHT SDSS/DSS pointers: */
    MI_RM_DATA.LEFT_SDSS_PTR = MI_RMBMS[MI_SDSS_L_IDX].PEND_BUFF_PTR
    MI_RM_DATA.RIGHT_SDSS_PTR = MI_RMBMS[MI_SDSS_R_IDX].PEND_BUFF_PTR
    MI_RM_DATA.LEFT_DSS_PTR = MI_RMBMS[MI_DSS_L_IDX].PEND_BUFF_PTR
    MI_RM_DATA.RIGHT_DSS_PTR = MI_RMBMS[MI_DSS_R_IDX].PEND_BUFF_PTR
    /* Clear FOX/DOG pointers: */
    MI_RM_DATA.FOX_DSS_PTR = null
    MI_RM_DATA.DOG_DSS_PTR = null
    MI_RM_DATA.FOX_MAP_PTR = null
    MI_RM_DATA.DOG_MAP_PTR = null
    /* Mark the info byte as "not prime" until proven otherwise: */
    Clear MI_RM_DATA.RIGHT_INFO_BYTE prime bit /* bit 1 */
    Clear MI_RM_DATA.LEFT_INFO_BYTE prime bit
    /* Set fox side and dog side to "unknown" (-1): */
    MI_RM_DATA.FOX_SIDE = -1
    MI_RM_DATA.DOG_SIDE = -1
    /* Determine new FOX/DOG information: */
    IF MI_RMBMS[MI_DSS_L_IDX].MOD_STATUS = fox status or eagle status
        MI_RM_DATA.FOX_DSS_PTR = MI_RMBMS[MI_DSS_L_IDX].PEND_BUFF_PTR
        MI_RM_DATA.FOX_MAP_PTR = Addr (MEMORY_MAP_L_TABLE)
        Set MI_RM_DATA.FOX_INFO_BYTE left/right bit /* bit 0 */
        Set MI_RM_DATA.LEFT_INFO_BYTE prime bit /* bit 1 */
        MI_RM_DATA.FOX_SIDE = 0 /* Left */
        IF MI_RMBMS[MI_DSS_R_IDX].MOD_STATUS = dog status or "task B"
            MI_RM_DATA.DOG_DSS_PTR = MI_RMBMS[MI_DSS_R_IDX].PEND_BUFF_PTR
            /* the dog buffer is the right one here, so it takes the right memory map */
            MI_RM_DATA.DOG_MAP_PTR = Addr (MEMORY_MAP_R_TABLE)
            Clear MI_RM_DATA.DOG_INFO_BYTE left/right bit
            MI_RM_DATA.DOG_SIDE = 1 /* Right */
        ENDIF
    ELSE
        IF MI_RMBMS[MI_DSS_R_IDX].MOD_STATUS = fox status or eagle status
            MI_RM_DATA.FOX_DSS_PTR = MI_RMBMS[MI_DSS_R_IDX].PEND_BUFF_PTR
            MI_RM_DATA.FOX_MAP_PTR = Addr (MEMORY_MAP_R_TABLE)
            Clear MI_RM_DATA.FOX_INFO_BYTE left/right bit
            Set MI_RM_DATA.RIGHT_INFO_BYTE prime bit
            MI_RM_DATA.FOX_SIDE = 1 /* Right */
            IF MI_RMBMS[MI_DSS_L_IDX].MOD_STATUS = dog status or "task B"
                MI_RM_DATA.DOG_DSS_PTR = MI_RMBMS[MI_DSS_L_IDX].PEND_BUFF_PTR
                MI_RM_DATA.DOG_MAP_PTR = Addr (MEMORY_MAP_L_TABLE)
                Set MI_RM_DATA.DOG_INFO_BYTE left/right bit
                MI_RM_DATA.DOG_SIDE = 0 /* Left */
            ENDIF
        ENDIF
    ENDIF
    Release MI_RM_GLOBALS mutex
    /* Clear context: */
    FOR i = 0 to 3
        MI_RMBMS[i].PEND_BUFF_PTR = null
        Clear MI_RMBMS[i].RMB_STS_V_RECEIVED
    ENDFOR
END SUBROUTINE
END PROGRAM
Referring to Figure 9, a diagrammatic illustration is shown of the relationship between the reflective memory buffers 314 in the front end computer 18a, the transfer map 37 in the IFS circuit 28 and the dual-ported data memory 22 in the process control computers 12a-12b. For purposes of illustration, the data memory 22 is shown to include only two segments. The transfer map 37 indicates that data memory addresses 2000 to 2002 (hex) in the first segment, and data memory addresses 4100 to 4105 (hex) in the second segment, are to be transferred to the reflective memory buffer 46a. More specifically, it should be observed that the transfer map 37 creates a block of contiguous data elements from memory locations in the data memory 22 which are not necessarily contiguous.
Referring to Figure 10, a block diagram of the IFS circuit 28 is shown. In this block diagram, the individual transmitters and receivers (for example, transmitter 38a and receiver 40a) are shown in a single block 400 which also includes the AT&T ODL200 series light converters. The IFS circuit 28 also includes control blocks 402-404 which govern the transfer of data/address signals to and from the transmitter/receiver block 400. In this regard, the IFS circuit 28 includes both an address buffer 406 and a data buffer 408 to facilitate these signal transfers. An address latch 410 is also provided for sending a data memory address to the stealth port. Similarly, a transceiver 412 is provided to enable the IFS circuit 28 to send or receive data information via the data bus of the stealth interface circuit 16.
The IFS circuit 28 also includes a stealth timing and control circuit 414. The stealth timing and control circuit 414 includes one or more Programmable Array Logic circuits to implement a state machine for processing specific signals to or from the stealth interface circuit 16. For example, when the SDSS signal is received, it provides an indication to the IFS circuit 28 that a valid window exists for reading from the data memory 22. Assuming that the arbitration circuit on the stealth interface circuit 16 also grants access to the data memory 22, then the stealth timing and control circuit 414 will appropriately set the control status register 416. The data out control circuit 404 will respond by causing a DMA counter circuit 418 to start counting down to zero from a pre-set value. The DMA counter 418 will decrement with each data word read from the data memory 22. The DMA counter 418 in turn controls a DMA word count circuit 420 which generates an address in the transfer map 37. In other words, the DMA word count circuit 420 points to an address in the transfer map 37, which in turn points to an address in the data memory 22. Through this form of indirection, the IFS circuit 28 will read each of the locations of the data memory 22 that are specified in the transfer map 37 for the particular window permitted by the process control computer 12 through the stealth interface circuit 16.
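The indirection just described, in which the DMA word count indexes the transfer map 37 and the map entry in turn addresses the data memory 22, so that a contiguous buffer is built from non-contiguous locations as in the Figure 9 example of addresses 2000-2002 and 4100-4105 (hex), can be modelled in a few lines. The following Python is an added illustration and not code from the patent; the memory contents, the segment bounds used as the "permitted window", and the function names are constructed for the example. It also adds the one check a defender wants at this point: a map entry that points outside the window the process control computer has opened is refused rather than read.

```python
"""Transfer-map gather modelled on the IFS circuit's DMA indirection.

Added illustration, not code from the patent. The memory contents, the
window bounds and the function names are constructed for the example.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample of the dual-ported data memory, keyed by word address.
DATA_MEMORY: Dict[int, int] = {
    0x2000: 0x0101, 0x2001: 0x0202, 0x2002: 0x0303,
    0x4100: 0x1111, 0x4101: 0x2222, 0x4102: 0x3333,
    0x4103: 0x4444, 0x4104: 0x5555, 0x4105: 0x6666,
    0x7FF0: 0xDEAD,  # held in memory but named by no transfer map entry
}

# Transfer map as in the Figure 9 example: 2000-2002 and 4100-4105 (hex).
TRANSFER_MAP: List[int] = list(range(0x2000, 0x2003)) + list(range(0x4100, 0x4106))

# Constructed: address ranges the process control computer exposes for the window.
PERMITTED_WINDOW: List[Tuple[int, int]] = [(0x2000, 0x2FFF), (0x4000, 0x4FFF)]


def in_window(addr: int, window: List[Tuple[int, int]]) -> bool:
    """True if addr lies inside one of the permitted (low, high) ranges."""
    return any(low <= addr <= high for low, high in window)


def map_violations(transfer_map: List[int], window: List[Tuple[int, int]]) -> List[int]:
    """Return every transfer map entry that falls outside the permitted window.

    A non-empty result means the map would direct the DMA engine at memory the
    process control computer has not opened for this window; checking the map
    once, before any transfer, is cheaper than discovering it mid-transfer.
    """
    return [addr for addr in transfer_map if not in_window(addr, window)]


def dma_gather(transfer_map: List[int], memory: Dict[int, int],
               window: List[Tuple[int, int]],
               word_count: Optional[int] = None) -> List[int]:
    """Emulate the DMA counter / word-count indirection.

    word_count plays the role of the pre-set value loaded into the DMA counter:
    the transfer stops when the count is exhausted, not when the map ends. Each
    count indexes the transfer map, and the map entry is the data memory address
    that is read. Entries outside the permitted window are refused, not read.
    """
    if word_count is None:
        word_count = len(transfer_map)
    if word_count > len(transfer_map):
        raise ValueError("DMA word count exceeds transfer map length")
    buffer: List[int] = []
    for count in range(word_count):
        addr = transfer_map[count]          # indirection: count -> map -> address
        if not in_window(addr, window):
            raise PermissionError(f"address {addr:#06x} outside permitted window")
        buffer.append(memory[addr])         # contiguous buffer, non-contiguous source
    return buffer


if __name__ == "__main__":
    words = dma_gather(TRANSFER_MAP, DATA_MEMORY, PERMITTED_WINDOW)
    print([f"{w:#06x}" for w in words])
```

The word count is deliberately separate from the map length: in the hardware the counter, not the map, decides how many reads occur, so a map longer than the count transfers only a prefix, and a count longer than the map is an error rather than a read past the table.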
Referring to Figure 11, a block diagram of the IFQ circuit 30 is shown. The IFQ circuit 30 includes the Intel 80186 microprocessor, as discussed above, and the program for this microprocessor is stored in EPROM 420. Additionally, an address latch 422 is coupled to the address bus 424 of the microprocessor 42. Similarly, a data buffer 426 is connected to the data bus 428 of the microprocessor 42. A 64Kb RAM circuit 430 is also coupled to both the address bus 424 and the data bus 428. The RAM circuit 430 is used to store system data, such as one or more stacks and other operational data structures for the microprocessor 42.
The IFQ circuit 30 also includes a fiber interface "daughter" board 432, which contains the circuits directly responsible for transmitting and receiving signals over the fiber optic cables 32. In this regard, block 434 includes the two channels of light converters and receiver circuits, and block 436 includes the two channels of light converters and transmitter/receiver circuits, as discussed above. With the Gazelle serial transmitter/receiver pairs, each of the fiber optic links to the IFS circuits 28a-28b is capable of transmitting 2.5 million 40-bit frames per second. Block 44 represents the two 128Kb data buffers used for initially storing SDSS and DSS data which is asynchronously received from the process control computers 12a-12b, as discussed in connection with Figure 1. These "link" data buffers are preferably implemented using two independent memories in a dual-port configuration, one for each fiber optic channel, in order to provide real-time uninterrupted gathering of process data and messages from the IFS circuits. The block 438 represents the provision of at least one word register (for each fiber optic channel) used to hold serial data to be transmitted to one of the process control computers 12a-12b.
The block 440 represents the logic circuits for controlling the storing of information into the data buffers 44 and the word register 438. The logic circuits 440 include one or more Programmable Array Logic ("PAL") circuits for implementing a state machine for handling these data write operations. For example, when a forty-bit data frame is received from one of the process control computers 12a-12b, the logic circuits 440 will decode the address and control bits in order to steer the data bits to the appropriate memory location in the data buffers 44. The fiber interface daughter board 432 also includes an interrupt circuit block 442 which contains the interrupt logic for helping the microprocessor 42 understand the state of the data write activities. In this regard, at least two separate interrupt lines are used to interconnect the interrupt circuit block 442 with the microprocessor 42 (one per fiber optic channel). Both the IFS circuit 28 and the fiber interface daughter board 432 of the IFQ circuit 30 also include a PAL state machine which examines incoming frames for errors (for example, parity errors and 4B/5B link errors). In one embodiment of the front end communication system 10, all of the state machines on the IFQ circuit 30 operate from a 20MHz clock signal which is derived from the 10MHz clock signal of the microprocessor 42.
The microprocessor 42 is programmed to provide at least two DMA engines for moving data. For example, the microprocessor 42 will respond to appropriate interrupt signals from the interrupt circuit block 442 by moving data from the data buffers 44 to a dual-ported 64Kb RAM circuit 444, which acts to provide a bucket brigade storage medium. Then, once sufficient data is stored in the dual-ported RAM circuit 444 (for example, 8Kb), the DMA state machine in the first in, first out ("FIFO") DMA control block 446 will move this data over the Q-bus 302 of the front end computer 18. Memory cycles are preferably interleaved between both the microprocessor 42 system bus and the Q-bus, with the system bus of the microprocessor 42 given top priority. A status register circuit 448 and a CSR circuit 450 are provided to transfer status and control information. Additionally, as shown in Figure 11, an address buffer 452 and a DMA/FIFO counter 454 are also coupled to the address lines of the dual-ported RAM circuit 444. Similarly, a DMA/FIFO data buffer 456 for the Q-bus 302 and a data buffer for the microprocessor 42 are also coupled to the data lines of the dual-ported RAM circuit 444.
The present invention has been described in an illustrative manner. In this regard, it is evident that those skilled in the art, once given the benefit of the foregoing disclosure, may now make modifications to the specific embodiments described herein without departing from the spirit of the present invention. Such modifications are to be considered within the scope of the present invention, which is limited solely by the scope and spirit of the appended claims.

Claims (9)

1. A method controlling the communication of a command message from a computer entity on a computer network to a process control computer which seeks to change at least one of a plurality of operating variables employed by said process control computer to control a physical process, comprising the steps of:
A) providing a front end computer which is connected between said process control computer and said computer network;
B) storing a permissive table in said front end computer that identifies which of said operating variables may be changed by said computer entity;
C) receiving a command message from said computer entity;
D) determining if said command message includes an instruction which seeks to change at least one operating variable in said process control computer;
E) determining whether to transmit said command message from said front end computer to said process control computer by checking the status of an enable indicator in said permissive table which is associated with the corresponding operating variable identified in said command message;
F) transmitting a program version identifier from said front end computer to said process control computer when it is determined to enable the transmission of said command message to said process control computer; and G) determining at said process control computer whether to implement the command message received from said front end computer on the basis of whether the transmitted program version identifier matches a program version identifier stored in said process control computer.
2. The method according to claim 1, including the step of encrypting said program version identifier at said front end computer before its transmission to said process control computer.
3. The method according to claim 1 or 2, wherein said at least one permissive table is installed in said front end computer via communication from a separate computer means upon initialization of said front end computer.
4. The method according to one of claims 1 to 3, wherein only those command messages referring to a change of at least one operating variable and which are received from a computer entity having a valid communication contract are transmitted to said process control computer.
5. A secure front end communication system, for at least one process control computer which controls the operation of a physical process, comprising:
a computer network for enabling communication between a plurality of computers;
at least one computer entity connected to said computer network; and at least one front end computer connected between said process control computer and said computer network, said front end computer having means for storing at least one permissive table, means for determining whether a predetermined type of instruction from said computer entity will be transmitted to said process control computer by checking the status of an enable indicator in said permissive table for the variable which corresponds to said variable from said instruction, and means for transmitting a program version identifier from said front end computer to said process control computer along with said predetermined type of instruction when said enable indicator has the corresponding status;
with said process control computer having means to determine whether to implement said predetermined type of instruction on the basis of whether the transmitted program version identifier matches a program version identifier stored in said process control computer.
6. The secure front end communication system according to claim 5, including at least two actively redundant process control computers, and said front end computer is connected to each of said actively redundant process control computers.
7. The secure front end communication system according to claim 6, wherein said front end computer includes a distinct permissive table for each of said actively redundant process control computers.
8. The secure front end communication system according to claim 7, wherein at least one of said permissive tables is associated with a compiled version of the operating program of one of said actively redundant process control computers which is different than the compiled version of the operating program of one of the other of said actively redundant process control computers.
9. The secure front end communication system according to one of claims 5 to 8, wherein said at least one permissive table is installed in said front end computer via communication from a separate computer means upon initialization of said front end computer.
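The gate that claims 1, 4, 5 and 7 describe (a per-process-control-computer permissive table consulted for the enable indicator of the variable named in a change request, a program version identifier sent along with an enabled request, and a match of that identifier against the stored one before the process control computer acts) is small enough to model end to end. The Python below is an added illustration, not code from the patent or from Dow; the variable names, version identifiers, table contents, the "communication contract" registry and the class and function names are all constructed. The encryption of the identifier in claim 2 is not modelled.

```python
"""Permissive-table gate and program version check, modelled on claims 1, 4, 5 and 7.

Added illustration, not code from the patent. Variable names, version
identifiers, table contents and the contract registry are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class CommandMessage:
    sender: str        # the computer entity on the network
    instruction: str   # "read" or "write"; only a write seeks to change a variable
    variable: str
    new_value: float = 0.0


@dataclass
class PermissiveTable:
    """One table per process control computer (claim 7). `enable` maps a variable
    name to its enable indicator; a variable absent from the table is not enabled.
    `program_version` is the identifier sent with an enabled command (step F)."""
    program_version: str
    enable: Dict[str, bool] = field(default_factory=dict)


@dataclass
class ProcessControlComputer:
    name: str
    program_version: str           # identifier stored in the process control computer
    variables: Dict[str, float]

    def implement(self, msg: CommandMessage, version_id: str) -> Tuple[bool, str]:
        """Step G: act only if the transmitted identifier matches the stored one."""
        if version_id != self.program_version:
            return False, "program version mismatch"
        if msg.variable not in self.variables:
            return False, "unknown variable"
        self.variables[msg.variable] = msg.new_value
        return True, "implemented"


class FrontEndComputer:
    def __init__(self, tables: Dict[str, PermissiveTable], contracts: Set[str]):
        self.tables = tables        # installed at initialization (claims 3 and 9)
        self.contracts = contracts  # entities holding a valid communication contract

    def forward(self, msg: CommandMessage, pcc: ProcessControlComputer) -> Tuple[bool, str]:
        # Step D: a message that does not seek to change a variable needs no gate here.
        if msg.instruction != "write":
            return True, "forwarded without permissive check"
        # Claim 4: change requests are accepted only from contracted entities.
        if msg.sender not in self.contracts:
            return False, "no valid communication contract"
        table = self.tables[pcc.name]
        # Step E: consult the enable indicator for the named variable.
        if not table.enable.get(msg.variable, False):
            return False, f"variable {msg.variable!r} not enabled in permissive table"
        # Step F: transmit the table's program version identifier with the command.
        return pcc.implement(msg, table.program_version)


def build_demo():
    """Constructed pair of actively redundant computers with distinct tables."""
    left = ProcessControlComputer("left", "PCC-L-v1.2", {"setpoint_T1": 80.0, "valve_V7": 0.0})
    right = ProcessControlComputer("right", "PCC-R-v1.3", {"setpoint_T1": 80.0, "valve_V7": 0.0})
    tables = {
        "left": PermissiveTable("PCC-L-v1.2", {"setpoint_T1": True, "valve_V7": True}),
        "right": PermissiveTable("PCC-R-v1.3", {"setpoint_T1": True, "valve_V7": False}),
    }
    return FrontEndComputer(tables, contracts={"operator_ws_1"}), left, right


def run_scenarios() -> Dict[str, object]:
    fec, left, right = build_demo()
    results: Dict[str, object] = {}
    results["read_passthrough"] = fec.forward(CommandMessage("anyone", "read", "setpoint_T1"), left)
    results["enabled_left"] = fec.forward(CommandMessage("operator_ws_1", "write", "setpoint_T1", 85.0), left)
    results["blocked_by_table"] = fec.forward(CommandMessage("operator_ws_1", "write", "valve_V7", 1.0), right)
    results["no_contract"] = fec.forward(CommandMessage("rogue_host", "write", "setpoint_T1", 0.0), left)
    # Constructed: a stale table whose identifier no longer matches the running program.
    fec.tables["left"] = PermissiveTable("PCC-L-v1.1", {"valve_V7": True})
    results["version_mismatch"] = fec.forward(CommandMessage("operator_ws_1", "write", "valve_V7", 1.0), left)
    results["left_variables"] = dict(left.variables)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The last scenario is the point of step G: a permissive table compiled against one version of the operating program cannot authorise a change to a computer running another version, because the identifier the front end forwards with the command no longer matches what the process control computer stores, and the change is refused at the process control computer rather than at the front end.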
CA002334499A 1992-06-12 1993-06-01 Secure front end communication system and method for process control computers Abandoned CA2334499A1 (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US89892392A 1992-06-12 1992-06-12
US07/898,923 1992-06-12
CA002137464A CA2137464C (en) 1992-06-12 1993-06-01 Secure front end communications system and method for process control computers

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CA002137464A Division CA2137464C (en) 1992-06-12 1993-06-01 Secure front end communications system and method for process control computers

Publications (1)

Publication Number Publication Date
CA2334499A1 true CA2334499A1 (en) 1993-12-23

Family

ID=25677659

Family Applications (1)

Application Number Title Priority Date Filing Date
CA002334499A Abandoned CA2334499A1 (en) 1992-06-12 1993-06-01 Secure front end communication system and method for process control computers

Country Status (1)

Country Link
CA (1) CA2334499A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113682348A (en) * 2021-08-25 2021-11-23 湖南中车时代通信信号有限公司 Novel interlocking dual-computer switching method based on communication

Legal Events

Date Code Title Description
EEER Examination request
FZDE Dead