GB2146810A - Achieving redundancy in a distributed process control system - Google Patents

Publication number: GB2146810A
Authority: GB (United Kingdom)
Application number: GB08422694A
Other versions: GB8422694D0 (en)
Legal status: Withdrawn
Inventors: David Michael Oravetz, Robert Alan Smee, Thomas Henry Schwalenstocker
Original assignee: Westinghouse Electric Corp
Current assignee: CBS Corp
Prior art keywords: processor, control, highway, mbu, processors

Classifications (CPC)

    • G06F11/2028 Failover techniques eliminating a faulty processor or activating a spare (G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F11/00 Error detection; error correction; monitoring > G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance > G06F11/16 Error detection or correction of the data by redundancy in hardware > G06F11/20 using active fault-masking, e.g. by switching out faulty elements or by switching in spare elements > G06F11/202 where processing functionality is redundant > G06F11/2023 Failover techniques)
    • G06F11/2038 Redundant processing functionality with a single idle spare processing component (same path through G06F11/202)
    • G06F11/2007 Redundant interconnections or communication control functionality using redundant communication media (same path through G06F11/20, then G06F11/2002 where interconnections or communication control functionality are redundant)

Abstract

A distributed process control system in which redundant local processors are provided at each drop is described. The individual processors each monitor one another and are connected by means of a flip-flop circuit arrangement 60, 78 whereby if any one of them is enabled to take control of local processing and communications functions, all others are disabled from doing so, in order that conflicts are avoided. The inactive processors monitor highway activity and store updated values for process control data transmitted over the highway, so that in the event of transfer of control, each processor is ready to assume all local process control and highway communications functions.

Description

SPECIFICATION

Apparatus and method for achieving redundancy in a distributed process control system

This invention relates to a distributed process control system in which a number of processors performing local data acquisition and control functions are interconnected by a single data cable or "highway", and in which certain local processor operations are duplicated for reliability. More particularly, the invention relates to the way in which plural redundant processors at a particular location can transfer control of local operations from one to the other.
Distributed process control systems for controlling industrial processes such as power generation, petro-chemical refining or the like, comprising a number of data processing devices at differing locations throughout the plant being controlled, are becoming increasingly common. In such distributed process control systems, use of a host computer having a central data bank is avoided in favor of distributing all process control and data acquisition functions, as well as the data base itself, among the various processors comprising the entire system. Avoidance of a host computer has several advantages, perhaps most notably that a distributed process control system can continue to operate despite a portion of its processing "intelligence" being unavailable, whereas if a central or host computer malfunctions, the entire system ceases operation.
In any process control system it is desirable that key system components be provided in a redundant fashion, so that in the event of failure of a component, another similarly functioning component is available to take its place and the system can continue to function. A number of copending applications have been filed relating to a distributed process control system of which the present invention is a part. One such application is Serial No. 509,122, filed June 29, 1983 (Attorney's Docket No. 51,275), incorporated herein by reference. The particular invention in that case relates to providing redundant interconnections between the data highway and the various "drops" making up a distributed process control system. That invention involves use of two "data highway communications processors" at each drop, which both examine messages received over the single data highway. When a message has been properly decoded, the data highway processors each output a "good message interrupt" signal to the drop. The drop takes the message from the processor which first outputs the "good message interrupt" signal. In this way the two redundant processors are operated in a masterless fashion, that is, neither processor is master or slave. Instead both operate identically, eliminating problems in transfer of control, and the like.
The drops according to the invention described in the copending application each comprise two processors, the "data highway communications processor" referred to above, and a "functional" processor used to perform the local drop functions, such as data acquisition, process control, operator interface, and the like. It is desirable that these be provided in a redundant fashion as well. However, in order to avoid problems of contention, i.e. in which the duplicated processors issue conflicting or unsynchronized commands, means must be provided to determine which is "in control" at all times. Moreover, it is again desirable that this redundancy be provided in a masterless fashion, so that control transfers smoothly and automatically between the processors as required, without operator intervention.
Another area in which redundancy is important is in providing the interface between the local processors, which run software programs associated with the function of the particular drop (for example, terminal software at an operator interface station, or data acquisition and process control functions at control locations), and the local operations which need to be monitored or controlled. For example, according to the preferred embodiment of the system described in the copending application incorporated by reference above, the data highway and functional processors which between them perform communications and local data acquisition and control functions are desirably "Multibus compatible"; that is to say, they are designed to interface with an industry standard bus referred to as Multibus (a trademark of Intel (RTM) Corporation). This is done so that a number of commonly available devices can all be used as part of the local processor, which eases system design.
Other elements of the drop, such as the shared memory unit which is used in common by the functional processor and the data highway communications processor, are also Multibus compatible, so that these devices all use this bus to make their various intercommunications. However, the Multibus was not the first choice for the bus to which logic-controlled devices such as relays, thermocouples, solenoid valves and the like are coupled. In particular, the assignee of the present invention desired to use the "point cards" previously available from the assignee for local data acquisition and control functions. As these are adapted to interface with a different bus structure, referred to herein as a "distributed output/input bus" or "DIOB", a device must be provided to "translate" Multibus data and commands to their DIOB counterparts.
Clearly it is desirable that redundancy be provided at this level as well. Again it is desirable that neither of the redundant translating or interfacing components be master or slave, whereby both co-exist equally, so that transfer of control can be made with a minimum of complexity, should that suddenly become desirable for some reason.
By the same token it is desirable that the data stored in the memories of all the redundant components concerning variable process parameters and the like be kept equally up to date, so that should control be transferred, this can be accomplished in a "bumpless" manner whereby no sudden changes in process variables are directed by the processor newly obtaining control.
Clearly it would be desirable in such a distributed process control system to provide a fail-safe system in which redundant processors would be arranged such that only one of them could assert control of a given function at any particular time.
It would also be desirable if the functions described above could be provided in a redundant control system in which identical cards, i.e., circuit boards having components therein, could be used for both processors, with the least possible modification required to adapt them for use together.
It would furthermore be desirable if the control signals output by one redundant processor could be used directly as the signals required by the other upon transfer of control, while still employing the same circuit design for both processors.
It is accordingly an object of the invention to provide a distributed process control system in which plural processors are provided for interfacing between a data highway and local processor means.
One aspect of the invention resides broadly in a distributed process control arrangement having data acquisition and control drops connected by a data highway, each said drop comprising: first and second identical processors for performing local process control functions and communications interfacing functions with respect to said highway, connected in a flip-flop circuit arrangement, with circuitry by which the Enabled signal of each processor is inverted and supplied to an AND gate of the other processor.
Another aspect of the invention resides broadly in a method of operating a distributed process control arrangement having a number of data acquisition and process control drops connected by a data communications highway, each of said drops comprising plural processor means each comprising a highway interface processor for performing communications functions with respect to said highway, and a functional processor for performing local data acquisition and control functions, said method comprising the steps of: controlling a first one of said processor means to be in an active mode, during which it performs said functions, and controlling all other processor means of each drop to be in a passive mode, at any given time; and causing said active mode to be ended for said first one of said processor means upon failure of its functional processor or of its highway interface processor, and causing another one of said processor means to end said passive mode and enter the active mode to perform said functions, if the functional processor and highway interface processor of said another one of said processor means of said drop are both operational.
The needs of the art and objects of the invention mentioned above are provided according to the present invention, in which plural processors are provided for redundant capability in a distributed process control system. The two processors are connected effectively in a flip-flop circuit arrangement such that if one asserts control over local operations the other is automatically disabled from doing so, thus avoiding conflict therebetween. The two processors in the preferred embodiment are of identical construction and are interconnected by a flat cable which is given a half twist between the two, thus inverting the order of the signals carried by the cable between the identical terminations. In this way, for example, an "I'm OK" signal output by one processor automatically becomes a "Partner OK" signal to the other. This enables identical circuit boards to work together.
The invention will be better understood if reference is made to the accompanying drawings, in which: Figure 1 shows a block diagram version of the typical configuration of a drop in the distributed processing system according to the invention; Figure 2 shows a more detailed version of a drop according to the system of the invention provided with redundant data highways and redundant processors according to the invention; Figure 3 shows a detailed block diagram view of the Multibus to DIOB Interface (MBU) unit which provides interconnection between the two processors used for redundancy purposes according to the invention; Figure 4 shows a circuit diagram describing the redundancy logic used in the MBU; Figure 5 shows how the two MBUs are effectively connected in a flip-flop configuration; Figure 6 shows the connection of the flat cable used to interconnect the two processors and the signals carried thereby; Figure 7 shows a flowchart of the operations undergone upon restart of one processor; Figure 8 shows the flowchart of the operations undergone by each processor when in the control mode; and Figure 9 shows a corresponding flowchart of the operations undergone by each processor when in stand-by mode.
Fig. 1 shows broadly the configuration of a typical drop in the distributed data processing system according to the invention. A data highway cable 10 which, in the preferred embodiment, is a simple coaxial cable, is connected to a data highway controller 12 which is connected to a random access memory (RAM) unit 14, which is shared by the data highway controller and a local processor (CPU) 16. In the preferred embodiment of the invention, described in the copending application incorporated by reference above, the data highway controller 12 selects bits received serially from the data highway, decodes them and stores data of interest to the operations of the local CPU 16 in locations in shared RAM 14. When the CPU 16 requires that data it then simply accesses the shared RAM 14. In this way, the operations of the data highway controller 12 and the CPU 16 need not be synchronized.
Communications between the shared RAM and the CPU are made via a Multibus 18. As discussed above, this bus is conventional in the industry, and a wide variety of peripheral devices are available which are "plug compatible" therewith.
As mentioned above, in the preferred embodiment of the system according to the invention sold by the assignee, local data acquisition and process control functions are carried out by devices known as "point cards" 20. These are, in the preferred embodiment, designed to be coupled to a different sort of bus structure than the Multibus 18, referred to as a distributed input-output bus (DIOB) 22. Interface between the Multibus 18 and the DIOB 22 is made by a Multibus to DIOB interface (MBU) card 24.
According to the invention, the data highway controller 12, the shared RAM 14, the CPU 16, and the MBU 24 are all duplicated at each drop, as is the data highway 10 connecting the various drops. In the preferred embodiment, the MBUs 24 determine which CPU 16 and data highway controller 12 actually perform the local control and communications functions; the two MBUs 24 at each drop communicate with one another so as to settle all questions of priority. A block diagram of a drop having redundancy of this kind is shown in Fig. 2. MBU-A 24 corresponds with MBU-B 24a via communication line 26, which is discussed in detail below.
The redundant data highways 10 and 10a are connected as shown to redundant data highway controllers 12 and 12a. These communicate via shared RAMs 14 and 14a with CPUs 16 and 16a over dual Multibuses 18 and 18a. An additional degree of redundancy can be provided by additionally attaching each data highway controller 12 to a second data highway 10a, as shown in phantom. This is in accordance with the invention discussed above and forming the subject matter of the copending application incorporated by reference above (Attorney's Docket No. 51,275).
The two MBUs 24 and 24a are both connected, however, to the same distributed input-output bus 22 and thence to the point cards 20, which are not provided in redundant fashion. Those skilled in the art will recognize that it is therefore essential that at any given time only one local processor 16, one data highway controller 12 and one MBU 24 be operated in the active or "in control" mode, and that the other remain in the stand-by or "back-up" mode. This is so because if both are simultaneously attempting to perform communications and control functions, there are bound to be discrepancies, detected as errors, which could be quite serious. According to the present invention this is avoided by designating one of the MBUs as primary and one as secondary at the time of manufacture of the drop. Thereafter, the primary MBU and its associated functional processor 16 and data highway controller 12 will assume control, and the other MBU will be subordinated thereto, unless a problem with the primary system or its communications should arise. Thereupon, the redundant processor 16, data highway controller 12 and MBU 24 will be called upon to serve. The fact that the redundant apparatus is required is communicated from the failed MBU 24 to the other via communications line 26. The redundant MBU 24 can also detect that it is required by noticing failure of the primary system to act within a given time, and will then assume control without specific instruction from its partner.
As was discussed above, it is desirable that the MBU, as well as the other circuits found in each half of the redundant drop, be identical so as to simplify their construction and reduce cost. Fig. 3 shows the block diagram of an MBU circuit design which achieves this goal while providing the Multibus to DIOB interface and control logic functions required. On the left side of Fig. 3 are shown the various signals conventionally arriving from the Multibus 18: 19 bits of address signals at 32, two 8-bit data lines at 34 and 36, and five control signals at 38. All these are conventionally understood, in accordance with the Intel Corporation's specification of the Multibus. The output signals to the distributed input-output bus 22, shown on the right side of Fig. 3, are eight address bits at 40 and eight data bits at 42. Five control signals at 44 are also provided. The use of these signals will be generally understood by those skilled in the art.
In the preferred embodiment, the MBU unit operates as a memory-mapped peripheral with respect to the functional processor, as is typically done in the Multibus environment. The MBU comprises processor and control logic 46 which converts the address signals received from the Multibus at 32 into the proper driver enabling signals used in the DIOB 22.
The processor and control logic receives inputs from the other MBU board via a disable controls connector 48, to which is connected cable 26 (Fig. 2). The signals received from the partner MBU are also supplied to a status register 50 and to redundant controller logic 52, which is also supplied with inputs from a control register 54. The redundant controller logic 52 is that portion of the circuit in which the determination of which MBU, and hence which functional processor and data highway processor, are to be used is made; its operation is detailed below in connection with Fig. 4.
The MBU boards are each provided with two switches 56 and 58. Switch 56 is operator-set to either the RUN or the SERVICE position, the latter permitting the board to be tested when in the service mode. Switch 58 is used to define whether a particular MBU, and hence the associated CPU 16, is the primary or the back-up unit of a given drop. Switch 58 thus determines which MBU and which associated functional processor 16 and data highway processor 12 is in control if both at a given drop are functioning correctly; otherwise whichever redundant unit is functional will automatically take control. The remaining major element of the MBU board is a command decode and data bus control unit 60. This, as well as the other drivers, inverters, latches and the like shown, does not relate to the invention claimed herein; the function and design of these units will generally be understood by those skilled in the art.
Fig. 4 details the redundancy logic 52 shown in Fig. 3. The two switches 56 and 58 are shown as providing inputs to the status register 50. The connection of control register 54 is also shown. Input signals are shown on the left of Fig. 4 and output signals on the right. Generally, the object of this logic is to enable the associated MBU and processor circuitry, i.e. allow it to take control of communications and of local processing operations, only if the associated redundant circuitry is not enabled. Accordingly, for example, one input signal is "Partner Enabled", appearing at 80. This signal, inverted at 78, is supplied to AND gate 60. If "Partner Enabled" is true, the output of AND gate 60, which outputs the Enabled signal (and indicates it is doing so by lighting an LED 62), thus cannot be true. Similarly, another input to the AND gate 60 is the "Alive" signal from the control register 54; this signal indicates that the associated functional processor is operating properly. If it is not, the "Enabled" signal cannot be given. "Enabled" is transmitted to the partner MBU at 76, where it is interpreted as "Partner Enabled", i.e. at 80. A second output signal is "I'm OK" at 66. This means that all is well with the MBU and its associated functional processor and data highway processor, and is transmitted to the other MBU, where it is interpreted as "Partner OK" at 68. The "cable-in-place" signal 70 is also shown. Clearly if the interconnecting cable 26 (Fig. 2) is not in place, the status register 50 should be informed of this fact so that the proper action can be taken. A "Request Control" signal received from the functional processor via the control register 54 is shown at 72. Clearly if there is no need for the MBU to take control, i.e. if the functional processor does not have an operation pending, there is no reason for the MBU to assert control; accordingly, this signal is also applied to the AND gate 60.
A one-shot 74 is also provided and has a jumper 76 across its terminals. Typically, this one-shot 74 will be used at intervals to provide the "Alive" signal 75; that is, if the one-shot is not periodically retriggered by the functional processor's setting the Alive bit in the control register 54, this is an indication to the MBU that something is wrong with the functional processor, so that the "Enabled" signal should not be given. The jumper varies the length of the interval within which the one-shot must be reset; the interval is chosen in accordance with the length of the program running on the functional processor. The one-shot signal is applied to the AND gate 60 if ANDing it at 59 with the RUN signal is true, that is, if the switch 56 is in the RUN position. The "I'm OK" signal output at 66, which is the result of ANDing at 57 the "I'm OK" bit in the control register 54, indicating that the functional processor is working, and the ALIVE signal 75 received from the one-shot 74, as discussed above, becomes "Partner OK" at 68 to the other MBU.
Fig. 5 shows how the two MBUs interact essentially in a flip-flop circuit arrangement, whereby only one MBU is activated, i.e. can output the "Enabled" signal asserting control, at any time. The two AND gates shown at 60 in Fig. 5 are the same as those of Fig. 4.
Again, the inputs to the AND gates are the "Alive" signal 75, derived via one-shot 74 from the control register, the "Request Control" signal 72, also from the control register, and the "Partner Enabled" signal 80 shown in Fig. 4, inverted at 78. Thus, upon all three of these signals being "true", the corresponding MBU is enabled and the appropriate "Enabled" signal 76 output. Since this signal is inverted at 78 and applied to the other AND gate, the flip-flop structure shown is effectuated; that is, only one of the AND gates 60 can output a "true" at any one time. The MBU with this AND gate on its circuit board will thus be that which is in control at any given moment.
Fig. 6, comprising Figs. 6a and 6b, shows the connection made by the interconnecting cable 26 between the two MBUs 24 and 24a.
Fig. 6a shows the physical connection, in which the 20-conductor flat ribbon cable 26 which is used is given a 180 degree twist and connected to the identical port on the other board, so that one MBU's output signals become the other's input signals, and vice versa. Fig. 6b shows the sequence of signals used. For example, "I'm OK" output at pin number 20 on both boards becomes "Partner OK" at pin 1 on the other board. Similarly, "Output Enabled" at pin 18 becomes "Partner Enabled" at pin 3. "Card in place" is common to both, and "Disable output" at pin 14 with respect to one board is "Disable input" on pin 7 of the other. In this way, the flip-flop connection shown in Fig. 5 is effectuated while permitting the two MBU boards to be made identically; inasmuch as tooling for a given printed circuit board is usually a fairly large portion of the cost of manufacture of a given component, this represents a significant saving indeed.
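The enable logic of Figs. 4 and 5 and the cable mapping of Fig. 6, modelled in Python as an added example. This is editor's code, not part of the patent: the signal names follow the text, while the watch-dog period and its time unit, the treatment of the one-shot as a plain timeout, and the class and function names are assumptions. The model shows that the cross-coupled AND gates admit only one Enabled output, that a lapsed Alive signal hands control to the partner, and that the half twist maps conductor p to conductor 21 - p, giving the 20 to 1, 18 to 3 and 14 to 7 pairings of Fig. 6b.

```python
"""Added model of the cross-coupled MBU enable logic of Figs. 4 and 5 and the
half-twisted ribbon cable of Fig. 6 of GB2146810A.  Editor's code, not from the
patent.  Signal names follow the text; the watch-dog period and its unit, the
treatment of the one-shot as a simple timeout, and all Python names are
assumptions."""
from dataclasses import dataclass
from typing import Optional, Tuple

CABLE_CONDUCTORS = 20  # 20-conductor flat ribbon cable 26 (Fig. 6a)

# Output pins named in the text; the remaining conductors are not named there.
OUTPUT_PINS = {"im_ok": 20, "output_enabled": 18, "disable_output": 14}


def twist(pin: int) -> int:
    """The 180 degree twist lands conductor p on pin 21 - p of the identical
    connector on the partner board: 20 -> 1, 18 -> 3, 14 -> 7 as in Fig. 6b."""
    if not 1 <= pin <= CABLE_CONDUCTORS:
        raise ValueError(f"pin {pin} outside 1..{CABLE_CONDUCTORS}")
    return CABLE_CONDUCTORS + 1 - pin


# The same conductors as read on the receiving board.
INPUT_PINS = {
    "partner_ok": twist(OUTPUT_PINS["im_ok"]),                # pin 1
    "partner_enabled": twist(OUTPUT_PINS["output_enabled"]),  # pin 3
    "disable_input": twist(OUTPUT_PINS["disable_output"]),    # pin 7
}


@dataclass
class MBU:
    name: str
    request_control: bool = False  # "Request Control" bit 72 in control register 54
    im_ok_bit: bool = True         # "I'm OK" bit in control register 54
    run_switch: bool = True        # switch 56: True = RUN, False = SERVICE
    watchdog_period: float = 1.0   # one-shot 74 interval set by jumper 76 (assumed seconds)
    last_alive_set: float = 0.0    # time the functional processor last set the Alive bit
    enabled: bool = False          # output of AND gate 60

    def kick(self, now: float) -> None:
        """Functional processor sets the Alive bit, retriggering one-shot 74."""
        self.last_alive_set = now

    def alive(self, now: float) -> bool:
        """One-shot 74 is still high if retriggered within one period (assumed model)."""
        return now - self.last_alive_set <= self.watchdog_period

    def im_ok(self, now: float) -> bool:
        """Gate 57: I'm OK bit AND Alive; read as Partner OK on the other board."""
        return self.im_ok_bit and self.alive(now)

    def evaluate(self, partner_enabled: bool, now: float) -> bool:
        """AND gate 60: (Alive AND RUN, gate 59) AND Request Control AND NOT Partner Enabled (inverter 78)."""
        alive_gated = self.alive(now) and self.run_switch
        self.enabled = alive_gated and self.request_control and not partner_enabled
        return self.enabled


def settle(a: MBU, b: MBU, now: float, first: Optional[MBU] = None,
           max_rounds: int = 4) -> Tuple[bool, bool]:
    """Re-evaluate both gates, each fed the other's Enabled through the cable,
    until the pair is stable.  `first` is the gate evaluated first; it matters
    only when both boards request control in the same instant, the race that
    the restart procedure of Fig. 7 settles in software."""
    order = (b, a) if first is b else (a, b)
    for _ in range(max_rounds):
        before = (a.enabled, b.enabled)
        for m in order:
            partner = b if m is a else a
            m.evaluate(partner.enabled, now)
        if (a.enabled, b.enabled) == before:
            break
    return a.enabled, b.enabled


def exactly_one_enabled(a: MBU, b: MBU) -> bool:
    """The flip-flop property: never both boards, and with both requesting never neither."""
    return a.enabled != b.enabled


if __name__ == "__main__":
    a, b = MBU("MBU-A", request_control=True), MBU("MBU-B", request_control=True)
    print(settle(a, b, now=0.0, first=a))  # A holds the DIOB
    b.kick(2.0)                            # B keeps its one-shot alive, A does not
    print(settle(a, b, now=2.5, first=a))  # B takes over
```

Note that the gates alone do not decide which board wins when both request control in the same instant; the model lets the caller pick which gate settles first, which is the race the restart procedure of Fig. 7 resolves in software by deferring to the board whose switch 58 marks it primary. Moving switch 56 to SERVICE cuts a board's Alive path at gate 59, so a board under test can never hold Enabled.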
Fig. 7 shows a decision tree of the operation of each MBU upon restart. The first question considered, at 92, is whether the partner is in control; that is, whether the Partner Enabled signal 80 is high. If this is true, then the MBU under consideration should execute in the stand-by mode, as at 94. If the partner is not in control, at 96 the question of whether the MBU executing the decision tree is the primary processor is considered. If it is, and if cross-communications are OK, that is, if the connecting cable 26 is in place, at 90, it begins to execute in the control mode 104. If it is not the primary MBU, it begins to execute in the stand-by mode at 100 for a predetermined minimum amount of time, during which it will determine whether the other processor is ready to come back on line.
If, on the other hand, the cable was found not to be in place at 90, the MBU executes in the stand-by mode at 106.
Fig. 8 shows a decision tree of MBU operations undergone in the control mode, that is, upon the control mode bit being set high, as detected at 110. If it is, but the partner MBU is in control at 112, then the MBU simply executes in the stand-by mode at 114. If the partner is not in control and if the data highway is OK at 116, then the MBU executes in control mode at 118. If the data highway were not OK, while the partner and its highway were OK at 120, then this MBU executes in stand-by mode at 122. If neither data highway were OK, as determined at 116 and 120, then the MBU continues to execute in the control mode at 124, assuming that it has the best chance of proper operation. The operation undergone in Fig. 8 is done periodically upon updating of the one-shot 74, which is referred to as a "watch-dog timer": when the one-shot 74 times out, the MBU scans the status bits and takes the actions shown in Fig. 8.
If the processor is in stand-by mode, the decision tree of Fig. 9 is followed. If its partner is in control at 128, the MBU stays in stand-by mode at 130. If the partner does not appear to be in control but the cross communications are not OK, at 132, then the MBU stays in stand-by mode at 134, effectively assuming that the other processor is operating. If the communications are OK at 132, and if control has failed in the past at 136, then the MBU stays in stand-by mode at 138, presuming the communications are all that has failed. If control has not previously failed, then it is presumed at 140 that something has gone wrong with the other processor, and the functional processor begins to assume the control mode. In this way, a failsafe type of operation is provided so that one processor takes over if either the communications between processors or the other processor fails. This provides a useful level of safety to the system.
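The three decision trees of Figs. 7, 8 and 9, carried through as an added Python example; editor's code, not taken from the patent. The Status fields correspond to the signals named in the text. Two points are assumptions of the model rather than statements of the patent: "control has failed in the past" at 136 is treated as a software flag that a unit sets when it gives up control, and each unit is fed the partner's mode from the previous scan as its Partner Enabled input, as the latched Enabled line would present it.

```python
"""Added model of the mode decisions of one MBU/functional-processor pair,
following the decision trees of Figs. 7, 8 and 9 of GB2146810A.  Editor's code,
not from the patent.  Assumption: the "control has failed in the past" test at
136 reads a software flag that a unit sets when it gives up control; the text
does not say how that flag is kept."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Sequence, Tuple


class Mode(Enum):
    CONTROL = "control"
    STANDBY = "stand-by"


@dataclass
class Status:
    partner_enabled: bool        # "Partner Enabled" 80, pin 3 of cable 26
    cable_in_place: bool         # cross-communications OK, signal 70
    is_primary: bool             # switch 58
    highway_ok: bool             # own data highway healthy
    partner_ok: bool             # "Partner OK" 68, pin 1 of cable 26
    partner_highway_ok: bool     # partner's data highway healthy
    control_failed_before: bool  # software flag (assumption, see docstring)


def on_restart(s: Status) -> Mode:
    """Fig. 7: run when a unit (re)starts."""
    if s.partner_enabled:                        # 92 -> 94
        return Mode.STANDBY
    if s.is_primary:                             # 96
        if s.cable_in_place:                     # 90 -> 104
            return Mode.CONTROL
        return Mode.STANDBY                      # 90 -> 106
    return Mode.STANDBY                          # 100: back-up waits for the primary


def in_control(s: Status) -> Mode:
    """Fig. 8: scanned each time the watch-dog one-shot 74 times out."""
    if s.partner_enabled:                        # 112 -> 114
        return Mode.STANDBY
    if s.highway_ok:                             # 116 -> 118
        return Mode.CONTROL
    if s.partner_ok and s.partner_highway_ok:    # 120 -> 122
        return Mode.STANDBY
    return Mode.CONTROL                          # 124: no highway OK, keep control


def in_standby(s: Status) -> Mode:
    """Fig. 9: scanned while in stand-by."""
    if s.partner_enabled:                        # 128 -> 130
        return Mode.STANDBY
    if not s.cable_in_place:                     # 132 -> 134: assume partner is running
        return Mode.STANDBY
    if s.control_failed_before:                  # 136 -> 138: only the cable has failed
        return Mode.STANDBY
    return Mode.CONTROL                          # 140: partner presumed failed, take over


def next_mode(mode: Optional[Mode], s: Status) -> Mode:
    """Apply the tree for the unit's present mode (Fig. 7 if it has none yet)."""
    if mode is None:
        return on_restart(s)
    return in_control(s) if mode is Mode.CONTROL else in_standby(s)


def simulate(a_highway: Sequence[bool], b_highway: Sequence[bool],
             cable: bool = True) -> List[Tuple[Mode, Mode]]:
    """Step primary A and back-up B through one watch-dog scan per element of
    the (constructed) highway-health sequences.  Partner Enabled is taken from
    the partner's mode in the previous scan; both processors are taken to be
    healthy (Partner OK true) so that only highways fail.  Returns (mode_a,
    mode_b) for every scan."""
    mode_a: Optional[Mode] = None
    mode_b: Optional[Mode] = None
    failed_a = failed_b = False
    history: List[Tuple[Mode, Mode]] = []
    for ha, hb in zip(a_highway, b_highway):
        sa = Status(mode_b is Mode.CONTROL, cable, True, ha, True, hb, failed_a)
        sb = Status(mode_a is Mode.CONTROL, cable, False, hb, True, ha, failed_b)
        new_a, new_b = next_mode(mode_a, sa), next_mode(mode_b, sb)
        # A unit that drops from control to stand-by remembers that control failed.
        failed_a = failed_a or (mode_a is Mode.CONTROL and new_a is Mode.STANDBY)
        failed_b = failed_b or (mode_b is Mode.CONTROL and new_b is Mode.STANDBY)
        mode_a, mode_b = new_a, new_b
        history.append((mode_a, mode_b))
    return history


def never_both_in_control(history: Sequence[Tuple[Mode, Mode]]) -> bool:
    """The invariant the flip-flop wiring is meant to guarantee."""
    return all(not (a is Mode.CONTROL and b is Mode.CONTROL) for a, b in history)
```

Running simulate over the constructed health sequences shows that when the primary's highway fails, the pair passes through one scan with neither unit in control before the back-up takes over at 140, and that with the cross-connecting cable absent at restart neither unit ever enters control, since step 90 sends the primary to stand-by and step 134 keeps the back-up there. The "failed before" flag is what stops the primary from retaking the bus at 140 after it has given it up, which would otherwise make the two units alternate.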
Restating the invention, redundancy at the data highway controller and functional processor level is provided to protect the system from failure of either of these units. Both data highway controller and functional processor are duplicated, and each half has its own data highway interface, Multibus chassis and MBU card. The MBU card makes the interface to a common distributed input-output bus shared by the two processors.
The distributed processor unit redundancy according to the invention is implemented via a masterless scheme. Both functional processors have the same software program. However, only one is allowed to run in control mode at any given time. The partner processor runs in back-up mode.
In the control mode, the functional processor operates as it normally does in a nonredundant drop, i.e., one at which redundancy of these parts is not provided. It reads and writes to the distributed I/O bus and performs the various data acquisition and process control functions excepted of it. In addition, it monitors the status of its partner by scanning signals passed from the partner's MBU to it MBU via the cross connecting cable.
When in back-up mode, the functional processor executes diagnostics and monitors the state of its partner. It monitors the health of the functional processor in control and its data highway by scanning the signals sent over the cross connecting cable.
As described in the copending application incorporated by reference above, according to the broadcast technique used in the system of which the present invention forms a part, all information required to perform local operations is transmitted over the data highway. According to the present invention, this data is received by the back-up functional processor as well as by the control functional processor. The back-up functional processor monitors the controlled process by receiving all the process information that the process controllers of the various drops send over the data highway. In this way, transfer of control from one to the other can be made without delay or undue complexity.
The circuitry of the MBU described above forbids the functional processor, when in back-up mode, from writing to the distributed input-output cards. In the event the functional processor in control fails, its MBU will disable it and will inform the back-up functional processor, via its MBU, of the control processor's failure. At this time, the back-up processor will take control of the bus, begin running the process control program previously being executed by its partner, and begin broadcasting the information previously originated by its partner.
As described above, in the preferred embodiment, this is implemented by providing a circuit on the I/O interface (MBU) circuit boards which arbitrates control of the I/O, and special software/logic built into the processors to support the I/O interface. Each I/O interface's control circuit has the following inputs:
Information from the processor:
An alive status bit, used to check the health of the processor;
An I/O control request bit; and
A processor status bit.
Information from the "partner's" I/O interface control circuit, received over a cross-connecting cable:
A bit indicating whether the partner has control of the I/O;
A bit indicating whether the partner is healthy; and
A bit indicating whether the cross-connecting cable is in place.
Information from the user, via two switches:
A bit that disables write operations to (or control of) the I/O; and
A bit indicating which drop should control the I/O in the event both start up at the same time.
At restart, both processors write to the redundancy control circuitry to indicate their own and their data highway's health. (Failing to write anything will make the processor look unhealthy.) The processor whose redundancy control circuitry is configured to be primary by the setting of switch 58 then sets a "request control" bit requesting control of the I/O.
Once granted control, the primary processor is given exclusive rights to control the I/O until one of the following events occurs: the processor resets the "request control" bit; the processor fails to have the one-shot update a watchdog timer bit on a periodic basis; or the Run/Service switch on the control circuit is set by the user to the service position.
If the processor in control detects that its communications (data highway) have failed, and its partner is indicating that it is healthy, it relinquishes control of the I/O by resetting the "request control" bit.
A processor running in standby (non-control) mode generally waits until control is relinquished by the primary processor (for one of the above reasons). When this happens, the standby processor can request and be granted the privilege of writing to the I/O.
With control now in the hands of the second (previously back-up) processor, the failed processor can be powered down, repaired or replaced, and subsequently powered up without any detrimental effect on the control functions being performed by the partner. Upon power-up of the repaired or replaced functional processor, it will detect that its partner is already in control and will take the role of back-up processor.
Automatic switchover of control to the back-up processor occurs upon either of the following conditions: failure of the control processor, or failure of the data highway associated with the control processor, provided that the health of the back-up functional processor and its data highway are both indicated as good.
The Run/Service switch 56 can be used to manually switch control for service of one or the other processor. The Primary/Back-up switch 58 also allows control to be assumed by one processor in preference to the other when both restart. The MBU in which switch 58 is set to the back-up position simply delays slightly longer before assuming that it has to take control, so that the other has by that time assumed control.
The interconnecting cable connections can be described in more detail as follows. There are three inputs: Cable In Place, Partner OK, and Partner Enabled, and three outputs: Card In Place, I'm OK, and Output Enabled. These can be specified as follows:
INPUTS:
CABLE-IN-PLACE indicates to the processor (through a bit in the Status Register) that the cable is in place on both MBU connectors. This is done by tying CARD-IN-PLACE to ground on one MBU, and this is connected to CABLE-IN-PLACE on the other MBU.
PARTNER-OK indicates to the processor (through a bit in the Status Register) that the redundant processor's Data Highway is OK, that the redundant processor is ALIVE, and that the redundant processor has not previously failed to control I/O.
PARTNER-ENABLED indicates that the redundant processor is in Control Mode. As long as this input is active, the processor cannot go into Control Mode. This line activates the CONTROL AVAILABLE bit in the Status Register when inactive.
OUTPUTS:
CARD-IN-PLACE is tied to ground so that the signal CABLE-IN-PLACE on the redundant MBU will be active if the DISABLE CONTROLS cable is in place on both boards.
I'm-OK is active when the ALIVE one-shot and the I'm OK bit in the Control Register are both active.
OUTPUT-ENABLED is active when the processor is in Control Mode. To be active, the ALIVE one-shot must be active, the REQUEST CONTROL bit must be high, the RUN/SERVICE switch must be in RUN mode and PARTNER-ENABLED must be inactive (allowing, at most, one processor in Control Mode at any point in time).
OUTPUT-ENABLED is connected to PARTNER-ENABLED on the redundant MBU, to prevent the redundant processor from gaining control when this signal is active.
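The two watchdog decision trees (Figs. 8 and 9) and the OUTPUT-ENABLED gating described above, modelled together as an added Python example that is not part of the patent; the Status and Mbu classes, the settling loop in arbitrate and the failover_demo scenario are constructions of this example, not circuitry from the specification.

```python
from dataclasses import dataclass
@dataclass
class Status:
    """Status bits one MBU scans on watchdog time-out (names follow the text; class is constructed)."""
    control_mode: bool           # this processor's control-mode bit
    partner_in_control: bool     # PARTNER-ENABLED input from the cross cable
    highway_ok: bool             # own data highway healthy
    partner_ok: bool             # PARTNER-OK: partner alive, its highway OK, never failed control
    cable_ok: bool               # CABLE-IN-PLACE: cross communications OK
    control_failed_before: bool  # this processor previously failed to control I/O

def watchdog_scan(s):
    """Fig. 8 / Fig. 9 decision trees, branch for branch; returns "control" or "standby"."""
    if s.control_mode:                               # Fig. 8
        if s.partner_in_control: return "standby"    # 112 -> 114
        if s.highway_ok: return "control"            # 116 -> 118
        if s.partner_ok: return "standby"            # 120 -> 122
        return "control"                             # 124: neither highway OK, best chance
    if s.partner_in_control: return "standby"        # Fig. 9, 128 -> 130
    if not s.cable_ok: return "standby"              # 132 -> 134: assume partner still runs
    if s.control_failed_before: return "standby"     # 136 -> 138: blame the comms
    return "control"                                 # 140: partner presumed failed, take over

@dataclass
class Mbu:
    """Inputs to one MBU's OUTPUT-ENABLED gate (constructed model of the text)."""
    alive: bool                     # ALIVE one-shot still being retriggered
    request_control: bool           # REQUEST CONTROL bit in the Control Register
    run_switch: bool                # RUN/SERVICE switch in RUN
    partner_enabled: bool = False   # driven by the partner's OUTPUT-ENABLED

    def output_enabled(self):
        return self.alive and self.request_control and self.run_switch and not self.partner_enabled

def arbitrate(primary, backup):
    """Settle the cross-coupled OUTPUT-ENABLED/PARTNER-ENABLED pair. The back-up
    (switch 58) delays before claiming control, so it is evaluated second."""
    backup_out = False
    for _ in range(3):      # two passes settle the pair; a third confirms stability
        primary.partner_enabled = backup_out
        primary_out = primary.output_enabled()
        backup.partner_enabled = primary_out
        backup_out = backup.output_enabled()
    return primary_out, backup_out

def failover_demo():
    """Primary in control, its ALIVE one-shot lapses, back-up scans, requests and takes over."""
    primary = Mbu(alive=True, request_control=True, run_switch=True)
    backup = Mbu(alive=True, request_control=False, run_switch=True)
    before = arbitrate(primary, backup)          # (True, False): only the primary drives I/O
    primary.alive = False                        # watchdog no longer updated by the primary
    p_en, _ = arbitrate(primary, backup)         # PARTNER-ENABLED seen by the back-up drops
    scan = Status(False, p_en, True, False, True, False)   # back-up's next watchdog scan
    backup.request_control = watchdog_scan(scan) == "control"
    return before, arbitrate(primary, backup)    # ((True, False), (False, True))
```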
It will be appreciated that there has been described a redundant processor configuration and method of operation thereof which satisfies the needs of the art and objects of the invention mentioned above. Redundant processors are operated in masterless mode, whereby switching from one to the other takes place automatically, yet in such a way that only one can be enabled at any one time, thus precluding the possibility of conflicting instructions. The design of the processor is such that identical boards can be used with both processors, with but a single ribbon cable with a 180 degree twist required to provide the interconnecting signal connections between common cable terminations.

Claims (5)

CLAIMS:
1. A distributed process control arrangement having data acquisition and control drops connected by a data highway, each said drop comprising: first and second identical processors, for performing local process control functions and communications interfacing functions with respect to said highway, being connected in a flip-flop circuit arrangement, circuitry for connecting the Enabled signal required of each processor to be inverted and supplied to an AND gate of the other processor.
2. An arrangement of claim 1 including circuitry for transferring control from one of said processors to the other upon failure of said first processor, when the other of said processors is capable of performing.
3. A method of operating a distributed process control arrangement having a number of data acquisition and process control drops connected by a data communications highway, each of said drops comprising plural processor means each comprising a highway interface processor for performing communications functions with respect to said highway, and a functional processor for performing local data acquisition and control functions, said method comprising the steps of: controlling a first one of said processor means to be in an active mode, during which it performs said functions, and controlling all other processor means of each drop to be in a passive mode, at any given time; and causing said active mode to be ended for said first one of said processor means upon failure of its functional processor or of its highway interface processor and causing another one of said processor means to end said passive mode and enter the active mode to perform said functions, if the functional processor and highway interface processor of said another one of said processor means of said drop are both operational.
4. A method of claim 3 further comprising the step of controlling said processor means so that only one of said processor means is performing said functions in said active mode at any given time.
5. A method of claim 4 wherein said step of controlling said processors so that only one of said processor means is performing said functions at any given time is achieved by connecting all of said processor means in a flip-flop circuit arrangement whereby if any one of said processor means is in the active mode all others of said processor means are prevented from entering the active mode.
GB08422694A 1983-09-13 1984-09-07 Achieving redundancy in a distributed process control system Withdrawn GB2146810A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US53182183A 1983-09-13 1983-09-13

Publications (2)

Publication Number Publication Date
GB8422694D0 GB8422694D0 (en) 1984-10-10
GB2146810A true GB2146810A (en) 1985-04-24

Family

ID=24119194

Family Applications (1)

Application Number Title Priority Date Filing Date
GB08422694A Withdrawn GB2146810A (en) 1983-09-13 1984-09-07 Achieving redundancy in a distributed process control system

Country Status (3)

Country Link
JP (1) JPS60173602A (en)
FR (1) FR2551897A1 (en)
GB (1) GB2146810A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1999052245A1 (en) * 1998-04-03 1999-10-14 Siemens Aktiengesellschaft Bus master switch unit
US11822802B2 (en) 2021-12-21 2023-11-21 Hewlett Packard Enterprise Development Lp Simplified raid implementation for byte-addressable memory

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPS63200201A (en) * 1987-02-16 1988-08-18 Hitachi Ltd Duplex system for controller
JPH01231101A (en) * 1988-03-11 1989-09-14 Toshiba Corp Duplex process input/output controller

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB1241363A (en) * 1968-11-08 1971-08-04 Int Standard Electric Corp Improvements to data processing systems duplicated for reliability purposes
US3991407A (en) * 1975-04-09 1976-11-09 E. I. Du Pont De Nemours And Company Computer redundancy interface
GB2006488A (en) * 1977-10-20 1979-05-02 Euteco Spa Computer system for controlling the operation of an industrial plant
GB2032149A (en) * 1978-09-08 1980-04-30 Fujitsu Ltd Transferring from Working to Standby Processor on Fault
EP0083422A2 (en) * 1981-12-31 1983-07-13 International Business Machines Corporation Cross checking among service processors in a multi-processor system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US3882455A (en) * 1973-09-14 1975-05-06 Gte Automatic Electric Lab Inc Configuration control circuit for control and maintenance complex of digital communications system
US4276593A (en) * 1979-03-30 1981-06-30 Beckman Instruments, Inc. Transfer system for multi-variable control units

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1999052245A1 (en) * 1998-04-03 1999-10-14 Siemens Aktiengesellschaft Bus master switch unit
US6757777B1 (en) 1998-04-03 2004-06-29 Siemens Aktiengesellschaft Bus master switching unit
US11822802B2 (en) 2021-12-21 2023-11-21 Hewlett Packard Enterprise Development Lp Simplified raid implementation for byte-addressable memory

Also Published As

Publication number Publication date
JPS60173602A (en) 1985-09-07
GB8422694D0 (en) 1984-10-10
FR2551897A1 (en) 1985-03-15

Legal Events

Date Code Title Description
WAP Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1)