CA1182569A - Industrial control system with interconnected remotely located computer control units - Google Patents
Industrial control system with interconnected remotely located computer control unitsInfo
- Publication number
- CA1182569A CA1182569A CA000442691A CA442691A CA1182569A CA 1182569 A CA1182569 A CA 1182569A CA 000442691 A CA000442691 A CA 000442691A CA 442691 A CA442691 A CA 442691A CA 1182569 A CA1182569 A CA 1182569A
- Authority
- CA
- Canada
- Prior art keywords
- information
- remote
- received
- block
- mentioned
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired
Links
Landscapes
- Communication Control (AREA)
- Selective Calling Equipment (AREA)
Abstract
INDUSTRIAL CONTROL SYSTEM WITH INTERCONNECTED REMOTELY LOCATED COMPUTER CONTROL UNITS A control system for controlling an industrial process includes a plurality of remotely located process control units (remotes) each coupled to an associated input/output device(s) and adapted to communicate with one another through a dual channel communications link. Each remote has a unique succession number within a predetermined succession order with supervisory communication-control of the communication link sequentially transferred to each remote according to its succession number to provide a revolving or master for the moment control of the system. Digital information in the form of data and control information blocks is transmitted between the remotes with the blocks transmitted twice on each channel of the communications link. The destination remote tests the block validity on one of the two dual channels and, if validated, responds with an acknowledgement signal (ACK) and, if invalid, tests the blocks on the other, alternate channel and then responds with an acknowledgement or non-acknowledgement signal (NAK) depending upon whether the data blocks tests on the alternate channel are found valid or invalid. A nonacknowledgement from the destination remote re-triggers the transmission of the blocks from the source remote. The system provides high overall operating efficiency since the remotes will maintain a system-like integrity on each side of a severed communication link and the redundant block transmission with alternate line checking provides very high information transfer reliability.
Description
INDUSTRIAI. CONTROL S~STEM WITH INTERCONNECTED
REMOTELY LOCATED_COMPUTER CONTROL UNITS
BACKGROUND OF THE INVENTION
This application is a division of Canadian Serial No. 368,795, filed January 19, 1981.
The present invention relates to control systems of the type having a plurality of remotely located process control units connected together through a communications link and, more particularly, to a control system in which each of the remote units sequentially assumes supervisory communication control of the communication link and in which high reliability information transfer is achieved between remotes.
Many system type industrial installations, for example those related to industrial process-type manu-facturing and electrical power generation, employ a large number of physically dis-tributed controlled-devices and associat:ed sensors for effecting coordinated operation of the overall system. In the past, coordinated control of the various devices has been achieved by manual op-eration and various types of semi-automatic and automatic control syste~ns including electro-magnetic relay systems, hardwired solid-state logic systems, and various types of computer control systems. The computer systems have included central systems in which the various sensors and controlled devices are connected to a central computer;
distributed control systems in which a remotely located computer is connected to each of the controlled devices and to one another; and hybrid combinations of the central and distributed systems. The successful functioning of the control system is vital to any industrial process, and, accordingly, distributed systems have generally been preferred over central systems because the failure o~
one of the remotely located control computers generally does not cause a system wide failure as in the ca~ of the failure of the central computer in the cer,tral system However, in many distributed computer systems, one of the remotes or a specially designed control unit generally handles supervisory communication control of the communic-ation buss and, for these systems, failure of ~he communication buss supervisor can lead to a system-wide failure.
In many industrial control systems, the various communication busses that extend between the remotely located computer process control units are exposed to high electrical noise environments. Accordingly, the information transferred over the communication buss can be subjected to error-inducing interference because of the harsh electrical environment. In view of this, a control system must have a means for detecting errors within the transmitted informa-t.ion in order to provide high reliability data transmission between remotes.
SUMMARY OF THE INVENTION
In view of the above~ the present invention seeks to provide an industrial control systern for controlling an industrial process or -the like having a high overall system operating reliability and to provide an industrial control system which may take the form of a distributed control system, a central control system, or a combination thereof to provide high overall operating e~ficiency and reliability.
The invention to which this divisional applicat-ion is directed pertains to an information transfer sys-tem for transferring digital information between stored-program controlled means and for testing the validity of the trans-ferred i.nformation. The system comprises at least one stored-program controlled means for
REMOTELY LOCATED_COMPUTER CONTROL UNITS
BACKGROUND OF THE INVENTION
This application is a division of Canadian Serial No. 368,795, filed January 19, 1981.
The present invention relates to control systems of the type having a plurality of remotely located process control units connected together through a communications link and, more particularly, to a control system in which each of the remote units sequentially assumes supervisory communication control of the communication link and in which high reliability information transfer is achieved between remotes.
Many system type industrial installations, for example those related to industrial process-type manu-facturing and electrical power generation, employ a large number of physically dis-tributed controlled-devices and associat:ed sensors for effecting coordinated operation of the overall system. In the past, coordinated control of the various devices has been achieved by manual op-eration and various types of semi-automatic and automatic control syste~ns including electro-magnetic relay systems, hardwired solid-state logic systems, and various types of computer control systems. The computer systems have included central systems in which the various sensors and controlled devices are connected to a central computer;
distributed control systems in which a remotely located computer is connected to each of the controlled devices and to one another; and hybrid combinations of the central and distributed systems. The successful functioning of the control system is vital to any industrial process, and, accordingly, distributed systems have generally been preferred over central systems because the failure o~
one of the remotely located control computers generally does not cause a system wide failure as in the ca~ of the failure of the central computer in the cer,tral system However, in many distributed computer systems, one of the remotes or a specially designed control unit generally handles supervisory communication control of the communic-ation buss and, for these systems, failure of ~he communication buss supervisor can lead to a system-wide failure.
In many industrial control systems, the various communication busses that extend between the remotely located computer process control units are exposed to high electrical noise environments. Accordingly, the information transferred over the communication buss can be subjected to error-inducing interference because of the harsh electrical environment. In view of this, a control system must have a means for detecting errors within the transmitted informa-t.ion in order to provide high reliability data transmission between remotes.
SUMMARY OF THE INVENTION
In view of the above~ the present invention seeks to provide an industrial control systern for controlling an industrial process or -the like having a high overall system operating reliability and to provide an industrial control system which may take the form of a distributed control system, a central control system, or a combination thereof to provide high overall operating e~ficiency and reliability.
The invention to which this divisional applicat-ion is directed pertains to an information transfer sys-tem for transferring digital information between stored-program controlled means and for testing the validity of the trans-ferred i.nformation. The system comprises at least one stored-program controlled means for
2~
transmitting digital information in blocks of predetermined format which blocks include an error detecting code word.
At least one other stored-program controlled means is provided for receiving digital information in the block format and it is adapted to test the validity of the re-ceived block using the error detecting code word. Plural independent communication channels are connected to and extend between the first-mentioned and the second-mentioned stored-program controlled means for transferring inform-ation blocks therebetween. The second-mentioned stored-program controlled means has validity testing means for selecting a one of the plural communication channels and testing the validity of the block received thereon and for selecting another of the plural communications channels and testing the validity of the block received on the other communication channel when the block received on the first-selected communication channel fails its validity test.
The invention in this divisional applica-tion also comprehends a system for controlling an industrial process, which system includes a plurality of process controlling remotes each connected by a common communicat-ions link, the system including at least one process controlling remote for transmitting process control inform-ation in digital form, the information arranged in groups of predetermined format with each of the information groups including an error détecting code word. At least one other process controlling remote is provided for receiving process control information in the information group format and testing the validity of the received blocks based on the error detecting code. The communication link inter-connecting the first-mentioned and the second-mentioned remotes includes a'c least two independent communication channels, the first-mentioned remote transmitting an identical information group on each of the communication channels, the second-mentioned remote operable to select a one of the communication channels and evaluate the valid-ity of the received inEormation group and select the other of the communication channel.s when the received inform-ation group on the first-selected communication channel fails its validity test.
A still further aspect of the invention in this divisional application pertains to a method for-transfer-ring digi-tal information formatted in predetermined blocks between an inEormation transmitting device and an inter-connected information receiving device, the method comp-rising the steps of transmitting iden-tical information blocks from a transmitter over plural independent communi-cation channels to a receiver, receiving and storing the received information blocks at the receiver, selecting the information block received on one of the plural com-munication channels and testing the validity thereof, selecting the information block received on the other of the communication channels and testing the validi-ty thereof in the event the first-selected information block fails its validity check, and re~uesting retransmission of the information blocks in the event both the first-selected and the second-selected information blocks fail their validity test.
More particularly disclosed is a control system for controlling an industrial process including a plurality of remote process control units Rn (remotes) connected to various controlled devices and sensors arld communicat-ing with one another through a communicatlons link having at least two independent communication channels. Each remote is assigned a unique succession number or position in a predetermined succession order with each remote unit assuming supervisory communication control of the com-munications link on a revolving or master for the moment basis in accordance with the remote's relative position in the succession order. Information transfer including process data and command control information is accomplished between a source re~mote Rs and a des-tination remote Rd by successively trans-mitting two identical information blocks o~er each communicat-ion channel with the de~stina-tion remote Rd testing the validity of the blocks on one of the channels and, if valid, responding with an acknowledgement signal (ACK), and, if invalid, then -testing the validity of the two blocks received on the other, alternate channel. An acknowledgement (ACK) or a non-acknowledgement signal (NAK) is sent by the destination remote Rd if the informat-ion on the alternate channel is found, respectively, valid or invalid. The source remote Rs will retransmit the information blocks in response to a non-acknowledgement signal from a destination remote with the re-transmission from -the source remote Rs limited to a predetermined, finite number.
Such a control system provides a means for controlling an industrial process in which high overall system operating reliability is achieved. The system is equally suitable for use with central (master/slave), distributed, and hybrid system configurationsO
2~
BRIE:F DESCRIPTION OF THE DRAWINGS
The above description, as well as the asL~ects, features, and advantages of the present invention will be more fully appreciated by reference to the following detailed description of a presently prefe.red but none-theless illustrative embodiment in accordance with the present invention when taken in connection with the accompanying drawings wherein:
FIG. 1 is a schematic diagram of an exemplary process contxol system including a plurality of remote process control units (remotes), includin~ both primary con-trol remotes and redunda~t remotes, connected to a co~non, d~al-channel co~nunications link;
FIG. 2 .is a schematic block diagram of an exemplary remote process control unit of the type shown i~ FIG. l;
FIG. 3 is a schematic block diagram of an exemplary modulator/demod~lator (MODEM) for the re~lote process control unit shown in FIG. 2;
FIG. 4 is a schematic block diagram of an exemplary co~nunication protocol controller ror the remote process urit shown in FIG. 2;
FIG. 4A i5 a schemat-.c block diagram of an exemplary input/output management device for the remote ~roces~ control unit shown in FIG. 2;
FIG. 4B is a flow dlagram illustrating the .anner in which the change-in-status ~venis of the controlled devices of FIG. 1 are detected by the input/
output management device of FIG. 4A;
FIG. 5 illustrates the format of an exemplary or illustrative information block for transferring infonnation between remotes;
FIG. 5A illustrates the format of a header frame of the information block shown in FIG. 5;
FIG. SB illustrates the forma-t for a data/
information rrame of the information block shown in FIG. S, FIG. 5C illustrates the format ~or an ac~nowledgement block (ACK) for acknowledging successful receipt of an information block;
FIG. 5~ illustrates the format for a non-acknowledgement block (NAK) for indicating the unsuccassful trans.~ission of an information bloc~ betweer.
remotes;
FIG. 6 illustrates, in pictorial form, two identical data b~ocks having the format sho~n in FIG. 5 successively transmitted on each communication chanrel of the com~unication link illustrated in FIG. 1;
FIG. 7 is a flow diagram summa-y of the manner in which a source and a destination remote effect communi~
cations with one another;
FIG. 8A is a partial flow diagram illust~ating in detail the manner in which a sourc~ and a destination remote communicate and validate information transferred be~ween one another;
FIG. 8B is a partial flow diagram wh.ich com-pletes the flow diagram of FIG. 8A and illustrates in detail the manner in which a source and a destination remote communicate and validate infor~ation transferreZ
bet~een one another;
FIG. 9 is a legend illustrating the manner in the flow diagrams of FI~. 8A and FIG. 8B are to be read;
FIGS. lOA through lOF are exernplary tables illustrating the manner in which supervisory control of the communication link is transferred from remote to remote;
FIG. 11 is a schematic block diagram of an e~emplary redundant remote that is adapted to assume control from a failed or otherwise inoperative primar~ remote;
FIGS. llA and llB are flow dia~rams of the manner in which the central processing unit of the redundant remote R4 monitors the operating condition of its assigned primary remotes Rl, R2, and R3 and takes ove.r operation when one of the primary remotes fails;
FIG. 12 is a flow diagram summary of the manner by which an interrogating remote Rx tests the integrity of the communication link between it and the remotes Rx 1 and RX~l immediately adjacent thereto in the succession order;
FIG. 12A is a partial flow diagram illustra-ting in detail the manner by which an interrogating remote R~
tests the communications integrity of the communications link between lt and the next lower number remo~e Rx 1 in the succession order;
FIG, 12B is a partial flow diagram illustrating in detail the manner in which an interrogating remote Rx tests the communiations integrity of the communications link between it and the next highex number remote RX+1 in the succe~sion order;
FIG. l~C is a partial flow diagram illus~rating in detail the manner by which a line termination impedance is applied to the communications link in the event of a communications link degradation or interruption;
~2~
FIG. 13 is a legend illustrating the manner in which the flow diagrams of FIGS. 12A, 12B, and 12C are to be read; and FIG. 14 is an exemplary table illustrating the status of various counters when an interrogating remote Rx is evaluating the integrity of the communications link in accordance with the flow diagram shown in FIG. 12A.
DESCRIPTION OF THE PREFERRED EMBODIMENT
An industrial control system in accordance with the present invention is shown in schematic form in FIG. 1 and includes a communications link CL (C-link) having a plurality of remotely located process control units (remotes) Rl, R2,...R7, R8 connected thereto with the eight remotes (Rl-R8) shown being exemplary; it being understood that the system is designed to be used with a much larger number of remotes. Of the eight remctes illustrated, the remotes Rl-R3 and R5-R7 are 'primary' remotes and the remotes R4 and R~ are 'redundant' remotes~ The communications link CL is shown as an open line, double channel con.~iguration formed ~rom ~o dual coax, dual twisted pair, or the like with the individual co~munication links identi~ied, respectively, by the reference characters G~ and CLl. While the system configuration shown in FIG. 1 is a distributed open loop or shared global bus type, the invention is equally suitable for application to central systems or central/
distributed hybrid configura~ions. The system of FIG. l is adapted for use in controlling an industrial process, e.g., ~he operation of a power generating plan~, with each primary remote unit Rl-R3 and R5-R7 connected ~o one or more associated or coxresponding input/output de~ices I/O
I/03 and I/05-I/07, respectively. Each input/output device is, in turnl connected to an associated controlled device CDl-CD3 and CD5-CD7 (o which only CD6 and CD7 are illustrated in FIG. 1) such as, but not limited to, various types of sensors (tempera-ture, pressure, position, and motion sensors, etc~) and various types of actuators lmotors, pumps, compressors, valves, solenoids, and relays, etc.).
Each primary remote may control a large number of output devices and respond to a large number of input devices, and the blocks labeled I/O in FIG. 1 can each represent many input and output devices.
The redundant remote R4 monitors the operation of primary remotes R1, R2, and R3; and the redundant remote R8 monitors the operation of primary remotes R5, R6, and R7. Should any one of the remotes Rl R2, and R3 fail, the failure will be detected by the remote R4 in a manner to be described and the remote R4 will take over control of the input and output devices of the failed remote by receiving the data from -the failed remote over the communications link CL and sending commands to the failed remote over the co~nunications link CL in formated inEormation blocks. Similarly, if one of the remotes R5, R6, or R7 fai:Ls, the redundant remote R8 will take over control of the operatlon of the input/ou-tput devices for the failed remo~e as described above withrespect to redundant remote R4. Although only eight remotes have been shown in Figure 1, any number of remotes Rl, R2, R3, ...... Rn 1~ Rn could be utilized in a particular system.
The architecture of an exemplary remote Rn is shown in FIG. 2. While the architecture of the remote Rn can vary depending upon the control process require-ments, the remote shown in FIG. 2 includes a modem 10; a communication protocol controller 12; an input/outpu-t management device 14; a central processing unit ~CPU) 16;
%~
a memory 18; a peripheral device 20 that can include, e.g., a CRT display, a printer, or a keyboardi and a co~non bus 22 which provides addressing, control, and information transfer between the various devices which constitute the remote. The devices shown in dotted line illustration in FIG. 2 (that is, the central processing unit 16, the memory 18, and the peripheral device 20) are provided depending upon the process control require-ments for the remote Rn. For example, in those primary remotes Rn which f~mction as an elemental wire replacer, only the modem 10, the communication protocol controller 12, and the input/output management device 14 are pro-vided. In more complex process control requirements, an appropriately programmed central processing unit 16 and associated memory 18 are pxovided to effect active con-trol according to a resident firmware program. In still other remotes requiring a human interface, the appropriate peripheral device(s) 20 may be connected to the common buss 22.
As shown in more detail in FIG. 3, the modem 10 provides two independent communication channels CH~ and CHl connected, respectively, to the communication links CL~ and CLl. Each of the communication channels C~
and CHl is provided with substantially identical communi-cation devices, and a description o the communication devices of the first communication channel CH0 is sufficient to provide an understanding of the second communication channel CHl. The communication channel CH~ includes an encoder/decoder 240 for providing appropriate modulation and demodulation of the digital data trans-mitted to and received from the communication link CL~.
In the preferred form, the encoder/decoder 240 converts digital information in non-return-to-zero binary (NRZ) format to base-band modulation (BB.~) signal format for transmission and effects the converse for reception.
.~mplifiers 260 and 28~ are pro~ided, respectively, to drive a passive coupling transformer T0 with digital information provided from the encoder/decoder 24~ from the coupling transformer T0. A set of selectively operable relay contacts 30~ are provided between the coupling transformer T0 and the corresponding communication link CL~ to effect selective intexruption thereof to isolate the remote Rn from the communications link CL, and another set of relay contacts 32~ are provided to selectively connect the signal output of the coupling transformer T~ with a termination impedance Z~. The termination impedance Z~ is used when the particular remote Rn is at the end of the communication link CL to provide proper line termination impedance for the link, or, as described in more detail below, to assist in terminating an open or degraded portion of the communi-sations link CL.
A selectively operable loop-back circuit 34 is provided to permit looping back or recirculation of test data during diagnostic checking of the remote Rn. While not specifically shown in FIG. 3, the loop-back circuit 34 can take the form of a double pole, single throw relay that effects connection between the channels CH~ and CHl in response to a loop-back command signal 'L3'. 3uring the diagnostic checking of a remote, which checking takes place when a par~icular remote is a master-for-the-moment as explained below, the relay contacts of the loop-back f~2~
circuit 34 are closed and a predetermined test word is sent from the channel CH~ to the channel CHl a~d from the channel CHl to the channel CH~ with the received word in each case being checked against the original test word to verify the transmit/recei~e integrity of the particular remote.
The isolation relays 30~ and 311, the impedance termination relays 320 and 321, and the loop~b~ck circuit 34 are connected to and selectively controlled by a communications link control device 38 which receives its communication and control signals from the communications protrocol controller 12 described more fully below. A
watch-dog timer 40 is provided tc cause the C-link control device 38 to operate the isolation relays 30~ and 301 to disconnect the remote Rn from the communication link CL in the event the timer 40 times-out. I'he timer 40 is normally prevented from timing out by periodic reset signals provided from the com~unication protocol controller 12. In this way, a remote Rn is automatically disconnected from the comm-mication link CL in the event of a failure of its comm~nication protocol controller 12.
As shown in more detail in ~IG. 4, each communi-cation protocol controller 12 includes input~output ports 42~ 44, and 46 which interface with the above described modem 10 for the coi~munication channels CH~ and CHl and the modem C-link control device 38 (FIG. 3). A first-in first-out (FIFO) serializer 48 and another first-in first-out serializer 50 are connected be-tween the input/output ports 42 and 44 and a CPU signal processor 52. The first-in first-out serializers 48 and 50 function as temporary stores for storing inform2tion blocks provided to and from the modems 10 as described more fully below. The CPU 52, in turn, interfaces with the buss 22 through buss control latches 54. A read only memory (ROM) 56 containing a resident firmware program for the CPU 52 and a random access memory (R~) 58 are provided to permit the CPU 52 to effect its communication protocol function as described more fully below. Timers 62 and a register 60 (for example, a manually operable DIP switch register or a hardwired jumper-type register) that includes registers 60a and 60b are also provided to assist the CPU 52 in performing its communication proto-col operation. An excess transmission detector 64, connected to input/output ports 42 and 44 (corresponding to communication channels CH0 and CHl) determines when the transmission period is in excess of a predetermined limit to cause the C-link control device 38 (FIG. 3) to di.sconnect the transmitting remote from the communications link CL and thereby prevent a remote that is trapped in a transmission mode from monopolizing the communications link CL.
The input/output management device 14, the architecture of which is shown in FIG. 4A, is preferably a fi~mware controlled microprocessor-based device which - 14 ~
is adapted to scan the various input/output hardware points of the controlled device, effect a point-by-point status comparison with a prior scan, and record the change-in-status events along with the direction of the change and the time the event occurred (ti~e-tagging), effect data collection and distribution to and from the input/output points, format the collected data in preferred patterns, and assemble the patterned data in selected sequences.
~s shown in FIG. 4A, the input/output management device 14 includes a processor 14A connected to the remote buss 22 through a processor buss 14B; read-only-memories 14C and 14D connected to the processor 14A
through appropriate connections with these memories in-cluding the firmware necessary to effect the above-described functions of the input/output managemen-t device 14 including the change~in-status event monitoring (described in more detall below); a read/write memory 14E (RAM) for temporarily storing information incident co the operation of the processor 14A including the change-in-status event inforrnation; a time base 14F for providing time information for time tagging the change-in-status events; and an input/output interface 14G for connection, either directly or indirectly, to the controlled devices.
In the preferred ernbodiment, the input/output interface 14G is defined by one or more printed circuit control cards generally arranged in rack formation with each card having hardware points arranged in predetermined sets of eight polnts with each hardware point carrying a binary indica~ion for controlling or sensing the operation of the controlled device. The control and operational status of the controlled device can generally be represented by one or more eight-bit words (e.g., 00010001) with each bit position representing a control or operational characteristic of the controlled device.
As described in further detail below in connection with FIG. 4B, the input/output management device 14 effects the aforedescribed change-in-status monitoring and associated time-tagging by periodically scanning the input/output hard-ware points in eight-bit groups and effecting a comparison between the so-obtained eight-bit group and the eight-bit group obtained during the previous scan. If a change is detected in one or more of the bit positions, the latest eight-bit group, along with the time-of-day information obtained from the time base 14F, and other information, if desired, representing the direction of change, is placed in a first-in first-discard memory ~FIFO) of predetermined size. Thus, each change-of-status event along with its time tag and other information such as direction of change, etc. is placed in a memory of selec~ed size as the changes occur. When all the memory locations are filled, the first entered event (which now represents the oldest chronological event) is discarded as the latest event enters the memory. The memory loading is inhibited by the occurrence of any one of a selected number of inhlbit signals. In the system, ~arious con-ditions including alarm conditions which represent partial or full system failures can be assigned a priority with - 16 ~
~hose conditions or combinations thereof designated as "high" priority signals being pexmitted to disable or inhibit further accessing of the memory. In the event one or these high priority conditions occurs, the memory is inhibited from storing additional change-in-s-tatus information and the change~in-status events occurring prior to the high priority condition are preserved for subsequent analysis. Alarm conditions which are not designated as high priority, of course, do not inhibit the memory. This technique advantageously differs from those prior techniques in which the controlled device status was only placed in memory at the moment of a high priority signal (in which case a historical pre-failure racord-of-events was not available) or those techniques in which the change-in-status events were logged in a memory which was periodically cleared, refilled, and cleared in which case the probability of obtaining a complete histor~ of events prior to a predetermined high priority condition diminished in those instances in which the logging memory was cleared just prior to the occurrence of the high priority condition.
The manner by which the input/output management device 14 effects the change-of-status event logging is shown in FIG. 4B. During initialization, the processor 14B (referred to also as the RTZ in FIG. 4B) moves an image of the various input/output points, that is, the current status of the various input/output hardware points~ to preassigned locations in the memory 14E (local) of the input/output management device 14 and the memory 13 (system) of the remote Rn (FIG. 2).
Thereafter, the address(s) of the first input/output card is obtained and the input/output hardware points for that card are scanned to obtain an input/output image which takes the form of an eight-bit word (e.g., 00000000) with each bit position representing the control or operational status of the controlled device. The input/output points so obtained are then compared with the previously obtained image of the points (e.g., 00100000), for example, by effecting a bit-by-bit exclusive OR (XOR) comparison~ If the comparison indicates no change in status, (that is, the words are identical) the input/output points in the remaining cards are likewlse scanned with the process repeated on a cyclic or looped basis. However, if a change is detected in the exclusive OR comparison, that new input/output scan, along with the time tag information and the direction of change is placed in the memory 18 of the remote Rn, and, in addition, the latest scan is moved to the memroy 14E
of the input/output manaqement device. This process continues with each new change-in-status event loaded into the memory 18 o the remote on a first-in first-discarded basis. The first-i.n first discard memory may be configured by assigning a preselected number of memory locations in the memory 18 of the remote Rn (e.g., fifty locations) for the logging information and providing an address pointer that points to each successive location in a serial manner with the pointer returning to the first location after pointing at the last available pre-assigned location in the memory.
In the preferred embodiment, the processor 14A of the input/output management device 14 (FIG. 4A) and the processor 52 tFIG. 4) of the communication protocol controller 12 is 8X300 micro-controller manufactured by the Siqnetics Company of Sunnyvale, ~alifornia, and the central proce~si~g unit 16 (FIG. 2) is an 86/12 singLe board 16-bit micro-computer manu-factured by the ~ntel Company of Santa Clara, California and adapted to and configured for the ~ntel MULTIBUSIM
Each remote R~ s adapted to communicate with the other by transitting digital data organized in pre-determined block formats. A sultable and illu~trative bloc~ format 66 is shown in F~G. 5 and includes a multi-word header frame 66A, a multi-word data frame 66B, and a -'~ block termi~ation frame or woxd ~6C. Selected of the information block configuration~ are adap~od to transfer process control information to ~nd from s~lected remo~e ~mits ~n and other of th~ block configur~tions are adapted to transfer supervisory control o~ the communications link CL from one remote to the other remote as explained in greater detail below.
An exemp].ary format ~or the h~ader and data fram~s o~ an lnformation bloc~ 66 is shown, respectively, in FIGS. SA and 5B. The head~r frame 66A preferably 2~ include5 a 'start of h~der' word(s) that indicates to all remotes that informat~on is being transmitted; a 'source' identification word(s) that ind~cates ~h~ identity of the source remote Rs that i~ tran~forring the infor~ation: a 'des~ina~ion' word(s) that indicate~ th~ iden~ify of th~
receiving or destinatio~ r~mote Rd; a 'header-typ~' word(~) that indicates whether the dat~ block i~ tran~erring data, a parametered command block, or ~ param~erlo~ command block;
'block-type' word iodicating the type o~ block ~that is, a command block or a data bloc~ a 'block number' word that - 1 9 ~
2s~
indicates the number of blocks being sent; a 'block size' word indicating the length cf the data framei a 'security code' ~ord~s) that permits alteration of the resident soft-ware programming in a remote; and, finally, a two-byte 'cyclic redundancy code' (CRC) validity word. The data frame fox each data block, as shown in FIG. 5B, can in-clude a plurality o data carrying bytes or words Bl, B2~...Bn f ~ariable length texminated with a two-byte cyclic redundancy ~ode word. As described more fully below, each of the xemotes is adapted to acknowledge (ACX) successful receipt of data and command blocks and non-acknowledge (N~C) the receipt of data in which a trans-mission error is de~ec~ed. When transmitting an acknowledgement block or a non~acknowledgement block, the header format used is shown in FIGS. 5C and 5D in which an acknowledgement (ACK) or non-acknowledgement (NAX) word occupies the 'block type' word position. The block formats disclosed above are intended to be illustrative only and not limiting.
The vaxious remote units Rl, R2, R3,.Rn communi-cate with one another by having eac~ remote successlvely take control of the communications link CL and the controlling remote Rs then sending digital information between itself and a destlnation remote Rd using a double transmission alternate line technique that provides for high reliability data transfer between remotes even when one of the two communication links CL~ or CLl is inoperative, for example, when one of the two communication cables is severed or otherwise degraded as occassionally occurs in harsh industrial environments.
~ 20 -~z~
When a remote unit assumes con~trol of the communi-cation link CL (as explained more fully below) and, as a source remote Rs, desixes to send data blocks to another, destination remote Rd, the data block is assembled at the source remote Rs in accordance with the block formats discussed above in connection with FIGS. 5-5D and trans-mitted through the inormation channels CL0 and CLl of the source xemote Rs to the communication links CL~ and CLl with the header rame containing both the source remote ~5 and the destination remote Rd identification information.
In accordance with the da~a transmission technique, the communication protocol controller 12 of the source remote Rs transmits the information blocks twi~e on each communication link CL0 and C~l as schematically illustrated in FIG. 6 to provide a first data block DBA and then a second, following data block DBB on each communication link C~0 and CLl.
The transmitted informatio~ block headers include the identity o~ the destination remote, Rd, which causes the destination remote Rd to receive and act upon the information blocks. At the destination remote Rd, the two data blocks DBA~ and DBB0 on the communication link CL0 are passed through the communication channel CH0 and the two data blocks DBAl and DBBl on the communication link CLl are passed through the communication channel CHl to, respectively, the first-in firs~-out serializers 48 and 50 (FIG. 4).
As shown in the summary flow diagram of FIG. 7, the destingation remote Rd checks the validity o-f tne received data by selecting one of the two communication links (e.g., CL0 in FIG. 7~ and then checks the first data block on the selected line (that is, DsA~) by perfonning a cyclic redundancy check of the header frame and, if valid, performing a cyclic redundancy check o ~he data rame. I the data fr~ne is valid, the commlmi-cation protocol controller 12 of the destination remote Rd then per~orms a bit-for-bit comparision between the CRC-valid first data block DBA~ and the second following data block DBB~. If the bit~for~bit cornparision is good, an acknowledgement (ACK3 signal s sent from the destination remote Rd to the source remote RS to indicate the receipt of valid information and comple~e that data block information transaction. On the other hand, if the CRC
validity checkq of the header or the data fr~ne or the bit-for-bit comparison check indicate invalid data, the protocol controller 12 o~ the destination remote R~ then selects the other r alternate line (in this case, CLl) and per~onns khe afor~nentioned cyclic redundan~y checks of the header and data frame and the bit-for-bit COInpariSOn between tha first and second data blocks DB~l and DB
on the alternate line CLl. If these checks indicate valid data on the alternate line, the destination remote Rd responds with an acknowledgement signal ~ACK) to conclude the data block txansmission transaction. On the other hand, i~ these chscks indicate invalid data on the alternate line (which means that the data blocks on both the first-selected line and the alternate lina are invalid) ~he destination remo~e Rd responds wikh a non-acknowledyement signal (NAK~ ko cause retransmission of the data blocks from the source remote R5. The non~
acknowledgemenk block (NAK) includes a byte or bytes - 2~ -indicating the identity of the data block or blocks which should be retransmitted. A counter (not shown~ is provided that counts the number of retransmissions from the source remote R5 and, after a finite number of re-transmissions (e~g., four), halts further retransmission to assure that a source remote Rs and a destination remote ~d do not become lost in a repetiti~e transmit/NAK/re-transmit/NAK... sequence in the event of a hardware or sotware failure of the destination remo~e Rd error checking mechanism.
The double message alternate line checking sequence summarized in FIG. 7 may be more fully appreciated by referring to the detailed flow diagram shown in FIGS. 8A
and 8B (as read in accordance with the flow diagram map of FIG. 9). At the start of the information validity checking procedure, the 'line ~-firsk' flag register is checked; if a flag is present, the 'first-attempt fail' flag register is checked, and, if there is no flag in this register, the two data blocks DBAl and DBBl on channel CHl are stored while the two data blocks DBA0 and DBE0 on channel C~ are used for the first attempt in~ormation check.
Thereafter, the header frame of ~he first data block D~A~
on channel CH~ undergoes a CRC check, and, if acceptable, the data frame of this data block DBA~ undergoes a CRC checkO
If the header and data frames CRC checks indicate valid data a 'good message' register is incremented. If ~he number of good messages is less than two, the error checking pr~ceduxe returns to the initial part of the flow diagram and, after ~ 23 -determining there is no channel CH0 first flag or first-attempt flag present, checks the second following data block DBB0 by repeating the header and data CRC cyclic redundancy checksO If the header and data frames pass the CRC checks, the 'good message' register is incremented again to indicate that a total of two messages in succession ~that is, DBA~ and DBB0) have passed the cyclic redundancy check for the header and data frames. Thereafter, the two data blocks DB~0 and DBB~ received on line C~ are checked by performing a bit-by-bit comparision between the two. If ths data blocks DBA~ and DBB~ pass the bit-by-bit comparision test, the communi-cations protocol controllex 12 of the destination remote Xd sends an acknowledgement (ACK) meCsage to the source remote Rs to conclude the in~ormation block transfer and resets the various registers. I~, on the other hand, either the data block DBA~ or DBB0 on line CL~ fail the header and data ~rame C~C checks or these two data bloc~s fail the. bit-by-bit comparison check, the communication protrocol controller 12 sets the 'first-attempt fail' flag and xeturns to ~he start of the procedure ~o determine that the 'line 0 first' flag and the 'first-attempt' fail flag are present. The communi-cation protocol controller 12 then uses the stored data blocks DBAl and DBBl from line CLl (which data blocks were previously stored in ~IFO SO). The header block and data block of the data blocks DBAl and DBBl from linP. CLl undergo the CRC
check and, if successful, cause the incrementing of the 'good message' register to oause the communication protocol controller 12 to then check the validity of the second data block DBBl. If the data blocks DB~l and DBBl pass the CRC checks, they are compared with one another in a bit-by-bit comparison test and if this comparison check is successful, an acknowledgement (ACK) is sent. If, on the other hand, either data bloek DBAl or DBBl does not pass the CRC check or the data blocks do no~ pass the bit-by-bit comparison test, a non-acknowledgement (NAK) is sent to the source remote RS including information requesting the xetransmission of the data blocks which failed the valldity test at the destination remote Rd. The source remote RS then retransmits the improperly received information bloeks as described above with retransmission limited to a finite numbex.
A register is provided for each of the commt~ication links for recording, in a cumulative manner, the number of times an invalid message is received for each communication link. In this manner, it can be determined, on a statistical basis, whether one of the two communication links has suffered a deterioration in signal transmission capability and, of course, whether one of thP communication links is severed.
As can be appreciated, the dual transmission of the identica~ messages on plural communication links vastly enhances the ability of the destination remote Rd to de~e~t errors and determine whether the information heing.transmitted is valid or not. In addition, the destination remote Rd is able to opexate and successfully receive messages e~en if one of the communication links CL~ or CLl is severed since the communication protocol controller 12 at the destination Rd will examine the received signals on each line and will find invalid data on the severed line, but will always examine the data blocks on the other line and, if necessary, request retransmission of the information blocks.
In selecting one of the two channels CH~ or CHl for the first validity check, it is preferred tha~ one of the two channels (e.g., CH0) be selected fox the first check on every other information transaction and that the other of the two channels ~e.s., CHl) be selected for the first check for the other intermediate information transactions. ~nile the system has been disclosed as having dual communication links CL~ and CLl, the invention is not so limited and can encompass more than two communication links with the remotes adapted to sequentially examine signals received on the various channels.
As mentioned above, each remote R~ of the control system is adapted to accept and then relinquish supervisory control of the communication link CL on a master-for-the-moment or revolving master arrangement. The communication protocol controller 12 o each remote Rn includes a register which contains the remote succession nu~ber, another register which contains the total number of remotes in the system, and another register which contains the relative position of the remote from the present system master. The first two registers are schematically illustrated by ~he reference character 60 in ~IG. 4. In addition, each remote Rn includes a variable transfer-monitor timer having a time-out interval that i5 set in accordance with a pxedetermined control~tra~sfer time constant (50 micro-seconds in the preferred embodimen~) and the position of th~
s~
particular remote relative to the present system master to permit, as explained in more detail below, the master-for-the-moment transfer to continue even in the event of a disabled remote (that is, a remote that is unable to accept supervisory control because of a malfunction).
Another timer is provided to force transfer of supervisory control of the communications link CL in the event a remote, because of a malfunction, is unable to transfer supervisory control to iks next successive remote. The operation of the master-fox-the-moment transfex technique can be appreciated by consideration of the following example of an illustrative system that includes five remotes arranged in the open loop configuration of FIG. 1 and t.ransferring supervisory control of the communications link CL in accordance with the tables of FIGS. lOA-lOF. The upper row of each table indicates the successisn sequence or order of the five ~emotes Ror Rl, R2, R3 and R4 tha~
comprise the system; the intermediate row identifies the remote that is the present master-for-the-moment and also identifies the relative successive position of the other remotes from the present master, that is, the first (or next) successive remote from the present master, the second successive remote from the present master, the third remote from the present master, etc.; and the third row of each table lists the setting of the variable transfer-monitor timer for the particular remote.
s~
The system is provided with initialization software so that the first remote in the succession, Ro~
assumes supervisory control of the communication link CL after system start-up and becomes the initial master of the system (FIG. lOA). When the i~itial master Ro is in control of the communications link C~, it can send data to any of the other remotes, request status or other data from another remote, and send control blocks and the like over the communications link CL. When the master Ro determines that it no longer desires possession of the co~m~ications link CL, it passes supervisory control of the communications link CL to the nex or first successive remote in accordance with the succession order. Thus, when the present master Ro concludes its in~ormation transfer transactions, it transfers supervisory control of the communications link CL to its next or first successive remote Rl by transmitti~g a control block to the remote R
with all the remaining remotes (that is, R2, R3, R4) being cognizant o~ the transfer o~ supervisory cont.rol from the present master Ro to its firs~ or next successive remote Rl Since, in the present system, the transfer of super~isory control of the communications link CL is expected to take place within 50 micro-seconds, tha second successive remote R2, as shown in the third row of the table of FIG. lOB, sets its variable ~ransfer-monitor timer to 50 micro-se~onds, the third successive remote R3 sets its variable transfer~monitor timer to 100 micro-seconds, - 28 ~
and the fourth successive remote R4 sets it transfer-monitor timer to 150 micro-seconds. When the first successive remote R1 receives the control block fro~ the present master Ror it accepts supervisory control of the co~unication~ link CL by responding with an acknowledgement message (AC~). If the control block is misreceived, the first successive remote Rl can respond with a non-ac~nowledgement (NAK) to request retransmission of the control block transferring supervisory control o the communications link CL. During the time interval that the present master remote Ro is attempting to transfer supervisory control of the communi-cation link CL to its next successive remote Rl, the transfer-monitor timexs of the remaining remotes are couIIting down. I~, for any reason, the next or first successive remote Rl fails to take control (e.g., a malfunction of the remote), the transfer-monitor timer of the second successlve remote R2 will time-out at 50 micro-seconds and cause the second successive remote R2 to then accept supervisory contxol of the communication link CL
from the present master R~ and thus bypass the apparently malfunctioning first successive remote Rl.
Aassuming that the initial system mas~er Ro successively transfers supervisory control of the communi-catins link CL to its first successive remote Rl, that successive remote Rl then becomes the present master with the remaining remotes changing their position relative ts the present master and setting their transfer-monitor tim~rs in accordance with the second and third rows of the table of FIG. lOB. When the present master Rl concludes its ~ 29 -~25;~
information transfer transactions, if any, it attempts to transfex supervisory control to its first or next successive remote R2 by sending an appropriate control block to remote ~2 which responds with an acknowledgement signal (ACK) or, in the event of a mistransmission of the control block, a non-ack~owledgement signal (N~X) which causes re-transmission of the control block. When the control block requesting transfer of supervisory con~rol of the communi-cation link CL is sent from the present master Rl to its next successive remote R2, all the remaining remotes reset their transfe.r-monitor timers in accordance with their position relative to the present remote as shown in the third row of the table of FIG. lOC. Should the next successive remote R2 be unable to accept supervisory control of the communication link CL from the present master Rl, the transfer-monitor timer of the second successive remote R3 will time-out in 50 micro-seconds and cause the second successi~e remote R3 to assume supervisory control of the communiations link CL to thereby bypass an apparently malfunctioning first successive remote R2. As can be appreciated from a review o the transfer-monitor time-out settings of the various remotes, supervisory control of the communications link CL will transfer even if one or more successive xemotes are malfunctioning, when the txansfer-monltor timer of the next operable remo~e times outO This transfer sequence continues in succession as shown in the remaining tables of FIGS. lOD to lOF with supervisory control of the communication link CL being passed from remote to remote in succession with ~he last remote R~
returning supervisory control to the first remote Ro~
By employing a master-for-the-moment transfer technique in which the rece~ving remote acknowledge~
control from the trans~erring remQts and in which re-transmission of a mis-received control block is provided ror in response ~o a non-acknowledgement slgnal from the receiving remote, it is po~sible to positively transfe.r supervisory control of the commu~icativn link~ This technique advantageou~ly transfer~ co~trol using the data and information carry~ng communicatio~ link rather 1o than, as in other systems, by providing ~eparate communi-cation lines or channel~ dedicated solely to supervisory control transfer functions. Also~ the provi~ion of a variable transer-monitor timer at each remote that is set in accordance with the remote's relative position to the present master and a trans~er time-constant automatically transfer~ supervisory control of the com~unications llnk even if one or more o~ the succe~iv~ remotes are mal-functioning r The architecture of a redundant remQte (R4 and ~0 R~ in FIG . 1), a~ shown in ~IG. 11 , is essentially ~he sama as that of a primary remote except that it ha~ no i~pu~/
output devices as~igned to lt. Each redundan~ remote functions to take over control re~pon~ibility of a controlled device from a primary remot~ in the ev~nt the primary remot~ malunction~.
25~1 In each primary remote, preassigned memory locations are designated to act as a 'mailbox' register for that remote. Each time the centra] processing unit 16 of the primary remote cycles through its applications program, in which it responds to and controls the input/
output devices of the remote via the input/output management device 14, it stores a predetermined number in its ~ailbox.
Each time the processor 14A of the input/output man~gement device 14 cycles through its program, it decrements the number stored in the mailbox. The time for the CPU 16 to cycle through its program and for the input/output management device 14 to cycle through its program is approximately 1:1 so that the number stored in the mailbox will be maintained at or near the predetermined value set by the applications program of the CPU 16 unless the CPU 16 ceases to cycle through its applicati.ons program, Should this happen, the number stored in the mailbox memory 18 will be decxemented by the input/output management device 14 until it reaches a zero value.
Each time a redunda~t remote which is serving as a back up for its associated primary remotes takes its turn in the master-for-the-moment sequence described above, the ~edundant remote will request and obtain the value of the number in the mailbox of its assigned primary remotes.
If the number in the mailbox is not zero, the xedundant remote will know that the central processing unit 16 in the so-queried primary remote is carrying out its applications program and has not gone into an emergency mo~e of operation or otherwise ceased to operate. If t~e redund2nt remote detects that the number in the mailbox for one of its asslgned primary remotes is zero, then the redundant remote will determine that the central processing unit 16 of the zero-mailbox remote i5 not carrying out the applications program and, in response to this determination, the redundant remote will first attempt to restart the applications program in the central processing unit 16 of the pximary remote. If it fails to successfully restart the applications program, the redundanc remote will carry out the applications program for the failed remote. In carrying out the applications program, the redundant remote will respond to the inpu~
devices and control the output devices assigned to the .ailed primary remote by sending commands and receiving data from the failed remote over the communications link CL.
The redundant remote, in addition to checking the status of its assigned primary remotes for which the redundant remote serves as a back-up, also must maintain an up~to-date record of the status of the applic~tions program in each of these assigned primary remotes. The redundant remote checks the status of the mailbox and gets the current applications program status from each of ~he primary remotes by sending requests for information over the communications link CL when the redundant remote tak~s its turn in the master~for-the-moment sequence as descxibed above.
The operation of the redundant remote in carrying out its function as a back-up for the primary remotes will be more fully understood with reference to FIGS. llA and llB
which illustrate a flow chart of the program in the redundant remote R4 (FIG. l), which serves as a back-up for its assigned prima~ remotes Rl, R2, and R3. The other redundant remote R8 Will have the same program except that it will be applied to its as~igned remotes R5, R6, and R7.
As shown in FIGS. llA, after the program in the redundant remote R4 is started, it enters into a decision instruction sequence lOl to check the status of remote Rl. As explained above, it does this by sending a request for information over the communications link CL to remote Rl asking for the current number in the mailbox of remote Rl. It then determines whether this number is greater than zero. If the nu~er is greater than zero, the status of remote Rl is determined to be operating and the program of the redundant remote R4 advances to instruction step 103 in which i.t resets a ~ail 1ag for Rl to 'off' and then enters subroutine 105, in which the current applications program status in remote Rl is obtained. This means that the redundant remote R4 requests and obtains the current status of the input and output devices in remote Rl and the current status of the timers and the counters and the flags being used in the applications program of remote Rl. In other ~ 34 -words, in subroutine 105, all of the information that would be needed for the redundant remote R~ to take over the applications program is obtained from remote Rl.
This informat.ion is obtained by sending requests for data and receiving data back over the communications link CL.
Following the obtaining of the current appli-cations program status of remote Rl, the redundant xemote R4 program proceeds to decision instruction sequence 107, in which the status of remote R2 is chec~ed in the same manner that was done with respect to Rl. If the status of remote R2 is operating, the program advances to instrNction step 109, in which the program sets a fail flag for remote R2 and then proceeds into subroutine 111, in which the status of the applications program for remote R2 is obtained in the same manner as for Rl in sub-routine 105. The program then proceeds into a decision instruction sequence 113 to chec~ the status o~ remote R3. If the status of remote R3 is operating, then the program resets the fail flag or remote R3 in instruct,ior-step 115 and proceeds into subroutine 117 to obtain the applications program status for remote R3 in the same manner as Lor Rl ln subroutine 105O Following subrou~ine 111, the program returns again to decision instruc~ion sequence 101 to check the status of remote Rl and the process cyclically repeats.
If in decision instruction sequence 101, the program determines that the status Rl is not operating as indicated by the number in the mailbc,x of the remote Rl, being zero, the program then advances to decision instruction sequence 119, in which the program dete~mines if the fail flag for Rl is 'on' or 'off'. If the fail flag is 'off', the
transmitting digital information in blocks of predetermined format which blocks include an error detecting code word.
At least one other stored-program controlled means is provided for receiving digital information in the block format and it is adapted to test the validity of the re-ceived block using the error detecting code word. Plural independent communication channels are connected to and extend between the first-mentioned and the second-mentioned stored-program controlled means for transferring inform-ation blocks therebetween. The second-mentioned stored-program controlled means has validity testing means for selecting a one of the plural communication channels and testing the validity of the block received thereon and for selecting another of the plural communications channels and testing the validity of the block received on the other communication channel when the block received on the first-selected communication channel fails its validity test.
The invention in this divisional applica-tion also comprehends a system for controlling an industrial process, which system includes a plurality of process controlling remotes each connected by a common communicat-ions link, the system including at least one process controlling remote for transmitting process control inform-ation in digital form, the information arranged in groups of predetermined format with each of the information groups including an error détecting code word. At least one other process controlling remote is provided for receiving process control information in the information group format and testing the validity of the received blocks based on the error detecting code. The communication link inter-connecting the first-mentioned and the second-mentioned remotes includes a'c least two independent communication channels, the first-mentioned remote transmitting an identical information group on each of the communication channels, the second-mentioned remote operable to select a one of the communication channels and evaluate the valid-ity of the received inEormation group and select the other of the communication channel.s when the received inform-ation group on the first-selected communication channel fails its validity test.
A still further aspect of the invention in this divisional application pertains to a method for-transfer-ring digi-tal information formatted in predetermined blocks between an inEormation transmitting device and an inter-connected information receiving device, the method comp-rising the steps of transmitting iden-tical information blocks from a transmitter over plural independent communi-cation channels to a receiver, receiving and storing the received information blocks at the receiver, selecting the information block received on one of the plural com-munication channels and testing the validity thereof, selecting the information block received on the other of the communication channels and testing the validi-ty thereof in the event the first-selected information block fails its validity check, and re~uesting retransmission of the information blocks in the event both the first-selected and the second-selected information blocks fail their validity test.
More particularly disclosed is a control system for controlling an industrial process including a plurality of remote process control units Rn (remotes) connected to various controlled devices and sensors arld communicat-ing with one another through a communicatlons link having at least two independent communication channels. Each remote is assigned a unique succession number or position in a predetermined succession order with each remote unit assuming supervisory communication control of the com-munications link on a revolving or master for the moment basis in accordance with the remote's relative position in the succession order. Information transfer including process data and command control information is accomplished between a source re~mote Rs and a des-tination remote Rd by successively trans-mitting two identical information blocks o~er each communicat-ion channel with the de~stina-tion remote Rd testing the validity of the blocks on one of the channels and, if valid, responding with an acknowledgement signal (ACK), and, if invalid, then -testing the validity of the two blocks received on the other, alternate channel. An acknowledgement (ACK) or a non-acknowledgement signal (NAK) is sent by the destination remote Rd if the informat-ion on the alternate channel is found, respectively, valid or invalid. The source remote Rs will retransmit the information blocks in response to a non-acknowledgement signal from a destination remote with the re-transmission from -the source remote Rs limited to a predetermined, finite number.
Such a control system provides a means for controlling an industrial process in which high overall system operating reliability is achieved. The system is equally suitable for use with central (master/slave), distributed, and hybrid system configurationsO
2~
BRIE:F DESCRIPTION OF THE DRAWINGS
The above description, as well as the asL~ects, features, and advantages of the present invention will be more fully appreciated by reference to the following detailed description of a presently prefe.red but none-theless illustrative embodiment in accordance with the present invention when taken in connection with the accompanying drawings wherein:
FIG. 1 is a schematic diagram of an exemplary process contxol system including a plurality of remote process control units (remotes), includin~ both primary con-trol remotes and redunda~t remotes, connected to a co~non, d~al-channel co~nunications link;
FIG. 2 .is a schematic block diagram of an exemplary remote process control unit of the type shown i~ FIG. l;
FIG. 3 is a schematic block diagram of an exemplary modulator/demod~lator (MODEM) for the re~lote process control unit shown in FIG. 2;
FIG. 4 is a schematic block diagram of an exemplary co~nunication protocol controller ror the remote process urit shown in FIG. 2;
FIG. 4A i5 a schemat-.c block diagram of an exemplary input/output management device for the remote ~roces~ control unit shown in FIG. 2;
FIG. 4B is a flow dlagram illustrating the .anner in which the change-in-status ~venis of the controlled devices of FIG. 1 are detected by the input/
output management device of FIG. 4A;
FIG. 5 illustrates the format of an exemplary or illustrative information block for transferring infonnation between remotes;
FIG. 5A illustrates the format of a header frame of the information block shown in FIG. 5;
FIG. SB illustrates the forma-t for a data/
information rrame of the information block shown in FIG. S, FIG. 5C illustrates the format ~or an ac~nowledgement block (ACK) for acknowledging successful receipt of an information block;
FIG. 5~ illustrates the format for a non-acknowledgement block (NAK) for indicating the unsuccassful trans.~ission of an information bloc~ betweer.
remotes;
FIG. 6 illustrates, in pictorial form, two identical data b~ocks having the format sho~n in FIG. 5 successively transmitted on each communication chanrel of the com~unication link illustrated in FIG. 1;
FIG. 7 is a flow diagram summa-y of the manner in which a source and a destination remote effect communi~
cations with one another;
FIG. 8A is a partial flow diagram illust~ating in detail the manner in which a sourc~ and a destination remote communicate and validate information transferred be~ween one another;
FIG. 8B is a partial flow diagram wh.ich com-pletes the flow diagram of FIG. 8A and illustrates in detail the manner in which a source and a destination remote communicate and validate infor~ation transferreZ
bet~een one another;
FIG. 9 is a legend illustrating the manner in the flow diagrams of FI~. 8A and FIG. 8B are to be read;
FIGS. lOA through lOF are exernplary tables illustrating the manner in which supervisory control of the communication link is transferred from remote to remote;
FIG. 11 is a schematic block diagram of an e~emplary redundant remote that is adapted to assume control from a failed or otherwise inoperative primar~ remote;
FIGS. llA and llB are flow dia~rams of the manner in which the central processing unit of the redundant remote R4 monitors the operating condition of its assigned primary remotes Rl, R2, and R3 and takes ove.r operation when one of the primary remotes fails;
FIG. 12 is a flow diagram summary of the manner by which an interrogating remote Rx tests the integrity of the communication link between it and the remotes Rx 1 and RX~l immediately adjacent thereto in the succession order;
FIG. 12A is a partial flow diagram illustra-ting in detail the manner by which an interrogating remote R~
tests the communications integrity of the communications link between lt and the next lower number remo~e Rx 1 in the succession order;
FIG, 12B is a partial flow diagram illustrating in detail the manner in which an interrogating remote Rx tests the communiations integrity of the communications link between it and the next highex number remote RX+1 in the succe~sion order;
FIG. l~C is a partial flow diagram illus~rating in detail the manner by which a line termination impedance is applied to the communications link in the event of a communications link degradation or interruption;
~2~
FIG. 13 is a legend illustrating the manner in which the flow diagrams of FIGS. 12A, 12B, and 12C are to be read; and FIG. 14 is an exemplary table illustrating the status of various counters when an interrogating remote Rx is evaluating the integrity of the communications link in accordance with the flow diagram shown in FIG. 12A.
DESCRIPTION OF THE PREFERRED EMBODIMENT
An industrial control system in accordance with the present invention is shown in schematic form in FIG. 1 and includes a communications link CL (C-link) having a plurality of remotely located process control units (remotes) Rl, R2,...R7, R8 connected thereto with the eight remotes (Rl-R8) shown being exemplary; it being understood that the system is designed to be used with a much larger number of remotes. Of the eight remctes illustrated, the remotes Rl-R3 and R5-R7 are 'primary' remotes and the remotes R4 and R~ are 'redundant' remotes~ The communications link CL is shown as an open line, double channel con.~iguration formed ~rom ~o dual coax, dual twisted pair, or the like with the individual co~munication links identi~ied, respectively, by the reference characters G~ and CLl. While the system configuration shown in FIG. 1 is a distributed open loop or shared global bus type, the invention is equally suitable for application to central systems or central/
distributed hybrid configura~ions. The system of FIG. l is adapted for use in controlling an industrial process, e.g., ~he operation of a power generating plan~, with each primary remote unit Rl-R3 and R5-R7 connected ~o one or more associated or coxresponding input/output de~ices I/O
I/03 and I/05-I/07, respectively. Each input/output device is, in turnl connected to an associated controlled device CDl-CD3 and CD5-CD7 (o which only CD6 and CD7 are illustrated in FIG. 1) such as, but not limited to, various types of sensors (tempera-ture, pressure, position, and motion sensors, etc~) and various types of actuators lmotors, pumps, compressors, valves, solenoids, and relays, etc.).
Each primary remote may control a large number of output devices and respond to a large number of input devices, and the blocks labeled I/O in FIG. 1 can each represent many input and output devices.
The redundant remote R4 monitors the operation of primary remotes R1, R2, and R3; and the redundant remote R8 monitors the operation of primary remotes R5, R6, and R7. Should any one of the remotes Rl R2, and R3 fail, the failure will be detected by the remote R4 in a manner to be described and the remote R4 will take over control of the input and output devices of the failed remote by receiving the data from -the failed remote over the communications link CL and sending commands to the failed remote over the co~nunications link CL in formated inEormation blocks. Similarly, if one of the remotes R5, R6, or R7 fai:Ls, the redundant remote R8 will take over control of the operatlon of the input/ou-tput devices for the failed remo~e as described above withrespect to redundant remote R4. Although only eight remotes have been shown in Figure 1, any number of remotes Rl, R2, R3, ...... Rn 1~ Rn could be utilized in a particular system.
The architecture of an exemplary remote Rn is shown in FIG. 2. While the architecture of the remote Rn can vary depending upon the control process require-ments, the remote shown in FIG. 2 includes a modem 10; a communication protocol controller 12; an input/outpu-t management device 14; a central processing unit ~CPU) 16;
%~
a memory 18; a peripheral device 20 that can include, e.g., a CRT display, a printer, or a keyboardi and a co~non bus 22 which provides addressing, control, and information transfer between the various devices which constitute the remote. The devices shown in dotted line illustration in FIG. 2 (that is, the central processing unit 16, the memory 18, and the peripheral device 20) are provided depending upon the process control require-ments for the remote Rn. For example, in those primary remotes Rn which f~mction as an elemental wire replacer, only the modem 10, the communication protocol controller 12, and the input/output management device 14 are pro-vided. In more complex process control requirements, an appropriately programmed central processing unit 16 and associated memory 18 are pxovided to effect active con-trol according to a resident firmware program. In still other remotes requiring a human interface, the appropriate peripheral device(s) 20 may be connected to the common buss 22.
As shown in more detail in FIG. 3, the modem 10 provides two independent communication channels CH~ and CHl connected, respectively, to the communication links CL~ and CLl. Each of the communication channels C~
and CHl is provided with substantially identical communi-cation devices, and a description o the communication devices of the first communication channel CH0 is sufficient to provide an understanding of the second communication channel CHl. The communication channel CH~ includes an encoder/decoder 240 for providing appropriate modulation and demodulation of the digital data trans-mitted to and received from the communication link CL~.
In the preferred form, the encoder/decoder 240 converts digital information in non-return-to-zero binary (NRZ) format to base-band modulation (BB.~) signal format for transmission and effects the converse for reception.
.~mplifiers 260 and 28~ are pro~ided, respectively, to drive a passive coupling transformer T0 with digital information provided from the encoder/decoder 24~ from the coupling transformer T0. A set of selectively operable relay contacts 30~ are provided between the coupling transformer T0 and the corresponding communication link CL~ to effect selective intexruption thereof to isolate the remote Rn from the communications link CL, and another set of relay contacts 32~ are provided to selectively connect the signal output of the coupling transformer T~ with a termination impedance Z~. The termination impedance Z~ is used when the particular remote Rn is at the end of the communication link CL to provide proper line termination impedance for the link, or, as described in more detail below, to assist in terminating an open or degraded portion of the communi-sations link CL.
A selectively operable loop-back circuit 34 is provided to permit looping back or recirculation of test data during diagnostic checking of the remote Rn. While not specifically shown in FIG. 3, the loop-back circuit 34 can take the form of a double pole, single throw relay that effects connection between the channels CH~ and CHl in response to a loop-back command signal 'L3'. 3uring the diagnostic checking of a remote, which checking takes place when a par~icular remote is a master-for-the-moment as explained below, the relay contacts of the loop-back f~2~
circuit 34 are closed and a predetermined test word is sent from the channel CH~ to the channel CHl a~d from the channel CHl to the channel CH~ with the received word in each case being checked against the original test word to verify the transmit/recei~e integrity of the particular remote.
The isolation relays 30~ and 311, the impedance termination relays 320 and 321, and the loop~b~ck circuit 34 are connected to and selectively controlled by a communications link control device 38 which receives its communication and control signals from the communications protrocol controller 12 described more fully below. A
watch-dog timer 40 is provided tc cause the C-link control device 38 to operate the isolation relays 30~ and 301 to disconnect the remote Rn from the communication link CL in the event the timer 40 times-out. I'he timer 40 is normally prevented from timing out by periodic reset signals provided from the com~unication protocol controller 12. In this way, a remote Rn is automatically disconnected from the comm-mication link CL in the event of a failure of its comm~nication protocol controller 12.
As shown in more detail in ~IG. 4, each communi-cation protocol controller 12 includes input~output ports 42~ 44, and 46 which interface with the above described modem 10 for the coi~munication channels CH~ and CHl and the modem C-link control device 38 (FIG. 3). A first-in first-out (FIFO) serializer 48 and another first-in first-out serializer 50 are connected be-tween the input/output ports 42 and 44 and a CPU signal processor 52. The first-in first-out serializers 48 and 50 function as temporary stores for storing inform2tion blocks provided to and from the modems 10 as described more fully below. The CPU 52, in turn, interfaces with the buss 22 through buss control latches 54. A read only memory (ROM) 56 containing a resident firmware program for the CPU 52 and a random access memory (R~) 58 are provided to permit the CPU 52 to effect its communication protocol function as described more fully below. Timers 62 and a register 60 (for example, a manually operable DIP switch register or a hardwired jumper-type register) that includes registers 60a and 60b are also provided to assist the CPU 52 in performing its communication proto-col operation. An excess transmission detector 64, connected to input/output ports 42 and 44 (corresponding to communication channels CH0 and CHl) determines when the transmission period is in excess of a predetermined limit to cause the C-link control device 38 (FIG. 3) to di.sconnect the transmitting remote from the communications link CL and thereby prevent a remote that is trapped in a transmission mode from monopolizing the communications link CL.
The input/output management device 14, the architecture of which is shown in FIG. 4A, is preferably a fi~mware controlled microprocessor-based device which - 14 ~
is adapted to scan the various input/output hardware points of the controlled device, effect a point-by-point status comparison with a prior scan, and record the change-in-status events along with the direction of the change and the time the event occurred (ti~e-tagging), effect data collection and distribution to and from the input/output points, format the collected data in preferred patterns, and assemble the patterned data in selected sequences.
~s shown in FIG. 4A, the input/output management device 14 includes a processor 14A connected to the remote buss 22 through a processor buss 14B; read-only-memories 14C and 14D connected to the processor 14A
through appropriate connections with these memories in-cluding the firmware necessary to effect the above-described functions of the input/output managemen-t device 14 including the change~in-status event monitoring (described in more detall below); a read/write memory 14E (RAM) for temporarily storing information incident co the operation of the processor 14A including the change-in-status event inforrnation; a time base 14F for providing time information for time tagging the change-in-status events; and an input/output interface 14G for connection, either directly or indirectly, to the controlled devices.
In the preferred ernbodiment, the input/output interface 14G is defined by one or more printed circuit control cards generally arranged in rack formation with each card having hardware points arranged in predetermined sets of eight polnts with each hardware point carrying a binary indica~ion for controlling or sensing the operation of the controlled device. The control and operational status of the controlled device can generally be represented by one or more eight-bit words (e.g., 00010001) with each bit position representing a control or operational characteristic of the controlled device.
As described in further detail below in connection with FIG. 4B, the input/output management device 14 effects the aforedescribed change-in-status monitoring and associated time-tagging by periodically scanning the input/output hard-ware points in eight-bit groups and effecting a comparison between the so-obtained eight-bit group and the eight-bit group obtained during the previous scan. If a change is detected in one or more of the bit positions, the latest eight-bit group, along with the time-of-day information obtained from the time base 14F, and other information, if desired, representing the direction of change, is placed in a first-in first-discard memory ~FIFO) of predetermined size. Thus, each change-of-status event along with its time tag and other information such as direction of change, etc. is placed in a memory of selec~ed size as the changes occur. When all the memory locations are filled, the first entered event (which now represents the oldest chronological event) is discarded as the latest event enters the memory. The memory loading is inhibited by the occurrence of any one of a selected number of inhlbit signals. In the system, ~arious con-ditions including alarm conditions which represent partial or full system failures can be assigned a priority with - 16 ~
~hose conditions or combinations thereof designated as "high" priority signals being pexmitted to disable or inhibit further accessing of the memory. In the event one or these high priority conditions occurs, the memory is inhibited from storing additional change-in-s-tatus information and the change~in-status events occurring prior to the high priority condition are preserved for subsequent analysis. Alarm conditions which are not designated as high priority, of course, do not inhibit the memory. This technique advantageously differs from those prior techniques in which the controlled device status was only placed in memory at the moment of a high priority signal (in which case a historical pre-failure racord-of-events was not available) or those techniques in which the change-in-status events were logged in a memory which was periodically cleared, refilled, and cleared in which case the probability of obtaining a complete histor~ of events prior to a predetermined high priority condition diminished in those instances in which the logging memory was cleared just prior to the occurrence of the high priority condition.
The manner by which the input/output management device 14 effects the change-of-status event logging is shown in FIG. 4B. During initialization, the processor 14B (referred to also as the RTZ in FIG. 4B) moves an image of the various input/output points, that is, the current status of the various input/output hardware points~ to preassigned locations in the memory 14E (local) of the input/output management device 14 and the memory 13 (system) of the remote Rn (FIG. 2).
Thereafter, the address(s) of the first input/output card is obtained and the input/output hardware points for that card are scanned to obtain an input/output image which takes the form of an eight-bit word (e.g., 00000000) with each bit position representing the control or operational status of the controlled device. The input/output points so obtained are then compared with the previously obtained image of the points (e.g., 00100000), for example, by effecting a bit-by-bit exclusive OR (XOR) comparison~ If the comparison indicates no change in status, (that is, the words are identical) the input/output points in the remaining cards are likewlse scanned with the process repeated on a cyclic or looped basis. However, if a change is detected in the exclusive OR comparison, that new input/output scan, along with the time tag information and the direction of change is placed in the memory 18 of the remote Rn, and, in addition, the latest scan is moved to the memroy 14E
of the input/output manaqement device. This process continues with each new change-in-status event loaded into the memory 18 o the remote on a first-in first-discarded basis. The first-i.n first discard memory may be configured by assigning a preselected number of memory locations in the memory 18 of the remote Rn (e.g., fifty locations) for the logging information and providing an address pointer that points to each successive location in a serial manner with the pointer returning to the first location after pointing at the last available pre-assigned location in the memory.
In the preferred embodiment, the processor 14A of the input/output management device 14 (FIG. 4A) and the processor 52 tFIG. 4) of the communication protocol controller 12 is 8X300 micro-controller manufactured by the Siqnetics Company of Sunnyvale, ~alifornia, and the central proce~si~g unit 16 (FIG. 2) is an 86/12 singLe board 16-bit micro-computer manu-factured by the ~ntel Company of Santa Clara, California and adapted to and configured for the ~ntel MULTIBUSIM
Each remote R~ s adapted to communicate with the other by transitting digital data organized in pre-determined block formats. A sultable and illu~trative bloc~ format 66 is shown in F~G. 5 and includes a multi-word header frame 66A, a multi-word data frame 66B, and a -'~ block termi~ation frame or woxd ~6C. Selected of the information block configuration~ are adap~od to transfer process control information to ~nd from s~lected remo~e ~mits ~n and other of th~ block configur~tions are adapted to transfer supervisory control o~ the communications link CL from one remote to the other remote as explained in greater detail below.
An exemp].ary format ~or the h~ader and data fram~s o~ an lnformation bloc~ 66 is shown, respectively, in FIGS. SA and 5B. The head~r frame 66A preferably 2~ include5 a 'start of h~der' word(s) that indicates to all remotes that informat~on is being transmitted; a 'source' identification word(s) that ind~cates ~h~ identity of the source remote Rs that i~ tran~forring the infor~ation: a 'des~ina~ion' word(s) that indicate~ th~ iden~ify of th~
receiving or destinatio~ r~mote Rd; a 'header-typ~' word(~) that indicates whether the dat~ block i~ tran~erring data, a parametered command block, or ~ param~erlo~ command block;
'block-type' word iodicating the type o~ block ~that is, a command block or a data bloc~ a 'block number' word that - 1 9 ~
2s~
indicates the number of blocks being sent; a 'block size' word indicating the length cf the data framei a 'security code' ~ord~s) that permits alteration of the resident soft-ware programming in a remote; and, finally, a two-byte 'cyclic redundancy code' (CRC) validity word. The data frame fox each data block, as shown in FIG. 5B, can in-clude a plurality o data carrying bytes or words Bl, B2~...Bn f ~ariable length texminated with a two-byte cyclic redundancy ~ode word. As described more fully below, each of the xemotes is adapted to acknowledge (ACX) successful receipt of data and command blocks and non-acknowledge (N~C) the receipt of data in which a trans-mission error is de~ec~ed. When transmitting an acknowledgement block or a non~acknowledgement block, the header format used is shown in FIGS. 5C and 5D in which an acknowledgement (ACK) or non-acknowledgement (NAX) word occupies the 'block type' word position. The block formats disclosed above are intended to be illustrative only and not limiting.
The vaxious remote units Rl, R2, R3,.Rn communi-cate with one another by having eac~ remote successlvely take control of the communications link CL and the controlling remote Rs then sending digital information between itself and a destlnation remote Rd using a double transmission alternate line technique that provides for high reliability data transfer between remotes even when one of the two communication links CL~ or CLl is inoperative, for example, when one of the two communication cables is severed or otherwise degraded as occassionally occurs in harsh industrial environments.
~ 20 -~z~
When a remote unit assumes con~trol of the communi-cation link CL (as explained more fully below) and, as a source remote Rs, desixes to send data blocks to another, destination remote Rd, the data block is assembled at the source remote Rs in accordance with the block formats discussed above in connection with FIGS. 5-5D and trans-mitted through the inormation channels CL0 and CLl of the source xemote Rs to the communication links CL~ and CLl with the header rame containing both the source remote ~5 and the destination remote Rd identification information.
In accordance with the da~a transmission technique, the communication protocol controller 12 of the source remote Rs transmits the information blocks twi~e on each communication link CL0 and C~l as schematically illustrated in FIG. 6 to provide a first data block DBA and then a second, following data block DBB on each communication link C~0 and CLl.
The transmitted informatio~ block headers include the identity o~ the destination remote, Rd, which causes the destination remote Rd to receive and act upon the information blocks. At the destination remote Rd, the two data blocks DBA~ and DBB0 on the communication link CL0 are passed through the communication channel CH0 and the two data blocks DBAl and DBBl on the communication link CLl are passed through the communication channel CHl to, respectively, the first-in firs~-out serializers 48 and 50 (FIG. 4).
As shown in the summary flow diagram of FIG. 7, the destingation remote Rd checks the validity o-f tne received data by selecting one of the two communication links (e.g., CL0 in FIG. 7~ and then checks the first data block on the selected line (that is, DsA~) by perfonning a cyclic redundancy check of the header frame and, if valid, performing a cyclic redundancy check o ~he data rame. I the data fr~ne is valid, the commlmi-cation protocol controller 12 of the destination remote Rd then per~orms a bit-for-bit comparision between the CRC-valid first data block DBA~ and the second following data block DBB~. If the bit~for~bit cornparision is good, an acknowledgement (ACK3 signal s sent from the destination remote Rd to the source remote RS to indicate the receipt of valid information and comple~e that data block information transaction. On the other hand, if the CRC
validity checkq of the header or the data fr~ne or the bit-for-bit comparison check indicate invalid data, the protocol controller 12 o~ the destination remote R~ then selects the other r alternate line (in this case, CLl) and per~onns khe afor~nentioned cyclic redundan~y checks of the header and data frame and the bit-for-bit COInpariSOn between tha first and second data blocks DB~l and DB
on the alternate line CLl. If these checks indicate valid data on the alternate line, the destination remote Rd responds with an acknowledgement signal ~ACK) to conclude the data block txansmission transaction. On the other hand, i~ these chscks indicate invalid data on the alternate line (which means that the data blocks on both the first-selected line and the alternate lina are invalid) ~he destination remo~e Rd responds wikh a non-acknowledyement signal (NAK~ ko cause retransmission of the data blocks from the source remote R5. The non~
acknowledgemenk block (NAK) includes a byte or bytes - 2~ -indicating the identity of the data block or blocks which should be retransmitted. A counter (not shown~ is provided that counts the number of retransmissions from the source remote R5 and, after a finite number of re-transmissions (e~g., four), halts further retransmission to assure that a source remote Rs and a destination remote ~d do not become lost in a repetiti~e transmit/NAK/re-transmit/NAK... sequence in the event of a hardware or sotware failure of the destination remo~e Rd error checking mechanism.
The double message alternate line checking sequence summarized in FIG. 7 may be more fully appreciated by referring to the detailed flow diagram shown in FIGS. 8A
and 8B (as read in accordance with the flow diagram map of FIG. 9). At the start of the information validity checking procedure, the 'line ~-firsk' flag register is checked; if a flag is present, the 'first-attempt fail' flag register is checked, and, if there is no flag in this register, the two data blocks DBAl and DBBl on channel CHl are stored while the two data blocks DBA0 and DBE0 on channel C~ are used for the first attempt in~ormation check.
Thereafter, the header frame of ~he first data block D~A~
on channel CH~ undergoes a CRC check, and, if acceptable, the data frame of this data block DBA~ undergoes a CRC checkO
If the header and data frames CRC checks indicate valid data a 'good message' register is incremented. If ~he number of good messages is less than two, the error checking pr~ceduxe returns to the initial part of the flow diagram and, after ~ 23 -determining there is no channel CH0 first flag or first-attempt flag present, checks the second following data block DBB0 by repeating the header and data CRC cyclic redundancy checksO If the header and data frames pass the CRC checks, the 'good message' register is incremented again to indicate that a total of two messages in succession ~that is, DBA~ and DBB0) have passed the cyclic redundancy check for the header and data frames. Thereafter, the two data blocks DB~0 and DBB~ received on line C~ are checked by performing a bit-by-bit comparision between the two. If ths data blocks DBA~ and DBB~ pass the bit-by-bit comparision test, the communi-cations protocol controllex 12 of the destination remote Xd sends an acknowledgement (ACK) meCsage to the source remote Rs to conclude the in~ormation block transfer and resets the various registers. I~, on the other hand, either the data block DBA~ or DBB0 on line CL~ fail the header and data ~rame C~C checks or these two data bloc~s fail the. bit-by-bit comparison check, the communication protrocol controller 12 sets the 'first-attempt fail' flag and xeturns to ~he start of the procedure ~o determine that the 'line 0 first' flag and the 'first-attempt' fail flag are present. The communi-cation protocol controller 12 then uses the stored data blocks DBAl and DBBl from line CLl (which data blocks were previously stored in ~IFO SO). The header block and data block of the data blocks DBAl and DBBl from linP. CLl undergo the CRC
check and, if successful, cause the incrementing of the 'good message' register to oause the communication protocol controller 12 to then check the validity of the second data block DBBl. If the data blocks DB~l and DBBl pass the CRC checks, they are compared with one another in a bit-by-bit comparison test and if this comparison check is successful, an acknowledgement (ACK) is sent. If, on the other hand, either data bloek DBAl or DBBl does not pass the CRC check or the data blocks do no~ pass the bit-by-bit comparison test, a non-acknowledgement (NAK) is sent to the source remote RS including information requesting the xetransmission of the data blocks which failed the valldity test at the destination remote Rd. The source remote RS then retransmits the improperly received information bloeks as described above with retransmission limited to a finite numbex.
A register is provided for each of the commt~ication links for recording, in a cumulative manner, the number of times an invalid message is received for each communication link. In this manner, it can be determined, on a statistical basis, whether one of the two communication links has suffered a deterioration in signal transmission capability and, of course, whether one of thP communication links is severed.
As can be appreciated, the dual transmission of the identica~ messages on plural communication links vastly enhances the ability of the destination remote Rd to de~e~t errors and determine whether the information heing.transmitted is valid or not. In addition, the destination remote Rd is able to opexate and successfully receive messages e~en if one of the communication links CL~ or CLl is severed since the communication protocol controller 12 at the destination Rd will examine the received signals on each line and will find invalid data on the severed line, but will always examine the data blocks on the other line and, if necessary, request retransmission of the information blocks.
In selecting one of the two channels CH~ or CHl for the first validity check, it is preferred tha~ one of the two channels (e.g., CH0) be selected fox the first check on every other information transaction and that the other of the two channels ~e.s., CHl) be selected for the first check for the other intermediate information transactions. ~nile the system has been disclosed as having dual communication links CL~ and CLl, the invention is not so limited and can encompass more than two communication links with the remotes adapted to sequentially examine signals received on the various channels.
As mentioned above, each remote R~ of the control system is adapted to accept and then relinquish supervisory control of the communication link CL on a master-for-the-moment or revolving master arrangement. The communication protocol controller 12 o each remote Rn includes a register which contains the remote succession nu~ber, another register which contains the total number of remotes in the system, and another register which contains the relative position of the remote from the present system master. The first two registers are schematically illustrated by ~he reference character 60 in ~IG. 4. In addition, each remote Rn includes a variable transfer-monitor timer having a time-out interval that i5 set in accordance with a pxedetermined control~tra~sfer time constant (50 micro-seconds in the preferred embodimen~) and the position of th~
s~
particular remote relative to the present system master to permit, as explained in more detail below, the master-for-the-moment transfer to continue even in the event of a disabled remote (that is, a remote that is unable to accept supervisory control because of a malfunction).
Another timer is provided to force transfer of supervisory control of the communications link CL in the event a remote, because of a malfunction, is unable to transfer supervisory control to iks next successive remote. The operation of the master-fox-the-moment transfex technique can be appreciated by consideration of the following example of an illustrative system that includes five remotes arranged in the open loop configuration of FIG. 1 and t.ransferring supervisory control of the communications link CL in accordance with the tables of FIGS. lOA-lOF. The upper row of each table indicates the successisn sequence or order of the five ~emotes Ror Rl, R2, R3 and R4 tha~
comprise the system; the intermediate row identifies the remote that is the present master-for-the-moment and also identifies the relative successive position of the other remotes from the present master, that is, the first (or next) successive remote from the present master, the second successive remote from the present master, the third remote from the present master, etc.; and the third row of each table lists the setting of the variable transfer-monitor timer for the particular remote.
s~
The system is provided with initialization software so that the first remote in the succession, Ro~
assumes supervisory control of the communication link CL after system start-up and becomes the initial master of the system (FIG. lOA). When the i~itial master Ro is in control of the communications link C~, it can send data to any of the other remotes, request status or other data from another remote, and send control blocks and the like over the communications link CL. When the master Ro determines that it no longer desires possession of the co~m~ications link CL, it passes supervisory control of the communications link CL to the nex or first successive remote in accordance with the succession order. Thus, when the present master Ro concludes its in~ormation transfer transactions, it transfers supervisory control of the communications link CL to its next or first successive remote Rl by transmitti~g a control block to the remote R
with all the remaining remotes (that is, R2, R3, R4) being cognizant o~ the transfer o~ supervisory cont.rol from the present master Ro to its firs~ or next successive remote Rl Since, in the present system, the transfer of super~isory control of the communications link CL is expected to take place within 50 micro-seconds, tha second successive remote R2, as shown in the third row of the table of FIG. lOB, sets its variable ~ransfer-monitor timer to 50 micro-se~onds, the third successive remote R3 sets its variable transfer~monitor timer to 100 micro-seconds, - 28 ~
and the fourth successive remote R4 sets it transfer-monitor timer to 150 micro-seconds. When the first successive remote R1 receives the control block fro~ the present master Ror it accepts supervisory control of the co~unication~ link CL by responding with an acknowledgement message (AC~). If the control block is misreceived, the first successive remote Rl can respond with a non-ac~nowledgement (NAK) to request retransmission of the control block transferring supervisory control o the communications link CL. During the time interval that the present master remote Ro is attempting to transfer supervisory control of the communi-cation link CL to its next successive remote Rl, the transfer-monitor timexs of the remaining remotes are couIIting down. I~, for any reason, the next or first successive remote Rl fails to take control (e.g., a malfunction of the remote), the transfer-monitor timer of the second successlve remote R2 will time-out at 50 micro-seconds and cause the second successive remote R2 to then accept supervisory contxol of the communication link CL
from the present master R~ and thus bypass the apparently malfunctioning first successive remote Rl.
Aassuming that the initial system mas~er Ro successively transfers supervisory control of the communi-catins link CL to its first successive remote Rl, that successive remote Rl then becomes the present master with the remaining remotes changing their position relative ts the present master and setting their transfer-monitor tim~rs in accordance with the second and third rows of the table of FIG. lOB. When the present master Rl concludes its ~ 29 -~25;~
information transfer transactions, if any, it attempts to transfex supervisory control to its first or next successive remote R2 by sending an appropriate control block to remote ~2 which responds with an acknowledgement signal (ACK) or, in the event of a mistransmission of the control block, a non-ack~owledgement signal (N~X) which causes re-transmission of the control block. When the control block requesting transfer of supervisory con~rol of the communi-cation link CL is sent from the present master Rl to its next successive remote R2, all the remaining remotes reset their transfe.r-monitor timers in accordance with their position relative to the present remote as shown in the third row of the table of FIG. lOC. Should the next successive remote R2 be unable to accept supervisory control of the communication link CL from the present master Rl, the transfer-monitor timer of the second successive remote R3 will time-out in 50 micro-seconds and cause the second successi~e remote R3 to assume supervisory control of the communiations link CL to thereby bypass an apparently malfunctioning first successive remote R2. As can be appreciated from a review o the transfer-monitor time-out settings of the various remotes, supervisory control of the communications link CL will transfer even if one or more successive xemotes are malfunctioning, when the txansfer-monltor timer of the next operable remo~e times outO This transfer sequence continues in succession as shown in the remaining tables of FIGS. lOD to lOF with supervisory control of the communication link CL being passed from remote to remote in succession with ~he last remote R~
returning supervisory control to the first remote Ro~
By employing a master-for-the-moment transfer technique in which the rece~ving remote acknowledge~
control from the trans~erring remQts and in which re-transmission of a mis-received control block is provided ror in response ~o a non-acknowledgement slgnal from the receiving remote, it is po~sible to positively transfe.r supervisory control of the commu~icativn link~ This technique advantageou~ly transfer~ co~trol using the data and information carry~ng communicatio~ link rather 1o than, as in other systems, by providing ~eparate communi-cation lines or channel~ dedicated solely to supervisory control transfer functions. Also~ the provi~ion of a variable transer-monitor timer at each remote that is set in accordance with the remote's relative position to the present master and a trans~er time-constant automatically transfer~ supervisory control of the com~unications llnk even if one or more o~ the succe~iv~ remotes are mal-functioning r The architecture of a redundant remQte (R4 and ~0 R~ in FIG . 1), a~ shown in ~IG. 11 , is essentially ~he sama as that of a primary remote except that it ha~ no i~pu~/
output devices as~igned to lt. Each redundan~ remote functions to take over control re~pon~ibility of a controlled device from a primary remot~ in the ev~nt the primary remot~ malunction~.
25~1 In each primary remote, preassigned memory locations are designated to act as a 'mailbox' register for that remote. Each time the centra] processing unit 16 of the primary remote cycles through its applications program, in which it responds to and controls the input/
output devices of the remote via the input/output management device 14, it stores a predetermined number in its ~ailbox.
Each time the processor 14A of the input/output man~gement device 14 cycles through its program, it decrements the number stored in the mailbox. The time for the CPU 16 to cycle through its program and for the input/output management device 14 to cycle through its program is approximately 1:1 so that the number stored in the mailbox will be maintained at or near the predetermined value set by the applications program of the CPU 16 unless the CPU 16 ceases to cycle through its applicati.ons program, Should this happen, the number stored in the mailbox memory 18 will be decxemented by the input/output management device 14 until it reaches a zero value.
Each time a redunda~t remote which is serving as a back up for its associated primary remotes takes its turn in the master-for-the-moment sequence described above, the ~edundant remote will request and obtain the value of the number in the mailbox of its assigned primary remotes.
If the number in the mailbox is not zero, the xedundant remote will know that the central processing unit 16 in the so-queried primary remote is carrying out its applications program and has not gone into an emergency mo~e of operation or otherwise ceased to operate. If t~e redund2nt remote detects that the number in the mailbox for one of its asslgned primary remotes is zero, then the redundant remote will determine that the central processing unit 16 of the zero-mailbox remote i5 not carrying out the applications program and, in response to this determination, the redundant remote will first attempt to restart the applications program in the central processing unit 16 of the pximary remote. If it fails to successfully restart the applications program, the redundanc remote will carry out the applications program for the failed remote. In carrying out the applications program, the redundant remote will respond to the inpu~
devices and control the output devices assigned to the .ailed primary remote by sending commands and receiving data from the failed remote over the communications link CL.
The redundant remote, in addition to checking the status of its assigned primary remotes for which the redundant remote serves as a back-up, also must maintain an up~to-date record of the status of the applic~tions program in each of these assigned primary remotes. The redundant remote checks the status of the mailbox and gets the current applications program status from each of ~he primary remotes by sending requests for information over the communications link CL when the redundant remote tak~s its turn in the master~for-the-moment sequence as descxibed above.
The operation of the redundant remote in carrying out its function as a back-up for the primary remotes will be more fully understood with reference to FIGS. llA and llB
which illustrate a flow chart of the program in the redundant remote R4 (FIG. l), which serves as a back-up for its assigned prima~ remotes Rl, R2, and R3. The other redundant remote R8 Will have the same program except that it will be applied to its as~igned remotes R5, R6, and R7.
As shown in FIGS. llA, after the program in the redundant remote R4 is started, it enters into a decision instruction sequence lOl to check the status of remote Rl. As explained above, it does this by sending a request for information over the communications link CL to remote Rl asking for the current number in the mailbox of remote Rl. It then determines whether this number is greater than zero. If the nu~er is greater than zero, the status of remote Rl is determined to be operating and the program of the redundant remote R4 advances to instruction step 103 in which i.t resets a ~ail 1ag for Rl to 'off' and then enters subroutine 105, in which the current applications program status in remote Rl is obtained. This means that the redundant remote R4 requests and obtains the current status of the input and output devices in remote Rl and the current status of the timers and the counters and the flags being used in the applications program of remote Rl. In other ~ 34 -words, in subroutine 105, all of the information that would be needed for the redundant remote R~ to take over the applications program is obtained from remote Rl.
This informat.ion is obtained by sending requests for data and receiving data back over the communications link CL.
Following the obtaining of the current appli-cations program status of remote Rl, the redundant xemote R4 program proceeds to decision instruction sequence 107, in which the status of remote R2 is chec~ed in the same manner that was done with respect to Rl. If the status of remote R2 is operating, the program advances to instrNction step 109, in which the program sets a fail flag for remote R2 and then proceeds into subroutine 111, in which the status of the applications program for remote R2 is obtained in the same manner as for Rl in sub-routine 105. The program then proceeds into a decision instruction sequence 113 to chec~ the status o~ remote R3. If the status of remote R3 is operating, then the program resets the fail flag or remote R3 in instruct,ior-step 115 and proceeds into subroutine 117 to obtain the applications program status for remote R3 in the same manner as Lor Rl ln subroutine 105O Following subrou~ine 111, the program returns again to decision instruc~ion sequence 101 to check the status of remote Rl and the process cyclically repeats.
If in decision instruction sequence 101, the program determines that the status Rl is not operating as indicated by the number in the mailbc,x of the remote Rl, being zero, the program then advances to decision instruction sequence 119, in which the program dete~mines if the fail flag for Rl is 'on' or 'off'. If the fail flag is 'off', the
- 3~ -program proceeds into instruction se~uence 121, in ~hich the program attempts to restart the applications program for remote Rl. It does this by sending a command ov~or the communications link CL to remote Rl to direct the communications protocol controller 12 (FIG. 2) to attempt a hardwaxe xestart of the applications program.
This is carried out by the communications protocol controller 12 pulling a restart wire to ground in the common buss 22. When this restart wire is pulled to ground, it starts the applications program back through its initialization program and sets all o the flags, timers, and counters just as if power had been turned on. Such a restart is called a hardware restart. Alternatively, the redundant remote R~ could e~fect a software restart in the failed remote. A so~tware restart would merely start the applications program through its initializatlon program with the timers, counters and ~lags left in their present status.
After completing instruc~ion sequence 121, the redundant remote R4 program thén sets the fail flag for remote Rl to 'on' in instruction step 123 and then proceeds into decision instruction sequence 125 to again check the status of remote Rl by checking the number in the mailbox of remote ~1 in the same mannex as in decision instruction sequence 101. If the applica~ions program in remote Rl was successfully started in in~truction sequence 121, the number in the mailbox will not be zero and the program will determine that the status o remote Rl is operating, whereupon the program will jump to decision instruction sequence 107 to check the status of remote R2 as already described.
If the program determines that the status.
of remote Rl is not operating in decision instruction sequence 125, then this means that the attempt to restart the applications program in remote Rl in instruction sequence 121 failed and the redundant remote R4 program then proceeds into instruction sequence 127 to initialize the input/output managemen~ device 14 ~also identified in FIG. llB as 'RTX') in remote Rl to receive instructions and data from the redun~ant remote R4 instead of from the central processing unit 16 in the remote Rl and tG send data on the status of the input and output devices to the redundant remote R4.
If ~he program of the redundant remote R4 determines that the ail flag was 'on' instead of 'off' in decision instruction sequence 119, the redundant remote program would proceed directly into the instruction sequence 127 to initiali.~e the input/output management device 14 of remote Rl to respond to the redundan~ remote R4.
The purpose of thç fail flag which is set to 'on' in instruction step 123 and is reset to 'of' in iIlStrUGtiOIl step 103 is to pre~ent the redundant remote program from getting hung-up in a condition in which it successfully restarts the remote Rl only to ha~e the remote Rl fail again by the time the program of the redundant remote recycles around to checking the mailbox of the remote Rl again in decision instruction sequence 101. If this should happ2n, the fail flag for remote Rl will have been set to 'on' in ins~ruction step 123 after the successful restarting of the s~
applications program. Then, the next time that the ~edundant remote program cycles back to decision instruction sequence 101, and determines that the status of remote Rl is not operating, the fail flag for xemote Rl will be 'on'. Accordingly, the program will jump from decision ins~ruction sequence 119 lnto the instruction sequence 127 to initialize the remote Rl to respond to redundant remote R4. If the next time the redundant remote program recycles back to decision instruction sequence 101 to check the status of Rl, it determines that the status of Rl is operating, the program will then reset the ail flag to 'off' in instruction step 103 so that in subsequent cycles, should the program determine that the remote Rl has again failed, the program will again go into the restart instruction sequence 121 instead o~ immediately jumping to the initialization instruction sequence 127.
After the redundant remote program has compleked th~ initialization instruction sequence 127, it then proceeds to subroutine 129. In this subroutine, the status of the applications program of remote Rl last received by the redundant remote R~, which status is stored in the memory of the redundant remote R4, is loaded into predeterm~ned registers of the memory of the redundant remote R4 in order to carry out the applications program of remote Rl in the redundant remote R4O After this subroutine i5 completed, the program proceeds into instruction sequence 130 and then into the subroutine 131 in which it starts and carries out the applications program. The redundant remote R4 carries out the Rl applications program by receiving data ~rom remote Rl as to the status of the input ana output devices of the remote Rl and sending instructions to remote Rl to direct operation of the input/output management device 14 of the remote Rl. The proyram in the redundant remote R4 will then continue to cycle through the applications program for the remote Rl until it receives a command from the operator to reset it back into its main cycle of checking the status of the remotes Rl, R2, and R3.
Should the redundant remote R4 determine that the status of remote R2 or remote R3 is not operating, it then performs the same program with respect to these remotes as described with respect to remote Rl as is illustrated in FIGS. llA and llB.
The redundant remote R8 will take over the applications program should any of the primary remotes R5-R7 become nonoperative in the same manner as described above with respect to R4 serving as a back-up Eor the primary remotes Rl-R3.
It will be appreciated that the provision of the redundant remotes decreases malfunctioning of the control system due to one of the primary remotes becoming inoperative as a result of failure of the central processing unit 16 of the primary remote. secause each redundant remote serves as a back-up for several primary remotes, the cost of providing the redundancy is signi~icantly reduced. Because the redundant remotes are themselves each a remote control unit which takes its turn in the master-for-a-moment sequence communicating with the other remotes over the dual channel communications link, the redundant remotes can be provided in the system very inexpensively.
Eacn remote Rn, as described above, is provided with termina~ion impedances Z~ and Zl for the first and second communication channels CH~ and CH1 (FIG. 3) and a line termination relay 32~ and 321 under the control of the communications link control device 38. The termination impedances are connected across each channel of the communi-cations link when the particular remote is the first or the last remote in the system (e.g., Rl and R8 in FIG. 1) to establish proper line termination impedance to prevent signal level degradation and the presence of reflected signals, both conditions which can adversely affect the performance of the system. The tenminatiGn impedances Z0 and Zl are also applied across the appxopriate communi-cations channels when a remote determines, as described below, that the communications link C~ between it and its ~mmediately adjacent higher or lower number remote is severed or sufficiently degraded that reliable data transmission cannot be maintained therebetween. The determination as to communications link degradation can be made b~ providing each remote with a register for each communications channel that records, in a cumulative manner, the number of invalid messages received from ~he immediately adjacent remote(s) and terminate one or both of the communications link C~ and CLl in the direction of -the remote from which the number of invalid messases xeceived exceeds a threshhold value. More preferably, however, each remote is provied with an active testing diagnostic routine to ena~le it to test the communication integrity of the communications link between it and its immediately adjacent remote~s) in accordance with the flow diagrams illustrated in FIGS. 12, 12A, 13B and 12C as read in accordance with FIG. 13 and the table of FIG. 14.
The flow diagram illustrated in FIG. 12 is a summary of the manner by which each remote is capable of testing the communication integrity of the communications link CL between it and its immediate adjacent remote or remotes and terminating one or both of the communications links, CL~ and CLl, when a degraded or interrupted line condition is detected. As shown in FIG. 12, the remote Rx is initialized and then, in sequence, tests the communi-cations integrity of tha communications link CL~ in the downstream direction between it and its immediately adjacent lower number remote (that is, R~ 1) and then tests the communication integrity o~ the communications link CTl in the downstream direction with the same remote. If either the communications link CL~ or CLl in the downstream direction is faulty, an appropriate flag is set in a register in the remote Rx reser~ed for this purpose. In a similar manner, the remote Rx then tests the conununications integrity of the communications link CL~ and CLl in the up-stream direction with its immediately adjacent higher number remote (that i9, remote RX+l) and sets the appropriate flag, as and if required. After this initial diagnostic checking takes place~ the remote Rx will terminate the failed communl-cations line CL0 and/or CLl by actuating the appropriate relay contacts.320 and/or.3~1 as required. The line checking test utilized in FIG. 12 preerably takes place when the remote Rx is master-for-the-moment (that is, Rm).
A mcre detailed explanation of the communications line integrity check and automatic line termination may be had by re~err~ng to FIGS. 12A~ 12B and 12C (a~ read in accordance ~1 -~2~
wi~h the flow chart legend of FIG. 13) in which FIG. 12A
represents the downstream integxity check with the nzxt lower number remote, FIG. 12B represents the upstream integrity check wi~h the next higher number remote, and FIG. 12C represents the line termination function in response to the results of the integrity test performed ln FIGS 12A and 12B.
In FIG. 12A, the line checking diagnostic is started by first loading three registers or counters, namely, a 'retry counter', a 'CL~ retry counter', and a 'CLl retry counter' with an arbitrarily selected number, for example, five. The 'retry counter' is then decremented by one and a message sent from the remote Rx to the remote Rx 1 requesting an acknowledgement ACK signal. If the communications link CLp and CLl between the interrogating remote and the responding remote is fully functional, a valid ACK signal will be received by the interrogating remote Rx on both CL~ and CLl. The diagnostic checking will then route to the part of the progra~ (FIG. 12B~ for checking the communications integrity of the communications link CL~ and CLl between the interrogating remote Rx and the next higher number remote in the syst~ml tha~ is, RX~l. On the other hand, if a valid ~CK signal i5 not received on one or both of the communications links CL~ or CLl by the requesting remote Rx from the immediately adjacent lower number responding xemote Rx l~ ~he appropriate retry counter (that i~, 'CL0 retry counter' or 'CLl retry counterl) will be decremented by one and the pxocedure repeated until the 'retry counter' is zero at which time the appropriate CL~
and/or CLl terminate flag register will be set; thereafter, the program will route to the upstream communications integrity check shown in FIG. 12B.
The flow diagram of FIG. 12B is basically the same as that of FIG. 12A except that the communications integrit~
check occurs for that por~ion of the communications link CL between the interrogating remote Rx and the next higher number responding remote RX~1. More specifically, the three registers or counters, that is, the 'retry counter', the 'CL~ retry counter', and the 'CLl retry counter' are loaded with the arbitrarily selected value of ~ive. The 'retry counterl is then decremented by one and a message sent from the interrogating remote Rx to the remote RX+l requesting an ac~nowledgement signal. If the communications link CL~ and CLl between the interrogatlng remote Rx and the responding remote RX~l is integral, a valid acknowledgement signal will be received by the interrogating remote Rx and the program wi.ll route to the termination impedance portion of the procedure shown in FIG. 12C.
On the other hand~ if a valid acknowledgement signal i5 not received on one or both of the communications lines CL~
or CLl by the interrogating remote Rx from the higher order responding remote RX~l, the appropriate retry counter, that is, the 'CL~ or CLl ratry counter' will be decremented by one and the procedure repeated until the 'retry counter' is zero at which point the appropriate CL~ and~or CLl termination flag register will be set; thereafter, the program diagnostic will rout~ to the line impedance termination portion shown in FIG. 12C~
- ~3 -In the flow diagram of FIG. 12C, the various termination registers are examined for set flags and appropriate commands issued to the C-link control device 38 (FIG. 3) to tenninate the line by appropriate actuation of the relay contacts 320 and/or 321. As is also shown in FIG. 12C, a line termination relay can also be released (that is, reset) to remove a previously applied line termination impedance. Accordingly, the system provides each remote with the ability to remove a line termination as well as apply a line termination. This particular feature is desirable when a communication link is temperarily degraded by the presence of non-recurring electrical noise to permit the system to automatically re-configure its line impedances.
The ~ollowing specific example illustrates the operation of the line termination procedure in which it is assumed that the communications link CL~ in FIG. 1 is severed at point A as shown therein and that the remote R4 is ~he present master (Rm) of the system and testing the communications integrity of the communications link between itself as the interrogating remote tRX) and its next lower order number remote R3 (that is, Rx 1) In accordance with the flow diagram of FIG. 12A, the 'retry counter', and the 'CL~ retry counter', and the 'CL1 retry countarI, as shown in the tabulation table of FIG. 14, are set to the pre-determined ~alue of five~ The 'retry counter' is decremented by one and the requesting interrogating remote R4 (Rx) requests an acknowledgement from the responding remote R3 (that i5, RX_l). The requested acknowledgement will be provided on line CL1 but not line CL0 because of the
This is carried out by the communications protocol controller 12 pulling a restart wire to ground in the common buss 22. When this restart wire is pulled to ground, it starts the applications program back through its initialization program and sets all o the flags, timers, and counters just as if power had been turned on. Such a restart is called a hardware restart. Alternatively, the redundant remote R~ could e~fect a software restart in the failed remote. A so~tware restart would merely start the applications program through its initializatlon program with the timers, counters and ~lags left in their present status.
After completing instruc~ion sequence 121, the redundant remote R4 program thén sets the fail flag for remote Rl to 'on' in instruction step 123 and then proceeds into decision instruction sequence 125 to again check the status of remote Rl by checking the number in the mailbox of remote ~1 in the same mannex as in decision instruction sequence 101. If the applica~ions program in remote Rl was successfully started in in~truction sequence 121, the number in the mailbox will not be zero and the program will determine that the status o remote Rl is operating, whereupon the program will jump to decision instruction sequence 107 to check the status of remote R2 as already described.
If the program determines that the status.
of remote Rl is not operating in decision instruction sequence 125, then this means that the attempt to restart the applications program in remote Rl in instruction sequence 121 failed and the redundant remote R4 program then proceeds into instruction sequence 127 to initialize the input/output managemen~ device 14 ~also identified in FIG. llB as 'RTX') in remote Rl to receive instructions and data from the redun~ant remote R4 instead of from the central processing unit 16 in the remote Rl and tG send data on the status of the input and output devices to the redundant remote R4.
If ~he program of the redundant remote R4 determines that the ail flag was 'on' instead of 'off' in decision instruction sequence 119, the redundant remote program would proceed directly into the instruction sequence 127 to initiali.~e the input/output management device 14 of remote Rl to respond to the redundan~ remote R4.
The purpose of thç fail flag which is set to 'on' in instruction step 123 and is reset to 'of' in iIlStrUGtiOIl step 103 is to pre~ent the redundant remote program from getting hung-up in a condition in which it successfully restarts the remote Rl only to ha~e the remote Rl fail again by the time the program of the redundant remote recycles around to checking the mailbox of the remote Rl again in decision instruction sequence 101. If this should happ2n, the fail flag for remote Rl will have been set to 'on' in ins~ruction step 123 after the successful restarting of the s~
applications program. Then, the next time that the ~edundant remote program cycles back to decision instruction sequence 101, and determines that the status of remote Rl is not operating, the fail flag for xemote Rl will be 'on'. Accordingly, the program will jump from decision ins~ruction sequence 119 lnto the instruction sequence 127 to initialize the remote Rl to respond to redundant remote R4. If the next time the redundant remote program recycles back to decision instruction sequence 101 to check the status of Rl, it determines that the status of Rl is operating, the program will then reset the ail flag to 'off' in instruction step 103 so that in subsequent cycles, should the program determine that the remote Rl has again failed, the program will again go into the restart instruction sequence 121 instead o~ immediately jumping to the initialization instruction sequence 127.
After the redundant remote program has compleked th~ initialization instruction sequence 127, it then proceeds to subroutine 129. In this subroutine, the status of the applications program of remote Rl last received by the redundant remote R~, which status is stored in the memory of the redundant remote R4, is loaded into predeterm~ned registers of the memory of the redundant remote R4 in order to carry out the applications program of remote Rl in the redundant remote R4O After this subroutine i5 completed, the program proceeds into instruction sequence 130 and then into the subroutine 131 in which it starts and carries out the applications program. The redundant remote R4 carries out the Rl applications program by receiving data ~rom remote Rl as to the status of the input ana output devices of the remote Rl and sending instructions to remote Rl to direct operation of the input/output management device 14 of the remote Rl. The proyram in the redundant remote R4 will then continue to cycle through the applications program for the remote Rl until it receives a command from the operator to reset it back into its main cycle of checking the status of the remotes Rl, R2, and R3.
Should the redundant remote R4 determine that the status of remote R2 or remote R3 is not operating, it then performs the same program with respect to these remotes as described with respect to remote Rl as is illustrated in FIGS. llA and llB.
The redundant remote R8 will take over the applications program should any of the primary remotes R5-R7 become nonoperative in the same manner as described above with respect to R4 serving as a back-up Eor the primary remotes Rl-R3.
It will be appreciated that the provision of the redundant remotes decreases malfunctioning of the control system due to one of the primary remotes becoming inoperative as a result of failure of the central processing unit 16 of the primary remote. secause each redundant remote serves as a back-up for several primary remotes, the cost of providing the redundancy is signi~icantly reduced. Because the redundant remotes are themselves each a remote control unit which takes its turn in the master-for-a-moment sequence communicating with the other remotes over the dual channel communications link, the redundant remotes can be provided in the system very inexpensively.
Eacn remote Rn, as described above, is provided with termina~ion impedances Z~ and Zl for the first and second communication channels CH~ and CH1 (FIG. 3) and a line termination relay 32~ and 321 under the control of the communications link control device 38. The termination impedances are connected across each channel of the communi-cations link when the particular remote is the first or the last remote in the system (e.g., Rl and R8 in FIG. 1) to establish proper line termination impedance to prevent signal level degradation and the presence of reflected signals, both conditions which can adversely affect the performance of the system. The tenminatiGn impedances Z0 and Zl are also applied across the appxopriate communi-cations channels when a remote determines, as described below, that the communications link C~ between it and its ~mmediately adjacent higher or lower number remote is severed or sufficiently degraded that reliable data transmission cannot be maintained therebetween. The determination as to communications link degradation can be made b~ providing each remote with a register for each communications channel that records, in a cumulative manner, the number of invalid messages received from ~he immediately adjacent remote(s) and terminate one or both of the communications link C~ and CLl in the direction of -the remote from which the number of invalid messases xeceived exceeds a threshhold value. More preferably, however, each remote is provied with an active testing diagnostic routine to ena~le it to test the communication integrity of the communications link between it and its immediately adjacent remote~s) in accordance with the flow diagrams illustrated in FIGS. 12, 12A, 13B and 12C as read in accordance with FIG. 13 and the table of FIG. 14.
The flow diagram illustrated in FIG. 12 is a summary of the manner by which each remote is capable of testing the communication integrity of the communications link CL between it and its immediate adjacent remote or remotes and terminating one or both of the communications links, CL~ and CLl, when a degraded or interrupted line condition is detected. As shown in FIG. 12, the remote Rx is initialized and then, in sequence, tests the communi-cations integrity of tha communications link CL~ in the downstream direction between it and its immediately adjacent lower number remote (that is, R~ 1) and then tests the communication integrity o~ the communications link CTl in the downstream direction with the same remote. If either the communications link CL~ or CLl in the downstream direction is faulty, an appropriate flag is set in a register in the remote Rx reser~ed for this purpose. In a similar manner, the remote Rx then tests the conununications integrity of the communications link CL~ and CLl in the up-stream direction with its immediately adjacent higher number remote (that i9, remote RX+l) and sets the appropriate flag, as and if required. After this initial diagnostic checking takes place~ the remote Rx will terminate the failed communl-cations line CL0 and/or CLl by actuating the appropriate relay contacts.320 and/or.3~1 as required. The line checking test utilized in FIG. 12 preerably takes place when the remote Rx is master-for-the-moment (that is, Rm).
A mcre detailed explanation of the communications line integrity check and automatic line termination may be had by re~err~ng to FIGS. 12A~ 12B and 12C (a~ read in accordance ~1 -~2~
wi~h the flow chart legend of FIG. 13) in which FIG. 12A
represents the downstream integxity check with the nzxt lower number remote, FIG. 12B represents the upstream integrity check wi~h the next higher number remote, and FIG. 12C represents the line termination function in response to the results of the integrity test performed ln FIGS 12A and 12B.
In FIG. 12A, the line checking diagnostic is started by first loading three registers or counters, namely, a 'retry counter', a 'CL~ retry counter', and a 'CLl retry counter' with an arbitrarily selected number, for example, five. The 'retry counter' is then decremented by one and a message sent from the remote Rx to the remote Rx 1 requesting an acknowledgement ACK signal. If the communications link CLp and CLl between the interrogating remote and the responding remote is fully functional, a valid ACK signal will be received by the interrogating remote Rx on both CL~ and CLl. The diagnostic checking will then route to the part of the progra~ (FIG. 12B~ for checking the communications integrity of the communications link CL~ and CLl between the interrogating remote Rx and the next higher number remote in the syst~ml tha~ is, RX~l. On the other hand, if a valid ~CK signal i5 not received on one or both of the communications links CL~ or CLl by the requesting remote Rx from the immediately adjacent lower number responding xemote Rx l~ ~he appropriate retry counter (that i~, 'CL0 retry counter' or 'CLl retry counterl) will be decremented by one and the pxocedure repeated until the 'retry counter' is zero at which time the appropriate CL~
and/or CLl terminate flag register will be set; thereafter, the program will route to the upstream communications integrity check shown in FIG. 12B.
The flow diagram of FIG. 12B is basically the same as that of FIG. 12A except that the communications integrit~
check occurs for that por~ion of the communications link CL between the interrogating remote Rx and the next higher number responding remote RX~1. More specifically, the three registers or counters, that is, the 'retry counter', the 'CL~ retry counter', and the 'CLl retry counter' are loaded with the arbitrarily selected value of ~ive. The 'retry counterl is then decremented by one and a message sent from the interrogating remote Rx to the remote RX+l requesting an ac~nowledgement signal. If the communications link CL~ and CLl between the interrogatlng remote Rx and the responding remote RX~l is integral, a valid acknowledgement signal will be received by the interrogating remote Rx and the program wi.ll route to the termination impedance portion of the procedure shown in FIG. 12C.
On the other hand~ if a valid acknowledgement signal i5 not received on one or both of the communications lines CL~
or CLl by the interrogating remote Rx from the higher order responding remote RX~l, the appropriate retry counter, that is, the 'CL~ or CLl ratry counter' will be decremented by one and the procedure repeated until the 'retry counter' is zero at which point the appropriate CL~ and~or CLl termination flag register will be set; thereafter, the program diagnostic will rout~ to the line impedance termination portion shown in FIG. 12C~
- ~3 -In the flow diagram of FIG. 12C, the various termination registers are examined for set flags and appropriate commands issued to the C-link control device 38 (FIG. 3) to tenninate the line by appropriate actuation of the relay contacts 320 and/or 321. As is also shown in FIG. 12C, a line termination relay can also be released (that is, reset) to remove a previously applied line termination impedance. Accordingly, the system provides each remote with the ability to remove a line termination as well as apply a line termination. This particular feature is desirable when a communication link is temperarily degraded by the presence of non-recurring electrical noise to permit the system to automatically re-configure its line impedances.
The ~ollowing specific example illustrates the operation of the line termination procedure in which it is assumed that the communications link CL~ in FIG. 1 is severed at point A as shown therein and that the remote R4 is ~he present master (Rm) of the system and testing the communications integrity of the communications link between itself as the interrogating remote tRX) and its next lower order number remote R3 (that is, Rx 1) In accordance with the flow diagram of FIG. 12A, the 'retry counter', and the 'CL~ retry counter', and the 'CL1 retry countarI, as shown in the tabulation table of FIG. 14, are set to the pre-determined ~alue of five~ The 'retry counter' is decremented by one and the requesting interrogating remote R4 (Rx) requests an acknowledgement from the responding remote R3 (that i5, RX_l). The requested acknowledgement will be provided on line CL1 but not line CL0 because of the
- 4~ -~2~
aforementioned interruption at point A (FIG. 1).
The interrogating remote R4, not receiving the requested acknowledgement signal on communications link CL0, will decrement the 'CL~ retry counter' by one. Ther~after, the retest p~ocedure will be sequentially continued with the 'CL0 retry counter' being decremented with each additional unsuccessful attempt to obtain an acknowledgement from remote R3 throug~ the communications link CL0. When the 'retry counter' decrements to zero, the 'CL~ retry coun~er' will also be decremented to zero at which time the CL0 lower order termination flag will be set. The remote R4 will thereafter continue the diagnostic checking procedure to test the communications integrity of that portion of the communications link between the remote R4 (Rx) and the next adjacent higher remote R5 (that is, RX+l) in accordance with the flow diagram of FIG. 12B. At the conclusion of the test of the communications link between the intex-rogating remote R4 and the immediately adjacent lower number and hlgher number remotes R3 and R5, the termination relay contacts 32~ (FIG. 3) will be set to terminate the communi-cations link CL~ at the remote R4~ In a similar manner, the remote R3, when it becomes mastex-for-the-moment, will also apply a termination impedance across the communications link CL0.
As can be appreciated from the foregoing, the remotes Ro...Rn have the ability, even when one or both of the communication links CL0 and CL1 are severed to still function on a master-~or-the-moment basis and also to effect appropriate line termination to minimize the adverse effect on digital data signal strength and the generation of reflected signals from mismatched line impedance caused by deteriorated or severed communication lines. In addition, the system is self-healing, that is, when reliable communications is restored over the severed or degraded portion of the communications link the remotes Rn will then again function to remove the line impedances to resume full system operation.
As will be apparent to those skilled in the art, various changes and modifications may be made to the industrial control system of the present invention without departing from the spirit and scope of the invention as recited in the appended calims and their legal e~uivalent.
~ 46 -
aforementioned interruption at point A (FIG. 1).
The interrogating remote R4, not receiving the requested acknowledgement signal on communications link CL0, will decrement the 'CL~ retry counter' by one. Ther~after, the retest p~ocedure will be sequentially continued with the 'CL0 retry counter' being decremented with each additional unsuccessful attempt to obtain an acknowledgement from remote R3 throug~ the communications link CL0. When the 'retry counter' decrements to zero, the 'CL~ retry coun~er' will also be decremented to zero at which time the CL0 lower order termination flag will be set. The remote R4 will thereafter continue the diagnostic checking procedure to test the communications integrity of that portion of the communications link between the remote R4 (Rx) and the next adjacent higher remote R5 (that is, RX+l) in accordance with the flow diagram of FIG. 12B. At the conclusion of the test of the communications link between the intex-rogating remote R4 and the immediately adjacent lower number and hlgher number remotes R3 and R5, the termination relay contacts 32~ (FIG. 3) will be set to terminate the communi-cations link CL~ at the remote R4~ In a similar manner, the remote R3, when it becomes mastex-for-the-moment, will also apply a termination impedance across the communications link CL0.
As can be appreciated from the foregoing, the remotes Ro...Rn have the ability, even when one or both of the communication links CL0 and CL1 are severed to still function on a master-~or-the-moment basis and also to effect appropriate line termination to minimize the adverse effect on digital data signal strength and the generation of reflected signals from mismatched line impedance caused by deteriorated or severed communication lines. In addition, the system is self-healing, that is, when reliable communications is restored over the severed or degraded portion of the communications link the remotes Rn will then again function to remove the line impedances to resume full system operation.
As will be apparent to those skilled in the art, various changes and modifications may be made to the industrial control system of the present invention without departing from the spirit and scope of the invention as recited in the appended calims and their legal e~uivalent.
~ 46 -
Claims (34)
1. An information transfer system for transmitting digital information between active devices and testing the validity of the transmitted information, said system comprising:
at least one active device for transmitting information in digital form;
at least one other active device for receiving information in digital form;
plural independent communication channels connected to and extending between said first-mentioned and said second-mentioned active devices for conveying information therebetween;
said first-mentioned active device including a trans-mission means for transmitting digital information arranged in blocks of predetermined format, said transmission means transmitting an identical block on each of said plural communication channels; and said second-mentioned active device including receiving means for receiving digital information transmitted by said first-mentioned active device and for selecting one of said plural communication channels and testing the validity of the received block and, when said received block from said first-selected communication channel is found invalid, for selecting another of said plural communication channels and testing the validity of the received block on said other communication channel.
at least one active device for transmitting information in digital form;
at least one other active device for receiving information in digital form;
plural independent communication channels connected to and extending between said first-mentioned and said second-mentioned active devices for conveying information therebetween;
said first-mentioned active device including a trans-mission means for transmitting digital information arranged in blocks of predetermined format, said transmission means transmitting an identical block on each of said plural communication channels; and said second-mentioned active device including receiving means for receiving digital information transmitted by said first-mentioned active device and for selecting one of said plural communication channels and testing the validity of the received block and, when said received block from said first-selected communication channel is found invalid, for selecting another of said plural communication channels and testing the validity of the received block on said other communication channel.
2. The information transfer system claimed in Claim 1 wherein:
said second-mentioned active device includes respond-ing means for transmitting an acknowledgement signal over at least one of said channels to said first-mentioned active device when the block received over said first-selected communication channel is valid, for transmitting over at least one of said channels an acknowledgement signal to said first-mentioned active device when the block received over said other selected communication channel is found valid, and for trans-mitting over at least one of said channels a non-acknowledgement signal to said first-mentioned active device when the block received over said other selected communication is found invalid.
said second-mentioned active device includes respond-ing means for transmitting an acknowledgement signal over at least one of said channels to said first-mentioned active device when the block received over said first-selected communication channel is valid, for transmitting over at least one of said channels an acknowledgement signal to said first-mentioned active device when the block received over said other selected communication channel is found valid, and for trans-mitting over at least one of said channels a non-acknowledgement signal to said first-mentioned active device when the block received over said other selected communication is found invalid.
3. The information transfer system claimed in Claim 2 wherein:
said transmission means is responsive to the non-acknowledgement signal from said second-mentioned active device to retransmit the invalidly received block.
said transmission means is responsive to the non-acknowledgement signal from said second-mentioned active device to retransmit the invalidly received block.
4. The information transfer system claimed in Claim 3 including means to limit the number of retransmissions of an invalidly received block to a predetermined value.
5. The information transfer system claimed in Claim 1 wherein:
said transmission means is operable to transmit said block at least twice in succession on each communication channel.
said transmission means is operable to transmit said block at least twice in succession on each communication channel.
6. The information transfer system claimed in Claim 5 wherein:
said receiving means includes means to test the validity of the plural blocks received on a communications channel by effecting a comparison between the first-received and the second-received block.
said receiving means includes means to test the validity of the plural blocks received on a communications channel by effecting a comparison between the first-received and the second-received block.
7. The information transfer system claimed in Claim 1 further comprising:
memory means for storing the block received by said receiving means on said other communication channel while the block received on said first-selected communication channel is tested for validity.
memory means for storing the block received by said receiving means on said other communication channel while the block received on said first-selected communication channel is tested for validity.
8. An information transfer system for transferring digital information between stored-program controlled means and for testing the validity of the transferred information, said system comprising:
at least one stored-program controlled means for transmitting digital information in blocks of predetermined format which blocks include an error detecting code word;
at least one other stored-program controlled means for receiving digital information in said block format and adapted to test the validity of said received block using the error detecting code word;
plural independent communication channels connected to and extending between said first-mentioned and said second-mentioned stored-program controlled means for transferring information blocks therebetween; and said second-mentioned stored-program controlled means having validity testing means for selecting a one of said plural communication channels and testing the validity of the block received thereon and for selecting another of said plural communication channels and testing the validity of the block received on said other communication channel when the block received on said first-selected communication channel fails its validity test.
at least one stored-program controlled means for transmitting digital information in blocks of predetermined format which blocks include an error detecting code word;
at least one other stored-program controlled means for receiving digital information in said block format and adapted to test the validity of said received block using the error detecting code word;
plural independent communication channels connected to and extending between said first-mentioned and said second-mentioned stored-program controlled means for transferring information blocks therebetween; and said second-mentioned stored-program controlled means having validity testing means for selecting a one of said plural communication channels and testing the validity of the block received thereon and for selecting another of said plural communication channels and testing the validity of the block received on said other communication channel when the block received on said first-selected communication channel fails its validity test.
9. The information transfer system claimed in Claim 8 wherein:
said second-mentioned stored-program controlled means includes responding means for transmitting over at least one of said channels an acknowlegement signal to said first-mentioned stored-program controlled means when the block received over said first-selected communication channel is valid, for transmitting over at least one of said channels an acknowledge-ment signal to said first-mentioned stored-program controlled means when the block received over said other selected communication channel is found valid, and for transmitting over at least one of said channels a non-acknowledgement signal to said first-mentioned stored-program controlled means when the block received over said other selected communication channel is found invalid.
said second-mentioned stored-program controlled means includes responding means for transmitting over at least one of said channels an acknowlegement signal to said first-mentioned stored-program controlled means when the block received over said first-selected communication channel is valid, for transmitting over at least one of said channels an acknowledge-ment signal to said first-mentioned stored-program controlled means when the block received over said other selected communication channel is found valid, and for transmitting over at least one of said channels a non-acknowledgement signal to said first-mentioned stored-program controlled means when the block received over said other selected communication channel is found invalid.
10. The information transfer system claimed in Claim 9 wherein:
said first-mentioned stored-program controlled means is responsive to the non-acknowledgement signal from said second-mentioned stored-program controlled means to retransmit the invalidly received block.
said first-mentioned stored-program controlled means is responsive to the non-acknowledgement signal from said second-mentioned stored-program controlled means to retransmit the invalidly received block.
11. The information transfer system claimed in Claim 10 including means to limit the number of retransmissions of an invalidly received block to a predetermined value.
12. The information transfer system claimed in Claim wherein:
said first-mentioned stored-program controlled means is operable to transmit said block at least twice in succession on each communication channel.
said first-mentioned stored-program controlled means is operable to transmit said block at least twice in succession on each communication channel.
13. The information transfer system claimed in Claim 12 wherein:
said second-mentioned stored-program controlled means includes means to test the validity of the plural blocks received on a communications channel by effecting a comparison between the first-received and the second-received block on the channel.
said second-mentioned stored-program controlled means includes means to test the validity of the plural blocks received on a communications channel by effecting a comparison between the first-received and the second-received block on the channel.
14. The information transfer system claimed in Claim 8 further comprising:
memory means for storing the block received on said other communication channel by said second-mentioned stored-program controlled means while the block received on said first-selected communication channel is tested for validity.
memory means for storing the block received on said other communication channel by said second-mentioned stored-program controlled means while the block received on said first-selected communication channel is tested for validity.
15. A system for controlling an industrial process, said system including a plurality of process controlling remotes each connected by a common communications link, said system comprising:
at least one process controlling remote for transmitting process control information in digital form, said information arranged in groups of predetermined format with each of said information groups including an error detecting code word;
at least one other process controlling remote for receiving process control information in said information group format and testing the validity of the received blocks based on said error detecting code;
the communication link interconnecting said first-mentioned and said second-mentioned remotes including at least two independent communication channels, said first-mentioned remote transmitting an identical information group on each of said communication channels, said second-mentioned remote operable to select a one of said communication channels and evaluate the validity of said received information group and select the other of said communication channels when the received information group on said first-selected communication channel fails its validity test.
at least one process controlling remote for transmitting process control information in digital form, said information arranged in groups of predetermined format with each of said information groups including an error detecting code word;
at least one other process controlling remote for receiving process control information in said information group format and testing the validity of the received blocks based on said error detecting code;
the communication link interconnecting said first-mentioned and said second-mentioned remotes including at least two independent communication channels, said first-mentioned remote transmitting an identical information group on each of said communication channels, said second-mentioned remote operable to select a one of said communication channels and evaluate the validity of said received information group and select the other of said communication channels when the received information group on said first-selected communication channel fails its validity test.
16. The industrial process control system claimed in Claim 15 wherein:
said second-mentioned remote includes responding means for transmitting over said communications link an acknowledgement signal to said first-mentioned remote when the information group received over said first-selected communication channel is valid, for transmitting over said communications link an acknowledge-ment signal to said first-mentioned remote when the information group received over said other selected communication channel is found valid, and for transmitting over said communications link a non-acknowledgement signal to said first-mentioned remote when the information group received over said other selected communication channel is found invalid.
said second-mentioned remote includes responding means for transmitting over said communications link an acknowledgement signal to said first-mentioned remote when the information group received over said first-selected communication channel is valid, for transmitting over said communications link an acknowledge-ment signal to said first-mentioned remote when the information group received over said other selected communication channel is found valid, and for transmitting over said communications link a non-acknowledgement signal to said first-mentioned remote when the information group received over said other selected communication channel is found invalid.
17. The industrial process control system claimed in Claim 16 wherein:
said first-mentioned remote is responsive to the non-acknowledgement signal from said second-mentioned remote to said first-mentioned remote to retransmit the invalidly received information group.
said first-mentioned remote is responsive to the non-acknowledgement signal from said second-mentioned remote to said first-mentioned remote to retransmit the invalidly received information group.
18. The industrial process control system claimed in Claim 16 including means to limit the number of retransmissions of an invalidly received information group to a predetermined value.
19. The industrial process control system claimed in Claim 15 wherein said first-mentioned remote is operable to transmit said information groups at least twice in succession on each communication channel.
20. The industrial process control system claimed in Claim 19 wherein:
said second-mentioned remote includes means to test the validity of the plural information groups received on a communications channel by effecting a comparison between the first-received and the second-received information group on the channel.
said second-mentioned remote includes means to test the validity of the plural information groups received on a communications channel by effecting a comparison between the first-received and the second-received information group on the channel.
21. The industrial process control system claimed in Claim 15 further comprising:
memory means for storing information groups received on said other communication channel by said second mentioned remote while the information group on said first-selected communication channel is tested for validity.
memory means for storing information groups received on said other communication channel by said second mentioned remote while the information group on said first-selected communication channel is tested for validity.
22. A system for controlling a process, said system including a plurality of process controlling remotes inter-connected by a common communications link, said system comprising:
at least one process controlling remote for transmitting process control information in digital. form, said information arranged in information groups of predetermined format and including an error detecting code word;
at least one other process controlling remote for receiving process control information in said information groups and testing the validity of the received groups based on said error detecting code word;
the communication link interconnecting said first-mentioned and said second-mentioned remotes including at least two independent communication channels, said first-mentioned remote transmitting identical information groups on each of said channels, said second-mentioned remote testing the validity of the received information groups on each communication channel and concluding the information transfer transaction if the received information group on at least one of said plural communication channels passes its validity check test.
at least one process controlling remote for transmitting process control information in digital. form, said information arranged in information groups of predetermined format and including an error detecting code word;
at least one other process controlling remote for receiving process control information in said information groups and testing the validity of the received groups based on said error detecting code word;
the communication link interconnecting said first-mentioned and said second-mentioned remotes including at least two independent communication channels, said first-mentioned remote transmitting identical information groups on each of said channels, said second-mentioned remote testing the validity of the received information groups on each communication channel and concluding the information transfer transaction if the received information group on at least one of said plural communication channels passes its validity check test.
23. The industrial process control system claimed in Claim 22 wherein:
said second-mentioned remote includes responding means for transmitting over said communications link an acknowledge-ment signal to said first-mentioned remote when the information group received over a first-selected communication channel is valid, for transmitting over said communications link an acknowledgement signal to said first-mentioned remote when the information group received over the other communication channel is found valid, and for transmitting over said communications link a non-acknowledgement signal to said first-mentioned remote when the information group received over said other communication channel is found invalid.
said second-mentioned remote includes responding means for transmitting over said communications link an acknowledge-ment signal to said first-mentioned remote when the information group received over a first-selected communication channel is valid, for transmitting over said communications link an acknowledgement signal to said first-mentioned remote when the information group received over the other communication channel is found valid, and for transmitting over said communications link a non-acknowledgement signal to said first-mentioned remote when the information group received over said other communication channel is found invalid.
24. The industrial process control system claimed in Claim 23 wherein:
said first-mentioned remote is responsive to the non-acknowledgement signal from said second-mentioned remote to retransmit the invalidly received information group.
said first-mentioned remote is responsive to the non-acknowledgement signal from said second-mentioned remote to retransmit the invalidly received information group.
25. The industrial process control system claimed in Claim 22 wherein:
said first-mentioned remote is operable to transmit said information groups at least twice in succession on each communication channel.
said first-mentioned remote is operable to transmit said information groups at least twice in succession on each communication channel.
26. The industrial process control system claimed in Claim 25 wherein:
said second-mentioned remote includes means to test the validity of the plural information groups received on a communications channel by effecting a comparison between the first-received and the second-received group.
said second-mentioned remote includes means to test the validity of the plural information groups received on a communications channel by effecting a comparison between the first-received and the second-received group.
27. The industrial process control system claimed in Claim 22 further comprising:
memory means for storing the information groups received on one of said communication channels by said second-mentioned remote while the information groups received on the other communication channel is tested for validity.
memory means for storing the information groups received on one of said communication channels by said second-mentioned remote while the information groups received on the other communication channel is tested for validity.
28. A method for transferring digital information formatted in predetermined blocks between an information transmitting device and an interconnected information receiving device, said method comprising the steps of:
transmitting identical information blocks from a transmitter over plural independent communication channels to a receiver;
receiving and storing the received information blocks at the receiver;
selecting the information block received on one of said plural communication channels and testing the validity thereof;
selecting the information block received on the other of said communication channels and testing the validity thereof in the event the first-selected information block fails its validity check; and requesting retransmission of said information blocks in the event both the first-selected and the second-selected information blocks fail their validity test.
transmitting identical information blocks from a transmitter over plural independent communication channels to a receiver;
receiving and storing the received information blocks at the receiver;
selecting the information block received on one of said plural communication channels and testing the validity thereof;
selecting the information block received on the other of said communication channels and testing the validity thereof in the event the first-selected information block fails its validity check; and requesting retransmission of said information blocks in the event both the first-selected and the second-selected information blocks fail their validity test.
29. The method claimed in Claim 28 wherein said first-selection step further comprises the step of transmitting an acknowledgement signal from the receiver to the transmitter when the first-tested information block is found valid.
30. The method claimed in Claim 29 wherein the second selection step further comprises the steps of transmitting an acknowledgement signal from the receiver to the transmitter when the second-tested information block is found valid.
31. The method claimed in Claim 30 wherein the requesting step further comprises the step of transmitting a non-acknowledge-ment signal from the receiver to the transmitter when the second-tested information block is found invalid.
32. The method claimed in Claim 31 further comprising the step of:
retransmitting the information blocks in response to a non-acknowledgement signal.
retransmitting the information blocks in response to a non-acknowledgement signal.
33. The method claimed in Claim 32 further comprising the step of:
limiting the number of retansmissions to a predetermined value.
limiting the number of retansmissions to a predetermined value.
34. The method claimed in Claim 29 wherein said transmitting step further comprises the step of transmitting identical information blocks on each channel at least twice in succession and the steps of testing the validity of an information block include a comparison between the first and second information blocks received on a channel.
Applications Claiming Priority (3)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US06/115,161 US4304001A (en) | 1980-01-24 | 1980-01-24 | Industrial control system with interconnected remotely located computer control units |
| US115,161 | 1980-01-24 | ||
| CA000368795A CA1171543A (en) | 1980-01-24 | 1981-01-19 | Industrial control system |
Related Parent Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CA000442691A Division CA1182569A (en) | 1980-01-24 | 1983-12-06 | Industrial control system with interconnected remotely located computer control units |
Related Child Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CA000442691A Division CA1182569A (en) | 1980-01-24 | 1983-12-06 | Industrial control system with interconnected remotely located computer control units |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CA1182569A true CA1182569A (en) | 1985-02-12 |
Family
ID=25669230
Family Applications (2)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CA000442691A Expired CA1182569A (en) | 1980-01-24 | 1983-12-06 | Industrial control system with interconnected remotely located computer control units |
| CA000442692A Expired CA1182572A (en) | 1980-01-24 | 1983-12-06 | Industrial control system with interconnected remotely located computer control units |
Family Applications After (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CA000442692A Expired CA1182572A (en) | 1980-01-24 | 1983-12-06 | Industrial control system with interconnected remotely located computer control units |
Country Status (1)
| Country | Link |
|---|---|
| CA (2) | CA1182569A (en) |
-
1983
- 1983-12-06 CA CA000442691A patent/CA1182569A/en not_active Expired
- 1983-12-06 CA CA000442692A patent/CA1182572A/en not_active Expired
Also Published As
| Publication number | Publication date |
|---|---|
| CA1182572A (en) | 1985-02-12 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US4410983A (en) | Distributed industrial control system with remote stations taking turns supervising communications link between the remote stations | |
| US4347563A (en) | Industrial control system | |
| CA1171543A (en) | Industrial control system | |
| EP0147046B1 (en) | Fault-tolerant communications controlller system | |
| US4402082A (en) | Automatic line termination in distributed industrial process control system | |
| US4352103A (en) | Industrial control system | |
| US4501021A (en) | Fiber optic data highway | |
| US4628504A (en) | Distributed bus control communication protocol | |
| US4159470A (en) | Data communications systems employing redundant series transmission loops | |
| CA1201170A (en) | Hybrid optical/electrical data highway | |
| JP2864741B2 (en) | Communication system that guarantees data integrity | |
| EP0282628A2 (en) | Dual path bus structure for computer interconnection | |
| US4783733A (en) | Fault tolerant communications controller system | |
| CA1182569A (en) | Industrial control system with interconnected remotely located computer control units | |
| CA1182567A (en) | Automatic line termination in distributed industrial process control system | |
| CA1182568A (en) | Industrial control system | |
| RU2430400C1 (en) | Backup software-hadware system for automatic monitoring and control | |
| KR100237613B1 (en) | Remote redundant system and control method in plc | |
| JPS60223249A (en) | Control system of signal transmission line | |
| JP3149047B2 (en) | Redundant data processor | |
| JP2644571B2 (en) | Remote IPL control method | |
| JP2841559B2 (en) | Duplex digital trunk test method | |
| JP3064448B2 (en) | Line setting method | |
| JPH02161840A (en) | Message communication equipment | |
| JPS639707B2 (en) |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| MKEX | Expiry |