Multiplex communications – Fault recovery
Reexamination Certificate
1997-10-17
2002-10-15
Nguyen, Chau (Department: 2663)
Multiplex communications
Fault recovery
C370S241000
Reexamination Certificate
active
06466539
ABSTRACT:
FIELD OF THE INVENTION
The invention refers to a bus system.
BACKGROUND OF THE INVENTION
Busses connect subscribers via electric transmission lines. The interfaces to the bus subscribers are located anywhere along the transmission line. A serial bus transmission line can consist of a coaxial or a twisted pair cable. In comparison to conventional wiring, busses represent a significant cost advantage, as well as the central availability of a wide variety of information and flexibility. Serial busses are known for example under names such as Profibus, Bitbus etc. Subscribers are for instance input and output modules for sensor signals and/or functional elements such as actuators.
For transmission of safety-critical signals only busses or bus systems of fault-tolerant or redundant design can be used. Safety-critical signals are any such signals whose purpose is safety-related and which are used to prevent or quickly rectify hazardous situations which could lead to human casualties or damage caused by electrical equipment. A redundant data bus system meeting safety requirements is described in DE-Z, messen, prüfen, automatisieren, 10/95, page 10, 12-14 and 16. In this known data bus system a fault-proof automation processor and subscribers are connected via two bus interfaces. The fault-proof automation processor consists of two processor systems containing a microprocessor, memory and system bus each. Both processor systems process the same program cycle-synchronously. A comparator which is checked in certain time intervals for perfect working order monitors both processor systems. If a fault is detected in one of the processor systems, all subscriber outputs are set to a defined signal which causes all actuators controlled by the subscribers to move into a pre-defined safe state. The fault-proof automation processors are connected to a plant bus via two automation processors. Only one of the two automation processors, both of which contain the same components, must be in working order. The automation processors run in pattern-stand-by operation. To detected a fault in the system with certainty, apart from self-tests, the communication connections and other hardware components are checked in cycles. In case of a fault, the defective automation processor is switched to a defined stop state.
A system shut-down due to a detected fault means that the machines, manufacturing plants and similar equipment is rendered harmless, i.e. brought into state where it is not hazardous to people. A fault must be detected within an error reaction time of for instance 20 ms. The emergency shut-down of electrical equipment must be effected within this time period also. A completely double bus design not only requires double two-channel bus module design for the sensors and the 2 bus masters for system monitoring and fault-proof system shut-down but also two independent wiring systems. The double bus design partly offsets a decisive advantage of a bus system in comparison to common individual wiring i.e. of every sensor switch. The double cabling, however, can be avoided by forced dynamisation of an individual bus line. This is known as dynamic redundancy, a method already known. Dynamisation means that all bus modules are continuously and cyclically polled by the processing master in relation to working order and signalling state (master-slave system) or that the modules signal themselves on a regular basis (multi-master system).
Busses in multi-master systems are able to signal immediately (i.e. in case of switch actuation) within the &mgr;sec range (so-called real-time capability) so that no continuous module polling would be required for safety monitoring of a plant. However, to detect faults in the monitoring bus system itself, for instance the failure of a bus module within the fault reaction time (e.g. 20 ms, see above), all bus module subscribers are checked as to their functionality at least once within this period of time. As the messages consist of extensive data protocols (50 . . . 80 bits) to guarantee a high degree of data transfer safety (Hamming distance 4), dynamisation means that the data flow (data transfer rate) increases proportionally in relation to the number of subscribers required for system monitoring.
On the other hand the data transfer rate of a bus system is limited due to signal propagation time (length of line) as well as module reaction times (number of subscribers).
Thus, there is a conflict between the requirement of longer lines (for instance 100 . . . 300 m) and a large number of bus subscribers, e.g. 50 . . . 100 on the one hand and the technical requirements for transmission and processing of higher data transfer rates (typical 125 . . . 1000 Kbits) on the other hand.
To reduce the data transfer rate, there is the possibility, as bus modules for a safety bus are designed as two-channel/redundant anyway, that the busses monitor each other in pairs for fault-free operation so that in case of an internal difference a subscriber of a bus module pair must send an error signal. However, the method assumes that the bus line between the processing master and every module is error-free and fully operational at any time. As the line is not intended to be doubled and/or spatially separated, it therefore must be checked dynamically up to all subscribers. A fault in the line must be detected within the fault tolerance time. Due to the high data transfer rates, cyclic checking of all bus subscribers requires so much time that the required fault reaction time cannot be met or fallen below.
Also known is a local network which is designed with two serial bus systems connected to the network nodes for redundancy reasons. Each network node is connected to both busses with two separate couplers. One of the bus systems is used to transfer process data in fault-free operation, while the other one transmits status information. Each coupler contains at least one communication controller, a communication CPU and a transceiver. Each communication CPU monitors the proper working order of the other communication CPU in a network node and thus fulfils the function of a watchdog processor. Any faults in the lines as well as malfunctioning of communication controllers will cause falsification of bus messages which are detected by error detection mechanisms. Errors occurring in the components between bus and communication CPU are detected by cyclic functional monitoring of the components. In case of a fault, each bus will be used as a watchdog bus to inform the other network subscribers of the fault detected in the other bus system. If a fault occurs in the bus system transmitting process data, the bus is locked out and the process data traffic is re-routed using the other bus (DE 195 09 558 AI).
SUMMARY OF THE INVENTION
The invention is based on the problem to provide a bus system suitable for safety-critical signals and a large number of bus subscribers as well as long bus lines, and which also has a short reaction time in case of a fault while being less expensive, and in which lines should be monitored for faults using simple measures.
This problem is solved with the invention particularly by a bus system involving a serial data bus with a transmission medium with the first active bus subscriber at the one end and the second active bus subscriber at the other end as well as further bus subscribers physically passed through by the transmission medium, whereby at least the first active bus subscriber and/or the second active bus subscriber contains a facility for regular transmission and/or receiving of status messages, whereby at least one of the subscribers monitors the status messages sent by the other bus subscribers for their non-presence within a defined period of time or for deviation from the form indicating the error-free state of the bus system, and whereby then, if the status messages are not received within the defined period of time or if status messages deviating from the form indicating a fault-free bus system are received, the bus system is brought into a state which meets def
Kramer Manfred
Schneider Volkmar
Thüringer Rainer
Ziegler Olaf
Dennison, Schultz & Dougherty
ELAN Schaltelemente GmbH & Co. KG
Hyun Soon-Dong
Nguyen Chau
LandOfFree
Bus system does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Bus system, we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Bus system will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-2998313