Safety network for industrial controller having reduced...

Error detection/correction and fault detection/recovery – Data processing system error or fault handling – Reliability and availability

Reexamination Certificate

active

06721900

ABSTRACT:

STATEMENT REGARDING FEDERALLY SPONSORED RESEARCH OR DEVELOPMENT
BACKGROUND OF THE INVENTION
The present invention relates to industrial controllers used for real-time control of industrial processes, and in particular to high-reliability industrial controllers appropriate for use in devices intended to protect human life and health. “High reliability” refers generally to systems that guard against the propagation of erroneous data or signals by detecting error or fault conditions and signaling their occurrence and/or entering into a predetermined fault state. High reliability systems may be distinguished from high availability systems; however, the present invention may be useful in both such systems and therefore, as used herein, high reliability should not be considered to exclude high availability systems.
Industrial controllers are special purpose computers used in controlling industrial processes. Under the direction of a stored control program, an industrial controller examines a series of inputs reflecting the status of the controlled process and changes a series of outputs controlling the industrial process. The inputs and outputs may be binary, that is, on or off, or analog, providing a value within a continuous range. The inputs may be obtained from sensors attached to the controlled equipment and the outputs may be signals to actuators on the controlled equipment.
“Safety systems” are systems intended to ensure the safety of humans working in the environment of an industrial process. Such systems may include the electronics associated with emergency stop buttons, interlock switches and machine lockouts. Traditionally, safety systems have been implemented by a set of circuits wholly separate from the industrial control system used to control the industrial process with which the safety system is associated. Such safety systems are “hard-wired” from switches and relays, some of which may be specialized “safety relays” allowing comparison of redundant signals and providing internal checking of conditions such as welded or stuck contacts. Safety systems may use switches with dual contacts providing an early indication of contact failure, and multiple contacts may be wired to actuators so that the actuators are energized only if multiple contacts close.
Hard-wired safety systems have proven inadequate, as the complexity of industrial processes has increased. This is in part because of the cost of installing and wiring relays and in part because of the difficulty of troubleshooting and maintaining the “program” implemented by the safety system in which the logic can only be changed by rewiring physical relays and switches.
For this reason, there is considerable interest in implementing safety systems using industrial controllers. Such controllers are easier to program and have reduced installation costs because of their use of a high-speed serial communication network eliminating long runs of point-to-point wiring.
The redundant control signals used to detect failures in hard-wired systems (when they don't match) do not always change at exactly the same time. Accordingly, a window of time is established during which lack of coincidence of the signals is ignored. Ideally, this window is short so that actual failures can be quickly identified.
A short coincidence window creates problems, however, when a high reliability system is implemented on a standard serial network such as is used in control systems. This is because, for reasonable network bandwidths, queuing of messages introduces skew in the transmission of the redundant signals, requiring an undesirable lengthening of the transmission window. This is particularly true when the communication of signals requires reply messages with separate network transmissions.
What is needed is a safety network that is compatible with conventional industrial controller serial networks and components yet that provides the benefits that come from using redundant control signals. Ideally, such a safety network would work with the currently available bandwidths of industrial control networks.
BRIEF SUMMARY OF THE INVENTION
The present invention facilitates the transmission and use of redundant control signals on standard serial networks by moving the coincidence detection step to the message producers prior to transmission of the control signal on the network. A single coincidence signal is developed with a short coincidence window that may then be redundantly transmitted over the network. Because the coincidence is resolved prior to transmission, network skew does not require a lengthening of the coincidence window.
Specifically, the present invention provides a high reliability industrial control system having a controller with a first network interface to a shared serial network. The industrial control system also includes an input module with at least two interface circuits for receiving at least two redundant input signals, the interface circuits communicating with at least one processor via an internal bus. The processor further communicates with a second network interface to the shared serial network and executes a stored program to: receive the redundant input signals processed by the interface circuits; determine a coincidence of the redundant input signals within a window of a predefined time period; and, only when there is coincidence within the window, transmit, via the second network interface, at least one coincidence signal indicating a coincident state of the redundant input signals to the controller.
Thus it is one object of the invention to permit the use of a relatively short predefined time period for the coincidence window by eliminating the effect of network skew of the input signals.
The processor may further execute the stored program to transmit to the controller at least two redundant messages on the shared network indicating the coincident state of the redundant input signals when there is coincidence within the window.
Thus it is another object of the invention to eliminate the effect of network skew on the processing of redundant signals while preserving the redundant communications channels.
The interface circuit may include two processors with each interface circuit communicating with a different processor, and the processors may communicate with each other via an internal bus to each receive a different one of the redundant input signals processed by the interface circuits and to communicate with the other processor to determine a coincidence of the redundant input signals within a window of a predefined time period; and, only when there is coincidence within the window, to transmit to the controller, via the second network interface, a common coincidence signal indicating a coincident state of the redundant input signals. The second network interface may include two redundant interface circuits each dedicated to one of the processors.
Thus it is a further object of the invention to provide the benefit of a reduced coincidence window while preserving redundancy in hardware components.
The input circuits may sample the redundant input signal at regular sample times and the processor may determine a coincidence as existing within the window by detecting a lack of coincidence and reviewing a predetermined number of samples commensurate with the period of time of the window and determining a coincidence only if coincidence is obtained at one of the predetermined number of samples.
Thus it is another object of the invention to provide a simple method of determining coincidence within a window such as may be executed by input and output circuits.
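The sampled coincidence check described above can be sketched in C as it might run on the input module's processor. This is an added example, not code from the patent; the names (`coin_detector`, `coin_step`, `coin_run`), the window of two samples, the latched fault, and the traces are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>

typedef enum { COIN_TRANSMIT, COIN_PENDING, COIN_FAULT } coin_result;

typedef struct {
    unsigned window_samples; /* samples reviewed after a mismatch (assumed) */
    unsigned mismatches;     /* consecutive disagreeing samples so far */
    bool state;              /* last coincident state of the two inputs */
    bool faulted;            /* latched fault state (assumption) */
} coin_detector;

void coin_init(coin_detector *d, unsigned window_samples) {
    d->window_samples = window_samples;
    d->mismatches = 0;
    d->state = false;        /* safe (off) until the inputs first agree */
    d->faulted = false;
}

/* Process one pair of redundant inputs taken at a regular sample time. */
coin_result coin_step(coin_detector *d, bool in_a, bool in_b) {
    if (d->faulted)
        return COIN_FAULT;
    if (in_a == in_b) {          /* coincidence obtained at this sample */
        d->mismatches = 0;
        d->state = in_a;
        return COIN_TRANSMIT;    /* send the single coincidence signal */
    }
    if (++d->mismatches > d->window_samples) {
        d->faulted = true;       /* no coincidence at any reviewed sample */
        d->state = false;
        return COIN_FAULT;
    }
    return COIN_PENDING;         /* inside the window: transmit nothing */
}

/* Feed a whole trace; returns the result for the last sample. */
coin_result coin_run(coin_detector *d, const bool *a, const bool *b, size_t n) {
    coin_result r = COIN_PENDING;
    for (size_t i = 0; i < n; i++)
        r = coin_step(d, a[i], b[i]);
    return r;
}

/* Constructed traces: contact B lags A by one sample, then by three. */
const bool TRACE_A[]       = {0, 1, 1, 1, 1};
const bool TRACE_B_SKEW[]  = {0, 0, 1, 1, 1};
const bool TRACE_B_STUCK[] = {0, 0, 0, 0, 1};
```

Because the window is counted in local sample periods before anything is placed on the network, message queuing on the serial link has no influence on how long a mismatch is tolerated.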
The invention may further include a third network interface to the shared serial network for creating an output signal related to at least one of the redundant input signals and the output circuit may communicate its output signal to the input module via the third network interface and wherein the communicated output signal is the coincidence signal.
It is a further object of the invention to prevent the accumulation of network skew, and its adverse effect on the coincidence wi
