The invention relates to a method for operating a user terminal in a network, and associated systems and structures, such as a user terminal for a network, a storage medium with a program, and so forth.
In network communication according to the Profibus DP specification, user data can be transmitted between master and slaves in equidistant cycles. The master is the network user that has the right to access the bus and that calls the other users, i.e. the slaves, in a polling procedure to transmit data. In equidistant operation, the transmission of user data between the master and the slaves occurs in precisely equal, i.e., equidistant cycles. The duration of a cycle can be predefined through configuration and typically amounts to a few milliseconds. In equidistant operation, high synchronicity is achieved on the bus between the master and the associated slaves, which is required, in particular, for clock synchronized drive couplings in the area of motion control.
From the Siemens manual entitled xe2x80x9cSIMATIC NETxe2x80x94Programming Interface DP Base for CP 5613/CP 5614,xe2x80x9d 05/2000 edition, Order No. C79000-G8900-C139-04, a communications processor (CP) is known, which can be inserted as a plug-in module into a personal computer (PC) with a PCI bus. It can be run as a master in equidistant mode in a network according to the Profibus DP specification. The program of a DP application runs on the PC while the CP with its integrated microprocessor handles the communication via the field bus. The interface between the DP application running on the PC and the communications processor is a dual port RAM (DPR), which is arranged on and thus integrated into the plug-in module of the communications processor. This DPR stores a process image, as it were. It includes, in particular, the input, output, and diagnostic data of the slaves, as well as status and configuration data. If the DP application is reading, e.g., data of a slave from the process image and the communications processor overwrites this data with new data at the same time, the DP application might receive the first bytes of the data set of the previous DP cycle and the last bytes of the current cycle. The data would thus be corrupted and inconsistent. The rules for equidistant operation, e.g., in clock synchronous drive couplings, therefore specify that the DP application may record actual values of the slaves or specify set points to the slaves only during time segments within a cycle when no user data is being transmitted between the master and the slaves.
FIG. 2 shows a simplified representation of a cycle according to the Profibus DP specification in equidistant operation. A time axis t extends from left to right. For joint synchronization of the slaves, a global control message GC,xxe2x88x921 is transmitted before each start of an equidistant cycle Z,x. Cycle Zx starts with a cyclic part ZYK,x, in which the user data are exchanged between master and slaves. The start and end of the cyclic part ZYK,x can be indicated to the DP application in a PC by outputting a cycle start interrupt ZSI,x or a cycle end interrupt ZEI,x. The cyclic part ZYK,x is followed by an acyclic part AZYK,x of the equidistant cycle Z,x. After the end of the acyclic part AZYK,x, another global control message GC,x is transmitted to synchronize the slaves prior to the start of the next equidistant cycle Z,x+1. The start of a cyclic part ZYK,x+1 in the equidistant cycle Zx+1 (not fully depicted) can again be signaled to the DP application in the PC by another cycle start interrupt ZSI,x+1. The duration TDP of a cycle in equidistant operation is thus the time interval between the cycle start interrupt ZSI,x and the following cycle start interrupt ZSI,x+1. This duration can be set when the network is configured. In a time segment TDPR, which is composed of the acyclic part AZYK,x and the transmission time of the global control message GC,x, the DP application in the PC can access the dual port RAM of the communications processor without jeopardizing the consistency of the data sets of the process image.
The synchronization between a thread on the PC which executes the DP application (hereinafter referred to as DP thread) and the communications processor can thus be interrupt-controlled via a device driver integrated into the operating system, e.g., Windows NT. In each cycle Z,i the communications processor sends a cycle start interrupt ZSI,i and a cycle end interrupt ZEI,i to the driver. Via mechanisms of the operating system, e.g., setting a Windows semaphore, the driver then activates the DP thread of the DP application waiting at the semaphore. Because of the multitude of operating systems and computer characteristics, e.g., CPU speed, number of installed plug-in modules, displacement effects due to task changes and priority schemes, competing operation of several drivers, etc., the time between generating the interrupt and activating the DP thread is in many cases not deterministic. As a consequence, activation of the DP application can be continuously or sporadically delayed such that access to the process image in the communications processor occurs at an unallowed instant. As a consequence of such an access violation, the data of the process image is read and updated at the wrong time from a control point of view. This can cause serious operation interruptions or damage in a process technology plant that is controlled by the field bus components of the Profibus DP network. For example, if all rolls in a rolling mill must move absolutely synchronously when steel is being processed, an incorrect adjustment could result in irregular thickness of the rolled steel.
One object of the invention is to provide an improved method for operating a user terminal in a network. Another object is to provide a user terminal in a network and a storage medium with a program for such a user terminal. A further object is to provide a user terminal that detects and signals access violations, such as those described above, during operation, so that suitable fault handling measures can be introduced.
According to one formulation, these objects are addressed by a method for operating a user terminal in a network wherein data is transmitted in equidistant cycles, the network having a user terminal with a communications processor and with an arithmetic unit that accesses memory. The method includes the communications processor performing the cyclic data transmission by (i) reading the data from a memory in a cyclic part (ZYK,x) of each of the cycles (Z,x) and transmitting the read data to other user terminals and/or (ii) receiving the data from other user terminals and writing this data into a memory; and the communications processor sending at least a first synchronization signal (16) respectively at a fixed instant (Tsx) of each cycle (Z,x) to the arithmetic unit, the arithmetic unit being configured to release the first synchronization signal. The method further includes blocking the first synchronization signal (16) after the first synchronization signal has been sent, and the arithmetic unit releasing the first synchronization signal only when the arithmetic unit fails to access the memory within the cyclic part (ZYK,x). Finally, the method includes determining a time interval (xcex94Txe2x80x2sx,xxe2x88x921; xcex94Txe2x80x2ex,xxe2x88x921) between two successive first synchronization signals, and detecting and signaling an unauthorized access if the time interval is greater than the duration (TDP) of each cycle (Z,x).
Other aspects of the present invention include an inventive user terminal and an inventive communications processor.
The invention has the advantage that access violations can be safely and reliably detected. The fixed instant when the communications processor sends a first synchronization signal to the arithmetic unit can in principle be selected at any point within the cycle. If this instant lies a certain time period before the start of the cyclic part of a cycle, suitable measures must be taken in the arithmetic unit to ensure that, after the synchronization signal is released again, the arithmetic unit will at most access the memory only until this time period has elapsed. Possibilities for signaling access without access authorization include a corresponding message being output to an operator panel, or a message to a fault handling routine being generated in the arithmetic unit or the communications processor, so that a controlled process can be brought to a safe state. Particularly during a test run in the development phase it is possible to take suitable countermeasures after such an access violation has been detected. For example, a faster CPU can be used in the PC, the BIOS of the operating system can be optimized, or the configured equidistant time can be increased. Since the occurrence of inconsistent data sets in a DP application are already detected at the source of the fault, suitable fault handling measures can be introduced in time to avoid any operation interruptions or damage in a process technology plant that would be caused as a result.
If the communications processor sends the first synchronization signal by outputting an interrupt to the arithmetic unit at the start of the cyclic part of a cycle, the interrupt can be simply released after the last access by the arithmetic unit to the memory in order to detect access violations reliably. Since the arithmetic unit, once the interrupt has been released, no longer accesses the memory in any case, a timely release of the interrupt means that the arithmetic unit does not access the memory during the cyclic part of a cycle. The output of an interrupt as a first synchronization signal is a proven means for event-controlled processing of sequences implemented through programming.
If the communications processor sends a second synchronization signal by outputting a second interrupt to the arithmetic unit at the end of the cyclic part of a cycle, this has the additional advantage that no parameterization of the duration of the cyclic part of a cycle is required. This eliminates the need for measuring the time from the start of the cyclic part, which could ensure, without such a synchronization signal, that the arithmetic unit does not access the memory while user data is being transmitted. The DP application of the arithmetic unit can be activated immediately when the second interrupt is received and the memory can be accessed. In this case, the arithmetic unit releases again the first interrupt and the second interrupt once it has accessed the memory. The interval between two successive interrupts of the second type can also be used to detect an access without access authorization.