The present invention relates to industrial controllers and in particular to an industrial controller system having a secondary controller providing back-up control capability.
Industrial controllers are special purpose computers used for controlling factory automation and the like. Under the direction of a stored program, a processor of the industrial controller examines a series of inputs reflecting the status of a controlled process and changes outputs affecting control of the controlled process. The stored control program is continuously executed in a series of execution cycles.
The inputs received by the industrial controller from the controlled process and the outputs transmitted by the industrial controller to the controlled process are normally passed through one or more input/output (I/O) modules which serve as an electrical interface between the controller and the controlled process. The inputs and outputs are recorded in an I/O data table in processor memory. Input values may be asynchronously read from the controlled process by specialized circuitry. Output values are written directly to the I/O data table by the processor, then communicated to the controlled process by the specialized communications circuitry.
Industrial controllers must often provide uninterrupted and reliable operation for long periods of time. One method of ensuring such operation is by using redundant, secondary controller components (including processors) that may be switched in to replace primary controller components while the industrial controller is running. In the event of a failure of a primary component, or the need for maintenance of the components, for example, the secondary components may be activated to take over control functions. Maintenance or testing of the control program may be performed with the primary processor, reserving the possibility of switching to the secondary processor (and a previous version or state of the control program) if problems develop.
Ideally, the switch-over between controllers or their components should occur without undue disruption of the controlled process. For this to be possible, the secondary processor must be running the same program (and maintaining its current state) and must be working with the same data in its I/O data table as is the primary processor.
The same control program may be simply pre-stored in each of the primary and secondary processors. The data of the I/O data table, however, cannot be pre-stored but changes continuously during the controlled process. Further, because controllers are I/O intensive, there is typically a large amount of data in the I/O data table. For this reason, transmitting the data to the secondary processor is difficult.
In order to effectively update the secondary processor with large amounts of I/O data, prior art controllers have continuously and asynchronously transmitted I/O data from the primary processor to the secondary processor during execution of the control program. Allowing the control program to continue to run prevents the control process from being interrupted by the data transfer. Nevertheless, there are problems with this approach.
Asynchronous transfer means that at the time of switch-over to the secondary processor, the I/O data table of the secondary controller may have only been partially updated. Further, even the updated part of the I/O data table may be stale because the control program has continued to execute and change that data after its transmission. This I/O data will be termed "time fragmented" because it is not simply a uniformly delayed version of the I/O data table of the primary processor, but a version with different data delayed by sharply different amounts. Time fragmented data represents a control state that never existed because it includes I/O data taken from two or more different execution cycles of the control program.
A second problem that may occur at the time of switch-over is a so-called "data bump" where an output is changed back to an old state by a secondary controller only to be quickly restored to its original value as the secondary controller continues the control process. Data bumps can cause a momentary reversal of the control process with serious consequences to the controlled equipment. Unfortunately, even trivially stale data can cause data bumps.
The present invention eliminates data bumps by freezing the transmission of outputs to the control process until after those outputs have been successfully communicated to the I/O data table of the secondary processor. This delay in output transmission is made possible by techniques which allow consolidation of the transmission of I/O data to the secondary industrial controller to a short interval that does not unduly interrupt the control process.
Time fragmentation of the data at the secondary controller is likewise reduced by the use of two I/O data tables, one used to quarantine the data before it has been fully transmitted. Partial transmission of data to the secondary controller occurring just before the secondary controller assumes control responsibilities is not loaded into the I/O data table used by the secondary controller and thus does not cause a time fragmentation of that data.
Specifically, the present invention provides a primary industrial controller providing output values to a controlled process and communicating with a secondary industrial controller over a link. The primary industrial controller includes an electronic memory having a user program describing the control of the process and a primary I/O data table holding the output values provided to the controlled process. A processor communicating with the electronic memory operates to execute the user program to write output values to the I/O data table according to the user program. The processor then transmits the output values in the primary I/O data table to a secondary I/O data table of the secondary industrial controller without transmitting the output values yet to the controlled process. Only after a completion of the transmission of the output values to the secondary I/O data table does the processor transmit the output values to the controlled process.
Thus, it is one object of the invention to eliminate the possibility of data bumps as described above. By ensuring that the data is fully received by the secondary controller prior to its going to the controlled process, there is no possibility of the secondary controller improperly updating the controlled process with stale data at the time of a switch-over.
The transmission of output values to the secondary I/O data table may occur at a predefined point in the execution of the user program such as the end of the user program.
Thus it is another object of the invention to coordinate the transmission of data to the secondary processor and the controlled process to a logical point within the program.
The primary industrial controller may have multiple user programs each having predefined points where the output values are transmitted to the secondary I/O data table.
Thus it is another object of the invention to minimize any single interruption of the control process during the transmission of data to the secondary industrial controller and during the consequent delay in the transmission of output values to the controlled process. By allowing each control program to initiate a transfer of the data it has changed, each interruption of the control process in the transmission of that data is correspondingly reduced.
The electronic memory of the primary industrial controller may include a duplicate I/O data table and the transmission of output values to the controlled process may be performed by first transferring the output values of the primary I/O data table to the duplicate I/O data table and then transmitting the output values held in the duplicate I/O data table to the controlled process so that the primary I/O data table is freed to be modified during execution of a user program.
Thus it is another object of the invention to ensure that the data transmitted to the secondary industrial controller matches that ultimately provided to the outputs. The use of a duplicate I/O data table allows the user program to again begin writing I/O data to the primary I/O data table without corrupting the data being transmitted to the controlled process.
The secondary industrial controller may include a secondary I/O data table and a quarantine I/O data table and its processor may operate to receive transmission of the output values from the primary industrial controller to the quarantine I/O data table. Only after completion of the transmission of the output values into the quarantine I/O data table are the output values transferred to the secondary I/O data table. At a switch-over time, the secondary industrial controller executes the copy of the user program in its memory to modify the output values in the secondary I/O data table and to transmit the output values to the controlled process.
Thus it is another object of the invention to prevent time fragmentation of the I/O data table of the secondary processor in the event of incomplete transmission of the I/O data from the primary industrial controller to the secondary industrial controller at the time of switch-over. The use of the quarantine I/O data table allows the secondary I/O data table to remain unmodified in the event of such partial transmissions and the control to revert to the use of that secondary I/O data table data in these cases.
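The ordering described above (transfer to the quarantine I/O data table, commit to the secondary I/O data table only on completion, then release of the outputs through the duplicate I/O data table) can be simulated as follows. This is an added illustration, not code from the patent; the table size, the function names and the deliver parameter that models a transfer cut short are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define N_OUT 4 /* constructed table size */

typedef struct { int table[N_OUT]; int duplicate[N_OUT]; } primary_t;
typedef struct { int table[N_OUT]; int quarantine[N_OUT]; } secondary_t;

/* Link transfer into the quarantine table. deliver < N_OUT models a link or
 * primary failure part-way through (assumption). The secondary I/O data table
 * is overwritten only once every value has arrived. */
bool link_transfer(const primary_t *p, secondary_t *s, int deliver)
{
    for (int i = 0; i < N_OUT && i < deliver; i++)
        s->quarantine[i] = p->table[i];
    if (deliver < N_OUT)
        return false;                 /* partial: secondary table untouched */
    memcpy(s->table, s->quarantine, sizeof s->table);
    return true;
}

/* Predefined point at the end of a user program: outputs reach the controlled
 * process only after the secondary holds them, and go out via the duplicate
 * table so the primary table is free for the next cycle. */
bool sync_point(primary_t *p, secondary_t *s, int *process_out, int deliver)
{
    if (!link_transfer(p, s, deliver))
        return false;                 /* outputs stay frozen */
    memcpy(p->duplicate, p->table, sizeof p->duplicate);
    memcpy(process_out, p->duplicate, sizeof p->duplicate);
    return true;
}

/* Two execution cycles; the second transfer delivers only deliver2 values.
 * Returns the first output held by the process, or -1 if the secondary I/O
 * data table differs from what the process received (bump/fragmentation). */
int run_two_cycles(int deliver2)
{
    primary_t p = {{0}, {0}};
    secondary_t s = {{0}, {0}};
    int out[N_OUT] = {0};
    for (int i = 0; i < N_OUT; i++) p.table[i] = 10 + i; /* cycle 1 */
    sync_point(&p, &s, out, N_OUT);
    for (int i = 0; i < N_OUT; i++) p.table[i] = 20 + i; /* cycle 2 */
    sync_point(&p, &s, out, deliver2);
    return memcmp(s.table, out, sizeof out) == 0 ? out[0] : -1;
}

int main(void)
{
    printf("partial: %d, complete: %d\n", run_two_cycles(2), run_two_cycles(N_OUT));
    return 0;
}
```

In both the interrupted and the completed case the secondary I/O data table matches the outputs last seen by the controlled process, so a switch-over at that moment starts from a state that actually existed.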
The foregoing and other objects and advantages of the invention will appear from the following description. In this description reference is made to the accompanying drawings which form a part hereof and in which there is shown by way of illustration a preferred embodiment of the invention. Such embodiment does not necessarily represent the full scope of the invention, however, and reference must be made therefore to the claims for interpreting the scope of the invention.