The present invention relates to industrial controllers and in particular to an industrial controller system having two chassis, one operating as an active controller and one operating as a back-up controller.
Industrial controllers are special purpose computers used for controlling factory automation and the like. Under the direction of a stored program, a processor of the industrial controller examines a series of inputs reflecting the status of a controlled process and changes outputs effecting control of the controlled process.
Typically, an industrial controller is constructed in a modular fashion, having one or more functional modules connected together through a common backplane in a chassis or the like. The modular construction allows the circuitry of the industrial controller to be customized to some degree for each application and simplifies maintenance and repair of the industrial controller in the event that one or more modules fail.
Industrial controllers must provide uninterrupted and reliable operation for long periods of time. One method of ensuring such operation is by providing a second controller chassis operating in a back-up mode to a primary or active controller chassis. If the active chassis should fail, the back-up chassis may take over the controlled process or equipment with minimal interruption. The back-up chassis may also be used to facilitate maintenance or testing of the control program. Such modifications may be performed on one chassis (either the active or back-up chassis) reverting to the other chassis if problems develop. In such circumstances, it is desirable that the two chassis be completely symmetric with either one having the capability of assuming an active or back-up capacity.
Each chassis in a redundant controller system must keep track of its redundancy status as a primary or secondary chassis so as to prevent conflicting control signals from being received by the controlled process from two chassis. For this reason it is desirable that each chassis have access to redundancy status information indicating whether it has a partner chassis and whether that partner is a primary or secondary chassis, and if a secondary chassis, whether it is `qualified`, that is, ready to assume control.
Qualification requires that the chassis have a full complement of functional modules (at least all the functional modules of the primary chassis) and the chassis have an up-to-date copy of the control program and the current data used by that control program. Qualification also requires that the two chassis are synchronized to the same point of execution in the control program. Generally, it is acceptable for the primary chassis to cede control to the secondary chassis only when that chassis is qualified. The status information for each chassis may be contained in a specialized backup module associated with each chassis which coordinates a switching over of control between chassis.