Programmable controllers are a common type of industrial computer for operating a wide variety of manufacturing equipment, such as assembly lines and machine tools, in accordance with a stored program. The program comprises a series of process control instructions which are read out and executed to examine the state of selected sensing devices on the controlled equipment, and to energize or deenergize selected operating devices contingent upon the state of one or more of the examined sensing devices.
The state of many sensing and operating devices can be represented by a single bit of data which is manipulated by the control program instructions. Other devices, such as position sensors, provide multiple bits of data representing a condition of the equipment being controlled. For these latter devices, instructions are provided to manipulate bytes and words of data representing the state of the sensing and operating devices. Additional program instructions perform arithmetic operations, timing and counting functions, and complex statistical reporting operations. Such instructions have become quite standardized in the industry and are directly associated with the elements of a ladder logic diagram which is easily understood by process control engineers. Program panels such as those described in U.S. Pat. Nos. 3,798,612; 3,813,649 and 4,070,702 have been developed to assist the user in developing and editing ladder logic control programs comprised of such programmable controller instructions.
There are many applications of programmable controllers in which "down time" resulting from malfunction of the controller must be minimized. For example, the cost of shutting down an automobile assembly line is enormous and extraordinary measures are taken to insure that quality components are employed in the control systems. In other manufacturing systems, such as chemical processing, failure of the control system can result in the loss of a large quantity of the product being produced. Despite these efforts it is statistically certain that malfunctions or failures will occur in the electrical and mechanical components.
One system which provides redundant control utilizes two programmable controllers interfaced to the same set of input and output (I/O) circuits. One programmable controller, considered as the primary device, executes a control program and actively exchanges data with the I/O circuits to control the operation of the machine. The other programmable controller, designated the backup device, executes or waits to execute the same control program, but does not exchange data with the I/O circuits. A cable extends between the two programmable controllers for the exchange of a number of control signals which coordinate the mutual operation of the two devices. The accurate transmission of the control signals through the cable is critical to the proper operation of the redundant system. Thus it is desirable to employ a technique to detect errors in the transmission.
Parity bits are a common technique for detecting errors in digital signals. In this method, the transmitter of the signals computes a parity bit which indicates whether an odd or an even number of logical one bits is being sent. The parity bit is sent in parallel along with the data. The receiver computes its own parity bit from the received data and compares that bit to the parity bit sent by the transmitter. If the data was uncorrupted during transmission, the two parity bits will be the same.
However, a conventional parity test cannot be applied to the control signals sent between the redundant programmable controllers. Those signals are sent asynchronously in parallel. As a consequence, any given signal many change logic levels at any time and reach the recipient device before the parity bit from the transmitter has changed states. In this case the recipient would erroneously conclude that a transmission error has occurred. An erroneous conclusion of parity errors could adversely affect the proper transfer of control between the programmable controllers should the primary one malfunction.