The present invention relates to industrial controllers used for real-time control of industrial processes, and in particular to high-reliability industrial controllers appropriate for use in devices intended to protect human life and health. "High reliability" refers generally to systems that guard against the propagation of erroneous data or signals by detecting error or fault conditions and signaling their occurrence and/or entering into a predetermined fault state. High reliability systems may be distinguished from high availability systems; however, the present invention may be useful in both such systems and therefore, as used herein, high reliability should not be considered to exclude high availability systems.
Industrial controllers are special purpose computers used in controlling industrial processes. Under the direction of a stored control program, an industrial controller examines a series of inputs reflecting the status of the controlled process and changes a series of outputs controlling the industrial process. The inputs and outputs may be binary, that is, on or off, or analog, providing a value within a continuous range. The inputs may be obtained from sensors attached to the controlled equipment and the outputs may be signals to actuators on the controlled equipment.
"Safety systems" are systems intended to ensure the safety of humans working in the environment of an industrial process. Such systems may include the electronics associated with emergency stop buttons, interlock switches and machine lockouts. Traditionally, safety systems have been implemented by a set of circuits wholly separate from the industrial control system used to control the industrial process with which the safety system is associated. Such safety systems are "hard-wired" from switches and relays, some of which may be specialized "safety relays" allowing comparison of redundant signals and providing internal checking of conditions such as welded or stuck contacts. Safety systems may use switches with dual contacts providing an early indication of contact failure, and multiple contacts may be wired to actuators so that the actuators are energized only if multiple contacts close.
Hard-wired safety systems have proven inadequate as the complexity of industrial processes has increased. This is in part because of the cost of installing and wiring relays and in part because of the difficulty of troubleshooting and maintaining the "program" implemented by the safety system, in which the logic can only be changed by rewiring physical relays and switches.
For this reason, there is considerable interest in implementing safety systems using industrial controllers. Such controllers are easier to program and have reduced installation costs because of their use of a high-speed serial communication network eliminating long runs of point-to-point wiring.
Unfortunately, high-speed serial communication networks commonly used in industrial control are not sufficiently reliable for safety systems. For this reason, efforts have been undertaken to develop a "safety network", that is, a high-speed serial communication network providing greater certainty in the transmission of data. Currently proposed safety networks are incompatible with the protocols widely used in industrial control. Accordingly, if these new safety networks are adopted, existing industrial controller hardware and standard technologies may be unusable, imposing high costs on existing and new factories. Such costs may detrimentally postpone wide scale adoption of advanced safety technology.
What is needed is a safety network that is compatible with conventional industrial controller networks and components. Ideally such a safety network would work with a wide variety of different standard communication protocols and would allow the mixing of standard industrial control components and safety system components without compromising reliability.
The present invention provides a high-reliability communications system that can make use of standard networks for initialization.
One requirement of a high reliability system is that messages not be mis-directed.
This ordinarily can be assured by giving each communicating device a way of identifying itself and making sure that each device establishes the identity of all other parties with whom it communicates. Ideally, the identities will be unique to a given "connection" or communication pair of one message producer and one message consumer.
Another requirement is that all parties know the parameters of communication. Errors in communication parameters can cause messages to be misinterpreted or unintelligible.
The need to notify each device of its identity and to communicate common communication parameters is best met by transmitting parameters and identities to the devices over the standard network as the high reliability communications system is initialized. Unfortunately, the distribution of identities and parameters over a standard network can work against establishing a high reliability communications system, if there is appreciable chance that the identities or parameters will be mis-directed or garbled.
The present invention allows the configuration of a highly reliable communications system over a standard network by use of a configuration tool (possibly a separate device) symmetrically communicating configuration data to two devices intended to communicate with each other during control time. The configuration data provides both identities to the communicating parties (unique to a connection or communication pair) and also conveys important parameters of the communication. After receiving the configuration data, the two intercommunicating parties may compare configuration data to ensure that they are correctly part of a connection.
Specifically, the present invention provides a method of establishing high reliability communication among components of an industrial control system exchanging control signals with a controlled process, the components communicating over a standard network. The method includes the first step of transmitting a configuration message from a configuration source to a first component and a second component over the standard network using a standard network protocol, the configuration message providing data related to a high reliability communications protocol usable on the standard network. In a next step, the configuration source receives a configuration response message from the first component and the second component, the configuration response message describing data of a configuration message previously received by the first component and the second component. Communication of control signals between the first and second component, as defined by the data of the configuration message, is enabled only if the configuration response message received by the configuration source describes the same data as the configuration message transmitted from the configuration source.
Thus it is one object of the invention to permit a standard network to be used to configure and identify devices that will be communicating as part of a high reliability communications system. The symmetrical transmission of the configuration data to the two intercommunicating devices and the need for a response message reflecting the configuration data reduces many types of errors to which standard networks are prone.
The data of the configuration message may be stored at the first component and the second component and if the configuration response message received by the configuration source describes different data from the data of the configuration message, the method may include the further step of sending a clear message from the configuration source to the first component and the second component causing the clearing of the configuration message stored at the first component and the second component.
Thus it is another object of the invention to prevent later miscommunications in a high reliability system that may result from a detected error caused by the standard network.
The configuration response messages may describe data by sending a ones complement transformation of the data in the configuration message.
Thus it is another object of the invention to detect errors that would not be revealed in a simple echo acknowledgement.
When the configuration response message received by the configuration source describes the data of the configuration message transmitted by the configuration source, the method may communicate a configuration apply message from the configuration source to the first component and the second component, and the communication of control signals between the first component and the second component using the high reliability communication protocol on the standard network may only be enabled if the apply message is received by the first component and the second component. Further, if the apply message is not received within a predetermined period of time, the first and second components may clear their configuration messages.
Thus it is another object of the invention to ensure that the parties to high reliability communications receive positive indication of correct configuration.
When the configuration apply message is received by the first component and the second component, the method may communicate an apply acknowledgement message from the first component and the second component to the configuration source, and the communication of control signals between the first and second components may be enabled only if the apply acknowledgement message is received by the configuration source.
Thus it is another object of the invention to provide an indication of correct initialization to a central location for, if necessary, stopping other ostensibly proper communications connections.
The invention may open a connection on the standard network between the first and second component and send a message from the first component to the second component using the standard communication protocol and identifying the data of the configuration message. Only if the data of the configuration message received at the second component matches the configuration data previously received from the configuration source and stored at the first and second component is an acknowledgement signal sent from the second component to the first component and the communication of control signals between the first and second components allowed.
Thus it is another object of the invention to reduce the possibility of mis-directed messages caused by mis-direction of the original configuration message from the configuration source to the first and second components. By having the components also check that their configuration data match, such mis-direction may be detected.
The data of the configuration message includes data uniquely identifying the first and second components as parties of communication on the standard network and may include: a serial number, a device type, a functional type, a vendor identification, a product code used by the vendor to identify the first component, or a revision number of programming of the first or second components.
Alternatively or in addition, the configuration data may include data defining parameters of operation of the high reliability protocol for communication between the first and second components, such as: a periodic time interval indicating a minimum expected frequency of initiation of transmission of data between the first and second components, a reply timer interval indicating a maximum expected delay between an initiation of transmission and a reply to that transmission between the first and second components, a filter count indicating a window of time within which a coincidence of redundant control signals must exist for no error condition to occur, a retry limit indicating how many transmission message retries are allowed before an error condition occurs, a safety state to which outputs of the first or second components will revert upon an error condition, and an I/O family indicating other outputs of the first or second components which should revert to a safety state upon an error condition related to a single output of the first or second device.
Thus it is another object of the invention to simultaneously establish identity and communication parameters for devices that will communicate using highly reliable protocols.
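The configuration exchange described above (configuration message, ones complement response, clear on mismatch, apply with timeout, apply acknowledgement, and the components' own check over the opened connection) as an added simulation; this is illustrative code written for this summary, not the patent's or any vendor's implementation. The record layout in `encode_config`, the `Component` class and the 500 ms apply timeout are assumptions; the fields are modelled on those the description lists.

```python
import struct

# Configuration record: connection identity plus protocol parameters.
# Field set and layout are an assumption modelled on the listed fields.
CONFIG_FMT = ">IIIHHB"   # conn_id, serial_1, serial_2, periodic_ms, reply_ms, retry_limit

def encode_config(conn_id, serial_1, serial_2, periodic_ms, reply_ms, retry_limit):
    return struct.pack(CONFIG_FMT, conn_id, serial_1, serial_2,
                       periodic_ms, reply_ms, retry_limit)

def ones_complement(data: bytes) -> bytes:
    """Response transform: every bit inverted, so a stuck or echoed link never matches."""
    return bytes(b ^ 0xFF for b in data)

class Component:
    """One of the two communicating devices (hypothetical model, not the patent's code)."""
    def __init__(self):
        self.stored, self.deadline, self.applied = None, None, False
    def on_config(self, data: bytes, now_ms: int, apply_timeout_ms: int = 500) -> bytes:
        self.stored, self.deadline = data, now_ms + apply_timeout_ms
        return ones_complement(data)           # configuration response message
    def on_clear(self):
        self.stored, self.deadline, self.applied = None, None, False
    def on_apply(self, now_ms: int) -> bool:
        if self.stored is None or now_ms > self.deadline:
            self.on_clear()                    # apply arrived too late: forget config
            return False
        self.applied = True
        return True                            # apply acknowledgement
    def on_open(self, peer_data: bytes) -> bool:
        """Control-time check: the peer must present the same configuration we hold."""
        return self.applied and peer_data == self.stored

def configure(data: bytes, first: Component, second: Component,
              links=(lambda d: d, lambda d: d), t_config: int = 0, t_apply: int = 10) -> bool:
    """Configuration-source side. `links` model the standard network to each
    component (identity for a clean link; a corrupting function injects an error)."""
    pair = (first, second)
    responses = [c.on_config(link(data), t_config) for c, link in zip(pair, links)]
    if any(ones_complement(r) != data for r in responses):
        for c in pair:
            c.on_clear()                       # clear message to both components
        return False
    acks = [c.on_apply(t_apply) for c in pair]
    if not all(acks):
        for c in pair:
            c.on_clear()                       # no complete acknowledgement: do not enable
        return False
    # Components verify each other directly over the opened connection.
    return second.on_open(first.stored) and first.on_open(second.stored)
```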
The foregoing and other objects and advantages of the invention will appear from the following description. In the description, reference is made to the accompanying drawings, which form a part hereof, and in which there is shown by way of illustration a preferred embodiment of the invention. Such embodiment does not necessarily represent the full scope of the invention, however, and reference must be made to the claims herein for interpreting the scope of the invention.