The present invention relates to industrial controllers for controlling industrial processes and equipment, and more generally to an operating system suitable for a distributed industrial control system having multiple processing nodes spatially separated about a factory or the like.
Industrial controllers are special purpose computers used for controlling industrial processes and manufacturing equipment. Under the direction of a stored control program the industrial controller examines a series of inputs reflecting the status of the controlled process and in response, adjusts a series of outputs controlling the industrial process. The inputs and outputs may be binary, that is on or off, or analog providing a value within a continuous range of values.
Centralized industrial controllers may receive electrical inputs from the controlled process through remote input/output (I/O) modules communicating with the industrial controller over a high-speed communication network. Outputs generated by the industrial controller are likewise transmitted over the network to the I/O circuits to be communicated to the controlled equipment. The network provides a simplified means of communicating signals over a factory environment without multiple wires and the attendant cost of installation.
Effective real-time control is provided by executing the control program repeatedly in high speed xe2x80x9cscanxe2x80x9d cycles. During each scan cycle each input is read and new outputs are computed. Together with the high-speed communications network, this ensures the response of the control program to changes in the inputs and its generation of outputs will be rapid. All information is dealt with centrally by a well-characterized processor and communicated over a known communication network to yield predictable delay times critical to deterministic control.
The centralized industrial controller architecture, however, is not readily scalable, and with foreseeably large and complex control problems, unacceptable delays will result from the large amount of data that must be communicated to a central location and from the demands placed on the centralized processor. For this reason, it may be desirable to adopt a distributed control architecture in which multiple processors perform portions of the control program at spatially separate locations about the factory. By distributing the control, multiple processors may be brought to bear on the control problem reducing the burden on any individual processor and the amount of input and output data that must be transmitted.
Unfortunately, the distributed control model is not as well characterized as far as guaranteeing performance as is required for real-time control. Delay in the execution of a portion of the control program by one processor can be fatal to successful real-time execution of the control program, and because the demand for individual processor resources fluctuates, the potential for an unexpected overloading of a single processor is possible. This is particularly true when a number of different and independent application programs are executed on the distributed controller and where the application programs compete for the same set of physical hardware resources.
One problem in ensuring timely execution of tasks in a distributed environment arises in the processing of interrupts. Interrupts are electrical signals acting directly on the hardware of the processor to cause the processor to stop its current execution of a program and respond, typically, to an external device requiring immediate attention. Interrupts avoid inefficient polling by the processor of asynchronous signals and thus greatly improve the efficiency of some types of processing. Implicitly, interrupts normally have the highest priority with respect to response by the processor. A distributed control system with its attendant increased need for intercommunication among disparate components, may make extensive use of interrupts.
Unfortunately, because interrupts occur asynchronously to the execution of task on the processor, there exists the possibility that a large number of interrupts will occur within a small window of time thus preventing the timely execution of the task which is being interrupted. When the interrupts are caused by low priority tasks, the effects of this is a priority inversion where lower priority tasks displace higher priority tasks. This may lead to the failure of time critical tasks.
The present invention provides two methods of managing interrupts in the context of a real-time control system where task execution must proceed according to guaranteed completion times. For those interrupts associated with incoming messages and remote services provided by the operating system, the interrupts are embedded into a proxy task which is scheduled along with other tasks executed by a multitasking operating system. The proxy task may preempt the current task or may wait its turn depending on its priority.
All interrupts, are allocated to an interrupt window being a fixed percentage of time of the processor bandwidth. If interrupt window time is available, the interrupt is processed. Nested interrupting is allowed providing for a high degree of responsiveness of the control system. The interrupt window is subtracted from the of bandwidth of the processor that may be allocated in pre-allocation of bandwidth to application programs. Accordingly, guarantees of timely execution of programs having pre-allocated bandwidth may be ensured despite asynchronous interrupts such as may occur during run time.
Specifically, the present invention provides an interrupt manager for use with a processor forming part of a distributed control system. The interrupt manager includes interrupt reception circuitry receiving interrupt signals including a current interrupt. An interrupt window counter stores a value indicating the time remaining in a current window for the service of interrupts. The interrupt window counter is reset by a window timer at the expiration of each window period. A masking circuit masks current interrupts when the current interrupt would cause the value of the interrupt window counter to exceed the pre-allocated interrupt period.
Thus, it is one object of the invention to limit the servicing of interrupts to a finite period within each processing window. In this way, an arbitrary confluence of interrupts will not upset the deterministic execution of control tasks that must adhere to deadlines. The interrupt manager may mask interrupts until the determination is made as to whether the current interrupt may be executed.
Thus, it is another object of the invention to allow the initial evaluation of an interrupt to proceed without further interruptions.
The interrupt manager may determine whether the current interrupt may be processed by adding an estimate of the time for processing the current value of the interrupt window counter. The estimation may be modified during actual execution of the interrupt.
Upon the determination that the current interrupt may be executed within the interrupt window, the interrupts are unmasked.
It is yet another object of the invention to permit nested interrupts such as provides for responsive operation of the interrupt process.
Thus, it is another object of the invention to provide for simple before-the-fact determination of whether an interrupt can proceed by allowing the use of a conservative estimate that is refined during run time.
It is yet another object of the invention to allow for the processing of subsequent nested interrupts by pre-estimating the amount of time required by each interrupt as it is received. In this way, nested interrupts may be accepted prior to an initial interrupt being completed.
Upon completion of the interrupt, the interrupt manager may add the estimate of the interrupt processing time and subtract the actual interrupt processing time from the value of the interrupt window counter.
Thus, it is another object of the invention to provide accurate accounting of actual interrupt time used while allowing pre-allocation of the interrupt time window.
The interrupt manager may cease masking the current interrupt upon resetting of the interrupt window counter by the timer.
It is, therefore, another object of the invention to allow stalled interrupts to nevertheless execute in order.
The interrupt manager may include a resource allocating operating system pre-allocating portions of the window period, excluding the predetermined interrupt window, to multiple tasks to be executed on the processor so as to guarantee timely execution of those tasks.
Thus, it is another object of the invention to allow pre-allocation of hardware resources to particular control tasks while guaranteeing interrupts will not usurp that allocation.
For the communication circuit in which the interrupts are related to incoming messages, the interrupt manager may include a task scheduler receiving tasks and arranging them in a queue according to priorities for execution by the processor. The communication circuit may receive messages having priorities to generate a communication interrupt. An interrupt reception circuit may receive the communication interrupts and the priorities and generate corresponding proxy tasks having the priority and enroll the proxy task on the task scheduler queue.
Thus, it is another object of the invention to provide a mechanism for processing interrupts for communication devices when messages form connections between tasks executed on spatially separate hardware making use of the same scheduling framework as the rest of the tasks thereby guaranteeing timely execution of the task as is necessary for real-time control.
The task scheduler may consider both the priority and time constraint value.
Thus, it is another object of the invention to provide for a mixed priority scheduling of interrupts through the use of a proxy task.