The present invention relates to industrial controllers used for real-time control of industrial processes, and in particular to high-reliability industrial controllers appropriate for use in devices intended to protect human life and health. “High reliability” refers generally to systems that guard against the propagation of erroneous data or signals by detecting error or fault conditions and signaling their occurrence and/or entering into a predetermined fault state. High reliability systems may be distinguished from high availability systems; however, the present invention may be useful in both such systems and therefore, as used herein, high reliability should not be considered to exclude high availability systems.
Industrial controllers are special purpose computers used in controlling industrial processes. Under the direction of a stored control program, an industrial controller examines a series of inputs reflecting the status of the controlled process and changes a series of outputs controlling the industrial process. The inputs and outputs may be binary, that is, on or off, or analog, providing a value within a continuous range. The inputs may be obtained from sensors attached to the controlled equipment and the outputs may be signals to actuators on the controlled equipment.
“Safety systems” are systems intended to ensure the safety of humans working in the environment of an industrial process. Such systems may include the electronics associated with emergency stop buttons, interlock switches and machine lockouts. Traditionally, safety systems have been implemented by a set of circuits wholly separate from the industrial control system used to control the industrial process with which the safety system is associated. Such safety systems are “hard-wired” from switches and relays, some of which may be specialized “safety relays” allowing comparison of redundant signals and providing internal checking of conditions such as welded or stuck contacts. Safety systems may use switches with dual contacts providing an early indication of contact failure, and multiple contacts may be wired to actuators so that the actuators are energized only if multiple contacts close.
Hard-wired safety systems have proven inadequate as the complexity of industrial processes has increased. This is in part because of the cost of installing and wiring relays and in part because of the difficulty of troubleshooting and maintaining the “program” implemented by the safety system, in which the logic can only be changed by rewiring physical relays and switches.
For this reason, there is considerable interest in implementing safety systems using industrial controllers. Such controllers are easier to program and have reduced installation costs because of their use of a high-speed serial communication network eliminating long runs of point-to-point wiring.
The redundant control signals used to detect failures in hard-wired systems (when they don't match) do not always change at exactly the same time. Accordingly a window of time is established during which lack of coincidence of the signals is ignored. Ideally, this window is short so that actual failures can be quickly identified.
A short coincidence window creates problems, however, when a high reliability system is implemented on a standard serial network such as is used in control systems. This is because, for reasonable network bandwidths, queuing of messages introduces skew in the transmission of the redundant signals, requiring an undesirable lengthening of the transmission window. This is particularly true when the communication of signals requires reply messages with separate network transmissions.
What is needed is a safety network that is compatible with conventional industrial controller serial networks and components yet that provides the benefits that come from using redundant control signals. Ideally such a safety network would work with the currently available bandwidths of industrial control networks.
The present invention facilitates the transmission and use of redundant control signals on standard serial networks by moving the coincidence detection step to the message producers prior to transmission of the control signal on the network. A single coincidence signal is developed with a short coincidence window that may then be redundantly transmitted over the network. Because the coincidence is resolved prior to transmission, network skew does not require a lengthening of the coincidence window.
Specifically, the present invention provides a high reliability industrial control system having a controller with a first network interface to a shared serial network. The industrial control system also includes an input module with at least two interface circuits for receiving at least two redundant input signals, the interface circuits communicating with at least one processor via an internal bus. The processor further communicates with a second network interface to the shared serial network and executes a stored program to: receive the redundant input signals processed by the interface circuits; determine a coincidence of the redundant input signals within a window of a predefined time period; and only when there is coincidence within the window, transmit via the second network interface at least one coincidence signal indicating a coincident state of the redundant input signals to the controller.
Thus it is one object of the invention to permit the use of a relatively short predefined time period for the coincidence window by eliminating the effect of network skew of the input signals.
The processor may further execute the stored program to transmit to the controller at least two redundant messages on the shared network indicating the coincident state of the redundant input signals when there is coincidence within the window.
Thus it is another object of the invention to eliminate the effect of network skew on the processing of redundant signals while preserving the redundant communications channels.
The interface circuit may include two processors with each interface circuit communicating with a different processor, and the processors may communicate with each other via an internal bus to each receive a different one of the redundant input signals processed by the interface circuits and to communicate with the other processor to determine a coincidence of the redundant input signals within a window of a predefined time period; and only when there is coincidence within the window, to transmit to the controller via the second network interface a common coincidence signal indicating a coincident state of the redundant input signals. The second network interface may include two redundant interface circuits each dedicated to one of the processors.
Thus it is a further object of the invention to provide the benefit of a reduced coincidence window while preserving redundancy in hardware components.
The input circuits may sample the redundant input signals at regular sample times, and the processor may determine that a coincidence exists within the window by detecting a lack of coincidence, reviewing a predetermined number of subsequent samples commensurate with the period of time of the window, and determining a coincidence only if coincidence is obtained at one of the predetermined number of samples.
Thus it is another object of the invention to provide a simple method of determining coincidence within a window such as may be executed by input and output circuits.
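The producer-side coincidence check and the redundant transmission of the resolved state, as an added example in C that is not part of the patent text and does not represent any product's firmware. The sample stream, the message layout, the enumeration names and the sequence number are constructed for illustration; `window` is the predetermined number of samples that stands in for the coincidence window's time period.

```c
#include <stddef.h>
#include <stdint.h>

/* One sample of a redundant input pair (channel A, channel B) as read by the
 * two interface circuits at a regular sample time. */
typedef struct { uint8_t a; uint8_t b; } pair_sample_t;

/* COINCIDENT: channels agree, a signal may be sent; PENDING: they disagree but
 * the window has not expired; FAULT: window expired, nothing is sent. */
typedef enum { COINCIDENT, PENDING, FAULT } result_t;

/* Producer-side check over samples in time order (oldest first). After a
 * mismatch the next `window` samples are reviewed; coincidence holds only if
 * the channels agree at one of them. On success *state gets the agreed value. */
result_t check_coincidence(const pair_sample_t *s, size_t n, size_t window,
                           uint8_t *state)
{
    result_t r = PENDING;
    size_t mismatched = 0;   /* consecutive samples without agreement */
    for (size_t i = 0; i < n; i++) {
        if (s[i].a != s[i].b) {
            if (++mismatched > window)
                return FAULT;  /* skew exceeded the coincidence window */
            r = PENDING;
            continue;
        }
        *state = s[i].a;
        mismatched = 0;
        r = COINCIDENT;
    }
    return r;
}
/* Hypothetical coincidence message carried to the controller. */
typedef struct { uint8_t seq; uint8_t state; } coincidence_msg_t;

/* Fills two redundant copies of the resolved state (one per network channel)
 * and returns 2; returns 0 when no message may leave the producer. */
size_t produce_coincidence(const pair_sample_t *s, size_t n, size_t window,
                           uint8_t seq, coincidence_msg_t out[2])
{
    uint8_t state;
    if (check_coincidence(s, n, window, &state) != COINCIDENT)
        return 0;
    out[0] = (coincidence_msg_t){ seq, state };   /* channel 1 */
    out[1] = (coincidence_msg_t){ seq, state };   /* channel 2, redundant */
    return 2;
}

/* Constructed sample stream: channel B lags channel A by two sample times. */
static const pair_sample_t DEMO[] = { {0, 0}, {1, 0}, {1, 0}, {1, 1} };
```

Because the window is consumed at the producer, the two messages that reach the network already carry one agreed state, so queuing skew between them no longer has to be absorbed by the controller's window.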
The invention may further include a third network interface to the shared serial network for creating an output signal related to at least one of the redundant input signals and the output circuit may communicate its output signal to the input module via the third network interface and wherein the communicated output signal is the coincidence signal.
It is a further object of the invention to prevent the accumulation of network skew, and its adverse effect on the coincidence window, in messages that may be multiply transmitted first to an output circuit, then back to the originating input circuit.
The invention may provide four input circuits for receiving at least two pairs of redundant input signals, and the processor may further execute the stored program to receive the two pairs of redundant input signals processed by the interface circuits; determine a first and second coincidence of the respective pairs of redundant input signals within at least one window of the predefined time period; and only when there is coincidence within the window for each of the two pairs of input signals, map the state of the two pairs of inputs to a lesser number of transmission states, transmitting via the second network interface at least one coincidence signal indicating a transmission state of the redundant input signals to the controller.
Thus it is another object of the invention to provide for further compression of data to be sent over the network by abstracting from the input data a subset of states that may either be expressed in smaller amounts of data or be transmitted less frequently, at fewer state changes.
The foregoing and other objects and advantages of the invention will appear from the following description. In the description, reference is made to the accompanying drawings, which form a part hereof, and in which there is shown by way of illustration a preferred embodiment of the invention. Such embodiment does not necessarily represent the full scope of the invention, however, and reference must be made to the claims herein for interpreting the scope of the invention.