The present invention relates to a method of exchanging primary and secondary roles of a redundant pair of processors, and more particularly, to a method of enacting failover wherein the secondary processor, of a redundant pair of processors operating in a primary and secondary role, can detect and enact a failover (ie, exchange) when the primary processor has failed.
Process Control Systems with backup process controllers such as described and claimed in U.S. Pat. No. 4,133,027, issued to J. A. Hogan on Jan. 2, 1979, and U.S. Pat. No. 4,141,066, issued to Y. Keiles on Feb. 20, 1979, include a backup controller having a dedicated Random Access Memory (RAM) and a dedicated Read-Only Memory (ROM). The backup controller is essentially idle or can be doing some background tasks, but not tasks relating directly to the process control function. Upon detection of a failure of one of the primary process controllers, the data stored in the RAM of the failed controller must be transferred to the RAM of the backup controller to perform the operations of the primary controller. These systems describe a 1:N redundancy system.
Existing systems, such as that described in U.S. patent application, Ser. No. 07/299,859, filed on Jan. 23, 1989, and assigned to Honeywell Inc., the assignee of the present application, provide for a 1:1 redundancy system, whereby the data base of a secondary device (i.e., secondary or backup controller) is updated periodically such that the updating process is transparent to the primary functions and does not tie-up (or penalize) CPU or processor performance and utilizes a minimum amount of time. When a failover condition occurs, there is a period of time when no communications can take place (i.e., an outage) between the primary controller and the remainder of the system. Further, the primary and secondary controllers are in a predefined location, and the software utilized for implementing this redundancy feature (i.e., redundancy software) is not transparent to other layers of software above the redundancy software. For example, if a Universal Station of a plant control network were to interrogate a controller (i.e., a primary controller since the secondary controller cannot be interrogated), of a process controller of a process control system, for a value, during failover the controller is unable to respond and the universal station outputs question marks on the display to the operator.
The present invention provides a method wherein the primary and secondary processors of a redundant pair of processors can exchange roles without resynchronizing (ie, recopying) the data base from the primary processor to the secondary processor, and permits the secondary processor to exercise the control function of a primary processor immediately without any delay (for initialization, updating data bases, . . . ) In the preferred embodiment the system in which the present invention can be found, the primary and secondary processors cannot initiate communications between each other on a communication network. In the present invention, the processors utilize control lines to a common output circuit to indicate status information between the processors. Further, the processor failover is transparent with respect to data access to all data users of the master node, including external nodes that communicate with the master, in which the primary and secondary processor are included.