The present invention relates to industrial controllers used for real-time control of industrial processes, and in particular to high-reliability industrial controllers appropriate for use in devices intended to protect human life and health.
Industrial controllers are special purpose computers used in controlling industrial processes. Under the direction of a stored control program, an industrial controller examines a series of inputs reflecting the status of the controlled process and changes a series of outputs controlling the industrial process. The inputs and outputs may be binary, that is, on or off, or analog, providing a value within a continuous range. The inputs may be obtained from sensors attached to the controlled equipment and the outputs may be signals to actuators on the controlled equipment.
“Safety systems” are systems intended to ensure the safety of humans working in the environment of an industrial process. Such systems may include, for example, the electronics associated with emergency stop buttons, interlock switches and machine lockouts.
Safety systems were originally implemented by hard-wired safety relays but may now be constructed using a special class of high reliability industrial controllers. “High reliability” refers generally to systems that guard against the propagation of erroneous data or signals to a predetermined high level of probability (defined by Safety Certification Standards) by detecting error or fault conditions and signaling their occurrence and/or entering into a predetermined fault state. High reliability systems may be distinguished from high availability systems; however, the present invention may be useful in both such systems and therefore, as used herein, “high reliability” should not be considered to exclude high availability systems.
Standard protocols for high-speed serial communication networks normally used in industrial control are not sufficiently reliable for high reliability industrial controllers used for safety systems. For this reason, efforts have been undertaken to develop a “safety network protocol” for high-speed serial communication providing greater certainty in the transmission of data. Such safety network protocols employ a variety of error detecting means to ensure that even small errors may be detected at a very high probability and are described in co-pending application Ser. No. 09/663,824 filed 18 Sep. 2000 entitled “Network Independent Safety Protocol for Industrial Controllers” and Ser. No. 09/667,145 filed 21 Sep. 2000 entitled “Safety Network for Industrial Controllers Allowing Installation on Standard Networks”, both assigned to the same assignee as the present invention and hereby incorporated by reference.
A common part of many high-speed serial communication networks is a standard network interface circuit (NIC) that handles the low level protocol of the network. Such NICs may make use of one or more specialized integrated circuits produced at high volumes for low cost.
As part of the network protocol, the NIC may attach a cyclic redundancy code (CRC) to messages transmitted on the network. The CRC is functionally derived from the transmitted message and allows the detection of errors introduced into the message during transmission such as from electromagnetic interference. When the message is received, if the message and attached CRC no longer agree, corruption of the message may be inferred.
Ideally, the CRC used by the standard network interface circuit could be relied on in part to meet Safety Certification Standards. Unfortunately, error detection measures relied on under the most common Safety Certification Standards must be capable of being periodically tested, and common NICs do not allow errors to be injected into network messages and/or CRCs to test the receiving network interface circuits.
Accordingly, either the CRC error detecting circuitry of the standard NIC must be disregarded under the Safety Certification Standards or specialized NICs (that allow error injection) must be used. As a practical matter, these choices increase the cost or decrease the performance of the safety network.
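As an added illustration of the CRC mechanism and the periodic-test requirement described in the preceding paragraphs (this code is not part of the patent text and does not represent the invention's circuitry), the following C program computes the IEEE 802.3 CRC-32 that Ethernet NICs attach to frames, checks a received frame by recomputing the CRC and comparing it with the attached value, and then performs the kind of error-injection self-test the Safety Certification Standards call for: every single-bit error in a constructed frame is injected in turn and the checker is required to flag each one. The payload, the frame layout (CRC appended little-endian), and the function names are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* CRC-32 as used by IEEE 802.3 (Ethernet FCS): reflected polynomial
 * 0xEDB88320, initial value 0xFFFFFFFF, final XOR 0xFFFFFFFF. */
#define CRC32_POLY 0xEDB88320u

static uint32_t crc32_table[256];
static int crc32_table_ready = 0;

/* Build the byte-wise lookup table once (reflected/LSB-first form). */
static void crc32_init_table(void)
{
    for (uint32_t i = 0; i < 256; i++) {
        uint32_t c = i;
        for (int k = 0; k < 8; k++)
            c = (c & 1u) ? (CRC32_POLY ^ (c >> 1)) : (c >> 1);
        crc32_table[i] = c;
    }
    crc32_table_ready = 1;
}

/* CRC is a function of the whole message: every bit contributes. */
uint32_t crc32_compute(const uint8_t *data, size_t len)
{
    if (!crc32_table_ready) crc32_init_table();
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++)
        crc = crc32_table[(crc ^ data[i]) & 0xFFu] ^ (crc >> 8);
    return crc ^ 0xFFFFFFFFu;
}

/* Transmitter side (assumed layout): payload followed by CRC, little-endian.
 * Returns the frame length, or 0 if the buffer is too small. */
size_t frame_build(const uint8_t *payload, size_t len, uint8_t *frame, size_t frame_cap)
{
    if (frame_cap < len + 4) return 0;
    memcpy(frame, payload, len);
    uint32_t crc = crc32_compute(payload, len);
    frame[len]     = (uint8_t)(crc);
    frame[len + 1] = (uint8_t)(crc >> 8);
    frame[len + 2] = (uint8_t)(crc >> 16);
    frame[len + 3] = (uint8_t)(crc >> 24);
    return len + 4;
}

/* Receiver side: recompute the CRC over the payload and compare it with the
 * attached one. Returns 1 if they agree, 0 if corruption is inferred. */
int frame_check(const uint8_t *frame, size_t frame_len)
{
    if (frame_len < 4) return 0;
    size_t len = frame_len - 4;
    uint32_t attached = (uint32_t)frame[len]
                      | ((uint32_t)frame[len + 1] << 8)
                      | ((uint32_t)frame[len + 2] << 16)
                      | ((uint32_t)frame[len + 3] << 24);
    return crc32_compute(frame, len) == attached;
}

/* Periodic self-test of the checker: inject a single-bit error at every bit
 * position of a constructed frame (payload and CRC field alike) and confirm
 * each injection is detected. Returns the number of undetected injections
 * (0 = pass), or -1 if the unmodified frame itself fails the check. */
int crc_selftest_single_bit(void)
{
    const uint8_t payload[] = "safety-io-sample";   /* constructed test payload */
    uint8_t frame[64];
    size_t flen = frame_build(payload, sizeof payload - 1, frame, sizeof frame);
    if (flen == 0 || !frame_check(frame, flen)) return -1;

    int undetected = 0;
    for (size_t bit = 0; bit < flen * 8; bit++) {
        frame[bit / 8] ^= (uint8_t)(1u << (bit % 8));   /* inject the error */
        if (frame_check(frame, flen)) undetected++;
        frame[bit / 8] ^= (uint8_t)(1u << (bit % 8));   /* restore the frame */
    }
    return undetected;
}

int main(void)
{
    printf("CRC-32(\"123456789\") = 0x%08X\n",
           crc32_compute((const uint8_t *)"123456789", 9));
    printf("single-bit injection self-test: %d undetected\n", crc_selftest_single_bit());
    return 0;
}
```

The self-test passes because a CRC whose generator polynomial has a nonzero constant term detects every single-bit error, so the count of undetected injections is zero. Note the limitation the patent's background is pointing at: this test exercises a software checker against software-injected errors. When the CRC is computed and verified inside a standard NIC, the injected frames never reach the hardware comparator, so a test of this form does not demonstrate that the NIC's own circuit detects the errors, which is why the standards' periodic-test requirement cannot be satisfied by the NIC alone.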