1. Field of the Invention
The field of this invention related to computerized control systems for gathering sensor data from field units and triggering alarms or taking other actions based on the sensor data with respect to such control elements. More particularly this invention relates to multiple processor control units which are synchronized and evaluate sensor data for valid data.
2. Related Art
Many multiple processor control systems are available in the related art. These include systems as typified by U.S. Pat. No. 5,455.914 to Hashemi, et al. includes a multiple module processor which is controlled from a central computer station.
U.S. Pat. No. 4,616,312 to Uebel, describes a two-out-of-three selecting facility in a three-computer system for a Triple Redundant Computer System which is especially suitable for use with microprocessors having a large number of outputs. The computers of the three computer system handle the same processor information in parallel, but exchange their results in an asynchronous manner and compares them.
U.S. Pat. No. 4,627,055 to Mori, et al. describes a decentralized processing method and system having a plurality of subsystems of the same type which are connected to one another. Each subsystem has a diagnostic mean for diagnosis of failure in the other subsystems and functions to take suitable counter-measures.
U.S. Pat. No. 5,239,641 to Horst, for a method and a apparatus for synchronizing a plurality of processors. Each processor runs off its own independent clock, indicates the occurrence of a predescribed processor event on one line and receives signals on another line for initiating a processor wait state.
However, the I/O architecture of the present invention is fundamentally different from prior systems, in that the prior systems rely on intelligent I/O modules, with one microprocessor per leg per module, while the present invention relies on centralized I/O logic, with one microprocessor per leg, controlling all the I/O modules. A degree of local intelligence on each I/O module is implemented through gate array logic, acting primarily as a slave to the main processor. This architecture reduces the component cost and eliminates the significant size of such system which are usually housed in a central location. A unique synchronization system keeps the local clocks in synchronization.
The present invention provides a system which is intended to operate adjacent the equipment being controlled.
The control system of the present invention comprises a fault tolerant controller, control system platform or computer system having a triple modular redundant (TMR) architecture. The controller consist of three identical channels, except for the power modules which are dual-redundant. Each channel independently executes the application program in parallel with the other two channels. A voting system with voting mechanisms which qualify and verify all digital inputs and outputs from the field; analog inputs are subject to a mid-value selection process.
Each channel is isolated from the others, no single-point failure in any channel can pass to another. If a hardware failure occurs in one channel, the faulty channel is overridden by the other channels. Repair consists of removing and replacing the failed module in the faulty channel while the controller is online and without process interruption.
The controller of the present invention features triplicated main processor modules (MP), input/output modules (I/O) and optionally one or two Local Communications modules (LCM). Each I/O module houses the circuitry for three independent channels. Each channel on the input modules reads the process data and passes that information to its respective MP. The three MP communicate with each other using a high-speed bus called Channel 11.
The system is a scan based system and once per scan, the MP module synchronizes and communicate with the neighboring MPs over the Channel 11. The Channel 11 forwards copies of all analog and digital input data to each MP, and compares output data from each MP. The MPs vote the input data, execute the application program and send outputs generated by the application program to the output modules. In addition, the controller votes the output data on the output modules as close to the field as possible to detect and compensate for any errors that could occur between the Channel 11 voting and the final output driven to the field. For each I/O module, the controller can support an option hot-spare module. If present, the hot-spare takes control if a fault is detected on the primary module during operation. The hot-spare position is also used for the online-hot repair of a faulty I/O module.
The MP modules each control a separate channel and operates in parallel with the other two MPs. A dedicated I/O control processor on each MP manages the data exchanged between the MP and the I/O modules. A triplicated I/O bus, located on the base plates, extends from one column of I/O modules to another column of I/O modules using I/O bus cables. In this way the system can be expanded. Each MP poles the appropriate channel of the I/O bus and the I/O bus transmits new input data to the MP on the polling channel. The input data is assembled into a table in the MP and is stored in memory for use in the voting process.
Each input table in each MP is transferred to its neighboring MP over the Channel 11. After this transfer, voting takes place. The Channel 11 uses a programmable device with a direct memory access to synchronize, transmit, and compare data among the three MPs.
If a disagreement occurs, the signal value found in two of three tables prevails, and the third table is corrected accordingly. Each MP maintains data about necessary correction in local memory. Any disparity is flagged and used at the end of the scan by built-in fault analyzer routines to determine whether a fault exists on a particular module.
The MPs send corrected data to the application program and then executes the application program in parallel with the neighboring MP and generates a table of output values that are based on the table of input values according to user-defined rules. The I/O control processor on each MP manages the transmission of output data to the output modules by means of the I/O bus.
Using the table out output values, the I/O control processor generates smaller tables, each corresponding to an individual output module. Each small table is transmitted to the appropriate channel of the corresponding output module over the I/O bus. For example, MP A transmits the appropriate table to channel A of each output module over the I/O bus A. The transmittal of output data has priority over the routine scanning of all I/O modules.
Each MP provides a 16-megabyte DRAM for the user-written application program, sequence-of-events (SOE) tracking, and I/O data, diagnostics and communication buffers. The application program is stored in flash EPROM and loaded into DRAM for execution. The MPs receive power from redundant 24 VDC power sources. In the event of an external power failure, all critical retentive data is stored in NVRAM. A failure of one power source does not affect controller performance. If the controller loses power, the application program and all critical data are retained.
In addition, each MP can provide direct development and monitoring computer support and Modbus communication Each MP provides one (IEEE 802.3 Ethernet) Development System computer port for downloading the application program to the Trident controller and uploading diagnostic information., one Modbus RE-232/RS-485 serial port which acts as a slave while an external host computer is the master. Typically, a distributed control system (DCS) monitors and optionally updates the controller data directly through an MP.
The triplicated I/O bus is carried baseplate-to-baseplate using Interconnect Assemblies, extender modules, and I/O bus cables. The redundant logic power distribution system is carried using Interconnect Assemblies and Extender modules.
The Channel 11, which is local to the MP baseplate, consists of three independent, serial links operating at 25 Mbaud. It synchronizes the MPs at the beginning of a scan. Then each MP sends its data to its upstream and downstream neighbors. The Channel 11 takes the following actions: transfers input, diagnostic and communication data, compares data and flags disagreements for the previous scan""s output data and application program memory. A single transmitter is used to send data to both the upstream and downstream MPs. This ensures that the same data is received by the upstream processor and the downstream processor.
Field signal distribution is local to each I/O baseplate. Each I/O module transfers signals to or from the field through its associated baseplate assembly. The two I/O module slots on the baseplate tie together as one logical slot. A first position holds the active I/O module and the second position holds the hot-spare I/O module. Each field connection on the baseplate extends to both active and hot-spare I/O modules. Therefore, both the active module and the hot-spare module receive the same information from the field termination wiring.
The 2 Mbaud triplicated I/O bus transfers data between the I/O modules and the MP. The I/O bus is carried along the DIN mounting rail and can be extended to multiple DIN rails. Each channel of the I/O bus runs between one MP and the corresponding channel on the I/O module. The I/O bus extends between DIN rails using a set of three I/O bus cables.
Logic power for the module on each DIN mounting rail draws power from the power rails through redundant DC-DC power converters. Each channel is powered independently from these redundant power sources.
The controller of the present invention incorporates integral online diagnostics. These diagnostics and specialized fault monitoring circuitry are able to detect and alarm all single fault and most multiple fault conditions. The circuitry includes but is not necessarily limited to I/O loop-back, watch-dog timers, and loss-of power sensors. Using the alarm information, the user is able to tailor the response of the system to the specific fault sequence and operating priorities of the application.
Each module can activate the system integrity alarm, which consists of normally closed (NC) relay contacts on each MP Module. Any failure condition, including loss or brown-out of system power, activates the alarm to summon plant maintenance personnel.
The front panel of each module provides light-emitting-diode (LED) indicators that show the status of the module or the external systems to which it may be connected, PASS, FAULT, and ACTIVE are common indicators. Other indicators are modulexe2x80x94specific. A common module housing structure which accepts all circuit boards for the various modules
Normal maintenance consists of replacing plug-in modules. A lighted FAULT indicator shows that the module has detected a fault and must be replaced.
All internal diagnostic and alarm status data is available for remote logging and report generation. Reporting is done through a local or remote host computer.
Additional special features include fault testing of channels through a loop-back through the base plate to ensure that the transmitting module is accurately transmitting data, and status information.
The MP modules running in parallel rendezvous each scan to vote, and run the application program. At each rendezvous the modules are time synchronized by the adjustment of their time clocks by a specific amount. Dependent on the disparity between time clocks either a positive or a negative adjustment is made to those clocks out of synchronization.
A System Executive runs the application program developed by a control engineer for a specific industrial site which is downloaded from a development PC. A System Input/Output Executive facilitates communication with the input/output modules and the System Executive. Both the System Executive and the System Input/Output Executive are resident on each MP processor modules.
Each processor module MP consists of two semi-independent designs, the processor section and the input/output section. The processor section is dedicated to the System Executive and associated firmware, the input/output section is dedicated to System Input/Output Executive and associated firmware. There are three processor modules in a system.
The three processor modules communicate with each other via an inter-processor bus called the Channel 11. The Channel 11 is a high speed fault tolerant communication path between the processors and is used primarily used for voting data. The three processor modules are time synchronized with each other by a fault tolerant subsystem called the synchronization system. Each processor module contains two ports that can be used for interface with a development computer system or as a slave interface. Each processor module also contains one optional port for System Executive development or LAN support. The System Executive for each processor module communicates with its companion Input/Output section for that processor via a shared memory interface. Each Input/Output section communicates with at least one Input/Output module via a triplicated communications bus. Each processor module also communicates with at least one communications module via a triplicated communications bus. The communication module provides TCP/IP networking connections to the development PC and DCS hosts. The communication module also provides development and slave interface ports.
Several interconnect legs couple each of the processor modules together to form the System Controller. Each leg of the System controller is controlled by separate processor modules and each processor module operates in parallel with the other two processor modules, as a member of a triad. The input/output executive scans each input/output module via the input/output bus. As each input/output module is scanned, the new input data is transmitted by the input/output module to processor module via shared memory located on the printed circuit board supporting the processor module and the input/output module.
The processor module stores the input data into an input table in its memory for evaluation by the application program.
Prior to the application program evaluation, the input table in each processor module is compared with the input tables on the other processor modules via the Channel 11. The Channel 11 is a three channel parallel to serial/serial to parallel communications interface with DMA controller, hardware loop-back fault detection, CRC checking and processor module to processor module electrical isolation.
The complete input data in the table for each MP/IOP module 1 is transferred to the other MP/IOP module 1 in the system and then xe2x80x9cvotedxe2x80x9d by the System Executive firmware SX 15xe2x80x2. After the Channel 11 transfer and input data voting has corrected the input values, the values are evaluated by the application program. The application program is executed in parallel on each processor module by the MPC860 microprocessor which forms the processor module. The application program generates a set of output values based upon the input values, according to the rules built in to the program by the Control Engineer. The processor section transmits the output values to the Input/Output section via a shared memory. The processor section also votes the output values via Channel 11 access to detect faults, i.e. non-compliant component. The input/output module separates the output data corresponding to individual Input/Output modules in the system. Output data for each input/output module is transmitted via an Input/Output bus to the Input/Output modules for application to field units.