The present invention relates to a method of data base maintenance, and more particularly, to a method of synchronizing and maintaining synchronization of a secondary slave processor to a primary slave processor, wherein the primary and secondary slave processors are each utilizing separate clocks. Further, the two slave processors cannot initiate messages to one another or communicate directly with one another.
Process Control Systems with backup process controllers such as described and claimed in U.S. Pat. No. 4,133,027, issued to J.A. Hogan on Jan. 2, 1979, and U.S. Pat. No. 4,141,066, issued to Y. Keiles on Feb. 20, 1979, include a backup controller having a dedicated Random Access Memory (RAM) and a dedicated Read-Only Memory (ROM). The backup controller is essentially idle or can be doing some background tasks, but not tasks relating directly to the process control function. Upon detection of a failure of one of the primary process controllers, the data stored in the RAM of the failed controller must be transferred to the RAM of the backup controller to perform the operations of the primary controller. These systems describe a 1:N redundancy system.
Existing systems, such as that described in U.S. Pat. No. 4,958,270, and assigned to Honeywell Inc., the assignee of the present application, provide for a 1:1 redundancy system, whereby the data base of a secondary device (i.e., secondary or backup controller) is updated periodically such that the updating process is transparent to the primary functions and does not tie-up (or penalize) CPU or processor performance and utilizes a minimum amount of time. When a failover condition occurs, there is a period of time when no communications can take place (i.e., an outage) between the primary controller and the remainder of the system. Further, the primary and secondary controllers are in a predefined location, and the software utilized for implementing this redundancy feature (i.e., redundancy software) is not transparent to other layers of software above the redundancy software. For example, if a Universal Station of a plant control network were to interrogate a controller (i.e., a primary controller since the secondary controller cannot be interrogated), of a process controller of a process control system, for a value, during failover the controller is unable to respond and the universal station outputs question marks on the display to the operator.
The present invention provides a method which synchronizes and maintains synchronization of a data base in a primary and secondary slave processor pair that exists on a communication network where neither processor can initiate communications to the other processor. The present invention accomplishes a one-time transfer of data from the primary to the secondary, which is achieved by the secondary eavesdropping on all communications between the primary and master. The secondary, which eavesdrops on all messages to the primary, also acts on all messages internally. However, the secondary does not respond to the master controller but does eavesdrop on communications from the primary to the master controller to verify valid communications. The primary and secondary slave processor cannot initiate communications to each other, and have no direct data path but the communications path to the master controller. The eavesdropping of messages to the primary by the secondary has no impact on communications throughput by the addition of the secondary (or redundant) processor. Further, the initial synchronization occurs in parallel with other communications, hence communications with other processor on the network of a process control system is not disturbed during the one-time synchronization of the primary and secondary slave processors.