This invention relates generally to fault-tolerant electronic communication networks, and, in particular, to a fault-tolerant network that operates rapidly to correct faults occurring when network components fail and which is suitable for real-time industrial control.
Industrial controllers are special-purpose computers that provide for real-time, highly reliable control of manufacturing equipment and machines and processes. Typically, an industrial controller executes a stored program to read inputs from the machine or process through sensors connected to the industrial controller through a set of input/output (I/O) circuits. Based on those inputs, the industrial controller generates output signals that control the machine or process through actuators or the like.
Often, the components of the industrial control system will be distributed throughout a factory and will therefore communicate over a specialized communication network that provides for high-speed operation (to allow real time control) with specialized protocols to ensure that data is reliably and predictably transmitted.
Desirably, the components of an industrial control system might be interconnected using common network components, for example, commonly available Ethernet network components. Such an ability could cut the costs of establishing and maintaining the network and in some cases would allow the use of existing network infrastructures. In addition, the ability to use a common network, such as Ethernet, could facilitate communication with devices outside of the industrial control system or that are not directly involved in the control process.
One obstacle to the adoption of Ethernet and similar standard networks is that they are not fault-tolerant, that is, failure in as little as one network component can cause the network to fail—an unacceptable probability for an industrial control system where reliability is critical.
The prior art provides several methods to increase the fault tolerance of Ethernet and similar networks. A first approach is to use a ring topology where each end-device (node) is connected to the other nodes with a ring. Failure of one component or media segment in the ring still provides a second path between every node. A drawback is that multiple faults (e.g. the failure of two segments of media) cannot be accommodated.
A second approach equips each node with software “middleware” that controls the connection of the node to one of two or more different networks. In the event of component or media failure, the middleware changes the local network interface to transmit and receive messages on the back-up network using a new Ethernet address. This approach can tolerate multiple faults, but the time necessary to reconfigure the network can be as much as 30 seconds. An additional problem with this latter approach is that multiple independent networks are needed (one for primary use and one for backup) which can be difficult to maintain, inevitably having differences in configuration and performance.
In a third approach, a single network with two or more redundant network infrastructures is used and each device is provided with multiple ports, and each port is connected to a redundant infrastructure of that network. Again, middleware in each device is provided with alternate paths through multiple infrastructures to all other devices in the network.
This need to reconfigure each node when there is a network failure fundamentally limits the speed with which network failures may be corrected in these approaches both because of the need for complex software (middleware) to detect the failure and coordinate address or path status changes, and because of the time required for communication with other nodes on the network.
For this reason a fourth approach has been developed, as described in U.S. Pat. No. 7,817,538, entitled “Fault-Tolerant Ethernet Network,” issued Oct. 19, 2010, assigned to the assignee of the present invention and hereby incorporated by reference. This approach uses end-devices with multiple ports having the same address. A hardware system monitoring a beacon signal rapidly switches ports in the event of a failure, substantially eliminating the time required for the network to relearn new addresses for network devices. The detected failure triggers a “learning update” message to other network components to facilitate learning new paths to the network devices.
This approach may be expanded to handle multiple faults affecting a single end-device by increasing the number of ports on the end-devices, for example, from two to three. With three ports, double faults may be accommodated; with four ports, triple faults may be accommodated; and so on. As a practical matter, the additional hardware cost of adding ports to every end-device may not be justified beyond two ports.
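To make the fourth approach and its port-count limit concrete, the following is an added simulation (not code from the patent or its assignee) of an end-device whose ports share a single address and whose beacon monitor switches to a healthy port and emits a learning update when the active port's beacon lapses. The beacon period, the timeout, the address and the fault timings are assumed, constructed values.

```python
from dataclasses import dataclass, field

BEACON_PERIOD = 1.0   # seconds between beacons (assumed value)
BEACON_TIMEOUT = 3.0  # missed-beacon window before a port is declared failed (assumed)


@dataclass
class MultiPortNode:
    """End-device whose ports share one address; a monitor selects the active port."""
    address: str
    port_count: int
    active_port: int = 0
    last_beacon: list = field(init=False)
    learning_updates: list = field(default_factory=list)  # (time, address, new_port)

    def __post_init__(self):
        self.last_beacon = [0.0] * self.port_count

    def receive_beacon(self, port: int, now: float) -> None:
        self.last_beacon[port] = now

    def healthy_ports(self, now: float) -> list:
        return [p for p in range(self.port_count)
                if now - self.last_beacon[p] <= BEACON_TIMEOUT]

    def monitor(self, now: float) -> bool:
        """Beacon check: switch to the next healthy port when the active one goes quiet.
        The address is unchanged, so only a learning update (new path) is sent rather
        than a node reconfiguration. Returns True when a switch happened."""
        healthy = self.healthy_ports(now)
        if self.active_port in healthy or not healthy:
            return False
        self.active_port = healthy[0]
        self.learning_updates.append((now, self.address, self.active_port))
        return True


def simulate(port_count: int, faults: dict, duration: float = 12.0):
    """Run the monitor over time. `faults` maps port -> time at which that port's link
    stops carrying beacons (constructed scenario). Returns (node, reachable_at_end)."""
    node = MultiPortNode("constructed-address-01", port_count)
    now = 0.0
    for step in range(int(duration / BEACON_PERIOD)):
        now = step * BEACON_PERIOD
        for port in range(port_count):
            if now < faults.get(port, float("inf")):   # link still up: beacon arrives
                node.receive_beacon(port, now)
        node.monitor(now)
    return node, bool(node.healthy_ports(now))
```

With the same two link faults, a three-port node fails over twice and stays reachable, while a two-port node is unreachable after the second fault, which is the port-count limit described above.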