The present invention relates to industrial controllers used for real-time control of industrial processes, and in particular to high-reliability industrial controllers appropriate for use in devices intended to protect human life and health. "High reliability" refers generally to systems that guard against the propagation of erroneous data or signals by detecting error or fault conditions and signaling their occurrence and/or entering into a predetermined fault state. High reliability systems may be distinguished from high availability systems; however, the present invention may be useful in both such systems and therefore, as used herein, high reliability should not be considered to exclude high availability systems.
Industrial controllers are special purpose computers used in controlling industrial processes. Under the direction of a stored control program, an industrial controller examines a series of inputs reflecting the status of the controlled process and changes a series of outputs controlling the industrial process. The inputs and outputs may be binary, that is, on or off, or analog, providing a value within a continuous range. The inputs may be obtained from sensors attached to the controlled equipment and the outputs may be signals to actuators on the controlled equipment.
"Safety systems" are systems intended to ensure the safety of humans working in the environment of an industrial process. Such systems may include the electronics associated with emergency stop buttons, interlock switches and machine lockouts. Traditionally, safety systems have been implemented by a set of circuits wholly separate from the industrial control system used to control the industrial process with which the safety system is associated. Such safety systems are "hard-wired" from switches and relays, some of which may be specialized "safety relays" allowing comparison of redundant signals and providing internal checking of conditions such as welded or stuck contacts. Safety systems may use switches with dual contacts providing an early indication of contact failure, and multiple contacts may be wired to actuators so that the actuators are energized only if multiple contacts close.
Hard-wired safety systems have proven inadequate as the complexity of industrial processes has increased. This is in part because of the cost of installing and wiring relays and in part because of the difficulty of troubleshooting and maintaining the "program" implemented by the safety system, in which the logic can only be changed by rewiring physical relays and switches.
For this reason, there is considerable interest in implementing safety systems using industrial controllers. Such controllers are easier to program and have reduced installation costs because of their use of a high-speed serial communication network eliminating long runs of point-to-point wiring.
Unfortunately, high-speed serial communication networks commonly used in industrial control are not sufficiently reliable for safety systems. For this reason, efforts have been undertaken to develop a "safety network", being a high-speed serial communication network providing greater certainty in the transmission of data. Currently proposed safety networks are incompatible with the protocols widely used in industrial control. Accordingly, if these new safety networks are adopted, existing industrial controller hardware and standard technologies may be unusable, imposing high costs on existing and new factories. Such costs may detrimentally postpone wide scale adoption of advanced safety technology.
What is needed is a safety network that is compatible with conventional industrial controller networks and components. Ideally such a safety network would work with a wide variety of different standard communication protocols and would allow the mixing of standard industrial control components and safety system components without compromising reliability.
The present invention provides high reliability communications over standard control networks by opening redundant "connections" under the connected messaging protocols of such standard networks and by adopting an echoing of messages sent that reveals to both message producers and message consumers the failure of either connection. Dual connections thus serve in lieu of the dual media traditionally used in such systems, making the imposition of high reliability possible with existing network media.
Specifically, the present invention provides a method of establishing high reliability communication among components of an industrial controller some of which receive control signals from a controlled process, the components communicating over a standard network. The method includes the steps of establishing at least two redundant logical message producers associated with a given received control signal and opening a logical connection between each of the two logical message producers and two corresponding logical message consumers. Data, including a given received control signal, is transmitted on the connections from the logical message producers to the logical message consumers and after receipt of uncorrupted data at each logical message consumer, transmitting reply data including the given received control signal on the connection to the logical message producers. The logical message producers respond to an absence of an uncorrupted receipt of a transmission of reply data by entering a predetermined safety state.
Thus it is one object of the invention to provide for high reliability communications under standard connected messaging communications protocols. The redundant connections and reply messages provide resistance to undetected message corruption.
The uncorrupted reply data may be compared between the two logical message producers, which may respond to a failure of the reply data to match by entering the predetermined safety state.
Thus it is another object of the invention to provide an indication to upstream devices of communications failure using a standard network, such as is normally realized in high reliability systems by complex wire routings from output to inputs.
Determining whether data is uncorrupted may use a cyclic redundancy code incorporated into the data and being a function of the received control signal, and/or a message sequence count indicating the relative order of the messages holding the transmitted data.
Thus it is another object of the invention to provide more sophisticated signal loss detection that may be provided with standard wiring to discrete relays but that is suitable for network use.
The method may include comparing uncorrupted messages at the two logical message consumers and responding to a failure to match by causing the logical message consumers to enter the predetermined safety state.
Thus it is another object of the invention to detect failures that are not manifest in the network transmission process or that arise outside of the transmission process from failure of input or output devices.
The two logical message producers and/or the two logical consumers may be in a single physical device having one physical connection to a standard serial network, or the two logical message producers and two logical message consumers may each be in separate physical devices, each having two physical connections to a standard serial network.
Thus it is another object of the invention to provide a high reliability communications system that is largely indifferent to the hardware used to implement the producers and consumers.
The method may include the step of transmitting a signal to the two logical message consumers instructing them to enter a predetermined safety state.
It is therefore another object of the invention to provide for a general broadcast of detected failure so that components of the system may react appropriately even if the failure is not directly detectable at those components.
The method may include the step of responding at the logical message consumers to an absence of an uncorrupted receipt of subsequent data within a periodic interval by entering a predetermined safety state.
Thus it is another object of the invention to provide for an indication of media failure such as would affect both connections on a network without producing erroneous or mismatched redundant messages.
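The dual-connection echo exchange described in the foregoing method steps, as an added Python simulation that is not part of the patent text: two logical producers, two logical consumers, CRC-protected messages carrying a sequence count, and the failure cases (corrupted receipt, stale sequence, mismatched redundant copies, missing or mismatched echo) that drive either side to the predetermined safety state. The message layout (one signal byte, one sequence byte, CRC-32) and the bit-flip fault-injection helper are assumptions chosen for illustration.

```python
import zlib

SAFE, RUN = "SAFE_STATE", "RUN"   # predetermined safety state / normal operation

def frame(signal, seq):
    """Message on one logical connection: control signal byte, sequence count
    byte, and a CRC-32 over both (assumed layout, not the patent's)."""
    body = bytes([signal & 0xFF, seq & 0xFF])
    return body + zlib.crc32(body).to_bytes(4, "big")

def parse(msg):
    """Return (signal, seq) when the CRC verifies, else None (corrupted receipt)."""
    body, crc = msg[:2], int.from_bytes(msg[2:], "big")
    return (body[0], body[1]) if zlib.crc32(body) == crc else None

def flip_bit(msg):
    """Constructed fault injection: corrupt one bit of the signal byte in transit."""
    return bytes([msg[0] ^ 0x01]) + msg[1:]

def cycle(signals, seq, corrupt=(False, False), lose_reply=(False, False),
          expected_seq=None):
    """One periodic exchange on two redundant logical connections (index 0, 1).
    signals: the control signal as received by each of the two logical producers.
    Returns (producer_state, consumer_state) after the exchange."""
    # Producers: each sends its own copy of the received control signal.
    msgs = [frame(s, seq) for s in signals]
    msgs = [flip_bit(m) if c else m for m, c in zip(msgs, corrupt)]
    # Consumers: CRC check, sequence check, then cross-compare the two copies.
    parsed = [parse(m) for m in msgs]
    if any(p is None for p in parsed):
        # Corrupted receipt: consumers do not reply and, with no uncorrupted data
        # arriving in this interval, enter the safety state; producers time out.
        return SAFE, SAFE
    if expected_seq is not None and any(p[1] != expected_seq for p in parsed):
        return SAFE, SAFE          # stale or out-of-order message
    if parsed[0][0] != parsed[1][0]:
        return SAFE, SAFE          # redundant copies disagree: input-device fault
    # Consumers echo the received control signal back on each connection.
    replies = [None if lost else frame(*p) for p, lost in zip(parsed, lose_reply)]
    # Producers: an uncorrupted echo is required on each connection, and the two
    # echoes must match; otherwise the producers enter the safety state.
    echoed = [parse(r) if r is not None else None for r in replies]
    if any(e is None for e in echoed) or echoed[0] != echoed[1]:
        return SAFE, RUN
    return RUN, RUN
```

A lost echo on one connection is enough to stop the producers, while the consumers, having received matching uncorrupted data, would only follow on the next interval without a fresh message or an explicit safety-state instruction.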
The foregoing and other objects and advantages of the invention will appear from the following description. In the description, reference is made to the accompanying drawings, which form a part hereof, and in which there is shown by way of illustration a preferred embodiment of the invention. Such embodiment does not necessarily represent the full scope of the invention, however, and reference must be made to the claims herein for interpreting the scope of the invention.