The present invention relates to industrial controllers and in particular to an industrial controller system having two industrial controllers operating as active and back-up controllers.
Industrial controllers are special purpose computers used for controlling factory automation and the like. Under the direction of a stored program, a processor of the industrial controller examines a series of inputs reflecting the status of a controlled process and changes outputs effecting control of the controlled process.
Typically, an industrial controller is constructed in a modular fashion, having one or more functional modules connected together through a common backplane in a rack or the like. The modular construction allows the circuitry of the industrial controller to be customized to some degree for each application and simplifies maintenance and repair of the industrial controller in the event that one or more modules fail.
Industrial controllers must often provide uninterrupted and reliable operation for long periods of time. One method of ensuring such operation is to provide a second industrial controller operating in a back-up mode to an active industrial controller. If the active industrial controller should fail, the back-up controller may take over the controlled process or equipment with minimal interruption. The back-up controller may also be used to facilitate maintenance or testing of the control program. Such modifications may be performed on one controller (either the active or the back-up controller), with control reverting to the other controller if problems develop. In such circumstances, it is desirable that the two controllers be completely symmetric, with either one capable of assuming the active or the back-up role.
A loss of power can disable both the active and the back-up controller, or power may be lost to either controller individually. In both circumstances, it is desirable that, when power is restored, control of the process resume smoothly with a single controller acting as the active controller and a single controller acting as the back-up controller.
One method of resolving controller status in the event of a power loss is taught in U.S. Pat. No. 5,313,386, issued May 17, 1994, and assigned to the assignee of the present invention. Using this method, each controller, after completing an initialization, checks whether the other controller has taken the first steps toward assuming the role of active controller. If so, the checking controller adopts the back-up role; if not, it proceeds to assume the active controller role.
In the case where both controllers simultaneously attempt to take the active role, for example, when power is applied to both controllers at exactly the same time, a tie-breaking procedure is invoked in which a single controller, previously designated by a jumper setting, assumes the active role.
This approach has the advantage of avoiding needless disruption of the controlled process if active control is already being performed by one controller, regardless of whether that controller held the active role prior to the power loss. It is particularly well suited to the case where only one controller has experienced a power loss. When power returns to that controller, it is prevented from disrupting the ongoing control by the controller that did not lose power.
On the other hand, when both controllers lose power, this approach creates a race condition in which active control is awarded to whichever controller has taken the first steps to assume active control, even if active control has not yet been established. In a tie situation, active control is awarded arbitrarily to one controller. In both cases, control may be given to a controller other than the ideal one.
This problem can be minimized by ensuring that both controllers are equally qualified to assume active control of the process, but insisting on such qualification at all times limits the usefulness of a back-up controller, for example, for testing program upgrades.
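As an added illustration of the prior-art power-up procedure and of the race and tie outcomes described above (this is not code from the patent or its assignee), the following Python model lets each controller check its peer after initialization and claim a role. The initialization times, the `qualified` flag and the function names are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Controller:
    name: str
    has_jumper: bool          # designated tie-breaker ("a jumper set")
    qualified: bool = True    # assumed flag: running the proven control program
    claiming: bool = False    # has taken "the first steps" toward the active role
    role: str = "unknown"

def power_up(me: Controller, peer_claiming: bool) -> None:
    """One controller's procedure once its initialization completes;
    peer_claiming is what it observed on the other controller at that instant."""
    if peer_claiming:                      # peer already moving to active: yield
        me.role = "back-up"
    else:                                  # nobody has claimed: take the first step
        me.claiming, me.role = True, "active"

def tie_break(a: Controller, b: Controller) -> None:
    """Both claimed at the same instant; the jumpered controller keeps active."""
    loser = b if a.has_jumper else a
    loser.claiming, loser.role = False, "back-up"

def restore_both(a: Controller, b: Controller, a_ready: float, b_ready: float) -> dict:
    """Both controllers lost power and finish initialization at the given
    (constructed) times. Equal times are a true tie; otherwise it is a race."""
    a.claiming = b.claiming = False
    if a_ready == b_ready:
        seen_a, seen_b = a.claiming, b.claiming   # both observe an unclaimed peer
        power_up(a, seen_b); power_up(b, seen_a)
        tie_break(a, b)
    else:
        first, second = (a, b) if a_ready < b_ready else (b, a)
        power_up(first, second.claiming)          # the earliest claim wins,
        power_up(second, first.claiming)          # whichever controller makes it
    return {c.name: c.role for c in (a, b)}

def restore_one(restarting: Controller, running: Controller) -> dict:
    """Only one controller lost power; the other never stopped controlling."""
    restarting.claiming = False
    power_up(restarting, running.claiming)
    return {c.name: c.role for c in (restarting, running)}

def active_is_qualified(a: Controller, b: Controller) -> bool:
    """The outcome the text calls ideal: the active role on a qualified controller."""
    return all(c.qualified for c in (a, b) if c.role == "active")
```

Running `restore_both` with a proven controller that initializes a fraction of a second after one that is testing an upgrade shows the race handing active control to the less qualified unit, while `restore_one` shows the single-restart case leaving the running controller undisturbed.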