The present invention relates to industrial controllers used for real time control of industrial processes, and in particular, to a high reliability industrial controller appropriate for use in devices intended to protect human health and life.
Industrial controllers are special purpose computers used in controlling industrial processes. Under the direction of a stored control program, an industrial controller examines a series of inputs reflecting the status of the controlled process and changes a series of outputs controlling the process. The inputs and outputs may be binary, that is, on or off, or analog, providing a value within a continuous range. The inputs may be obtained from sensors attached to the controlled process and the outputs may be signals to actuators on the controlled process.
“Safety systems” are systems intended to ensure the safety of humans working in the environment of an industrial process. Such systems may include, but are not limited to, the electronics associated with emergency stop buttons, interlock switches, and machine lockouts.
Safety systems were originally implemented by hard-wired safety relays, but may now be constructed using a special class of high reliability industrial controllers. “High reliability” refers generally to systems that guard against the propagation of erroneous data or signals to a predetermined high level of probability defined by safety certification standards. Such high reliability is obtained by detecting error or fault conditions and entering into a predetermined fault state. High reliability systems may be distinguished from high availability systems; however, the present invention may be useful in both situations, and therefore, as used herein, high reliability should not be considered to exclude high availability systems.
A high reliability industrial controller may connect separated components of the controller with a high-speed serial network. In this case, the network must also provide high reliability and, in particular, must have provisions for detecting both errors in network messages (for example, caused by electrical interference) and errors in the destination of the messages (for example, correct messages delivered to the wrong device).
This latter problem of misdirected messages may be addressed by providing each communicating pair of devices with a unique safety address. U.S. patent application Ser. No. 09/667,145 filed Sep. 21, 2000, assigned to the assignee of the present invention and hereby incorporated by reference, describes a system where each message contains a unique “safety address”. During an initialization of the network, each device is provided with a list of “legal” safety addresses of the messages the device should receive. Later, when a particular message is received by the device, the safety address of the message is compared with the stored legal safety addresses. If there is no match, it is assumed that the given message has been misdirected.
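As an added illustration (not code from the patent or the referenced application), a minimal receiver in Python for the scheme described above: each frame carries a safety address and a CRC, the receiver holds the list of legal addresses loaded at initialization, and either a corrupted frame or an address not on that list sends it into the predetermined fault state. The frame layout, the CRC-32 choice and the fault-on-mismatch behaviour are assumptions of this example, not specifics from the text.

```python
import struct
import zlib

FAULT_STATE = "FAULT"


def build_message(safety_address: int, payload: bytes) -> bytes:
    """Constructed frame layout (assumed for this example):
    2-byte safety address | 1-byte payload length | payload | 4-byte CRC-32."""
    body = struct.pack(">HB", safety_address, len(payload)) + payload
    return body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


class SafetyReceiver:
    """Receiving device initialised with the 'legal' safety addresses it may accept."""

    def __init__(self, legal_addresses):
        self.legal = frozenset(legal_addresses)  # stored at network initialization
        self.state = "RUN"
        self.fault_reason = None
        self.accepted = []

    def receive(self, frame: bytes) -> str:
        if self.state == FAULT_STATE:          # fault state is latched until reset
            return FAULT_STATE
        if len(frame) < 7:                     # header (3) + CRC (4) minimum
            return self._fault("truncated frame")
        body, crc = frame[:-4], struct.unpack(">I", frame[-4:])[0]
        if zlib.crc32(body) & 0xFFFFFFFF != crc:
            return self._fault("crc mismatch")  # message damaged in transit
        addr, length = struct.unpack(">HB", body[:3])
        if length != len(body) - 3:
            return self._fault("length mismatch")
        if addr not in self.legal:             # correct message, wrong device
            return self._fault(f"misdirected message: address {addr:#06x}")
        self.accepted.append(body[3:])
        return "OK"

    def _fault(self, reason: str) -> str:
        self.state = FAULT_STATE
        self.fault_reason = reason
        return FAULT_STATE
```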
Adding a safety address to each message increases the message length and thereby reduces the capacity of the network. This reduced capacity may adversely affect the response time for the industrial controller and/or limit additional reliability enhancing features that might be added to the message to otherwise improve its reliability.
An alternative would be to use specialized hardware and firmware between the transmitter and the receiver that is inherently highly reliable without the need for a safety address. Such specialized hardware and firmware may be costly and cannot take advantage of existing network infrastructure.