The advantages of digital communication systems in accurately communicating information are well documented in the literature. The statistical properties of many communication systems naturally lead to a requirement for greater and greater complexity as a necessity in attempting to reach lower and lower probabilities of error. The particular error level that can be tolerated in a communication system, of course, depends on the type of information being communicated. For example, it is well-known that digitally quantized speech is relatively tolerant of errors. In the field of traffic control (for example railroad or the like) the past practice has been to communicate non-vital information from a control center to field equipment (switches, signals, etc.), and this required the vital (safety) functions to be field implemented. If the communications could be effected vitally, even though the link itself were non-vital, then considerable savings could be effected. In noncommunication systems, efforts are made in the design to ensure that the occurrence of a failure or error is "fail safe" in that the system is arranged to limit the probability of an error resulting in a less restrictive situation to a vanishingly small number of improbable situations. In a system which is 100% fail safe, errors can be tolerated, but those errors lead to a control condition which is no more dangerous than had the error not occurred. In other words, errors tend to result in a more restrictive condition, rather than a less restrictive condition.
Because of the complexity of present day control systems there is no quantitative measure of the degree to which a system is fail safe; however, there are well developed techniques which can be used to increase the probability that a particular component or set of components is fail safe. One particular area which has received attention is that of communicating vital information over a non-vital communication link. One system for effecting this function is shown in my prior U.S. Pat. No. 4,090,173, assigned to the assignee of this application.
In that system a particular message is composed of a pair of words, one being the complement of the other, separated by a framing pattern to allow for ready identification of the message words themselves. For example, a six bit message word, while capable of transmitting any one of 64 messages, is, in the arrangement shown in the referenced patent, used to transmit a lesser number of messages by restricting the valid words to words which have a constant ratio of marks ("1") to spaces ("0"). In the example disclosed in the patent, each six bit word has two marks, thus allowing 15 different messages to be communicated by a single pair of words. This message required 12 bits, 6 for each word, plus, in the example shown in the patent, four bits, two for each framing pattern, for a total of 16 bits. While restricting the word makeup does reduce the system efficiency, it has the advantage of increasing the probability of identifying errors in that any word which does not have the specified ratio of marks to spaces can be clearly identified as an error.
While the communication system disclosed in the above-referenced patent works quite well, there is a desire to increase the capability of the communication system so that the system is capable of sending more than 15 different messages, as well as the capability of multiplexing, so that more than one message at a time can be transmitted.
The above-referenced patent illustrates a system which may use discrete logic or random logic such as a microprocessor, and in the latter case identifies exemplary operating routines to ensure that the microprocessor element is no more likely to be the cause of errors than any other component. However, the limited capability of the disclosed system does not provide for the transmission of multiple messages.
Therefore, it is an object of the invention to provide a vital communication system which has the capability of transmitting multiple messages. It is another object of the present invention to provide such a system which can be accurately termed fail safe notwithstanding the fact that the communication link coupling a transmitter and a receiver is nonvital. The system to be disclosed hereinafter employs a number of techniques to increase the fail safe qualities. One technique that is employed is cycle checking.
Digital systems, especially binary, are vulnerable to "stuck bits" unless they are implemented with specially designed fail safe logic. Since it is an object of the invention to capitalize on the advantages of commercially available microprocessors, to the extent that such devices are employed it is clear that they do not employ fail safe logic elements. The cycle checking technique, used as a safeguard against the stuck bit, provides ready proof that all devices can be controlled to both their states, thus ensuring that a stuck bit error has not occurred. This is effected by processing data along with its logical complement so that all devices in the processing stream are driven to both their states.
A second technique employed is diversity. This is especially important in employing commercially available microprocessors since a failed device in a memory location or instruction decoder can result in a program being executed incorrectly. By using more than one program segment to do the same task and requiring complete agreement in the results at all critical points, incorrect execution, without recognition of that incorrect execution, is minimized. To employ diversity properly, there must be no common elements in the diverse systems that could result in compensating errors.
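The constant-ratio word pair of the referenced patent, the cycle check on the word and its complement, and the diversity requirement are illustrated together below. This is an added example, not code from the patent: the two-bit framing pattern value, the word/frame/complement/frame layout and the two independent mark-counting routines are assumptions made for the illustration.

```python
from itertools import combinations

WORD_BITS = 6
MARKS = 2            # valid words carry exactly two marks (15 of 64 patterns)
FRAME = "10"         # assumed two-bit framing pattern; the text gives no value
ALL_ONES = (1 << WORD_BITS) - 1

# The 15 valid words: every 6-bit pattern with exactly two marks.
VALID_WORDS = sorted((1 << a) | (1 << b)
                     for a, b in combinations(range(WORD_BITS), 2))

def weight_table(w: int) -> int:   # diverse routine 1: count via string form
    return bin(w & ALL_ONES).count("1")

def weight_loop(w: int) -> int:    # diverse routine 2: clear-lowest-bit loop
    n, w = 0, w & ALL_ONES
    while w:
        w &= w - 1
        n += 1
    return n

def is_valid_word(w: int) -> bool:
    # Diversity: both independent routines must agree at this critical point.
    a, b = weight_table(w), weight_loop(w)
    return a == b == MARKS

def encode(msg_index: int) -> str:
    # 16-bit message: word, frame, logical complement of the word, frame.
    w = VALID_WORDS[msg_index]
    c = w ^ ALL_ONES
    return f"{w:0{WORD_BITS}b}{FRAME}{c:0{WORD_BITS}b}{FRAME}"

def decode(bits: str):
    # Returns the message index, or None when any vital check fails.
    n, f = WORD_BITS, len(FRAME)
    if len(bits) != 2 * (n + f):
        return None
    w_s, f1 = bits[:n], bits[n:n + f]
    c_s, f2 = bits[n + f:2 * n + f], bits[2 * n + f:]
    if f1 != FRAME or f2 != FRAME:
        return None                        # framing pattern corrupted
    w, c = int(w_s, 2), int(c_s, 2)
    # Cycle check: word and complement drive every bit position to both
    # states, so a stuck bit shows as a position equal in both halves.
    if w ^ c != ALL_ONES:
        return None
    if not is_valid_word(w):
        return None                        # wrong mark-to-space ratio
    return VALID_WORDS.index(w)
```

A stuck bit corrupts either the word or its complement but not both consistently, so the cycle check rejects it even when the corrupted word still has two marks.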
Notwithstanding these two techniques, however, if two lines at an input or an output port of a microprocessor were connected together as the result of an insulation failure, cycle and diversity checking may not reveal this fault. Accordingly, a port test, which has some similarity to the port test disclosed in the above-referenced patent, is employed to detect failures of this type.