The present invention relates to a method of data base maintenance, and more particularly, to a method for ensuring that any data item stored in a primary slave processor commanded by a master controller is also stored in a secondary slave processor.
Process Control Systems with backup process controllers such as described and claimed in U.S. Pat. No. 4,133,027, issued to J. A. Hogan on Jan. 2, 1979, and U.S. Pat. No. 4,141,066, issued to Y. Keiles on Feb. 20, 1979, include a backup controller having a dedicated Random Access Memory (RAM) and a dedicated Read-Only Memory (ROM). The backup controller is essentially idle or can be doing some background tasks, but not tasks relating directly to the process control function. Upon detection of a failure of one of the primary process controllers, the data stored in the RAM of the failed controller must be transferred to the RAM of the backup controller to perform the operations of the primary controller. These systems describe a 1:N redundancy system.
Existing systems, such as that described in U.S. patent application, Ser. No. 07/299,859, filed on Jan. 23, 1989, now U.S. Pat. No. 4,958,270, and assigned to Honeywell Inc., the assignee of the present application, provide for a 1:1 redundancy system, whereby the data base of a secondary device (i.e., secondary or backup controller) is updated periodically such that the updating process is transparent to the primary functions, does not tie up (or penalize) CPU or processor performance, and utilizes a minimum amount of time. When a failover condition occurs, there is a period of time when no communications can take place (i.e., an outage) between the primary controller and the remainder of the system. Further, the primary and secondary controllers are in a predefined location, and the software utilized for implementing this redundancy feature (i.e., redundancy software) is not transparent to other layers of software above the redundancy software. For example, if a Universal Station of a plant control network were to interrogate a controller (i.e., a primary controller, since the secondary controller cannot be interrogated) of a process controller of a process control system for a value, then during failover the controller is unable to respond and the Universal Station outputs question marks on the display to the operator.
The present invention provides a method which ensures that a data item written into a primary slave processor by a master controller is also received by a secondary slave processor and that the data base of each slave processor (i.e., the primary and secondary) is updated identically. The method of the present invention does not require the primary and secondary slave processors to be running in a synchronous (i.e., lock-step) manner. Further, according to the method of the present invention, the data item to be stored is transmitted to the primary slave processor only. The present invention has the advantage over previous systems mentioned above in that there is no guaranteed store check in these earlier systems, and the guaranteed store is implied in the design rather than explicitly tested and verified. Also, in the previous system mentioned above, the primary must send the data to the secondary. Where the primary and secondary do not communicate with one another, the previous method does not work. Further, the present invention does not require that the redundant processors perform their functions in an asynchronous manner with respect to time.