The present invention relates to industrial controllers and in particular to high reliability industrial controllers such as may be used to implement safety interlocks or other critical control functions.
Industrial controllers are special purpose computers used for controlling industrial processes or manufacturing equipment. Under the direction of a stored program, the industrial controller examines a series of inputs reflecting the status of the controlled process, and changes a series of outputs controlling the industrial process. The inputs and outputs may be binary, that is, on or off, or analog, providing a value within a continuous range. Typically analog signals are converted to binary words for processing.
A typical industrial controller includes a microprocessor sequentially executing instructions of a control program stored in electronic memory to read and write control values to an input/output (I/O) table. The I/O table is scanned independently of execution of the control program to communicate the control values as electrical control signals between the I/O table and the controlled equipment. The basic functions of the microprocessor in executing the control program and scanning the I/O table are performed by an operating system (OS) program.
Industrial controllers may be programmed in a "relay ladder language" logic in which instructions are represented graphically by rungs composed of "normally-open" or "normally-closed" contacts connected in series or parallel to "coils" of relays. The contacts represent inputs from the controlled process and the coils represent outputs to the controlled process. This graphical language mirrors early industrial control systems which used actual relays to provide the control logic needed to control machinery or a factory.
The rungs are arranged in parallel across power lines suggesting the parallel operation of such a relay assembly. Execution of the rungs on the industrial controller, however, is performed sequentially: each rung is evaluated one at a time. By performing the sequential scanning and execution of the rungs at high speed, parallel execution of the rungs is simulated.
Industrial controllers differ from conventional computers in that industrial controllers normally control the real-time operation of machinery often in the manufacture of a product. Momentary interruption of the industrial controller can cause damage to equipment or loss of product. In some critical applications, such as the operation or monitoring of safety equipment, failure of an industrial controller can create a risk of injury to humans. It is desirable that industrial controllers be extremely reliable, that they fail in a safe mode, and that their failure be immediately detectable.
One approach to increasing the reliability of an industrial controller is to use a redundant primary and secondary industrial controller. Failure of the primary controller causes a switch over to the secondary controller which assumes the primary controller's control responsibilities. Such systems are described in U.S. Pat. No. 4,521,871, 5,313,386, and 5,777,874 assigned to the assignee of the present invention and incorporated herein by reference. The switch over between two industrial controllers is performed by special modules within the industrial controllers which monitor hardware or software generated error signals to determine that a switch over is required. Detecting the errors and the switch over process itself can introduce delay in restoring control.
A more general approach to increasing the reliability of an industrial controller which does not require the production or monitoring of error signals (which may also fail) uses multiple industrial controllers operating at the same time. The outputs provided by each industrial controller are compared and only if the outputs are the same are they transmitted to the controlled process. Critical to the effectiveness of this system is the ability to detect and take appropriate actions at run time not only for individual hardware failures but for systemic failures that might have been introduced inadvertently during the design phase. The key to detecting these systemic failures is to ensure that the industrial controllers, if they fail, fail at different times or in different ways so that a difference in their outputs will occur. For this reason, it may be desired to use different industrial controller components and in particular different programs, algorithms, operating systems, development tools, development environments and developers. This latter requirement significantly increases the cost of this approach.
When an industrial controller is used for the control of certain safety systems, such as in implementing machine stop commands, fast control response times are necessary. The faster the response from the input (the pressing of an emergency stop button, the breaking of a light curtain or the like) to the output response (the stopping of the machine) the greater the safety margin. For large or complex control programs, such fast response times require powerful processors which are extremely complex and use many millions of transistors. Because a failure of even one transistor in these processors may cause a failure of the entire processor, the complexity of these microprocessors raises its own reliability problems.
The present invention provides a high reliability industrial controller providing not only higher execution speed and greater predictability of operation but also lower cost.
A key to the present invention is replacing microprocessors and their operating systems with programmable gate-arrays. The gate-arrays execute the control program directly as interconnected logic gates in a manner analogous to that of the original relay ladders used in industrial control, but of course, at far greater speed. The number of gates in the gate-array may be several orders of magnitude fewer than the number of gates in a typical microprocessor, thereby improving reliability; and because execution in a gate-array is parallel, its operation can be much faster than the operation of a microprocessor. Operating systems and the reliability problems they introduce are eliminated.
In the invention, multiple gate-arrays are programmed to provide the same global control logic (executing the control program) but to implement that control logic in different ways so as to increase the probability of any failure being reflected in different ways in different gate-arrays. Outputs of the multiple gate-arrays are then compared to detect errors and increase reliability. Errors may alternatively be detected independently of the outputs. Variations in the implementation of the control logic may be provided by using gate-arrays with different internal architectures (for example from different vendors) or by modifying the control program or the compiling process itself.
Specifically the present invention provides a high reliability industrial controller for control of an industrial process according to a control program where the controller includes at least two programmable gate-arrays having logic gates interconnected according to programmable memory cells. The programmable gate-arrays have gate-array inputs received by the interconnected logic gates which in turn provide gate-array outputs that are Boolean functions of the gate-array inputs. The programmable memory cells of the first and second programmable gate-arrays are programmed to each independently execute a control program using different interconnections between logic gates. Input circuitry accepts electric inputs from the industrial process and routes the inputs to the gate-arrays of both the first and second programmable gate-arrays. Comparison circuitry receives gate-array outputs from each of the first and second programmable gate-arrays to produce controller outputs dependent on whether corresponding outputs of the first and second programmable gate-array have matching values. Output circuitry receives the controller outputs and connects them to the industrial process.
Thus, it is one object of the invention to provide fundamentally more reliable industrial control than can be achieved by current generations of microprocessors. Errors can be detected through the use of redundant but different hardware systems simply by observing the outputs. The use of different interconnections in the programmable gate-arrays increases the likelihood that a single component failure will produce different outputs in the different implementations of the gate-array.
It is another object of the invention to significantly increase the reliability of industrial controllers by decreasing device complexity. A typical gate-array includes one-hundred times fewer gates than a standard microprocessor.
As mentioned, the different interconnections between logic gates may be realized either through use of programmable gate-arrays having fundamentally different architectures, for example from different vendors, or through a manipulation of the implementation of the control program that produces different interconnections in the logic gates, for example by programming one programmable gate-array in inverted logic.
Thus it is another object of the invention to provide some simple mechanisms to reduce the occurrence of systematic failures among gate-arrays which might not be detected.
The outputs of the gate-arrays may be compared and forwarded to the industrial process only if they are logically the same, i.e., either the same logic state or opposite logic states when one programmable gate-array is programmed with inverted logic.
Otherwise one gate-array output may be used or a default output value may be used.
Thus, it is another object of the invention to provide an industrial controller that is "fail safe" by providing a default "safe" state output unless the proper output can be unambiguously determined. In a typical embodiment, only if both gate-arrays provide a logical true output will a logical true signal be forwarded to the industrial process. Otherwise, a logical false output will be used.
The outputs from the gate-arrays may be compared to each other and an error signal produced if they do not match.
Thus it is another object of the invention to provide an indication of failure separate from the actual output from the industrial controller. In this way the need for corrective action may be signaled or (in certain situations) the controlled process shut down completely.
More than two programmable gate-arrays may be used in which case the outputs are compared and only the majority output is provided to the controlled process.
Thus it is another object of the invention to provide an industrial controller that has a high reliability of correct operation even when one or more programmable gate-arrays have failed and yet which provides a positive indication of that failure so that corrective action may be taken.
The control program may program the programmable memory cells through the use of a compiler and the programmable memory cells of the first and second programmable gate-arrays may use different compilers.
Thus it is another object of the invention to provide variation between the hardware implementation of the industrial control on otherwise identical gate-arrays through the use of different compilers.
In an alternative embodiment, the error signal may be derived independently of the outputs of the gate-arrays, for example, through the use of a watchdog timer circuit or the like. The error signal may be used to trigger use of the majority output signal from the gate-arrays, an output signal from a pre-selected gate-array, or a default value for the controller output.
Thus it is another object of the invention to allow the detection of error conditions that might not be apparent from the outputs of the gate-arrays alone.
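A software model of the comparison, fail-safe default, majority voting and independently derived error signal described in the preceding paragraphs, added here as an illustration and not part of the patent. The model assumes 16-bit output words (one bit per output coil), that the second gate-array is programmed in inverted logic, and a three-way fallback policy selected when an error signal such as a watchdog expiry is asserted.

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed model of the comparison/voting circuitry, not the patent's own
 * circuit. Each gate-array's outputs are packed into a 16-bit word, one bit
 * per output coil (an assumption of this model). */
typedef struct {
    uint16_t out;       /* controller outputs forwarded to the process */
    uint16_t mismatch;  /* per-bit error flags: 1 where gate-arrays disagree */
} vote_result_t;

/* Two gate-arrays, the second programmed in inverted logic. An output is
 * driven true only when BOTH agree it is true; any disagreement yields the
 * safe (false) state for that bit and raises its mismatch flag. */
vote_result_t compare_two(uint16_t a, uint16_t b_inverted)
{
    uint16_t b = (uint16_t)~b_inverted;   /* undo channel B's inverted logic */
    vote_result_t r = { (uint16_t)(a & b), (uint16_t)(a ^ b) };
    return r;
}

/* Three gate-arrays: a bit is true when at least two assert it, so control
 * continues through a single failure, while mismatch still flags any bit
 * where the three were not unanimous so corrective action can be signalled. */
vote_result_t vote_three(uint16_t a, uint16_t b, uint16_t c)
{
    vote_result_t r = { (uint16_t)((a & b) | (a & c) | (b & c)),
                        (uint16_t)((a ^ b) | (a ^ c)) };
    return r;
}

/* Error signal derived independently of the outputs (e.g. a watchdog that
 * expired because a gate-array stopped toggling its heartbeat). While the
 * error is asserted the controller output is taken from the configured
 * fallback source instead of the normal comparison result. */
typedef enum { FB_MAJORITY, FB_PRESELECTED, FB_DEFAULT } fallback_t;

uint16_t select_output(bool watchdog_error, uint16_t normal_out,
                       uint16_t majority_out, uint16_t preselected_out,
                       fallback_t policy)
{
    if (!watchdog_error)
        return normal_out;
    switch (policy) {
    case FB_MAJORITY:    return majority_out;
    case FB_PRESELECTED: return preselected_out;
    default:             return 0;   /* all outputs false: the safe default */
    }
}
```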
The foregoing and other objects and advantages of the invention will appear from the following description. In the description, reference is made to the accompanying drawings which form a part hereof and in which there is shown by way of illustration a preferred embodiment of the invention. Such embodiment does not necessarily represent the full scope of the invention, however, and reference must be made to the claims herein for interpreting the scope of the invention.