The present invention relates to industrial controllers and in particular to an industrial controller system having a secondary controller providing back-up control capability.
Industrial controllers are special purpose computers used for controlling factory automation and the like. Under the direction of a stored program, a processor of the industrial controller examines a series of inputs reflecting the status of a controlled process and changes outputs affecting control of the controlled process. The stored control program is continuously executed in a series of execution cycles.
The inputs received by the industrial controller from the controlled process and the outputs transmitted by the industrial controller to the controlled process are normally passed through one or more input/output (I/O) modules which serve as an electrical interface between the controller and the controlled process. The inputs and outputs are recorded in an I/O data table in processor memory. Input values may be asynchronously read from the controlled process by specialized circuitry. Output values are written directly to the I/O data table by the processor, then communicated to the controlled process by the specialized communications circuitry.
Industrial controllers must often provide uninterrupted and reliable operation for long periods of time. One method of ensuring such operation is by using redundant, secondary controller components (including processors) that may be switched in to replace primary controller components while the industrial controller is running. In the event of a failure of a primary component, or the need for maintenance of the components, for example, the secondary components may be activated to take over control functions. Maintenance or testing of the control program maybe performed with the primary processor reserving the possibility of switching to the secondary processor (and a previous version or state of the control program) if problems develop.
Ideally, the switch-over between controllers or their components should occur without undue disruption of the controlled process. For this to be possible, the secondary processor must be running the same program (and maintaining its current state) and must be working with the same data in its I/O data table as is the primary processor.
The same control program may be simply pre-stored in each of the primary and secondary processors. The data of the I/O data table, however, cannot be pre-stored but changes continuously during the controlled process. Further, because controllers are I/O intensive, there is typically a large amount of data in the I/O data table. For this reason, transmitting the data to the secondary processor is difficult.
In order to effectively update the secondary processor with large amounts of I/O data, prior art controllers have continuously and asynchronously transmitted I/O data from the primary processor to the secondary processor during execution of the control program. Allowing the control program to continue to run, prevents the control process from being interrupted by the data transfer. Nevertheless, there are problems with this approach.
Asynchronous transfer means that at the time of switch-over to the secondary processor, the I/O data table of the secondary controller may have only been partially updated. Further, even the updated part of the I/O data table may be stale because the control program has continued to execute and change that data after its transmission. This I/O data will be termed "time fragmented" because it is not simply a uniformly delayed version of the I/O data table of the primary processor, but a version with different data delayed by sharply different amounts. Time fragmented data represents a control state that never existed because it includes I/O data taken from two or more different execution cycles of the control program.
A second problem that may occur at the time of switch-over is a so-called "data bump" where an output is changed back to an old state by a secondary controller only to be quickly restored to its original value as the secondary controller continues the control process. Data bumps can cause a momentary reversal of the control process with serious consequences to the controlled equipment. Unfortunately, even trivially stale data can cause data bumps.