The present invention relates to industrial controllers used for real time control of industrial processes, and in particular, to a high reliability industrial controller appropriate for use in devices intended to protect human life and health.
Industrial controllers are special purpose computers used in controlling industrial processes. Under the direction of a stored control program, an industrial controller examines a series of inputs reflecting the status of the controlled process and changes a series of outputs controlling the controlled process. The inputs and outputs may be binary, that is, on or off, or analog providing a value within a continuous range. The inputs may be obtained from sensors attached to the controlled equipment and the output may be signals to actuators on the controlled equipment.
“Safety systems” are systems intended to ensure the safety of humans working in the environment of an industrial process. Such systems may include but are not limited to the electronics associated with emergency stop buttons, interlock switches, and machine lockouts.
Safety systems were originally implemented by hardwired safety relays but may now be constructed using a special class of high reliability industrial controllers. “High reliability” refers generally to systems that guard against the propagation of erroneous data or signals to a predetermined high level of probability (defined by safety certification standards) by detecting error or fault conditions and signaling their occurrence and/or entering into a predetermined fault “safety” state. High reliability systems may be distinguished from high availability systems; however, the present invention may be useful in both such systems, and therefore, as used herein, high reliability should not be considered to exclude high availability systems.
Standard high-speed communication networks are frequently used to join the various components of an ordinary industrial control system that may extend throughout a factory. The protocols used in such standard networks, however, are not adequate for high reliability industrial controllers used for safety systems. In particular, such network protocols may not ensure that communication delay (“data age”) is limited or provide a method of monitoring such communication delays.
Modifying standard network protocols to allow monitoring of data age is difficult because standard network interface circuits (NICs) do not normally provide high-level access to network timing information, for example the time of arrival and transmission of messages. Further, precise, synchronized clocks that would allow simple timing of data transmission times are not normally available in the communicating components.
Watchdog timers, operating at the receiving end of the transmission, have been used to monitor network delay with respect to known periodic transmissions. The watchdog ensures that the delay between successive transmissions is not too long. Unfortunately, such watchdog systems do not provide protection against slow increases in the age of the data over time.
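The following simulation is an added illustration of that last point, not part of the patent text. It assumes a constructed linear drift model (each successive message is delayed 50 µs longer than the previous one) and constructed timing values in microseconds; it shows that a receiving-end watchdog bounding only the gap between successive periodic messages never trips, while the age of the data it accepts drifts past a safety limit.

```python
"""Constructed model: periodic producer, slowly growing network delay,
and a receiver whose only protection is an inter-arrival watchdog."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Result:
    watchdog_tripped_at: Optional[int]  # index of first message whose gap > watchdog_limit
    age_exceeded_at: Optional[int]      # index of first message whose data age > age_limit
    max_gap: int                        # largest inter-arrival gap the watchdog observed
    final_age: int                      # data age of the last message delivered


def simulate(period: int, base_delay: int, drift: int, n: int,
             watchdog_limit: int, age_limit: int) -> Result:
    """All times are integer microseconds (constructed values).

    The producer sends message k at k*period. The network delivers it after
    base_delay + k*drift (assumed model of a slowly degrading link). The
    receiver has no sender timestamp and no synchronized clock, so it can
    only measure the gap between consecutive arrivals on its own clock.
    """
    watchdog_tripped_at = None
    age_exceeded_at = None
    max_gap = 0
    last_arrival = None
    age = 0
    for k in range(n):
        sent = k * period
        arrival = sent + base_delay + k * drift
        age = arrival - sent            # true data age; invisible to the receiver
        if last_arrival is not None:
            gap = arrival - last_arrival    # the only quantity the watchdog sees
            max_gap = max(max_gap, gap)
            if gap > watchdog_limit and watchdog_tripped_at is None:
                watchdog_tripped_at = k
        if age > age_limit and age_exceeded_at is None:
            age_exceeded_at = k
        last_arrival = arrival
    # Each gap equals period + drift, so a watchdog limit that must tolerate
    # normal jitter (here 1.5x the period) never sees the accumulated drift.
    return Result(watchdog_tripped_at, age_exceeded_at, max_gap, age)


if __name__ == "__main__":
    r = simulate(period=10_000, base_delay=2_000, drift=50, n=1_000,
                 watchdog_limit=15_000, age_limit=20_000)
    print(r)
```

With the constructed values the gap is a constant 10,050 µs, far below the 15,000 µs watchdog limit, yet the data age passes 20,000 µs at message 361 and keeps growing.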