Note: Descriptions are shown in the official language in which they were submitted.
7~
INDUSTRIAL CONTROL SYSTEM ~IT~ INTERCONNECTED
REMOTELY LOCATED COMPUTER CONTROL UNITS
BACKGROUND OF THE INV~NTION
This application is a divisional of Canadian Serial
No. 368,795 filed January 19, 1981.
The present invention relates to control systems of
the type having a pluralit~ of remotely located process control
units connected together through a communications link and,
more particularly, to a control system in which each of the
remote units sequentially assumes supervisory communication
control of the communication link and in which high reliability
information transfer is achieved between remotes.
Many system type industrial installations, for example,
those related to industrial process-type-manufacturing and
electrical power generation, employ a large number of physically
distributed controlled-devices and associated sensors for
effecting coordinated operation of the overall system. In the
past, coordinated control of the various devices has been
achieved by manual operatlon and various types of semi-automatic
and automatic control systems including electro-magnetic relay
systems, hardwired solid-state logic systems, and various types
of computer control sys~ems. The computer systems have included
central systems in which the various sensors and controlled
devices are connected to a central computer; distributed control
systems in which a remotely located computer is connected to
each of the controlled devices and to one another; and hybrid
combinations of the central and distributed systems. The success-
ful functioning of the control system is vital to any industrial
process, and, accordingly, distributed systems have ~enerally
been preferred over central systems because the failure of one
of the remotely located control computers generally does not
cause a system ~7ide failure as in the case of the failure of the
_ 2 ~ ~
central computer in the central system. However, in many
distributed computer systems, one of the remotes or a specially
designed control unit generally handles supervisory communication
control of the communication buss and, for these systems, failure
of the communication b~ss supervisor can lead to a system-wide
failure.
In many industrial control systems, the various
communication busses that extend between the remotely located
computer process control units are exposed to high electrical
noise environments. Accordingly, the inormation transferred
over the communication buss can be subjected to error-inducing
interference because of the harsh electrical environment. In
view of this, a control system must have a means for detecting
errors within the transmitted information in order to provide
high reliability data transmission between remotes.
SUMMARY OF THE INVENTION
Broadly, the present invention seeks to provide an
industrial control system for control].ing an industrial process
or the llke having a high overall system ope~ating reliability
and to provide an industrial control system which may take the
form of a distributed control system, a central control system,
or a combination thereof to provide high overall operating
efficiency and reliability.
The present invention also see~s to provide an
industrial control system defined by a plurality of remotely
located process control units lremotes) interconnected through
a communication huss which each of the remotely loaated units
adapted assume supervisory control of the communication buss
in accordance with a predetermined se~uence.
The invention to which this divisional application
is directed pertains in one aspect to a control system of the
type having a plurality of process control remotes inter-
connected through a communications link with each remote assigned
- 3
7~
a unique position in a predetermined succession order and each
remote exercising supervisory control of the communication link
on a revolving master basis. Supervisory control of the
communications link is transferred Erom a present system
master to the next successive remote in the succession order
by a method comprising the steps of transmi-tting a control-
transfer command signal along the communication link from the
present system master to the next successive remote in the
succession order, receiving and evaluating the validity of
the control-system command signal at the next successive remote,
and accepting supervisory control of the communication link
by the next successive remote from the present master if the
control-transfer command signal is found valid by the next
successive remote, whereby the next successive remote becomes
the present system master.
The invention in a further aspect in this divisi.onal
application pertains to a system for controlling an industrial
process, which system comprises a plurality of process control-
ling remotes with a common communi.cation link interconnecting
the remotes, each remote being assigned a unique position in
a predetermined succession order and each remote exercising
supervisory control of the communication link on a master
for a moment basis in accordance with the succession order.
Each remote includes a means for transmitting digital in-
formation in block format over the communications link to the
other of the remotes and each includes receiver means for receiving
diaital information transmitted from one other of th~ remotes, and
each remote including means for transferring the supervisory
control to -the next successive remote in the succession order
30 by transmitting a control-transfer block o~er the communication
link to the next successive remote in the succession order
and the next successive remote accepting supervisory control
of the communication lin~: in response to the control-transfer
block.
4 _
More particularly, disclosed is a control system
for controlling an industrial process including a plurality of
remote process control units ~n (remotes) connected to various
controlled devices and sensors and communicating with one
another through a communications link having at least two
independent communication channels. Each remote is assigned
a unique succession number or position in a predetermined
succession order with each remote unit assuming supervisory
communic~tion control of the communications link on a revolving
or master for the moment basis in accordance with the remote's
relative position in the succession order. Information transfer
including process data and command control information is
accomplished between a source remote Rs and a destination remote
Rd by successively transmitting two identical information blocks
over each communication channel with the destination remote Rd
testing the validity of the blocks on one of the channels and,
if valid, responding with an acknowledgement signal (ACK), and,
if invalid, then testing the validity of the two blocks received
on the other, alternate channel. An acknowledgement (~CK) or
a non-acknowledgement signal (NA~) is sent by the destination
remote Rd if the information on the alternate channel is found,
respectively, valid or invalid. The source remote Rs will re-
transmit the information blocks in response to a non-
acknowledgement signal from a destination remote with the
retransmission from the source remote Rs limited to a pre-
determined, finite numberO
The system advantageollsly prcvides a me~ns for
controlling an industrial process in which high overall system
operating reliability is achie~ed. The system is equally sui~-
able for use with central lmaster~slave), distributed, andhybrid system configurations.
57~
BRIEF DESCRIPTION OF THE DRAWINGS
_
The above description, as well as the 1s"ects,
features, and advantages of the present invention will
be more fully appreciated by reference to the following
detailed description of a presently prefe~red ~ut none-
theless illustrative embodiment in accordance with the
present invention when taken in connection with the
accompanying drawings wherein:
FIG. l is a schematic diagram of an exemplary
process control system including a plurality of remote
process control units (remotes), including both primary con-
trol remotes and redundant remotes, connected to a common,
d~al-channel communications link;
FIG~ 2 is a schematic block diagram of an
exemplary remote process contxol unit of the type shown
in FIG. l;
FIG. 3 is a schematic block diagram oE an
exemplary modulator/demodulator (MODEM) for the remote
process control unit sho~n in E1IG. 2;
FIG. 4 is a schematic block diagram of an
exemplary communication protocol controller for the remote
process unlt shown in FIG. 2;
FIG~ 4A is a schemat-c block diagx~ of an
exemplary input~output management device for the remote
~rocess control unit shown in FIG. 2;
FIGo 4B is a flow diagram illustrating the
manner in which the change-in-status events of the
controlled devices of FIG. l are detected by the input/
output management device of FIG. 4A,
FIG. 5 illustrates the format of an exemplary or
illustrative information block for transferrlng information
between remotes;
~2~
FIG. 5A illustrates the format of a header rrame
of the information block shown in FIG. 5i
FIG, SB illustrates the format for a data/
information rrame of the information block shown in
FIG. S;
FIG. 5C illustrates the format for an
acknowledgement block (ACK) for acknowledging
successful receipt of an information block;
FIG. SD illustrates the ~ormat for a non-
acknowledgement block (NAK~ for indicating the
unsuccessful transmission of an information bloc~ between
remotes;
.FIG. 6 illustrates, in pictorial form, two
identical data blocks having the format sho~n in FIG. 5
successively transmitted on each communication chanr.el of
the co~unicaticn link illustrated in FIG. l;
FIG. 7 is a ~low diagram sw~a-y of the manner in
which a source and a destinati.on remote effect communi-~
cations with one another;
FIG. 8A is 2 partial flow diagram illustra~ing
in detail the manner in which a source and a destination
remote communicate and validat2 information transrerred
between one another;
FIG. sa is a partial flow diagram which com-
pletes the f~ow dlagram of FIG. 8A and illustra~es in
detail the manner in whlch a source and a destination
remote communicate and validate infor~ation transferred
between one another;
7~
FIG. 9 is a legend illustrating the manner in
the flow diagrams o~ FIG. 8A and FIG. 8B are to be read;
FIGS. lOA through lOF are exemplary tables
illustrating the manner in which supervisoxy control of
the communication link is transferred from remote to remote;
FIG. 11 is a schematic block diagram of an
exemplary redundant remote that is adapted to assume control
from a failed or otherwise inoperative primary remote;
FIGS. llA and llB are flow diagrams of the manner
in which the central processing unit of the redundant
remote R.4 monitors the operating condition of its assigned
primary remotes Rl, R2, and R3 and takes over operation when
one of the primary remotes fails;
~ IG. 12 is a flow diagram summary of the manner
by which an interrogating remote Rx tests the integrity
of the co~munication link bètween it and the remotes R
and RX+1 immediately adjacent thereto in the succession
order;
FIG. 12A is a partial flow diagram illustrating
in detail the manner by which an interrogating remote R~
tests the colNmunications integrity ~f the communica~ions
link between it and the next lower number remote R~_l in
the succession order;
FIG. 12B is a partial flow diagram illustrating
in detail ~he manner in which an interrogating remote Rx
tests the communiations integrity of the communications
link between it and the next higher number remote RX+l in
the succession order;
FIG. 12C is a partial flow diagram illustrating
in detail the manner by which a line termination impedance
is applied to the communications link in the event of a
communications link degradation or intexruption;
S7~2
FIG. 13 is a legend illustrating the manner in
which the flow diagrams of FIGS. 12A, 12B, and 12C are to
be read; and
~ IG. 14 is an exemplary table illustrating the
status of various counters when an interrogating remote Rx
is evaluating the integrity of the communications link in
accordance with the flow diagram shown in FIG. 12A~
DESCRIPTION OF THE PREFERRED E~BODIMENT
An industrial control system in accordance with the
present invention is shown in schematic form in FIG. 1 and
includes a communications link CL (C-link) having a plurality
of remotely located process control units (remotes) Rl,
R2,...R7, R8 connected thereto with the eight remotes
(Rl-R8) shown being exemplary; it being understood that the
system is designed to be used with a much laryer number of
remotes. Of the eight remotes illustrated, the remotes Rl-R3
and R5-R7 are 'primary' remotes and the remotes R4 and R8 are
'redundant' remotes. The communications link CL is shown
as an open line, double channel configuration formed from
dual coax, dual twisted pair, or the like with the
individual co~munication links identified, respectively,
by the reference characters CL~ and CLl. While the
system configuration shown in FIG. 1 is a distributed open
loop or shared global bus type, the invention is equally
suitable for application to central systems or central/
distributed hybrid con~iguration~O The system of FIG~ 1
is adapted for use in controlling an industrial process,
e.g., the operation of a power generating plant, with each
primary remote unit Rl-R3 and R5-R7 connected to one or more
associated or corresponding input/output devices I/Ol-
I/03 and I/05-I/07, respectively. Each input/output
device is, in turn, connected to an associated controlled
device CDl-CD3 and CD5-CD7 (of which only CD6 and CD7 are
~2~7;~
illustrated in FIG. 1) such as, but not limited to, various
types of sensors (temperature, pressure, position, and motion
sensors, etc.) and various types of actuators (motors,
pumps, compressors, valves, solenoids, and relays, etc.).
Each primary remote may control a large number of output
devices and respond to a large number of input devices, and
the blocks labeled I/O in FIG. 1 can each represent many
input and output d~vices.
The redundant remote R4 monitors the operation of
primary remotes Rl, R2, and R3; and the redundant remote
R8 monitors the operation of primary remotes R5, R6,
and R7. Should any one of the remotes Rl R2, and R3
fail, the failure will be detected by the remote R4 in
a manner to be described and the remote R4 will take over
control of the input an~ output devices of the failed remote
by receiving the data from the failed remote over the
communications link CL and sending commands to -the failed
remote over the communications link CL in formated information
blocks. Similarly, if one of the remotes R5, R6, o~ R7 fails,
the redundan-t remote R8 will take over control of ~he operation
of the inputtoutput devices for the failed remote as described
abovewithrespect to redundant remote R4. Although only eight
remotes have been .shown in Figure 1, any number of remotes
Rl, R2, R3, ...... Rn 1' Rn could be utilized in a particular
system.
The architecture of an exemplary remote Rn is
shown in FIG. 2. ~hile the architecture of the remote
Rn can vary depending upon the control process require-
ments, the remote shown in FIG. 2 includes a mo~em 10; a
communication protocol controller 12; an input/output
management device 14; a central processing unit (CP~) 16;
- 10 -
S7~
a memory 18; a peripheral device 20 that can include,
e.g., a CRT display, a printer, or a keyboard; and a
common bus 22 which provides addressing, control, and
informaticn transfer between the various devices which
constitute the remote. The devices shown in dotted line
illustration in FIG. 2 (that is, the central processing
unit 16, the memory 18, and the peripheral device 20)
are provided depending upon the process control require-
ments for the remote Rn. For example, in those primary
remotes Rn ~hich function as an elemental wire replacer,
only the modem 10, the communication protocol controller
12, and the input/output management device 14 are pro-
vided. In more complex process control requirements, an
appropriately programmed central processing unit 16 and
associated memory 18 are provided to effect active con-
trol according to a resident firmware program. In still
other remotes requiring a human interface, the appropriate
peripheral device~s) 20 may be connected to the common buss
22.
As shown in more detail ln FIG. 3, the mod~m 10
provides two independent communication channels CH0 and
CHl connected, respectively, to the communication links
CL0 and CL1. Each of the communication channels CH~
and CH1 is provided with substantially identical communi-
cation devices, and a description of the communication
devices of the first communication channel CH~ is
sufficient to provide an understanding of the second
communication channel CH1. The communication channel
Cl~ includes an encoder/decoder 240 for providing appropriate
modulation and demodulation of the digital data trans-
mitted to and received from the communication link CL~.
-- 11 --
zs~
In the preferred form, the encoder/decoder 240 converts
digital information in non-return-to-zero binary (NRZ)
format to base-band modulation (BB~) signal format for
transmission and effects the converse for reception.
.~mplifiers 26~ and 280 are provided, respectively, to drive
a passive coupling transformer T0 with digital information
provided from the encoder/decoder 240 from the coupling
transformer T0. A set of selectively operable relay
contacts 300 are provided between the coupling transformer
T0 and the corresponding communication link CL0 to effect
selective interruption thereof to isolate the remote Rn
from the communications link CL, and another set of relay
contacts 320 are provided to selectively connect the signal
output o~ the coupling transformer T~ with a termination
impedance Z0. The termination impedance Z~ is used when
the particular remote Rn .is at the end of the communicatio
link CL to provide proper line termination impedance for
the llnk, or, as described in more detail below, to assist
in terminating an open or degraded portion of the communi-
cations link CL.
A selectively operable loop-back circuit 34 is
provided to permit looping back or recirculation of test
data duxing diagnostic checking of the remote Rn. While
not specifically shown in FIG. 3, the loop back CirCllit
34 can take the form of a double pole, single throw relay
that effects connection between the channels CH0 and CH1
in response to a loop-back command signal 'LB'. During
the diagnostic checking of a remote, which checking takes
place when a ~articular remote is a mastex-for-the-moment
as explained below, the relay contacts of the loop-back
- 12 -
57~
circuit 34 are closed and a predetermined test word is sent
from the channel CH~ to the channel CHl and from the channel
CHl to the channel CH~ with the received word in each case
being checked against the original test word to verify the
transmit/receive integrity of the particular remote.
The isolation relays 300 and 311, the
impedance termination relays 32~ and 321, and the loop-back
circuit 34 are connected to and selectively controlled by
a communications link control device 38 which receives its
communication and control signals from the communlcations
protrocol controller 12 described more fully below. A
watch-dog timer 40 is provided to cause the C-link control
device 38 to operate the isolation relays 30~ and 301 to
disconnect the remote Rn from the communication link CL in
the event the timer 40 times-out. The timer 40 is
normally prevented from timing out by periodic reset
signals provided from the communication protocol controller
12. In this way, a remote Rn is automatically disconnected
from the co}~unication link CI. in the event of a failure
of its con~unication protocol controller 12.
As shown in more detail in FIG. 4, each communi-
cation protocol controller 12 includes input/output ports
42, 44, and 46 which interface with the above described
modem 10 for the communication channels CH0 and CHl and the
modem C link control device 38 (FIG. 3). A first-in first-
out (FIFO) serializer 48 and another first-in first-out
serializex 50 are connected between the input/output
ports 42 and 44 and a CPU signal processor 52. The
first-in first-out serializers 48 and 50 function as
temporary stores for storing information blocks
provided to and from the modems 10 as described more
fully below. The CPU 52, in turn, interfaces with the
buss 22 thxough buss control latches 54. A read only
memory (ROM) 56 containing a resident firmware program
for the CPU 52 and a random access memory (RAM) 58 ar~
provided to permit the CPU 52 to effect its communication
protocol function as described more fully below. Timers
62 and a register 60 (for example, a manually operable
DIP switch register or a hardwixed jumper type register)
tha-~ includes registers 60a and 60b are also provided to
assist the CPU 52 in performing its communication proto-
col operation. An excess transmission detector 64,
connected to input/output porks 42 and 44 (coxresponding
to communication channels CH~ and CHl) determines when
the transmission period is in excess of a predetermined
limit to cause the C-link control device 38 (FIG. 3) to
disconnect the transmitting remote from the com~lunications
link CL and thereby prevent a remote that is -trapped in
a transmission mode from monopolizing the coI~nunications
link CL.
The input/output management device 14, the
architecture of which is shown in FIG. 4A, is prefer~bly
a firmware controlled microprocessor-based device which
- 14 -
7~2
is adapted to scan the various input/output hardware points
of the controlled device, effect a point-by-point status
comparison with a prior scan, and record the change-in-
status events along with the direction of the change and
the time the event occurred (time-tagging), effect data
collection and distribution to and from the input/output
points, format the collected data in preferred pa-tterns,
and assemble the patterned data in selected sequences.
As shown in FIG. 4A, the input/output
management device 14 includes a processor 14A connected
to the remote buss 22 through a processor buss 14B; read-
only-memories 14C a.nd 14D connected to the processor 14A
through appropriate connections with these memories in-
cluding the firmware necessary to effect the abnve-
described functions of the input/output management device
l4 including the change-in-status event rnonitoring
(described in more detail below); a read/write memory
14E (RAM) for temporari.ly storing information incident to
the operation of the processor 14A including the change-
in-status event information; a time base l4F for providing
time information for time tagging the change-in-status
events; and an input/output intexface 14G for connection,
either directly or indirectly, to the controlled devices.
In the preferred embodiment, the input/output
interface 14G is defined by one or more printed circuit
control cards generally arranged in rack format~on with each
card having hardware poin~s arranged in predetermined sets
of eight points with each hardware point carrying a binary
- 15 -
7~
indication for controlling or sensing the operation of the
controlled device. The control and operational status of the
controlled device can generally be represented ~y one or
more eight-bit words (e.g., 000100011 with each bit position
representiny a control or operational characteristic of the
controlled device.
As described in further detail below in connection
with FIG. 4B, the input/output management device 14 effects
the aforedescribed change-in-status monitoring and associated
time-tagging by periodically scanning the input/output hard-
ware points in eight-bit groups and effecting a comparison
between the so-obtained eight-bit group and the eight-bit group
obtalned during the previous scan. If a change is detected
in one or more of the bit positions, the latest eight-bit
group, along with the time-of-day information obtained from
the time base 14F, and other information, if desired,
representing the direction of change, is placed in a
first~in first-discard memory (FIFO) of predetermined
size. Thus, each change-of-status event along with its
time tag and other information such as direction of
change, etc. is placed in a memory of selected size as
the changes occur. When all the memory locations are
filled, the first entered event (which now represents
the oldest chronological event) is discarded as the
latest event enters the memory. ~he memory loading is
inhibited by the occurrence of any one of a selected
number of inhibit signals. In the system, various con-
ditions including alarm conditions which represent partial
or ~ull system failures can be assigned a priority with
- 16 ~
those conditions or combinations thereof designated as
"high" priority signals being permitted to disable or
inhibit further accessing of the memory. In the event
one of these high priority conditions occurs, the memory is
inhibited from storing additional change-in-status
information and the change-in-status events occurring prior
to the high priority,condition are preserved for
subsequent analysis. Alarm conditions which are not
designated as high priority, of course, do not inhibit the
memory. This technique advantageously differs from those
prior techniques in which the controlled device status was only
placed in memory at the moment of a high priority signal
(in which case a historical pre-failure record-of-events
was not available) or those techniques in which the change-
in-status events were logged in a memory which was
periodically cleared, refilled, and cleared in which case
the probability of obtaining a complete history of events
prior to a predetermined high priority condition diminished
in those instances in which the logging memory was cleared
just prior to the occurrence o the high priority condition.
The manner by which the input/output management
device 14 effects the change-of-status event logging is shown
in FIG. 4B. During initialization, the processor 14B (referred
to also as the RTZ in FIG. 4B) moves an image of the various
input/output points, that is, the current status o~ the
various input/output hardware points, to preassigned locations
in the memory 14~ (local) of the input~output management
device 14 and the memory 18 (syst~m) of the remote Rn (FIG. 2).
Thereafter, the address(s) of the first input/output card is
obtained and the input/output hardware points for ~hat card
are scanned to obtain an input/output image whi,ch takes the
5~2
form of an eight-bit word (e.g., 00000000) with each bit
posi-tion representing the control or operational status of the
controlled device. The input/output points so obtained
are then compared with the previously obtained image of the
points (e.g., 00100000), for example, by effecting a bit-
by~bit exclusive OR (XOR) comparison. If the comparison
indicates no change in status, (that is, the words are
identical) the input/output points in the remaining cards
are likewise scanned with the process repeated on a
cyclic or looped basis. However, if a change is detected in
the exclusive OR comparison, that new input/output scan,
along with the time tag information and the direction of
change is placed in the memory 18 of the remote Rn, and,
in addition, the latest scan is moved to the memroy 14E
of the input/output management device. This process continues
with each new change-in-status event loaded into the memory
18 of the remote on a first-in first-discarded basis. The
first-in first discard rnemory may be configured by assiyning
a preselected number of memory locations in the memory 18
of the remote Rn (e.g., fifty locations) for the logging
information and providing an address pointer that points
to each successive location in a serial manner with the
pointer returning to the first location after pointing at
the last available pre-assigned location in the mernory.
In the preferred embodiment, the processor
14A of the input/output management device 14 (FIG. 4A)
and the processor 52 (FIG. 4) of the communication
protocol controller 12 is 8X300 micro~controller
manufactured by the Slgnetics Company of S~nnyvala,
- 18 ~
7;~:
~alifornia, and the central prooessin~ unit 16 (FIG. 2)
is an 86/12 single board 16-bit micro-computer manu-
factured by the Intel Company o~ Santa Clara, Califo~nia
~nd adapted to an~ configuxed fox the Intel MULTIBUS~M
Each remote Rn iS adapted to commu~icate with
the other by transitting digital data organi ed in pre-
determlned block forma~s. A su~table and illustrative
block format 66 is shown in FIG. 5 and includes a multi-
word head~x frame 66A, a multi-word data fram~ 66B, and a
lock termination frame or word 66C. Sol~actod of the
information block configuration~ ~re adapted to transfer
process control information to and from s~locted remot~
unit~ Rn and othe~ of the block configurations ar~ adapted
to transfer super~isory control of the communications link
CL from on~ remote to the other remote as explained in
greater detail below.
An exemplary format for the header ancl data
frames of an information block 66 is shown, respectively,
in FIGS. 5A and SB. The header frame 66A preferably
includes a 'start of header' word(~) that indicates to
all remotes that information is being transmitted; a 'source'
identification word(~) that indlcates th~ identity of the
source remot2 Rs that ic tr~n~ferring the infor~ation, a
'destination' word(s) that indica~e~ the ide~ify o th~
receiviny or des~ination r~mot~ Rd; a 'header-type' word(s)
th~t indicates whether th~ data block is txan~ferring data,
a parametered com~and block, or a p~rameterle~s command block;
'block-type' word indicating the type o~ block ~that is, a
command block or a dat~ block)7 a 'block number' word that
~ 19 ~
indicates the number of blocks being sent; a 'block size'
word indicating the length of the data frame; a 'security
code' word(s) that permits alteration of the resident soft-
ware programming in a remote; and, finally, a two-byte
'cyclic redundancy code' (CRC) validity word. The data
frame for each data block, as shown in FIG. 5B, can in-
clude a plurality of data carrying bytes or words Bl,
B2,...B~ of variable length terminated with a two-byte
cyclic redundancy code word. As described more fully
below, each of the remotes is adapted to acknowledge (~CK)
successful receipt of data and command blocks and non-
acknowledge (NAK) the receipt of data in which a trans-
mission error is detectedO When transmitting an
acknowledgement bl.ock or a non-acknowledgement block, the
header format used is show~ in F~GS. 5C and 5D in which an
acknowledgPment (ACK) or non-acknowledgement (NAK) word
occupie~ ths 'block type' word position. The hlock
formats disclosed above are intended to be illustrative
only and not limiting.
The various remote units Rl, R2~ R3,... Rn communi-
cate with one another by having each remote successively
take control of the communications link CL and the controlling
remote Rs then sending digital information between ikself
and a destination remote Rd using a double transmission
alt~rnate line technique that provides for high
reliability data transfer between remotes even when one of
the two communication links CL~ or CLl is inoperativa, for
example, when one of the two communication cables is
severed or otherwisa degraded as occassionally occurs in
harsh industxial environments~
- ~0 -
5~
When a remote unit assumes control of the communi-
cation link CL (as explained more fully below) and, as a
source remote Rs~ desires to send data blocks to another,
destination remote Rd, the data block is assembled at the
source remote Rs.in accordance with the block formats
discussed above in connection with FIGS. 5-5D and trans-
mitted through tha information channels CL~ and CL1 of the
source remote Rs to the communication links CL~ and CLl
with the hPader frame containing both the source remote
Rs and the destination remote Rd identification info:cmation.
In accordance with the data transmission
technique, the communication protocol controller 12
of the source remote RS transmi~s ~he information
blocks ~wice on each communication link CL~ and CLl
as schematically illustrated in FIG. 6 to provide a
first data block DBA and ~hen a second, following data
block DBB on each communication link CL~ and CLl.
The transmitted information block headers include the
identity o~ the destination remote, Rd, which causes the
d~tination remote Rd to receive and act upon the
informa~ion blocks. At tha destination remote ~d~ the
two data blocks D8A0 and DBB~ on the communication link
CL~ are passed through ~he communication channel CH~
and the two data blocks DBAl and DBBl on the communicaLion
link CLl are passed through the communication channel CHl
to, respectively, the first-in firs~-out serialize~s
48 and 50 (FIG. 4).
As shown in the summary flow diagram o~ FIG. 7,
the destingation remote Rd checks ~he validity of the
received data by selecting one of the two communication
links (eOg., CL0 in FIG. 7) and then checks the first
- 21 -
i7~
data block on the selected line (that is, DBA~) by
performing a cyclic redundancy check of the header frame
and, if valid, performing a cyclic redundancy check of the
data frame. If the data frame is valid, the communi-
cation protocol controller 12 of the destination remote
Rd khen performs a bit-for-bit comparision between the
CRC-valid first data block ~BA~ and the second following data
block DBB~. If tha bit~Eor-bit comparision is good, an
acknowledgement (ACK) signal s sent ~rom the destinat.ion
remote Rd to the source remote R5 to indicate the receipt
of valid information and complete that data block
information transaction. On the other hand, if the CRC
validity checks of the header or the data frame or the
bit for-bit comparison check indicate invalid data, ~he
protocol controller 12 of the destination remote Rd then
selects ~he other, alternate line ~in this case, CLl)
and performs the aforementioned cyclic rerlundancy checks
of the header and data frame and the blt-fox-b.it co~parison
between the ~irst and second data blocks D~l and D3
on the alternate line CLl. If these checks indicate
valid data on the ~lternate line, the destination remote
Rd responds with an acknowledgement sign21 (ACK) to
conclude the data block transmission transaction. On
the other hand, if these checks indicate invalid data
on the alternate line (which means that the data blocks
on both the first-~elected line and the alternate line
are invalid) the destination remote Rd r~sponds with a
non-acknowledg~ment signal (NAK) ~o cause re~ransmission
of the data blocks from the source remote Rs. The non
acknowledgement block (NAK) includes a by~e or bytes
- 22
indicating the identity of the data block or blocks
which should be retransmitted. A counter (not shown) is
provided that counts the number of retransmissions from the
source remote Rs and, after a fini.te number of re-
transmissions (e.g., four), halts fuxther retransmission
to assure tha~ a souxce remote Rs and a destina~ion remote
Rd do not become lost in a repetitive transmit/NAK/re
transmit/NAR... sequence in the event of a hardware or
software failure of the destination remote Rd error checking
mechanism.
The double message alternate line checking
sequence sun~arized in FIG~ 7 may be more ~ully appreciated
by referring to the detailed flow diagram shown in FIGS. 8A
and 8B (as read in accordance with the flow diagram map of
FIG. 9~. ~t the start of the information validity
checking procedure, the 'line ~-first' flag register is
checked; if a flag is present, the 'first-attempt ail'
flag register is checked, and, i there is no flag in this
register, the two data ~locks DB~l and DBB~ on channel C~l
are stored while the two da~a blocks DBA~ and DBB0 on channel
CH~ are used for the first attempt information check.
Thereater, the header frame o the first data block DBA~
on channel CH~ undergoes a CRC check, and, if acceptable,
the data frame of this data block DBA~ undergoes a CRC check.
If the header and data frames CRC checks indicate valid data
a 'good message' register is incremented. I the number of
good messages is less than two, the error checking procedure
~eturns to the initial part of the flow diagram and, after
- 23 -
7~
determining there is no channel CH~ first flag or first-
attempt flag present, checks the second following data
block DBB~ by repeating the header and data CRC cyclic
redundancy checks. If the header and data frames pass the
CRC checks, the 'good message' register is incremented
again to indicate that a total of two messages in succession
(that is, DBA~ and DBB0) have passed the cyclic redundancy check
for the header and data framesO Thereafter, the two data hlocks
DBA~ and DBB0 received on line CEI~ ~re checked by perorming
a bit-by-bit comparision between the two. If the data blocks
DBA~ and DBB~ pass the bit-by-bit comparision test, the communi-
cations protocol controller 12 o the destination remo~e Rd
sends an acknowledgement (ACK) message to the source remote
Rs to conclude the information block transfer and resets the
various registers. If, on the other hand, eithex the data
block DB~ or DBB0 on line CL0 fail the header and data frame
CRC checks or these two data bloc~s ~ail the bit~by-bit
comparison check, the communication protrocol cont.roller 12
sets ~he 'first-attempt fail' flag and re~urns to the start
o~ the procedure to determine that the lline 0-first' flag
and the 'irst-attempt' fail flag are present. The communi-
cation protocol controller 12 then uses the stored data blocks
DBAl and DBB1 from line CLl (which data blocks were previously
stored in FIFO 50). The header block and data block of
the data blocks DBAl and DBBl rom line CLl undergo the CRC
check and, if successful, cause tha incrementing o~ the 'good
- 24 -
~ 111 L~ t~~tr,~,
message' re~ister to cause the communication protocol
controller 12 to then check the validity of the second
data block DBBl. If the data blocks DBAl and DBBl pass the
CRC checks, they are compared with one another in a bit-
by-bit comparison test and if this comparison check is
successful, an acknowledgement (ACX) is sent. If, on the
other hand, either data block DBAl or DBBl does not pass the
CRC check or the data blocks do not pass the bit-by-bit
comparison test, a non-acknowledgement (NAK) is sent to the
source remote ~5 including information requesting the
retransmission of the data blocks which ailed the validity
test at the destination remote Rd. The source remote RS then
retransmits the improperly received information blocks as
described above with retransmission limited to a finite number.
A register i5 provided for each o~ the communication links for
recording, in a cumulative manner, the number of times an
invalid message is received for each communication link. In
this manner, it can be determined, on a statistical basis,
~hether one of the two communication links has suffered a
deterioration in signal transmission capability and, of course,
whether one of the com~uniGation links is severed.
As can be appreciated, the dual txansmission of the
identical messages on plural communication ~inks vastly
enhances the ability of the destination remote Rd to detect
errors and determine whether the infonma~ion being transmitted
is valid or not. In addition, the de~tination xemote Rd is
able to operate and successfully receive messayes even if one
of the communicatlon links CL~ or C~l is severed since the
communication protocol con~roller 12 at the destination R~
- 25 -
~2~
will examine the received signals on each line and will find
invalid data on the severed line, but will al~7ays examine
the data blocks on the other line and, if necessary, request
retransmission of the information blocks.
In selecting one of the two channels CH~ or CHl for
the first validity check, it is preferred that one of the two
channels (e.g., CH0) be selected for the first check on every
other information transaction and that the other of the two
channels (e.g.~ CH1) be selected for the first check for the
other intermediate information transactions. While the system
has been disclosed as having dual communication links CL~ and
CLl, the invention is not so limited and can encompass more
than two communication links with the remotes adapted to
sequentially examine signals received on the various channels.
As mentioned above, each remote Rn f the control
system is adapted to accept and then relinquish supervisory
control of the communication link CL on a master-for-the-
moment or xevolvlng mastar arrangement. The communication
protocol controller 12 of each remote Rn includes a register
which contains the remote succession numher, anothex register
which contains the total number of remotes in the system, and
another register which contains the relative position of the
remote from the present system master. The first two registers
are schematically illustrated by the reference character 60 in
FIG. 4. In addition, each remote Rn includes a variable transfer-
monitor timer having a time-out interval that is set in accordance
with a predetermined control-transfer time constant (50 micro-
seconds in the preferred embodiment) and the position of the
- 26 -
57~
particular remote relative to the present system master
to permit, as explained in more detail below, the master-
for-the-moment transfer to continue even in the event of
a disabled remote (that is, a remote that is unable to
accept supervisory control because of a malfunction).
Anothex timer is provided to force transfer of supervisory
control of the communications link CL in the ~vent a
remote, because of a malfunction, is unable to transfer
supervisory control to its nex~ successive remote. The
operation of the master-for-the-moment transfer technique
can be appreciated by consideration of the following
example of an illustrative system tha~ includes five
remotes arranged in the open loop configuration of FIG. 1
and transferring supervisory control of the co~munications
link CL in accordance with the tables of FIGS. lOA-lOF. The
upper row of each table indicates the succession sequence
or order of the five ~emotes Ror Rl, R2, R3 and R4 that
comprise the system; the intermediate row identifies the
remote that is the present master-for-the-moment and also
identifies the relative successive posikion of the other
remotes from the present master, that is, the first (or
next) successive remote from ~he present master, the second
successive remote from the present master, the third remote
from the present master, etc.; and the third row of each
table lists the setting of the variable transfer-monitor
timer for the particular remote.
- 27 -
The system is provided with initialization
software so that the first remote in the succession, R
assumes supervisory control oE the communication link
CL after system start-up and becomes the initial master
of the system (FIG. lOA). When the initial master Ro
is in control of the communications link CL, it can send
data to any of the other remotes, request status or
other data from another remote, and send control blocks and
the like ove- the communications link CL. When the master
Ro determines that it no longer deslres possession of the
communications link CL, it passes supervisory control of
the comm~nications link CL to the next or first successive
remote in accordance with the succession order. Thus, when
the present master Ro concludes its in~onmation transfer
transactions, it transfers supervisory control of the
com~unications link C~ to its next or first successive
remote Rl by transmitting a control block to the remote R
with all the remaining remotes ~that is, R~, R3, R~)
being cognizant of the transfer of supervisory control
rom the present mas~er R~ to its first or next succ~ssive
remote Rl. Since, in the present system, the transfer of
supervisory control of the communications link CL is
expected to take place within 50 micro-seconds, the
second successive remote R2, as shown in the third row o~
the table of FIG. lOB, sets its variable transfer-moni~or
timer to 50 micro-seconds, the third succe~sive remote R3 sets
its variable transfer-monitor timer to 100 micro-seconds,
- ~8 -
7~
and the fourth successive remote R4 sets it transfex-
monitor timer to lSO micro-seconds. When the first
successive remote Rl receives the control block from the
present master Rnl it accepts supervisory control of
the communlcations link CL by re~ponding with an
acknowledgement message (ACK). If the control block
is misreceived, the first successive remote Rl can
re3pond with a non-acknowledgement (NAK) to request
retransmission of the control block transferring
supervisory control of the communications link CL. During
the time interval that the present master remote Ro is
attemp~ing to transfer supervisoxy control of the communi-
cation link CL to its next successive remote Rl, the
transfer-monitor timers of the remaining remotes are
counting down. I, for any reason, the next or first
successive remote Rl fails to take control (e.g., a
malfunction of the remote), the transfer-monitor timer
of the second successive remote R2 will time-out at 50 micxo-
seconds and cause the second successive remote R2 to then
accept supervisory control of the cornmunication link CL
from the present master Ro and thus bypass the apparently
malfunctioniny ~irst successive remote Rl.
Aassuming that the initial system master Ro
successively transfers supervisory control of the communi
catins link C~ to its first successive remote Rl, that
successive remote Rl then becomes tha present master with the
remaining remotes changing their position relative to the
present master and setting their transfer-monitor timers
in accordance with the second and third rows of the table
of FIG~ lOB. ~hen the present master Rl concludes its
-- 2g --
information transfer transactions, if any, it attempts to
transfer supervisory control to its first or next successive
remote R2 by sending an appropriate control block to remote
R2 which responds with an acknowledgement signal (ACK) or,
in the event of a mistransmission of the con rol block, a
non-acknowledgement signal (NAK) which causes re-
transmission of the control block. When the control block
requesting transfer of supervisory con~rol of the communi-
cation link CL is sent from the present master ~1 to its
next successive remote R2, all the remaining remotes reset
their transfer-monitor timers in accordance with their
posi~ion relative to the present remote as shown in the third
row of the table of FIG. 10C. Should the next successive
remote R2 be unable to accept supervisory control of
the communicatlon link CL from the present master Rl,
the transfer-monitor timer of the second successive remote
R3 will time-out in 50 micro-seconds and cause the second
successive remote R3 to assume supervisory control of the
communiations link CL to thereby bypass an apparently
malfunctioning first successive remote R2 As can be
appreciated from a review of the transfer-monitor tirne-out
set~ings o the various remotes, supervisory control of the
communications link CL will transfer even if one or more
successive remotes are malunctioning, when the transfer-
monitor timer of the next operable remote times out. This
tr~nsfer sequence continues in succession as shown in the
remaining tables of FIG5. 10D to 10F with supervisory
control of the communication link CL being passed from
remote to remote in succession with the last remote R4
returning supervisory control to the first remo~e Ro~
- 30 -
'7~
By employing a master-fox-the-moment transfer
technique in which the receiving remote acknowledges
control from ~he transferring remote and in which re-
transmission of a mis-received control block is provided
for ln response to a non-ack~owled~ement signal from the
receiving remote, it is poss~ble to positively transfer
' supervisory control o~ the communication linkO This
technique advantageously transfers co~trol u~ing the
data and infoxmation carrying com~unication link rather
than, as in other systems, by providing ~epaæate communi
cation lines or channel3 dedicated solely to ~upervisory
control transfer functions. Also, the provl~ion of a
~ariable transfer-monitor timer at each remote that is s~t
in eccordance with the remote's relative position to the
present master and a transfer time-constank automatically
transfers supervisory control of the communicatio~s 7ink
even if one or more of the succe~ive remote are mal-
functioning~
The architecture of a r~dundant remote (R4 and
~8 in FIG~ 1~, as shown in FIG. 11, ~ essentially the same
as tha~ of a primary remote except that it ha~ no input/
output devices assigned to it. Each redundant remote
functions to take over control responsibility of a controlle~
device ~rom a primary remote in ~he event the primary
remote malfunctions.
- 31 -
7~
In each primary remote, preassigned memory
locations are designated to act as a 'mailbox' register
for that remote. Each time the central processing unit
16 of the primary remote cycles through its applications
program, in which it responds to and controls the input/
outpu. devices of the remote via the input/output management
device 14, it stores a predetermined number in its mailbox.
Each time the processor 14A of the input/output management
device 14 cycles through its program, it decrements the
number stored in the mailbox. The time for the CPU 16
to oycle through its program and for the input/output
management device 14 to cycle through its program is
approximately 1:1 so that the number stored in the mailbox
will be maintained at or near the predetenmined value set
by the applications program of the CPU 16 unless khe
CPU 16 ceases to cycle through its applications program.
Should this happen, the number stored in the mailbox memory
18 will be decremented by the input/output management
detrice 14 until it reaohes a zero value.
~ach time a redundant remote which is serving
as a back-up for its associated primary remotes ta~es its
tuxn in the master-for-the-moment saquence described above,
the redundant remote will request and obtain the value of
the number in the mailbox of its assigned primary remotas.
If the number in the mailbox is not zero, the redundant remote
will ~now that the central processing unit 16 in the 50-
queried primary remote is carrying out its applications
program and has not gone into an emergency mode of operation
or otherwise ceased to operate. If the redundant remote
32
2~7~
detects that the number in the mailbox for one of its
assigned primary remotes is zero, then the redundant remote
will determine that the central processing unit 16 of the
zero-mailbox remote is not carrying out the applications
program and, in response to this determination, the redundant
remote will first attempt to res~art the applications program
in the central processing unit 16 of the primary remote. If it
fails to successfully restart the applications program, the
redundant remote will carxy out the applications program
for the failed remote. In carrying out the applications
program, the redundant remote will respond to the input
devices and control the output devices assigned to the
ailed primary remote by sending commands and receiving
data from the failed remote over the communications link CL.
The redundant remote, in addition to checking the
status of its assigned primary remotes for which the
redundant remote serves as a back up, also must maintain
an up-to-date record o the sta~us of the applications
program in each of these assigned primary remotes. The
redundant remote checks the status of the mailbox and gets
the current applications program status from each of the
primary remote~ by sending request~ for information over the
communications link CL when the redundant remote takes its
turn in the master-for-the-moment sequenee as described
above.
- 33 -
57~
The operation of the redundant remote in carrying
out its function as a back-up for the primary remotes will
be more fully understood with reference to FIGS. llA and llB
which illustrate a flow chart of the program in the redundant
remote R4 (FIG. 1), which ser~es as a back-up for its assigned
primary remotes Rl, R2, and R3. The other redunclant remote
R8 will have the same program except that it will be
applied to its assigned remotes R5, R6, and R7.
As shown in FIGS. llA, after the program in the
redundant remote R4 is started, it enters into a decision
instruction sequence 101 to check the status of remote
Rl. As explained above, it does this by sending a request
for information over the communications link CL to remote
Rl asking for the current number in the mailbox of remote
Rl. It then determines whether this number is greater than
zero. If the number is greater than zero, the status of
remote Rl is determined to be operating and the program of
the redundant remote R4 advances to instxuction step 103
ln which it resets a fail flag for Rl to 'off' and then enters
subroutine 105, in which the current applications program
status in remote Rl is obtained. This means that the
redundant remote R4 requests and obtains the current status
of the input and output devices in remote Rl and the current
status of the timers and ~he counters and the flags being
used in the applications program of remote Rl. In other
34 -
72
words, in subroutine 105, all of the information that
would be needed for the redundant remote R4 to take over
the applications program is obtained from remote Rl.
This information is obtained by sending requests for
data and recei~lng data back over the communications
link CL.
Following the obtaining of the current appli-
cations program status of remote Rl, the redundant remote
R4 program proceeds to decision instruction sequence 107,
in which the status of remote R2 is chec~ed in the same
manner that was done with respect to Rl. If the status
of remote R2 is opexating, the program advances to
instruction step 109, in which the program sets a fail
flag for remote R2 and then proceeds into subroutine 111,
in which the status of the applications program for
remote R2 is obtained in the same manner as for Rl in sub-
routine 105. The program then proceeds into a decision
instruction sequence 113 to chec~ the status of remote
R3. If the status of remote R3 is operating, then the
program resets the fail flag for remote R3 in instruction
step llS and proceeds into subroutine 117 to obtain the
applications program status for remote R3 in the same manner
as ~or Rl in subroutine 105. Following subroutine 111, the
program returns again to decision instructlon sequence 101
to check the status of remote Rl and the process cyclically
repeats~
If in decision instr.uction sequence 101, the
program determines that the status Rl is not operating as
indicated by the number in the mailbox of the remote Rl,
being zero, the program then advances to decision instruction
sequence 113, in which the program determines if the fail
flag for Rl is 'on' or 'off'. lf the fail flag is 'off', the
program proceeds into instruction sequence 121, in
~hich the pxogram attempts to restart the applications
program for remote Rl. It does this by sending a command
over the communications link CL to remote Rl to direct
the communications protocol controller 12 (FIG. 2) to
attempt a hardware restart of the applications program.
This is carried out by the communications protocol controller
12 pulling a restart wire to ground in the com~on buss
22. When ~his restart wire is pulled to ground, it starts
the applications program back through its initialization
program and sets all of the flags, timers, and counters
just as if power had been turned on. Such a restart
is calle~ a hardware restart. Alternatively, the
redundant remote R4 could ef~ect a software restart in
the failed remote. A software restart would merely start
the applications program through its initialization program
with the timers, counters and flags left in their present
status.
After completing instruction sequence 121,
the redundant remote R4 program then sets the fail flag
for remote Rl to 'on' in instruction step 123 and then
proceeds into decision instruction sequence 125 to again
check the status of remote Rl by chec~ing the num~er in
the mailbox o~ remote Rl in the same manner as in decision
instruction sequence 101. If the applications program
in remote R~ was successfully starked in instruction
sequence 121, the number in ~he mailbox will not be zero
and the program will determine that the status of remote
Rl is operating, whereupon the program will jump to
decision instruction sequence 107 to cheok the s~atus of
remote R2 as already described.
- 36 -
If the proyram determines that the status.
of remote Rl is not operating in decision instruction
sequence 125, then this means that the attempt to restart
the applications program in remote Rl in instruction
sequence 121 failed and Lhe redundant remote R4 program
then proceeds into instruction sequence 127 to initialize
the input/output management device 14 (also identified
in FIG. llB as 'RTX') in remote Rl to receive instructions
and data from the redundant remote R4 instead of from the
central processing unit 16 in the remote Rl and to send
data on the status of the input and output devices to the
redundant remote R4.
If the program of the redundant remote R4
determines that the fail flag was 'on' instead of 'off' in
decislon instruction sequence 119, the redundant remote
pxogram would proceed directly into the instruction
sequence 127 to initialize the input/output management
device 14 of remote Rl to respond to the redundant remote
R4 7
The purpose of the fail flag which is set to 'on'
in instruction step 123 and is reset to 'off' in instruction
step 103 i~ to prevent the xedundant remote program from
getting hung-up in a condition in which i~ successfully
restar~s the remote Rl only to have the remote Rl fail again
by the ~ime the program of the redundan~ remote recycles
around to checking the mailbox of th~ remo~e Rl again in
desision instruction sequence 101. If this should happen,
the fail ~lag for remo~e Rl will have been set to 'on' in
in~ruction s~ep 123 after the successful restarting of the
- 37 -
7~
applications program. Then, the next time that the
redundant remote program cycles back to decision
instruction sequence lO1, and determines that the status
of remote Rl is not operating, the fail flag for remote
Rl will be 'on'. Accordingly, the program will jump from
decision instxuction sequence ll9 into the instruction
sequence 127 to initialize the remote R1 to respond to
redundant remote R4. If the next time the redundant remote
program recycles back to decision instruction sequence
lOl to check the status of Rl, it determines that the
status of Rl is operating, the program will then reset
the fail flag to 'off' in instruction step 103 so that in
subsequent cycles, should the program determine that the
remote Rl has again failed, the progr~m will again go into
the restart instruction sequence 121 instead of immediately
jumping to the initialization instruction sequence 127.
After the redundant remote program has completed
the initialization instruction sequence 127, it then proceeds
to subroutine 129. In this subroutine, the ~tatus of the
applications program of remote R1 last received by the
redundant remote R4, which status is stored in the memory
of the redundant remote R4, is loaded into predetermined
registers of the memory of the redundant remote R4 in order
to carry out the applications program of remote Rl in ~he
redundant remote R4. After this subroutine i~ completed,
the program proceeds into instruction sequence 130 and
then into the subroutine 131 in which it starts and
carries out the applications program. The redundant remote
R4 carries out the Rl applications program by receiving data
from remote Rl as to the status o the input and output devices
- 38 ~
of the remote Rl and sending instructions to remote Rl
to direct operation of the input/output management device
14 of the remote Rl. The program in the redundant remote
R4 will then continue to cycle through -the applications
program for the remote Rl until it receives a command from
the operator to reset it back into its main cycle of checking
the status of the remotes Rl, R2, and R3.
Should the redundant remote R4 determine that
the status of remote R2 or remote R3 is not operating,
it then performs the same program with respect to these
remotes as described with respect to remote Rl as is
illustrated in FIGS. llA and llB.
The redun~ant remote R8 ~ill take over the
applications program should any of the primary remotes
~5-R7 become nonoperative in the same manner as described
above with respect to R4 serving as a back-up for the
primary remotes Rl-R3.
It will be appreciated that the provision of
the redundant remotes decreases malfunctioniny o.f the control
~0 system due to one of the primary remotes becoming inoperative
as a result of failure of the central processing unit 16 of the
primary remote. Because each redundant remote serves as
a back-up for several primary remotes, the cost of providing
the redundancy is significantly reduced~ Because the
redundant remotes are themselves each a remote control unit
which takes its turn in the master-for a-moment sequence
communicating with the other remotes over the dual channel
communications link/ the redundant remotes can be provided
in the system very inexpensively.
- 39 -
J~t~ od
Each remote Rn, as described above, is provided
with termination impedances Z~ and Zl for the first and
second communication channels CH~ and CHl (FIG. 3) and a
line termination relay 32~ and 321 under the control of the
comm~nications link control device 38. The termination
impedances are connected across each channel of the communi-
cations link when the particular remote is the first or the
last remote in the system (e.g., Rl and R8 in FIG~ 1) to
establish proper line termination impedance to prevent
signal level degradation and the presence of reflected
signals, both conditions which can adversely affect the
perormance of the system. ~he termination impedances
Z~ and Zl are also applied acro,ss the appropriate communi-
cations channels when a remote dete~mines, as described
below, that the communications link CL between it and its
immediately adjacert higher or lower number remote is
severed or sufficiently degraded that reliable data
transmission cannot be maintained the~ebetween~ The
determination as to communications link degrada~ion can be
made by providing each remote with a register for each
communications channel that records, in a cumulative manner,
the numbex of invalid messages received from the immediately
adjacent remote(s) and terminate oné or both of the
communications link CL0 and C~l in the direction of the
remote from which the number of invalid messages raceived
exceeds a threshhold value. More preferably, however, each
remote is pro~ied with an acti~e testir.g diagnostic routine
to enable it to test the communication integrity of the
communications link between it and its immediately adjacent
remote(s) in accordance with the fl'ow diagrams illustra~ed
in FIGS. 12, 12A, 13B and 12C as read in accordance with
FIG. 13 and the table of FIG. 14.
~ ~0 -
The flow diagram illustrated in FIG. 12 is a
summary of the manner by which each remote is capable of
testing the communication integrity of the communications
link CI. between it and its immediate adjacent remote or
remotes and terminating one or both of the communications
links, C~0 and CLl, when a degraded or interrupted line
conditiop is detected. As shown in FIG. 12, the remote
Rx is initialized and then, in sequence, tests the communi-
cations integrity of the communications link CL~ in the
downstream direction between it and its immediately adjacent
lower number remote (that is, Rx 1) and then tests the
communication integrity of the communicaticns link CLl
in the downstream direction with the same remote. If
either the communications link CL~ or CL1 in the downstream
direction is faulty, an appropriate flag is set in a
register in the remote Rx reserved for this purpose. In
a similax manner, the remote ~x then tests the communications
integrity of the communications link CL~ and CLl in the up-
stream direction with its immediately adjacent higher number
remote (that is, remoke RX+l) and sets the appropriate flag,
as and if required. After this initial diagnostic chec~ing
takes place, the r~mote Rx will terminate the failed communi-
cations line CL~ and/or CL1 by actuating the appropriate
relay contacts.320 and/or.321 as required. The I~ne checking
test utilized in FIG. 12 preerably take place when the
remote R is master-for-the=moment (that is, R ~.
x m
A more detailed explanation of the communica~ions
line integrity check and automatic line termination may be had
by referring to FIGS. 12A, 12B and 12C tas read in accordance
57~
with the flow chart legend of FIG. 13) in which FIG. 12A
represents the downstream integrity check with the next
lower number remote, FIG. 12B represents the upstream
integrity check with the next higher number remote, and
FIG. 12C represents ~he line termination function in
response to the results of the integrity test performed
in FIGS 12A and 12B.
In FIG. 12A, the line checking diagnostic is
started by first loading three registers or counters,
namely, a 'retry counter', a 'CL0 retry counter', and a
'CL1 retry counter' with an arbitrarily selected number,
for example, five. The 'retry counter' is then decremented
by one and a message sent from the remote Rx to the
remote Rx 1 requesting an acknowledgement ACK signal. If the
communications link Ch~ and C~l between the interrogating
remote and the responding remote is fully functional, a
valid ACK signal will be received by the interrogating
remote Rx on both CL~ and CLl. The diagnostic checking will
then route to the part o~ the program (FIG. 12B) for
checking the communications integrity of the communications
link CL0 and CLl between the interrogating remote Rx and
the ~ext higher number remote in the system~ that is,
RX+l. On the other hand, if a valid ACK signal i5 not received
on one or both of the communications links CL~ or CLl by
the requesting remote Rx from the immediately adjacent lower
number responding remote Rx 1~ the appropriate retry counter
(that is, 'CL0 retry counter' or 'CLl retry co~nterl) will
be decremented by one and the procedure repeated until the
'retry counter' is zero at which time tne appropriate CL0
- 42 -
5~
and/or CLl terminate flag register will be set; thereafter,
the program will route to the upstream communications
integrity check sho~ in FIG. 12B.
~ he flow diagram of FIG. 12B is basically the same
as that of FIG. 12A except that the communications integrity
check occurs for that portion o the communications link
CL between the interrogating remote Rx and the next
higher number responding remote RX+1. More specifically,
the three registers or counters, that is, the 'retry
counter', the 'C~0 retry counter', and the 'CLl retry
counter' are loaded with the arbitrarily selected value of
five. The 'retry counter' is then decremented by one and
a message sent from the interrogating remote R~ to the
remote RX+l requesting an acknowledgement signalO If the
communications link CL0 and CLl between the interrogating
remote Rx and the responding remote RX+l is integral, a valid
acknowledgement signal will be recei~ed by the interrogating
remo~e Rx and the program will route to the termina~ion
impedance portion of ~he procedure shown in FIG. 12C.
On the other hand, if a valid acknowledgement signal is
not received on one or both o the communications lines CL~
or CLl by the interrogatlng remote Rx from the highex order
responding remote RX~1, the appropriate retry counter, thzt is,
the 'CL0 or CLl retry counter' will be decremented by one
and the procedure repeated until the 're~ry counter' is
zero at which point the appropriate C~ and/or CLl
terminztion flag register will be set; thereafter, the
program diagnostic will rou~e to the line impedance
termination portion shown in FIG. 12C.
- 43 -
Z57~
In the flow diagram of FIG. 12C, the various
termination registers are examined for set flags and
appropriate commands issued to the C-link control device
38 ~FIG. 3) to terminate the line by appropriate actuation
of the relay contacts 320 and/or 321. As is also shown in
FIG. 12C, a line termination relay can also be released
(that is, reset) to remove a previously applied line
termination impedance. Accoxdingly, the system provides
each remote with the ability to remove a line termination
as well as apply a line termination. This particular
feature is desirable when a communication link is
temperarily degraded by the presence of non-recurring
electrical noise to permit the system to automatically re~
configure its line impedances.
The following specific example illustrates the
operation of the line termination procedure in which it is
assumed that ~he communications link CL~ in FIG. 1 is
severed at polnt A as shown therein and that the remote
R4 is the present master (Rm) of the system and testing the
communications integrity of the communications link between
itself as ~he interrogating remote (Rx) and its next lower
order number remote R3 (that is, Rx 1) In accordance with
the flow diagram of FIG. 12A, the 'retry counter' r and the
'CL~ retry counter', and the 'CLl retry counter', as shown
in the tabulation table of FXG. 14, are set to the pre~
determined valus of five. The 'retry counter' is
decremented by one and the requesting interrogating remote
R4 (Rx) requests an acknowledgement from the responding
remote R3 (tha~ is, Rx 1) The requested acknowledgement
will be provided o~ line CLl but not line CL~ because of the
- 4~ ~
57~
aforementioned interruption at point A (FIG. 1).
The interrogating remote R4, not receiving the requested
acknowledgement signal on communications li.nk CL~, will
decrement the 'CL~ retry counter' by one. Thereafter,
the retest procedure will be sequentially continued with
the 'CL0 retry counter' being decremented with each
additional unsuccessful attempt to obtain an acknowledgement
from remote R3 through the communications link CL~. When
the 'retry counter' decrements to zero, the 'CL~ retry
counter' will also be decremented to zero at which time the
CL~ lower order termination flag will be set. The remote
R4 will thereafter continue the diagnostic checking procedure
to test the communications integrity of that portion of
the communications link between the remote R4 (Rx) and the
next adjacent higher remote R5 (that is, RX+l) in accordance
with the flow diagram of FIG. 12B. At the conclusion of
the test of the communications link between ths inter-
rogating remote R4 and the immediately adjacent lower number
and higher number remotes R3 and R5, the termination relay
contacts 32~ (FIG. 3) will be set to terminate the communi-
cations link CL~ at the remote R4. In a similar manner, the
remote R3, when it becomes master-for-the-moment, will also
apply a termination impedance across the communications link
CL~.
As can be appreciated from the foregoing, the
remotes Ro~Rn have the ability, even when one or both of
the communication links CL0 and CLl are severed to still
- 45 -
7~
function on a master-for-the-moment basis and also to
effect appropriate line termination to minimize the adverse
effect on digital data signal strength and the generation
of reflected signals from mismatched line impedance caused
by deteriorated or se~ered communication lines. In
addition, the system is self-healing, that is, when
reliable communications is restored over the severed or
degraded portion of the communications link the remotes
Rn wilL then again function to remove the line impedances
to resume full system operation.
As will be apparent to those skilled in the art,
various changes and modifications may be made to the
industrial control system of the present invention without
departing from the spirit and scope of the invention as
recited in the appended calims and their legal equivalent.
~ 46 ~
