Note : Les descriptions sont présentées dans la langue officielle dans laquelle elles ont été soumises.
~ q~ ~
~L~ ~
INDUSTRIAL CONTROT, SYSTEM
BACKGROUND OF THE INVENTION
___ _
This application is a division of Canadian Serial
No. 368,795, filed January 19, 1981.
The present invention relates to control systems of
the type having a plurality of remotely located process control
units connected together through a communications link and,
more particularly, to a control system in which each of the
remote units sequentially assumes supervisory communication
control of the communication link and in which high reliability
information transfer is achieved between remotes.
Many system type industrial installations, for
example, those related to industrial process-type manu-
facturing and electrical power generation, employ a large
number of physically distributed controlled-devices and
associated sensors for effecting coordinated operation of
the overall system. In the past, coordinated control of
the various devices has been achieved by manual operation
and various types of semi automatic and automatic control
systems including electromagnetic relay systems, hardwired
solidwstate logic systems, and various types of computer
control systems. The computer systems have included central
systems in which the various sensors and controlled devices
are connected to a central computer; distributed control
systems in which a remotely located computer is connected -to
each of the controlled devices and to one another; and
hybrid cornbinations of the central and distributed systems.
The successful functioning of the control system is vital
to any industrial process, and, accordingly, distributed
systems have generally been preferr~a over central systems
-- 1 --
because the failure of one of the remotely located control
computers generally does not cause a system jlide failure as
in the case of the failure of the central computer in the
central system. However, in many distributed computer
systems, one of the remotes or a specially designed control
unit generally handles supervisory communication control of
the communication buss and, for these sys.ems, failure of
the communication buss supervisory can lead to a system-
wlde failure.
In many industrial control systems, the various
communication busses that extend between the remotely
located computer process control units are exposed to
high electrical noise environments. Accordingly, the
information transferred over the communication buss can
be subjected to error inducing interference because of
the harsh electrical environment. In view of this, a con-
trol system must have a means for detecting errors within
the transmitted information in order to provide high
reliability data transmission between remotes.
32~
S[JMMARY OE' THE INVENTION
The present invention seeks to provide an industrial
control system for controlling an industrial process or the like
having a high overall system operating reliability.
The invention in one aspect to which this divisional
is directed pertains to an information transfer system for
transmitting digital information between active devices and
testing the validity of the transmitted information. The system
includes at least one active device for transmitting information
in digital form, at least one other active decice for receiving
information in digital form, and at least a first and a second
independent communication channel connected to and e~tending be-
tween the first-mentioned and the second mentioned active devices
Eor conveying information there~etween. A transmitter means is
associated with the first-mentioned active device for trans-
mitting digital information arranged in blocks of predetermined
format, the transmitter means transmitting, for each information
transfer transaction, an identical block on each of the first
and second communication channels. Receiving means is associated
with the second-mentioned active device for receiving digital
information transmitted by the first-mentioned active device
and for selecting a one of the first and second communication
channels and testing the validity of the received block and,
when the received block from the first selected col~munication
channel is found invalid, for selecting the other of the first
and second communication channels and testing the validity of
the received block on the other communication channel. Means
associated with the receiver means is provided for first-selecting
the first of the communication channels on alternate information
transfer transactions and for first-selecting the second of the
communication channels on the remaining information transfer
transactions.
The invention herein also contempla~es a method for
transferring digital information formatted in predetermined blocks
3 --
between an .information transmitting device and an interconnected
information receiving device, the method comprising the steps of
transmltting, for each information transfer transaction, identical
information blocks from a transmitter over plural independent
communication channels to a receiver, receiving and storing the
received information blocks at the receiver, selecting the
information block received on one of the plural communication
channels and testing the validity thereof, selecting the
information block received on other of the plural COmmUniCatiOn
channels and testing the validity thereof in the event the first-
selected information block fails its validity check, and
requesting retransmission of the information blocks in the event
both the first selected and the second-selected information
blocks fail their validi.ty test, the one communication channel
first-selected on alternate information transfer transactions
and the other communication channel first-selected on the
remaining information transfer transaction.
More particularly, the disclosed invention provides a
control system for controlling an industrial process including
a plurality of remote process control units Rn (remotes) connected
to various controlled devices and sensors and communicating with
one another through a communicatio~ link having a-t least two
independ~nt communication ~hannels. ~ach remote is assigned a
unique succession number or position in a predetermined
succession order with each remote unit assuming supervisory
communication control of the communications link on a revolving
or master for the moment basis in accordance with the remote's
relative position in the succession order. Information transfer
including process data and command control information is
accomplished between a source remote Rs and a destination remote
Rd by successively transmitting two identical in~ormati.on blocks
over each communication channel with the destination remote Rd
testing the validity of the blocks on one of the channels and,
if valid, responding with an acknowledgement signal (ACK),
and, if invalid, then testing the validity of the two blocks
received on the other, alternate channel. An acknowledgement
(ACK) or a non-acknowledgement signal (NAIC) is sent by the
destination remote Rd if the information on the alternate
channel is found, respectively, valid or invalid. The source
remote Rs will retransmit the information blocks in response
to a non-acknowledgement signal from a destination remote with
the retransmission ~rom the source remote Rs limited to a
predetermined, finite number.
A control system in accordance with the present invention
advantageously provides a means for controlling an industrial
process in which high overall system operating reliability
is achieved. The system is equally suitable for use with
central (master1slave), distributed, and hybrid system
configurations.
6~
BRIEF DESCRIPTION OF THE DRAWIMGS
The above description as well as the as~ects
features and advantages of the present invention will
be more fully appreciated by reference to the following
detailed description of a presently preferred but none-
theless illustrative embodiment in accordance with the
present invention when taken in connection with the
accompanying drawings wherein:
FIG. 1 is a schematic diagram of an exemplary
process control system including a plurality of remote
process control units (remotes), including both primary con-
trol remotes and redundant remotes connected to a common
dual-channel communications link;
FIG. 2 is a schematic block diagram of an
exemplary remote process control unit of the type shown
i~ FIG. l;
FIG. 3 is a schematic block diagram of an
exemplary modulator/demodulator (MODEM) for the remote
process control unit shown in FIG. 2;
2 n FIG. 4 is a schematic block diagram of an
exemplary communicatlon protocol controller ror the remote
process unit shown in FIG. 2;
~IG. 4A is a schemat c block diagram of an
exemplary input/output management device for the remote
?rocess control unit shown in FIG. 2;
FIG. 4B is a flow diagram illustrating the
.anner in which the change-in-status evenis of the
controlled devices of FIC-. 1 are detected by the input/
output management device of FIG. 4A;
FIG. 5 illustrates the format of an exemplarv or
illustrative information block for transferring information
between remotes;
FIG. 5A illustrates the format of a header frame
of the information block shown in FIG. 5;
FIG. 5B illustrates the format for a data/
information frame of the information block shown in
FIG. 5;
FIG. 5C lllustrates the format for an
acknowledgement block (ACK) for acknowledging
successful receipt of an information block;
FIG. 5~ illustrates the fo1~at for a non-
acknowledgement block ~NAK) for indicating the
unsuccessful transmission of an information bloc~ Detween
remotes;
.FIG. 6 illustrates, in pictorial form, two
identical data blocks having the format shown in FIG. 5
successivel~ transmitted on each communication channel of
the co~unication link illustrated in FIG. 1;
FIG. 7 is a flow diagxam summa-y of the manner in
which a source and a destination remote effect communi
cations with one another;
FIG. 8A is 2 partial flow diagram illust.a'ing
in detail the manner in which a source and a destination
remote communicate and validate information transferred
between one another;
FIG. 8B is a partial flow diagram w~ich com-
pletes the flow diagram of FIG. 8A and illustrates in
detail the manner in which a source and a destination
remote communicate and validate infor~ation transferred
between one another;
5~
FIG. 9 is a legend illustrating the manner in
the flow diagrams of FIG. 8A and FIG. 8B are to be read;
FIGS. lOA through lOF are exemplary tables
illustrating the manner in which supervisory control or
the communication link is transferred from remote to remote;
FIG. 11 is a schematic block diagram of an
exemplary redundant remote that is adapted to assume control
from a failed or othexwise inoperative primary remote;
FIGS. llA and llB are flow diagrams of the manner
in which the central processiny unit of the redundant
remote R4 monitoxs the operating condition of its assisned
primary remotes Rl, R2, and R3 and takes over operation when
one of the primary remotes fails;
FIG. 12 is a flow diagram summary of the manner
by which an interrogating remote Rx tests the integrity
o~ the communication link between it and the remotes Rx 1
and RX~l i~nediately adjacent thereto in the succession
order;
FIG. 12A is a partial flow diagram illustrating
in detail the manner b~ whlch an interrogating remote R~
tests the cor~nunications i~tegrity of the comm~ications
link between it and the next lower number remote Rx 1 in
the succession order;
FIG. 12B i.s a partial flow diagram illustrating
in detail the manner in which an interrogating remote Rx
tests the communiations integrity of the communications
link between it and the next higher number remote RX~1 in
the succession order;
FIG. 12C is a partial flow diagram illustrating
in detail the manner by which a line termination impedance
is applied to the cor~nunications lin}c in the event of a
co~nunications link degradation or interruption;
~2~i8
FIG 13 is a legend illustrating the manner in
which the flow diagrams of FIGS. 12A, 12B, and 12C are to
be read; and
FIG. 14 is an exemplary table illustrating the
status of various counters when an interro~ating remote
is evaluating the integrity of the communications link in
accordance with the flow diagram shown in FIG. 12A.
DESCRIPTION OF THE PREFERRED EMBODIM~NT
An industrial control system in accordance with the
present invention is shown in schematic form in FIG. 1 and
includes a communications link CL (C-link) having a plurality
of remotely located process control units (remotes) Rl,
R2,...R7, R8 connected thereto with the eight remotes
(Rl-R8) shown being exemplary; it bein~ understood that the
system is designed to be used with a much larger number of
remotes. of the eight remotes illustrated, the remotes Rl-R3
and R5-R7 are 'primary' remotes and the remotes R4 and R8 are
'redundant' remotes. The communications link CL is shcwn
as an open line, double channel configuration formed from
dual coax, dual twisted pair, or the like with the
individual co~munication links identified, respectively,
by the reference characters CL0 and CLl. While the
system configuration shown in FIG~ 1 is a distri~uted open
loop or shared global bus type, the invention is equally
suitable for application to central systems or central/
distributed hybrid configurations. The system of FIG. 1
is adapted for use in controlling an industrial process,
e.g., the operation of a power generating plant, with each
primary remote unit Rl-R3 and R5~R7 connected to one or more
associated or corresponding input/output devices I/Ol-
I/03 and I/05-I/07, respectively. Each input/output
device is, in turn, connected to an associated controlled
device CDl-CD3 and CD5-CD7 (of which only CD6 and CD7 axe
illustrated in FIG. 1) such as, bu-t not limited to, various
types of sensors (temperature, pressure, position, and motion
sensors, etc.) and various types of actuators (motors,
pumps, compressors, valves, solenoids, and reiays, etc.).
Each primary remote may control a large number of output
devices and respond to a ]arge number of inpllt devices, and
the blocks labeled I/O in FIG. 1 can each represent many
input and output devices.
The redundant remote R4 monitors the operation of
primary remotes Rl, R2, and R3; and the redundant remote
R8 monitors the operation of primary remotes R5, R6,
and R7. Should any one of the remotes Rl R2, and R3
fail, the failure will be detected by the remote R4 in
a manner to be described and the remote R4 will take over
control of the input and output devices of the failed remote
by receiving the data from the failed remote over the
communications link CL and sending commands to the failed
remote over the communications link CL in formated information
blocks. Similarly, if one of the remotes R~, R6, or R7 fails,
the redundant remote R8 will take o~Jer control of the operation
of the input/output devices for the failed remote as described
above withrespect to redundant remote R4. ~lthough only eight
remotes have been shown in Fiyure 1, any number of remotes
Rl, R2, R3, .-.. Rn_l, Rn could be utilized in a particular
system.
The architecture of an exemplary remote Rn is
shown in FIG. 2. While the architecture of the remote
Rn can vary dependiny upon the control process require-
men-ts, the remote shown in FIG. 2 includes a modem 10; a
communication protocol controller 12; an input/output
management device 14; a central processing unit (CPU) 16;
-- ~.0 --
a memory 18; a peripheral device 20 that can include,
e.g., a CRT display, a printer, or a keyboard; and a
common bus 22 which provides addressing, control, and
information transfer between the various devices which
constitute the remote. The devices shown in dotted line
illustration in FIG. 2 (that is, the central processing
unit 16, the memory 18, and the peripheral device 20J
are provided depending upon the process control require-
ments for the remote Rn. For example, in those primary
remotes Rn which function as an elemental wire replacer,
only the modem lO, the communication protocol controller
12, and the input/output management device 14 are pro-
vided. In more complex process control requirements, an
appropriately programmed central processing unit 16 and
associated memory 18 are provided to ef~ect active con-
trol according to a resident firmware program. In still
other remotes requiring a human interface, the appropriate
peripheral device(s) 20 may be connected to the common buss
22.
As shown in more detail in PIG. 3, the modem lO
provides two independent communication channels CH0 and
CHl connected, respectively, to the communication links
CL0 and CLl. Each of the col~unication channels C~0
and CHl is provided with substantially identical communi
cation devices, and a description of the communicatlon
devices of the first communication channel CH0 is
sufficient to provide an understanding of the second
communic~tion channel C~l. The communication channel
CH~ includes an encoder/decoder 24~ for providing appropriate
modulation and demodulation of the digital data trans-
mitted to and received from the communication link CL0.
2~
In the preferred form, the encoder/decoder 24~ converts
digital information in non-return-to-zero binary (NRZ)
format to base-band modulation (BB.~) signal format for
transmission and effects the converse for reception.
.~mplifiers 26~ and 280 are provided, respectively, to drive
a passive coupling transformer T0 with digital information
provided from the encoder/decoder 24~ from the coupling
transformer T~. A set of selectively operable relay
contacts 30~ are provided between the coupling transformer
~0 and th~ corresponding communication link CL~ to effect
selective interruption thereof to isolate the remote Rn
from the communications link CL, and another set of relay
contacts 32~ are provided to selectively connect the signal
output of the coupling transformer T~ with a termination
impedance Z~. The termination impedance Z~ is used when
the particular remote Rn is at the end of the communication
link CL to provlde proper line termination impedance for
the llnk, or, as described in more detail below, to assist
in termi.nating an open or degra-led portion of the communi--
cations link CL.
A selectively operable loop-back circuit 34 is
provided to permit looping back or recirculation of test
data during diagnostic checking of the remote Rn. While
not specifically shown in FIG. 3 7 the loop-back circuit
34 can take the form of a double pole, single throw relay
that effects connection be~ween the channels CH~ and CHl
in response to a loop-back command signal 'L~'O During
the diagnostic checking of a remote, which checking takes
place when a particular remote is a master-for~the-moment
as explained below, the relay contacts of -the loop-back
~ 12 -
circuit 34 are closed and a predetermined test word is sent
from the channel CH~ to the channel CHl and from the channel
CHl to the channel CH0 with the received word in each case
being chec]ced against the original test word to verify the
transmit/receive integrity of the particular remote.
The isolation relays 300 and 311, the
impedance termination relays 320 and 321, and the loop-back
circuit 34 are connected to and selectively controlled by
a communications link control device 38 whi.ch receives its
communication and control signals from the communications
protrocol controller 12 described more fully below. A
watch~dog timer 40 is provided to cause the C-link control
device 38 to operate the isolation relays 30~ and 301 to
disconnect the remote Rn from the communication link CL in
the event the timer 40 times-out. The timer 40 is
normally prevented from timing out by periodic reset
signals provided from the communication protocol controller
12. In this way, a remote Rn is automatically disconnected
rom the co~nunication link CL in the event of a failure
of its communication protocol controller 12.
As shown in more detail in FIG. 4, each communi-
cation protocol controller 12 includes input/output ports
42, 44~ and 46 which interface with the above described
modem lO for the communication channels CH0 and CHl and the
modem C-link control device 38 (FIG. 3). A first-in first-
out (FIFO) serializer 43 and another first-in first-out
- 13 -
serializer 50 are connected between the input/output
ports 42 and 44 and a CPU signal processor 52. The
first-in first-out serializers 48 and 50 function as
temporary stores for storing information blocks
provided to and from the modems 10 as described more
fully below~ The CPU 52, in turn, interfaces with the
buss 22 through buss control latches 54. A read only
memory (ROM) 56 containing a resident firmware program
for the CPU 52 and a random access memory (R~M) 58 are
provided to permit the CPU 52 to effect its communication
protocol function as described more fully below. Timers
62 and a register 60 (for example, a manually operable
DIP switch register or a hardwired jumper-type register~
that includes registers 60a and 60b are also provided to
assist the CPU 52 in performing its communication proto-
col operation. An excess transmission detectox 64,
connected to input/output ports 42 and 44 (corresponding
to communication channels CH0 and CHl) ~etermines when
the transmission period is in excess of a predetermiIIed
limit to cause the C-link control device 38 (FIG. 3) to
disconnect the transmitting remote from the communications
link CL and thereby prevent a remote that ls trapped in
a transmission mode from monopolizing the communications
link CL.
The input/output management device 14, the
architecture of whlch is shown in FIG. 4A, is preferably
a firmware controlled microprocessor-based device which
- 14 -
is adapted to scan the various input/output hardware points
of the controlled device, effect a point-by-point status
comparison with a prior scan, and record the change-in-
status events along with the direction of the change and
the time the event occurred (ti~e-tagging), effect data
collection and distribu~ion to and from the input/output
points, format the collected data in preferred patterns,
and assemble the patterned data in selected sequences.
As shown in FIG. 4A, the input/output
management device 14 includes a processor 14A connected
to the remote buss 22 through a processor buss 14B; read-
only-memories 14C and 14D connected to the processor 14A
through appropriate connectlons with these memories in-
cluding the firmware necessary to effect the above~
described functions of the input/output management device
14 including the change-in-status event monitoring
(described in more detail below); a read~write memory
14E (RAM) for temporarily storing information incident to
the operation of the processor 14A including the change-
in-status event information; a time base 14F for providing
time information for time tagging the change-in-status
events; and an input/output interface 14G for connection,
either directly or indirectly, to the controlled devices.
In the preferred embodiment, the input/output
interface 14G is defined by one or more printed circuit
control cards generally arranged in rack formation with each
card having hardware points arranged in predetermined sets
of eight points with each hardware polnt carrying a blnary
- 15 -
indication for controlling or sensing the operation of the
controlled device. The control and operational status of the
controlled device can generally be xepresented by one or
more eight-bit words (e.g., 00010001) with each bit position
representing a control or operational characteristic of the
controlled device.
As described in further detail below in connection
with FIG. 4B, the input/output management device 14 effects
the aforedescribed change-in-status monitoring and associated
time-tagging by periodically scanning the input/output hard-
ware points in eight-bit groups and effecting a comparison
between the so-obtained eight-bit group and the eight-bit group
obtained during the previous scan. If a change is detected
in one or more of the bit positions, the latest eight-bit
group, along with the time-of-day inEormation obtained from
the time base 14~, and other in~ormation, if desired,
representing the direction of change, is placed in a
first-in first-discard memory (FIPO) of predetermined
size. Thus, each change-o~-status evenk along with its
time tag and other information such as direction of
change, etc. is placed in a memory of selected size as
the changes occur. When all the memory locations are
filled, the first entered event (which now represents
the oldest chronological event) is discarded as the
latest event enters the memory. The memory loading is
inhibited by the occurrence of any one of a selected
number of inhibit signals. In the system, various con-
ditions including alarm conditions which represent partial
or full system failures can be assigned a priority with
- 16 -
those conditions or cor~inations thereof designated as
"high" priority signals being permitted to disable or
inhibit further accessing of the memory. In the event
one of these high priority conditions occurs, the memory is
inhibited from storing additional change-in-status
information and the change-in-status events occurring prior
to the high priority condition are preserved for
subsequent analysis. Alarm conditions which are not
designated as high priority, of course, do not inhibit the
memory. This techni~ue advantageously differs from those
prior techniques in which the controlled device status was only
placed in memory at the moment of a high priority signal
(in which case a historical pre~failure record-of-events
was not available) or those techniques in which the change-
in-status events were logged in a memory ~hich was
periodically cleared, refilled, and cleared in which case
the probability of obtaininy a complete histor~ of even~s
prior to a predetermined high priority condition diminished
in those instances in which the logging memory was cleared
just prior to the occurrence of the high priority condition.
The manner b~ which the input/output management
device 14 effects the change-of-status event logging is shown
in FIG. 4B. During initialization, the processor 14B (referred
to also as the RTZ in FIG. 4B) moves an image of the various
input/output points, that is, the current status of the
various input/output hardware points, to preassigned locations
in the memory 14E (local) of the input/output management
device 14 and the memory 18 (system) of the remote Rn (FIG. 2).
Thereafter, the address~s) of the first input/output card is
obtained and the input/output hardware points for that card
are scanned to obtain an input/output image which takes the
- 17 -
form of an eight-bit word (e.g., 00000000) with each bit
position representing the control or operational status of the
controlled device. The input/output points so obtained
are then compared with the previously obtained image of the
points (e.g., 00100000), for example, by effecting a bit-
by-bit exclusive OR (XOR) comparison. If the comparison
indicates no change in status, (that is, the words are
identical) the input/output points in the remaining cards
are likewise scanned with the process repeated on a
cyclic or looped basis. Howevex, if a change is detected in
the exclusive OR comparison, that new input/output scan,
along with the time tag information and the direction o~
change is placed in the memory 18 of the remote Rn, and,
in addition, the latest scan is moved to the memroy 14E
of the input/output management device. This process continues
with each new change-in-status event loaded into the memory
18 of the remote on a first-in first-discarded basis. The
first-in first discard memory may be configured by assigning
a preselected number o~ memory locations in the memory 18
of the remote Rn (e.g., fifty locations) for the logging
information and providing an address pointer that points
to each successive location in a serial manner with the
pointer returning to the first location arter pointing at
the last available pre-assigned location in the memory.
In the preferred embodiment, the processor
14A o~ the input/output management device 14 (FIG. 4A)
and the processor 52 (FIG. 4) of the communication
protocol controllex 12 i5 8X300 micro-controller
manufactured by the Signetics Company of Sunnyvale,
18 -
5~
~alifornia, and the central proce33ing unit 16 (FI5. 2)
is an 86/12 single board 16-bit micro-com~uter manu-
factured by the Intel Company of Santa Clara, California
and adapted to and configured for the ~ntel MULTIB~5~M
Each remote Rn is adapted to communicate with
the other by transi~ting digital d~ta organized in pre-
determined block formats. A sultable and illustrative
block format 66 is shown in FIG. S and include~ a multi-
word header frame 66A, a multi-word data frame 66a, and a
look termination frame or word 66C. Selscted of the
information block configuration~ aro adapt~d to transfer
process control information to ~d from s~lected r~mote
~mits Rn and other of th~ block configuration~ ar~ adapted
to transfer supervisory control of the c~mmunications llnk
CL from one remote to the other remote AS explained in
greater detail below.
An exemplary format for the header and data
frames o~ an informlltion block 66 is shown, rèsp~ctively,
in FIGS. 5A and SB~ The head~ frame 66A preferably
2~ include~ a 'start of header~ word(~) that indica~es to
all remotes that infor~ation is b~ing transmitted; a 'source'
identification word(s) that indlcate~ th~ identity of the
sou~ce remote Rs that i~ transferring the infor~ation; a
'destination' word(s) that indicat~s the identi~y of the
receiving or destination r~mote Rd; ~ Ih~ad~r-type' word(s)
th~l~ indica~es whethex the data block i~ tran~ferring data,
a parametared command block, or a paramet~rle~s ccmmand block;
'block-type' word indicating the type o~ block (that is, a
command block or a data b~ock)s a 'block number' word that
-- 19 --
5~
indicates the number sf blocks beiny sent; a 'block size'
word indicating the length of tha data frame; a 'security
code' word(s) that permits altexation of the resident soft-
ware programming in a remote; and, finally, a two-byte
'cyclic redundancy code' (CRC) validity word. The data
frame for each data block, as shown in FIG. 5B, can in-
clude a plurality of data carrying bytes or words Bl,
B2~...Bn of variable length terminated with a two-byte
cyclic redundancy code word. As described more fully
below, each of the remotes is adapted to acknowledge (ACK)
successful receipt o data and ~ommand blocks and non-
acknowledge ~NAR) the receipt of data in which a trans-
mission error i5 detected. When transmitting an
acknowledgement block or a non-acknowledgement block, the
header format used is shown in FIGS. 5C and 5D in which an
acknowledgement (ACK) or non-acknowledgement (NAK) word
occupies the 'block type' word position. The block
formats disclosed above are intended to be illustrative
only and not limiting.
~rhe vaxious remote uni~s Rl, R2~ R3,.. Rn communi-
cate with one another by having each remote successively
take control of the communications link CL and the controlling
remote Rs then sending digital inormation between itself
and a destination remote Rd using a double transmission
alternate line technique that provides for high
reliability data transfer between remotes even when one of
the two communication links CL~ or CLl is inoperative, for
example, when one of the two co~munication cables i5
severed or otherwise degraded as occassionally occurs in
harsh industrial environments.
~ 20 -
~ en a remote unit assumes control of the communi-
cation link GL (as explained more fully below) and, as a
source remote Rs~ desires to send data blocks to another,
destination remote Rd, the data block is assembled at the
source remote Rs.in accordance with the block formats
discussed above in connection with FIGS. 5-5D and trans-
mitted through the information channels CL~ and CLl of the
source remote R5 to the communication links CL~ and CLl
with the header frame containing both the source remote
Rs and t~.e destination remote Rd identification information.
In accordance with the data transmission
technique, the communication protocol controller 12
of the source remote Rs transmits the in~ormation
blocks twice on each communication link CL~ and CLl
as schematically illustrated in FIG. 6 to provide a
first data block DB~ and then a second, following data
block DBB on each communication link CL~ and CLl.
The transmitted info~nation block headers include the
id~ntity o~ the destination remote, Rd, which causes the
des~ination remote Rd to receive and act upon the
information blocks. At the destlnation remote Rd, the
two data blocks DBA0 and DBB0 on the communication link
CL0 are passed through the communication cha~nel CH~
and the two data blocks DBAl and DBBl on the communication
link CLl are passed through the communication channel CHl
to, respectively, the first-in first-out serializers
48 and 50 (FIG. 4).
As shown in the summary flow diagram o FIG. 7,
the destingation remote Rd checks the validity o the
received data by selecting one of thP two communication
links (e.g., CL0 in F~G. 7) and then checks the first
- 21 -
data block on the selected line (that is, DBA~3 by
performing a cyclic redundancy check of the header frame
and, if valld, performing a cyclic redundancy check of the
data frame. If the data frame is valid, the commur.i-
cation protocol controller 12 of the destination remote
Rd then performs a bit-for-bit comparision between the
CRC-valid first data block DBA~ and the second following data
block DBB~. If the bit-for-bit comparision is good, an
acknowledgement (ACR) signal is sent from the destination
remote Rd to the source remote RS to indicate the receipt
of valid information and complete tha~ data block
information transaction. On the other hand, if the CRC
validity checks of the header or the data frame or the
bit-for-bit comparison check indicate invalid data, the
protocol controller 12 of the destination remote Rd then
selects the other, alternate line (in this case, CLl)
and perorms the aforementioned cyclic redundancy checks
of the header and data frame and the bit-for-bit comparison
between the fixst and second data blocks DBA1 and DB
on the alternate line CLl. If these checks indic2te
valid data on thP alternate line, the destination remote
Rd responds with an acknowledgement signal (ACK) to
conclude the data block transmission transaction. On
the other hand, if these checks indicate invalid data
on the al~Prnate line (which means that the data blocks
on both the first-selected line and the alternate line
are invalid) the destination remote Rd responds with a
non-acknowledgement signal (NAK) to cause retransmission
of the data blocks from the source remote Rs. The non-
3~ acknowledgement block (NAK) includes a byte or bytes
- 2~ -
indicating the identity of the data block or blocks
which should be retransmitted. A counter (not shown) is
provided that counts the number of retransmissions from the
source remote Rs and, after a finite number of re-
transmissions (e.g., four~, halts further retransmission
to assure that a source remote RS and a destination remote
Rd do not become lost in a repetitive transmit/NAX/xe-
transmit/NAK... sequence in the event of a hardware or
software failure of the destination remote Rd error checXing
10 mechanism.
The double message alternate line checking
sequence summarized in FIG. 7 may be more fully appreciated
by referring to the detailed flow diagram shown in FIGS. 8A
and 8B (as read in accordance with the flow diagram map of
FIG. 9). At the start of the information validity
checking procedure, the 'line ~-first' flag register is
checked; if a flag is present, the 'irst-attempt fail'
flag register is checked, and, if there is no flag in th~s
register, the two data blocks DBAl and DBBl on channel OEIl
are stored while the two data blocks DBA~ and D~B~ on channel
CH~ are used for the first attempt information check.
Thereafter, the header ~xame of the first data block DBA0
on channel CH~ undergoes a CRC check, and, if acceptable,
the data frame of this data block DBA~ undergoes a CRC check.
If the header and data frames CXC chec~s indicate valid data
a 'good message' register is incremer~ted. If the number of
good messages is less than two, the error checking procedure
returns to the initial part of the flow diagram and, after
- 23 -
~L~8~
detenmining there is no channel CH~ first flag or first-
2ttempt flag present, checks the second following data
block DB3~ by repeating the header and data CRC cyclic
redundancy checks. If the header and data frames pass the
CRC checks, the 'good message' register is incremented
again to indicate that a total of two messages in succession
(that is, D~A0 and DBB~) have passed the cyclic redundancy check
for the header and data rames. Thereafter, the two data blocks
DBA~ and DBB0 received on line CH~ are checked by performing
a bit-by-bit comparision between the two. I the data blocks
DBA~ and DBB~ pass the bit-by-bit comparision test, the co~muni-
cations protocol controller 12 of the destination remote Rd
sends an acknowledgement (ACK) message to the source remote
Rs to conclude the information block transfer and xesets the
various registers. If, on the other hand, eithex the data
~lock DBA~ or DBB0 on line CL~ ~ail the headex and data fxame
CRC checks or these two data blocks fail the bit~by bit
comparison check, the communication protrocol controller 12
sets the 'first-attemp~ fail' flag and xeturns ~o the start
of the procedure ~o determine that the 'line ~-first' flag
and the 'first-attempt' fail flag are present. The communi-
cation protocol controller 12 then uses the s~ored data blocks
DBAl and DBBl from line CLl (which data blocks were previously
stored in FIFO SO). The header block and data block of
the data blocks DBAl and DBBl from line CLl undergo the CRC
check and, if successful, cause the incrementing of the 'good
2~ -
message' register to cause the communication protocol
controller 12 to then check the validity of the second
data block DBBl. If the data blocks DB~l and DBBl pass the
CRC checks, they are compared with one another in a bit-
by-bit comparison test and if this comparison check is
successful, an acknowledgement (ACK) is sent. If, on the
other hand, either data block DB~l or DBBl does no~ pass the
CRC check or the data blocks do not pass the bit-by-bit
comparison test, a non-acknowledgement (NAK) is sent to the
source remote Rs including information requesting the
retransmission of the data blocks which ailed the validity
test at the destination remote Rd. The source remote Rs then
retransmits the improperly received information blocks as
described above with retransmission limited to a finite number.
A register is provided for each of the communication links ~or
recording, in a cumulative manner, the number of times an
invalid message is received ~ox each communication link. In
this manner, i~ can be dete~mined, on a statistical ba~is,
whether one o~ the two communication links has suffered a
deterioration in signal transmission capability and, of course,
whether one of the communication links is severed.
As can be appreciated, the dual transmission of the
identical messages o~ plural communication links vastly
enhances the ability o~ the des~ination remote Rd to detect
errors and determine whether the in~ormation being.transmitted
is valid or not. In addition, the destination remote Rd is
able to operate and successfully receive messages even if one
of the communicatiQn links C~ or CLl is severed since the
communication protocol controller 12 at the dP.stination Rd
- - -
will examine the received signals on each line and will find
invalid data on the severed line, but will always e~amine
the data blocks on the other line and, if necessary, request
retransmission of the information blocks.
In selecting one o the two channels CH~ or C~1 for
the first validity check, it is preferred that one of the two
channels ~e.g., CH0) be selected for the first check on every
other information transaction and that the other of the two
channels (e.g., C~1) be selected or the first check for the
other intenmediate information transactions. While the system
has been disclosed as having dual communication links CL~ and
CLl, the invention is not so limited and can encompass more
than two communication links with the remotes adapted to
sequentially examine signals received on the various channels.
As mentioned above, each remote Rn of the control
system is adapted to accept and then relin~uish supervisory
control of the communication link CL on a master-for-the-
moment or revolving master arrangement. The communicakion
protocol controller 12 o~ each remote Rn includes a register
~Jhich contains the remote succession number, another register
which contains the total number of remotes in the system, and
another xegister which contains th~ relative position of the
remote from the present system master. The first two registers
are schematically illustrated by the reference character 60 in
FIG. 4. In addition, each remote Rn includes a variable transfer-
monikor timer having a time-out interval that is set in accordance
with a predetermined con~rol-tran~fer time constant (50 micro-
seconds in the preferred embodiment) and the position of the
- 26 -
particular remote relative to the present system m~ster
to permit, as explained in more detail below, the master-
for-the-moment transfer to continue even in the event of
~ disabled remote (that i5, a remote that is unable to
accept supervisory control because of a malfunction).
Another timer is provided to force transfer of supervisory
control of the communications link CL in the event a
remote, because of a malfunction, is unable to transfer
supervisory control to its next successive remote. The
operation of the master-for-the-moment transfer techni~ue
can be appreciated by consideration of the followiny
example of an illustrative system that includes five
remotes arranged in the open loop configuration of FIG. 1
and transferxing supervisory control o the communications
link CL in accord~nce with the tables of FIGS. lOA-lOF. The
upper row of each ~able indicates the succession sequence
or order of the five ~emotes Ro~ Rl, R2, R3 and R4 that
comprise the system; the intermediate row identifies the
remote that is the present master-for-the~moment and also
identifies the relative successive position of the other
remotes from the present master, that is, the first (or
next) successive remote from the prese~t master, the second
successive remote from the present master, the third remote
from the present master, etc.; and the third row of each
table lists the setting of the variable transfer-monitor
timer for the particular remote.
- 27 -
The system is provided with initialization
software so that the first remote in the succession, R
assumes supervisory contxol of the communication link
CL ater system start-up and becomes the initial master
of the syst~m (FIG. lOA). When the initial ma~ter Ro
is in control of the communications link CL, it can send
data to any o the other remotes, request s~at~ts or
other data from another remote, and send control blocks and
the like over the communications link CL. ~en the master
Ro determines that it no longer desires possession of the
communications link CL, it passes supexvisory control of
the communications link CL to the next or first successive
remote in accordance with the succession order. Thus, when
the present mastex Ro concludes iks information transfer
transactions, it transfers supervisory control of the
communications link C~ to its next ox first successive
remote Rl by transmitting a control block to the remote R
with all the remaining remotes (that is, R~, R3, R4)
being cognizant of the transfer of supervisory control
from the present mastex Ro to its fixst or next ~uccessive
remote Rl. Since, in the present system, the txansfer o
super~isory control of the communications link CL is
expected to take place within 50 micxo-seconds, the
second successive remote R2, as shown in the thlrd row of
the table of FIG. lOB, sets its variable transfer-monitor
tlmer to 50 micro-seconds, the third successive remote R3 sets
its vaxiable transf~r~monitor timer to 100 micro-seconds,
- 28 -
and the fourth successive remote R4 sets it trans~er-
monitor timer to 150 micro-seconds. When the first
successive re~ote R1 receives the control block from the
present master Ro~ i~ accepts supervisory control of
the communications link CL by responding with an
acknowledgement message (ACR). If the control block
is misreceived, the ~irst successive remote Rl can
respond with a non-acknowledgement (NAK) to request
retransmission of ~he control block transferring
supervisory control of the communications link CL. During
the time interval that the present master remote Ro is
attempting to transfer supervisory control of the communi-
cation link CL to its next successive remote Rl, the
transfer-monitor timers of the remaining remotes are
counting down. If, for any reason, the next or first
successive remote Rl fails to take control (e.g., a
malfunction of the remote), the transfer-monitor timer
of the second successive remote R2 will time-out at 50 micro-
seconds and cause the second successive remote R2 to then
accept supervisory control of the cornmunication link CL
from the present master Ro and thus bypass the apparently
malfunc~loning irst successive remote Rl.
Aassuming that the initial system master Ro
successively ~ransexs supervisory con~rol of the communi-
catins link CL to its first successive remote Rl, that
successive remote Rl then becomes the present master with the
remaining remotes changing their position relative ~o the
present master and setting their transfex-monltor timers
in accordance with the second and third rows of the table
of FIG. lOB. When the present master Rl concludes its
- 29 -
in~ormation transfer transactions, if any, it attempts ~o
transfer supervisory control to its first or next successive
remote R2 by sending an appropriate Gontrol block to remote
~2 which responds with an acknowledgement signal (ACK) or,
in the event of a mistransmission of the control block, a
non-acknowledgement signal (N~K) which causes re-
transmission of the control block. When the control block
requesting transfer of supexvisory control of the communi-
cation link CL is sent from the present master Rl to its
next succassive remote ~2~ all the remaining remotes reset
their transfer-monitor timers in accordance with their
position relative to the present remote as shown in the third
row o the table of FIG. lOC. Should the next successive
remote R2 be unable to accept supervisory control of
the communication link CL from the present master Rl,
the transfer-monitor timer o~ the second successive remote
R3 will time-out in 50 micro-seconds and cause -the second
successive remote R3 to assume supervisory control of the
communiations link CL to thereby bypass an apparently
malfunctioning ~irst successlve remote R2. As can be
appreciated from a review of the transfer-monitor time-out
settings of the various remotes, supervisory control of the
communications link CL will transfer even if one or more
succe~sive remotes are malfunctioning, when the transer-
monitor timer of the next operable remote times outO This
transfer sequence continues in succession as shown in the
remaining tables of FIGS. lOD to lOF with supervisory
control of the communication link CL being passed from
remote to remote in succession with the last remote R~
returning supervisory control to the first remotP Ro~
- 30
5~i~
By employing a master~for-the-moment transfer
technique in which the receiving remote acknowledges
control from the transferrlng remote and in which re-
transmission of a mis-received control bloc~ i5 provided
for in response to a non-acknowledqement signal from the
receiving remotP, it is poss~ble to positively transer
supervisory control of the communication link~ Thi~
technique ad~antageously transfers co~trol u~ing the
data and inormation carry~ng communication lin~ rather
than, as in other systems, by proviaing ~eparate communi-
cation lines or channels ded~cated solely to supervisory
control transfer function. Al~o, the provls~on of a
variable trans~er-monitor timer at each remo e that i~ set
in accordance with the remote's relative position to the
present master and a transfex time-constant automa~ically
txansfers supervisory control o~ the con~unicatio~s li.nk
even i~ one or more o~ the succe~iv~ remote~ are mal~
func~ioning.
The architecture of a radundant remote (R4 and
~8 in FIG. 1), as sho~n in ~IG. 11, i~ essentially the same
as that of a primary remote except that it has no input~
output devices asslgned to it. Each redundant remot2
functions to take over control responsibility of a controlled
device from a primary xemote in the event the primary
remote malfunctionY.
- 31
In each primary remote, preassigned memory
locations are designated ~o act as a 'mailbox' register
for that remote. Each time the central processing unit
16 of the primary remote cycles through its applications
program, in which it responds to and controls the input/
output devices of the remote via the input/output management
device 14, it stores a predetermined n~nber in its mailbox.
Each time the processor 14A of the input/outpu-t management
device 14 cycles through its program, it decrements the
number stored in the mailbox. The time for the CPU 16
to cycle through it~ program and for the input/output
management device 14 to cycle through its prosram is
approximately 1:1 so that the number stored in the mailbox
will be maintained at or near the predetermined value set
by the applications program of the CPU 16 unless the
CPU 16 ceases to cycle through its applications program.
Should this happen, the number ~tored in the mailbox memory
18 will be decremented by the input/output management
device 14 until it reaches a zero value.
Each time a redundant remote which i5 serving
as a back-up for its associated primary remotes takes its
turn in the master-for-the-moment sequence described above,
the redundant remote will request and obtain the value of
the number in the mailbox of its assigned primaxy remotesO
Xf the number in the mailbox i5 not zero, the redundant remote
will know that the central processing unit 16 in the so~
queried primary remote is carrying out its applications
program and has not gone into an emergency mode of operation
or otherwise ceased to operate. If the redundant remote
detects that the number in the mailbox for one of its
assigned primary remotes is zero, then the redundant remote
will determine that the central processing unit 16 of the
zero-mailbox remote is not carrying out the applications
program and, in response to this determination, the redundant
xemote will first attempt to restart the applications program
in the central processing unit 16 of the primary remote. If it
fails to successfully restart the applications program, the
redundant remote will carry out the applications program
for the failed remote. In carrying out the applications
program, the redundant remote will respond to the input
devices and control the output devices assigned to the
failed primary remote by sending commands and receiving
data from the failed remote over the communications link CL.
The redundant remote, in addition to checking the
status of its assigned primary remotes for which the
redundant remote sexves as a back-up, also must maintain
an up-to-date record of the status of the applications
program in each of these assigned primary remotes. The
redundant remote checks the status of the mailbox and gets
the current applications program status fxom each of the
primary remotes by sending requests for information over the
communications link CL when the redundant remote takes its
turn in the master~for-the~moment sequence as described
above.
~ 33 -
2S~8
The operation of the redundant remote in carrying
out its function as a back-up for the primary remotes will
be more fully understood ~ith reference to FIGS. llA and llB
which illustrate a flow chart of the program in the redundant
remote R4 (FIG. 1), which serves as a back-up for its assigned
primary remotes Rl, R2~ and R3. The other redundant remote
R8 will have the same program except that it will be
applied to its assigned remotes R5, R6, and R7.
As shown in FIGS. llA, after the program in the
redundant remote R4 is started, it enters into a decision
instruction sequence 101 to check the status of remote
Rl. As explained above, it does this by sending a request
for information over the communications link CL to remote
Rl as~ing for the current number in the mailbox of remote
Rl. It then determines whether this number ls greater than
zero. If the number is greater than zero, the status of
remote Rl is determined to be operating and the program of
the redundant remote R4 advances to instruction step lG3
in which it resets a fail fl~g for Rl to 'off' and then enters
subroutine lOS, in which the current applications program
status in remote R1 is obtained. This means that the
redundant remote R4 requests and obtains the current status
of the input and output devices in remote Rl and the current
status of the timers and the counters and the flags being
used in the applications program of remote Rl. In other
~ 34 -
words, in subroutine 105, all of ~he information that
would be needed for the redundant remote R4 to take over
the applications program is obtained from remote Rl.
This information is obtained by sending requests for
data and receiving data back over the communications
link CL.
Following the obtaining of the current appli-
cations program status of remote Rl, th~ xedundant remote
R4 progxam proceeds to decision instruction sequence 107,
in which the status of remote R2 is checked in the same
manner that was done with respect to Rl. If the status
of remote R2 is operating, the program advances to
instruction step 109, in which the program sets a fail
flag for re~ote R2 and then pro~eeds into subxoutine 111,
in which the status of the applications program for
xemote R2 is obtained in the same manner as for Rl in sub-
routine 105. The program then proceeds into a decision
instruction sequence 113 to check the status of remote
R3. If the status of remote R3 is operating, then the
program resets the fail flag for remote R3 in instruction
step 115 and proceeds into subroutine 117 to obtain the
applications program st~tus for remote R3 in the same manner
as ~or Rl in subroutine 105. Following subroutine 111, the
program return~ again to decision instruction sequence 101
to check the status of remote Rl and the process cyclically
repeats.
If in decision instruction se~uence 101, the
program determines that the status Rl is not operating as
indicated by the number in the mailbox of the remote Rl,
bein~ zero, the program then advances to decision instruction
sequence 119, in which the program determines if the fail
flag for Rl is 'on' or 'off'. If the fail flag is 'off', the
- 35 -
program proceeds into instruction sequence 121, in
~hich the program attempts to restaxt the applications
program for remote Rl. It does this by sending a co~mand
over the communications link CL to remote Rl to direct
the communica-tions protocol controller 12 (FI5. 2) to
attempt a hardware restart of the applications program.
This is carried out by the communications protocol controller
12 pulling a restart wire to ground in the common buss
22. When this restart wire is pulled to ground, it starts
the applications program back through its initiali~ation
program and sets all of the flags, timers, and counters
just as if power had been turned on. Such a restart
is called a hardware res~art. Alterna~ively, the
redundant remote R~ could effect a software restart in
the failed remote. ~ software restart would mexely start
the applications program through its initialization proyram
with the timexs, eo~mters and flags left in their present
status.
Ater completing instruction sequence 121,
the redundant remote R4 progxam then sets the fail flag
for remote Rl to 'on' in instruction step 123 and then
proceeds into decision instruction sequence 125 to again
check the status of remote Rl by checlcing the number in
the mailbox of remote Rl in the same manner as in decision
instruction sequence 101. If the applicatio~s program
in remote Rl was successully started in instruction
sequence 121, the number in the mail~ox will not be zero
and the pxogram will determine that the statlls of remote
Rl is operating, whereupon the program will jump to
decision inst~uction sequence 107 to check the status of
remote R2 as already described.
- 3~ -
If the program determines that the status
of remote Rl is not operating in decision instruction
sequence 125, then this means that the attempt to restart
the applications program in remote Rl in instruction
sequence 121 failed and the xedundan~ remote R4 program
then proceeds into instruction sequence 127 to initialize
the input/output management device 14 (also identified
in FIG. llB as 'RTX') in remote Rl to recei.ve instructions
and data from the redundant remote R4 instead of from the
central processing unit 16 in the remote Rl and to send
data on the status of the input and output devices to the
redundant remote R4.
If the program of the redundant remote R4
determines that the fail flag was 'on' instead of 'off 7 ln
decis.on instruction sequence 119, the redundant remote
program would proceed directly into the instruction
sequence 127 to initialize the input/output management
device 14 of remote Rl to respond to the redundant remote
R4.
The purpose of the fail flag which is set to 'on'
in instruction step 123 and is reset to 'off' in instruction
step 103 is to prevent the redundan~ remote program from
getting hung-up in a csndition in which it success~ully
restar~s the remote Rl only to have the remote Rl fail again
by khe time the program of the redundant remote recycles
around to checking the mailbox o~ the remote Rl again in
decision instruction sequence 101. If this should happen,
the fail flag for remote Rl will have been set to 'on' in
instruction step 123 after the successful restarting of the
37 -
applications program. Then, the next time that the
redundant remote program cycles back to decision
instruction sequence 101, and determines that the status
of remote Rl is not operating, the fail flag for remote
Rl will be 'on'. Accordingly, the program will jump from
decision instruction sequence 119 into the instruction
sequence 127 to initialize the remote Rl to respond ~o
redundant remote R4. If the next time ~he redundant remote
program recycles back to decision instruction sequence
101 to check the status o Rl, it determines that the
status of Rl is operating, the program will then reset
the fail flag to 'off' in instruction step 103 so that in
subsequent cycles, should the program determine that the
remote Rl has again failed, the program will again go into
the restart instruction sequence 121 instead of immediately
jumping to the initialization instruction sequence 127.
After the rPdundant remote program has comple-ted
the initialization instruction sequence 127, it then proceeds
to subroutine 129. In this subroutine, the status of the
applications program oE remote Rl last received by the
redundant remote R4, which status is stored in the memory
o~ the redundant remote R4, i5 loaded into predetermined
registers o the memory of the redundant remote R~ in order
to carry out the applications program of remote Rl in the
redundant remote R4. After this subroutine is completed,
the program proceeds into instruction sequence 130 and
then into the subroutine 131 in which it start~ and
carries out the applications program. The redundant remote
R4 carries out the R~ applications program by receiving data
from remote Rl as to the sta~us of the input and output devices
- 3a -
of the remote Rl and sending instructions to remote R1
to direct operation of the input/output management device
14 of the remote Rl. The program in the redundant remote
R4 will then continue to cycle through the applications
program for the remote R1 until it receives a command from
the operator to reset it back into its main cyc]e of checking
the status of the remotes Rl, R2, and R3.
Should the redundant remote R4 determine that
the status of remote R~ or remote R3 is not operating,
it then performs the same program with respect to these
remotes as described with respect to remote Rl as is
illustrated in FIGS. llA and llB.
The redundant remote R8 will take over the
applications program should any of the primary remotes
R5-R7 become nonoperative in the same manner as described
above with respect to R4 serving as a back-up for the
primary remotes Rl-R3.
It will be appreciated that the provision of
the redundant remotes decreases malfunctioning of the control
system due to one of the primary remotes becoming inoperative
as a result of failure of the central processing unit 16 of the
primary remote. Because each redundant remote serves as
a back-up for several primary remotes, the cost of providing
the redundancy is significantly reduced. Because the
redundant remotes are themselves each a remote control uni-t
which takes its turn in the master-for-a-moment sequence
communicating with the other remotes over the dual channel
communications link, the redundant remotes can ~e provided
in the system very inexpensively.
- 39 -
Each remote Rn, as described above, is provided
with termination impedances Z~ and Zl for the first and
second communication channels CH0 and CHl (FIG. 3) and a
line termination relay 32~ and 321 under the control of the
communications link control device 38. The termination
impedances are connected across each channel of the communi-
cations link when the particular remote is the first or the
last remote in the system ~e.g., R1 and R8 in FIG. 1) to
establish proper line termination impedance to prevent
signal level degradation and the presence of reflected
signals, both conditions which can adversely affect the
performance of the system. The termination impedances
Z0 and Zl are also applied across the appropriate communi-
cations channels when a remote determines, as described
below, that the communications link CL between it and its
immediately adjacent higher or lower number remote i5
severed or sufficiently degraded that reliable data
transmission cannot be maintained therebetween. The
detenmination as to communications link degradation can be
made by providing each remote wi~h a regi~ter fox each
communications channel that records, in a cumulative manner,
the numbex of invalid messages received from the immediately
~a~jacent remote(s) and terminate one or both of the
communications link CL0 and CL1 in the direction of the
remote from which the number of invalid messag~s received
exceeds a threshhold value. More preferably, however, each
remote is provied with an active testing diagnostic routine
to enable it to test the communication integxity of t~e
communications link betw~en it and its immediately adjacent
remote(s) in accordance with the flow diagrams illustrated
in FIGS. 12, 12A, 13B and 12C as xead in accordance with
FIG. 13 and the table of FIG~ 14~
- 40 -
~2~
The flow diagram illustrated in FIG. 12 is a
summary of the manner by which each remote is capable o
testing the communication integrity of the communications
link CL between it and its immediate adjacent remote or
remotes and termina~ing one or bo~h of ~he communications
links, CL~ and CLl, when a degraded or interrupted line
condition is detected. As shown in FIG. 12, the remote
Rx is initialized a~d then, in sequence, tests the communi-
cations integrity of the communications link CL~ in the
downstream directio~ between it and its immediately adjacent
lower number remote (that is, R~ 1) and then tests the
communication integrity of the communications link CLl
in the downstream direction with the same remote. If
either the communications link CL~ or CLl in the downstxeam
direction is faulty, an appropriate ~lag is set in a
register in the remote Rx reserved for this purpose. In
a sLmilax manner, the remote Rx then tests the communications
integrity of the communications link CL~ and CLl in the up-
stream direction with its immediately adjacent higher number
remote (that is, remote RX~l) and sets the appropriate ~lag,
as and if required. Aft~r ~his initial diagnostic checking
takes place, the remote Rx will terminate the failed communi-
cations lire CL~ and~or CLl by actuating the appropriate
relay contacts.320 and/or.321 as requixed. The line checking
test utili~ed in FIGo 1~ preferably takes place when the
remote Rx is master-for-the-moment (that is, Rm).
A more de~ailed explanation of the communications
line integrity chec~ a~d automatic line termination may be had
by referriny to FIGS, 12A, 12B and 12C (as xead in accordance
~ 41 -
with the flow chart legend of FIG. 13) in which FIG. 12A
represents the downstream integrity check with the next
lower number remote, FIG. 12B represents the upstream
integrity check with the next higher number remote, and
FIG. 12C represents the line termination function in
response ~o the results of the integrity test performed
in FIGS. 12A and 12B.
In FIG. 12A, the line checking diagnostic is
started by first loading three registers or counters,
namely, a 'retry counter', a 'CL0 retry counter', and a
'CLl retry counter' with an arbitrarily selected number,
for example, five. The 'retry counter' is then decremented
by one and a message sent from the remote Rx to the
remote Rx 1 requesting an acknowledgement ACX signal. If the
communications link CL~ and CLl between the interrogating
remote and the responding remote is fully ~unctional, a
valid ACK signal will be received by the interrogating
remote Rx on both CL~ and CL1. The diagno~tic checking will
then route to the part o~ the program (FIG. 12B) for
checking the communications integrity of the communications
link CL0 and CLl hetween the interrogating remote Rx and
the n~xt higher nu~ber remote in the system, that i5,
RX~l. On the other hand, if a valid ACK signal is not received
on one or both of the communications links CL~ or CLl by
the requesting remote Rx from the immediately adjacent lower
number responding remote Rx l~ the appropriate retry counter
(that is, 'CL~ retry co~nter' or ICLl retry co~nter ? ) will
be decremented by one and the procedure repeated until the
'retry counter' is ~ero at ~hich time the appropriate C~
- 4~ -
and/or CLl terminate flag register will be set; thereafter,
the program will route to the upstream communications
integrity check shown in FIG. 12B.
The flow diagram of FIG. 12B is basically the same
as that oE ~IG. 12A except that the communications integrity
chec~ occurs for that portion of the co~nunications link
CL between the interrogating remote Rx and the next
higher number responding remote R~l. More specifically,
the three registers or counters, that is, the 'retry
counter', the 'CL~ retry co~nter', and the 'CLl retry
counter' are loaded with the arbitrarily selected value of
five. The 'retry counter' is then decremented by one and
a message sent from the interrogating remote R~ to the
remote RX~l requesting an acknowledgement signal. If the
communications link CL0 and CLl ~etween the interrogating
remote Rx and the respondiny remote RX~l is i~tegral, a valid
acknowledgement signal will be received by the interrogating
remote Rx and the program will route to the tennlnation
impedance portion of the procedure shown in FIG. 12Co
On the other hand, if a valid acknowledgement signal is
not received on one or both of the communications lines CL~
or CLl by the interrogating remote Rx from the higher order
responding remote RX~1, the appropriate retry counter, that is,
the 'CL0 or CLl retry counter' will be decremented by one
and the procedure repeated until the 'retry counter' is
zero at which point the appropriate CL~ and~or CLl
termination ~lag register will be set; thereafter, the
program diag~ostic will route to the line i.mpedance
termination portion shown in FlG. 12C.
- 43 -
~256~
In the flow diagram of FIG. 12C, the various
termination registers are examined for set flags and
appropriate commands issued to the C-link control device
38 (FIG. 3) to terminate the line by appropriate actuation
of the relay contacts 32~ and/or 321. As is also shown in
FIG. 12C, a line termination relay can also be released
(that is, reset) to remove a previously applied line
termination impedance. Accordingly, the system provides
each remote with the ability to remove a line texmination
as well as apply a line termination. This particular
feature is desirable when a communication link is
temperarily degraded by the presence of non-recurring
electrical noise to permit the system to automatically re-
configure its line impedances.
The following specific example illustrates the
operation of the line termination procedure in whi~h it is
assumed that the communicatio~s link CL~ in FIG~ 1 is
severed at point A as shown therein and that the remot~
R4 is the presen~ master.(Rm) of the system and testing the
~ommunications integrity of the comm~nications link between
itself as the interroyating remote (Rx) and its next lower
order number remote R3 (that is, Rx 1) In accordance with
the ~low diagram of FIG. 12A, the 'retry counter', and the
'CL0 retry counter'/ and the 'CLl retry counter', as shown
in the tabulation table of FIG. 14, are set to the pre
determined value o~ five~ The 'retry counter' is
decremented b~ one and the requesting interrogating remote
R4 (Rx) requests an acknowledgement from the responding
remote R3 (tha~ is~ ~x-l) The requested acknowledgement
will be provided on line CLl but not line CL~ because of the
- ~4
aforementioned interruption at point A (FIG. 1).
The interrogating remote R4, not receiving the requested
acknowledgement signal on communications link CL~, will
decrement the 'CL~ retry counter' by one. Thereafter,
the retest procedure will be sequentially continued with
the 'C~0 retry counter' being decremented with each
additional unsuccessful attempt to obtain an acknowledgement
from remote R3 through the communications link CL0. When
the 'retry counter' decrements to zero, the 'CL0 retry
counter' will also be decremented to zero at which time the
CL0 lower order termination ~lag will be set. The remote
R4 will thereafter continue the diagnostic checking procedure
to test the communications integrity of that portion of
the co~unications link between the remote R~ (Rx) and the
next adjacent higher remote R5 (that is, RX~l) in accordanc0
with the 10w diagrc~m of FIG. 12B~ At the conclusion of
the test o the communications link between th~ inter-
rogating remote R~ and the immediately adjacent lower number
and higher n~mber remotes R3 and R5, the termination relay
contacts 32~ ~FIG. 3) will be set to texminate the communi-
cations link CL~ at the remote R4. In a similar manner, the
remote R3, when it b~comes master-for-the-moment, will also
apply a termination impedance ~cross the communications link
CL~.
As can be appreciated from the foregoing, the
remotes Ro~Rn have the ability~ even when one or both of
the communication links CL~ and C~l are severed to still
- 45 -
~25~
function on a master-for-the-moment basis and also to
effect appropriate line termination to minimize the adverse
effect on digital data signal strength and the generation
of reflected signals from mismatched line impedance caused
by deteriorated or severed communication lines. In
addition, the system is self-healing, that is, when
reliable communications is restored over the severed or
degraded portion of the communications link the remotes
Rn will then again function to remove the line impedances
to resume full system operation.
As will be apparent to those skilled in the art,
various changes and modifications may be made to the
industrial control system of the present invention without
departing from the spirit and scope of the invention as
recited in the appended calims and their legal e~uivalent.
- 46 -
