CA2131156A1 - Process control interface system having triply redundant remote field units - Google Patents

Process control interface system having triply redundant remote field units

Info

Publication number
CA2131156A1
CA2131156A1 CA002131156A CA2131156A CA2131156A1 CA 2131156 A1 CA2131156 A1 CA 2131156A1 CA 002131156 A CA002131156 A CA 002131156A CA 2131156 A CA2131156 A CA 2131156A CA 2131156 A1 CA2131156 A1 CA 2131156A1
Authority
CA
Canada
Prior art keywords
output
analog
redundant
circuits
computer
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
CA002131156A
Other languages
French (fr)
Inventor
Robert S. Glaser
Robert S. Hoy
G. Paul Fernandez
Timothy J. Grai
Dean W. Gaudreau
Robert J. Hozeska
Donald J. Grinwis
Gregory J. Gavit
Joseph Sheehan Jr.
Lowell V. Thomas
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Dow Global Technologies LLC
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Individual filed Critical Individual
Publication of CA2131156A1 publication Critical patent/CA2131156A1/en
Abandoned legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B23/00Testing or monitoring of control systems or parts thereof
    • G05B23/02Electric testing or monitoring
    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B19/00Programme-control systems
    • G05B19/02Programme-control systems electric
    • G05B19/04Programme control other than numerical control, i.e. in sequence controllers or logic controllers
    • G05B19/042Programme control other than numerical control, i.e. in sequence controllers or logic controllers using digital processors
    • G05B19/0423Input/output
    • G05B19/0425Safety, monitoring
    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B9/00Safety arrangements
    • G05B9/02Safety arrangements electric
    • G05B9/03Safety arrangements electric with multiple-channel loop, i.e. redundant control systems
    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B2219/00Program-control systems
    • G05B2219/10Plc systems
    • G05B2219/14Plc safety
    • G05B2219/14123Majority voting, dynamic redundant, persistency and integrity
    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B2219/00Program-control systems
    • G05B2219/20Pc systems
    • G05B2219/24Pc safety
    • G05B2219/24184Redundant I-O, software comparison of both channels
    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B2219/00Program-control systems
    • G05B2219/20Pc systems
    • G05B2219/24Pc safety
    • G05B2219/24187Redundant processors run identical programs
    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B2219/00Program-control systems
    • G05B2219/20Pc systems
    • G05B2219/24Pc safety
    • G05B2219/24189Redundant processors monitor same point, common parameters
    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B2219/00Program-control systems
    • G05B2219/20Pc systems
    • G05B2219/24Pc safety
    • G05B2219/24192Configurable redundancy
    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B2219/00Program-control systems
    • G05B2219/20Pc systems
    • G05B2219/25Pc structure of the system
    • G05B2219/25428Field device

Abstract

A process control interface system (10) having a network of distributed triply redundant input/output field computer units (12).
The system includes a plurality of self-contained remotely located triply redundant field computer units (12) connected to decision making redundant process control computers (14) through a bi-directional communication network having at least two concurrently active communication channels (46, 48). Each of the field computer units include a set of at least three redundant field computers (92, 94, 96) for arbitrating both input and output signals. The field computer units also include individual abort circuits (510, 606) for each output signal to be transmitted to a device (84, 86) which affects the operation of the physical process. These abort circuits effectively enforce the output value signals arbitrated independently through each of the three redundant field computers using a voting procedure.

Description

W093/20488 213~156 PCI~US93/0"53 ,~' j,.

PROCESS CONTROL INTERFACE SYSTEM HAVING
TRIPLY REDUNDANT REMOTE FiELD UNITS

BACKGROUND OF THE INVENTION
The present invention generally relates to the interface between a process control computer and its remotely located field instrumentation. More specifically, the present invention relates to a process control interface system which is comprised of a distributed network of triply redundant remote field units that communicate with redundant process control computers over redundant fiber optic pa~hs.
One of the most dfflicult and elusive goals to achieve in the design of any automated process control system is to provide an accurate, fast and yet highly reliable control systern which is capable of withstanding the rugged demands of controlling a physical process non-stop for years at a time, if possibie. This is particularly true for the process - control applications in a chemical plant where the cost of shutting down a complex large-scale process for computer system repairs may be enormous due to the time, effort and waste incurred in anempting to bring such a process back on line.
In order to achieve maximum economic efficiency and optimum product quality, the dernands for more comprehensive process control automation have continued to - increase in bcth quantity and sophistication. As the reliance on computer-based control for the operation oS a chemical process increases, it is clear that a number of computers are required to work together in order to accomplish all of the desired control tasks. This, of course, adds further complexity to a control system for which ma~imum fault tolerance is i desired.
In order to increase the reliability of a proc0ss control computer system, many i 25 attempts have been made to provide a backup computer for one or more of the computers "~ being used to actively control the process. However, a rapid hand-off of control from an u, active computer to a backup computer is difficult to achieve if the goal is to provide a , seamless or transparent transfer to the devices which affect the operation of the physical process. Additionally, the conditions under which a transfer of control should be made may :, , .

.

, - ~
.2 ~3 ~ ~S 5 2 be complex and consume needed processor time during normal operations.
Another approach to this problem is to provide triple redundancy with three actively operating computers. While the provision of three computer processocs certainly increases the overall cost o~ the control system, it does permit the use of ~majority voting~ for decision making. The benefit of majority voting not only adds to the abil~ of the computer system to withstand a fault in one of the computers, rt alsG helps to ensure that the decisions being made are accurate~ In other words, the agreement of two out of three computers on any particular decision increases ~he likelihood that the decision is ultimately correct.
Nevertheless, even when triply redundant control is found to be desirable, a myriad of design problems must first be confronted in order to achieve a truly effective triply redundant control system, including the handling of internal failures within different areas of the triply redundant control system. While there have been a number of attempts to appropriately manage the interrelationships between a set of three or more computers, there is still considerable room for advancement in this art, particularly as it relates to large scale chemica! process control applications.
Accordingly, it is a principal objective of the present invention to provide a distributed network of triply redundant field computer units which communicate with redundant process control computers to maximi7e both accuracy and the overall system's tolerance to faults in the process control system that could affect the physical process being controlled.
It is another objective of the present invention to provide a distributed network of triply redundant field computer units which enables broadcast downloading of updated software to each of these units w~hout affecting the process being continuously controlled.
It is a further objective of the present invention to provide a triply redundantfield computer unit which permits circuit boards in one of the computers contained in the unit to be replaced without affecting the process being controlled or requiring control to be torced to one or the other of the remaining computers.
It is an additional objectiv0 of the present invention to provide a triply redundant field control unit which enables a unique arbitration process of field inputs and outputs to be achieved.
It is also an objective of the present invention to provide a triply redundant field computer unit which is capable of automatically aborting po~entially erroneous output signals. ~, It is yet another objective of the present invention to provide a triply redundant field computer IJnit which enables any two computers contained in the unit to temporarily 35 reset, and if necessary, more perrnanently reset the remaining computer.
It is still an additional objective of the present invention to provide a triply WO 931204~8 ~ 1 3 l 1 ~ 6 P~/US93tO2253 '.~

.
3 ~

redundant field computer unit which includes one or more ~smart~ multi-function input circuits for interpreting raw sensor information and one or more ~smart~ output circuits for independently determining the manner in which a desired output value is achieved.
It is still a further objective o~ the present invention to provide a method of S testing both digital and analog output circuits which is non-intrusive to the process being continuously controlled.
It is yet another objective of the present invention to provide a triply redundant field computer unit which includes a high current output power supply circuit and a battery backup that may be periodicaily tested under load conditions~
SUMMARY OF THE INVENTION
To achieve the foregoing objectives, the present invention provides a plurality of self-contained remotely located triply redundant field comp~ner units which are connected ~! to decision making redundant process control computers through a bi-directional - 15 communication network having at least two concurrently active communication channels~
Each of the field computer units include a set of at least three redundant field computers for converting raw analog and digital input signals into arbitrated input value signals at predetermined times~ The input arbitration method provided by the redundant field computers enables a plurality of selectable default input conditions for each input signal, such as select 20 HIGH and select LOW, in the event that a majority agreement cannot be reached among valid input signals.
Messages containing these arb`ltrated input value signals are transmitted to the redundant process control computers from each of the ~ield computer units over a multi-level fiber optic ne~vork~ The fiber optic network is designed to permit substantial , , 25 communication testing, and enable the direction of signal transmission on the primary level .
;i of signal distribution to be reversed in the event of a communication fault. Once the appropriate process control decisions are made, the field computer units receive output value signals from the redundant process control computers over the fiber optic network.
The field computer un`its also include a set of individual abort circuits for each 30 output signal to be transmitted to a device which affects the operation of the physical process.
,:'t,~ These abort circuits effectively enforce the output value signals arbitrated independently through each of the three redundant field computers. The software arbitration process involves using a tiered voting procedure which includes a plurality of selectable default output conditions, such as fail SAFE and fail LAST~ Each of the default input and output conditions ;, 35 are determined through software implementation, such as at the redundant process control ~3 computers~ With the software implementation according to the present invention, each of the ':~!&
.....
~:;
:,, W093/~0488 PCI/US93/O'~S3 3~iS 6 4 ` ~

default input and output conditions may be rapidly changed in response to changing process conditions.
Additional features and advantages of the present invention will become more fully apparent from a reading of the detailed description of the preferred embodiment and the accompanying drawings in which: :

BRIEF DEBCRIPTION OF THE DRAWINGS
Figure 1 is a diagrammatic view of a process control interface system according to the present invention.
Figure 2 is a diagrammatic representation of a portion of the fiber optic communication network shown in Figure 1 which particularly illustrates the multi-function breakout circuits of the networi~.
Figure 3 is a block diagram of the process control interface system shown in Figure 1.
Figure 4 is a block diagram which illustrates the flow of data communication in the process control intertace system of Figure 1.
Figure 5 is a perspective view of the processor chassis for the triply redundantfield computer unit shown in Figure 1.
Figures 6A-6U comprise a schematic diagram for one of the triply redundant field computers shown in Figure 5.
Figures 7A-7C comprise a schematic diagram for a smart serial input circuit `~ according to the presen~ invention.
Figures 7D-7M comprise a series of flow charts associated with the operation of the smart serial input circuit of Figures 7A-7C.
Figures 8A-8E comprise a schematic diagram for a multiple-mode pulse input circuit according to the present invention.
Figures sF-sa comprise a series of flow charts associated with the operation of the multiple-mode pulse input circuit of Figures 8A-8E.
Figures 9A-9D comprise a schematic diagram for resistance measurement circuit according to the present invention.
Figure 10A is a block diagram of a portion of the triply redundant field ~; ~ computer which particularly illustrates the abort circuits for the digital output signals. Figure 1 OB is a similar block diagram which particularly illustrates the abort circuits for the analog ~ ~ output signals.
i~ 35 Figures 11A-11C comprise a schematic diagram for a digital output circuit capable of non-intrusive testing.

,,:

W093/20488 PCIII S93/02~53 I~

Figures 12A-1ZF comprise a schematic diagram for a smart analog output circuit according to the present invention.
Figures 1 3A-1 3D comprise a schematic diagram for a network contr~ller circuit according to the present invention.
Figures 1 4A-1 4E comprise a schematic diagram of a breakout ~erial communication circuit shown in Figure 4.
Figure 15A comprises a schematic diagram of a fiber optic receiver circuit employed in the network shown in Figure 1. Figure 15B comprises a schematic diagram of a fiber optic transmitter circuit employed in the network shown in Figure 1.
Figures 1 6A-1 6G comprise a schematic diagram of a power supply circuit for the triply redundant field computer unit.
Figures 17A-171 comprise a set of flow charts which illustrate the arbitration methods according to the present invention for digital input and output values.
Figures 1 8A-1 8T comprise a set of flow charts which illustrate the arbitrationmethods according to the present invention for analog inpu~ and output values.
Figures t 9A-1 9M comprise a set of flow charts which illustrate the method of non-intrusively testing the digital output circuits shown in Figure 10A.
Figures 20A-20V comprise a set of flow charts which illustrate the method of setting the analog abort switches and conducting non-intrusive ~esting of the analog output circuits shown in Figure 10B by a field l/O computer controllen Figures 2~ A-21 S comprise a set of flow charts for the software which controls the operations of each of the smart analog output circuits shown in Figure 10B.
Figures 22A-æR comprlse a set of flow charts which illustrate the output control routine shown in Figure 21B.
Figures 23A-231 cornprise a set of flow charts which illustrate the non-intrusive testing method performed by the analog output circuits.
Figures 24A-24G, 25A-25Z, 26A-26Z and 27A-27M comprise a set of flow charts which illustrate the method of downloading software in accordance with the present , iJ ~ inYention~
, 30 DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS ¦.
Referring to Figure 1, a process control interface system 10 having a network of distributed triply redundant inputloutput field computer units 12 is shown. In this regard, . it should be appreciated that Figure 1 includes only two field computer units 12 for purposes of illustration, and that the interface system 10 has the capability of handling a significant ~ number of field computer units. For example, in one embodiment according to the present :', W093/20488 PCr/US93/0'253 ~
2 ~ 6 j ~

invention, the inte~ace system 10 is capable of utilizing a maximum of six~y four field computer units 12.
The field computer units 12 serve as the primary interface between the field instrumentation and a centralized process control computer system. In the embodiment ç 5 discussed herein, the centralized process control computer system is generally comprised of a pair of redundant process control computerst which are generically referred to by reference number 14. While the redundancy of two concurrently operating process control computers has certain fault tolerance advantages over a single decision making process control computer, it should be understood that the principles of the present invention are not limited to any particular process control computer design or configuration. Thus, for example, it may be desirable to employ only one or even three process control computers in the place of the two process control computers 14 shown in Figure 1 under the appropriate circumstances.
In the present embodiment, the redundant process control computers 14 preferably operate concurrently on all of the signals transmitted from the field c:omputer units 12. In other words, each of the process control computers 14 are capable of making independent decisions based upon the data received by these redundant computers from the field computer un~s 12. The decisions made by the process control computers 14 determine the outpu~ signal values which are ultimately directed to specific output devices (for example, valves, pump motors and reactor heaters) by the appropriate field computer units 12. While 2û the output signal values are preferably reconciled at least to scme extent betwaen the two process control computers 14 before the transmission of these signals to the proper field computer units 12, it should be understood that two independent se~s of output signal values ~ could be communicated to the field computer units. In this regard, the input values received .~ from a field computer unit 12 could be arbitrated at the process control computers 14, which .~ 25 should make it unnecessa~y to reconcile or arbitrate output values. This is because both of the process control computers would then be working from the same set of arbitrated input ~-- values.
As an example of a preferred fomn of possible value reconciliation, corresponding output value tables in each of the process control computers 14 could be ~; 30 compared during a preset time period, and one of the values could be chosen for each output :; value signal to be transmitted to the field computer units 12. This selection of output control
3;, vaJues could be made on a suitable criteria to the process being controlled, such as the use of the value determined by the Left process control computer 1 4a when the value determined by the Right process control computer 14b is within a certain predetermined percentage limit ~ 35 ffor example, 2.5%). Othelwise, the distinct output control values of both the Left and Right process control computers 14 could each be sent to the proper field computer units 1 when :
, ,, ,.

WO 93~20488 PCI /~JS93/02253 2 1 3 1 1 ~ 6 ,`~
`~ 7 I, these values are found to be outside the predetermined percentage limit. Alternatively, the selection of different output control values from the Left and Right process control computers could be made on the basis of a software implemented preference. Thus, for example, under certain process conditions, it may be considered more appropriate to select either the high s or low value for transmission to the field computer unit 12, regardless of whether the value was determined by the Left or Right process control computer.
Each of the process control computers t4 preferably include a network controller 16, a debug panel 18 for the network controller, and a tray 20 upon which to support the ~iber mount boards æ to which various fiber optic conduits 24 are connected.
As will be more fully discussed in connection with Figures 13A-13D, the network controller 16 is used to direct communication traffic both to and from the process control computers 14 via the fiber optic condults ~4. The debug panel 18 includes both a display and a set of numeric/function keys in order to provide a window into specific operations of the network controller 1 6.
1~ As will ~e discussed more ful~ in connection with Figures 1 5A-1 5B, each of the fiber mount boards æ contain the transmission circuit required to convert electrical signals to optical signals, as well as the receiver circuit required to convert optical signals to electrical signals. As for the fiber optic conduits themselves, these conventional light conductors may be made of either glass or plastic. However, it should be appreciated that the use of glass 20 fibers permit significantly greater transmission distances to be achieved. While it is preferred that fiber optic conduits be employed to convey messages between the field computer units 12 and the process control computers 14 for their high speed throughput and substantial security, it should be understood that other suitable communication mediums could be used in the appropriate applications.
As illustrated in Figure 1, the fiber optic network which connects each of the process control computers 14 with each of the field computer units 12 includes a set of breakout circuits 26 for each of the redundant process control computers. As will be more fully discussed in connection with Figures 1 4A-1 4E, each of the breakout circuits are designed to facilitate multiplexed sarial communication between a plurality of field computer units 12 30 and one of the redundant process control computers 14.
Thus, for example, the breakout circuit 26a is configured to provide multiplexed serial communication between the Left process control computer 14a and up to ten field computer units 12. The breakout circuit 26a is in tum connected via fiber optic conduits 28 to the breakout circuit 26b which is configured to provide multiplexed serial 35 communication between ths Left process control computer 14a and several groups of field computer units 12. In this regard, the breakout circuit 26a represents one group of field WO g3/2048B PCI /US93/022~3 ~

S

computer units 12 tO the breakout circuit Z6b.
It should be noted that the breakout circuit 26b is connected tO the Left process control computer 14a through both a main port 30 and a repeat port 32. Specifically, the fiber optic conduits 34 provide a connection between the main port 30 of the breakout circuit 26~ and th~ Left process control computer 14a, while the fiber optic c~nduits 36 3 provide a connection between the repeat port 32 ot the breakout circuit and the Leit process control computer. The fiber optic conduits 34~6 thereby form a ring around the Left process control computer 14a and the breakout circuit 26b. As will be discussed in more detail below, the breakout circuits are designed to be multi-functional in that they have the capability of not only multiplexing communication, but also conveying messages that are received at the main port 30 out to the repeat port 32. This ability to repeat messages also enables the network to extend for great distances, as will be described in connection with Figure 4.Additionally, the network controller 16 also has the abilty to direct that messages be transmitted from the process control computer 14a to the repeat port 32 of the breakout circuit 26b. This important feature permits communication to continue without a significant interruption in the event that communication cannot proceed through the fiber optic condults 34. In other words, the direction of signal communication on the ring between the process control computer 14b and the breakout circuit 26b may be reversed in the event of a communication fault.
Additionally, it should be appreciated through Figure 1 that a substantially identical communication network between the Right process control computer 14b and each of the field computer units 12 is provided by the breakout circuits 26c-26d and their associated fiber optic conduits. Thus, it should be appreciated that the capability to change the direction of signal flow at the primary (or first) level of signal distribution is provided for ;~ 25 each of the network communication rings connected to the Left and Right process control computers through their respective network controllers 16.
;~ In accordance with the present invention, the integrity of each of these .. J network communication rings is tested before any signals are transmitted to the field computer units 12. Indeed, it may be possible with the present invention for the integrity of the entire network to be periodically tested as a preliminary part of the signal communication process.
Thus, for example, with an overall process and communication cycle of one second, the 3 integrity of at least the primary network communication rings is preferably tested each second, as this integrity check will help to avoid wasted or incomplete communication efforts.
SpecHically with reference to Figure 1, a synchronization pulse ~for example, a 1 byte message) is transmitted from the network controller 16 to, and around, the ring s formed by fiber optic conduits 34, breakout circuit 26b and fiber optic conduits 36. The t '.1 :/i '~

W093/20488 PCI'/US93/0~53 purpose of this synchronization pulse is to permit the Left process control computer to determine whether or not signals may be successfully transmitted in this counter-clockwise direction. In this regard, a reception of the synchronization pulse from the repeat~port 32 of the breakout circuit 76b via fiber optic conduits 36 within a predetermined amount of time tfor 5 example, a timeout of 300 micro seconds) will indicate that there are no breaks in the communication path or circuit fau~s which would interfere with the proper transmission of ~. signals on this portion of the network. A simiiar synchronization pulse will then be transmXted from the nehNork controller 16 in the opposite direction, namely around the ring ~ormed by fiber optic conduits 36, breakout circuit 26b, and fiber optic condu~s 34, to determine whether or not signals may be successfully transmitted in this clockwise direction.
As will be more fully appreciated from Figure 2, it will be seen that a plurality of breakout circuits 26 may be connected in series to provide the primary level of signal distrib3 3tion for the network. In this regard, the successful circulation of the first synchronization pulse around the ring shown will establish that each of the breakout circuits 26e-26k were able to receive and repeat this pulse. More specifically, each of the breakout circuits 26 preferably respond to the synchronization pulse by transmrtting a signal which identifies itse~ to the network controller 16. However, ~ for example, breakout circuit 26k did not repeat this synchronization pulse back to the network controller 16, then the subsequent ~' transmission of a synchronization pulse in the opposite direction will help to establish not only where the signal interruption occurred, but will enable the process control computer 14 and its ne~vork controller 16 to determine the pa~h required to transmit signals to or receive signals from each breakout circult 26 on the primary level of signal distribution. As a result ,~ of the integrity testing process, the network controller 16 will store the path information -~ necessary to transmit or receive signals from each of the field computer units 12 in random Z5 access memory (~AM')~ In other words, signals directed to some of the field computer units 12 may be transmitted via fiber optic conduits 34, whila signals directed to other field J computer units 12 may be transmitted via fiber optic conduits 36 in the same overall timing cycle ffor example, one second) period.
Figure 2 also serves to point out that the breakout circuits 26 may serve to func~ion as signal repeaters, such as breakout circuits 26e-26f and 26h-26j. Thus, where the field computer units 12 are located at significant distances from the process control computer (for example, 1.6 kilometers), then one or more of the breakout circuits 26 may be used to provide the signal re-transmission necessary to permit an accurate signal reception at such ~ remote field computer units.
,~ 35 Referring again to Figure 1, each of the field computer units 12 are shown to include a processor chassis 38, a DC chassis 40 and an expanded DC chassis 42. The ~,;

W093/~0,~88 PCI`/US93/0'253 ~,~3~i5~j lo `~ 1 - processor chassis 3~ includes three redundant computer circuits, which may also be referred to as field l/0 controllers, and their associated anaiog input (~AI~3, analog output (~A0~) and digital output (~D0~) processing circurts. In one form of the present invention, the digital input (~DI ~ circuits may be contained on ~he field l/0 controller circuit boards. As illustrated in 5 Figure 1, the processor chassis provides a debug panel 44 for each of the redundant computer circuits in the field computer unit 12 to enable a technician to view selective internal operations of these circu~s. The DC chassis 40 generally provides three functions. The primary function oF the DC chassis 40 is to provide a connection point for DC field instrumentation. Additionally, the DC chassis 4û provides a mounting location for the fiber 10 mount board utilized for terminating the fiber optic conduits 46 and 48 of the communication nehNork. The DC chassis also provides a mounting location for a passive element board, which is used to provide protection to circuit elements of the field computer un~ 12 from high energy surges that may be encountered in the field (for example, lightening). The passive element board includes a passive element circuit for each analog and digital input signal.
15 These passive element circuits include positive temperature coefficient (PTC) resistors and zener diodes in conventional circuit protection configuration. The expanded DC chassis 42 provides a mounting location for additional Dl and Al circuits and passive element circuits in the event that the not all of the Dls and Als may be accommodated by the DC chassis 40.
Figure 1 also shows that each of the redundant computer circuits in the 20 processor chassis 38 is preferably connected to a separate power supply 50. The circuit for these power supplies 50 will be discussed in connection with Figures 1 6A-1 6G. Each of these power supplies 50 is preferably provided with its own backup battery 52. The batteries 52 Sacilitate uninterrupted operation by the field computer unit 12 in the event that the source of alternating current normally provided for the power supplies becomes temporarily unavailable.
25 Thus, It should be appreciated that a fault at any one of the power supplies 50 or even an interruption in the supp~y of altemating current power to the field computer unit 12 will not affect the underlying physical process being controlled by the field computer unit 12.
Alternatively, it should be appreciated that a conventional uninterrup~able power supply could be used as an option to avoid a potential loss of electrical power.
Referring to Figure 3, a block diagram of the distributed interface system 10 is shown. In this regard, Figure 3 serves to point out the bi-directional nature of the flow of signal communication through the use of the arrows 54 which are pointed in opposite directions. Additionally, Figure 3 illustrates that each of the breakout circuits 26 is preferably provided with a debug panel 56. Each of the debug panels discussed herein, namely debug 35 panels 18, 44 and 56, are simply provided to assist a field technician during tha maintenance or repair of the various circuits to which these debug panels are attached. Furthermore, ;~.

,.

WO 93/20488 2 1 3 1 1 5 S PCr/US93/02253 11 ' ' Figure 3 illustrates generic devices for the Dl~s, DO~s, Al~s and AO~s which are connected to the field computer unit 12. However, as will be appreciated from the discussions below, each 3 of the field computer units 12 is capable of handling a substantial number of ~uch field instrumentation inputs and outputs.
Referring to Figure 4, a block diagram of the flow of data/command/program signal communication for the in~erface system 1~ is shown. In this regard, three circles 58-6~
are used to illustrate exemplary signal inputs to the field computer un~ 12. Thus, an exemplary Al signal 58 may be comprised of a 4-20 ma current signal input, while an exemplary Dl signal 60 may be comprised of a signal which is indicative of the closure or non-closure of a switch. When these signals are received by the field computer unit 12, they are referred to as ~raw data~ (block 64), and it should be understood that all of the raw data signals are read by each of the redundant computer circuits in the field cornputer unit 12.
" While each of the redundant computer circuits in the field computer unit 12 could be provided with its own set of corresponding input sensors, it is preferred that each of the redundant computer circults receive the same input signals. In the event that it is desirable to provide two or more sensors to detect a particular process condition, it is still preferred that each of the redundant computer circuits receive the input signals from each of these corresponding sensors. In such a case, the redundar~ computer circuits would process each of these corresponding signals as a separate input signal. In other words, if three flow meters were used to detect the ~low rate of a fluid at the same location in a fluid stream, then each of the three redundant computer circuits would process each of these three input signals and share these three input signals with each other through neighbor to neighbor communications. In this way, the full power of these redundant computer circuits may be utilized to enable the best opportunity for accurate decisions to ultimately be made. It should also be noted that block 64 indicates that the raw data signals includes DOT and AOT values. These values are feedback or track signals which are used to permit the appropria~e circuits and software in the field computer unit 12 to determine if the output values sent to the field instrumentation are in accordance with commanded values received from the process control computers 1 4a-1 4b. These feedback or track signals are also transmitted to the process cor~trol computers 14a-14b for possible use as an assurance that the output is in the desired state.
. Once the raw data signals have been received, each of the redundant computer circuits will independently determine whether or not the data is valid (block 66), This initial valid ty check helps to prevent the transmission of inaccurate input data, such as ,~ could occur if an input board was not properly plugged in or it was inoperative. Each of the 35 redundant computer circuits will also exchange the data that they have read from the field.
In the case of analog input signals, each of the redundant computer circuits compares the , ., r~

WO 93/2048~ PCTJUS93/02253 ~

2~3~Js~ 12 difference between its input data signal and the input data signal from Its neighbors, on a channel by channel basis, against a predetermined tolerance boundary to determine if the signal is within both a relativ~ly broad range and a relatively narrow range of ~cceptable levels.
The validated signals for each input are independently arbitrated by the redundan~ computer circuits (block 68), as will be more fully discussed in conne~tion with the flow charts o~ Figures 17A-17E and 18A-1~N. Once the validated data signals have been arbitrated in software, the redundant computer circuits have effectively selected the specific input value tO be transm~ed to the process control computers 14a-14b via the fiber optic conduits 4~48 (block 70). In this regard, it should be understood that three redundant computer circuits are included in the field computer unit 12, while only h~o sets of fiber optic conduits 4648 are employed in this embodiment to convey signals. Accordingly, it should ~e appreciated that the arbitrated data signals will be concomitant~ transmitted from two of the three redundant comp~er circuits to the process control computers 14a-14b via the breakout circuits 26 (blocks 72-74) and the network controller 16 (block 76).
Once the process control computers 14a-14b make their process control decisions, then the (independent or reconciled) output value signals will be transmitted concomitantly to the appropriate field computer units 12 via both the Left and Right network rings. In accordance with the presen~ invention, it is not necessary for the output value signals to be simultaneously transmitted to the appropriate field ccmputer units 12 through both the Left and Right network branches. Specifically, it should be noted at this point that the network controllers 16 for the Left and Right process control computers 14a-14b operate under their own clocks, even though the timing of these clocks are preferably adjusted in soft Nare once per second to a clock signal in their respective process control computers. In a similar way, one ol the process control computers (for example, computer 14b) preferably adjusts its clock signal to the clock signal of the other process control computer (for example, computer ~4a). Iikewise, the clocks for each of the redundant computer circuits in the field computer unit 12 preferaby adjust themseives to one of their clocks (for example, the Left computer circuit) with each process control cycle. Accordingly, it should be appreciated that the clocks in each of the process control computers 14a 14b, the network consrollers 16 and the field computer units may undergo a periodic adjustment in order to maintain the clock ~; signals within a desired tolerance (for example, 4 milliseconds).
In any event, when the output value signals are received at a field computer i unit 12, they are communicated to each of the redundant computer circuits, and are referred to as Unarbitrated Data in block 78. Then, in accordance with the present invention, each of the redundant computer circuits independently arbitrate these output value signals in software .~ ~

~r ~
WO 93/20488 P~/US93/02253 ~`
~- 213~1~i6 ! i' (block 80). Finaily, each of the redundant computer circuits transm~ each of the arbitrated output value signals to the field DO devices 84 and the field AO devices 86 (block 82) through a set of abort circuits which will be discussed below in connection Figures 10A and 10B.
However, at this juncture it should be noted that the abort circuits enlorce the decisions made via software arbitration by each of the redundant computer circuits.
Referring to Figure 5, a perspective view of the processor chassis 40 is snown.
The processor chassis 40 generaliy includes a metal housing 88 and a mother board 90. The mother board 90 may be referred ~o as a backplane board, as it is vertically supported against the back wall of the housing 88. The backplane board 90 includes the necessary connectors and conductors for interconnecting the various circuit boards which are rnounted to the backplane board. In this regard, Figure 5 shows that an individual circuit board is provided for each of the three redundant computer circults 92-96 contained in the field comp~er unit 12. In this way, rt should be appreciated that any of these individual computer circuit boards 92-96 may be quickly removed and replaced without affecting the operation of the remaining computer circult boards. Indeed, one of these computer circuit boards 92-96 may simply be pulled from the processor chassis 40 for repair or replacement. However, it is preferred that electrical power for this computer circuit board be temporarily shut down while it is being removed or re-installed into the processor chassis 40. Nevertheless, no other command or software changes need to be made during replacement, evsn though the physical process is continuing to be controlled by the output signals from the field computer unit being serviced.
Figure 5 also illustrates that individual Al, DO and AO circuit boards are also mounted to the backplane board 90. Each of these input and output circuit boards is capable of handling a plurality of different signal inputs or outputs as the case may be. It should also be noted that a high speed analog input circuit board could also be contained in one of chassis locations within the field computer unit t2 for measuring electrical parameters in an alternating waveform power system. A description of this high speed power analyzer may be found in the commonly assigned ~31azer et. al. patent application Serial No. 502,050, entitled 'High Speed Power Analyzer, filed on March 30, t990, now U.S. Patent No. 5,151,866. This U.S. patent is hereby incorporated by referenc0.
Referring to Figures 6A-6U, a schematic diagram for one of the redundant ~, computer circuits will now be discussed. For sake of simplicity, this redundant computer s~, circuit or field l/O controller will be generically referred to herein ~s controller 100. It should ~ also be understood that in this embodiment, the controller 100 will be replicated for each of ,~ 35 the redundant computer circuits 92-96. However, it should be appreciated that other suitable ~ redundant computer circuits may be employed in the appropriate application, and that one r ,:

~, wo 93/20488 PCI-/US~3/02253 `--.
~3~i\; 14 ~, or more of these circuits could be replaced with an updated circuit w~hout necessarily , requiring the rep!acement of all of the redundant computer circuits.
Figure 6A shows that the controller 100 includes a microprocessor c,rcu~ chip U40. While in one form of the present invention, the microprocessor U40 is comprised of a 3 5 80C31 BH-1 microprocessor chip manufactured by Intel, it should be understood that other suitable chips may be used for this or any of the other circuit chips identified herein as the application or technological advance may warrant. The microcomputer kernel for the controller 100 also includes a 128K x 8 EPROM memory (58255P-551) U41, a 128K x 8 battery-backed RAM memory (58255P-551) U42, and a memoly address latch (74HC573).
The microcomputer kernel for the controller 100 also includes a memoly controller (EP1810) U44, which is shown if Figure 68. In this embodiment, the program for the controller could be stored in either the EPROM circuit or the battery-backed RAM circuit. The use of a battery-backed RAM is particularly advantageous in at least one respect. Nameiy, the battery-backed RAM U42 helps to permit an updated program to be downloaded to the controller 100 from the process control computers 14a~14b through the fiber optic network at any available communication time slot without having to electrically configure the memory device for a i~ change in the inforrnation stored therein.
- Importantly, it should be noted that the process of downloading an updated program to one or more of the field computer units 12 does not interfere with the ongoing operation of the physical process being controlled. More specdically, the program for only one controller 100 is updated at a time, so that the other two remaining controllers may continue under their existing programs to process field inputs and outputs. In one form of the present invention, the RAM U42 has a storage capacity of 1 28K bytes, even though the actual program storage requirement does not exceed 64K This is to permit both data and program memory to be stored on the same chip. The doubling of memory capacity allows an updated program to be loaded and verified, while the controller is not doing process control, without disturbing the current contents of the program memory. After this valid~y check is completed, then the updated program is moved to the lower 6~K memory locations of the RAM U42 tor , use on the next program cycle.
3û Once the updated program has been properly downloaded into the RAM U42 for one of the controllers 100 in a field computer unit 12, it is successively loaded into the RAM U42 for each of the other controllers 100 in tum. As will be discussed below, each of the controllers 100 include neighbor to neighbor serial communication links which will permit, among other things, an updated program sent to one of the controllers to be copied to the RAM memory U42 of another controller in the field computer unit 12. Such neighbor to ; neighbor links also enable one ot the controllers to cornpletely restore the program memory ~ : :

"~'," i ~f ~

WO 93/20488 PCl /USg3/02253 1 ~ -213l l a~

in another controller should such an action be required. Thus, each of the field computer units 12 in the distributed interface system 10 may be provided with updated application prograrns wnhout any manual s~eps needed to be taken at the field computer ~nits or any interruption required in the physical process itself. Indeed, it is also possible for a broadcast 5 downloading operation to be employed with the fiber optic network in which some or all of the field computer units 12 concom~ant~r receive an updated program through a general~
addressed network message. In other words, the process control computers 1 4a-1 4b could transmX an updated program to as many field computer un~s 12 as appropriate in the distributed interface system 10 by setting the addresses to each of the corresponding 10 breakout circuits 26 in the broadcast message to direct the message to the selected field computer units.
The RAM memory U42 and the ROM (and bootstrap) memory U41 share multiplexed address/data bus P0~ (pins P0-1..P0-7), as well as a common address bus ~P2-(pins P2-0..P2-7). In this regard, it should be appreciated that the memory address latch U~3 15 creates an address bus AD- (pins AD-0..AD-7) from the mul~iplexed address/data bus for use by various components in the controller 100. In other words, the memory address latch U43 will capture an address or partial address on pins P0-1..P0-7 for subsequent use by components such as the EPROM memory U41. For example, pins AD-0..AD~ and AD-7 are directed to the memory controller U44, which is a programmable logic device. Depending 20 upon the digital state of these address pins and other needed input pins (such as IWR-), the ¦~ memory controller will generate an output signal in accordance with the intemal software configuration for the chip. As an example ot one such output, the memory controller will generate a '/RAM- signal which is directed to the '/CE' port of the RAM memory U42. This par~icular signal from the memory controller U44 will enable the RAM memory chip U42 to 25 read or write data in combination with other associated signals, such as the '/RAM-WR^ signal generated by the memory controller.
~- Figure 6A also shows a manually actuated reset switch 'SW4', which may be conveniently located on the front panel of the field computer unit 12 in order to permit a technician to reset rnicroprocessor U40 of the controller 100. However, in accordance with 30 the present invention, a neighbor controlled reset circuit 102 is also provided which will enable any two controllers in the field computer unit 12 to reset the remaining corltroller without - operator intervention. The reset circuit 102 has two input signals, namely 'N1RSr and ? N2RSr. Each of these signals represents a reset request to the controller from one of the ', other neighbor controllers. The N1 RST signal is directed to the opto-coupler (MOC8021) U36, ~; 35 while the N2RST signal is directed to the opto~oupler U35. The output of opto~oupler U36 is connected to the other input to opto^coupler U35, so that the reset circuit 102 requires the ;!
-WO93/20488 PCI/US93/02253 j~
~ 3~S6 16 ,~

combination of both the N1 ~ST and N2RST signals to produce a high output ~REsEr signal for transmission to the RST port of the microcomputer U40 through comparator (LM339) U24 and micro manager (DS1236-5) U28. The comparator U24 is employed to produ~ce a Low ~EXTRNRSr signal when the microprocessor U40 is to be reset~ The miGro manager circuit U28 will respond to the Low EXTRNRST signal by producing the High RESET signal.
Thus, for exampie, where two of the controllers in the field computer unit do not receive communication from the remaining controller within a predetermined period of time, then each of the other controllers may independently arrive at a decision that the non-responsive or othe~vise errant controller should be temporarily reset or permanently shLn down. Nevertheless, the reset circuit 102 requires the concurrence of both of the other neighboring controllers to temporarily reset or shut down the remaining controller by causing a reset condition (and holding this controller in the reset condition when it is to be permanently shut down). A permanent reset condition at the microprocessor level will disable the operation of the controller until at least one of its neighboring controllers changes the digital state of its reset request signal. In accordance with the method of operation under the present invention, the non-responsive controller is temporarily reset before a decision is made to permanently reset the controller. The in~ial decision to temporarily reset the non-responsive controller is preferably made after valid input and output communication messages have not been received for two consecutive process control cycles ffor example, 2 seconds).
Accordingly, it should be appreciated that this method allows for a fault tolerance for communications between neighboring controllers of at least one process control cycle, If the non-responsive controller does not begin communicating with its neighbors within a predetermined period of time after being temporarily reset (for example, 20 seconds), then its neighboring controllers will independently request a permanent reset of the non-responsive controller. Once the non-responsive controller has been replaced or repaired, then the permanent reset condition may be terminated through a software value change in the appropriale data table location of a neighboring controller to re-activate the previously non-respons-~e controller. Additionally, each of the controllers 100 preferably maintains a count of the number of times that they have requested a reset condition of a neighboring controller, 4i 30 so that a record may be available for health and weNare analysis as needed.
,. It should be noted that each of the controllers preferably communicates three times it a process control cycle (for example, one second) with its neighboring controllers.
Specifically, each of the controllers will communicate the following signals to neighboring ~ controllers: the input signals received trom the field, the output signals received from one of the process controller computers, and various diagnostic signals to be discussed more fully ~'. below. In one form of the present invention, each of these communications may take place :. 1 . .

,.c WO 93/~0488 2 ~ ~ 1 1 5 6 PCI /US93/022~3 ~., during predetermined time windows (for example, 8 milliseconds each).
The micro manager circuit U28 also monitors the voltage level of the normally +5 volt VCC power line. This monitoring function enables a temporary reset condition to be applied in the eYent ~hat the VCC power line drops momentarily below a predetermined level (for example, +3 volts). Addltionally, the micro manager circuit U28 is adapted to switch the suppiy of electrical power for the RAM memory U42 to the lithium backup ba~ery B1 in the event that the VCC power line drops to zero. The micro manager circuit U28 controls the PROT-CERAM signal. This signal usual~ follows the CERAM signal, but is latched high during battery backed conditions. Important~, this procedure will disable these memory circuits from writing any new data into their respective memory locations. This procedure is employed to prevent potential corruption of the data contained in RAM memory due to an interruption in electrical power.
It should also be pointed out that the opto-couplers U35-U36 electrically 3 isolate the controller 100 from both of its neighbors. In this particular embodiment, opto-couplers are used on the reception end to isolate all of the communication paths between the i3 redundant controllers 100, in order to prevent an electrical fault in one of the controllers from affecting the operation of its neighboring controllers.
Neighbor to neighbor signal transmissions from She microprocessor U40 of Figure 6A are facilitated through the serial communications driver (74H138) U38 of Figure 6H.
As illustrated in Figure 6H, the ~TXDATA~ signal from the serial output port of the microprocessor U40 is coupled to the /G2B~ input port of the serial communication driver U38. Accordingly, it should be appreciated that the serial communication dnver U38 is used to direct the TXDATA signal from the microprocessor U40 to one or more of a plurality of dfflerent communication paths. These communication paths include the 'NF1TXD~ and ~NF2TXD' signals, which each represent a serial communication signal to a dfflerent neighboring controller 100. Four additional serial communication output signal streams are also provided, namely 'rXl)ATMO~, ~rXDATA1-, ~XDATA6' and ~XDATA11'. TheTXDATMO
signal is directed to the analog output circults in the field computer unit 12 to convey analog .~, output values and direct the non-intrusive testing to be described below. In this regard, it 30 should be appreciated that the analog output value signals which are transmitted from the process control computers 1 4a-1 4b to the field compu~er unit 12 are subsequerltly processed (for example, software arbXration) by the microprocessor U40 of the controller 100 and i-~ directed to the appropriate analog output circuit boards of the field computer unit through the serial communication driver U38. Additionalty, it should be noted that the arbitrated analog ,~ 35 output value signals are not transmitted to any neighboring controllers, as there is no need ~. to do so in accordance with the present invention. Thus, it should be appreciated at this .
~,,, .

. ' . . . : ' . ! ~ .

W0~2~488 PCr/US93/022;1 juncture that none of the other controllers are aware of specific analog output value signals transmitted to their respective analog output circuits. The other three serial communication signals ~lXDATA1, T)(DATA6 and T)(DATA11) are directed to speci~ic analog input clrcuits for requesting value and configuration data. -The last two remaining output signals of the serial communication driver U38 of Figure 6H are the ~MAIN XMIr and RPT XMIT' signals. The MAIN_XMIT signal is directed to a transmitter circuit, such as that shown in Figure 15B, for communication with one of the process control computers 14a-14b through the fiber optic network. In this regard, the MAIN XMIT signal is directed to the appropriate port of breakout circuit 26 connected to the field computer unit 12. The RPT XMIT signal simply provides additional communication capac~y if desired. With respect to the controller 100 which is mounted in the Middle slot ot the field computer unit 12 between the Left and Right controllers, there is no connection provided for the MAIN XMiT and RPT XMIT signals in this particular embodirnent. However, it should be appreciated that the fiber optic network could be modified to provide a set of fiber optic conduits for each of the controllers 100 contained in the field computer unlt 12, particularly when three redundant process control computers 14 are provided.
- ~ ~ Figure 6C illustrates a signal distribution circuit 104 which is coupled to the multiplexed dataladdrass bus P0 of the microprocessor U40. The signals directed to the distribution circuit 104 from the microprocessor U40 are buffered by a pair of octal D type latch circuits (74HC573) U37 and U32. Latch circuit U32 is used to transmit signals to the debug panel 44 for the controller 100, while latch circuit U37 creates a distribution bus ~RP' (pins RP-O..RP-7) for use by several other circuit chips. Each of the circuit chips connected to the RP bus in Figure 6C are comprised of an 8-bit addressable latch circui~ (75HC259).
The latch circuit U30 and a portion of the latch circuit U39 are used to transmit individual 'ser digital output signals (pins SDO-1..SD0-10) to specific digital output circuits which are connected to the controller 100 through the backplane board 90. Accordingly, it should be appreciated that the digital output value signals which are transmitted from the process control computers 1 4a-1 4b to the field computer unit 12 are subsequent~y processed ffor example, sof~Hare arbitration) by the mic~oprocessor U40 ot the controllèr 100 and directed to the appropriate digital output circuit boards of the field computer unit through the .
latch circuits U30 and U39. ~, The latch circuits U22, U26, U34 and U39 are used to transmit abort analog i~ output signals AAO' and abort digital output signals 'ADO- to the analog output circuits and ';J 35 digital output circuits, respectively, of neighboring controllers. For example, latch circuit UZ
generates abort digital output signals ADO2~..ADO2-10, while latch circuit U26 generates ;
:,.
.l ,;~

W O 93/20488 2 1 3 1 1 ~ 6 PC~r/l S93/02253 . 1 9 abort digital output signals ADO1-2..ADO1-9. This notation means that all of the abort digital output signals from latch circult U22 are directed to the digital output circuits for the controller 100 designated as ~neighbor 2- relative to this particular controller circuit. Similarly~ all of the abort digital output signals from latch circuit U26 are directed to digital outpln circuits for the controller designated as ~neighbor 1~. Additionally, the specific signals with corresponding final digits, such as ADO1-9 and ADO2-9, refer to the same digital ousput channe!. Thus, it should be appreciated that a series of corresponding abort digital output signals are sent to the digital output circuits for the neighboring controllers within the field computer unit 12.
With respect to the abort analog output signals, it should be understood that these signals are not analog in nature. Rather, as in the case of the abort digital output signals, the abort analog output signals are either in a High digital state (logical ~1~) or a Low digital state (logical 0~). Additionally, a corresponding notation is employed for both the abort digital and abort analog output signals. Accordingly, it should be appreciated that a series of individual abort analog output signals are sent to the analog output circuits for each of the neighboring controHers within the field computer unit 12. As will become more clear from the discussion of the analog and digital output circuits below (for example, Figures 10A-10B), these ~abort~ output signals are used to enforce the software arbitration decisions made by each of the consrollers 100. These arb~tration decisions are represented by the ~set~ digital output signals and the analog output signals already discussed above.
The signal distribution circuit 104 of Figur2 6C also includes a latch circuit U33 which is used for various functions of the controller 100. For example, several temperature control signals are shown, such as 'FANON', 'COOLON' and 'HEATON', for maintaining the field computer unit interior within an acceptable temperature range. As the signal names imply, the field computer unit 12 may be provided with one or more fans, a heater and/or an air cooling device in the event that the field computer unit is located in an environment where such measures would be desirable. llle 'BAr signal is used to turn off a charger for the batteries 52 in order to begin a load test to be described in connection with the power supply circuit 50. The ~BArrOFF' signal is used to shut down a +5 volt power supply line to the field ;~ computer unit when the batteries 52 are drained of power. Similarty, the '/CONSERYE' signal is used to tum off a +26 volt power line to the field computer unit in order to conserve battery powen The ~XGFLr signal is used to control the circuitry that tests for a difference between :j the ground potential of the field computer unit and the true ground. , i The DEADSET' signal is directed to a retriggerable monostable multivibrator circuit (74LS12~) U21 which is used as deadman timer and abort opening circuit. In this ~ .
regard, the capacitor C49 and the resistor R102 determine a basic pulse time, and the '1 DEADSET signal is used to prevent Ihe IABRES' and 'DEAD' output signals from switching .~
., W093/2048~ /US93/0225- ~.

~0 ' ' ', ~., tO their shutdown states. As illustrated in Figure 6C, the IABRES signal is directed to the /CLR
port of the latch circuits UZ, U26, U30, U34 and U39. Accordingly, the /ABRES signal serves to simultaneousry reset all of these identified latch circuits when the DEADSET strobe is not received from the microprocessor U40 to a retrigger a timer in multivibrator circuit U21. The . `' 5 DEADSET signal is transmitted once each process control cycle when the microprocessor U40 is functioning properly. The DEAD signal is directed to the analog output circuits in order to prevent them from sending power to the field.
Figure 68 also illustra~es that the PLD circuit U44 generates demultiplexed output signals (OUTû..OU T7) which are directed to the enable port for several of the circuit 10 chips that have been discussed above. For example, the OUT5 signal is transmitted to latch circuit U22 to enable this latch circuit to capture the HIGH/LOW data signal on line RP-0 and ~, direct it to the output port addressed by lines RP-1.. RP~. Additionally, the OUT6 and OU17 signals are directed to a digital to analog converter circuit U1 which will discussed in connection with Figure 6K.
The PLD circuit U44 also generates demultiplexed output signals (IN0-IN6), which are directed to the various ~read~ circuits shown in Figures 6F and 6G. Thus, for example, the IN3 signal from Pl D circuit W4 is directed to the enable ports (/1 G and /2G) of 7 the tri-state buffer circuh ~74HC244) U16 of the 'read- remote address circuit 106 shown in Figure 6F. In this regard, switches SW1 and SW2 (230034G) determine the field address of 20 the controller 1û0, which may be read by the microprocessor lJ40 from bus P0 when it is desired to receive a message from or form a message to one of the process control computers 14a-14B. Figure 6F also includes a read function circuh 107 similar to the read remote address circuit 106. The rear~ function circuits 107 includes a switch SW3 which is set to inform the microprocessor U40 of the power supply configuration for the controller 25 and/or other hardware specific settings. Addhionally, the read tunction circuh 107 includes a set of KEY0..KEY3 signals which respond to the keys depressed on the debug panel 44.
. These keys include a function key, a key to read an element of memory and a key to put a value into a memory location.
Figure 6D shows another read circuit 108. This read circuit includes a set of 30 jumpers J7~10-, which may be used to permit the microprocessor U4û to know which hardware version or revision is being utilized for the controller 10û~ Additionally, a swXch . à
'SW6~ is employed in order to provide space for future enhancements. The signals provided ~ `
, by the jumpers J7~10 and the switch SW6 are captured by the tri-state buffer circuit ,. (74HC244) U61 and transmitted to the Pû bus of the microprocessor U40.
Figure 6E shows a display circuit 1 û9, which is comprised of an octal flip-flopci-cun U~i2 and an LED ùank (LEDBA~10) ~LED1'. This display circun is employed on the . .

~, WC~ 93~20488 PCI`/US93/02253 ~:
21~ 6 controller circuit board to permit a technician to readily see various health and we~are indicia for the controller during maintenance.
Turning to Figure 6G, a set of three read circuits 110-114 are shown. These read circuits are used to inform the microprocessor U40 as to how to interpret the data being read from a plurality of analog signal input circuits, such as those shown in Figures 7A-7C and 8A-8F. For example, the 'TYPEAC and 'lYPEDC' signals inform the microprocessor U40 whether the input signals from the left expansion chassis 42 represent aternating current A.C.~ or direct current ~D.C.- signals. Additionally, signals such as ^FAM1-5A~ and 'FAM1-5B~
transm~ed to buffer circuits U23-U27, respectively, providè digital indications of broad linearization routines th~ should be employed by the microprocessor U40. For example, these signals indicate wnether a particular signal received by the microproclessor U40 has been transmitted from a smart input circuit board or a standard input circuit board. The 'AITYPE1-A' and 'AITYPE3-B~ signals indicate spec~ic linearization routines that should be employed by the microprocessor U40 ffor example, type~ v. type~ thermocouples).
The buffer circun U31 receives signals, such as 'AISENSE1-5', which inform the microprocessor U40 as to which input and output circuit boards are installed in the field computer Ullit 12. The switch SW4 is used to configure signals, such as 'USE-DOAC1~, which inform ~he microprocessor U40 whether the cor~roller 100 is being used as a Left, Middla or Ftight controller.
Fi~ure 61 illustrates a sixteen channel multiplexor circuit (506A) U9 which is configureai to direct a plural'ny of digital input signals to the main muitiplexor circu'lt (506) U11 shown in Figure 6J. SpecNicalq~ the digital input signals are labeled ~MDI-1..MDI-10~. These signals are derived from the pull down circuits shown in Figures 6T and 6U. Address lines 'HDEV0.~HDEV3~ are used to select one of these digital input signals for ~output to the main muitiplexor circult U11. The output port of the muitiplexor U9 is connected to an operational amplifier (3140A), which is configured as a voitage follower, in order to generate the ~DI-- LOCAL~ signal for transmission to the main muitiplexor U11.
' The main muitiplexor U11 of Figure 6J is used to indr~Jidualty sele~t one of a plurallty of d'fferent input signals for transmission in a successive pattern to the microprocessor U40 through a successi~e approximation circuit 116. These input signals 3 include the analog level or analog serial input signals (for example, ~MAI6-1 0L ), analog output status and track signals (for example, ~AOr), serial communication signals from neighboring ~`
;~ controllers (for example, ~NP2RXD~), and serial communication signals from the fiber optic i~ network ffor example, 'MAIN RCV!). Additionaliy, the main muitiplexor circuit U11 receives a 'Dl DISTANl~ signal which represents a plurality of muitiplexed analog voitage level signals from digital inputs circuits in the left expansion chassis 42, and a ~DO DISTANT' signal which .
,, .

., W093/~04Xg PCI'/US93/0~253 S~i 22 represents a plurality of mu~tiplexed analog vo~tage level signals from analog inp~n circuits in the left chassis. The ~DACCAL~ signai is a signal which could be used to provide external calibration of the DAC circuit U1. The ~BOARD FUNC signal represents a elurality of multiplexed signals from the multiplexor circuit U10 of Figure 6K. The ~DO_LOCAL~ signal 5 represents a plurality of multiplexed informational signals from one or more digital output circuit boards, such as track values and retum values from non-intrusive testing.
The successive approxirnation circuit 116 receives the multiplexed output from the main multiplexor U11 through the resistor R41. The successive approximation circuit 116 enables she microprocessor U40 to determine the vo~age level of a signal output from the 10 multiplexor U~ 1. In this regard, the output from the main muitiplexor U11 provides one input to a comparator (LM339) U3. The other input to the comparator U3 is provid~ed by a digital to analog converter ~DAC circuit (DAC708KH) U1, shown in Figure 6K as a continuation of the successive approximation circuit 116. Specifically? the successive approximation circuit permits the microprocessor U40 to receive a plural~y of both digital and analog input signals 15 through a single input line ~RXDATA~. This is achieved through the toggling of the comparator '., iJ3 output in response to a changing ~vour signal level from the DAC circuit U1. The microprncessor U40 transmits a series of dlfferent digitai voltage levels to the DAC circuit U1 via the RP bus until such time as the comparator U3 changes output states. In this regard, the microprocessor U40 preferably perfomms a binary search by starting with a digital voltage 20 level in the middle of the acceptable range, determining if this value is high or low, and then stepping up or down from that point. The microprocessor U40 then determines the voltage level output frnm the main multiplexor U11 through its knowledge of the last digital voltage level transmitted to the DAC circuit U1. Accordingly, it should be appreciated that the ,~ combination of this successive approximation procedure and the use of multiplexors 25 substantial~y reduces tha number of input pins that would otherwise be required to read all of the digital and analog inputs signals being gathered by the field computer unit 12.
Figure 6K also shows th~t the DAC circuit U1 is addressed through an octal ~i D flip-flop circuit (74HC374) U17, which creates the address lines 'DAC0.... DAC2' from the RP
~$ ~ bus. Additionally, this fli~flop circuit also creat~s address lines 'LDEVû.. Ll:)EV3', which are directed to level shifting buffer circuits (NC14504B) U18 and U19. The LDEV address lines are shifted from a 0/5 Yolt signal to a 0/15 volt signal, as required by the configuration desired '~ for the multiplexor cirr uits U9, U10 and U11. Similarly, the address lines P1 4.. P1-7 are shffled ~; by the buffer circuit (MC14504B) U13 to generate address lines IIP14............... HP1-7 for the multiplexor U11. In this regard, it should be noted that the ground 'GND' potential of these 35 multiplexor circuits is set to 10 volts rather than 0 volts. This is because the particular multiplexor chip chosen (506) limits the potential d-fFerenca bet~Heen V+ and GND to æ volts.

.-- .
,,, :;

WO 93/20488 PCl /US93/0''2~3 ~131156 i`-`
2 3 ! I ~

However, with the GND potential set to 10 volts, the V+ potential may be set to 25.2 volts and the V- potential set t~ -5 volts, thereby allowing the multiplexor circu'ns to operate from a +/-15 volt supply. In such a configuration, it is n~cessary to shffl the level of the LDEV address signals in order to permlt the multiplexor chip to operate properly.
As indicated in Figure 6K, the multiplexor circuit U10 receives several diverse input signals tor selection and transmission to the main mul~iplexor U11 via tne~BOARD_FUNC~ signal. These input signals include the present status of reference voltage levels (for example, ~+lOVREF~), and various temperature levels (for example, ~BDTEMP^).
Figure 6L illustrates a simple temperature sensor circuit 118 which is used to provide an indication of the temperature at or near the controller circuit board. This temperature is sensed by the transducer circuit tormed by (AD502) 013 and resistor R52, and filtered by capacltor C13.
Figure 6M illustrates two temperature control outpu~ circuits 120-122. The output circuit 120 is responsive to a ~HE~TON- signal from the latch circuit U33 of Figure 6C, while the output circuit 122 is responsive to a ~COOLON~ signal from this latch circuit. Opto-couplers U1 4-U15 are used to galvanical~ isolate the controller 100 from the external heating and cooling devices through the transmission of optical signals ~pHEAr and ~PCOOL~
respectively. These-opto-couplers are driven by current sources (T1317C) Q17-Q18 and the concurrence of e'~her of the HEATON or COOLON signals.
Figure 6N illustrates a filter circuit 124 for ~he identified humidity and temperature signals. For example, the 'EX~MP_1' external temperature signal input is labeled ~MEXTEMP~ at the output, which is then transmitted to the multiplexor circuit U10 of Figure 6K. This external temperature signal may be used as a redundant cold reference junrtion temperature signal. The humidity signal ~HUMITY 1' may be derived from a sensor within the ~ield computer unit housing 88. One or more of thesef temperature signals may be used by the microprocessor U40 to determine whe~her the PHEAT or PCOOL signals should be generated. In one fonn of the preserlt invention, it is preferred that the interior environment of the field computer unit 12 be maintained within a temperature range between 10 and 50 degrees celsius.
Figure 60 ~s a very simple impedance circuit 126 which operates in conjunction with the serial communication driver circuit U38 of Figure 6H for communicating with neighboring controllers. Specif~cally, the circuit 126 receives the 'NF1TXD' and 'NF2TXD~
signals, which each represent a serial communication signal to one of tlle neighboring controllers. This impedance protects dnver circuit U38 from damage in the event that a short ~ 35 occurs on a signal line outside of the controller 100. It should also be noted that Figure 6S
f provides a serial communication receiver circuit 128 for accepting communication from .
:f, . ., ,., WO g3/204gX PCI /US93/OZ253 ~3~6 2 4 .
neighboring controllers. These neighbor signals are passed through to the opto-coupler circuit U12 for optical isolation. These signals are then transrnitted to the main multiplexor circuit U11 as the signals ~NP2RYD' and ~NP1 R,YD'.
As mentioned earlier, the neighboring communication paths may be used to convey input and outp~ value signals, as well as updated or revised program data.
Accordingly, it should be appr~sciated that the combination of serial communication transmi~er and receiver circu'ns between the three controllers 100 in the field computer unit 12 provide the field computer un'~ with the ability to arbitrate both incoming and outgoing data through the mutual exchange of such data by the controllers. Thus, when the Left controller board f 1 0 92 receives output value signals for the field instrumentation via fiber optic conduits 48, these signals are also transmitted by the Left controller board to the Middl~ controller board 94 and the Right controller board 96. Similarly, when the Right controller board 96 receives output value signals for the field instrumentation via fiber optic conduits 46, these signals are also transmitted by the Right controller board to the Middle controller board 94 and the Left controller board 92. In this way, each of the three controller boards 92-96 are provided with three sets of output value signals which may be used for independent arbitration in software.
In one form of the present invention, the Middle controller 94 receives output value signals from both the Left controller board 92 or the Right controller board 96. A further discussion of the arbitration procedure for output values will be provided in connection with Figures 1 7F~
171 and 180-18T.
Figure 6P illustrates a ground fault circuit 130, which is used to inform the rnicroprocessor U40 that a ground fault condition has occurred through the signal ^GNDFLr and multiplexor U9. in this regard. the 'XGFLr signal is derived from the latch circuit U33 of Figure 6C, while the 'GND FAULr signal is derived from the field through the bacl~plane board 90. A ground fault condition occurs when there is a very low potential dfflerence between the chassis ground and the FLTGND terminal. The microprocessor U40 may respond to this condition by setting an error bit that is available to the process control computer 1 4.
'f Figures 6Q and 6R are shown simply to illustrate two representative power ;, 30 conditioning circuits which are contained on the controller 100. The 'MM15' output signal ~, shown in Figure 6R is used to permit monitoring of the -15 volt power line. Similar power conditioning circuits are also contained on other circuit boards in the tield computer unit 12.
~ As should be appreciated from the above discussions, the controller 100 requires several ,~ d'fferent voltage levels to drive the circuit chips forming part of the controller, and these power conditioning circuits are adapted to produce the desired voltage levels.
~, Figures 6T and 6U illustrate dig'~al input pull down circuits 13? and 134 ,.

~ W O ~3/20488 PC~r/US93/02253 25 ~1311~6 ,~,, respectively. In this regard, each of these circuits include a current source circuit (TL317), such as Q12, which is set to drive 2.5 milliamps through a current loop associated with each of the indicated digltal input signal lines (e.g, Dl-1..DI-5). These digltal input lines may be used, for example, to sense the opening or closing of a set of switch contacts. When one of these switches is open, the current source will unsuccessfully attempt to push 2.5 milliamps into an essentially infinite load, so the voltage level measured from the sensing line (for example~ MDI-1~ will be in excess of 20 volts. When one these switches c!oses, the associated digital input line will be pulled to ground through a low impedance path, and its connected sensing line (for example, MDI-1) will transmit a signal level to the multiplexor U9 on the order between 2.5-7.5 vo~s. This voltage level will depend upon how many controller boards are connected to the particular signal input to the field computer unit 12. In this regard, it should be noted that if the voltage level sensed is below 1.5 vo~s, then the microprocessor U40 will assume that a field short condition has occurred, as the resistance in the sensing circuit is below that which would otherwise be available if the digital input circuit was operating properly.
Referring now to Figures 7A-7C, a schematic diagram for a smart serial input circuit 200 for processing analog signai information is shown. The input circult 200 is capable of asynchronously processing the signals received on 5 separate serial input channels. Each of these channels are adapted to receive a digital signal stream which is representative of - 20 analog input signal information. In one form of the present invention, the field computer unit 12 may employ three such ~analog- input circuits for each of the three redundant computer circuits 9~-96. In this regard, the input circuit 200 will be mounted in one ot the card slots shown in the processor chassis 40 of Figure 5 ffor example, Al1-5 and Al6-10). While not shown in Figure 5, a slot is also provided for an ~Al11-20' analog input circuit. Thus, it should be appreciated that the field computer unit 12 is capable of handling up to twenty distinct analog input signals.
The input circuit 200 is designed to operate in conjunction with a suitable transmitter device which will generate the appropriate digital stream. Preferably, a Honeywell transmitter is employed to read the analog signal and generate a digital stream or message therefrom, such as a (Series 100, 200 or 300) Smart Pressure Transmitter, a Smart Temperature Transmmer or a Smart MAGNEW Flow Transmitter. These Honeywell ~ transmitters generate a three part digital message approximately three times each second.
s ~ Specifically, the digital message includes the transmitter status, the primary analog value - sensed, and configuration/status data The digital message may also include a secondary vanable value, such as head temperature.
The input circuit 200 is referred to as being a 'smart circuit in that it is ~:, !~

W O 93/20488 PCT/US93/02~3 ~
~,~3~LS6 2 6 capable of doing considerably more than mere~ sending on to the controller 100 the raw data J
that 'n receives from the ~ransmitters. In this regard, input circuit 200 decodes the serial data stream from the transmitters and converts these streams to a format which is compatible with the controller 100 (that will u~timate~ be transmitted to the process control computer 14 as a 16-bn signed integer percent of full value). The input circult Z00 also provides for various error b'~s that the controlier may utilize to interpret the data or otherwise transmit informed error messages. For example, these error bits include a No Xmitter bit, a 'Parity Error- b'n, and a ~Comm Errol' b'lt. The No Xm~er bit is set when the transmitter has failed to send a serial data stream to the input circuit 200 wnhin a predetermined time period (for example, 382 msec.). The Parity Error blt is set when: (a) an input signal is detec~ed less than 48.9 msec.
after the completion of the previous message, (b) the current byte being assembled from the serial transmission fails the parity test, or (c) the binary value of the startlstop bits are wron~.
The input circuit 200 also formulates a message to the controller 100 which permits the controller to perform a ~checksum~ verification of the message it receives from the input circult.
The debug panel 44 for the controller 100 may also be utilized to examine the status bytes which contain the above identified error bits at the tield computer unit 12. For example, the technician may use the debug panel to enter the memory address for the particular status byte in question, and the contents of this byte will be presented for visual inspection on the display device of the debug panel.
Figure 7A shows a receiver circuit 202 for the input circuit 200. While only onereceiver circuit 202 is shown, it should be appreciated that the input circuit 200 should include an individual receiver circuit for each transmitter. The connector pin 'C3 is used as the entry point of the circuit to convey the digital signal stream from a transmitter to the receiver circuit 202. The receiver circuit 202 then employs a comparator (LM339) AU5 to produce an appropriate digital signal level input HON1' (for example, High ~5 volts, Low 0 volts) for further processing. The comparator AU5is preferably set in an inverting mode to trigger at 0.9 volts with a hysterisis band of 0.42 volts, so that a logic '0- is detected when the voltage input to the circuit exceeds 1.25 volts, and a logic '1' is detected when the voltage input to the board is below 0.83 volts.
The HON1 signal is directed to the P1- port of a t6MHz microprocessor (~OC31)AU2,whichis shown in Figure 7B. An 8Kx8 EPROM (27HC64) chip AU1 is used to store the program employed by the microprocessor AU2. The EPROM chip AUlis directly ~- `
connected to ttte 'P2 port of the microprocessor AU2 and indirecthy connected to the ~PQ~
port of the microprocessor through memory address latch (HC573) AU3. The multiplexed ~, 35 data output from the microprocessor AU2is transm'nted to the controller 100 through the 'TXDATA- signal. The TXDATA signal corresponds to one of the MAI- prefix signals WO 931204~38 2 1 3 1 1 5 ~ P~/US93/022~3 connected to the main multiplexor U11 of the controller 100. The microprocessor AU2 also receives signals from the controller 100 through the ~RXDATA' signal line stemming from connector pin ~C12~. ~
Figure 7C shows a configuration circuit 204 for the input circuit 200. The 5 configuration circuit Z04 includes a switch ~ASW1~ which has four output lines(lYPE1..TyPE4). A pull up resistor is connected to each ~ these lines through resistor bank chip ~ARP1~. Additional~, an inverter from hex inverter circuit (HC04) AU4 is connected to each of the output lines from the switch ASW1 to provide an isolated set of configuration lines to the microprocessor AU2. The switch position for each of these lines is used ~o inform the 10 microprocessor AU2 (through the ~P3~ bus) of the type of transmitter device connected to each of the receiver circuits by employing a suitable four bit code. The switch output lines are also directed to the controller 100. These output lines correspond to the 'AITYPE' prefix signals shown on Figure 6G.
Referring to Figures 7D-7M, a series of flow charts assoc:iated w~h the 15 operation of the smart serial input circuit 200 are shown. In this regard, Figure 7D provides an overall flow chart 206 entitled ~AISER MAIN~. The flow cha,rt 206 includes an initialization block 208 which ends with the enablement of one or more interrupts. Program flow control is then passed to diamond 210, which determines whether or not a request for data has been sent by the controller 100, referred to here as 'FIO'. If data has been requested, then the 20 UPLOAD routine is called (block 212)~ The UPLOAD routine is shown in Figure 7F. If an upload request is not present, then the microprocessor AU2 determines if all of the data read through the flow chart of Figure 7E has been ana,~yzed (diamond 214). If the data received in response to a series of data interrupts has not been analyzed, then the ANALYZE routine ~ of Figure 7G is called (block 216).
- ~ 25 Figure 7F indicates that the UPLOAD routine 212 includes the transmission of seven debug bytes to the controller 100 (block 218). These bytes are preferabiy stored in the intemal RAM memory of the microprocessor AU2, and they may be accessed through the debug panel 44 for the controller. ~.
I Figure 7G indicates that the ANALYZE routine calls the SERVICE routine Z0 30 shown in Figure 7H for each of the analog input signals received. The ANALYZE routine performs a variety of va~idity checks on the digital signal stream from a transmitter. For - ~ example, the flow chart 220 includes a diamond 2~2 which deterrnines whether the channel ~`
is clear (CHNCLR), and a diamond ~4 which determines whether the channel is in the process of assembling a byte of information from the serial data stream. If a byte is being 35 assembled, then diamond 225 determines if the information being processed is from the proper interrupt. A bit count is then used to detemmine if valid start, parity and stop bits have .~

W~2~ ~4 8 8 P C r / U 5 9 3 / t) 2 2 5 3 ~ ~

~ - 28 been received. If the answer is negative for any of these questions, then the BADPARITY bit is set (block 226). Assuming that the data passes these checks, then the contents of the bit buffer ~BITBUFF~ are copied into the memory buffer MBUFF~ (block 228) for subsequent transfer to the upload buffer 'UPBUFF~ (block 229). The contents of the upload buffer are ~; 5 then transmitted to the controller 100 in response to an upload request.
Figures 71-7M illustrate flow charts for programs associated with ~he interpretation of signals received by the controller 10û from the input circuit 20û. In this regard, the ~Al31~ flow chart includes a set up block 230 which calls a Smart Al_lnterface :~j routine. The Smar~ Al_lnterface routine provides a timeout of 5 msec. within which a upload response must be received and checked for communication errors~ !f a communication error .< was detected, then the status check routine 'STCHK' is called. The STCHK routine sets one or more specific error bits depending upon the detected error (for example, a bad parity bit ; or a bad checksum bit). If no communication errors were detected, then a jump is made to the ~OKAIS~ routine of Figures 7J-7L is made (block 232).
As indicated by block 234 of Figure 7J, the OKAIS routine determines if a primary variable value was contained in the message sent trom the input circuit 200. If the ~- primary value is deterrnined to be good, then a flag will be set which will cause a Fail-Last value to be sent to the process control computer 14 on the next tailure (block 236 of Figure 7K~. Then, the ~IETOPS~ routine of Figure 7M will be called (block 238) to convert the primary value to a fixed point value and store it as a percent of the maximum scale value of an .~
acceptable input. In the event that a bad primary \falue was received, diamond 240 will determine whether a Fail-Last condition was set for this process control cycle. If it was, then the last known good primary value will be sent to the process control computer 14 and a flag will be set to not Fail-Last in the next process control cycle. However, if a Fail-Last condition was not requested, then the prima~ value will be loaded with a number corresponding to -100% of the maximum acceptable value (block 242).
Bloeks 24~246 and diamond Z48 indicate that if a secondary value is present (for example, temperature), then it will be converted to a percent of full scale. Diamond 250 then shows that this patt of the OKAIS procedure will be implemented for all five analog inputs being sensed. Diamond 252 indicates that the controller 100 will then load the primary variables for channels 11-15, that were stored by block 258, into the proper IRAM locations.
Block 254, diamond 256 and block 258 combine to temporarily store the primary variables for channels 11-15 and re-execute the routine to collect the data lor channels 16-20. This allows one call of the routine to process 10 channels of data. The conclusion of the OKAIS routine .~ 35 is an indication that the analog input signals are now available for subsequent software arbitration by the field computer unit controllers.

, :, ... .

WO 93/Z0488 2 1 ~ 6 PCT`/US93/02253 ! ~ :~

Referring to Figures 8A-8E, a schematic diagram for a multiple-mode pulse input circuit 3G0 according to the present invention is shown. The input circuit 300 is also referred to herein as the pulse train board ~PTB^ circuit. The PT8 circuit 300 is a five channel analog input daughter~ circuit board that rnay be used to measure frequency (1 Hz to 65kHz) 5 with a high degree of accuracy (for exarnple, .075% of the measurement) and/or count pulses (1 to 32767 pulses per second). Since the PTB circuit 300 has three different modes of operation, the controller 100 has two dfflerent methods of processing data (that is, pulse or frequency), and three methods of outpu~ting this analog data (that is, only pulses, only frequency or both), even though the controller uses the same data to calculate both 10 frequencies and count pulses. In the ~requency mode, the frequency value stored in the Al table of the controller 100 is in a pseudo-floating point format, as will be discussed further below. This form is preferred in order to ensure that the floating point conversion would introduce no more than .025% of error into the final value to be transmitted to the process control computer 14. In the pulse counting mode, a true integer number is stored in the Al 15 table. The number of pulses received since the last reported value is reported to the process control computer 14 as an integer stored in the Al table. In the even~ that the values received by the PTB circuit 300 are over their respective ranges, then the controller 100 preferably reports a full range value.
Since the field computer unlt 12 preferably reports all of its input data to the20 process control corr,puters 14a-14b each second, It should be appreciated that measured frequency values lower than IHz present a special problem, as the field complner unit will not be able to update the measurement once per second. Accordingly, the PTB 300 is adapted to report a frequency of 1 Hz in the time intervals that a pulse was detected. If no pulse was detected within the reported second, then a zero value will be transmitted to the process 25 control computer 14. In the case where a pulse train starts after a period of zero input, and the PTB circuit 300 is in the frequency mode, the first second will not be used to report a frequency value. Rather, this first second will be used to repon the total number of pulses received in that second. Only in the next second will the data be a tnue frequency value. This procedure is utilized to permit a summation of the total pulses over a known time interval. If 30 no pulses are received over a second, the PTB circuit 300 will be unable to measure the time interYal.
~, Figure 8A illustrates a receiver circuit 302 for the PTB circuit 300. In this regard, it should be understood that a receiver circuit 302 should be provided for each of the input pulse signal channels connected to the PTB circuit 300. The receiver circuit 302 35 includes a connector '8C3- which is used to couple the circuit to a pulse emitting transducer, such as a Hall Effect device, through the protection provided on the passive element board.
.

:i ~, WO 93/20488 PCl /US93/0~2~3 i ,` . -;`3~S6 30 .~ The receiver circuit 3û~ also includes a signal line labeled 'Al-1C' which provides a path to ground through a PTC resistor, such as resistor ~VR3~ shown in Figure 8D. The receiver .~............ circuit also includes a low pass filter, which is comprised of resistor ~RLP~ and capacitor ~CLP~
, This low pass filter effectively removes any high frequency noise that may otherwise be ~, S induced in the field wiring. It should also be noted that the resistor RLP and the capac~or CLP are derived from a function module chip ~BU13^ which contains several of the other passive components in the receiver circuit 3û2. The capacitor CLP is connected in ,oarallel with a diode (1 N5819) ~CR4~ which clamps the negative going portions of the pulse signal to GND in order to prevent the comparator (LM339) ~BU12~ from being saturated.
The comparator i3U12 receives the filtered pulse signal input and a reference voitage potential derived from a ten volt source. The reference voltage potential is set by voltage divider network comprised of the threshold resistor 'RTH', a 10K resistor ~R14' and the hysterisis resistor 'RH'. When the pulse signal is above the re~erence voltage potential, the output of comparator BU12 is pulled to GND. The low output from the comparator BU12, in effect, puts the resistor R14 in parallel wlth the resistor RH. This eHect lowers the threshold resistance and allows the comparator output to stay low longer. This substantially eliminates unwanted oscillation that could be caused by low level noise on the input pulse signal.
The values for the passive components RTH, RH, RLP and CLP are preferably determined in accordance with the following approximation equations for large signal applications:
RTH = (100,000/Vth) - 10,000 where Vth = (.30) x Amax where Amax is maximum amplitude of the signal RH = ((1fVh) -1/5) x 50,000 where Vh = 2 x (peak to peak noise level) RUxCLP=T
where T = (1/Fmax) x (duty cycle of input)/3~14, ~ where T = (1/Fmax) x (1 - duty cycle)/3.14, $. depending upon whichever is smaller, and Fmax = the maximum frequency of the signal In this regard, it should be noted that Vth is the threshold voltage where the comparator BU12 will decide that an input has a great enough voltage to be considered a high input. The value of the hysterisis resistor RH should be selected to allow the proper amount of hysterisis to be placed in the receiver or detector circuit 302. In this context, hysterisis is the dlfference between the threshold point and the point at which the comparator BU12 determines that the signal has dropped enough to be considered low. The provision of hysterisis in the receiver ~".
~) .j;:
,, .
, . ~

i~ WO 93/20488 PCI/lJS93/022~3 :: 3 1 2~ 6 1`:
~ .
~, ~
;~: circuit 302 is useful in preventing mid-frequency, low-amplitude noise from affecting the output of the comparator BU12. The value of T is the period of the fastest component in Fmax.
This calculation is useful as most signals are not on and off for equal periods ot time (for example, a 50% duty cycle). Thus, to allow a pulse of 20% du~y cycle to pass, the low pass filter must be capable of handling a frequency 1/(2 x .2~ or 2.5 times greater than the true Fmax. Conversely, if the duty cycle is greater than 50%, the low pass filter must be capable of handling the zero part of the signal that is at a higher frequency than expected by a 50%
duty cycle Fmax. Thus, for example, a pulse signal with a duty cycle of ~5% should have a filter designed for 1/(2 x (1 -.75)) or 2 times Fmax. In this regard, it is preferred that the value for CLP be chosen to enable the value of RLP to stay in the range between 1 ohm and 1 OK
ohms. Where the frequency of the inpln signal is relatively low (for example, 50 Hz), the following values may be provided through the function module BU13: RTH = l Ok, RH = 1 OOK, RLP = 2.7k and CLP = 100 pf.
In large signal applications, the error induced in the approximations by RH is small, and thereby making the calculation for Vth a standard voltage divider. However, for small pulse signals, the error may be signilican~. Accordingly, for hysterisis levels greater than 1% of Vth, the following equations should be employed:
10000 x RH
RTH = ~
(100000 + (10 x RH) - (10000 x Vhc)) - RH - 10000 (10 - Vth) where Vhc is the high value output from the comparator BU12 (for example, 5 volts) To use this formula. the value of RH must be known. In this regard, the value of RH may be approximated according to th~ following formula:
(5 - Vh) x 50000 RH =
5 x Vh Once the pulse signal passes through the comparator BU12, ~ is an inverted ~ 0/5 volt signal with a relatively slow rise time due to the capacitor (.001 micron) 'C8'. To :~ speed up signal transitions and shape the signal into a more precise digital form, an inverter ~1 gate with hysterisis (74LS14) '8U6' is used. The inverter gate BU6 improves the rise time of the signal and inverts the output pulse signal 'PTB1' to the original orientation of the pulse ; ~rain received by the circuit.
As indicated in Figure 8B, the pulse signal output from each of the receiver ~:
.,~, ~, ~' ~v~

' ' W 0 93/20488 PCr/US93/02253 3 2 ~::

circuits 302 (PTB1..PTB5) are coupied to a programmable iogic device (Altera 1810) 'BU7~.
The programmable logic device BU7 is set to provide five internal counters (one for each input pulse channel), and the associated internal addressing is set to permrt it to be add~essed as ,~, a memory mapped l/O device: In this regard, the in~ernal configuration for the programmable s logic device BU7 looks like five individual eight bit counters with their output control lines being set by logic driven by the address lines. The necessary multiplexing function for the programmable logic device outputs is accomplished by using tri-state buffers internal to the device. The internal counters permit pulses with a frequency greater than one-haH the sample rate (that is, the Nyquist limit) to be measured.
Figure 8B also indicates that the PTB circu~ 300 includes a microprocessor (80C31) '8U2', a memory address iatch (HC573) ~BU3' and an 8Kx8 EPROM chip 'BU1'. The jumper ~J1~ is set beh~een pins 1-2 for EPROMs up to 256K, and the jumper ~)1 is set between pins 2-3 for EPROMs that are 256K or larger. The 16 MHz crystal oscillator 'BY1- used to create the microprocessor clock signal is preferably accurate to +/- .û05% in order to 1 s minimize the measurement error of the PT~3 circuit. When the microprocessor BU2 accesses a counter in the programmable logic device BU7, it reads the counter value and determines the number of pulses that have elapsed by subtracting the previous count from the current count. This procedure allows up to 255 puises to occur between sample periods. It should also be noted that the PTB circuit 300 includes a light emitting diode ^LED1', which will be on when the circuit is functioning properly, as an aid to troubleshooting in the field. A flashing green light will indicate that the controller 100 is attempting to reset the PTB circuit 300. The debug panel 44 may be used to view the contents of an error byte for the PTB circuit 300.
For example, individual bits of this error byte will indicate whether there has been a communication failure between the controller 100 and the PT8 circuit 300, or whether a reàd error has occurred on a particular input pulse channel.
In terms of communication with the controller 100, the 'FtXDATA' signal line connected to the microprocessor BU2 is used to receive signals from the controller 100, such as a request to send data to the controller. Conversely, the ~XDATA' signal line is used to transmit the processed pulse data to the corltroller 100.
Figure 8C illustrates a current driver circuit 404, which is used for those pulse transducers which need to receive their electrical power from the PTB circuit 300. The current driver circuit is designed to provide a 25 milliamp current source to the field device at approximately 17 volts. A similar current driver circuit may also be employed in other input circuit boards, such as the input circuit 200 discussed above. As illustrated in Figure 8C, each of the pulse transducers may receive their electrical power through an individual current ,, driver, such as current driver (LM317) '~U15'.
,...
., :~;
, ., , ,.

WO 93/20488 2 ~ 3 I 1 ~ 6 Pcr/US93/02~s3 Figure 8E illustrates a switch circuit 306, which is used to set the operating mode of the PTB circuit 300. In this regard, the switch BSW1~ sets the function for all five channels on the PTB circult 300. For example, a selection of ~0~ may be used for the frequency mode, while a selection of ~3~ may be used for the pulse counting mode. 5 Additionally, a seiection of '4' may be used to enable both the frequency and pulse counting modes to be employed. In this regard, the controller 100 will transmit a set of both frequency and pulse counting data to the process control computer 14 for each of the channels contained on the PTB circuit 300. The OUtput lines of the swi~ch BSW1 are coupled to the P1~ port of the microprocessor BU2 shown in Figure 8B. Thus, it should be appreciated that the switch circuit permits the PTB circuit 300 to be configured in the field, while also providing a way for the controller 100 eo know how the data should ultimateiy be processed, Referring to Figures 8F-8Q, a series of flow charts associated with the operation of the PTB circuit 300 are shown. Figures 8F-8J relate to software resident on the PTB circuit 300 itself, while Figures 8K-8Q relate to software resident on ~he controller 100.
~r 15 More specifically, the software represented by Figures 8F-8J is responsible for sampling the 1-5 pulse signal inputs, totaling the number of pulses received, measuring the elapsed time, and communicating this data back to the controller 100. In contrast~ the soft vare represented ; ~ by Figures 8K-8Q is responsible for taking the data delivered from the PTB circuit 300, - ~ converting it into a frequency value and a total pulse count, and then sending these values to the process controller computer 14 upon request.
l4rr ~ Figure 8F shows an overall flow chart 308 for the PTB circuit 300. The flow s ~ chart 300 includes a system initialization routine (block 310), which is illustrated in Figure 8G.
After initialization has been completed, the program for the microprocessor BU2 of the PTB
~ ~ circuit 300 checks to see if data communication has been requested by the controller 100.
i~} 25 If the answer is no, then the program checks to see if there is data to process. If pulse data has been rece~ved, then program control is directed to the process data routine (block 312~, ~ -: which is shown in Figure 8H. Once all of the data has been processed, then the program control returns to check for a communication re~uest. If the controller 10Q has made a request for data, then the send data routine is called (block 314). The send data routine is r~ 30 shown in Figure 81.
Figure 8F also shows an interrupt or sampling routine (block 316), which is shown in Figure 8J. The interrupt routine is not shown to be connected to any other program ~, control block, as it is clock controlled to ensure the accuracy of the sampling rate.
Specifically, the interrupt routine is controlled by the 'r1~ clock signal of the microprocessor ~,~ 3s BU2 (see block 318 of Figure 8G). This interrupt preferably has priority over all of the other , ! programmed functions of the PTB circuit 300 in order to ensure that sampling occurs at . ~

, .
, . .

'x ~l:
~ WO 93/204~8 PCr/US93/02''53 ~`:

~3~6 34 t precise time intervals. In one form of the present invention, the sampling rate has an interval of 1/1999 sec. This particular sampling rate is considered advantageous due to the ability to evenly divide this rate into the maximum number of instructions/second (1,333,333) of the ~,~,~ ;
microprocessor BU2 and its ability to maintain a maximum error of .05%. As will be discussed ,. ~ 5 further below, this sampling rate is preferably compensated for the length of time required to execute different instructions.
The function of the interrupt routine 316 shown in Figure 8J is to sample the ~, counters in the programmable logic device BU7 and store the data in a buffer for later .- ~
analysis. This is accomplished by reading each of the five internal counters four successive times (that is, read counter for channel 1 four times, then read counter for channel 2 four times, etc.), and then storing the data in a temporary buffer of the microprocessor BU2. This procedure is illustrated by blocks 320~22 in Figure 8~1. The interrupt routine 316 then sorts through the readings to find the first two consecutive readings that were equal for each channel in order to prove the validity of the data read (for example, diamonds 324-328). The routine then starts filling up a buffer of data (for example, blocks 330 332) to be used by the ~, process data routine 312, which runs in the spare time between interrupts.
~-";~ The responsibility of the process data routine 312 shown in Figure 8H is to look at the data in the buffer, decide H a pulse has arrived, and then act on this decision. In order to accomplish this, five registers (blocks 338 339) are kept in the microprocessor BU2 for each channel of the PTB circuit 300. These registers are referred to as: Total Pulses, Total Interrupts, Number of Interrupts, Interrupts Since Last Pulse, and Previous Counter Reading.
The Total Pulses register contains the number of pulses counted since the last transmission to the controller 100 (during the one second interval). This is the actual value transmitted to the process control computer 14 when the PTB circuit 300 is in the pulse counting mode. The Total Interrupts register contains the number of interrupts that have elapsed between the first and last pulses in the Total Pulses register. In other words, the Total Interrupts register provides an interval timer which is started by the last pulse received (leading edge) before the previous transmission to the controller 100 and ended by the last pulse received before this transmission to the controller. The Number of Interrupts Since Last Pulse register is used for pulse trains that are slower than 2kHz (that is, pulse trains under the sample rate). This register stores the number of interrupts that have occurred since the last pulse was detected and allows the Total Interrupts register to truly reflect the number of interrupts that have ~3 elapsed while the microprocessor BU2 was reading the Total Pulses register. The Previous Counter Reading register stores the last counter reading taken from the programmable logic 35 device BU7, and it is used to determine how many pulses were received between samples Before proceeding to discuss the process data routine 312, It should be noted ;, .~ -.

!, ....'.
.'' r' WO 93/~0488 2 1 3 1 1 5 6 PCr/US93/0~53 .. .
'.~ that the interrupt routine 316 inclu~es a block 336 tor controlling the timer controlled by the h;f T1 clock. As the instruction set for the microprocessor BU2 includes instructions which may take one or two bus cycles to execute, a problem is presented when writing software that must be interrupted after a precise time interval. This is because this particular microprocessor will not service an interrupt until it is finished with the current instruction. The ,~ preferred solution to this problem is to load the T1 ~count up~ counter register of the v microprocessor BU2 with the value of ~FFFF~ minus the number of bus cycles to elapse before an interrupt is to occur. The T1 counter will then count up until it hits 0000~, and then the interrupt would occur. Thus, for example, with a one bus cycle instruction, the interrupt routine would begin with a T1 value of 6 (to allow for the time needed to process the interrupt call), while an interrupt at the beginning of a two bus cycle instruction would enter the interrupt routine with the T1 counter having a value of 7. By adding the value of T1 to the ~ appropriate constant and loading this value into the T1 counter register, it is possible to allow .; the average time between interrupts to be constant. This constant is determined by the number of bus cycles needed ~e~veen interrupts and the number of bus cycles between the value of the timer and loading the timer. Thus, for example, where an interrupt is desired every 1/1999 sec. (or every 667 bus cycles), and it takes 5 bus cycles between the reading and loading operations, the value loaded into the T1 register would be: FD69 = FFFF -~e ~ 666dec + 5 dec.
~ 20 As illustrated in Figure 8H, the process data routine 312 works by first fr~ incrementing all of the Number of Interrupts Since Last Pulse registers (block 338). Next, the current count ~CC' from the buffer created by the interrupt routine 316 is compared with the Previous Counter Reading value ~PC' to determine ~ a pulse has been received ~diamond 340). If a pulse has not been received, the routine will move on to process the data trom the next channel (block 342). If a pulse was received, then the number of pulses would be added to the corresponding Total Pulses register (blocks 344348). The Number of Interrupts Since ~ Last Pulse would also be added to the Total Interrupts register (block 350), the Number of .~ Interrupts Since Last Pulse wouid be zeroed (block 352), and the processing would move on to the next channel (block 354).
Figure 81 shows the send data routine 314 which is called in response to a .~ data reque t from the controller 100. In this regard, the PTB circuit 300 first sends the controller 100 the contents of seven bytes of debug data (block 356). Then, the error byte and constants, such as the sampling rate, are sent (block 358). Subsequently, the Total ~¦ Pulses read in the last second and the Number of Interrupts that elapsed while reading the Total Pulses are sent for each of the input channels in tum (block 360). Finally, an Exclusive ~3 OR sum of all the transmitted bytes 'XSUM', excluding the XSUM byte, is sent (block 362).

WO 93/2048~ PCI /US93/02253 j3 3 6 li 3~3~j6 Figure 8K shows an overall tlow diagram 364 for the software used in the controller 100 for processing the data received from the PTB circu~ 300. The flow chart 364 begins with a get data routine (block 366), which is shown in Figure 8L If the controller 100 is unable to obtain data from the PTB circuit 300, the controller will place the PTB circu~ into a reset mode for three seconds ~block 368), increase the error count by one (block 370), and send the previous second's data to the process control computer 14 with a flag to indicate that this group of analog inp~ns has bad data (block 372) .
Assuming that the data has been received without error (diamond 374), the program will then convert the raw data inte both total pulses (block 376) and a pseudo-floating point form (block 378). For the total pulse counting mode, the program takes the number of pulses received and places this value into the analog input table ~AI XRAM~ (block 376). This conversion routine is shown in Figure 8M~ For the frequency mode (block 378), mathematical manipulations are performed to convert the Total Pulses and Total Interrupts data ints a pseudo-floating point value. This is a two par~ process which begins by forming a 24 bit intermediate result, and then is completed by converting this result to a 16 blt pseudo-floating point form used to encode frequency. The pseudo-floating point nurnber is a 1 ~ bit value comprised of a power of four sxponent and a fractional man~issa The exponent represents the smallest power of four that can be divided into the original frequency (while maintaining a fraction) less one. This prevents the representation of numbers less than one, since fractions of one are not allowed. However, this procedure allows numbers up to 65535 to be represented. For example, given a frequency of 7692 Hz, the smallest power of four that can be divided into this frequency value and stilt retain a fraction is 47 = 16384. Since the exponent of the power of four is stored in a ^less one~ format, the value of the exponent stored in the upper 3 bits of the floating point number is six. The mantissa value is the frequency as a fraction of the power~f-four value stored in the exponerlt. It is a 13 bit integer that is a fraction of 8191 (1 FFFh, where 'h' stands for hexadecimal). In other words, drviding the value : in the marltissa by 8191 and multiplying the answer by four raised to the exponent plus one power will result in the original frequency. Thus, for the example shown above, the fractional mantissa would be:

= .4694824 This fractional mantissa would be stored in the 13 available bits as 3845 decimal or ûF05h.
Therefore, the final pseudo-floating point value produced for a frequency of 7692 Hz would be:
1100111100000101 = CF05 ,,.

A

., WO 93/20488 2 1 3 1 1 ~ ~ Pcr/US93/02253 ,;
7 !

An overview of this pseudo-fioating point conversion process is shown in Figure 8N. In this regard, Figure ~O provides a detailed flow chart of the block 380 for converting number of pulses data to a 2~ bit marTtissa. Similarly, Figure 8P ~rovides a detailed flow chart of the block 3~Z for converting the 24 bit mantissa to the 16 bit pseudo-5 floating point form. Finally, Figure 8Q illustrates a flow chart of the block 384 for making anadjustment when the frequency value is less than 1 Hz.
With respect to Figure 80, th~ following should be noted. If there were not any pulses (block 386), then the 24 bit frequency mantissa value is stored as zero ~block 388).
If the number of pulses (that is, Total Pulses) is less than 255, than the exponent value 'EXP~
10 is set tO zero, and the constant ~K~ is set to 800h (block 390~. The variable RPS~ stands for Reads Per Second, and this is the number of interrupts that occur every second (that is, 1999 dec). The constants 800h and 08h are necessary to slide the 24 bit answer to the proper pos~ion so that no resolution is lost when doing the conversion to the 16 bit pseudo-floating point value. These constants will slide the value of 1 out of the 12th bit position where it 15 belongs in the 16 blt pseudo-floating point value. The use of these constants also has the added advantage of allowing greater precision since more bits are calculated be~ore they exceed the limlts of the divide routine.
As illustrated in the flow chart 382 of Figure 8P, the conversion to the pseudo-floating point value is accomplished by polling the 14th and higher bits of the 24 bit result.
20 If any of them are not zero, the result is shHted to the right by two places (that is, divided by four), and the exponent is increased by one (block 392). This shiftinq process is continued until bits 14, 15 and 16 are zero. Once the result is reduced to 13 bits (block 394), the final bit shifted off is rounded back into the 13 bits. When the bit is one, a one is added to the 13 bit mantissa (block 396). This reduces the error of the pseudo-floating point number to .025%.
25 Finally, the exponent is ORed into the upper 3 bits (16, 15, 14) of the 16 bit frequency value (block 398). If the final result is greater than 65535, the output is forced to positive full value, - 6~35. If the final result is less than one, the oùtput is forced to the represerltation of one, as indicated by the flow chart 384 of Figure 8a. The process control computer 14 may then av,erage the pulses over many seconds in order to obtain a true frequency value.Reterring to Figures 9A-9D, a schematic diagram for a multi functional bridge circuit 400 according to the present invention is shown. The bridge circuit 400 may be used to measure 5 indi/idual temperature or weight values. Specifically, the bridge circuit 400 is designed to accept standard platinum resistance temperature devices 'Rll~s' or heavy duty RTD's when the circuit is placed in the temperature measuring con1iguration using the switch 35 ~CSW1' of Figure 9D. Additionally, when the bridge circuit 400 is placed in the weight measuring configuration, the circuit will accept the wire terminations of a weight cell (for !

/
.

WO 93/2~488 P~US93/022~3 ~ 3 8 ! ~ .

~3~) exampie, A~D excttation, and B-C mv inp~n wnh B posl~ive). As indicated in Figure 9D, the switch setting also permits the bridge circuit 400 to inform the controller 100 that the temperature should be recorded in a Celsius or Fahrenheit format.
,(~ Figure 9C shows a voltage source circuit 402 for providing electrical power to the temperature/weight transducers. Figure 9B shows the multiple-wire input signal filtering provided ~o the bridge circuit for each of these transducers. As shown in Figure 9A, these input signals are directed to multiplexors ' t506A) 'CU1-CU2'. The output signal from multiplexor CU2 is coupled to an operational ampl'~ier (3140A) ~CU5~l which is shown to be in a voltage follower configuration. The output signal 'MAI-L' from the operational amplifier CU5 is transmitted to the main multiplexor U11 of controller 100.
The output signal from the multiplexor CU2 also provides one input to the differential amplifier circuit (AD521) 'CU3~. The other input to the differential amplHier circuit ; ,.~
CU3 is received from the multiplexor CU1. The output from the differential ampl'rfier CU3 is amplified via operational amplifier (314ûA) CU4 and directed to the main multiplexor U11 of controller 100 as signal MAI-H~. Figure 8A also shows a precision resistor assembly (S2CH) CU6~, which is comprised of a set of resistors used for calibration and gain purposes.
Referring to Figure 10A, a simplified block diagram of a portion of the triply redundant field computer is shown to particularly illusSrate the abort rircuits for the digital outpus signals. In this regard, a set of abort circuits are located on each of the dig'ltal output ~, 20 circuits 500-i504, As should be appreciated from Figure 1 OA, each of the con~rollers 92-96 is provided with its own digital output circuit. Accordingly, it should be understood that a field computer unit 12 contains a set of three redundant digital output circuits 500-504 whenever digital output signals are to be sent to the ffeld. While each of these redundant digital output circuits preferabl,Y has a plurality of output signal chcmnels (for example, 1-10 individual output ., 25 signal channels), only one such channel is shown in Figure 10A for illustration purposes.
. Each of the controllers 92-96 transmits a ^SEr DODC' signal to their respective digital output circuits 50~5(~4 for each digital outpuS signal to be sent to the field. Each of these SET DODC signals represents th0 result of an arbitration process which is indiYiduall,Y
.'~ performed at each of the controllers 92-96. As indicated above, the digital output value j ~ 30 signals received by the field computer unit 12 from the process control computers 14a-14b -~ are shared with each of the redundant controllers 92-96. Assuming that the transmission of '.:1 any particular digital output signal value (that is, a High or Low value) has been completely ',''' successful and all of the controllers 92-96 have correctly processed this value, then the ^SET
DODC-L, 'SE~T DODC-M- and 'SET DODC-R' signals will be identical. The 'L', 'M- and 'R~
, ' 35 suffix is simply used herein to indicate that the signal originated from the Left, Middle or Right ! ' controller. However, there may be instances when these SET DODC signals are not the , "

., ~ j .

W093/20488 21311SI~ PCI`/IS93/0~253 same. Additionaily, there may be instances when it is desirable tor the digltal output signal from a particular digltal output circuit to be prevented from being transmitted to the tield.
As indicated by Figure 10A, the output conductors from each oPthe digital output circuits 500-504 are tied together at a common node 506, which is connected to a 5 digitalty controlled device 508 ffor example, a solenoid). This means that if the output signal from any one of the digital output circuits ~00 504 is High, then the device 508 could receive a High input signal, even though the other two digital output circuits are generating Low , output signals. However, such a situation is prevented from occurring in accordance with the present invention through the combined use of redundant abort circuits 510-514.
As shown in Figure 1 OA, each of the abort circuits 510-514 includes a set of three electronically controlled switches 516-520 (for example, MOSFET devices). The switch 516 is contro!led by the SET ~ODC signal. However, even though the switch 516 may be closed, a High output signal ffor example, 26 volts) cannot be transmitted to the device 508 unless at least one of the switches 518-520 is also closed. The switches 518-520 are 15 controlled from the ABORr signals generated by the other two neighboring controllers. For example, in the case of the abort circuX 510, the switch 518 is controlled by the ^ABORT R-L-signal from controller 96, and the switch 520 is controlled by the ~ABORT M-L' signal from the controller g4. As illustrated in Figure 6C, these ABORT signals are determined individually by the microprocessor U40 of each controller.
Thus, it should be appreciated that in order for the controller 92 to transmit a High SET DODC-L signal to tl~C ~leld, it needs the concurrence or agreement of either the .~ controller 94 (through a High A~ T M-L signal) or the controller 96 (through a High ABORT
R-L signal). In this way, the software arbitration decisions by the controllers 92-96 are ~7, enforced in the digital output circuits 500 504 through the abort circuits 510-5t4. If the 25 controllers 94-96 determine that a particular digital output signal from controller 92 should be prevented from being transrn-~ed to the field, then each of the controllers 9496 will generate a Low ABORT signal for that particular digital output signal, which will open the abort switches 518-520.
~1 Each of the digital output circuits 50~504 includes a rrEsr line, such as the 30 TEST line 522 for digital output circuit 500. A diode, such as diode 524, is also included to 3.
~, isolate the digital output circuit (and hence the TEST line) from the common voltage seen by ^~ the device 508. A TRACK feedback line 526 is also provided in order to permit each of the controllers 92-96 to see the actual digital state presented as an input to the device 508. As 't" will be more fully described in connection with Figures 11A-11 C, the digital output circuits 500-. 35 504 are designed to faci!itate non-intrusive testing. The method of non-intrusively testing the digltal output circuits 500-504 will be discussed in connection with Figures 19A-19M.
,,;

, . . .
, ,`!

~`i WO 93/20488 PCr/US93/02253 Re~erring to Figure 10B, a block diagram is shown o~ ~he redundant analog output circuits 600-604 according to the present invention. In this regard, a detailed block diagram is presented for the analog output circuit 60~, while a single block is used t~ illustrate the identical analog output circuits 602-604 for neighboring controllers. Due to the detail 5 presented in the block diagram for analog output circu~ 600, the discussion of the schematic diagram for this circuit, as shown in Figures 12A-12G may be somewhat abbreviated. In any event, Figure 10B illustra~es that the analog output circuit 600 includes an abort circuit 606 ;~ for each analog output signal channel contained in the analog output circuit (for example, 5 independent channels). The abort circuit 606 is similar to the abort circuit 510 discussed 10 above, insofar as the abort switches DN1-DN2 correspond generally in placement to the switches 520-518. However, an amplHier is used in the place of the switch 516, as an analog ;,~
;~. signal rather than a digital signal is to be transmitted to the field. Additionally, opto-isolators are use~ as the abort switches instead of MOSFETs~ Accordingly, it should be appreciated that each of the redundant anatog output circuits 600-604 are provided with an abort circuit 15 tor the same reason that an abort circuit is provided in the digital output circu'lts 500-604.
The analog output circuit 600 receives instructions from its controller, which is generically indicated in Figure 10B as controller 100. In this regard, the analog output . circuit 600 receives a desired output value for each channel from its controller, and the analog output circuit is left by the controller to determine how this output value is to be achieved.
20 For this reason and for the analog output circu'~t's ability to conduct non-intrusive testing on its own, the analog output circuit is considered to be a 'smarr circuit that frees the controller 1 Oû to perforrn other needed functions in the meantime. In order to achieve these goals, the , analog output circuit 6û0 is provided with a microprocessor and the necessary support circuitry to operate with relative independence from the controller 100, as indicated by block 25 610.
The capacity for intelligent independence in accordance with the present invention is also important from the standpoint of determining how a common field device ! should be driven from three concurrently operating analog output circuitsto a common output i~
value. This is a particularty dNficult problern where, as here, a rapid response to changing ~; 30 conditions is desired. In this regard, each of the analog output circuits 6~604 will be commanded by their respective controllers 92-96 to achieve a desired output value on each - a~r ~ channel. According~y, each of the analog output circuits 60û 6û4 will want to drive the field ~ ' -~ device in response to a goal output value independently given to them by their own controller once each process control cycle (for example, one second). Thus, an unstable output could 35 result, since it is also desired that the analog output circults operate wnh relative independence from each other during the process control cycle for fault tolerance purposes.

,.
.::
, ~, .-, , j.
. ;;
L ~

- ;:
~ WO 93~20488 2 1 3 1 1 ~ 6 PCT/US93/02~3 1.`
; . ' i `~. 41 `
.. ~. , However, in accordance with the present invention, inteliigent, yet independent methods of controlling the output are provided for each of the analog output circuits through the microcompuner control circuit 610. In accordance with these methods, not only is ounput level sharing optimally achieved, but each of the analog ounpun circuits is able to respond at high ;~ 5 speed to changing conditions.
The microprocessor for the analog outp n circuit digitally transmits mul~iplexed:~ output signal voltage values for each of the actively operating output channels to a digital to ;~ analog converter circuit 612. The analog output values from the digltal to analog converter circuit 612 are then sequentially processed through an amplifier circui~ 614, and forwarded to a multiplexor circuit 616. The multiplexor circuit 616 then directs the amplified analog output signals to the appropriate abort circuits, such as the abort circuit 606 for the 'AO-1 signal.
As in the case of the abort circuits 510-514 for the digital o~np--t circuits 500-504, each of the abort circuits for the analog output circuits include a provision for creating a feed~ack signal. With respect to the abort circuit 606, this feedback provision is shown to ~, be comprised of a resistor 618 and a pair of signal lines 620-622. The signal line 620 provides a high feedback signal ~MEH-1' on the upstream side of the resistor 618, and the signal line 622 provides a low feedback signal 'MEL-1' on the downstream side of the resistor 618. Additionally, a Track resistor 624 and a pair of signal lines 626-628 are provided by the field computer unit 12 in order to perm~ each of the analog output circuits 600-604 to see the actual analog output signal value being received at an analog controlled output device 630.
The signal line 626 provides a high track signal 'AOT-tl-1- on the upstream side of the Track resistor 624, and the signal line 628 provides a low track signal 'AOT-L-1D on the downstream side of the resistor 624. Additionally, the abort circuit 606 is also shown to include a signal , 25 line 632 which provides a feedback signal OAT 1^ immediately following the amplifier 608.
.: In this way, the operability of the analog output circuit 600 up to this point may be tested with ~ both of the abort switches DN1-DN2 in an open condition in accordance with the non-intrusive `~ testing method to be described below.
,,". ~
As illustrated in Figure 10B, the analog output circuit 600 includes a pair of ,~ 30 multiplexor circuits 634 636 which feed a dlfferensial amplifier 638. The mu!tiplexor circuits ,.i-i; 634-636 operate under the address instnuctions from the microprocessor of the analog output ~; circuit to successively pair corresponding High/Low signals as an input to the dfflerential i.~. ampfifier ~38 to produce a signal indicative of the voltage drop across the feedback and track .,, resistors, which is directly proportional to the output being sent to the field. Thus, for 35 example, the MEH-1 signal would be presented at the output of the multiplexor 634 at the same time that the MEL-1 signal is presented at the output of the multiplexor 636. After an .. .
,:~,..
... .
'';:;'' .~,;

WO 93/20488 PCI /US93/02~53 ,.,;, ~

amplification step, a final multiplexor 640 is then employed to successively transmit these ,1 differential voltage signals, the ~OAT-1.. 0AT-6~ signals, or the mulltplexor outputs referenced t to ground to an analog to digital converter circuit 642. The analog to digital converter circuit 642 is in turn connected to the microprocessor block 610 for analysis.
The analog outp~ circuit 600 is preferably a 5 channel ~0-22 ma) circuit device which is capable of testing it's outputs in such a way that the testing is non-intrusive to the field. The analog o~put circuit 600 is also designed to be a high speed device, so that if one of the three redundant analog output circuits 600-6û4 fails, then the other analog output circuits will pick up the additional load within a relatively short period of time (for example, 80 msec.) The operation of the analog output circurt 600 may best be described as providing a proportional integral ~PI~ control loop, as the circuit responds to an output value (for example, a setpoint) received from the controller 100. This output value is preferably a fraction or percentage of the maximum output capability (for example, 22 ma). As mentioned above, the actual field output is measured by each of the redundant analog output circuits 600-604 across the Track resistor 624, which is located on the passive element board of the field compu~er unit 12. In order to filter out any noise that might appear on the Track signal, one fourth of the difference between the last Track value and this measurement is added to the last Track value. If the difference is greater than 8%, the old Track value is completely .; replaced in order to speed the system's response to large errors.
ZO The software control loop of the analog output circuit 600 involves a comparison between the voltage across the Track resistor 624 and the desired output value.
;J' A fraction of the error between the desired output and measured Track values (up to one fourth) is then added to the desired digital to analog output value (that is, the integral value), which is stored in the memory of the microprocessor for the analog output circuit 600. This enhanced value is then transmitted to the digital to analog converter circuit 612 and processed through the multiplexor 616 to the designated abort circuit (for example, abort circuit 606). The analog output circuit 600 then deterrnines its contribution to the total output provided to the field device 630 ~y measuring the voltage drop acroæ the 'ME' feedback resistor 618. This is done to assure that the analog output circuit 600 is contributing 100%
,,~,, , ~
of the output to the field device 630 during the non-intrusive testing method described below.
The analog output circuit 600 also compares the OAT signal to the output ot the digital to ~, analog converter circuit 616 (via its ~DAC-OUT~ slgnal shown in Figure 10B), to determine 3`
whether or not the opera~ional amplifier 608 Is operating properly. For example, if too much ~j power is being transrnitted to the field device 630, and this channel's output should be zero, but the OAT measurement says that it is not zero, the analog output circuit 600 disables this channel and flags an 'O~T<>DAC- signal to the controller 100.
~3 ~1 .
,~
;.~?

j~ WO 93120488 2 1 3 1 1 5 G PCI/US93/02253 ~;
'j'_t ' I ' ' ~
~ 43 , -,! ~

The analog output circuit 600 also provides for the automated application of abort switches (for example, abort switches DN1-DN2) in the event of a failure which sends too much power to the fieid. The primary path for opening an abort switch is a ze~ro output ensurance mechanism which forces the abort switches open for a channel when that channel is commanded to have a zero output. The secondary path for opening the abort switches is derived from a request of one or more of the analog output circuits 500-604. For example, in the event that a particular output channel for an analog output circuit is 2% too high, -~ according to the analog output circuit's own analysis, then this analog output circuit will request its controller to have the offending output channel be aborted by opening either of the abort switches ~N1-DN~. However, as these abort switches are responsive to the neighboring controllers, an exchange of abort request information is required at the controller level. In accordance with one form of the present invention, the exchange of abort requests between each of the controllers 92-96 takes place during the next output comrnunication cycle (for example, in the next process control cycle). If any two controllers 92-46 agree that a particular channel for one of the analog output circuits 600-604 should be disabled, then these controllers wiil generate the necessary signals to open both of the abort switches DN1-DN2 on the offending analog output circuit. If an analog output circuit requests an abort on a particular output channel, and neither of the neighboring controllers have requested an , abort on the same channel, then an abort disagreement has occurred. These disagreements are preferabiy handled by counting the number of sequential disagreements on a particular channel and flagging an error to the process control computers 14a-14b when the count ,- exceeds a predetermined value (for example, 32 decimal, 20 hex). When there is no abort disagreement on a particular channel, the counter for that channel is zeroed. It should be s appreciated that the secondary path for opening the abort switches enforces the arbitration decisions made by each of the controllers 100. Accordingly, it is not necessary for any of the three analog output circuits 600-604 to know the arbitrated output values that were sent to the o~her analog output circuits by neighboring controilers.
Additionally, if an analog output circuit is detemmined to be dead, the ~,a neighboring controllers will open the abort switches for all of the channels on the dead analog output circuit to isolate this circuit from the field. In this regard, an analog output circuit will be considered dead if the smart analog output board is not communicating, if a memory test of the circuit has failed, if a test of the digital to analog converter circuit 612 has failed, or if a test of the analog to digital converter circuit 642 has failed. The controller 100 responsible ~i for the dead- analog output circuit will not open the abort switches of the neighboring analog output circuits due to a loss of its own analog output circuit. Rather, this controller will examine the controller to controller communications to determine if the opening of these other , :
, ,~,., ., ~ W 0 93/20~88 PC~/U593/02253 ~s ~ 4 4 abort switches is warranted. This will permit a 3-2-1 failure scenario, rather than a 3-2-0 failure procedure. According~, in the event that only one working analog output circuit ¦ -remains, then no aborts on the operating channels for that analog output circu~it will be opened, unless an output is commanded to zero. -In the event of a controller to controller communication failure, the abort switches tor the analog output circuit corresponding to the controller 100 that did not communicate will not be opened. This procedure permits the fail SAFE/LAST mechanism described below to work property. The two remaining controllers that are able to. communicate will then act as a dual redundant field computer unit, where only one abort request is needeb to open an abort circuit. If both neighboring controllers fail to communicate, then an abort request will not be serviced, and the fail SAFE/LAST selections ~ in sottware arbitration will control the outputs from the field computer unit for all of the analog '., outputs.
Once a pair of abort switches have been opened due tO an excessively high :~ 15 output, it is preferred that these abort switches be closed only after a replacement of the analog output circuit is sensed or the controller 100 for that analog output circuit is restarted.
The exception to this procedure occurs in the case where there is a triple abort request for # a par~icular output channel. In such an occurrence, all of the abort switches for this channel are reclosed to prevent a total loss of power to the field.
From the above discussion, ~ should be appreciated that a failure associated with one or more output channels may take two process control cycles to open the appropriate abort switches DN1-DN2. Thus, for example, whsre an overall process cycle of .-one second is provided, then a one second period will be used to communicate an abort . request to the controllers from the analog output circuits, and then another one second period -x 25 will be used to permit controller to controller communication. Nevertheless, an abort on zero . output to the field will take place in the same cycle that the controllers 92-96 receive a zero output value from the process control computers 14a-14b.
~3 ~ Referring to Figures 11A-11C, a schematic diagram for the digital output ,- circuits ~00-504 is shown. Figure 1 ~A provides a schematic diagram of the abort circuit 510, which was diagrammatically illustrated in Figure 1 0A. Again, it should be noted that such an abort circuit is provided for each digital output channel of the field computer unit 12. In other ...... t`
! words, in a field computer unit having ten digital output channels, a set of ten abort circuits t ~c would be provided for each of the three controllers 92-96, thereby providing a total of thi~y k I abort circuits.
Figure 11A shows that the switches 516-520 are each comprised of a MOSFET (IRFD120) transistor. Each of these transistors receive their gate signals from an ~.-' WO~3/20488 I'CI/US93/02253 2t 311S6 , ~`
x; 45 opto-isolator, such as opto-isolator (PS2603) DU1 fortransistor 516. The ~SET DODC-1~ input signal for the opto-isolator DU1 general~y corresponds to the SET DODC-L~ signal of Figure 10A. Similarly, the ABORT1-1- input signal corresponds to the ABORT R-L- of ~igure 10A, and the ABORT2-1~ input signal corresponds to the ~ABO~T M-L- signal of Figure 1 OA. The parallel connection of transistors 51~-520 in Figure 1 OA is demonstrated in Figure 11 A by the tact that the drain and source terminals of these two transistors are tied together. The source terminal of transistor 516 is also connected to the drain terminals of the transistors 518-520, and the drain terminal of transistor 516 is connected to the +26 volt power supply DPS1-(shown in Figure 11 C) through fuse ~DF1~. In other words, the transistor 516 is connected in series wlth both transistors 518 and 520. Pull down resistor (1 00K) RP7 and diode (1 N459A) 52~ are connected to the source terminals of transistors 518-520 to provide the output line labeled ~DODC-1~ on the downstream side of diode 524. Thus, it should be appreciated that when transistor 516 is turned on by a High SET DODC-1 signal and at least one of the -:~ transistors 518-520 are turned on by their respective gate signalsl then the conductive states .:~
of these transistors will permit current to flow from the +26 volt power supply to the DODC-1 output line. Since the conduction of the transistor 516 is required to transmit electrical power to the field device 508, this transistor may be referred to as a power switch. In contrast, the transistors 518-520 may be referred to as abort switches, as these transistors operate in combination to inhibit or prevent electrical power from being transmitted to the field device when the power swi~ch is closed (that is, the transistor 516 is in a conductive or On state).
As indicated above, the digital output circuits 500-504 are designed to enable non-intrusive testing to be performed. In this regard, it should be noted that the abort circuit 510 includes a resistor (1 0K) RP1 connected in parallel across the drain and source terminals of the transistor 516, and a resistor (10K) RP3 connected in parallel across the drain and Z5 source terminals of the transistor 520. Additionally, Figure 1 1 A shows that the TEST-1 line 5Z2 is connected to the node or junction which is provided between the source terminals of the transistors 518-520, the pull down resistor RP7 and the anode of diode 524. Accordingiy, it should be appreciated that the resistors RP1, RP3 and RP7 provide a voltage divider network wi ich will enable the transistors 516-520 to be selectively actuated and the change in voltage , ~ 30 detected via the TEST-1 line. For example, when the transistor 516 is tumed on, the voitage on the TEST-1 line will rise, as the resistor RP1 is effectively short-circuited by this transistor.
Similarly, when either of the transistors 518-520 are tumed on, the voltage on the TEST-1 line will rise, as the resistor RP3 is effectively short~ircuited by the conducting transistor, Nevertheless, substantial current is not permitted to flow through the DODC-1 line unless the transistor 516 and one of the transistors 51~520 are switched to a conductive state~
Figure 11 B shows a feedback circuit 526 for the digital output circuit 500. The . "
~".
~, ~., ,r :~j WO 93/20488 PCI /US93/0_253 ¦~

3~ 4 6 ~^ feedback circuit 526 includes a pair of multiplexor circuits DU33 and DU35 which are addressed by the controller 100 through the address lines HDEV-O..HDEV~ and the enable ~, line HP3-5. The TEST lines for each of the digital output channels are connected~as input -;~.1 signals to the multiplexor DU33, while the DODC signals for each of these channels are connected as input signals to the multiplexor DU35. The output lines 528-530 from the ;~. multiplexors DU33 and DU35, respectively, are coupled together, and the multiplexed feedback signals on these output lines are then processed through a pair of operational arnpli~iers (3140A) DU32 and DU31 which are connected in series. Accordingly, it should be appreciated that each of the digital output circuits 500-504 provide a serially multiplexed i~ 10 stream of feedback signals to their respective controllers 92-96.Referring to Figures 12A-12F, a schematic diagram for the analog output circuits 600-604 is shown. Figure 12A provides a schematic dia~ram of the microcomputer circuit shown as block 610 in Figure 10B. The microcomputer circuit 610 includes a 1 6MHz ~; microprocessor (BOC31) EU3, a memory address latch circuit (HC573) EU2, an 8Kx8 CMOS
, 15 EPROM (57C64) EU1, and a programmable logic device (EP910) EU4. The microprocessor ,.: E~3 receives the output value for each of the analog ou~put channels on the serial RXDATA
.~ line from the controller 100, and the microprocessor transmits status data to the controller on the serial TXDATA line. The EPROM EU1 is used to store the operating program for the analog output circuit 600. The PLD EU4 is used to generate various signals which control the , 20 functions of specific portions of the analog output circuit 600. For example, the 'DACWR- and ~DACA~ signals from the PLD EU4 are transmitted to the digital to analog converter circuit 612 ~- of Figure 1 2B in order to cause the D/A con rerter to capture a digitally coded analog value ~ on the data bus (DATA <7 O>) of the microprocessor EU3 and convert this coded value to 3, a corresponding analog level.
The microcomputer circuit 610 also includes Green and Red LEDs to provide a visual indication of the hea~h status of the analog output circuit 600 (sometimes referred to ~,.! - ~ as the SAO board for Smart Analog Output'~. If the board is functioning properly~ the Red LED will be OFF and the Green LED will be ON. Howc~er, the microprocessor of thecontroller will cause the Green LED to flash under certain conditions, such as when the communications between the analog output circuit 600 and its controller 100 have failed.
Similarly, the Red LED may be caused to flash when the microprocessor circuit 610 is not functioning properly or it is trying to communicate with its controller 100. The Red LED will be tumed ON under several possible conditions, such as H a non-intrusive test has failed, a channel on th~ SAO board has been aborted, or a track problem has been detected.~,;~, ~j 35 ConYersely, the Green LED will be ~umed OFF if a hardware component of the SAO board has failed or a failure of the controller 100 has occurred. Accordingly, it should be appreciated t, ,'', W0 93/20488 PCI`/US')3/02~53 ~;?

"

that these status LE~s are preferably put to multiple uses, so that a variety of different problems may be visually discerned during a field inspection from just two LDs.Figure 1 2B shows the digltal to analog converter circuit 612, amplifier circuit,~ 614 and multiplexor circuit 616 discussed in connection with Figure 10B. In this regard, it should be noted that the D/A converter 612 tAD7248) has a resolution of 12 bits, but it need not be designed for absolute accuracy. Rather, in accordance with the control methods of the present invention, the accuracy of the D/A converter 612 is not nearly as importanl as the ability to make small changes.
:~ The amplifier circuit 614 is comprised of an operational amplifier EU34 (3140A). This single stage amplifier provides a 2.21~ multiplier that boosts the 10 volt maximum output to a maximum of 22.1 volts. In this regard, it is preferred that a 1.21 k ohm resistor be empioyed in the feedback leg between the output and the inverting input of the operational amplifier. This provision prevents a dmerential input greater than 10 volts by Iimiting the amount of current that can bs drawn through the non-inverting input, and thus preventing the device from being put into a positive feedback mode that could take several seconds to recover from. This provision also allows the arnplifier circuit, in conjunction with the 1.21 k ohm resistor, to ampl fy its input by 2.21.
~ ~ Figure 1 2C illustrates the abort circuit 606 which was discussed in connection ! ;~ ~ with Figure 10B. In this regard, the operational ampl~ier (3140A) EU15 or 608 is responsive to the ~SET-A01- signal from the multiplexor 616. However, the abort circuit includes provisions to prevent electrical power from being transmitted to the field if either the microcomputer circuit 610 or the controller 100 fail to operate properly. Specifically, the operational amplifier EU15 may be disabled by the conduction of the transistor EQ3 via a Low signal on the appropriate pin of the 'P1- bus of the microprocessor EU3. In other words, the analog output circuit 600 may pull its own analog output to zero. Additionally, the presence of a Low 'DEADMAN~ signal from the deadman timer circuit 6~9 ot Figure 1 2D will also cause - -~ the analog output from the operational amplifer EU15 to be pulled to zero. The timer (LS122 EU9 of the deadman timer circuit 649 is responsive to periodic ~DEADSEr signal pulses from the controller 100 to maintain the DEADMAN signal in a High state. Thus, if a DEADSET pulse Is not received within a predetermined period of time ~for example, 64 msec~, then the analog output circuit 600 will automatically pull down all ot its analog output lines to zero.
As in the case of the digital abort circuits 510, the analog abort circuit 606 includes opto-isolators (EU~2-EU33) to electrically insulate the analog output circuit 600 from its neighboring analog output circuits 602-604. However, these opto-isolators (ILD31~ are also capable of passing current to drive the field control device to which the analog output circuit ~j is connected. Accordingly, the output line 646 from the operational ampl-~ier EU1~ is ~, ~, ~ W 0 93/2048~ PC-r/US93/02'53 213 ~ 1 4 8 - b connected to the collector terminal of the transistor in each of the opto-isolators EU32-EU33.
Additionally, it should be nosed that the abort circuit 606includes a diode 648 which separates the ME resistor 618 from the track resistor 624.
Figure 12E indicates that the muitiplexor circu~t 634 of Figure 1 OB is actuallycomprised of multiplexors EU24 and EU26. Similarly, the multiplexor circuit636 of Figure 1 OB
. is shown to be comprised of multiplexors EU23 and EU2~. Accordingly, the drfferen~ial amplifier circuit 638is also comprised of a set of five operational amplifiers (OPA2107) EU11, . (OPA2107) EU21 and (OPA602) EU12. The operational amplifiers EU11 provide the multiplexed ~OUT-L~ and ~OUT-H~ signals from the ME and track resistors that allow the é 10 measurement of these signais with respect to ground. The operational ampl'lfiers EU~1 buffer . the output of the multiplexors as the first stage of the dmerential amplifier 638 formed by ~ operational amplHiers EU21 and EU12. The ~A/D_IN' signal produced by the differen~ial z amplifier 638 represents an amplified voltage dfflerence between the outputs of the multiplexors (for example, amplHied by 4.545).
~ 15 The differential ampl'~ier circuit 638 provides a gain of 4.545 in order to convert z ~ the 2.2 volt maximum track differential to 10 volts. This amplification permits the entire range of the analog converter 642 to be utilized~ Additionally, it should be noted that the operational f ampliflers have negative and positive rails of -5 volts and +26 volts respectively. In this r regard, the operational ampl'Hiers operate wlthin 5 volts of the negative rail and 3.0 volts of the :~ ~ 20 positive rail. Tha operational amplifiers should also have a slew rate greater than 1 volt/msec, and as low a voltage offset as possible. In this way, the dlfferential amplifier circuit 638 has the ability to operate relative~y fast, perforrn well near the SUppl,Y rails and reject common mode voitages across a wide range.
. ~ - Figure 1~F completes the analog output circuit 600 by receiYing the OUT-L, ,j 25 OUT-H and ~/D IN signals and further muitiplexing these signals with the OAT-1.. 0AT-5 signals. The analog output of the muitiplexor 640 is processed through operational amplifier . - tC~PA602) EU5, and then conYerted into a digital signal stream by A/D converter (ADS574) 642. The AID converter 642 is in tum connected to the DATA <7 O> bus of the .~ microprocessor EU3 of the analog output circuit 600.
Referring Figures 13A-13D, a schematic diagram for the network controller 16 ~'~; is shown. As indicated above, the network controller 16 serves æ the communication director for the entire fiber optic network, and it preferably has the capabil ty to communicate at a rate of at least 500K baud. The network controller 16 is equipped with its own microcomputer circuit 800, as illustrated in Figure 13A. The microcomputer circuit 800 includes a microprocessor (80C31BH-1) FU~O, a 32K program memory FU11, a 32K data memory chip FU6, a PLD memory controller chip FU5 and latch chips FU2-FU3. In this respect, the ~ ~ ' ~,f, :
~ `~

W O 93/~0488 2 ~ 3115 6 PC'r/U593/02'53
4 9 microcomputer circuit 800 is similar in design to that shown for the controller 100 in Figure 6A, and the same or similar components may be used in both circuit designs. A 16MHz oscillator circuit 802 is also shown to be connected to the microprocessor FU10, w~ch serves to point out that the network controller 16 operates under its own clock, even though the microprocessor FU10 receives a 'MODSYNCIN~ synchronization signal from the process t control computer 14.
The network controller 16 is connected to its process control computer 14 via a 16-bit wide ~B~ bus, which is shown in Figure 13B. The network controller 16 also receives a set of encoded control signals (rMOD-DO..MOD-D3', MOD-CP~ and 'MOD~r) from the 10 process control computer 14 which facilltate communication between these ~wo computer systems. In this regard, these encoded control signals are connected to a decoder circuit (ZV10) FU13, which deciphers these control signals and directs these control signals to the circuits indicated in Figures 13A-13B. Thus, for example, the ~/MODSt I uATA~ signal is sent ~o a pair of three-s~ate flip flop circuits (74HT574) FU14-FU15 in order to capture data 15 presented on the ~B- bus. Similarly, the ~/MODREADATA~ signal is sent to a pair of latch circuits FU1 6-FU17 in order to enable these latch circuits to pass da~a captured from the ~PO
bus of the microprocessor FU10 to the ~B~ bus of the process control computer. The flip flop circuits FU14-FU17 also receive enable/clock signals from a 3 to 8 decoder circuit (74HC138) FU4, which is connected to the ~AD~ bus of the microprocessor FU10.
Figure 13B also shows that a flip flop circuit FU18 provides a further input interface batween the 'B~ bus from the process control computer 14 and the PO bus of the microprocessor FU10 of the network controller 16. In this regard, the process control computer transmits a SETCODE signal to the network controller 16 which is used to indicate to the network controller 16 what data elements were loaded into the flip flop circuits FU14-25 FU15 by the process control computer 14. Additionally, the process control computer 14 sends a predetermined set code value (for example, 1 Ohex) to nlp-flOp circuit FU18, which is used to indicate the start of a new process control cycle ffor example, a new second~. During the anticipated time that this code should be transmitted, the network controller 16 repeatedly polls the flip-flop circuit FU18 in a tight loop in order to detect the start of a new process 30 control cycle. When the new prrcess control cycle set code is detected, then the microprocessor FU10 will read and store its own corresponding clock signal. Then, the microprocessor FU10 will change the appropriate register which stores the clock data by an amount which will enable the clock signal of the network con~roller 16 to be adjusted to that of the process control computer 14. Finally, Figure 138 shows a decoder circuit (74HC541) 35 FU1 which is connected to the keyboard of the debug panel 18 for the network controller 16 via signal lines 'KEYO..KEY3'. Communication to the debug panel 18 is provided by the WO 93/20488 PCl /US93/0~2~3 ~,3~1~i6 ~o RPDBUG signals shown in Figure 13A. Thus, it should be appreciated that the circuits illustrated in Figure 13B provide a way to effectively make multiplexed use of the P0~ bus of the microprocessor FU10 for purposes of bi-directional communication with ~he process control comp~ner 14 and bi-directional communication with the debug panel 18.
Figure 13C shows a receiver circuit 8~4 for the network controller 16. The receiver circuit 8W generally comprises a multiplexor circuit FU8, a digital to analog converter circuit FU12 and a comparator circuit FU7~ The muitiplexor circuit FU8 is connected to an ~RXD~ bus, which is essentially a set of individual signal lines that extend from an edge connector on the network controller circuit board. These signal lines include the ~MAIN RXD^
and the ~R~PEAT_RXD~ signal lines which illustrate the network controller's ability to communicate in opposite directions~ In this regard, the MAIN ~(D line is ultimateiy connected to both of the two fiber optic cables 34 shown in Figure 1 through an interface circuit to be described below. Similarly, the REPEAT RXD line is ultimately connected to both of the ~vo fiber optic cables 36. In this way, both of the cables in each network ring are utilized to form one communication link. Additional~, the multiplexor FU8 also receives the signal lines labeled NEIGH1 RXD~ and ~NEIGH2 RXD~. One of these NElGHbor lines could be used to receive high speed optical communication between the process control computers 1 4a-14b.
The other of these NElGHbor lines is also available to facilitate such communication when the process control computer 14 is comprised of three redundant process control computers.
Altemat~ely, these NElGHbor signal lines could be used to provide additional redundant communication links between the process control computers.
As in the case of many of the input signals for the controller 100, the digital to analog conver~er circuit FU12 and the comparator circuit FU7 operate in combination to produce an ^RXDATA' signal which is connected to the microprocessor FU10. This arrangement permits a plurality of both analog and digital signals to be processed through the same circuitry, which ultimately generates a single input line to the microprocessor FU10.
Figure 13D shows a transmitter circuit 806 for the network controller 16.
Specifically, the transmitter circuit 8û6 is shown to be comprised of a decoderldemultiplexor circui~ (74HC138) FU9. The decoder circuit FU9 is connected to the address bus ^P1^ of the microprocessor FU10, and the decoder circuit also receives the ~TXDATA' -cignal from the microprocessor tor transmitting signals to the fiber optic network. The decoder circuit FU9 produces signals which are complimentary to the ^RXD' signals discussed in connection with Figure 13C. Specitically, the ^MAIN ~XD' signal is ultimately connected to one of the fiber optic cables 34, and the ^REPEAT FtXD' signal is ultimately connected to one of the fiber optic cables 36. Similarly, one ot the ~NEIGH1 TXD'rNElGH2 TXD' signals could be used to provide a transmission link between the process control computers 14a-14b.

WO 93/204X8 2 1 3 1 1 ~ 6 PCTtUS93/0~253
5 ~
~' Referring to Figures 14A-14E, a schematic diagram of the breakout serial communication circuit 26 is shown. In this regard, the breakout circuit 26 has several circuit similarities to the network controller 16. Specifically, the microcomputer circui~808 of the breakout circuit 26 (shown in Figure 14A) is similar ~o the microcomputer circuit 800 for the network contrnller 16. The microcomputer circuit 808 includes a microprocessor (80C31 BH-1 ) GU10, a 32K program memory GU13, a 32K data memory ch.p GU11, a ~LD memory controller chip GU14 and latch chips GU3 and GU8. Addltionally, the transmitter circuit 810 of the breakout circuit 26 (Figure 14D) is similar to the transmitter circuit 806 of the network controller 16, and the receiver circuit 812 of the breakout circuit (Figure 14D) is similar to the transm~er circuit 804 of the network controller.
Figure 14B shows a power supply circuit 814, which serves to illustrate that the breakout circuit 26 may receive its electricai power from the process control computer 14 (labeled ~MOD~) or from an external source. Figure 14C shows the connectors 'S1..S15- for each of the communication signal lines a~/ailable on the breakout circuit 26. These connectors 15 are in turn coupled to fiber optic receiver/transmitter circuits, such as those shown in Figures 1 5A-1 5B respectively. Thus, for example, the MAIN RXD and MAIN TXD signals are coupled through connector S1, and the REPEAT RXD and RFPEAT TXD signals are coupled through the connector S3. Additionally, as the name breakout- implies, a set of connectors S6~15 are provided to direct signals received by the breakout circuit 26 to specfflc communication 20 channels that are associated with individual field computer units 12.
Accordingly, it should be appreciated that the breakout circuit 26 has the capability to multiplex or demultiplex communication signals for up to ten individual field computer units 12. Additionally, it should also be appreciated thaS the breakout circuit 26 may be configured to provide a repeater function, such as that shown for the breakout circuit 26e 25 in Figure 2. In this regard, the signals received on the MAIN_~YD line may be processed through the microprocessor GIJ10 and re-transmitted on the REPEAT TXD line to the next breakout circuit, such as the breakout circuit 26f of Figure 2. In this way, the breakout circuit 26e may be used as a signal r~transmitter.
Figure 14E shows a configuration circuit 816, which is used to control the 30 signal directioning function of the breakout circuit 26. SpecHically, a pair of switches GSW1-GSW2- are provided to facilitate the multiplexing/demultiplexing of signals between the mainlrepeat ports 3~32 of the breakout circuit 26 and the communication channels~CH1..C) 110-. In one form of the present imention, the switch GSW1 is used to determine a start channel and the switch GSW2 is used to deterrnine a stop channel. Thus, the 35 combination of these two range switches will enable the microprocessor GU10 to know which set of adjacent channels are actively connected to field computer units 12. In contrast, the WO 93/2()4~ PCl/US93/0''253 ~3~1S~ 52 ~ `~
setting of switch GSW3 informs the microprocessor GU10 whether the breakout circuit is connected on the primary level of signal distribution (for example, breakout circuits 26b and 26d of Figure 1) or whether the breakout circuit is connected on the secondary level~of signal distribution (for example, breakout circuits 26a and 26c of Figure 1). The setting of swi~ch 5 GSW3 also informs the microprocessor GU10 as to whether the breakout circuit is being used as a repeater. Additionally, Figure 14E also shows a connector GS5' which is used to couple the debug panel 56 for the breakout circuit 26 to the microprocessor GU10 via the ~RPDBUGr bus.
Referring to Figures 1 5A-158, a schematic diagram of two fiber optic interface 10 circuits are shown. Specifically, Figure 15A shows a receNer circuit 900, and Figure 15B
shows a transm~er circuit 902. The receiver circuit 900 includes an optical to electrical converter circuX ~HU2- which feeds a high speed comparator circun (LT1016) 'HU4-. The high speed comparator HU4 produces a 'RX our signal which has an electrically variable component that corresponds to the optically vanable component of the optic input signal.
15 When plastic optical fibers are employed to conduct communication signals, it is preferred that an HP-2522 converter be u~ilized for the converter HU2. However, when glass optical fibers are employed, it is preferred that an HP-2402 converter be employed for the converter HUæ
The transmitter circuX 902 of Figure 15B includes a NAND gate (75451) HU3 which feeds an electrical to optical signal converter circuit HU1. When plastic optical fibers 20 are employed to conduct communica~ion signals, X is preferred that an HP-1 sæ converter be utilized for the converter HU1. However, when glass optical fibers are employed~ n is preferred that an HP-1404 converter be employed for the converter HU1.
Referring to Figures 1 6A-1 6G, a schematic diagram of the power supply circult 50 is shown. The power supply circuit 50 is a 500 watt power suppty that is capable of 25 powering up to five fieid computer unit sides. In this regard, X is preferred that one power supply circuit be used to power only corresponding controllers 92-96 in each field computer unit 12. In other words, one of the power supply circuXs 50 may be used to provide electrical power to the Left controller ~2 in 1-5 field computer unXs. The power supply circuX 50 may also be used to provide power to one or more of the breakout circuXs 26 as well. Addnionally, 30 the power supply circuX 50 is also used to charge the batteries 52 from which it may ultimately derive power in the event of an interruption in its A.C. input power. The batteries 52 are preferably a set ot two 12 volt sealed batteries which are connected in series.
The power supply circui~ is also preferably contained in Xs own enclosure, as shown in Figure 1. An enclosure may also be provided to house a field computer unX 12, a 35 set of power supply circuXs 50 and a set of batteries 52. The enclosure for the power supp~
circuit 50 is preferably equipped with a set of LEDs which will indicate the status of various WO 93~20488 ~ ~ 3 1 1 S 6 PCT/US93/02~53 ~:

" ~ ! ' functional aspects of the power supply circuit 50. For example, one LED may be used to indicate that the power supp~y circuit 50 is receiving A.C. electrical power, while another LED
may be used to indicate the battery 52 has sufficient power available. As will be discussed below, the power supply circuit 50 has the ability to test the battery 52 by conducting a load 5 test.
Figure 16A shows a fan controller circuit 904 which is responsive to the ~FANON- signal from the controller 100. The FANC)N signal will cause the transistor in the opto-isolator circuit IU8 to conduct, and thereby transmit electrical power to a fan in the enclosure for the power supply circuit ~0. Power to the fan may also be provided from the 10 signal generated by a pair of temperature sensing devices (AD592), which are connected to pins 14 of the connector ~S3~. If the temperature being sensed in the power supply enclosure is sufficiently high, the temperature sensing devices (not shown) will turn on the fan (also not shown). The POWER-TEMP signal is transmitted back to the controller 100 to allow the controller 100 to monitor the temperature of the power suppiy and turn on the fan H
1 5 necessary.
Figure 168 shows a power converter circuit 906 which may receive either 120 VAC or 240 VAC electrical power. Figure 1 6B also shows an opto-isolator circuit (H11 G2) IU1, which is used to sense that A.C. power is available to the power supply circuit 50. While not shown in this schematic diagram, a suitable A.C. converter (for example, a Vicor Vl-FKE6-20 CMX circuit) is preferably employed to produce modulated D.C. power on the lines labeled'+HV' and 1-HV'. A set of three 200 watt power supply circuits (Vl-200) 'PS3-PS5' are connected in parallel to convert this high voltage input power to a regulated 28 volt D.C.
output. A voltage divider circuit ~R3-RS is used to adjust the output voltage to precisely +28 volts. This voltage level is necessary to charge the batteries 52. The batteries 52 are charged 25 through the bank of positive temperature coefficient (PTC) resistors 'VR2..VRr, which are used to limit current flow to the batteries. As the batteries 52 draw rnore current, the PTCs heat up and restric ;he flow of current to the batteries.
The charging vol~age is transmitted on conductor line 908 to a relay K2 on Figure 16C, which is used to connect the batteries 52 to the charger circuit of Figure 16B.
`
30 In this regard, the positive terrninal of one or more sets of battenes 52 is connected to conductor line 910 on the downstream side of the relay K2. The relay K2 Is controlled by the 'LOAD TEST-B- signal, which is derived from the -ontroller 100. The LOAD_TEST-B signal is used to causa the batteries 52 to be disconnected from the charging circuit in order to test the state of charge on the batteries. As will be seen below, this test is conducted under load 35 conditions which will reflect the amount of current draw that could occur if the batteries were called upon to provide the primary power source for one or more field computer units 12.

WO 93/20488 PCI /US93/0'2~3 ~
3l ~, 6 5 4 ~ ' In order to conduct this ~load test, the batteries 52 are alternately switched be~veen a iow current drawing load (for example, 125 ohms) and a high current drawing load (tor example, 0.75 ohm). The low current ~oad is provided by (5 watt) resistors R28-R29, while the high current load is provided across pins 3-6 of connector ~S4~. The high current load may be any resistive device capable of pulling the maximum allowable current from the batteries 52, such as a pair of Dale HLZ-165 1.5 ohm power resistors in parallel. A switch K1 is used to alternately connect the batteries 52 to the high/low current loads during the testing procedure in response to a LOAD TEST-A signal which is received indirectly trom the controller 100. The LOAD TEST signal resets a (555) timer circu~ IU9, which is configured to generate a High signal for approximate~y 180 seconds. With the polar~y shown for the opto-isolator circui~s IU7 and IU10, the LOAD TEST-A and LOAD TEST-B signals may actually be the same signal from the controller 100. In other words, the batteries 52 will be charged while the LOAD TEST-B signal is High, and the timer circuit IU9 will be held in a reset condition. However, when the LOAD TEST-B signal is brought Low, the switch K2 will energize and connect the positive terminal of the batteries 52 to the switch K1. The ti~ner circuit IU9 will then start counting and cause the batteries 52 to be switched to the high current load for approximately 60 seconds. Then, the batteries 52 may be switched to the low current load.
During the load test, the battery voltage BA I I tRY V will be measured by the controller 100 through isolation circuit (AD202) IU3. In this regard, the discharge voltage of a banery is both a function of the load and the amount of energy stored. Accordingly, the controller 100 will be able to determine the approximate amount of energy stored from the BArrERY V signal and the known resistance value of the high current load. In other words, the controller 100 will direct a load test where the power supply circuit 50 provides the controller with a high current load battery value during a time span of approximatcly 60 seconds. The low current load may also be used to fully discharge the baKeries 52 if needed.
The isolation circuit IU3, as well as the isolation circuit IU4, are used to permit the power supply circuit 50 to have twu separate GND potentials. The GND potential which is isolated from the battery GND is referred to herein as ISOGNI~.
The power suppty circuit 50 also generates several other signals which are related to the stata of tha circuit or the state ot the batteries 52. For example, Figure 16C
shows that the power supply circuit 50 includes a comparator circuit tLM339) IU6, which generates a BAl~ LOW~ signal. As the name implies, the BAl~ LOW signal is indicative of whether the battely vo~age is too low ffor example, < 10 volts). Similarly, a BATll~RY >26V
signal is used to indicata that the battery voltage is too high (for example, over 26.1 volts), via one of the comparator circuits IU6. The CHARGER V signal is used to provide the controller 21311~ 6 i -WO 93/20488 PCl`/US93/02253 100 with an indication of the voltage being applied to charge the batteries ~2. Assuming that this charging voltage is above 25 volts, one of the comparator circuits IU6 will generate a High ^CHARGER OK~ signal. Since the toggle point of this comparator is set to 4.17 vo~s by the regulator (ADs87) IU5 and the resistors R20 and R23, the CHARGER V signal is divided down across resistors R32-R31.
Turning to Figu~e 16D, a control interface circu~ 912 for a group of five power supply circui~s 50 is shown. The sontrol interface circuit 912 includes a pair of decoder circuits (22V10) ~U1~U2 for interpreting comrnand signals from the controller 100, such as the replicated ~FANON~ and ~ICONSERVE~ signals. As will be seen from the discussion below, the ICONSERVE signal is used to turn off the supply of 26 volt power to the field computer units. The 8ATOFF~ signal is used to turn off the supply of 5 volt power to the field computer units. In this regard, it should be appreciated that the controller 100 may first direct the power supply circuit 50 to conserve battery power by turning off the 26 volt power source, and subsequently shut down the 5 volt power source after a suitable time has elapsed (as determined by the controller 100). The ~BAT TEsr signal is used to generate a ~LOAD TEST ON- signal which corresponds to the LOAD TEST-A/LOAD TEST-B signals.
Figures 1 6E-1 6F show a set of connector circuits 91~916 which are replicated for each of the field computer units 12 that are powered by the power supply circuit 50. The connector circuit 914 simp~y shows the various command signals that are transmitted to each of the field computer units 12. Similarly, the connector circuit 916 shows the transmission of the 26 volt power source and a 'VCC' power source to each of the field computer units 12 via fuses 'CB1 -CB2'.
Figure 1 6G shows an output power circuit 918 for the power supply circuit 50.
The output power circuit 918 includas a power line labeled ~VSOURCE' which corresponds to the +28 volt power source output from cormerters PS3-PS5 of Figure 1 6B. The VSOURCE
line feeds three 150 watt converter circuits (Vl-200) 'KPS2-KPS4' and a 10û watt converter circuit ~I-200)'KPS1-. The converter circuits KPS2-KPS4 combine to produce a +26 volt power source across lines 92~922, while the convsrter circuit KPSl produces a +5 volt power source across lines 922-924. It should be noted that jumpers KJ3-KJ4 are provided to connect the output of the +5v-power source to the sense circuit of the power source.
A set of opto-couplers (MOC8021)'KUl-KU4' are used to corltrol the on/off operation of the converter circuits KPS1-KPS4 in response to the 'SHUTDOWN' and '5V OFF~
command signals. SpesHically, a High SHUTDOWN signal (which was derived from theICONSERVE signat) will cause the opto-isolator circuit KUlto become non~onductive, and thereby turn on transistor KQ1. This will cause the gate signal input to the converters KPS2-KPS~ to be driven low, and thereby shut these converters off. This will in turn remove the WO 93/20488 P~/US93/022~3 ~' ~ 3li~S ~`'`' +26 volt power source from the field computer un~. A similar control procedure is also utilized to shut off the +5 vott power source through opto-isolator KU4 and transistor Ka2.
Addltionally, the opto-isolators KU2-KU3 are responsive to the + 28 volt li~e 926 to simul~aneously turn on the converters KP$1-KPS4 when the converter circuits PS3-PS5 of 5 Figure 1 6B are receiving power from the AC line.
Referring generally to Figures 17A-171 and Figures 18A-18T, a set of flow charts is shown to illustrate the arbitration methods performed at the field computer unit 12 according to the present invention. Figures 17A-17E relate to the arbitration of digital inputs, and Figures 17F-171 relate tO the arbitration of digital outputs. Similar~y, Figures 18A-18N
relate to the arbitration of analog inputs, and Figures 180-18T relate to the arbitration of analog outputs.
In order to put the field computer unit 12 software arbitration methods in perspective, the following observations may be made. These methods represent theprocedures according to the present invention for how input and output values are selected in response to both agreements and disagreements between the values provided to each of the three controllers 92-96 contained in the field computer un~ 12. In this regard, it is important to understand that these arbitration methods are performed by each of the controllers 92-96. It should also be understood ~hat each of these arbitration methods are performed within each process control cycle (for example, each second).
In general, the value data used in these arbitr~tion methods must first be validated as an initial step. Then, ff the value data (that is, a A0, Al, Dl or D0 value) from at least two controllers agree, then the Leftmost value is selected. In other words, the Al or Dl value determined at the Left controller 92 will be transmitted to the process control computer 14 if the Left controller 92 and the Middle controller 94 agree. Similarly, the A0 or D0 value detennined at the Middle controller 94 will be transmitted to the field if the Middle controller 94 and the Right controller 96 agree. However, as each of the controllers 92-96 perform this arbitration prccess, it should be appreciated that it is possible that the controllers may transmit arbitrated values from dfflerent agreemerlt combinations on a channel by channel basis for both input and output values. Such a situation could occur, for example, as a result of a communication failure to or from one of the controllers 92-96, so that the data values for that controller may not be shared with the other two controllers.
In the event that three valid data values exist, but none of the three controllers 9~-96 are in agreement, then in accordance with the present inver~tion a software selectable default condition is used for that value. In the ca~e of input values, a choice may be made between a Select-High or Select-Low value to be sent to the process control computer 14.
In the case of output values, a choice may be made between a Faii-Safe or a Fail-Last value WO 93/2048~ 2 1 3 1 1 5 6 PCI /US93/0~253 ; - 5 7 ! ¦;

to be sent to the field. One of the advantages of the present invention is that these software selec~able default conditions may be rapid~y changed in order to provide the most effective process control decisions possible in response to changing conditions in the fie~d. In one form of the present invention, these default value conditions can be changed and are transmitted to the field computers units 12 with each process cycle signal communication for each input and output channel being processed by the field computer unit.
While these default value conditions are stored in each of the controllers 92-96so that a communieation interruption will not prevent the most current default value conditions from being applied, a procedure is nonetheless provided to ensure that the most appropriate default value cond'~ions will be applied. For example, when a process is first star~ed, the most appropriate output default value condition may be a Fail Safe value (for example, a zero output). Whereas, after the process has been oper~ting properly for some period of time, the most appropriate output default value condition may be ~he Fail-Last condition. In this regard, the Fail-Last condition applies the last arbitrated data value for the channel in question in the event of a loss of communication from the process control computer 14. When the Fail-Last condition is invoked for an analog output in response to a complete disagreement between valid data, then the value which is numerically nearest the las~ arbitrated data value will be selected. In the event that no valid data is available for either an input or an OUtput value, then the last arbitrated data value should be used.
Turnin3 to Figures 17A-17E, the flow charts for ~he arbitration of digital inputdata will now be described. Before proceeding to discuss these flow charts, it should be noted that each of the three controllers ~2-96 independently perform this arbitration process.
However, the Middle controller 94 will not send its arbitration results to the process control computer 14 unless an additional fiber{~ptic communication link is provided for this controllèr.
Such a fiber-optic communication link should be utilked, for example, in the event that three process control computers 14 are provided.
Figure 17A shows an overall flow chart 1000 for the arbitration of digital inputdata. Block 1002 indicates that the data values for the first 10 digital input channels are loaded into memo~. These data values were obtained from the multiplexor U9 of the controller 100 shown in Figur~ 61. Then, various constants, pointers and counters are initialized to set up th~ arbitration process (block 1004). Assuming that the digital input circuits are contained on the controiler circllit board or the microprocessor U40 detects that a chassis mounted digital inpu~ circuit is plugged in, then a 'good bit' is set to indicate that valid data is available (block 1006).
Diamonds 100~1010 test whether valid neighborto neighbor communication messages have been received at the controller ffor example, using a checksum calculation).

W093/204~8 PCr/US93/0ZZ53 ~

C~3~5G i In other words, the controller 92 will test to see if valid data passing messages have been recerved from the controllers 94-96, while the controller 94 will test to see if valid data passing messages have been received from the controllers 92 and 96. Next, the controlle~ will ~get-the valid digltal input values for the first channel (block 1011). Then, the valid digital input 5 values for this channel will be converted from ~N1~ ( for example, controller 94), 'N2~ (for example, controller 96) and ~ME~ (for example, controller 92) values, to Left, Middle and Right values for arb'ltration software purposes (block 1012).
At this point, the flow chart 1000 shows a series of three broken-line boxes 1014-1018 which each represent a separate flow chart. Specifically, the ~Determine Send-Low-block 1014 is shown in Figure 17B, the ~Deterrnine Which Input to Send' block 1016 is shown in Figures 1 7C-1 7D, and the ~SetlClear DIC Bit~ block 1018 is shown in Figure 17E. Once the process steps shown in these flow charts are completed, then the arbitrated digital input value for the first channel is stored in a message bu~er for transmission to the process control cornpu~er 14 (block 1020). The program then repeatedly loops back to get and arbitrate the next dig~tal input channel until all of the digital input values have been arbitrated (block 1 0Z).
Again, it should be noted that this process is performed by each of the controllers 92-96, particularly where three process control computers 14 are provided. However, in the embodiment illustrated in Figure 1, on~ the Left and Right controllers 92 and 96 transmit their arbitration result to their respective process control computers 14a-14b.
The flow chart 1014 of Figure 17B is directed to determining whether a Low default value shouid be sent to the process control computer 14. In this regard, the flow chart 1014 checks to see H a valid Send Low bit is availabie for at least one of the Left, Middle and Right controllers 92-96 (for example, diamonds 1024-1028). Then, the program checks to see if there is an agreement between the valid Send Low bit of hVO controllers (for example, diamonds 1030-1032). If there is an agreement, then the Leftmost Send Low bit is used ffor example, block 1034). However, if there is a disagreement between valid Send Low bits when only two valid Send Low bits exi~t, then the state of the last valid Send-Low bit will be used ffor example, blocks 103~1038).
The flow chart 1016 of Figures 17C-17D represents the primary arbitration routine for each of the digital input channels. While the process starts out testing the valid'~y of the Left dignal input (block 1040), it should be appreciated that the apparent bias toward the values of the Left controller 92 is not necessary, even though this selection promotes overall system and software uniformity. Assuming that the Left digital input value is valid, the Middle digital input value is checked for valid~ty (block 1042). Then, assuming both values are good, and they match (block 1044), then the Left digital input value will be selected for transmission to the process control computer 14 (block 1046~. In other words, if both the Left WO ~3/20488 21311~ G Pcl`~us93to2~s3 ~:

and Middle controllers 92-34 provide a High digltal value, then the digital value stored in memory that represents the Left value will be sent to the data table of values which will ultimate~ be transmitted to the process control computer 14. Never~heless, the prQcess does not end at this point, as a Left-Right match determination is made (block 1048) if a valid digital input value is available from the Right controller 96. In the event that there is a disagreement (for example, Left = High, ~ight--Low), then the Left-Right compare bit ~DICLR~ will be set;
that is, the DICL~ bit will be provided with a Highlone value block 1050). These specific compare bits may be counted and/or sent to the process control computer 14 with each process control cycle, so that an indication is available of continued disagreements. In this regard, the accumulated compare bits may be used to decide that a service call to the field should be made or that a particular digital input circuit board or controller 100 should be shut down in the appropriate circumstances.
The remaining portion of the flow chart 1016 generaliy follows the ana~sis discussed above. However, it should be noted that block 1052 indicates that an Arbnration 1~ Failure b~ is set when there is a Len-Middle disagreement and the Right digital input value is not valid. At this point, diamond 1054 indicates that the program ch~cks ~o see if the process control computer 14 has requested that a Low value be sent as the default value. If the answer is no, then the Left value will be selectad if it is High (block 1056), and the Middle value will be selected if the Left value is Low (block 1058). This is because the Middle value must be High, as there was a disagreement with the Low- Left value. If the Send-Low default value was requested, then the Left value will be checked first to see if it is High (block 10~0).
As blocks 1058 and 1062 indicate by implication, the Low value will ultimately be sent to the process control computer 14.
The flow chart 1018 of Figure 17E is directed to detemmining the state of a general digltal input compare bit 'DIC'. If a disagreement between any two valid digital input values has been detected from the sta~e of the specific compare bits, then the DIC bit will be - set (block 106~). Othelwise the DIC bit will be cleared (bloclc 1066).
Referring to Figure 1 7F-171, the arbitration method for the digital output values ~ill now be described. In this regard, it will be seen that the flow charts of Figures 17F-171 generally follow the analysis discussed above for the arbitration ~t diq~al input values. Thus, for example, the flow chart 1068 of Figure 17F corresponds to the flow chart 1000 of Figure 17A, and the flow chart 1070 of Figure 17G corresponds to the flow chart 1014 of Figure 17B.
However, in the case of flow chart 1070, the detennination is made as to whether a 'Fail-Last' request has been sent to the field computer unit 12 from the process cor~trol computer 14.
The flow chart 1072 of Figure 17H provides the primary arbitration routine for each of the digital outpu~ channels. As the selection of digital outputs generally follows the WO 93~2~)488 PCr/US93/02253 ~`
~,~,3~ 6 60 ` `~

analysis described in connec~ion with the sele~ion of dig~al inputs, only a few comments need to be made. Spec~fical~, block 1074 indicates that a specific INomatch~ b~ (that is, the Compare bit) and a ~Negotiation Failure~ bi~ (that is, the ~DOAF~ bit) will both be set~when the only two valid digital output values are not the same. Additionally, block 1076 indicates that the ~DOAF~ bit will be set in the event that none of the Left, Middle and Right digital output values are valid.
Block 1076 also indicates that the present invention provides a mechanism in response to a failure of communications. Specifically, a programmable ~timeo-n counter-will be decremented from an initial value, which would other Nise prevent any change in output status to be made until communications have been re-es~ablished. In this regard, a desired timeou~ value may be transmi~ted from the process control computer 14, which would then be arbitrated by the controllers 92-96 for use as a fail safe timeout coun~er for all digital and analog ou~puts. For example, this timeout valus may represent the number of seconds before moving trom a fail-last status to a fail-safe status. Diamond 1078 is used to test whether a timeout has occurred (for example, a zero counter value). If the timeout has not yet occurred, then diamond 1080 tests whether a Fail-Last defaun value has been requested. If the Fail-Last default value has been requested, then block 1082 indicates that the last arbitrated digital output value will be sent to the field (for example, digital output circuit 500). If the Fail-Last defautt value has not been requested, then a Fail~afe value (for example, a Low, zero or d~
energized state) will be sent to the field (block 1084). If a timeout condition has occurred, then diamond 1078 and block 1084 indicate that a Fail~afe value is sent to the field.
The flow chart 1086 of Figure 171 generally corresponds to the flow chart 1018 of Figure 17E. However, block 1088 indicates that a general digital output compare bit 'DOC
will be set H a disagreement was found between any two controller values for the particular digital output channel being processed. Finally, block 1090 of Figure 17F indicates that the selected digital output value will be stored in a memory table location for subsequent transmission to the appropriate digital output circuit channeL
Tuming to Figures 1 8A-1 8N, the flow charts for the arbitration of analog inputdata will now be described. In this regard, Figures 1 8A-1 8B combine to show an overall flow chart 1100 for the arbitration of analog input data. As an initial procedure, block 1102 indicates that the program checks the Family-Type codes from each of the three analog output circuits 60~604. The detailed process steps represented by block 1102 are shown in Figures 1 8C-1 8D. SpecHically, the program routine starts by checking to see H valid Family-Type codes were received from each of the two sets of analog input circuits (for example, diamonds 11041108). Then, the program determines whether or not there is a ma~chbetween the Family-Type codes for the controller conducting the arbitration and the Family-W093/~0488 6 1 Pcr/us93/022s3 Type codes for the other two controllers (for example, diamonds 1110-1112). If a match is found, then a specific ~OK- bit is set in each instance (for example, blocks 1114-1116).
However, if a particular match was not found, such as for the 'ME~ and ~Neighbor1~ codes, then a ~Nomatch~ bit may be set (block 1118 in Figure 18D).
Now that the controller conducting the arbitration method knows how to process the analog input data, the program flow jumps back to block 11Z of Figure 1 8A in order to obtain the da~a values from the three analog input circuits for the first channel.
Diamond 1124 indicates tha~ the prograrn then conducts several tests relative to the Neighbor1 analog input circuit. Specifically, the controller conducting the arbnratien checks to see ff the Neighbor1 circuit board is inserted and if a complete communication message has been received from the controller for the Neighbor1 analog input circuit. In this regard, it should be noted that this may be, achieved by looking to see if the ~OK bit has been set for the Family-Type codes of the ME and N1 boards.
Next, the difference between the analog value received by the controller conducting the arbitration and the analog value received from the Neighbor1 analog input circuit (through a Neighbor to Neighbor communication message) is determined (block 1126).
This difference in analog values is then compared against a Narrow Tolerance threshold value (block 1130). The Narrow Tolerance value is dependent upon the particular type of analog input sensing hardware being used. For example, for a sensor providing a 4-20 ma current ~ ~20 loop input value, the Narrow Tolerance value may be set to 0.6%. In other words, if the 'ME' - ~ ~ value was 10.0 ma and the Neighbor1 value was between 9.88-10.12 ma, then these values would be determined to be within Narrow Tolerance agreernent. Substantially tighter Narrow Tolerance values may be employed with other analog input values which are quite stable, such as those derived from thermocouples.
Block 1132 indicates that the Neighbor1 Narrow Tolerance bit will be set in - the event that there is Narrow Tolerance agreement. However, if the Neighborl value was - ~ outside of the Narrow Tolerance range, then a test will be made to deterrnine if this value is - at least within a Wide Tolerance value (block 1134). The Wide Tolerance value is a suitably less, strict value, such as a value which is double that of the Narrow Tolerance value.~ As will - 30 be seen below, the Narrow Tolerance value test is used to initially qualify an input channel for ~- ~ arbitration, referred to herein as being 'in service-. In contrast, the Wide Tolerance test is used to perrnit a previously qualified input channel to remain in service. Assuming that the ~ME- value and the Neighbor1 value are sufficiently in agreement, then the Wide Tolerance i ~ bit will be set (block 1136). Regardless of outcome of this decision, the program will then 35 proceed to test the Neighbor2 value in the same way that the Neighborl value was tested (for example, diamonds 1138-1142), assuming that the Neighbor2 analog input circuit board was W093/~0488 PCI/US93/0'2~3 ~ 3 ~!L 6 2 inserted. Then, assuming that both the Neighbor1 and Neighbor2 analog input circuit boards ~; were inser~ed and the necessary Neighbor to Neighbor communication messages were received, then the analog input values from these two circuits will be subjected to t~e Narrow Tolerance and Wide Tolerance value tests (for example, diamonds 1144-1148). The ME, Neighborl and NeighboR values will then be converted to Left, Middle and Right values for sof~ware arbitration purposes (block 1150).
Next, a set of ~in service- test routines is provided for each of the Left, Middle and Right analog input values, as indicated by blocks 1152-1156. Each of these routines are used to determine whether these values should remain in service. The significance of the ~in service designation is that a value must first be judged to be in service before it may be used in the primary arbitration routine. Figure 1 8E provides a fiow chart for the block 1152, Figure 18F provides a flow chart for the block 1154 and Figure 18G provides a flow chart for the block 1156. Due to the similarity between these three flow charts, only the flow chart 1152 for the Left analog input value will be discussed.
As will be seen from the flow chart 1152 of Figure 1 8E, the program starts off with an assumption that the ~In-Service^ b'~ for the Left input value is already set. However, if the Famiiy-Type code for the Left input value is wrong (diamond 1158), then the In~ervice bit wili be cleared (block 1160). Assuming that the Family-Type code is correct, then the program will check to see H the In~ervice b'lt for the Left input value is presently set (diamond 1162). Assuming that the In~ervice bit is set, then the In~ervice bit for the Middle input value will be checked (diarnond 1164). Assuming that the In~ervice bit for the Middle input value is set, then the program will check to see if the L-M Wide Tolerance bit was set (diamond -, 1166). If the Wide Tolerance test was satisfied, then the Left In~ervice bit will remain set.
;, Otherwise, the Right input value will be tested in the same way, as indicated by diamonds ~ 25 1168-1170. If the L-R Wide Tolerance bit was not set, then the M-R Wide Tolerance bit will ,, be examined (diamond 1172). If the series of tests represented by diamonds 1166-1172 all fail, then the Left In~ervice bit will be cleared (block 1160).
After the in service' designation has been tested for each of the Left, Middle and Right values, then the flow chart 1100 of Figure 18B proceeds to block 1014. In this regard, it should be noted that block 1014 references the same flow chart as that shown in Figure 17B for digital inputs. Accordingly, it should be appreciated that the process of determining whether the process control computer 14 has requested a Low input value in the event of a default condition is the same for both digital inputs and analog inputs.
~ The analog input arbitration process then proceeds to the primary selection '.~ 35 routine, which is indicated by block 1174 in Figure 1 8B. The flow chart represented by block 1174 is collectively shown in Figures 18H-18J. The program will first check to see if any of ~J

, ,~

W093/20488 21311~G PCI/US93/0~l53 ~

the Left, Middle or Right values are in service (for example, diamonds 1176-1180 in Figure 1 8H
and ~amonds 1~ 82-1184 in Figure 181). If none of these values are in service for the analog input channel being processed, then the controller performing the arbitration will select its own value (black 1186) and the Arbitration Failure bit will be set (block 1188). However, if both the 5 Left and Middle values were found to be in service (from their reSpeCtNe In Service bit settings), then these h~o values would be subjected to the Wide Tolerance value test (diamond 1190). Assuming that the Left and Middle valu~s were in sufficient agreement, then the Left value would be se~ected (block 1192).
Importantly, block 1192 also indicates that a value labeled 'Difference~ is 10 added to or subtracted from the Left value selected. The summation of the value selected with the Difference value is used to avoid a process bump in the event of a failure, as i explained below. If the Left analog input value was selected during the last process cycle, then the Difference value will be zero and the Left value from the present process cycle will be sent to the process control computer 1~ without modification. However, if the Left value :
15 was found to be out of se!vice during the present cycle, and the Middle value was selected . for transmission to the process control cempu~er 14 (for example, block 1194 in Figure 181), i, the Difference vaiue provides an offser that may be added to or subtracted from the Middle value before transmission of the resulting value to the process control computer 14.
Thus, assuming for example that the Left in service value for the last process ` 20 control cycle was 10.00 ma and the Middle in selvice value was 10.05 in the same process cycle, then a valid of 10.00 ma would still be transmitted to the process control computer 14.
~,~; However, if the Left value in the next process cor~rol cycle was unavailable and the Middle ~ in service value was selected for this cycle, then the 0.05 Dfflerence value from the last : process control cycle would be subtracted from the present Middle in service value by the 25 controller performing the arbitraSion. In other words, if the present Middle in service value was 10.12, ~hen 0.05 from this amount and the analog input value for this channel would be ~ A; ~ transmitted to the process control computer 14 as 10.07 ma. As each of the controllers 92-96 ; perform the arbitration process shown in Figures 1 8H-1 8J, it should be understood that these ' ! ~ Corlltrollers will know the specific Difference value that should be added or subtracted from the 30 present Middle in service value selected prior to transmission of this analog input value to the process control computer 14. Alternativety, it should be appreciated that the Difference value could be transmitted to the process control computer 14 to permit interpretation of the analog input values to be made by the process control computer.
Even though the Left value has been selected, the arbitration process does 35 not end at this point. As illustrated by diamond 1196, the program proceeds to detem ine i~
the Right value is currently in service. Assuming that the Right value is in service, then the ''"' .!

~i, W0 93/20488 rCl /us93/022s3 ~ ,, .

~,33~56 64 .~
Wide Tolerance test is checked Sor both the Left-Uight and Right-Middle value combinations (diamonds 1198-1200). If either of these tests fail, then the appropriate compare bit could be set, such as the specific R-M compare bit (block 1202). In this way, the process control computer 14 could ultimately be apprised of disagreements between in service analog input s values. The number of these disagreemerlts may be counted to enable a sultable response to be taken in the event of a continued disagreement, such as alerting an operator or even shu~ting down an aHected controller 100 in the appropriate circumstances.
In the event that one of the three analog input values are not in service, such as the Middle value, then the program will proceed to a comparison be~ween the h~o ~0 remaining in service values (for exarnple, block 1204~. If these two in service values are in Wide Tolerance disagreement, then the Ar~itration Failure bit will be set (block 1206).
Additionally, block 1206 indicates that the specKic compare bit affected could also be set. If this disagreement represents a new failure (block 1208), then the arbitratiorl analog input Yalue for the Last process control cycle will be sent to the process control computer 14 (block 1210). However, If this failure was present in the immediately preceding process control cycle, then the program will Ch2ck to see if the process control computer S 4 has requested a ~ow default value (diamond 1212). In either event, the program will test to see which one of the two in service values is greater than the other (diamonds 1214-1216). If the Low value was requested, then blocks 121 8-1Z0 indicate that the lower value of the two in service values will be sent. Similarly, blocks 1220-1222 indicate that the higher of the two in service values will be sent when the Select-Low bit for this analog input has not been set. In any event, it should be appreciated from blocks 1218-122~ that the Dfflerence value may also be factored in during the arbitration process or it could be sent to the process control computer 14 along with the analog input value selected. As the remaining portions of Figures 181-1 8J carry out a similar decision tree ana~sis as that described above for those times in which the Left andlor Middle values are not in service, no further discussion of these flow charts is - necessary.
Refernng again to Figure 1 8B, a block 1224 indicates that a set of Difference j va,lues is calculated for use during the next process control cycle. SpecHically, the difference between the actual value selected and each of the Left, Middle and Right values is calculated and stored. In the event that the Left value was selected, then the Difference value would be zero. However, in the example set forth above, the Dfflerence value for the Left-Middle ~, combination would be 0.0~ ma. A similar Dfflerence value is also calculated for the Left-Right and Middle-Right combinations, assuming that these values were also in service at ~he time.
Next, a set of 'in service- test routines is provided lor each of the Left, Middle and Right analog input values, as indicated by blocks 1226-1230. Each of these routines are ~, ,, 21311~6 I`-WO 93/20488 - PC~/US93/0225~ ~ ~
j~
used to determine whether these values should be put in service for the next process control cycle. Figure 18K provides a flow chart for the block 1 Z6, Figure 18L provides a flow chart for the block 1226 and Figure 18M provides a flow chart for the block 123û. ~ue to the similari~y between these three flow charts, on~ the flow chart 1226 for the Left analog input 5 value will be discussed.
Diamond 1232 indicates that the Left value will simply remain in service if it is already in service. However, in the event that the Left value was found to be out of service, then diamonds 1234-1238 indicate that the Middle and Right values w.ill be checked for their respective in service availabil~y. If both the Middle and P~ight values are in service, each of 10 these values is compared against the Left value to determine R there is Narr~w Tolerance agreement (diamonds 1240-1242). If both Narrow Tolerance tests are successful, then the In-Service bit for the Left value will be set for use in the nex~ process control cycle (block 1244). However, if the Left-Middle Narrow Tolerance test fails and the Left-Right Narrow Tolerance test passes (diamond 1246), then the dfflerence between the Left value and the 15 input sent to the process control computer will be calculated (block 1248). Then, diamond 1250 will test whether the Left-Sent value is less than the Narrow Tolerance threshold. If the Left~;ent value was less than the Narrow Tolerance threshold, then the Left In~ervice bit will be set. OthenNise, the Le/t value will remain out of service.
In the event that the Lef~ and Right values were found to be in service, and 20 the Middle value was out of service, then the Left-Right Narrow Tolerance test need only be passed in order for the Left In~eNice bit to be set (diamond 1252). In the event that none of the Left, Middle or Right values were found to be in service, then the program will check to see if one of the Middle and Right values were at least 'good~ (diamonds 1254-1256). In - this regard, a good value is one where the analog input board was piugged in and a complete 25 neighbor to neighbor message was received. If either the Left-Middle or the Left-Right combinations pass the Narrow Tolerance test (diamonds 1258-1260), then the Left In~ervice bit will be set (e.gl block 1262).
Once this procedure is completed for each of the Left, Middle and Right analog input values, then the flow chart of block 1264 is executed, as shown in Figure 18N.
30 In this regard, the general analog input compare bit 'AIC' will be set if any of the specific analog input compare bits have been set (block 1266). Thus, for example, if the comparison between the LeR and Middle values failed the Wide Tolerance test (diamond 1268), then the AIC bit would be set.
Finally, as indicated by block 1270 in Figure 18B, the arbitrated analog input 3~ value is stored in a data table which will be transmitted to the process control computer 14.
Then, the program will proceed to arbitrate the next analog input channel in a loop which is ~ W O 93/2048X P ~ /US93/07'53 3~6 6 6 indicated by ellipse 1272. This Al loop will be repeated until all of the analog input channels are arbitrated for the first set of redundant analog input çircuit boards. Then, the entire arbitration process will be repeated until all of the analog input channels have been ~arbitrated (~or example, 4 sets of 5 analog input channels being arbitrated at a time). I
Referring now to Figures 180-1 8T, the process of arbitrating analog outputs will now be described. Figure 180 shows an overall flow chart 1274 for the analog outp ut ;~ process. As flow chart 1274 follows the analysis employed by the flow chart 1068 of Fi gure 1 7E for digîtal outputs, the flow chart 1274 needs only to be briefly discussed. For example, it should be noted that the ~Oetermine Fail~afelFail-Last block 1070 is the same for b oth digltal and analog outputs. The substantive d~ference between the analog and digital o verall flow charts is ultimately contained in the ~Determine which Output to Use' block 1276 and the ~Set/Clear AOC bit- block 1278. Figures 1 8P-1 ~S illustrate the flow chart for block 1276, while Figure 18T illustrates the flow chart for block 1278.
Referring first to Figures 18P-18S, the flow chart 1276 is shownto generally follow the analysis discussed above for selecting digital outputs (flow chart l072 of Figure 17G). However, instead of matching digital output values, valid pairs of analog output s are compared relative to an Output Tolerance value. Specifically, the dfflerence between t wo analog output values is calculated (for example, block 1280), and then a determination is rnade as to whether this dfflerence is beyond the Output Tolerance value (for example, block 128~). The Output 'rolerance value is preferably selected to be 0.1% of full scale.
If the Output Tolerance test is successful, then the Leftmost value is selected (for example, block 1284). However, H the Output Tolerance test fails~ then the specific Disagreement bit will be set and the general Negotiation failure bit 'AOAF' will be set (block 1286). The program will then proceed to determine if a Fail-Last request has been made by the process control computer 14 (diamond 1288). If the Fail-Last request has not been made, then the lowest of the two valid analog output values will be sent to the field (diamond 1290).
This lowest of the two valid analog output values provides a Fail~afe selection for the analog output channel.
In the event that a Fail-Last value was requested by the process control `' 30 ~ computer 14, then the program will proceed to find out which of the two valid analog output values wa~ closest to the last arbitrated value. For example~ as block 1292 indicates~ the difference between the Right analog output value and the Last arbitrated output value will be calculated. Similarly~ block 1294 indicates that the d'~ference between the Left analog output value and the Last arbitrated output value will be calculated. Then, diamond 1296 will ~; 35 eompare these two value differences and the lowest dfflerence will be used to pick the Left or Right value as the case may be.
~ ~, ~i ;

p W 0 93/20488 213ll56 PC~r/US93/OZ253 Finally, the flow chart 1278 of Figure 18T is used to set or clear the general analog output compare blt ~AOC~. In this regard, the diamonds 1298-1302 and block 1304 indicate that the AOC bit will be set if any specific comparison bits were found t~ be set.
Otherwise, the AOC bit will be cleared if no disagreements have been found (block 1306).
S It should also be noted that the analog output track 'AOr values and the digital output track ~DOr values may be arbitrated in a similar manner to that described in connection with the arbitration of analog output and digital output values described herein.
Indeed, even the clock signal received by the controllers 92 and 96 may be arbitrated as well in a similar manner. In this regard, the clock signal arbitration preferably follows the analysis set forth in ~igure 17C to determine which clock signal should be selected.
Referring to Figures 19A-19M, a set of flow charts is shown to illustrate the method non-intrusively testing the digital output circuits 50û-504 according to the present invention. This testing method includes both passive and active testing procedures. Figures 1 9A-1 9C combine to provide an overall flow chart 1400 for the non-intrusive testing process.
As indicated by blocks 1402-1406 and diamonds 1408-1416, a series of health checks are made before any testing of the digital output circuits is permitted. In this regard, no errors must be found from the immediately preceding process cycle for the digital output circuit to ~- ~ be tested, and the controller 100 conducting the test must be able to communicate with its neighboring controllers. In the event that any of the conditions represented by diamonds 1408-1416 are not met, then the continuation of flow chart 1400 in Figure 19B indicates that the appropriate error codes are set.
Assuming that the digital output circuit is permitted to be tested, then diamond1418 indicates that the digital output circuits for the neighboring controllers will be checked for errors. If any errors are found, then the passive testing procedure of block 1420 will be bypassed. Figures 19D-19E combine to provide the flow chart for the passive testing procedure. While the passive testing procedure could be conducted on the digital output circuit of only one of the controllers 9296 at a given time, it should be appreciated that each of the controllers 92-96 could conduct the passive testing procedure simultaneousty. This is because active cooperation between neighboring cQntrollers is not required during the passive testing procedure.
As indicated by block 1422, po~gons 1424-1426 and diamond 1428, the passive test will begin with Channel 1, and then loop through all ten channels if no errors are encountered. Diamond 1430 indicates that the program will detect whether or not the channel being tested has changed states. If the channel has changed states, then the program will proceed to test the next channel. However, during the initial pass through the loop, the answer will be no, and the test and track voltages will be read (blocks 1432-143'~)~
,, J~ ~

WO 93/204X8 PCI`/US93/0'253 ~`:

' ! ~` `
S 6 6 ~
f Diamond 1436 indicates that the controller 100 will determine whether the channel being tested is On or Off trom the arbitrated command value. If the channel is commanded On, the controller will check to see that the test voltage (for example~ TEST~
was greater than a predetermined threshold level (for example, 19 volts). If the test voltage 5was greater than this level, then this portion of the test will have been successfully passed, and program will loop back to test the next channel through the Ol~ polygon 1440. If the test vol~age was too low, then the appropriate errors codes will be set, as a number of different errors could have occurred (for example, a blown fuse or a set switch open). Once an error is detected, the passive test is ended in this embodiment. However, it should be appreciated 10that the other channels could be subjected to passive testing in the appropriate application.
If the channel is commanded to be in an Off condition, then the controller 100 will check to see ~ the test voltage is greater than a predetermined Low test level (for example, 350 milli-volts) through diamond 1446. If the test voltage is below this level, then an open fuse condition will be detected for the fuse in the abort circuit under examination (for example, fuse 15DF1 of Figure 11A), and the appropriate error code will be se~. Assuming that the test voltage exceeds the predetermined Low test level, then the controller 100 will check to see ~ the track voltage is below a Low track level (for exarnple, 4.4 volts) through diamond 1448. If the track voltage is above this Low level, then the controller 100 checks to see if the track voltage is less than a predetermined high track voltags (for example 14.4 volts) through diamond 14~0.
20If the track voltage is above this I ligh leval, then an error is present. However, the exact source of the error cannot be determined, so the test is continued with another channel. In this regard, the active testing procedure to be described below will need to be employed to help identffy the source of the error.
In the event that the track voltage is below the Low voltage level, then further25checks are performed in order to determine if there, nevertheless, is still an error that could be detected. In other words, the track voltage should be below the predetermined Low level when the channel is off, but there still may be a hidden problem that could be uncovered.
In this regard, the test voltage will be examined to see if there is an error related to the diode .~ 524 of the abort circuit (diamond 1452). If the test voltage is greater than a predetermined 30High test voltage (for example, 15~8 volts), then an open diode condition will be determined by the controller, and the appropriate error codes will be set (block 1454). In this regard, it .~# should be noted that these error codes may be used by the controller 100 to request an abort ~,~ of the channel by its neighboring controllers. Additionally, the controller which is conducting ~;j the test may also signal the presence of an error in its digital output circuit to the process .j 35control computer 14 in the next message sent to the process control computer. The process ,f. control computer 14 could also request that the field computer unit 12 transmit specific error .;
., ,, ~,;
;,,~

~ ` W 0 93t204~8 PC~r/US93/02~3 ::~` 69 ~:
` code or status bits for analysis through a health and ~veifare process. In this regard, it should be noted that the process control computer 14 could be connected ~o another computer which would perform the heatth and welfare anaiysis.
If the test voltage was found to be less than its predetermined high voltage S level, then the controller 100 will test for the presence of a voltage drop across the diode 524 by~ comparing the test and track voltages (diamond 1456). If a voltage drop was not found, , ~ then the controller 100 will determine the presence of a shorted diode condition, and set the appropriate~error code,~block 1458). If a voltage drop was found, then the controller 100 will check~to see if the track voltage is below a predetermined Minimum level (for example, 240 10 ~ ~ milli-volts)~through dlamond 1459. If the track voitage is below this Minimum level, then the controller ~1 00~will determine~that the passive test was successful for this channel. If the track voltage~is~above the~mmimum level~ then the conlroller 1oo will determine that an error in the field has occurred, and the appropriate error code will be sent (block 1460). It should be understood that each of the High, Low an'd Minimum threshold values are determined by,the 15~ +26~voit power~suppiy level and the resistance values set forthe resistors RP1, RP3 and RP7 in the-abort circuit 510~shown in~Figure 11A.
From the~a~ove discussion, it should be appreciated that the controller,100 ` is~able~t,o~passively test each of~the channels of its digital output board, in that none of the dlgltal~output channéls~have to~ be lntentionalb set on or ofl as part of ~the test procedure. In 20,, this, regard,~ block~ 1462 of ~Figuré~ 1~9A points out that the controller 100 must reserve a certain p~erio~d~of~ In' i lo,pa Ne dete t and analyze the~functioning of ns digital output circu~it`through~t~he~test and Irzk~signals~ Additionally, it should be appreciated that the passlv,eitest~àccordlng~to the present' invention also has the capabili~ to determine the type devlce~in~ be,ercountered, inciuding an error as ocialed with the output controtRefèrring specifical~ to~Figure 19B, ~he controller 100 will wait until the time" 'has,~pire f ~ ~th ~ ~e~t ting~pr edure (for example, 10 milli seconds) beforeproc`eeding to~the active test procedur,e (block 1464). A decision is then made as to which se~of the~controllers 92-96 will conduct the active test procedure. In one form of the present 30~ invention,~ it Is preferred ~that a d'~fereri controller 9Z-96 undergo active testing each process , contral~cycle. ~ This ~is accomplished by ~ dividing the second' clock value of the pracess c ontro!~ computer t4 by the number ot controllers contained in the field camputer unit 12 (that i is, 3), as shown in block 1466. Tl~e remainder is used to deterrnine which cantraller will unde~rgo active testing. For example, at a reading of 12 seconds, the remainder value is 0.
3s~ ;Therefore, as indicated by diamond 1468, the Left controller 9;2 will ~onduct the active test procèdure (polygon 1470) during this process cantroi cycle. Additionally, the result of WO 93/204~X PCI`/US93/02253 ~-2~3~S6 70 diamond 146~ indicates that the other two controllers 94-96 will enter a listening mode (polygons 1 472-1 473).
Figures 1 9F-1 9G combine to provide an overall flow chart 1470 for ~he active test procedure. In this regard, the first channel of the Left controller 92 will be used to illustrate the operation of the active test procedure. Assuming that the digital output circuit board 5~0 for the controller 92 is in place and no errors are found on any of the digital output circuits 500-504 (diamonds 1474-1482), then the block 1482 indicates that one of the digital output channels will be seiected for the active test procedure. In this particular embodiment, only one of the digltal output channels will be tested during a single process control cycle.
Accordingly, it should be appreciated that it will take 30 seconds to activeiy test all 10 of the digital output channels in the digital output circuits 500-504, where the process control cycle is set for a period of 1 second. In the event that the state of the channel in line for testing has not changed (diamond 1484) and a field error has not been found from passive testing of this channel (diamond 1486), then a determination will be made as to whether this channel is On or Off (diamond 148~). If the channel is Off, then the active-Off test will be performed (polygon 1490). Conversely, If the channel is On, then the active-On test will be pelformed (polygon 149~).
The flow chart 1490 for the active-Off test is shown in Figure 19H. As illustrated by flow chart 1490, the active-Off test is comprised of a series of three separate tests (biocks 1494-1498), which will all be completed assuming that no errors are found. In the first test (block 1494), the SET DODC-1 signal will be set High by the controller 92 in order to turn on the transistor 516 of Figure 11A. While not specHically stated in block 1494, the transistors 518-520 will both be off, as the abort switches are programmed to open automatisally when the channel is Off. Accordingly, the conduction of transistor 516 will not cause the abort circuit 510 to drrle the field device 508. As the resistor is shorted across the conducting transistor 516, the TEST-1 voltage signal should rise by an amount determined - by the resistance divider network in the abort circuit 510. Accordingly, as indicated by block 1494, the controller 92 will check to see that a su~ficient voltage increase (delta-test) was achieved, and that the TEST-1 voltage stays below its maximum allowable value. If this test was unsuccessful, then an Active Test Error bit will be set. Regardless of the outcome, the SET_DODC-1 signal will be toggled back to its off state. Diamond 1500 indicates that the ~, controller 100 will check to see if the Active E~rror bit was set, and if it was, then program flow will be turned over to the active error procedure 1502 of Figure 19F.
,.; Assuming that no errors were encountered, then the second active-Off test will be performed (block 1496). Under this test, the controller 100 will request that its neighborl controller (for example, controller 94) set the ABORT1-1 signal High in order to turn ~,, !~

; w o 93/204g8 PC~r/US93/0~.53 l```
~ ~ ~ 3 1 1 ~ 6 ~i `

i .
on transistor 518. However, as the SET DODC-1 signal will remain Low, the abort circuit 510 will not be able to drive the field device 508. Nevertheless, ~he TEST-1 signal voltage should rise, as resistor RP3 is effective~ shorted by the conducting transistor 518. The controller 100 will check to see if the appropriate vo~age level increase was achieved, and set the Active 5 Test Error bit ~ this increase was not achieved. The controller 92 will then request its i, neighboring controller to ~oggle the A~OP~T1-1 signal back to a Low state. Diamond 1 5W
indicates that the controller 92 will ~hen check to see if this message was received via the Communication Error bit.
Assuming that no errors were encountered, then the third active-Off test will be perFormed (1498). This test is the mirror image of the second active-Off test, except that the ABORT2-1 signal will be toggled by the remaining neighboring controller (for example, controller g6). If no errors were encountered, then program control will loop back to the flow chart of Figure 1 9G in order to ~est the next digital output channel in the next process control cycle (polygon 1506).
Turning to Figures 1 gl-1 9J, the flow chart for the active-On test 1492 is shown.
T~le active-On test is comprised of a series of five test procedures (blocks 1508-1516). In test block 1508, the SET DODC-1 signal is set Low, while the ABORT1-1 and ABORT2-1 signal remain High. Accordingly, the controller 92 checks to see that the TEST-1 voltage level drops by the delta-voltage amount. The SET DODC-1 signal is then toggled back to its High state.
In test block 1510, the ABORT1-1 signal is toggled Low (through a request to the neighbor1 controller), while both of the ABORT2-1 and SET DODC-1 signals are High. Accordingly, the controller 92 checks to see that the TEST-1 signal has not experienced a voltage drop. If a voltage drop is found, then a failure has occurred relative to the transistor 520, the opto-isolator DU3 or the ABORT2-1 signal, as a properly conducting transistor 520 would cause the TEST-1 signal to maintain its voltage level. The third aaive-On test (block 1512) repeats the second active-On test, except that the ABORTZ-1 signal will be toggled Low.
In the fourth active-On test (block 1514), the cor)troller 92 requests both of its neighboring controllers 94-96 to set the ABO~T1-1 and A80RT2-1 signals low. Then, the ; j controller g2 will check to see that TEST-1 signal voltage drops by the predetermined delta-.~ 30 voltage value. During this time, the other two controllers 9496 will continue to drive the field device. Finally, in the ffflh active-On test, the controller 92 will request its neighboring '~-;'; controllers 94-96 to switch their SET DODC-1 signals Low forthe channel being tested. When this happens, it should be understood that the abort circuit 510 alone will be driving the tield device 508. Accordingly, the controiler 92 will check to see that the TEST-1 voltage level does not drop, in order to make sure that the abort circuit 510 is capable of driving the field device 510 by itseH it necessary. Additionally, the presence of a voltage drop across the diode 524 ~, 7~';"

~'''rr .

i;,:.j .
W O 93/204~ PC~r/US93/02253 ~ .

~,~3~\6 72 ` ~

will also be checked for, in order to be certain that the diode is functioning properly.
Assuming no errors were found, then program control will be passed to the no error procedure 1506, which wil! set up the next channel to test (block 15183.
During ~he actNe-Off and active-On tests, it should be understood that the neighboring controllers 94-96 need to cooperate with the controller 92 by acting on the requests to change their ABORT1-1, A~ORT2-1 and SET D3DC-1 signals. This cooperation is achieved through the listening mode procedure 1472 shown in Figures 1 9K-1 9M. As these neighbor to neighbor communications are outside of the input and output data exchanges which are performed at speG~ic simes once each process control cycle, the successive ~; 10 approximation digital to analog converter circuit shown in Figures 6J-6K must be set up at each of the controllers 94-96 to receive signal change requests from the controller 92 (block 1520). An internal timer will then be set up by each of the controllers 9~-96 within which signal change requests or commands must be received (block 1522). If the appropriate commands are not receNed in this time (diamond 1524), then the get out procedure 1526 of Figure 19~ will be performed.
Diamonds 1528-1530 indicate that the controller 92 may signal Ihe controllers 94-96 to end the active test process. If the command received was not an end test command, the neighboring controllers 94-96 will check to see ~ any errors were encountered on their respective digital output circuits 502-504 during passive testing (block 1532). If any error was encountered, then the neighboring controller detecting its own error will signal back to the controller g2 that it cannot execute the requested command (1534), and set the amount of time that ~t expects a further message from the controller 92 (block 1536). As the existence of any board error will terminate active testing, the controller 92 will preferably respond with the end test command. In such a case, the Error code representing the type of error will be ~5 stored, as will an identification as to which channel the error was detected during passive testing (block 1534).
Assuming that no errors were found, then the neighboring corltrollers 9~96 will deterrnine whether the contro~ler g2 has requested a specffic change in the A30RT signal (diamonds 1540-1542) or a change in the SET signal (diamond 1544). For example, in the case of the ~Abort On~ command, then the neighboring controllers 9496 will extract the channel to be affected from the command message (block 1546), and check to see if there j~ is a field error (diamond 1548). Assuming that an error has not been detected for the field !,~ device 508 of the channel being tested, then each of the controllers 9~96 will check to see ~ the channel is On (diamond 15~0). If the channel is On, then the abort transistor (for ~. 35 example, transistor 518) will already be on. Accordingly, the controller receNing an Abort On ,~ command at this juncture will deterrnine that a bad message has been received (polygon .~
....

,,.

W0 93/~0488 ~ 1 3 1 1 ~ ~ PCI/US93/02~53 :

1552), and send a reply message to the controller 92 that this command cannot be executed (block 1 536). However, assuming that the channel was Off, then the controllers 94-96 will determine which abort switch has been commanded to be changed to an Off state (block 1554). Then, the Reset Wait routine 1556 of Figure 19M will be perlorrned.
The Reset Wait routine 1556 of Figure 19M begins with the neighboring controllers 94-96 sending a reply message ~o the controller 92 which echoes back the command received (block 1558). This echoing procedure enables the controller 92 to know thet ~s message was proper~ received. Then, the cor~roilers 94-96 will turn On or Off the specific switch commanded by the controller 92 (block 1560), and set a timer to permit an automatic toggling back of this swltch to its previous state (block 1562). If a toggle-back message from the controller 92 is not received before the timer reaches zero (or the predetermined time out value), then the affected neighboring controller will automatically toggle this switch back to its previous state (block 1564). Otherwise, the controllers 94-96 will reset their respectiYe switches (block 1566), and reply with an echo message to the controller 92 (block 1568). Ultimately, as shown in Figure 19G, the controller 92 will send a message to its neighboring controllers to end the active testing procedure (blocks 1570-1572).
As indicated above, each of the analog output circu~s 600 604 enable tests to be conducted of their abort and drive capabifities. These tests are considered to be non-intrusive, because they will not disturb the analog output values being supplied to the field.
The non-intrusive testing will be conducted on all 5 channels of one analog output circuit 600-604 at a time, and such testing preferably takes place only when all of the controllers 92-96 and their respect~ve analog output circuits are fuliy functioning. While one analog output circuit is undergoing this non-intrusive testing, at least one of the other two neighboring analog output circuits will generate the electrical current necessary to maintain ~he desired output power to the field.
Figures 20A-20V provide a set of flow charts for the software on the controllers~- 92-96 which makes abort determinations and directs the non-intrus~e testing of the analog output circuits 600-604 according to the present invention. In this regard, Figure 20A shows an overall or main flow chart 1600 for this controller software. For ease of description, 30 operations represented by this software will be discussed using controller 92 as the example.
However, It should be appreciated that these operations are perfommed concurrently by each ,~j of the controllers 92-96. Block ~i 602 indicates the necessary data for abort decisions and non-intrusive testing is copied from the extemal RAM memory (U42 of Figure 6A) to the intemal .i RAM of the controller's microprocessor (U40 of Figure 6A). Then, the controller 92 will :~; 35 sequentiaily perform a set of routines, as indicated by the broken-line blocks 1604-1612. The Calculate i~ieeded Aborts routine 16~4 is shown in Figures 20B-20L The Choose and Set Up .,, ~, :, , ~, :;
. . .

WO ~?3/~!0488 PCI`/US93/0~253 ~:
, : ~, `.
~ 3 ~ 7 4 the Non-lntrusive ( NI') Test routine 1606 is shown in Figures 20M-20P. The Communicate to the Smart Analog Output (~SAO~) Board routine 1608 is shown in Figures 20Q-20S. The Handle Errors rou~ine 1610 is shown in Figures 20T-20U. The Send Abort Positions to the Hardware routine 1612 is shown in Figure 20V. Once all of these routines are completed, then the necessary status bytes needed by the Process Information ( PI-) system are created (block 1614). Final~, the IRAM data is copied back to the XRAM (block 1616).
Referring to Figures 20B-20L a set of flow charts for the Calculated Needed Aborts routine 1604 is shown. In this regard, Figure 20B provides an overall flow chart for this routine. Block ~ 618 indicates that the data transferred from the N1 and N2 output 10 communications will first be examined to see if there are any hardware abort disagreements.
A hardware abort disagreement arises when the ME controller 92 has aborted a particular channel and neither of the neighboring controllers N1-N2 have done the same. If this condition exists, the disagreeing abort switch will be closed~ In any event, any abort request from a neighboring controller is honored by opening the abort switch for the chanr!el of the 15 SAO identified by the request data (block 1620). The controller 92 will then clear out the abort requests and start to process its own independent abort determinations for the next process controt cycle (block 1622).
Diamonds 1624-1626 are used to determine if e'~her of the neighboring SAO
boards were replaced, and if so, then blocks 1628-1630 indicate that the abort switches for 20 a replaced SAO will be closed in order to permit it to operate. Next, the controller 92 will check to see 'if 'Its SAO board sent a communication during the last process control cycle (diamond 1632). If a communica~ion was not sent or a problem was reported, then a flag will be set to indicate that this SAO board is considered ^dead' (block 1634). A similar procedure is then performed for both of the neighboring SAO boards through the messages provided 25 from the controllers 94-96 (diamonds 163~1638). Then, in the event that both of the neighboring controllers 94-96 failed to communicate with the controller 92, then no abort switches will be ~pened by the controller 92 at this point (diamond 1640). This is to permit , the outputs determined by the Fail Safe/L~t mechanism to reach the field even though none '5 , of the controllers 92-96 are able to communicate w'lth each other.
Assuming that the controller 92 is able to communicate with at least one of i~ its neighbors, then the Open Needed Aborts routine 1642 will be performed. The Open - t`
-'i Needed Aborts routine 1642 is shown in Figures 20C-20J. The controller 9Z will then perform ,`
~ the Handle Abort Disagreements routine 1644 ot Figure 20K Final~y, the controller 92 will perform the Clean Up from the Aborts routine 1646 of Figure 20L
~ 35 Referring to Figures 20C-20J, the Open Needed Aborts 1642 routine will now '7. be discussed. Diamond 1648 indicates that an initial check is made as to whether the SAO
,,, .~ .
. ., . ~, .

W~ 93/2048~ PCI /US93/022~3 !~-2 1 3 ~ 1 5 t~

board for the controlier 92 was flagged as being dead. If this SAO board is considered alive or operational, then program control will jump to point A~ on Figure 20E. However, even if this SAO board is considered dead, the controller 97 will still set up to process abortdecisions for all five analog output channels, and point to the first of these channels (block 1650).
Diamonds 1652-1656 indicate that a check will be made to see if either of the neighboring SAO boards were Slagged as dead.
Assuming that both of the neighboring SAO boards are operational, then f diamonds 1658-1660 are used to detect for the presence of an ~OOCH ME - 0 flag from each of the neighboring SAO boards, as relayed by the controllers 94-96. The ~OOCH~ term of this status signal stands for ~Out Of Control High~. As indicated above, if any of the SAO
boards detect more power going to the field than there should be (for example, more than 2%
of the maximum allowable value), then any SAO board detecting such an occurrence will attempt to ramp itse~ down to zero~ If it is able to ramp itself out of the contribution of power being transmrtted to the field (that is, ME = 0) and the OOCH condi~ion still exists, then it will set the Out Of Control High ME = 0 flag for communication to neighboring controllers through a message from its own controller. Thus, for example, if the ~`11 OOCH ME = 0 signal is received by the controller 92, and the 'N2 OOCH ME = 0' flag is not set, then block 1662 indicates that the controller 92 will open the abort switch for the first channel on the controller designated as N2 ffor exampls, controller 96). This action is taken because it is clear at this point that the SAO board for the controller designated as N1 (for example, controller 94) is not the source of the problem. However, if both the 'N1 OOCH ME = 0' and 'N2 OOCH ME
= 0^ signals were received by the controller 92, then a flag will be set to indicate to the process control computer 14 that uncontrolled power is being transmitted to the field for this analog ou~put channel (block 1664).
In the event !hat the answer to diamond 1652 is YES and the answer to diamond 1654 is NO, then the controller 92 will look for the ~N2 OOCH ME = 0- flag (diamond 1666). If this signal is present, then the controller 92 will set the uncontrolled power to the field flag (block 1668). Additionally, as extra measure, the controller 92 will re-open the abort switch for this channel of the SAO board for the controller designated as N1. This is because (although the abort switch should have been opened) it could nevertheless be possible that -i the N1 SAO board could erroneously be sending too much powsr to the field, even though j~, the N1 controller could not communicate with the controller 92, and the N2 SAO appears to ,i be able to drive the load. Diamond 1670 and block 1672 indicate that this procedure is followed in the event that the N1 SAO is functioning properly and the N2 SAO board is ~ 35 considered dead (or its controller did not communicate with controller 92 in this process " control cycle). In the event that diamonds 1652 and 1654 are both answered YES, then this , .
;

~,~,3~ 76 channel's Triple Abort flag will be cleared (block 1674). This flag is used to enable all abort switches to be closed in order to prevent a total loss of power to the field.
Figure 20D shows that this process is continued and repeated until all of the five analog channels have been processed. Additionally, Figures 20E~ combine to 5 demonstrate that this process is performed in a similar manner when the SAO board for the controller 92 is func~ional and the neighboring SAO boards may or may not be functional.
Thus, for example, diamond 1676 indicates that the controller 92 will test for the presence of its own OOCH ME = 0 flag when its neighbors have failed to communicate or their SAO
boards are considered dead. In this example, block 1678 indicates that the proper amount 10 of power is being transmmed to the field for the SAO board for controller 92 has not ramped itse~ down to a non-contribution level (for example, a zero outpul). In contrast, r~ this SAO has ramped itself out, then the uncontroiled power to the field flag will be set and the N1 and N2 abort swi~ches for this channel will be opened by the controller 92 to assure that they are outputting no power (block 1680).
,~ 15 Additionally, it should be noted that a YES answer to diamond 1682 in Figure 20F indicates that the neighboring controllers 94-96 will independently handle the necessary abort decisions (fo~ example, open the abort switches for SAO board of controller 92), if such action is warranted by the process described above. Furtherrnore, a NO answer to diamond 1684 of Figure 20J shows that the Safe Disagreerrlent flag will be set (block 1686). This is a 20 situation where all of the SAO boards are functioning, communication has been received from .- both the N1 and N2 controllers, the SAO board for controller 92 has set the ^OOCH ME = 0~, and the other two SAO boards have not set their respective 'OOCH ME = 0' flags. In this ~; situation, the Safe Disagreement flag is set because the three SAO boards are functioning, !, SO it iS possible to employ majority decision making to determine whether an abort should be .~
2~ opened. The Safe Disagreement flag is used to indicate to the Abort Disagreement routine of Figure 20K that a problem has occurred. However, if the answer to diamond 1684 is YES, then the cor(troller 92 will open the N1 abort switch for this channel (block 1688)~ This is because two SAO boards (ME and N2) have independently noticed the output to the field was too high and independently pulled their outputs down to a non-contribution level, but the SAO
30 boardforthe N1 controller has not.
Referring to Figure 20K, a flow chart for the Handle Abort Disagreements routine 1644 of Figure 20B is shown. This routine examines a counter which is set up for each analog output channel to record the number of Safe Disagreements between this ,~ .
t controller's SAO board 'OOCH ME = 0- flag and the other two functioning SAO boards. If this dJ 35 count gets too high ffor example, 32 decimal3 on any one of the five analog output channels, then an abort disagreement error flag will be set (block 1690). This error flag will cause the ' ' 'I
, .
, .

W093/20488 PCr/US93/02253 3~156 ~ l~

controller 9Z to sh~ down ns l~wn SA0 board, because the disagreement with the neighboring boards indicates that this board would not be capable of driving the output if it had to (that is, the output would be too low). Diamond 1692 and blocks 1694 1696 indicate that only continuous disagreements will be accumulated to elimina$e undue transient 5 conditions.
Referring to Figure 20L a flow chart for the Clean Up from the Aborts routine 1646 of Figure 20B is shown. This routine is used to respond to a situation where the controller 92 is informed that both of its neighboring control!ers 94-96 have opened the abort switches on one of ~he channels for the SA0 board of the controller 92. If the controller 92 10 had also opened the abort switches on this channel, both of the abort switches for this channel will be closed by the controller 92, so that at least one of neighboring SA0 boards will be able to transmit power to the field (block 1698). If the controller 92 had not opened the aborts on the channel, ~he SAO board would be told to shut down since one of its channels was aboFtsd and the board would have to be removed for repair.
~eferring to Figures 20M-20P, a preferred form of the non-intrusive testing method according to the present invention is shown. In this regard, these fiow charts represent the Choose and Set Up the Nl Test routine 1606 of Figure 20A. Diamond 1700 shows that this testing will only be initiated if the controller conducting the test is able to communicate with both of its neighbors, and at least one of the controllers was able to 20 communicate with the process control computer 14 within the last process cycle. Similarly, diamond 1702 indicates that if any errors were encountered, then the non-intrusive test procedure will be by-passed until such errors are corrected.
As indicated by diamond 1704~ the non-intrusive testing is timed to begin at exact multiples of 5 minutes, according to a ctock signal of the process control computer 14~
25 In this regard, each of the tield computer units 12 will receive a synchronization pulse from both the Left and Right process control computers 14a-14b each second. The controllers 92-96 then adjust their clocks accordingly. The non-intrusive testing then uses that clock to follow a specifically timed schedule. As it takes approximately 1.5 minutes for one of the analog output circuits to complete the testing routine, the 5 minute interval allows sufficient s 30 time to complete non-intrusive testing for all of the analog output circuits 60~604. In this regard, the Tabl~ below identifies the preferred timed operations for the non-intrusive testing.
The ~Displayed rme~ listed on the Table is the time which is visually presented on the debug panel 18 of the process control computers 14a-14b. Each of the test numbers identified in this Table correspond to specific test procedure identified in Figures 20J-20M.

.~ :
.

,..
.

', W093/20488 PCI'/US93/022~3 ~3~6 78 - , f .. . . _ Tlme Di~played Tlme Action 00:00-00:35 00:00-00:23 Le~ Test #1 ¦ -00:36 _ _ 00:24 __ __ Test #2 00:37 00:25 Test ~3 ¦
00 38 00:26 Test #4 ~ , 00:39 _ 00:27 Test #5 00:40 00:28 Test #6 ¦ 00:41 - 01:21 00:29 - 01:15 Test #7 ¦01 22 ~:57 01:16 - 01:39 Middle Test #1 ¦01 :s8 01 :3A Test #2 ¦01:59 01:3B Test #3 ¦02:00 _ ~ 02:00 Test #4 ¦02:01 02:01 _ Test #5 02:02 02:02 Test #6 _ . ~
Oz W -~_ 02:03 - 02:2B Test #7 02:44 - 03:19 02:2C - 03:13 Right Test #1 03:20 _ 03:14 Test #2 03:21 03:15 _ Test #3 - 20 03:22 03:16 Test #4 ,~ I _ _ _ _ ~ 03:23 I ~ Test #5 ~ I .
¦ 03.24 03:18 _ Test #6 03-25 - 04:0~ 03:19 - 04:05 Test #7 I _ - _ ,., , .
2~
While each of these seven tests will discussed below, these tests may be ' identHied as follows. Test #1 may be referred to as the 'Rampdown~ test, as the controller conducting the test (controller 92 in thls example) will slowly reduce its contribution to the analog output current to 0% of the commanded output value. The SAO boards for the N1 and 30 N2 controllers will react by increasing their output current to maintain the proper output upon each reduction. The SAO board for the N1 controller is preferably instnucted to contribute the majority of the output. This operation generally takes several seconds. H a failure is reported during this step, the probable cause of the failure will be due to a shorting of the blocking ~;

, r.' ~ ~ f ~ . : . .

j` WO 93/2048~ 2 1 3 ~ PCr/US93/022~3 ~ 7 9 ,, I
diode 648 (shown on Figure 12C).
Test #2 may be referred to as the ~Generate Test Voltage~ test, as the SAO
5~ board for controller 92 will be instructed to output a voltage which is not large ~nough to -~ affect the curren~ being transmitted to the field. In other words, the test voltage level should be set lower than the threshold of the blocking diude 648 (for example, 400 mV). If a failure is reported during this step, then the probable cause of the failure will be due to the inability of the operational ampli~ier 6û8 to output the desired test voltage level.
.~ Test #3 may be referred to as the ~ME Aborted Test-, as the DN1 and DN2 abort switches will be commanded to be opened. The SAO board for the controller 92 will measure its output on the high side of the ME resistor 618 with respect to ground to determined if in fact the output is zero volts. In this regard, it shouid be noted that in all of these tests, it is preferred that each of the five channels are tested simultaneously.
.~
According~, under Test #3, all of the analog output channels on the SAO board for the controller 92 will be aborted.
Tes~ #4 may be referred to as the ~N2 Abort Switch~ test, as the DN2 abort switch will be closed while the DN1 abort switch is opened. The SAO board for the controller 92 wili then measure its output on the high side of the ME resistor 618 with respect to ground to determine H the abort test voltage (for example, 400 mV) is present at the output for each of its channels.
Test #5 is a test of the deadman circuitry. It begins by repeating Test #3 to assure the aborts DN1 and DN2 have been opened. Then, the deadman circuitry is activated, a voitage is output to detect the actn~ation of the deadman, and then a determination is made whether the deadman was activated. Test #6 is a repeat ot Test ~4, except that the DN2 abort switch is open while the DN1 abort switch Is closed.
Test #7 may be referred to as the ~ME 100% Load~ test, as the SAO board for the controller 92 will ultimately be commanded to drive 100% of the commanded output ~i value to the field. Accordingly, tho DN1 and DN2 abort switches will be closed and the SAO
.,.7 boards for the N1 and N2 controllers will slowly ramp down to 0%. The SAO board for the Gontroller 92 will then measure the output for each channel across the ME resistors 624 to ,~. 30 make sure that the SAO board has the ability to drive the required output value without any -- help from either ot its neighbors.
3i Retuming to Figure 20M, the block 1706 indicates that the test time will be incremented by one second each instance that this procedure is repeated. This time count or value will then be evaluated through a series of diamonds 1708-1724 in view of the fact that ~. 35 the seven tests for each of the three controllers 92-96 follow the time chart set forth in the j~ Table above. Addi~ionally, it should be noted that a two dig~t nomenclature is used in the flow , ,.
J~
J~
7 ~, i WO93/~0488 PCI/US~3/02~53 ~3~6 charts of Figures 20M-20~ ~o ident1y the non-lntrushe ( Nl ) tests ef the present invention.
The first digit refers to the identity of the controller conducting the Nl test, whereas the second digit refers to the specific test number. In this regard, the first digit is either '0', '1-~2' or 'x~
The '0~ digit refers to the ME controller, which is controller 92 in this example. The ~1~ and '2-5 digits refer to the N1 and N2 controllers respectively. The ~ digit is essentially a wild card that could refer to any of the controllers 92-96. Additionally, the ~x~ designation may also be used as wild card for the test number digit as well~
Thus, if the test time is between 0-35 seconds, the controller will allow the extraction of the first test (that is, Test #1), as indicated by the 'x1 nomenclature (block 10 1726). Next the controller conducting the Nl test procedure will then check to see H It is the Left or the Middle controller (diamonds 1728-1730). In this example, the answler to diamond 1728 will be YES, and the program will go to block 1732 of Figure 20P. Block 1732 permits the SAO board for controller 92 to extract a ~Ox' test number, which at this point in the procedure ~x' was previously ide3ntified as Test #1. As this Nl test procedure wil! also be 15 conducted independent~, but concurrently in the other controllers 9496, the program will jump to points ~C~ or ^D~ of Figure 20P, respectively, for each of these controllers. In this regard, it should be appreciated that the points C- and D~ provide entry points for other parts of the NI test program. Thus, for example, the diamonds 1734-1738 are used to direct program flow to dfflerent proc0dures depending upon which test is currently being extracted.
20 In the case of Tests #~#5, ths Right controller 96 must open the abort switches for its neighbor N2 (that is, controller 92), provided that the channels of the controller 92 were able to ramp down as required under Test ~1 (block 1740). In the case of Test #6, the Right controller will close the abort switch for each of the channels on the SAO board for the controller 92 (block 1742).
Finally, block 1744 indicates that the last second's Nl test number and this second's test number will be stored. Then, during the next process control cycle, which in this example is a one second period, the Nl test procedure of Figures 20M-20P will be repeated. In this way, each ot the controllers 92-96 will dire~t the Nl tests parformed on the Sl~O boards. Additionally, it should be appreciated that these controllers will also cooperate with each other by toggling abort switches and ramping downlup as required by the specitic test number being conducted. This cooperation is provided through the time chart set torth above, as each ot the controllers independently perfomms the same test procedure program In other words, it is not necessary for one controller to request or command another controller 3 to take the necessary action. Rather, each of the controllers 92-96 will look at the time and ~ 35 take the appropriate action, unless one of the problem conditions set forth in diamonds 1700-Y., 1702 is detected.

,,~
r ~ WO ~3/204~8 PCl /USg3/OZ2~3 ~`` 81 ... ;
~"; Referring to Figures 20~-20~, the flow chart for the Communicate to the SAO
Board routine 1608 of Figure 20A is shown. This routine is used to facilitate bi-directional ¦ -communication between a controller and its SAO board. In this regard, a first data e~xchange between the controller and its SAO board is referred to as ~Primary~ communication (for 5 example, Nl test directions and output values). Conversely, any subsequent data exchange .*~.
between the SAO board and its controller is referred to as a 'Secondary' communication (for example, track values). Accordingly, Figure 20Q shows two entry points, one for Primary communication (oval 1746) and one for Secondary communication (oval 1748).
Figure 20Q shows several communication set up blocks which are 10 consecutively performed. In this regard, it should be noted that sel up block 1750 provides an initial wake up message to the SAO board, to which the SAO board must respond within a specific tirneout period. If the SAO board responds properly, then data will be exchanged with the SAO board (block 1752). If the validity check failed (for example, an incorrect ~i, checksum~, then the appropriate bad communication flags will be set (blocks 1754-1756).
15 Additionally, all of the analog outp~ track (~Aor) values will be zeroed to prevent old data .. ~ from remaining in the data tables, and thereby prevent a technician from misinterpreting the old data.
Figure 20R indicates the appropriate status information and values will be stored depending on whether the message was a Prima~ or Secondary communication 20 (blocks 1758-1760). Additionally~ diamond 1762 is used to check for any failures in the Non-, Intrus~e testing. The controller, such as controller 92, will respond by setting a flag which will be transm'r~ed to its neighboring controllers to either stop or continue the Nl test procedure (blocks 1764-1766). Regardless of this outcome, a flag will be set for the SAO board of the controller 92 to indicate that any test failure is a false alarm (block 1768). As will be seen ~,,i 25 below, this flag may be cleared during a later part of this procedure.
The controller 92 will then begin to examine the Nl test error counters for eachof the five analog output channels (block 1770). If the Nl test conducted in the last second was not Test #1 or Test #7, then the Nl test counter will be incremented or decremented depending upon whether a test failure was reported by the SAO board (blocks 1772-1774).
'. 30 If a test failure was reported and the test error counter exceeds a predetermined limit ffor example, 30 hex), then a flag will be sent to the neighboring cornrollers to s~op testing and the false alarm flag will be cleared (blocks 1776-1778). In this regard, it should be appreciated that the Nl test procedure will pennit a transient error to be reported before ~: deciding to halt the Nl test procedure.
Figure 20S shows that the controller 92 will again check for a failure of an Nl test (diamond 1780). This is done because the test failure~ flag will be cleared H an Nl test ~: ?

~?'~ ~ .

1.`.

WO 93~20488 P~/USg3/02?53 ,,.',` ':'~
`~; 8 2 ` : ~`
failure occurred, but the test error counter did not exceed the predetermined limit. if such an failure is detected, then the false alarm flag will be cleared and the SAO board for controller 92 will be instructed to shut down (block 1782). This procedure will then be repeated for each of the analog output channels (block 1784 and diamond 1786). An Nl testing report is also 5 generated when a new error is detected (block 1788).
Referring to Figures 20T-20U, the flow chart for the Handle Errors rout5ne 1610 of Figure 20A is shown. This routine begins with a check to see if an SAO board was replaced during the last process control cycle, and then it proceeds to check for other health indicia (diamonds 1790-1798). If the status report indicates a failure or the controller was not 10 able to receive a communication from Its SAO board, then the SAO board will be flagged as dead, and the controller will request its neighboring controllers to open the abort switches for . this SAO board ~block 1800 on Figure 20U). However, H the SAO board was flagged as being alive for the last process control cycle, then the error handling routine will look at the data from each of the analog input channels (block 1810).
Diamond 1812 examines the value of a 'Recovery' counter, which is used to give the system time to re-synchronize when the controller 92 is unable to communicate with either of its neighbcring controllers (see diamond 1814 and block 1816 of Figure 20U). If the Recovery count is not zero, then the ~OOCH ME = 0' status byte will be cleared in order to prevent an abort from being opened as the system is synchronized (block 1818). If a test 20 failure is detected on any of the analog output channels, then the Nl testing will be stopped ~block 1820). If an 'OAT ~> DAC' error has been flagged, then an abort request will be transmitted to the neighboring controllers 9496 for the particular channel under inspection ~ (block 1~22). This is because the 'OAT <> DAC' error means that the SAO board's .~ operational amplifier 608 on this channel is not functioning properiy.
Figure 20U also shows that a ~P(etry~ counter is employed to handle a situation where ~he communication from the controller to its SAO board is imperfect (diarnond 1824).
If the Retry counter is greater than a predetermined value (for example, 5), then the controller will cause a hardware reset of the SAO board in an attempt to correct the problem (block 182~?. In other words, the bad communication flag from block 1754 of Figure 20Q will be used to permit the controller to track the existence of a communication problem with its SAO
board, and after a sufficient number ~f tries, then the controller will reset the microprocessor EU3 of the SAO board in an attempt to restore valid communication.
Referring to Figure 2W, the tlow chart for the Send Abort Positions to the Hardware routine 1612 of Figure 20A is shown. This routine examines the abort decision informasion fo,r each of the analog output channels and responds by opening or closing each ~n, of the abort switches for its neighboring SAO boards (blocks 1828-18303. It should also be , , .
;~
~ .
r~

.;: WO 93/2048~ PCl /~JS93/02253 .
2 1 3 1 1 ~ 6 ` 83 ,.,~
. ~ noted that the controller will look at the arbitrated analog olnput value to be sent to the field ~, (diamond 1832). If the output value is zero for any of the analog output channels, then the controller 92 will send a flag to its neighboring controllers to open the abort swRçhes on its SAO board for those channels (1834~.
~eferring now to Figures 21A-21S, a set of flow charts is shown for the software resident on the SAQ boards. Additional flow charts for the SAO board software will .;~ also be discussed in connection with Figures ~2A-22S and 23A-231. Figures 21 A-21 B provide .~
an overall or main flow chart 1~00 for the SAO board software. As should be appreciated from the discussions above this software is contained in the program memory circuit EU1 of each of the SAO circuit boards 6Q0-604.
The flow chart 1900 begins with a call to a startup routine 1902, which is shown in Figures 21C-21D. The microprocessor EU3 of the SAO board will preferably read the sofnvare version level from memory (block 1904), and proceed to test the hardware components for the SAO board (block 1908). This hardware test routine is shown in Figures 21E-21K. The SAO microprocessor will then check to see if a Deadman condition exists ~ ~diamond 1908). A Deadman condition could exist H the controller 100 shuts down~ the ; microprocessor on the SAO board shuts down, or if the SAO board puts itseH into a Deadman .; condition for diagnostic testing purposes. If a Deadman condition exists, then all of the analog output channels will be zeroed (block 1910) and the program will jump to the warm start point in the startup routine 1902 of Figure 21 C, unless the SAO board is currently testing its ability to disable the operational amplifier 608. While not shown in Figure 21A for simplicity, "? a check may be made at this point to determine if the SAO board is currently testing this Deadman capability. This Deadman test will be described below in connection with Figures 23E-23G. If the SAO board is testing the Deadman capabilRy, then the Deadman test will be repeatedly conducted (for example, 30 times) before retuming to an appropriate location in flow chart 1900, such as block 19û4.
Figure 21A also shows that the SAO board may be re-started if too many interrupts are received from an intemal timer of the SA0 microprocessor (diamond 1912). t ~ These timed interrupts provide a way to pem R the SAO microprocessor to determine whether ;~,j 30 a communication from the controllèr for this SAO board has been received wRhin a reasonable period of time.
Assuming that the SAO boa-d is 'alive-, the SAO microprocessor will strobe ,~ the DEADSEr signal (block 1914), and call the communications routine (block 1916). The '~ communications routine is shown in Figure 21M. After this communications routine, then a Testing routine will be called (block 1918~. The Testing routine 1918 is shown in Figure 21L
A routine will then be performed to gather feedback data from the field (block 1920). This ,,, ,~

W093/~0488 PCr/US93/02253 ~.i 8 4 ~) Read Data routine is shown in Figures 21N-21Q. Next, a Handle Error Conditions routine 1922 of Figure 21R will be perforrned. The program will then proceed to a Calculate the . Output routine 1924, which is shown collectively in Figures 22A-22S. Thereafter,~the non- I
--~ intrusive testing routine 192~ will be performed~ This Nl testing routine is shown collectively ~ I .
!
in Figures 23A-231.
Once all of these steps are performed, then th~ SAO microprocessor will point to the next channel to be serviced (block 1928) and repeat the procedure until all five analog output channels are done (diamond 1930). The SAO microprocessor will then update its record of five channel cycles' since the last communication from its controller, such as con~roller 92 (block 1932), and then determine if it is the appropriate time to check the field ~ loops (diamond 1934). The routine for checking the field loops (for example, measuring the -~ field loop resistance values) is shown in Figure 21S (block 1936)~ In either case, the main program for the SAO board will ultimate~ loop back tO the beginning in order for the program .~ to be continuously repeated. Thus, it should be appreciated that the field loops will be . 15 measured and the hardware tested each pr~cess control cycle (for example, one second).
~,r", Referring to Figures 21C-21D, the flow chart for the startup routine 1902 is .~ shown. The Red LED will be tumed on to indicate that the SAO board hardware is not ready to send power to the field, as a series of tests will be conducted (block 1938). In this regard, the first test relates to the data memory for the SAO board (block 1940). This test is similar ~, 20 to the memory test described below for the controller's data memory. Then~ due to the fact , -~ that the SAO board is entering a cold start, a counter which keeps track of the number of " ~ process cycles executed by the SAO board will be set to '01' to allow the hardware test routine to function properly (block 1942).
Then, as shown in Figures 21 C;-21 D, a hardware test routine will be performed at four df~erent points during the startup routine (blocks 19441950). This hardware test routine is shown collectively in Figures 21E-21K In this regard, n should be noted that the ~ repeated testing of the hardware components for the SAO board is not necessary. Rather, fi~ this testing routine is performed during spare times as an extra measure to increase the i confidence level in the ultimate operation of the SAO board. Thus, for the example, the ~i~ 30 hardware test routine will be performed in between times that the controller is trying to communicate Wilh the SAO board (diamonds 1952-1954). As indicated above, the controller will communicate twice with the SAO board (blocks 195~1958) in order ~o send timing infonT ation, output values, and assure the controller/SA0 communication link is functioning ~ property. Ultimately, the Red LED will be tumed off (block 1960) and the Deadman timer will be reset (1962).
Tuming to Figures 21 E-21 G, an overall flow chart 1906 for the hardware test :

:. ` WO 93/2048~ PCI /US93/02253 : - 2131156 i 8 s .3,' rou~ine is shown. Assuming that this is the first cycle for the SAO board, then the SAO
microprocessor will read the ~0 volr input to the drfferential amplHier 638 via the muitiplexors ~, EU23-EU26 shown in Figure 12F (block 1968). Then, a check will be made tg determine whether or not the vo~tage being read is within specifications (diamond 1970). If this voltage 5 is outside of the proper specification level, then a routine will be performed to flag an analog to digital problem (block 1972). The flag ADC problem routine is shown in Figure 21 H. The SAO microprocessor will then read the 118 reference' signal shown on Figure 12B as an input to mu~tiplexor EU24 (block 1974). This voltage signal level ffor example, .275 votts) will be stored for use during tha Calculate Slope routine of Figures 21J-21K (block 1976). Then a ; -~
i?~10 check will be made to determine whether or not this vo~tage signal is within specifications ,~ (diamond 1978). In this regard, the value which is produced by the dfflerential amplifier 638 for the ~1/8 reference~ signal will be tested against a predetermined range ~for example, 1.25 ;~ volts +/- 078 volts). A similar procedure is also implemented for the '1/2 reference' signal (for example, 1.10 vo~ts).
Then, as shown in Figure 21 F, the SAO microprocessor will cause the digital :;:
i to analog conve~er (~DAC~ 612 to output a series of dmerent voltage levels (blocks 1980-1986), and then it will check the actual output from the DAC through the analog to digital converter t~ADC~) 6~2 (diamonds 1988-1994). If any of these voltage levels were deterrnined to be outside of specifications, then the ~FIag DAC Problem~ routine 1996 will be performed.
As shown in Figures 21 H and 211, both the Flag ADC Problern routine 1972 and the Flag DAC
r.-,;- Problem routine 1996 increment or decrement a problem counter (blocks 1998-2000) as k needed. Additionally, either or both o~ these Flag routines may cause the Red LED to tum ~ ON if the problem count exceeds a predefined limit (diamond 2002 and block 2004). Then, '~ as shown in Figure 21 G, this problem counter will be evaluated (diamonds 2006-2010), and the problem counter will be decremented ff a problem was not detected during this pass through the hardware test routine (block 2012). Once this problem counter is greater than a decimal 2, then the Red LED will be tumed On, and the SAO board shut down. A similar procedure could also be implemented to test the operational amplifier 608, as was per~ormed for the DAC test. Thus, for example, the DAC 612 could be instructed to output a.~, 30 predeterrnined voltage (for example, æ2v), and then the OUT-H and OUT-L signals could be read to see If these signals were within specifications.
Referring to Figures 21J-21K, a seH~xplanatory flow chart for the Calculate Slope routine 1976 is shown. As will be seen from the flow chart, this routine evaluates the ~
-, slope of an artificial line created between the 112 and 1/8 reference signal levels, and operates 35 to adjust stored slope and intercept values by one (each pass through the routine) until there :l, is equality with the measured values. The values created by this routine are used to correct ,;".i, ,. .. ..
: 3;
:'"
. .

~ WO 93/20488 PCr/US93/02253 8 6 ! J
~3~ 6 r the field measurements fo- offset and gain errors introduced by the analog circuitry. ~.
e Referring to Figure 21 L, a flow chart of the Testing routine 1918 of Figure 21A
~ is shown. This routine detects whether the SAO board is plugged into a test jig rather than ;~ the field computer unit 12 itseH (diamond 2014). If the SAO board is plugged into the test jig, then a set of predefined outp~n values will be used to test the operation of the SAO board . ~block Z016).
, Referring to Figure 21 M, a flow chart for the Communications routine 1916 of Figure 21 A is shown. While this flow chart is also self-explanatory, is should be noted that the ~ watchdog interrupts referred in diamond 1912 of Figure 21A will be turned off (block 2018) - 10 and subsequently reset during this routine (2û20).
.~: Referring to Figure 21 N, a flow chart of the Read Data routine 1920 of Figure 21A is shown. The ADC convsrter control block 2022 of this routine is shown as its own flow - chart in F~gure 210. In this regard, it should be appreciated that the SAO microprocessor needs to command a specific input sign~ selection for the differential input rnultiplexors EU25-~ 15 EU26 and the conver~or input mu~tiplexors EU23-EU24. The Read Data routine wiil then ;: proceed to the Linearize routine 2024 of Figure 21 P. As shown in Figure 21 P, the slope value determined from the Calculate Slope routine will be evaluated (diamond 2026). If the slope ~, value is greater than one, then this slope value will be compared with the commanded output ~I value (diamond 2028). If the output value is greater than twice the slope, then the Linearize ~ 20 routine will be ended because linearization of the data will result in an overflow in the ¦ ~ ~ mathematics. Otherwise, a calculation will be made, as shown in block 2030. The purpose of this calculation is to correct the measured voltages for offset and gain errors introduced by the analog circuitry.
Once the Linearize routine 2024 is completed, the Read Data routine 1920 will proceed to the Filter the Track routine 2032 of Figure 21Q. This routine begins with : comparing the newly measured track value and the track value stored from the calculation performed on this channel in the last S channel cycle (block 2034 and diamond 2036). If the ; absolute value of the dfflerence between the new and old track values exceeds a first predetermined amount, then the old track value will be completely replaced with the new track value to speed the response of the SAO board in its effort to achieve the commanded output value (block 2038). If the absolute value of this d-~ference in track value is less than the first predetermined amount, then a check will be made to see if this difference is less than a second, smaller predetermined amount (diamond 2040). The result of this decision will deterrnine whether the Unstable Track flag will be set. In any event, the dfflerence value will be divided by four (block 2042), and a portion of this divided dfflerence value will be added to or subtracted from the old track value depending upon whether the dfflerence value was ~:
~:
~: :

. . ~ .

'D `~ 8 7 213 t l ~ 6 PCr/US93/0~253 i~
, .

positive or negative (diarnond 2044 and blocks 2046-2048). This proportionate change in the stored track value filters o~ rnost noise found on the track signal.
The Read Data routine 21 N will then point the multiplexors EU25-El,l26 at the ME resistor High/Low values, and read and store these values (block 20~0). A similar operation will then be performed for the OAT values via multiplexor 640 (block 2052).
,~ Referring to Figure 21 R, a flow chart for the Handle Error Conditions routine 19Z of Figure 21 B is shown. This self-explanatory flow chart demonstrates how the Red LED
flag will be set and used to cause the DAC to rampdown (block 2054). In this regard, the Rampdown DAC routine 2054 will be discussed in connection with Figure 221. Similarly, the Send the DAC to the Fie1d routine 2056 will be discussed in connection with Figure 220.
Referring to Figure 21S, a flow chart for the Check the Field Loops routine 1936 of Figure 21 B is shown. As will be seen from this flow chart, the SAO microprocessor will measure the actual output signal for each of the analog output channels ~nd perform the checks identified on the magnitude of this signal (diamonds 2058-2062). If the signal being sent to the field is outside of any of these test bounds, then the appropriate flag will be set ~r or preserved for further processing (blocks 20~-2068) . These tests assume that the field load 7 i5 modeled by a resistor in series with an inductor, and that the load being driven is between 50 and 470 ohms (+/- 30 ohms). Thus, for example, diamonds 2060 and 2062 compare the ~' ¦ measurement from the low side of the track resistor wlth respect to ground with the maximum and minimum acceptable voltages for this output value. However, it should be noted that the -~ loop resistance check will not be performed if the output value (block 2058) for the channel is below 2 mA, because the present hardware prevents the signal from being read reliably ¦ when the output value is below this magnitude.
~S~ I It should also be noted that a 100 ohm PTC resistor is preferably connected in seties between the low side of the track resistor 624 and the field loop. Thus, the maximum and minimum acceptable measurements at full scale ffor example, 22 mA) can be calculated trom the tollowing formulas:
Vma~t = (Rmax + Rptc) ~ (22mA), where Rmax = 470 ohm Vmin = (Rmim + Rptc) ~ ~ærrA), where Rmim = 50 ohm Using these formulas, it should be appreciated that the maximum and minimum voltage levels employed by diamonds 2060-2062 may be calculated for any desired output value (in mA).
Thus, the test employed by the field loop routine 1936 are specifically tailored to the output value commanded by the controller tor the SAO board.
~;; Referring to Figure 22A, an overall flow chart for the Calculate the Output ,",, wo 93/204X8 PCI /US93/02253 S~' 88 routine 1924 of Figure 21B is shown. This Output control routine provides an intelligent Pl control loop as will be seen from the description below. The Output control routine includes a setup routine 2100, which is shown in Figure ZB. In this regard, Figure 22B show,~ that an initia~ evaluation of the commanded output value will be made (diamond 2102). If the output value is nearly 100% of the maximum allowable value, then the output for the channel being processed will be forced to a level just below this maximum value ( block 21~4). This is done so that an output above the 99.75% level can be seen and no more than 22ma of current will be transrnitted to the field.
The Ou~put control routine also includes a Calculation routine 2106, which is shown in more detail in Figure 22C. Once output error is calculated (block 2108), which is the difference between the output value and the measured track value, then it will be determined whether an increase or decrease in the analog output must occur (diamond 2110), and the appropriate status indicators will be set.
Referring again to Figure 22A, an evaluation will then be made as to whether the remainder of the Output control routine should be skipped (diamond 2112). In this regard, the Output control routine may be skipped when a problem has been detected on the board -~ ~ by the Handle Error Conditions routine. Assuming that the Output control routine is to be performed, then a check will be made to see if the red i~D is ON (diamond 2114). If the red LED is ON, then a determination will be made as to whether the calculated output error is too large (diamond 211 fi). If the error is too large ffor example, 3.5%), then a flag will be set to indicate that this SAO board is controlling the field (block 2118), and the Out of Control routine 2120 will be performed. Qtherwise, the opposite indication will be flagged, the SAO
board will back off its output to zero (block 2122), and the In Control routine 2124 will be performed.
As should be appreciated from the procedure described thus far, the three SAO boards 600-604 will effectively compete with one another to drive the load in accordance with the present invention. However, when any of the SAO boards detect that one of the other SAO boards is controlling the output, it will start backing off to a non-contribution level.
In this way, only one of the three SAO boards 600-604 operates to drive the load at any one time, unless one of the other SAO boards determines that its contribution is necessary to achieve the commanded output value. ~!
If the red iD is OFF, then a Back Calculation routine 2126 will be periormed. ~ `
This Back Calculation routine is shown in Figures 22D-22E~ As will be seen from Figures 22D-ZE, the Back Calculation routine is used to set a 'Back.Calc' constant, and subtract or add this constant to the output error (block 2128). The Back.Caic constant is used in the Pl control loop to account for any differences in the track measurements (due to any hardware WO 93/~0488 '2 ~ 3 1 1 5 6 PCI /US93/0~253 8 9 1:

differences between the SAO boards), and thereby allow the smoothest exchange of output contribLltion. The Back.Calc constant is the dmerence between the output value and the track value ~block 2130). In this regard, it will be appreciated that the Back.Calc calculation will depend upon factors such as which Nl test is being performed (for example, diamonds 2132-2134),because these are the cycles where the SAO boards must exehange responsibilities.
In other words, the driving board must lower its output to zero and another board must drNe the output.
Once the Back Calcul~tion routine 2126 is performed, an ~Output In Controi ~7 ? rolnine 2136 will be executed by the SAO microprocessor. The Output In Control routine ~, 10 2136 is in the form of a question, because it will exit into either the In Control routine 2124 or the Out of Control routine 2120 depending upon the conditions being evaluated during its execution. The Output In Control routine 2136 is shown collectively in Figures 22F-22H. In this regard, Figure 22F shows that a series of evaluations will be made to determine if an Nl test is being conducted (diarnond 2140~, and if so, then identify which test is currently being conducted (diamonds 2140-2148). The answers ~o these questions and answers to their depending questions (that is, diamonds 21 ~2-2164) will determine which mode the SAO board is in. Speci~ically, Figure 22F identifies three modes of operation, namely qight Control-, ~Monitoring~ and ~Stay Clear~. The use of the operating modes will become apparent from a review of Figures 22F-æH and the description below.
If the Nl test is 00-, it should be understood that no Nl test is actually being conducted. As indicated by diamonds 2152-2154, the Tight Control mode is assumed when the SAO board's contribution to the field output is other than 0% of the commanded output value. Diamond 2166 of Figure ZG shows that an evaluation will be made in the Tight Control mode to determine if the output error (the owtput value - track difference) is within a tight deviation range ffor example, 0.05% of 22ma~. If the output is outside of this tight deviation range, then the Out of Control routine 2120 will be per~ormed, as shown in Figure ZH. Otherwise, the In Control routine 2124 will be performed.
I~ the SAO board was not corltributing anything to the output (diamond 2154), then the Stay Clear mode will be assumed. In the Stay Clear mode, a check will be made to see if the output error is outside of a wide deviation range, such as 1.6% (diamond 2168).
If the output error is within the wide deviation range, then the In Control routine 2124 will be performed. Otherwise, the Out of Control routine 2120 will be performed.
If the Nl test is Test #1 (diamond 2142), then a detemmination will be made ; to see if the SAO board is driving more than 50% of the commanded output value (diamond 2156). If the answer is YES, then the nght Control evaluation of diamond 2166 will be performed. Otherwise, the SAO board will assume the Monitoring mode. In the Monitonng ,"
, ...
., ;s WO 93/20488 PCl`/US93/022~3 .~

2,J1 3~L~5 6 g o - mode, a determination will first be made to see H ~he SAO board is driving any of the output (diamond 2170). If the answer is YES, then a check will be made to see if the output error is within a monitor deviation, such as 0.10% (diamond 2172). If the answer to this question is NO, ~hen the Out of Control routine 2120 will be perforrned. However, if the answer to this question is YES, then a determination will be made as to whether the output value was greater than the track value measured (diamond 2174). The determination of diamond 2174 will also be made if the Nl test is ~01 -or and the output is within the wide deviation (diamonds 2176-2178).
If the output value was greater than the track value (diamond 2174), then the In S~ontrol routine 2124 will be performed. Otherwise, a series of questions will be posed (diamonds 21B0-2190) before entering the In Control routine 2124. Thus, for example, if the Nl test is Test #07 and the output has not achieved more than 93.75% of the maximum possible output, then the Rampdown DAC~routine 2192 will be performed. This action prevents more than 22ma Srom being sent to the field, as it should be noted that block 2174 established that the track is already greater than the output value.
The Rampdown DAC routine 2192 is shown in the flow chart of Figure 221.
In this regard, the flow chart indicates that the output will be ramped down in relatively small or large increments, depending upon whether the SAO board is driving more than 25% of the output value (diamond 2194). For example, when the small decrement constant is employed (block Z196), the output may be ramped down on the order of 0.1 %/call to this routine. While the controllers 92-96 operate on a specific process control timing cycle, this is not strictly the case for the SAO circuit boards 600-604, as the SAO microprocessors will repeatedly execute their programs (as shown in Figures 21A-21B) as quickly as possible. In other words, each SAO board may execute all of its programs on the order of 50-100 times per process control cycle (for example, one second) of the controllers 92-96.
Figure 22H also shows that a Power Rampdown routine 2198 may be employed H the series of questions is resolvsd to the point where it is determined that the output error is greater than the rnonitor deviation (diamond 2190). The Power Rampdown DAC routine 2198 is shown in the brief flow chart of Figure 22J. In this regard, it will be appreciated that a very rapid decrement rate will be employed due to the fact that the output has been detected to be beyond the acceptable monitor deviation limit.
Figure 22F also shows that the Tight Control mode will be assumed whenever it is determined that the ME SAO board is driving 100% of the desired output value (diamonds 21 ~8, 2162-2164). Otherwise, if the answer to any of the diamonds 2158, 2162-2164 is NO, then the Monitoring mode will be assumed. Similarly, if ~ is determined that ME SAO board is not driving any of the output (diamonds 2150 and 2160), then the Stay Clear mode will be Y W093/20488 2i3~ 6 PCr/US93/022~3 9 1 j,-~
assumed.
Referring to Figure Z~ a flow chart for the In Control routine 2124 is shown.
This routine begins by clearing the ~AImost Out of Control High ME = û~ flag (block Z00).
The clearing of this flag is used to signify that an OOCH ME = 0 condition will not be 5 signalled the next time the Out of Control counter reached a preset limit. Then an evaluation will be made as to whether the output value is greater than 99.7% of the maximum allowable output value (diarnond 2202). If the output value is essentially less than this maximum value, then the program flow will skip down to the end of this routine, where an Out of Control counter will be decremented (block 2204). However, if the output value is at its ma~(imurn 10 value, then three additional evaluations may be made (diamonds 2206-Z10). If the Nl test is one of the test numbers Test #01 through Test # 06, then the Out of Control counter will be decremented. However, if the Nl test is one of those listed in diamond 2206, then the Rampdown DAC routine 2192 will be perforrned. Similarly, H the Nl test is Test ~ 07 and th0 SAO board is outputting more than 93.7% of the maximum output value (diamonds 2208-15 2210), then the Rampdown DAC routine 2192 will be performed.
In the event that the Rampdown DAC routine 2192 routine is implemented at this point, then the Send the Output to the Field routine 2212 will be immediately executed.
The Send the Output to the Field routine Z12 will be discussed in connection with Figure - 22N. The Send the Output to the Field routine 2212 is also shown on Figure 22A as the next 20 routine to be executed in any event once the In Control rol~tine 2124 is completed.
Nevertheless, if it is determined that the output of this SAO board should be decreased, then it is preferred that it should be perrnitted to begin backing off at the earliest opportunity.
Referring to Figures æL-22Ml a flow chart for the Out of Control routine 2120 is shown. This routine is used to change the DAC output value in response to a number of 25 factors, such as the magnitude of the error detected. In the first place, block 2214 indicates that this routine will cause eubsequent routines are to be skipped. This is because Nl testing should not be performed if the output is not correct. Then, a sibling wait counter will be evaluated (diamonds æ16-2218). The sibling wait counter is used to delay reaction to an output error and enabie one of the neighboring SAC) boards to react instead. Then, the Out 30 of Control counter will be incremented (block 2;æ0). Next, the magnitude of the output error will be evaluated in order to determine the rate at which the DAC output value should be ~, .
changed (diamonds ~ 4).
As shown in Figure 22L thQ program will branch depending upon whether the output error was negative (diamond 2226). H this difference was negative, then the DAC value S 35 will be decreased accordingly (Figure 22M, block 22~8). Otherwise, the DAC value will be increased to the appropriate value (block ~30). Thus, for example, the DAC value will be set ~ W 0 93/20488 PC~r/US93/02253 'I 2~3~LS~ 92 to a 1 ov OUtpUt amount in block 2232 to prevent a futile attempt to send 20v to the field H the device will not allow the track to reach the output value at maximum voitage out. This action lowers the bump ~ a disconnected field wire is attached.
Referring tO Figure ~2N, a brief flow chart of the Send the Output to the Field routine 2212 is shown. Rfter a setup step (block 2234), this routine simply calls the DAC
Control routlne 2236 to write the two byte value into the digital to analog converter circuilt.
The DAC Control routine is shown in the self explanatory f!ow chart of Figure 220.
Referring to again to Figure 22A, the next routine to be executed is shown to be the Check for a Test #07 Error routine 2238. This routine is shown in the flow chart of Figure 22P. As shown in Figure 22P, a series of evaluations are made to determine H the Nl Test Fail counter should be incremented (block 2240), and ul~imately flag an Nl Test Failure (block æ42) if too many tests have failed (diamond 2244). In this regard, it will be recalled that during Test #07, the ME SAO board must be drNing the entire output by itself for each of its channels. Thus, if the SAO board is not driving the entire output by itself, its output voltage is at the maximum, and current is going to the field, then the Nl Test Failure counter will provide a period of time to reach the required goal. However, If the goal of driving the output by Xse~ cannot be reached within a reasonable period of time (for example, the Nl Test Failure counter has exceeded 30), then an error condition will be flagged.
Figure 22A shows that the final routine to be executed is the Handle Output Problems routine 2246. The Handle Output Problems routine 2246 is shown in Figures 22a-; 22R. As will be seen from these figures, this routine is used to set or clear a number or differen~ flags depending upon the condXions specified. Thus, for example, H the Out of Control count for the channel being evaluated has not exceeded a predetermined amount (for example, 53), then three different flags will be cleared (diamond 2248). If the oun of Control count exceeded a predetermined amount, then an evaluation will be made as to whether the track measurement was lower than the outpun value (diamond 2252). If the answer is YES, then the 'Almost Out of Control High~, the 'Out of Control High~ and the 'Out of Gontrol High ME = 0- flags will be cleared (block ~54). Addnionally, the o~n of Connrol Low flag will be '., set, as the output to the field is lower than n should be.
In contrast, if the error is on the high side (block 225û generates a NO), then ~d the ~Out of Control High~ flag will be set and the ~Out of Control Low- flag will be cleared (block æ58). Then, the operational amplifier track signal OAT will be evaluated to see '~ 'n is near zero (diamond 2260). If n is not near zero, then the OAT signal will be re-measured, as the DAC was commanded previousty to reduce its output (block 2262). If this additional measurement does not show the desired response, then the ^OAT < > DAC' tlag will be set (block 2264~.

i~

S

WO 93/2048~ 2 1 3 1 1 5 6 PC~/US~3/02253 i~.i s . 1:

Figure 22R shows that the ~AImost Out of Control High Me = 0^ flag will first ~- be set (block Z66) and the Out of Control count will be zeroed (block æ65) if the difference . between the output value and the track rneasurement is greater than an abort deviation value, such as 2% (diamonds æ68-227D). Then, during the next pass through this routine that the 5 error count has exceeded a predetermined amount, the ~Out of Control High ME = 0 flag will be set (block Z72) if the ~Almost Out of Control High ME = 0~ flag has not been cleared (block Z74). Forcing this delay in the setting of the OOCHME = 0 bit prevents false errors from being reported.
Referring now to Figures 23A-231, a set of flow charts is shown for the Nl Testing routine 1926 of Figure 21 B. Diamond 2300 indicates that this Nl Testing routine may be skipped, such as when an error has been detected by the Handle Error Conditions routine.
Diamond 2302 indicates that the Nl Testing routine will not be performed during those one-second periods when the Test #00 insignia is utilized. Additionally, diamonds 2304-2306 indicate that the Nl Testing routine will not be performed when an error is encountered on the 15 channel ~o be tested or when the controller for this SAO board commands an output value which is less than a minimum value ffor example, 4 mA). While Nl testing could be performed when the commanded output value is near zero, it is preferred that Nl testing be deferred, as the abort switches for any zero output channel will be opened and it will not be possible to conduct a complete test (e.g, Test #7).
In the event that this SAO board or one of the other SAO boards is being tested (diamond 2308), then this SAO board will look to see which test is being conducted.
In this regard, ~ should be appreciated that this SAO board ffor example, SAO circuit board 600) does need to take any action for Tests #12-16 or #21-26, as any necessary action will be taken by its controller (e.g, controller 92). In the event that Test #11 is being conducted 25 (diamond 2310), then the Nl Testing routine will cause this SAO board to assume the necessary output being shed by its neighboring SAO board designated as N1 ffor example, SAO board 6023. However, it should be noted at this point that the Nl Testing routine 1926 does not specifically test for Test #21, This is due to the fact that the Nl Testing routine being performed by the N1 SA0 board will have the N2 SAO board designated as its neighbor N1.
f ' ! 30 In other words, the Nl Testing routine 1926 builds in a preference for which SAO board should begin to assume the output being shed by another SAO board. Specifically, in this instance, the preference is made for the SAO board which has most recently completed Test #7, as this particular test evaluates the SAO board's ability to assume the entire output.
In the event that the Nl test being conducted is not Test #11, then the sibling 35 wait counter will be cleared to permit immediate action i~ necessary (block 2312). Then, it will be determined if the Nl test being condur,ted is Test #17 or Test #27 (diamond 2314 of `~ ~

WO 93/20~8~ PCI /VS~3/022~3 Figure 23B). If the answer is NO, then the Nl Test routine 1926 will be ended for this call.
However, if one of these two Nl tests are being eonducted, then the sibling wait counter will be loaded with a value which will permit the SAO board under t~st time to ramp up i~s OUtput (block 2316). Then, a determination will be made as to whether this SAO board is driving any of the output (diamond ~318), the appropriate rampdown rate will be chosen (blocks 2192 and 2198~ as the result, and the output value will sent to the field (block 2Z12). If the DAC output is not zPro, then a flag will be set ~o indicate that this SAO board has not finished ramping down (block 2320).
If this SAO board is currently being tested (diamond 2308), then a flag will be set to indicate that all lower Nl routines in this SAO cycle should be skippecl (block 2322).
Then, if Test #07 is being conducted (diamond 2324) or N Test #11 is being conducted, a determination will be made as to whether this SAO board is driving any power (diamond 2326) by examining the vottage across the ME resistor and the appropriate flag will be set (block 2328). Then~ the contribution to the field will be evaluated (diamonds 2330-2336) by examining the voltage drop across the ME resistor. If this SAO board is driving 100% of the output, the DAC output is at its maximum and the track output is at the proper value, then the Nl test will be successfully completed ~diamond 2338). Otherwise, additional determinations will need to be made and the appropriate action taken during this pass through the Nl Testing routine 1926. For example, i~ this SAO board is driving more than 25% of the output value (diamond 2334), but less than 100% of the output value (diamond 2336), then 0.05% will be added to the value supplied to the DAC (block 2340). Then, the Nl Testing routine 1926 will exit at this point until it is called upon again to evaluate the contribution that this SAO board is making to the output. If the DAC output is at its maximum, and this board is not driving 100% of the output, the test failure counter is increased.
If the answer to diamond 2324 on Figure 23A was NO, then the Nl Testing ro~ine 1926 will jump to point ~A~ on Figure 23C to begin checking to see which of other the Nl tests are being conducted (diamonds 2342-2344 on Figure 23C, diamonds 2346-2348 on !I Figure 23D, diamond 2350 on Figure 23E, and diamond 2352 on Figure 23H). As will be appreciated from a review of Figures 3C-231, the Nl Testing routine follows a specHic regimen for each of the Nl tests. Thus, tor example, in the case of Test #01, the SAO board will a~tempt to ramp itseH down until a zero output is achieved (diamonds 2354-2356). Once a zero output is achieved, the Nl Testing routine 1926 will jump to point 'D- on Figure 231. If the rampdown is unsuccessful, the controller is flagged not to test this channel and subsequent tests in the cycle will locate the problems on the neighboring boards.
As indicated in Figure 231, a check will be made to see if the voltage measured on the low side of the ME resistor with respect to ground is too high for a DAC

' W093/204X8 2131156 PCr/U593/02253 9 5 ! 1 `
. I
3 output of zero ~diamond 2358). If the voitage is too high (for example, 0.037), the diode has been shorted and the Nl Test Failure counter will be incremented (block 2360). Then, the Nl Test Failure counter itse~ will be checked to see if the present count has ex~eeded its i~ predetermined limit, such as 40 failures (diamond 2362). This failure count is set relatively 5 high in comparison to the failure count maintained by the controllers (e.g, only 1 failure is perm~ed at the controiler level), in light of the fact that the SAO boards are repeatedly ; executing their programs many times relat~e to the process control cycle timing employed by the controllers 92-96. If the count limit has been exceeded, then a flag will be set to indicate that an Nl test failure has occurred ~block 2364). However, as indicated by diamond 2366 and the additional en~ry points ~B~ and ~E~, the Nl test failure flag will only be set ff this SAO board was conducting the Nl test, as opposed to one of its neighborincl SAO boards.
in the case of Test #02, Figure 23D shows that the DAC output will be evaluated to determine H the SAO board was able to ramp down this channel (cliamond 2368).
Assuming that this channel was able to ramp down to zero, then the SAO micraprocessor will set the channel output to the abort test voltage (block 2370), allow time for the output to settle tblock 2372), and measure the operational amplifier track (~OAr) voltage signal (block 2374).
Then, a determination will be made as to whether the OAT voltage level for this channel is in the expected or acceptable band, such as 150-700 mV (diamond 2376~. If the answer is YES, then Test #02 will be successfully completed for this particular channel. However, ~ the answer is NO, then the Nl Testing routine 1926 will jump to point ~E' on Figure 231, where the Nl Test Failure counter will be incremented. In any event, it should be appreciated that each of the analog output channels will be serviced in tum each time the Nl Testing routine 1926 is called from the main SAO program 1900.
In the case of Test #03, Figure 23E shows that the Nl Testing routine 192~
will ùltimately measure the voitage on the high side of the ME resistor with respect to ground (block 2378~, provided that this channel was able to ramp down to zero (diamond 2380) and determine if it is low enough (e.g,. 150mv) (diamond 2382). If the voitage is not sufficiently low, then one or both of the abort switches have not opened. In this regard, it should be noted that the opening of the DN1 and DN2 abort switches will be performed independentiy by the N1 and N2 controllers, respectively, according to the time chart discussed above.
in the case of Test #5, Figures 23E-23G show that two tests are actually conducted. First, the operation of the abort switches DN1 and DN2 are again tested through a ME resistor measurement while the ATV signal is being produced (block 2384). Then, assuming that this tes~ was successful, the ability to disable the operational amplifier will be 35 tested. This test is accomplished by first checking to see if the SAO board Deadman is 'open~
(diamond 2386). This check is made by causing the microprocessor 610 to read the 'NOT

~ W 0 93/Z0488 PC-r/US93/02'53 !~ 2~3~ 9 6 DEAD- signal from the Deadman Timer 649 of Figure 12D. If the answer is Yes, then the operational arnplifier 608 should be disabled. If ~he answer is NO, then all ot the operational amplifier's 608 on the SAO conducting the test will be disabled (block 2388). The DAC will then be commanded to output the Deadman Test Voltage, such as 3v (block 2390). The NOT
' 5 DEAD signa~ will be checked again ~diamond 2392), and then OAT signal will be read for the channel being tested ~ the Deadman is not open (biock 2394). In this case, all of the SAO
- board operational amplifiers 608 will be re~nabled (block 2396), and then the OAT voltage will be checked to see if it is high enough tdiamond 2398). Assuming that the OAT was high enough (for example, ~he Deadman Test Voltage level), or if the Deadman was not already 10 opened, ~hen the operational ampl'lfiers will be disabled (block 2400). Next, the OAT voltage will be measured ~block 2402). Thereafter, the DAC will be re-set to the ATV level (block 2404), and the operational amplifiers will be re-enabled (block 2406). After this step, then the ~3 voitage from the Deadman voltage input will be evaluated to see if was possible to disable the operational amplHier (diamond 2408).
In the case of Tests #04 and #06 (diamond 2352), Figure 23H shows that a voltage measurement will be made on the high side of the ME resistor (block 2410). Again, it should be appreciated that the necessary steps of opening and closing the abort switches DN1 and DN2 are handled by the neighboring controllers in accordance with the time chart set forth above.
FroM the above description of the preferred embodiment, it should be appreciated that the field computer units 12 operate in accordance with a predetermined process control cycle. In other words, all of the signal communication and input/output processing functions of the field computer units are performed within a single process control cycle, such as a one second interval. While the clock signals for each of the network controllers 16 and the field computer unit controllers 92-96 are all adjusted during this process control cycle to maintain the clock signals within a given tolerance, an adjustable ~imeline is ~-J generally provided to facilitate cooperation benHeen these interface system components. For example, in one form of the present invention, the synchronization message is sent by the ~, network controllers 16 to each of the field computer units 12 at the beginning of a new , 30 process control cyclè. The field computer units 12 will in tum be looking for this two byte message within a given period of time ffor example, 1.5 milli-seconds). After the network controllers 16 determine the necessary communication paths, they will send the appropriate , digi~al and analog output values to each of the field computer units. Then, the controllers 92^
96 will exchange this information in order to perform the independent arbitration methods described above. However, in the event that communication from the network controllers 16 is not received by a field computer unit or communication is not received by one of the r"

~ WO 93/20488 PCr/US93/1)~2~3 213 1 1 S 1~
,`.,.
I
controllers 9~.-96 from its neighboring controllers, these components will nevertheless proceed to perform their tasks after a suitable period of time. Thus, for example, the previously supplied Fail-Last and Fail~afe instructions may be implemented according to the output arbitration methods discussed above.
Additionally, the action timeline should also permitted the non-intrusive testing of digital and analog outputs to be performed periodically as set forth above. The timeline may also be constructed to perrnit further testing of system components. For example, it may be advantageous to test the RAM memory U42 in each of the controllers 92-96 within an available time slot. This test may be accomplished by first writing a specific value (for example, s5hex) into each storage location of an unused section of the RAM memory, and then reading each location to verify the integrity of this section of memory. Then, a portion of the input or output data table may be moved to this verified section of RAM memory, and the memory section from which this data was taken could be Yerified in the same manner.
However, it is preferred that a dmerent value is written into this used section of memory (for examp~e, AAhex). The data could then be replaced once it was determined that there were no memory errors. In this way, the entire RAM mernory U42 may be periodically tested. If a memory error wæ found, then this memory section could be tes~ed again and/or a general ~problem- status bit could be set to inform the process control computer 14 of the presence of a error. As with the other errors discussed above, the process control computer may request the status of a specific error bit which would identify an error in the RAM memory U42.
Referring generally to Figures 24A-27M, a set of flow charts are shown to illustrate the methods of downloading updated software according to the present invention.
In this regard, the present invention advantageously provides the ability to download updated sof~ware throughout the process control inteRace system 10 without having to interrupt the physical process being controlled. More specifically, the present invention permits updated or new software to be selectively transmitted from one of the network controllers 16 to each of the breakout circuits 26 in the interface system 10, and to each of the field computer units 12 in the interface system.
Thus, the software contained in each of the major componen~s of the :~ 30 distributed process control interface system 10 according to the present invention may be individually updated or collectively updated in groups. In other words, it may be beneficial ~, to update the software for each of the field computer units 12 at one time and update the ~, software for each of the breakout circuits 26 at another time. Conversely, it may be rll appropriate to update the software throughout the interface syslem 10, starting with the breakout circuits 26 and ending with the field computer units 12.
:'j Importantly, each of these updating operations may be carried out while .., ':

~ wo 93/20488 PCr/US93/022~3 ~, ~ 3 ~ ~ 9 8 'J. process control operations are continuing. For example, while one of the process control computers 1 4a-1 4b is being used for process control, the other process control computer may switch over to perform one or more downloading operations. Another advantage of the method and system according to the present invention is the ability to download updated 5 software into a plurality of breakout circuits 26 or field computer units 12 during the same ~$ downloading operation. Thus, for exarnple, when a successful downloading procedure has been verified for each of the field computer units, then the redundant controller 92-96 in each of the field computer units 12 which received the new software may startup using this so~ware in the same process control cycle.
In one form of the present invention, it is preferred that a successful download~, operation be verified for all interface system components to which the new sofh4are was addressed before any of these system components is permitted to startup on the new software. In other words, if the Left controllers 92 in all of the field computer units 12 verified a completely accurate reception of the new software, then they will a!! be permitted to startup 1~ on the new software. Otherwise, they will all be commanded to start back up using the old software which was previously contained in these controllers 92. At this point, the downloading procedure may be tried again, or the hardware for the controller(s) that were unable to verify the correctness of the new software could be checked.
Once the updated software has been verified for all of the Left controllers 92, 20 then these controllers may be commanded to transmlt a copy of this software to the Middle con~rollers 94 in each of the field computer units 12. In this regard, it should be appreciated that the serial communication links between the controllers 92-96 in the field computer units 12 enable one of the controllers 92-96 to ~ransfer a copy of updated software into one or both of the other controllers. Altematively, it should be appreciated that once the Left and Middle 25 controllers 92-94 are operating with updated softwarej then the Right controller 96 could receive a copy of this updated software from its process cr ntrol computer ffor example, process control computer 14b). In other words, the process control computer 14a could retum to its process control operations, and the process control computer 1 4b switched over to a downloading operation.
Of course, both of the process control computers 1 ~a~1 4b could be shut down from a process control standpoint, so that both the Left controller 92 and the Right controller 96 in each of the field computer units could receive the identical updated sottware. However, this could require an interruption in the physical process being controlled. In any event, it should be appreciated that the only downloading function that could be implemented with 35 both of ths process control computers 14a-14b running process control operations, is the transfer of updated soltware from either the Left controller 92 or the Right controller 96 to the .

WO 93/20488 PCr/US93/02'5~ ~
2~311~6 Middle controller 94, as the process control computers ~4a-14b do not need to be involved in this procedure in accordance with the present invention.
~eferring specHically to Figure 24A, an abbreviated flow chart,,of the field computer unit main ~Femmai~ 2420 is shown. Flow chart 2420 indicates that each of the field computer units 12 wiil generally be conducting the process control activities discussed above (block 2422), unless a aDOWNLDF~ bit has been set in response to a download command (diamond 2424). The setting of the DOWNLDF b~ is actually accomplished in the serial port interrupt routine 2426 shown in Figure 24B. In this particular application, the field download command is simply identified as command ~113~ (diamond 2428). Prior to the clearing of the DOWNLDF bit (block 2430), the value of this bit will be placed in a neighbor communication message in order to inform the neighboring controllers that this controller is receiving new software. This action will prevent the neighboring controllets from attempting to reset the controller recerving updated software. It should also be noted that the field communication routine ~Fcomm~ of Figure 24C is used to receive download commands from the process control computer 14.
Assuming that the process control computer 14 has issued the download command, then the field computer unit 12 will jump to the 'FIO DOWN_LD' routine shown in Figures 24E-24G (block 2432). The FIO Down lD routine 2432 is sometimes referred to herein as the FIO Download routine. As will be apparent from this flow chart, the FIO DOWN LD routine provides a main routine for a series of subroutines, which are shown in Figures 26G-26P and 271-27M. These sub-routines enable the field computer unit to receive ; and verify the downloaded software, assuming that this software is intended for the field computer unit. However, before discussing the these flow charts further, the transmission of downloading commands will first be examined.
Referring to Figure 25A, an abbreviated flow chart of the Netmain program or routine 2500 is shown. In this regard, the Netmain program 2500 represents a main program for the network controller 16. This Netmain program follows a normal process control timeline, such as indicated by the ~Do Process Control' blocls 2502. Nevertheless, at an early point in the main loop of the Netmain program, it is detemmined whether a downloading operation has been requested (diamond 2504). This request is deterrnined by checking for the presence of a DOWNLD- bit, which is set in the flow chart shown in Figure 258. H the DOWNLD bit is set, then the Netmain program will jump to the GET_CODE routine 2506 shown generally in Figures 25C-25E. Otherwise, norrnal process control functions, such as transferring data received from the field computer units lZ to the process control computer 14, will be :, 35 performed, assuming that ~he process control computer has not been taken off its process control regimen.

t ~ .
WO 93/2048~ PCI /US93/0225 Thereatter, the NCOMM routine 2508 will be performed. This routin~ is shown ~, through the fiow chart o~ Figure 2sP. As indicated by this flow chart, the NCOMM routine relates to the loading of updated sof~ware into the Middle controller g4 of th~ field c~omputer units 12. More specifically, the NCOMM routine will check to see if a command has been S entered to load the Middle controllers 94 with updated software (diamond 2510). As will be appreciated from the description below of the CBTDEC routine of Figure 25R, the requ~st for a Middle download may be entered by an operator through the debug panel 18. If a Middle download request has been made, then a specific command will be sent downstream by the network controller (block 2512) to all of the field computer units 12 through a Send Command 10 routine 2514 shown in Figure 25Q. While it is preferred that all of the Middle controllers 94 be updated together, it should be appreciated that in the appropriate application it may be permit a selection of some but not all Middle controllers 94.
The Middle download command will be received and acted upon by the BCOMM routine 2516 of Figure 24D, which is contained in each of the breakout circuits 26 15 connected to one of the process control computer 14a-14b. The BCOMM routine 2516 will pass the Middle download command to all of its output ports to eventually be acted upon by the FCOMM routine 2518 in each of the field comp~ner units 12. The FCOMM routine is shown in Figure 24C. The FCOMM routine 2518 writes the Middle download command into XRAM, where it is read by the SIDE LOAD routine 2520 of Figures 26Q-26R. The SIDE LOAD
20 routine 2520 in the I eft controller 92 or the Right controller 96 determines the port address of the Middle controller 94, sends the Middle download command to thc Middle controller, and listens for an answer. The NEIGHBOR subroutine 2522 of Figure 26S in the Middle controller 94 receives this command, sets its serial port to receive from the neighboring controller that sent the command, and then jumps out of its process control tirne line to the FIO DOWN LD
25 routine 2524 of Figures 24E-24G to receive the new software.
In the meantime, the NCOMM routine 25Q8 will enable the CHECK MID routine 2526 of Figures 26R-26S (block 2528 in Figure 26P~ and initialize a waiting period for the CHEC:K MîD routine to be executed (block 2530). The CHECK MID routine 2526 is also shown as a block in the Netmain loop of Figure 26A. The CHECK MID routine 2526 is used 30 to verify that a copy of the updated software from either the Left controller 92 or the Right controller 96 has been successfully transferred to the Middle controller g4. In this regard, the Middle controller 94 will perform checksum calculations and comparisons, and upon successful completion, it will respond to the sending controller with its checksums. These checksums may be comprised of exclusive or-, ~rotated exclusive or' and 'sum of code~
35 checksums. These checksums will ~e compared with the checksums which are embedded in the software code sent to the Middle controller 94. The sending controller will compare the WO 93/2~48~ 2 1 3 1 1 ~ 6 PCr/US93/02~s3 ,. ~. .

checksum from the Middie controller 94, and ~ they agree with its own checksums, then a bit will be set in a byte which will be transmitted to the network controller 16 during normal input communication.
Once all of the Good Checksum messages have been received by the network controller 16, then a similar confirmation message will be displayed on the debug panel 18 of the network controller 16. The display of the Good Checksum message on the debug panel 18 will enable the operator to know that the Middle controller 94 may be started up on the new sofh~are. In this regard, the operator may then depress the buttons on the debug panel 18 which will cause a ~Transplant' command to be sent to each of the field computer units 12 via the NCOMM routine 2508 of Figure 26P. However, if a checksum error has been detected, then a ^Cold Feet~ command will automatical~ be sent to all of the field computer units via the NCOMM routine 2508. The Cold Feet command will cause the Middle controllers 94 to start up (that is, be reset) using the old or prior so~ware. A suitable message to this effect will also be disp!ayed on the debug panel 18.
The relevant portion of the common button decoder~CBTDEC~ routine 2528 is shown in Figure 25~. The CBTDEC routine 252B is referred to as being comrnon in that ~- ~ it is preferably contained in each of the interface system components that contain a debug panel (that is, the network controllers 16, the breakout circuits 26 and the field computer units 12). This is why 1he CBTDEC routine 2528 corltains a determination as to whether this component is a network controller 16 for each of the functions listed (for example, diamond 2530). Each of the functions identified in the CBTDEC routine refer to a specific downloading - . operation. Thus, for example, the Function 1 E is used to initiate the downloading of updated software into the Middle controllers 94. As indicated by diamond 2S32, the interface system 10 will only permit the Middle download command to be transmitted after at least one of the Left or Right controllers has successfully received updated software. Once the operator has ~- depresseci theappropriate debug panel buttons, then the MID LOAû bit will be set (block 2534~. One or more messages may then be displayed on the debug panel, such as ~Loading Middle Field ItO- (display block 2536).
Function 1 D is used to automatically cause the Cold Feet command to be sent ~.
I
to all of the components to whom new software code was addressed. In this regard, the downloaded software code will be ignored, and the components will startup on the old software code.
Similarty, Function 1 C is used to enable the operator to cause the Transplant ~ ~ command to be sent to all of the devices to whom new software code was addressed. The -~ 35 Transplant command can also be sent via the NCOMM routine 2508 to start the Middle controller 94 on the new software code if the network controller 16 is executing its process W093/Z04!18 PCI/US93/02~53 102 ~ ~ f~
control time line. Once this command is received, then the REPROG routine 2538 of Figure 26D will be executed. The REPROG routine 2538 will cause the newly downloaded software to be copied from data memory ffor example, XRAM) into program memory. It should be noted that the CBTDEC routine 2528 will not permit the Transplant command to be sent if the S checksum verifications have indicated the presence of an error (diamond 2540).Function 1 B is used to move new software from one ot the process control computers 1 4a-1 4b to the XRAM circuit contained in ItS network controller 16. The selection of Function 1B will cause the command code ~113~ to be transmitted from the nehvork controller 16. In this regard, diamond 2542 indicates that this function will not be performed 10 if this process control computer is currentiy being used for process control. The downstream devices or interface system components which receive the new software code is determined from the start and stop' switches on the breakout circuits 26. Since the breakout circuits 26 do not know what type of device or devices they are connected to downstream, it is preferred that all of these devices will receive new code intended for the breakout circuits when that 15 option is selected. In this regard, the preferred procedure is for the new ~overheads~ software code to have an embedded program ID that may be used downstream to determine whether the receiving device should use the new somNare code. While the network controller 16 will initially know which devices are connected to it downstream from a call to the process control computer, it should be appreciated that the network controller 16 couid poll the fiber optic 20 network prior to the downloading operation ~o deterrnine which devices are currentiy connected to It.
VerHication of downloaded breakout circuit software code and field computer '!.-'' ' unit software code is accomplished at the network controller 16 i~y polling the known field computer units 12 on the fiber optic network. In this regard, it should be noted that each of 25 the breakout circuits will preferab~y verify new breakout circuit software received before transmitting this software to any devices to which they are connected. Thus, for example if the breakout circuit 26f of Figure 2 detects that ii has not received a complete or accurate transmission, ~ will not send this sofhvare to the breakout circuR 269. In one form of the present irnvention, the breakout circuits will not attempt to verify the accuracy of new field 30 computer unit software, as the breakout circuits 26 are not provided with sufficient free memory to check this software. More specffically, new field computer unit software is transmitted in two packets ffor example, 32K each), whereæ new breakout circuit software on~y requires a single transmission (for example, 32K). However, it should be understood that the memoly capacity of the breakout circuits 26 could be increased in the appropriate 35 application.
When the network controller 16 receives the checksums that agree with the WO 93/2~488 . ~ ~- 3 1 1 ~ 6 PCl /US93/~253 ~:
`'.- I ~
~03 --checksums of the transmitted program, from all of the known field computer units 12, it will presen~ the operator with a choice of starting on ~he new software code or nn the old software code via a message prompt on the debug panel 18. However, if the network controller 16 receives a bad checksum or times out whiie requesting a checksum message trom any of the t 5known field computer units ~2, then ali of these devices will be sent the Cold Feet command code to automatically cause a start up on the old software. Indeed, even if all of the known field computer units 12 sent good~ checksum messages, it is preferred that the interface system alnomatically cause a start up on the old software, if the operator does not respond to the prompted choice within a predetermined timeout period. In any event, if the time-out 10timer expires during the verification process, then the downloading operation will automatically terminate with a ~Time-Out~ message being displayed on the debug panel 18.
Once the DOWNLD bit has been set via Function lB of the CBTDEC routine 2528 (block 2544), this bit will be detected by the Netmain routine 2500 of Figure 25A. This will in turn cause the neh~ork controller 16 to jump to the GET CODE routine 2506 of Figures 25C-25E. The GET CODE routine 2506 detects what devices have been selecled for so~ware -~ updating and reacts accordingly. As indicated by diamond 2546, the Middle controller 94 in the field computer units 12 may be downloaded through the GE~ CODE routine 25û6.However, this procedure is only implemented when both of the process control computers 14a-14b are ~down' with respect to process control operations. In this case, the GET CODE
routine calls the JUMPOUT routine 2~48 shown in Figure 25H. The JUMPOUT routine 2548 will cause a one second burst of back to back download commands to be transmitted out the :- main port of the network controller 16. These consecutive download commands will cause the breakout circuits 26 andlor one side of the field computer units 12 to jump out of their process control time line, and sit in a tight receive loop (with a time-out timer running) looking for ~urther instructions upstream. From this point, the downloading and Yerification process will be automatically perforrned.
Assuming that the Middle controller 94 is not involved with the downloading process at this point, then the network corltroller will then receive new software from the process control computer 14. In one form of the present invention, this software is preferably sent in the following four blocks or packets: (1) network controller software (for example, 32K), (2) breakout circuit software ffor example, 32K), and ~3) field computer unit software (for example, two passes of 32K each). In this regard, the read ~Which One' block 2550 refers to the numbers (1), (2) or (3) for these software transfers. As the field computer unit software ,.,, ~; requires two transmissions or passes, the diamond 2552 indicates that the network controller - ~ 35 16 will check whether or not it is receiving the second pass of the number (3) software `
, :
transfer. If any other number is detected, then the transfer request will be interpreted as a ~:, WO 93/20~88 PCI/US93/0~2~3 ~5 ' ,:`' ~2~3~S6 1 04 ! `: `
~,, .
bad selection (diamond 2554), and the network controller 16 will revert to the Netmain rolnine (block 2556) Assuming that the software transfer request is acceptable, then the~network controller will determine if the sofhvare being transferred is network controller software .~ S (diamond 2558~. If the software is not network controller software, then the FIO tabie will be check to see if it is empty ~Mr ~diamond 2560 on Figure 25D). In this regard, it should be noted that the term FIO stands for Field Input/Output, and it is simply another way of referring to the field computer units. Assuming that the FIO table is not empty, or the so~ware is network software, then the network controller 16 will request the next 32K packet of software (block 2562). The network controller 16 will ~hen look for the next command code from the process control computer 14 (block 2564). The command code is received in two bytes, as indicated in Figure 25G.
Assuming that this is not the second pass for FIO software (diamond 2566), then the checksums will be stored in XFlAM (block 2568). At this point, the network controller 16 will check if this software is FIO software (diamond 257û), and verify the accuracy of the transmission if the so~ware is not FIO software (block 2572). In this regard, Figure 250 shows the flow chart of the Verify routine 2572. If the checksums did not rnatch ~hose embedded in the softwarz (diamond 2574), then a ~Bad Checksum~ message will be displayed on the debug panel 18, and the network controller 16 will revert to the exiting ~OId~ program (block 2576).
if the checksums matched those embedded in the transferred software, then the network controller 16 will check H this packet is network controller software (diamond 2578). If the software is not network controller software, then the network controller 16 will call the Jumpou~ routine 2548 of Figure 25H, and then put downstream devices in a receive loop (block 2580). The network control~er 16 will then request the next software transfer (block 2582). The ne~vork controller 16 will then check H the received software is FIO software (diamond 25~4). If the software is FIO so~ware, then a check will be made to see if this is the first or second pass (diamond 2586). If it is the first pass, then the network controller 16 will bump the Which One- number to (4) to set up the second pass (block 2588). If this was the second pass, then the network controller will call the VerHy Downloaded Program routine 2590 shown in Figures 25K-25N. Assuming that the \/eri~y Downloaded Program routine 2590 did '.j not terminate with a revert to Old Program block, then the a message will be displayed on the ~, debug panel 18 (block 2592), which will perrnit the operator a choice of implemerlting the New .~3 Program (block 2S94) or reverting to the Old Program (block 2596).
~35 Figure 251 shows the New Program routine 2594, while Figure 2~ shows the '~ Old Program routine 2596. In this regard, it should be noted that the New Program routine ~ .

., ~r '`;

WO 93/2048~ PCl ~US93/02~53 .-- . 2 1 3 ~ 6 , 1` "'`
~ 0 5 1`~
2594 calls the Reprog routine 2538 shown in Figures 26D-26F. As shown in Figure 25E, the New Program routine 2594 will be executed in response to the selection of Function lC on Figure 25B. In this r~gard, the selection of Function 1C will cause the transmission of command code ~114~ ~rom the ne~vork controller 16. Figure 25E also shows that the Old Program routine 2596 will be executed in response to the selection of Function 1 D on Figure 25B. The selection of Function 1 D wili cause the transmission of command code 115~ from the network controller 16.
It should be noted that the Verify Downloaded Program routine 2590 calls the Get One ro~nine 2598, which is shown in ~igure 25F. The Get One routine 2598 is simply a way of providing relatively large delays, such as for a one second timeout. As shown in Figure 25F, the Get One routine controls the decrementing of several counters (for example, block 2600).
' Turning now to the downloading process at the breakout circuits 26, the 8COMM routine 2516 of Figure 24D will call the Breakout Download routine 2602 of Figures 25T-251J. As shown in Figures 25T-25U, the Breakout Download routine 2602 will call various su~routines, such as the Jumpo~ routine 2604 of Figure 25Z, the Rcv Init routine 2606 of Figure 27D, and the Get t:)ne routine 2608 of Figure 25Y. The Breakout Download routine 2602 is also responsive to Yarious commands received from process control computer 14 - through the network controller 16. For example, in response to command ~118~, the Breakout Download routine 2602 will call the Check Sums subroutine 2610 of Figures 25V-25W.
Command code 118' is a request from the sending device which will cause the receiving device to send back the checksums received with the transmitted software. This will permit the sending device to compare these checksums with the embedded checksums in itsprogram memory. Similarly, in response to command '122', the Breakout Download routine 2602 will call the Receive subroutine 2612 of Figures 26A-26B. The Receive routine 2612 will in turn call the Download subroutine 2614 of Figure 25X. The Breakout Download routine 2604 will also call the Tellall subroutine 2616 of Figure 26C, which will pass the command code to downstream devices. ~:
If the software is determined to be Breakout circuit software ~diamond 2618), then the Breakout Download routine 2602 will call the verify routine VXRAM 2572 of Figure 250. If the checksums are correct (diamond 2620), then the Reprog routine 2538 of Figure ',;
26D will be executed. OthenYise, a 8ad Checksum message will be displayed (block 26Z), and the breakout circuits will ultimately revert to the existing software through a timeout implementation. Figure 25U also shows that the Breakout Download routine 2602 will also r -.~ 35 respond to the command ~115~, which is used to cause a start up on the exiting sofn~are code '~
~ (block 2624). In this regard, the Tellall subroutine 2616 will be called to pass this command i , .

:

WO 93t2048~ PCl /US93/02~53 ~ `3 `~ G 1 06 ~ ~ , downstream, and then a jump will be made back to the main program for the breakout circuits 26 (block 2626) $`
Refening again to Figures 24E-24G, it will be appreciated that the FIO
Download routine 2524 has a number of similanties to the ~reakout Download routine 260 of Figures 25T-25U. Thus, for example, the FIO Download routine 2524 will call the Receh/e routine 2524 of Figure 26G in response to command ~122~. Additionally, the receipt of command ~114 will cause the field computer units 12 to determine if the downloaded code is FIO software (diamond 2628). !f the sof~ware received is not FIO software, then the Old Program subroutine 2630 of Figure 271 will be called. Othe~ise, the verify routine 2572 of Figure 250 will be called.
It should also be noted that the FIO Download routine 2524 will call the Neighbor subroutine 2632 in response to command 123~. The Neighbor subroutine 2632 is shown in Figures 26J-26K. The Neighbor subroutine 2632 is used to transfer new software from one controller 100 to both of the neighboring controllers in the same field computer unit 12. In this regard, the Neighbor subroutine 2632 causes the serial port to be pointed at the Neighbor1 controller (block 2634), and a burst of command code '113- signals is sent to get the neighboring controller out of its process control time line (block 2636). The serial port is then pointed at the Neighbor2 controller (block 2638), and the command code '113- signals are sent to this control!er (block 2640). An enable data mode command code ~122~ is also 20 sent to these controllers. Upon receiving the command code 'lZ-, the neighboring controllers will branch to the Receive sub-routine 2524, and then perform the checksum test with the Verify routine 2572.
Figure 24G also shows that the FIO Download routine 2524 wili check for command code ~124~ (diamond 2642). This command code is a request for the neighboring 25 controller which received new software to send the checksums back to the sending controller.
In this regard, it should be noted that the sending controller will wait a sufficient period of time for the neighboring controller to receive and verify the software before transmitting command code '124-. If the checksums match the embedded checksums in the sending controller's program, then the process will be repeated for the other neighboring controller. If the 30 checksums do not match, then the downloading process is terminated by the sending controller jumping to the start of its main program.
Referring to Figure 26\t, a flow chart of the My Side Receive routine 2644 is shown. Due to the tact that the programs for the field computer units 12 are stored in RAM, the My Side Receive routine 2644 is used for loading the overheads software into a controller 100 which has just been installed in a field cornputer unit. The My Side Receive routine 2644 begins with a search for a program source. In this regard, the new controller will point to its W0 93/2048X PCr/US93/02253 '' 1o721311S~ 1' Neighbor1 controller (block 2646), and then call the Neighbor subroutine 2648 of Figure 26W.
The Neighbor subroutine 2648 will send a command code ~120~ signal to this neighboring controller (block 2650), and then it listens for a command code ~121- signal reply (block 2652).
If the new controller does not receive the expected reply within the timeout period set, then i 5 it will repeat the process with the Neighbor2 controller (block 2654). Again, if the expected reply is not received, lhen the new controller will point to the main serial port (block 26~6) in order to receive its program software from the interface network. If the new controller detects a cornmand code ~13~ while it is pointing at its main port, then it will jump to the FIO
Download routine 2524 to receive its software as explained above.
10If the new controller does receive the expected command code '121', then the Command subroutine 26~8 of Figures 26X-26Y will be called to receive the overheads software. If the neighboring controller in module Side Load of Figures 26Q-26R r eceives the command code ~1~0~, it will remember which port address this request came from, answer with the command code ~121-, and write this command code into the ~DOWN- byte~in XRAM.
15 On ~he next invocation of the Side Load routine, the sending neighbor will send the command code 122' to the new controller in order to put this controllet into a data receiving mode, and send a block of program memory from its own program memory 'PRAM'. In this method of program transfer, the new software in written directly into the program memory of the receiving controller, and verification is not attempted until the program begins to run. If the transfer is 20 unsuccessful, then the entire My Side Receive routine will be repeated again.The present invention has been described in an illustrative manner. In this regard, it is evident that those skilled in the art once given the benefit of the foregoing disclasure, may now make modifications to the specific embodiments described herein without departing from the spirit of the present invention. Such modifications are to be considered 25 within the scope of the present invention which is limited solely by the scope and spirit of ~he appended claims.

!~

Claims (94)

WHAT IS CLAIMED IS:

(A)
1. Field computer unit (12) having a set of at least three redundant computers (92, 94, 96), comprising:
means (1000, 1100) associated with said redundant computers (92, 94, 96) for receiving and independently arbitrating analog and digital signals for both input and output channels of said field computer unit (12), and means for processing said independently arbitrated output signals from each of said redundant computers through a set of output circuits (500, 600) associated with said output channels, each of said output circuits having abort means (510, 606) for preventing the transmission of a field output value signal from one of said redundant computers to a process control device (84, 86) connected to said output circuits, wherein each of the correspondingly arbitrated output signals is communicated to said process control device (84, 86) unless aborted.
2. Field computer unit according to Claim 1, wherein each of said output circuits includes an individual abort circuit (510; 606) for each of said output channels, the output conductors for each of said individual abort circuits for a particular output channel being connected together so that a set of at least three individual abort circuits (510; 606) provides a common output for said process control device (84; 86).
3. Field computer unit according to Claim 2, wherein each of said redundant computers (92, 94, 96) transmits an output signal value to one of said abort circuits (510; 606) in said set of abort circuits for each of said output channels, and each of said redundant computers also transmits a individual abort signal value to the remaining abort circuits (510; 606) in said set of abort circuits for each of said output channels.
4. Field computer unit according to one of the preceding Claims, whereby any two neighboring redundant field computers are capable of inhibiting the transmission of the arbitrated output signals of a third of said redundant field computers.
5. Field computer unit according to one of the preceding Claims, wherein each of said abort means (510, 606) includes a set of abort switches (518, 520;
DN1, DN2) for each arbitrated output signal of a redundant field computer, each of said abort switches being controlled by a neighboring redundant field computer, such that the combined opening of said abort switches for a specific output channel operates to inhibit the transmission of the arbitrated output signal for that output channel.
6. Field computer unit according to Claim 5, wherein the abort switches are in an open condition for any output channel which has an arbitrated output value of zero.
7. Field computer unit according to Claim 5 or 6, wherein any of said redundant field computers is capable of requesting that its neighboring redundant field computers open their abort switches for at least one of said output channels.
8. Field computer unit according to one of the preceding Claims, wherein each of said redundant field computers includes an analog output circuit (600) which compares its arbitrated analog output signals with the analog output signals actually transmitted to each process control device (86), and if a deviation beyond a predetermined limit is detected by one of said analog output circuits (600), then said analog output circuit (600) will force its arbitrated analog output signal to a non-contribution level.
9. Field computer unit according to Claim 8, wherein each of said analog output circuits (600) has self-regulating means for causing an arbitrated analog output signal to reach a desired output level commanded by the redundant computer for said analog output circuit in a manner which is independently determined by said self-regulating means.
10. Field computer unit according to one of the preceding Claims, including dedicated neighbor to neighbor communication means (102) between each of said redundant computers for enabling any two of said redundant computers to hold the remaining redundant computer in a reset condition.
11. Field computer unit according to one of the preceding Claims, wherein each of said redundant computers includes a computer processor (U40) and serial input circuit means (116, U11) for enabling said computer processor to receive serial input signals from a plurality of analog and digital signal sources over a single conductor, including individual neighbor communication signals from each of the other of said redundant computers.
12. Field computer unit according to one of the preceding Claims, wherein said arbitration means (1000, 1100) includes plurality of software selectable default input and output conditions.
13. Field computer unit according to one of the preceding Claims, further including at least one analog input circuit (300) for each of said redundant computers (92, 94, 96), each of said analog input circuits (300) having selectable mode means for reporting a plurality of different input pulse signals over a predetermined time period, said selectable mode means including a first mode for reporting a pulse count and a second mode for reporting an average frequency value.
14. Field computer unit according to Claim 13, wherein each of said output circuits includes means for permitting said redundant computers to perform non-intrusive testing of said output circuits.
15. In a process control system having process computer means (14) for making process control decisions which affect a physical process, a distributed interface system (10), characterized by:
a plurality of self-contained remotely located triply redundant field computer units (12) according to one of the preceding claims having a set of three redundant computers (92, 94, 96), said field computer units being connected to said computer means through a communication network having at least two active bi-directional communication channels (46, 48), wherein said means associated with said redundant computers for receiving and independently arbitrating analog and digital signals of each of said triply redundant field computer units includes means (200) for receiving raw analog and digital input signals from sensors associated with said physical process, means (92, 94, 96) for arbitrating each of said input signals, means (902) for transmitting said arbitrated input signals to said process computer means via said network, means (900) for receiving output value signals from said process computer means, means (92, 94, 96) for providing independent redundant arbitration of said output value signals received from said process computer means, and wherein said means (500, 600) for processing each of said arbitrated output value signals comprise a set of individual abort circuits (510, 606) which are connected to a device (84, 86) associated with said physical process.
16. Distributed interface system according to Claim 15, wherein said network includes network controller means (16) for individually changing the direction of communication signal flow on at least one signal distribution level over each of said communication channels (46, 48).
17. Distributed interface system according to Claim 15 or 16, wherein said network includes a plurality of interconnected breakout circuits (26) for directing bi-directional serial communications between said process computer means (14) and each of said triply redundant computer units (12).
18. Distributed interface system according to Claim 17, wherein a first of said breakout circuits (26) is connected to said process computer means (14) to direct communication from said process computer means (14) to predetermined groups of said triply redundant computer units (12), and a plurality of second breakout circuits (26) are connected to said first breakout circuit to direct communication to specific triply redundant computer units, each of said second breakout circuits (26) being connected to a plurality of said triply redundant computer units (12).
19. Distributed interface system according to claim 17 or 18, wherein a plurality of first breakout circuits (26) are connected to form a ring with said network controller means (16), which ring enables signals to be transmitted in either direction around said ring, wherein at least one of said first breakout circuits (26) is connected with at least one second breakout circuit (26) and wherein each of said second breakout circuits (26) is connected with a plurality of said triply redundant computer units (12).
20. Distributed interface system according to Claim 18 or 19, wherein each of said breakout circuits (26) includes means for enabling any of said breakout circuits (26) to be configured as first or second breakout circuits.
21. Distributed interface system according to one of Claims 17 to 20, wherein each of said breakout circuits (26) includes means for enabling any of said breakout circuits (26) to repeat received signals at a predetermined signal strength.
22. Distributed interface system according to one of Claims 15 to 21, wherein said network includes means (16) for broadcast downloading of updated software from said process computer means (14) to a plurality of said triply redundant field computer units (12) through said network.
23. Distributed interface system according to one of Claims 16 to 22, wherein each of said communication channels (46, 48) forms a physical fiber optic ring connected to said process computer means (14) on a first level of signal distribution for said network.
24. Method of controlling an analog device (86) from a field computer system in particular according to one of Claims 1 to 14, said field computer system having at least three redundant computers (92, 94, 96) with an analog output circuit (600) for each of said redundant computers whose output signals are coupled to a common control input of said analog device (86), comprising the steps of:
independently determining at each of said analog output circuits (600) whether the summed output of said analog output circuits (600) sent to said analog device (86) deviates from the analog level of their control input to said analog device (86) by a predetermined limit;
any of said analog output circuits (600) finding such a deviation independently forcing their analog outputs to a level which does not enable it to contribute to the analog level supplied to the control input to said analog device (86);
determining if more than one of said analog output circuits (600) have forced their analog output signals to said non-contribution level; and if more than one of said analog output circuits (600) have forced their analog output signals to said non-contribution level, then restoring the analog output signals of such analog output circuits to the level commanded by their respective redundant computers, and forcing the analog output signal of the remaining analog output circuit to said non-contribution level.
25. Method according to Claim 24, wherein said non-contribution level is a substantially zero output level.
26. Method according to Claim 24 or 25, wherein each of said analog output circuits (600) independently makes said determination of whether it is generating an analog output signal whose level deviates beyond said predetermined limit.
27. Method according to Claim 26, wherein each of said analog output circuits (600) periodically performs a non-intrusive testing procedure which includes the step of:
forcing its analog output to at least one testing level which does not enable the analog output circuit to substantially contribute to the analog level of the control input to said analog device (86);
determining if its analog output signal has achieved said testing level; and restoring the analog output signal of the tested analog output signal back to the level commanded by its redundant computer.
28. Computer implemented method of controlling a process with substantial tolerance to faults in a computer system having a set of redundant process control computers (14a, 14b), and a field computer unit (12) which is capable of both receiving a plurality of raw analog and digital signal inputs from sensors (58, 60, 62) associated with said physical process and generating output signals to at least one process control device (84, 86), characterized by:
converting at least some of said raw input signals into arbitrated input value signals in at least three redundant field computers (92, 94, 96 contained in said field computer unit (12), concurrently transmitting at least some of said arbitrated input value signals to said set of redundant- process computers (14a, 14b) over a plurality of communication channels (46, 48), concurrently transmitting output value signals from at least two of said redundant process computers to said field computer unit (12) over said plurality of communication channels, independently arbitrating said output value signals at each of said redundant field computers such that each of said redundant field computers generates an individual arbitrated output signal for each of said output value signals received by said field computer unit, and processing said arbitrated output signals through an output enforcement arrangement (510, 606) which is capable of inhibiting the transmission of at least one of said arbitrated output signals to said process control device, wherein any two neighboring redundant field computers are capable of inhibiting the transmission of the arbitrated output signals of a third of said redundant field computers.
29. Method according to Claim 28, wherein each of said redundant field computers includes an analog output circuit (600) which compares its arbitrated analog output signals with the analog output signals actually transmitted to each process control device (86), and if a deviation beyond a predetermined limit is detected by one of said analog output circuits (600), then said analog output circuit will force its arbitrated analog output signal to a non-contribution level.
30. Method according to Claim 28 or 29, wherein said output enforcement arrangement (510, 606) includes a set of abort switches (518, 520; DN1, DN2) for each arbitrated output signal of a redundant field computer, each of said abort switches being controlled by a neighboring redundant field computer, such that the combined opening of said abort switches for a specific output channel operates to inhibit the transmission of the arbitrated output signal for the output channel.
31. Method according to Claim 30, including the step of opening the abort switches for any output channel which has an arbitrated output value of zero.
32. Method according to Claim 30 or 31, wherein any of said redundant field computers (92, 94, 95) is capable of requesting that its neighboring redundant field computers open their abort switches for at least one of said output channels.
33. Method of processing input and output signals in a field computer unit (12) having at least three redundant computers (92, 94, 96), characterized by the steps of:
arbitrating (1000, 1100) a plurality of corresponding input data signals independently at each of said redundant computers by majority voting and employing one of a plurality of software selectable input value conditions in the event that a majority agreement cannot be reached among corresponding input signals;
arbitrating (1068, 1274) a plurality of corresponding output data signals independently at each of said redundant compute-s by majority voting and employing one of a plurality of software selectable output value conditions in the event that a majority agreement cannot be reached among corresponding output signals.
34. Method according to Claim 33, wherein the majority voting for analog data comprises the steps of:
- calculating the differences between each pair of data to be arbitrated;
- determining those pairs of data whose differences do not exceed a predetermined tolerance value;
- selecting from those pairs one data according to a predetermined selection rule, which rule is independent of the values of the data.
35. Method according to Claim 33 or 34, including the steps of validating said input and output data signals, and permitting only valid data signals to be arbitrated.
36. Method according to Claim 35, wherein said software selectable input value conditions include a Select-High condition and a Select-Low condition.
37. Method according to Claim 36, wherein said software selectable output value conditions include a Fail-Safe condition and a Fail-Last condition.
38. Method according to Claim 37, wherein said software selectable input and output value conditions may be changed with each process control cycle.
39. Method according to one of Claims 33 to 38, including the steps of subjecting pairs of corresponding analog input data signals to at least one tolerance test, and permitting the arbitration of only those analog input data signals which pass said tolerance test.
40. Method according to Claim 39, wherein pairs of corresponding analog input data signals are subjected to both a wide and narrow tolerance test, the passing of said narrow tolerance test being required to qualify corresponding analog input data signals for arbitration during an initial process control cycle, and the passing of said wide tolerance test being required to continue qualifying corresponding analog input data signals for arbitration during a subsequent process control cycle.
41. Method according to Claim 40, wherein a difference value is determined between each of the corresponding analog input signals, and the corresponding difference value for an immediately preceding process control cycle is summed to the arbitrated analog input value for the current process control cycle.
42. Method according to one of Claims 37 to 41, wherein the analog output value closest to the last arbitrated analog output value will be selected during a Fail-Last condition.
43. Method according to one of Claims 33 to 42, wherein a signal indicative of a specific disagreement between both corresponding input and output data signals will be generated.

(B)
44. In a field computer unit (12) having at least one controller circuit (100) and a plurality of output circuits (500, 500), a power supply system (50), characterized by:
means (906, 918) for providing a plurality of electrical power lines having different voltage levels;
means for providing at least one backup battery source (52) of electrical power;
means (K2, 910) for charging said battery source (52) from one of said electrical power lines;
means (K1, IU9) for periodically testing the electrical storage capacity of said battery source (52) under a high current load condition; and means (912, 918) for conserving the available electrical power from said battery source (52) when the electrical storage capacity of said battery source (52) reaches a first predetermined threshold by inhibiting the transmission of electrical power from at least one of said electrical power lines to said output circuits (500, 600).
45. The invention according to Claim 44, further including means (912, 918) for turning off electrical power from said battery source (52) when the electrical storage capacity of said battery source (52) reaches a second predetermined threshold.
46. The invention according to Claim 44 or 45. wherein said means for testing the electrical storage capacity of said battery source (52) includes switching means (K1) for alternatively connecting said battery source to a high and low current drawing load, and detecting means (IU3,...) for measuring the voltage level of said battery source (52) when said battery is connected to said high current drawing load.

(C)
47. A method of controlling at least three redundant computers (92, 94, 96), characterized by the steps of:
detecting the presence of a predetermined error condition associated with a neighboring redundant computer at each of said redundant computers;
requesting a reset condition for a neighboring redundant computer when one of said redundant computers detects said predetermined error condition; and causing (102) a reset condition for a neighboring redundant computer when two of said redundant computers detect said predetermined error for said neighboring redundant computer.
48. The method according to Claim 47, wherein said neighboring redundant computer for which said predetermined error was detected is temporarily reset.
49. The method according to Claim 48, wherein a neighboring redundant computer which has been temporarily reset is permanently disabled when said predetermined error condition is detected again by two of said redundant computers after a predetermined period of time has elapsed.
50. The method according to one of Claims 47 to 49, wherein said predetermined error condition is a failure to communicate.
51. The method according to one of Claims 47 to 50, wherein each of said redundant computers monitors at least one of its power supply lines, and any of said redundant computers is capable of causing a reset condition for itself when said monitored power supply line drops below a predetermined level.

(E)
52. A method of conducting passive non-intrusive testing of a set of corresponding digital output circuits (500, 502, 504) in a field computer unit having at least three redundant computers (92, 94, 96), where each of said digital output circuits having a plurality of output channels, with corresponding output channels of said digital output circuits being connected with a common port (506), comprising the steps of:
providing a predetermined period of time in which to conduct a passive test of a plurality of said output channels; and conducting passive testing (1400) of a plurality of said output channels during said predetermined period of time, said passive testing for each of said plurality of output channels including the steps of comparing the magnitude of a first signal (TEST L, TEST M, TEST R) associated with the respective digital output circuit with a first predetermined high test level (19V) when said channel is On, and comparing the magnitude of a second signal (TRACK) associated with the common port (506) with a predetermined low track level (4.4V) when said channel is Off, said first and second signals being different signals and each of said comparing steps providing a determination of a different error condition.
53. The method according to claim 52 for passive non-intrusive testing of a set of corresponding digital output circuits (500, 502, 504) in a field computer unit having at least three redundant computers (92, 94, 96), where each of said digital output circuits having a plurality of output channels, with corresponding output channels of said digital output circuits being connected with a common port (506), wherein said first and second signals provide an indication of the voltage level on opposite sides of said respective diode (524) through which a high output signal from said digital output circuit is transmitted to said common port (506).
54. The method according to Claim 52 or 53, including the step of comparing the magnitude of said first signal with a second predetermined high test level (15.8V) when the output channel being passively tested is Off.
55. The method according to Claim 54, including the step of comparing the magnitude of said second signal with a predetermined minimum track level (0.240V) when the output channel being passively tested is Off and the magnitude of said second signal is below said predetermined low track signal (4.4V).
56. The method according to one of Claims 52 to 55, including the step of comparing said first and second signals to determine the presence of a voltage drop across said diode (524) when the output channel being tested is Off.
57. The method according to one of Claims 52 to 56, wherein said output channels are sequentially tested during said predetermined time period.
58. The method according to Claim 57, wherein the output channels for each of said corresponding digital output circuits are tested during different predetermined time periods.
59. The method according to one of Claims 52 to 58, including the step of temporarily stopping the passive testing for an output channel when it is determined that the output channel being tested has changed digital states.
60. A method of actively non-intrusively testing a digital output circuit (500) in a field computer unit (12) having at least three redundant digital output circuits (500, 502, 504) which are each controlled by a correspondingly redundant computer (92, 94, 96), where each of said digital output circuits has a plurality of output channels and each of said output channels has a power switch (516) controlled by one of said redundant computers and a set of abort switches. (518, 520) which are each controlled by a neighboring redundant computer, comprising the steps of:
(a) selecting a first output channel to be actively tested on one of said digital output circuits;
(b) determining whether the selected output channel is in an On condition where said power switch is closed and at least one of said abort switches is closed, or an Off condition where at least said power switch is open;
(c) conducting a series of active-Off tests if the selected output channel is in an Off condition;
(d) conducting a series of active-On tests if the selected output channel is in an On condition;
(e) selecting the next output channel to be actively tested on one of said digital output circuits, and repeating steps (b) through (d) for the next output channel to be actively tested; and (f) periodically repeating steps (b) through (e) until all of said output channels for all of said digital output circuits are actively tested.
61. The method according to Claim 60, wherein said series of active-Off tests includes the steps of individually closing and then opening each of said abort switches for the selected output channel of the digital output circuit being actively tested in sequence, and determining if a test signal level changes by a predetermined magnitude in response to the closing of each of said abort switches.
62. The method according to Claim 61, said abort switches are closed in response to a command transmitted by the redundant computer conducting the active-Off testing to each of its neighboring redundant computers, and said abort switches are subsequently opened by each of said neighboring redundant computers after a predetermined period of time.
63. The method according to Claim 61, wherein said series of active-Off tests includes the step or closing and then opening said power switch while all of said abort switches are open.
64. The method according to Claim 60, wherein said series of active-On tests includes the steps of:
(a) opening said power switch while all of said abort switches are closed, determining whether said test signal level changes by a first predetermined magnitude; and closing said power switch;

(b) opening and then closing each of said abort switches in turn, and determining whether said test signal level has changed;
(c) opening all of said abort switches, determining whether said test signal level has changed by a second predetermined magnitude; and (d) opening said power switch and all of said abort switches, determining whether said test signal level has changed by a third predetermined magnitude, closing said power switch, and closing all of said abort switches.
65. The method according to Claim 64, said abort switches are closed in response to a command transmitted by the redundant computer conducting the active-On testing to each of its neighboring redundant computers, and said abort switches are subsequently opened by each of said neighboring redundant computers after a predetermined period of time.
66. The method according to Claim 65, wherein each of said neighboring computers determines whether the commands received from the redundant computer conducting said active-On testing can be executed, and each of said neighboring computers echoes back to the redundant computer conducting said active-On testing each command received that can be executed.
67. A method of non-intrusively testing a digital output circuit (500) in a field computer unit having at least three redundant digital output circuits (500, 502, 504) which are each controlled by a correspondingly redundant computer (92, 94, 96), where each of said digital output circuits has a plurality of output channels and each of said output channels has a power switch (516) controlled by one of said redundant computers and a set of abort switches (518, 520) which are each controlled by a neighboring redundant computer, said method using the method of conducting passive non-intrusive testing according to one of Claims 52 to 59 and the method of conducting active non-intrusive testing according to one of Claims 60 to 66, said method comprising the steps of:
providing a predetermined period of time in which to conduct a passive test of a plurality of said output channels;
conducting passive testing of a plurality of said output channels during said predetermined period of time regardless of whether said output channels are On or Off, selecting at least one of said output channels for one of said digital output circuits for active testing after said predetermined period of time has expired; and conducting a series of active tests, said active tests including a plurality of active-Off tests if the selected output channel is in an Off condition and a plurality of active-On tests if the selected output channel is in an On condition.
68. The method according to Claim 67, wherein said passive testing for each of said plurality of output channels including the steps of comparing the magnitude of a first signal with a first predetermined high test level when said channel is On, and comparing the magnitude of a second signal with a predetermined low track level when said channel is Off, said first and second signals being different signals associated with said digital output circuit and each of said comparing steps providing a determination of a different error condition.
69. The method according to Claim 67, wherein said plurality of active-Off tests includes the steps of individually closing and then opening each of said abort switches for the selected output channel of the digital output circuit being actively tested in sequence, and determining if a test signal level changes by a predetermined magnitude in response to the closing of each of said abort switches.
70. The method according to Claim 67, wherein said plurality of active-On tests includes the steps of:
(a) opening said power switch while all of said abort switches are closed, determining whether said test signal level changes by a first predetermined magnitude, and closing said power switch;
(b) opening and then closing each or said abort switches in turn, and determining whether said test signal level has changed;
(c) opening all of said abort switches, determining whether said test signal level has changed by a second predetermined magnitude; and (d) opening said power switch and all of said abort switches, determining whether said test signal level has changed by a third predetermined magnitude, closing said power switch, and closing all of said abort switches.
71. A method of non-intrusively testing an analog output circuit (600) in a field computer unit (12) having at least three redundant analog output circuits (600, 602, 604) which are each controlled by a correspondingly redundant computer (92, 94, 96), where each of said analog output circuits has a plurality of output channels and each of said output channels has an analog signal driver (608) which is responsive to one of said redundant computers and a set of abort switches (DN1, DN2) which are each controlled by a neighboring redundant computer, comprising the steps of:
(a) selecting one of said analog output circuits to undergo said non-intrusive testing;
(b) causing an analog signal driver for at least one of said output channels of said selected analog output circuit to reduce its analog signal level to a predetermined level over a period of time which will permit at least one of said neighboring redundant computers to increase its analog signal level output in order to maintain the analog signal level provided to a field device for this output channel before said non-intrusive testing was begun;
(c) determining if the analog signal level provided to said field device was reduced by a predetermined amount during the time that that analog signal level from said analog signal driver was being reduced; and (d) restoring the analog signal level output of said analog signal driver to the analog signal level provided before it was reduced.
72. The method according to Claim 71, wherein the analog signal level output from a plurality of analog signal drivers for said selected analog output circuit are concomitantly reduced, so that a plurality of said output channels are tested during the same period of time.
73. The method according to Claim 72, wherein the analog signal level output from all of said analog signal drivers for said selected analog output circuit are concomitantly reduced, so that all of said output channels are tested during the same period of time.
74. The method according to Claim 71, wherein said predetermined level is a level where the analog signal driver no longer provides a substantial contribution to the analog signal level transmitted to said field device.
75. The method according to Claim 74, wherein said predetermined level is a substantially zero level contribution.
76. The method according to Claim 71, wherein the analog signal level output of said analog signal driver is restored to the analog signal level provided before it was reduced in the event that it was determined that the analog signal level provided to said field device was reduced by said predetermined amount during the time that that analog signal level from said analog signal driver was being reduced.
77. A method of non-intrusively testing an analog output circuit (600) in a field computer unit (12) having at least three redundant analog output circuits (600, 602, 604) which are each controlled by a correspondingly redundant computer (92, 94, 96), where each of said analog output circuits has a plurality of output channels and each of said output channels has an analog signal driver (608) which is responsive to one of said redundant computers and a set of abort switches (DN1, DN2) which are each controlled by a neighboring redundant computer, comprising the steps of:
(a) selecting one of said analog output circuits to undergo said non-intrusive testing;
(b) determining if the analog signal level provided by an analog signal driver for at least one of said output channels of said selected analog output circuit is below a predetermined threshold level;

(c) causing said analog signal driver to increase its analog signal level to a predetermined test level which will not change the analog signal level provided to a field device for this output channel;
(d) determining if the analog signal level output from said analog signal driver was able to achieve said predetermined test level.
78. The method according to Claim 77, wherein said predetermined test level is a voltage level which is below the forward cut-in potential of a blocking diode in the output channel of said selected analog output circuit.

(F)
79. In a process control system having process computer means (14) for making process control decisions which affect a physical process, a distributed interface system (10), characterized by:
a plurality of self-contained remotely located field computer units (12) connected to said computer means (14) through a communication network having at least two active bi-directional communication channels (46, 48), each of said field computer units including means (200) for receiving raw analog and digital input signals from sensors associated with said physical process, means (900) for receiving output value signals from said process computer means, wherein on a first level of signal distribution for said network each of said communication channels comprises a ring connecting said process computer means (14) and a plurality of breakout circuits (26) within said ring and wherein on a second level of signal distribution for said network each of said breakout circuits (26) is connected to a plurality of said field computer units (12) for directing bi-directional serial communications between said process computer means (14) and each of said field computer units (12).
80. Distributed interface system according to Claim 79, wherein said network includes network controller means for individually changing the direction of communication signal flow on said first signal distribution level over each of said communication channels.
81. Distributed interface system according to claim 79 or 80, wherein each of said breakout circuits (26) (first breakout circuits) in said ring is connected with at least one second breakout circuit (26), each of said second breakout circuits (26) being connected to a plurality of field computer units (12).
82. Distributed interface system according to Claim 81, wherein each of said breakout circuits (26) includes means for enabling any of said breakout circuits (26) to be configured as first or second breakout circuits.
83. Distributed interface system according to one of Claims 79-82, wherein each of said breakout circuits (26) includes means for enabling any of said breakout circuits (26) to repeat received signals at a predetermined signal strength.
84. Distributed interface system according to one of Claims 79-83, wherein said network includes means for broadcast downloading of updated software from said process computer means (14) to a plurality of said field computer units (12) through said network.
85. Distributed interface system according to one of Claims 79-84, wherein said ring comprises a physical fiber optic ring.
86. A method of directing communications in a distributed interface system (10) according to one of Claims 79 to 85 for a process control computer (14) having a network controller (16) which provides bi-directional communication between said process control computer and a plurality of field computer units (12), characterized by the steps of:
providing communication link between a plurality of first breakout circuits (26b), such that a ring is formed with said network controller which enables signals to be transmitted in either direction around said ring;
providing a communication link between each of said first breakout circuits (26b) and a plurality of said field computer units (12);
transmitting a message around said ring in one direction, and then transmitting said message around said ring in the opposite direction;
determining if a reply to each of said messages was received at said network controller (16) within a predetermined period of time; and storing a communication path to each of said field computer units in response to said determination.
87. The method according to Claim 86, wherein said method is repeated before data communication is permitted with each process cycle.
88. The method according to Claim 87, wherein each of said breakout circuits (26) transmits each of said messages to their respective field computer units, and each of said field computer units transmits a reply to said messages.
89. The method according to Claim 88, wherein at least one of said messages enables each of said field computer units (12) to adjust a clock signal to a clock signal of said process control computer (14).
90. The method according to one of Claims 86-89, wherein at least two process control computers (14a, 14b) are provided, and a corresponding set of breakout circuits (26) is provided to enable bi-directional communication between each of said process control computers (14a, 14b) and each of said field computer units (12).

(I)
91. A method of concomitantly installing a revised computer program into a plurality of field computer units (12), where each of said field computer units includes at least three redundant computers (92, 94, 96), which field computer units (12) continue to generate output signals for controlling a physical process, comprising the steps of:
a) providing a communication network for transmitting signals from a source computer (14) to said field computer units (12), said communication network having a network controller (16) and a plurality of breakout circuits (26);
b) transmitting said revised computer program from said source computer (14) to a first one of said redundant computers in said field computer units through said network controller;

c) validating the transmission of said revised computer program at said first one of said redundant computers in each of said selected field computer units;
d) activating said revised computer program at said first one of said redundant computers in each of said field computer units which have received said revised computer program when said revised computer program has been validated in each of said field computer units which have received said revised computer program, wherein during said steps a) to d) the other ones of said redundant computers in each of said field computer units continue to generate said output signals.
92. Method according to Claim 51, wherein said received computer program is transmitted to one or both of the other redundant computers in the respective field computer unit via dedicated neighbor to neighbor communication means (102) between each of said redundant computers (92, 94, 96) in that field computer unit (12).
93. Method according to Claim 92, wherein said received computer program can be written directly into the program memory of the receiving redundant computer.
94. Method according to one of Claims 91 to 93, used in a distributed interface system according to one of Claims 15 to 23.
CA002131156A 1992-03-31 1993-03-15 Process control interface system having triply redundant remote field units Abandoned CA2131156A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US07/864,931 US5428769A (en) 1992-03-31 1992-03-31 Process control interface system having triply redundant remote field units
US07/864,931 1992-03-31

Publications (1)

Publication Number Publication Date
CA2131156A1 true CA2131156A1 (en) 1993-10-14

Family

ID=25344354

Family Applications (1)

Application Number Title Priority Date Filing Date
CA002131156A Abandoned CA2131156A1 (en) 1992-03-31 1993-03-15 Process control interface system having triply redundant remote field units

Country Status (12)

Country Link
US (4) US5428769A (en)
EP (4) EP1300735A2 (en)
JP (1) JPH07507889A (en)
KR (2) KR100322462B1 (en)
AU (1) AU3918393A (en)
CA (1) CA2131156A1 (en)
DE (2) DE69322626T2 (en)
ES (2) ES2128424T3 (en)
HK (2) HK1011427A1 (en)
MX (1) MX9301799A (en)
SG (1) SG55081A1 (en)
WO (1) WO1993020488A2 (en)

Families Citing this family (106)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100302223B1 (en) * 1992-06-12 2001-11-22 그래햄 이. 테일러 The secret interface for the process control computer and the method of transferring its data
US5754757A (en) * 1992-11-06 1998-05-19 The University Of Newcastle Upon Tyne Efficient schemes for constructing reliable computing nodes in distributed systems
US5666129A (en) * 1994-07-06 1997-09-09 Level One Communications, Inc. Electrical display elements for displaying multiple different conditions
EP0742504B1 (en) * 1995-05-11 2000-08-23 Siemens Aktiengesellschaft Numerical control device for a machine-tool or a robot
EP0825506B1 (en) 1996-08-20 2013-03-06 Invensys Systems, Inc. Methods and apparatus for remote process control
US6381506B1 (en) 1996-11-27 2002-04-30 Victor Grappone Fail-safe microprocessor-based control and monitoring of electrical devices
US6070250A (en) * 1996-12-13 2000-05-30 Westinghouse Process Control, Inc. Workstation-based distributed process control system
SE9702176L (en) * 1997-06-06 1998-12-07 Ericsson Telefon Ab L M A hardware design for majority elections, as well as testing and maintenance of majority elections
US6216051B1 (en) * 1998-05-04 2001-04-10 Nec Electronics, Inc. Manufacturing backup system
US6748451B2 (en) 1998-05-26 2004-06-08 Dow Global Technologies Inc. Distributed computing environment using real-time scheduling logic and time deterministic architecture
US6368367B1 (en) 1999-07-07 2002-04-09 The Lubrizol Corporation Process and apparatus for making aqueous hydrocarbon fuel compositions, and aqueous hydrocarbon fuel composition
US6383237B1 (en) 1999-07-07 2002-05-07 Deborah A. Langer Process and apparatus for making aqueous hydrocarbon fuel compositions, and aqueous hydrocarbon fuel compositions
US6368366B1 (en) 1999-07-07 2002-04-09 The Lubrizol Corporation Process and apparatus for making aqueous hydrocarbon fuel compositions, and aqueous hydrocarbon fuel composition
US6647301B1 (en) * 1999-04-22 2003-11-11 Dow Global Technologies Inc. Process control system with integrated safety control system
US7089530B1 (en) 1999-05-17 2006-08-08 Invensys Systems, Inc. Process control configuration system with connection validation and configuration
WO2000070531A2 (en) 1999-05-17 2000-11-23 The Foxboro Company Methods and apparatus for control configuration
US6788980B1 (en) 1999-06-11 2004-09-07 Invensys Systems, Inc. Methods and apparatus for control using control devices that provide a virtual machine environment and that communicate via an IP network
US6522934B1 (en) * 1999-07-02 2003-02-18 Fisher-Rosemount Systems, Inc. Dynamic unit selection in a process control system
US6419714B2 (en) 1999-07-07 2002-07-16 The Lubrizol Corporation Emulsifier for an acqueous hydrocarbon fuel
US6652607B2 (en) 1999-07-07 2003-11-25 The Lubrizol Corporation Concentrated emulsion for making an aqueous hydrocarbon fuel
US20040111956A1 (en) * 1999-07-07 2004-06-17 Westfall David L. Continuous process for making an aqueous hydrocarbon fuel emulsion
US6913630B2 (en) 1999-07-07 2005-07-05 The Lubrizol Corporation Amino alkylphenol emulsifiers for an aqueous hydrocarbon fuel
US6827749B2 (en) 1999-07-07 2004-12-07 The Lubrizol Corporation Continuous process for making an aqueous hydrocarbon fuel emulsions
US6530964B2 (en) 1999-07-07 2003-03-11 The Lubrizol Corporation Continuous process for making an aqueous hydrocarbon fuel
US6850973B1 (en) 1999-09-29 2005-02-01 Fisher-Rosemount Systems, Inc. Downloadable code in a distributed process control system
US6473660B1 (en) 1999-12-03 2002-10-29 The Foxboro Company Process control system and method with automatic fault avoidance
US6732300B1 (en) 2000-02-18 2004-05-04 Lev Freydel Hybrid triple redundant computer system
US6550018B1 (en) 2000-02-18 2003-04-15 The University Of Akron Hybrid multiple redundant computer system
US6931641B1 (en) * 2000-04-04 2005-08-16 International Business Machines Corporation Controller for multiple instruction thread processors
US7292897B2 (en) * 2000-04-28 2007-11-06 Hitachi, Ltd. Multiplexing control system and multiplexing method therefor
DE10063350C1 (en) * 2000-12-19 2002-07-18 Siemens Ag Process for monitoring data processing and transmission
US6704887B2 (en) * 2001-03-08 2004-03-09 The United States Of America As Represented By The Secretary Of The Air Force Method and apparatus for improved security in distributed-environment voting
US20020141402A1 (en) * 2001-03-08 2002-10-03 Chang Li-Tien Telecommunication auto-looper
US7552191B1 (en) * 2001-06-12 2009-06-23 F5 Networks, Inc. Method and apparatus to facilitate automatic sharing in a client server environment
JP2003177938A (en) * 2001-12-07 2003-06-27 Fujitsu Ltd Electronic device and its debugging authentication method
US6850807B2 (en) * 2001-09-10 2005-02-01 Kabushiki Kaisha Toshiba Triple redundant control device and method
US7093168B2 (en) * 2002-01-22 2006-08-15 Honeywell International, Inc. Signal validation and arbitration system and method
WO2003062932A1 (en) * 2002-01-22 2003-07-31 Honeywell International Inc. Signal validation and arbitration system and method
NO20021247D0 (en) * 2002-03-13 2002-03-13 Ericsson Telefon Ab L M Software upgrade method and system
GB0216740D0 (en) * 2002-07-18 2002-08-28 Ricardo Consulting Eng Self-testing watch dog system
DE10240584A1 (en) 2002-08-28 2004-03-11 Pilz Gmbh & Co. Safety control system for fault protected operation of critical process such as occurs in machine system operation
US7516043B2 (en) * 2003-07-31 2009-04-07 Fisher Controls International Llc Triggered field device data collection in a process control system
US7085865B2 (en) * 2003-08-21 2006-08-01 International Business Machines Corporation I/O throughput by pre-termination arbitration
US6844840B1 (en) * 2003-10-14 2005-01-18 Cirrus Logic, Inc. Successive-approximation-register (SAR) analog-to-digital converter (ADC) and method utilizing N three-way elements
US7526568B1 (en) * 2004-02-20 2009-04-28 Broadcast Pix, Inc. Integrated live video production system
US7761923B2 (en) 2004-03-01 2010-07-20 Invensys Systems, Inc. Process control methods and apparatus for intrusion detection, protection and network hardening
US7202624B2 (en) * 2004-04-30 2007-04-10 Minebea Co., Ltd. Self calibrating fan
DE102004035442B4 (en) * 2004-07-22 2006-06-01 Phoenix Contact Gmbh & Co. Kg Method and device for safe switching of an automation bus system
JP4529079B2 (en) * 2004-09-02 2010-08-25 横河電機株式会社 Control system
JP2006114149A (en) * 2004-10-15 2006-04-27 Fujitsu Ltd Semiconductor test system
JP2008518296A (en) * 2004-10-25 2008-05-29 ローベルト ボッシュ ゲゼルシャフト ミット ベシュレンクテル ハフツング Method and apparatus for switching in a computer system comprising at least two execution units
WO2006045788A1 (en) * 2004-10-25 2006-05-04 Robert Bosch Gmbh Method and device for mode switching and signal comparison in a computer system comprising at least two processing units
US8938557B2 (en) * 2004-12-23 2015-01-20 Abb Technology Ag Method for configuring field devices
JP4743508B2 (en) * 2005-11-29 2011-08-10 横河電機株式会社 Plant control system
WO2007123753A2 (en) * 2006-03-30 2007-11-01 Invensys Systems, Inc. Digital data processing apparatus and methods for improving plant performance
JP4645519B2 (en) * 2006-04-27 2011-03-09 株式会社デンソー Arithmetic processing device, control device and program
US7546486B2 (en) * 2006-08-28 2009-06-09 Bycast Inc. Scalable distributed object management in a distributed fixed content storage system
US7680034B2 (en) * 2006-11-03 2010-03-16 General Electric Company Redundant control systems and methods
US7898937B2 (en) * 2006-12-06 2011-03-01 Cisco Technology, Inc. Voting to establish a new network master device after a network failover
US7710075B1 (en) * 2007-01-31 2010-05-04 Network Appliance, Inc. Apparatus and implementation of a battery in a non volatile memory subsystem
US20090006902A1 (en) * 2007-06-29 2009-01-01 International Business Machines Corporation Methods, systems, and computer program products for reporting fru failures in storage device enclosures
US20090037996A1 (en) * 2007-07-30 2009-02-05 Shiakallis Peter P Multi-Domain Secure Computer System
US20090076628A1 (en) * 2007-09-18 2009-03-19 David Mark Smith Methods and apparatus to upgrade and provide control redundancy in process plants
US9395771B1 (en) * 2007-10-26 2016-07-19 Pce, Inc. Plenum pressure control system
DE102007054923A1 (en) * 2007-11-15 2009-05-20 Endress + Hauser Process Solutions Ag Method for operating a field device
DE102007062974B4 (en) * 2007-12-21 2010-04-08 Phoenix Contact Gmbh & Co. Kg Signal processing device
US7991535B2 (en) * 2008-02-08 2011-08-02 Gittere Robert J Portable, palm-sized data acquisition system for use in internal combustion engines and industry
US7899850B2 (en) 2008-02-22 2011-03-01 Bycast, Inc. Relational objects for the optimized management of fixed-content storage systems
CN104407518B (en) 2008-06-20 2017-05-31 因文西斯系统公司 The system and method interacted to the reality and Simulation Facility for process control
DE102008038131B4 (en) * 2008-08-18 2013-12-05 EAE Ewert Automation Electronic GmbH Redundant control system and method for the safety-related control of actuators
US8072098B2 (en) * 2008-09-29 2011-12-06 Honeywell International Inc. Remotely configurable analog/digital input circuit and related apparatus and method
US8214165B2 (en) * 2008-12-30 2012-07-03 International Business Machines Corporation Apparatus, system, and method for precise early detection of AC power loss
US8898267B2 (en) 2009-01-19 2014-11-25 Netapp, Inc. Modifying information lifecycle management rules in a distributed system
EP2233991A1 (en) * 2009-03-25 2010-09-29 Siemens Aktiengesellschaft Safety-oriented automation system with automatic address restore
US8463964B2 (en) 2009-05-29 2013-06-11 Invensys Systems, Inc. Methods and apparatus for control configuration with enhanced change-tracking
US8127060B2 (en) 2009-05-29 2012-02-28 Invensys Systems, Inc Methods and apparatus for control configuration with control objects that are fieldbus protocol-aware
AT509310B1 (en) * 2009-12-16 2015-10-15 Bachmann Gmbh METHOD FOR OPERATING A MEMORY PROGRAMMABLE CONTROL (PLC) WITH DECENTRALIZED, AUTONOMOUS EXECUTION CONTROL
DE102010029370A1 (en) * 2010-05-27 2011-12-01 Siemens Aktiengesellschaft Submarine Propulsionsantriebssystem
EP2576316A2 (en) * 2010-05-31 2013-04-10 Central Signal, LLC Train detection
CN103140814B (en) * 2010-10-11 2016-08-03 通用电气公司 For detecting the system of the displacement in redundant sensor signal, method and apparatus
US8635492B2 (en) * 2011-02-15 2014-01-21 International Business Machines Corporation State recovery and lockstep execution restart in a system with multiprocessor pairing
US8671311B2 (en) 2011-02-15 2014-03-11 International Business Machines Corporation Multiprocessor switch with selective pairing
US8930752B2 (en) 2011-02-15 2015-01-06 International Business Machines Corporation Scheduler for multiprocessor system switch with selective pairing
EP2691820B1 (en) 2011-03-30 2020-08-05 Vestas Wind Systems A/S Wind power plant with highly reliable real-time power control
WO2012163636A1 (en) * 2011-05-27 2012-12-06 Siemens Aktiengesellschaft Method for testing redundant analogue outputs and associated device
EP2817761A2 (en) 2012-02-24 2014-12-31 Missing Link Electronics Inc. Partitioning systems operating in multiple domains
US9355120B1 (en) 2012-03-02 2016-05-31 Netapp, Inc. Systems and methods for managing files in a content storage system
JP2014056374A (en) * 2012-09-12 2014-03-27 Renesas Electronics Corp Information processor
DE102013100159A1 (en) * 2012-11-28 2014-05-28 Endress + Hauser Gmbh + Co. Kg Field device for determining or monitoring a process variable in automation technology
US11705244B1 (en) 2012-12-22 2023-07-18 Bertec Corporation Force and/or motion measurement system that includes at least one camera and at least one data processing device configured to execute computer executable instructions for determining a position and/or movement
US10331324B1 (en) 2012-12-22 2019-06-25 Bertec Corporation Measurement and testing system
US10803990B1 (en) 2012-12-22 2020-10-13 Bertec Corporation Measurement and testing system that includes a data processing device configured to synchronize a first plurality of data values with a second plurality of data values by determining which first timestamps correspond to which second timestamps and to interpolate values missing from the second values
US9829311B1 (en) * 2012-12-22 2017-11-28 Bertec Corporation Force measurement system
US9740178B2 (en) * 2013-03-14 2017-08-22 GM Global Technology Operations LLC Primary controller designation in fault tolerant systems
DE102014113371A1 (en) 2014-09-17 2016-03-17 Knorr-Bremse Systeme für Schienenfahrzeuge GmbH Method for monitoring and diagnosing components of a rail vehicle, with expandable evaluation software
US9838142B2 (en) 2014-10-15 2017-12-05 Christopher B. TYRRELL Electrical conductor to optical input conversion system
JP2016092445A (en) * 2014-10-29 2016-05-23 株式会社リコー Serial communication system
CN104460661B (en) * 2014-12-05 2017-12-12 国家电网公司 The remote debugging system of long-range turn-off reset and remote monitoring can be carried out
DE102015213744A1 (en) * 2015-07-21 2017-01-26 Ellenberger & Poensgen Gmbh power distribution
US10825263B2 (en) 2016-06-16 2020-11-03 Honeywell International Inc. Advanced discrete control device diagnostic on digital output modules
KR101988361B1 (en) * 2017-06-15 2019-06-12 버슘머트리얼즈 유에스, 엘엘씨 Gas Supply System
US10579558B1 (en) * 2019-03-06 2020-03-03 Honeywell International Inc. Flexible redundant input/output (I/O) schemes for I/O channels
CN111123130A (en) * 2019-12-25 2020-05-08 北京空间飞行器总体设计部 Satellite lithium ion battery voltage telemetering health on-orbit autonomous diagnosis method
US20240031439A1 (en) 2020-12-07 2024-01-25 Behault Industrial Property Office B.V. A cyber-physical system for an autonomous or semi-autonomous vehicle
CN113296388A (en) * 2021-05-27 2021-08-24 四川腾盾科技有限公司 Three-redundancy unmanned aerial vehicle steering engine output instruction voting method, system, computer program and storage medium
CN114033558B (en) * 2021-11-09 2023-01-31 唐山中芯智控科技有限公司 Low-cost high-speed high-precision analog output module special for gas turbine

Family Cites Families (129)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US33521A (en) * 1861-10-22 Improved apparatus for heating air for blast-furnaces
US3377623A (en) * 1965-09-29 1968-04-09 Foxboro Co Process backup system
DE1549397B2 (en) * 1967-06-16 1972-09-14 Chemische Werke Hüls AG, 4370 Mari PROCEDURE FOR THE AUTOMATIC CONTROL OF CHEMICAL PLANTS
US3665173A (en) * 1968-09-03 1972-05-23 Ibm Triple modular redundancy/sparing
US3593307A (en) * 1968-09-20 1971-07-13 Adaptronics Inc Redundant, self-checking, self-organizing control system
GB1253309A (en) * 1969-11-21 1971-11-10 Marconi Co Ltd Improvements in or relating to data processing arrangements
GB1308497A (en) * 1970-09-25 1973-02-21 Marconi Co Ltd Data processing arrangements
US4049957A (en) * 1971-06-23 1977-09-20 Hitachi, Ltd. Dual computer system
US3783250A (en) * 1972-02-25 1974-01-01 Nasa Adaptive voting computer system
US3845356A (en) * 1972-04-06 1974-10-29 Foxboro Co Process control system for hazardous areas
US3895223A (en) * 1973-01-03 1975-07-15 Westinghouse Electric Corp Circuit arrangement for enhancing the reliability of common bus outputs of plural redundant systems
DE2303828A1 (en) * 1973-01-26 1974-08-01 Standard Elektrik Lorenz Ag CONTROL PROCEDURE WITH THREE COMPUTERS OPERATING IN PARALLEL
CH556576A (en) * 1973-03-28 1974-11-29 Hasler Ag DEVICE FOR SYNCHRONIZATION OF THREE COMPUTERS.
US3898621A (en) * 1973-04-06 1975-08-05 Gte Automatic Electric Lab Inc Data processor system diagnostic arrangement
CA1026850A (en) * 1973-09-24 1978-02-21 Smiths Industries Limited Dual, simultaneously operating control system with fault detection
US4015246A (en) * 1975-04-14 1977-03-29 The Charles Stark Draper Laboratory, Inc. Synchronous fault tolerant multi-processor system
JPS5831602B2 (en) * 1976-02-04 1983-07-07 株式会社日立製作所 Dual system control device
US4228496A (en) * 1976-09-07 1980-10-14 Tandem Computers Incorporated Multiprocessor system
US4099234A (en) * 1976-11-15 1978-07-04 Honeywell Information Systems Inc. Input/output processing system utilizing locked processors
DE2701924B2 (en) * 1977-01-19 1981-03-19 Standard Elektrik Lorenz Ag, 7000 Stuttgart Control device for track-bound vehicles
US4105900A (en) * 1977-02-16 1978-08-08 The Boeing Company Signal selection apparatus for redundant signal sources
US4358823A (en) * 1977-03-25 1982-11-09 Trw, Inc. Double redundant processor
US4101958A (en) * 1977-09-01 1978-07-18 Rockwell International Corporation Apparatus and method for effecting redundant control data transfer in a digital flight control system
US4133027A (en) * 1977-09-13 1979-01-02 Honeywell Inc. Process control system with backup process controller
US4159444A (en) * 1978-03-21 1979-06-26 Sperry Rand Corporation Fail operational dual electromechanical servo actuator for aircraft with model monitoring
GB2019622B (en) * 1978-04-14 1982-04-07 Lucas Industries Ltd Digital computing apparatus
GB2022893B (en) * 1978-06-10 1983-01-12 Westinghouse Brake & Signal Fault detection
FR2430633A1 (en) * 1978-07-07 1980-02-01 Sfena SELF-MONITORED CONTROL SYSTEM FOR A PROCESS
US4270168A (en) * 1978-08-31 1981-05-26 United Technologies Corporation Selective disablement in fail-operational, fail-safe multi-computer control system
JPS55146552A (en) * 1979-05-02 1980-11-14 Hitachi Ltd N 1 backkup method of dispersion type hierarchy system
US4271505A (en) * 1979-07-02 1981-06-02 The Foxboro Company Process communication link
US4276648A (en) * 1979-09-04 1981-06-30 The Boeing Company Midvalue signal selection and fault detection apparatus and method
DE2939487A1 (en) * 1979-09-28 1981-04-16 Siemens AG, 1000 Berlin und 8000 München COMPUTER ARCHITECTURE BASED ON A MULTI-MICROCOMPUTER STRUCTURE AS A FAULT-TOLERANT SYSTEM
US4277832A (en) * 1979-10-01 1981-07-07 General Electric Company Fluid flow control system
US4656475A (en) * 1979-10-30 1987-04-07 General Electric Company Method and apparatus for controlling distributed electrical loads
US4347563A (en) * 1980-06-16 1982-08-31 Forney Engineering Company Industrial control system
US4352103A (en) * 1980-01-24 1982-09-28 Forney Engineering Company Industrial control system
US4304001A (en) * 1980-01-24 1981-12-01 Forney Engineering Company Industrial control system with interconnected remotely located computer control units
US4342083A (en) * 1980-02-05 1982-07-27 The Bendix Corporation Communication system for a multiple-computer system
US4412281A (en) 1980-07-11 1983-10-25 Raytheon Company Distributed signal processing system
EP0268041B1 (en) * 1980-09-02 1992-06-17 Deutsche Airbus GmbH Servo unit for actuating control surfaces or the like of a flight control system
US4530045A (en) * 1980-09-23 1985-07-16 Petroff Alan M Measurement and control system
US4375683A (en) * 1980-11-12 1983-03-01 August Systems Fault tolerant computational system and voter circuit
US4371754A (en) * 1980-11-19 1983-02-01 Rockwell International Corporation Automatic fault recovery system for a multiple processor telecommunications switching control
US4424559A (en) * 1981-02-27 1984-01-03 New Brunswick Scientific Co., Inc. Modular instrumentation for monitoring and control of biochemical processes
JPS57164636A (en) 1981-04-03 1982-10-09 Hitachi Ltd Control method for transmission system
US4443861A (en) * 1981-04-13 1984-04-17 Forney Engineering Company Combined mode supervisory program-panel controller method and apparatus for a process control system
JPS58500820A (en) * 1981-05-27 1983-05-19 マステク、コ−パレイシヤン Integrated circuit operating method and integrated circuit operating power control circuit
US4532630A (en) * 1981-05-28 1985-07-30 Marconi Avionics Limited Similar-redundant signal systems
IN160140B (en) * 1981-10-10 1987-06-27 Westinghouse Brake & Signal
DE3208573C2 (en) * 1982-03-10 1985-06-27 Standard Elektrik Lorenz Ag, 7000 Stuttgart 2 out of 3 selection device for a 3 computer system
US4472806A (en) * 1982-05-03 1984-09-18 The Boeing Company Signal selection and fault detection apparatus
JPS58171537U (en) * 1982-05-07 1983-11-16 ブラザー工業株式会社 Electronics
US4517639A (en) * 1982-05-13 1985-05-14 The Boeing Company Fault scoring and selection circuit and method for redundant system
DE3279929D1 (en) * 1982-06-16 1989-10-12 Boeing Co Autopilot flight director system
JPS5985153A (en) * 1982-11-08 1984-05-17 Hitachi Ltd Redundancy controller
IT1169167B (en) * 1983-02-15 1987-05-27 Gd Spa FUNCTIONAL CONTROL SYSTEM FOR OUTPUT TRANSDUCERS OF A CENTRAL CONTROL AND CONTROL UNIT FOR MACHINES AND / OR DEVICES USABLE IN PRODUCTION AND / OR PACKAGING LINES OF PRODUCTS
DE3310585C2 (en) 1983-03-23 1985-08-01 Texas Instruments Deutschland Gmbh, 8050 Freising Memory protection circuit
US4872106A (en) * 1983-04-06 1989-10-03 New Forney Corp. Industrial process control system with back-up data processors to take over from failed primary data processors
JPS59212902A (en) * 1983-05-18 1984-12-01 Hitachi Ltd Multiplexing controller
JPS59224228A (en) * 1983-06-02 1984-12-17 Fanuc Ltd Neumeric controller
US4562575A (en) * 1983-07-07 1985-12-31 Motorola, Inc. Method and apparatus for the selection of redundant system modules
US4634110A (en) * 1983-07-28 1987-01-06 Harris Corporation Fault detection and redundancy management system
US4610013A (en) * 1983-11-08 1986-09-02 Avco Corporation Remote multiplexer terminal with redundant central processor units
US4600870A (en) 1983-11-17 1986-07-15 United Technologies Corporation Dual controller position control system
JPH0754442B2 (en) * 1983-11-24 1995-06-07 大倉電気株式会社 Process control system
JPS60122407A (en) * 1983-12-06 1985-06-29 Fanuc Ltd Programmable controller
US4617475A (en) * 1984-03-30 1986-10-14 Trilogy Computer Development Partners, Ltd. Wired logic voting circuit
US4823256A (en) * 1984-06-22 1989-04-18 American Telephone And Telegraph Company, At&T Bell Laboratories Reconfigurable dual processor system
US4695952A (en) * 1984-07-30 1987-09-22 United Technologies Corporation Dual redundant bus interface circuit architecture
JPS61267846A (en) * 1984-11-12 1986-11-27 Nec Corp Integrated circuit device with memory
US4622667A (en) * 1984-11-27 1986-11-11 Sperry Corporation Digital fail operational automatic flight control system utilizing redundant dissimilar data processing
US4663704A (en) * 1984-12-03 1987-05-05 Westinghouse Electric Corp. Universal process control device and method for developing a process control loop program
US4635184A (en) * 1984-12-17 1987-01-06 Combustion Engineering, Inc. Distributed control with mutual spare switch over capability
US4672530A (en) * 1984-12-17 1987-06-09 Combustion Engineering, Inc. Distributed control with universal program
US4777626A (en) * 1984-12-22 1988-10-11 Tokyo Electric Co., Ltd. Memory device having backup power supply
US4639885A (en) * 1984-12-24 1987-01-27 United Technologies Corporation EMI suppression for electronic engine control frequency signal inputs
US4665522A (en) * 1985-01-28 1987-05-12 The Charles Stark Draper Laboratory, Inc. Multi-channel redundant processing systems
FR2577087B1 (en) * 1985-02-07 1987-03-06 Thomson Csf Mat Tel TRIPLICATED CLOCK DELIVERY DEVICE, EACH CLOCK SIGNAL HAVING A SYNCHRONIZATION SIGNAL
US4726026A (en) * 1985-02-08 1988-02-16 Triconex Corporation Fault-tolerant voted output system
US4982430A (en) * 1985-04-24 1991-01-01 General Instrument Corporation Bootstrap channel security arrangement for communication network
US4752869A (en) * 1985-05-09 1988-06-21 Westinghouse Electric Corp. Auxiliary reactor protection system
DE3522220C2 (en) 1985-06-21 1997-02-06 Licentia Gmbh Circuit arrangement for the safe control of control elements of a process
US4683105A (en) * 1985-10-31 1987-07-28 Westinghouse Electric Corp. Testable, fault-tolerant power interface circuit for normally de-energized loads
FR2591777B1 (en) * 1985-12-13 1991-03-15 Cimsa Sintra HIGH OPERATING SECURITY COMPUTER NETWORK AND CONTROL METHOD USING SUCH A NETWORK
JPH0778750B2 (en) * 1985-12-24 1995-08-23 日本電気株式会社 Highly reliable computer system
US4799140A (en) * 1986-03-06 1989-01-17 Orbital Sciences Corporation Ii Majority vote sequencer
DE3688073T2 (en) * 1986-04-03 1993-06-24 Otis Elevator Co TWO-WAY RING CONNECTION SYSTEM FOR ELEVATOR GROUP CONTROL.
US4967347A (en) * 1986-04-03 1990-10-30 Bh-F (Triplex) Inc. Multiple-redundant fault detection system and related method for its use
US4713832A (en) * 1986-04-11 1987-12-15 Ampex Corporation Programmable divider up/down counter with anti-aliasing feature and asynchronous read/write
GB8615057D0 (en) * 1986-06-20 1986-07-23 Approved Prod Technology Ltd Adaptive control systems
US4843537A (en) * 1986-07-04 1989-06-27 Hitachi, Ltd. Control system
US4730313A (en) * 1986-08-18 1988-03-08 Racal Data Communications Inc. Access circuit diagnostics for integrated services digital network
US4797884A (en) * 1986-09-29 1989-01-10 Texas Instruments Incorporated Redundant device control unit
US4774709A (en) * 1986-10-02 1988-09-27 United Technologies Corporation Symmetrization for redundant channels
US4805107A (en) * 1987-04-15 1989-02-14 Allied-Signal Inc. Task scheduler for a fault tolerant multiple node processing system
SE457391B (en) * 1987-04-16 1988-12-19 Ericsson Telefon Ab L M PROGRAM MEMORY MANAGED REAL TIME SYSTEM INCLUDING THREE MAINLY IDENTICAL PROCESSORS
DE3714960A1 (en) * 1987-04-30 1988-11-10 Licentia Gmbh ARRANGEMENT FOR THE SAFE DETECTION OF PROCESS CONDITIONS WITHIN A FREE RELEASABLE UNIT AND METHOD FOR IMPLEMENTATION
DE3723727A1 (en) * 1987-07-17 1989-01-26 Siemens Ag POWER SUPPLY
US4858101A (en) * 1987-08-26 1989-08-15 Allen-Bradley Company, Inc. Programmable controller with parallel processors
US4868826A (en) * 1987-08-31 1989-09-19 Triplex Fault-tolerant output circuits
JPH0731537B2 (en) * 1987-09-11 1995-04-10 株式会社日立製作所 Multiplex controller
US4916612A (en) * 1987-11-02 1990-04-10 The Boeing Company Dual channel signal selection and fault detection system
US4847830A (en) * 1987-12-02 1989-07-11 Network Equipment Technologies, Inc. Method and apparatus for automatic loading of a data set in a node of a communication network
US4965745A (en) * 1987-12-18 1990-10-23 General Electric Company YIQ based color cell texture
US4868851A (en) * 1988-01-26 1989-09-19 Harris Corporation Signal processing apparatus and method
JPH01245335A (en) * 1988-03-28 1989-09-29 Hitachi Ltd Multiplexing system for programmable controller
US4872213A (en) * 1988-03-31 1989-10-03 Barber-Colman Company Versatile interface means for computer-based control systems
US4841232A (en) * 1988-04-29 1989-06-20 International Business Machines Corporation Method and apparatus for testing three state drivers
JP2533612B2 (en) * 1988-05-16 1996-09-11 富士通株式会社 Memory data protection method
US4926364A (en) * 1988-07-25 1990-05-15 Westinghouse Electric Corp. Method and apparatus for determining weighted average of process variable
ATE97753T1 (en) * 1988-09-12 1993-12-15 Siemens Ag EQUIPMENT FOR OPERATION OF A REDUNDANT MULTIPLE COMPUTER SYSTEM FOR CONTROLLING AN ELECTRONIC INTERLOCKING IN RAILWAY SIGNAL TECHNOLOGY.
US4965717A (en) * 1988-12-09 1990-10-23 Tandem Computers Incorporated Multiple processor system having shared memory with private-write capability
US4975931A (en) * 1988-12-19 1990-12-04 Hughes Aircraft Company High speed programmable divider
US4958270A (en) * 1989-01-23 1990-09-18 Honeywell Inc. Method for control data base updating of a redundant processor in a process control system
US4959768A (en) * 1989-01-23 1990-09-25 Honeywell Inc. Apparatus for tracking predetermined data for updating a secondary data base
US4995040A (en) * 1989-02-03 1991-02-19 Rockwell International Corporation Apparatus for management, comparison, and correction of redundant digital data
US4955020A (en) * 1989-06-29 1990-09-04 Infotron Systems Corporation Bus architecture for digital communications
US5008805A (en) * 1989-08-03 1991-04-16 International Business Machines Corporation Real time, fail safe process control system and method
JPH0823793B2 (en) * 1989-12-13 1996-03-06 富士通株式会社 Memory card
US5307318A (en) * 1990-01-30 1994-04-26 Nec Corporation Semiconductor integrated circuit device having main power terminal and backup power terminal independently of each other
SE466172B (en) * 1990-05-15 1992-01-07 Asea Brown Boveri DEVICE FOR THE PREPARATION OF A VARIOUS CURRENT RESPONSIBLE FOR A DEVICE APPLIED
US5170362A (en) * 1991-01-15 1992-12-08 Atlantic Richfield Company Redundant system for interactively evaluating the capabilities of multiple test subjects to perform a task utilizing a computerized test system
US5271023A (en) * 1991-06-03 1993-12-14 Motorola, Inc. Uninterruptable fault tolerant data processor
JPH05128080A (en) 1991-10-14 1993-05-25 Mitsubishi Electric Corp Information processor
US5442620A (en) 1992-03-26 1995-08-15 At&T Corp. Apparatus and method for preventing communications circuit misconnections in a bidirectional line-switched ring transmission system
US5313386A (en) * 1992-06-11 1994-05-17 Allen-Bradley Company, Inc. Programmable controller with backup capability
US5425266A (en) * 1994-01-25 1995-06-20 Envirotest Systems Corp. Apparatus and method for non-intrusive testing of motor vehicle evaporative fuel systems
US5408871A (en) * 1994-01-27 1995-04-25 General Motors Corporation Idle air control system diagnostic

Also Published As

Publication number Publication date
KR100322461B1 (en) 2002-02-07
MX9301799A (en) 1994-01-31
HK1011427A1 (en) 1999-07-09
US5970226A (en) 1999-10-19
EP1300735A2 (en) 2003-04-09
DE69322626D1 (en) 1999-01-28
KR100322462B1 (en) 2002-11-30
ES2191884T3 (en) 2003-09-16
JPH07507889A (en) 1995-08-31
DE69332897T2 (en) 2004-02-26
DE69322626T2 (en) 1999-07-08
WO1993020488A2 (en) 1993-10-14
AU3918393A (en) 1993-11-08
SG55081A1 (en) 1998-12-21
ES2128424T3 (en) 1999-05-16
EP0869415A2 (en) 1998-10-07
EP0631673A1 (en) 1995-01-04
HK1048670A1 (en) 2003-04-11
EP0631673B1 (en) 1998-12-16
DE69332897D1 (en) 2003-05-22
WO1993020488A3 (en) 1994-03-31
US5862315A (en) 1999-01-19
EP0869415B1 (en) 2003-04-16
EP0869415A3 (en) 1999-12-15
US5428769A (en) 1995-06-27
US6061809A (en) 2000-05-09
EP1193576A2 (en) 2002-04-03

Similar Documents

Publication Publication Date Title
CA2131156A1 (en) Process control interface system having triply redundant remote field units
US5761518A (en) System for replacing control processor by operating processor in partially disabled mode for tracking control outputs and in write enabled mode for transferring control loops
CN1103949C (en) Automatic self-testing system
RU2395830C2 (en) Process device with supervisory overlayer
US5428526A (en) Programmable controller with time periodic communication
JP4128083B2 (en) Digital reactor protection system that eliminates common software type failures
CN109920562B (en) Protection system control device for nuclear power station
US8184417B2 (en) Apparatus for fault tolerant analog inputs
JP2008135027A (en) Drop in fully redundant, workstation-based distributed process control system
EP2595018B1 (en) Method and apparatus for analogue output current control
EP1435552B1 (en) A field device for a fieldbus system
JP2002517850A (en) Machine, plant or appliance control device and control monitoring method
JPH0262606A (en) Cnc diagnosing system
CN1139077C (en) Dual optical communication network for reactor protection systems
CN111399427B (en) Classification modularization device and method based on embedded type FPGA controller
US11513490B2 (en) I/O mesh architecture for a safety instrumented system
RU2698627C1 (en) Software and hardware complex for monitoring and controlling technological processes in ore mining and processing industry
US11669391B2 (en) Data processing procedure for safety instrumentation and control (IandC) systems, IandC system platform, and design procedure for IandC system computing facilities
FI130063B (en) Parametrizable IO module
Walz et al. Distributed supervisory protection interlock system SLC acceleration
JPH0239631A (en) Supervisory control system
JPS6275703A (en) Triplex controller
Walz et al. Distributed supervisory protection interlock system
JPS63298597A (en) Environment abnormality warning device

Legal Events

Date Code Title Description
EEER Examination request
FZDE Discontinued