CA2137464C - Secure front end communications system and method for process control computers - Google Patents

Abstract

A secure front-end communication system which couples a plu-rality of actively redundant process control computers to a computer network. The system includes a front end computer which is capable of establishing time limited communication contracts with one or more computer entity on the computer network. Each time limited communication contract is based upon an acceptable response to the transmission of an unpredicable signal from the front end computer, such as an encrypted transformation of a pseudo-random number gen-erated by the front end computer. A security table is used to identify the network entities that are permitted to send write command mes-sages to the process control computers to which the front end compu-ter is connected. The front end computer also includes at least one per-missive table which is used to determine whether a write command message from the network entity should be transmitted to the process control computer for which the message was intended.

Description

' a . - 1 ~-A''-' N rJ (-' p PC'T/US93/6. ,18 J 93/25948 ..
TEXT -i , ~r, ~;.. ', ' ~ ~~4 8 ~
SECURE =RONT _ND COMMUNICATION SYSTEM AND METHOD
FOR PROCESS CONTROL COMPUTERS

The present invention generally relates to "front-end" communication techmoues between process control computers aria a pianvlocai area network.
More specifically, the present mvent~on relates to a front-end communmation system which is capable of securely handling messages from the plant area network which could affect the t 0 operation of a process c:ontroi computer.
In chemoal manufacturing plants and other relatively large processing plants, a network of control computers and operator workstations may tie needed to achieve automated control of an ongoing physical process in the plant. For example, the Jones et. ai l:.S. Patent No. 4,663, 704, issueo on May 5, 1987, shows a distributed processing system for a ' S plant m which a single data h~anway connects all the various inoutloutput terminals, data acgmsnion stations, co~troi devoes, record keening devices and so forth.
Sim~fariy, the Henzel U.S. Patent No. 4,607,256, issued on August 19, 1986, shows a plant management system which utilizes a plant control bus for the purpose of transmitting data to physical computer modules on the network.
20 In some of these process control computer networks, redundant process control computers are employed to enhance the reliability of the plant control and monitoring system.
For example, the Fiebi~3 et. al U.S. Patent No. 5.008,805, issued on April t 6, 1991, shows a networked control system which includes a "hot standby" redunoant processor that synchronously prpcessEas a control schedule table for comparison with control messages from a

2~ senger processor that are transrmtted on the network. The reoundant listener processor maintains a duplicate ~:onfiguranon in ns memory ready to take over control of the system in the event of a failure of the sender processor. As another example, the McLaughiin et. al U.S.
Patent No. 4,958,270, issued on September 18, 1990, snows a networked control system which employs a primary controller grip a secondary controller. in orger to maintain consistency 30 between the primary Bata base and a secondary image of the oata base, only predetermined areas cnangeg are uoc~ated as a way of increasing the efficiency of the update function.
Sim~iariy, the Slater U.S. Patent No. 4,872,106, issued on October 3, 1989, shows a networked control system which employs a or~mary Bata processor and a back- uo data processor.
Normally, the back-uc~ processor mll be m a back-up mode of operation, and it will not operate 3S to exercise control overr the moutloutaut oemces or receme data concerning the states of the inoutloutput oevmes Accordingly, control over the inputloutout devices ~s exclusively carried out by the primary processor. however, the primary processor periodically transfers status data relating to its operation in the control of the input/output devices to the back-up data processor via a dual ported memory connected between the two processors.
In contrast with the above networked control systems, another control technique for redundant process control computers exists in which both of the process control computers operate on input data and issue control commands to the same output devices. This type of control technique may be referred to as active redundancy, because each of the redundant process control computers operate independently and concurrently on common input data. A discussion of this type of control technique may be found in the Glaser et. al U.S. Patent 5,428,769, filed on March 31, 1991, entitled "Process Control Interface System Having Triply Redundant Remote Field Units".
The use of active redundancy as a control technique presents a difficult problem in terms of communication with the plant computer network, as each actively redundant process control computer will receive a set of input values and each of these process control computers will generate a set of output values. In the case where the actively redundant process control computers arbitrate or resolve some or all of the input and/or output values, to the extent that differences do exist, then multiple sets of input and output values could be created.
For example, a set of pre-arbitration and post-arbitration input data values could potentially be available from each of the actively redundant process control computers. Accordingly, it would be desirable to enable some or all of these data sets to be matched up and analyzed by another computer on the plant network without interfering with or slowing down the operation of the actively redundant process control computers.

Additionally, it would be desirable to permit one or more of the computers on the plant network to modify certain values used by the program in each of the actively redundant process computers as the need may arise, such as analog constants. However, it should be appreciated that such an activity would need to be restricted in some manner, as predictable changes in the operation of physical devices should be assured.
Accordingly, it is a principal objective of the present invention to provide a secure front-end communication system and method for controlling signals transfers between an actively redundant process control computer and a plant/local area network.
It is another objective of the present invention to provide a secure front-end communication system which is capable of evaluating an instruction from the plan/local that could affect the operation of the actively redundant process control computer.
It is also an objective of the present invention to provide a secure front-end communication system which insures that there is proper alignment with the operating program in the actively redundant process control computers.
It is a further objective of the present invention to provide a secure front-end communication system which enables one of the actively redundant process control computers - 2a -~ 93/25948 ~ ~ PGT/US93/0~_.~8 :o receme a reviseo oo~erauna program wnnout adversely affectly the operation or the other activeiv redundant process control computer.
~t is an additional oblectme of the present invention to provide a secure front-end communication system and metnoa canon ~s caoaole of uuiimng a pluranty of different communication oroto<:ois ano encryption tecnniaues depending upon the type of message oeing transmitted.
SUMMARY OF THE INVENTION
To achieve the foregoing oolectives, the present mvenvon provides a secure 0 front-end communication system which ~s interposed between a plurality or actively redundant process control computers and a computer network. The secure front-end communication system intrudes a from: end computer which ~s capable of establishing nine limned communication contracts cairn one or more computer entity on the computer network. In accordance with the method of the present invention, each of these nine nmited ~, ~ communication contracts is cased upon an acceptapie response to the transmission of an unpredicable signal from the front eno computer. More particularly, the acceptable response is preferably in the form of an encrypted transformation of a psuedo-random number generated by the front end computer. Additionally, before :he nine limited communication contract expires, the front end ~:omputer will negotiate a new nine limited communication contract 20 with the computer entity on the computer network using a new psueoo-random number.
In one form of the present invention, the front end computer also includes at least one permissive table which is used to determined whether a wine command message from the network entity should be transmitted to the process control computer for which the message was intenaea. A securny server is also included on the computer network for ZS transmitting a security table to the front erd computer. The security taole is useo to identify the networK ensues that are permitted to send write command messages to the process control computers to which the front eno computer is connetted.
Additioral features and advantages of the present invention will become more fully apparent from a reading of the detailed description of the preferred embodiment and the 30 accompanying drawings in which:
BRIEF DESCRIPTION OF THE DRAWINGS
Figure 1 is a piock diagram of an intelligent front-end communication system for a pmraiity of actively redundant process control computers which utilizes a stealth interface

3~ according to the present invention Figures iA and 2B promde a diagrammatic representation of the data rabies stored m a nrne ai~gneo reflective memory buffer and the Correlate buffer shown in Figured .
figure 3 ~s a black diagram or the stealth interface shown m Figure 1 93/25948 ~ ~ PCT/US93/05_ s F,gures 4A aria 4B cnmorise a scnema2c aiagram of the stealth interface of ~~aures 1 and 2.
Figures 5A and 58 illustrate two timing oiagrams for the stealth interface.
Fioures 6A~~6c comprise a set of flow marts ~Ilustraung particmar aspects of the security aria validation n,etnoas accoroing to the present invention.
F;gure 7 ~s a olock o~agram of the aooiicanon software for the front end computers shown m Figure 1 Figure 8 is a diagrammatic illustration of the configuration for the front end computers.
Figure 9 is a a oiagrammatic illustration of the reiauonsnlp between the reflective memory buffers in the front end computers, the transfer map in the IFS circuit and the data memory in the process control computers.
Figure 10 is a olock diagram of the IFS circuit shown in Figure 1.
Figure 1 1 is a olock diagram of the IFQ circuit shown in Figure t.
'S
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
Referring ;o Figure t, a block diagram ~s shown of an intelligent front-end communication system 10 which is couples to a pair of acUveiy redundant process control computers 12a-12b. Ea<:h of the process control computers 12a-12b receive common input data 20 from field computer units (not shown) or other suitable field instrumentation. In this regard, the Glaser et. al. U.S. Patent Application Serial No. 07/864,931, referenced above, describes in detail the commurncation and control links between a pair of actively redundant process control computers, such as process control computers 12a-t 2b, and the inputloutAUt devices oirectly associated with the physical process being controlled.
While the reounoancy of two actively operating process control computers has certain fault tolerance aavantages over a single decision maKing process control computer, It snouid be understood that the printpies of the present invention are not limned to any particular configuration of process control computers. Thus, for example, it may be desirable to employ three proces~~ control computers in the place of the two process control computers 30 t 2a- t 2b shown m Figure t unoer the appropriate circumstances.
In the present embooiment, the process control computers 12a-12b preferably operate concurrently on ail of the signals transmuted from one or more field computer units.
tit other words, each of the process control computers 12a- 12b are capable of making ~ naepenaent deusions based upon the oats receiveo by these redundant computers from the ~ f~eid. The decisions made by tne~ process control computers 12a-12b aetermine the output signal values whmh are ultimately oirected to spemfic output devices (for example, valves, pump motors ano reacz.or heaters) by the appropriate field computer units.
While the output s~gnai values are oreferamy reconcileo at least to some extent Between the two actively > 93/25948 PCT/US93/0:,_~8 ~eaunaant process control cornouters t 2a-12b before the transmission or tnese signals to the field, n snomo be unaerstooa that two maepenaent sets or output s~gnai vames could be communicated to the field computer units. In this regaro, the input values recemed from a field computer unit coma tJe aromratea, whmn shoula maKe n unnecessary to reconcne or arbitrate output vames. This ~s oecause ootn of the process control computers 12a-t 2b would then be working with the same process c:ontroi program ono operating on the same set of arbitrated ~ nput values.
As an example or a preferred form of possible value reconaliation, corresponding input varue tables m each of the process control computers 12a-12b could be compared during t0 a preset time penod, and one or the values could be chosen for each input value signal to be subjected to the process control program. This selection of input values could be made on a suitable cntena to the process being control led, sucn as the use of the value determined by the Left process control cornputer 1:2a when the value determined by the Right process control computer t 2b is within a certain predetermined percentage limit (for example, 2.5%).
,, 5 Othermse, the distinct input values of both the Left and Right process control computers could each be employed when these vames are found to be outside the preoetermrned percentage limn. Alternatively, the selection of different input/output values from the Left and Right process control compwcers could be made on the basis of a software implemented preference.
Thus, for example, under certain process conditions, ~t may be considered more appropriate to 20 select either the high ar low vai tie, regardless of whether the value was determined by the Left or Right process control computer.
To faciiit~ate this arbitration or reconciliation process, a parallel communication link 14 is provided between the process control computers 12a-12b. Parallel communication link t4 is referred to as the "major" link, as it oermm a direct transfer of data and timing S signals between the process control computers. n should also oe noted that the :.eft process control computer t 2a is labeled " fox", wnile the Right process control computer t 2b is labeled "dog" . These are log~c.al designations for alternative operating modes of the process control computers 12a-12b.
Vllhile each of the process control computers t 2a-t 2b make ~ndeoendent 30 deasrons, which may ~~e subject to aronranon, the process control computer currently in the fox mode has the abiln;y to farce the process control computer m the dog mode to move to a subsequent step m a programmed sequence m piper to keep the cooperative efforts of the two process control computers m relative syncnromzation. Additionally, the process control computer m the fox mope mil transmit a timing s~gnai to the process control computer in the 35 dog _moue at the begm~na of its process control program cycle (for example, a one second oenod), so that the process control computer m the dog mode mil know to begin a new process control program type as weir. As the process control computers t 2a-12b operate under their own clock osoliators, the aetectron and interpretation or this program cycle timing signal p_ 93/25948 ~ PCT/US93/OS_ .d ov the process control cornouter ~n the doo mope wnl help to penoolcailv Keen tnese process control computers m relative syncnronmanon. However, n snoulo be appreciated that the program cycle of the process control computer m the dog mode mll typ,cally follow the program cycle of the process contro~ computer m the fox mode py the period of rime it takes to transmit and then detect the program cycle riming signal (for example, 20-mmroseconds.to 20-milliseconds).
In the event that process control computers t 2a-12b are temporar~iy not able to communicate over the rr~alor rink t 4, each of these process control computers mil continue their operations in a mocye wmcn assumes that they are operating alone. In this mode of oPeranon, it should be appreoated that the program cycles of the process control computers t 2a-12b may gradually daft apan: m vine relative to each other. Nevertheless, as will be seen from the d,scussion below, the front end communmauon system t 0 is designed to enable data recemed from the proce<.~s control computers 12a-t 2b to be vine aligned for real-time analysis.
As illustrated ~n Figure t, eacn of the process control computers t 2a- t 2b includes t 5 a stealth interface accord,ng to tr,e present mvent~on. In part,cuiar, process control computer ' 2a includes stealth interlace c~rcun t 6a, wmie process control computer 12b includes stealth interface urcu,t 16b. As the stealth interface c,rcuits 16a-t 6b comprise ,dentical circuits, these stealth interface circuits are somet,mes referred to generally herein as stealth interface circuit t 6. Due to the redundant nature of the front end communication system t 0, a general reference number mll a so be used for other dupioative components m the system.
The stealth interface t 6 prov,des transparent data transfers between the process control computer to which it is connected and external communication devices.
In this regard, the data transfers are tr<3nsoarent to the process control computer 12 in that the operation of the process control computer ~s not delayed or othermse adversely affected by a transfer of its data to one or more external communmanon demces. The stealth interface t 6 also enaples the transfer of messages from an external communoaton device wnnout affecting the operation of the process control computer t~ 2. The primary example of sucn an external communication demce is shown in Figure t to be comprised of a pair of redundant front end computers t8a-t8b. The front end computers t8a-18b are redundant, because commumcauon paths are Provided for enabling each of these front end computers to excnange data and messages with both of the stealth interface orcuns 16a-t 6b.
Each of the front end computers t8a-18b promde a highly intelligent interface between the stealth interface circuits t 6a-t 6b and a piantllocal area network, which is generally designated by reference numeral 20. However, since each of the redundant front end computers t8a-t8b are caoaoie of commumcanng wnn eacn of the stealtn interface orcuits t 6a-t 6b, n shou id be appreoated trial this redundancy is not reomred, and that a single front end computer could be uniized m the appropriate apAlicanon. Addinonaily, as will be-more apparent from they discussion below, each of the stealth interlace orcuns are capaole of _d_ 193/25948 ~ ~ PCT/US93/0~ ~8 excnanaina aata and messa4es with other external communication devices, as well as the front end computers 18a-18t;.
As iIW strated in Figure 1 , the stealth interface circuit 16 features a dual-ported rlemorv "DPM" 22 winch resides on the pus structure or the process control computer 12.
indeed, in the emoodiment discloseo herein, the dual- ported memory 22 provides the primary or only data memory fc~r the process control coin outer 12. Thus, ; n accordance with the present invention, the stealth mterfac:e e:ircun 16 will se!ecnveiy grant external devices direct access to the data memory of the process control computer itself. The dual-ported memory 22 includes an internal port which ~s connected to the bus structure of the process control computer 12 and an external port, which is sometimes referred to herein as the stealth port.
While the dual-ported memory 22 cou~d be configured to provioe aoditional ports, the dual-ported memory preferably includes an arpitration urcuit which enables a plurality of external communication crevices to have alternative access to the stealth port. In other words, only one external device mil be able to use the data and address lines of the stealth port at any given time when access S to the dual-ported memory is permitted through the stealth port, even though more than one external device may ul umately be coupled to rite data and address lines of the stealth port. In the present embodiment, the stealth interface aroitratidn circuit employs a first-come, first-serve approach to grarning access nghts.
However, in accordance with the present invention, this arbitration urcuit operates only on the stealth port. There rs no aroitranon per se between the internal and external ports of the stealth interface circuit 16. Rather, access to the dual-ported memory 22 from the external/stealth port is available only dunng those times when the process control computer 12 cannot a<:cess the dual- ported memory. More specifically, in the form of the invennon disclosed herein, the machine cycle of the process control computer 12 is utilized to control access to the d uai-ported memory t 6. As ~s well known, the central process unit of any computer must fetch and decode one or more programmed ;nstructions in order to operate on one or more data words. In computers based upon the van Neumann architecture, it typically takes several computer clock cycles to fetch, decode and execute an instruction. However, in the present embodimrant, the process control computer 12 is based on the Harvard architecture, which permits both an op-code instruction and the operand data for this instruction to be fetched in the same cl~xk cycle This is because a computer based upon the Harvard architecture includes physically separate instruction and data stores, and each of these stores have their own addre~;s and data lines to the central processing unit. Thus, during the portion of the clock cycle for the process control computer 12 that is devoted to fetching ano decoding 3 J an mstrucnon, the du,si-ported data memory 22 may be accessed from the stealth port. Then, during the portion of the clock cycle for the process control computer 12 that is devoted to feuning the operand from the data store, the process cdntroi computer will have access to the cuai- ported data memory 22 from the internal port.

93/25948 ~ ~ PGT/US93/0; ,8 ~n accoroance with the present mvenuon, the stealth Interface circuit 16 watches vor a specific transnlon m the memory oocK signal of the process control computer t 2 in order :o aetermme when the stealth port may nave access to the dual-ported data memory t 6. In this ~egara, it should be unaerstood that the process control computer itself is not affected by this external access, as external access Is permuted by the stealth interface circuit 16 only during :hose time periods whey the process control computer 12 will not need to access the dual-oorted data memory 22. Indeed, the process control computer t 2 does not even have to know lust externally generaneo read/wnte activity is actually occurring with respect to Its data store.
Nevertheless, In accord~~nce with the present invention, an important disnncvon is made between the ability to ' read" from the dual-ported data memory 22 and the ability to "write to the dual-ported data memary, as far as the stealth port Is concerned. While it may be aesrrable to enable an erxternai communication devme to read each and every memory location m the dual-pored data memory 22, this may not tie true with respect to the ability of an external device to wrlte~ to memory locavons In the dual-ported memory. In this regard, the ~ 7 coal-ported data memory 22 will store not only dynamic data associates with the pnyslcal process being controlled, but ~t rnay also store other process control variables, such as analog ano digital constants.
Accordingly, the dual-ported memory 22 includes two "logical" memory settions, namely variable settlon 24 and mailbox section 26. These memory sections are logically d~stlnct, because they are treated separately, even though they may both reside in the same pnysical memory circuit chip ar chip set. In the present embodiment, the mailbox section 26 is comprised of a set of 2°->6 memory word locations ( 16 bits each) in the dual-ported data memory 22, and the variable se<alon 24 is. comprised of the remaining memory locations in the dual-ported data memory 2:? (for example, a block of 64k memory word locations).
The variable section 24 may arse inc ode a message area for holding system messages from the process control computer 12 to the front end computer t 8. The mailbox section 26 is used to provide a specific region m memory for storing messages from external devices, such as the front end computers 18a-18b. In this regard, it should be appreciated that the memory locations of the mailbox section 26 do not need to be physically convguous. While the mailbox secvon 26 may be configured to hold more than one message at any one vine, depending upon the message transmission protocol ,;amployeci, the mailbox section need only be large enough to hold one complete message. These messages may be as simple as an external request for the process control computer 12 to garner and transmit health/status data from a remote field computer untt rust It may ootaln less frequently. A message may also include a commano to change a particular varlaole stores in the dual-ported aata memory 22. Additionally, the manbox section 26 of the dual-ported oats memory 22 may also oe useo to electromcalty convey a program reVlslOn to the DrOCesS control Computer t 2.

193/25948 PCT/US93/0_ ~8 ~~~s4 As wni tie more ~~unlv o~scusseo below, the steanh interface cutup 16 maudes a guardian arcun wmcn prevents .any external enmy from wnnng to any memory locations m the variable section 24 of the dual-oortea data memory 22. Thus. wmle some or all of the ~~emorv locations m cn~e ouai-oorteo aata memory 22 may oe reaa from the stealth port, an external entity is only permuted to write to the memory locations m the mailbox section 26 of the dual-ported memory 22. This feature of the present mvennon provides a hardware safe-guard at the process control computer 12 whmh insures that no external enmy wVl be able to inadvertently interfere with the data processing operations of the process control computer 12.
As will be more apparent from the discussion below, tins feature of the present invention could ! 0 also be employed to grant or deny external waste access to any partmular memory location or set of memory locations in the dual-oohed data memory 22.
In order to rap~aly pump data into or out from the stealth port, the front end communication system 10 of Figure 1 ~s also shown to include an interface to stealth "IFS"
orcuit 28, an interface to Q-bus "1FQ" circmt 30. and a set of fiber optic cables 32 interposed S tnerebetween. The IFS o«mt 28 is connected to the stealth port of the dual-ported data memory 22, while the IFQ orcmt 30 resides on the "Q bus" of the front end computer 12. Due to the redundant nature of the front end communication system 10, it should be appreciated that the IFS c~rcmt 28a is connected to the stealth port of dual-ported data memory 22a, while IFS arcuit 28b is conne~aed to the stealth port of dual- ported data memory 22b. Similarly, the 20 IFQ circuit 30a is connected to the Q bus of the front end computer 18a, white the iFQ circuit 30b is connected to the Q bus of the front end computer 18b. In the embodiment disclosed herein, the front end computer 18 is preferably comprised of a MICROVAX 3400 computer using the real-time EL1J operating system from the Digital Eampment Corporation "DEC".
While the VAX family of computers from DEC offer considerable speed and networking 25 advantages, ~t should be appreciated that other suitable front end computers may tie employed in the appropriate application.
In order to permit each of the front ena computers 18a-18b to conduct bi-direcvonal communications mth both of the stealth interface orcuits 16a-16b, the fiber optic cables 32 actually inc~ude two sets of send and receive optical fibers (for example, 30 62.5/125/0.275NA typE~ fibers). However, the separate send and receive optical fibers for each of the front end computers 18a-18b are represented as single cnanneis in Figure 1 for simplicity.
Thus, fiber optic channel 34a includes a separate opmaf fiber for sending mformanon from the front end computer 1l3a to the stealth interface urcurt 22a aria an optical fiber for receiving information from the stealth interface mrcun 22a. Sim~iarly, the fiber optic channel 36a 37 mcluaes a separate oc~tmai fiber Tor senomg information from the front end computer 18a to the stealth interface orcun 22b and an optical fiber for recemina mformanon from the stealth interface orcmt 22b. This arrangement of optical fibers ~s also duplicated for the front end-computer 18b.
3_ ~ 93/25948 PCT/US93/6. .18 ~~?464 .n the present emoooiment, the comoination of the IFS circuit 28. the iFQ
arcuit 30 and the fiber pout caoies 32 orovioe an optical transmission interface wnicn permits the front end computers 18a-18b to oe remoted located from the process control computers 12a-12b. For examine, in th!s emoaoiment it ~5 DosSiDie far the front era COmDUterS 18a-18b to be located uo .to 2 km from the process control computers 12a-12b. Additionally, it should be noted that the Fiber Dis2n~uted Data Interface "FDDI" protocol may be used to transmit mformauon between tree IFQ and IFS orcuits over the fiber pout cables 32.
The IFS cir.uit 28 includes the appropriate address and data buffer circuits (not shown) for transferring information to and from the stealth port of the dual-ported data memory 22. The IFS circuit 28 also includes a transfer map 37 which enables data from selected locations in the dual-ported data memory 22 to be gathered and transferred as one contiguous block of data. The tranl~fer map :37 may be comprised of a static RAM with sufficient address storage capability to gather data from all of the available memory locations in the dual- ported data memory 22.
1 S Additionally, the IFS circuit 28 includes a separate transmitter and receiver circuit for each of the two front end computers 1 Sa-18b, such as transmitter 38a and receiver 40a. The transmitter 38a is adapted to convert parallel data words (for example, 16 bits) from the stealth pon into a serial bit strs!am suitable for transmission over one of the fiber optic cables 32.
Similarly, the receiver 40a is adapted to convert a serial bit stream from the front end computer 18 into a parallel data vvord for transmission to the stealth port through one or more of the IFS
urcuit buffers. A corresponding set of transmitters and receivers are also provided in the IFQ
circuit 30, such as transmtter 38b and receiver 40b. From the above, it should be appreciated that the use of two sets of transmitter-receiver pairs enables data to be transferred and/or received simultaneously between both of the IFS ci«uits 28a-28b and both of the IFQ circuits 30a-30b. Thus, for exarnpie. the IF5 circuit 28a is capable of simultaneously transmitting data acquired from the process control computer 12a to both of the front end computers 18a-18b.
While not shown for illustration simplicity, it should appreuated that a laser or LED light source is interposed between each of the transmitters (for example, transmitters 38a-38b) and their respective ooncad fibers. Similarly, a photo- detector is also interposed between each of the receivers (for example, receivers 40a- 40b) and their respective opvcal fibers. For example, these light ccinverters may be comprised of a pair of AT&T ODL200 series converters.
While fiber optic cables are preferred for their speed, low error rate aria security advantages over mediums such as coaxial cable, n should be understood that that other suitable data transmission meaium could be employed in the appropriate aooiicauon.
3S In the pnasent emoodiment, the transmitters and receivers m the IFS and IFQ
circuits are preferably comprised of a high-performance Gallium Arsenide ch~pset, such as the "Gazelle" GA9011 transmitter arnd GA90t 2 receiver from Tnquint Semiconauctor, Inc., 2300 Owens St.. Santa Gara, CA. These particular transmitters aria receivers permit data ;p_ ~, 4 ,~ 4 P~/US93i _ _ 108 ;ransmrss~on rates m excess of ~ CO M bns~secona. Tnese transmitters and recemers um me a 40-opt moe oaranel pus wnmn enaoies data to oe encoded into a 50-baud worn using FDDI-stanaaro 48/53 encoomg. it tins encoding, 4-on oata nmoies are translated into a ~-baud cone symool Accoromg~y, cite 48; 5B encoding produces ten 5-oaua symoois from ten 4-bit data nibbles m oroer to con,or~se a data frame. The GA901 1 transmitters also convert the serial stream from a Non-Return to Zero "NRZ" format to a Non-Return to Zero, Invert on ones "NRZI" format, wnmn comomes the transm~ss~on or data and clock signals into a single waveform. The NRZI waveform oenotes a logical one wnn a Aolanty transition and a iogrcal zero with no transnron wm~ n the nit-nine-frame. These iog~ca~ ones and zeros are called 0 bands, ano eacn group of five bauas are tailed a symool. For example, a "0000" 4-bit binary input wrll be converted to a " 1 1 110" 5-baud binary symool output, whrie a "
1011 " 4-bit binary :rout mil be converted to a ' 101 1 1 " 5-baud binary symbol output.
The use of 48/58 encoding and NRZI formatting commne to substantially enhance the reliability of high-speed data transm~ss~ons over the fiber opuc tames.
The GA9012 recervers nave bunt m ciocK and data recovery (for example, NRZI to NRZ
conversroy, and they also monitor the mcornrng 5B symtiois for val~dny. In tW s regard, the 48/58 encoding creates a number of invalid symools whop may be checxed for at the GA9012 recemers. As the presence of noise or fitter across the fiber opm link could cause one or more of the bands to change to an unintended value, the detection of invalid symbols reduces the possibility of a transmission 20 error going undetected.
As an additional layer of protection from potential errors, data transmissions from the IFS circuit 28 are formed into complete data frames, which are comprised of the data to be transferred (that is, the 40-bit input data framej, a 16-bit destination address field, a 4-bit control code field ano a 4-bit error oetecnon code field. These complete data frames are 25 oreferaoiy separated from earn otner on the fiber opuc nnK by at least one sync frame. As potential physical Imw: errors may have a burst or clustering nature, the error code needs to be able to detett up to four contiguous bit errors. In this regard, a Longitudinal Redundancy Check "LRC" code is employed to prevent masked errors from potentially corrupting suosequent data processing operations. This type or error code ~s also referred to as a 30 ~~ Longitudinal Parity t_heck" . In a LRC code, a 4-bit nibble composed of parry bits is generated and inserted into the encoded data stream for a preoetermmed number of data nibbles in the encoded data stream as spawn below:
b4 b3 b2 b1 data W bble t ; x x x x ;
35 data nibble 2 ; x x x x oata nibble 3 ; x x x x ;

'O 93/25948 6 ~ PCT/US93/~_ _08 gala mobie 8 ' x x x x gala nibble 9 ; x x x x rata nibble 10 ; p4 p3 p2 pt ;
S where pr = bi 1 Xor br2 Xor.... Xor big, and ~ = bit location t to 4. Thus, the ith tart of this parity check character checks the ith information bit posrnon m data nibbles t through 9 under even panty conditions. The ~:ombination of the LRC error checking, the 4B/SB
encoding and the NZRI
conversion enable the vront ena communication system t 0 to provroe a targeted Baud Error Rate "BER" of t E- t 2. While a Cyclic Redundancy Check "CRC" code could be employed in lieu t 0 of the LRC code, the more complicated CRC code would also i ncrease the cornpiexny of the IFQ
and IFS circuits. Additionally, the LRC coding more readily permits dual fiber optic channel signal transmissions between the IFS and IFQ ar~_uits, grip the intrinsic synchronization features of the the Gazelle transmitters 38a-38b and recemers 40a-40b may be used to frame the LRC
oased protocols.
t 5 The IFQ orrurt 30 incluaes a microprocessor 42 (for example, an mtel 80186 chip) winch provides the data pump for the front end computer 18. The microprocessor 42 is not piny responsible for all IFQ/IFS protocol control and relaying data from the process control computers 12a-12b to a destination on the network 20, but n ~s also responsible for controlling the integrity of write a~cnvines t:o the IFS and IFQ circuits. For example, the microprocessor 42 20 may be used to program the transfer map 37 in the IFS circuit 28, so that only a particular sub-set of data in the duai~ported data memory 22 may be gathered and transmitted to the front end computer 18, if lees than al!I of the available variables (for example, input/outaut values, alarms and events) is desired. In this way, the actual contents of the transfer map 37 may be aeoendent uAOn a specific process control application.
2S All signal transmissions oetween the IFQ circuit 30 grip the IFS orcurt are unoer the control of IFQ circuit mmrourocessor 42. In this regard, there are three types of data transmissions from th~a IFQ circuit 30 to the IFS circuit 28, namely "load transfer map", "send command messages" and "receaive data". The load transfer map transmission mil enable the IFQ circuit 30 to load the transfer maA 37 of the IFS circuit 28 mth the specific vanaole 30 aodresses which will steer the data memory transmit bursts from the IF5 circuit. Tne receive gala transmission will cause the IFS circuit 28 to return the reauested segment of memory from the dual-ported data memory ;22.
A command message transmission will start with a Write-Lock reauest to the IFS
orcuit 28. Assuming that mcormng buffer is free, the IF5 circuit 28 mll assert a Write-Lock on 35 ;tie mailbox section 26 or the aual-ported data memory 22, and return a positive acxnowledgement to the IFQ circuit 30. The IFQ circuit 30 may then transmit its message with the assurance that no other devme mll be able to waste to the mailbox section 26 until its message has been cornpleteiy storeo grip preferably reap by the process control computer 12.
~2-~ 93/25948 ~ ~ PCT/US93/1._ .J8 ~owever, a ume nmn may oe ~mooseo on the write ~ocx to ensure tnat the flow of communications ~s not ~m~eoea oy one or the external enmnes connected to the stealth interface arcun t6. It mould also oe aaoreoatea tnat message transmissions should not take mace during any ume ~n wnmn a oata burst snouid oe recemed from the IFS
circuit 28.
As anotnear measure of data transmission protection, the IFQ circuit 30 will cause the IFS circuit 28 to reap bacx a rnessage transmuted to and stored m the mailbox section 26 of the dual-ported data memory 22 m order to be sure tnat the message was transmuted and stored correctly. Once the IFQ circuit 30 determines that the message has been accurately recemed and stored, then the IFQ orcun mil cause a flag to be set whop mil signal the process t 0 control computer 12 to pink uo the new message. In the event that this data verification fails, then the entire message transmusslon process will be repeated.
The IFQ circuit 30 <3lso ~nctuoes a process aata buffer 44, whmh is shown as block in Figure 1 for illustranor slmomn:y. However, the process data buffer 44 should include sufficient memory cap~3uty to store a separate data table for each of the process control computers 12a-12b (for example, 262,144 bytes). Eacn of these data rabies mil include both the SDSS and DS5 data transm~ss~ons. Addmonally, a DMA buffer (not shown) may also be provided to allow some elasmlt:y m processing the data being recemed. In this regard, it should be noted that the both the IFS orcun 28 and the IFQ circuit 30 are configured to facilitate bi-directlonal Direct Memory Access "DMA" transfers between the IFQ circuit 30 and the Q-bus of 20 the front end computer t 8. In this way, the central processing unit 45 of the front end computer t 8 does not need to devote substantial time to processing data transfers to and from the IFQ circuit 30. Acc~~rdmgly, the DMA buffer is preferably used as a bucket brigade area to perform DMA transfers on blocks of data from the process data buffer 44 (for example, 8K
bytes at a time) to a suitable memory res~dmg on the Q-bus of the front end computer 18.
The use of DMA transfers also ennances the amlny of the front end commumcavon system t 0 to acmeve the goal of makmo ava~fable real-time data from the process control computers 12a-12b to one or more computers on the network 20.
More specifically, the front end comrnunmation system 10 is designed to request, receive and answer network queues on troth pre-Innk and post- arbitrated data from each of the process control 30 computers t 2a-12b within a one- second time resolution. For example, In this particular embodiment, each of the process control computers t 2a-t 2b mil issue a Sequence Data Stable Strobe "SDDS" signal in every one-second program cycle, whmh indicates that approximately ' 024 ( 16 bit) words of ore-link dynamm analog/digital input data ~s stable and available in the dual-ported data memory 2'1. This specific data set Is referred to as pre-Link data, as this data 3~ nas not yet been arbitrated between the process control computers 12a-t 2b ma data transmissions across the major link t a Subsequently, m the same one-second program cycle, earn of the process cantroi c:omouters t 2a-12b will issue a Data Stable Strobe "DDS" slgnal~, winch indicates tnat ac complete sec of post-arbitrated input and output data ~s stable and ,.;_ O 93/Z5948 PCT/US93/4_ _JS
~~ ~~4 ~ 4 avairable rn the guar-ported aat~s memory 22. This data set ~s referred to as post-arbitrated, as -.ne input values wni have peen aronratea or resorvea av tins point rn the program cycle. in the present emboa~ment, tt,rs post- ~armtrated oats sec may ae comprised of uo to 65.536 ( 16-bit) words, a5 iL W il rnCWae DOtn Wau2 and putout vaWes land any otner Variables storeo in the dual- ported data memory 22i. .
it shourd also be notes at this Doint that one of the first funcvons m the program cycle of the process cornrol computers t 2a-t 2b rs to make output value decisions from the post-aroitrated input data obtained rn the immeoiatery preceding program cycle.
Accordingly, it should be appreciated that the post- arbitrated data set will include the arbitrated input values t 0 from the current program cycle and the output values from the immediately previous program cycle.
It rs also r mportant to understand that the funttion of obtaining a copy of the pre-link and post-aroit~ated data sets cannot be permuted to delay the opera2ons of the process control computers 12a-12b Thus, for example, the front end communication system 10 t S must be sufficiently fast to oatarn a cony of the ore-auk data sets before the process control computers t 2a-12b need to nave the aoiiity to mange one or more of these data values through the aroitrauon process. Accordingly, rn the context of the present embodiment, the front end commumcat~on system t 0 needs to be able to acquire a pre-link data set within ten milliseconds of the nine that the SDSS signal was initially asserted in order to have the 20 assurance of data stability. Similarly, the front end communication system 10 needs to be able to acquire a post-arbitrated data set within fifty milliseconds of the time that the DSS signal was initially asserted. In this regard, rt should be appreaated that each of these data sets need to be independently ac:ourred from both of the process control computers t 2a-t 2b by each of the front end computers t8a-t 8b. Additionally, each of the front end computers 18a-18b must also be able to send messages to the one o~ ooth of the process control computers 12a-t 2b ounng time periods outside of the SDSS and DSS data acouisition windows.
In order':o further facilnate the ability of the front end communicanon system to acquire the SDSS and USS data sets washout any data transfer blocknecks, and also provide the ability to group and nine align the data sets being received, each of the front end computers 30 t 8a-t 8b includes a set of at least three reflective buffers for each of the process control computers t 2a-t 2b. E ach of tnese rogrcally distinct reflective buffers or shadow memories may reside in the same physical memory cmp or cnio set in the front end computer 18. As shown in Figure 1, the set of ref~ecnve puffers contained rn the front end computer t 8a is generally compassed of a ZERO t uffer "Zl." 46a for the Left process control computer t 2a. a ZERO buffer 3~ "~R" 48a for the Rignt process c:ontroi computer t 2b, a ONE buffer "OL"
for the Left process control computer, a ONE buffer "OR" for the Right process control computer, a TWO buffer "T;." for the Left process contra) computer. and a TWO buffer "TR" for the Right process controi computer Addiuonarly, n snouid be unoerstood that a corresponding set of reflective 193/25948 ~ ~ PCT/US93/0.._~8 puffers are contamea n~ the wont eno computer t 8b, sucn as the ZERO buffer "ZL" 46b for the _eit process control cornouter 1:2a aria the ZERO buffer "ZR" a8b for the Right process control computer 12b.
T he nQ c rcun 30 writes to tnese left aria r~gnt buffers m a 'round room"
fashion - ~smg DMA data transf~ars. m otner woras, the IFQ circuit 30 wni fill the ZERO buffer 46a with ore-Imk and post-armnated data of a oart~cular process control cycle from the Left process control computer 12a. Then, wnen pre-rink aria post-armtratea oata for the next process control cycle ~s recemea from the Deft process control computer 12a, the IFQ
circuit will ncrement to the ONE buffer 50,a m oraer to store this data. S~mnarly, the IFQ
urcmt 30 will 0 :urn to the TWO buffer 54a wnen pre-link and post-arb~trateo data for the third process control cycle is recemed from the Deft process control computer 12a in order to store this data.
Then, when pre-lnk arid post-arbnrateo data for the forth m time process control cycle from the Left process control computer 12a is to be stored, the IFQ urcun 30 coil return to address the ZERO buffer 46a for aata storage. Of course, it should be appreciateo that the IFQ circuit 30 ~ mll employ the same rouno robin seauence for individually transferring pre-rink ono post-aronrated data to the tnree reflective buffers 48a, 52a and 56a that are used for the Right prpCe55 control COmpu'Cer 12b.
For purposes of illustration, Figure i shows three reflective memory buffers (46a, ~Oa and 54a) for the Left process control computer 12a, and three reflective memory buffers 20 f48a, 52a and 56a) for the Right process control computer t 2b. However, as the SDSS and DSS
data transfers are treated as independent DMA events, the reflecvve memory buffers preferably include distinct refiectwe memory buffers for each of these events.
Accordingly, a total of twelve reflective memory buffers are preferably promded in the front eno computer t 8. Addnonally, each of these reflective memory buffers are individually tracked, so that the ~ ordering of these puffers oo not necessar~iy have to follow the rea~men snown peiow:
Second N: (Zf=RO-SDSS-L ZERO-DSS-L ZERO-SDDS-R ZERO-DSS-R) Second N + t : (ONE-SDSS-L ONE-DSS-L ONE-SDDS-R ONE-DSS-R) Second N + 2 (T'~NO-SDSS-L TWO-DSS-L TWO-SDDS-R TWO-DSS-R) Rather, the ordering of tnese buffers could also proceed unoer other regimens, sucn as shown 30 oelow:
Second N: (ONE-SDSS-L TWO-DSS-L ZERO-SDDS-R ONE-DSS-R) Secono N + 1 : (TWO-SiDSS-L ZERO-DSS-L ONE-SDDS-R TWO-DSS-R) Secono N + 2 (ZERO-SDSS-L ONE-DSS-L TWO-SDDS-R ZERO-DSS-R) it is important to understand that the corresoonomg left ono right reflective sS puffers (for example, :coffers aEia and 48a) mil generally not become f~lieo at the same time, as the program time line of the process control computer m the oog mode snould follow the program time tine of the process control computer m the fax moos by a preoetermmabie oenod of time lfor example. 20-mmroseconos to 20- m~ii~seconos). However, tnese time tines O 93/25948 PCT/US93/0.._J8 X74 ~ 4 gay oecome consiaeratoy separated m the event that commumcauons across the major link 14 are not possible, as mer~nonea aoove. even wnen the left ono ngnt SDSS or DSS
signals are asserted at near the same rime, the delays reauired to transfer this mformanon to the IFQ
c:rcun 30 aria then transfer tins mformanon into the appropriate refiecnve memories may result ~n a maer rime sKew between tnese events as seen by the application software of the front end computer 18 ~:han as seen by the process control computer aria IFS
c~rcmt hardware.
nevertheless, it ~s the responsrb~l~ty of the front end computer 18 to ensure that the data sets ~iumateiy made available to the computer network 20 represent data from the process control computers 12a-12b in the same program cyoe (for example, a one second period).
In this regard, the appiicauon software of the front end computer t8 includes a procedure, referred to as "MI Sync", which groups mdmdual data transfer events into a cohesive set of buffers that represent a "snapshot" of the ore-Imk and post- arbitrated data for a partmuiar process control cycle.
The MI Sync oroceoure uses a set of reflecvve memory buffer management structures (MI RMBM~i) to traces; the status of incoming oata transfers. When the IFQ circus driver software signals to the MI Sync proceoure that a DMA transfer has completed, MI Sync records the required information rn the appropriate MI RMBMS data structure.
When MI Sync determines that a comalete set of buffers has been recemed and stored (that ~s, left SDSS, right SDSS, left DSS aria ngho. DSS), it updates a global data structure (MI RM
DATA) with the pointers to the newly rE~cemed data. These pointers are copied from the MI
RMBMS data structure. Accordingly, MI RM DATA includes the pointers to the currently available "complete" or rime aliened set of reflective memory buffers. Depending upon where the front end computer 12 is in the rouno robin procedure, the most current rime aligned set of reflective memory buffers may be TWO buffers 54a and 56a at one rime interval, the ONE
~5 buffers SOa and 52a at vine next time interval, ono the ZERO buffers 46a and 48a at the roilomng ume interval. In the event that the SDSS or DSS data from one of the process control computers 12a-12b is not received by the IFQ circuit 30, MI Sync mll still maintain rime at~gnment by using an ;3ppropnate timeout (for example, 700 milliseconds) for updaung the MI RM DATA pomterrs. An mdicauon mil also be promded as to whmh buffer or buffers are unavailable.
The buffer pointers wnhm MI RM DATA are protected by a mutual exclusion semaphore or "murex". MI SYNC reouests this murex before copying the new pointers to MI-RM_DATA aria rereases n ~mmediateiy after the coot' is complete. When a network entity ~eeos to access reflec2ve memory data, a cony or the MI RM DATA pointers ~s made by reaues2ng the murex, :ooyng these buffer pointers to a local data structure, and then ~eieasing the murex. S rice the aooiication for querying or redoing the data uses a copy of the oo~nter, contention for the murex is mmmmea, and MI Svnc mil be axle to update ~~11 RM DATA wnn new pointers as soon as the next complete set of data has peen stored. In O 93/25948 ~ ~ ~ PCT/US93/~ .08 ws regard. ~: ~s ~maortant to note that tins metnoa win enaole the reading apomatlon to still access the same set of reTiectme memory duffers wmle MI Sync updates MI RM
DATA with new pointers. Since r~eaomg ap~mat~ons mll access the most current time angned set of reflective memory ou rfers. n. should oe unoerstooa that a reaamg aoomanon could be accessing one set of rEaflecnve memory buffers Ifor example, the TWO buffers 54a and 56a), while a subsequent reading apomanon could be gmen access to another set of reflective memory buffers (for example, the ONE buffers 50a and 52a) once MI Sync updates MI RM DATA with new pointers.
It should also be understood that applications which access the reflecvve t 0 memories will be abler to run to completion before the referenced buffers are overwritten with new incoming data. In one emoodment of the front end communication system 10, applications requiring reflective memory data are assigned execu2on priormes high enough to allow them to run to ~:ompienon m less than one second. However, It should be appreciated that the front end cornouter t Ei could be configured with additional sets of buffers to al low the development Ot an appioauon trial may take longer to run to COmpleUOn.
It should also oe ~aopreciated from the aoove that the use of the front end computers t 8a-18b also enaales the communication system 10 to have the necessary intelligence to answer specific data requests. Tie use of the front end computers 18a-18b also permit a rapid check to be made that the process control computers 12a-12b are in fact 20 continuing to send real-rime data. Additionally, the front end computers 18a-t 8b are also preferably programmed to make determinations as to whether read or write requests from the process control computers 12a-12b should be granted with respect to the entity on the computer network 20 whmh has forwarded the request. As will be discussed more fully below the front end computers 18a-18b contain ooth a security table and two permissive tables in 25 their memories for facilitating these oetermmanons. The securnv table is used determine whether communmat:~ons mll be oermnted at all with various enmnes on the computer network 20, while the permissme tables are used to evaluate write command messages from an entity on the computer network winch could affect specific locations in the dual-ported data memories 22a-22b.
30 The front eno computers 7 8a-18b may also utilize at least one set of additional reflective buffers, such as Corre~ate buffers 58a and 60a. In light or' the fact that the DSS data set will contain the past-arbitrated input value data from the current program cycle and the output value data th<~t was oa~seo upon the post-armtrated input values of the immediately preceding program type, n may be aes~ratile to correlate into one data table the output values 35 vor a oartmular program type wnn the input values useo to decide these output values.
Accoromgiy, the front eno computer t 8a may employ the Correlate buffers 58a and 60a to store a copy of the post-ar~~trated input values from the current DSS data set, and then wan for the alignment of the next DSS data set m oroer to store a coov of the output values from this /O 93/25948 ~ ~ ~ PCT/US93~,...108 :uoseauent data set m the same Correlate Duffers. in gyms regaro, .t snouid be a~flreciateo that -.ms copyng proceoure mil be made from the most current rime angned set or reflective memory duffers. Thus, for example. Figure 2A shows a a~aarammaW example or a Data table n a rime aiignea Duffer, wane F~aure 2B shows a s~mnar example of a data tale m the Correlate buffer CL. In .any event, it mould be understooo that the time alignment capabilities of the front end computers 18a-'18b orovioe a powerful diagnostic tool for analyzing both the ooeranon of the process control computers 12a-12b aria the onysical process being controlled.
For example, the arbitr,snon performed mth respect to the input data values may be analyzed .or both of the process ~:ontroi computers 12a-12b, as ore-Link and post-arbitrated input data 0 values are time aiignea and made available by the front end computers 18a-18b.
The computer network 20 is shown m Figure 1 to generally include a direct control segment, a process mformanon segment ano a connecvon to a Wide Area Network "WAN". Each of these network segments preferably employ Ethernet compliant mediums and IEEE 802.3 compatible <:ommumcanon protocols. The direct control segment ~s comprised of dual Plant Area NetworKS "PAN-1 " ano "PAN-2", wh~ie the process information segment is comprised of Plant Area Network "PAN-3". At least one dredge 62 is used to mterconnectthe PAN-1 and PAN-2 segments. Addmonally, at least one badge 64 is used to interconnect the PAN-2 segment with the PAN-3 segment. Another badge may be used to interconnect the PAN-1 segment with the PAN-3 segment. One or more br~ages 66 may also be used to 20 interconnect the PAN-a segment with the WAN.
It should be noted that the front end computer 18a is coupled to the PAN-1 segment, while front end computer 18b is coupled to the PAN-2 segment. While a single plant area network could be provided, the use of dual plant area networks shown herein have certain communication and redundancy advantages over a single plant area network. In this 25 regard, the badges mll typically filter commumcauons by Ethernet haraware addresses to repute the amount of traffic on eacn of the networK segments. For example, a communication between the security server 68 and the operator station 70 will not be transmuted across the badge 62 to the PAN-1 segment.. The badges 62-66 also oromde a layer of physical separation between the network ~~egments, so that if a fault occurs on one of the network segments, then 30 the fauitwiil be prevented from adversely affecvng the otner network segments.
Additionally, one or more of the badges are also used to filter communmations on the basis of specific data communication protocol ~aennficanons to enhance the overall security of the network 20. For exam ale, the bridge 64 may oe usea to prevent the transmission of messages emoioyng the EtnernEat compliant protocol used by the security server 68 from one of the PAN-s5 2 and PAN-3 segments to the other. S~m~iariy, the br~aoe 64 may oe useo to prevent the transmission of messac3es emoloyng the Ethernet compi~ant protocol uses to write ~nrormanon into the rna~lbox section 26 of the ouat-porteo data memory.
_~,g_ O 93/25948 ~ ~ PCT/US93/1~_-08 he computer network 20 also includes a piuramy or operator workstations, such as operator worxstanans 70 and 72. As snown m Fioure 1, these operator worxstanons may be located on different networx segments, and the numper of operator worxstations mil be dependent upon the oartWUlar process control aopWat~on. One or more of these operator worxstavons may be used to mew or analyze data recemed from the front end computers 18a-? 8b. Additionally, these operator workstations may be used by an authorized control room operator to transmit the appropriate instructions to the front end computers 18a-18b which wnl cause a command message to De conveyed to the process control computers 12a-12b.
The network 20 further includes a process information computer 74 which may ? 0 perform a variety of functions. For example, the process information computer may be used to store a history of process data recewed from the front end computers 12a-12b.
Additionally, the process information computer 74 may be used to store the compilers needed to change the computer programs residing m the front end computers 18a-18b, as well as the programs residing in the proces!~ control computers 12a-12b. The process information computer 74 may - S also mnude loaning assistant s~pttware for transferring operating program remsions to the process control computers 12a-12b. The network also includes a control room data manager computer 76, which may be used to perform various file serving and tracking functions among the computers tonne<aea to the network.
An expen download assistant 78 is also promded to facilitate program revisions in 20 the front end computers 18a-18b. In contrast, the loading assistant software m the process information computer 74 may be used to cause a new computer program to be downloaded to one of the process control computers 12a- 12b through at least one of the front end computers 18a-18b and the mailbox section 26 of the dual-ported data memory 22. While the download assistant 78 may be rers~dent in its own network computer, the download assistant could also 25 reside in a suitable nertwork computer, such as the process information system computer 74.
The foa~dmg assistant may also be used to cause the process control computer with the revised program ':o start operating in a mode which will enable real-time testing of the revised program. In this mode of operation, the process control computer will receive input data and make output deosions, but these output decisions will not be transmitted to the field 30 instrumentation devices. This will permit the plant engineer to evaluate the revisions, and even make further remsions ~f necessary before instructing the process control computer to assume an active mode of ooeran on, 'such as the fox or dog modes.
Whenever ~t is decided that the manner in which the process control computers 12a-12b perform their particular manufacturing control operations should be changed 35 tnrough a program rems~on, the remsed program for the process control computers ? 2a-12b must be compiled from the the source programming language to an executable file or set of dvnammailv linked fi ies. m the preTerred empodiment, a unique identifier ~s empedded into the executable code during the como~le procedure. This identifier represents for is otnerwise ? 9-93/25948 ~ ~ PCT/US93/0:,_.d associateo wnn) the version or the remseo software for the process control computers 12a-12b.
he program version ~a~entner ~s used to ensure proper angnment oetween the version of the program being executed by the process control computers 12a-12b and the filesitables rn the -roast eno computers 18a-18b useo to evamate write command messages to these process control computers.
As menvoned above, each of the front end computers 18a-18b include two oerm~ssme tables, such ,as the "Pl_" perm~ssme table 80a for the deft process control computer 12a, and the "PR" permissive table 82a for the Right process control computer 12b. These permissive tables are used by the front end computers 18a-18b to determine whether any enmy on the computer network 20 should be oermrtted to change the contents of specific locations m the dual- ported data me~rories 22a-22b. However, it should be appreciated that the data structure of the permrssrve taole could be constructed to protect the contents of any memory location or area m the process control computers 12a-12b which could altered from a write command messace-15 When a message ~s recemed by a front end computer 18 from an enmy on the network which uses the write command protocol, such as a write commano message from one of the operator workstartrons 70-72, a "data wnte_check" sub- routine will be called by the central process unit of front end computer. The data write check routine mil perform a comparison between tt~e variable elements identified in the write command message and the 20 variable elements in the permissive table for which changes should be authorized or denied.
For example, if the front end computer 18a receives a write command message which seeks to increaseldecrease an analog gam "AG" factor used by the program being executed by the Left process control computer 12a, the front end computer 18a will look up the element word for this particular AG factor in oerm~ssive table 80a and determine rf a bit has been set to deny the autnorrzation neeaed to change this factor. if authonzanon ~s denied, then the front end computer 18a writ not transmit the waste command message to the process contro~ computer 12a. instead, the front end computer 18a will preferably send a reply message to the host entity on the computer network 20 that or~gmally sent the write command message, to inform the host entity that a waste error has occurred.
30 From the above, it should be appreoated that the PL and PR permissive tables stored in the front end ~:ompute~rs 18a-18b need to be closely coordinated with the version of the program being exe~:uted by each of the process control computers 12a-12b.
m order to ensure that each of these perm~ssme tables are sufficiently matched with the programs being executed by their respecvve process control computers 12a-12b, the program version identifier ~ a~scussea above ~s also embeddea into these oermissme rabies when they are comp~ied. This program version ~denm~ier may then be sent to the process control computer 12 aloha with a verified write comman« message, so that the process control computer 12 will be able to confirm that the commanded variable change ~s aoproonate to its program version.

93/25948 ~ PCT/US93/0_ r8 o enhance the sec:urny or ;ms ver~TOauon process. the program version identifier from the permissme tatoe ~s preferaoiy altered by a sunaoie encryption algorithm before it is transmuted mtn the write commano message to the mailbox section 26 of the stealth interface circuit 16 for the ~ntenaea process contro~ computer 12 The process control computer 12 receiving the write commano message will then decode this version identifier, and compare it with the program versnon ~oentnfier embedded in its program to determine if their is a match.
l= the program version ~ aennfiers match, then the process control computer 12 will perform the commanded variable change. Otherwise, the process control computer 12 mil respond by discarding the write command message and transmitting an appropriate error message to the 0 front end computer 18.
The PL aria PR permissive tables are also preferably provided with a data structure which permits write commano autnor~zanon determinations to be made for specific host entities on the compuuer netwurk 20. In other words, the permissive table 80a may permit particular variable changes to bea made from operator workstation 70 that are not allowed to be made from oberator worKStauon 72. Thus, the permissme tables may nave several station specific table sections, .as well as a default table section. Nevertheless, the ability may also be provided to bypass a cnecK of the abpropriate permissive table, through the use of a suitable password at a host entity on the computer network 20. However, in this event, a log should be created and stored in tree front end computer 18 which will identify this transaction and the 20 identity of the host entity (for e~:ambte, a CPU identifier).
It should he noted that the use of separate permissive tables for the process control computers 12a-12b has the advantage of enabling a program downloading operation to be performed on one of the process control computers while the other process control computer continues to actively control a manufactun rig process. indeed, even after a revised 2c program has been succ~essfuliy transferred to the brocess control computer 12a (and the corresponding permissive tame 130a loaded in front end computer 18a), the use of separate permissive tables will enable the front end computer 18a to evaluate a write command message intended for the process control computers 12a which is distinct from a write command message intended for the process control computer 12b. While it may not be 30 advisable in some circumstances to run the process control computers 12a-12b with different program versions in an active control mode, a passive oberating mode may be used for the process control computer wlm the revised program while the other process control computer is in an active control mOae. m such an event, the plant engineer may Use the download assistant 78 during final progran, testing to Issue write command messages for the passive process 3~ control combuter, while another plant engineer issues write command messages to the active process control computer tnrauc~n the same front eno computer 18.
The security server 68 is used to inform each of the computers residing on the network 20 who they may communicate with on the networK. In this regard, the security server 93/25948 ~ ~ ~ PCT/US93/O5~ _ s sores a specific security taole for eacn of the vand enuties on the network.
Eacn of these security rabies will ~de~nfy which of the networK computer entities a particular network computer may conduct m- dlrect~onai communmanons. =or example, m the case of the front eno computers t8a-t8b, one or the first functions on start uo mil be t0 Obtain their respective security tables from the security server 68. Accoroingly, the security server 68 is shown in Figure t to store a security table "S 1 " for the front end computer 18a, and a security table "S2" for the front end computer t F,b. While the security server could also be used to send the PL and PR
permissive tables disc~~ssed aoove to the front end computers 18, it is preferred that newly compiled permissive ta3oles be received from the download assistant 78. In this regard, it should ~ 0 be noted that the download ass~lstant ~s also preferably used to send the transfer map 37 intended for the IFS circuit 28 to the front end computer 18 along with the appropriate permissive table.
In order to assure the integrity of security table transfers from the security server 68 to the front end cornouters 18a-t 8b, a method of validating these transfers is utilized in the ~ 5 present embodiment. tit accordance with this method, the front end computer 18 will embed a random or pseudo-ransom number m a broaocast network message to request that the security server 68 identify itself as a prelude to sending the appropriate security table. The security server will respond to this request with an acknowledgement message that utilizes a security protocol identifier which is different than that used with other types of network 20 messages. Importantly, this acknowledgement message will include the random number from the front end computE~r 18 in a transformed state. In this regard, a suitable encryption algorithm may be used to alter the random number, and the random number should have a bit length which will make it difficult for any unauthorized entity to decode (for example, 32 bits).
Upon receipt of the acknowledgement message, the front end computer t 8 will then either reverse the encryption Droce551:o Ob2ain the random number Or encrypt its Ori(7inal random number t0 make a COnIDarISOn DetWeen the tran5mltted and reC2lVed random nUTDerS.
Assuming that these random numbers match, then the front end computer 18 will determine that the acknowledgement message has been received from a valid security server, and the transfer process will proceed.
30 In order to further enhance the security of communicavons between the front end computers 18a-18b and other entities on the computer network 20, an additional validation procedure is preferably implemented. More specifically, this additional validation procedure is utilized tit permit communication between the front end computers 18a-18b and any network entity for which a write command message may be recognized. In accordance ~ with this validation m~=tnod, the front eno computer t 8 will seno a contract offer message on a periodic basis to the E~:hernet aoaress of each host entives on the network 20 which it recognizes as having a write message capability. Each of these contract offer messages will include a random or p5euoo-random number or other suitably unoredicable message 'L2-93/25948 ~ ~ ~ PCT/US93/OS_ _a component. in oraer for a nose entity to sole to nave ass write command messages recognized, must respond to ;ts contract orfer message witmn a oreaetermmea period of time /for example, 10 seconast wnn a contract acceptance message that includes a transformeo version o~ tnis unoreaicaole message component. White any appropriate encryption aigorrthm be uses for tnis purpose. n ~s preferreo tnat tins encryption algontnm be different titan the encryption algorithm used to vai ldate the transfer or a security table from the security server 58. Additionally, it snouid be noted that the security message protocol may oe used for these contract offer and accecnabie messages.
The front end computer t 8 will then decrypt the random number embedded in the contract acceptance message to oetermine if a time limited communication contract will be established between the wont end computer and this host entity at the speafic Ethernet aadress for the host entity that was contained in the security table. This rime fimitea communication contract will ensure that a waste command message link between a front end computer 18 and a part cular host entity will be reliable and speafic. Thus, for example, the t S ~ront ena computer t 8a m ii send a contract offer message to the Ethernet address of the operator worKStation 7 2 whmn mil contain a new ransom num~er (for example, 32 bass in length). The operator worxstauon 72 will respond with a contract acceptance message that includes an encrypted version of this particular random number. Then, the front ena computer t 8a will either decrypt this numaer wash the contract algorithm key stored in its memory for this purpose or use the ~~ame encrvpeon algorithm to compare the offer and acceptance numbers. If these numt~ers match, then the front end computer t 8a will be process write command messages from the operator workstation 72 for a predetermined period of time.
Otherwise, if the numbers oo not match, then the front end computer 18a will disable a waste command authorization bas for the Ethernet address of the operator workstavon 72 from its security table S t to inaicate that write command messages from tnis operator worKStation snould be ignored.
The communication contract established for write commana messages is rime iimrted to enhance the transmission security of these parncular messages. In the preferred emoodiment, the comrnumcanan contract wail automatically expire within twenty seconds after berng mvated. ~levertheless, in order to ensure that the ability to seno write command messages is not interrupted, the contract offer messages snould be sent from the front end computer 18 to each of the appropriate host entities on the networrc 20 on a periodic basis wnich will provide this continuity. For example, with a communication contract of twenty seconos, it is preferred that the contract offers be transmitted at a rate of approximately every > j ten seconas. tit other words. every ten seconds, eacn or the host entities that are caoapie of transmitting recognizable writer commana messages will receive a new random numoer from eacn of the front eno computers 18 -?3-193/25948 PCT/US93/0'_ 3 _~ ~~~ s ~
n the event that a host entity fans to respond to a contract offer message from a =runt end computer t F~, the front aria computer will oreferaoiy maKe three tees to establish or maintain a time l~mnea cornmunicauon contract. If no response is received from these three tries, then the the front eno computer 18 mil oisaoie the wine commano authorization pit for the Ethernet address of tn~s host enmy from its security table. In such an event, the affected host entity mil not tie aple to nave its wine command messages processed by the front end computer t8 until the security server 68 transmits a new security taple to the front end computer 18.
It Should be appreUated from the above that only the random numbers need to t 0 be encrypted to facilitate a transfer of the security table or to establish the time limited communicavon contract for write commanp messages. However, it should be understood that the security table iuei ~ or the w~rne command messages could be encrypted as well in the appropriate application. NevErzneiess, the use of different Ethernet protocols for security messages and write commano messages, the use of different encryption algorithms for security taola transfers and wr to commana communication contracts, the limitation of the time of the write command comrr~unoanon contracts to snort durations, and the use of specific permissive tables for each of the oront end computers t 8, all combine to provide a very high degree of communication aria w rite command security for the process control computers 12a-t 2b.
Additional protection ~s also supstantially provided by the guardian circuit in the stealth 20 interface orcun 16, the emoepding of a program version identifier in the PL
and PR permissive tables, and the encryption of the these program version identifiers by the front end computers 18a-t8b when a verified write command message is transmitted to the process control computer t 2a-t 2b. In this regard, it should be noted that the encryption algorithm used by the front end computers t 8a-t 8b for the program version identifiers ~s preferably different than 2~ the encryption algorithm useo for securnv tame transfers or the encryption algorithm used to establish the time iimitea commumcauon contracts for write command messages.
Turning to Figure 3, a block diagram of the stealth interface urcuit t 6 is shown.
Reference will also be mane to the schematic diagram of the stealth interface circuit t 6,which is shown in Figures 4A-4B. The stealth interface arcuit 16 is interposes between the internal bus 30 structure 100 of the process control computer t 2 and the externally directed stealth port t 02.
The stealth interface circus '.6 is connected to bus structure t 00 via a set of suitable buffers. In this regard, buffer block 104 incur des two 8-bit buffer circuits U 17- U 18, which receive address information from the address pus on the process control computer 12.
Similarly, buffer block t 06 includes two 8-bit buffer circuits U6-U 7, whmh receive data information from the data bus 3~ of the process contro~ computer 12.
The stealth interface circuit 16 also includes a data control block 108, which is also connectea to the bus <..tructure 100 or the process control computer 12. As indicated in Figure CA, the data control block 108 ~s preferaoiy compnseo of a Programmable Array Logm "PAL"

)93/25948 ~ ~ PGT/US93/0:._.~8 orcult U 15 (for examon~. .P5? 2), wnmn is useo to aetect the SDSS ano D55 signals from the process control computer ? 2. As wen known m the art, a PAL circuit has fusible links which may oe programmed so that a pmramy or internal AN D oaten and OR gates will be configured to oerformea a deslrea ioyc funcnon. Wh~le a PAL orcun oromoes a relatively low cost way of ~moiemennng logic functions, it should be unaerstood that other suitable circuit devices may oe used for this apploauon. It should also be noted that the PAL orcun is programmed to oetect two extra strobe signals that may oe generateo by the process control computer 12, namely the "EXS1 " anti "EX52" s~onals. One or both of these extra strobe signals may be used by the process control computer ? 2 to md~cate that certain data stored in the dual-ported data ? 0 memory 22 is stable, such as oats used to oisolay graphical mformanon.
The stealth interface circuit ? 6 also recemes four control signals from the process control computer 12 wnmh are uses to access the dual-ported data memory 22.
These signals are "/EN DATAMEM", "!EMR", "R/W" and "MEMCLK. The first three of these signals relate to whether the process control corn outer ? 2 seeks to reaa or write to the dual-ported data ~ memory 22. However, MEMCLK. ~s the memory mock s~gnai referreo to above whmh effectively divides the nine In the macmne cycle of the process control 12 available for accessing the dual-oorted data memory 2:2. The MEMCLK signal ~s a fifty percent duty clock signal, as shown in the timing diagram of Figs re 5A. In accoroance with the method illustrated in this timing diagram, the dual-ported data memory 22 may be accessed from the internal process control computer 20 port 100 when MEMCL:C is Low. Then, when MEMCLK unoergoes a transition to a High state, the dual- ported data rnemory 22 may oe accessed from the external stealth port 102. While the MEMCLK signal is shown to have a period of 400 nano-seconds (that is, a frequency 2.5 MHz), it should be understood that other suitable periods and duty cycles may be provided in the appropriate application.
25 On the stealth port sae of the steann interface orcun ~ 6, a set or suitable buffers are also promded to hanole the transfer of aodress and data information. In this regard, buffer block 1 10 includes two 8-bit buffer circuits U 1-U2, which receive address information from the external stealth port ? ~)2. Similany, buffer block 1 12 includes two 8-bit buffer urcuits U4-U5, which are capable of transmitting and receming data information between the dual-ported 30 data memory 22 and the stealth port 102.
Additionally, the stealth interface clrcmt 16 incluoes a aroltranon orcuit 114 which receives bus reauest s~gn,ais from external en2~es on the stealth port 102. As shown in Figure 58, the present embodiment promoes four individual channel lines far the incoming bus request signals "/BR1..lBR4". Thus, the stealth interface orcun 16 enaoies up to four different 35 external entities to tie connecteo to the stealth port 102. The aronranon orcult 1 14 is shown in Figure 48 to comprise a four input asynchronous bus arbiter ercU t U9 which mil grant bus access to the first bus reouest s~gna~ retained. in this regard, a sAeofic bus grant signal "IBG 1../BG4" will ultlnnately be generateo to inform the particular external en2 y who won the _2 j_ 93/25948 ~ ~ PCT/US93/05_ pus that the cnannei ~s near fur its use T he arbnranon c~rcun t t 4 also pas an internal ANO
gate wnich wit produce the any-pus-reauest s~anai /ANY BR" shown m the timing diagram or Figure SA.
The steann interface orcun 16 furtner includes a steanh port control circuit 116, winch is used to control access to the auai-ported data memory 22. The control circmt 1 16 is snown m Figures 4A-4B to combnse a PAL circuit U t 6. a timer orcmt U 10 and a set of tri-state puffers which are cont<3~neo m cmo U8. In the case or memory access for the internal process control computer bus 100, the P,4L circuit U 16 will transmit the chip select signal "/CS" to the buffers 104 and 106 to latch or capture address and data mformavon from the internal bus.
t 0 The PAL circuit U 16 will also send the enable memory read signal "/B-EMR"
to the buffer 106 when the process control computer 12 needs to latch or capture data from the data bus 1 18 of the stealth interface circuit 16. In this regard, the PAL urcuit U 16 is responswe to both the MEMCLK signal and the central brocess unit clock signal "C?" of the process control computer 12.
t 5 In the case of memory access from the external stealth port 102, the PAL
arcuit U 16 will transmit the enable signal "/SP EN" to the buffers t 10 and 1 12 to latch or capture address and data infonrauon from the external bus. The PAL circuit U 16 will also send the enable memory read signal "SV1//R" to the buffer 1 12 when an external entity is permuted to latch or capture data from the data bus 1 18 of the stealth interface ci rcmt 16. The SW/R signal 20 is received at the stea~t.h port bus 102, and ~t promdes an ~ndica2on from the external entity the direction of data flow desired. In this particular embodiment, the SR/W signal is active High for a read cycle and active Low for a write cycle. The SR/W signal is common to all four potential external users, and it si~ould be held in a tri-state until the external user winning the bus recewes its actwe Low /BR signal.
2S The PAL U 16 also transmits the SWIR signal to the cnecK point guaro~an arcurt 120 (PAL c~rcun U 13) to inmate an evaluation to be made on the address of the dual-ported data memory 22 selected by the external entity for a write operation. In this regard, the guardian circuit 120 is programrned to inhibit the transition needed in the chip enable signal "/CE" for accessing the oual- ported data memory chips U t 1-U 14, whenever the aodress ~s outside of the 30 manbox section 26.
With respect to the seduence of operation for the stealth interface arcuit 16, it should be aobrec~ated that a memory readlwrite cycle from the stealth port 102 must be inmated by the external entity seeking to access the oual-ported data memory 22. This cycle is begun with the transmission of a bus request signal /BR from the external entity, sucn as front 3S end computer 18a. Urron the rercemt of any bus reduest signals, the arW
trator orcun 1 14 will transmit an active Loin any-pus-reduest signal /ANY 3R to the PAL circmt U 16.
The any-bus-reouests~gnal ~s directed to an internal flip-fiOD Of the PAL orcuit U 16.
winch operates under the clock signal CP. A<:cordmgiy, the any-pus- reouest signal needs to be present before the O 93/25948 ~ PCT/US93/6..~08 =a~nng edge of the cioe:K s~gna~ CP m oroer for steann oort access to occurwnen MEMCLK goes sign, as mown m the ammo a~agrarn or F~oure SA If the iatcned any-bus-reauest signal is active, the steaitn interface orcun 16 mll beam a steann port memory cycle.
Othermse, the steann interface orcun 16 mimot ornate a steanh port memory cyoe until the next MEMCLK
s~anal oer~od.
When a s,teaith part memory cycle occurs, the /SP E~~ signal is generated from the PAL circmt U 16. As ~no~cated aoove, tins s~gnai will enable the address and data buffers on the stealth port. The l'~P EN signal mil also enable the aroitrauon circmt 1 14, which issues a specific bus Bran; sign~ai /BG for the external user whim inns the bus. Once the external entity 0 detects its bus grant synal, then n may transmit either the memory address n seeks to read or the aadress and data necessary for a write operation. The chip enable signal ICE is delayed by the PAL circuit U 13 to allow for the delay introduced from the address buffer 1 10, as the address needs to be stable before the RAM chaos U 1 1- U 14 are actually accessed.
For a ste~3ltn port read cycle, the data placed on the data bus 1 18 will become ~ stable approximately ~i5ns aster lCE becomes active. In this regard, n should be noted that symbols such as "TC~" in the 2rmng diagram of Figure 58, intimate the appropnate delay time duration. A read later signal RDLATCH directed to the PAL urcuit U 16 may then be used by the external entity to enh~er latch the data into the buffer 1 12 or indicate that data ~s available. For a stealth port write cy~ae, the address lines on the address bus 122 will be monitored by the 20 guardian circuit 120 to ultimately permit or deny write access to the stealth port 102. When write access is denied, the guardian circuit will not generate the active Low chip enable signal /CE, and thereby restrict an external enmy on the stealth port 102 from wasting to the particular address location in the dual-ported data memory 22 that ~t has selected. In this event, the guardian o ~cun 120 will also generate a write address valid signal "WR AD VAL", 2S wnmh is transmnteo 2 the PAL orcmt U 16 of the control orcun 1 16. The PAL
orcuit U 16 will respond by generannc~ a write address error signal "WR AD ERR" fortransm~ssion to the external entity. The w~nte aadress error signal ~s active High and valid only during the current memory access cycle, and this signal ~s common to all external entmes.
For stealth Aor accesses to valid waste addresses, the guardian circuit 120 will 30 activate the ICE signal. Additionally, the SRM/ s~gnai from the external envty should become active when the pus grant signal /BG is Low. The PAL U 16 will also cause the waste enable signal lWE for the RAM chip<.; U 1 1-U 14 of the dual-ported data memory 22 to become active, and the nsmg edge of the /WE signal is useo to waste data into these RAM chips.
The control orcmt 1 16 also includes a timer orcun U 10, whmh mll generate a 3S CLEAR signal aoorox~rnateiy 1 Sons after one of the bus grant signals /BG
becomes active. The CLEAR signal ~s used to cause the tit-state buffers m buffer cmo U8 to generate individual bus g~ant clear signals "BC; 1-CLR..BG4~C~R" to each external user The CLEAR
signal ~s also used to gear the stealth port memory cycle by deacnvavng the stealth port enable signal /SP EN.
~7-_. 3 93/25948 ~ ~ PCT/US93/0:,_~8 Refernnc~ to ~~cures 6A-6E. a set of flow marts rs shown to furtner illustrate various aspects ot~ the <..ecurny and vanoauon metnods discusseo above. In this regard, Figure 6A snows the part of ttie boot up procedure or the front end computer 18 which is oirected to a searcn fortne security server 68. Then, once the security server rigs properly identified itself to -.tie front end computer 18, Figure 68 shows the procedure for transferring the security table (for example. security table S 11. Thereafter, Figure 6C shows the procedure for establishing a time limited commum canon contract witn each of the operator stations identified in the security table as having write cammand ability. Finally, Figures 6D-6E combine to illustrate the procedure for validating a wine commano message sent from an operator station (for t0 example, operatorstaaon 72).
Turning virst to Figure 6A, block 200 indicates that the front eno computer "FEC"
sends a broadcast message over the computer network 20 to re4uest that the security server 68 identify itself to this front end computer. This message preferably utilizes the Ethernet protocol for security n-~essaaes. The content of this broadcast network message is generally shown in block 202. Ir tnis regard. the network message includes a destination address "FF-FF-FF- FF-FF-FF" which will cause the message to oe sent to every entity that is operatively coupled to the PAN-1 and PAN~~2 segments of the computer network 20. The network message also includes the source address of the front end computer. The network message also includes a type indication, namely "REQUEST SECURITY SERVER". In the data portion of the network 20 message, the CPU idernfication ~s gmen for the process control computer 12 to which the front end computer 18 is connected. Additionally, and importantly, the data portion of the network message also includes an unpredicabie key, such as a 32 bit random number. As discussed above, this random key is used to verify the identity of the security server 68.
Block 20.4 shows that the security server 68 will check all of the information in the 25 _broaocast networK me~ssaoe, sucn as the pnysicai E thernet address of the front end computer and the CPU ID of its process control computer t 2. Assuming mat this information corresponds to the information stored in the security server for this front eno computer, an acknowledgement message 206 will be sent bacx to the pnysical Ethernet adaress of the front end computer. In ordEer to enaole the front end computer to verify the identity of the security 30 server 68, the acicnowiedgement message 206 includes a transformation or the random key sent from the front end computer 18. As indicated above, this transformation ~s performed with an encryption algorithm which ~s uni4ue to messages from the security server 68.
Diamoncy 208 shows that the front end computer t 8 will wan a predetermined amount of time to reoeive the acKnowleaaement message. If the acicnowieogement message is 3S not received within tins umeout period, then the wont end computer will use the last security table stored in its memory or the default security taole ~f this ~s the first rime the front end computer 18 is being orouont into oaerauon Ib~ock 210). However, if the acicnowiedgement message 206 is received m time, tnen the wont end computer t 8 will check its random key J 93/25948 ~ PCT/US93/4_ _J8 against the transiormeo version of the key wnmn was contained m the acKnowieagement message (block 212). As mo~catea above, this comparison may oe accomonshed by either performing a transformation on the random key using the encryption algorithm for security messages or using a corresoonamg oecrvotion a~gontnm if the transformed key matches the S expected key number (~~iamond 214), then the front end computer 18 mll proceed to the procedure shown in Ficiure 68 far transferring a copy of the current security table from the security server 68 (block 216). Othermse, the wont end computer mll exit this portion of the boot up procedure and stop accumulating further network communication capability (block 218). In one form of the present invention, the front end computer 18 may oe permitted to conduct network communmanons at this point, but not process any write command messages recemed from an enmy on the computer network 20, until such time as a security table is successfully transferred to the front end computer.
Turning now to Figure 68, block 220 shows that the front end computer 18 starts the procedure for tranl;ferring a copy of the security table by sending a reduest message to the 5 speafic (logmal or phy!acal) E thernet address of the security server 68.
This onysical Ethernet address ~s the address I~~arned and stored through the boot up procedure discussed above in connection with Figures 6A. Block 222 indmates that this request message includes an identification of the CF~U ID for the process control computer being serviced by the front end computer 18. Additionally, the front end computer t8 will also inform the security server 68 as to wnether this CPU ID ~s for the Left process control computer 12a or the Right process control computer 12b through the Mode data (for example, ML for the Left process control computer).
Once the security server receives this request message, it will check the data contained in the message, and build a control message for the front end computer 18 (block 224) As shown in block 226, this control message will inform the front end computer 18 how ,S many bytes are contained m cite security table for the process control computer identified in the request message. The front end computer t 8 will respond with an acknowledgement message that will contain a new random key (blocks 228-230). The security server will then transmit the security table (for example, security table S 1 for the Left process control computer 12a) mth the transformed random key (blocks 232-234). The front end computer 18 will then determine if the transiormea key matches the expected key (diamond 236). if the keys do not match, then the front sand computer 18 mll use the ofd or existing security table stored in its memory (block 238). Othermse, the front end computer 18 mil store the new security table for use, and sena an acknowledgement message back to the security server (blocks 240-244).
While the front end computer 18 could also be provided with the editing capability to create its own security table, n its preferred that a separate network security server be employed in order tnat the front end computer oe aeaicated to the functions ~dennfied above.
Referring to Fiaure 6C, the procedure for establishing a vine i~mited communication contract is snown. The front end computer 18 begins by creating a new watch 93/25948 PCT/US93/0; ,8 oog key, winch is redresentea dv a 32 bit ransom numoer tbiocK 246). The front ena computer t 8 will then sena a watcr~-dog message m turn to the physical Etnernet aodress of each of the operator stauons (idennfied in the security table as namng write command message capability).
~n this regard, n snouia oe aooreoateo that these are momaua~ watch-dog messages which include a new watch-and Key for each message (block 2481. Each oderator stavon which receives such a watch-dog message mil resdond with a watch-dog reply message that includes a transformation of the vvatch-dog Key (blocks 250-252).
Since it is p~oss~ble that an operator station may not currently be in communication with the computer network 20, the front end computer i8 will preferablywait for a suitable timeout period for a reply, such as ten seconds (diamond 254).
If the operator station goes not reply to the watch-dog request message 248 within this umeout period, the front end computer 18 wall make aaamonai attempts to make contact (diamond 256 and block 258). If a reply is not received from this operator station after all of these attempts, then the front end computer 18 mil disable the write command ability of this particular operator station (block 260). However, i t shouia be aopreaated that this waste commano ability may subsequently be re-established, such as when an updated security taole is transferred to the front end computer 18. n tins rec~aro, n should be noted that the security server 68 may initiate the security tablE~ transfer procedure discussed above through a suitable network message to the front end computer 18.
In the even that the operator station ooes reply to the watch-dog request message, then the front end computer t 8 will determine whether the transformed watch-dog key contained in the reply message matches the expected key number (diamond 262). If a match is not found through this comparison (as discussed above), then the front end computer t 8 will ignore the reply rnessage (264). At this point, the front end computer t 8 could again attempt to establish a nine iimitea communication contract with this operator station or disable its write command abilities. In the event that a match was found, then the front end computer 18 will cony the previous, valid watch-dog key of this operator station from the current key position to the old key position (block 266). Then, the front end computer t 8 will save the transformed watch-dog key received in the reply message ~n the current key position.
30 As will be discussed below, the current and old keys are used to evaluate the validity of write command messages frorn the operator station during the penoo in which a time limited communication contrary is in force. m this regard, it should be understood that the procedure shown in Figure 6C is recreated for each of the operator stations with write command privileges before the time limited communication contract expires m order to maintain a continuous 35 ability of the operator sv:anons to nave their write command messages processed dy the front endcomouter i8.
Referring ;o Figures 6D-6E, these figures combine to ~Ilustrate the procedure for validating a write command message sent from an operator station (for example, operator O 93/25948 ~ ~ PCT/US93/6_.08 :~auon 72) to the front e~na computer t 8 This oroceaure oegins witn an operator station ~enamg a write commana message to the front ena computer t 8 (block 2681. T
his message oreferaoiy uunzes the st.anaaro Ethernet protocol for communication between the front end computer 18 sits _otner entities on the computer networK 20. in ~.nis regara, the write commana _ .message win mnuoe not only the variaoie(s) sought to changed, but also the watch-oog Key from the time nmned communmauon contract, the CPU identification of the recipient process control compuuer, and the program version ioentification of this process control computer t 2. The front ena cnmouter t8 mil then perform several checks on this write command message. ~or exam pie, the front ena computer t 8 will examine the security table to aetermine ~f it has an entry for tins partmuiar operator station (diamond 270). If this operator station was not founa m the security table, then the front end computer will return the write command message to the operator station aria create a stores log of this error (blocK 272).
Assuming that the operator station was identified in the security table, then the front eno computer wnl check. rite security table to determine if the wine command bit was set 'or this operator station (a~amond 274) At this point, ~t snouid be understooa that the security (sole contains not only the Ethernet aadress of every valid entity on the computer network 20 who can communicate with the front ena computer, but also an indication of wnetner these entities have wine command prm~eges. T he security table may contain additional information pertaining to each of these ennt~es, such as a CPU identification and whether or not these 20 entities may request specific types of information from the process control Computer, such as alarm messages. If the securixy gable noes not nave the bit set to indicate write command privileges, then the front end computer will return the write command message to the operator station (or otter source entity), and log this error (block 276).
In the event that the operator station noes nave wine commana privileges, then the front ena computer mll aetermine wnetner or not the watch- aog key (containea in the write commana messa~~e) matches either the current or oia watch-dog keys (diamond 278). If a match is not found, thE~n the front end computer will rewrn an invalid watch-dog message to the operator station (block 280). If a match was found, then the front ena computer will preferably checK to seEa if the program version identification contained in the write command 3C message matches the program version identification stored in the front end computer for the recipient process control computer t 2 (diamond 282). If these program version identifications ao not match, then thE~ front eno computer will return an invand program version message to the operator station (riiock 284).
The front end comauter t8 will also cnecK to see if the write commana message :: contains an indication that the permissive tame for the recipient process control computer J J
mould be bypassed (d among 2.86). The ability to bypass the oerm~ssme table may oe considereo a special Anvilege vrnmn snouid reauire the use of a password or pnysoa~ Key which ~s assigned to the operator with tins orivnege. If the bypass bit was set in the write command ;;.

'O 93/25948 PCT/US93/~_.08 ~ ~4 6 4 ~~essage, tnen the wont ena computer wnl sail oreteraoiy checK the oermissme table (for example, perm~ssme taole 80ai to aetermme ~T a oypass ~s oermitteo for the specific permissive taoie or table section that would otherwise tie addressed (diamond 288). If a bypass of this permissive tame ~s not permuted, then the front eno computer mll return a message to the operator station to mdic:ate that no waste access ~s available m this way (block 29.01. If a bypass of the permissive table ~s permitted. then the front end computer w,ll transmit the write command message to the recipient process control computer with a transformed version of the program version identification stored in the permissive table of the front end computer (block 292). The reap~ent pro~:ess control computer 12 may then determine whether this transformed program version idenniicanon matches the program version idenvfication of its operating program before deciding to change the variables) listed in the write command message.
In the event that the write command message does not have the bypass bit set, then the front eno computer ' 8 will examine the perm~ssme table to determine if the the variabfe(s) to be changed have their waste command bit set (diamond 294). If the waste ~ command bit is not set for any one of these vananies, then the front eno computer will return a no write access message to the operator stauon (block 296). Othermse, if the front end computer determines that the waste commano message is acceptable, then ~t will transmit the message to the recipient process control computer as discussed above (block 292).
Referring to Figures 7, a block diagram of the applicavon software 300 for the front end computer 18 is shown in this regard, Figure 7 shows the interaction of the application software with the Q-bus 302 of the front end computer 18 and mth the Ethernet services 304 for the computer network 20. Thus, for example, a bi-directional line is provided between the Q-bus 30~: ono the IFQ dnver 308. The IFQ driver 308 represents the device driver software for controlling the communicating mth the CPU of the front end computer 18. The 2S FQ drmer 308 is couoierd to the "MI Sync" subsystem 310 througn a aata store event 312. In this regard, the MI Sync su~~system recemes notification of DMA compienons from the IFQ driver 308, such as when the'.iDSS data from one of the process control computers 12a-12b has been completely recemed in the aopropnate Interim buffer (for example, Intenm buffer 46a or 48b).
The reflective memornas 46a-56a from Figure 1 are shown in Figure 7 as reffecvve memories 314. Figure 7 also ~tlustrates that the reflective memories 314 are operatively coupled to the Q-bus 302 of the front ero computer 18.
The MI S~~nc subsystem 310 represents that portion of the application software 300 which is responsible for synchronizing the incoming SDSS and DSS data frames from each of the process control computers 12a-12b througn the operation of the reflective memories 314, as a~scussed above. The MI Sync suosystem also notnes the "MI MOD Health"
module 316 and "System Messages" mpdule 318 when a data name ~s available for processing.
Additionally, -tie MI Sync subsystem 310 ~s also used to detect wnetner or not reflective memory updates are not occurring, such as when one of the process control computers tips stopped sending data to .32_ O 93/25948 PCT/US93/~.. .08 _~e front ena computer ~ 8. This oroceaure ~s ~moiemented mrougn the "MOD
Status ' module 320 aria the "MI Watchaog moauie 322. The MI Watchdog module 322 uses a two-5econa umer to detect if the frcmt eno computer 18 has stopped receiving data from either of the process control comounars t 2a-t 2b.
The MI M()D Heanh moaule 316 processes hearth bit changes m the data being recemed by the front eno computer t 8 from the process control computers 12a-12b. In this regard, the MI MOD Heaitn modme 3 t 6 sends these changes to the "EVT Event Handler"
module 324. Similarly, the MI System Messages module 318 processes incoming system messages from the process control computers, and it queues any requests to the EVT Event Hanaler module 324. Tne EVT Event Handler module 324 processes event buffers, formats text for putout to the Print ~iervrces moaule 326, and records errors and other events in an event log.
The refiecnve memories 314 are coupled to the "MI CISS Memory Read" module 328. which performs read operations on the reflertrve memories. In this regard, the MI C155 5 Memory Reaa moaule :328 formats query responses into the standard Ethernet protocol for transferring dataimess~~ges, and directs the response to the reauestrng network entity via port 330. The "NI CISS" module 332 recemes incoming query requests from a network entity using the standard protocol for transferring data/messages. The NI CISS module 332 performs an ~nnial security check on the message, and routes the request to the appropriate process as determined by the message type. For example, the NI CISS module 332 mll route a read data message to the MI CISS Memory Read module 328. Additionally, the NI CISS
module 332 will route program downicad requests to the "MI Download Handler" module 334. Other request messages wnl be routed to the "' MI Message Services" module 334.
The aooiicanon software 300 also includes modules which facilitate S communma2on wnn a User Interface. In this regard, the User Interlace ~s used to provide a window into the operation or the front end computer 18, as opposed to an interface to one of the process control cornputers t 2a-t 2b. The User Interface software may be accessed "locally"
through a terminal connected directly to the front end computer 18. The User Interface software may also be accessed "remotely" through an appiicauon that could be run from the security server 68. The User Interface ~s used to disable or re-enaoie network communications for a Specific protocol, perform o~agnostm functions, re-boot the front end Computer 18, monnor reflectme me~~nory updates, monitor network acnvny, and otherwise manage access to privileged front end computer functions.
The application software modules that handle User Interface requests are the "NI
Remote User" moaule 338. the "UI vocal" mooule 340 and the "UI Servmes ' module 342. The NI Remote User moaule 338 recemes ail messages having the protocol for User interface communmations, and it forwaros vald requests to the UI Services module 342.
The UI Services moaule 342 ~romdes ~s data server for loth local and remote user requests. The UI Local ~O 93/25948 PCT/US93/. _08 ~ '~,~ 6 4 ~~ooule 340 hanaies the local user interface a~saiay screens m order to display responses on the ocal term~nai.
The apomauon software 300 also includes an 'NI Transmn Done" module 344, wn~cn recemes nonficat:on of Ethernet-wrne comp~e2ons ono maintains a tree gueue of networic .interface transmn message puffers. Addnionatly, an "EVT File Maint"
module 346 is used to delete aged event log °iiers. Furthermore, an "NI Watchdog"
module 348 and an "NI
SCSP" module 350 to ~mptement the watchdog security process g~scussed above.
In this regard, the NI Watchdog module 348 sends watchdog reouest messages to the operator stations, and the NI SCSP module 350 processes the reply messages (as well as all other network messages using the security protocoll. The NI Watchdog module 348 also checks to see ~f reply messages were received to each of the watchdog request messages.
Other than watchdog reply messages, the NI SCSP module 350 forwards all other security protocol messa~~es to then "CFG Config Manager" module 352. The CFG
Config Manager module 352 processes the security requests and performs the meal locoing of the 5 permissive tables 80a-82a. The CFG Config Manager module 352 also performs the loading of a memory map to be discussed oeiow m connection with Figure 8. The appimation Software 300 also includes a "MIF Master Process" module 354, whmn performs the basic initialization routines to create all of the other front end computer processes. The MIF
Master Process module 354 is also used to detect an unexpected termination of any of these processes.
Referring to Figure 8, a diagrammatic illustration of the configuration for the front end computer 18u is shown. Specifically, Figure 8 illustrates that the CFG Config Manager module 352 interacts with the security server 68 and the download assistant 78 to obtain the information necessary to configure the front end computer 18a on boot up. In this regard, the CFG Config Manager module 35:2 is responsme to requests from the MIF Master Process module 354 to perform these configuration ac2vmes. in other words, the CFG Config Manager module 352 will locate the securny server 68 through the broadcast networK message (as described above) and load the se~:urny table 51 which is uinmately received from the security server.
Additionally, the CFG C.onfig Manager module 352 mll also load both of the permissive tables 80a-82a from the download assistant 78. The CFG Config Manager module 352 also receives a memory map for each of the process control computers 12a-12b, such as the memory moo 356 shown in Figure 8. The memory moos are used to enaoie the front end computer 18a to build the transfer tables (for example, transfer table 37) and interpret the data recemed m each of the reflectwe memory buffers 314. In other woras, each of the memory maps identify the data which ~s stored m each aaaressaoie location of the aual-ported data memory 22 for each of the process control computers 12a-'12b. As part of this process, the memory moo dimdes the dual-oorted data memory 22 of the process control computer 12 into iogmal segments.
The first set or segments are used >:~r SDSS data values, wmle the DSS data values include the SDSS memory segments, as well as acidnionai segments.

JO 93/25948 ~ PCT/US93~ _ 108 As o~scusseo move, the MI Svnc supsvstem 310 ~s responsible for grouping the ~"JIA completion events reiauve to the transrer or SDSS and DSS data for porn process control computers 12a-12b mtc> a conesive pair of data tables tnat represent data for a given process control cvoe snap-snot. =or purposes of this aiscussion tnese DMA completion events will be referred to as the Left SDSS buffer, the Rignt SDSS buffer, the Left DSS
buffer an.o the Right DSS
buffer. The exact order in wnich these data buffers are received may vary, but the SDSS buffers .vn preceoe the 055 b~ ffers.
The MI Svnc subsystem 310 is responsive to the apove identified DMA events. In tnis regard, the MI Sync: supsystem 310 will wan for the completion of a DMA
event, and then cneck the status to aeterrmine the type of buffer received. If the buffer received is an SDSS
buffer and the front end computer 18 has alreaoy received a corresponding DSS
buffer, then f~na1 completion oroce~ssmg mil be performed. Likewise, ~f the buffer for this type has already peen received, final corn pretion processing will be performed. If the buffer received is not the first buffer, then the MI Sync supsystem 310 will check the nine aifference between the current S t'me ono the ume at wimcn the fast buffer was receiveo. If this difference exceeas a preaetermined tolerance, sucn as 0.7 seconds, then the steps for final completion processing will be performed. If this is the first buffer (for example, the Left SDSS
buffer), then the nine that this buffer was received will be recoraed. If this buffer was not expected at this point, then iu status will be ci~anged to expected. The pointer to this buffer will also be recorded, 20 and the buffer will be rnarked a~s received The MI Sync subsystem 310 will also check to see if all expected buffers have been received (for example, the LeftlRight SDSS and Left/Right DSS buffers). If all the expected buffers have been received, then final completion processing will be performed. Dunng final completion processing, the buffer pointers for the received buffers mll be copied to a system ,S aata strutture which will allow ~otner appmauons to access tnis aata. This procedure is protected by a mutual exclusion semaphore, wnich ~s referreo to as the "murex". Additionally, the error counters ml I be zeroed for all received buffers. If any expected buffers were not received, the associate~b error counters will be incremented. If the error counters exceed the allowed threshold, then the affected buffers will be marked as not expected.
Then ail buffers 30 will be marked as not received in order to set up the processing for the next set of buffers.
Applications that access the memory buffers receiveo may then copy the buffer pointers out of the shared system data structure for use.
In order to more fully ~Ilustrate the operation of the MI Sync suosystem 310, a mooule synopsis and the pseudo-code for tins software will be presented below.
Additionally, sS the aata structures for the reYiective memory buffers 314 will also tie set forth as well to assist the interpretation of the pseuoo-code. The oata structures are contained m Tables 1-3, the rlooule synopsis is containeo m Table a, and the pseuao-code fonows immed~ateiy tnereafter.
_35_ 'O 93/25948 PCT/US93/~._ ..08 ~4 ~ 4 'ABLE ' . Reflective Memory Data Structures Data Item Data Format Descr,otlon Data Structure BATA
MI R;V

- -RM MUTEX Murex Murex used to protect th,s data structure RM STATUS ~Nora inoicates current reflective memory status L~F~ SDSS PTR Pointer Pointer to current left SDSS reflective memory buffer RIGHT SDSS-PTR ~Pornteraomter to current r,ght SDSS reflective memory buffer ;.=FT DSS PTR Po,nter Po,nter to current left DSS refiecvve memory buffer - -RIGHT-DSS-PTR Po,nter Pointer to current r,ght DSS refiect,ve memory buffer FOX_DSS-PTR ~omter Pointer to current fox DSS reflective memory buffer DOG-DSS-PTR Pointer Pointer to current dog DSS reflective memory buffer FOX_MAP-PTR Pointer Pointer to current memory map (left or right) for the current fox butter DOG-MAP-PTR Po,nter Pointer to current memory map (left or tight) for the current dog buffer FOX SIDE Longword Indicates the channel that is the fox. 0 = left,1 = right, -1 = undefined.
DOG SIDE ! ongword indicates the channel that is the dog. 0 = left, t = right, --1 = undefined.
LIFT INFO BYTE Byte Info byte for outbound C155 requests satisfied from the left buffer. Includes fox/dog status.
RIGHT_INFO_BYTE Byte Info byte for outbound CISS requests satisfied from the r,gnt buffer Indudes fox/dog star =OX INFO BYTE Byte info byte for outrJOUnd CISS reauests satisfied from the fox buffer. includes left/right status.
DOG_INFO- BYTE Byte Info byte for outbound CISS requests satisfied from the dog buffer. Includes leftlnght status.

TABLE 2: Reflective Memory Data Structures Data Item Data Format Descnot,on Data Structure MI R!1ABMSf0.1 - Structure Array NOTE: The Reflective Memory Buffer Management Structure (MI RMBMS) array consists or four MI RMB STATUS TYPE (define oe,ow data strucauresl. Each RMBMS entry,s uses to keep tracK of a soeafic -~6-J 93/25948 PCT/US93/6_ J8 '~ 4 ~ ~
-efiecnve memory type (lervngnt SDSS ano DSSI. Symooiic indices are ae>:inea to access tnis array: MI RM L SDSS, MI RM R SDSS, MI RM L DSS, ano MI RM D DSS-LAST_RECEIVED Time Soeofies the rime of receipt of the last buffer for this type.
DMA EVENT Object Contains the VAXELN object ID for the event signaled ~ar~able oy IFQ Driver when a DMA completion for this type of memory buffer completes.
ENABLE EVENT Object Contains the VAXELN object ID for the event signaled Var~abte by tailing MI ENABLE STROBES to tell MI Sync that strobes nave been enabled.

DISABLE EVENT Object Contains the VAXELN object ID for the eventsignaled by Variable IFQ Driver when a DMA completions for this type of memory by calling MI DISABLE STROBES to tell MI
Sync that strobes have been disabled-PEND BUFF PTR Pointer Contains a pointer to the DMA buffer received for this memory type in the current time window. Reset to null by MI Sync upon copying pointers to MI RM DATA.
RMB STS ~ongworo Longword bn masks indicating the status of this reflective memory buffer. The individual bit fields are listed below.
RMB STS V Bit Bit in RMB STS that indicated that EXPECTED the assoc~ateo strobe for this reflective memory type is enabled, thus indicating that DMA
compfetions are expected.
3~ RMB_STS_V- Bn Bit m RMB_STS used by MI Sync RECEIVED to mdmate that a DMA completion ~or this reflective memory type-has occurred in the current DMA time O 93/25948 PCT/US93/4. JS
vmnoow. Cieareo wnenever a comoiete set or buffers nas been recewed, and then set for each mdmdual buffer tvoe as n is recemed.
RMB STS V Bit MI Sync to md~cate that a DMA
DSS BUFF comoletionforthisrefiettive memory type has occurred in the current DMA time window.
Cleared whenever a complete set of buffers has been received, and then set for each individual buffer type as n ~s received.
~ 5 Indicates ~f the reflecnve buffer type in question is either for the left or right DSS reflective memory buffer.
RMB STS V Bit Indicates ~f the associated strobe 20 ENABIE~ is enabled.
CONS ERR COUNT Longword Specifies the number of consecutive receive failures for this buffer type.
DMA ERR COUNT Longword Specifies the number of consecutive DMA completion failures for this buffer type.
ADSB Structure Specifies the Asynchronous Data Status Block used by the drive to indicated DMA compievon status. This structure is of the IFQ~ ADSB type and includes a s:atus field ana a buffer number field.
BUFFER PTR Pointer The BUFFER PTR array the addresses of uo to eight Array(8] DMA buffers used for this reflecnve memory type, in the order the buffers wnere s~ec~fied m the IFQS ENABLE DSS or SDSS call. This array ~s subscnpted by the buffer number field returned in the p O 93/25948 ~ PCT/US93/1._..08 ADSB to retrieve the base aooress of the DMA buffer ust received. This a~mens~on or this array allows for the maximum numoer of DMA buffers supported by the 'FQ driver, 3UFF HIST IDX Longwora Index to the BUFF HIST PTR array. Indicates the most recently updates buffer.
3UFF HIST PTR Pointer Circular buffer of most recently received buffers. DMA
0 Array(8] indicates the buffers recemed in the last eight seconds.
BUFF HIST IDX points to the most recent entry.
MOD TASK Longword Indicates the PCC task state as indicated by the most recent reflective memory update. Valid only if RMB STS V DSS BUFF is set.
ZO TASLE 3: Reflective Memorv Data Structures Data Item Data Format Description Data Structure MI RNI AUX
LAST DSS L PTR Pointer Pointer to most recent left DSS buffer. Set by MI Sync and used by MI Health Check and MI System Messages.
LAST DSS R PTR Pointer Pointer to most recent right DSS buffer. Set by MI Sync and used by MI Health Check and MI System Messages.
',ND FLAG Longworo Flag used by MI Sync and MI Watchdog to check for MI
Sync activity.
DMA BUFFER Longword Specifies the number of DMA buffers currently in use.
COUNT Copied from MIF MP.NUM DMA BUFFERS on startup.
TIME CHANGE Event Set when a ume change occurs. Tells MI Synctore-Obiect determ,ne the rime of the first DMA receipt.

J 93/Z5948 PCT/US93/0__.18 SYSMSG L SEMA Semaonore Set by MI Sync to rugger MI System Messages to Object process left refiecvve memory.
- SYSMGR R SEMA Semaonore Set by MI Sync to trigger MI System Messages to Oblect process right reflective memory.
HEALTH L SEMA Semaphore Set by MI Sync to rugger MI Health Check to process Object process left reflective memory.
HEALTH R SEMA Semaphore Set by MI Sync to trigger MI Health Check to process Object right reflective memory.
TABLE 4~ Reflective Memory Data Structures Data Item Data Format Description Module Synopsis for MI SYNC MAIN
ABSTRACT Synchrornzes receipt of in-incoming DMA buffers MODULE TYPE Process mainline EVENTSI MI RMBMS(*). The four (IeftJright DSS/SDSS) completion SEMAPHORES EVENT events signaled by the IFQ DMA_Driver process on 2S receipt of a new reflective memory buffer. Indices to the MI RMBMS array are MI RM L DSS, MI RM R DSS, MI RM L SDSS and MI RM R SDSS.
MI 'RMBMS(*). The four (left/right DSS/SDSS) DMA enable ENABLE events. These are signaled by MI ENABLE
EVENT STROBES to noufy MI Sync of changes in the receipt of SDSS and DSS DMA updates.
MI RMBMS(*). The four (leftlright DSSISDSS1 DMA disable DISABLE events. These are s~gnaied by MI DISABLE
-a0-O 93/25948 PCT/US93/~ _08 ~ ~~ s 4 cVEN T STROBES to nonfy MI Sync of changes m tt,e receipt of SDSS and DSS DMA
uoaates.
c MI RM AUX Signaled to tell MI MOD Health to process left HEALTH ! nealth bits.
SEMA
PJ11 RM AUX Signalea to tell MI MOD Health to process HEALTH R right health bits.
SEMA
MI TM AUX Signaled to tell MI System Messages to process SYSMSG L left system messages.
s S SEMA
MI TM AUX Signaled to tell MI MOD Health to process SYSMSG R right system messages.
SEMA

OTHER INPUTS MI RMBMS(''). Asyncronous Data Status Blocks for each of the ADSB four DMA completion events.

DSS data buffer Accessed at offset MI TASK STATE
L or MI TASK STATE R to aetermme FOX/DOG

status.

OTHER OUTPUTS MI_.RM_DATA Structure containing current reflective memory pointers.

MI RM AUX. Set to i to mdmate receipt of data.

WD FLAG

CALLED KER'.SWAIT ANY

ROUTINES

KER'.SCLEAR EVENT

CONDITION MIF NORMAL

J 93/25948 PCT/US93/4_ ~8 ~ ~4 6 4 CODES MIF ~FQ cRROR
MIF APP ERROR
MI SYNC MAIN Pseudo-code PROGRAM MI SYNC MAIN
0 waiting for-first-DMA = true REPEAT
/* Issue the ~Nan any 'for the four DMA completion events, the an enabre or disable of strobes. or time changes: 'I
CALL KERSWAII' ANY ~nntn MI RMBMS(0].DMA EVENT, MI RMBMS[1].DMA EVENT, MI RM3M5(2].DMA EVENT, MI RMBSM(3].DMA EVENT, MI_ RMBSM(0].ENABLE-EVENT, MI RMBMS(1].ENABLE EVENT, MI RMBMS(2].ENABLE EVENT, MI RMBMS[3].ENABLE EVENT, MI RMBMS(0].DISENABLE EVENT, "r'~ -RMBMS( 1 ].DISENABLE-EVENT, MI RMBMS(2].DISENABLE EVENT, MI RMBMS(3].DISENABLE EVENT, MI RM AUX.TIME CHANGE, and wait result RMBMSydx = (wait,_result - t ) MOD 4 case lax - wam result DIV 4 CASE (case idx]

(0] Caill Com~ienon DMA

( t J Call _Enabie DMA_ (2] Call Disable DMA

(3] C<311 Change Time ENDCAS~

.:2-~ 93/25948 ~ PCT/US93/~, ,08 REPEAT for ~ = 0 to 3 soil waning = Mi-R.MBMS(i).RMB-STS V-EXPECTED ~s set and RMB STS '/ RECEIVED is gear UNTIL (still waiting or final neranon) IF 'still waiting THEN
We have a~ complete set of buffers;
Check MC D TASK values fir valid combination CALL uod~ate pointer (MIF NORMAL) waiting for f°rst DMA = true .5 ENDIF
UNTIL MIF shutoown required EXIT
SUBROUTINE DMA Completion CALL KERSCLEAR EVENT MI RMBMS(RMBMS idx].DMA EVENT
MI RM AUX.WD FLAG = i current ume := Current system ume IF waiting for first DMA
first dma time = current vine waiting for First DMA = false ELSE
If currem: time-first dma time>MI Sync TOLERANCE
Lag Error "Out of sync-- Did not receive reqmred DMA"
Check for excessme failures FURi = ()to3 IF MI-RMBMS(i].RMS STS V EXPECTED ~s set and RMB STS V RECEIVED is gear MI RMBMS(i].PEND BUFF PTR = null _~3_ J 93/25948 ~ PCT/US93/0_ .18 ~_oa error ' Failea to receme DMA for (DMA typej"
.'VII RMBMS(iJ.RMB CONS Er~RORS =
RMB CONS ERRORS t 1 IF MI RMBMS(ij.RMB CONS ERRORS > toierancethen Log Error "No longer expecting (DMA typeJ--too many consecutive failures"
(broadcast error message) Clear MI RMBMS(iJ.RMB STS.V EXPECTED
END IF
ENCIF
ENDFOR
Update pointers wnn ava~labie data:
S CALL upaate-oomters (MIF-NO_SYNC) first dma ume =: current time /* Fall through to use this buffer as the first buffer in the next 5et... ';
ENDIF
ENDIF
If buffer type is SDSS and DSS and corresponding DSS received, then CALL update pointers ENDIF

WITH MI RMB~/IS(RMB1~15 ~dx) If *.RMB STS V RECEIVED is set Lod Error ("(Jut of Sync-- DMA collision") CA_L update-pointers (MIF-DMA COLL) first dine time= currenttime /* fall through to use this buffer as the first it the next set... */
ENDIF
IF *.RMB STS V EXPECTED is not Set Loy Error (" Unexpected DMA completion") ENDIF
-::4-O 93/25948 PCT/US93/L_..08 ~ ~~ ~ 4 .f * RMB STS '~ DISABLED ~s set Loci Error ("Recewed comolete for disabled strobe") Return ENDIF
Check DMA corn oleuon status ~ n ADSB
I F error * CONS ERR COUNT = *.CONS ERR COUNT + t IF *.CONS-ERR COUNT < S Then Loy Error ("DMA failure on channel") ELSE
!F ".CONS ERR COUNT MOD 300 = 1 Log Error ("DMA still failing") ~ 5 ENDIF
ENDIF
ELSE
*.CONS ERR COUNT = 0 ENDIF
rm buffer ptr = *.BUFFER PTR(*.ADSB.buffer number- 1J
*.RECEIVED DATE TIME = current time *.PEND BUFF PTR = rm buffer otr *.RMB STS ~' EXPECTED = true Set *.RMB ST~~ V RECEIVED
IF *.RMB-STS__V-DSS-BUFF is set get moa state using rm buffer ptr offset by '. RM TASK OFFSET
'.MOD TASK - moo state IF RMBMS-ID)C = MI RM L OSS
MI RM AUX.LE~T RM PTR = rm buffer otr Signal MI_RM-AUX.HEALTH_L -EVENT
Signal N'1 RM ,4UX.SYSMSG L EVENT
ELSE
MI RM AUX.RIGHT RM PTR = rm buffer otr -a S-93/25948 ~ PCT/US93/05:
S~gnai MI ~.M AUX.HEALTH R 5',IENT
S~anal MI RM ,4UX.SYSMSG R EVENT
ENDIF
ENOIF
ENDWITH
RETU RN
END SUBROUTINI=
SUBROUTINE DMA ENABLE
.5 Clear MI RMBMS(RMBMS pox].DMA ENABLE (KERSCLEAR EVENT) MI RMB~AS (RMBMS ~dxj.RMB STS V DISABLED = false MI RMBS~M (RMBMS idx].RMB STS V EXPECTED = true RETU RN
END SUBROUTINE
SUBROUTINE DMA DISABLE
Clear MI RMBMS (RMBMS ~dx).DMA DISABLE (KERSCLEAR EVENT) MI RMBIVIS (RMBMS idxj.RMB STS V DISABLE = true MI RMBIVIS (RMBMS ~dx].RMB STS V EXPECTED = false MI RMBIVIS [RMBIV15 ~dx).PEND BUFF PTR = Null RETU RN
END SUBROUTINE
.................
SUBROUTINE TIP~1E CHANGE
a6-93/25948 PCT/US93/0~ ~8 ~.LL KEF;SCLEAR EVENT mtn MI ?m AUX.T1ME CHANGE
:urrent t.me = Currentsvstem2me -first ama time = current time RETU RN
END SUBROUTINE
0 SUBROUTINE uooate pointers (state) Lock MI RM GLOBAL'.i mutex MI RM DAT~a.RM TATUS = state S

Copy the LEFT/~iICE
SDSSIDSS
pointers:

MI RM OAT,A.LEFTSDSS PTR =

MI RM13MS SDSS L IDX).PEND BUFF
(MI PTR

MI RM DAT,A.RIGHTSDSS PTR =

z0 MI RM'3MS SDSS R IDX).PEND BUFF
(MI PTR

MI RM DAT,A.LEFTDSS PTR =

MI RMBMS DSS L IDX).PEND BUFF
(MI PTR

MI RM DAT.A.RIGHTDSS PTR =

MI-RMBIVIS DSS R IDX).PEND BUFF
(MI PTR

Clear FOX/DOC~
pointers,:

MI RM DATA. FOX DSS PTR = null MI RM DATA.DOG D5S PTR = null MI RM DATA.FOX MAP PTR = null MI RM DATA.DOG MAP PTR = null Mark the info byte as "not prime' unvl proven otherwise:

Clear MI RM DATA.A;IGHT INFO-BYTE prime bit I* BitO'/

Clear MI RM DATA. LEFT INFO-BYTE prime bit Set Fox sl oe and doa sne to "unKnown" (1):

MI RM DATA. FOX SIDE = -1 MI RM DATA.DOG SIDE = -1 .:;_ 1 93/25948 PGT/US93/05_ ..
Determine new FOX/DOG inform au ow IF MI RMBMS (MI-DSS-L-IDX).MOD STATUS = fox status or eagle status MI RM DATA.FOX JSS PTR =
MI RMBMS (MI DSS L IDX).PEND BUFF PTR
MI RM DATA. FOX MAP PTR = Addr (MEMORY MAP L TABLE) Set MI RM I)ATA.FO;X INFO BYTE left/right bit /* bit 0 */
Set MI RM DATA.LEFT INFO BYTE pnme bit /* bit 2 */
C MI RM DAT'A.FOX SIDE = 0 /* Left */
IF MI RMBM~i (MI DSS R IDX).MOD STATUS = dog status or "task B"
Ml RM DATA.DOG DSS PTR =

MI RMBMS DSS R IDX). PEND BUFF PTR
(MI

, ~ MI RM ~ATA.COG MAP PTR = Addr (MEMORY MAP L TABLE) Ciear MI RM DATA. DOG INFO BYTE leftlright bit MI RM DATA.DOG SIDE = 1 I' Right *!
ENDIF
ZO ELSE
IF MI RMBM'.i (MI DSS R IDX).MOD STATUS = fox status or eagle status MI RM DATA. FOX DSS PTR =
MI RMBMS(MI DSS R IDX).PEND BUFF PTR
MI RM DATA.FOX MAP PTR = Addr (MEMORY MAP R TABLE) Clear MI RM DATA. FOX INFO BYTE leftlnght bit Set MI I~M DA1'A.RIGHT INFO BYTE pnme bit MI RM DATA.FOX SIDE = t /* Right *I
30 IF RMBMS (MI DSS L IDX).MOD STATUS = dog status or "task B"
MI RM DATA. DOG DSS PTR =
MI RMBMS (MI DSS L IDX).PEND BUFF PTR
MI RM DATA. DOG MAP PTR = Addr (MEMORY MAP '_ TABLE) Set MI RM DATA. DOG INFO-BYTE left/r~ant bn .VII RM DATA. DOG SIDE = 0 /* Left *!
ENDIF
.:8-93/25948 PCT/US93/0_ ~8 1 ~4 ~ 4 ~~~nIF
~NDIF
Release NII RM C~OBALS mutex Clear context:
FOR ~ = 0 to 3 MI RMBMS (i).PEND BUFF-PTR = null Cie~ar MI RMBMS (i) RMB STS V RECEIVED
ENDFOR
END SUBROUTINE
END PROGRAM
Referring to Figure 9, a d,agrammatic illustration is shown of the relationship between the reffecnve memory puffers ~I 1 a m the front ena computer 18a, the transfer map 37 in the IFS
circu,t 28 and the dua,-oortea aata memory 22 ,n the process control computers 12a-12b. For purposes of illustrat,on, the aata memory 22 is snown to mciuoe only two segments. The transfer map 37 indicates that data memory addresses 2000 to 2002 (hex) m the first segment, and data memory addresses 4t 00 to 4 i 05 (hex)in the second segment are to be transferred to the reflective memory buffer 46a. More speafically, it should be ooserved that the transfer map 37 creates a bloc f; or contiguous data elements from memory iocauons,n the data memory 22 wnich are not necessan,y cont,guaus.
Referring to F,gure 10, a block diagram of the IFS urcun 28 is shown. In this block diagram, the,ndiviouai transmitters and recemers ffor example, transmitter 38a and receiver 40a) are shown m a single olocK 400 wh,ch also includes the AT&T ODL200 serves fight converters. The IFS orcmt 28 also , nuudes control blocks 402-404 wnmn govern the transfer of data/adaress signals t~ ana from the transmnterirece,ver block 400. In this regard, the IFS
circuit 28 inciuaes ootn an aaaress puffer 406 ana a aata buffer 408 to fac,litate these signal transfers. An address latch 41 Cl is also provided for send,ng a data memory address to the _~g.

93/25948 ~ ~ PCT/US93/OS_ s ~teaith port. Simnarly, ~3 transceiver 412 ~s oromoea to enable the IFS
circuit 28 to send or retsina data information ma the aata pus or the steaitn interface circuit 16.
The IFS circuit 28. also ~ncnudes a stealth timing ano control orcmt 414. The stealth timing and control circuit 414 mcmaes one or more Programmaoie Array ~ogm orcuns to ~mpiement a state machine for processing specific s~gnais to or from the stealth ynterface circuit ~ 6. For example, when the SDSS signal is retained, it promdes an indication to the the IFS circuit 28 that a valid mndow exists for reaping from the data memory 22. Assuming that the arpitration circuit on the stealth interlace circuit 16 also grants access to the data memory 22, then the stealth timing and control orcun 414 mil appropriately set the control status register 0 416. The data out control orcmt: 404 will respond by causing a DMA counter circuit 418 to start counting down to zero from a pre-set value. The DMA counter 418 will decrement with each aata word read from the data memory 22. The DMA counter 418 in turn controls a DMA word count arcuit 420 whict~ generates an address in the transfer map 37. In other words, the DMA
word count orcuit 420 points to an address in the transfer map 37, which in turn points to an aadress in the data memory 22. Through this form of indirection, the IFS
circuit 28 mil read each of the locations of the data memory 22 that are speafied in the transfer map 37 for the particular mndow per~mtted by the process control computer 12 through the stealth interface circuit 16.
Referring to Figure t 1, a block diagram of the IFQ circuit 30 is shown. The IFQ circuit 30 20 includes the Intel 80186 microprocessor, as discussed above, and the program for this microprocessor is stored in EPRQM 420. Additionally, an address latch 422 is coupled to the address bus 424 of the microprocessor 42. Similarly, a data buffer 426 is connected to the data bus 428 of the microprocessor 42. A 64Kb RAM circuit 430 is also coupled to both the address bus 424 and the data bus 428. The RAM circuit 430 is used to store system data. such as one or 2S more stacks and other operational data structures for the microprocessor 42.
The IFQ orcun :30 also includes a fiber interface "daughter" board 432, which contains the orcmts directly responsible for transmitting and receiving signals over the fiber optic cables 32. In this regard, blo<:k 434 inc:luaes the two channels of light converters and retainer circuits, and block 436 includes the two channels of light converters and transmitter/recemer urcuns, as 30 discussed above. With the Gazelle renal transm~tter/recemer pairs, each of the fiber optic links to the IFS circuits 28a-28b ~s capable or transmm~ng 2.5 million, 40 bit frames per second. Block 44 represents the two 128Kb data buffers used for initially storing SDSS and DSS data which is asynchronously retained from the process control computers t 2a-12b, as discussed in connettion with Figure 1 . These "link" data buffers are preferably implemented using two 3S independent memories m a dual-port configuration, one for each fiber optic cnannei, in order to Aromas real-time uninterrupted gathering or process data and messages from the IFS
c~rcuns. The block 43ti represents the promsion of at least one word register (for each fiber .
-~0-i 93/25948 PCT/US93/0~_.~8 pout cnannei) urea to noid ser~ai data to oe transmntea to one or the process control computers t2a-12b.
The block 440 represent the logic orcm is for controifing the storing of information into .~e data buffers 44 and the worn register 438. The logo circuits 440 mdudes one or more Programmable Array I_ogm 1"P~aL") orcuns for ~mplemennng a state machine for handling these aata write ooerjtions. nor example, wnen a forty bit data frame is received from one of the process control computers t 2a-t 2b, the logic orcmts 440 will decode the address and control bit in order to steer the data bits to the appropriate memory location in the data buffers 44. The fiber interface aaugnter board 432 also includes an interrupt urcurt block 442 t 0 whmh contains the m:errupt lo~g~c for helping the microprocessor 42 understand the state of the data write actmues. In thus regard, at least two separate interrupt fines are used to interconnect the interrupt arcuit block 442 with the mmroprocessor 42 (one per fiber optic cnannel). Both the IFS circuit 28 and the fiber interface daughter board 432 of the IFQ circuit 30 also ~nciude a PAL state macmne which examines incoming frames for errors (for example, t ~ panty errors and 4B/SB IinK errorsl. In one emoodiment of the front end communication system t0, ail of the spate machines on the IFQ urcmt 30 operate from a 20MHz clock signal which ~s derived from the tOMHz crock signal of the microprocessor 42.
The moroprocessor 42 is programmes to provide at least two DMA engines for moving data. For example, the mmroarocessor 42 will respond to appropriate interrupt signals from 20 the interrupt circuit blocK 442 by momng data from the data buffers 44 to a dual-ported 64Kb RAM circuit 444, whn:h acts to provide a bucket brigade storage medium. Then, once sufficient data is stored in the dual-ported RAM circuit 444 (for example, 8Kb), the DMA
state machine in the first in, first out ("FIFO") O~MA control block 446 will move this data over the Q-bus 302 of the front end computer t 8. Memory cycles are preferably interleaved between both the 25 mmroprocessor 42 system pus aria the Q-bus, with the system bus of the microprocessor 42 gwen top priority. A staves register circuit 448 and a CSR circuit 450 are provided to transfer status and control invormation. Additionally, as shown in Figure t t , an address buffer 452 and a DMA/FIFO counter 454 are also couGled to the address lines of the dual-ported RAM circuit 444. Similarly, a DM,4lFIFO data buffer 456 for the Q-bus 302 and a data buffer for the 30 microprocessor 42 are also coupled to the data lines of the dual-ported RAM
circuit 444.
The present invention nas been described in an illustratwe manner. In this regard, it is emdent that those skilled m the art once gmen the benefit of the foregoing disclosure, may now make modifications to the specific embodiments described herein without departing from the spirit of the present mvenuon. Such moaifications are to oe considered mthin the scope of 35 the present mvennon which is I~mned solely by the scope ano spirit of the appended claims.

Claims (33)

1. A method of providing secure communications between a plurality of computers on a network (20) on the basis of an acceptable response to the transmission of an unpredictable signal from one of said computers, characterized by the steps of:

a) establishing a time-limited communication contract between first (18;18b) and second (70;72) computers on said network, said time limited communication contract being established on the basis of an acceptable response to the transmission of an unpredictable signal from one of said computers and being valid for a predetermined time period, said time period beginning with the establishing of the contract;

b) establishing a new time limited communication contract between said first and second computers before said predetermined time period expires, said new time limited communication contact being established on the basis of an acceptable response to the transmission of a new unpredictable signal from one of said computers and being valid for said predetermined time period, said time period beginning with the establishing of the new contract;

c) repeating step b) as long as a valid communication contract exists; and d) enabling a designated type of signal communication between said first and second computers only as long as a valid communication contract exists.

2. The method according to claim 1, wherein said step of establishing a time limited communication contract includes the steps of generating (246) an unpredictable signal at said first computer (18a;18b), transmitting (248) said unpredictable signal to said second computer (70;72), generating (250) a predictable modification to said unpredictable signal at said second computer (70;72), transmitting (252) said modified unpredictable signal to said first computer (18a;18b), and determining (254,256) at said first computer (18a;18b) whether said modified unpredictable signal is acceptable before permitting (266) said designated type of signal communication between said first and second computers.

3. The method according to claim 2, wherein said modified unpredictable signal is determined to be acceptable if it matches an expected modification of said unpredictable-signal.

4. The method according to claim 3, wherein said unpredictable signal is a pseudo-random number.

5. The method according to claim 4, wherein said predictable modification of said unpredictable signal is an encrypted form of said pseudo-random number.

6. The method according to claim 3 or 4, wherein said pseudo-random number has a digital length of at least 32 bits.

7. The method according to one of the preceding claims, wherein said designated type of signal communication includes an instruction from said second computer (70;72) to said first computer (18a;18b) which commands a modification of at least one process control variable.

8. The method according to one of claims 4 to 5 and in particular according to claim 7, wherein said pseudo-random number is encrypted by said second computer (70;72) in accordance with an algorithm which is unique to the compiled version of an application program running in said first computer (18a;18b).

9. The method according to one of the preceding claims, wherein a new time limited communication contract is established at interval of less than one minute.

10. The method according to claim 9, wherein said predetermined time period is less than one minute.

11 . The method according to claim 10, wherein said predetermined time period is less than 30 seconds.

12. The method according to one of the preceding claims, wherein the establishing of said communication contracts is initiated by said first computer (18a;l8b).

13. The method according to claim 12, wherein a communication contract is offered by a contract offer message only to a second computer (70;72) being identified in a security table (S1) as having a corresponding authorization, said security table (S1) being stored in said first computer (18a; 18b).

14. The method according to claim 13, wherein the authorization is disabled, if the response of said second computer (70;72) to the transmission of said unpredictable signal is not acceptable or if said second computer (70;72) does not respond to a predetermined number of successive contract offers within a respective time-out period.

15. The method according to claim 13 or 14, wherein said security table (S1) is installed in said first computer (18a;18b) via communication from a separate security server (68) upon initialization of said first computer (18a;18b).

16. A secure front end communication system for at least one process control computer (12a;12b) which controls the operation of a physical process, including a computer network (20) for enabling communication between a plurality of computers, and at least one computer entity (70;72) connected to said computer network, characterized by:

at least one front end computer (18a,18b) connected between said process control computer (12a;12b) and said computer network (20), said font end computer (18a;18b) having means for:

a) establishing a time limited communication contract with said computer entity (70;72), said time limited communication contract being established on the basis of an acceptable response to the transmission of an unpredictable signal from said front end computer (18a;18b) to said computer entity (70;72) and being valid for a predetermined time period, said time period beginning with the establishing of the contract;

b) establishing a new time limited communication contract with said computer entity (70;72) before said predetermined time period expires said new time limited communication contract being established on the basis of an acceptable response to the transmission of a new unpredictable signal from said front end computer (18a;18b) to said computer entity (70;72) and being valid for said predetermined time period, said time period beginning with the establishing of the new contract;

c) repeating step b) as long as a valid communication contract exists; and d) enabling a designated type of signal communication between said computer entity (70;72) and said process control computer (12a;12b) via said front end computer (18a;18b) only as long as a valid communication contract exists.

17. The secure front end communication system according to claim 16, wherein said computer entity (70;72) includes means (250) for generating an expected modification of said unpredictable signal, and said establishing means in said front end computer (18a;18b) includes means (254,262) for determining whether the modified unpredictable signal received from said computer entity (70;72) is acceptable.

18. The secure front end communication according to claim 17, wherein said establishing means determines that said modified unpredictable signal is acceptable if it matches an expected modification of said unpredictable signal.

19. The secure front end communication system according to claim 1B, wherein said unpredictable signal is a pseudo-random number.

20. The secure front end communication system according to claim 19, wherein said expected modification of said unpredictable signal is an encrypted form or said pseudo-random number.

21. The secure front end communication system according to claim 19 or 20 , wherein said pseudo-random number has a digital length of at least 32 bits.

22. The method according to one of claims 19 to 21, wherein said computer entity (70;72) encrypts said pseudo-random number in accordance with an algorithm which is unique to the compiled version of an application program running in said process control computer.

23. The secure front end communication system according to one of claims 16 to 22, wherein a new time limited communication contract is established at intervals of less than one minute.

24. The secure front end communication system according to claim 23, wherein said predetermined time period is less than one minute.

25. The secure front end communication system according to claim 24, wherein said predetermined time period is less than 30 seconds.

26. The secure front end communication system according to one of claims 16 to 25, wherein the establishing of said time limited communication contracts is initiated by said front end computer (18a;18b).

27. The secure front end communication system according to claim 26, wherein communication contract is offered by a contract offer message only to a computer entity (70;72) being identified in a security table (S1) as having a corresponding authorization, said security table (S1) being sacred in said front end computer (18a;18b).

28. The secure front end, communication system according to claim 27, wherein the authorization is disabled if the response of said computer entity (70;72) to the transmission of said unpredictable signal is not acceptable or if said computer entity (70; 72) does not respond to a predetermined number of successive contract offers within a respectibe time-out period.

29. The secure front end communication system according to claim 27 or 28, wherein said security table (S1) is installed in said front end computer (18a;18b) via communication from a separate security server (68) upon initialization of said front end computer (18a;18b).

30. The secure front end communication system according to one of claims 16 to 29, wherein said designated type of signal communication includes an instruction from said computer entity (70;72) to said process control computer (12a;12b) that commands a modification of at least one process control variable.

3. The secure front end communication system according to claim 30, wherein said front end computer (18a;18b) includes means nor storing at least one permissive table (PL,PR), and means (270,274) for determining whether such an instruction from said computer entity (70;72) will be transmitted by said front end computer (18a;18b) to said process control computer (12a;12b) from a comparison of the process control variable sough to be modified and an enable indicator contained in said permissive table (PL,PR) for said process control variable.

32. The secure front end communication system according to one of claims 16 to 31, further including a security server (68) connected to said computer network (20), said security server (68) having means for storing a security table (S1,S2) which identifies the computer entities on said computer network (20) that are permitted to send commands to said process control computer (12a;12b), and means (204) for responding to a network message (202) from said front end computer (18a;18b) which requests a copy of said security table (S1;S2) by transmitting a responsive network message (206) which includes an encrypted transformation of an unpredictable component contained in said requesting network message (202) from said front end computer (18a;18b).

33. The secure front end communication system according to one of claims 16 to 32, wherein said computer network (20) includes a plurality of network segments (PAN-1,PAN-2,PAN-3), and means (62;64) for preventing the transmission of a network message that includes such a variable modification instruction to the network segment (PAN-1;PAN-2) on which said front end computer (18a;18b) resides from at least one other network segment (PAN-2; PAN-1; PAN-3) of said computer network (20).