(19)
(11)EP 3 416 061 B1

(12)EUROPEAN PATENT SPECIFICATION

(45)Mention of the grant of the patent:
13.01.2021 Bulletin 2021/02

(21)Application number: 18176884.7

(22)Date of filing:  08.06.2018
(51)International Patent Classification (IPC): 
G06F 13/40(2006.01)

(54)

MULTIPLE MASTER PROCESS CONTROLLERS USING A SHARED SERIAL PERIPHERAL BUS

MEHRERE MASTER-PROZESSREGLER MIT EINEM GEMEINSAMEN SERIELLEN PERIPHERIEBUS

MULTIPLES UNITÉS DE COMMANDE DE PROCESSUS MAÎTRES AU MOYEN D'UN BUS PÉRIPHÉRIQUE SÉRIE PARTAGÉ


(84)Designated Contracting States:
AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

(30)Priority: 16.06.2017 US 201762520925 P
05.06.2018 US 201816000196

(43)Date of publication of application:
19.12.2018 Bulletin 2018/51

(73)Proprietor: Honeywell International Inc.
Morris Plains, NJ 07950 (US)

(72)Inventor:
  • WENSEN, Aad Van
    Morris Plains, NJ New Jersey 07950 (US)

(74)Representative: Houghton, Mark Phillip 
Patent Outsourcing Limited 1 King Street
Bakewell, Derbyshire DE45 1DZ (GB)


(56)References cited:
US-A1- 2013 054 852
US-A1- 2016 140 067
US-A1- 2013 173 832
  
      
    Note: Within nine months from the publication of the mention of the grant of the European patent, any person may give notice to the European Patent Office of opposition to the European patent granted. Notice of opposition shall be filed in a written reasoned statement. It shall not be deemed to have been filed until the opposition fee has been paid. (Art. 99(1) European Patent Convention).


    Description

    FIELD



    [0001] Disclosed embodiments relate to fault-tolerant process control systems having a master process controller and a secondary master controller, along with Serial Peripheral Bus communication interfaces that enable communications between the process controllers and for a plurality of field devices to be controlled.

    BACKGROUND



    [0002] The failure of an industrial control system can lead to costly downtime. There is expense involved in restarting a process along with the actual production losses resulting from a failure. If the process is designed to operate without supervisory or service personnel, all of the components in the process control system generally need to be fault-tolerant.

    [0003] A conventional way of providing fault-tolerance is by including a Safety Instrumented System (SIS) hooked up in parallel to the process control system. Accordingly, a fault-tolerant process control system generally includes a first and a second master controller. The Serial Peripheral Interface (SPI) bus is a commonly used microprocessor data bus for process control systems. SPI as known in the art is designed for a single master process controller with multiple slave controllers, and thus does not support redundant master controllers. SPI is a fully synchronous serial protocol, so that for every clock cycle one bit of data is transferred.

    [0004] FIG. 1 is a block schematic diagram of a conventional fault-tolerant process control system 100 comprising a primary master process controller 110 interfaced to a plurality of input/output (IO) modules 120 shown as IO modules 1201 ... 120n, and another (redundant) master process controller 110' interfaced to a plurality of input/output (IO) modules 120' shown as IO modules 1201' ... 120n'. The IO modules 120, 120' are shown coupled to field devices comprising sensors 112 and actuators 113 that are coupled to processing equipment 114 to allow sensing and control of the process being run in an industrial processing facility (IPF) that is under fault-tolerant process control by the master process controllers 110, 110'. The connection between the master process controllers 110 and 110' shown as 119 is a known connection that enables their respective memories comprising the first memory 111a and second memory 111a' to be tracked memories. This arrangement allows the memories 111a and 111a' to be maintained in an identical fashion using an initial memory transfer followed by updates that are tracked.

    [0005] Master process controllers 110 and 110' each include a processor 111, 111' shown as a central processing unit (CPU) having internal memory 111a, 111a' (e.g., register memory), and a serial communication engine 117, 117'. A first Serial Peripheral Interface (SPI) bus 135 is shown with its logic signals that provide a synchronous serial data link operating in full duplex mode between the master process controller 110 and the IO modules 1201 ... 120n. A second SPI bus 135' is shown with its logic signals that provide a synchronous serial data link operating in full duplex mode between the master process controller 110' and the IO modules 1201' ... 120n'. Each of the IO modules 1201 ... 120n and 1201' ... 120n' has an SPI port.

    [0006] SPI specifies four logic signals. These logic signals are (i) CLK (serial clock) output from controller/master (controller); (ii) MOSI: controller/master output, IO module/slave input (output from controller/master); (iii) MISO: controller/master input, IO module/slave output (output from slave); and (iv) separate/independent IO module/slave select signals (active low, output from controller/master) shown as MS1, MSn.

    [0007] The IO modules in 120 comprising IO modules 1201 ... 120n, and in 120' comprising IO modules 1201' ... 120n' are connected in a daisy chain configuration where the SPI signals (CLK, MOSI and MISO) of the respective IO modules for each process controller can be seen to all be connected together. Respective IO modules 120, 120' communicate in slave mode where the master process controller 110, 110' acting as the master device forms the messages to be sent to the slave device in its memory 111a, 111a' to initiate data frames to form a multi-frame message.

    [0008] US2016140067 discloses multiple masters for accessing shared slaves via arbiter controlled switches.

    SUMMARY



    [0009] This Summary is provided to introduce a brief selection of disclosed concepts in a simplified form that are further described below in the Detailed Description including the drawings provided.

    [0010] The present invention is defined by the appended fault-tolerant process control system as defined by claim 1 and the process control method as defined by claim 5.

    [0011] The disclosed arrangement and method thus solve the problem of conventional fault-tolerant process control systems, such as the conventional fault-tolerant process control system 100 shown in FIG. 1, where a single random hardware failure in either of the master process controllers prevents the remaining 'healthy' master process controller from gaining access to the SPI bus and thus controlling the process, resulting in plant down-time. The disclosed arrangement also removes the need for conventional fully redundant first and second SPI buses 135, 135' as shown in FIG. 1, which reduces the cost of the fault-tolerant process control system.

    BRIEF DESCRIPTION OF THE DRAWINGS



    [0012] 

    FIG. 1 is block schematic diagram of a conventional fault tolerant control system comprising a first master process controller interfaced to a plurality of IO modules, and a second master process controller interfaced to another plurality of IO modules, where the respective process controllers are each connected to separate SPI busses.

    FIG. 2 is a block schematic diagram of a disclosed fault-tolerant process control system including redundant master controllers comprising a first master process controller shown as Master process controller 1 and a second master process controller shown as Master process controller 2, where both of the master process controllers are connected to the same shared SPI bus through respective bus switches that are controlled to be On one at a time by an arbiter to a common node for each of the SPI lines (MISO, MOSI, CLK, CS), according to an example embodiment.


    DETAILED DESCRIPTION



    [0013] Disclosed embodiments are described with reference to the attached figures, wherein like reference numerals are used throughout the figures to designate similar or equivalent elements. The figures are not drawn to scale and they are provided merely to illustrate aspects disclosed herein. Several disclosed aspects are described below with reference to example applications for illustration. It should be understood that numerous specific details, relationships, and methods are set forth to provide a full understanding of the embodiments disclosed herein.

    [0014] Also, the terms "coupled to" or "couples with" (and the like) as used herein without further qualification are intended to describe either an indirect or direct electrical connection. Thus, if a first device "couples" to a second device, that connection can be through a direct electrical connection where there are only parasitics in the pathway, or through an indirect electrical connection via intervening items including other devices and connections. For indirect coupling, the intervening item generally does not modify the information of a signal but may adjust its current level, voltage level, and/or power level.

    [0015] FIG. 2 shows a disclosed fault-tolerant process control system 200 including a first process controller shown as master process controller 1 110 and a redundant second master process controller shown as master process controller 2 110'. The processor controllers can each comprise a PLC. Each master process controller 110, 110' connects to the same shared SPI bus 235 through a dedicated bus switch 211, 212, sometimes also called "digital switches", which as known in the art are electronic products designed for connecting to high speed digital buses. The basic element for each channel of a bus switch is generally an N-Channel field effect transistor (FET) whose condition (on, or off) is controlled by Complementary Metal-Oxide Semiconductor (CMOS) logic that controls the bias voltage applied to the FET gate with respect to a source terminal for NMOS or to a drain terminal for PMOS. The switches may also comprise bipolar transistors or insulated-gate bipolar transistors (IGBTs).

    [0016] Both of the bus switches 211, 212 are controlled by an arbiter block 225 that controls the bus switches for single bus switch selection such that only one of the bus switches 211, 212 at any given time will have its switches On, thus connecting its associated master process controller to the shared SPI bus 235. The arbiter block 225 can comprise digital logic such as flip-flops with logic functions, analog logic, or be software-based.

    [0017] The arbiter block 225 is controlled by signals sent over the request lines 115, 115' provided by the respective master processor controllers 110, 110'. More generally, N-number of master controllers can be connected to the shared SPI bus 235 with an arbiter block 225 providing outputs to a dedicated data bus switch for each master controller. As noted above, the connection between the master process controllers 110, 110' shown as connection 119 is a known connection that is configured to enable their respective first memory 111a, and second memory 111a' to be tracked memories. The first memory 111a and the second memory 111a' can comprise register memory or other memory.

    [0018] The first master process controller 1 110 includes a first processor 111 shown as a CPU including first memory 111a and a first serial communication engine 117 and the second master process controller 2 110' connected in parallel to the first master process controller includes a second processor 111' shown as a CPU including a second memory 111a' and a second serial communication engine 117'. The processors 111, 111' can comprise a digital signal processor (DSP), a microcontroller, an application specific integrated circuit (ASIC), a general processor, or any other combination of one or more integrated processing devices.

    [0019] A first bus switch 211 couples the first serial communication engine 117 to the shared SPI bus 235 including a plurality of SPI lines, and a second bus switch 212 that couples the second serial communication engine 117' to the same shared SPI bus 235. The shared SPI bus 235 transmits SPI signals received from the first serial communication engine 117 when the first bus switch 211 is enabled by the arbiter block 225 to at least a first target device 120 shown as IO module 1 to IO module n, and transmits SPI signals received from the second serial communication engine 117' when the second bus switch 212 is enabled to at least a second target device 120' shown as IO module 1' to IO module n'.

    [0020] Both master process controllers 110/110' are thus connected to the same shared SPI bus 235 through respective bus switches 211, 212 to a common node (shown in FIG. 2 as black dots at the intersection of a plurality of lines) for each of the SPI bus lines (MISO, MOSI, CLK, CS). The bus switches 211, 212 can generally comprise any analog or tri-state switch capable of driving or level shifting the SPI signal levels and frequencies (typically to 16 MHz) used in the process control system for implementing process control.

    [0021] The target devices 120 and 120' are shown both coupling to the same sensors shown as sensor 112 and the same actuators shown as actuator 113, that both are associated with processing equipment 114 such as boilers, tanks and mixers which run a physical (industrial or manufacturing) process that generates a tangible product. Although the target devices 120 and 120' are both described as IO modules and shown as IO modules in FIG. 2 being part of a fault-tolerant process control system 200, the devices connected to the shared SPI bus 235 in other system types may be any controller such as a PLC using SPI as communication bus that can benefit from disclosed multiple master process controllers utilizing a shared single SPI bus that can comprise any slave device compatible with an SPI bus.

    [0022] The arbiter block 225 will generally activate the most recently requested bus switch through control by master process controller signaling over request lines 115, 115', and release (i.e., turn Off) all other data bus switch(es) even while the other data bus switches are switched On. A master process controller will not request the SPI bus 235 if one of the other master process controllers is incapable of sensing a request over a request line for releasing the shared SPI bus 235. A healthy master process controller can sense that another master controller is incapable of sensing a request, generally by exchanging status messages between the master controllers over connection 119. This assures that a single hardware fault cannot block access of healthy master process controller(s) to the shared SPI bus 235. The arbiter block 225 can also assure that if multiple master process controllers (master process controller 1 110 and master process controller 2 110' in FIG. 2) request the shared SPI bus 235 simultaneously, only one of the master process controllers 110, 110' will gain access to the shared SPI bus 235. The master process controller which will gain access to the shared SPI bus 235 in this simultaneous case can be arbitrarily set (e.g., arbitrarily master process controller 110) or be based on some parameter, such as based on the best quality. For example, a fault-free master process controller may take preference over a master process controller with current fault(s), where a fault can be anything abnormal.
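    The arbitration rules of paragraph [0022] can be modelled in software and checked exhaustively for the single-switch property. The following is an added example, not code from the patent or the proprietor: it assumes a request is a rising edge on a request line, that a grant is held until another master requests, and that the arbitrary tie-break is the lowest index; all identifiers are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define N_MASTERS 2                       /* model also works for N up to 8 */
#define LINE_MASK ((uint8_t)((1u << N_MASTERS) - 1u))

/* Hypothetical model of arbiter block 225. */
typedef struct {
    uint8_t prev_req;  /* request line levels at the previous step (assumed edge-triggered) */
    int8_t  owner;     /* index of the master whose bus switch is On, -1 = none */
} arbiter_t;

void arbiter_init(arbiter_t *a)
{
    a->prev_req = 0;
    a->owner = -1;
}

/*
 * One evaluation step.
 *   req   bit i = level of the request line of master i
 *   fault bit i = master i currently reports fault(s)
 * Returns the bus switch enables as a bit mask (bit i = switch of master i On).
 */
uint8_t arbiter_step(arbiter_t *a, uint8_t req, uint8_t fault)
{
    req &= LINE_MASK;
    fault &= LINE_MASK;

    uint8_t rising = (uint8_t)(req & ~a->prev_req);  /* new requests this step */
    a->prev_req = req;

    if (rising) {
        /* Simultaneous requests: fault-free masters take preference. */
        uint8_t cand = (uint8_t)(rising & ~fault);
        if (!cand)
            cand = rising;                /* every new requester is faulted */

        /* Assumed arbitrary tie-break: lowest index wins. */
        for (int i = 0; i < N_MASTERS; i++) {
            if (cand & (1u << i)) {
                a->owner = (int8_t)i;     /* most recent request takes the bus; */
                break;                    /* all other switches are released    */
            }
        }
    }
    /* Assumption: without a new request the current grant is held. */
    return a->owner < 0 ? 0 : (uint8_t)(1u << a->owner);
}

/*
 * Drive the model with every 3-step sequence of (req, fault) inputs and check:
 *   1. never more than one bus switch On;
 *   2. when a fault-free master is among the new requesters, the granted
 *      master is not a faulted one.
 */
bool arbiter_verify_exhaustive(void)
{
    const unsigned combos = 1u << (2 * N_MASTERS);   /* req bits x fault bits */

    for (unsigned s0 = 0; s0 < combos; s0++)
    for (unsigned s1 = 0; s1 < combos; s1++)
    for (unsigned s2 = 0; s2 < combos; s2++) {
        const unsigned seq[3] = { s0, s1, s2 };
        arbiter_t a;
        arbiter_init(&a);

        for (int k = 0; k < 3; k++) {
            uint8_t req   = (uint8_t)(seq[k] & LINE_MASK);
            uint8_t fault = (uint8_t)((seq[k] >> N_MASTERS) & LINE_MASK);
            uint8_t prev  = a.prev_req;
            uint8_t sw    = arbiter_step(&a, req, fault);

            if (sw & (sw - 1))
                return false;             /* two switches On: bus contention */

            uint8_t rising = (uint8_t)(req & ~prev);
            if ((rising & ~fault & LINE_MASK) && (sw & fault))
                return false;             /* faulted master beat a healthy one */
        }
    }
    return true;
}

int main(void)
{
    printf("single-switch and fault-preference properties hold: %s\n",
           arbiter_verify_exhaustive() ? "yes" : "no");
    return 0;
}
```

    The same two properties are what a hardware implementation of the arbiter would need to hold for the shared bus to avoid contention between bus switches 211 and 212.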


    Claims

    1. A fault-tolerant process control system 200, comprising:

    a first master process controller 110 including a first processor 111 including first memory 111a and a first serial communication engine 117;

    at least a second master process controller 110' connected in parallel to said first master process controller including a second processor 111' including second memory 111a' and a second serial communication engine 117';

    a first bus switch 211 coupling said first serial communication engine to a shared Serial Peripheral Interface (SPI) bus 235 including a plurality of SPI lines and a second bus switch 212 coupling said second serial communication engine to said shared SPI bus, wherein said shared SPI bus transmits SPI signals received from said first serial communication engine 117 when said first bus switch 211 is enabled to at least a first target device 120, and transmits SPI signals received from said second serial communication engine 117' when said second bus switch 212 is enabled to at least a second target device 120', and

    an arbiter block 225 having an input coupled to receive a select control signal from both said first and second master process controllers, the arbiter block is coupled to both said first bus switch 211 and to said second bus switch 212 for single bus switch selection,

    wherein at any time only one of said first master process controller and said second master process controller is granted access to said shared SPI bus,

    wherein said first target device 120 and said second target device 120' are comprised of a plurality of input/output (IO) modules 120, 120' that are each coupled to field devices including sensors and actuators, the sensors and actuators are coupled to processing equipment in an industrial processing facility (IPF); and

    wherein if the first master process controller and the second master process controller request the shared SPI bus simultaneously, only one of the master process controllers gains access to the shared SPI bus, characterized in that
    a fault-free master process controller takes preference over a master process controller with current fault(s).


     
    2. The fault-tolerant process control system of claim 1, wherein said first processor and said second processor each comprise a programmable logic controller (PLC).
     
    3. The fault-tolerant process control system of claim 1, wherein said arbiter block 225 comprises digital logic.
     
    4. The fault-tolerant process control system of claim 1, wherein said arbiter block 225 comprises analog logic.
     
    5. A method of process control, comprising:

    providing a first master process controller 110 including a first processor 111 including first memory 111a and a first serial communication engine 117 and at least a second master process controller 110' including a second processor 111' including second memory 111a' and a second serial communication engine 117' and being connected in parallel to said first master process controller, a first bus switch 211 coupling said first serial communication engine 117 to a shared Serial Peripheral Interface (SPI) bus 235 including a plurality of SPI lines and a second bus switch 212 coupling said second serial communication engine 117 to said shared SPI bus, and an arbiter block 225 being coupled to control said first bus switch 211 and said second bus switch 212;

    said shared SPI bus transmitting SPI signals received from said first serial communication engine 117 when said first bus switch 211 is enabled to a first target device 120 and transmitting SPI signals received from said second serial communication engine 117' when said second bus switch 212 is enabled to a second target device 120';

    said arbiter block 225 receiving a select control signal from both said first and second master process controllers for single bus switch selection so that at any time only one of said first master process controller and said second master process controller is granted access to said shared SPI bus,

    wherein said first target device 120 and said second target device 120' are comprised of a plurality of input/output (IO) modules 120, 120' that are each coupled to field devices including sensors and actuators, the sensors and actuators are coupled to processing equipment in an industrial processing facility (IPF), and

    wherein if the first master process controller and the second master process controller request the shared SPI bus simultaneously, only one of the master process controllers gains access to the shared SPI bus, characterized in that
    a fault-free master process controller takes preference over a master process controller with current fault(s).


     
    6. The method of claim 5, wherein said first processor and said second processor each both comprise a programmable logic controller (PLC).
     
    7. The method of claim 5, wherein said arbiter block 225 comprises digital logic.
     
    8. The method of claim 5, wherein said arbiter block 225 comprises analog logic.
     
    9. The method of claim 5, wherein said first bus switch 211 and said second bus switch 212 comprise analog switches or tri-state switches.
     
    10. The method of claim 5, wherein said arbiter block activates a most recently requested one said first and second bus switch through a control signal sent by said first or by said second master process controller.
     





