CA2137157A1 - Stealth interface for process control computers - Google Patents

Stealth interface for process control computers

Info

Publication number
CA2137157A1
CA2137157A1 CA002137157A CA2137157A CA2137157A1 CA 2137157 A1 CA2137157 A1 CA 2137157A1 CA 002137157 A CA002137157 A CA 002137157A CA 2137157 A CA2137157 A CA 2137157A CA 2137157 A1 CA2137157 A1 CA 2137157A1
Authority
CA
Canada
Prior art keywords
process control
computer
data
memory
ported
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
CA002137157A
Other languages
French (fr)
Inventor
Edward R. Sederlund
Robert J. Lindesmith
Nadene Teresa Thomas
Russell Wayne Cowles
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Dow Chemical Co
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Classifications

    • G05B19/4185 Total factory control, i.e. centrally controlling a plurality of machines, e.g. direct or distributed numerical control [DNC], flexible manufacturing systems [FMS], integrated manufacturing systems [IMS], computer integrated manufacturing [CIM], characterised by the network communication
    • G05B19/04 Programme control other than numerical control, i.e. in sequence controllers or logic controllers
    • G05B19/0421 Multiprocessor system
    • G05B2219/2225 Communication, CPU accesses own I-O and next CPU over dual port memory
    • G05B2219/24182 Redundancy
    • G05B2219/25222 Mailbox, email, mail system
    • Y02P90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Abstract

A stealth interface for an intelligent front-end communication system which couples a plurality of actively redundant process control computers to a computer network. The stealth interface in each of the actively redundant process control computers includes a multi-ported memory for storing dynamic data associated with the physical process and for transferring this data to a front end computer which is in communication with the computer network. The multi-ported memory also includes a mailbox section for storing messages sent between the front end computer and its actively redundant process control computer. The stealth interface also includes a guardian circuit which ultimately controls the ability of the front end computer to write information to specific memory locations in the multi-ported data memory.

Description

WO 93/25945 PCT/US93/05207

STEALTH INTERFACE FOR PROCESS CONTROL COMPUTERS

The present invention generally relates to "front-end" communication techniques between process control computers and a plant/local area network. More specifically, the present invention relates to a "stealth" interface for a front-end communication system which is capable of transparently handling rapid data transfers to and from a process control computer with very high reliability and security.
In chemical manufacturing plants and other relatively large processing plants, a network of control computers and operator workstations may be needed to achieve automated control of an ongoing physical process in the plant. For example, the Jones et al. U.S. Patent No. 4,663,704, issued on May 5, 1987, shows a distributed processing system for a plant in which a single data highway connects all the various input/output terminals, data acquisition stations, control devices, record keeping devices and so forth. Similarly, the Henzel U.S. Patent No. 4,607,~56, issued on August 19, 1986, shows a plant management system which utilizes a plant control bus for the purpose of transmitting data to physical computer modules on the network.
In some of these process control computer networks, redundant process control computers are employed to enhance the reliability of the plant control and monitoring system. For example, the Fiebig et al. U.S. Patent No. 5,008,805, issued on April 16, 1991, shows a networked control system which includes a "hot standby" redundant processor that synchronously processes a control schedule table for comparison with control messages from a sender processor that are transmitted on the network. The redundant listener processor maintains a duplicate configuration in its memory ready to take over control of the system in the event of a failure of the sender processor. As another example, the McLaughlin et al. U.S. Patent No. 4,958,27~, issued on September 18, 1990, shows a networked control system which employs a primary controller and a secondary controller. In order to maintain consistency between the primary data base and a secondary image of the data base, only predetermined areas changed are updated as a way of increasing the efficiency of the update function. Similarly, the Slater U.S. Patent No. 4,872,106, issued on October 3, 1989, shows a networked control system which employs a primary data processor and a back-up data processor. Normally, the back-up processor will be in a back-up mode of operation, and it will not operate to exercise control over the input/output devices or receive data concerning the states of the input/output devices. Accordingly, control over the input/output devices is exclusively carried out by the primary processor. However, the primary processor periodically transfers status data relating to its operation in the control of the input/output devices to the back-up data processor via a dual ported memory connected between the two processors. An example of a method of linking two processors with a common shared memory is shown in the article "Multiprocessor Systems" by Alan Clements in the September, 1988 publication of Electronics World and Wireless World (Sutton, Surrey, Great Britain). The article discusses issues related to coupling, memory access mechanisms, arbitration timing, and dynamic RAM control. However, this reference does not disclose a variable section in memory, a mailbox section in memory, or memory access only during a predetermined portion of an operative clock cycle. This article is hereby incorporated by reference.
In contrast with the above networked control systems, another control technique for redundant process control computers exists in which both of the process control computers operate on input data and issue control commands to the same output devices. This type of control technique may be referred to as active redundancy, because each of the redundant process control computers operates independently and concurrently on common input data. A discussion of this type of control technique may be found in the Glaser et al. U.S. Patent Application Serial No. 07/864,931, filed on March 31, 1991, entitled "Process Control Interface System Having Triply Redundant Remote Field Units". This application is hereby incorporated by reference.
The use of active redundancy as a control technique presents a difficult problem in terms of communication with the plant computer network, as each actively redundant process control computer will receive a set of input values and each of these process control computers will generate a set of output values. In the case where the actively redundant process control computers arbitrate or resolve some or all of the input and/or output values, to the extent that differences do exist, then multiple sets of input and output values could be created. For example, a set of pre-arbitration and post-arbitration input data values could potentially be available from each of the actively redundant process control computers. Accordingly, it would be desirable to enable some or all of these data sets to be matched up and analyzed by another computer on the plant network without interfering with or slowing down the operation of the actively redundant process control computers.
Additionally, it would be desirable to permit one or more of the computers on the plant network to modify certain values used by the program in each of the actively redundant process computers as the need may arise, such as analog constants. However, it should be appreciated that such an activity would need to be restricted in some manner, as predictable changes in the operation of physical devices should be assured.
Accordingly, it is a principal objective of the present invention to provide a stealth interface for a front-end communication system which enables rapid and highly reliable data transfers between an actively redundant process control computer and a plant/local area network.
It is another objective of the present invention to provide a stealth interface for a front-end communication system which enables data transfers in a manner that is non-intrusive to the operation of the actively redundant process control computer.
It is also an objective of the present invention to provide a stealth interface for a front-end communication system which enables messages to be transferred to the actively redundant process control computers in a manner that is non-intrusive to the operation of the actively redundant process control computer.
It is a further objective of the present invention to provide a stealth interface which enables the actively redundant process control computer to ultimately control write operations by external entities to memory locations in the actively redundant process control computer.
It is an additional objective of the present invention to provide a stealth interface which is capable of handling data transfers with a plurality of external communication devices.

SUMMARY OF THE INVENTION
To achieve the foregoing objectives, the present invention provides a "stealth" interface for a front-end communication system which is interposed between a plurality of actively redundant process control computers and a computer network. A separate stealth interface resides in each of the actively redundant process control computers, and each of these stealth interfaces communicates with a front end computer which is coupled to the computer network. Each stealth interface features a multi-ported memory for storing dynamic data associated with the physical process, and for transferring some or all of this data to the computer network. In this regard, the stealth interface derives its name from its ability to transfer data from the multi-ported memory in a way which is transparent to its actively redundant process control computer. In one form of the present invention, the front end computer is permitted read access to all of the memory locations in the multi-ported memory.
The multi-ported memory of the stealth interface also includes a mailbox section which is used to store messages from the front end computer to the actively redundant process control computer. However, in order to more completely control this write access capability by the front end computer, the stealth interface further includes a guardian circuit which prevents the front end computer from writing to any memory location in the multi-ported memory other than the mailbox section. Accordingly, while the front end computer may be permitted read access to the entire contents of the multi-ported memory, the actively redundant process control computer will ultimately determine the write access for the front end computer. The mailbox section of the multi-ported memory will also enable the front end computer to transfer new computer program instructions to the actively redundant process control computer in a download mode.
In one form of the present invention, the multi-ported memory in each of the actively redundant process control computers also includes an arbitration technique for permitting the multi-ported memory to be accessed by a plurality of different communication devices. Thus, the dynamic data and/or other variable data stored in the multi-ported memory may be made accessible to other external entities without interfering in any way with the operation of the actively redundant process control computer.
Additional features and advantages of the present invention will become more fully apparent from a reading of the detailed description of the preferred embodiment and the accompanying drawings in which:

BRIEF DESCRIPTION OF THE DRAWINGS
Figure 1 is a block diagram of an intelligent front-end communication system for a plurality of actively redundant process control computers which utilizes a stealth interface according to the present invention.
Figures 2A and 2B provide a diagrammatic representation of the data tables stored in a time aligned reflective memory buffer and the Correlate buffer shown in Figure 1.
Figure 3 is a block diagram of the stealth interface shown in Figure 1.
Figures 4A and 4B comprise a schematic diagram of the stealth interface of Figures 1 and 3.
Figures 5A and 5B illustrate two timing diagrams for the stealth interface.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
Referring to Figure 1, a block diagram is shown of an intelligent front-end communication system 10 which is coupled to a pair of actively redundant process control computers 12a-12b. Each of the process control computers 12a-12b receives common input data from field computer units (not shown) or other suitable field instrumentation. In this regard, the Glaser et al. U.S. Patent Application Serial No. 07/864,931, referenced above, describes in detail the communication and control links between a pair of actively redundant process control computers, such as process control computers 12a-12b, and the input/output devices directly associated with the physical process being controlled.
While the redundancy of two actively operating process control computers has certain fault tolerance advantages over a single decision making process control computer, it should be understood that the principles of the present invention are not limited to any particular configuration of process control computers. Thus, for example, it may be desirable to employ three process control computers in the place of the two process control computers 12a-12b shown in Figure 1 under the appropriate circumstances.
In the present embodiment, the process control computers 12a-12b preferably operate concurrently on all of the signals transmitted from one or more field computer units. In other words, each of the process control computers 12a-12b is capable of making independent decisions based upon the data received by these redundant computers from the field. The decisions made by the process control computers 12a-12b determine the output signal values which are ultimately directed to specific output devices (for example, valves, pump motors and reactor heaters) by the appropriate field computer units. While the output signal values are preferably reconciled at least to some extent between the two actively redundant process control computers 12a-12b before the transmission of these signals to the field, it should be understood that two independent sets of output signal values could be communicated to the field computer units. In this regard, the input values received from a field computer unit could be arbitrated, which should make it unnecessary to reconcile or arbitrate output values. This is because both of the process control computers 12a-12b would then be working with the same process control program and operating on the same set of arbitrated input values.
As an example of a preferred form of possible value reconciliation, corresponding input value tables in each of the process control computers 12a-12b could be compared during a preset time period, and one of the values could be chosen for each input value signal to be subjected to the process control program. This selection of input values could be made on criteria suitable to the process being controlled, such as the use of the value determined by the Left process control computer 12a when the value determined by the Right process control computer 12b is within a certain predetermined percentage limit (for example, 2.5%). Otherwise, the distinct input values of both the Left and Right process control computers could each be employed when these values are found to be outside the predetermined percentage limit. Alternatively, the selection of different input/output values from the Left and Right process control computers could be made on the basis of a software implemented preference. Thus, for example, under certain process conditions, it may be considered more appropriate to select either the high or low value, regardless of whether the value was determined by the Left or Right process control computer.
To facilitate this arbitration or reconciliation process, a parallel communication link 14 is provided between the process control computers 12a-12b. Parallel communication link 14 is referred to as the "major" link, as it permits a direct transfer of data and timing signals between the process control computers. It should also be noted that the Left process control computer 12a is labeled "fox", while the Right process control computer 12b is labeled "dog". These are logical designations for alternative operating modes of the process control computers 12a-12b.
While each of the process control computers 12a-12b makes independent decisions, which may be subject to arbitration, the process control computer currently in the fox mode has the ability to force the process control computer in the dog mode to move to a subsequent step in a programmed sequence in order to keep the cooperative efforts of the two process control computers in relative synchronization. Additionally, the process control computer in the fox mode will transmit a timing signal to the process control computer in the dog mode at the beginning of its process control program cycle (for example, a one second period), so that the process control computer in the dog mode will know to begin a new process control program cycle as well. As the process control computers 12a-12b operate under their own clock oscillators, the detection and interpretation of this program cycle timing signal by the process control computer in the dog mode will help to periodically keep these process control computers in relative synchronization. However, it should be appreciated that the program cycle of the process control computer in the dog mode will typically follow the program cycle of the process control computer in the fox mode by the period of time it takes to transmit and then detect the program cycle timing signal (for example, 20-microseconds to 20-milliseconds).
In the event that process control computers 12a-12b are temporarily not able to communicate over the major link 14, each of these process control computers will continue their operations in a mode which assumes that they are operating alone. In this mode of operation, it should be appreciated that the program cycles of the process control computers 12a-12b may gradually drift apart in time relative to each other. Nevertheless, as will be seen from the discussion below, the front end communication system 10 is designed to enable data received from the process control computers 12a-12b to be time aligned for real-time analysis.
As illustrated in Figure 1, each of the process control computers 12a-12b includes a stealth interface according to the present invention. In particular, process control computer 12a includes stealth interface circuit 16a, while process control computer 12b includes stealth interface circuit 16b. As the stealth interface circuits 16a-16b comprise identical circuits, these stealth interface circuits are sometimes referred to generally herein as stealth interface circuit 16. Due to the redundant nature of the front end communication system 10, a general reference number will also be used for other duplicative components in the system.
The stealth interface 16 provides transparent data transfers between the process control computer to which it is connected and external communication devices. In this regard, the data transfers are transparent to the process control computer 12 in that the operation of the process control computer is not delayed or otherwise adversely affected by a transfer of its data to one or more external communication devices. The stealth interface 16 also enables the transfer of messages from an external communication device without affecting the operation of the process control computer 12. The primary example of such an external communication device is shown in Figure 1 to be comprised of a pair of redundant front end computers 18a-18b. The front end computers 18a-18b are redundant, because communication paths are provided for enabling each of these front end computers to exchange data and messages with both of the stealth interface circuits 16a-16b.
Each of the front end computers 18a-18b provides a highly intelligent interface between the stealth interface circuits 16a-16b and a plant/local area network, which is generally designated by reference numeral 20. However, since each of the redundant front end computers 18a-18b is capable of communicating with each of the stealth interface circuits 16a-16b, it should be appreciated that this redundancy is not required, and that a single front end computer could be utilized in the appropriate application. Additionally, as will be more apparent from the discussion below, each of the stealth interface circuits is capable of exchanging data and messages with other external communication devices, as well as the front end computers 18a-18b.
As illustrated in Figure 1, the stealth interface circuit 16 features a dual-ported memory "DPM" 22 which resides on the bus structure of the process control computer 12. Indeed, in the embodiment disclosed herein, the dual-ported memory 22 provides the primary or only data memory for the process control computer 12. Thus, in accordance with the present invention, the stealth interface circuit 16 will selectively grant external devices direct access to the data memory of the process control computer itself. The dual-ported memory 22 includes an internal port which is connected to the bus structure of the process control computer 12 and an external port, which is sometimes referred to herein as the stealth port. While the dual-ported memory 22 could be configured to provide additional ports, the dual-ported memory preferably includes an arbitration circuit which enables a plurality of external communication devices to have alternative access to the stealth port. In other words, only one external device will be able to use the data and address lines of the stealth port at any given time when access to the dual-ported memory is permitted through the stealth port, even though more than one external device may ultimately be coupled to the data and address lines of the stealth port. In the present embodiment, the stealth interface arbitration circuit employs a first-come, first-serve approach to granting access rights.
However, in accordance with the present invention, this arbitration circuit operates only on the stealth port. There is no arbitration per se between the internal and external ports of the stealth interface circuit 16. Rather, access to the dual-ported memory 22 from the external/stealth port is available only during those times when the process control computer 12 cannot access the dual-ported memory. More specifically, in the form of the invention disclosed herein, the machine cycle of the process control computer 12 is utilized to control access to the dual-ported memory 16. As is well known, the central processing unit of any computer must fetch and decode one or more programmed instructions in order to operate on one or more data words. In computers based upon the von Neumann architecture, it typically takes several computer clock cycles to fetch, decode and execute an instruction. However, in the present embodiment, the process control computer 12 is based on the Harvard architecture, which permits both an op-code instruction and the operand data for this instruction to be fetched in the same clock cycle. This is because a computer based upon the Harvard architecture includes physically separate instruction and data stores, and each of these stores has its own address and data lines to the central processing unit. Thus, during the portion of the clock cycle for the process control computer 12 that is devoted to fetching and decoding an instruction, the dual-ported data memory 22 may be accessed from the stealth port. Then, during the portion of the clock cycle for the process control computer 12 that is devoted to fetching the operand from the data store, the process control computer will have access to the dual-ported data memory 22 from the internal port.
In accordance with the present invention, the stealth interface circuit 16 watches for a specific transition in the memory clock signal of the process control computer 12 in order to determine when the stealth port may have access to the dual-ported data memory 16. In this regard, it should be understood that the process control computer itself is not affected by this external access, as external access is permitted by the stealth interface circuit 16 only during those time periods when the process control computer 12 will not need to access the dual-ported data memory 22. Indeed, the process control computer 12 does not even have to know that externally generated read/write activity is actually occurring with respect to its data store. Nevertheless, in accordance with the present invention, an important distinction is made between the ability to "read" from the dual-ported data memory 22 and the ability to "write" to the dual-ported data memory, as far as the stealth port is concerned. While it may be desirable to enable an external communication device to read each and every memory location in the dual-ported data memory 22, this may not be true with respect to the ability of an external device to write to memory locations in the dual-ported memory. In this regard, the dual-ported data memory 22 will store not only dynamic data associated with the physical process being controlled, but it may also store other process control variables, such as analog and digital constants.
Accordingly, the dual-ported memory 22 includes two "logical" memory sections, namely variable section 24 and mailbox section 26. These memory sections are logically distinct, because they are treated separately, even though they may both reside in the same physical memory circuit chip or chip set. In the present embodiment, the mailbox section 26 is comprised of a set of 256 memory word locations (16 bits each) in the dual-ported data memory 22, and the variable section 24 is comprised of the remaining memory locations in the dual-ported data memory 22 (for example, a block of 64k memory word locations). The variable section 24 may also include a message area for holding messages from the process control computer 12 to the front end computer 18. The mailbox section 26 is used to provide a specific region in memory for storing messages from external devices, such as the front end computers 18a-18b. In this regard, it should be appreciated that the memory locations of the mailbox section 26 do not need to be physically contiguous. While the mailbox section 26 may be configured to hold more than one message at any one time, depending upon the message transmission protocol employed, the mailbox section need only be large enough to hold one complete message. These messages may be as simple as an external request for the process control computer 12 to gather and transmit health/status data from a remote field computer unit that it may obtain less frequently. A message may also include a command to change a particular variable stored in the dual-ported data memory 22. Additionally, the mailbox section 26 of the dual-ported data memory 22 may also be used to electronically convey a program revision to the process control computer 12.
As will be more fully discussed below, the stealth interface circuit 16 includes a guardian circuit which prevents any external entity from writing to any memory locations in the variable section 24 of the dual-ported data memory 22. Thus, while some or all of the memory locations in the dual-ported data memory 22 may be read from the stealth port, an external entity is only permitted to write to the memory locations in the mailbox section 26 of the dual-ported memory 22. This feature of the present invention provides a hardware safeguard at the process control computer 12 which ensures that no external entity will be able to inadvertently interfere with the data processing operations of the process control computer 12. As will be more apparent from the discussion below, this feature of the present invention could also be employed to grant or deny external write access to any particular memory location or set of memory locations in the dual-ported data memory 22.
In order to rapidly pump data into or out from the stealth port, the front end communication system 10 of Figure 1 is also shown to include an interface to stealth "IFS" circuit 28, an interface to Q-bus "IFQ" circuit 30, and a set of fiber optic cables 32 interposed therebetween. The IFS circuit 28 is connected to the stealth port of the dual-ported data memory 22, while the IFQ circuit 30 resides on the "Q bus" of the front end computer 12. Due to the redundant nature of the front end communication system 10, it should be appreciated that the IFS circuit 28a is connected to the stealth port of dual-ported data memory 22a, while IFS circuit 28b is connected to the stealth port of dual-ported data memory 22b. Similarly, the IFQ circuit 30a is connected to the Q bus of the front end computer 18a, while the IFQ circuit 30b is connected to the Q bus of the front end computer 18b. In the embodiment disclosed herein, the front end computer 18 is preferably comprised of a MICROVAX 3400 computer using the real-time ELN operating system from the Digital Equipment Corporation "DEC". While the VAX family of computers from DEC offer considerable speed and networking advantages, it should be appreciated that other suitable front end computers may be employed in the appropriate application.
In order to permit each of the front end computers 18a-18b to conduct bi-directional communications with both of the stealth interface circuits 16a-16b, the fiber optic cables 32 actually include two sets of send and receive optical fibers (for example, 62.5/125/0.275NA type fibers). However, the separate send and receive optical fibers for each of the front end computers 18a-18b are represented as single channels in Figure 1 for simplicity. Thus, fiber optic channel 34a includes a separate optical fiber for sending information from the front end computer 18a to the stealth interface circuit 22a and an optical fiber for receiving information from the stealth interface circuit 22a. Similarly, the fiber optic channel 36a includes a separate optical fiber for sending information from the front end computer 18a to the stealth interface circuit 22b and an optical fiber for receiving information from the stealth interface circuit 22b. This arrangement of optical fibers is also duplicated for the front end computer 18b.
In the present embodiment, the combination of the IFS circuit 28, the IFQ circuit 30 and the fiber optic cables 32 provide an optical transmission interface which permits the front end computers 18a-18b to be remotely located from the process control computers 12a-12b. For example, in this embodiment it is possible for the front end computers 18a-18b to be located up to 2 km from the process control computers 12a-12b. Additionally, it should be noted that the Fiber Distributed Data Interface "FDDI" protocol may be used to transmit information between the IFQ and IFS circuits over the fiber optic cables 32.
The IFS circuit 28 includes the appropriate address and data buffer circuits (not shown) for transferring information to and from the stealth port of the dual-ported data memory 22. The IFS circuit 28 also includes a transfer map 37 which enables data from selected locations in the dual-ported data memory 22 to be gathered and transferred as one contiguous block of data. The transfer map 37 may be comprised of a static RAM with sufficient address storage capability to gather data from all of the available memory locations in the dual-ported data memory 22.
Additionally, the IFS circuit 28 includes a separate transmitter and receiver circuit for each of the two front end computers 18a-18b, such as transmitter 38a and receiver 40a. The transmitter 38a is adapted to convert parallel data words (for example, 16 bits) from the stealth port into a serial bit stream suitable for transmission over one of the fiber optic cables 32. Similarly, the receiver 40a is adapted to convert a serial bit stream from the front end computer 18 into a parallel data word for transmission to the stealth port through one or more of the IFS circuit buffers. A corresponding set of transmitters and receivers are also provided in the IFQ circuit 30, such as transmitter 38b and receiver 40b. From the above, it should be appreciated that the use of two sets of transmitter-receiver pairs enables data to be transferred and/or received simultaneously between both of the IFS circuits 28a-28b and both of the IFQ circuits 30a-30b. Thus, for example, the IFS circuit 28 is capable of simultaneously transmitting data acquired from the process control computer 12a to both of the front end computers 18a-18b.
While not shown for illustration simplicity, it should be appreciated that a laser or LED light source is interposed between each of the transmitters (for example, transmitters 38a-38b) and their respective optical fibers. Similarly, a photo-detector is also interposed between each of the receivers (for example, receivers 40a-40b) and their respective optical fibers. For example, these light converters may be comprised of a pair of AT&T ODL200 series converters. While fiber optic cables are preferred for their speed, low error rate and security advantages over mediums such as coaxial cable, it should be understood that other suitable data transmission media could be employed in the appropriate application.
In the present embodiment, the transmitters and receivers in the IFS and IFQ circuits are preferably comprised of a high-performance Gallium Arsenide chipset, such as the "Gazelle" GA9011 transmitter and GA9012 receiver from Triquint Semiconductor, Inc., 2300 Owens St., Santa Clara, CA. These particular transmitters and receivers permit data transmission rates in excess of 200 Mbits/second. These transmitters and receivers utilize a 40-bit wide parallel bus which enables data to be encoded into a 50-baud word using FDDI-standard 4B/5B encoding. In this encoding, 4-bit data nibbles are translated into a 5-baud code symbol. Accordingly, the 4B/5B encoding produces ten 5-baud symbols from ten 4-bit data nibbles in order to comprise a data frame. The GA9011 transmitters also convert the serial stream from a Non-Return to Zero "NRZ" format to a Non-Return to Zero, Invert on ones "NRZI" format, which combines the transmission of data and clock signals into a single waveform. The NRZI waveform denotes a logical one with a polarity transition and a logical zero with no transition within the bit-time-frame. These logical ones and zeros are called bauds, and each group of five bauds is called a symbol. For example, a "0000" 4-bit binary input will be converted to a "11110" 5-baud binary symbol output, while a "1011" 4-bit binary input will be converted to a "10111" 5-baud binary symbol output.
The use of 4B/5B encoding and NRZI formatting combine to substantially enhance the reliability of high-speed data transmissions over the fiber optic cables. The GA9012 receivers have built in clock and data recovery (for example, NRZI to NRZ conversion), and they also monitor the incoming 5B symbols for validity. In this regard, the 4B/5B encoding creates a number of invalid symbols which may be checked for at the GA9012 receivers. As the presence of noise or jitter across the fiber optic link could cause one or more of the bauds to change to an unintended value, the detection of invalid symbols reduces the possibility of a transmission error going undetected.
As an additional layer of protection from potential errors, data transmissions from the IFS circuit 28 are formed into complete data frames, which are comprised of the data to be transferred (that is, the 40-bit input data frame), a 16-bit destination address field, a 4-bit control code field and a 4-bit error detection code field. These complete data frames are preferably separated from each other on the fiber optic link by at least one sync frame.
As potential physical link errors may have a burst or clustering nature, the error code needs to be able to detect up to four contiguous bit errors. In this regard, a Longitudinal Redundancy Check "LRC" code is employed to prevent masked errors from potentially corrupting subsequent data processing operations. This type of error code is also referred to as a "Longitudinal Parity Check". In a LRC code, a 4-bit nibble composed of parity bits is generated and inserted into the encoded data stream for a predetermined number of data nibbles in the encoded data stream, as shown below:
                  b4  b3  b2  b1
data nibble 1      x   x   x   x
data nibble 2      x   x   x   x
data nibble 3      x   x   x   x
    ...
data nibble 8      x   x   x   x
data nibble 9      x   x   x   x
data nibble 10    p4  p3  p2  p1
where p_i = b_i1 XOR b_i2 XOR ... XOR b_i9, and i = bit location 1 to 4. Thus, the ith bit of this parity check character checks the ith information bit position in data nibbles 1 through 9 under even parity conditions. The combination of the LRC error checking, the 4B/5B encoding and the NRZI conversion enable the front end communication system 10 to provide a targeted Baud Error Rate "BER" of 1E-12. While a Cyclic Redundancy Check "CRC" code could be employed in lieu of the LRC code, the more complicated CRC code would also increase the complexity of the IFQ and IFS circuits. Additionally, the LRC coding more readily permits dual fiber optic channel signal transmissions between the IFS and IFQ circuits, and the intrinsic synchronization features of the Gazelle transmitters 38a-38b and receivers 40a-40b may be used to frame the LRC based protocols.
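The line coding and LRC check described above, modeled in C as an added example (not code from the patent or from the GA9011/GA9012 chipset). It follows the ten-nibble table (nine data nibbles plus the parity nibble) and the standard FDDI 4B/5B data-symbol table; the function names, the rejection of every non-data symbol inside a frame, and a line that idles low before the frame are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DATA_NIBBLES  9                        /* nibbles 1..9 in the table */
#define FRAME_NIBBLES 10                       /* nibble 10 carries p4..p1 */
#define FRAME_BAUDS   (FRAME_NIBBLES * 5)

enum frame_status { FRAME_OK = 0, FRAME_BAD_SYMBOL = 1, FRAME_BAD_LRC = 2 };

/* FDDI 4B/5B data symbols indexed by nibble (0x0 -> 11110, 0xB -> 10111). */
static const uint8_t SYM_4B5B[16] = {
    0x1E, 0x09, 0x14, 0x15, 0x0A, 0x0B, 0x0E, 0x0F,
    0x12, 0x13, 0x16, 0x17, 0x1A, 0x1B, 0x1C, 0x1D
};

/* Even-parity LRC: bit i of the result is the XOR of bit i of every nibble. */
uint8_t lrc_nibble(const uint8_t *nibbles, int count)
{
    uint8_t p = 0;
    for (int i = 0; i < count; i++)
        p ^= nibbles[i] & 0x0F;
    return p;
}

void frame_build(const uint8_t data[DATA_NIBBLES], uint8_t frame[FRAME_NIBBLES])
{
    memcpy(frame, data, DATA_NIBBLES);
    frame[DATA_NIBBLES] = lrc_nibble(data, DATA_NIBBLES);
}

/* Returns 1 when the parity nibble matches nibbles 1..9. */
int frame_lrc_ok(const uint8_t frame[FRAME_NIBBLES])
{
    return lrc_nibble(frame, DATA_NIBBLES) == (frame[DATA_NIBBLES] & 0x0F);
}

/* Transmit side: nibbles -> 5-baud symbols (MSB first) -> NRZI line levels. */
void frame_transmit(const uint8_t frame[FRAME_NIBBLES], uint8_t levels[FRAME_BAUDS])
{
    uint8_t level = 0;                         /* assumed idle level */
    for (int n = 0; n < FRAME_NIBBLES; n++) {
        uint8_t sym = SYM_4B5B[frame[n] & 0x0F];
        for (int b = 4; b >= 0; b--) {
            if ((sym >> b) & 1)
                level ^= 1;                    /* logical one = polarity transition */
            levels[n * 5 + (4 - b)] = level;
        }
    }
}

/* Map a received symbol back to its nibble; -1 marks a non-data code. */
static int decode_symbol(uint8_t sym)
{
    for (int v = 0; v < 16; v++)
        if (SYM_4B5B[v] == sym)
            return v;
    return -1;
}

/* Receive side: NRZI -> NRZ, symbol validity check, then the LRC check. */
enum frame_status frame_receive(const uint8_t levels[FRAME_BAUDS],
                                uint8_t data_out[DATA_NIBBLES])
{
    uint8_t frame[FRAME_NIBBLES];
    uint8_t prev = 0;
    for (int n = 0; n < FRAME_NIBBLES; n++) {
        uint8_t sym = 0;
        for (int b = 0; b < 5; b++) {
            uint8_t level = levels[n * 5 + b] & 1;
            sym = (uint8_t)((sym << 1) | (level ^ prev));
            prev = level;
        }
        int v = decode_symbol(sym);
        if (v < 0)
            return FRAME_BAD_SYMBOL;           /* noise produced an invalid symbol */
        frame[n] = (uint8_t)v;
    }
    if (!frame_lrc_ok(frame))
        return FRAME_BAD_LRC;                  /* valid symbols, wrong parity */
    memcpy(data_out, frame, DATA_NIBBLES);
    return FRAME_OK;
}

int main(void)
{
    /* Constructed sample payload: nine data nibbles. */
    const uint8_t data[DATA_NIBBLES] = {0x0, 0xB, 0x3, 0x7, 0xF, 0x1, 0x8, 0xC, 0x6};
    uint8_t frame[FRAME_NIBBLES], levels[FRAME_BAUDS], out[DATA_NIBBLES];
    frame_build(data, frame);
    frame_transmit(frame, levels);
    printf("clean frame:      status %d\n", frame_receive(levels, out));
    levels[0] ^= 1;                            /* one corrupted line sample */
    printf("noisy first baud: status %d\n", frame_receive(levels, out));
    return 0;
}
```

A single corrupted line sample flips two adjacent decoded bauds under NRZI, which is why the symbol check and the LRC are layered rather than used alone.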
The IFQ circuit 30 includes a microprocessor 42 (for example, an Intel 80186 chip) which provides the data pump for the front end computer 18. The microprocessor 42 is not only responsible for all IFQ/IFS protocol control and relaying data from the process control computers 12a-12b to a destination on the network 20, but it is also responsible for controlling the integrity of write activities to the IFS and IFQ circuits. For example, the microprocessor 42 may be used to program the transfer map 37 in the IFS circuit 28, so that only a particular sub-set of data in the dual-ported data memory 22 may be gathered and transmitted to the front end computer 18, if less than all of the available variables (for example, input/output values, alarms and events) is desired. In this way, the actual contents of the transfer map 37 may be dependent upon a specific process control application.
All signal transmissions between the IFQ circuit 30 and the IFS circuit are under the control of IFQ circuit microprocessor 42. In this regard, there are three types of data transmissions from the IFQ circuit 30 to the IFS circuit 28, namely "load transfer map", "send command messages" and "receive data". The load transfer map transmission will enable the IFQ circuit 30 to load the transfer map 37 of the IFS circuit 28 with the specific variable addresses which will steer the data memory transmit bursts from the IFS circuit. The receive data transmission will cause the IFS circuit 28 to return the requested segment of memory from the dual-ported data memory 22.
A command message transmission will start with a Write-Lock request to the IFS circuit 28. Assuming that the incoming buffer is free, the IFS circuit 28 will assert a Write-Lock on the mailbox section 26 of the dual-ported data memory 22, and return a positive acknowledgement to the IFQ circuit 30. The IFQ circuit 30 may then transmit its message with the assurance that no other device will be able to write to the mailbox section 26 until its message has been completely stored and preferably read by the process control computer 12. However, a time limit may be imposed on the Write-Lock to ensure that the flow of communications is not impeded by one of the external entities connected to the stealth interface circuit 16. It should also be appreciated that message transmissions should not take place during any time in which a data burst should be received from the IFS circuit 28.
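The mailbox-only write guard and the Write-Lock sequence described above, together with the read-back check covered in the next paragraph, modeled in C as an added example (not the patent's circuit or firmware). The per-word permit bitmap, the 100 ms lock limit, the retry bound, the fault-injection hook and all names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_WORDS     65536u   /* 64k sixteen-bit words, per the embodiment */
#define LOCK_LIMIT_MS 100u     /* assumed: the page gives no value for the limit */
#define MAX_ATTEMPTS  3        /* assumed bound on repeating the transmission */

enum { W_OK = 0, W_DENIED_GUARD = -1, W_DENIED_LOCK = -2, W_VERIFY_FAILED = -3 };

struct stealth_port {
    uint16_t mem[MEM_WORDS];         /* dual-ported data memory */
    uint8_t  permit[MEM_WORDS / 8];  /* guardian map: bit set = mailbox word */
    int      lock_owner;             /* device holding the Write-Lock, -1 = free */
    uint32_t lock_ms;                /* time the lock was granted */
    int      new_message;            /* flag for the controller to pick up */
    int      inject_faults;          /* demo hook: corrupt this many stores */
};

void port_init(struct stealth_port *p)
{
    memset(p, 0, sizeof *p);         /* no permits set: every word is read-only */
    p->lock_owner = -1;
}

/* Mark a run of words as mailbox; separate runs need not be contiguous. */
void guard_permit(struct stealth_port *p, uint32_t first, uint32_t count)
{
    for (uint32_t a = first; a < first + count && a < MEM_WORDS; a++)
        p->permit[a / 8] |= (uint8_t)(1u << (a % 8));
}

/* Reads are allowed at every location. */
uint16_t port_read(const struct stealth_port *p, uint16_t addr) { return p->mem[addr]; }

/* Grant the Write-Lock if it is free, already ours, or past its time limit. */
int port_write_lock(struct stealth_port *p, int dev, uint32_t now_ms)
{
    if (p->lock_owner >= 0 && p->lock_owner != dev &&
        now_ms - p->lock_ms < LOCK_LIMIT_MS)
        return 0;
    p->lock_owner = dev;
    p->lock_ms = now_ms;
    return 1;
}

/* The guard is checked first, so a lock holder still cannot touch variables. */
int port_write(struct stealth_port *p, int dev, uint16_t addr, uint16_t val)
{
    if (!(p->permit[addr / 8] & (1u << (addr % 8))))
        return W_DENIED_GUARD;
    if (p->lock_owner != dev)
        return W_DENIED_LOCK;
    if (p->inject_faults > 0) { p->inject_faults--; val ^= 0x0001; }
    p->mem[addr] = val;
    return W_OK;
}

/* Sender side: lock, store, read back, and only then raise the pick-up flag.
 * Returns the attempt that verified, 0 if the lock was refused, or a W_* code. */
int send_command(struct stealth_port *p, int dev, const uint16_t *addrs,
                 const uint16_t *msg, int n, uint32_t now_ms)
{
    if (!port_write_lock(p, dev, now_ms))
        return 0;
    for (int attempt = 1; attempt <= MAX_ATTEMPTS; attempt++) {
        int verified = 1;
        for (int i = 0; i < n; i++) {
            int rc = port_write(p, dev, addrs[i], msg[i]);
            if (rc != W_OK) return rc;
        }
        for (int i = 0; i < n; i++)
            if (port_read(p, addrs[i]) != msg[i]) verified = 0;
        if (verified) {
            p->new_message = 1;
            return attempt;
        }
    }
    return W_VERIFY_FAILED;
}

/* Controller side: reading the message clears the flag and frees the lock. */
void controller_pickup(struct stealth_port *p)
{
    p->new_message = 0;
    p->lock_owner = -1;
}

int main(void)
{
    static struct stealth_port port;
    /* Constructed layout: mailbox words in two non-contiguous runs. */
    const uint16_t addrs[3] = {0x0100, 0x0101, 0x8000};
    const uint16_t msg[3]   = {0xA001, 0x0042, 0x1234};
    port_init(&port);
    guard_permit(&port, 0x0100, 128);
    guard_permit(&port, 0x8000, 128);
    port.inject_faults = 1;          /* first store is corrupted, forcing a retry */
    printf("attempts used: %d\n", send_command(&port, 0, addrs, msg, 3, 0));
    return 0;
}
```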
As another measure of data transmission protection, the IFQ circuit 30 will cause the IFS circuit 28 to read back a message transmitted to and stored in the mailbox section 26 of the dual-ported data memory 22 in order to be sure that the message was transmitted and stored correctly. Once the IFQ circuit 30 determines that the message has been accurately received and stored, then the IFQ circuit will cause a flag to be set which will signal the process control computer 12 to pick up the new message. In the event that this data verification fails, then the entire message transmission process will be repeated.
The IFQ circuit 30 also includes a process data buffer 44, which is shown as a block in Figure 1 for illustration simplicity. However, the process data buffer 44 should include sufficient memory capacity to store a separate data table for each of the process control computers 12a-12b (for example, 262,144 bytes). Each of these data tables will include both the SDSS and DSS data transmissions. Additionally, a DMA buffer (not shown) may also be provided to allow some elasticity in processing the data being received. In this regard, it should be noted that both the IFS circuit 28 and the IFQ circuit 30 are configured to facilitate bi-directional Direct Memory Access "DMA" transfers between the IFQ circuit 30 and the Q-bus of the front end computer 18. In this way, the central processing unit 45 of the front end computer 18 does not need to devote substantial time to processing data transfers to and from the IFQ circuit 30. Accordingly, the DMA buffer is preferably used as a bucket brigade area to perform DMA transfers on blocks of data from the process data buffer 44 (for example, 8K bytes at a time) to a suitable memory residing on the Q-bus of the front end computer 18.
The use of DMA transfers also enhances the ability of the front end communication system 10 to achieve the goal of making available real-time data from the process control computers 12a-12b to one or more computers on the network 20. More specifically, the front end communication system 10 is designed to request, receive and answer network queries on both pre-link and post-arbitrated data from each of the process control computers 12a-12b within a one-second time resolution. For example, in this particular embodiment, each of the process control computers 12a-12b will issue a Sequence Data Stable Strobe "SDSS" signal in every one-second program cycle, which indicates that approximately 1024 (16 bit) words of pre-link dynamic analog/digital input data is stable and available in the dual-ported data memory 22. This specific data set is referred to as pre-link data, as this data has not yet been arbitrated between the process control computers 12a-12b via data transmissions across the major link 14. Subsequently, in the same one-second program cycle, each of the process control computers 12a-12b will issue a Data Stable Strobe "DSS" signal, which indicates that a complete set of post-arbitrated input and output data is stable and available in the dual-ported data memory 22. This data set is referred to as post-arbitrated, as the input values will have been arbitrated or resolved by this point in the program cycle. In the present embodiment, this post-arbitrated data set may be comprised of up to 65,536 (16-bit) words, as it will include both input and output values (and any other variables stored in the dual-ported data memory 22).
It should also be noted at this point that one of the first functions in the program cycle of the process control computers 12a-12b is to make output value decisions from the post-arbitrated input data obtained in the immediately preceding program cycle. Accordingly, it should be appreciated that the post-arbitrated data set will include the arbitrated input values from the current program cycle and the output values from the immediately previous program cycle.
It is also important to understand that the function of obtaining a copy of the pre-link and post-arbitrated data sets cannot be permitted to delay the operations of the process control computers 12a-12b. Thus, for example, the front end communication system 10 must be sufficiently fast to obtain a copy of the pre-link data sets before the process control computers 12a-12b need to have the ability to change one or more of these data values through the arbitration process. Accordingly, in the context of the present embodiment, the front end communication system 10 needs to be able to acquire a pre-link data set within ten milliseconds of the time that the SDSS signal was initially asserted in order to have the assurance of data stability. Similarly, the front end communication system 10 needs to be able to acquire a post-arbitrated data set within fifty milliseconds of the time that the DSS signal was initially asserted. In this regard, it should be appreciated that each of these data sets need to be independently acquired from both of the process control computers 12a-12b by each of the front end computers 18a-18b. Additionally, each of the front end computers 18a-18b must also be able to send messages to one or both of the process control computers 12a-12b during time periods outside of the SDSS and DSS data acquisition windows.
In order to further facilitate the ability of the front end communication system to acquire the SDSS and DSS data sets without any data transfer bottlenecks, and also provide the ability to group and time align the data sets being received, each of the front end computers 18a-18b includes a set of at least three reflective buffers for each of the process control computers 12a-12b. Each of these logically distinct reflective buffers or shadow memories may reside in the same physical memory chip or chip set in the front end computer 18. As shown in Figure 1, the set of reflective buffers contained in the front end computer 18a is generally comprised of a ZERO buffer "ZL" 46a for the Left process control computer 12a, a ZERO buffer "ZR" 48a for the Right process control computer 12b, a ONE buffer "OL" for the Left process control computer, a ONE buffer "OR" for the Right process control computer, a TWO buffer "TL" for the Left process control computer, and a TWO buffer "TR" for the Right process control computer. Additionally, it should be understood that a corresponding set of reflective buffers are contained in the front end computer 18b, such as the ZERO buffer "ZL" 46b for the Left process control computer 12a and the ZERO buffer "ZR" 48b for the Right process control computer 12b.
The IFQ circuit 30 writes to these left and right buffers in a "round robin" fashion using DMA data transfers. In other words, the IFQ circuit 30 will fill the ZERO buffer 46a with pre-link and post-arbitrated data of a particular process control cycle from the Left process control computer 12a. Then, when pre-link and post-arbitrated data for the next process control cycle is received from the Left process control computer 12a, the IFQ circuit will increment to the ONE buffer 50a in order to store this data. Similarly, the IFQ circuit 30 will turn to the TWO buffer 54a when pre-link and post-arbitrated data for the third process control cycle is received from the Left process control computer 12a in order to store this data. Then, when pre-link and post-arbitrated data for the fourth in time process control cycle from the Left process control computer 12a is to be stored, the IFQ circuit 30 will return to address the ZERO buffer 46a for data storage. Of course, it should be appreciated that the IFQ circuit 30 will employ the same round robin sequence for individually transferring pre-link and post-arbitrated data to the three reflective buffers 48a, 52a and 56a that are used for the Right process control computer 12b.
For purposes of illustration, Figure 1 shows three reflective memory buffers (46a, 50a and 54a) for the Left process control computer 12a, and three reflective memory buffers (48a, 52a and 56a) for the Right process control computer 12b. However, as the SDSS and DSS data transfers are treated as independent DMA events, the reflective memory buffers preferably include distinct reflective memory buffers for each of these events. Accordingly, a total of twelve reflective memory buffers are preferably provided in the front end computer 18. Additionally, each of these reflective memory buffers are individually tracked, so that the ordering of these buffers do not necessarily have to follow the regimen shown below:
Second N:   (ZERO-SDSS-L ZERO-DSS-L ZERO-SDSS-R ZERO-DSS-R)
Second N+1: (ONE-SDSS-L ONE-DSS-L ONE-SDSS-R ONE-DSS-R)
Second N+2: (TWO-SDSS-L TWO-DSS-L TWO-SDSS-R TWO-DSS-R)
Rather, the ordering of these buffers could also proceed under other regimens, such as shown below:
Second N:   (ONE-SDSS-L TWO-DSS-L ZERO-SDSS-R ONE-DSS-R)
Second N+1: (TWO-SDSS-L ZERO-DSS-L ONE-SDSS-R TWO-DSS-R)
Second N+2: (ZERO-SDSS-L ONE-DSS-L TWO-SDSS-R ZERO-DSS-R)
It is important to understand that the corresponding left and right reflective buffers (for example, buffers 46a and 48a) will generally not become filled at the same time, as the program time line of the process control computer in the dog mode should follow the program time line of the process control computer in the fox mode by a predeterminable period of time (for example, 20-microseconds to 20-milliseconds). However, these time lines may become considerably separated in the event that communications across the major link 14 are not possible, as mentioned above. Even when the left and right SDSS or DSS signals are asserted at near the same time, the delays required to transfer this information to the IFQ circuit 30 and then transfer this information into the appropriate reflective memories may result in a wider time skew between these events as seen by the application software of the front end computer 18 than as seen by the process control computer and IFS circuit hardware. Nevertheless, it is the responsibility of the front end computer 18 to ensure that the data sets ultimately made available to the computer network 20 represent data from the process control computers 12a-12b in the same program cycle (for example, a one second period). In this regard, the application software of the front end computer 18 includes a procedure, referred to as "MI Sync", which groups individual data transfer events into a cohesive set of buffers that represent a "snapshot" of the pre-link and post-arbitrated data for a particular process control cycle.
The MI Sync procedure uses a set of reflective memory buffer management structures (MI_RMBMS) to track the status of incoming data transfers. When the IFQ circuit driver software signals to the MI Sync procedure that a DMA transfer has completed, MI Sync records the required information in the appropriate MI_RMBMS data structure. When MI Sync determines that a complete set of buffers has been received and stored (that is, left SDSS, right SDSS, left DSS and right DSS), it updates a global data structure (MI_RM_DATA) with the pointers to the newly received data. These pointers are copied from the MI_RMBMS data structure. Accordingly, MI_RM_DATA includes the pointers to the currently available "complete" or time aligned set of reflective memory buffers. Depending upon where the front end computer 12 is in the round robin procedure, the most current time aligned set of reflective memory buffers may be TWO buffers 54a and 56a at one time interval, the ONE buffers 50a and 52a at the next time interval, and the ZERO buffers 46a and 48a at the following time interval. In the event that the SDSS or DSS data from one of the process control computers 12a-12b is not received by the IFQ circuit 30, MI Sync will still maintain time alignment by using an appropriate timeout (for example, 700 milliseconds) for updating the MI_RM_DATA pointers. An indication will also be provided as to which buffer or buffers are unavailable.
The buffer pointers within MI_RM_DATA are protected by a mutual exclusion semaphore or "mutex". MI Sync requests this mutex before copying the new pointers to MI_RM_DATA and releases it immediately after the copy is complete. When a network entity needs to access reflective memory data, a copy of the MI_RM_DATA pointers is made by requesting the mutex, copying these buffer pointers to a local data structure, and then releasing the mutex. Since the application for querying or reading the data uses a copy of the pointer, contention for the mutex is minimized, and MI Sync will be able to update MI_RM_DATA with new pointers as soon as the next complete set of data has been stored. In this regard, it is important to note that this method will enable the reading application to still access the same set of reflective memory buffers while MI Sync updates MI_RM_DATA with new pointers. Since reading applications will access the most current time aligned set of reflective memory buffers, it should be understood that a reading application could be accessing one set of reflective memory buffers (for example, the TWO buffers 54a and 56a), while a subsequent reading application could be given access to another set of reflective memory buffers (for example, the ONE buffers 50a and 52a) once MI Sync updates MI_RM_DATA with new pointers.
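The MI Sync bookkeeping described above, modeled in C as an added example (not the patent's software): round-robin buffers per transfer type, a tracking structure, a mutex-guarded pointer set that readers copy, and the 700 ms timeout. The function names, the four-word data sets and the polled mi_tick() are assumptions, and a transfer that arrives after its group has timed out is not handled because the page does not describe that case.

```c
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { SDSS_L, DSS_L, SDSS_R, DSS_R, SRC_COUNT };  /* four DMA events per cycle */
#define RING            3                          /* ZERO, ONE, TWO */
#define WORDS           4                          /* shortened data set for the model */
#define ALL_SOURCES     ((1u << SRC_COUNT) - 1)
#define SYNC_TIMEOUT_MS 700u

static uint16_t reflective[SRC_COUNT][RING][WORDS]; /* twelve reflective buffers */

struct mi_rmbms {                  /* tracking state for the set being assembled */
    int             next_slot[SRC_COUNT];
    const uint16_t *latest[SRC_COUNT];
    unsigned        got;           /* one bit per transfer received this cycle */
    uint32_t        first_ms;      /* arrival time of the first transfer */
};

struct mi_rm_data {                /* pointers to the current time-aligned set */
    const uint16_t *buf[SRC_COUNT];
    unsigned        missing;       /* one bit per unavailable buffer */
    unsigned        set_no;        /* number of sets published so far */
};

static struct mi_rmbms   track;
static struct mi_rm_data rm_data;
static pthread_mutex_t   rm_mutex = PTHREAD_MUTEX_INITIALIZER;

/* Copy the tracked pointers into MI_RM_DATA while holding the mutex. */
static void publish(void)
{
    pthread_mutex_lock(&rm_mutex);
    for (int s = 0; s < SRC_COUNT; s++)
        rm_data.buf[s] = (track.got & (1u << s)) ? track.latest[s] : NULL;
    rm_data.missing = ALL_SOURCES & ~track.got;
    rm_data.set_no++;
    pthread_mutex_unlock(&rm_mutex);
    track.got = 0;
}

/* Called when one DMA transfer completes; each source has its own ring. */
void mi_dma_complete(int src, const uint16_t *words, uint32_t now_ms)
{
    int slot = track.next_slot[src];
    memcpy(reflective[src][slot], words, sizeof reflective[src][slot]);
    track.next_slot[src] = (slot + 1) % RING;
    track.latest[src] = reflective[src][slot];
    if (track.got == 0)
        track.first_ms = now_ms;
    track.got |= 1u << src;
    if (track.got == ALL_SOURCES)
        publish();                 /* complete set: left/right SDSS and DSS */
}

/* Periodic check: publish a partial set once the timeout has elapsed. */
void mi_tick(uint32_t now_ms)
{
    if (track.got != 0 && now_ms - track.first_ms >= SYNC_TIMEOUT_MS)
        publish();
}

/* Reader side: hold the mutex only long enough to copy the pointers. */
struct mi_rm_data mi_snapshot(void)
{
    struct mi_rm_data copy;
    pthread_mutex_lock(&rm_mutex);
    copy = rm_data;
    pthread_mutex_unlock(&rm_mutex);
    return copy;
}

/* Constructed input: one cycle's transfers, words[0] = tag + source index. */
void feed_cycle(uint16_t tag, unsigned mask, uint32_t t0_ms)
{
    for (int s = 0; s < SRC_COUNT; s++) {
        uint16_t words[WORDS] = { (uint16_t)(tag + s), 0, 0, 0 };
        if (mask & (1u << s))
            mi_dma_complete(s, words, t0_ms + 10u * (uint32_t)s);
    }
}

int main(void)
{
    feed_cycle(0x1000, ALL_SOURCES, 0);                      /* complete set */
    feed_cycle(0x2000, ALL_SOURCES & ~(1u << DSS_R), 1000);  /* right DSS lost */
    mi_tick(1700);                                           /* timeout publishes */
    struct mi_rm_data s = mi_snapshot();
    printf("set %u, missing mask 0x%x\n", s.set_no, s.missing);
    return 0;
}
```

With three buffers per ring, a reader's copied pointers stay valid for two further cycles and are overwritten on the third, which is the constraint behind running reading applications to completion in under one second.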
It should also be understood that applications which access the reflective memories will be able to run to completion before the referenced buffers are overwritten with new incoming data. In one embodiment of the front end communication system 10, applications requiring reflective memory data are assigned execution priorities high enough to allow them to run to completion in less than one second. However, it should be appreciated that the front end computer 18 could be configured with additional sets of buffers to allow the development of an application that may take longer to run to completion.
It should also be appreciated from the above that the use of the front end computers 18a-18b also enables the communication system 10 to have the necessary intelligence to answer specific data requests. The use of the front end computers 18a-18b also permits a rapid check to be made that the process control computers 12a-12b are in fact continuing to send real-time data. Additionally, the front end computers 18a-18b are also preferably programmed to make determinations as to whether read or write requests from the process control computers 12a-12b should be granted with respect to the entity on the computer network 20 which has forwarded the request. As will be discussed more fully below, the front end computers 18a-18b contain both a security table and two permissive tables in their memories for facilitating these determinations. The security table is used to determine whether communications will be permitted at all with various entities on the computer network 20, while the permissive tables are used to evaluate write command messages from an entity on the computer network which could affect specific locations in the dual-ported data memories 22a-22b.
The front end computers 18a-18b may also utilize at least one set of additional reflective buffers, such as Correlate buffers 58a and 60a. In light of the fact that the DSS data set will contain the post-arbitrated input value data from the current program cycle and the output value data that was based upon the post-arbitrated input values of the immediately preceding program cycle, it may be desirable to correlate into one data table the output values for a particular program cycle with the input values used to decide these output values. Accordingly, the front end computer 18a may employ the Correlate buffers 58a and 60a to store a copy of the post-arbitrated input values from the current DSS data set, and then wait for the alignment of the next DSS data set in order to store a copy of the output values from this subsequent data set in the same Correlate buffers. In this regard, it should be appreciated that this copying procedure will be made from the most current time aligned set of reflective memory buffers. Thus, for example, Figure 2A shows a diagrammatic example of a data table in a time aligned buffer, while Figure 2B shows a similar example of a data table in the Correlate buffer "CL". In any event, it should be understood that the time alignment capabilities of the front end computers 18a-18b provide a powerful diagnostic tool for analyzing both the operation of the process control computers 12a-12b and the physical process being controlled. For example, the arbitration performed with respect to the input data values may be analyzed for both of the process control computers 12a-12b, as pre-link and post-arbitrated input data values are time aligned and made available for the front end computers 18a-18b. A further discussion of these time alignment methods may be found in the Allbery et al. patent application filed on even date herewith, U.S. serial no. 898,126, filed on June 12, 1992 entitled "Intelligent Process Control Communication System and Method". This application is hereby incorporated by reference.
The computer network 20 is shown in Figure 1 to generally include a direct control segment, a process information segment and a connection to a Wide Area Network "WAN". Each of these network segments preferably employs Ethernet compliant mediums and IEEE 802.3 compatible communication protocols. The direct control segment is comprised of dual Plant Area Networks "PAN-1" and "PAN-2", while the process information segment is comprised of Plant Area Network "PAN-3". At least one bridge 62 is used to interconnect the PAN-1 and PAN-2 segments. Additionally, at least one bridge 64 is used to interconnect the PAN-2 segment with the PAN-3 segment. Another bridge may be used to interconnect the PAN-1 segment with the PAN-3 segment. One or more bridges 66 may also be used to interconnect the PAN-3 segment with the WAN.
It should be noted that the front end computer 18a is coupled to the PAN-1 segment, while front end computer 18b is coupled to the PAN-2 segment. While a single plant area network could be provided, the use of dual plant area networks shown herein has certain communication and redundancy advantages over a single plant area network. In this regard, the bridges will typically filter communications by Ethernet hardware addresses to reduce the amount of traffic on each of the network segments. For example, a communication between the security server 68 and the operator station 70 will not be transmitted across the bridge 62 to the PAN-1 segment. The bridges 62-66 also provide a layer of physical separation between the network segments, so that if a fault occurs on one of the network segments, then the fault will be prevented from adversely affecting the other network segments. Additionally, one or more of the bridges are also used to filter communications on the basis of specific data communication protocol identifications to enhance the overall security of the network 20. For example, the bridge 64 may be used to prevent the transmission of messages employing the Ethernet compliant protocol used by the security server 68 from one of the PAN-2 and PAN-3 segments to the other. Similarly, the bridge 64 may be used to prevent the transmission of messages employing the Ethernet compliant protocol used to write information into the mailbox section 26 of the dual-ported data memory.
The computer network 20 also includes a plurality of operator workstations, such as operator workstations 70 and 72. As shown in Figure 1, these operator workstations may be located on different network segments, and the number of operator workstations will be dependent upon the particular process control application. One or more of these operator workstations may be used to view or analyze data received from the front end computers 18a-18b. Additionally, these operator workstations may be used by an authorized control room operator to transmit the appropriate instructions to the front end computers 18a-18b which will cause a command message to be conveyed to the process control computers 12a-12b.
The network 20 further includes a process information computer 74 which may perform a variety of functions. For example, the process information computer may be used to store a history of process data received from the front end computers 12a-12b. Additionally, the process information computer 74 may be used to store the compilers needed to change the computer programs residing in the front end computers 18a-18b, as well as the programs residing in the process control computers 12a-12b. The process information computer 74 may also include loading assistant software for transferring operating program revisions to the process control computers 12a-12b. The network also includes a control room data manager computer 76, which may be used to perform various file serving and tracking functions among the computers connected to the network.
An expert download assistant 78 is also provided to facilitate program revisions in the front end computers 18a-18b. In contrast, the loading assistant software in the process information computer 74 may be used to cause a new computer program to be downloaded to one of the process control computers 12a-12b through at least one of the front end computers 18a-18b and the mailbox section 26 of the dual-ported data memory 22. While the download assistant 78 may be resident in its own network computer, the download assistant could also reside in a suitable network computer, such as the process information system computer 74.
The loading assistant may also be used to cause the process control computer with the revised program to start operating in a mode which will enable real-time testing of the revised program. In this mode of operation, the process control computer will receive input data and make output decisions, but these output decisions will not be transmitted to the field instrumentation devices. This will permit the plant engineer to evaluate the revisions, and even make further revisions if necessary before instructing the process control computer to assume an active mode of operation, such as the fox or dog modes.
Whenever it is decided that the manner in which the process control computers 12a-12b perform their particular manufacturing control operations should be changed through a program revision, the revised program for the process control computers 12a-12b must be compiled from the source programming language to an executable file or set of dynamically linked files. In the preferred embodiment, a unique identifier is embedded into the executable code during the compile procedure. This identifier represents (or is otherwise associated with) the version of the revised software for the process control computers 12a-12b. The program version identifier is used to ensure proper alignment between the version of the program being executed by the process control computers 12a-12b and the files/tables in the front end computers 18a-18b used to evaluate write command messages to these process control computers.
As mentioned above, each of the front end computers 18a-18b includes two permissive tables, such as the "PL" permissive table 80a for the Left process control computer 12a, and the "PR" permissive table 82a for the Right process control computer 12b. These permissive tables are used by the front end computers 18a-18b to determine whether any entity on the computer network 20 should be permitted to change the contents of specific locations in the dual-ported data memories 22a-22b. However, it should be appreciated that the data structure of the permissive table could be constructed to protect the contents of any memory location or area in the process control computers 12a-12b which could be altered from a write command message.
When a message is received by a front end computer 18 from an entity on the network which uses the write command protocol, such as a write command message from one of the operator workstations 70-72, a "data_write_check" sub-routine will be called by the central process unit of the front end computer. The data_write_check routine will perform a comparison between the variable elements identified in the write command message and the variable elements in the permissive table for which changes should be authorized or denied. For example, if the front end computer 18a receives a write command message which seeks to increase/decrease an analog gain "AG" factor used by the program being executed by the Left process control computer 12a, the front end computer 18a will look up the element word for this particular AG factor in permissive table 80a and determine if a bit has been set to deny the authorization needed to change this factor. If authorization is denied, then the front end computer 18a will not transmit the write command message to the process control computer 12a. Instead, the front end computer 18a will preferably send a reply message to the host entity on the computer network 20 that originally sent the write command message, to inform the host entity that a write error has occurred.
From the above, it should be appreciated that the PL and PR permissive tables stored in the front end computers 18a-18b need to be closely coordinated with the version of the program being executed by each of the process control computers 12a-12b. In order to ensure that each of these permissive tables are sufficiently matched with the programs being executed by their respective process control computers 12a-12b, the program version identifier discussed above is also embedded into these permissive tables when they are compiled. This program version identifier may then be sent to the process control computer 12 along with a verified write command message, so that the process control computer 12 will be able to confirm that the commanded variable change is appropriate to its program version.
To enhance the security of this verification process, the program version identifier from the permissive table is preferably altered by a suitable encryption algorithm before it is transmitted with the write command message to the mailbox section 26 of the stealth interface circuit 16 for the intended process control computer 12. The process control computer 12 receiving the write command message will then decode this version identifier, and compare it with the program version identifier embedded in its program to determine if there is a match. If the program version identifiers match, then the process control computer 12 will perform the commanded variable change. Otherwise, the process control computer 12 will respond by discarding the write command message and transmitting an appropriate error message to the front end computer 18.
The PL and PR permissive tables are also preferably provided with a data structure which permits write command authorization determinations to be made for specific host entities on the computer network 20. In other words, the permissive table 80a may permit particular variable changes to be made from operator workstation 70 that are not allowed to be made from operator workstation 72. Thus, the permissive tables may have several station specific table sections, as well as a default table section. Nevertheless, the ability may also be provided to bypass a check of the appropriate permissive table, through the use of a suitable password at a host entity on the computer network 20. However, in this event, a log should be created and stored in the front end computer 18 which will identify this transaction and the identity of the host entity (for example, a CPU identifier).
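The write path described above, from the data_write_check lookup to the version comparison in the process control computer, as an added Python example that is not code from the patent. The deny-bit position, the variable and station names, the keys, fail-closed handling of variables missing from the table, and HMAC-SHA256 as a stand-in for the unnamed encryption algorithm (the receiver recomputes the tag instead of decoding it) are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

DENY_WRITE = 0x0001  # assumed position of the deny bit in an element word


def version_tag(key: bytes, version_id: bytes) -> bytes:
    """Transformed program version identifier (HMAC-SHA256 is a stand-in)."""
    return hmac.new(key, version_id, hashlib.sha256).digest()


@dataclass
class PermissiveTable:
    version_id: bytes                              # embedded when the table is compiled
    default: dict                                  # variable -> element word
    stations: dict = field(default_factory=dict)   # host -> {variable: element word}

    def element_word(self, host: str, variable: str):
        """Station specific section first, then the default section."""
        section = self.stations.get(host, {})
        return section.get(variable, self.default.get(variable))


@dataclass
class ProcessControlComputer:
    program_version: bytes                         # embedded in the running program
    version_key: bytes
    variables: dict = field(default_factory=dict)

    def accept(self, variable: str, value: float, tag: bytes) -> str:
        expected = version_tag(self.version_key, self.program_version)
        if not hmac.compare_digest(tag, expected):
            return "error: program version mismatch"   # message is discarded
        self.variables[variable] = value
        return "ok"


@dataclass
class FrontEnd:
    table: PermissiveTable
    version_key: bytes
    bypass_password: bytes
    audit_log: list = field(default_factory=list)

    def data_write_check(self, host: str, variable: str, password=None) -> bool:
        if password is not None and hmac.compare_digest(password, self.bypass_password):
            # A bypass skips the table, but the transaction and host are logged.
            self.audit_log.append({"event": "bypass", "host": host, "variable": variable})
            return True
        word = self.table.element_word(host, variable)
        if word is None:
            return False                # not in the table: fail closed (assumption)
        return not (word & DENY_WRITE)

    def handle_write(self, pcc, host, variable, value, password=None) -> str:
        if not self.data_write_check(host, variable, password):
            return "write error"        # reply to the host; nothing reaches the mailbox
        tag = version_tag(self.version_key, self.table.version_id)
        return pcc.accept(variable, value, tag)


def build_demo():
    """Constructed sample: a PL table compiled for program version b'rev-0042'."""
    key = b"constructed-version-key"
    table = PermissiveTable(
        version_id=b"rev-0042",
        default={"AG_17": 0x0000, "TRIP_LIMIT_3": DENY_WRITE},
        stations={"workstation-72": {"AG_17": DENY_WRITE}},
    )
    front_end = FrontEnd(table, key, bypass_password=b"constructed-bypass")
    pcc = ProcessControlComputer(program_version=b"rev-0042", version_key=key)
    return front_end, pcc


if __name__ == "__main__":
    fe, pcc = build_demo()
    print(fe.handle_write(pcc, "workstation-70", "AG_17", 1.5))
    print(fe.handle_write(pcc, "workstation-72", "AG_17", 9.0))
```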
It should be noted that the use of separate permissive tables for the process control computers 12a-12b has the advantage of enabling a program downloading operation to be performed on one of the process control computers while the other process control computer continues to actively control a manufacturing process. Indeed, even after a revised program has been successfully transferred to the process control computer 12a (and the corresponding permissive table 80a loaded in front end computer 18a), the use of separate permissive tables will enable the front end computer 18a to evaluate a write command message intended for the process control computer 12a which is distinct from a write command message intended for the process control computer 12b. While it may not be advisable in some circumstances to run the process control computers 12a-12b with different program versions in an active control mode, a passive operating mode may be used for the process control computer with the revised program while the other process control computer is in an active control mode. In such an event, the plant engineer may use the download assistant 78 during final program testing to issue write command messages for the passive process control computer, while another plant engineer issues write command messages to the active process control computer through the same front end computer 18.
The security server 68 is used to inform each of the computers residing on the network 20 who they may communicate with on the network. In this regard, the security server stores a specific security table for each of the valid entities on the network. Each of these security tables will identify the network computer entities with which a particular network computer may conduct bi-directional communications. For example, in the case of the front end computers 18a-18b, one of the first functions on start up will be to obtain their respective security tables from the security server 68. Accordingly, the security server 68 is shown in Figure 1 to store a security table "S1" for the front end computer 18a, and a security table "S2" for the front end computer 18b. While the security server could also be used to send the PL and PR permissive tables discussed above to the front end computers 18, it is preferred that newly compiled permissive tables be received from the download assistant 78. In this regard, it should be noted that the download assistant is also preferably used to send the transfer map 37 intended for the IFS circuit 28 to the front end computer 18 along with the appropriate permissive table.
In order to assure the integrity of security table transfers from the security server 68 to the front end computers 18a-18b, a method of validating these transfers is utilized in the present embodiment. In accordance with this method, the front end computer 18 will embed a random or pseudo-random number in a broadcast network message to request that the security server 68 identify itself as a prelude to sending the appropriate security table. The security server will respond to this request with an acknowledgement message that utilizes a security protocol identifier which is different than that used with other types of network messages. Importantly, this acknowledgement message will include the random number from the front end computer 18 in a transformed state. In this regard, a suitable encryption algorithm may be used to alter the random number, and the random number should have a bit length which will make it difficult for any unauthorized entity to decode (for example, 32 bits). Upon receipt of the acknowledgement message, the front end computer 18 will then either reverse the encryption process to obtain the random number or encrypt its original random number to make a comparison between the transmitted and received random numbers. Assuming that these random numbers match, then the front end computer 18 will determine that the acknowledgement message has been received from a valid security server, and the transfer process will proceed.
In order to further enhance the security of communications between the front end computers 18a-18b and other entities on the computer network 20, an additional validation procedure is preferably implemented. More specifically, this additional validation procedure is utilized to permit communication between the front end computers 18a-18b and any network entity for which a write command message may be recognized. In accordance with this validation method, the front end computer 18 will send a contract offer message on a periodic basis to the Ethernet address of each host entity on the network 20 which it recognizes as having a write message capability. Each of these contract offer messages will include a random or pseudo-random number or other suitably unpredictable message component. In order for a host entity to be able to have its write command messages recognized, it must respond to its contract offer message within a predetermined period of time (for example, 10 seconds) with a contract acceptance message that includes a transformed version of this unpredictable message component. While any appropriate encryption algorithm may be used for this purpose, it is preferred that this encryption algorithm be different than the encryption algorithm used to validate the transfer of a security table from the security server 68. Additionally, it should be noted that the security message protocol may be used for these contract offer and acceptance messages.
The front end computer 18 will then decrypt the random number embedded in the contract acceptance message to determine if a time limited communication contract will be established between the front end computer and this host entity at the specific Ethernet address for the host entity that was contained in the security table. This time limited communication contract will ensure that a write command message link between a front end computer 18 and a particular host entity will be reliable and specific. Thus, for example, the front end computer 18a will send a contract offer message to the Ethernet address of the operator workstation 72 which will contain a new random number (for example, 32 bits in length). The operator workstation 72 will respond with a contract acceptance message that includes an encrypted version of this particular random number. Then, the front end computer 18a will either decrypt this number with the contract algorithm key stored in its memory for this purpose or use the same encryption algorithm to compare the offer and acceptance numbers. If these numbers match, then the front end computer 18a will process write command messages from the operator workstation 72 for a predetermined period of time. Otherwise, if the numbers do not match, then the front end computer 18a will disable a write command authorization bit for the Ethernet address of the operator workstation 72 from its security table S1 to indicate that write command messages from this operator workstation should be ignored.
The communication contract established for write command messages is time limited to enhance the transmission security of these particular messages. In the preferred embodiment, the communication contract will automatically expire within twenty seconds after being initiated. Nevertheless, in order to ensure that the ability to send write command messages is not interrupted, the contract offer messages should be sent from the front end computer 18 to each of the appropriate host entities on the network 20 on a periodic basis which will provide this continuity. For example, with a communication contract of twenty seconds, it is preferred that the contract offers be transmitted at a rate of approximately every ten seconds. In other words, every ten seconds, each of the host entities that are capable of transmitting recognizable write command messages will receive a new random number from each of the front end computers 18.
In the event that a host entity fails to respond to a contract offer message from a front end computer 18, the front end computer will preferably make three tries to establish or maintain a time limited communication contract. If no response is received from these three tries, then the front end computer 18 will disable the write command authorization bit for the Ethernet address of this host entity from its security table. In such an event, the affected host entity will not be able to have its write command messages processed by the front end computer 18 until the security server 68 transmits a new security table to the front end computer 18.
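The time limited communication contract described above, as an added Python example that is not code from the patent; the same number-and-echo check underlies the security server validation described earlier. HMAC-SHA256 standing in for the unnamed contract algorithm, a per-host key held in the security table, counting the twenty seconds from acceptance, treating a late answer as a missed try, and the station names are assumptions.

```python
import hashlib
import hmac
import secrets

OFFER_PERIOD_S = 10       # page: offers go out about every ten seconds
RESPONSE_WINDOW_S = 10    # page: acceptance is due within, for example, 10 seconds
CONTRACT_LIFETIME_S = 20  # page: the contract expires after twenty seconds
MAX_TRIES = 3             # page: three tries before write authorization is disabled


def transform(key: bytes, number: int) -> bytes:
    """Keyed transform of the 32-bit offer number (stand-in algorithm)."""
    return hmac.new(key, number.to_bytes(4, "big"), hashlib.sha256).digest()


class HostState:
    def __init__(self, key: bytes):
        self.key = key
        self.write_auth = True    # write command authorization bit
        self.pending = None       # (number, sent_at) of the outstanding offer
        self.misses = 0
        self.expires_at = float("-inf")


class FrontEnd:
    def __init__(self, security_table: dict):
        self.load_security_table(security_table)

    def load_security_table(self, security_table: dict) -> None:
        """A new table from the security server restores disabled hosts."""
        self.hosts = {addr: HostState(key) for addr, key in security_table.items()}

    @staticmethod
    def _miss(host: HostState) -> None:
        host.misses += 1
        if host.misses >= MAX_TRIES:
            host.write_auth = False

    def send_offer(self, addr: str, now: float):
        """Return a fresh offer number, or None once the host is disabled."""
        host = self.hosts[addr]
        if host.pending is not None:      # the previous offer was never answered
            host.pending = None
            self._miss(host)
        if not host.write_auth:
            return None
        number = secrets.randbits(32)
        host.pending = (number, now)
        return number

    def receive_acceptance(self, addr: str, response: bytes, now: float) -> bool:
        host = self.hosts.get(addr)
        if host is None or not host.write_auth or host.pending is None:
            return False                  # unknown host, disabled host, or replay
        number, sent_at = host.pending
        host.pending = None               # every offer number is single use
        if now - sent_at > RESPONSE_WINDOW_S:
            self._miss(host)
            return False
        if not hmac.compare_digest(response, transform(host.key, number)):
            host.write_auth = False       # page: a mismatch clears the bit
            return False
        host.misses = 0
        host.expires_at = now + CONTRACT_LIFETIME_S
        return True

    def write_allowed(self, addr: str, now: float) -> bool:
        host = self.hosts.get(addr)
        return bool(host and host.write_auth and now < host.expires_at)


def demo() -> dict:
    """Constructed scenario: ws70 answers every offer, ws72 never answers."""
    key = b"constructed-contract-key"
    fe = FrontEnd({"ws70": key, "ws72": key})
    covered = []
    for t in range(0, 60, OFFER_PERIOD_S):
        n70 = fe.send_offer("ws70", t)
        fe.send_offer("ws72", t)
        fe.receive_acceptance("ws70", transform(key, n70), t + 1)
        # Still covered when the next offer is due: renewal leaves no gap.
        covered.append(fe.write_allowed("ws70", t + OFFER_PERIOD_S))
    return {"ws70_continuous": all(covered),
            "ws72_write_auth": fe.hosts["ws72"].write_auth}


if __name__ == "__main__":
    print(demo())
```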
It should be appreciated from the above that only the random numbers need to be encrypted to facilitate a transfer of the security table or to establish the time limited communication contract for write command messages. However, it should be understood that the security table itself or the write command messages could be encrypted as well in the appropriate application. Nevertheless, the use of different Ethernet protocols for security messages and write command messages, the use of different encryption algorithms for security table transfers and write command communication contracts, the limitation of the time of the write command communication contracts to short durations, and the use of specific permissive tables for each of the front end computers 18, all combine to provide a very high degree of communication and write command security for the process control computers 12a-12b. Additional protection is also substantially provided by the guardian circuit in the stealth interface circuit 16, the embedding of a program version identifier in the PL and PR permissive tables, and the encryption of these program version identifiers by the front end computers 18a-18b when a verified write command message is transmitted to the process control computer 12a-12b. In this regard, it should be noted that the encryption algorithm used by the front end computers 18a-18b for the program version identifiers is preferably different than the encryption algorithm used for security table transfers or the encryption algorithm used to establish the time limited communication contracts for write command messages. A further discussion of these security and verification features may be found in the de Bruijn et al. patent application, serial no. 898,~23, filed on June 12, 1992 and entitled "Secure Front End Communication System and Method". This patent application is hereby incorporated by reference.
Turning to Figure 3, a block diagram of the stealth interface circuit 16 is shown. Reference will also be made to the schematic diagram of the stealth interface circuit 16 which is shown in Figures 4A-4B. The stealth interface circuit 16 is interposed between the internal bus structure 100 of the process control computer 12 and the externally directed stealth port 102. The stealth interface circuit 16 is connected to bus structure 100 via a set of suitable buffers. In this regard, buffer block 104 includes two 8-bit buffer circuits U17-U18, which receive address information from the address bus on the process control computer 12. Similarly, buffer block 106 includes two 8-bit buffer circuits U6-U7, which receive data information from the data bus of the process control computer 12.
The stealth interface circuit 16 also includes a data control block 108, which is also connected to the bus structure 100 of the process control computer 12. As indicated in Figure 4A, the data control block 108 is preferably comprised of a Programmable Array Logic "PAL" circuit U15 (for example, EP512), which is used to detect the SDSS and DSS signals from the process control computer 12. As well known in the art, a PAL circuit has fusible links which may be programmed so that a plurality of internal AND gates and OR gates will be configured to perform a desired logic function. While a PAL circuit provides a relatively low cost way of implementing logic functions, it should be understood that other suitable circuit devices may be used for this application. It should also be noted that the PAL circuit is programmed to detect two extra strobe signals that may be generated by the process control computer 12, namely the "EXS1" and "EXS2" signals. One or both of these extra strobe signals may be used by the process control computer 12 to indicate that certain data stored in the dual-ported data memory 22 is stable, such as data used to display graphical information.
The stealth interface circuit 16 also receives four control signals from the process control computer 12 which are used to access the dual-ported data memory 22. These signals are "/EN_DATAMEM", "/EMR", "R/W" and "MEMCLK". The first three of these signals relate to whether the process control computer 12 seeks to read or write to the dual-ported data memory 22. However, MEMCLK is the memory clock signal referred to above which effectively divides the time in the machine cycle of the process control computer 12 available for accessing the dual-ported data memory 22. The MEMCLK signal is a fifty percent duty clock signal, as shown in the timing diagram of Figure 5A. In accordance with the method illustrated in this timing diagram, the dual-ported data memory 22 may be accessed from the internal process control computer port 100 when MEMCLK is Low. Then, when MEMCLK undergoes a transition to a High state, the dual-ported data memory 22 may be accessed from the external stealth port 102. While the MEMCLK signal is shown to have a period of 400 nano-seconds (that is, a frequency of 2.5 MHz), it should be understood that other suitable periods and duty cycles may be provided in the appropriate application.
On the stealth port side of the stealth interface circuit 16, a set of suitable buffers are also provided to handle the transfer of address and data information. In this regard, buffer block 110 includes two 8-bit buffer circuits U1-U2, which receive address information from the external stealth port 102. Similarly, buffer block 112 includes two 8-bit buffer circuits U4-U5, which are capable of transmitting and receiving data information between the dual-ported data memory 22 and the stealth port 102.
Additionally, the stealth interface circuit 16 includes an arbitration circuit 114 which receives bus request signals from external entities on the stealth port 102. As shown in Figure 4B, the present embodiment provides four individual channel lines for the incoming bus request signals "/BR1../BR4". Thus, the stealth interface circuit 16 enables up to four different external entities to be connected to the stealth port 102. The arbitration circuit 114 is shown in Figure 4B to comprise a four input asynchronous bus arbiter circuit U9 which will grant bus access to the first bus request signal received. In this regard, a specific bus grant signal "/BG1../BG4" will ultimately be generated to inform the particular external entity who won the bus that the channel is clear for its use. The arbitration circuit 114 also has an internal AND gate which will produce the any-bus-request signal "/ANY_BR" shown in the timing diagram of Figure 5A.
The stealth interface circuit 16 further includes a stealth port control circuit 116, which is used to control access to the dual-ported data memory 22. The control circuit 116 is shown in Figures 4A-4B to comprise a PAL circuit U16, a timer circuit U10 and a set of tri-state buffers which are contained in chip U8. In the case of memory access for the internal process control computer bus 100, the PAL circuit U16 will transmit the chip select signal "/CS" to the buffers 104 and 106 to latch or capture address and data information from the internal bus. The PAL circuit U16 will also send the enable memory read signal "/B_EMR" to the buffer 106 when the process control computer 12 needs to latch or capture data from the data bus 118 of the stealth interface circuit 16. In this regard, the PAL circuit U16 is responsive to both the MEMCLK signal and the central process unit clock signal "CP" of the process control computer 12.
In the case of memory access from the external stealth port 102, the PAL circuit U16 will transmit the enable signal "/SP_EN" to the buffers 110 and 112 to latch or capture address and data information from the external bus. The PAL circuit U16 will also send the enable memory read signal "SW/R" to the buffer 112 when an external entity is permitted to latch or capture data from the data bus 118 of the stealth interface circuit 16. The SW/R signal is received at the stealth port bus 102, and it provides an indication from the external entity of the direction of data flow desired. In this particular embodiment, the SR/W signal is active High for a read cycle and active Low for a write cycle. The SR/W signal is common to all four potential external users, and it should be held in a tri-state until the external user winning the bus receives its active Low /BR signal.

The PAL U16 also transmits the SW/R signal to the check point guardian circuit 120 (PAL circuit U13) to initiate an evaluation to be made on the address of the dual-ported data memory 22 selected by the external entity for a write operation. In this regard, the guardian circuit 120 is programmed to inhibit the transition needed in the chip enable signal "/CE" for accessing the dual-ported data memory chips U11-U14, whenever the address is outside of the mailbox section 26.
With respect to the sequence of operation for the stealth interface circuit 16, it should be appreciated that a memory read/write cycle from the stealth port 102 must be initiated by the external entity seeking to access the dual-ported data memory 22. This cycle is begun with the transmission of a bus request signal /BR from the external entity, such as front end computer 18a. Upon the receipt of any bus request signals, the arbitrator circuit 114 will transmit an active Low any-bus-request signal /ANY_BR to the PAL circuit U16. The any-bus-request signal is directed to an internal flip-flop of the PAL circuit U16, which operates under the clock signal CP. Accordingly, the any-bus-request signal needs to be present before the falling edge of the clock signal CP in order for stealth port access to occur when MEMCLK goes high, as shown in the timing diagram of Figure 5A. If the latched any-bus-request signal is active, the stealth interface circuit 16 will begin a stealth port memory cycle. Otherwise, the stealth interface circuit 16 will not initiate a stealth port memory cycle until the next MEMCLK signal period.
When a stealth port memory cycle occurs, the /SP_EN signal is generated from the PAL circuit U16. As indicated above, this signal will enable the address and data buffers on the stealth port. The /SP_EN signal will also enable the arbitration circuit 114, which issues a specific bus grant signal /BG for the external user which wins the bus. Once the external entity detects its bus grant signal, then it may transmit either the memory address it seeks to read or the address and data necessary for a write operation. The chip enable signal /CE is delayed by the PAL circuit U13 to allow for the delay introduced from the address buffer 110, as the address needs to be stable before the RAM chips U11-U14 are actually accessed.
For a stealth port read cycle, the data placed on the data bus 118 will become stable approximately 45ns after /CE becomes active. In this regard, it should be noted that symbols such as "TC~" in the timing diagram of Figure 5B, indicate the appropriate delay time duration. A read latch signal RDLATCH directed to the PAL circuit U16 may then be used by the external entity to either latch the data into the buffer 112 or indicate that data is available. For a stealth port write cycle, the address lines on the address bus 122 will be monitored by the guardian circuit 120 to ultimately permit or deny write access to the stealth port 102. When write access is denied, the guardian circuit will not generate the active Low chip enable signal /CE, and thereby restrict an external entity on the stealth port 102 from writing to the particular address location in the dual-ported data memory 22 that it has selected. In this event, the guardian circuit 120 will also generate a write address valid signal "WR AD VAL", which is transmitted to the PAL circuit U16 of the control circuit 116. The PAL circuit U16 will respond by generating a write address error signal "WR AD ERR" for transmission to the external entity. The write address error signal is active High and valid only during the current memory access cycle, and this signal is common to all external entities.
For stealth port accesses to valid write addresses, the guardian circuit 120 will activate the /CE signal. Additionally, the SR/W signal from the external entity should become active when the bus grant signal /BG is Low. The PAL U16 will also cause the write enable signal /WE for the RAM chips U11-U14 of the dual-ported data memory 22 to become active, and the rising edge of the /WE signal is used to write data into these RAM chips.

The control circuit 116 also includes a timer circuit U10, which will generate a CLEAR signal approximately 150ns after one of the bus grant signals /BG becomes active. The CLEAR signal is used to cause the tri-state buffers in buffer chip U8 to generate individual bus grant clear signals "BG1_CLR..BG4_CLR" to each external user. The CLEAR signal is also used to clear the stealth port memory cycle by deactivating the stealth port enable signal /SP_EN.
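The access rules described above (external access only while /SP_EN is asserted, reads permitted anywhere, writes gated by the guardian circuit, WR AD ERR raised on a denied write) can be modelled in software as follows. This is an added illustration, not circuitry or code from the patent; the 64-word memory, the mailbox range and all function and type names are assumptions chosen for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout for illustration: 64 words, mailbox = words 48..63. */
#define MEM_WORDS     64u
#define MAILBOX_BASE  48u
#define MAILBOX_WORDS 16u

typedef struct {
    uint16_t ram[MEM_WORDS]; /* dual-ported data memory 22 */
    bool sp_en;              /* true while /SP_EN is asserted (window open) */
} stealth_mem;

typedef struct {
    bool chip_enable;        /* true if /CE was asserted this cycle */
    bool wr_ad_err;          /* WR AD ERR: active High, this cycle only */
    uint16_t data;           /* word returned on a read */
} cycle_result;

/* Guardian circuit 120: decides from the address alone. Reads may target
   any word; writes only the mailbox section. */
static bool guardian_allows(bool is_write, uint32_t addr)
{
    if (addr >= MEM_WORDS) return false;          /* model bound, not hardware */
    if (!is_write) return true;
    return addr >= MAILBOX_BASE && addr - MAILBOX_BASE < MAILBOX_WORDS;
}

/* Control circuit opens the window during the allotted part of the clock cycle. */
void open_window(stealth_mem *m) { m->sp_en = true; }

/* One external access; the window is cleared afterwards, as CLEAR does. */
cycle_result stealth_cycle(stealth_mem *m, bool is_write, uint32_t addr, uint16_t data)
{
    cycle_result r = { false, false, 0 };
    if (!m->sp_en) return r;                      /* no window: port stays disabled */
    m->sp_en = false;
    if (!guardian_allows(is_write, addr)) {
        r.wr_ad_err = is_write;                   /* denied write raises the error */
        return r;                                 /* /CE never asserted, RAM untouched */
    }
    r.chip_enable = true;
    if (is_write) m->ram[addr] = data;
    else r.data = m->ram[addr];
    return r;
}

int main(void)
{
    stealth_mem m = { {0}, false };
    m.ram[3] = 0x1234;                            /* constructed process variable */
    open_window(&m);
    cycle_result w = stealth_cycle(&m, true, 3, 0xFFFF);
    printf("write to variable word: CE=%d ERR=%d ram[3]=0x%04X\n",
           w.chip_enable, w.wr_ad_err, (unsigned)m.ram[3]);
    open_window(&m);
    w = stealth_cycle(&m, true, MAILBOX_BASE, 0x00A5);
    printf("write to mailbox word:  CE=%d ERR=%d\n", w.chip_enable, w.wr_ad_err);
    return 0;
}
```

The denied write leaves the variable word unchanged because the check happens before any memory access, which mirrors withholding /CE rather than undoing a write after the fact.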
The present invention has been described in an illustrative manner. In this regard, it is evident that those skilled in the art, once given the benefit of the foregoing disclosure, may now make modifications to the specific embodiments described herein without departing from the spirit of the present invention. Such modifications are to be considered within the scope of the present invention which is limited solely by the scope and spirit of the appended claims.

Claims (18)

WHAT IS CLAIMED
1. A method of providing transparent data transfers between an actively redundant process control computer (12) connected to a multi-ported memory (22) having at least one internal port for communicating with said process control computer (12) and at least one external port (16) for communicating with a front end computer (18), and at least one said front end computer (18) which is capable of communicating with a computer network (20), characterized by the steps of:
providing a variable section in said multi-ported memory (22) for periodically storing data collected by said process control computer (12) in said variable section of a multi-ported memory (22);
providing a mailbox section in said multi-ported memory (22) for storing messages sent from said front end computer (18) to said process control computer (12); and
enabling said multi-ported memory (22) to be addressed from said external port (16) only during a predetermined portion of an operative clock cycle for said process control computer (12), so that either at least one data word stored in said variable section of said multi-ported memory (22) may be transferred to a memory associated with said front end computer (18) or at least one message word may be transferred from said front end computer (18) to said mailbox section of said multi-ported memory (22) without any interference with the operation of said process control computer (12).
2. The method according to Claim 1, further including the step of preventing at said process control computer (12) the ability to write to predetermined locations in said multi-ported memory (22) from said external port (16).
3. The method according to Claim 2, wherein said preventing step limits the write access capability from said external port (16) to only said mailbox section of said multi-ported memory (22).
4. The method according to Claim 3, wherein the entire contents of said multi-ported memory (22) may be read from said external port (16).
5. The method according to Claim 1, wherein at least one of said messages sent from said front end computer (18) causes a change in a value used by the program of said process control computer (12).
6. The method according to Claim 1, further including the step of selectively enabling additional communication devices to access said multi-ported memory (22) from said external port (16) during said predetermined portion of said operative clock cycle.
7. A stealth interface for providing transparent data transfers between an actively redundant process control computer (12) having a multi-ported data memory having an internal port connected to the bus structure of said process control computer (12) and at least one external port (16) for communicating with a front end computer (18), and at least one said front end computer (18) which is capable of communicating with a computer network (20), characterized by:
said multi-ported data memory having a variable section for periodically storing data collected by said process control computer (12), and a mailbox section for storing messages from said front end computer (18) to said process control computer (12);
external access control means, coupled to a clock signal associated with operation of said process control computer (12), for enabling at least one word address in said multi-ported data memory to be accessed from said external port (16) only during a predetermined portion of the cycle for said clock signal; and
guardian means connected to said multi-ported data memory for limiting the write-access permitted from said external port (16) to predetermined address locations in said multi-ported memory.
8. The stealth interface according to Claim 7, wherein predetermined locations are confined to said mailbox section of said multi-ported data memory.
9. The stealth interface according to Claim 7, further including timing means for clearing said external port (16) prior to the end of said predetermined portion of the cycle for said clock signal.
10. The stealth interface according to Claim 7, wherein said external access control means including error signaling means for transmitting a write error signal to said external port (16) when said guardian means has denied write access to said front end computer (18).
11. The stealth interface according to Claim 7, wherein said guardian means is comprised of a programmable array logic circuit which is connected to the address bus of said multi-ported data memory.
12. A stealth interface for providing transparent data transfers between a computer and a plurality of external front end devices, characterized in that:
said computer is an actively redundant process control computer (12), and said stealth interface includes a multi-ported data memory having an internal port connected to the bus structure of said process control computer (12) and at least one external port (16) for communicating with said front end devices;
external access control means, coupled to a clock signal associated with operation of said process control computer (12), for enabling said multi-ported data memory to be accessed from said external port (16) only during a predetermined portion of the cycle for said clock signal; and
arbitration means interposed between said control means and said external port (16) for selecting one of said front end devices to access said multi-ported memory (22) means during said predetermined portion of the cycle for said clock signal.
13. The stealth interface according to Claim 12, including guardian means connected to said multi-ported data memory for limiting the write access permitted from said external port (16) to predetermined address locations in said multi-ported memory.
14. The stealth interface according to Claim 13, wherein predetermined locations are confined to a mailbox section of said multi-ported data memory.
15. The stealth interface according to Claim 14, further including timing means for clearing said external port (16) prior to the end of said predetermined portion of the cycle for said clock signal.
16. The stealth interface according to Claim 15, wherein said external access control means including error signaling means for transmitting a write error signal to said external port (16) when said guardian means has denied write access to said front end computer (18).
17. The stealth interface according to Claim 16, wherein said guardian means is comprised of a programmable array logic circuit which is connected to the address bus of said multi-port data memory.
18. The stealth interface according to Claim 12, wherein said arbitration means includes access signaling means for transmitting an individual access signal to said external port (16) upon a predetermined transition in said clock signal.
CA002137157A 1992-06-12 1993-06-01 Stealth interface for process control computers Abandoned CA2137157A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US89790592A 1992-06-12 1992-06-12
US07/897,905 1992-06-12

Publications (1)

Publication Number Publication Date
CA2137157A1 true CA2137157A1 (en) 1993-12-23

Family

ID=25408635

Family Applications (1)

Application Number Title Priority Date Filing Date
CA002137157A Abandoned CA2137157A1 (en) 1992-06-12 1993-06-01 Stealth interface for process control computers

Country Status (9)

Country Link
US (1) US5568615A (en)
EP (1) EP0645026B1 (en)
JP (1) JPH07507892A (en)
KR (1) KR100302223B1 (en)
AU (1) AU4400893A (en)
CA (1) CA2137157A1 (en)
DE (1) DE69315210T2 (en)
ES (1) ES2108875T3 (en)
WO (1) WO1993025945A1 (en)

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE4446966A1 (en) * 1994-12-28 1996-07-04 Itt Ind Gmbh Deutsche Production control information system
AU3889497A (en) * 1996-08-02 1998-02-25 Transoft Corporation Method and apparatus for allowing distributed control of shared resources
US6233659B1 (en) 1998-03-05 2001-05-15 Micron Technology, Inc. Multi-port memory device with multiple modes of operation and improved expansion characteristics
US6748451B2 (en) 1998-05-26 2004-06-08 Dow Global Technologies Inc. Distributed computing environment using real-time scheduling logic and time deterministic architecture
US6622265B1 (en) * 1998-08-28 2003-09-16 Lucent Technologies Inc. Standby processor with improved data retention
US6647301B1 (en) 1999-04-22 2003-11-11 Dow Global Technologies Inc. Process control system with integrated safety control system
AUPQ916600A0 (en) 2000-08-03 2000-08-24 James Hardie Research Pty Limited Automated manufactured apparatus for aluminium window/door systems
DE10108962A1 (en) 2001-02-20 2002-09-12 Pilz Gmbh & Co Method and device for programming a safety controller
CA2357931A1 (en) * 2001-09-27 2003-03-27 Alcatel Canada Inc. System and method of selecting sources for a network element having redundant sources
DE10243713B4 (en) 2002-09-20 2006-10-05 Daimlerchrysler Ag Redundant control unit arrangement
GB2404827A (en) 2003-08-05 2005-02-09 Motorola Inc Fault containment at non-faulty processing nodes in TDMA networks
FR3140348A1 (en) * 2022-09-29 2024-04-05 Zipair Coupling method for redundant servo devices of an actuator control system, associated system and device

Family Cites Families (30)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4212057A (en) * 1976-04-22 1980-07-08 General Electric Company Shared memory multi-microprocessor computer system
US4215398A (en) * 1978-08-24 1980-07-29 Texas Instruments Incorporated Dual microprocessor intelligent programmable process control system with communication link
US4449183A (en) * 1979-07-09 1984-05-15 Digital Equipment Corporation Arbitration scheme for a multiported shared functional device for use in multiprocessing systems
US4479179A (en) * 1979-07-30 1984-10-23 International Business Machines Corporation Synchronous cycle steal mechanism for transferring data between a processor storage unit and a separate data handling unit
US4488231A (en) * 1980-09-29 1984-12-11 Honeywell Information Systems Inc. Communication multiplexer having dual microprocessors
GB2123189B (en) * 1982-06-05 1987-06-10 British Aerospace Communication between computers
US4577292A (en) * 1983-05-31 1986-03-18 International Business Machines Corporation Support circuitry for multi-port systems
JPS6054052A (en) * 1983-09-02 1985-03-28 Nec Corp Processing continuing system
GB2156554B (en) * 1984-03-10 1987-07-29 Rediffusion Simulation Ltd Processing system with shared data
JPS61166668A (en) * 1985-01-19 1986-07-28 Panafacom Ltd Multi-processor control system
IT1184553B (en) * 1985-05-07 1987-10-28 Honeywell Inf Systems SYSTEM ARCHITECTURE WITH MULTIPLE PROCESSORS
US4745541A (en) * 1986-06-16 1988-05-17 Cincinnati Milacron Inc. Method and apparatus for process control
DE3639571A1 (en) * 1986-11-20 1988-06-01 Standard Elektrik Lorenz Ag METHOD AND CIRCUIT ARRANGEMENT FOR CHARGING A SECONDARY COMPUTER
JPS63255759A (en) * 1987-04-14 1988-10-24 Mitsubishi Electric Corp Control system
US4817058A (en) * 1987-05-21 1989-03-28 Texas Instruments Incorporated Multiple input/output read/write memory having a multiple-cycle write mask
US5168560A (en) * 1987-05-29 1992-12-01 Amdahl Corporation Microprocessor system private split cache tag stores with the system tag store having a different validity bit for the same data line
US4796232A (en) * 1987-10-20 1989-01-03 Contel Corporation Dual port memory controller
JP2749819B2 (en) * 1987-10-26 1998-05-13 松下電工株式会社 Shared memory control method
JP2615088B2 (en) * 1987-11-06 1997-05-28 株式会社日立製作所 Semiconductor storage device
EP0340901A3 (en) * 1988-03-23 1992-12-30 Du Pont Pixel Systems Limited Access system for dual port memory
JPH0289284A (en) * 1988-09-26 1990-03-29 Nec Corp Arbitration circuit for 2-port memory
US4965717A (en) * 1988-12-09 1990-10-23 Tandem Computers Incorporated Multiple processor system having shared memory with private-write capability
US5142676A (en) * 1988-12-28 1992-08-25 Gte Laboratories Incorporated Separate content addressable memories for storing locked segment addresses and locking processor identifications for controlling access to shared memory
US5202970A (en) * 1989-02-07 1993-04-13 Cray Research, Inc. Method for sharing memory in a multiprocessor system
US5097470A (en) * 1990-02-13 1992-03-17 Total Control Products, Inc. Diagnostic system for programmable controller with serial data link
JPH03263989A (en) * 1990-03-13 1991-11-25 Victor Co Of Japan Ltd Picture processor unit
US5208775A (en) * 1990-09-07 1993-05-04 Samsung Electronics Co., Ltd. Dual-port memory device
JPH04133102A (en) * 1990-09-26 1992-05-07 Mitsubishi Electric Corp Programmable controller and its control method
US5111431A (en) * 1990-11-02 1992-05-05 Analog Devices, Inc. Register forwarding multi-port register file
US5428769A (en) * 1992-03-31 1995-06-27 The Dow Chemical Company Process control interface system having triply redundant remote field units

Also Published As

Publication number Publication date
DE69315210D1 (en) 1997-12-18
KR950702044A (en) 1995-05-17
DE69315210T2 (en) 1998-03-19
WO1993025945A1 (en) 1993-12-23
ES2108875T3 (en) 1998-01-01
EP0645026A1 (en) 1995-03-29
JPH07507892A (en) 1995-08-31
AU4400893A (en) 1994-01-04
US5568615A (en) 1996-10-22
EP0645026B1 (en) 1997-11-12
KR100302223B1 (en) 2001-11-22

Legal Events

Date Code Title Description
EEER Examination request
FZDE Discontinued