This invention relates to a method and system for resynchronizing a list of alarm states of a device that monitors or controls a process or a system, in whole or in part.
An alarm state is a warning to a user of an event. Notifications are used to indicate and warn the user that an alarm state has changed, for example, from an inactive to an active state or from an active to an inactive state (the latter also called return-to-normal). A common type of alarm used, for example, by a process control system against an unwanted situation is based on testing of a process measurement, also known as a process variable. Analog process variables, such as temperatures, pressures, flows, levels, and the like, are often tested against high limits and low limits. When a process variable value becomes higher than a high limit, a high alarm becomes active and a notification is generated. Likewise, when a process variable value becomes lower than a low limit, a low alarm becomes active and similarly a notification is generated.
It is common to have two levels of alarm that behave similarly, using, for example, a high-high limit and a low-low limit. Another type of alarm is associated with a deviation from a current desired operating point, referred more commonly as a setpoint. When the process variable deviates from a setpoint more than the specified deviation-high-limit or deviation-low-limit, a deviation-high or deviation-low alarm becomes active, as appropriate.
For discrete process variables, such as a high-limit sensor or an over-temperature sensor, the apparatus itself indicates one of two-states such as xe2x80x9cOnxe2x80x9d or xe2x80x9cOffxe2x80x9d, xe2x80x9cYesxe2x80x9d or xe2x80x9cNoxe2x80x9d, xe2x80x9cNormalxe2x80x9d or xe2x80x9cAbnormalxe2x80x9d, xe2x80x9cTruexe2x80x9d or xe2x80x9cFalsexe2x80x9d, etc. The occurrence of an unwanted state can be used to set an associated alarm active. The limits that are used for testing of an unwanted state are alarm limits or alarm condition limits. Examples of alarm conditions are high, high-high, low, low-low, deviation-high, deviation-low, and discrete. Alarm condition states or alarm states are said to be either active or inactive.
Additionally, there are times when a process variable is expected to exceed an alarm limit, so an alarm condition state and alarm notification are not wanted. An example would be when equipment is desired to be shut down. An alarm condition disable state, or simply alarm disable state indicates that an alarm state should be disabled and rendered inactive for the associated alarm condition. Return-to-normal notifications are usually issued when an active alarm condition is rendered disabled.
U.S. Pat. No. 6,138,049 describes a notification system for handling the generation and distribution of notifications concerning the occurrence of events. According to the patent, a notification is an indication of some abnormal or exceptional situation relating to a controlled process, its measurement and control equipment. For example, notifications may comprise alarms, system events, operator messages, and the like. The notification system includes a supervisory controller and a plurality of process controllers.
The supervisory controller is associated with each of the process controllers, directly or indirectly, to allow the exchange of information. The supervisory controller monitors characteristics (e.g., status, temperature, pressure, flow rate, current, voltage, power, utilization, efficiency, cost and other economic factors, etc.) of the process, either directly or indirectly through the process controllers. Depending upon the specific implementation, such monitoring may be of an individual process, a group of processes, or the whole facility.
The integrity of the data concerning the aforementioned process characteristics can be degraded by the occurrence of various operation events, such as supervisory controller startup, supervisory controller failover, process controller startup, process controller failover, control network communication failure and recovery and addition (via configuration) of a new process controller. A notification recovery system is provided to restore the integrity of the data after the system resumes normal operation.
The notification system includes a recovery procedure to restore the data integrity when normal operation resumes after the occurrence of any of the aforementioned events. The supervisory controller issues a recovery command to the process controller that is associated with the devices that provided the affected data. The process controller then executes a recovery program that provides the current values of the alarm states of its associated devices to the supervisory controller.
The notification system of the patent works very well when the devices and process controllers are compatible with one another, i.e., the devices and process controllers are native devices and native process controllers. However, the recovery procedure described in the patent does not address the situation of a control system that also has a non-native device, i.e., a device that is incompatible with the native devices and the native process controller.
There is a deficiency in some non-native devices, for example those devices that conform to the Foundation Fieldbus specifications ISA-S50.01-1992. The response to the reading of the current alarm condition states from any device is performed at a lower priority than the generation of notifications of on-going changes to those same alarm condition states (i.e., notification of a new active alarm condition or notification of a return-to-normal of a previously existing active alarm condition). Hence, the results of the reading of current alarm condition states can be incorrect due to the lack of guaranteed sequencing of the related communication messages.
Specifically, after requesting the reading of an inactive alarm condition state from a device in order to ascertain current alarm states, the response can be placed in a communications output buffer in the device. However, before it is communicated over the network, the alarm may become active (changing to the active state), causing an active alarm notification message to be placed in the same device""s notification output buffer, which is separate from the read-response output buffer. Since notifications are specifically permitted access to the network at a higher priority than responses to reading the alarm condition states, the active alarm notification can be received by a notification manager first, even though placed in its output buffer later. Then the response to the reading of the alarm condition states may be received, indicating that the alarm condition is inactive. The notification manager can then falsely conclude that the alarm condition is inactive when, indeed, it has just become active.
Symmetrically, after requesting the reading of an active alarm condition state from a device in order to ascertain current alarm states, the response can be placed in a communications output buffer in the device. But before it is communicated over the network, the alarm may return to normal (changing to the inactive state), causing a return-to-normal notification message to be placed in the same device""s notification output buffer, which is separate from the read-response output buffer. Since notifications are specifically permitted access to the network at a higher priority than responses to reading the alarm condition states, the return-to-normal notification can be received by a notification manager first even though placed in its output buffer later. Then the response to the reading of the alarm condition states may be received, indicating that the alarm condition is active. The notification manager can then falsely conclude that the alarm condition is active when, indeed, it has just become inactive.
What is needed is a mechanism to reliably ascertain the current alarm condition states from such non-native devices so that, for example, a notification manager can be guaranteed to be able to re-synchronize its alarm database with that of the devices after a communications loss and restoration or after recovery from some significant disturbance to the state of an involved computing element that may have resulted in a processing discontinuity such that a change in one or more alarm condition states may have been lost.
Thus, there is a need for a recovery procedure that can handle both native and non-native devices and controllers.
The method of the present invention synchronizes alarm condition states produced by a device that monitors and/or controls a process or a system. Particularly, the method synchronizes the notification messages after there has been a loss of communication with the device and after communication is restored with the device including, but not limited to, losses caused due to communications failures and processing discontinuities resulting from computing element failures, restarts, resets and so on.
When communication is restored, the method controls the device to regenerate current values of alarm states that it maintains. The method then provides first notification messages and second notification messages to a network. The first notification messages are for the current values of the alarm states. The second notification messages are for any changes in the alarm states that occur after the device regenerates the current values. The first notification messages and the second notification messages may be interspersed, but the sequential ordering for each alarm condition is assured to preserve correct alarm state interpretation.
The method controls the device by setting all of the alarm disable states to disabled and then restoring those alarm disable states that were previously enabled back to enabled. The first and second notification messages are provided after the previously enabled alarm disable states are restored to enabled. The method also reads and saves the alarm disable states prior to setting all of the alarm disable states to disabled for use during the restoration operation.
The device responds to the restoration operation to automatically generate a set of return-to-normal notifications, which, being irrelevant, are ignored or not provided to the network.
The system of the present invention includes means that perform the method of the invention.