This invention relates to a method of controlling a plurality of subprocesses in a distributed control system upon the failure or other removal from service of a process control computer controlling one of the subprocesses, and more particularly to a method of providing a bumpless transfer of control from a process control computer that has failed or is otherwise removed from service to a process control computer acquiring control of a subprocess not previously controlled by that process control computer.
In a ring-type distributed control system such as that disclosed in U.S. Pat. No. 4,015,548, each process control computer controls the associated subprocess, specifically a coal pulverizer and elevation of fuel firing equipment. The same process control computer monitors the operation of the associated coal pulverizer and burner elevation equipment from a safety perspective. An adjacent process control computer also monitors the operation of a coal pulverizer and burner elevation from a safety perspective. Field inputs necessary to ascertain the status of safety equipment are wired to input ports of both the controlling process control computer and the process control computer providing redundant safety backup.
The process control computer providing redundant safety backup has the ability to shut down the coal pulverizer and burner elevation equipment that it is monitoring from a safety perspective. In an energize-to-start, energize-to-stop control system, a failure or other removal from service of the processor providing control of its associated coal pulverizer and burner elevation does not remove the associated coal pulverizer and burner elevation from service. The associated coal pulverizer and burner elevation remain in service until an unsafe operating condition is approached, at which time the adjacent processor monitoring the coal pulverizer and burner elevation from a safety perspective will safely shut down the coal pulverizer and burner elevation. However, the processor providing redundant safety backup does not have the ability to control the coal pulverizer and burner elevation; it only permits the coal pulverizer and burner elevation to remain in service at the status quo.
What is needed is a method of controlling a plurality of subprocesses in a distributed control system upon the failure or other removal from service of a process control computer controlling one of the subprocesses by providing a bumpless transfer of control without continually providing an update of the control variables to the process control computer that will assume control.