The present invention generally relates to the interface between a process control computer and its remotely located field instrumentation. More specifically, the present invention relates to a process control interface system which is comprised of a distributed network of triply redundant remote field units that communicate with redundant process control computers over redundant fiber optic paths.
One of the most difficult and elusive goals to achieve in the design of any automated process control system is to provide an accurate, fast and yet highly reliable control system which is capable of withstanding the rugged demands of controlling a physical process non-stop for years at a time, if possible. This is particularly true for the process control applications in a chemical plant where the cost of shutting down a complex large-scale process for computer system repairs may be enormous due to the time, effort and waste incurred in attempting to bring such a process back on line.
In order to achieve maximum economic efficiency and optimum product quality, the demands for more comprehensive process control automation have continued to increase in both quantity and sophistication. As the reliance on computer-based control for the operation of a chemical process increases, it is clear that a number of computers are required to work together in order to accomplish all of the desired control tasks. This, of course, adds further complexity to a control system for which maximum fault tolerance is desired.
In order to increase the reliability of a process control computer system, many attempts have been made to provide a backup computer for one or more of the computers being used to actively control the process. However, a rapid hand-off of control from an active computer to a backup computer is difficult to achieve if the goal is to provide a seamless or transparent transfer to the devices which affect the operation of the physical process. Additionally, the conditions-under which a transfer of control should be made may be complex and consume needed processor time during normal operations.
Another approach to this problem is to provide triple redundancy with three actively operating computers. While the provision of three computer processors certainly increases the overall cost of the control system, it does permit the use of "majority voting" for decision making. The benefit of majority voting not only adds to the ability of the computer system to withstand a fault in one of the computers, it also helps to ensure that the decisions being made are accurate. In other words, the agreement of two out of three computers on any particular decision increases the likelihood that the decision is ultimately correct.
Nevertheless, even when triply redundant control is found to be desirable, a myriad of design problems must first be confronted in order to achieve a truly effective triply redundant control system, including the handling of internal failures within different areas of the triply redundant control system. While there have been a number of attempts to appropriately manage the interrelationships between a set of three or more computers, there is still considerable room for advancement in this art, particularly as it relates to large scale chemical process control applications.
Accordingly, it is a principal objective of the present invention to provide a distributed network of triply redundant field computer units which communicate with redundant process control computers to maximize both accuracy and the overall system's tolerance to faults in the process control system that could affect the physical process being controlled.
It is another objective of the present invention to provide a distributed network of triply redundant field computer units which enables broadcast downloading of updated software to each of these units without affecting the process being continuously controlled.
It is a further objective of the present invention to provide a triply redundant field computer unit which permits circuit boards in one of the computers contained in the unit to be replaced without affecting the process being controlled or requiring control to be forced to one or the other of the remaining computers.
It is an additional objective of the present invention to provide a triply redundant field control unit which enables a unique arbitration process of field inputs and outputs to be achieved.
It is also an objective of the present invention to provide a triply redundant field computer unit which is capable of automatically aborting potentially erroneous output signals.
It is yet another objective of the present invention to provide a triply redundant field computer unit which enables any two computers contained in the unit to temporarily reset, and if necessary, more permanently reset the remaining computer.
It is still an additional objective of the present invention to provide a triply redundant field computer unit which includes one or more "smart" multi-function input circuits for interpreting raw sensor information and one or more "smart" output circuits for independently determining the manner in which a desired output value is achieved.
It is still a further objective of the present invention to provide a method of testing both digital and analog output circuits which is non-intrusive to the process being continuously controlled.
It is yet another objective of the present invention to provide a triply redundant field computer unit which includes a high current output power supply circuit and a battery backup that may be periodically tested under load conditions.