This invention relates to a data processing system used to control an industrial process wherein a back-up data processor or processors are used to automatically assume control over the industrial process when the primary processor controlling the industrial process fails.
Many system-type industrial installations, such as those related to industrial process-type manufacturing and electrical power generation, employ a large number of physically distributed control devices and associated sensors to effect coordinated operation of the overall system. One such system is disclosed in U.S. Pat. No. 4,304,001 to Michael E. Cope, assigned to the assignee of this application. In the Cope application, a plurality of remote stations are connected to various control devices and sensors and communicate with one another through a communications link. Each of the remote stations has a data processor and, at most of the remote stations, these data processors operate to receive signals from sensors and control process parameters of the industrial process. One of the remote stations includes a control panel to provide operator access to and control of the overall system.
In the above-described system, as disclosed in the Cope patent, the failure of a data processor at a given remote station does not mean that the entire process control system will fail, because the other remote stations continue to function, receiving information from the sensors and controlling the output parameters assigned to them. Nevertheless, it is important to keep all of the remote stations functioning to maintain efficient automatic operation of the industrial process. To achieve this purpose, the present invention provides at each of the remote stations a back-up processor to take over the input/output operations when the primary processor at the remote station fails.
In the past, it has been proposed to employ redundant or back-up processors to take over from a primary processor when the primary processor fails. However, in such systems, a process upset often occurs when the primary processor fails because of problems in getting the back-up processor to operate on valid data concerning the current status of the process. Proposals have been made in the past to have the primary processor periodically transfer status data to the back-up processor. The problem of process upset still exists, however, because when the primary processor begins to fail, the status data is often contaminated by the problem which caused the primary processor to fail.