The invention pertains to control and, more particularly, to methods and apparatus for avoidance of faults in process and other control systems.
The terms xe2x80x9ccontrolxe2x80x9d and xe2x80x9ccontrol systemsxe2x80x9d refer to the control of a device or system by monitoring one or more of its characteristics. This is used to insure that output, processing, quality and/or efficiency remain within desired parameters over the course of time. In many control systems, digital data processing or other automated apparatus monitor the device or system in question and automatically adjust its operational parameters. In other control systems, such apparatus monitor the device or system and display alarms or other indicia of its characteristics, leaving responsibility for adjustment to the operator.
Control is used in a number of fields. Process control, for example, is typically employed in the manufacturing sector for process, repetitive and discrete manufactures, though, it also has wide application in electric and other service industries. Environmental control finds application in residential, commercial, institutional and industrial settings, where temperature and other environmental factors must be properly maintained. Control is also used in articles of manufacture, from toasters to aircraft, to monitor and control device operation.
Reliability is among the key requirements of any control system. A controlled manufacturing process, for example, that occasionally produces a bad batch is wholly unacceptable for many purposes. Given the expense of manufacturing individual process control components that achieve satisfactory levels of reliability, designers have turned to redundancy. This typically involves using two or more control elements in place of one. The duplicated units can be sensors, actuators, controllers or other components in the control hierarchy.
Thus, for example, U.S. Pat. No. 4,347,563 discloses an industrial control system in which redundant processing units serve as bus masters xe2x80x9cof the moment,xe2x80x9d monitoring status information generated by primary processing units. If a redundant unit detects that a primary has gone faulty while executing an applications program, the redundant unit loads that program and takes over the primary""s function. A shortcoming of these and many other prior art redundancy schemes is their imposition of undue computational or hardware overhead. U.S. Pat. No. 4,058,975, for example, has the disadvantage of requiring a computer to continually compare the outputs of multiple temperature sensors monitoring a gas turbine.
Implementing such solutions can be difficult in some situations and impossible in others. The latter may prove true if the control elements or configuration do not support communications or processing necessary to implement the necessary redundancy protocols.
The self-validating sensors described in U.S. Pat. Nos. 5,570,300 and 5,774,378 (assigned to the assignee hereof and the teachings of which are incorporated herein by reference) represent a significant advance in the art. Such sensors provide not only estimates of control variables (e.g., pressure or temperature) being monitored, but also information about the uncertainty and reliability of those estimates. Thus, for example, a sensor can generate a validated measurement signal (VMV) representing a best estimate of a control variable being monitored, a validated uncertainty signal (VU) identifying the uncertainty in VMV, a status signal (MV) indicating the status of VMV (e.g., xe2x80x9cclear,xe2x80x9d xe2x80x9cblurred,xe2x80x9d xe2x80x9cdazzled,xe2x80x9d xe2x80x9cblind,xe2x80x9d), and a device status signal indicating a status of the sensor itself.
Notwithstanding the advent of self-validating sensors, still more flexible mechanisms for avoiding fault are desired. This is increasingly so as the art shifts to control architectures that permit the xe2x80x9chotxe2x80x9d insertion or replacement of control elements.
An object of this invention is to provide improved methods and apparatus for control and, more particularly, improved such methods and apparatus that provide for avoidance of detected faults.
A further object of the invention is to provide such methods and apparatus as facilitate maintaining continuous operation of a process, environmental, industrial or other control system in the face of actual or potential degradation of a sensor or other control element.
A still further object of the invention is to provide such methods and apparatus for use with self-validating control elements and particularly, for example, with self-validating sensors.
The foregoing are among the objects attained by the invention which provides, in one aspect, a control system with components that respond to actual or potential faults, e.g., in sensors or other field devices, by automatically switching to other sources of desired control or process variables.
Thus, in one aspect, the invention provides a control system with first and second control components that generate first and second xe2x80x9csourcexe2x80x9d signals, respectively, representing substantially identical or related process control variables. A third control component, which normally processes the first source signal, responds to actual or potential degradation of that signal (or the control component that generated it) for processing the second source signal in lieu of the first.
By way of example, a process control system according to this aspect of the invention can have a first sensor that generates a temperature reading of a reactor vessel and a second sensor that generates a pressure reading of that same vessel. A control processor can be arranged to process the reading generated by the first sensor, e.g., as part of a temperature control loop. In response to indications of actual or potential degradation of the first sensor, the control processor can process readings from the second sensor, e.g., in lieu of those from the first.
Further aspects of the invention provide a control system as described above in which the first control component (e.g., the first sensor in the above example) generates a confidence signal indicative of actual or potential degradation of the first sensor. Where the first component is a self-validating sensor, that confidence can be a measurement value (MV) status signal and/or a device status signal, both as described above. The third control component (e.g., the control processor in the example) can identify actual or potential degradation of the first control component from that confidence signal.
Still further aspects of the invention provide a control system as described above in which the second control component (e.g., the second sensor in the example) generates a signal identifying the control variable (e.g., temperature or pressure) output by it. The second component can transmit that signal, e.g., to a distributed registry, for storage. The third control component can retrieve the identifier signal from the registry in the event of actual or potential degradation of the first source signal, thus, permitting identification of the second source signal as a potential substitute for the first.
Yet still further aspects of the invention provide a control system as described above in which the control components and/or registry are coupled via bus, a network and other communications media, by way of non-limiting example, compatible with any of Foundation Fieldbus, Profibus, DeviceNet(trademark), InterBus(trademark) and Modbus(copyright) standards, among others.
Other aspects of the invention provide process, environment, industrial control systems and methods in accord with the foregoing.