This invention relates to control systems where safety features are of special interest.
A number of process control systems use both a general process control system and a second attached safety shutdown computer system to comply with safety requirements in an apparatus controlled by the process control system. Such safety requirements are formalized in documented standards such as IEC 61508 (International Electrotechnical Commission Standard 61508) Parts 1 through 7; VDE 0801 (German Technical Standard 0801) AK 1 through 6; DIN (German Standardization Institute Standard) 0116, Chapter 8.7; DIN V 19250, AK 1 through 6; EN (European Standard) 298, Chapters 9 and 10; EN 61010-1; EN 50081-2; EN 55011; and EN 55022. Process control safety requirements are also formalized in regulations such as 29 C.F.R. §1910.119 in the United States of America.
Respective to formalized requirements, a process known as "certification" is used in determining formalized acceptability of a system. The certification process examines conformance between (a) the design of the system, (b) the practices of organizations in construction, modification, and use of the system, and (c) the formalized requirements. Respective to "certification" and IEC 61508, four levels of acceptability are defined which are known as SILs (Safety Integrity Levels), with SIL 1 appropriate for processes having some minor risk and SIL 4 appropriate for processes having high potential risk (for example, public transportation systems under automatic control or nuclear power plants under automatic control). "Certification" is usually done by a trained "certifying agency" with credibility for such review in the society in which the "certified" system is used; an example of such a "certifying agency" is TÜV Bayern, having main offices in Munich, Germany.
In providing an acceptable control solution, there is frequently a need in higher-risk processes for the safety shutdown system to have robustness and real-time diagnostic sophistication superior to the comparable attributes of the general process control system. The safety shutdown system is also usually more secure than the general process control system with respect to the ability of an operating technician to modify critical parameters; in this regard, access to the data space of a safety shutdown computer requires a physical lock and key kept in secure custody. Safety shutdown computer system design has taken a somewhat different course from general process control system design, and this has resulted in divergence in the operational and programming attributes of the two kinds of system. While the concurrent use of such systems with their divergent operational and programming attributes has been generally effective, there are drawbacks. Engineers, supervisors, and operating technicians must be versant in both sets of operational and programming attributes; and, in certain situations, a comprehensive understanding of the manner in which the two systems as a whole effect control is confounded as features respective to the divergent attributes interact. A process control system that incorporates a separate safety shutdown computer system also permits the affiliated, potentially variant, control-computer-executed logic sets used in the two different systems to be compiled at different times; this situation does not characterize a control system logically unified at one point in time under a unified authority.
"Potentially variant" references that portion of the logic which could reasonably be expected to undergo change at the level of security access permitted to the programming engineer; a Read Only Memory chip (ROM), while frequently providing logic derived from a compile process, is not "potentially variant" in this regard unless routine incremental modifications to the control computer logic include the process of new ROM creation and ROM component change. A control system logically unified at one point in time (that is, where all potentially variant source code for the general control of the apparatus and all potentially variant source code for the safety shutdown system of the apparatus are compiled to Machine Operation Code in the same compile instance) under a unified authority is ideally desirable in managing complex facilities. Finally, provision of a support base for two different systems is usually more expensive than for one system; such extra expense confounds efficient use of resources.
What is needed in resolving the above concerns is a single unified system for executing both the safety-related aspects of process control and the general aspects of process control. A rapid solution is to use a safety-capable system for all control needs; however, the use of a safety-capable system (frequently triply redundant physically) for general control of a facility as well as for its safety shutdown is expensive because of the higher capital cost per I/O point. So, while it provides a technical solution to the problem of a single unified system, use of a safety shutdown system for all control is not usually an efficient resolution of the problem. What is truly needed and desired, therefore, in resolving the above concerns is an economically viable single unified system capable of executing both (a) safety-related process control and (b) general process control. The present invention provides a solution to this need by providing a unified system which can execute general process control of an apparatus while also providing features used (a) in implementing burner and fired equipment safety shutdown and (b) in implementing safety management and safety integrity system solutions for achieving conformance up to and including Safety Integrity Level 3 (that is, SIL 1, SIL 2, and SIL 3), when further coupled with organizational and engineering processes respective to construction, modification, and use of the control system which are acceptable to the certifying agency.
The following incorporated documents describe embodiments in a general process control system prior to modification into the unified control system described in this specification:
One embodiment of a control computer used in a general process control system is described in U.S. Pat. No. 5,555,424 (24Sederlund et al.) issued on Sep. 10, 1996 and entitled "Extended Harvard architecture computer memory system with programmable variable address increment" to Sederlund, Edward R.; Lindesmith, Robert J.; Root, Larry A.; Dupree, Wayne P.; and Thomas, Lowell V. This patent is expressly incorporated herein by reference in the present application for showing the status of the prior art and a manner of use respective to the present invention.
An embodiment of a redundant control computer system in a general process control system using two control computers such as the control computer described in 24Sederlund et al. is described in U.S. Pat. No. 5,583,757 (Baca, Jr. et al.) issued on Dec. 10, 1996 and entitled "Method of input signal resolution for actively redundant control computers" to Baca, Jr., Eloy; Dupree, Wayne P.; Grinwis, Donald J.; Kanse, Johannes C.; Pelletier, Douglas P.; and Schulze, Oscar E. This patent is expressly incorporated herein by reference in the present application.
An embodiment of a system for achieving data access for the control computer described in 24Sederlund et al. is described in U.S. Pat. No. 5,568,615 (15Sederlund et al.) issued on Oct. 22, 1996 and entitled "Stealth interface for control computers" to Sederlund, Edward R.; Thomas, Nadene T.; Lindesmith, Robert J.; and Cowles, Russell W. This patent is expressly incorporated herein by reference in the present application for showing the status of the prior art and a manner of use respective to the present invention.
An embodiment of a system providing a Remote Field Unit (also referenced in abbreviated form as a "Remote", an "RFU", or a "Remote unit") for use with the control computer described in 24Sederlund et al. is described in U.S. Pat. No. 5,428,769 (69Glaser et al.) issued on Jun. 27, 1995 and entitled "Process control interface system having triply redundant Remote Field Unit field units" to Glaser, Robert S.; Hoy, Robert S.; Fernandez, G. Paul; and Grai, Timothy J. This patent is expressly incorporated herein by reference in the present application for showing the status of the prior art and a manner of use respective to the present invention.
An embodiment of a system providing an interface for reading electrical current in power distribution systems for use with the field unit described in 69Glaser et al. is described in U.S. Pat. No. 5,151,866 (66Glaser et al.) issued on Sep. 29, 1992 and entitled "High speed power analyzer" to Glaser, R. Steven and Bade, Jeffrey M. This patent is expressly incorporated herein by reference in the present application for showing the status of the prior art and a manner of use respective to the present invention.
An embodiment of a system providing a high speed gateway for use with the redundant control computer system described in Baca, Jr. et al. and the system for achieving data access for the control computer described in 24Sederlund et al. is described in
(a) U.S. Pat. No. 5,519,603 (Allbery, Jr. et al.) issued on May 21, 1996 and entitled "Intelligent process control communication system and method having capability to time align corresponding data sets" to Allbery, Jr., James D.; Troisi, Peter A.; Johnson, Susan J.; Cullen, James H.; Butler, Richard L.; Ferreira, James P.; Ellison, Joseph; Patel, Chiman L.; Uban, James E.; and Schultz, Dale H.;
(b) U.S. Pat. No. 5,428,745 (45de Bruijn et al.) issued on Jun. 27, 1995 and entitled "Secure communication system for re-establishing time limited communication between first and second computers before communication time period expiration using new random number" to de Bruijn, Ronny P.; Verboven, Marc L. K.; van Weele, Leonardus A.; Vermeire, Roger R.; Schulze, Oscar E.; Schultz, Dale H.; and Bell, Brian G.; and
(c) U.S. Pat. No. 5,561,770 (70de Bruijn et al.) issued on Oct. 1, 1996 and entitled "System and method for determining whether to transmit command to control computer by checking status of enable indicator associated with variable identified in the command" to de Bruijn, Ronny P.; van Weele, Leonardus A.; Verboven, Marc L. K.; Vermeire, Roger R.; Schulze, Oscar E.; Bell, Brian G.; and Schultz, Dale H.
These patents are expressly incorporated herein by reference in the present application for showing the status of the prior art and a manner of use respective to the present invention; the system that they describe is also denoted as the high speed interface (or HSI) in this specification.
An embodiment of a system providing human interfacing for use with the redundant control computer system and interfaces described in the above patents is described in U.S. Pat. No. 5,631,825 (van Weele et al.) issued on May 20, 1997 and entitled "Operator station for manufacturing process control system" to van Weele, Leonardus A.; de Bruijn, Ronny P.; Vermeire, Roger R.; Zemering, Christo; and Lenting, Ben. This patent is expressly incorporated herein by reference in the present application for showing the status of the prior art and a manner of use respective to the present invention.
Embodiments of systems providing real-time interpretation of Application Program code executing in the above systems are described in U.S. Pat. No. 5,491,625 (Pressnall et al.) issued on Feb. 13, 1996 and entitled "Information display system for actively redundant computerized process control" to Pressnall, Dana W.; Polishak, Jeffery T.; Felix, Bradley K.; Durisin, Michael J.; and Ellison, Joseph; and in U.S. Pat. No. 5,408,603 (Van de Lavoir et al.) issued on Apr. 18, 1995 and entitled "Global process control information system and method" to Van de Lavoir, Ronny; Follon, Marinus (Neerpelt, BE); and Ravenscroft, Ian. These patents are expressly incorporated herein by reference in the present application for showing the status of the prior art and a manner of use respective to the present invention.
A large graphical overview system providing interface to humans is deployed in the preferred embodiment along with the Operator Station. This graphical overview system is described in U.S. Pat. No. 5,726,668 (Clement) issued on Mar. 10, 1998 and entitled "Programmable graphics panel" to John L. Clement. This patent is expressly incorporated herein by reference in the present application for showing the status of the prior art and a manner of use respective to the present invention.
An embodiment of a system providing a new control computer for alternative future use as the processor in the redundant control computer system described in Baca, Jr. et al., and a manner of use in a coordinated distributed system, is described in (a) U.S. Pat. No. 5,655,133 (Dupree et al.) issued on Aug. 5, 1997 and entitled "Massively multiplexed superscalar Harvard architecture computer" to Dupree, Wayne P.; Churchill, Stephen G.; Gallant, Jeffry R.; Root, Larry A.; Bressette, William J.; Orr, III, Robert A.; Ramaswamy, Srikala; Lucas, Jeffrey A.; and Bleck, James; (b) United States Patent Application having Ser. No. 08/797,967 filed on Feb. 12, 1997 and entitled "A Dedicated Context-Cycling Computer" naming as inventors Dupree, Wayne P.; Verniers, Gerrit; Lucas, Jeffrey A.; Root, Larry A.; and Churchill, Stephen G.; and (c) U.S. Provisional Patent Application having serial No. 60/086,737 filed on May 26, 1998 and entitled "Distributed Computer Environment Using Real-Time Scheduling Logic and Time Deterministic Architecture" naming as inventors Woods, Randy D.; Jachim, David M.; Dupree, Wayne P.; Verniers, Gerrit H.; Churchill, Stephen G.; and Fernandez, George P. These patents and applications are expressly incorporated herein by reference in the present application for showing the status of the prior art and a manner of use in one contemplated embodiment respective to the present invention.
Additional features which were implemented in modifying a general process control system such as that described above, so as to incorporate the features necessary for economically providing a combined and unified (a) general process control system and (b) safety shutdown computer system, are appreciated through study of the summary and details respective to the present invention as further provided herein.
The present invention provides a process control system which receives input signals from a controlled apparatus and uses the input signals in determining at least one output signal modifying the characteristics of at least one respective control device in the controlled apparatus, where the source code for the general control of the apparatus and the source code for the safety shutdown system of the apparatus are compiled to control code in a single unified compilation.
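The following is an added illustration, not code from this specification or from the incorporated patents. It models the point made above and in the discussion of "potentially variant" logic: all potentially variant source for both the general control and the safety shutdown functions is compiled in one compile instance under one authority, so the deployed image carries a single build identity, and a deployer can reject an image whose general and safety halves came from different compiles. The two logic sets are written as ordinary Python so that the built-in compile() stands in for the control-code compiler; the module names, signal names, authority name, and the trip limit are constructed for the example.

```python
"""Unified compilation of general-control and safety-shutdown logic (added example)."""
import hashlib
import marshal
import time
from dataclasses import dataclass, field

# Constructed source for the two potentially variant logic sets.
GENERAL_SRC = '''
def control(inputs):
    # Proportional heater demand from the temperature error (constructed logic).
    demand = 0.5 * (inputs["sp_temp"] - inputs["pv_temp"])
    return {"heater": max(0.0, min(100.0, demand))}
'''

SAFETY_SRC = '''
TRIP_TEMP = 180.0   # constructed high-temperature trip limit
def safety(inputs, outputs):
    # The safety layer runs last and overrides the general output on a trip.
    if inputs["pv_temp"] >= TRIP_TEMP:
        return {"heater": 0.0, "tripped": True}
    return dict(outputs, tripped=False)
'''


@dataclass
class Image:
    build_id: str                                   # identity of the compile instance
    authority: str                                  # who performed the compile
    modules: dict = field(default_factory=dict)     # name -> marshalled code object
    manifest: dict = field(default_factory=dict)    # name -> (build_id, sha256 hex)


def _compile_module(name, src, build_id):
    code = marshal.dumps(compile(src, name, "exec"))
    return code, (build_id, hashlib.sha256(code).hexdigest())


def unified_compile(sources, authority, build_id=None):
    """Compile every source set in ONE compile instance: one build_id for all."""
    build_id = build_id or f"{authority}:{int(time.time())}"
    img = Image(build_id, authority)
    for name, src in sources.items():
        img.modules[name], img.manifest[name] = _compile_module(name, src, build_id)
    return img


def merge(images):
    """The pre-unification situation: logic sets compiled separately, then combined."""
    out = Image(build_id="mixed", authority=images[0].authority)
    for im in images:
        out.modules.update(im.modules)
        out.manifest.update(im.manifest)
    return out


def verify_unified(img):
    """Accept only if every module's bytecode matches its manifest hash and
    every module carries the same build_id as the image itself."""
    ids = set()
    for name, code in img.modules.items():
        build_id, digest = img.manifest[name]
        if hashlib.sha256(code).hexdigest() != digest:
            return False
        ids.add(build_id)
    return len(ids) == 1 and img.build_id in ids


def run_scan(img, inputs):
    """One control scan: general logic computes outputs, safety logic has the last word."""
    ns = {}
    for name in ("general", "safety"):
        exec(marshal.loads(img.modules[name]), ns)
    return ns["safety"](inputs, ns["control"](inputs))


if __name__ == "__main__":
    image = unified_compile({"general": GENERAL_SRC, "safety": SAFETY_SRC}, "plant-eng")
    print("unified image verifies:", verify_unified(image))
    print(run_scan(image, {"sp_temp": 150.0, "pv_temp": 185.0}))
```

The verification step is where the security benefit of the unified compile shows up: with two separately maintained systems there is no single artifact whose hash covers both logic sets, so a safety module compiled under one build and a general module compiled under another can be fielded together without any check noticing. With a single compile instance the manifest binds both halves to one build identity, and the same check also catches a module whose bytecode was altered after compilation.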
Details of the invention are fully appreciated from an examination of the detailed description and figures.