The present invention generally relates to control systems, and more specifically to a fault management method and apparatus for a system that includes at least one electro-mechanical or electro-hydraulic component. Applications of the apparatus include fail-safe actuators that control the closure speeds and torques applied to system valves, so as to minimize hydraulic shock waves or valve damage caused by runaway kinetic energy.
In many industrial applications where hazardous or large quantities of fluid are handled, it is important that the facility be constantly monitored and shut down in the case of an emergency to avoid potential injury to personnel or damage to the facility. One condition that is typically monitored is the main power. Additionally, sensors may be used to detect emergency conditions, such as escaping fluid, fire, etc. In each case, it is important to have a scheme for shutting down the industrial plant or facility and, equally important, for re-instating the operation of the facility after the emergency condition has been eliminated or power restored.
Numerous controllers and actuators have been devised for dealing with the problem of shut down. While many supervisory control systems are known, the known systems for actuating an electro-mechanical or electro-hydraulic component, such as a pump discharge valve, are reactionary in nature. Thus, there is virtually no time lapse between a fail-safe signal and valve closure. Such reactionary devices have two major disadvantages. Firstly, being primarily mechanical or hydraulic in nature, such actuators are normally not capable of stopping once initiated and, once initiated, dispense all of their energy within a very short period of time. Afterwards, these devices must be reset, which may take some time and effort. The primary disadvantage, however, of using such reactionary devices is that once initiated, they act almost instantaneously and can induce hydraulic shock waves in the system being controlled and damage valves or other system components.
Numerous programmable controller devices are also known in supervisory control systems which provide supervisory control in a sequential or selective manner and which provide time-responsive control. In some instances, the programmable logic circuits (PLCs) are designed specifically for providing protection or reliability features, including backup or standby. However, in most instances, the backup or standby controllers merely include auxiliary power for operating the controller itself. In most controllers in which power supplies are used, such supplies are normally themselves disabled in the event of a power failure. Thus, in most such systems, the backup power supply is merely intended to provide sufficient power to continue operation of the controller circuits, and is not designed or adapted to provide sufficient power to a controlled element, such as a valve or the like.
In U.S. Pat. No. 5,095,438, an engine controller is disclosed which is connected to an automobile battery. In this patent, it appears that the battery is merely used as a backup power source for maintaining memory and RAM and possibly other logic circuits.
Numerous uses of programmable controllers have been proposed in conjunction with process plants, where the controllers are intended to monitor control parameters and maintain a process by regulating various controlled elements. Thus, in U.S. Pat. No. 4,005,581, an apparatus is disclosed for controlling a steam turbine which includes a controller. In U.S. Pat. No. 4,059,745, a system is disclosed for regulating a process with a single final control element, such as a valve, to ensure that process variables do not exceed the acceptable minimum or maximum limits. U.S. Pat. No. 4,074,354 illustrates the use of a digitally controlled apparatus for regulating a valve on the basis of sensing signals received from field sensing devices. That system provides a centralized maintenance backup system for supplying backup control signals to selected field control devices while their normal control signals are interrupted during servicing of various system components. In U.S. Pat. No. 4,360,882, there is disclosed a control system in which a controller is used to prevent a stuck valve from being overdriven by a controller.
It is also known to control turn-off or job recovery after a malfunction has been detected. Thus, in U.S. Pat. No. 4,521,847, a control system is disclosed for job recovery after a malfunction. Such control systems are also used in the field of sequential control for the safety of numerically controlled machine tools, such as disclosed in U.S. Pat. No. 5,111,383. Microprocessor control is disclosed in U.S. Pat. No. 4,729,089, in which the controller ensures proper sequencing in a heat pump air-conditioning system. There, microprocessor control is used to prevent transient noise from resetting the microprocessor and restarting the system.
In U.S. Pat. No. 5,057,994, a control system for an industrial plant is disclosed in which a controller is utilized to receive the outputs of numerous sensors that detect parameters of the industrial plant. The controller is provided with fault logic for providing shut down mechanisms for the industrial plant. The prior art does not, however, include intelligent fail-safe devices for electro-mechanical or electro-hydraulic components that do not rely on reactionary devices, such as spring, pneumatic or hydraulically driven devices, which may cause damage both to the components being controlled and to the system in which they are incorporated.