With the advance of computer technology over the past several years, there has been a concomitant use of computers in the automatic control of industrial processes. However, due to the critical need for providing continuous, accurate control over most processes either because of the extreme volatility of the finished product or because of the desire for greater efficiency and higher yields to offset the high cost of energy, there is a pressing need for enhanced security in DDC process control systems. Security as used herein refers to the ability of the system to provide automatic control under normal circumstances and to take corrective action in the event of abnormal occurrences such as occasional power interruption, component malfunctions and the like in the face of potential disturbances to the process.
Numerous techniques have been proposed over the years to improve the security aspects of these computer based process control systems. These include the provision of a backup controller available to take the place of the primary controller in the event of a failure (i.e., a redundant control system). Among the collection of patent art relating to such redundant control systems, there is included U.S. Pat. No. 3,636,331 (Amrehn) and U.S. Pat. No. 4,141,066 (Keiles).
Keiles discloses a process control system that includes a plurality of primary process controllers, with each having stored in its random access memory (RAM) configuration information that is compatible with the type of control function being performed by the particular controller. There is also disclosed a single backup controller arranged to be substituted for a failed primary. However, since Keiles' backup is not being used for monitoring and controlling the process, its RAM is devoid of any configuration information, and accordingly upon failure of a primary, the RAM of the primary controller is transferred to the RAM of the backup to allow it to assume the identity of the failed controller. Although not entirely clear from the disclosure, it does not appear that Keiles is concerned with automatically preserving dynamic (i.e., current process input/output values, results of time dependent calculations, etc.) state information in addition to the static (i.e., configuration) information. Furthermore, there is a high likelihood that the data base will be corrupted if controller failure occurs while updating this information.
Amrehn, on the other hand, proposes a system for controlling a chemical plant employing two identical computers whose control programs are subdivided into phases that correspond to operational phases of the chemical process. Although Amrehn's system purports to have backup capability which assumes control in the event of a breakdown of the primary control computer without producing any disturbance to the process, it suffers from some drawbacks and disadvantages. Particularly, if there is such a failure, the backup only takes over control by starting at the beginning of the program phase which had been processed by the failing computer. This requires that "phase breaks" be carefully designed by the end users of the system (i.e., process plant operating management), especially during batch process control, so that the total process will not be endangered.
Also, in Amrehn's system a system check module periodically reviews the status of the primary controller; and if a failure occurs, the check module merely connects the backup computer to the data bus by means of activating a switching mechanism which Amrehn refers to as the data flow gate. No provision is included in the backup to determine the reliability of the data base (i.e., program phase change information) which was transferred by the failed primary just prior to switchover. As Amrehn points out, the last command of a phase can be altered or obliterated if the primary fails during a phase change.
It is also apparent that these prior art redundant control strategies, upon failure of the primary controller and during transfer to the backup controller, can create a severe process "bump". These bumps can result in reduced efficiencies in the overall control of the process.