Automatic control or automation is very important within industrial production, for example in order to eliminate monotonous tasks and lessen hazardous elements in a production line. In general automation also increases the efficiency as well as the quality of a process and is an excellent means to meet today's demands for non-environmental influence and economical production.
The different process sections in a typical plant are linked in some way, either by process flow or by energy flow. These circumstances bring about the drawback that shutting down one process section quickly causes other shut downs of other process sections located up- and downstream and eventually a shut down of the whole plant. It is very important to have constant availability to the plant using such process control systems since a standstill of the production is quite expensive. Starting up a plant is generally a time-consuming process, often requiring several hours or even days. A stop in one section thus causes production losses, which can be in the multimillion-dollar range. Further, a stop and restart also causes excessive wear on process equipment and catalysts. This in turn entails maintenance work more frequently, servicing and catalyst replacement, thus adding to the long-term cost of operation.
It is often necessary to make changes to the way the processes are controlled in order to improve equipment utilization, minimize defects and off-spec quality, optimize energy consumption and so on. Regular updates of system software are thus necessary for improving existing routines as well as for correcting shortcomings of the routines used. The control programs controlling the processes are therefore subject to continuous development in order to meet the changing demands. In view of the high costs associated with a production stop such changes of the control programs are normally performed on-line, but to make a change on-line entails a risk of upsetting the process being changed and care has to be taken when upgrading the process applications.
More specifically, when such updates are to be made, the version presently being used is overwritten by the new, upgraded version. This can bring about serious problems should the new version not be adequately downloaded, if the new version contains bugs or if it is non-functioning or if it contains unforeseeable incompatibilities with the system, for example leading to disturbances or instabilities in the controlled process. Should a need to revert to the old version arise, this previous code has to be downloaded again. The production could then possibly halt until the old version is up and running again. As mentioned, such interruptions in production are very expensive, or could even, depending on the industry in question, be dangerous. It is difficult to foresee whether a new version of a control application would be functioning in a real environment, and if it is not functioning, it is very difficult to know which part of the application is not functioning satisfactory.
One approach to address these problems is described in the published patent publication U.S. Pat. No. 5,491,625. The approach presented in this patent publication uses two controllers that are tightly coupled to each other, for example a primary and a redundant controller. One of the controllers run the current version of the control program and the other one executes the new version. Both controllers read values from the process, but outputs from the second controller are blocked such that only outputs from the first controller can affect the process. A user can compare the results of the two controllers and thus determine if the new version of the control program behaves in a correct way, before he or she switches over to let the new version actively control the process. A difficulty of this state of the art solution is that it requires two controllers, which increases the cost. A further difficulty is that it requires some kind of synchronization and arbitration mechanism between the two controllers, in order to synchronize execution cycles, arbitrate between the process outputs from the two controllers, determine any differences in results and generate a difference report. The synchronization must be very tight to ensure that both controllers for each execution cycle uses process input values relating to identical samples of process inputs and external variables. This further increases the complexity and cost of the proposed solution. A yet further difficulty is that if the two controllers are a primary and a redundant controller, the redundant controller is used to execute the new version of the control program and therefore does not function as a back-up for the primary controller for the duration of the evaluation.
It would thus be desirable to provide an improved way of changing or upgrading versions of a control program or an application within a system, and to make such change or upgrading without disturbances in the production.