Field of the Invention
The present invention relates to a process control apparatus and system and to an updating method therefor.
Priority is claimed on Japanese Patent Application No. 2013-131714, filed Jun. 24, 2013, the content of which is incorporated herein by reference.
Description of Related Art
Conventionally, in a plant, a factory, and so on (hereinafter, collectively referred to as a plant), a processing control system is implemented that controls various state quantities (for example, pressure, temperature, and flow amount, or the like) in an industrial process, thereby achieving highly automated operation.
Specifically, for example, as indicated in Patent Reference 1 (Japanese Patent Publication No. 4399773), Patent Reference 2 (International Patent Publication 2005/050336), and Patent Reference 3 (US Patent Application Publication 2007/0078980) below, a controller forming the core of the process control system acquires detection results from a plurality of sensors (flowmeters and temperature gauges or the like). Depending upon these detection results, the controller determines the actuation amounts of actuators (such as valves). The controller operates the actuators depending upon the actuation amounts, so that the above-described state quantities are controlled.
Although conventional plant control systems have been implemented using dedicated devices having unique specifications, in recent years plant control systems are in the process of becoming open, and many of them have come to be implemented using general-purpose devices (such as computers and workstations) with general-purpose open specifications. In a plant control system using such general purpose devices, similar to the case of general information systems, it becomes necessary to replace hardware and improve software. Software improvements include such things as functional enhancement of an operating system and correction of problems or vulnerability in the operating system.
Patent Reference 4 (Japanese Laid-open Patent Publication No. JPA 11 (1999)-3240) noted below discloses art, in a computer control system in which duplexed processors units (control side and standby side) are installed, enabling a change in the system program without influencing the object of control. Specifically, the standby side is temporarily stopped and loaded with a new system program, after which the standby side is started, the application data that had been stored in the control side is copied into the standby side, and then the control side is stopped and the standby side is then started as the control side, so that the system program is changed without influencing the object of control.
Because almost all process control systems are required to operate continuously over long periods of months or years, it is not possible to arbitrarily stop a process control system that is in operation. For example, with the exception of shutdowns for periodic maintenance or to establish plant safety, stopping a process control system is basically not allowed.
Because from a safety standpoint a process control system is required not to exhibit faulty operation or loss of operation, if the cause of faulty operation or the like (for example, a problem or weakness in the operating system) is discovered, it is necessary to take immediate action (updating of the operating system) that can eliminate that cause. However, as described above, because a process control system cannot be arbitrarily stopped, even if a potential cause of faulty operation is discovered, this may lead to a problem in which it is not possible to take appropriate action immediately.
It can be envisioned that, using the art disclosed in Patent Reference 4 noted above, it is possible to update the operating system without stopping the process control system and influencing the object of control. However, the art disclosed in Patent Reference 4 noted above executes a new system program at the control side, without sufficiently verifying operation under actual operating conditions. This may lead to a problem that, even if it is possible to update the operating system without stopping the process control system, it is not possible to guarantee stable continued operation of an application on a newer operating system of which version is upgraded.