[go: up one dir, main page]

GB2272611A - Control system for machinery and/or plant apparatus - Google Patents

Control system for machinery and/or plant apparatus Download PDF

Info

Publication number
GB2272611A
GB2272611A GB9223182A GB9223182A GB2272611A GB 2272611 A GB2272611 A GB 2272611A GB 9223182 A GB9223182 A GB 9223182A GB 9223182 A GB9223182 A GB 9223182A GB 2272611 A GB2272611 A GB 2272611A
Authority
GB
United Kingdom
Prior art keywords
control
control station
station
slave
processor
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
GB9223182A
Other versions
GB9223182D0 (en
Inventor
Paul Marshall
Michael Beizsley
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Integrated Control Platforms Ltd
Original Assignee
Integrated Control Platforms Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Integrated Control Platforms Ltd filed Critical Integrated Control Platforms Ltd
Priority to GB9223182A priority Critical patent/GB2272611A/en
Publication of GB9223182D0 publication Critical patent/GB9223182D0/en
Publication of GB2272611A publication Critical patent/GB2272611A/en
Withdrawn legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/28Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40Bus networks
    • H04L12/403Bus networks with centralised control, e.g. polling
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/28Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40Bus networks
    • H04L2012/4026Bus for use in automation systems

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Hardware Redundancy (AREA)

Abstract

This invention provides a control system 40 for controlling machinery and/or plant apparatus, comprising a plurality of control stations 42 - 60 interconnected by at least one discrete communications network 62, 64, each control station (fig. 2, not shown) comprising a system processor (90) and at least one operational processor (92 - 98), whereby each control station can execute control algorithms, and interface to controlled apparatus and control system operators, simultaneously. Preferably one control station is initially configured as a master control station and its system processor governs the systems processors of the remaining control stations which are designated as slave control stations. In the event that the master control station becomes disabled, any one of the other control stations may be designated the master control station and any of the remaining control stations may be commanded to perform any of the duties previously performed by the disabled control station. <IMAGE>

Description

CONTROL SYSTEM This invention relates to a control system and is particularly, though not exclusively concerned with a control system for use in a complex installation such as a power station, oil refinery, ship or off-shore oil rig.
A typical such control system, for example that of a ship, is illustrated in the accompanying drawing labelled PRIOR ART. The prior control system 02 of ship 04 comprises two major control centres 06 and 08 respectively. Each control centre 06, 08 comprises a control processor, 10, 12 respectively, linked to separate display processors 14, 16 respectively. Display-processors 14, 16 have the capability to drive several operator interface stations 18, 20 respectively, which comprise a number of display screens and command input devices. Each control processor 10, 12 has the capability to run all control algorithms and applications which manage the operational control the ship apparatus, via the plant stations 26. The control centres are located apart from each other to minimise the risk of both control centres being disabled.The control centres 06, 08 are linked via at least two communications networks 22, 24 to the plant stations 26. The plant stations interface to the major apparatus of the ship for example, engines, rudder, pumps, valves, which are under the control of the control system. Each plant station 26, is located close to the apparatus that it interfaces too, therefore, plant stations 26 are distributed about the ship in several locations. The communications networks 22, 24 take different routes about the ship to minimise further the risk of both control centres being simultaneously disabled through damage to a network.
During normal operation, a control centre, for example control centre 06, has total control of the ship apparatus via the plant stations. The other centre, in this example control centre 08, is maintained as a backup to the operational control centre 06 and has a monitoring function allowing changeover to the backup control centre 08 at any time. Typically, with prior control systems, that changeover may take up to five minutes to complete. Such changeover times are disadvantageous in that the installation, i.e. the ship, is without automated control of its major plant until changeover is completed. In the context of critical safety installations, or similar, such changeover delays can be disastrous.A further disadvantage of such control systems is that of operational degradation which affects the speed of operation and damage tolerance of such a control system.
Operational degradation relating to operation speed occurs when the control processor, within the operational control centre 06, has to process so much information that it adversely affects the operational performance of the control system. This type of operational degradation increases, for a given control processor capacity, with the control sophistication required and the number of control points in an installation. Increasing the capacity of the control processor only helps to a certain extent. With increasing complexity, other factors start to affect the operational performance. Thus this type of control system is limited to the number of points or size of an installation that can be effectively managed.
Operational degradation, relating to damage tolerance, occurs when the sustainable operational performance of the installation is adversely affected after one or both control centres 06, 08 or plant stations 26 have been damaged. With a conventional control system of the type described, the installation can be controlled from one of the control centres in the event that the other is disabled. If both control centres are disabled then the installation is immediately left without automated control. This also applies to individual pieces of ship apparatus which are immediately left without automated control when a plant station becomes disabled.
There is a conflict in prior control system designs between the need for more control processing capacity and the need for a good operational degradation characteristic. That is, providing adequate operational performance and ensuring that the installation can be controlled even after sustaining damage, while trying to reduce the cost of installing multiple control redundancy. Previously, control systems have been limited to about 5000 control points whereas it is anticipated that future requirements for control systems, in increasingly complex installations, will require several thousand additional control points.
According to the invention, there is provided a control system for controlling machinery and/or plant apparatus, comprising a plurality of control stations interconnected by at least one discrete communications network, each control station comprising a system processor and at least one operational processor, whereby each control station can execute control algorithms, and interface to controlled apparatus and control system operators, simultaneously.
In such a system, there are typically three operational processors. Also, each operational processor may be a specific type suitable for application execution, human computer interfacing or controlled apparatus interfacing and each control station may comprise several of each type of operational processor.
Each controlling algorithm/application may be executed on more than one control station. Each plant/machinery apparatus control sensor input point may be read by more than one control station. Each plant/machinery apparatus signal control output point may be generated by more than one control station. The control system is preferably arranged so that all human computer interaction facilities can be provided from more than one control station.
The control system is preferably capable of automatic configuration, whereby one control station becomes the designated master control station and its system processor governs the system processors of all the other control stations which become designated slave control stations. In the event of disablement of the current designated master control station, or any part- of the control station interconnections, any other control station can become the designated master control station. In the event of disablement of a designated slave control station, or any part of the control station interconnections, then the designated master control station will select application control/algorithm output and plant apparatus sensor inputs from other slave control station sources, as the remaining slave control stations will have functionality of the failed slave control station duplicated. Thus the control system is able to rapidly reconfigure and continue operating in the event that the currently designated control station is disabled.
The invention may be operated so that all plant/machinery apparatus input, human computer interface command input and application output data generated by each slave control station is gathered by the designated master control station, which is provided with means to determine the control system data value for each plant/application/human data item gathered from the plurality of sources (ie slave control stations), which then distributes the collated control system data, concerning the operation of the complete control system, to all the designated slave control stations. All control station and control system data is transmitted through each network to minimise the possibility of data corruption. The cycle is then continuously repeated under the control of the designated master control station at a rate commensurate with the hardware platform used to implement the control system.
The invention may be operated so that; should the current designated master control station become disabled, the control system will automatically reconfigure to establish another master control station from those remaining; should a slave control station become disabled, the designated master control station will select the source of the plant/application/human data item produced by the failed slave control station from another, still active slave control station or stations; should the control station interconnections become severed, the two separated halves of the control system will automatically reconfigure to take account of the lost control stations, respectively. The half with the designated master control station will act to select the source of the plant/application/human data item produced from the still connected slave control stations.
The half which lost the designated master control station will act to establish another a master control station from those remaining, thereby, the now two separate control systems will act independently to maintain control of as much of the installation plant/machinery as possible; should the master control station interconnections become severed from all the other control stations, the control system will automatically reconfigure to establish another master control station from those remaining.Meanwhile, the disconnected master control station will automatically reconfigure to operate in a stand alone mode to control only the specific installation plant/machinery associated with that control station; should a slave control station interconnection become severed from all the other control stations, the designated master control station will select the source of the plant/application/human data item produced by the failed slave control station from another still active slave control station. Meanwhile, the disconnected slave control station will automatically reconfigure to operate in a stand alone mode to control the specific installation plant/machinery associated solely with that control station.
A control system in accordance with the present invention will now be described, by way of example, with reference to the other accompanying drawings in which: Figure 1 is a schematic view of the control system in accordance with the present invention; Figure 2 is a schematic view of a control station included in the system of Figure 1; Figure 3 is a state transition diagram illustrating the system control sequences for the system of Figure 1; and Figure 4 is an operation diagram illustrating the system control data collection and distribution operational cycle for the system of Figure 1.
A control system in accordance with the present invention can be as small as 100 control points on two control stations or as large as 10,000 control points spread over an unlimited number of control stations. Such a control system 40 on a large ship, such as a Liquid Gas Carrier shown in Figure 1, comprises numerous control stations 42-60 interconnected by at least two Communications Networks 62 and 64.
Each control station 42-60 consists of a system processor 90 and a number of operational processors 92-98, such as that shown in Figure 2. A minimum configuration for a control station is with a system processor 90 and a single operational processor 96. However, a more typical configuration for a control station will be that configured with a system processor 90 and several operational processors 92-98 of various types as shown in Figure 2.
Each control station 42-60 is strategically located throughout an installation in accordance with the location of equipment under control, required position or level of operator interfacing, and operating philosophy adopted for the installation, such as safety, damage zones, failsafe operation etc. Each control station 42-60 has the capability to execute several controlling applications which are strategically allocated across all control stations by the system designer in accordance with the adopted operating philosophy. Each control station 42-60 has the capability to interface to numerous pieces of ship equipment through up to 1000 individual input and output control points. Each control station 42-60 has the capability to drive several operator interfaces 66-74.The nature of the control stations 42-60 is not critical as long as they can cope with the system functions required for the operation of the control system. The standard of implementation of the control stations 42-60 is also not critical, and for example might operate within a personal computer, racked bus computer, or workstation technology and using any suitable integration technology.
A system processor 90 is able to perform control system operational sequences as well as communication network and operational processor support functions. The system processor 90 is able to communicate with each operational processor via a standard industrial interface. The system processor 90 and operational processors 92-98 are implementation independent, allowing numerous execution platforms of various types from standard personal computer to full higher specifications for a given control system.
Operational processors 92-98 are able to provide three primary functions; application execution, operator interfacing and plant interfacing. Operational processors 92-98 are implementation independent, allowing the execution of a wide range of bespoke, user dependent, third party applications.
The communication networks 62, 64 are identical, that is to say "redundant". Each communication network 62, 64 connects every control 'station with every other control station within the installation. Each communication network 62, 64 carries all system data information to and from each control station 42-60 within the installation. Each communication network 62, 64 is arranged to continue functioning in the event of any other network becoming disabled. Each communication network 62, 64 takes a different route about the ship to further minimise the risk of both networks 62, 64 being simultaneously damaged. The nature of the networks 62, 64 is not critical as long as they can cope with the system data transfer rates required for the operation of the control system.The networks 62, 64 might be implemented using standard copper wiring, coaxial cables, or fibre-optic cables as a transmission medium. The protocol of operation of the communication networks 62, 64 is also not critical, and for example might operate FDDI, Ethernet or token ring protocols.
Each control station 42-60 is connected, via networks 62 and 64, to every other control station 42-60.
An operational plant processor 96 is configured into each control station that interfaces to the ship equipment such as the engines, steering gear, valves, pumps, etc. The controlled equipment items are not shown in Figure 1, only the control stations, networks and operator interface means.
Control stations 42-60 are shown connected to operator interface means 66-84, respectively. Operator interface means 66-70 are fixed display and command consoles.
Operator interface means 72, 74 are desktop computers of various sizes. Operator interface means 76, 78 are portable computers. Operator interface means 80-84 are hand held computers. Any of the above types of operator interface means can be connected to any control station, simultaneously, to apply operator control commands and display control system information. The individual applications are designated by the system designer to execute on at least two control stations which are strategically located in different parts of the ship.
Critical ship equipment control outputs and sensor inputs are designated by the system designer to interface to at least two control stations which are strategically located in different parts of the ship. One control station, for example control station 60, is designated by the system designer to act as the primary "master" control station.
All remaining control stations 42-58 will reconfigure to "slave" control stations in the control system. Each "slave" control station 42-58 is able to take over the role of master" control station in the event of the current "master" control station becoming disabled. This could be due to either a hardware failure of the station itself or its connection to the communication networks.
Referring to Figure 4, a system processor first gathers [1] all plant/machinery sensor input, human computer interface command input and application output data generated by its associated control station. The designated master control station gathers [2] all plant/machinery sensor input, human computer interface command input and application output data generated by each slave control station. This data is then collated [3] by the master control station which determines which slave control station source to select for every control system data value from each plant/application/human data item gathered from the slave control stations. When completed, the master control station then distributes [4] the collated control system data values, concerning the operation of the complete control system to all slave control stations.After receiving a copy of the collated control system data each system processor distributes [5] the received data to each operational processor within the associated control station. The operational processors then begin execution [6] of their assigned control applications and algorithms, simultaneously. All control station and control system data is transmitted through each network to minimise the possibility of data corruption. This operational cycle is repeated continuously, under the control of the designated master control station, at a rate commensurate with the hardware platform used to implement the control system.
Referring to Figures 1, 3 and 4, in the first stage of operation of a system processor, the "Control Initialisation" state (1), occurs after a power-up or reset event of a control station, via "Station Reset" path (a).
The system processor executes its own initialisation and self-check procedures and tries to establish communications with each operational processor configured within the associated control station. If the system processor diagnoses that all processors within a control station (including itself) are healthy, then it progresses to the "Control Configuration" state (2), via "Station Initialisation Completed" path (b). If the system processor detects or diagnoses a fault within the associated control station then it goes to the "Control Failure" state (11), via "Station Initialisation Failure" path (c).
In the "Control Configuration" state (2), a system processor waits, via "Await Status Message" path (d), for the receipt of a "Station Status Request" message from the master system processor. If the predetermined time-out period for the system processor, for example the one associated with control station 46, expires before a "Station Status Request" message is received, then the system processor progresses to the "Control Master Configuration" state (3), via "Status Message Timeout" path (e), as it is has been configured to have the shortest time-out period within the control system configuration.Another system processor, for example the one associated with control station 60, will, upon reaching its own "Control Configuration" state (2), still be waiting for a "Station Status Request" message, via "Await Status Message" path (d), from the designated master system processor associated with control station 46. The system processor of control station 60, upon receipt of a "Station Status Request" message, progresses to the "Control Slave Configuration" state (5), via "Status Message Received" path (m).
In the "Control Master Configuration" state (3), the system processor becomes the designated master system processor, hence its associated control station becomes the designated master control station for the control system. All other control stations and their associated system processor become slave control stations and slave system processors, respectively. All control stations are loaded with a complete set of code, configuration and control data for all control stations within the control system. The master system processor will first try to locate and load its own associated control station operating code, configuration and control data from the control system program data.If any part of the operating code, configuration or control data cannot be located, or has been corrupted, the master system processor loops back to the "Control Master Configuration" state (3), via "Await Master Download" path (f), to await a download of the program data from an external source.
The master system processor, after it has successfully loaded its own operating data, will send a "Process Status Request" message to each active operational processor found during "Control Initialisation" state (1), and then wait for short, predetermined time-out period for the operational processor to reply. Meanwhile, each operational processor will have completed its own initialisation and configuration procedures, the results being contained in the "Process Status Acknowledge" reply message, which is sent upon receipt of a "Process Status Request" message from the master system processor. The master system processor, after receiving a "Process Status Acknowledge" message, will determine if the corresponding operational processor requires operating data.If so, then the master system processor will 'send a "Process Code Data" message containing the appropriate operating code data to the operational processor in question and then wait for a short predetermined time-out period for the operational processor to reply The operational processor, after loading the received program code, will send a "Process Status Acknowledge" message back to the master system processor containing the status of the operation.
If the operating code was not successfully received and loaded by the operational processor, the sequence is repeated a predetermined number of times. If the code transfer sequence was not successful after this, then the master system processor will update the control station Health Status, accordingly, to remove the affected operational processor from further master control station activity. If the operating code transfer was successful, then the sequence is repeated for each active operational processor for the transfer of operating configuration and control data. If there is a failure in any part of the operating data transfer sequences, then the master system processor loops back to the beginning of the "Control Master Configuration" state (3), via "Await Master Download" path (f), to await an operating data download from an external source. If all the operational processors were successfully loaded with their specific operating data then the master system processor proceeds to the "Control Master Initialisation" state (4), via "Master Configuration Successful" path (g).
In the "Master Initialisation" state (4), the designated master system processor, and operational processors within the associated master control station, action their respective control process and operation initialisation procedures, simultaneously. If the master system processor detects a fault, with itself or with any of the operational processors, then the master system processor goes to the "Control Failure" state (11), via "Master Initialisation Failure" path (aa). If no fault has been detected during master control station initialisation, the master system processor loops, via "Establish System Configuration" path (h), sending a "Station Status Request" message to every slave system processor of the associated slave control stations 42-44,48-60 and waits for a predetermined period for a "Station Status Acknowledge" reply message.
The master system processor, upon receipt of the "Station Status Acknowledge" message containing the slave control station current health status or when the predetermined message time-out period expires, will update the control system health status, accordingly.
Initially, should a responding slave system processor indicate that its associated slave control station is not loaded with program data, or what is loaded has been corrupted, then the master system processor will send a "System Code Data" message containing a copy of the control system program code data to the appropriate slave system processor and then wait for a "Station Status Acknowledge" message in reply. The slave system processor, after loading the received code data, will send a "Station Status Acknowledge" message back to the master system processor containing the status result of the operation. If the program code loading operation failed with the slave system processor the sequence is repeated a predetermined number of times.If the program code loading operation was not successful after this, then the master system processor will update the control system health status, accordingly, to remove the affected slave control station from any further control system activity. If the program code loading operation was successful and the responding slave system processor indicates that its associated slave control station requires program configuration and/or control data, or what is loaded has been corrupted, then the master system processor will repeat the data loading sequences, with the slave system processor, for control system program configuration and control data.
The master system processor, after successfully completing any required program loading sequences, loops back to "Control Master Initialisation" state (4), via "Establish System Configuration" path (h), for a predetermined number of times, sending a "Station Status Request" message to each active slave system processor and waiting for a predetermined period for the slave control station to reply with a "Station Status Acknowledge" message. For each "Station Status Acknowledge" message received the master system. processor will update the control system Health Status entry for the appropriate slave control station.If no "Station Status Acknowledge" message replies are received, that is to say if the is a problem with either the master control station connection to the network or a complete control system network failure, then the master system processor goes to the "Control Stand Alone" state (9), via "Master Initialisation TimeOut" path (i). If the predetermined number of consecutive "Station Status Acknowledgement" messages are received from at least one slave control station then the master system processor progresses to the "Control Master" state (7), via "Master Initialisation Completed" path (j).
In the "Control slave Configuration" state (5), the system processor becomes a designated slave system processor, hence its associated control station becomes a designated slave control station of the control system. The slave system processor will first try to locate and load its own operating code, configuration and control data for its associated slave control station. If any part of its operating data cannot be located, loaded, or is found to be corrupted, then the slave system processor updates its associated control station Health Status and then loops back to "Control slave Configuration" state (5), via "Await slave Download" path (n). The slave system processor will wait here indefinitely for the receipt of a "Station Status Request" message from the master system processor or for a download of program data from an external source.The slave system processor, upon receiving a "Station Status Request" message from the designated master system processor, responds by sending a "Station Status Acknowledge" message back to the master system processor containing its associated control station health status. Should a slave system processor indicate that its associated control station is not loaded with program data, then it will wait for a "System Code Data" message from the master system processor containing a copy of the control system program code data. The slave system processor, upon receiving a "System Program Code" message from the master system processor and loading the received program code, will send a "Station Status Acknowledge" message back to the master system processor containing the status result of the operation.If the program code loading sequence failed then it is repeated a predetermined number of times. If a program code loading sequence was not successful after this, then the slave system processor loops back to the "Control slave Configuration" state (5), via "Await slave Download" path (n), to await program download from an external source.
If a program code loading sequence was successful and the slave system processor indicates that its associated slave control station is not loaded with program configuration or control data, or what is loaded has been corrupted, then the program loading sequences will be repeated for control system program configuration and control data.
If there is a failure in any part of the program loading operation, then the slave system processor loops back to the beginning of the "Control Slave Configuration" state (5), via "Await Slave Download" path (n), to await program download from an external source.
Once the slave control station has successfully been loaded with a complete copy of the control system program data, it will initiate an operational processor operating data transfer operation.
The slave system processor will send, for each active operational processor found during "Control Initialisation" state (1), a "Process Status Request" message and then wait for a predetermined period for the operational processor to reply with a "Process Status Acknowledge" message.
Meanwhile, each operational processor will have completed its own initialisation and configuration procedures, the results being contained in the "Process Status Acknowledge" reply message, which is sent upon receipt of a "Process Status Request" message from the slave system processor. If an operational processor is awaiting operating code data, the slave system processor will send a "Process Code Data" message containing the appropriate data and then wait for a predetermined period for the operational processor to reply with a "Process Status Acknowledge" message. The operational processor, after loading the received operating code, will send a "Process Status Acknowledge" message back to the slave system processor containing the status of the operation. If the operating code transfer was not successful, the sequence is repeated a predetermined number of times. If the operating code transfer was not successful after this, then the slave system processor will update its control station Health Status, accordingly, so removing the affected operational processor from further slave control station activity. If the operating code transfer was successful then the sequence is repeated for each active operational processor within the associated slave control station. If there is a failure in any part of the operating data transfer sequences, then the slave system processor loops back to "Control Slave Configuration" state (5), via "Await Slave Download" path (n), to await program download from an external source. If all the operational processors were successfully loaded with their specific operating data then the slave system processor proceeds to the "Control Slave Initialisation" state (6), via "Slave Configuration Successful" path (o).
In the "Slave Initialisation" state (6), the slave system processor, and operational processors within the associated slave control station, action their respective control process and operation initialisation procedures, simultaneously. The slave system processor then updates its control station health status with the result of the initialisation operation, and should a fault be detected or diagnosed with itself or with any of the operational processors, then the slave system processor goes to the "Control Failure" state (11), via "Slave Initialisation Failure" path (bb). If no fault is found the slave system processor loops, via "Await Status Message" path (p), waiting a predetermined period to receive a "Station Status Request" message from the master system processor.For each "Station Status Request" message received the slave system processor will update its control station Health Status and send "Station Status Acknowledge" reply message back to the master system processor. If a "Station Status Request" message is not received before the timeout period expires, that is to say if there is a problem with the master control station, connection of the slave control station to the control system network, or a complete failure of the network, then the slave system processor goes to the "Control Stand Alone" state (9), via "Slave Initialisation TimeOut" path (q). If the predetermined number of consecutive "Station Status Request" messages are received from the master system processor, then the slave system processor proceeds to the "Control Slave" state (8), via "Slave Initialisation Completed" path (r).
In the "Control Master" state (7), the designated master system processor will immediately commence a Collection and Distribution (CAD) cycle. The master system processor will send [1] a Process Local Request" message to an operational processor, and then wait a short predetermined period for the operational processor to reply with a "Process Local Data" message. An operational processor, upon receipt of a "Process Local Request" message from the master system processor, will send a "Process Local Data" message back to the master system processor containing the output from its control/operational algorithms and its current health status.
The master system processor, upon successful receiving a "Process Local Data" message, will store the operational data contained within the message for processing later on.
The local operational data transfer sequence is then repeated for each active operational processor within the associated master control station. Should an operational processor not respond with a "Process Local Data" message before the timeout period has expired, then the master system processor will update its control station health status, accordingly.
When all operational data has been collected, the master system processor processes this information to compile a "Station Local Data" message containing the all application/plant/operator inputs and a set of application /plant outputs generated by the associated operational processors of the master control station. The master system processor will then send [2] a "Station Local Request" message to each slave system processor, starting with the first slave control station in the control system configuration, and then wait a short predetermined time for the slave system processor to reply with a "Station Local Data" message.The slave system processor after receiving a "Station Local Request" message will send a "Station Local Data" message back to the master system processor containing all the application, plant, and operator inputs as well as set of application and plant outputs generated by the associated operational processors of the slave control station.
The master system processor upon successfully receiving a "Station Local Data" message will store the local operational data contained within the message for processing at a later stage, and then update the control system Health Status entry for the appropriate slave control station. The "Local Data" transfer sequence is then repeated to collect all locally generated slave control station, including that from the designated master control station, hence the whole control system.
Should no slave system processors reply to any request messages then the master system processor returns to the "Control Configuration" state (2), via "Master Communications Failure" path (1), as it has can no longer communicate with any slave control stations. When all local data has been collected, the master system processor processes [3] this information to compile the "System Global Data" message which contains all application, plant, and operator inputs as well as the application and plant outputs for the whole control system. The master system processor then sends [4] the "System Global Data" as a broadcast message to every slave control station, simultaneously, thereby distributing current information concerning the complete control system to every slave control station within the control system.The master system processor then commences [5] a system data transfer sequence to distribute the current control system information to each active operational processor associated with the master control station. The master system processor sends a "Process Status Request" message to the first active operational processor and then wait a short predetermined period for the operational processor to reply with a "Process Status Acknowledge" message.
An operational processor sends a "Process Status Acknowledge" message containing its current operating status, in reply to the successfully received "Process Status Request" message from the master system processor, and then waits for a "Process System Data" message. The master system processor, after successfully receiving a "Process Status Acknowledge" message from an operational processor, sends a "Process System Data" message containing the most recent control system data to the operational processor and then waits a short predetermined-period for it to reply with another "Process Status Acknowledge" message.
The operational processor, after loading the control system data contained within the received "Process System Data" message, sends a "Process Status Acknowledge" message back to the master system processor containing the resultant status of the operation and then executes [6] its associated control applications and algorithms. The master system processor, upon successful receipt of this final "Process Status Acknowledge" message from the operational processor, updates the control station Health Status, accordingly, with the operating status contained in the acknowledgement message. The "System Data" transfer sequence is then repeated with each active operational processor associated within the master control station.
If there is at least one active slave control station within the control system, the master system processor will wait for a predetermined period, to allow the operational processors associated with each control station to execute their respective control and/or operation algorithms before loops back to "Control Master" state (7), via "Master Operation Cycle" path (k), to repeat another Collection and Distribution cycle. Should an -operational processor not respond to the "System Data" transfer sequence, then the master system processor will update the control station Health Status, accordingly, so removing the affected operational processor from further master control station activity.Should a slave system processor not respond to any System or Station messages for a predetermined number of times, then the master system processor will update the control system Health Status entry for the appropriate slave control station, so removing that slave control station from any further control system activity. Should the master system processor detect a fault with its associated master control station then it goes to the "Control Failure" state (11), via "Master Failure" path (cc), to try and deal with the failure event.
In the "Control Slave" state (8), a slave system processor will send [1] a "Process Local Request" message to an active operational processor, and then wait a short predetermined timeout period'for the operational processor to reply. An operational processor, upon receipt of a "Process Local Request" message from the slave system processor, will immediately send a "Process Local Data" message back to the slave system processor containing its control application and algorithm outputs and current health status. The slave system processor upon receipt of a "Process Local Data" message will store the operational data contained within it, for processing later. The "Operational Data" transfer sequence is then repeated for each active operational processor within the associated slave control station.
Should an operational processor not respond with a "Process Local Data" message before the timeout period has expired, then the slave system processor will update the control station Health Status, accordingly. The slave system processor after collecting all the operational data processes it, along with its associated slave control station health status, to compile a "Station Local Data" message. The slave system processor then waits [2] for a "Station Local Request" message from the designated master system processor, and upon receiving the request message immediately sends the compiled "Station Local Data" message back to the master system processor. The slave system processor then waits again [3] and [4], this time for a "System Global Data" broadcast message, containing the current information concerning the complete control system, from the designated master system processor.
The slave system processor, after receiving the "System Global Data" message, commences a System Data transfer sequence [5) by sending a "Process Status Request" message to the first active operational processor, within the associated slave control station, and then waits a short predetermined period for the operational processor to reply.
An operational processor, upon the receipt of a "Process Status Request" message from the slave system processor, sends a "Process Status Acknowledge" message back to the slave system processor containing its current health status and then waits for the follow-on "Process System Data" message. The ' slave system processor, directly after receiving a "Process Status Acknowledge" message, sends a "Process System Data" message to the same operational processor containing a copy of the latest System Data and then waits a short predetermined period for a reply. An operational processor, after loading the System Data contained within the received "Process System Data" message, sends a "Process Status Acknowledge" message back to the slave system processor containing the status of the transfer operation and then execute [6] its assigned control applications and algorithms.The slave system processor, upon receipt of this final "Process Status Acknowledge" message, updates the control station Health Status according to the operating status contained in the acknowledgement message. The "System Data" transfer sequence is then repeated for each active operational processor within the associated slave control station.
The slave system processor then waits for a predetermined period to allow the operational processors, to execute their respective control and/or operation algorithms, before looping back to the "Control slave" state (8), via "slave Operation Cycle" path (s), to repeat another control system operating sequence. Should an operational processor not respond to the System Data transfer sequence, the slave system processor will update the control station Health Status, accordingly, so removing the affected operational processor from further control station activity.Should a slave system processor not receive any System or Station messages from the designated master system processor within the predetermined timeout periods, then it will update its associated control station Health Status accordingly, and go to "Control Configuration" state (2), via "slave Communications Failure" path (t). Should a slave system processor detect a fault within the associated slave control station then it goes to the "Control Failure" state (11), via "Slave Failure" path (dd).
In the. "Control Stand Alone" state (9), the system processor sends [1] a "Process Local Request" message to an active operational processor, and then waits a short predetermined timeout period for the operational processor to reply.
An. operational processor, upon receipt of a "Process Local Request" message from the slave system processor, will immediately sends a "Process Local Data" message back to the slave system processor containing its current health status and control application and algorithm outputs. The slave system processor upon receipt of a "Process Local Data" message stores the operational data contained within it, for processing later. The "Operational Data" transfer sequence is then repeated for each active operational processor within the associated control station.
Should an operational processor not respond with a Process Local Data" message before the timeout period has expired, then the system processor will update the control station Health Status, accordingly. The slave system processor, after gathering all the operational data, processes it, along with the associated slave control station Health Status, to compile a "Station Local Data" message. At this point (2] the system processor also generates a pseudo "System Global Data" message containing all the gathered operational data ready to send to the active operational processors in place of that normally received from the master system processor.
The system processor then waits [3] and [4] for a predetermined period before commencing a "System Data" transfer sequence (5] by sending a "Process Status Request" message to the first active operational processor, within the associated slave control station, and then waits a short predetermined period for the operational processor to reply.
An operational processor, upon the receipt of a "Process Status Request" message from the slave system processor, sends a "Process Status Acknowledge" message back to the slave system processor containing its current health status1 and then waits for the follow-on "Process System Data" message.
The system processor, directly after receiving a "Process Status Acknowledge" message, sends a "Process System Data" message containing a copy of the pseudo "System Data" to the same operational processor, and then waits a short predetermined period for a reply. An operational processor, after loading the System Data contained within the received "Process System Data" message, sends a "Process Status Acknowledge" message back to the system processor containing the status of the transfer operation and then execute [6] its assigned control applications and algorithms.
The system processor, upon receipt of this final "Process Status Acknowledge" message, updates the control station Health Status according to the operating status contained within the acknowledgement message. The "System Data" transfer sequence is then repeated for each active operational processor within the associated control station.
The system processor, after completing the pseudo "System Data" transfer sequence, goes to the "Control Retry" state (10), via "Communications Retry" path (u), to try and re-establish communications with either the currently designated master system processor or a slave system processor on another control station. While in the "Control Retry" state (10), the operational processors associated with the control station will be executing [6] their respective control and/or operation algorithms. Should operational control return to the "Control Stand Alone" state (9), via "Communications Retry Failure" path (w), the system processor will simply repeat the "Control Stand Alone" state (9) operating procedures from the beginning.
Should an operational processor not respond to any request messages, then the system processor will update the control station Health Status, accordingly, so removing the affected operational processor from further control station activity.
Should the system processor detect a fault with its associated control station hardware then it goes to the "Control Failure" state (11), via "Stand Alone Failure" path (ee).
In the "Control Retry" state (10), the system processor waits for a predetermined period to receive a "Station Status Request" message from the designated master system processor. Should a "Station Status Request" message be received within the timeout period, then the System processor will reply by sending a "Station Status Acknowledge" message containing the current operating status of the associated control station back to the designated master system processor. If this status communications between the system processor and the master system processor is maintained repeatedly for a predetermined number of sequences, then the system processor goes to the "Control slave Initialisation" state (6), via "Master Communications Re-Established" path (x).That is to say, when communications is restored the system processor becomes a designated slave system processor and responds to the current, designated master system processor in the normal manner. Should no "Station Status Request" messages be received before the timeout period expires then the system processor attempts to establish communications with any other control station within the control system. The system processor sends a "Station Status Request" message to the first control station in the normal control system configuration. Then, the system processor waits for a predetermined period for a "Station Status Acknowledge message in reply. If no reply is received after the timeout period has expired then the system processor repeats the above procedure to try and establish communications with each control station, within the control system.Should a reply be received from another control. station, then the system processor goes to the "Control Master Initialisation" state (4), via "slave Communications Re-Established" path (y), where the system processor becomes the designated master system processor of the communicating system processors. However, during normal control system operations this path is not expected to be a very likely occurrence, as control stations returning from Stand Alone operations would normally become designated slave control stations. If no replies are received at all, then the system processor goes back to the "Control Stand Alone" state (9), via "Communications Retry Failure" path (w), to run another pseudo control system Data Cycle.
In the "Control Failure" state (11), the system processor runs a control station self-check sequence, and if possible, updates the control station Health Status, accordingly. As part of the self-check sequence, to test for a Network connection failure, the system processor monitors the control system Network Communications activity, for a predetermined period, waiting the receipt of a "Station Status Request" message addressed to its associated control station. The system processor, upon receiving a "Station Status Request" message, sends a "Station Status Acknowledge" message containing the current health status of the associated control station back to the current master system processor.
If the system processor discovers a fault during a self-check sequence, then it loops back to the beginning of the "Control Failure" state (11), via "SelfCheck Sequence Failure" path (ff), to restart the self-check procedures.
If the self-check procedures do not reveal any faults after a predetermined number of sequences, then the system processor goes to the "Control Initialisation" state (1), via "SelfCheck Sequence Completed" path (gg), to reconfigure and initialise the associated control station in preparation for returning it to normal control system operations.
In the control system described above, after each system processor has completed its self-check and initialisation procedures, it pauses for a predetermined period of time, a timeout period, while it waits to receive a "Station Status Request" message from a master system processor. The timeout period is determined by the system designer and a different value is assigned to each system processor, hence each associated control station. The shortest period is assigned to the system processor which the system designer intends to act as the primary designated master control station for the whole control system.
In the event of a failure of the master system processor, within the master control station, the remaining slave system processors, and hence their associated slave control stations, will timeout and go into their "Control Configuration" state as they will not have received any System/Station messages from the now defective master control station. Each system processor commences its configuration and initialisation procedures and the system processor having the next shortest assigned timeout period becomes the new designated master system processor and its associated control station the new designated master control station of the whole control system.
The control system is able to reconfigure in such a manner in a period as short as l second, or less, depending on the speed of the system processors. In that period of reconfiguration, updated control data is fed to each remaining control station, within the control system, and the workload previously undertaken by the failed master control station is taken up and performed by the remaining control stations. Thus, the control system reconfigures and continues without the failed master control station.
Should a slave control station experience a failure event of some kind then the designated master system processor will simply send a configuration data update to each remaining slave control station, within the control system, and the workload previously undertaken by the failed slave control station is taken up and performed by the remaining control stations. Thus, the control system reconfigures itself and continues without the failed slave control station. If possible, the failed control station will enter either the "Control Stand Alone" state (9) or the "Control Failure" state (11), from which repair of the faulty control station sub-assembly can be undertaken.
Thus, a control system built and operated in accordance with the present invention, has improved damage and fault tolerance compared to prior art control systems.
Additionally, it is able to provide a large increase in the number of controllable operation points while maintaining faster system response times than those of conventional prior art control system with a smaller number of controllable operation points.
The control system in accordance with the present invention is able to provide a large increase in the number of control applications and algorithms that can be executed while maintaining faster system response times than those for a conventional prior art control systems with a smaller number of applications. Also, whereas the system response time of conventional prior art control systems is activity dependent, (i.e response time varying with the amount of signal processing currently being undertaken), the response time of a control system in accordance with the present invention is activity independent, and so system response times remain constant at a value set by the system designer.

Claims (11)

1. A control system for controlling machinery and/or plant apparatus, comprising a plurality of control stations interconnected by at least one discrete communications network, each control station comprising a system processor and at least one operational processor, whereby each control station can execute control algorithms and interface to controlled apparatus and control system operators, simultaneously.
2. A control system according to claim 1 in which the operational processors are selected from processors suitable for application execution, human/computer or controlled apparatus interfacing.
3. A control system according to claim 1 or 2 in which each control station comprises a plurality of different operational processors.
4. A control system according to any preceding claim in which each controlling algorithm/application is executed by more than one control station.
5. A control system according to any preceding claim in which one control station is initially configured as a master control station and its system processor governs the systems processors of the remaining control stations which are designated as slave control stations.
6. A control system according to claim 5 in which in the event of disablement of the presently designated master control station or at least a portion of a communications network any other control station can become the designated master control station.
7. A control system according to claim 5 or 6 in which in the event of disablement of a slave control station or at least a portion of a communications network, the presently designated master control station designates another slave control station to assume the functions of the first said slave control station.
8. A control system according to any one of claims 5-7 in which all data generated by the slave control station is gathered by the presently designated master control station.
9. A control system according to claim 8 in which the presently designated master control station distributes the gathered control system data to each slave control station.
10. A control system according to any one of claims 5 to 8 in which in the event of separation of a communications network into two separate halves, one half having the presently designated master control station, a slave control station in the other half will reconfigure as a master control station for that half of the control system.
11. A control system and method for operating a control system substantially as described herein with reference to the accompanying drawings.
GB9223182A 1992-11-05 1992-11-05 Control system for machinery and/or plant apparatus Withdrawn GB2272611A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB9223182A GB2272611A (en) 1992-11-05 1992-11-05 Control system for machinery and/or plant apparatus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB9223182A GB2272611A (en) 1992-11-05 1992-11-05 Control system for machinery and/or plant apparatus

Publications (2)

Publication Number Publication Date
GB9223182D0 GB9223182D0 (en) 1992-12-16
GB2272611A true GB2272611A (en) 1994-05-18

Family

ID=10724578

Family Applications (1)

Application Number Title Priority Date Filing Date
GB9223182A Withdrawn GB2272611A (en) 1992-11-05 1992-11-05 Control system for machinery and/or plant apparatus

Country Status (1)

Country Link
GB (1) GB2272611A (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2290389A (en) * 1994-06-18 1995-12-20 Int Computers Ltd Monitoring arrangement for a computer system
FR2760582A1 (en) * 1997-03-07 1998-09-11 Gen Electric COMMUNICATION SYSTEM HAVING A FAULT TOLERANCE CHARACTERISTIC AND ITS IMPLEMENTING METHOD
GB2328352A (en) * 1997-08-12 1999-02-17 Lucent Technologies Uk Limited Redundant communication network
US6230281B1 (en) 1998-08-26 2001-05-08 Lucent Technologies, Inc. Geographic redundancy protection method and apparatus for a communications network
GB2360856A (en) * 2000-03-30 2001-10-03 Llanelli Radiators Ltd Fault monitoring and safety takeover in an intelligent control unit
EP1355457A1 (en) * 2002-04-19 2003-10-22 Yamaha Corporation Communication management system and apparatus
WO2016202847A1 (en) * 2015-06-15 2016-12-22 TRUMPF Hüttinger GmbH + Co. KG Inverter for charging and/or discharging batteries

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0033228A2 (en) * 1980-01-24 1981-08-05 Forney International, Inc. Industrial control system
GB2104247A (en) * 1981-07-13 1983-03-02 Nissan Motor Automatic control of i c engines in vehicles
EP0168019A2 (en) * 1984-07-09 1986-01-15 Hitachi, Ltd. Controller for heat power plant
GB2173977A (en) * 1985-04-20 1986-10-22 Stc Plc Local area network

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0033228A2 (en) * 1980-01-24 1981-08-05 Forney International, Inc. Industrial control system
GB2104247A (en) * 1981-07-13 1983-03-02 Nissan Motor Automatic control of i c engines in vehicles
EP0168019A2 (en) * 1984-07-09 1986-01-15 Hitachi, Ltd. Controller for heat power plant
GB2173977A (en) * 1985-04-20 1986-10-22 Stc Plc Local area network

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2290389A (en) * 1994-06-18 1995-12-20 Int Computers Ltd Monitoring arrangement for a computer system
GB2290389B (en) * 1994-06-18 1998-03-11 Int Computers Ltd Monitoring arrangement for a computer system
FR2760582A1 (en) * 1997-03-07 1998-09-11 Gen Electric COMMUNICATION SYSTEM HAVING A FAULT TOLERANCE CHARACTERISTIC AND ITS IMPLEMENTING METHOD
US6298376B1 (en) 1997-03-07 2001-10-02 General Electric Company Fault tolerant communication monitor for a master/slave system
GB2328352A (en) * 1997-08-12 1999-02-17 Lucent Technologies Uk Limited Redundant communication network
US6230281B1 (en) 1998-08-26 2001-05-08 Lucent Technologies, Inc. Geographic redundancy protection method and apparatus for a communications network
GB2360856A (en) * 2000-03-30 2001-10-03 Llanelli Radiators Ltd Fault monitoring and safety takeover in an intelligent control unit
GB2360856B (en) * 2000-03-30 2004-06-23 Llanelli Radiators Ltd Intelligent control unit
EP1355457A1 (en) * 2002-04-19 2003-10-22 Yamaha Corporation Communication management system and apparatus
EP1450527A3 (en) * 2002-04-19 2004-09-01 Yamaha Corporation Communication management apparatus
US7443806B2 (en) 2002-04-19 2008-10-28 Yamaha Corporation Communication management apparatus and method for an audio data communication management system
US7990890B2 (en) 2002-04-19 2011-08-02 Yamaha Corporation Communication management apparatus and method for an audio data communication management system
WO2016202847A1 (en) * 2015-06-15 2016-12-22 TRUMPF Hüttinger GmbH + Co. KG Inverter for charging and/or discharging batteries

Also Published As

Publication number Publication date
GB9223182D0 (en) 1992-12-16

Similar Documents

Publication Publication Date Title
JP4776374B2 (en) Redundant supervisory control system and redundant switching method for the same system
US5023873A (en) Method and apparatus for communication link management
US6112249A (en) Non-disruptively rerouting network communications from a secondary network path to a primary path
JP5592931B2 (en) Redundancy manager used in application station
US7085956B2 (en) System and method for concurrent logical device swapping
EP0346946A1 (en) Communication line controller
EP0649092A1 (en) Method and apparatus for fault tolerant connection of a computing system to local area networks
JPH03106144A (en) Mutual connection of network modules
CN110967969B (en) High availability industrial automation system and method for transmitting information by the same
JPH06202978A (en) Logical route schedule device and method of execution
CN1322422C (en) Method and apparatus for automatically bringing a cluster system into operation following a repairable failure
CN105045164A (en) Degradable triple-redundant synchronous voting computer control system and method
CN105005232A (en) Degradable triple redundancy synchronous voting computer control system and method
GB2272611A (en) Control system for machinery and/or plant apparatus
US6618819B1 (en) Sparing system and method to accommodate equipment failures in critical systems
CN205068032U (en) Computer control system is decided by vote to synchronization that can demote
US20020184571A1 (en) System and method for effecting recovery of a network
US20070270984A1 (en) Method and Device for Redundancy Control of Electrical Devices
US20020083365A1 (en) Segmented protection system and method
US6370654B1 (en) Method and apparatus to extend the fault-tolerant abilities of a node into a network
JPH05160876A (en) Management method for communication control processor
RU2740683C1 (en) Method of redistributing functions between automation devices in case of faults in an automated system
CN116841185A (en) Industrial control system architecture capable of realizing high-real-time multi-level dynamic reconstruction
JP3121487B2 (en) Communication system connecting processor modules
JP2001359180A (en) Digital cross connect system, digital cross connect providing method and computer program

Legal Events

Date Code Title Description
WAP Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1)