The terms"control"and"control systems"refer to the control of a device or system by monitoring one or more of its characteristics. This is used to insure that output, processing, quality and/or efficiency remain within desired parameters over the course of time. In many control systems, digital data processing or other automated apparatus monitor the device or system in question and automatically adjust its operational parameters. In other control systems, such apparatus monitor the device or system and display alarms or other indicia of its characteristics, leaving responsibility for adjustment to the operator.

Control is used in a number of fields. Process control, for example, is typically employed in the manufacturing sector for process, repetitive and discrete manufactures, though, it also has wide application in electric and other service industries. Environmental control finds application in residential, commercial, institutional and industrial settings, where temperature and other environmental factors must be properly maintained. Control is also used in articles of manufacture, from toasters to aircraft, to monitor and control device operation.

Reliability is among the key requirements of any control system. A controlled manufacturing process, for example, that occasionally produces a bad batch is wholly unacceptable for many purposes. Given the expense of manufacturing individual process control components that achieve satisfactory levels of reliability, designers have turned to redundancy. This typically involves using two or more control elements in place of one. The duplicated units can be sensors, actuators, controllers or other components in the control hierarchy.

Thus, for example, U. S. Patent 4,347,563 discloses an industrial control system in which redundant processing units serve as bus masters"of the moment,"monitoring status information generated by primary processing units. If a redundant unit detects that a primary has gone faulty while executing an applications program, the redundant unit loads that program and takes over the primary's function. A shortcoming of these and many other prior art redundancy schemes is their imposition of undue computational or hardware overhead. U. S. Patent 4,058,975, for example, has the disadvantage of requiring a computer to continually compare the outputs of multiple temperature sensors monitoring a gas turbine.

Implementing such solutions can be difficult in some situations and impossible in others. The latter may prove true if the control elements or configuration do not support communications or processing necessary to implement the necessary redundancy protocols.

The self-validating sensors described in U. S. Patents 5,570,300 and 5,774,378 (assigned to the assignee hereof and the teachings of which are incorporated herein by reference) represent a significant advance in the art. Such sensors provide not only estimates of control variables (e. g., pressure or temperature) being monitored, but also information about the uncertainty and reliability of those estimates. Thus, for example, a sensor can generate a validated measurement signal (VMV) representing a best estimate of a control variable being monitored, a validated uncertainty signal (VU) identifying the uncertainty in VMV, a status signal (MV) indicating the status of VMV (e. g.,"clear,""blurred,""dazzled,""blind,"), and a device status signal indicating a status of the sensor itself.

Notwithstanding the advent of self-validating sensors, still more flexible mechanisms for avoiding fault are desired. This is increasingly so as the art shifts to control architectures that permit the"hot"insertion or replacement of control elements.

An object of this invention is to provide improved methods and apparatus for control and, more particularly, improved such methods and apparatus that provide for avoidance of detected faults.

A further object of the invention is to provide such methods and apparatus as facilitate maintaining continuous operation of a process, environmental, industrial or other control system in the face of actual or potential degradation of a sensor or other control element.

A still further object of the invention is to provide such methods and apparatus for use with self-validating control elements and particularly, for example, with self-validating sensors.

Summary of the Invention The foregoing are among the objects attained by the invention which provides, in one aspect, a control system with components that respond to actual or potential faults, e. g., in sensors or other field devices, by automatically switching to other sources of desired control or process variables.

Thus, in one aspect, the invention provides a control system with first and second control components that generate first and second"source"signals, respectively, representing substantially identical or related process control variables. A third control component, which normally processes the first source signal, responds to actual or potential degradation of that signal (or the control component that generated it) for processing the second source signal in lieu of the first.

By way of example, a process control system according to this aspect of the invention can have a first sensor that generates a temperature reading of a reactor vessel and a second sensor that generates a pressure reading of that same vessel. A control processor can be arranged to process the reading generated by the first sensor, e. g., as part of a temperature control loop. In response to indications of actual or potential degradation of the first sensor, the control processor can process readings from the second sensor, e. g., in lieu of those from the first.

Further aspects of the invention provide a control system as described above in which the first control component (e. g., the first sensor in the above example) generates a confidence signal indicative of actual or potential degradation of the first sensor. Where the first component is a self-validating sensor, that confidence can be a measurement value (MV) status signal and/or a device status signal, both as described above. The third control component (e. g., the control processor in the example) can identify actual or potential degradation of the first control component from that confidence signal.

Still further aspects of the invention provide a control system as described above in which the second control component (e. g., the second sensor in the example) generates a signal identifying the control variable (e. g., temperature or pressure) output by it. The second component can transmit that signal, e. g., to a distributed registry, for storage. The third control component can retrieve the identifier signal from the registry in the event of actual or potential degradation of the first source signal, thus, permitting identification of the second source signal as a potential substitute for the first.

Yet still further aspects of the invention provide a control system as described above in which the control components and/or registry are coupled via bus, a network and other communications media, by way of non-limiting example, compatible with any of Foundation Fieldbus, Profibus, DeviceNet, InterBUSTm and Modbus"standards, among others.

Other aspects of the invention provide process, environment, industrial control systems and methods in accord with the foregoing.

These and still other aspects of the invention are evident in the drawings and in the description that follows.

Brief Description of the Drawings A more complete understanding of the invention may be attained by reference to the drawings, in which Figure 1 depicts a digital data processing system of the type with which apparatus and methods according to the invention may be practiced; Figure 2 illustrates controlled processes, along with a fault-avoidance process control system according to the invention for controlling them; and Figure 3 is a flowchart depicting operation of a fault-avoidance process control system according to the invention.

Detailed Description of the Illustrated Embodiment Figure 1 depicts a digital data processing system of the type with which apparatus and methods according to the invention may be practiced. The system includes one or more controllers I OA, I OB or other digital data processors that monitor and/or control one or more manufacturing, industrial or other processes 12A, 12B. The illustrated controllers 10A, l OB represent hardware or software processes executing on workstations, microprocessors, embedded processors,"smart" field devices, or other digital data processing apparatus of the types commercially available in the marketplace, constructed and operated in accord with the teachings herein to achieve fault-avoidance in process control.

Workstation 11 represents a personal computer, mamframe computer or other digital data processing device that can be used, e. g., by an operator, to monitor and/or administer controllers 10A, l OB. While workstation 11 can be independent of the other devices shown in the drawing, it can alternatively incorporate functionality of controllers 10A, lOB. Conversely, monitoring and/or administrative functionality of workstation 11 can be contained in microprocessors, embedded processors, controllers,"smart"field devices that serve other functions in the control system.

Network 14 provides a communications medium for the transfer of data and control information among components of the control system, including, controllers 10A, l OB, workstation 11, blocks 32-42, and field devices. Though illustrated to represent a LAN, WAN, or global network (Internet), those skilled in the art will appreciate that element 14 may comprise a bus or other communications medium through which information may be transferred. In preferred embodiments, at least portions of the network 14 comprise buses compatible with industry standards such as, by non-limiting example, Foundation Fieldbus, Profibus, DeviceNet, InterBus and/or Modbus@.

Figure 2 illustrates in greater detail processes 12A, 12B and a control system according to the invention for controlling them. In the illustration, exemplary process 12A is a manufacturing process including conventional processing equipment, such as by way of non-limiting example conveyors, aeration tanks, and so forth. Control of the process 12A is effected through flow sensors, pressure sensors, temperature sensors, level sensors, valves, recorders, positioners, or other sensors or actuators operating with outputs and inputs in the range of 4-20 mA or 1-5 V dc, or otherwise, per proprietary or industry protocol (collectively,"field devices"). In the illustrated embodiment, these include valve 24 that governs the rate of fluid flow to a reactor vessel 25, whose temperature and pressure are monitored by sensors 16,18. These also include flow sensor 20 that monitors the outflow of vessel 25 to tank 21. In a preferred embodiment, one or more of the sensors are"smart"field devices, i. e., sensors or actuators that include embedded processors, microprocessors or other digital data processing capacity, operating in accord with the teachings herein.

Whether of the"smart"variety or otherwise, one or more of the sensors 16,18,20 can be of the self-validating variety that output estimates of measured process variables (e. g., pressure, temperature, flow, respectively), along with information about the uncertainty and reliability of those estimates. Preferred self-validating sensors include, by way of non-limiting example, those taught in incorporated-by-reference U. S. Patents 5,570,300 and 5,774,378. Such sensors generate a validated measurement signal (VMV) representing a best estimate of a process variable being monitored, a validated uncertainty signal (VU) identifying the uncertainty in VMV, a status signal (MV) indicating the status of VMV (e. g.,"clear,""blurred,""dazzled,""blind,"), and a device status signal indicating a status of the sensor itself.

Monitoring and control of processes 12A, 12B is further effected through controllers 10A, 10B that are coupled to field devices 16-30, as well as to one another, via network 14. The controllers execute control strategies in the conventional manner known in the art as modified in accord with the teachings herein.

To this end, the controllers 10A, 10B comprise blocks and/or other executable software components (collectively,"blocks") 32-42 that model field devices, processing apparatus and other aspects of the controlled process 12A and that monitor and/or control the states and interactions therebetween, e. g., via execution of control algorithms (or portions thereof) or otherwise. In the illustrated embodiment, blocks 32-42 comprise blocks of the type utilized in the I/A Seriest systems marketed by the assignee hereof and/or objects of the type disclosed in co-pending commonly assigned patent applications 60/139,071, filed June 11,1999, entitled "Omnibus and Web Control,"60/144,693, filed July 20,1999, entitled"Omnibus and Web Control,"60/146,406, filed July 29,1999, entitled"Bi-Directional Entities for Maintaining Block Parameters and Status in a Process Control System,"and 60/149,276, filed August 17,1999, entitled"Methods and Apparatus for Process Control (AutoArchitecture),"the teachings of all of which are incorporated herein by reference. The blocks 32-42 may represent other software and/or hardware components capable of executing on or in connection with controllers 10A, 10B.

For example, the blocks may be various types of function blocks, or the like, as defined and executed within the aforementioned Foundation Fieldbus, Profibus, DeviceNet, hiterBusTm and Modbuss or other industry standards.

Blocks 32-42 operate in the conventional manner known in the art, as modified in accord with the teachings herein for fault avoidance. Thus, for example, controller 10A includes supervisor 32, temperature controller 34 and flow controller 36, each of which may include further blocks (not shown). Supervisor component 32 initiates process control functions, including activation and execution of blocks 34,36. Block 32 also generates a temperature supervisory set point, e. g., based on operator input. Block 34 is a temperature controller that utilizes a proportional-integlal-derivative (PID) or other control algorithm to generate a flow set point based on the temperature set point from the supervisor object 32 and on temperature readings from sensor 18. Block 36 serves as a flow controller that, too, utilizes a PID or other control algorithm to set a flow level, e. g., for valve 24, based on the flow set point from block 34 and on flow readings from sensor 20.

In process control terminology, supervisor 32 is referred to as a"source"for temperature controller 34 and, more accurately, for the temperature set point parameter used by controller 34.

Temperature sensor 18 is also a source for controller 34. The flow controller 36, conversely, is referred to as a"sink"for temperature controller 34 and, more accurately, for the flow set point parameter generated by it. Like terminology can be applied to the other elements and parameters that are sources (i. e., suppliers) or sinks (i. e., consumers) of information produced within the system.

The illustrated apparatus includes one or more registries 42-48 to maintain information about the field devices 16-32. These can be contained in memory or other data stores within workstation 11, within the processors 10A, 10B, within smart field devices 16-32, within stand- alone storage devices (as illustrated), or otherwise. Where more than one registry is provided, they can be distributed among domams and, indeed, among the field devices themselves. The registries can be implemented as pointers, symbols, objects, variables, vectors, tables, records, databases, files, or other data structures or stores. They can be implemented as stand-alone entities or, for example, within other system components such as function blocks, or the like, as defined and executed within the aforementioned Foundation Fieldbus, Profibus, DeviceNet, InterBus and Modbus or other industry standards.

The registries maintain information about the control or process variables monitored by sensor-type field devices. Thus, for example, entries in registry 42 can indicate that sensor 16 monitors the pressure of vessel 25 and that sensor 18 monitors the temperature of that vessel.

Registry 44, by way of further example, can indicate that sensor 20 monitors flow in the conduit between vessel 25 and tank 21. The registries can also maintain information about process variables governed by actuator-type sensors. Other information can be maintained in the registries, as well, for example identifiers of sources and/or sinks of each of the elements in the process control system.

In the illustrated embodiment, each process control component 32-42 maintains, e. g., in its own dedicated store or in a registry, identities of the process variables supplied to it by the "sources."Identities and other information regarding the sources can be maintained as well. Thus, for example, temperature controller 34 maintains an internal store indicating that one of its sources, sensor 18, supplies the temperature of vessel 25.

Figure 3 is a flowchart depicting how the process control system of Figure 2 provides for fault-avoidance. In steps 50-52, each field device"registers"with the system upon"hot"insertion, installation or commencement of operation. In the illustrated embodiment, registration is performed by sensor-type field devices, e. g., pressure, temperature and flow sensors 16-20, and entails generating an identifier indicating which process variable is monitored by each sensor. Thus, for example, sensor 16 generates an identifier signal indicating that it monitors the pressure of vessel 25, while sensor 18 generates a signal indicating that it monitors the temperature of that vessel. These identifier signals are stored in registry 42, or elsewhere, as discussed above.

The identifier signal generated by the field device can be based, for example, on information stored in the sensor, or otherwise supplied to the system, e. g., by a field technician prior to (or concurrent with) insertion. Alternatively, by way of further non-limiting example, it can be based on keys, tags or other physical indicia installed on or in the field device.

In step 54, controllers 10A, 10B commence operation, monitoring and/or controlling operation of processes 12A, 12B.

In step 56, each component 32-42 (Fig. 2) monitors its sources to identify actual or potential degradation of the information supplied by them. Where the sources are self-validating field devices, as described above, the recipient component (or sink) utilizes the above-described status signals as means of determining actual or potential fault. In this regard, for example, temperature controller 34 can identify as faulty a source (e. g., sensor 18) generating an MV signal of"blurred,""dazzled,""blind." For sources that are not self-validating, the recipient process control components, i. e., blocks 32-42, can monitor process variables, statistically or otherwise, to identify actual or potential degradation. Still other elements resident in the controllers and/or in the control system (e. g., other field devices) can monitor sources and notify recipients of actual or potential degradation. The detection of fault by recipient components or other elements can be based on principles paralleling those discussed in incorporated-by-reference U. S. Patents 5,570,300 and 5,774,378, or otherwise.

In step 58, processing continues in the normal course unless an actual or potential fault is detected in a source (e. g., temperature sensor 18). Upon detection of such a fault, the recipient component (e. g., temperature controller 34) seeks a replacement source. Step 60. Alternatively, another component or element in the system (e. g., supervisor component 32) seeks a replacement on behalf of the recipient.

In either event, the replacement is identified via a search of registries 42-48 for a source that provides an identical or related process variable to that identified as actually or potentially faulty. Thus, for example, in the event readings from temperature sensor 18 are detected as actually or potentially faulty, readings from another temperature sensor (not shown) on the same vessel 25 could be identified for use as replacements.

In the illustrated embodiment, pressure sensor 16 is deemed to provide a"related"process variable, since the temperature of the contents vessel 25 can be determined with acceptable accuracy from its pressure.

In still further embodiments, replacement readings are taken from sensors or other process control components that measure (or otherwise generate) an identical or related process variable but that normally output another process variable. Examples of this include multimeasurement sensors, e. g., a flow sensor 20 implemented as a CFT10 Series I/A SeriesX mass flow transmitter of the type commercially available from the assignee hereof. Though such a sensor typically outputs a flow reading, it measures temperature (along with other flow-related variables) in order to normalize the flow reading. Upon determining that temperature readings from sensor 18 are actually or potentially faulty, temperature controller 34 can utilize the temperature readings generated by mass flow sensor 20 as replacements. This is likewise true of (i) multimeasurement sensors that measure or otherwise generate"related"process variables, such as pressure in the above example, and (ii) blocks and other process components that generate identical or related process variables by way of calculations performed during execution of a control algorithm or otherwise.

If no replacement source is found (step 62), the operator is notified. Step 64. System operation may nonetheless continue, depending on the nature of the fault.

If a replacement source is found (step 66), its outputs are coupled to the inputs of the recipient component The manner in which this is accomplished varies in accord with the specific nature of source/sink coupling in controller 10A. For example, if each component (e. g., temperature controller 34) maintains pointers to its sources (e. g., temperature sensor 18), replacement is effected by substituting a pointer to the replacement element (e. g., pressure sensor 16) for that of the actually or potentially faulty element (e. g., temperature sensor 18). Alternatively, if source information is coded into component via a configurator (not shown), such a configurator may be employed to impart sufficient information to effect replacement. In the event that the replacement source does not provide identical information to that provided by the actually or potentially fault source, the recipient executes appropriate conversions (e. g., pressure-to-temperature conversions) and/or compensates for differences in uncertainty or accuracy, e. g., using alternate control algorithms in order to insure proper operation.

Once a source, previously detected as actually or potentially faulty, resumes normal operation (e. g., as a result of physical repair or replacement by a technician or as a result of termination of a transient fault condition), it can be coupled back into the system-thus, in effect, replacing its replacement. For example, a repaired source can register with the system upon being brought on-line and, in the process, send a local or system-wide notification, e. g., over medium 14 or portions thereof. Recipients or sinks of information generated by the repaired source can recouple with it, as described above. Such recoupling can be predicated, for example, on a comparison of tolerances, accuracy or other operational parameters of the repaired source and the replacement that had been substituted for it on detection of the original fault condition.

Described above are methods and apparatus achieving the desired objects. Those skilled in the art will appreciate that the embodiments described herein and shown in the drawings are examples of the invention and that other embodiments incorporating one or more of the mechanisms and techniques herein, or equivalents thereof, fall within the scope of the invention.

Thus, for example, further embodiments of the invention provide environmental control systems utilizing apparatus and methods like those herein to monitor and/or control heating, ventilation, cooling, and other environmental factors. Yet still further embodiments of the invention provide industrial control systems, manufacturing control systems, or the like, that also utilize apparatus and methods like those herein to monitor and/or control respective industrial, manufacturing or other processes.

In view of the foregoing, what is claimed is: