High integrity control system architecture using digital computing platforms with rapid recovery

US 20040098140A1
Filed: 11/20/2002
Published: 05/20/2004
Est. Priority Date: 11/20/2002
Status: Active Grant

First Claim

Patent Images

1. A control system architecture for controlling a plant, the system comprising:

a computing units system having a plurality of redundant processing units, each of the processing units being configured to generate at least one of a plurality of redundant position signals for the plant and where each processing unit is configured to self initiate rapid recovery; and

an adaptor coupled to the computing units system and configured to receive each of the position signals, to compute a mid-value for the position signals, and to initiate a rapid, recovery in one of the redundant processing units if the difference between the position signal generated by that processing unit and the mid-value exceeds a threshold value.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A control system architecture suitably includes sufficient computation redundancy and control command management to isolate and recover a faulted processor and/or to recover all processing units in the redundant system without adverse effects. Computational redundancy may be provided with multiple processors and/or processing units within computers or computing platforms. In addition to isolating and recovering from internal faults, various embodiments allow computing units to detect faults in other system elements such as sensors, adaptors, actuators and/or effectors. Further embodiments may also include one or more actuator adaptor units that detect faults in other system components and issue discrete instructions to trigger a recovery. In some embodiments, the recovery is performed within one or two computing frames, or otherwise in a short enough time period so as to have only minimal affects, if any, on system performance or redundancy.

Citations

26 Claims

1. A control system architecture for controlling a plant, the system comprising:
- a computing units system having a plurality of redundant processing units, each of the processing units being configured to generate at least one of a plurality of redundant position signals for the plant and where each processing unit is configured to self initiate rapid recovery; and
  
  an adaptor coupled to the computing units system and configured to receive each of the position signals, to compute a mid-value for the position signals, and to initiate a rapid, recovery in one of the redundant processing units if the difference between the position signal generated by that processing unit and the mid-value exceeds a threshold value.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1 further comprising an actuator coupled to the adaptor, wherein the actuator is configured to receive an actuator control signal from the adaptor.
  - 3. The system of claim 2 further comprising an effector actuated by the actuator to produce a desired result in the plant as a function of the actuator control signal.
  - 4. The system of claim 1 wherein the rapid recovery is essentially instantaneous.
  - 5. The system of claim 1 wherein the redundant processing units are configured such that there is no synchronization between the processing units.
  - 6. The system of claim 1 wherein the computing units system is configured to receive a feedback signal from the plant.
  - 7. The system of claim 1 wherein each of the redundant processing units are configured to receive at least one of a plurality of position feedback signals from the effectors, and wherein the effector position feedback signals are communicated from the adaptor to the processing units by way of the computing units system.
  - 8. The system of claim 7 wherein the effector position feedback signals are configured in the redundant processing units to equalize the position signals produced by the redundant processing units.
  - 9. The system of claim 7 wherein the effector position feedback signals are configured to further equalize the position signals produced by the redundant processing units, by providing small adjustments, to the mid-value.

10. A method of controlling a plant, the method comprising:
- generating a plurality of redundant position signals, each of the position signals being generated by one of a plurality of redundant processing units and where each processing unit is configured to self initiate rapid recovery;
  
  computing a mid-value for the redundant position signals; and
  
  initiating a rapid recovery in one of the redundant processing units if the difference between the redundant position signal generated by that processing unit and the mid-value exceeds a threshold value.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The method of claim 10 further comprising the step of restoring state variables from a hardened memory within each processing unit to the redundant processing unit during the rapid recovery of that processing unit.
  - 12. The method of claim 10 wherein the rapid recovery is performed essentially instantaneously.
  - 13. The method of claim 10 wherein the self initiating step is performed by one of the redundant processing units.
  - 14. The method of claim 10 wherein initiating steps are performed by an adaptor coupled to the processing unit.
  - 15. The method of claim 10 further comprising adjusting thresholds in the adaptor in response to the initiation of a rapid recovery in one of the redundant processing units.
  - 16. The method of claim 10 further comprising the step of equalizing the plurality of redundant position signals as a function of the average of the positions of each effector.

17. A method of operating an actuator adaptor, the method comprising:
- receiving a plurality of position signals, each of the position signals being produced by one of a plurality of processing units;
  
  computing a mid-value for the position signals;
  
  selecting a control output as a function of plurality of the position signals; and
  
  initiating a rapid-recovery in at least one of the plurality of processing units when the difference between at least one of the position signals and the mid-value exceeds a pre-determined threshold.

18. A method of recovering a control system, the method comprising:
- providing redundant processing units, wherein each of said redundant processing units is configured to perform a rapid recovery from a fault;
  
  sensing a fault in one of said redundant processing units; and
  
  initiating an essentially instantaneous rapid recovery in one of said redundant processing units in response to said fault.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26)
- - 19. The method of claim 18 wherein said sensing step occurs within one or all of said redundant of the redundant processing units.
  - 20. The method of claim 18 wherein an adaptor is coupled to a computing units system containing said redundant processing units, and wherein said sensing step occurs within said adaptor.
  - 21. The method of claim 18 further comprising storing values of control and logic state variables in each of said redundant processing units.
  - 22. The method of claim 21 wherein said recovery of each redundant processing unit comprises resetting said redundant processing unit to an initial state and loading the processing unit with said stored status of various control and logic state variables.
  - 23. The method of claim 18 wherein said recovery executes within one computing frame.
  - 24. The method of claim 18 wherein the recovery of a said one processing unit does not effect a said second processing unit or any other said redundant processing unit.
  - 25. The method of claim 18 wherein the recovery of said second processing unit does not effect said first processing unit or any other said redundant processing unit.
  - 26. The method of claim 18 wherein the recovery executes within one computing frame.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Honeywell International Inc.
Original Assignee
Honeywell International Inc.
Inventors
Hess, Richard

Granted Patent

US 6,813,527 B2
Time in Patent Office

Days
Field of Search
US Class Current

700/3
CPC Class Codes

G05B 9/03 with multiple-channel loop,...

G05D 1/0077 using redundant signals or ...

High integrity control system architecture using digital computing platforms with rapid recovery

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

High integrity control system architecture using digital computing platforms with rapid recovery

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links