Method and system for redundancy management of distributed and recoverable digital control system

US 8,260,492 B2
Filed: 05/04/2006
Issued: 09/04/2012
Est. Priority Date: 08/05/2005
Status: Active Grant

First Claim

Patent Images

1. A method for redundancy management comprising:

providing a plurality of computing units each comprising;

a plurality of redundant processing units for generating one or more redundant control commands; and

one or more internal monitors for detecting one or more data errors in the control commands;

providing a plurality of actuator control units having a pair of redundant computational lanes for analyzing control commands and providing feedback to the processing units; and

initiating a selective and isolated recovery of one or more monitored applications in a processing unit of the plurality of processing units while one or more other applications remain undisturbed in the processing unit when;

one or more data errors are detected in the one or more monitored applications by one or more of the internal monitors;

orone or more data errors are detected in the one or more monitored applications by one or more of the actuator control units;

wherein the recovery restores the most recent error-free congruent set of state data for any one or more of the selected applications simultaneously.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for redundancy management is provided for a distributed and recoverable digital control system. The method uses unique redundancy management techniques to achieve recovery and restoration of redundant elements to full operation in an asynchronous environment. The system includes a first computing unit comprising a pair of redundant computational lanes for generating redundant control commands. One or more internal monitors detect data errors in the control commands, and provide a recovery trigger to the first computing unit. A second redundant computing unit provides the same features as the first computing unit. A first actuator control unit is configured to provide blending and monitoring of the control commands from the first and second computing units, and to provide a recovery trigger to each of the first and second computing units. A second actuator control unit provides the same features as the first actuator control unit.

Citations

18 Claims

1. A method for redundancy management comprising:
- providing a plurality of computing units each comprising;
  
  a plurality of redundant processing units for generating one or more redundant control commands; and
  
  one or more internal monitors for detecting one or more data errors in the control commands;
  
  providing a plurality of actuator control units having a pair of redundant computational lanes for analyzing control commands and providing feedback to the processing units; and
  
  initiating a selective and isolated recovery of one or more monitored applications in a processing unit of the plurality of processing units while one or more other applications remain undisturbed in the processing unit when;
  
  one or more data errors are detected in the one or more monitored applications by one or more of the internal monitors;
  
  orone or more data errors are detected in the one or more monitored applications by one or more of the actuator control units;
  
  wherein the recovery restores the most recent error-free congruent set of state data for any one or more of the selected applications simultaneously.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1, further comprising:
    - computing a blended command for one or more of the control commands; and
      
      initiating recovery in one or more of the applications when the difference between a control command generated by a processing unit and the blended command exceeds a threshold value.
  - 3. The method of claim 2, further comprising:
    - excluding from the blended command a processing unit command for a recovering application for a specified recovery period;
      
      wherein the recovering processing unit command is not permanently excluded from the blended command before the specified recovery period has expired, and wherein the recovering processing unit command is permanently excluded from the blended command when the recovering application fails to correctly recover during the specified recovery period.
  - 4. The method of claim 2, further comprising:
    - analyzing the control commands generated by each of the processing units; and
      
      adjusting the computed blended command so that the control commands generated by the processing units result in a substantially equalized control command.
  - 5. The method of claim 1, further comprising:
    - comparing a blended command output with a computed command;
      
      disregarding the blended command output when deviations between the blended command output and the computed command exceed an established limit for a specified time;
      
      selecting a blended command output from a plurality of blended command outputs;
      
      comparing the selected blended command output with an actuator position feedback signal; and
      
      initiating an actuator shutdown command when deviations between the selected blended command output and the actuator position feedback signal exceed an established limit for a specified time.
  - 6. The method of claim 1, wherein the method is implemented in redundancy management of a recoverable digital control system.
  - 7. The method of claim 1, wherein the method is implemented in redundancy management of a computing platform.
  - 8. The method of claim 1, wherein the method is implemented in redundancy management of one or more actuator control units.
  - 9. The method of claim 1, wherein the method is implemented in redundancy management of one or more smart actuators.
  - 10. The method of claim 1, wherein the method provides coordinated redundant control of actuators by the actuator control units.
  - 11. The method of claim 1, wherein the method validates and responds to each valid command from the actuator control units, and safely disengages an actuator when no valid command is received during an established limit for a specified time.
  - 12. The method of claim 6, wherein redundancy management actions are distributed throughout the system so that multiple elements of the system can be in a recovery state at any one time.
  - 13. The method of claim 1, wherein redundancy management actions support multiple recoveries of redundant elements from multiple monitors in real time.
  - 14. The method of claim 1, further comprising duplicating state variable data stored in one or more memory devices in the computing units.
  - 15. The method of claim 6, further comprising restoring a duplicate set of state variable data when a soft fault is detected so that one or more processing units can resume processing using the duplicate set of state variable data.
  - 16. The method of claim 10, wherein at least one of the actuator control units detects attempts of other actuator control units to control the same actuator, and stops attempting to control the same actuator as another actuator control unit, while attempting to establish control of an actuator that is not being driven by any other actuator control unit.
  - 17. The method of claim 10, wherein at least one of the actuator control units reports actuator status to a computing unit to allow fault isolation actions by the computing unit.

18. A method for redundancy management comprising:
- providing a plurality of computing units each comprising;
  
  a plurality of redundant processing units for generating one or more redundant control commands; and
  
  one or more internal monitors for detecting one or more data errors in the control commands;
  
  wherein the processing units each include a recovery mechanism, the recovery mechanism comprising;
  
  a duplicate memory;
  
  an even frame memory, wherein the recovery mechanism is configured to duplicate state variables computed during even computational frames into the even frame memory; and
  
  an odd frame memory, wherein the recovery mechanism is configured to duplicate state variables computed during odd computational frames into the odd frame memory;
  
  wherein the even frame memory and the odd frame memory toggle back and forth duplicating state variables into the duplicate memory for computational frames in which no fault is detected;
  
  providing a plurality of actuator control units having a pair of redundant computational lanes for analyzing control commands and providing feedback to the processing units; and
  
  initiating a selective and isolated recovery of one or more monitored applications in a processing unit of the plurality of processing units while one or more other applications remain undisturbed in the processing unit when;
  
  one or more data errors are detected in the one or more monitored applications by one or more of the internal monitors;
  
  orone or more data errors are detected in the one or more monitored applications by one or more of the actuator control units;
  
  wherein the recovery mechanism creates and restores an error-free congruent set of state data for any of the one or more monitored applications selected for recovery.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Honeywell International Inc.
Original Assignee
Honeywell International Inc.
Inventors
Stange, Kent, Hess, Richard, Kelley, Gerald B, Rogers, Randy
Primary Examiner(s)
Chen, Shelley

Application Number

US11/381,652
Publication Number

US 20070033435A1
Time in Patent Office

2,315 Days
Field of Search

714/15
US Class Current

701/34.3
CPC Class Codes

G05B 9/03 with multiple-channel loop,...

Method and system for redundancy management of distributed and recoverable digital control system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for redundancy management of distributed and recoverable digital control system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links