Communications: electrical – Condition responsive indicating system – With particular system function
Reexamination Certificate
2002-07-12
2004-03-02
Hofsass, Jeffery (Department: 2636)
C340S003100, C340S003200, C340S005100, C700S012000, C700S083000
active
06700483
ABSTRACT:
FIELD OF THE INVENTION
This invention relates to a method and system for resynchronizing a list of alarm states of a device that monitors or controls a process or a system, in whole or in part.
BACKGROUND OF THE INVENTION
An alarm state is a warning to a user of an event. Notifications are used to indicate and warn the user that an alarm state has changed, for example, from an inactive to an active state or from an active to an inactive state (the latter also called return-to-normal). A common type of alarm used, for example, by a process control system against an unwanted situation is based on testing of a process measurement, also known as a process variable. Analog process variables, such as temperatures, pressures, flows, levels, and the like, are often tested against high limits and low limits. When a process variable value becomes higher than a high limit, a high alarm becomes active and a notification is generated. Likewise, when a process variable value becomes lower than a low limit, a low alarm becomes active and similarly a notification is generated.
It is common to have two levels of alarm that behave similarly, using, for example, a high-high limit and a low-low limit. Another type of alarm is associated with a deviation from a current desired operating point, more commonly referred to as a setpoint. When the process variable deviates from a setpoint by more than the specified deviation-high-limit or deviation-low-limit, a deviation-high or deviation-low alarm becomes active, as appropriate.
For discrete process variables, such as a high-limit sensor or an over-temperature sensor, the apparatus itself indicates one of two states such as “On” or “Off”, “Yes” or “No”, “Normal” or “Abnormal”, “True” or “False”, etc. The occurrence of an unwanted state can be used to set an associated alarm active. The limits that are used for testing of an unwanted state are alarm limits or alarm condition limits. Examples of alarm conditions are high, high-high, low, low-low, deviation-high, deviation-low, and discrete. Alarm condition states or alarm states are said to be either active or inactive.
Additionally, there are times when a process variable is expected to exceed an alarm limit, so an alarm condition state and alarm notification are not wanted. An example would be when equipment is desired to be shut down. An alarm condition disable state, or simply alarm disable state, indicates that an alarm state should be disabled and rendered inactive for the associated alarm condition. Return-to-normal notifications are usually issued when an active alarm condition is rendered disabled.
U.S. Pat. No. 6,138,049 describes a notification system for handling the generation and distribution of notifications concerning the occurrence of events. According to the patent, a notification is an indication of some abnormal or exceptional situation relating to a controlled process, its measurement and control equipment. For example, notifications may comprise alarms, system events, operator messages, and the like. The notification system includes a supervisory controller and a plurality of process controllers.
The supervisory controller is associated with each of the process controllers, directly or indirectly, to allow the exchange of information. The supervisory controller monitors characteristics (e.g., status, temperature, pressure, flow rate, current, voltage, power, utilization, efficiency, cost and other economic factors, etc.) of the process, either directly or indirectly through the process controllers. Depending upon the specific implementation, such monitoring may be of an individual process, a group of processes, or the whole facility.
The integrity of the data concerning the aforementioned process characteristics can be degraded by the occurrence of various operation events, such as supervisory controller startup, supervisory controller failover, process controller startup, process controller failover, control network communication failure and recovery, and addition (via configuration) of a new process controller. A notification recovery system is provided to restore the integrity of the data after the system resumes normal operation.
The notification system includes a recovery procedure to restore the data integrity when normal operation resumes after the occurrence of any of the aforementioned events. The supervisory controller issues a recovery command to the process controller that is associated with the devices that provided the affected data. The process controller then executes a recovery program that provides the current values of the alarm states of its associated devices to the supervisory controller.
The notification system of the patent works very well when the devices and process controllers are compatible with one another, i.e., the devices and process controllers are native devices and native process controllers. However, the recovery procedure described in the patent does not address the situation of a control system that also has a non-native device, i.e., a device that is incompatible with the native devices and the native process controller.
There is a deficiency in some non-native devices, for example those devices that conform to the Foundation Fieldbus specifications ISA-S50.01-1992. The response to the reading of the current alarm condition states from any device is performed at a lower priority than the generation of notifications of on-going changes to those same alarm condition states (i.e., notification of a new active alarm condition or notification of a return-to-normal of a previously existing active alarm condition). Hence, the results of the reading of current alarm condition states can be incorrect due to the lack of guaranteed sequencing of the related communication messages.
Specifically, after requesting the reading of an inactive alarm condition state from a device in order to ascertain current alarm states, the response can be placed in a communications output buffer in the device. However, before it is communicated over the network, the alarm may become active (changing to the active state), causing an active alarm notification message to be placed in the same device's notification output buffer, which is separate from the read-response output buffer. Since notifications are specifically permitted access to the network at a higher priority than responses to reading the alarm condition states, the active alarm notification can be received by a notification manager first, even though placed in its output buffer later. Then the response to the reading of the alarm condition states may be received, indicating that the alarm condition is inactive. The notification manager can then falsely conclude that the alarm condition is inactive when, indeed, it has just become active.
Symmetrically, after requesting the reading of an active alarm condition state from a device in order to ascertain current alarm states, the response can be placed in a communications output buffer in the device. But before it is communicated over the network, the alarm may return to normal (changing to the inactive state), causing a return-to-normal notification message to be placed in the same device's notification output buffer, which is separate from the read-response output buffer. Since notifications are specifically permitted access to the network at a higher priority than responses to reading the alarm condition states, the return-to-normal notification can be received by a notification manager first even though placed in its output buffer later. Then the response to the reading of the alarm condition states may be received, indicating that the alarm condition is active. The notification manager can then falsely conclude that the alarm condition is active when, indeed, it has just become inactive.
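The two reordering cases described above, as an added simulation that is not part of the patent text. The names `Device`, `NaiveManager` and `run_race` are hypothetical, and the model assumes a manager that simply applies each message in arrival order.

```python
from collections import deque


class Device:
    """Constructed model of the non-native device: two separate output buffers."""

    def __init__(self, active):
        self.active = active
        self.notify_buf = deque()  # notifications: higher network priority
        self.read_buf = deque()    # read responses: lower network priority

    def handle_read(self):
        # The response carries a snapshot of the state at queueing time.
        self.read_buf.append(("read_response", self.active))

    def change_state(self, active):
        self.active = active
        self.notify_buf.append(("notification", active))

    def transmit(self):
        # Network access is granted to notifications before read responses.
        while self.notify_buf or self.read_buf:
            yield (self.notify_buf or self.read_buf).popleft()


class NaiveManager:
    """Hypothetical manager: the last message received wins."""

    def __init__(self):
        self.believed = None
        self.arrival_order = []

    def receive(self, msg):
        kind, active = msg
        self.arrival_order.append(kind)
        self.believed = active


def run_race(initial_active):
    dev, mgr = Device(initial_active), NaiveManager()
    dev.handle_read()                     # 1. response queued with the old state
    dev.change_state(not initial_active)  # 2. alarm flips before transmission
    for msg in dev.transmit():            # 3. notification overtakes the response
        mgr.receive(msg)
    return dev.active, mgr.believed, mgr.arrival_order


if __name__ == "__main__":
    for start in (False, True):
        actual, believed, order = run_race(start)
        print(f"start={start} actual={actual} believed={believed} order={order}")
```

In both runs the manager's belief ends up as the stale snapshot from the read response, the opposite of the device's actual state.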
What is needed is a mechanism to reliably ascertain the current alarm condition states from such non-native devices so that, for example, a notification manager can be guaranteed to be able to re-synchronize its alarm database with that of the devices after a communications l
Chernoguzov Alexander
Hodson William R.
Blount Eric
Hofsass Jeffery
Honeywell International, Inc.
Miologos Anthony
Ohlandt Greeley Ruggiero & Perle L.L.P.