Some basic Control System Fundamentals : LUSENET : TimeBomb 2000 (Y2000) : One Thread

This was originally posted in the "Old info..." thread I started but which has moved well down the list and gotten somewhat lengthy in the process. I was not sure if Chuck the Night Driver saw my response to him and I also thought it might be useful to others so I am reposting it here.

Chuck's question dealt with embedded systems and loss of communication integrity in a hierarchical control system. My answer is as follows:

OK Chuck, I'll give it a try.

The so-called handshaking between regulatory and supervisory control systems is typically just an acknowledge (ACK) or negative acknowledge (NAK). Let's say a tank level controller gets its setpoint from a higher-level controller every 5 seconds and transmits its current feedback at the same interval. The supervisory controller may also be getting its target from a batch scheduling or other optimizing controller which it is communicating with on, say, a 30-second interval. The actual control logic for a PID controller is typically about 10% of the total lines of code used to implement it. The rest is control mode handling (local to remote, auto to manual, etc.) and error handling logic (excessive error, unexpected change, etc.). This is the subtlety that most people who have not had direct experience with industrial control systems miss. To address your question, if communication is lost between the different levels in the hierarchy, the controllers automatically 'shed' their control mode to the next lower mode. If a controller was in cascade mode, it switches to auto, and if it was in auto, it switches to manual. What this means is that each controller will either control to the last valid setpoint it received or hold its output at the last valid position. Since industrial processes are largely static in nature, this is the correct fail-safe mode.

Now, let's assume that some moron used an absolute date implicitly in the calculation of an operating point target at some point in this chain. When the year changes to '00' you will likely get a calculation of zero or infinity, depending on whether you divide or multiply. All control loops have high and low limits on inputs and outputs. If an output limit is reached, an alarm is triggered. If an input alarm is reached, the input is rejected, the last valid input is held, and the control loop sheds to its fail-safe mode. If you are familiar with analog instrumentation, you may know that the standard range of measurements is 1 to 5 volts or 4 to 20 milliamps. The reason for this is so that a feedback reading of zero volts or zero milliamps is (correctly) interpreted as a failure and not a valid measurement of zero.

I would also disagree with Mr. Cook's assertions that all things must work correctly to operate safely and most must work to operate at all. Most industrial processes are designed to be inherently stable (remember, all of these industries were in operation long before computer control came into being) and at any given time in any plant, there are dozens of loops in manual mode or instrumentation requiring calibration or replacement. The term for this is 'graceful degradation' and it is inherent in any control system design. At some point, the number of failures will cause a problem, but no one failure of a control valve or transmitter will shut down a plant. As far as his examples and how they relate to Y2K, TMI was caused by mechanical and human error and the others all sound like mechanical defects or failures, not the result of a software bug. Tragic cases, but not really relevant.

-- Another NORMal Person (, March 23, 1999.
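The post above describes two defensive mechanisms in words: mode shedding when the supervisory link goes quiet (cascade to auto to manual, holding the last valid setpoint or output), and rejection of any analog reading outside the 4-20 mA live-zero band so that a dead transmitter is never mistaken for a real value of zero. The following is an added, constructed Python model of a single regulatory loop that does both; it is not code from the thread or from any real control system. The class name, the PI gains, the 5-second setpoint period, the 15-second comms timeout and the scenario values are all assumptions chosen for illustration.

```python
import math
from dataclasses import dataclass, field

CASCADE, AUTO, MANUAL = "cascade", "auto", "manual"
# Shedding order on any fault: cascade -> auto -> manual (manual is the floor).
SHED_TO = {CASCADE: AUTO, AUTO: MANUAL, MANUAL: MANUAL}

# Live-zero analog input range: 4 mA is 0 % of span, 20 mA is 100 %.
# A reading outside this band is a failed transmitter or wire, not a value.
MA_LOW, MA_HIGH = 4.0, 20.0

SETPOINT_PERIOD = 5.0                # seconds between supervisory updates (assumed)
COMM_TIMEOUT = 3 * SETPOINT_PERIOD   # silence tolerated before shedding (assumed)


@dataclass
class LoopController:
    kp: float = 2.0                  # proportional gain (assumed)
    ki: float = 0.05                 # integral gain (assumed)
    mode: str = CASCADE
    setpoint: float = 50.0           # last valid setpoint, percent of span
    output: float = 50.0             # last valid output position, percent
    last_pv: float = 50.0            # last valid process value, percent
    last_sp_time: float = 0.0        # when the supervisory layer last spoke
    integral: float = 0.0
    alarms: list = field(default_factory=list)

    def shed(self, reason):
        """Drop one control mode and record why."""
        new = SHED_TO[self.mode]
        if new != self.mode:
            self.alarms.append(f"shed {self.mode}->{new}: {reason}")
            self.mode = new

    def receive_setpoint(self, sp, now):
        """Supervisory setpoint message (the 'handshake' side of the loop).
        Out-of-limit or non-finite targets (e.g. a zero or infinity from a
        date-based calculation) are rejected and the last valid setpoint is
        held, exactly like a bad measurement."""
        self.last_sp_time = now
        if not math.isfinite(sp) or not 0.0 <= sp <= 100.0:
            self.alarms.append(f"setpoint rejected: {sp}")
            self.shed("bad setpoint")
            return
        if self.mode == CASCADE:
            self.setpoint = sp

    @staticmethod
    def ma_to_percent(ma):
        """4-20 mA to percent of span; None means 'reject this reading'."""
        if not math.isfinite(ma) or not MA_LOW <= ma <= MA_HIGH:
            return None
        return (ma - MA_LOW) / (MA_HIGH - MA_LOW) * 100.0

    def step(self, ma, now, dt=1.0):
        """One control interval: comms check, input validation, PI output."""
        if self.mode == CASCADE and now - self.last_sp_time > COMM_TIMEOUT:
            self.shed("supervisory comms lost")

        pv = self.ma_to_percent(ma)
        if pv is None:
            self.alarms.append(f"input rejected: {ma} mA")
            self.shed("bad input")
            pv = self.last_pv            # hold the last valid input
        else:
            self.last_pv = pv

        if self.mode == MANUAL:
            return self.output           # hold output where it was

        error = self.setpoint - pv
        self.integral += error * dt
        raw = 50.0 + self.kp * error + self.ki * self.integral
        self.output = min(max(raw, 0.0), 100.0)
        if self.output != raw:           # clamped: alarm and stop winding up
            self.alarms.append(f"output limit {self.output} %")
            self.integral -= error * dt
        return self.output


def run_scenario():
    """Constructed scenario: healthy cascade operation, then the supervisory
    layer goes silent, then the level transmitter fails to 0 mA."""
    c = LoopController()
    log = []
    for t in range(0, 30):               # supervisory target every 5 s
        if t % SETPOINT_PERIOD == 0:
            c.receive_setpoint(60.0, t)
        c.step(12.0, t)                  # 12 mA = 50 % of span
    log.append((c.mode, c.setpoint))
    for t in range(30, 50):              # no more supervisory messages
        c.step(12.0, t)
    log.append((c.mode, c.setpoint))
    c.step(0.0, 50)                      # dead transmitter, not "level is zero"
    log.append((c.mode, c.output))
    return c, log


if __name__ == "__main__":
    ctl, trail = run_scenario()
    for entry in trail:
        print(entry)
    for a in ctl.alarms:
        print("ALARM:", a)
```

Running `run_scenario()` walks through the chain the post describes: the loop tracks its supervisory target in cascade, sheds to auto and keeps the last valid setpoint once three update periods pass in silence, and on the 0 mA reading rejects the input, holds the last good measurement and sheds to manual with the output frozen at its last position. Every shed and rejection lands in the alarm list, which is the detection side a practitioner would want: a controller quietly holding position is only safe if someone is told it is doing so.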


-- Mutha Nachu (, March 23, 1999.

Whatever happened to Drum Programmers for sequencing and on-off, proportional, integral, derivative, and reset control for process control???

Who was the 'genius' who scrapped analog in favor of this nightmare??

Hey, my father's sliderule is made from tropical rainforest mahogany and genuine African Elephant ivory. Back then, NOTHING anyone could do would SHUT THE WORLD DOWN!

-- K Stevens (, March 23, 1999.
