Oil field process control system

Abstract

An oil field process control system including a field versatile control gateway component that interfaces with a plurality of field devices using a broad range of hardwired and wireless protocols, offering in-the-field monitoring and control of each of the field devices and communicates with a remote central control room, exchanging data between the control room and the field using a multiplexed protocol that offers high data speeds and bandwidth, enabling a significant reduction of the amount of wiring, and conduits and other infrastructure expenses that would otherwise be incurred for such a highly reliable communications system.

Claims

1. A process control system, comprising: a. a plurality of field versatile control gateways (FVCGs) that interface with field devices, each of the plurality of FVCGs comprising a microprocessor, memory, routing database, routing module, protocol translator, wireless interface card and antenna, wherein the FVCGs provide for control-in-the-field capabilities, and wherein the FVCGs communicate with field devices using one or more protocols selected from the group 4-20 mA, Fieldbus Foundation H1, on/off interface, wireless, and serial, EI, and wherein the FVCGs provide for multiplexed communication of data between the FVCGs and a central control location via one or more of a hardwired HSL protocol, a wireless connection, or a hardwired HSL protocol and wireless connection, and wherein the routing database and routing module provide for routing of data between the field devices and the FVCG microprocessor and between the FVCG microprocessor and a central control location, and wherein the protocol translator provides for conversion of field device data from 4-20 mA, Fieldbus Foundation H1, serial, EI, and on/off interface protocols into HSL protocol for communication with the central control location; b) a plurality of versatile control interfaces, located in the central control location, that collect data that is transmitted to and from the FVCGs; c) a central versatile control switch, located in the central control location, that collects data transmitted to and from the versatile control interfaces and that interfaces with a distributed control system; and d) a plant routing controller, located in the central control location, that provides supervisory control of the routing of data within the process control network; and e) and an interface with a distributed control system (DCS) and an emergency shutdown (ESD) controller.

2. The process control network of claim 1, wherein one or more of the plurality of FVCGs communicate with one or more other FVCGs via HSL or a wireless protocol.

3. The process control network of claim 1, wherein each of the plurality of FVCGs includes an alarm module that monitors the health of the communications channel between the FVCG and each field device, and between the FVCG and associated versatile control interface, and reports any faults detected to the CCR and/or PIB and assigns an alternative available healthy communication path for data transfer.

4. The process control network of claim 1, wherein one or more of the plurality of FVCGs that is communicating with an associated FVCG includes an alarm module that monitors the health of the communications channel or channels between the FVCGs, reports any faults to the CCR and/or PIB and assigns an available healthy communication path between the FVCGs for data transfer, and assigns an alternative healthy communication path between the FVCGs for data transfer if the main assigned communication path health quality degrades.

5. The process control network of claim 1, wherein the central versatile control switch accesses and shares emergency shutdown and DCS data via a mapped Intelligent Safety and Control Integrator (ISCI) interface.

6. The process control network of claim 1, wherein the logic-in-the-field capabilities includes the use of an FVCG to perform local control functions, including a local emergency shutdown function.

7. The process control network of claim 1 in which the DCS is the primary control system and the FVCG is activated as the primary control system in the event of DCS failure or malfunction, or in the event of failed or degraded communications on the DCS.

8. The process control network of claim 1 in which the FVCG is the primary control system and the DCS is activated as the primary control system in the event of a failure or degraded communications on the FVCG.

9. The process control network of claim 1 in which a central logic solver is the primary emergency shutdown control system and the FVCG is activated as the primary emergency shutdown control system in the event of a failure of the central logic solver or degraded communications between the central logic solver and the FVCG.

10. The process control network of claim 1 in which the FVCG is the primary emergency shutdown control system and a central logic solver provides for secondary emergency shutdown control in the event of failure of the FVCG or degraded communications between the central logic solver and the FVCG.

11. The process control network of claim 1, wherein the central versatile control switch supports double or triple redundancy.

12. The process control system of claim 1, wherein the ESD controller performs an emergency shutdown function upon demand, and wherein one or more of the plurality of FVCGs performs logic-in-the-field functions for equipment that is geographically remote from the plant control room.

13. The process control system of claim 1, wherein the ESD controller performs an emergency shutdown function upon demand, and wherein one or more of the plurality of FVCGs performs logic-in-the-field functions to provide redundancy in the event the ESD controller emergency shutdown function is not performed because of communications failure or degradation.

14. The process control system of claim 1, wherein the DCS includes an alarm module that monitors the health of the FVCG, reports any faults to the CCR and/or PIB, and transfers the FVCG's control-in-the-field functions back to the DCS if the FVCG health quality degrades.

15. The process control system of claim 1, wherein the ESD controller includes an alarm module that monitors the health of the FVCG, reports any faults to the CCR and/or PIB, and transfers the FVCG's logic-in-the-field functions back to the ESD controller if the FVCG health quality degrades.

16. The process control system of claim 1, wherein the logic-in-the-field capabilities includes a plurality of FVCGs to perform a sequential local emergency shutdown function for multiple pieces of equipment.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

(1) Preferred embodiments of the invention are described herein below with reference to the drawings wherein:

(2) FIG. 1 illustrates prior art oil field process control system;

(3) FIG. 2 illustrates the new oil field process control system;

(4) FIG. 3 illustrates components within the field versatile control gateway;

(5) FIG. 4 illustrates power distribution to the FVCGs;

(6) FIG. 5 illustrates components within the versatile control interface;

(7) FIG. 6 illustrates a method of transferring control from the FVCG to the DCS;

(8) FIG. 7 illustrates a central versatile control switch; and

(9) FIG. 8 illustrates proposed connectivity between a DCS and ESD controller.

DETAILED DESCRIPTION OF THE INVENTION

(10) FIG. 1 schematically illustrates a prior art oil field process control system 100. Main plant DCS 110 is integrated with emergency shutdown (ESD) controller 120, via wiring 115 (typically high-speed Ethernet). The DCS is connected via cabling 117 to conventional input/output marshalling cabinets 140, and via cabling 116 to Fieldbus Foundation power supplies and marshalling cabinets 130. The DCS 110, ESD controller 120, and marshalling cabinets 130 and 140 can be located in a PIB or CCR 190.

(11) The conventional I/O marshalling cabinets 140 are wired to numerous conventional field devices 160 via JBs 150, with cables 145 routed between the marshalling cabinets 140 and the JBs 150, and cables 155 routed between the JBs 150 and the field devices 160. These cables 145 and 155 typically include twisted shielded pairs for analog signals (such as 4-20 mA signals from pressure transmitters and 4-20 mA signals to proportional control valves) and nonshielded wires for discrete control signals (such as inputs from position switches, limit switches, torque switches, and the like, and open and close signals to valve controllers).

(12) The FF power supplies and marshalling cabinets 130 are wired to numerous FF field devices 175 via JBs 170, with H1 trunk cable routed between the marshalling cabinets 130 and the JBs 170, and H1 spurs routed between the JBs 170 and the FF field devices 180.

(13) FIG. 2 schematically illustrates an embodiment of the new oil field process control system of the new invention 200. The system is composed of four primary parts: the FVCGs 270 that interface with field devices, the versatile control interfaces 250 that collect data that is transmitted to and from FVCGs 270, a plant routing controller 230, and a central versatile control switch 220. The central versatile control switch 220 supports double or triple redundancy, so that if the primary circuit fails the secondary redundant circuit will take over, or in the case of triple redundancy, so that if both the primary and secondary circuits fail, the tertiary redundant circuit will take over. While three versatile control interfaces 250 are shown in FIG. 2, the specific number of devices depends on power limitations and the capacity of the central versatile control switch 220 to handle messages. If needed, an additional central versatile control switch 220 can be added to support additional versatile control interfaces 250. The new system configuration is unique in the arrangement of both the conventional communications and wireless ISA100 communications methods at the FVCG level and the conversion and routing of high speed digital communications at the field level, eliminating the need for various wiring cabinets that existed in the prior art. The flexibility of using best in class field instruments and connecting them all within a common FVCG/SJB as appropriate for wellsite control and safety requirements is the key element of this invention. The invention encompasses a local field interface with the flexibility to use hardwired analog signals, hardwired (multi-drop) Fieldbus Foundation signals, discrete (on/off) signals, wireless signals (ISA100, HART, etc.) in any combination as required to provide a self-contained local control system capable of monitoring and managing the control, safety and functional testing requirements at a wellsite and communicating status signals with the central control room of a main plant, such as a gas/oil separating plant (GOSP).

(14) Main plant DCS 210 is connected to central versatile control switch 220 via wiring 215. The DCS is connected through the central versatile control switch 220 to a plant routing controller 230 (via wiring 225), to an adaptive logic and simulation unit 240 (via wiring 226), and to versatile control interfaces 250 (via wiring 225). The DCS 210, central versatile control switch 220, plant routing controller 230, adaptive logic and simulation device 240, and versatile control interfaces 250 are located in a PIB or CCR 295. The DCS 210 is also connected through the central versatile control switch to the ISCI 280 via wiring 227. The ISCI 280 is located in the field.

(15) The versatile control interfaces 250 interface with numerous field devices 290. These interfaces can be made via conventional (prior art) JBs 260of the prior art with cables 255 routed between the versatile control interfaces 250 and the JBs 260, and cables 265 routed between the JBs 260 and the field devices 290. The versatile control interfaces 250 can also interface with field devices 290 via the FVCGs 270 of the invention. The communication between the versatile control interfaces 250 and the FVCGs 270 can include hardwired paths 257 and wireless paths 258. The FVCGs 270 can communicate directly to field devices 290 via either a hardwired path 274 or a wireless path 278. FVCGs can also communicate with other FVCGs via either a hardwired path 276 or a wireless path 279. FVCGs can also communicate with prior art JBs 260, via hardwired path 275. Additional novel features of the present invention include new functions made possible by the introduction of the plant routing controller and the central versatile control switch that allow new levels of integration of emergency shutdown logic and adaptive logic.

(16) FIG. 3 schematically illustrates components of a representative components within the field versatile control gateway (FVCG) 300, which include a central processing unit (CPU) 325 with, e.g., a Windows-based operating system that provides control-in-the-field capabilities. Also included is a routing database 330 and routing module 340. Routing module 340 routes of data from field devices to and from the CPU 325, and also provides routing of data to and from other FVCGs and to and from the CCR or PIB. Routing module 340 also provides multicast of the same data packet over M+1 links. This designation means that one link is the primary link and M additional links serve as hot redundant standby links. If the originally designated primary link fails, e.g., due to continued CCR failure, the first designated redundant link will become the new primary link, and the failed primary will be designated as an out-of-service link. The M+1 link design ensures that critical data is accurately transported over the link connecting the FVCG to the CCR. Routing database 330 contains primary and alternative routes, instrument addresses and neighboring addresses, and is dynamically updated by the plant routing controller (PRC).

(17) FVCG 300 also includes alarm module 335, power management and conditioning module 310 and power terminal block 315. Power management and conditioning module 310 not only provides power for the FVCG 300 internal electronics, but also supplies regulated power to field devices. Fuses or circuit breakers and transient voltage surge suppression devices (TVSS) are also included within the enclosure of FVCG 300. Power and communications are provided from FVCG 300 to field devices through a common cable. Alarm module 335 monitors the health of the wireless communications with the field devices. Diagnoses include: diagnosis of process signal health for transmitters (such as temperature, pressure, level, etc.), the health of device electronics, power fluctuation, the health of communications from and to the central control room, etc. The logic within FVCG 300 is configured by the user to take the appropriate action upon recognition of a diagnosed fault, based upon the risk associated with the wellsite control function, the type of fault detected and the redundancy provided.

(18) FVCG 300 also includes uplink interface card 345, data bus 350 and power cables 320, and converter/protocol translator 355. The converter/protocol translator 355 provides the protocol translation/encapsulation, for example, from 4-20 mA, H1, EI, serial, wireless, or HSE, to the HSL format. The HSL format is based on single-mode fiber, multimode fiber and Ethernet communications that will provide the uplink to the CCR or PIB.

(19) A number of interface cards can be used, including a wireless interface card 380, a 4-20 mA interface card 375, an H1 interface card 370, EI card 390, serial interface card 365, and an on/off interface card 360. The HSL uplink interface card 345 can be configured as standard Ethernet (IEEE 802.3) with 1 Gbps data rate, or as Fieldbus Foundation HSE. While prior art systems commonly include HSE and H1 links, it is foreseeable that H1 connections will be replaced by standard Ethernet (IEEE 802.3) with 100 Mbps link, and HSE connections replaced by standard Ethernet (IEEE 802.3) with 1 Gbps data rate.

(20) FVCG 300 is modular in the sense that interface cards of various types (HDL, HSE, H1, 4-20 mA) can be added depending on the interface type needed for a particular process application. There are 8 slots for 4 redundant pairs of wired cards, with each card capable of interfacing with 32 field devices. The number of cards varies with the installation, and the number shown are for illustrative purposes only. All cards are provided as redundant pairs.

(21) In addition, there are redundant wireless cards (only one wireless card is shown in the figure), consisting of two interfaces supporting star/mesh topologies for up to 256 field devices.

(22) Finally, there is one redundant interface connecting FVCG 300 to the CCR or PIB; or, alternatively, connecting an FVCG to an intermediate FVCG connected to the CCR or PIB. The uplink interface card supports M-redundant high-speed data links, by multicasting the same data packet to the versatile control interface (VCI) over the M-redundant links to achieve mission-critical highly reliable communications. Communications between the FVCG and CCR or PIB can thus be conducted through the wired M-redundant link, or alternatively through the redundant wireless link, or alternatively through both the wired M-redundant link and redundant wireless link.

(23) Thus, each FVCG 300 can support 128 wired inputs, 256 wireless connections, and an M-redundant high speed data link, e.g., an uplink to the CCR or PIB.

(24) FIG. 4 illustrates an embodiment of a power distribution design for the system of the invention. Power enclosure 405 includes redundant power conditioning units 420 and a UPS 430. Also included are two or more power distribution nodes, with the embodiment showing four power distribution nodes 440, 450, 460 and 470. The power conditioning units 420 receive power from redundant sources, such as an external power supply, e.g., utility power, and local emergency generators, e.g., diesel or natural gas units. Each power distribution node 440, 450, 460 and 470 obtains its primary power from the external power supply; however, in the event that this power is interrupted, the UPS 430 will provide power until the emergency generators are started or the external power supply is restored.

(25) Preferably, each FVCG 480 in the field is supplied by power from at least two power conditioning units (N+1), to ensure a very high level of reliability and availability of mission-critical power. In the embodiment shown, each FVCG 480 is fed by cables 445, 455, 465 and 475 from, respectively, power distribution nodes 440, 450, 460 and 470. FVCG 480 receives N+1 power cables, i.e., a primary cable and N redundant cables, to power the FVCG internal subsystems and provide power to the associated field devices. The power received from the CCR or PIB over the N+1 links is shared across the N+1 cables. Thus, the loss of one cable out of the N+1 will not have an immediate adverse effect on the availability of power required for operation of the FVCGs and associated field devices.

(26) FIG. 5 schematically illustrates components of a representative versatile control interface 500 which include power management and conditioning module 510, power distribution node 515 and power cables 560. Also included are: routing table 520 that incorporates a processor and a memory (database) containing routes and algorithms for routing; routing module 530 that does the actual routing, whereby a received packet or message from a port is transferred to its output port based on the routes and algorithms of routing table 520; data bus 535; and converter/protocol translator 540. Also included is an uplink interface card 525 for communications with the FVCGs, an uplink interface card 550 to the DCS, and a wireless interface card 545.

(27) The FVCG has two modes of operations: 1. Mode one as a smart controller as part of the plant control system complementing the functions of the DCS. In this mode, the FVCG provides a number of functions: a. A local process controller for local devices or units associated with the FVCG, including the ability to perform control in the field. b. Routing across local units or equipment, and routing to and from the CCR. c. Protocol conversion across various field process devices and interfaces. d. Power management and feed to local devices associated with the FVCG. e. Serving as a redundant backup in the event of DCS failure. f. Multi-interface capabilities to various protocols. g. High speed connectivity to CCR. 2. Mode two as a smart safety controller as part of the plant safety and shutdown system complementing the functions of the ESD controller: a. Act as a local safety logic solver or controller for local devices or units associated with the FVCG, including the ability to performing logic in the field. b. Routing across local units or equipment, and routing to and from the CCR. c. Protocol conversion across various field safety devices and interfaces. d. Power management and feed to local devices associated with the FVCG. e. Serving as a redundant backup in the event of ESD controller failure. f. Multi-interface capabilities to various protocols. g. High speed connectivity to CCR.

(28) The FVCG can be used as a smart controller and communication interface/routing manager for the plant control system, or it can be used as safety controller and communication interface/routing manager as part of the overall plant safety system. However, the same FVCG cannot and should not be used for both, in order to ensure that the separation of the safety and control system within the plant.

(29) A proportional-integral-derivative controller (PID controller) is a control loop feedback mechanism (controller) widely used in industrial and the process control systems. A PID controller calculates an error value as the difference between a measured process variable and a desired setpoint. The controller attempts to minimize the error by adjusting the process control outputs. The PID controller algorithm involves three separate constant parameters, and is accordingly sometimes called three-term control: the proportional, the integral and derivative values, denoted P, I, and D. Simply put, these values can be interpreted in terms of time: P depends on the present error, I on the accumulation of past errors, and D is a prediction of future errors, based on current rate of change. The weighted sum of these three actions is used to adjust the process via a control element such as the position of a control valve, a damper, or the power supplied to a heating element. The concept of control in the field was introduced by Fieldbus Foundation to allow classical PID type control to happen within a field device that was serving as the master for the other multi-drop devices. In other words, this allows PID control to migrate to the field level instead of being processed within the DCS or CCR. In this invention, control in the field is used to mean capturing information on the bus and using it to add value or make decisions within the FVCG.

(30) Similarly the term logic in the field is used herein to refer to taking cause-and-effect type inputs and outputs (C&E) and relating them to each other to make decisions based on the inputs available to the smart master field mounted device via a bus architecture or a local controller such as the FVCG. Within this context, the FVCG will manage the multiple digital inputs/outputs or analog inputs/outputs of the I/O module at the local/field level instead of using the central ESD controller. Alternatively, the FVCG can act as a redundant or backup logic solver for the main and central logic solver. FIG. 7 illustrates the central versatile control switch 700, incorporating a power management & conditioning unit 710, a routing table 720, a routing processor and logic unit 730, and HSL interface cards 740.

(31) FIG. 6 illustrates a method 600 in which a series of messages are exchanged reflecting a transfer of process control responsibility from the FVCG to the DCS, e.g., upon a determination being made that the FVCG is overloaded or degraded. In step 605, a Request Control Transfer message is sent from the DCS to the FVCG. A request message includes the following data:

(32) TABLE-US-00001 Destination Source Message Command Reason Time Criticality Components Address Address Overhead Type (1) for T.sub.D (3) (4) Involved (5) Control Transfer (2)

(33) The command type, (1), can either be a command to transfer process control from DCS to FVCG, or to transfer process control from FVCG to DCS. In the example shown in FIG. 6, control is being transferred from the FVCG to the DCS.

(34) The reasons for control transfer, (2), can include DCS failure, FVCG failure, failure of communications between the DCS and FVCG, an FVCG environmental condition, e.g., excess heat, humidity, vibration, loading level, a process disruption not controllable by the FVCG, a voluntary decision (such as conducted for maintenance or a testing requirement), or operator's intervention. An example of a process disruption not controllable by the FVCG would be a signal from a gas oil separating plant to decrease or cease production from an individual well. Both FVCG and DCS controls are needed, providing redundancy in the event of loss of local control or shutdown, in which case remote control or shutdown can be accomplished. In addition, some incidents that might not be detected locally at a FVCG might be detectable at a DCS in the central control room, such as a pipe leak remote from a well.

(35) If there is a complete FVCG failure, the failure mode of each field device will be dependent upon the individual device configuration used. For example, a conventional smart valve controller communicating via 4-20 mA analog with HART diagnostics or Foundation Fieldbus to the FVCG will fail open or closed, as configured by the user. Because all communications is lost, the user will conservatively configure this fail-safe state to reduce exposure to risk. However, provided the FVCG remains healthy, additional options defined within the local state-based logic may be selected by the user when device level faults are detected within valves or process sensors to improve overall safety and reliability.

(36) The time T.sub.D, (3), is the time, such as 13:45.351, at which control should be transferred by the FVCG and assumed by the DCS, in the present example.

(37) The message criticality (4) can be normal, critical, or emergency level. Message criticality outlines what functions are transferred from the DCS to the FVCG. For a normal status, the FVCG will monitor process conditions, alarms, and maintain diagnostic logs. For a critical status, the FVCG will additionally perform functions such as closed-loop control and open-loop control. For an emergency status, the FVCG will additionally perform emergency shutdown functions.

(38) The components involved (5) will be the systems, components, and instruments, for which control is to be transferred from the FVCG to the DCS in the example.

(39) In step 610, an Acknowledgement of Control Transfer message is sent from the FVCG to the DCS. An acknowledgement message includes the following data:

(40) TABLE-US-00002 Destination Source Message Acknowledgment Address Address Overhead Type (1)

(41) The acknowledgement type (1) can either be an acknowledgement of the control transfer request, an acknowledgment of the requested time to drop control, an acknowledgment of the criticality level, an acknowledgment of system parameter status, an acknowledgment of a system parameters update message, or an acknowledgment of the control dropped message.

(42) In step 610, an Acknowledgement of Control Transfer message is sent from the FVCG to the DCS. An acknowledgement message includes the following data:

(43) TABLE-US-00003 Destination Source Message Acknowledgment Address Address Overhead Type (1)

(44) The acknowledgement type (1) can either be an acknowledgement of control transfer request, an acknowledgment of the requested time of transfer, an acknowledgment of the criticality level, an acknowledgment of received system parameters, an acknowledgment of received system update message, or an acknowledgment of control dropped message.

(45) Similarly, in step 615, an Acknowledgment of Time of Transfer message is sent from the FVCG to the DCS. In step 620, an Acknowledgment of Criticality Level message is sent from the FVCG to the DCS.

(46) In step 625, a System Parameter Status message is sent from the FVCG to the DCS. A system parameter status message, and the related system parameters update message, includes the following data:

(47) TABLE-US-00004 Destination Source Message System Timing Address Address Overhead Parameters Synchronization Status/Update Check Message (1), (2)

(48) The systems parameters status message (1) provides the current status of each piece of equipment or instrument involved in the transfer of control. The system parameters update message (2) provides notification when the status of a particular instrument or equipment is changed.

(49) The timing synchronization check provides an exchange of local time to the destination and source devices to ensure correct timing of the control exchange.

(50) In step 630, an Acknowledgement of System Parameter Status message is sent from the FVCG to the DCS. Acknowledgment messages have been described in step 610, above.

(51) In step 635, an Update Before Transfer message is sent from the DCS to the FVCG.

(52) In step 640, an Ack-Update-Before-Transfer message is sent from the DCS to the FVCG.

(53) In step 645, a Control to be Dropped message is sent from the FVCG to the DCS. This is a control exchange message, which includes the following data:

(54) TABLE-US-00005 Destination Source Exchange Mode Timing Address Address (1) Synchronization Check (2)

(55) The exchange mode (1) can be either a control to be dropped message, as in the case of step 645, a control taken message indicating that the secondary device has taken control, or a control dropped message indicating that the primary device has ceded control to the secondary device.

(56) As described earlier, the timing synchronization check (2) provides an exchange of local time to the destination and source devices to ensure correct timing of the control exchange.

(57) In step 650, a Control Taken message is sent from the DCS to the FVCG, signifying that the DCS has taken control. Note that this message is sent at predetermined time T.sub.D. In step 655, a Control Dropped message is sent from the FVCG to the DCS, confirming that the FVCG is no longer in control.

(58) In step 660, an Acknowledgment of Control Dropped message is sent from the DCS to the FVCG. Acknowledgment messages were described previously, for step 610.

(59) Thus, steps 625, 630 and 635 described messages communicating system parameter status, acknowledgment of such, and update before transfer messages. These are intended to synchronize the DCS and FVCG systems in terms of the most up-to-date parameters. The control to be dropped message of step 645 indicates that the FVCG will transfer control to the DCS at time T.sub.D and after execution of a function instructing the DCS to take control. Acknowledgment is then received that the DCS is aware that FVCG will drop the control function at time T.sub.D. Thus, step 645 ensures a smooth handoff. In step 650, the DCS informs the FVCG that the DCS has taken the control at time T.sub.D and then, and only then, will the FVCG drop the control function, as described in step 655. That is, the FVCG cannot drop a control function until that control function is taken by the DCS, as a control function cannot be unattended. Conversely, the invention guarantees that there will not be two controllers governing one process.

(60) One additional type of message is possible. This message, not shown in the example illustrated in FIG. 6, is a Time to Transfer Control Change Request message, which includes the following data:

(61) TABLE-US-00006 Destination Source Time to Transfer Timing Address Address Control Function Synchronization (1) Check (2)

(62) This message requests a change of the time previously selected to transfer the control function. The time change could be either earlier or later than the previously selected time. For example, a FVCG might want a transfer of control to occur at a particular time, while the DCS might prefer a different time due to other activity such as a system upgrade, downloading patches, etc.

(63) As described earlier, the timing synchronization check, (2), provides an exchange of local time to the destination and source devices to ensure correct timing of the control exchange.

(64) FIG. 8 schematically illustrates a connection between a control system 800 and emergency shutdown system 835. In the control system 800, the DCS 815 is connected to central versatile control switch 820, which also connects to a plant routing controller 805, an adaptive logic & simulation unit 810, versatile control interfaces 825, and an intelligent safety and control integrator (ISCI) 830. In the emergency shutdown system 835, the ESD controller 855 is connected to central versatile control switch 850, which also connects to a plant routing controller 840, an adaptive logic & simulation unit 845, versatile control interfaces 860, and an intelligent safety and control integrator (ISCI) 865. U.S. Pat. No. 8,645,888 is incorporated by reference, disclosing certain aspects of the interconnection between a control system and an ESD system.

(65) While preferred embodiments of the present invention have been illustrated and described herein, it will be apparent that such embodiments are provided by way of example only. Numerous variations, changes and substitutions also be apparent to those skilled in the art without departing from the invention, the scope of which is to be determined by the following claims.