Control Module

ISA-88 defines the control module as "the lowest level grouping of equipment in the physical model that can carry out basic control". In practice, a CM is one of:

• Discrete valve — solenoid + actuator + open/closed feedback.
• Modulating valve — positioner + valve + position feedback.
• Pump — motor + run/stop + overload + amp feedback.
• Loop — PID controller with sensor, output, and tuning parameters.
• Indicator — sensor with scaling and alarm thresholds.
• Composite — small grouping (e.g. a vessel-fill CM that pairs a level sensor with a fill valve).

A CM is the smallest thing that can be commanded — Open / Close, Start / Stop, Setpoint = X — and that reports back a state and feedback.

The CM's value is encapsulation: nothing outside the CM writes to its internal tags. A valve CM exposes Open and Close commands plus Open and Closed feedback bits; the internal solenoid energise and feedback wiring are hidden. Consequences:

• Replacing the valve with a different vendor's model changes the internal CM logic, not the upstream callers.
• Adding an interlock ("do not open if downstream is closed") happens inside the CM, not scattered through phase code.
• Maintenance can substitute spare devices without rewriting upstream logic.
• Diagnostics live with the CM — "valve failed to open" is a CM-level fault, surfaced upward.

A clean CM exposes a small command set and a clean state model. Example for a discrete valve:

Mode arbitration determines who can issue commands. In Auto, the parent EM drives; in Manual, an operator with the right role; in Maintenance, only maintenance personnel.

Many safety and process interlocks belong at the CM level — close to the device, hard to bypass from above. A CIP supply valve's interlock "do not open if process valve is open" lives inside the CM; phase code cannot accidentally violate it.

• Process interlocks — implemented in the CM, can be bypassed only with role + audit trail.
• Safety interlocks — implemented in a separate safety PLC (per IEC 61511); the CM observes the safety status as an input.
• Override management — manual overrides are time-bounded, role-gated, alarmed and audit-trailed.
• Permissive logic — "start command is rejected unless prerequisites are met" — typically lives in the CM or the parent EM, never in higher-level phase code.

CMs are the primary source of process data. Tag values (commands, feedbacks, faults, modes) flow:

1. PLC scan — CM updates its tags every scan (typically 10–100 ms).
2. OPC-UA / OPC-DA — historian collector pulls or subscribes to tags.
3. Historian — stores time-series with compression.
4. MES — pulls aggregated values into the batch record at phase boundaries (start, exit, IPC sample) and important deviations live.

The BMR records summary values (peak temperature, average rpm, end-of-phase value) plus any deviations; the historian carries the full waveform. Together they satisfy ALCOA+ and Annex 11 expectations.

• Phase code writes directly to PLC tags — breaks CM encapsulation, makes refactoring impossible.
• CMs without mode arbitration — operator switches to manual during an Auto phase and silently corrupts the batch.
• Faults reported only as a generic "fault" bit — diagnostic narrative impossible.
• Interlocks duplicated in phase code AND CM — inconsistent behaviour at edge cases.
• Safety interlocks in CM instead of safety PLC — SIL rating cannot be claimed.
• Overrides without expiry — temporary fix becomes permanent invisible state.
• CM tag naming inconsistent — historian collection coverage is patchy.
• Manual mode does not pause the batch — operator actions go unrecorded.