CN100485557C - Coordination of field device operations with overrides and bypasses in a process control and safety system - Google Patents

Info

Publication number
CN100485557C
Authority
CN
China
Prior art keywords
field device
signal
configuration status
functional block
logic
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Lifetime
Application number
CNB200410071407XA
Other languages
Chinese (zh)
Other versions
CN1570793A (en
Inventor
Gary Law
Michael G. Ott
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Fisher Rosemount Systems Inc
Original Assignee
Fisher Rosemount Systems Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from US10/404,156 external-priority patent/US6898542B2/en
Application filed by Fisher Rosemount Systems Inc filed Critical Fisher Rosemount Systems Inc
Publication of CN1570793A publication Critical patent/CN1570793A/en
Application granted granted Critical
Publication of CN100485557C publication Critical patent/CN100485557C/en
Anticipated expiration legal-status Critical
Expired - Lifetime legal-status Critical Current

Classifications

    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B19/00 Programme-control systems
    • G05B19/02 Programme-control systems electric
    • G05B19/04 Programme control other than numerical control, i.e. in sequence controllers or logic controllers
    • G05B19/042 Programme control other than numerical control, i.e. in sequence controllers or logic controllers using digital processors
    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B23/00 Testing or monitoring of control systems or parts thereof
    • G05B23/02 Electric testing or monitoring
    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B9/00 Safety arrangements
    • G05B9/02 Safety arrangements electric

Abstract

A process control or safety system uses function block logic to coordinate the logic within the process control or safety system with the operating states of field devices, even when those operating states are initiated from outside the process control or safety system. Logic within an input or voter function block associated with a field device can monitor and determine when the field device has been placed in a test or calibration mode, and can automatically initiate the appropriate bypass or override function in response to the detected configuration state of the field device. Similarly, the function block logic can automatically remove the bypass or override function when the field device is placed back in its normal operating configuration state.

Description

Coordination of field device operations with overrides and bypasses in a process control and safety system
This application is a continuation-in-part of, and claims priority from, co-pending U.S. Patent Application Serial No. 10/404,156, entitled "On-Line Device Testing Block Integrated Into a Process Control/Safety System", filed on April 1, 2003, the entire disclosure of which is expressly incorporated herein by reference.
Technical field
The present invention relates generally to process control and safety systems used in process plants and, more particularly, to a system that coordinates field device operations with bypasses or overrides in a process controller or safety system controller.
Background
Process control systems, such as those used in chemical, petroleum or other processes, typically include one or more process controllers communicatively coupled to at least one host or operator workstation and to one or more field devices via analog, digital or combined analog/digital buses or lines. The field devices, which may be, for example, valves, valve positioners, switches and transmitters (e.g., temperature, pressure and flow rate sensors), perform functions within the process plant such as opening or closing valves and measuring process parameters. The process controllers receive signals indicative of process measurements made by the field devices and/or other information pertaining to the field devices, use this information to implement control routines, and then generate control signals which are sent over the buses or lines to the field devices to control the operation of the process. Information from the field devices and the controllers is typically made available to one or more applications executed by the operator workstation, so that an operator can perform any desired function with respect to the process, such as configuring the process, viewing the current state of the process, modifying the operation of the process, and so on.
Furthermore, in many processes, a separate safety system is provided to detect significant safety-related problems within the process plant and to automatically close valves, remove power from devices, switch flows within the plant, and so on, when a problem occurs which might result in or lead to a serious hazard in the plant, such as a spill of toxic chemicals or an explosion. These safety systems typically have one or more controllers separate from the standard process control controllers, called logic solvers, which are connected to safety field devices via separate buses or communication lines installed within the process plant. The logic solvers use the safety field devices to detect process conditions associated with significant events, such as the position of certain safety switches or shutdown valves, overflows or underflows in the process, the operation of important power generation or control devices, the operation of fault detection devices, and so on, to thereby detect "events" within the process plant. When an event is detected, the safety controller takes some action to limit the detrimental effect of the event, such as closing valves, turning devices off or removing power from sections of the plant. Generally, these actions include switching safety devices into a tripped or "safe" mode of operation, which is designed to prevent a serious or hazardous condition within the process plant.
Function blocks within a safety instrumented system or logic solver are typically programmed with logic that bypasses or overrides the use of signals from, or detected states of, field devices, for example when the signal received from a field device is bad, when the logic within the field device is in a bad or abnormal mode, or when a manual signal is sent from an operator workstation to initiate such a bypass or override. For example, some analog input (AI) or digital input (DI) function blocks are programmed to provide a bypass or override to the logic within the safety system controller, which prevents the safety system controller logic from using the output of the field device (i.e., the output of the AI or DI block) as a valid input when determining whether an event has occurred. However, these function blocks generally provide such bypass or override signals in conjunction with a manual activation signal, which is sent by an operator or engineer when, for example, maintenance is being performed on the field device.
Similarly, redundant input devices, such as transmitters and switches, are typically used in safety instrumented systems to detect events within the system, providing higher safety integrity or greater availability of the process variable measurement. In such systems, it is sometimes necessary to provide a voting logic function in the shutdown logic to determine, based on the redundant inputs, whether the process condition is acceptable or dangerous. Such voting logic is fairly straightforward, because it generally only needs to determine whether a majority of the inputs detect that an event condition has occurred. In addition, as described in detail in U.S. Patent Application Serial No. 10/409,576, entitled "Voter Logic Block Including Operational and Maintenance Overrides in a Process Control System", which is assigned to the assignee of the present invention and is expressly incorporated herein by reference, override and bypass capabilities can be provided in a voter function block to, for example, prevent operation of the shutdown system during startup of the process control system, enable maintenance personnel to perform maintenance operations on one or more of the input devices, allow selected process conditions to be temporarily ignored, and so on.
Generally speaking, however, these bypasses or overrides, and particularly maintenance bypasses, are initiated manually by an operator or maintenance person when a maintenance procedure begins. In the cases where a bypass or override within the voting logic or logic solver is initiated automatically, it is generally tied to actions taken by the logic system, such as startup procedures, time-delay features and the like, and is unrelated to an externally initiated change of the field device state from a normal state to a test or calibration state. Thus, in the past, coordinating the bypass or override of a field device with the operating state of the logic solver in the safety instrumented system while a field device test procedure was running was a manual process performed by the engineer, and was therefore subject to human error. For example, when running a maintenance procedure on a field device, the engineer had to manually provide a bypass-enable signal to the safety instrumented logic to cause an input block associated with the field device, such as an AI, DI or voter logic block, to bypass the signal or input from the field device, so as to prevent the safety logic from recognizing or detecting an event based on the field device signal and initiating a shutdown procedure. The function blocks within the logic solver had no mechanism for recognizing an externally initiated change in the state of a field device as a test state, and no mechanism for automatically providing a bypass or override of the device output as a result of such a change in the field device.
Consequently, if the engineer forgets to manually set the bypass or override in the logic solver before starting a field device test, the logic solver may detect a problem within the plant based on the signals from the field device under test, and initiate a shutdown procedure unnecessarily. Such a shutdown can be very costly in terms of lost material and time within the process plant, and can be harmful or dangerous, particularly to the person performing the device test if the test is being run manually from the plant floor. In addition, if a manual bypass or override has been set in the safety logic solver, the engineer may forget to remove the override or bypass after the maintenance procedure is complete, which reduces the capability of the safety system and may cause a failure to initiate a shutdown procedure when one is called for by a measurement or condition of the valid, but bypassed, field device.
Still further, typical field devices incorporate a write-protect mechanism designed to prevent configuration changes to the field device from unauthorized sources. In particular, field devices commonly include a write-protect variable which, when set, prevents any change to the configuration settings of the field device and, when not set, allows such changes. In addition, many of these field devices must undergo a power cycle to recognize a changed state of the write-protect variable. To place the field device in a test mode (such as a fixed-current mode or a calibration mode) in which its configuration can be changed, the write-protect variable must be set to the unprotected state and the field device must be cycled through a power-up procedure. While it makes the system less susceptible to unauthorized changes to the field devices, this write-protect feature generally means that only manual tests can be run on a field device, because after the write-protect variable has been reset to place the field device in a state in which it can be tested, the field device must be manually powered off and on. Because the write-protect mechanism must be changed or turned off manually, it is generally difficult or practically impossible for a safety logic solver to automatically initiate a device test or calibration procedure on a field device that is in the protected state.
Summary of the invention
A process control or safety instrumented system uses function block logic to coordinate the logic within the process control or safety instrumented system with the operating states of the field devices, even when those operating states are initiated from outside the process control or safety system. In particular, logic within an input or voter function block associated with a field device can monitor and determine when the associated field device has been placed in a test or calibration mode, and can automatically initiate the appropriate bypass or override function in response to the detected condition of the field device. Similarly, the function block logic can automatically remove the bypass or override function when the field device is placed back in its normal operating mode. This automatic initiation of bypasses and overrides helps to prevent the safety system from initiating a shutdown procedure within the process plant as a result of a manually initiated device test, such as one performed with a handheld device attached to the field device. Likewise, the automatic removal of bypasses and overrides helps to prevent the safety system from failing to operate properly within the process plant because a user forgot to manually remove a bypass or override that had been set to allow a device test.
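The coordination summarized above can be traced with a small simulation. This is an added sketch, not code from the patent or from any vendor product; the device tags, the trip limit, the 1-out-of-2 vote and the rule that bypassed inputs are dropped from the vote are assumptions made for the example.

```python
from dataclasses import dataclass, field
from enum import Enum


class DeviceState(Enum):
    NORMAL = "normal"
    FIXED_CURRENT = "fixed_current"  # loop test: output forced to a set value
    CALIBRATION = "calibration"


@dataclass
class FieldDevice:
    tag: str
    value: float                     # reported measurement (constructed units)
    state: DeviceState = DeviceState.NORMAL


@dataclass
class InputBlock:
    """Hypothetical AI-style input block with device-state detection."""
    device: FieldDevice
    trip_limit: float
    auto_detect: bool = True         # False models manual-only bypass handling
    manual_bypass: bool = False
    auto_bypass: bool = False
    log: list = field(default_factory=list)

    def scan(self):
        """One execution cycle; returns (trip_vote, bypassed)."""
        in_test = self.auto_detect and self.device.state is not DeviceState.NORMAL
        if in_test != self.auto_bypass:
            # Device state changed outside the logic solver: follow it and
            # record the transition so a bypass never goes unnoticed.
            self.auto_bypass = in_test
            event = "bypass_set" if in_test else "bypass_removed"
            self.log.append((self.device.tag, event, self.device.state.value))
        bypassed = self.auto_bypass or self.manual_bypass
        return (not bypassed and self.device.value > self.trip_limit), bypassed


def vote(blocks, needed):
    """Trip when at least `needed` non-bypassed inputs vote to trip.

    Assumed degradation rule: bypassed inputs are dropped and `needed` is
    capped at the number of inputs left. With every input bypassed the
    voter cannot trip, which is why bypasses must be removed promptly.
    """
    results = [b.scan() for b in blocks]
    votes = [trip for trip, bypassed in results if not bypassed]
    if not votes:
        return False
    return sum(votes) >= min(needed, len(votes))


def run_scenario(auto_detect):
    """Constructed scenario: two redundant transmitters, 1oo2 trip above 90."""
    a = FieldDevice("PT-101A", 40.0)
    b = FieldDevice("PT-101B", 41.0)
    blocks = [InputBlock(d, trip_limit=90.0, auto_detect=auto_detect)
              for d in (a, b)]
    out = {}
    # A handheld tester forces transmitter A to a full-scale test output.
    a.state, a.value = DeviceState.FIXED_CURRENT, 100.0
    out["trip_during_test"] = vote(blocks, needed=1)
    # A real excursion on B while A is still under test must still trip.
    b.value = 95.0
    out["trip_on_real_event"] = vote(blocks, needed=1)
    # The process recovers and the technician returns A to normal operation.
    b.value = 41.0
    a.state, a.value = DeviceState.NORMAL, 40.0
    out["trip_after_test"] = vote(blocks, needed=1)
    out["a_bypassed_after_test"] = blocks[0].scan()[1]
    out["log"] = blocks[0].log
    return out


if __name__ == "__main__":
    for mode in (False, True):
        print("auto_detect =", mode, run_scenario(mode))
```

With `auto_detect=False` the forced test output is read as a real excursion and the voter trips; with `auto_detect=True` the block follows the device state, still trips on the real excursion from the other transmitter, and clears the bypass itself when the device returns to normal.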
Still further, the logic system and the field devices can be programmed with a subset of commands which can be initiated by the safety logic system to place a field device in a test or calibration mode even when the field device is write-protected. In this case, the logic system and the field device can have additional secure commands that incorporate a write-check mechanism, as required by IEC 61511, but which can be sent and acted on to cause the field device to enter a fixed-current mode or a calibration mode while the field device is still configured to be write-protected. The new commands need not be protected by the write-protect mechanism of the field device because they are initiated by a known and trusted source, namely the safety logic system. These new commands nonetheless enable the logic system to change the configuration of the field device, placing it in a test or calibration mode, without requiring a power cycle or other manual procedure. The maintenance functions needed on the field device can thus be coordinated in a secure manner by the safety logic system without exposing the field device to other undesired configuration changes. Likewise, even when the field device is otherwise write-protected, the safety system and the field device can store a record of the commands and responses communicated between the field device and the logic solver, providing a complete log of the actions taken on the field device. If desired, the additional subset of commands can be implemented as, for example, a manufacturer-specific category of HART commands, and can therefore operate alongside the existing commands supported by the field device. Using this manufacturer-specific communication capability, the logic solver can continuously monitor the state of the field device.
Brief description of the drawings
Fig. 1 is a block diagram of an exemplary process plant having a safety system integrated with a process control system, the safety system using one or more configurable AI, DI and voter function blocks to automatically control bypass and override actions during system shutdown and maintenance of the process plant;
Fig. 2 is a block diagram of one of the configurable voter function blocks of Fig. 1, which incorporates bypass and override functions;
Fig. 3 is a table of a number of exemplary voting schemes, including bypassed inputs, that can be used by the voter function block of Fig. 2;
Fig. 4 is an exemplary table illustrating the manner in which a voting scheme can be degraded when the status of an input to the voter function block is bad; and
Fig. 5 is a block diagram of an input function block having field device state detection and initiation logic, which is communicatively coupled between the field device and the associated bypass and override functions within the function block, and which is used to control logic within the safety logic solver based on the detected state of the field device and to control the configuration of the field device.
Detailed description
Referring now to Fig. 1, a process plant 10 includes a process control system 12 integrated with a safety system 14 (indicated by dotted lines), which generally operates as a safety instrumented system (SIS) to monitor and override the control provided by the process control system 12, thereby maximizing the likely safe operation of the process plant 10. The process plant 10 also includes one or more host workstations, computers or user interfaces 16 (which may be any type of personal computer, workstation, PDA, etc.) that are accessible by plant personnel, such as process control operators, maintenance personnel, safety engineers and so on. In the example illustrated in Fig. 1, two user interfaces 16 are shown connected via a common communication line or bus 22 to two separate process control/safety control nodes 18 and 20 and to a configuration database 21. The communication network 22 may be implemented using any desired bus-based or non-bus-based hardware, any desired hardwired or wireless communication structure, and any desired or suitable communication protocol, such as an Ethernet protocol.
Generally speaking, each of the nodes 18 and 20 of the process plant 10 includes both process control system devices and safety system devices, connected together via a bus structure that may be provided on a backplane into which the different devices are attached. The node 18 is illustrated in Fig. 1 as including a process controller 24 (which may be a redundant pair of controllers) and one or more process control system input/output (I/O) devices 28, 30 and 32, while the node 20 is illustrated as including a process controller 26 (which may be a redundant pair of controllers) and one or more process control system I/O devices 34 and 36. Each of the process control system I/O devices 28, 30, 32, 34 and 36 is communicatively connected to a set of process-control-related field devices, illustrated in Fig. 1 as field devices 40 and 42. The process controllers 24 and 26, the I/O devices 28-36 and the controller field devices 40 and 42 generally make up the process control system 12 of Fig. 1.
Likewise, the node 18 includes one or more safety system logic solvers 50, 52, while the node 20 includes safety system logic solvers 54 and 56. Each of the logic solvers 50-56 is an I/O device having a processor 57 that executes safety logic modules 58 stored in a memory 79, and is communicatively connected to provide control signals to and/or receive signals from safety system field devices 60 and 62. In addition, each of the nodes 18 and 20 includes a message propagation device (MPD) 70 or 72; these are communicatively coupled to each other via a ring bus connection 74 (only part of which is shown in Fig. 1). The safety system logic solvers 50-56, the safety system field devices 60 and 62, the MPDs 70 and 72 and the bus 74 generally make up the safety system 14 of Fig. 1.
The process controllers 24 and 26, which may be, by way of example only, DeltaV™ controllers sold by Emerson Process Management or any other desired type of process controller, are programmed to provide process control functionality (using what are commonly referred to as control modules) using the I/O devices 28, 30 and 32 (for the controller 24), the I/O devices 34 and 36 (for the controller 26) and the field devices 40 and 42. In particular, each of the controllers 24 and 26 implements or oversees one or more process control routines stored therein or otherwise associated therewith, and communicates with the field devices 40 and 42 and the workstations 14 to control the process 10, or a portion of the process 10, in any desired manner. The field devices 40 and 42 may be any desired type of field device, such as sensors, valves, transmitters, positioners and so on, and may conform to any desired open, proprietary or other communication or programming protocol, including, for example, the HART or the 4-20 mA protocol (as illustrated for the field devices 40), any fieldbus protocol such as the Fieldbus protocol (as illustrated for the field devices 42), or the CAN, Profibus or AS-Interface protocols, to name but a few. Similarly, the I/O devices 28-36 may be any known type of process control I/O device using any appropriate communication protocol.
The safety logic solvers 50-56 of Fig. 1 may be any desired type of safety system control device that includes a processor 57 and a memory storing safety logic modules 58 adapted to be executed on the processor 57 to provide control functionality associated with the safety system 14 using the field devices 60 and 62. Of course, the safety field devices 60 and 62 may be any desired type of field device conforming to or using any known or desired communication protocol, such as those mentioned above. In particular, the field devices 60 and 62 may be safety-related field devices of the type conventionally controlled by a separate, dedicated safety-related control system. In the process plant 10 illustrated in Fig. 1, the safety field devices 60 are depicted as using a dedicated or point-to-point communication protocol, such as the HART or the 4-20 mA protocol, while the safety field devices 62 are illustrated as using a bus communication protocol, such as a Fieldbus protocol. The safety field devices 60 may perform any desired function, such as that of a shutdown valve, a shut-off switch and so on.
A common backplane 76 (indicated by a dotted line through the controllers 24 and 26, the I/O devices 28-36, the safety logic solvers 50-56 and the MPDs 70 and 72) is used in each of the nodes 18 and 20 to connect the controllers 24 and 26 to the process control I/O cards 28, 30 and 32 or 34 and 36, to the safety logic solvers 50, 52, 54 or 56, and to the MPDs 70 or 72. The controllers 24 and 26 are also communicatively coupled to the bus 22 and operate as bus arbitrators for the bus 22, enabling each of the I/O devices 28-36, the logic solvers 50-56 and the MPDs 70 and 72 to communicate with any of the workstations 16 via the bus 22.
As will be understood, each of the workstations 16 includes a processor 77 and a memory 78 that stores one or more configuration and/or viewing applications adapted to be executed on the processor 77. A configuration application 80 and a viewing application 82 are illustrated in an exploded view in Fig. 1 as being stored in one of the workstations 16, while a diagnostic application 84 is illustrated as being stored in another of the workstations 16. However, if desired, these and other applications can be stored and executed in different ones of the workstations 16 or in other computers associated with the process plant 10. Generally speaking, the configuration application 80 provides configuration information to a safety engineer and enables the safety engineer to configure some or all of the elements of the process plant 10 and to store that configuration in the configuration database 21. As part of the configuration activities performed by the configuration application 80, the safety engineer may create control routines or control modules for the process controllers 24 and 26, may create safety logic modules 58 for any and all of the safety logic solvers 50-56 (including creating and programming input, voter and other function blocks for use in the safety logic solvers 50-56 or even in the controllers 24 and 26), and may download these different control and safety modules to the appropriate ones of the process controllers 24 and 26 and the safety logic solvers 50-56 via the bus 22 and the controllers 24 and 26. Similarly, the configuration application 80 may be used to create and download other programs and logic to the I/O devices 28-36, to any of the field devices 40, 42, 60 and 62, and so on.
Conversely, the viewing application 82 may be used to provide one or more displays to a user, such as a process control operator or a safety operator, which include information about the state of the process control system 12 and the safety system 14, either in separate views or in the same view, if so desired. For example, the viewing application 82 may be an alarm display application that receives alarm indications and displays them to an operator. If desired, such an alarm viewing application may take the form disclosed in U.S. Patent No. 5,768,119, entitled "Process Control System Including Alarm Priority Adjustment", and U.S. Patent Application No. 09/707,580, entitled "Integrated Alarm Display in a Process Control Network", both of which are assigned to the assignee of this application and are expressly incorporated herein by reference. It will be understood, however, that the alarm display or alarm banner of these patents may receive and display alarms from both the process control system 12 and the safety system 14 in an integrated alarm display, as the alarms from both systems 12 and 14 will be sent to the operator workstation 14 executing the alarm display application and will be recognizable as alarms from different devices. Likewise, an operator may deal with safety alarms displayed in the alarm banner in the same manner as process control alarms. For example, the operator or user may acknowledge safety alarms, turn off safety alarms and so on using the alarm display, which will send messages to the appropriate process controller 24, 26 within the safety system 14, using communications over the bus 22 and the backplane 76, to take the corresponding action with respect to the safety alarm. In a similar manner, other viewing applications may display information or data from both the process control system 12 and the safety system 14, as these systems may use the same types and kinds of parameters, security and referencing, so that any data from one of the systems 12 and 14 can be integrated into a display or view traditionally provided for a process control system.
The diagnostic application 84 may be used to carry out diagnostic or maintenance procedures within the process control and safety systems of the plant 10. Such a diagnostic application may perform any desired type of diagnostic or maintenance procedure, such as running process and valve tests, startup procedures and so on, and may or may not use one or more of the AI, DI or voter function blocks within the process plant 10 to provide overrides that prevent operation of the safety system, based on inputs from one or more devices, as a result of the diagnostic procedure. Similarly, a handheld configuration or testing device 85 may be connected to any of the field devices 40, 42, 60 and 62 to perform configuration, test and calibration procedures on those field devices, with or without communicating bypass or override signals to one or more of the AI, DI or voter function blocks within the process plant 10.
In any event, the applications 80, 82 and 84, and any other applications, may send separate configuration and other signals to, and may receive data from, each of the process controllers 24 and 26 and each of the safety system logic solvers 50-56. These signals may include process-level information related to controlling the operating parameters of the process field devices 40 and 42, and may include safety-level information related to controlling the operating parameters of the safety-related field devices 60 and 62. While the safety logic solvers 50-56 may be programmed to recognize both the process-level information and the safety-level information, the safety logic solvers 50-56 are able to distinguish between the two types of information and cannot be programmed or affected by process-level configuration signals. In one example, the programming information sent to the process control system devices may include certain fields or addresses which are recognized by the safety system devices and which prevent those signals from being used to program the safety system devices.
If desired, the safety logic solvers 50-56 may use the same or a different hardware or software design as compared to the hardware and software design used for the process control I/O cards 28-36. The use of alternate technologies for the devices within the process control system 12 and the devices within the safety system 14 may minimize or eliminate common-cause hardware or software failures. Furthermore, the safety system devices, including the logic solvers 50-56, may use any desired isolation and security techniques to reduce or eliminate the chance of unauthorized changes being made to the safety-related functions they implement. For example, the safety logic solvers 50-56 and the configuration application 80 may require a person with a particular authority level, or a person located at a particular workstation, to make changes to the safety modules within the logic solvers 50-56, with this authority level or location being different from the authority, access level or location needed to make changes to the process control functions performed by the controllers 24 and 26 and the I/O devices 28-36. In this case, only those persons designated within the safety software, or located at workstations authorized to make changes to the safety system 14, have authorization to alter safety-related functions, which minimizes the chance of corrupting the operation of the safety system 14. As will be understood, to implement such security, the processors within the safety logic solvers 50-56 assess incoming messages for proper form and security, and operate as gatekeepers on changes being made to the safety-level control modules 58 executed within the safety logic solvers 50-56.
The use of the backplane 76 in each of the nodes 18 and 20 enables the safety logic solvers 50 and 52, and the safety logic solvers 54 and 56, to communicate locally with one another to coordinate the safety functions implemented by each of these devices, to exchange data, or to perform other integrated functions. The MPDs 70 and 72, on the other hand, enable portions of the safety system 14 that are located at very different places within the facility 10 to still communicate with one another, providing coordinated safety operation at the different nodes of the process facility 10. In particular, the MPDs 70 and 72 together with the bus 74 allow the safety logic solvers associated with the different nodes 18 and 20 of the process facility 10 to be communicatively cascaded together, so that safety-related functions within the process facility 10 can be cascaded according to an assigned priority. In addition, two or more safety-related functions at different locations within the process facility 10 may be interlocked or interconnected without having to run a dedicated line to individual safety field devices within each separate area or node of the facility 10. In other words, the use of the MPDs 70 and 72 and the bus 74 enables a safety engineer to design and configure a safety system 14 that is physically distributed throughout the process facility 10 but whose different components are communicatively interconnected, so that disparate safety-related hardware can communicate as needed. This feature also makes the safety system 14 scalable, because additional safety logic solvers can be added to the safety system 14 as they are needed or as new process control nodes are added to the process facility 10.
If desired, the logic solvers 50-56 may be programmed using a function block programming paradigm to perform control actions related to the safety devices 60 and 62. In particular, as shown in the expanded view of one safety control module 58a of the logic solver 54 (stored in the memory 79), a safety control module may include a set of communicatively interconnected function blocks that can be created and downloaded to the logic solver 54 for implementation during operation of the process 10. As shown in Fig. 1, the control module 58a includes two voter function blocks 92 and 94 whose inputs are communicatively interconnected with other function blocks 90, which may be, for example, analog input (AI) function blocks, digital input (DI) function blocks, or other function blocks designed to provide signals to the voter function block 92. The voter function blocks 92 and 94 have at least one output connected to one or more other function blocks 91, which may be analog output (AO) function blocks, digital output (DO) function blocks, cause and effect function blocks implementing cause and effect logic, control and diagnostic function blocks that receive the output signals of the voter function blocks 92 and 94 and control the operation of the safety devices 60 and 62, and so on. Of course, the safety control module 58a may be programmed in any desired manner to include any type of function block together with one or more voter function blocks, configured in any desired or useful manner to perform any desired function. Additionally or alternatively, other input function blocks such as AI and DI function blocks may be connected directly to the safety system logic to provide a safety logic control module that responds to the detection of one or more events by the AI or DI function blocks by activating one or more shutdown devices when those events occur.
Thus, while the expanded view of the safety control module 58a in Fig. 1 includes a digital voter function block 92 with five digital inputs and an analog voter function block 94 with three analog inputs, it will be understood that any number of different safety logic modules 58 can be created and used in each of the different logic solvers 50-56, and each of these modules may include any number of AI, DI, voter or other input function blocks having any desired number of inputs communicatively connected to other function blocks in any desired manner. Similarly, if used in, for example, a Fieldbus network, the voter function blocks 92 and 94 may be any Fieldbus-type function blocks or may be connected to any other function blocks there, and may be located and implemented in other devices, such as in the field devices 62. If used outside of a safety system, the voter function blocks 92 and 94 and other input function blocks may be implemented in the process controllers 24, 26, the I/O devices 28-36, the field devices 42, and so on. As is generally understood, the voter function blocks 92 and 94 typically receive redundant inputs provided by redundant sensors or transmitters in the safety system 14, apply a voting scheme to these inputs, and determine from all of those inputs whether a safety system trip condition exists. In addition, these voter function blocks may be programmed to initiate bypasses or overrides within the safety system logic.
Fig. 2 is a block diagram illustrating the components of one example of the voter function block 94 of Fig. 1 having bypass and override capability. The voter function block 92 is an analog voter function block, because it processes analog input signals delivered by, for example, analog input (AI) function blocks 90. Generally, the voter function block 94 includes three inputs, labeled IN1, IN2 and IN3, which are adapted to receive analog input signals from redundant sensors or other redundant elements in the process facility 10, such as the field devices 60 and 62 of Fig. 1. Each of the inputs IN1, IN2 and IN3 is provided to a trip limit check block 95a, 95b or 95c and to a pre-trip limit check block 96a, 96b or 96c. The trip limit check blocks 95 compare the input delivered to them with a preset limit to determine whether the input signal has reached a value associated with a trip condition (this value may be above an upper limit, below a lower limit, or within a preset range). In a similar manner, the pre-trip limit check blocks 96 compare the input delivered to them with a preset pre-trip limit to determine whether the input signal has reached a value (again above an upper limit, below a lower limit, or within a preset range) associated with an alarm or warning indicating that a trip condition does not yet exist but is about to occur. In effect, the pre-trip limit check blocks 96 can produce an alarm or event signal indicating that a dangerous or otherwise undesirable condition does not yet exist but is imminent.
The output of each trip limit check block 95 and each pre-trip limit check block 96 (which may be, for example, a digital signal that is set high when the limit or pre-trip limit is reached in the blocks 95 and 96) is delivered to one of a set of input bypass inhibit blocks 98a, 98b and 98c. The input bypass inhibit blocks 98 perform input inhibiting on each of the inputs IN1, IN2 and IN3, so that one or more of these inputs can be inhibited, that is, not used within the voter function block 94 to determine whether a trip condition or a pre-trip alarm condition exists. Each input bypass inhibit block 98 provides its output for the trip limit condition to a trip voter logic block 100a and its output for the pre-trip limit condition to a pre-trip voter logic block 100b. The voter logic blocks 100a and 100b perform any desired voting logic to determine from their inputs whether a trip condition or a pre-trip alarm condition exists.
The trip voter logic block 100a and the pre-trip voter logic block 100b provide a trip signal and a pre-trip alarm signal, respectively (when these conditions are determined to exist), to an inhibit or override block 102, which can inhibit the voter function block 94 from providing any trip signal or pre-trip alarm signal output during, for example, startup or other operating, run-time or maintenance procedures in which operation of the voter function block 94 is to be inhibited. The inhibit block 102 produces the determined trip output signal (labeled Out) as a result of the operation of the trip voter logic block 100a and the startup inhibit block logic, and likewise develops the determined Pre_out signal as a result of the operation of the pre-trip voter logic block 100b and the startup inhibit block logic. The Out signal may be used to drive the operation of a shutdown procedure within the safety system 14 of Fig. 1, and the Pre_out signal may be used to provide an alarm indicating that a trip condition is about to occur in the process facility 10. Of course, the Out and Pre_out signals may also be used for other purposes if so desired.
The voter function block 94 may include a set of parameters, some of which are shown in Fig. 2 above or below the blocks in which they are used, and which are set, for example during configuration of the voter function block 94, to implement or specify its operation. In particular, the trip limit (Trip_Lim) and pre-trip limit (Pre_Trip_Lim) parameters are used to set or establish the trip limits used in the trip limit check blocks 95 and the pre-trip limits used in the pre-trip limit check blocks 96. The trip limit and/or pre-trip limit parameters may be the same for each of the different blocks 95 and 96, or may be set individually for each of the blocks 95 and 96. Similarly, the trip hysteresis (Trip_Hys) and pre-trip hysteresis (Pre_Trip_Hys) parameters are used to set the hysteresis that the blocks 95 and 96 must observe between successive trips. That is, once one of the blocks 95 or 96 has detected an input signal above (or below) the limit, the value of the trip hysteresis parameter (for the blocks 95) or of the pre-trip hysteresis parameter (for the blocks 96) determines how far the input signal must move back below (or above) the limit before the trip signal (or pre-trip signal) is turned off, or before a second trip signal (or pre-trip signal) can be set by that block.
The voter function block 94 also has an internal trip type configuration parameter named Trip_Type, which defines the normal and trip state values associated with the inputs and/or outputs of the voter function block 94. For example, when the voter function block 94 is configured as "De-energized to Trip" (which may be the default value), the normal operating value of the output is one and the trip state value is zero. Conversely, when the voter function block 94 is configured as "Energized to Trip", the normal operating value is zero and the trip state value is one. This determination is initially made at the trip limit check blocks 95a, 95b and 95c and at the pre-trip limit check blocks 96a, 96b and 96c, which correspond to the inputs IN1, IN2 and IN3, respectively. The detection type (Detect_Type) parameter may be used to determine whether the comparison against the trip limit is a greater-than (high limit) comparison or a less-than (low limit) comparison. This comparison takes place in the appropriate trip limit check blocks 95 and pre-trip limit check blocks 96 to determine whether the input signal has reached the predetermined limit.
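The following sketch shows how the Trip_Lim, Trip_Hys, Detect_Type and Trip_Type parameters described above interact for a single input. It is an added illustration, not code from the patent; the class name, field names and sample values are assumptions made for this example.

```python
from dataclasses import dataclass


@dataclass
class TripLimitCheck:
    """One per-input limit check (the role of blocks 95a-95c in the text).

    Field names are hypothetical; they mirror the Trip_Lim, Trip_Hys,
    Detect_Type and Trip_Type parameters named on the page.
    """
    trip_lim: float                    # Trip_Lim
    trip_hys: float                    # Trip_Hys
    detect_high: bool = True           # Detect_Type: True = trip when input > limit
    de_energize_to_trip: bool = True   # Trip_Type: True = normal 1, trip 0
    tripped: bool = False              # latched state between scans

    def update(self, value: float) -> int:
        """Process one sample and return the encoded output (0 or 1)."""
        if self.detect_high:
            if value > self.trip_lim:
                self.tripped = True
            elif value < self.trip_lim - self.trip_hys:
                # Input has moved back far enough below the limit to clear.
                self.tripped = False
        else:
            if value < self.trip_lim:
                self.tripped = True
            elif value > self.trip_lim + self.trip_hys:
                self.tripped = False
        return self.output()

    def output(self) -> int:
        """Encode the latched state according to Trip_Type."""
        trip_value = 0 if self.de_energize_to_trip else 1
        return trip_value if self.tripped else 1 - trip_value


def run(check: TripLimitCheck, samples) -> list:
    """Feed a sequence of samples through one limit check."""
    return [check.update(v) for v in samples]


# Constructed sample data: a signal that crosses a high limit of 100.0,
# hovers inside the 3.0-wide hysteresis band, clears, then trips again.
HIGH_SAMPLES = [95.0, 101.0, 99.0, 97.5, 96.9, 100.5]
# Constructed sample data for a low limit of 10.0 with hysteresis 2.0.
LOW_SAMPLES = [12.0, 9.5, 11.0, 12.5]

if __name__ == "__main__":
    print(run(TripLimitCheck(100.0, 3.0), HIGH_SAMPLES))
    print(run(TripLimitCheck(100.0, 3.0, de_energize_to_trip=False), HIGH_SAMPLES))
    print(run(TripLimitCheck(10.0, 2.0, detect_high=False), LOW_SAMPLES))
```

Samples that fall back inside the hysteresis band (99.0 and 97.5 here) keep the trip latched, which is what prevents a noisy input sitting near the limit from toggling the vote on every scan.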
As will be understood, the output of each trip limit check block 95 indicates whether a trip is indicated by the corresponding one of the inputs IN1, IN2 and/or IN3. As noted above, a maintenance override or bypass may be applied to each of the individual inputs IN1, IN2 and IN3 by the input bypass inhibit blocks 98, to prevent those inputs from being used in the voting logic applied by the voter logic blocks 100. This bypass feature is desirable when, for example, maintenance is being performed on a transmitter or other field device that provides an input signal to the voter function block 94. When voting logic is used to determine a trip output from multiple inputs, a maintenance bypass is not always necessary, because a single erroneous vote to trip (which may be caused by the maintenance activity on the sensor providing that input) will not necessarily result in a trip. The bypass function is nevertheless desirable to prevent spurious trips during maintenance activities, and may be needed in some voting logic schemes, such as a one-out-of-two voting scheme, in which even a single trip signal from one of the redundant sensors will result in a trip.
When one of the input bypass inhibit blocks 98 causes an input to be bypassed, the bypassed input will not be used by the voter logic blocks 100a and 100b to produce a trip signal or a pre-trip alarm signal, even if the input value exceeds the limit specified by the trip limit or pre-trip limit parameter. To enable bypassing, a bypass permit (Bypass_Permit) parameter may first control whether input bypasses are allowed in the first place. Generally, if the Bypass_Permit parameter is set or activated, bypassing of inputs is allowed; if the Bypass_Permit parameter is not set or not activated, bypassing of inputs is not allowed. While a single Bypass_Permit parameter may apply to all of the bypass inhibit blocks 98, a separate bypass permit may instead be provided for each of the input bypass inhibit blocks 98a, 98b and 98c.
If the Bypass_Permit parameter is set or activated, a BYPASSx parameter may then be used to cause one or more of the bypass inhibit blocks 98 to operate so as to inhibit use of the associated input IN1, IN2 or IN3. The x in the BYPASSx parameter indicates which of the inputs IN1, IN2 or IN3 is disabled. If desired, more than one input may be inhibited at any particular time, or the voter function block 94 may be configured to allow only one input to be inhibited at a time. The Bypass_Permit and BYPASSx parameters may be set or issued in any desired manner, such as by an operator display button on an operator or maintenance screen, by a physical key switch, by a discrete input that enters the safe mode, by a configuration, control, display or diagnostic application, by another input function block (as described in more detail below), or in any other manner. Of course, if a bypass permit does not need to be used in a particular implementation of the voter function block 94, the default value of the Bypass_Permit parameter may be set to activated in the configuration of the voter function block 94.
A bypass timeout (Bypass_Timeout) parameter may be used to set an amount of time after which a bypass that has been set for one of the blocks 98 automatically expires. In this case, each input bypass inhibit block 98 may include a bypass timer, as one of a set of timers 110, that is set to the value of the Bypass_Timeout parameter and counts down from the moment the bypass begins. The input bypass inhibit block 98 then inhibits use of the associated input until BYPASSx is turned off or until the bypass timer reaches zero. As will be understood, the bypass timer can be used to ensure that a bypass is removed after a predetermined amount of time.
If desired, the input bypass inhibit blocks 98 may also be configured to provide a reminder alarm to a user, such as an operator, safety engineer or technician, to remind or alert the user that a bypass is about to time out. If a bypass timeout is configured so that the bypass goes away or is deactivated, the user or other operator can be notified before the timeout by setting the reminder time (REMINDER_TIME) parameter to some nonzero value. In this case, if the bypass timer is nonzero but less than the reminder time parameter, and any bypassed input is voting to trip, the reminder alarm may be activated to warn the user that a shutdown will follow the upcoming expiration of the bypass timer. If no bypassed input is voting to trip, the alarm need not be activated, although it may still be. It will be understood, however, that even when the bypass timeout alarm is active a trip may not follow immediately, because a trip also depends on whether enough other inputs are voting to trip for the trip voter logic block 100a to produce the trip signal.
In one embodiment, the bypass timer can be re-armed only when the bypass first times out. However, the bypass timer may be a writable parameter, so that shortly after the timeout has been announced, an operator display button (or some other suitable technique) can be used to increase the bypass timer and extend the bypass time. This feature allows a user to extend the bypass time when, for example, a maintenance procedure is still being performed on the field device that provides the bypassed input to the voter function block 94. In addition, the bypass timeout notification may be used for indication purposes only, for example where the bypass remains active when the bypass timer expires. In this case, the reminder alarm may be set active when the bypass timer expires even though the reminder time parameter is set to zero. If the reminder time parameter is nonzero, however, the reminder will occur before the timeout (if the input is voting to trip). The reminder alarm, like the bypass alarm, may be an acknowledged or unacknowledged alarm.
The voting logic performed by the voter logic blocks 100a and 100b may be an "M out of N" logic function. Under this function, M of the total of N inputs must vote to trip. For example, the voter function block 94 may be configured for two-out-of-three (2oo3) voting, which means that two of the three inputs must meet the trip limit before the output of the trip voter logic block 100a is set to the trip state value, and two of the three inputs must meet the pre-trip limit before the output of the pre-trip voter logic block 100b is set to the pre-trip alarm value. The value of N in the "M out of N" function is determined by the number of inputs that are not disabled, and the value of M is determined by an internal block parameter called the number to trip (NUM_TO_TRIP), whose default value may be set in the configuration to any desired value equal to or less than N. Common voting schemes include, for example, two out of three (2oo3), one out of two (1oo2), two out of two (2oo2), and so on, but any other voting logic may be used as well. Because of its other features, the voter function block 94 may also be used in single-transmitter applications, as in the case of one-out-of-one (1oo1) voting logic.
Generally, a 1oo2 or 1oo1 voting scheme will need the maintenance bypass function, because during a maintenance activity even disabling a single transmitter, in a way that causes a trip condition to be detected on the input of the voter function block 94 for that transmitter, will necessarily cause the trip condition to be set by the voter logic block 100a. Voter function blocks configured to require multiple votes to determine a trip can still benefit from the bypass function, however, to obtain more predictable behavior during maintenance procedures.
Bypassing one of the inputs IN1, IN2 or IN3 can affect the voter logic blocks 100a and 100b in one of two ways: the number of inputs required to determine a trip condition (or pre-trip alarm condition) can be reduced by one, or that number can remain unchanged. For example, when the voter logic block 100a is configured as a 2oo3 voter logic block and one of the inputs IN1, IN2 or IN3 is bypassed, the voting scheme may then become a 1oo2 voting scheme, meaning that the number of inputs required to vote for a trip is reduced by one (together with the number of available inputs). Alternatively, when the selected input is bypassed, the 2oo3 voting scheme may become a 2oo2 voting scheme, meaning that the number of inputs required to vote for a trip remains unchanged (even though the number of available inputs has been reduced by one). A bypass option parameter may be used to determine whether the number needed to trip is or is not reduced by one when an input is bypassed. Fig. 3 illustrates the result of this option for several different voting schemes. The first column of Fig. 3 shows the configured voting logic scheme with no inputs inhibited; the second column shows the voting logic when one input is inhibited and the originally configured number M needed to trip is used; and the third column shows the voting logic when one input is inhibited and the number M needed to trip is reduced by one. Of course, inhibiting further inputs results in similar changes to the values shown in the second and third columns of Fig. 3. In any event, the trip voter logic block 100a (and the pre-trip voter logic block 100b) will not ordinarily reduce the actual number of inputs needed to trip to less than one, and when the number of inputs that could vote to trip drops to zero, as in a 1oo1 voting scheme, the trip will be inhibited.
The default behavior of the input bypass inhibit blocks 98 may be configured to allow only one input to be bypassed at a time. This behavior can be enforced by a write-protection feature that prevents a second input from being bypassed. Alternatively, multiple inputs may be bypassed simultaneously. If desired, the BYPASSx parameters may have additional write protection that requires the bypass permit (BYPASS_PERMIT) parameter to be set or true before a BYPASSx parameter can be set.
After the vote has been performed at the trip voter logic block 100a according to the selected M out of N voting scheme, a trip delay on time parameter, TRIP_DELAY_ON, may be applied so that the voted trip condition must be active for a configurable period of time (whose default value may be set at zero seconds) before the OUT signal changes to the trip state value. In a similar manner, a trip delay off time parameter, TRIP_DELAY_OFF (whose default value may be set at zero seconds), may be used to delay the time at which the OUT signal returns to the normal state value when the voted trip state clears, that is, when the trip voter logic block 100a determines from its inputs that the trip condition no longer exists. Of course, the trip delay on time and trip delay off time parameters can have different and any desired values, and may be applied to the OUT signal produced by the trip voter logic block 100a, to the Pre_out alarm signal produced by the pre-trip voter logic block 100b, or to both. If desired, the trip delay on and trip delay off time periods may be configured separately for the trip voter logic block 100a and the pre-trip voter logic block 100b, and may be tracked by one of the timers 110.
As noted above, the inhibit block 102 provides an override function for startup or other operations. If desired, this override function may be initiated by another function block, such as one of the input function blocks (as described in more detail below). For example, it may be necessary to deactivate the output of the voter function block 94, forcing the OUT signal to the normal state, for a short period during startup or other temporary operating situations, including some field device testing situations. This inhibit or override function can be used, for example, to cancel a standing trip demand produced by the voter function block 94 because the process or the relevant part of it is in a shutdown state, because a field device is in a maintenance condition, and so on. This allows the process startup procedure to proceed to the point at which the process values provided at the inputs of the voter function block 94 are no longer values indicating that a trip should be initiated, or allows complete maintenance procedures to be carried out on one or more field devices.
In one example, the inhibit block 102 may include a default behavior in which, upon receiving a startup indication (which may be indicated by setting a Startup parameter), the inhibit block 102 forces the OUT signal and, if desired, the Pre_out signal to the normal state value for a configurable period of time defined by a startup delay (STARTUP_DELAY) parameter. The inhibit block 102 may include a startup countdown timer, as one of the timers 110, that is set to the value specified by the startup delay parameter and begins counting down once the startup indication has been received through the Startup parameter. When the countdown timer expires, the trip voter logic block 100a and the pre-trip voter logic block 100b resume normal trip detection. The inhibit block 102 may be configured so that subsequent setting of the Startup parameter while the startup timer is counting down has no effect on the startup time. Alternatively, each new setting of the Startup parameter may be allowed to re-arm the startup timer, so that a trip that would occur at the timeout can be avoided.
Like the input bypass inhibit blocks 98, the inhibit block 102 may have a reminder function, which may be turned on, for example, by setting a bypass parameter. When this reminder function is operating for input bypasses (maintenance bypasses), it also operates for the startup bypass in essentially the same manner. Thus, when the startup timer is greater than zero but less than the configurable reminder time (REMINDER_TIME) parameter, and there are enough votes to trip, the reminder alarm condition becomes active to indicate that the bypass is about to expire, which, given the values of the inputs IN1, IN2 and IN3, will result in a shutdown.
If desired, the startup timer may additionally or alternatively expire automatically when the inputs have stabilized, that is, when there have not been enough votes to trip for a configurable period of time. This stabilization time may be tracked by a stabilization timer, which may be one of the timers 110 and which detects when the output of the voter logic block 100a has been stable at the non-trip or normal value for a specified period of time. In this case, while the startup timer is counting down, the stabilization timer does not count while there are enough votes to trip, and it may be reset when the number of votes to trip meets or exceeds the number required to trip. If the stabilization timer reaches the configured stabilization time, the startup timer is reset to zero and normal trip detection resumes. Of course, the expiry of the stabilization timer does not itself reset it; it may, however, be reset at the beginning of the startup time period and at any time during the startup inhibit period when there are enough votes to trip.
In addition, the startup bypass time need not be based on a fixed period of time or on the values of the inputs IN1, IN2 and IN3 of the voter function block 94, but may instead be based on the occurrence or non-occurrence of an event. In this case, the startup bypass ends when a startup reset parameter is set or becomes true, which may happen upon the detection of an event. In this manner, the startup bypass may depend on the presence or absence of an event of indeterminate duration.
If desired, the status of the inputs IN1, IN2 and/or IN3 may be used to influence the behavior of the voter function block 94, and this status behavior may be set with a status option parameter. As will be understood, in many systems, such as HART and Fieldbus systems, a transmitter or other field device sends a status signal along with the process variable signal or process value, where the status signal indicates the state of the transmitter itself. This status signal may indicate that the transmitter is in a normal or good state, or that it is in an abnormal state, such as a bad or other undesirable state, which may make the process variable value sent by the transmitter suspect. Thus, the status of the input signals provided to the inputs IN1, IN2 and IN3 of the voter function block 94 may be determined and used to affect the voting scheme or the manner in which the inputs are used in the voting scheme.
If desired, the voting scheme used by the blocks 100 may be set so that one failed transmitter (that is, one input with a bad status) does not automatically initiate a trip when the other transmitters are validly indicating acceptable values of the measured process variable. When input signal status is considered, one option is to always use the value of the input IN1, IN2 or IN3 and to ignore the status of the input. In this manner, a hardware failure need not cause a shutdown, and time is allowed for repair. Another option is to treat a bad status on an input like a bypass of that input, preventing the input from voting to trip in the same manner as the input bypass inhibit blocks 98 described above. A third option is to automatically consider an input to be a vote to trip if the status of the input is bad. This may be the configured default option, which provides the highest level of safety for 1ooX voting schemes. Fig. 4 illustrates the manner in which several common voting schemes degrade when one input signal has a bad status, for each of the options described above. For example, as shown in the first row, first column of Fig. 4, when the input value is always used, a 2oo3 voting scheme effectively degrades to a 2oo3 voting scheme (if the signal value from the bad transmitter is a non-trip value) or to a 1oo2 voting scheme (if the signal value from the bad transmitter is a trip value). In contrast, as shown in the first row, second column of Fig. 4, if the value of the bad transmitter is not used, the 2oo3 voting scheme degrades to a 2oo2 voting scheme (or to a 1oo2 scheme, depending on the selected bypass option). Similarly, as shown in the first row, third column of Fig. 4, if the value of the bad transmitter is treated as a vote to trip, the 2oo3 voting scheme effectively degrades to a 1oo2 voting scheme regardless of what the actual value of the signal indicates.
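The M out of N vote, the two bypass options described with Fig. 3 and the three bad-status options described with Fig. 4 can be exercised together in a few lines. This is an added sketch, not code from the patent: the function, class and option names are assumptions, and only NUM_TO_TRIP, BYPASSx and Bypass_Permit correspond to parameters named on the page.

```python
from dataclasses import dataclass
from enum import Enum


class BadStatusOption(Enum):
    """The three status options described in the text (names are hypothetical)."""
    USE_VALUE = "always use the input value and ignore its status"
    AS_BYPASSED = "treat a bad-status input like a bypassed input"
    AS_TRIP_VOTE = "treat a bad-status input as a vote to trip"


@dataclass
class VoterInput:
    trip_vote: bool            # result of this input's trip limit check
    bypass: bool = False       # BYPASSx for this input
    status_good: bool = True   # status reported with the process value


def vote(inputs, num_to_trip, bypass_permit=True, reduce_on_bypass=False,
         bad_status=BadStatusOption.USE_VALUE):
    """Return (tripped, m, n): the decision and the effective 'm out of n' scheme.

    reduce_on_bypass models the bypass option: when True, each excluded
    input also lowers the number of votes needed to trip by one.
    """
    m = num_to_trip                      # NUM_TO_TRIP
    votes = []
    for inp in inputs:
        # BYPASSx only takes effect while Bypass_Permit is set.
        excluded = bypass_permit and inp.bypass
        trip_vote = inp.trip_vote
        if not inp.status_good:
            if bad_status is BadStatusOption.AS_BYPASSED:
                excluded = True
            elif bad_status is BadStatusOption.AS_TRIP_VOTE:
                trip_vote = True
        if excluded:
            if reduce_on_bypass:
                m -= 1
            continue
        votes.append(trip_vote)
    n = len(votes)
    if n == 0:
        # No input left that could vote: the trip is inhibited (1oo1 case).
        return False, 0, 0
    m = max(m, 1)                        # never require fewer than one vote
    return sum(votes) >= m, m, n


if __name__ == "__main__":
    # Constructed scenario: 2oo3 voter, IN1 has bad status and a non-trip
    # value, IN2 votes to trip, IN3 does not.
    scenario = [VoterInput(False, status_good=False),
                VoterInput(True), VoterInput(False)]
    for option in BadStatusOption:
        print(option.name, vote(scenario, 2, bad_status=option))
    print("AS_BYPASSED, M reduced",
          vote(scenario, 2, reduce_on_bypass=True,
               bad_status=BadStatusOption.AS_BYPASSED))
```

With a single healthy input voting to trip, only the "treat as trip vote" option and the "bypass with M reduced" option produce a trip, which is the difference between the columns of Fig. 4 that the text walks through for the 2oo3 row.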
Of course, the input status of the voter function block 94 may be handled in the same or in different manners in the trip voter logic block 100a and the pre-trip voter logic block 100b. If desired, the status of the Out signal and the Pre_out signal may be set to Good unless all of the non-bypassed inputs have a bad status, in which case the status of the Out and Pre_out signals may be set to Bad. If desired, an alarm condition parameter indicating a bad input may be set by the voter function block 94 whenever any non-bypassed input has a bad status.
As will be understood from the discussion above, a voter function block can thus include bypass and override functions. In the past, however, these functions have been initiated by the mode or status of an input to the voter function block, or by a manual signal sent by an operator, such as through the operator display device 16. The input function block itself can, however, be configured to detect when a field device has been placed in a configuration or mode that is not associated with normal operation of the field device, such as a test or calibration mode. For example, a HART device may be placed in a fixed current mode to check the logic solver input and the associated field wiring, or to perform a calibration; once this has been done, HART communications can be used to indicate that the field device is in the fixed current mode. The logic solver, using an input function block, can detect this fixed current mode and automatically initiate a bypass or override function within the logic solver (such as the voter function block bypass or override function described above) to handle the associated input, for example by bypassing the input from the field device. Similarly, the input function block can detect the return of the field device from the fixed current mode to the normal operating mode, and may include logic to remove the bypass or override, thereby automatically ensuring that the input of the field device is used in the safety logic to detect events within the process facility. Of course, other removal logic, such as the timeout features described above, can also be used to remove a bypass or override feature that was automatically initiated by the input function block.
Fig. 5 illustrates an input functional block 120, in this case an AI functional block, which incorporates logic that automatically detects the configuration status of the associated field device and uses the detected status to generate or start an ignore or invalid function within the logic solver. As shown in Fig. 5, the functional block 120 is communicatively connected to a field device 125, a voting logic block 127 and other safety system logic 129. The input functional block 120 may include a standard communication stack 130, which communicates with the field device 125 using any desired communication protocol, such as a standard protocol like the HART or Fieldbus communication protocol. Of course, the communication stack provides the software for communicating with the field device 125, receiving standard (or, if desired, non-standard) communications from the field device 125 and, if desired, sending messages to the field device 125.
A device configuration detection block 132 is connected to the communication stack 130 and receives and decodes messages from the field device 125 to determine the configuration status of the field device 125. Standard software, not shown in Fig. 5 but included in the input functional block 120, communicates with the field device, receives signals from the field device 125, and decodes and interprets these signals to produce the IN1 signal at the output of the functional block 120. The IN1 signal may be provided to, for example, the voting functional block 127 or any other desired block in the safety system logic.
The input functional block 120 may also include the device configuration detection block 132, which can, for example, receive and detect a signal (such as a message) from the field device 125 indicating that the field device 125 has been placed in fixed current mode (meaning that the field device 125 has been placed in a test mode externally, for example by the handheld configuration device 85 of Fig. 1) or in some other abnormal operating configuration mode. If desired, the device configuration detection block 132 may, periodically or in response to a detected change in a condition of the field device, send a signal to the field device 125 inquiring about its configuration status, thereby causing the field device 125 to respond with a signal indicating its configuration status.
After detecting a change in the configuration status, or a change of the field device 125 from the normal operating configuration status to an abnormal operating configuration status, the device configuration detection block 132 sends a signal to the ignore/invalid logic block 134, which uses any desired or suitable logic to start an ignore or invalid (associated with the field device 125) and provides this ignore or invalid signal to the voting functional block 127. For example, upon detecting that the field device 125 has been placed in a test mode, for instance by being placed in fixed current mode, the ignore/invalid logic 134 can automatically generate an ignore or invalid for use in the voting functional block 127, preventing the voting functional block 127 from using the output signal from the field device 125 in detecting events in the facility. In a similar manner, upon detecting that the field device 125 has been placed from the test or calibration mode (i.e., the abnormal operating configuration status) back into the normal operating mode, the ignore/invalid logic 134 can automatically remove the ignore or invalid previously sent to the voting functional block 127, so that the voting functional block 127 again uses the output signal of the field device 125 (i.e., the IN1 signal) to detect events in the process facility.
In this manner, the input functional block 120 includes logic that automatically coordinates the use of ignores and invalids with changes in the field device configuration, even when the change in the field device configuration is caused by an external device and is not otherwise coordinated with the safety system logic. As a result of this coordination, when the field device is placed in a test, calibration or other abnormal operating state by any user or source, the safety system automatically ignores or invalidates the input from the field device. Conversely, when the field device is placed from a test, calibration or other abnormal operating configuration status into the normal operating state, the safety system automatically removes the invalid or ignore, thereby coordinating the use of invalids and ignores in the safety system with the state of the field device.
While the ignore/invalid logic 134 has been described as removing the invalid or ignore upon detecting that the field device has returned to the normal operating state, the ignore/invalid logic 134 may instead or additionally use timer-based or automatic removal of the ignore or invalid, such as that described above in connection with the voting functional block 94 of Fig. 2. Thus, the ignore/invalid logic 134 may include logic that automatically removes the ignore or invalid when a timer started with the ignore or invalid expires, reminds the user that the time has expired or is about to expire, or takes any of the other actions described above in connection with the removal of an invalid or ignore in the voting functional block 94.
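The detection, ignore (bypass) and timer logic described for input functional block 120, together with its effect on a voting block, as an added sketch that is not code from the patent or from any product. It assumes the fixed current indication is read from the "loop current fixed" bit of the HART device status byte; the 2-out-of-3 vote, the time limits, the tag names and the sample readings are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

LOOP_CURRENT_FIXED = 0x08  # HART field device status byte, bit 3


@dataclass
class InputBlock:
    """Passes the process value on (IN1) and raises an ignore (bypass) signal
    while the device reports fixed current mode."""
    name: str
    timeout_s: float = 3600.0     # assumed time limit for an automatic bypass
    warn_before_s: float = 300.0  # assumed advance notice before it expires
    value: float = 0.0
    bypassed: bool = False
    started: Optional[float] = None
    latched: bool = False  # timer expired while the device was still in test
    warned: bool = False
    log: List[Tuple[float, str]] = field(default_factory=list)

    def update(self, value: float, device_status: int, now: float) -> None:
        self.value = value
        if not device_status & LOOP_CURRENT_FIXED:
            # Normal operating configuration: remove the bypass, re-arm detection.
            if self.bypassed:
                self._clear(now, "device back in normal mode")
            self.latched = False
            return
        if not self.bypassed:
            # Assumption of this sketch: a bypass that timed out is not raised
            # again until the device has been seen in normal mode.
            if not self.latched:
                self.bypassed, self.started, self.warned = True, now, False
                self.log.append((now, "bypass set: fixed current mode"))
            return
        elapsed = now - self.started
        if elapsed >= self.timeout_s:
            self._clear(now, "bypass timer expired")
            self.latched = True
        elif not self.warned and elapsed >= self.timeout_s - self.warn_before_s:
            self.warned = True
            self.log.append((now, "notice: bypass about to expire"))

    def _clear(self, now: float, reason: str) -> None:
        self.bypassed, self.started = False, None
        self.log.append((now, "bypass removed: " + reason))


def vote(inputs: List[InputBlock], trip_limit: float, m: int = 2) -> bool:
    """M-out-of-N high trip over the inputs that are not bypassed.
    Assumption: M is capped at the number of remaining inputs, and a vote
    with no remaining inputs does not trip."""
    active = [b for b in inputs if not b.bypassed]
    if not active:
        return False
    votes = sum(1 for b in active if b.value >= trip_limit)
    return votes >= min(m, len(active))


def run_voting_demo():
    blocks = [InputBlock(n) for n in ("PT-101A", "PT-101B", "PT-101C")]
    # Constructed samples: (time, [(value, HART device status) per transmitter])
    samples = [
        (0,  [(50.0, 0x00), (51.0, 0x00), (49.0, 0x00)]),
        # A is driven to a fixed test value while B is genuinely high; counting
        # A's reading here would give two votes and a spurious trip.
        (10, [(120.0, 0x08), (101.0, 0x00), (49.0, 0x00)]),
        (20, [(120.0, 0x08), (101.0, 0x00), (102.0, 0x00)]),  # B and C high
        (30, [(50.0, 0x00), (51.0, 0x00), (49.0, 0x00)]),     # A back to normal
    ]
    results = []
    for now, readings in samples:
        for blk, (value, status) in zip(blocks, readings):
            blk.update(value, status, now)
        results.append((now, [b.bypassed for b in blocks], vote(blocks, 100.0)))
    return results, blocks[0].log


if __name__ == "__main__":
    for row in run_voting_demo()[0]:
        print(row)
```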
In addition, even when the field device 125 is in a write-protected state, the safety system can further coordinate testing of the field device by placing the field device 125 from the normal operating state into a test, calibration or other abnormal operating state without manual assistance from a user or operator. In particular, the input functional block 120 may include a device configuration control block 140, which can access a set of instructions 142 and send the instructions 142 to the field device 125 to change the configuration setting of the field device 125, even when the field device 125 is in the write-protected state. If desired, the device configuration control block 140 may cause the change in the field device configuration in response to a signal provided by other logic in the logic solver, i.e., the SIS logic 129, thereby enabling the logic 129 to operate the field device through test procedures, calibration procedures and the like as part of the safety system logic.
The instructions 142 may be a specifically configured subset of instructions that cause the field device 125 to make a configuration change, such as from the normal operating mode to fixed current mode, even when the field device 125 is write-protected. Such a set of instructions usually needs to be added to the instruction set recognized by the field device 125 and, thus, the field device 125 needs to be programmed to activate these configuration changes upon receipt of one or more valid signals from, for example, the device configuration control block 140 in the safety logic system. Such a set of instructions may include Command 35 of the HART protocol, which is the "write range values" instruction used to reconfigure a HART device. Of course, other write commands from HART or other protocols may also be used.
In the example shown in Fig. 5, the field device 125 includes a typical communication stack 150, which uses any desired or known communication protocol to communicate to and from the field device 125. The field device 125 also includes configuration control software that controls the configuration status of the field device 125. This configuration control software may be standard configuration control software, such as that used in known field devices, which uses a write-protect parameter 154 to control whether a requested configuration change is made. However, the configuration control software 152 can be programmed to recognize the set of instructions 142 from a trusted source, such as a known logic or process controller, and to start a change in the configuration of the field device 125 after one of these instructions is validly received while the write-protect parameter 154 is still set to the protected state. In this manner, a logic controller, process controller or other trusted source can change the configuration of the field device 125 without changing the write-protect parameter 154 to the unprotected state (which would also allow other configuration changes to be made by other, unauthorized sources) and without forcing a power cycle of the field device. If desired, the instructions 142 may include instructions that make a configuration change, such as from the normal operating state to a test or calibration state or vice versa, and may include a designation of the command source, i.e., the device sending the instruction. The field device 125 may also be programmed to start the configuration change specified by one of the instructions 142 (regardless of whether the write-protect feature of the field device 125 is set) only when the instruction 142 is sent or initiated by a particular source (such as a functional block) or device. In this manner, the instructions 142 can be sent by a trusted source and cause a configuration change in the field device even when the field device 125 is write-protected, as defined by the write-protect variable 154.
In any event, using the new instruction set, the logic solver can cause the field device 125 to enter or leave a test or calibration mode by changing the configuration of the field device 125. Besides causing the field device to enter fixed current mode or calibration mode, these new instructions may also incorporate a write check mechanism, as required by IEC 61511, and may be sent and started while the field device 125 is still configured as write-protected. The new instructions, however, do not need to be protected by the write-protect mechanism 154 of the field device 125, because they are started by a known and trusted source, i.e., the safety logic system. As a result of these instructions, the safety logic system can coordinate necessary maintenance functions for the field device in a safe manner without exposing the field device 125 to other unwanted configuration changes.
If desired, as part of this process, either or both of the device configuration control block 140 of the input functional block 120 and the field device 125 may include logs 160 and 162, which store or record the messages and configuration changes caused by the device configuration control block 140 and the responses to these messages produced by the field device 125. Of course, these logs may be configured in any standard, known or desired manner. In this manner, even when the field device 125 is otherwise write-protected, the safety system and the field device 125 can still store a record of the instructions and the responses exchanged between the field device 125 and the safety system logic solver, providing a complete log of the actions taken on the field device 125.
If desired, and as mentioned above, where the field device is to be placed in a test, calibration or other abnormal operating mode, the subset of instructions 142 is started only by the logic solver, for example by the device configuration control block 140 of Fig. 5, ensuring that only a trusted source such as the logic solver in the safety system 14 can use these instructions to make configuration changes, even though the field device 125 can be operated by other sources, such as the handheld configuration device 85 of Fig. 1. Furthermore, if desired, the field device 125 may be set up so that it can be configured, or have its configuration changed, only by the logic solver, thereby ensuring that any configuration change to the field device 125 is consistent with the operation of the safety system 14.
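The write-protected configuration change and the two logs 160 and 162 described above, as an added sketch that is not code from the patent or from any device. The command names, source identifiers and result strings are hypothetical; the sketch implements the optional variant in which mode-change instructions are honoured only from the trusted source, and it takes the source designation as given, since the text does not say how the device verifies it.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Hypothetical stand-ins for the instruction set 142: the only configuration
# changes the device performs while its write-protect parameter is set.
MODE_COMMANDS = {"ENTER_FIXED_CURRENT": "fixed_current",
                 "RETURN_TO_NORMAL": "normal"}


@dataclass
class FieldDevice:
    trusted_sources: frozenset
    write_protected: bool = True
    mode: str = "normal"
    tag: str = "PT-101A"
    # Device-side log (162): every command, accepted or rejected.
    log: List[Tuple[float, str, str, str]] = field(default_factory=list)

    def handle(self, source: str, command: str, now: float, arg: str = "") -> str:
        if command in MODE_COMMANDS:
            # Decided on the source alone; write protection stays as it is.
            if source in self.trusted_sources:
                self.mode = MODE_COMMANDS[command]
                result = "accepted"
            else:
                result = "rejected: untrusted source"
        elif command == "WRITE_TAG":
            # Ordinary configuration write: governed by write protection only.
            if self.write_protected:
                result = "rejected: write protected"
            else:
                self.tag = arg
                result = "accepted"
        else:
            result = "rejected: unknown command"
        self.log.append((now, source, command, result))
        return result


@dataclass
class ConfigControlBlock:
    """Logic solver side (block 140) with its own log (160)."""
    source_id: str
    device: FieldDevice
    log: List[Tuple[float, str, str]] = field(default_factory=list)

    def send(self, command: str, now: float) -> str:
        result = self.device.handle(self.source_id, command, now)
        self.log.append((now, command, result))
        return result


def unexplained(device: FieldDevice, block: ConfigControlBlock):
    """Device-log entries that the logic solver's log cannot account for:
    commands from other sources, or ones naming the logic solver that it
    never recorded sending."""
    sent = set(block.log)
    return [e for e in device.log
            if e[1] != block.source_id or (e[0], e[2], e[3]) not in sent]


def run_config_demo():
    dev = FieldDevice(trusted_sources=frozenset({"SIS-LS-1"}))
    solver = ConfigControlBlock("SIS-LS-1", dev)
    results = [
        dev.handle("HANDHELD-85", "ENTER_FIXED_CURRENT", 1.0),
        dev.handle("HANDHELD-85", "WRITE_TAG", 2.0, "X"),
        solver.send("ENTER_FIXED_CURRENT", 3.0),
    ]
    mode_during_test = dev.mode
    results.append(solver.send("RETURN_TO_NORMAL", 4.0))
    return results, mode_during_test, dev, solver


if __name__ == "__main__":
    results, mode_during_test, dev, solver = run_config_demo()
    print(results, mode_during_test, dev.mode, dev.write_protected)
    print(unexplained(dev, solver))
```

Comparing the two logs is what makes the record useful to a reviewer: any mode change on the device without a matching entry on the logic solver side stands out.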
While the input functional block that provides coordination between the field device and the logic solver has been specifically described as an AI functional block, any type of functional block, such as an AI, DI, voting or other input functional block, can be programmed to provide this function. Likewise, while the device configuration control logic 140 and the device configuration detection logic 132 have been illustrated and described as being provided in an input functional block, this logic may instead or additionally be placed in other functional blocks, including separate functional blocks associated with the logic in the logic solver. In addition, while described as being used in connection with a logic solver, the device configuration detection and control blocks 132 and 140 described herein can be used in other types of control blocks or routines, such as those implementing conventional process control functional blocks, for example in the controllers 24 and 26 of Fig. 1, or in control software executed in any other device that performs control actions. Furthermore, while the input functional block 120 of Fig. 5 has been described as providing an ignore or invalid signal to the voting functional block 127 in the safety logic system, the input functional block 120 may instead or additionally provide this invalid or ignore signal to other elements in the safety system (or process control system) to cause other types of ignore or invalid functions associated with those systems. Thus, the description above of the invalid and ignore features of the voting functional block represents only one example of a manner in which automatically generated ignore or invalid signals can be used, and is not intended to be the only manner of using these ignore or invalid signals.
While described in an example using the HART communication protocol, the device configuration detection and control logic described herein can be used with any other desired communication and device protocol, such as the Fieldbus, Profibus and CAN protocols. In addition, this logic can be used in the Foundation Fieldbus protocol or in any other system in which the safety function is, or can be, located entirely in the field devices. Thus, while illustrated as being implemented in a device separate from the field device, the device detection and configuration logic described herein can be implemented in the field device itself.
While Fig. 1 shows the safety logic system 14 using voting functional blocks to receive inputs from AI, DI or other input functional blocks, the safety logic system 14 may use inputs from any other type of functional block, or inputs produced as other types of signals in the process facility 10. For example, and as will be understood, a supporting structure can be provided in the safety system at a level above the communication stack for reading I/O values and device state/condition/mode signals, and for extracting any other instruction or message sent between devices that allows a configuration change in a device to be detected. This structure can also be used in other control languages, such as ladder logic, sequential function charts, state transitions and custom functional block languages, to name but a few, by observing or reading signals that indicate a change of state, or other operations in these languages that indicate a configuration change or other change in the system which is to cause an ignore or invalid in the safety system to be started or not started.
Furthermore, while the outputs of the voting functional blocks 92 and 94 of Fig. 1 are illustrated as being connected to output functional blocks, such as AO or DO blocks, or to other functional blocks such as cause-and-effect functional blocks or control routines, these outputs may be connected to any other desired type of functional block associated with the safety logic system 14, such as sequencer functional blocks, staging functional blocks and the like, or may even be connected directly to other applications or programming environments in the process facility 10. Similarly, while the logic described herein is implemented using the functional block programming paradigm, the same logic may be provided in other types of programming environments and still be regarded as a functional block as used herein. Thus, while the functional blocks described herein are described as being used in the safety system of a process facility or process control environment, these or similar functional blocks may be used in standard process control environments, or for any desired use other than a safety system.
When implemented, any of the elements described herein, including the input blocks, voting blocks, inhibit blocks, voting logic blocks, device configuration and detection blocks, signal connections and the like, may be implemented in software stored in any computer-readable memory, such as on a magnetic disk, a laser or optical disk, or other storage medium, in a RAM or ROM of a computer or processor, and so on. The signals and signal lines described herein may take any form, including actual wires, data registers, memory locations and the like. The software described herein may take any form, including application software executed on a general-purpose computer or processor, or hard-coded software burned into, for example, an application-specific integrated circuit (ASIC), an EPROM, an EEPROM or any other firmware device. Likewise, this software may be delivered to a user, a process facility, an operator workstation, a controller, a logic solver or any other computing device using any known or desired delivery method, including on a computer-readable disk or other transportable computer storage mechanism, or over a communication channel such as a telephone line, the Internet, the World Wide Web, any other local area network or wide area network and the like (such delivery being viewed as the same as, or interchangeable with, providing the software on a transportable storage medium). In addition, this software may be provided directly without modulation or encryption, or may be modulated and/or encrypted using any suitable modulation carrier and/or encryption technique before being transmitted over the communication channel.
Of course, the functional blocks described herein can be implemented using any external process control communication protocol (besides the Fieldbus protocol or the DeltaV protocol) and can be used to communicate with any type of functional block, including any functional block that is similar or identical to any of the different functional blocks specifically identified or supported by the Fieldbus protocol. In addition, while the input and voting functional blocks in this embodiment may be Fieldbus "functional blocks", note that the use of the term "functional block" herein is not limited to what the Fieldbus protocol identifies as a functional block; it may instead be any other type of block, program, hardware, firmware or similar entity associated with any type of control system and/or communication protocol that can be used to implement some process control routine function, or that has a predetermined setup or protocol for providing information or data to other such functional blocks. Thus, although functional blocks typically take the form of objects in an object-oriented programming environment, this need not be the case; they may instead be other logical units used to perform particular control (including input and output) functions in a process facility or control environment using any desired programming structure or paradigm.
Thus, while the present invention has been described with reference to specific examples, these examples are intended only to illustrate and not to limit the invention, and it will be apparent to those of ordinary skill in the art that changes, additions or deletions may be made to the disclosed embodiments without departing from the spirit and scope of the invention.

Claims (57)

1. A functional block entity for use in a process environment having a processor communicatively connected to control one or more field devices, at least one of the field devices being configurable to multiple different configuration statuses, including a normal operating configuration status and at least one abnormal operating configuration status, the functional block entity comprising:
a computer-readable medium; and
a functional block stored on the computer-readable medium and adapted to be executed on the processor, the functional block comprising:
an input adapted to receive an input signal from the process environment, the input signal indicating the configuration status of the at least one field device;
a detecting unit connected to the input, which detects when the at least one field device is in the abnormal operating configuration status; and
inhibit logic which, when the at least one field device is in the abnormal operating configuration status, automatically produces an inhibit signal to inhibit the use of further signals from the at least one field device.
2. The functional block entity of claim 1, wherein the inhibit logic produces an ignore signal for ignoring the use of the further signals from the at least one field device.
3. The functional block entity of claim 1, wherein the inhibit logic produces an invalid signal for invalidating a determination made using the further signals from the at least one field device.
4. The functional block entity of claim 1, wherein the functional block includes a second input for receiving the further signals from the at least one field device.
5. The functional block entity of claim 1, wherein the detecting unit further detects, based on the input signal from the at least one field device, when the at least one field device enters the normal operating configuration status from the abnormal operating configuration status, and wherein, when the at least one field device is in the normal operating configuration status, the inhibit logic automatically removes the inhibit signal to allow the use of the further signals from the at least one field device.
6. The functional block entity of claim 1, wherein the at least one field device includes a write-protect variable whose state controls when the at least one field device can be switched between the normal operating configuration status and the abnormal operating configuration status; wherein the functional block further includes a memory storing a configuration change instruction which causes the at least one field device to change between the normal operating configuration status and the abnormal operating configuration status while the write-protect variable is in a state that prohibits switching the at least one field device between the normal operating configuration status and the abnormal operating configuration status; and wherein the functional block includes an instruction sender that sends the configuration change instruction to the at least one field device to cause the configuration change in the at least one field device without resetting the write-protect variable.
7. The functional block entity of claim 6, wherein the functional block includes a log indicating when the functional block sent the configuration change instruction to the at least one field device.
8. The functional block entity of claim 7, wherein the functional block includes another log indicating when the at least one field device responded to the configuration change instruction received from the functional block.
9. The functional block entity of claim 1, wherein the input is adapted to receive an input signal conforming to the HART communication protocol.
10. The functional block of claim 1, wherein the inhibit logic is adapted to automatically remove the inhibit signal after a predetermined amount of time.
11. The functional block of claim 10, further comprising notification logic that notifies a user that the inhibit signal has been active for a second predetermined amount of time.
12. The functional block of claim 10, further comprising notification logic that notifies a user that the inhibit signal is to be removed, before the inhibit logic removes the inhibit signal after the predetermined amount of time.
13. The functional block of claim 1, further comprising notification logic that notifies a user that the inhibit signal has been active for a predetermined amount of time.
14. A process control system for use in a process environment, comprising:
a field device configurable to multiple different configuration statuses, including a normal operating configuration status and an abnormal operating configuration status, wherein the field device produces a signal relating to the process;
a communication link; and
a controller connected to the field device via the communication link and adapted to use the signal relating to the process to perform control activities within the process environment, the controller comprising:
a processor;
a signal receiving unit adapted to be executed on the processor to receive one or more signals from the field device over the communication link;
a detecting unit adapted to detect, based on the one or more signals from the field device, when the field device is in the abnormal operating configuration status; and
an inhibit unit which, when the field device is in the abnormal operating configuration status, automatically produces an inhibit signal to inhibit the use, by the controller in performing control activities within the process environment, of the signal relating to the process from the field device.
15. The process control system of claim 14, wherein the detecting unit is further adapted to detect, based on the one or more signals from the field device, when the field device enters the normal operating configuration status from the abnormal operating configuration status; and wherein, when the field device is in the normal operating configuration status, the inhibit unit automatically removes the inhibit signal to allow the controller to use the signal relating to the process from the field device.
16. The process control system of claim 14, wherein the field device is a sensor.
17. The process control system of claim 14, wherein the field device is a valve controlled by the controller.
18. The process control system of claim 14, wherein the controller is a safety system controller that uses the signal relating to the process to initiate a shutdown procedure within the process environment.
19. The process control system of claim 14, wherein the field device includes a write-protect variable whose state controls when the field device can be switched between the normal operating configuration status and the abnormal operating configuration status, and wherein the controller further includes a field device configuration unit storing a configuration change instruction adapted to cause the field device to change between the normal operating configuration status and the abnormal operating configuration status while the write-protect variable is in a state that prohibits switching the field device between the normal operating configuration status and the abnormal operating configuration status.
20. The process control system of claim 19, wherein the controller or the field device includes a log that records when the controller sends the configuration change instruction to the field device.
21. The process control system of claim 19, wherein the controller or the field device includes a log that records when the field device changes from one of the normal operating configuration status and the abnormal operating configuration status to the other of the normal operating configuration status and the abnormal operating configuration status.
22. The process control system of claim 19, wherein the controller further includes logic that sends a signal to the field device configuration unit to make the field device configuration unit cause a change of configuration status in the field device.
23. The process control system of claim 14, wherein the abnormal operating configuration status of the field device is a fixed current mode.
24. The process control system of claim 23, wherein the field device conforms to the HART protocol.
25. The process control system of claim 14, wherein the inhibit unit is adapted to remove the inhibit signal after a predetermined amount of time.
26. The process control system of claim 25, further comprising notification logic that notifies a user that the inhibit signal has been active for a second predetermined amount of time.
27. The process control system of claim 25, further comprising notification logic that notifies a user that the inhibit signal is to be removed, before the inhibit unit removes the inhibit signal after the predetermined amount of time.
28. The process control system of claim 14, further comprising notification logic that notifies a user that the inhibit signal has been active for a predetermined amount of time.
29. A control system for use in a process environment having a field device and a communication link connected to the field device, the field device being configurable to multiple different configuration statuses, including a normal operating configuration status and an abnormal operating configuration status, the control system comprising:
a memory;
a processor;
a first control routine stored on the memory and adapted to be executed on the processor to perform a process control function within the process environment using a first signal from the field device; and
a second routine comprising:
an input adapted to receive, over the communication link, a second signal from the field device indicating the configuration status of the field device;
a detecting unit adapted to detect, based on the second signal, when the field device is in the abnormal operating configuration status; and
an inhibit unit which automatically produces an inhibit signal when the field device is in the abnormal operating configuration status and provides the inhibit signal to the first control routine to inhibit the use of the first signal from the field device by the first control routine.
30. control system as claimed in claim 29, wherein second routine stores and is suitable for carrying out on processor on storer.
31. control system as claimed in claim 29 further comprises the second memory and second processor, wherein second routine stores and is suitable for carrying out on second processor on second memory.
32. control system as claimed in claim 29, wherein detecting unit is further adapted for according to the secondary signal from field device, detects when field device enters into the normal running configuration status from the abnormal operation configuration status; And wherein when field device is in the normal running configuration status, forbid that the unit is suitable for removing automatically the inhibit signal from first control routine, allow to carry out use from first signal of field device by first control routine.
33. control system as claimed in claim 32, wherein first control routine is the security system control routine, uses first signal from field device to come shutdown procedure in the start-up course environment.
34. control system as claimed in claim 29 is forbidden wherein that the unit produces and is ignored signal as inhibit signal, makes and whether carry out in the evaluation of process control function that first control routine does not use first signal from this field device.
35. control system as claimed in claim 29, forbid that wherein the unit produces invalid signals as inhibit signal, make that first control routine is the implementation control function not when use first signal determining in first control routine when whether the logical expressions process control function of implementation function should be carried out.
36. The control system as claimed in claim 29, wherein the field device comprises a write-protect variable whose state controls when the field device can be switched between the normal operation configuration state and the abnormal operation configuration state; and wherein the control system further comprises a third routine that stores a configuration change instruction, and a signal transmitter that sends the configuration change instruction to the field device, the configuration change instruction causing the field device to change between the normal operation configuration state and the abnormal operation configuration state when the write-protect variable is in a state that prohibits switching the field device between the normal operation configuration state and the abnormal operation configuration state.
37. The control system as claimed in claim 36, wherein the third routine is communicatively connected to the first control routine and is adapted to send the configuration change instruction to the field device in response to a control signal from the first control routine.
38. The control system as claimed in claim 36, wherein the third routine comprises a log that records when the third routine sends the configuration change instruction to the field device.
39. The control system as claimed in claim 36, wherein the second routine comprises a log that records when the field device changes from one of the normal operation configuration state and the abnormal operation configuration state to the other in response to the configuration change instruction sent to the field device by the third routine.
40. The control system as claimed in claim 29, wherein the inhibiting unit is adapted to automatically remove the inhibit signal after a predetermined amount of time.
41. The control system as claimed in claim 40, further comprising a clock that determines the predetermined amount of time.
42. The control system as claimed in claim 40, further comprising notification logic that, after the predetermined amount of time and before the inhibiting unit removes the inhibit signal, notifies a user that the inhibit signal will be removed.
43. The control system as claimed in claim 42, wherein the inhibiting unit enables the user to increase the predetermined amount of time before the inhibiting unit removes the inhibit signal.
44. The control system as claimed in claim 29, further comprising notification logic that notifies a user that the inhibit signal has been active for a predetermined amount of time.
45. A method for use in a process environment controller for coordinating logic in the controller with a field device, wherein the field device is connected to the controller via a communication link and is configurable into a plurality of different configuration states, including a normal operation configuration state and an abnormal operation configuration state, the method comprising:
Receiving a first signal from the field device and using the first signal to perform a control function related to the process environment;
Receiving, over the communication link, a second signal from the field device, the second signal indicating the configuration state of the field device;
Detecting, according to the second signal from the field device, when the field device is in the abnormal operation configuration state; and
Automatically inhibiting the use of the first signal in performing the control function when the field device is in the abnormal operation configuration state.
46. The method as claimed in claim 45, wherein the detecting further comprises detecting, according to the second signal from the field device, when the field device enters the normal operation configuration state from the abnormal operation configuration state; and wherein the automatically inhibiting comprises automatically allowing the use of the first signal in performing the control function when the field device is in the normal operation configuration state.
47. The method as claimed in claim 45, wherein the control function is a safety system control function that uses the first signal from the field device to initiate a shutdown procedure in the process environment.
48. The method as claimed in claim 45, wherein the field device comprises a write-protect variable whose state controls when the field device can be switched between the normal operation configuration state and the abnormal operation configuration state; and wherein the method further comprises storing a configuration change instruction adapted to cause the field device to change between the normal operation configuration state and the abnormal operation configuration state when the write-protect variable is in a state that prohibits switching the field device between the normal operation configuration state and the abnormal operation configuration state, and sending the configuration change instruction to the field device, so that the field device undergoes the configuration change without the write-protect variable being reset.
49. The method as claimed in claim 48, further comprising storing a log that indicates when the controller sends the configuration change instruction to the field device.
50. The method as claimed in claim 48, further comprising storing a log that indicates when the field device responds to the configuration change instruction received from the controller.
51. The method as claimed in claim 45, wherein automatically inhibiting the use of the first signal in performing the control function comprises producing an ignore signal that causes the logic used to determine whether to perform the control function not to use the first signal in evaluating whether to perform the control function.
52. The method as claimed in claim 45, wherein automatically inhibiting the use of the first signal in performing the control function comprises producing an inhibit signal that causes the logic used to perform the control function not to perform the control function when the logic using the first signal determines that the control function should be performed.
53. The method as claimed in claim 45, wherein the automatically inhibiting comprises automatically allowing the use of the first signal in performing the control function after a predetermined amount of time.
54. The method as claimed in claim 53, wherein the automatically inhibiting comprises using a clock to determine the predetermined amount of time.
55. The method as claimed in claim 53, wherein the automatically inhibiting comprises, after the predetermined amount of time and before automatically allowing the use of the first signal to perform the control function, notifying a user that the first signal will be allowed to be used to perform the control function.
56. The method as claimed in claim 55, wherein the automatically inhibiting comprises, after the predetermined amount of time and before automatically allowing the use of the first signal to perform the control function, enabling the user to increase the predetermined amount of time.
57. The method as claimed in claim 45, wherein the automatically inhibiting comprises, after a predetermined amount of time, notifying a user that use of the first signal to perform the control function is being prevented.
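The method of claims 45 to 57 can be sketched as a small state machine; the following is an added illustration, not code from the patent or from any Fisher-Rosemount product. The names `Bypass` and `should_trip`, the 1-of-N vote, the timing values, the notice window before removal, and the choice not to re-arm a timed-out bypass until the device returns to normal are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

NORMAL, ABNORMAL = "normal", "abnormal"  # configuration state (the second signal)

@dataclass
class Bypass:
    mode: str = "ignore"         # "ignore" (claim 51) or "inhibit" (claim 52)
    timeout: float = 600.0       # predetermined time in seconds (assumed value)
    grace: float = 60.0          # notice window before removal (assumed value)
    deadline: Optional[float] = None  # None means no bypass is active
    expired: bool = False        # timed out while the device stayed abnormal
    warned: bool = False
    log: list = field(default_factory=list)

    def update(self, state: str, now: float) -> bool:
        """Return True while the device's first signal must not be used."""
        if state == NORMAL:      # claim 46: allow the signal again automatically
            if self.deadline is not None:
                self.log.append((now, "removed: device normal"))
            self.deadline, self.expired, self.warned = None, False, False
            return False
        if self.expired:         # assumption: no re-arm until the device is normal
            return False
        if self.deadline is None:
            self.deadline = now + self.timeout
            self.log.append((now, "set: device abnormal"))
        if now >= self.deadline + self.grace:   # claim 53: automatic removal
            self.deadline, self.expired = None, True
            self.log.append((now, "removed: timeout"))
            return False
        if not self.warned and now >= self.deadline:
            self.warned = True   # claim 55: notify the user before removal
            self.log.append((now, "warning: removal pending"))
        return True

    def extend(self, seconds: float) -> None:
        """Claim 56: the user increases the predetermined time."""
        if self.deadline is not None:
            self.deadline += seconds
            self.warned = False

def should_trip(inputs, now: float) -> bool:
    """1-of-N vote over (trip_demand, config_state, bypass) tuples."""
    demand = inhibited = False
    for trip_demand, state, bypass in inputs:
        if bypass.update(state, now):
            inhibited = inhibited or bypass.mode == "inhibit"
            continue             # a bypassed signal is left out of the vote
        demand = demand or trip_demand
    return demand and not inhibited
```

The `log` list plays the role of the logs in claims 49 and 50: every bypass set, warning and removal carries a timestamp, so a bypass that outlives its maintenance window is visible in review.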
CNB200410071407XA 2003-04-01 2004-04-01 Coordination of field device operations with inefficacy and bypasses in process control and safety system Expired - Lifetime CN100485557C (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US10/404,156 US6898542B2 (en) 2003-04-01 2003-04-01 On-line device testing block integrated into a process control/safety system
US10/404,156 2003-04-01
US10/668,013 US7010450B2 (en) 2003-04-01 2003-09-22 Coordination of field device operations with overrides and bypasses within a process control and safety system
US10/668,013 2003-09-22

Publications (2)

Publication Number Publication Date
CN1570793A CN1570793A (en) 2005-01-26
CN100485557C true CN100485557C (en) 2009-05-06

Family

ID=32302480

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB200410071407XA Expired - Lifetime CN100485557C (en) 2003-04-01 2004-04-01 Coordination of field device operations with inefficacy and bypasses in process control and safety system

Country Status (5)

Country Link
JP (1) JP4511861B2 (en)
CN (1) CN100485557C (en)
DE (1) DE102004015616B4 (en)
GB (1) GB2403819B (en)
HK (1) HK1071609A1 (en)

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7130703B2 (en) 2003-04-08 2006-10-31 Fisher-Rosemount Systems, Inc. Voter logic block including operational and maintenance overrides in a process control system
DE102008019195A1 (en) 2008-04-17 2009-10-29 Beckhoff Automation Gmbh Method for operating a safety control and automation network with such a safety control
GB2460024B (en) * 2008-05-12 2013-10-16 Rolls Royce Plc Developments in or relating to system prognostics
DE102008038912B4 (en) * 2008-08-13 2021-05-06 Phoenix Contact Gmbh & Co. Kg Control device for the small control of a safety-relevant function block
DE102010025515A1 (en) 2010-06-29 2011-12-29 Phoenix Contact Gmbh & Co. Kg Communication system for connecting field devices with a higher-level control device
US9239576B2 (en) * 2012-02-17 2016-01-19 Fisher-Rosemount Systems, Inc. Methods and apparatus to apply multiple trip limits to a device in a process control system
FR3005142B1 (en) * 2013-04-24 2015-05-22 Dalkia France SYSTEM AND METHOD FOR CONTROLLING AN INSTALLATION UNDER PRESSURE, AND INSTALLATION EQUIPPED WITH SUCH A SYSTEM
JP5862614B2 (en) * 2013-07-11 2016-02-16 横河電機株式会社 Field device and data processing method
US11656594B2 (en) 2019-10-22 2023-05-23 Fisher-Rosemount Systems, Inc. Technologies for configuring voting blocks associated with a process control system

Family Cites Families (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4427620A (en) * 1981-02-04 1984-01-24 Westinghouse Electric Corp. Nuclear reactor power supply
JPS57189213A (en) * 1981-05-18 1982-11-20 Hitachi Ltd Monitoring method of process state
JPS5991507A (en) * 1982-11-16 1984-05-26 Toshiba Corp Process controlling system
JPH062881U (en) * 1992-06-11 1994-01-14 三菱電機株式会社 Plant monitoring equipment
US5768119A (en) 1996-04-12 1998-06-16 Fisher-Rosemount Systems, Inc. Process control system including alarm priority adjustment
US6448982B1 (en) 1998-04-23 2002-09-10 Siemens Energy & Automation, Inc. System for graphically generating logic for a cause and effects matrix
JP2000047724A (en) * 1998-07-24 2000-02-18 Toshiba Corp Monitor and control unit
US6633782B1 (en) 1999-02-22 2003-10-14 Fisher-Rosemount Systems, Inc. Diagnostic expert in a process control system
DE19939567B4 (en) 1999-08-20 2007-07-19 Pilz Gmbh & Co. Kg Device for controlling safety-critical processes
DE29917651U1 (en) 1999-10-07 2000-11-09 Siemens Ag Transmitter and process control system
US8671460B1 (en) 2000-09-25 2014-03-11 Fisher-Rosemount Systems, Inc. Operator lock-out in batch process control systems
KR100408493B1 (en) 2001-05-07 2003-12-06 한국전력기술 주식회사 System for digital reactor protecting to prevent common mode failures and control method of the same

Also Published As

Publication number Publication date
HK1071609A1 (en) 2005-07-22
CN1570793A (en) 2005-01-26
JP2004310767A (en) 2004-11-04
DE102004015616B4 (en) 2022-03-17
GB0407444D0 (en) 2004-05-05
GB2403819A (en) 2005-01-12
GB2403819B (en) 2007-01-10
JP4511861B2 (en) 2010-07-28
DE102004015616A1 (en) 2004-11-04

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CX01 Expiry of patent term

Granted publication date: 20090506