a. Field of the Invention
This invention relates to protection against reverse current flow in an output module for an Industrial Process Control System, in particular for an Industrial Process Control System suitable for exemplary systems such as:
    Emergency Shutdown systems;
    Critical process control systems;
    Fire and Gas detection and protection systems;
    Rotating machinery control systems;
    Burner management systems;
    Boiler and furnace control systems; and
    Distributed monitoring and control systems.
Such control systems are applicable to many industries including oil and gas production and refining, chemical production and processing, power generation, paper and textile mills and sewage treatment plants.
b. Related Art
In industrial process control systems, fault tolerance is of utmost importance. Fault tolerance is the ability to continue functioning safely in the event of one or more failures within the system.
Fault tolerance may be achieved by a number of different techniques, each with its specific advantages and disadvantages.
An example of a system which provides redundancy is a Triple Modular Redundancy (TMR) system. Using TMR, critical circuits are triplicated and perform identical functions simultaneously and independently. The data output from each of the three circuits is voted in a majority-voting circuit, before affecting the system's outputs. If one of the triplicated circuits fails, its data output is ignored. However, the system continues to output to the process the value (voltage, current level, or discrete output state) that agrees with the majority of the functional circuits. TMR provides continuous, predictable operation.
However, TMR systems are expensive to implement if full TMR is not actually a requirement, and it is desirable to utilise an architecture which provides flexibility so that differing levels of fault tolerance can be provided depending upon specified system requirements.
Another approach to fault tolerance is the use of hot-standby modules. This approach provides a level of fault tolerance whereby the standby module maintains system operation in the event of module failure. With this approach there may be some disruption to system operation during the changeover period if the modules are not themselves fault-tolerant.
Fault tolerant systems ideally create a Fault Containment Region (FCR) to ensure that a fault within the FCR boundary does not propagate to the remainder of the system. This enables multiple faults to co-exist on different parts of a system without affecting operation.
Fault tolerant systems generally employ dedicated hardware and software test and diagnostic regimes that provide very fast fault recognition and response times to improve the reliability of such systems.
Safety control systems are generally designed to be ‘fail-operational/fail-safe’. Fail operational means that when a failure occurs, the system continues to operate: it is in a fail-operational state. The system should continue to operate in this state until the failed module is replaced and the system is returned to a fully operational state.
An example of fail-safe operation is as follows: if, in a TMR system, a failed module is not replaced before a second failure occurs in a parallel circuit, the second failure should cause the TMR system to shut down to a fail-safe state. It is worth noting that a TMR system can still be considered safe, even if the second failure is not fail-safe, as long as the first fault is detected and announced, and is itself fail-safe.
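The majority voting and the fail-operational/fail-safe behaviour described above can be modelled in a few lines of C. This is an added illustration, not circuitry or code from the patent; all identifiers are hypothetical, and it assumes that a de-energised output (0) is the safe state, that a dissenting channel stays excluded until replaced, and that the fail-safe state is latched.

```c
#include <stdbool.h>
#include <stdint.h>

/* All names here are hypothetical; this models the behaviour in software. */
enum tmr_state { TMR_FULL, TMR_DEGRADED, TMR_FAILSAFE };

struct tmr {
    bool healthy[3];        /* channel is still included in the vote */
    enum tmr_state state;
};

#define SAFE_OUTPUT 0u      /* assumption: de-energised is the safe state */

void tmr_init(struct tmr *t) {
    for (int i = 0; i < 3; i++) t->healthy[i] = true;
    t->state = TMR_FULL;
}

/* Vote one cycle of discrete channel outputs and return the value to drive. */
uint8_t tmr_vote(struct tmr *t, const uint8_t in[3]) {
    if (t->state == TMR_FAILSAFE)
        return SAFE_OUTPUT;                 /* shutdown is latched */

    /* Look for two healthy channels that agree. */
    int agreed = -1;
    for (int i = 0; i < 3 && agreed < 0; i++)
        for (int j = i + 1; j < 3; j++)
            if (t->healthy[i] && t->healthy[j] && in[i] == in[j]) {
                agreed = i;
                break;
            }

    if (agreed < 0) {                       /* no majority left: fail safe */
        t->state = TMR_FAILSAFE;
        return SAFE_OUTPUT;
    }

    /* From now on, ignore any healthy channel that disagrees with the majority. */
    for (int k = 0; k < 3; k++)
        if (t->healthy[k] && in[k] != in[agreed]) {
            t->healthy[k] = false;
            t->state = TMR_DEGRADED;        /* fail operational */
        }
    return in[agreed];
}

/* Module replaced: readmit the channel; full operation once all three are back. */
void tmr_replace(struct tmr *t, int ch) {
    if (t->state == TMR_FAILSAFE) return;   /* assumption: needs a separate reset */
    t->healthy[ch] = true;
    if (t->healthy[0] && t->healthy[1] && t->healthy[2]) t->state = TMR_FULL;
}
```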
It is desirable that output channels and their loads are protected from reverse currents flowing back into the output channel with minimal power loss. This would allow external sources to apply power to the loads without the risk of the output module interfering with the load, or the external source interfering with the digital output module.
It is also desirable to provide a power feed combiner that provides the following benefits:
    Low loss.
    Power feed reverse current shutdown.
    Testability.
    Over-temperature fault protection.
Conventionally a simple power diode may be used to block reverse currents, and two simple power diodes may be used to commonly “OR” two power feeds and to prevent reverse current in one or other of the feeds.
However, the heat generated by such diodes is excessive, preventing the use of such simple techniques in a system module for the present application.
Therefore, there is a need for a system of protecting against reverse current flow that is economical, can withstand the electrical conditions commonly associated with the loads of Industrial Process Control Systems, and is easy to implement.