Under 35 U.S.C. 119, this application claims the benefit of a foreign application filed in EUROPE, and having Serial No. 0012342.8, filed Oct. 27, 2000, which is incorporated by reference in its entirety.
The present invention relates to a field device for monitoring a manufacturing process and for actuating manufacturing process variables, and being able to detect a power supply failure.
In general, field devices are used in a manufacturing process to monitor the process and to actuate process variables. Typically, actuators are placed in the manufacturing field to drive different process control elements, such as valves and sensors. Further, transmitters are installed in the manufacturing field to monitor process variables, such as fluid pressure, fluid temperature or fluid flow.
Actuators and transmitters are coupled to a control bus to receive and transmit process information to a centralized controller that monitors the overall operation of the manufacturing process. This control bus may be implemented as a two wire loop carrying a current that provides a power supply for operation of the field devices.
In such control systems, communication is typically executed through a field bus standard, which is a digital communication standard according to which transmitters may be coupled to only a single control bus to transmit sensed process variables to the central controller. Examples of communication standards include ISA 50.02-1992 section 11 and HART®, which overlays communication on a 4-20 mA process variable signal.
Intrinsic safety is an important aspect of those control systems. When a field device is located in a hazardous area without explosion proof equipment, the electronics in the field device should be intrinsically safe. In general, intrinsic safety means that the electronics must be designed in a way that no sparks and no heat are generated thereby even when one or more electronic component failures occur at the same time.
Usually, intrinsic safety is achieved by having additional protective elements protect the electronics under a failure condition. Design specifications and certifications for the protective elements vary depending on the specific type of application (e.g., the type of explosive gas used within a manufacturing process).
FIG. 1 shows a peripheral part of a manufacturing process control system. As shown in FIG. 1, the peripheral part of the control system may comprise a first bus segment 10 of the intrinsic safe type and a second bus segment 12 using, e.g., the RS485 standard for data communication. The intrinsically safe field bus segment 10 and the RS485 bus segment 12 are coupled through a bus coupler 14. Further, the side of the intrinsically safe field bus segment 10 not attached to the bus coupler 14 is connected to a terminating circuit 16 that helps to avoid reflections on the intrinsically safe field bus segment 10.
As also shown in FIG. 1, to each bus segment 10, 12 there is connected at least one field device 18, 20, and 22. Each field device is either an actuator, a transmitter or another I/O device receiving/transmitting information. The field devices 20, 22 attached to the intrinsically safe field bus segment 10 may be powered through an electric current received from the intrinsically safe field bus segment 10 leading to a voltage drop across the field devices 20, 22. Typically, the intrinsically safe field bus segment 10 will be operated under a field bus protocol or any other appropriate protocol that allows for exchange of digital information.
As shown in FIG. 1, the field devices 20, 22 coupled to the intrinsically safe field bus segment 10 exchange information through modification of the current flowing into each field device 20, 22. For digital communication a basic value of the current of the intrinsically safe field bus segment 10 is modulated to be increased or decreased by a predetermined offset value, such as 9 mA for the field bus standard. This modulation of the current flowing into either the field device 20 or the field device 22 leads to a modification of the voltage UB on the intrinsically safe field bus segment 10, with the voltage modification being used to provide digital communication.
FIG. 2 shows a more detailed schematic circuit diagram of the field devices shown in FIG. 1. As shown in FIG. 2, the intrinsically safe field bus segment 10 may be summarized into an equivalent circuit diagram with an ideal voltage source 24 and a resistor 26 to model AC voltage impedance and to fulfill intrinsic safety requirements for spark protection, current limitation, and power limitation in a hazardous area.
As also shown in FIG. 2, each field device is connected to the intrinsically safe field bus segment 10 with two wires 28, 30 also being connected to a discharge protection unit 32. At the output of the discharge protection unit 32 there is provided a modulating unit 34 which allows modulation of the operating current flowing into the field device.
The modulating unit 34 is connected in series with a power conversion unit 36 that is adapted to map the operating current flowing over the modulating unit 34 into a suitable power supply signal for a controller unit 38 connected to the output of the power conversion unit 36 and an actuator/sensor unit 40 being controlled by the controller unit 38.
As also shown in FIG. 2, the controller unit 38 is divided into a master controller 42 and a communication controller 44. While the communication controller 44 controls the operating current modulating unit 34 to achieve a modulation of the operating current and therefore exchange of information between the intrinsically safe field bus segment 10 and the field device, the main control of the field device is carried out by the master controller 42.
Therefore, the master controller 42 not only controls the communication controller 44 but also controls either actuators 46, 48 or a sensor 50 in the actuator/sensor unit 40. For each actuator 46, 48 there is provided a dedicated digital/analog converter unit 52, 54, while for the sensor 50 there is provided an analog/digital converter 56.
FIG. 3 shows a more detailed schematic circuit diagram of the power converter unit 36 shown in FIG. 2. As shown in FIG. 3, the power conversion unit 36 comprises a capacitor 58 connected across the input terminals of a DC/DC converter 60. Operatively, the capacitor 58 achieves a stabilization of the input voltage Ui to the DC/DC converter 60. The output voltage Uo of the DC/DC converter 60 is then forwarded to the subsequent controller unit 38.
Operatively, each field device 20, 22 connected to the intrinsically safe field bus segment 10 receives an operating current from the intrinsically safe field bus segment 10. When sending information from the field device to the intrinsically safe field bus segment 10, the current value for the operating current is determined through the modulating unit 34 under control of the communication controller 44. In other words, according to the control signal supplied from the communication controller 44 to the modulating unit 34, the operating current supplied to the field device and thus also the voltage of the intrinsically safe field bus segment 10 varies to achieve digital communication.
Further, to receive information in the field device the communication controller 44 maintains the resistance value of the modulating unit 34 constant. Therefore, in case a different field device triggers a change of the voltage on the intrinsically safe field bus segment 10 the remaining field device(s) connected to this intrinsically safe field bus segment 10 may detect this change of the voltage via the connection lines 28, 30 for further processing thereof in the control unit 38. This digital communication mechanism is used to provide the master controller 42 in each field device with control information for activation of the actuators and/or sensors for manufacturing process control and surveillance.
As also shown in FIG. 2, each field device presents an effective capacitance Ceff to the intrinsically safe field bus segment 10. It is for this reason that the discharge protection unit 32 is inserted between the intrinsically safe field bus segment 10 and the field device to avoid a discharge of the effective capacitance Ceff onto the intrinsically safe field bus segment 10 and therefore a disturbance of the communication process. Another reason is to avoid an overall capacitance on the intrinsically safe field bus segment 10 that might lead to the generation of sparks when somewhere a short circuit occurs on the intrinsically safe field bus segment 10.
On the other hand, in case the voltage of the intrinsically safe field bus segment 10 breaks down and therefore also the power supply to each field device, this power supply failure is not detected immediately by the controller unit 38 shown in FIG. 2 due to the energy stored in the field device, e.g., in the capacitor 58 shown in FIG. 3 or other capacitive/inductive circuit components in the field device stabilizing internal DC voltage. It is for this reason that there occurs a delay between a decrease of the voltage on the intrinsically safe field bus segment 10 and the detection thereof at the controller unit 38 in case of a power supply failure. However, once the controller unit 38 detects such a power supply failure it is not possible to store data in internal memories of the controller unit 38 that may be, e.g., related to internal states of the controller unit or sensed process variables or stored actuator command values since no more energy is available within the field device to carry out such a data saving procedure.
In other words, since the controller unit 38 detects a power supply failure only via the signal supplied from the power conversion unit 36 (i.e., an internal component of the field device) this detection is delayed with respect to the actual power supply failure on the intrinsically safe field bus segment 10 so that valuable time for the saving of internal data and actuator command values and sensed process variables in the controller unit 38 is lost.
In one general aspect, a power supply failure on the intrinsically safe field bus is detected through detection of a signal that is in direct relationship to the voltage on the intrinsically safe field bus segment without any delay caused by energy storage, rather than internally within a field device.
This technique makes use of the signals at internal nodes of the discharge protection unit of the field device that are not affected by the effective capacitance of the field device. This provides for detection of a power supply failure on the intrinsically safe field bus of a manufacturing process control system in an efficient manner.
For this reason, as soon as a power supply failure occurs on the intrinsically safe field bus segment, a node signal will decline simultaneously with the voltage of the intrinsically safe field bus segment. It may therefore be used as an indication of power supply failure.
An important achievement of the described technique is to avoid the impact of internal energy storing elements (e.g., capacitors) on the power supply failure detection by deriving an interrupt signal for power supply failure indication in the first circuit stage of the field device for direct supply to the controller unit. Therefore, immediately on decline of, e.g., the voltage on the intrinsically safe field bus segment, the controller unit becomes aware of such a power supply failure.
Since a certain time interval expires between breakdown of the voltage on the intrinsically safe field bus segment and the power supply to the controller unit due to the energy stored internally in the field device, this time interval may be used to save data stored in the controller unit, e.g., command data for the actuators, measurement data from the sensors or internal states thereof. Therefore, a controlled restart of the field device after recovery of the energy supply thereto is provided. Also, the described technique allows significant improvement of the safety characteristic of the field device as any undefined controller states (e.g., false command values for the actuators) may be strictly avoided.
Yet another important advantage is (as internal states, command and measurement data are saved) that the field device is fully operative immediately after recovery of the energy supplied thereto, thus avoiding time consuming resetting mechanisms in the manufacturing process control system or, even worse, an uncontrolled operation in the manufacturing field.
In one implementation, the discharge protection unit may include at least two rectifying elements inserted into the current path of the operating current with identical conducting directions being connected in series. Either an input signal or an output signal to a selected rectifying element may then be supplied as an interrupt signal to the controller unit for a power supply failure detection.
The use of a cascade of rectifying elements with an identical conducting direction enables an easy variation of the redundancy level in the discharge protection unit, i.e. the degree to which a discharge of energy from the field device onto the control bus is avoided. The higher the number of the rectifier elements, the higher the redundancy level and degree of protection.
The discharge protection unit may include four rectifying elements connected in a full wave rectifier bridge network topology. An additional rectifying element also may be connected to a bridge arm node of the rectifier bridge network to increase the discharge protection redundancy level.
The use of a bridge network topology allows adaptation to different bus voltage polarities when connecting the field device to the intrinsically safe field bus segment. This implementation is particularly useful when considering different communication standards that use different bus polarities.
Also, when a further rectifier element is connected to the bridge arm node of the full wave rectifier bridge, intrinsic safety may be increased since the additional rectifier element blocks reverse current flow and related discharge of energy from the field device to the intrinsically safe field bus segment.
An additional discharge protection element may be inserted into the line connecting an interrupt signal output terminal of the discharge protection unit and the controller unit.
Increasing the intrinsic safety through insertion of rectifier elements into a current path also may be applied to the supply of the interrupt signal to the controller unit. In other words, the provision of a discharge protection element in the line for the supply of the interrupt signal to the controller unit allows achievement of the same level of intrinsic safety for the supply of the operating current to the field device and the supply of the interrupt signal to the controller unit.
Triggering of the interrupt at the controller unit and the internal saving procedure in the controller unit may be achieved using predetermined thresholds that are selected such that the interrupt signal is safely issued and a safe storage of internal states after a power supply failure is ensured. Thus, the described techniques provide the ability to detect a power supply failure on the intrinsically safe field bus as soon as possible to ensure that enough energy for the saving of internal states in the control unit of the field device is available.
In another implementation, upon receipt of the power supply interrupt, the controller unit turns off those power consumers in the field device which are not necessarily involved in the data saving procedure, e.g., liquid crystal displays or LED diodes.
The described power management techniques achieve a longer time period for the saving of important data in the controller unit of the field device and thus a contribution to intrinsic safety of the field device.
The saving of internal states and data may be carried out according to a predetermined priority scheme. The method is particularly useful when data of different relevance and importance are stored in the memory of the controller unit. Typically, in view of scarce energy resources, the described techniques may be configured to initially save the most important data and to subsequently save data of less relevance.
Here, it should be noted that different priorities may exist for different applications and that the method may be suited to improve operable safety for different applications through adaptation of predetermined priorities for the saving of internal data/states for each single application.
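The following sketch is an added example, not code from the patent: it combines the load shedding and the priority-ordered saving described above with the energy held in a buffer capacitor such as capacitor 58. All function names, record names, capacitor and voltage values, write times and the constant-power load model are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added illustration: every name and number below is an assumption. */
typedef struct {
    const char *name;
    uint8_t  priority;   /* 0 = most important, saved first */
    uint32_t write_us;   /* time to commit the record to non-volatile memory */
    int      saved;
} save_item;

/* Hold-up time left after the power-fail interrupt: usable energy in the
 * buffer capacitor, E = C/2 * (Ui^2 - Umin^2), divided by the load power.
 * uF * mV^2 gives picojoules; 1 mW equals 1000 pJ per microsecond. */
uint32_t holdup_us(uint32_t c_uf, uint32_t ui_mv, uint32_t umin_mv, uint32_t load_mw)
{
    if (ui_mv <= umin_mv || load_mw == 0) return 0;
    uint64_t e_pj = (uint64_t)c_uf *
        ((uint64_t)ui_mv * ui_mv - (uint64_t)umin_mv * umin_mv) / 2;
    return (uint32_t)(e_pj / ((uint64_t)load_mw * 1000));
}

static int by_priority(const void *a, const void *b)
{
    return (int)((const save_item *)a)->priority - (int)((const save_item *)b)->priority;
}

/* Save strictly in priority order; stop before a record that no longer
 * fits so that no write is started and then cut off. Returns records saved. */
size_t save_on_power_fail(save_item *items, size_t n, uint32_t budget_us)
{
    size_t saved = 0;
    qsort(items, n, sizeof *items, by_priority);
    for (size_t i = 0; i < n && items[i].write_us <= budget_us; i++) {
        budget_us -= items[i].write_us;
        items[i].saved = 1;
        saved++;
    }
    return saved;
}

/* Constructed scenario: 100 uF buffer, 9 V at the interrupt, 5 V minimum. */
size_t demo(uint32_t load_mw)
{
    save_item items[] = {
        { "sensor measurements",     2, 15000, 0 },
        { "actuator command values", 0, 12000, 0 },
        { "controller state",        1, 10000, 0 },
    };
    return save_on_power_fail(items, 3, holdup_us(100, 9000, 5000, load_mw));
}

int main(void)
{
    printf("display on: %zu saved, display off: %zu saved\n", demo(140), demo(70));
    return 0;
}
```

With the assumed 140 mW load only the highest-priority record fits into the hold-up time; halving the load by switching off the display leaves room for all three.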
In another implementation, a computer program product may be directly loadable into the internal memory of a field device controller comprising software code portions for performing the method when the product is run on the field device controller.
Therefore, the described techniques also may be implemented on computer or processor systems. In conclusion, such implementation leads to the provision of computer program products for use with a computer system or more specifically a processor comprised in, e.g., a field device controller.
Programs defining the functions of the described techniques can be delivered to a computer/processor in many forms, including, but not limited to, information permanently stored on non-writable storage media, e.g., read only memory devices such as ROM or CD ROM discs readable by processors or computer I/O attachments; information stored on writable storage media, such as floppy discs and hard drives; or information conveyed to a computer/processor through communication media such as networks, telephone networks, or the Internet through modems or other interface devices. It should be understood that such media, when carrying processor readable instructions implementing the concept, represent alternate implementations.
The details of one or more implementations are set forth in the accompanying drawings and the description below. Other features will be apparent from the description and drawings, and from the claims.