a. Field of the Invention
This invention relates to an apparatus and method for output current control in an Industrial Process Control System, in particular for an Industrial Process Control System suitable for:                Emergency Shutdown systems        Critical process control systems        Fire and Gas detection and protection systems        Rotating machinery control systems        Burner management systems        Boiler and furnace control systems        Distributed monitoring and control systems        
Such control systems are applicable to many industries including oil and gas production and refining, chemical production and processing, power generation, paper and textile mills and sewage treatment plants.
In industrial process control systems, fault tolerance is of utmost importance. Fault tolerance is the ability to continue functioning safely in the event of one or more failures within the system.
Industrial process control systems are usually specified to have a particular Safety Integrity Level. Safety Integrity Level (SIL) is defined as a relative level of risk reduction provided by a safety function, or to specify a target level of risk reduction. In simple terms, SIL is a measurement of performance required for a Safety Instrumented Function.
Within European Functional Safety standards four SILs are defined, with SIL 4 being the most dependable and SIL 1 being the least. A SIL is determined based on a number of quantitative factors in combination with qualitative factors such as development process and safety life cycle management.
b. Related Art
Fault tolerant systems are expensive to implement, and it is desirable to utilize an architecture which provides flexibility so that differing levels of fault tolerance can be provided depending upon the specified SIL.
Fault tolerance may be achieved by a number of different techniques, each with specific advantages and disadvantages.
One way in which fault tolerance may be achieved is by providing “redundancy.” Critical circuits are replicated and perform identical functions simultaneously and independently. The data outputs from replicated circuits are compared, and action taken depending upon the results. For example in a triplicated system a two out of three voting system may be implemented where if any two of the outputs agree then those values are assumed to be correct. Such solutions, whilst effective, are complex and costly to implement.
Another approach to fault tolerance is the use of hot-standby modules. This approach provides a level of fault tolerance whereby a standby module maintains system operation in the event of module failure. With this approach there may be some disruption to system operation during the changeover period.
Fault tolerant systems ideally create a Fault Containment Region (FCR) to ensure that a fault within the FCR boundary does not propagate to the remainder of the system. This enables multiple faults to co-exist on different parts of a system without affecting operation.
Fault tolerant systems may also employ dedicated hardware and software test and diagnostic regimes that provide very fast fault recognition and response times to provide a safer system.
Safety control systems are generally designed to be “fail-operational/fail-safe.” Fail operational means that when a failure occurs, the system continues to operate: it is in a fail-operational state. The system will continue to operate in this state until the failed module is replaced and the system is returned to a fully operational state.
There are several problems associated with the use of hot standby modules. A fault must be accurately detected, the faulty module needs to be isolated quickly, and the standby module needs o be deployed quickly. Furthermore, it is necessary to have a system which ensures that the standby module is in working correctly itself order to take control.
It is difficult to achieve fault tolerant output modules for a current source due to the need for coordinating the sharing of current between replicated elements of a fault tolerant design to maintain the correct demanded current in the event of a failure. This invention provides an improved output module providing a current source, for use in fault tolerant industrial process control systems which overcomes some of the problems associated with the use of hot standby modules.