a. Field of the Invention
This invention relates to testing and protecting an output module for an Industrial Process Control System, in particular one suitable for exemplary systems such as:
    Emergency Shutdown systems;
    Critical process control systems;
    Fire and Gas detection and protection systems;
    Rotating machinery control systems;
    Burner management systems;
    Boiler and furnace control systems; and
    Distributed monitoring and control systems.
Such control systems are applicable to many industries including oil and gas production and refining, chemical production and processing, power generation, paper and textile mills and sewage treatment plants.
b. Related Art
In industrial process control systems, fault tolerance is of utmost importance. Fault tolerance is the ability to continue functioning in the event of one or more failures within the system.
Fault tolerance may be achieved by a number of different techniques, each with its specific advantages and disadvantages.
An example of a system which provides redundancy is a Triple Modular Redundancy (TMR) system. Using TMR, critical circuits are triplicated and perform identical functions simultaneously and independently. The data output from each of the three circuits is voted in a majority-voting circuit, before affecting the system's outputs. If one of the triplicated circuits fails, its data output is ignored. However, the system continues to output to the process the value (voltage, current level, or discrete output state) that agrees with the majority of the functional circuits. TMR provides continuous, predictable operation.
However, TMR systems are expensive to implement if full TMR is not actually a requirement, and it is desirable to utilise an architecture which provides flexibility so that differing levels of fault tolerance can be provided depending upon specified system requirements.
Another approach to fault tolerance is the use of hot-standby modules. This approach provides a level of fault tolerance whereby the standby module maintains system operation in the event of module failure. With this approach there may be some disruption to system operation during the changeover period if the modules are not themselves fault-tolerant.
Fault tolerant systems ideally create a Fault Containment Region (FCR) to ensure that a fault within the FCR boundary does not propagate to the remainder of the system. This enables multiple faults to co-exist on different parts of a system without affecting operation.
Fault tolerant systems generally employ dedicated hardware and software test and diagnostic regimes that provide very fast fault recognition and response times to provide a safer system.
Safety control systems are generally designed to be ‘fail-operational/fail-safe’. Fail operational means that when a failure occurs, the system continues to operate: it is in a fail-operational state. The system should continue to operate in this state until the failed module is replaced and the system is returned to a fully operational state.
An example of fail-safe operation is the following: if, in a TMR system, a failed module is not replaced before a second failure occurs in a parallel circuit, the second failure should cause the TMR system to shut down to a fail-safe state. It is worth noting that a TMR system can still be considered safe even if the second failure is not itself fail-safe, as long as the first fault is detected and announced, and is itself fail-safe.
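The two paragraphs above describe the TMR behaviour in words: majority voting with the minority channel ignored, fail-operational after a first fault until the module is replaced, and a shutdown to the fail-safe state on a second fault. The following is an added illustration of that voting and latching logic for a single discrete output; it is not code from the patent or from any product it describes. It assumes that the de-energized state (0) is the safe state, as for an emergency shutdown output, that a channel which disagrees with the majority is latched as faulty until a hypothetical tmr_replace() call models replacement of its module, and that when only two trusted channels remain and they disagree, neither can be trusted and the output is driven to the safe state.

```c
#include <stdbool.h>
#include <stdio.h>

#define TMR_CHANNELS 3

/* Outcome of one voting cycle. */
typedef enum {
    TMR_OK,        /* all trusted channels agree: fully operational */
    TMR_DEGRADED,  /* one channel latched faulty: fail-operational, module needs replacing */
    TMR_FAILSAFE   /* a second fault is present: output forced to the de-energized state */
} tmr_status;

/* Voter state. A channel that disagrees with the majority is latched as faulted
 * and ignored until tmr_replace() is called for it, modelling the requirement that
 * the system stays fail-operational until the failed module is replaced. */
typedef struct {
    bool faulted[TMR_CHANNELS];
} tmr_state;

void tmr_init(tmr_state *s)
{
    for (int i = 0; i < TMR_CHANNELS; i++)
        s->faulted[i] = false;
}

/* Hypothetical maintenance hook: clear the latch after the module is replaced. */
void tmr_replace(tmr_state *s, int channel)
{
    if (channel >= 0 && channel < TMR_CHANNELS)
        s->faulted[channel] = false;
}

int tmr_fault_count(const tmr_state *s)
{
    int n = 0;
    for (int i = 0; i < TMR_CHANNELS; i++)
        n += s->faulted[i] ? 1 : 0;
    return n;
}

/* Vote one cycle of discrete channel outputs (1 = energized, 0 = de-energized).
 * Returns the value to drive to the process; 0 is assumed to be the safe state. */
int tmr_vote(tmr_state *s, const int in[TMR_CHANNELS], tmr_status *status)
{
    int healthy = 0, ones = 0;
    for (int i = 0; i < TMR_CHANNELS; i++) {
        if (s->faulted[i])
            continue;
        healthy++;
        ones += in[i] ? 1 : 0;
    }

    /* Fewer than two trusted channels means a second fault exists: go fail-safe. */
    if (healthy < 2) {
        *status = TMR_FAILSAFE;
        return 0;
    }

    int majority;
    if (healthy == TMR_CHANNELS) {
        majority = (ones >= 2) ? 1 : 0;          /* classic 2-out-of-3 vote */
    } else if (ones == 0 || ones == healthy) {
        majority = (ones == healthy) ? 1 : 0;    /* the two survivors agree */
    } else {
        /* First fault not yet repaired and the two survivors disagree: this is
         * the second failure. Neither survivor can be trusted, so latch every
         * channel and drive the safe state until the modules are replaced. */
        for (int i = 0; i < TMR_CHANNELS; i++)
            s->faulted[i] = true;
        *status = TMR_FAILSAFE;
        return 0;
    }

    /* Any trusted channel disagreeing with the majority is latched and announced. */
    for (int i = 0; i < TMR_CHANNELS; i++) {
        if (!s->faulted[i] && (in[i] ? 1 : 0) != majority) {
            s->faulted[i] = true;
            printf("channel %d disagrees with majority: latched faulty, replace module\n", i);
        }
    }

    *status = tmr_fault_count(s) ? TMR_DEGRADED : TMR_OK;
    return majority;
}

int main(void)
{
    tmr_state s;
    tmr_status st;
    tmr_init(&s);

    /* Constructed input sequence: all healthy, first fault on channel 1,
     * channel 1 still latched although it now agrees, then a second fault
     * on channel 0 before channel 1 was replaced. */
    const int cycles[][TMR_CHANNELS] = { {1, 1, 1}, {1, 0, 1}, {1, 1, 1}, {0, 1, 1} };
    for (size_t c = 0; c < sizeof cycles / sizeof cycles[0]; c++) {
        int out = tmr_vote(&s, cycles[c], &st);
        printf("cycle %zu -> output %d, status %d, faults %d\n", c, out, st, tmr_fault_count(&s));
    }
    return 0;
}
```

The latch is what distinguishes a voter that merely masks a fault from one that announces it: without it the third cycle in the sequence would silently report full health again, and the first fault would never be repaired before the second arrived.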
It is desirable to automatically test fail-safe digital output channels. Such a channel is typically built with two switches in series so that either switch can de-energize the load; it is therefore particularly useful if a short-circuit fault in one of the two series switches can be detected, since the channel otherwise continues to function through the remaining switch and the fault stays hidden.
It is desirable to test the digital output channels for the ability to be de-energized without requiring the presence of a minimum load current in order for its interruption to be detected. This is especially useful in a fault tolerant output channel configuration where two outputs are concurrently driving the same load in parallel.
Ideally, digital output channels and their loads are protected from over-voltage transients, and the channels are monitored for open- and short-circuit faults in the energised as well as the de-energised state.