Process control networks, such as those used in chemical, petroleum, or other processes, generally include a centralized process controller communicatively coupled to one or more field devices which may be, for example, valve positioners, switches, sensors (such as temperature, pressure and flow rate sensors), etc. These field devices may perform physical control functions within the process plant (such as opening or closing a valve), may take measurements within the process plant for use in controlling the operation of the process plant, or may perform any other desired function within the process plant. The process plant may also include various other equipment, such as reactor tanks, filters, dryers, generators, turbines, heaters, etc. Process controllers have historically been connected to field devices and equipment via one or more analog signal lines or buses which may carry, for example, 4-20 mA (milliamp) signals to and from the field devices and/or other equipment. In the past couple of decades or so, however, the process control industry has developed a number of standard, open, digital, or combined digital and analog communication protocols such as the FOUNDATION™ FIELDBUS (hereinafter “Fieldbus”), HART®, PROFIBUS®, WORLDFIP®, Device-Net®, and CAN protocols which can be used to implement communications between a controller and field devices and equipment. Generally speaking, the process controller receives signals indicative of measurements made by one or more field devices and/or other information pertaining to the field devices, uses this information to implement on a processor therein a typically complex control routine stored on a computer-readable medium in the process controller, and generates control signals which are sent via the signal lines or buses to the field devices and equipment to thereby control the operation of the process plant.
A typical process plant will include numerous field devices taking measurements and performing physical control functions, as well as other process equipment. The various field devices and equipment will, at times, require maintenance and/or calibration. For example, a temperature sensor may require calibration on a regular basis (e.g., every six months), a control valve may require periodic lubrication, a reactor tank may require periodic cleaning, a turbine may require periodic lubrication, etc. Moreover, in the event that a field device or piece of equipment experiences a malfunction or a failure, maintenance may be required to restore the field device or equipment to an acceptable operating condition or otherwise remedy the malfunction. In some instances, a maintenance technician may perform the required operations (e.g., calibration, diagnostic tests, etc.) on equipment or field devices remotely (e.g., from an asset management system, such as the AMS Suite, sold by Emerson Process). In other instances, the required tasks (e.g., lubrication, replacement, etc.) may require a maintenance technician to attend to the equipment or field devices in the field.
Typically, when maintenance personnel require physical access to equipment in an industrial environment, the application of lock-out/tag-out procedures ensures personnel safety by providing physical and administrative safeguards to prevent the accidental operation or re-energization of the equipment while work is underway or, in any event, before it is safe to do so. In an electrical power distribution facility, for example, maintenance personnel may de-energize a piece of equipment (e.g., a distribution bus) by, for instance, opening a circuit breaker supplying the voltage and current to the equipment. A locking mechanism may physically lock the circuit breaker in the open (i.e., safe) position, and each person whose safety depends on the circuit breaker remaining open may place a personal padlock on the locking mechanism. In this manner, the locking mechanism prevents the circuit breaker from being closed (and prevents the equipment from being re-energized) until each maintenance technician has removed his or her padlock from the locking mechanism, thus ensuring that all maintenance personnel involved agree that it is safe to re-energize the equipment.
In a process control environment, similar concerns exist with regard to safeguarding equipment, processes, and personnel. For example, many process plants implement administrative procedures for performing maintenance. The administrative procedures are designed and implemented with the goal of preventing a maintenance technician, for example, from sending commands to (or otherwise making changes to) equipment and/or field devices, which changes could cause the product to be destroyed, cause materials to be wasted, or cause equipment to malfunction during a process. Another goal of the procedures is to protect maintenance personnel while the personnel perform maintenance on the various equipment by, for example, ensuring that a process operator does not cause process control equipment to begin operating while a maintenance technician is performing maintenance on the equipment (e.g., ensuring that a turbine does not begin operating while the technician is changing a fan blade on the turbine).
Unlike the physical interlocks that exist in many industrial environments, there is no formal method for coordinating the “lock out” of field instrumentation, associated with a process automation system, between the host control system, used to control the process, and the asset management system, used to track and maintain the process equipment. When a maintenance technician prepares to perform work on assets under control of the process control system, administrative work processes that rely on verbal communication dictate the transfer of control between the plant operator and maintenance technician. With the pervasiveness of digital communications and networking in process automation systems, it is becoming increasingly easy for plant personnel to make mistakes with verbal procedures, and the impact of the mistakes may be more significant.