Reliability is a prime concern in condition-indicating or control instrumentation. Since instrument systems that are immune to failure do not exist, it is desirable that an instrument system fail in the manner which causes the least troublesome indication or control action. Instruments are commonly specified as having a fail-safe state, which is the state assumed by the instrument's output upon loss of power to the instrument; desirably, this is the state which causes the least troublesome indication or control action. Such a system fails safely for those failures which have the same effect on the output as loss of power does.
In the control of industrial processes it may be desirable to use information about a process at a remote location. An example of such a situation is centralized monitoring or control. Information must then be transmitted from the process via a transmission medium to a remote receiver, where the information is displayed or acted upon. The transmission medium itself, though, is subject to failure and cannot generally be assumed to fail in the manner which causes the least-damaging response at the receiver. Thus, transmission of a signal may nullify the fail-safe capability of the signal transmitter. Consider, for instance, an on-off instrument whose output is the making or breaking of a set of contacts, wherein the contacts are open upon loss of power. The output is to be transmitted to a remote receiver by a pair of wires, one connected to each contact. The signal present at the receiver is either a very high impedance or a very low impedance. The received signal may be due to normal operation of the contacts in the transmitter or to open or shorted signal transmission wires, so the receiver in such a system cannot distinguish failures from normal operation. It is small comfort that some failures will fortuitously give the least-damaging result.
Various techniques exist for detecting failures in the generation and transmission of signals, alerting users to such failures, and taking the least-damaging action. For instance, redundant systems may be used and differences between redundant outputs interpreted as evidence of a failure. If a sufficient number of redundant systems is used, the proper output may be assumed to be the majority output. Another approach is to apply checking signals at various points in the signal path and to verify at the receiver that the appropriate effect is present. See, e.g., U.S. Pat. No. 3,202,976 to Rowell. Such checking signals may be substitutions for or modulations of the signal which is the result of a measurement, and may be applied periodically by a timing mechanism or in response to reception of the effects of such a checking signal. Both approaches gain their ability to detect failures at the expense of increased cost and complexity. In the case of redundant systems, two systems are required to detect a failure and three systems are required to determine the proper output in the event of failure in one system. This approach thus entails considerable expense. The checking signal approach requires the provision of supervisory apparatus, checking signal generators, and additional transmission media for either the checking signals themselves or control signals, all at extra expense. Moreover, the checking signal mechanisms themselves increase the probability of system failure, and a process shutdown due to checking mechanism failure, albeit one which causes the least-damaging result, may be less desirable than a functioning process with instruments whose failures will not be detected. Another shortcoming, common to both approaches discussed above, is their requirement of additional signal transmission media. In large manufacturing facilities the distance between a transmitter and a receiver may be on the order of a mile. The cost of such a long transmission channel may be the dominant expense in an instrument system, so the cost of additional channels for redundant systems or checking signals may have a great impact on system cost. Also, there may be requirements of intrinsic safety for the transmitter and transmission media, and the cost of protecting additional transmitters or transmission channels against intrusion of hazardous energy levels may be large.
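The following model, added here as an illustration and not part of the patent, makes the two preceding points concrete: it enumerates what the two-wire contact link delivers to the receiver under normal operation and under open or shorted wires, showing why a single channel cannot distinguish failures, and then combines readings from N redundant transmitters, showing that two systems only detect disagreement while three allow a majority output. The state names and the `redundant_receive` decision rule are constructed for this example.

```python
"""Constructed model of the two-wire contact link and of redundant receivers."""
from collections import Counter
from itertools import product

# Transmitter contact states: "open" is also the loss-of-power (fail-safe) state.
CONTACT_STATES = ("open", "closed")
# Assumed wire fault model for the transmission pair.
WIRE_STATES = ("ok", "open_wire", "shorted_wire")


def received_impedance(contact, wire):
    """Loop impedance seen at the receiver for a contact state and wire condition."""
    if wire == "open_wire":
        return "high"      # broken wire: loop is open regardless of the contacts
    if wire == "shorted_wire":
        return "low"       # shorted pair: loop is closed regardless of the contacts
    return "high" if contact == "open" else "low"


def ambiguity_table():
    """Map each received impedance to every (contact, wire) situation producing it."""
    table = {}
    for contact, wire in product(CONTACT_STATES, WIRE_STATES):
        table.setdefault(received_impedance(contact, wire), set()).add((contact, wire))
    return table


def receiver_can_distinguish_faults(table=None):
    """True only if each received value has exactly one cause; here it never does."""
    table = table or ambiguity_table()
    return all(len(causes) == 1 for causes in table.values())


def redundant_receive(readings):
    """Combine N redundant readings; returns (output, fault_detected).

    N == 1: no detection is possible, the reading is passed through.
    N == 2: a disagreement is detected, but no proper output can be chosen.
    N >= 3: a disagreement is detected and the majority reading is the output.
    """
    counts = Counter(readings)
    fault = len(counts) > 1
    if len(readings) < 2:
        return readings[0], False
    if len(readings) == 2:
        return (None if fault else readings[0]), fault
    value, n = counts.most_common(1)[0]
    return (value if n > len(readings) / 2 else None), fault
```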
The transmission of electrical signals over long distances poses threats to system reliability by increasing exposure to deleterious environmental effects such as radio-frequency interference (RFI) and high energy transients. A practical embodiment of a fail-safe system for transmission of electrical signals should therefore be immune to such hazards.
Another consideration in a system for transmission of signals is that a fault in one system component should not cause damage to other system components. If this is not the case, then consequential failures may prolong the down time of a system which fails.
The present invention provides a fail-safe instrument system without the drawbacks of prior art systems. It should be noted, however, that the prior art techniques may be applied to a system in accordance with this invention, and that the benefits obtained by such application may be greater than those obtained by use of prior art techniques by themselves. For instance, a system is disclosed with two redundant instruments which may be used with a single transmission channel, and in which failure of one instrument still allows determination of the proper output.