In process automation technology, field devices are often employed, which serve to register and/or influence process variables. Serving for registering process variables are sensors, such as, for example, fill-level measuring devices, flow measuring devices, pressure and temperature measuring devices, pH-redox potential measuring devices, electrical conductivity measuring devices, etc., which register the respective process variables, fill-level, flow, pressure, temperature, pH-value and conductivity. Serving for influencing process variables are actuators, for example valves or pumps, via which the flow of a fluid in a section of pipeline or the fill-level in a container can be changed. In principle, all devices which are employed near the process and which deliver or work with process-relevant information are referred to as field devices. In addition to the aforementioned sensors and actuators, generally, units that are directly connected to a fieldbus and which serve to communicate with the superordinated units (e.g. remote I/Os, gateways, linking devices, etc.) are also referred to as field devices. A large number of these devices are produced and sold by the Endress+Hauser Group.
In modern industrial facilities, field devices are, as a rule, connected with superordinated units via fieldbus systems. Normally, the superordinated units involve control systems or control units, for example a PLC (programmable logic controller) or a DCS (Distributed Control System). The superordinated units are used, among other things, for process control, process visualizing, process monitoring as well as in the start-up of the field devices. One or more of such superordinated units can, in such case, be directly connected to the fieldbus, to which the field devices are connected, and/or be connected to a superordinated communication network.
In a field device, a plurality of parameters are provided. Parameters of a field device include, for example, a measuring range, limit values, units, etc. By writing and reading the parameters of a field device—which is also referred to as configuring (or parametering) the field device—the functionality of the field device can, in each case, be adapted corresponding to the intended use. The configuring of a field device is, as a rule, performed during the start-up of the field device. To the extent that changes should be performed during operation, a configuration can also partially occur during operation. A changing, activating and/or deactivating of parameters of a field device occurs, in such case, by a write accessing of the parameters. By a read accessing, parameters of the field device can be read out; a change in the parameters does not, in such case, occur.
For accessing parameters of field devices—especially for reading and writing parameters of field devices—servicing programs, which are also referred to as servicing, or operating, tools, are provided. Such servicing tools can, in such case, be implemented on the field device itself, on a superordinated unit and/or on a servicing device, such as, for example, a portable personal computer (laptop), a portable handheld servicing device (handheld), a PDA (Personnel Digital Assistant), etc. An accessing of parameters of a field device via the servicing tools can, in such case, occur automatedly, in the context of an application, or manually, by a user. As a rule, servicing tools make available to a user (who would like access to parameters of a field device) a corresponding user interface. A communication connection between a servicing device (e.g. a personal computer, portable handheld servicing device or PDA) and the field device is produced either via the fieldbus, to which the field device in question is connected, or directly via a corresponding service interface of the field device. A servicing tool which is implemented on the field device itself enables a user to access the field device on-site. In addition to providing access to field devices as explained, servicing tools can also have still other functions.
Until now, access rights are statically defined in a field device, which means, especially, that once set, or defined, access rights to parameters of the field device remain unchanged over time (assuming they are not changed again). During the start-up of a field device, a parameter change is relatively non-critical, since such a change does not directly affect the process of a plant. In some operating states of a field device, however, parameter changes are to be conducted only as a matter of exception and with high care, especially in an operating state in which the field device is integrated into the process of a plant, and changes to the parameters settings can directly affect the process (operating state: on control). In this case, a parameter change which is incorrect or which is undergone at an incorrect point in time can have an unforeseeable effect on the process. A static definition of access rights thus has the disadvantage, that in some situations, in which parameter changes are relatively non-critical, more extensive access rights are desirable; whereas in other situations, in which parameter changes are critical, the defined access rights are possibly too extensive.
In a plant of process automation technology, a field device is, as a rule, connected for communication not only with one, but rather with a plurality of servicing tools. In such case, a coordination of accessings by the different servicing tools often does not occur. This can lead to two servicing tools accessing parameters of a field device simultaneously, or at such short time intervals, that an unpredictable behavior and/or an error occurs in the current application. For example, it can occur that a first servicing tool accesses the field device, and loads all or a part of the parameters of the field device into the associated processor unit, on which the servicing tool is implemented. These data are then available as offline data, which means that a change of the same data (in the processor unit) does not directly affect the associated parameters in the field device. The parameters are then, for example, changed offline by way of the servicing tool, and then loaded back into the field device. After this loading, the changed parameters then exist as online data in the field device. If, in parallel—that is, at the same time or overlapping in time—to the parameter change via the first servicing tool, another parameter change is also performed in the field device via a second servicing tool, it can then occur that the parameter change of the first or the second servicing tool is unintentionally overwritten, or that the parameter change of the first servicing tool is not compatible with the parameter change of the second servicing tool. This can lead to unpredictable behavior in the process, or to the occurrence of errors.
Until now, existing measures have not been sufficient to reliably avoid the above-mentioned causes for possible error. In known servicing tools, an identification method, by which users must first identify themselves (for example, through a password or through biometric data) is, as a rule, provided. Depending on the type of task and the technical knowledge of the relevant person, predetermined accesses are enabled via the servicing tool. In this way, for individual persons, only such accesses are enabled for which, in each case, these persons are authorized. This mechanism does not prevent, however, that two or more persons access in parallel the same field device via different servicing tools. Additionally, this mechanism cannot prevent that a user unintentionally changes parameters of a field device which is currently in the operating state “on control”, and that errors in the process are caused thereby.
Additionally, the use of so-called hardware-switches in field devices is also known. Such involves, for example, mechanical switches, which are placed directly on the field device, and whose actuation leads to the field device being blocked from parameter changes of any type. Disadvantageous in such case, is, however, the fact that, in order to both block parameter changes as well as for canceling this blocking, the field device in question must, in each case, be located on-site, and the relevant switches must be actuated. Additionally, such a switch cannot effectively and reliably eliminate the causes for error set forth above.