In WO 2004/013585 A1, concerns an embodiment of a field device, which can be used in safety-critical applications in the field of process automation. The invention is not, however, limited to the field of process and manufacturing automation, but can also be applied in safety-critical applications in automobile sector, etc.
In automation technology, especially in process automation technology, field devices are used, which serve to determine and monitor process variables. Examples of such field devices are fill level measuring devices, flow measuring devices, analytical measuring devices, pressure and temperature measuring devices, humidity and conductivity measuring devices, and density and viscosity measuring devices. The sensors of these field devices register the corresponding process variables, e.g. fill level, flow, pH-value, substance concentration, pressure, temperature, humidity, conductivity, density or viscosity.
Also subsumed under the term “field devices” are, however, actuators (e.g. valves or pumps), via which, for example, the flow of a liquid in a pipeline or the fill level in a container is changeable. A large number of such field devices are available from members of the firm Endress+Hauser.
In modern automation technology plants, as well as in the automobile sector, field devices are, as a rule, connected over communication networks (such as HART-multidrop, point to point connection, Profibus, Foundation Fieldbus or CAN-Bus) with a superordinated unit, which is referred to as a control system or superordinated control unit. This superordinated unit is used for control, diagnosis, visualizing, and monitoring functions as well as in the start-up and servicing of field devices. Additional components which are necessary for operation of fieldbus systems and connected directly to a fieldbus (especially components used for communication with the superordinated units) are likewise frequently referred to as field devices. These supplemental components are, for example, remote I/Os, gateways, linking devices, controllers or wireless adapters. These are also subsumed under the term “field devices”.
The software component of field devices is constantly increasing. The advantage of the use of microcontroller-controlled intelligent field devices (smart field devices) lies in the fact that, via application-specific software programs, a plurality of different functionalities can be implemented in a field device; thus, program changes can be performed relatively easily. The high flexibility of program-controlled field devices is, on the other hand, countered by a relatively low processing speed (and therewith a correspondingly low measuring rate) as a result of the sequential progression through the program.
In order to increase the processing speed, ASICs (Application Specific Integrated Circuits) are, whenever economically justified, applied in field devices. Through the application-specific configuration, these chips can process data and signals substantially faster than a software program can. ASICs, are, consequently, especially excellently suitable for computationally intensive applications.
A disadvantage in the application of ASICs is the fact that the functionality of these chips is firmly predetermined. A subsequent change in functionality is not readily possible in such case. Furthermore, the use of ASICs is only worthwhile in the case of a relatively large number of pieces, since the developmental effort and the therewith connected costs are high.
In order to avoid the drawbacks of the firmly predetermined functionality, in WO 03/098154 A1, a configurable field device is described, in the case of which a reconfigurable logic chip in the form of an FPGA (Field-Programmable Gate Array) is provided. In this known solution, the logic chip, which has at least one microcontroller (which is also referred to as an embedded controller), is configured at system start. After the configuration is finished, the required software is loaded into the microcontroller. The reconfigurable logic chip required in such case must have at its disposal sufficient resources (particularly logic, wiring and memory resources) to fulfill the desired functionalities. Logic chips with many resources require a great deal of energy, which, in turn, from a functional point of view, makes use thereof in automation possible only to a limited degree. A disadvantage of using logic chips with few resources (and, thus, with a smaller energy consumption) is the considerable limitation in the functionality of the corresponding field device.
Depending on the particular application, the field devices must satisfy a most varied range of safety requirements. In order to satisfy the particular safety requirements (e.g. the SIL-standard “security integrity level”, which plays a large roll in process automation), the functionality of the field devices must be fashioned in a redundant and/or diverse manner.
Redundance, or redundancy, means increased safety through doubled or plural design of all safety-relevant hardware and software components. Diversity means that the hardware components (e.g. microprocessors or A/D converters) located in the various measuring paths come from different manufacturers and/or are of different types. In the case of software-components, diversity requires that the software stored in the microprocessors originates from different sources, e.g. comes from different companies, or different programmers, as the case may be. Through all these measures, it should be assured that a safety-critical failure of the field device, as well as the occurrence of simultaneously arising systematic errors in the provision of measured values, are excluded with a high probability. It is also known additionally to design individual essential hardware and software components of the evaluating circuit in a redundant and/or diverse manner. Through redundant and diverse design of individual hardware and software components, the degree of safety can be further increased.
An example of a safety-relevant application is fill-level monitoring in a tank in which a burnable or explosive liquid—or also a liquid which is not burnable, but instead presents a hazard to the environment—is stored. Here, it must be assured that the supply of liquid to the tank is immediately interrupted as soon as a maximum reliable fill level is reached. This, in turn, presupposes that the measuring device detects the fill level with a high reliability, and that the measuring device works faultlessly.
In WO 2009/062954 A1, a field device is described, which has a sensor functioning according to a defined measuring principle. Also present is a control/evaluation unit, which, as a function of a safety standard required for the particular safety-critical application, conditions and evaluates, along at least two equal-valued measuring paths, the measurement data delivered by the sensor. The control/evaluation unit is at least partially embodied as a reconfigurable logic chip having a plurality of partially dynamically reconfigurable function modules. In each case, the control/evaluation unit configures the function modules in the measuring paths as a function of the particular defined safety-critical application, and does so in such a manner, that the field device is designed according to the required safety standard.
Problematic in the case of the known embodiment is the fact that a malfunction (e.g. a short circuit or a temperature change) in one section automatically influences other sections. Crosstalk onto other sections takes place, meaning that the field device could deliver defective measurement results, and thus no longer works reliably. This presents a high risk, especially in safety-critical applications, a situation which is not acceptable.