In automation technology, especially in process automation technology, field devices are used that serve to determine and monitor process variables. Examples of such field devices are fill level meters, flow meters, analytical meters, pressure and temperature meters, humidity and conductivity meters, and density and viscosity meters. The sensors in such field devices capture the relevant process variables, e.g. the fill level, flow, pH value, substance concentration, pressure, temperature, humidity, conductivity, density or viscosity.
The term “field devices” in the scope of this invention also includes actuators, e.g. valves or pumps, which for example serve to modify the flow of a liquid in a pipe, or the fill level in a container. The company group Endress+Hauser offers and distributes a large variety of such field devices.
Generally, field devices in modern automation technology plants are linked to a higher-level unit via communication networks such as HART multidrop, point-to-point connections, Profibus, and Foundation Fieldbus, the higher-level unit being referred to as control systems or control centers. This higher-level unit is used for process control, process visualization, process monitoring and for start-up and operation of the field devices. Additional components needed for the operation of fieldbus systems that are directly connected to a fieldbus and are in particular used for communication with the higher-level units are also often referred to as field devices. Such additional components usually are e.g. remote I/Os, gateways, linking devices, controllers or wireless adapters.
Depending on the application, the field devices must meet very different safety requirements. In order to meet the respective safety requirements, e.g. IEC61508 (SIL (safety integrity level) standard), the field devices must be designed redundantly and/or diversely.
Redundancy means increased safety due to the double or multiple design of any safety-relevant hardware and software components. Diversity means that the hardware components, e.g. a micro-processor, used for the various measuring channels are made by different manufacturers and/or are of a different type. For software components, diversity requires that the software saved in the micro-processors comes from different sources, i.e. from different manufacturers and/or programmers. All those measures are designed to ensure that a safety-critical failure of the field devices as well as simultaneously-occurring systematic errors in the provision of measuring values is excluded with a high probability.
One example of a safety-relevant application is the fill level control in a tank which contains a flammable or a non-flammable but water-polluting substance. In such a case, it must be ensured that the feeding of liquid into the tank is immediately interrupted as soon as the maximum acceptable fill level is reached. This in turn requires that the measuring device detects the fill level with a high level of reliability and works without errors.
For the solutions already known, the measuring channel is designed redundantly and/or diversely, but the voter, usually a micro-processor, represents the Achilles heel of a field device that is to satisfy high and maximum safety requirements. The micro-processor is designed monolithically. If any dangerous error (according to the nomenclature of the above-mentioned standards) occurs, the field device fails. In order to satisfy the requirements of SIL 3, the percentage of dangerous errors of the total of all possible errors may reach a maximum of one percent. This safety level cannot be reached using a traditional micro-processor.
In order to solve this problem, a field device is described in DE 102012106 652.3 (published international application WO 2014/124792 A1), whose voter is designed as a majority voter and comprises three stages:                a comparator stage which compares the output signals provided by the individual measuring channels;        an error recognition stage which recognizes errors occurring in a measuring channel by suitably linking the output signals from the comparator stage, and        an output selection stage.        
The content of DE 10 2012 106 652.3 (WO 2014/124792 A1), especially with regard to its reference to the voter, is to be considered included in the subject matter disclosed within this present patent application. Furthermore, WO 2014/124792 A1, DE 10 2013 100159.9, discloses a field device that satisfied the high safety levels even in the area of the current output module, e.g. in a 4-20 mA two or four wire field device. The corresponding disclosed content should also be considered part of the content of this patent application.
If a malfunction in one of the measuring channels occurs, such a malfunction is rectified by a reconfiguration control that reconfigures the faulty measuring channel. However, if the malfunction occurs in the reconfiguration control itself, correct reconfiguration processes can no longer be ensured once a malfunction occurs in one of the measuring channels.