1. Field of the Invention
The invention relates to process automation field devices and, more particularly, to a method for safely parameterizing an electrical device, where a parameter input by a user on a control unit is transmitted to the electrical device and stored therein with write protection, the stored parameter is transmitted back to the control unit and displayed at the control unit for confirmation by the user, and the confirmation is transmitted to the electrical device.
Such parameterizable electrical devices include, for example, process automation field devices such as measuring transducers or valve positioners.
2. Description of the Related Art
When parameterizing electrical devices or systems that perform a safety function and therefore require certification in accordance with the basic International Electrotechnical Commission (IEC) safety standard 61508, it must be ensured that safety-relevant parameters actually correspond to those input by the user and that they can no longer be changed without a new user input. Each safety-relevant parameter is re-displayed for the user in a diverse format and the user individually confirms each parameter to validate the parameters. Here, it must be ensured that the parameters transmitted for the purpose of confirmation correspond to the values actually stored in the device. As long as there is no validated set of parameters, safety-related operation of the device is not possible.
EP 1 662 346 A2 describes different methods for safely parameterizing an electrical device, here an automation field device. The parameters can be input directly on a display and control unit (on-site control) of the field device, or on a separate control unit (e.g., a laptop or Highway Addressable Remote Transducer (HART) handheld device) that is connected to the field device through a field bus or directly to a service interface of the field device, and are transmittable from there to the field device.
As described in EP 1 662 346 A2, during on-site input, it is possible to monitor the parameters that have been input in that each individual character is displayed on the display unit of the field device and, following input, all values are re-displayed and are confirmed by the user.
When inputting the parameters with a separate control unit, it is possible to write and revise the data in the control unit. The control program writes the data input by the user to the field device over the service interface or the field bus, reads back the data stored in the field device and compares them with the input values. To increase safety when writing and reading, the data can be transmitted with different data types to exclude systematic or random errors in the transmission protocol.
Safety-relevant parameters must be stored in the field device with write protection so that they cannot be subsequently changed. In order to ensure that only a write-protected parameter, i.e., a parameter which can no longer be changed, is reported back to the control unit and confirmed as being correct there (in other words, in order to prevent a parameter from being reported back to the control unit and confirmed as correct there before it has been stored with write protection), it is conceivable to generate a check value, such as a cyclic redundancy check (CRC) value. The CRC value is generated both for the parameter input on the control unit and for the parameter that has been stored in the field device with write protection, using the same checking algorithm in each case, and both check values are compared for a match when reporting the stored parameters to the control unit. However, the use of check values is not possible if, as mentioned above, the data are transmitted with different data types when writing to the field device and reading from the field device.
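The check-value comparison described above, and its failure when writing and reading use different data types, as an added sketch that is not taken from this document or from EP 1 662 346 A2. The names `FieldDevice`, `parameterize`, `encode` and `decode`, the two data types, the use of CRC-32, and the assumption that each side computes its check value over the encoded bytes it transmits are all illustrative.

```python
import struct
import zlib

def encode(value: int, dtype: str) -> bytes:
    """Encode a parameter in one of two (assumed) wire data types."""
    if dtype == "uint32":
        return struct.pack("<I", value)
    if dtype == "ascii":
        return str(value).encode("ascii")
    raise ValueError(f"unknown data type: {dtype}")

def decode(raw: bytes, dtype: str) -> int:
    if dtype == "uint32":
        return struct.unpack("<I", raw)[0]
    if dtype == "ascii":
        return int(raw.decode("ascii"))
    raise ValueError(f"unknown data type: {dtype}")

class FieldDevice:
    """Hypothetical device: stores each parameter once, then refuses changes."""
    def __init__(self):
        self._protected = {}

    def write(self, name: str, raw: bytes, dtype: str) -> None:
        if name in self._protected:
            raise PermissionError(f"{name} is write-protected")
        self._protected[name] = decode(raw, dtype)

    def read_back(self, name: str, dtype: str):
        # Only write-protected parameters exist here; unknown names raise KeyError.
        raw = encode(self._protected[name], dtype)
        return raw, zlib.crc32(raw)

def parameterize(device, name, value, write_type, read_type):
    """Control-unit side: write, read back, compare check values and decoded values."""
    sent = encode(value, write_type)
    crc_input = zlib.crc32(sent)
    device.write(name, sent, write_type)
    raw, crc_device = device.read_back(name, read_type)
    return {"crc_match": crc_input == crc_device,
            "value_match": decode(raw, read_type) == value}

if __name__ == "__main__":
    # Constructed sample parameter: a trip threshold of 4200.
    print(parameterize(FieldDevice(), "trip", 4200, "uint32", "uint32"))
    print(parameterize(FieldDevice(), "trip", 4200, "uint32", "ascii"))
```

With the same data type in both directions the check values match; with a diverse read-back type the decoded value is still correct but the check values differ, so the comparison cannot be used.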
Finally, EP 1 662 346 A2 describes the possibility to additionally input the parameters, which have been input on the field device directly or with the separate control unit connected to the field device, on a monitoring device. The same checking program runs in the field device and in the monitoring device respectively, and uses the parameters which have been input to respectively generate a check value, such as a CRC check value. The check value determined by the monitoring device must then be input on the field device and the input of the parameters is accepted only if the check value calculated in the field device matches the check value calculated by the monitoring device and input on the field device.