The invention relates to a method for parameterizing a field device, in particular a safety-critical field device, which can, for example, be used as a field device for process instrumentation in an automated industrial plant or a power plant and to a field device that can be parameterized correspondingly.
Automated industrial plants use a wide variety of field devices for process instrumentation to control processes. These are frequently provided with an operating unit upon which, for example, the field device is parameterized by user input for its operation within an automation system of the plant or for displaying process data relating to the field device. Transducers, frequently referred to as sensors, are used to acquire process variables, such as temperature, pressure, flow rate, filling level, density or gas concentration of a medium. Controlling elements, also referred to as actuators, can influence the process sequence as a function of acquired process variables in accordance with a strategy specified by a higher-ranking controller, such as a programmable logic controller or a control station. Examples of actuators include a control valve, heating or a pump.
Networks for data communication via which the field devices are frequently connected to the higher-ranking controller, frequently use fieldbuses operating, for example, in accordance with the protocols PROFIBUS, Highway Addressable Remote Transducer (HART) or Foundation Fieldbus (FF). The configuration, commissioning and monitoring of the automation application implemented with the automation system is performed via a control system. Examples include supervisory control and data acquisition (SCADA) system, Windows Control Center (WinCC) and Process Control System (PCS) such as Simatic PCS 7. In particular, the project planning, parameterization, commissioning, diagnosis and maintenance of field devices can, for example, be performed with the tool Simatic Process Device Manager (PDM).
Special safety requirements apply to the parameterization of field devices, in particular safety-critical field devices, used for the measurement and monitoring of safety-critical plants, systems or processes. Plants subject to requirements according to International Electrotechnical Commission (IEC) standard 61508, i.e., requirements relating to the functional safety of electronic systems that perform safety functions, entail the problem that field devices for commissioning and parameterization generally only have unsafe interfaces, such as HART, PROFIBUS, FF or PROFINET. Consequently, the only communication paths available for communication between the field device and the parameterization unit, which is referred to as an engineering system in the present application, are unsafe paths on which the transferred data may possibly be corrupted. In such an environment, safe remote parameterization, which also includes the steps validation, i.e., verification of the validity of the parameters, and possibly fault acknowledgement, cannot be implemented according to functional safety requirements of, for example, the requirement level Safety Integrity Level 3 (SIL3) without additional technical measures, because the unsafe communication environment on its own could result in a corruption of the parameters. Problems could also be caused by concurrent accesses to the same field device, which could occur, for example, during the commissioning of a plant if a plurality of users wish to put numerous field devices into operation simultaneously.
DE 10 2010 062 908 B4 discloses that the validation of the parameterization of devices can in principle also be performed on site with the aid of a display provided on a field device. For this, the parameters input are displayed on the field device's display. A parameter list in the user's possession containing the parameter IDs (parameter identification codes) and parameter values that correspond to the parameters can be used to verify the correctness of the individual parameters. If the displayed parameters match those shown in the list, the user can confirm, for example, by signing an inspection record that the user-validated parameter values conform to the prespecified values and that, in addition, the correct safety-critical field device has been verified. However, this procedure has the disadvantage that parameter lists for complex field devices usually include a large number of device parameters so that visually checking the individual parameters is very laborious and has a certain susceptibility to errors. Moreover, on-site operator access to safety-critical field devices is frequently difficult.
To avoid these disadvantages, the above-mentioned patent describes a method with which, for validation of the parameters of a field device, in each case a checking characteristic is calculated via a prespecified calculation function, on the one hand, by the field device based on the deposited parameters and a device ID (device identification code) and, on the other, by a, possibly remote, engineering station based on the available parameter list and the device ID. The checking characteristics obtained are compared with one another. The comparison can be performed via the engineering station or the field device.
However, this has the disadvantage that, even in the case of conformity of the calculation function used in the engineering system and in the field device, discrepant checking characteristics could result even though there is sufficient conformity between the parameterization of the field device and the parameter list provided in the engineering system.
In view of the foregoing, it is therefore an object of the invention to provide a method for parameterizing a field device and a field device suitable for performing the method, which avoid the aforementioned disadvantage and which moreover enable functionally safe remote parameterization of the field device even via an unsafe network.
This and other objects and advantages are achieved in accordance with the invention by a method for parameterizing a field device and a field device suitable for performing the method, wherein for a clear presentation of the parameterization in accordance with the invention, a first, second, third and fourth logical interface are used. However, reference should be made to the fact that the first interface and the second interface can be the same physical and logical interface. Similarly, the third and the fourth interface can be the same. However, it is important that the parameter is transferred back from the field device to the engineering system using a logical interface that is data-diverse with respect to the interface used to parameterize the field device. In this context, data diversity means that at least different data formats are used for the transfer. For example, the at least one parameter can be transferred via the first logical interface to the field device in the form originally defined in the transfer protocol, while the parameter is, for example, transferred back to the engineering system in a string representation that differs therefrom. The use of data diversity fulfills a requirement for functional safety during the transfer. The same thing applies to the two transfer directions of the first checking characteristic between the field device and the engineering system.
The calculation of a first checking characteristic, which can, for example, be performed using a method known from DE 10 2010 062 908 B4 cited in the introduction, occurs solely via the field device. This has the advantage that no algorithms need to be implemented in the engineering system, i.e., outside the field device, in order to calculate the checking characteristic, thus avoiding the risk of the implementation of the method on engineering systems from different manufacturers leading to different checking characteristics. Hence, this advantageously provides a method for parameterizing a field device that enables a reliably functioning validation of the parameter independently of the respective manufacturer of the engineering system used. Furthermore, the use of an electronic device description file loaded into the engineering system for the commissioning of the field device has the advantage that this does not have to implement any specific calculations of checking characteristics or any methods intended for this purpose in the engineering system. This results in an advantageously high degree of interoperability of the device description file.
The fact that the method is predominantly implemented in the field device means that observance of the procedure is substantially enforced by the field device. The creation of the device description file can be concentrated upon designing a user guide on the engineering system in which a user is prompted to perform a visual check of the parameterization and the device ID on an operating unit of the engineering system and, following a successful verification, to enter a checking characteristic calculated by the field device and displayed on the operating unit of the engineering system for acknowledgement. In addition, advantageously, no special measures are required in the engineering system.
The device ID is included in the calculation of the checking characteristic. As a result, the method permits parameterization of a field device even when the installation of the field device in the plant is retained because it is ensured, via the device ID, that the parameters of the correct field device are being validated and because this avoids problems that could otherwise potentially occur, for example, as the result of multiple occupancy with field devices on fieldbus branches. The method can advantageously be applied independently of the existing automation structure and, for example, in the event of a hierarchical structure, permits the incorporation of the engineering system in any level. The method also advantageously permits parameterization of a field device during the normal operational sequence of the respective plant because no signals are generated that disrupt the other parts of the plant or could influence their functional reliability. In the case of temporary safety faults, triggered, for example, by EMC-interference, the possibility of parameterizing a field device via a remote engineering system and the possibility of activating the field device's safe mode remotely is of great advantage.
In order to keep track of the set of parameters to be verified visually in the validation by the user on a display of the engineering system, a differentiation can be made between user parameters, here referred to as SCUP (safety-critical user parameters) and installation parameters, referred to as SCIP (safety-critical installation parameters). Preferably, only SCUP are offered for a verification of their validity.
Particularly in the case of the commissioning of larger plants, it should be assumed that a certain amount of time is consumed by pauses between the individual steps. For example, tanks and piping have to be assembled with pumps etc. Therefore, there is often a time lag between the installation of a field device and the parameterization, validation and function testing of the field device. In order to ensure that a user always knows the point at which commissioning is to be continued, it is particularly advantageous, for example, that the state of a completed validation of the SCUP is deposited in a memory of the field device to ensure that commissioning can be continued at this point. Hence, the progress of the commissioning, even after on/off cycles, is advantageously deposited in the device.
The field device is advantageously provided with write protection in the form of a user-settable PIN code (personal identification number). This measure is commonly used with safety-critical field devices. In order to ensure that the SCUP deposited in the field device cannot be incorrectly changed, an activated write protection is a precondition for transition to the state of completed validation and for remaining there.
On completion of the validation, in accordance with its parameterization, the field device calculates a second checking characteristic with the SCUP and the SCIP and makes the second checking characteristic available to the user on a display of the engineering system so that the user can record the second checking characteristic and verify it to check for any changes in the interim. If there were any changes to the parameterization during the commissioning or in the subsequent operation of the field device, there is also a change to the second checking characteristic calculated by the field device. Hence, the user can also check the validity of the parameterization after on/off cycles. If the second checking characteristic currently calculated by the field device no longer matches the recorded checking characteristic, the user is required to verify the parameterization or repeat the parameterization process. This advantageously enables the integrity of the parameterization to be ensured and suitable measures can be taken in the event of an impermissible change to the parameterization.
The completion of the validation of the SCUP can advantageously be followed by a function test during commissioning to establish the validity of the installation parameters, referred to as SCIP. If the user confirms that the function test has been passed, the SCIP are validated and the field device changes to safe mode. If a fault is established during the function test, then the user is required to cancel the procedure. The field device then changes to unsafe mode. The performance of the function test is not mandatory and can also be skipped via an appropriate user input. However, this is not recommended, although it may be an acceptable solution for certain applications.
In one particularly advantageous embodiment of the invention, the field device comprises an automatic state machine, which differentiates at least between the states unsafe mode, validation, safe mode and safety fault. Advantageously, the automatic state machine drives and monitors the sequence during commissioning, i.e., the automatic state machine ensures observance of a prespecified procedure. The state transitions established in the automatic state machine only occur in the case of valid operator inputs or data transfers between the engineering system and the field device. Invalid entries or data transfers are rejected or ignored and the field device does not change to safe mode, for example.
Other objects and features of the present invention will become apparent from the following detailed description considered in conjunction with the accompanying drawings. It is to be understood, however, that the drawings are designed solely for purposes of illustration and not as a definition of the limits of the invention, for which reference should be made to the appended claims. It should be further understood that the drawings are not necessarily drawn to scale and that, unless otherwise indicated, they are merely intended to conceptually illustrate the structures and procedures described herein.
The invention and embodiments and advantages are explained in more detail below with reference to the drawings, which depict an exemplary embodiment of the invention, in which:
It should be understood that the control system 2, the commissioning tool 3 and the engineering station 4 can be implemented by any number of computing units, for example, in contrast to the exemplary embodiment depicted, by only one computing unit which then combines the functions of the three components mentioned.
The field devices F1, F2, . . . Fn are each supplied with a safety manual, which describes the exact sequence during the performance of the method. In addition, device description files matching each of the field devices F1, F2, . . . Fn are supplied, where these specify the sequence of the method in the engineering system 4 and operate interfaces so that the data required for the dialogues described in the safety manual is made available.
It should be understood that, as an alternative to a device description file written in Electronic Device Description Language (EDDL), the method can be supported on the engineering station side 4 by means/methods such as Device Type Manager (DTM) or Field Device Integration (FDI).
Before validation is entered, the field device has been completely parameterized, such as via SIMATIC PDM over the interface S1 (
Tag: KV1474-F30
Product name: SITRANS P 410
Serial number: 12345678-12345
For this, the serial number can, for example, be read out via the interface S1 (
Write protection is provided for the device parameters to exclude the possibility of the parameters being changed by unauthorized users or because the device is addressed incorrectly. Transition from the safe mode 40 to validation 41A, 41B is only possible when write protection is activated for the parameters SCUP and SCIP. For the validation process, the write protection is partially deactivated for the user so that only the user inputs required for changing the state of the field device according to
Proceeding from the state 40, the unsafe mode, if the user wishes, it is then possible to follow a direct path 43 to enter the state 42, the safe mode. The user is responsible for the functional safety of his/her plant and is hence responsible for deciding whether or not validation should be performed. This path 43 should only be taken if it can be ensured that parameterization was correct on the delivery of the field device. Therefore, this is not recommended and is only possible with on-site operation on the field device.
On the other hand, a path 44 for entering the state 41A in which first a validation of the user parameters, SCUP, is performed is recommended.
If the fact that the user parameters, SCUP, have already been validated is deposited in the field device memory, then they do not need to be validated again and this step can be skipped. For this, the state of a successful validation of the user parameters, SCUP, is stored in the field device thus enabling, in the event of validation being interrupted, for example, after an on/off cycle, re-entry after the most recently completed step of the validation of the user parameters, SCUP.
If no previous validation of the user parameters, SCUP, has occurred, to enable the validation of the user parameters, SCUP, to be performed by the computing unit 20 (
Data diversity between the first logical interface S1 and the third logical interface S2 is achieved because an additional address space is used for access via the third logical interface S2 and because, when the parameters are transferred via the first logical interface S1, the data is represented in the form originally defined in the transfer protocol, such as parameterization via SIMATIC PDM, while in the case of back-transfer via the third logical interface S2, a string representation is used. The calculation of the validation key P1 inter alia includes the device ID. Consequently, the validation key is then unique for each field device even if the parameterization of different field devices is identical. This is, for example, advantageous with a redundant 1oo2 (1 out of 2) architecture in which two field devices of the same type are used.
In addition to the above-described output of the device ID, the user parameters, SCUP, communicated by the field device and the validation key are output on the display of the operating unit 6 of the engineering system 4 (
Measurement Range: 100 mbar
Validation key: 56789
For validation, the user now verifies the correctness of the user parameters, SCUP, and the device ID displayed on the operating unit 6 of the engineering system 4 (
When the correctness of the displayed values has been acknowledged, the validation key input is transferred via a fourth logical interface, which is formed as data-diverse with respect to the second logical interface S1, to the field device where it is deposited as a received first checking characteristic P1′ in the memory 21. In the described exemplary embodiment, data diversity is achieved because the back-transfer of the validation key to the field device occurs as a pure numerical value, while a string format is used for the transfer of the validation key calculated in the field device to the engineering station. It should be understood that the required data diversity could alternatively be achieved with reversed data formats for the two transfer directions. The fourth interface used can, for example, be the same interface S2 that is already used to implement the third logical interface.
Transition into the state 41B or 42 only occurs if it is established in the field device that the received validation key P1′ matches the validation key P1 calculated previously by the field device. In addition, the validation key P1′ is rejected by the field device if the third logical interface S2 was not used for the back-transfer of the user parameters, SCUP, from the field device to the engineering system.
A change of state results in a change to the value of the state code Z (
in turn occurs jointly with the above-described display of the device ID thus enabling unique assignment to the respective field device. The user can record the respective value of the fingerprint P2 for the field device in the user documents thus enabling the validity of the parameterization with reference to the fingerprints P2 even after on/off cycles. This ensures the integrity of the parameterization even after downtimes and despite any concurrent accesses to the parameterization of the field device. If a value of the fingerprint P2 currently calculated by the field device no longer matches the recorded value, a change to the parameterization of the field device is identified and the user can verify the parameterization and if necessary, perform a re-parameterization and validation.
Although it is possible to skip the function test in accordance with the path 46 in
Following the parameterization of a field device, the recommended method, controlled by the automatic state machine ZA (
First step: Verification of correct parameterization and the validation thereof with the aid of the validation key P1, which includes the device ID, and
Second step: Confirmation that a function test has been passed with a new display of the device ID to ensure input to the correct field device.
For a transition from the safe mode into the unsafe mode, the automatic state machine again requires two steps, although these are not depicted in
First step: The user requests the desired transition and confirms the device identification and
Second step: The user reconfirms the request for the desired transition.
Only then does the state of the field device change to the unsafe mode. If the input of the confirmation required in the second step does not take place within a prespecified time, then the field device returns to the state safe mode.
For purposes of clarity,
The method comprises, transferring, by the field device Fx, the at least one parameter SCUP via a third logical interface S2 which is data-diverse with respect to the first interface to the engineering system 4 and outputting the at least one parameter SCUP on the display 6, as indicated in step 510. Next, the device ID SN is transferred by the field device Fx to the engineering system 4 and output on the display 6, as indicated in step 520.
Next, a first checking characteristic P1′ input by a user after visually checking the at least one parameter SCUP and the device ID SN on the engineering system 4 in a predefined format is transferred to the field device Fx via a fourth interface S2 which is data-diverse with respect to the second interface, as indicated in step 530.
Next, the received first checking characteristic P1′ is compared by the field device Fx with the calculated first checking characteristic P1 to validate the at least one parameter SCUP, as indicated in step 540.
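The validation sequence of steps 510 to 540 and the automaton of states 40, 41A, 41B and 42 described earlier, as an added Python simulation that is not part of the patent or of any Siemens product: the field device alone calculates the validation key, the SCUP go out in string form over S2 while the key comes back as a number, write protection gates the validation, the fingerprint P2 is available for later comparison, and leaving safe mode takes two confirmations within a time window. The hash-based checking characteristic, the state-code encoding, the timeout and all sample values are assumptions of this example.

```python
import hashlib
import json

# State codes modelled on the page's automaton (hypothetical encoding):
# unsafe mode 40, SCUP validation 41A, SCIP function test 41B, safe mode 42.
UNSAFE, VALIDATE_SCUP, VALIDATE_SCIP, SAFE = "40", "41A", "41B", "42"


def checking_characteristic(params: dict, device_id: str, digits: int = 8) -> int:
    # Constructed: truncated SHA-256 over a canonical encoding of the parameters
    # plus the device ID; the page prescribes no particular calculation function.
    canonical = json.dumps(params, sort_keys=True, separators=(",", ":")) + "|" + device_id
    return int(hashlib.sha256(canonical.encode()).hexdigest(), 16) % 10 ** digits


class FieldDevice:
    def __init__(self, device_id: str, scup: dict, scip: dict, unsafe_timeout: float = 60.0):
        self.device_id = device_id
        self.scup = dict(scup)            # safety-critical user parameters
        self.scip = dict(scip)            # safety-critical installation parameters
        self.state = UNSAFE
        self.write_protected = False      # PIN write protection, modelled as a flag
        self.scup_validated = False       # persisted so commissioning can resume here
        self.p1 = None                    # validation key calculated by the device itself
        self.read_back_via_s2 = False     # SCUP were returned over the third interface
        self.unsafe_request_at = None
        self.unsafe_timeout = unsafe_timeout

    def write_parameter_s1(self, name: str, value) -> bool:
        # First interface S1 (protocol-native form): refused under write protection;
        # any accepted change invalidates an earlier SCUP validation.
        if self.write_protected:
            return False
        self.scup[name] = value
        self.scup_validated = False
        self.state = UNSAFE
        return True

    def read_back_scup_s2(self) -> dict:
        # Third interface S2: data-diverse string form of SCUP, device ID and key P1.
        if not self.write_protected:
            raise PermissionError("write protection must be active before validation")
        self.state = VALIDATE_SCUP
        self.read_back_via_s2 = True
        self.p1 = checking_characteristic(self.scup, self.device_id)
        return {"device_id": self.device_id, "validation_key": str(self.p1),
                "scup": {k: str(v) for k, v in self.scup.items()}}

    def enter_validation_key(self, p1_received: int) -> bool:
        # Fourth interface: key comes back as a number (diverse from the string sent out);
        # rejected unless the S2 read-back preceded it, protection is on and P1' == P1.
        if self.state != VALIDATE_SCUP or not self.read_back_via_s2 or not self.write_protected:
            return False
        if not isinstance(p1_received, int) or p1_received != self.p1:
            return False                  # invalid entry: ignored, state unchanged
        self.scup_validated = True
        self.state = VALIDATE_SCIP
        return True

    def confirm_function_test(self, passed: bool) -> str:
        # SCIP validation: passed -> safe mode 42, fault -> back to unsafe mode 40.
        if self.state == VALIDATE_SCIP:
            self.state = SAFE if passed else UNSAFE
        return self.state

    def fingerprint(self) -> int:
        # Second checking characteristic P2 over SCUP and SCIP, for later change detection.
        return checking_characteristic({"scup": self.scup, "scip": self.scip}, self.device_id)

    def request_unsafe_mode(self, device_id_confirmed: str, now: float) -> bool:
        # Step one of leaving safe mode: request plus confirmation of the device ID.
        if self.state != SAFE or device_id_confirmed != self.device_id:
            return False
        self.unsafe_request_at = now
        return True

    def reconfirm_unsafe_mode(self, now: float) -> str:
        # Step two: reconfirmation inside the time window, otherwise the device stays safe.
        if self.unsafe_request_at is not None and now - self.unsafe_request_at <= self.unsafe_timeout:
            self.state = UNSAFE
        self.unsafe_request_at = None
        return self.state
```

A second device with identical SCUP but a different device ID yields a different validation key, which is the 1oo2 case the text mentions.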
Thus, while there have been shown, described and pointed out fundamental novel features of the invention as applied to a preferred embodiment thereof, it will be understood that various omissions and substitutions and changes in the form and details of the devices illustrated, and in their operation, may be made by those skilled in the art without departing from the spirit of the invention. For example, it is expressly intended that all combinations of those elements and/or method steps which perform substantially the same function in substantially the same way to achieve the same results are within the scope of the invention. Moreover, it should be recognized that structures and/or elements shown and/or described in connection with any disclosed form or embodiment of the invention may be incorporated in any other disclosed or described or suggested form or embodiment as a general matter of design choice. It is the intention, therefore, to be limited only as indicated by the scope of the claims appended hereto.
Number | Date | Country | Kind |
---|---|---|---|
10 2017 205 832.3 | Apr 2017 | DE | national |
This is a U.S. national stage of application No. PCT/EP2018/058543 filed Apr. 4, 2018. Priority is claimed on German Application No. 102017205832.3 filed Apr. 5, 2017, the content of which is incorporated herein by reference in its entirety.
Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/EP2018/058543 | 4/4/2018 | WO | 00 |