The present disclosure relates generally to safety relays for use in process control systems and, more specifically, to a safety relay having independently testable contacts.
Process control systems, like those used in chemical, petroleum or other processes, typically include one or more centralized process controllers communicatively coupled to at least one host or operator workstation and to one or more field devices or relays via analog, digital or combined analog/digital buses. The field devices, which may be, for example, valves, valve positioners, switches, and transmitters (e.g., temperature, pressure, and flow rate sensors), perform functions within the process such as opening or closing valves and measuring process parameters. The relays, which may be solid-state relays, mechanical relays, protection relays, overcurrent relays, safety relays, etc., perform functions within the process to replicate a signal, open and/or close mechanical actuators, valves, and/or switches to selectively convey power and/or other signals to field devices, etc. The process controllers receive signals indicative of process measurements made by the field devices, relays, and/or other information pertaining to the field devices and relays, use this information to implement one or more control routines, and then generate control signals that are sent over the busses or other communication lines to the field devices and/or relays to control the operation of the process. Information from the field devices, relays, and the controllers may be made available to one or more applications executed by the operator workstation to enable an operator to perform desired functions with respect to the process, such as viewing the current state of the process, modifying the operation of the process, testing the operation of the process, etc.
Some process control systems or portions thereof may present significant safety risks. For example, chemical processing plants, power plants, etc. may implement critical processes that, if not properly controlled and/or shut down rapidly using a predetermined shut down sequence, could result in significant damage to people, the environment, and/or equipment. To address the safety risks associated with process control systems having such critical processes, many process control system providers offer products compliant with safety-related standards such as, for example, the International Electrotechnical Commission (IEC) 61508 standard and the IEC 61511 standard.
In general, process control systems that are compliant with one or more known safety-related standards are implemented using a safety instrumented system architecture in which the controllers, relays, and field devices associated with the basic process control system, which is responsible for the continuous control of the overall process, are physically and logically separate from special purpose field devices and other special purpose control elements associated with the safety instrumented system, which is responsible for the performance of safety instrumented functions to ensure the safe shutdown of the process in response to control conditions that present a significant safety risk. In particular, compliance with many known safety-related standards requires a basic process control system to be supplemented with special purpose control elements such as logic solvers, safety certified field devices (e.g., sensors, safety relays, final control elements such as, for example, pneumatically actuated valves), and safety certified software or code (e.g., certified applications, function modules, function blocks, etc.).
As previously discussed, safety instrumented systems may include safety relays, which may require a relatively high degree of diagnostic coverage and fault tolerance. For example, a hardware device fault tolerance of two implies that two components of the device could fail and the function would still be performed by the device. From these requirements, safety relays have been developed that provide multiple switching elements to break an electrical path between, for example, a power source or other signal source and a field device. Generally, these safety relays use multiple force-guided relays that have mechanically linked relay contacts. As a result, the relay contacts move together when one or more relay coils are energized or de-energized. However, such force-guided relays are expensive to maintain and operate because such relays must be physically removed from the process to test the operation of the relays. Similarly, if a fault exists on the relay, such as one or more inoperable contacts (e.g., one or more welded contacts), the process must shut down to replace the faulted relay.
In accordance with one aspect, a process control system, which may control a plurality of field devices, includes an example relay module configured as a safety relay that has independently testable relay contacts. More particularly, an example safety relay is configured with a plurality of relay coils coupled in parallel and a plurality of series coupled relay contacts associated with the relay coils, wherein the operation of each of the relay contacts is testable in response to a signal applied to the relay coils.
In accordance with another aspect, an example safety relay includes a plurality of relay coils, a plurality of switches, and a plurality of relay contacts. More particularly, the relay contacts are connected in series and the relay coils are connected in parallel such that each relay contact is independently controllable by its respective one of the switches.
In accordance with still another aspect, an example method to test a safety relay such as, for example, the example safety relays having independently testable contacts is described. The example method provides a process to open a switch on the example safety relays to independently control a respective one of a plurality of relay contacts and to test an electric potential associated with the plurality of relay contacts. The electric potential identifies the operability or inoperability of the relay contact controlled by the switch to determine, for example, if the relay contact is welded.
In general, the apparatus and methods described herein relate to safety relays that may be used, for example, within a process control system and, in particular, a safety instrumented process control system to provide a redundant, testable, and fault-tolerant system. More specifically, in one example implementation a safety relay having independently testable contacts is disclosed. The example safety relay is configured with a plurality of relay coils coupled in parallel and a plurality of series coupled relay contacts associated with the relay coils, wherein the operation of each of the relay contacts is testable in response to a signal applied to the relay coils. In the instance of one or more inoperable relay contacts (e.g., welded contacts), the signal may identify the respective faulted relay contacts based on a measured electrical characteristic (e.g., an electric potential, an electric current, etc.) of the relay contacts.
In another example implementation described herein, a safety relay is configured to enable a safety relay to be tested while one or more field devices, which may be controlled by the safety relay, remain operable from a power source during the testing. More particularly, the example safety relay includes a bypass switch to provide an alternative electrical path between the power source and the field devices.
In another aspect, an example method to test safety relays is described. The example method provides a process to open a switch on the example safety relays to independently control a respective one of a plurality of relay contacts and to measure an electrical characteristic (e.g., an electric potential, an electric current, etc.) of the plurality of relay contacts. The electrical characteristic identifies the operability or inoperability of the relay contact controlled by the switch to determine, for example, if the relay contact is welded.
Thus, in contrast to known safety relays, the safety relays described herein enable a human operator, an electronic controller, and/or any programmable device to test the operability of the safety relays. Consequently, and in comparison to known safety relays, the example safety relays described herein provide a high degree of testability to further enhance safety. Also, the example safety relays described herein may enable field devices and process control systems to operate continuously during such testing and, therefore, the operational impacts to the field devices and process control systems are significantly reduced. Accordingly, the testing of the example safety relays described herein may not require outages or other such termination of the operations of field devices and/or process control systems, which may entail significant production costs and time. For instance, the testing of the example safety relays and, thus, the safety of field devices and/or process control systems can become more frequent because such testing may not involve operation stoppages.
The controller 120 may be coupled to a plurality of smart field devices 140 and 142 via a digital data bus 132 and an input/output (I/O) device 128. The I/O device 128 provides one or more interfaces for the controller 120 and any other device coupled to the digital data bus 132 (e.g., the smart field devices 140 and 142, the relay module 150, etc.) to collectively communicate with signals sent and received through those interfaces. For example, the I/O device 128 may be implemented by any type of current or future standard interface, such as an external memory interface, serial port, general purpose input/output, or any type of current or future communication device, such as a modem, network interface card, etc. The digital data bus 132 may be any physical arrangement that provides logical communications functionality, such as, for example, parallel electrical buses with multiple connections, bit-serial connections, both parallel and bit-serial connections, switched hub connections, a multidrop topology, a daisy chain topology, etc. The smart field devices 140 and 142 may be Fieldbus compliant valves, actuators, sensors, etc., in which case the smart field devices 140 and 142 communicate via the digital data bus 132 using the well-known Fieldbus protocol. Of course, other types of smart field devices and communication protocols could be used instead. For example, the smart field devices 140 and 142 could instead be Profibus or HART compliant devices that communicate via the data bus 132 using the well-known Profibus and HART communication protocols. Additional I/O devices (similar or identical to the I/O device 128) may be coupled to the controller 120 to enable additional groups of smart field devices, which may be Fieldbus devices, HART devices, etc., to communicate with the controller 120.
In addition to the smart field devices 140 and 142, the controller 120 may be coupled to a relay module 150 via the digital data bus 132. The relay module 150 may respond to signals sent from the controller 120 via the data bus 132. For example, the relay module 150 may respond to a signal from the controller 120 and subsequently open and/or close one or more switches on the relay module 150. In the discussion herein, a relay module may comprise one or more relays that provide one or more electrical switches to open and/or close, not necessarily simultaneously, in response to an electrical signal. The components of the relay or relay modules may include solid-state electronic component(s) and/or electromechanical component(s) to provide this functionality. Additionally, the controller 120 may obtain the value of an electrical characteristic such as, for example, an electric potential, an electric current, a resistance, etc. of the relay contacts on the relay module 150 via the digital data bus 132.
The relay module 150 may be coupled to a non-smart field device 144 via a hardwired link 134, which may respond to a signal transmitted from the relay module 150 in response to a signal received at the relay module 150 from the controller 120. The non-smart field device 144 may, for example, operate at a high voltage and/or amperage via an alternating or direct current path. The relay module 150 may be electronically coupled to the field device 144 to control the conveyance of power and/or other signals to the field device 144. Thus, in operation, the relay module 150 may be used to apply power to the field device 144, remove power from the field device 144, or apply/remove any other signal to/from the field device 144. Further, although the example relay module 150 is shown coupled to a single non-smart field device (e.g., the non-smart field device 144), the example relay module 150 may be coupled to a plurality of field devices.
In addition to communications via the digital data bus 132, the controller 120 may be coupled to an example relay module 151 and field devices 180 and 182 via hardwired circuits 170 and 172. The hardwired circuits 170 and 172 may implement a digital or combination analog/digital communication protocol (e.g., HART, Fieldbus, etc.) or any analog communication protocol. Similarly, the example relay module 151 and the field devices 180 and 182 may be implemented as field devices implemented with conventional 4-20 milliamp (mA) or 0-10 volts direct current (VDC) circuitry or as field devices implemented with solid-state components.
The controller 120 may be, for example, a DeltaV™ controller sold by Fisher-Rosemount Systems, Inc. and Emerson Process Management™. However, any other controller could be used instead. Further, while only one controller is shown in
As depicted in
A safety instrumented function may be implemented using a sensing device, a logic solver, a relay, and/or a final control device (e.g., a valve). The logic solver may be configured to monitor at least one process control parameter via the sensor and, if a hazardous condition is detected, to operate the final control device via the relay to effect a safe shut down of the process. For example, a logic solver (e.g., the logic solver 160) may be communicatively coupled to a pressure sensor (e.g., the field device 146) that senses the pressure in a vessel or tank and may be configured to signal a relay module (e.g., the relay module 152) to cause a vent valve (e.g., the field device 148) to open if an unsafe overpressure condition is detected via the pressure sensor. Of course, each logic solver within a safety instrumented system may be responsible for carrying out one or multiple safety instrumented functions and, thus, may be communicatively coupled to multiple sensors, relay modules, and/or final control devices, all of which are typically safety rated or certified.
As shown in
The relay module 152 may be a safety certified or rated relay module that can be used to effect a controlled shut down of the process control system 10. While the example safety instrumented portion 14 of the process control system 10 is shown with a single relay (e.g., relay module 152), the process control system 10 may be implemented with a plurality of relays or relay modules. Additionally, while the relay module 152 is shown coupled to a single field device (e.g., field device 148), the relay module 152 may instead be coupled to a plurality of field devices. Because the relay module 152 may be a safety certified or rated relay, the logic solvers 160 and 162 and the controller 120 may redundantly communicate with the relay module 152 via links 164-168. The communications between the logic solvers 160 and 162, the controller 120, and the relay module 152 may be implemented to test the fault tolerance of the relay module 152 to ensure the fault tolerance of the process control system 10. As described in greater detail below, the controller 120 may, for example, test the relay module 152 by sending signals to open and close switches within the relay module 152 and/or to measure an electrical characteristic associated with a set of relay contacts of the relay module 152.
The field devices 146 and 148 may be smart or non-smart sensors, actuators, and/or any other process control devices that can be used to monitor process conditions and/or effect a controlled shut down of the process control system 10. For example, the field devices 146 and 148 may be safety certified or rated flow sensors, temperature sensors, pressure sensors, shut down valves, venting valves, isolation valves, critical on/off valves, contacts, etc. While only two logic solvers, two field devices, and one safety relay are depicted in the safety instrumented portion 14 of the example process control system 10 of
The example relay module 204 may be configured to connect the field power source 206 to and disconnect the field power source 206 from the field actuator 208 to control the operation of the field actuator 208. For example, when the logic solver 202 signals via the hardwired connector(s) 210, the relay module 204 may disconnect (e.g., to close the field actuator 208) or connect (e.g., to open the field actuator 208) the hardwired connectors 212 and 214 to source or cease supplying current from the power source 206 to the field actuator 208. The logic solver 202 and the relay module 204 are more commonly configured to de-energize-to-trip (i.e., to decrease potential or apply substantially zero potential across the hardwired connector(s) 210 to change the state of the relay module contacts to remove power from the field actuator 208), but may be configured to energize-to-trip (i.e., to increase or apply a substantially non-zero potential across the hardwired connector(s) 210 to change the state of the relay module contacts).
However, the operation of each of the relay contacts 330-334 is not independently testable because the relays 310-314 are directly coupled in parallel between the first node 302 and the second node 304. More particularly, all of the relay contacts 330-334 are responsive to the same signal that is applied to all of the relay coils 320-324 at the same time. As a result, if the first relay contact 330 becomes inoperable (e.g., welds, fuses, melts, etc.) and the second and third relays 322 and 324 remain operable, the electrical path between the first and second nodes 306 and 308 will still open despite the welded relay contact 330. Therefore, the example safety relay 300 is not fully testable because testing cannot readily identify a reduction in hardware fault tolerance, such as one or two inoperable relay contacts.
The term “node” as used herein includes an electrical point within a circuit and may, for example, correspond to an electrical connection or connector, an electrical termination point, a point at which an electrical measurement can be made, etc. Additionally, while the example safety relays 400 and described in connection with
The example safety relay 400 is fault-tolerant such that when an electric potential is removed from the first and second nodes 440 and 442 and the switches 402-406 are closed, any one of the three energized relay coils 420-424 can open its respective one of the relay contacts 430-434 to open the electrical path between the third and fourth nodes 444 and 446. Also, the example safety relay 400 is fully testable because during a field test, as described below, the switches 402-406 can be used to independently operate or control the relay contacts 430-434 to determine, for example, if any one of the three relay contacts 430-434 is inoperable (e.g., welded contacts). The example switches 402-406 may be implemented to be manually operated by a human operator or, as described below, by a programmable logic controller (“PLC”), a personal computer similar to the example processor system 1200 shown in
The example safety relay 700 further includes a resistor 750 and a light-emitting diode (“LED”) 752 to emit light if the electric potential between the first and second nodes 740 and 742 is large enough to bias the LED. The LED 750 provides an indicating light to a human operator that the example safety relay 700 is powered. Additionally, the example safety relay 700 includes transistors 762, 764, and 766 that connect to respective ones of the switches 702-706. Also, diodes 772, 774, and 776 are coupled to the transistors 762-766 and the relay coils 722-726. In operation, the diodes 772-776 limit the voltage across, and shunt the sudden change of current flow through, the relay coils 722-726 that may result when the electric potential applied across the relay coils 722-726 rapidly changes. For example, when the electric potential across the first and second nodes 740 and 742 changes from a positive to a substantially zero voltage, the collapsing magnetic field of the relay coils 722-726 may produce substantial voltage transients (e.g., flyback).
The transistors 762-766 may be configured to provide high-input impedance to substantially limit the current flowing through the switches 702-706 and provide a solid-state device to switch the current to the relay coils 722-726. Thus, in a hazardous environment, which may benefit from and/or require certified or explosion-proof components, the example safety relay 700 is configured to enable switching without creating an igniting spark or arc. For instance, the example safety relay 700 may be configured within petrochemical, chemical, and pharmaceutical environments that contain explosive gases or dust during normal operations and/or abnormal circumstances. For example, when switch 702 is open and the transistor 762 is switched off (e.g., a controlling voltage is applied across the gate and source to increase conductivity between the drain and source), the current through and the electric potential across the switch 702 is substantially zero. Thus, when the switch 702 closes, substantially zero discharge occurs across the contacts of switch 702 (e.g., substantially zero sparking, substantially zero arcing, etc.). Similarly, when the switch 702 is closed and the transistor 762 is switched off, current through and the electric potential across the switch 702 is substantially zero. Thus, when switch 702 opens, substantially zero discharge occurs across the contacts of switch 702 (e.g., substantially zero sparking, substantially zero arcing, etc.).
Additionally, the transistors 762-766 may be configured to provide high-output impedance substantially constant current sources to drive the relay coils 722-726 from a relatively small electric potential across the first and second nodes 740 and 742. In such a configuration, the transistors 762-766 provide more immediate switching capabilities and prevent the relay coils from entering saturation. For example, when the transistor 762 is switched on (e.g., a controlling voltage is applied across the gate and source to increase conductivity between the drain and source), the current to the relay coil 722 is relatively constant and, subsequently, the magnetic field across the relay coil 722 is relatively constant. When the transistor 762 is switched off (e.g., a controlling voltage is removed from the gate and source to decrease conductivity between the drain and source), the current to the relay coil 722 ceases quickly and, subsequently, the magnetic field across the relay coil 722 collapses rapidly.
To test the example safety relay 800, a human operator can manually operate the bypass switch 860. As shown in
The example bypass switch 860 may be implemented using, for example, a manual spring-loaded switch or a timed switch, which ensures that a human operator cannot leave the bypass switch 860 in an incorrect position (e.g., the relay contacts 830-834 decoupled from the fourth node 846). Additionally, the example bypass switch 860 may use a force-guided mechanism, so that a human operator cannot test the safety relay 800 if the bypass switch 860 is inoperable (e.g., the contacts of the bypass switch 860 are welded).
Also, in the example safety relay 900, the switches 902, 904, and 906 and the bypass switch 960 are coupled to a data bus 944 such as, for example, the data bus 132 of
Turning in detail to
If the electrical characteristic is determined (e.g., a substantially zero electric current or an electric current less than a predetermined value flowing through the relay contacts 932-936 of
If the example safety relay testing process 1008 of
The processor platform 1200 of the example of
The processor platform 1200 also includes an interface circuit 1230. The interface circuit 1230 may be implemented by any type of interface standard, such as an external memory interface, serial port, general purpose input/output, etc. One or more input devices 1235 and one or more output devices 1240 are connected to the interface circuit 1230.
At least some of the above described example methods and/or apparatus are implemented by one or more software and/or firmware programs running on a computer processor. However, dedicated hardware implementations including, but not limited to, application specific integrated circuits, programmable logic arrays and other hardware devices can likewise be constructed to implement some or all of the example methods and/or apparatus described herein, either in whole or in part. Furthermore, alternative software implementations including, but not limited to, distributed processing or component/object distributed processing, parallel processing, or virtual machine processing can also be constructed to implement the example methods and/or apparatus described herein.
It should also be noted that the example software and/or firmware implementations described herein are optionally stored on a tangible storage medium, such as: a magnetic medium (e.g., a magnetic disk or tape); a magneto-optical or optical medium such as an optical disk; or a solid state medium such as a memory card or other package that houses one or more read-only (non-volatile) memories, random access memories, or other re-writable (volatile) memories; or a signal containing computer instructions. A digital file attached to e-mail or other information archive or set of archives is considered a distribution medium equivalent to a tangible storage medium. Accordingly, the example software and/or firmware described herein can be stored on a tangible storage medium or distribution medium such as those described above or successor storage media.
To the extent the above specification describes example components and functions with reference to particular standards and protocols, it is understood that the scope of this patent is not limited to such standards and protocols. Such standards are periodically superseded by faster or more efficient equivalents having the same general functionality. Accordingly, replacement standards and protocols having the same functions are equivalents which are contemplated by this patent and are intended to be included within the scope of the accompanying claims.
Additionally, although this patent discloses example systems including software or firmware executed on hardware, it should be noted that such systems are merely illustrative and should not be considered as limiting. For example, it is contemplated that any or all of these hardware and software components could be embodied exclusively in hardware, exclusively in software, exclusively in firmware or in some combination of hardware, firmware and/or software. Accordingly, while the above specification described example systems, methods and articles of manufacture, persons of ordinary skill in the art will readily appreciate that the examples are not the only way to implement such systems, methods and articles of manufacture. Therefore, although certain example methods, apparatus and articles of manufacture have been described herein, the scope of coverage of this patent is not limited thereto. On the contrary, this patent covers all methods, apparatus and articles of manufacture fairly falling within the scope of the appended claims either literally or under the doctrine of equivalents.