Safety fieldbus in the process industries
As end users discover the benefits of fieldbus with their process automation systems, many are beginning to wonder why they haven't been able to enjoy similar benefits with their safety instrumented systems (SIS).
Safety fieldbus promises advanced diagnostics, as well as capabilities that will make interlock testing easier, a task that must be repeated year after year. Distributed control system (DCS) users are enjoying these benefits today with standard fieldbus, but ironically, users don't need to test those interlocks with the same frequency as the safety interlocks.
The history of safety fieldbus
The concept and application of digital communications within a safety system is not new. In fact, safety bus communications have been used in commercial systems since the first programmable safety systems appeared on the market in the late 1980s.
The most common safety fieldbus found within programmable safety systems is the communications bus between controller modules and I/O modules, often referred to as the system I/O bus. The results of an undiagnosed failure in these communications could be disastrous (eg, inputs and outputs turning on and off at random). Therefore, the safety integrity level of the entire system requires that these communications occur reliably, in a timely manner and without corruption. Over the years, manufacturers have developed a variety of proprietary, safety-certified I/O buses that meet these requirements and have been certified as part of their overall system.
As systems grew larger, it became important to be able to send safety-critical signals between systems. In response, manufacturers developed proprietary communications protocols to support failsafe, peer-to-peer communications over system-wide communications buses, which again were certified as part of the system.
In the late 1990s, several manufacturers of automation products for machine safety applications developed safety-certified fieldbuses suitable for use in safety systems up to EN 954-1 Category 4 and SIL 3 applications according to IEC 61508. These buses support a variety of machine safety sensors such as light curtains, laser scanners, limit switches and emergency stop pushbuttons. Examples include SafetyBus p, Interbus S, PROFIsafe, AS-i Safety@work, and DeviceNet Safety.
Machine safety circuits built on safety fieldbus are less complex and less costly to design, install and commission because they need far fewer cables and connections. Furthermore, they have been shown to improve reliability and lower maintenance costs due to the availability of comprehensive diagnostics. For these reasons, the machine automation sector has rapidly adopted safety fieldbus. For example, PROFIBUS International recently announced that the number of PROFIsafe-enabled systems in operation around the world has passed 20,000. In terms of safety devices, this represents nearly 18.8 million nodes.
Safety communications get approvals for process applications
Why has the process automation sector not adopted safety fieldbus for process safety applications?
One reason may be that many national and application-specific standards related to the application of safety instrumented systems prohibited the use of bus communications for safety-related signals. For example, clause 220.127.116.11 of ANSI/ISA S84.01-1996 stated: "Each individual field device shall have its own dedicated wiring to the system." Another reason may be that clause 4-18.104.22.168 of NFPA 8502-1999 stated: "Signals that initiate mandatory master fuel trips shall be hardwired."
Recently, however, this way of thinking has changed with the 2003 release of the international standard IEC 61511 entitled 'Functional safety — Safety instrumented systems for the process industry sector.' This standard, which was adopted in the US in 2004 as ANSI/ISA 84.00.01-2004, states in clause 11.6.3 that "Each individual field device shall have its own dedicated wiring to the system input/output, except in the following cases ... a digital bus communication with overall safety performance that meets the integrity requirements of the Safety Instrumented Functions (SIF) it services." This statement has opened the door for manufacturers to begin developing process instrumentation utilising SIL-certified safety communication buses.
In response, several standards organisations have begun developing recommendations and guidelines regarding the use of safety fieldbus in the process industries. NAMUR NE 97 'Fieldbus for safety applications' was published in March 2003 and defines the principle on which safety-related signals can be transmitted via the fieldbus network.
To address concerns from members that digital fieldbuses may be implemented with a detrimental impact on safety, ISA Standards Panel 84 formed Working Group 1 (SP84, WG1) to develop further guidance and address high-level safety fieldbus issues. WG1 has drafted a technical report offering guidelines for the replacement of the current 4–20 mA safety instrumented systems with safety fieldbus devices and protocols, entitled 'ISA TR-84.00.06: Safety Fieldbus Design Considerations for Process Industry Sector Applications'.
Will safety fieldbus be accepted in the process industries?
One of the first hurdles that must be overcome, before safety fieldbus is readily adopted by the process industries, is proving that safety fieldbus can be as safe and reliable as traditional 4–20 mA systems.
The issue of safety is easier to address because the dangerous failure rates of an IEC 61508 certified safety fieldbus have been quantified. Therefore, most experts agree that SIFs can be designed to provide up to SIL 3 protection, provided they utilise an IEC 61508 certified protocol with a defined PFDavg. This can be modelled by assigning a PFDavg value to the 'wire' and associated communication equipment between the instrument and the system when analysing the SIF. One often overlooked advantage of safety fieldbus is that the I/O card is no longer necessary, so the card and its associated PFDavg can be eliminated. In fact, the elimination of hardware could actually make a safety fieldbus SIF safer than a 4–20 mA equivalent.
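The modelling described above can be carried through for one SIF in both architectures. This is an added example, not part of the original article: the function names are hypothetical, every failure rate and PFDavg figure is a constructed sample value, and it goes beyond the text by assuming the common simplified relation PFDavg = λDU × TI / 2 for single-channel devices and simple addition of element PFDavg values in series.

```python
# Added illustration. Every failure rate and PFDavg figure here is a
# constructed sample value, not data from the article or from any vendor.
HOURS_PER_YEAR = 8760

def pfd_1oo1(lambda_du_per_hour, proof_test_years):
    """Simplified single-channel approximation: PFDavg = lambda_DU * TI / 2."""
    return lambda_du_per_hour * proof_test_years * HOURS_PER_YEAR / 2

def sif_pfd(elements):
    """Elements act in series, so for small values their PFDavg figures add."""
    return sum(elements.values())

def sil_for(pfd):
    """IEC 61508 low-demand bands: SIL n covers 10^-(n+1) <= PFDavg < 10^-n.
    Anything better than the SIL 4 band is still reported as SIL 4."""
    for sil in (4, 3, 2, 1):
        if pfd < 10.0 ** -sil:
            return sil
    return 0  # PFDavg of 0.1 or worse: no SIL claim possible

SENSOR = pfd_1oo1(4e-8, 1)            # transmitter, yearly proof test
FINAL_ELEMENT = pfd_1oo1(1.5e-7, 1)   # shutdown valve, yearly proof test
LOGIC_SOLVER = 5e-5

# Traditional loop: analogue input and output cards each carry a PFDavg.
CONVENTIONAL = {
    "sensor": SENSOR, "input_card": 4e-5, "logic_solver": LOGIC_SOLVER,
    "output_card": 6e-5, "final_element": FINAL_ELEMENT,
}
# Safety fieldbus loop: the cards are gone; the 'wire' gets its own PFDavg.
FIELDBUS = {
    "sensor": SENSOR, "safety_bus": 1e-5, "logic_solver": LOGIC_SOLVER,
    "final_element": FINAL_ELEMENT,
}

def compare():
    """Return {architecture: (PFDavg, SIL)} for both loop designs."""
    archs = (("4-20 mA", CONVENTIONAL), ("safety fieldbus", FIELDBUS))
    return {name: (sif_pfd(a), sil_for(sif_pfd(a))) for name, a in archs}

if __name__ == "__main__":
    for name, (pfd, sil) in compare().items():
        print(f"{name:16s} PFDavg={pfd:.3e}  RRF={1 / pfd:,.0f}  SIL {sil}")
```

With these sample figures both loops land in the SIL 3 band, and the fieldbus loop has the lower PFDavg because the two card contributions are replaced by a single, smaller bus contribution.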
The issue of availability is more difficult to address because data and modelling tools are not yet available that can analyse the mean time to spurious trip (MTTFs) of both traditional and safety fieldbus architecture options. However, as the technology emerges, users can expect suppliers of SIL verification software to branch into this area as well. Users can also expect suppliers to develop improved fault-tolerance for fieldbus systems, both standard and safety.
The future of safety fieldbus in the process industries
One clear message from end users is that they are looking forward to the ability to integrate their SIS instrumentation into their asset management systems. Continuous access to the condition information in intelligent SIS components will enable analysis of the safety performance of the SIS, helping users avoid spurious trips.
In the absence of an available digital safety fieldbus for process automation, some end users have turned to HART technology as an interim method of achieving this goal. However, since HART is not, and most likely never will be, a safety-certified protocol, the challenge is finding a way to use the HART data in a way that won't interfere with or degrade the safety function.
The subject of periodic proof testing is one of the first topics to arise in discussions with users about safety fieldbus and asset management for SIS. This is because while most companies are able to design safety instrumented systems that work fairly well, many of them cannot be tested without extraordinary effort. Safety fieldbus enables access to the data and diagnostic information needed for an automatic reporting system.
While it remains to be seen how quickly it will be adopted, there is no question that safety fieldbus technology is growing. Strong support from the major process fieldbus organisations (Profibus and Foundation Fieldbus) and process automation suppliers, coupled with advantages in reduced installation, maintenance and testing costs, will certainly propel this technology along the same path as standard fieldbus — perhaps even faster.