01 March 2003
Road rules of busing
Skeptics vs. proponents of bus safety networking.
By Ellen Fussell
Protecting production and lives is what having an effective safety system is all about. But if something goes wrong because your system fails to shut off a valve, and that leads to a hydrocarbon leak and possibly a death, you've got a problem. Traditional safety systems that string together CPUs have been around for years, so what's all the buzz about a safety bus? Industry experts share differing opinions about the viability of today's buses for safety networking. Some say hard wire is the only safe way and that a safety bus requires a new standard. Others say what we have now will work fine in the process industry.
"The whole industry is interested in a safety bus because users would like to be able to have many devices on one link to replace the wire," said Bob Adamski, director of Premier Consulting Services in Irvine, Calif. But because nobody has yet come up with a bus solution as safe and reliable as hard-wired connections, the concept seems rather futuristic.
Here's the catch in the process industry: "If you're protecting a high-level device and it's somehow corrupted by high radio frequencies or a bug in the system, it corrupts the signal, and you may get a high level, it may not see it, and it won't trip, where in a hard-wired device, there's nothing to corrupt it. It's hard wired, not connected to any communications," Adamski said.
"If you take a transmitter out in the field, you connect it with two wires. But you can only connect one device to it," Adamski said.
The reality with fieldbus used today is "you can take that same link [it may be wire or fiber optic] and put many devices on there. So the only difference between fieldbus [used today] and a safety bus is that for safety, you have to make sure it's as safe and reliable as that hard-wired device."
And according to some, today's safety bus doesn't meet that need for safety—at least in the process industries.
Experts are now working on a standard to determine requirements for a safety bus—is it as reliable as hard wired? It has to be noncorruptible, Adamski said. He added there's no standard for a safety bus for process industries, "which is why we formed the SP84 committee."
"If we can assure that the requirements for a safe and reliable safety bus are met, the rest is easy," Adamski said. "Do you think nuclear power plants will ever apply safety bus? What if it doesn't work? What do they do instead? They apply several layers of protection and make sure everything is hard wired."
MAJOR PLAYER IN THE FIELDBUS
The Fieldbus Foundation, of course, is also a big player in the safety bus initiative. It has launched the Fieldbus Foundation Safety Instrumented Systems (FFSIS) project, which involves manufacturing representatives and members of the End User Council, some of whom are on the SP84 committee. The team will develop concepts as well as write a safety requirements specification and manual using IEC 61508. And the end users will develop the end user application note, or safety manual, using IEC 61511.
"The foundation's reaction to an SP84 safety bus specification is supportive, as we see this being very useful to the industry," said Fieldbus Foundation president Rich Timoney. "However, it must be compliant with IEC 61508 and IEC 61511 requirements," he added.
Timoney said that the International Electrotechnical Commission (IEC) and ISA efforts would benefit from the FFSIS project and other consortium efforts. But the SP84 project should "be sure to have FFSIS concepts included and should have experts who are intimately familiar with the FFSIS concepts."
Some of the benefits are lowering the cost of wiring and, in some cases, even the I/O modules or the central processor, Adamski said. There's a substantial cost savings because you're running several transmitters off of one wire. There are life cycle benefits, too, he said. Companies can do advanced diagnostics, and they can use it for asset management.
"You can get a lot of information—more automated testing. The people applying fieldbus today have the incentive of wiring and asset management. They're able to do some clever software algorithms to improve the efficiency of the plant," Adamski said.
But while he said a reliable and safe safety bus isn't a reality, "in the meantime we're still using hard wired. If we do get requirements, we may apply it in phases. We may just use it for outputs or maybe just the inputs. It could be applied in different phases and different parts of the network."
INTEROPERABILITY
Another big issue surrounding fieldbus is interoperability. There are so many vendors, Adamski said. "One bus may have a transmitter for 15 different vendors. Will they all talk to the bus?" And while he admitted a reliable safety bus is way down the road, it's still a major issue.
"Even with a lot of Foundation fieldbus devices, you can't necessarily mix and match, having true interoperability," said Paul Gruhn, president of L&M Engineering in Houston. "It's almost comical in the sense people want open systems with fieldbus, but what they're doing is recognizing those systems aren't as interoperable as they want. So they're buying Foundation fieldbus and all devices from one vendor. They're doing what they did 15 years ago—the very thing they wanted to get away from."
Yet Gruhn said he believes Foundation fieldbus is getting closer, "if they're not already there."
OTHER PLAYERS
Profibus, the IEC-approved fieldbus protocol that originated at Siemens, has a low-speed layer (Profibus-PA) and a high-speed layer (Profibus-DP).
"The lower speed is where you put process devices like transmitters and positioners. The H1 in the fieldbus world runs at the same speed as Profibus's low speed: at 31.25 [kilobits per second]," said Tanmoy Basu, senior product manager for fieldbus technologies at Siemens in Spring House, Pa.
Yet Profibus is different from the proposed fieldbus safety bus "because they don't have field devices talking to each other. They're talking to a controller but over a two-wire serial link," Gruhn said. So while there are savings in the industry, "it won't work in the analog control world because of the time of the variables passing back and forth."
ProfiSafe, the safety layer that runs on top of the Profibus protocol, is not hardware: it's not a chip but essentially software. And while ProfiSafe is used effectively in the machine industry, Adamski said, it isn't reliable for the process industry.
"If anything happens [in the machine industry], the worst is that you'd damage a part. The problem is that [ProfiSafe] doesn't apply to process industries—the chemical and pharmaceutical plants and the refineries, which include 70% to 80% of where safety systems are applied. On the machine floor it is being used, but with different requirements."
HOW PROFISAFE WORKS
While experts recommend that the basic process control system be kept separate from the safety system, Basu said, ProfiSafe challenges that notion and says you can run safety applications in basic process control systems without losing any of the enhanced reliability expectations.
"Imagine a system, a ProfiBus, where you have a controller, which is the master, and a bunch of slaves doing basic process control. Some slaves are remote I/O blocks bringing different types of signals," he said. A ProfiSafe remote I/O block differs from a basic process control block in that it has additional software loaded to perform certain safety checks, and matching software on the controller end repeats the same checks that are done on the slave end.
"Some of the typical issues or concerns people have when they build safety systems is there could be repetition of signals," Basu said. Some I/O repeatedly sends the same value, whereas in reality, a value has changed. "Messages could get resequenced from being sent from the I/O to the controller. There could be data corruption or failures in signal transmission," he said.
ProfiSafe, by applying certain checks in a fixed format to the data that comes from the I/O slave to the controller, can detect each of these failures and react before a wrong value reaches the safety function.
"Profibus started out in the manufacturing industry, but people have the misconception that it doesn't work in the process industry," Basu said.
Yet there's already a refinery in Germany using it. "ProfiSafe takes your outputs to a safe mode if there is a failure or fault in the system." So to address the issue of it not being hard wired, "yes, the emergency shutdown system has two wires, but it will always give you a break and shut your system down," he said. "It has a lot of methods to detect faults and takes action based on those statistical checks."
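The checks Basu describes, as an added illustration that is not part of the original article and is not ProfiSafe's own frame format or code: a producer stamps each value with a consecutive number and a CRC, and the consumer trips to a safe state when it sees a repeated or out-of-order number, a CRC mismatch, or no fresh frame within a watchdog period. The six-byte frame layout, the CRC-32, the 200 ms watchdog and the single "valve_open" signal are assumptions chosen for the example; the traffic in run_scenarios() is constructed.

```python
"""Illustrative safety-layer check over an unsafe bus (added example, not
ProfiSafe). Frame layout, watchdog value and signal name are assumptions."""
import struct
import zlib

SAFE_STATE = {"valve_open": False}  # assumed safe state: valve closed
WATCHDOG_MS = 200                   # assumed: producer must refresh within 200 ms
FRAME_LEN = 6                       # 1 byte value + 1 byte seq + 4 byte CRC-32


def build_frame(valve_open: bool, seq: int) -> bytes:
    """Producer (I/O slave) side: value, consecutive number, CRC over both."""
    payload = struct.pack(">BB", int(valve_open), seq & 0xFF)
    return payload + struct.pack(">I", zlib.crc32(payload))


class SafetyConsumer:
    """Controller side: every frame is validated before its value is used."""

    def __init__(self, start_ms: int = 0, watchdog_ms: int = WATCHDOG_MS):
        self.expected_seq = 0
        self.last_rx_ms = start_ms
        self.watchdog_ms = watchdog_ms
        self.fault = None
        self.outputs = dict(SAFE_STATE)   # safe until the first valid frame

    def _trip(self, reason: str) -> dict:
        # A detected fault latches: outputs stay safe until an operator reset
        # (reset and resynchronisation are out of scope for this example).
        self.fault = reason
        self.outputs = dict(SAFE_STATE)
        return self.outputs

    def receive(self, frame: bytes, now_ms: int) -> dict:
        if self.fault is not None:
            return self.outputs
        if len(frame) != FRAME_LEN:
            return self._trip("malformed frame")
        payload, (crc,) = frame[:2], struct.unpack(">I", frame[2:])
        if zlib.crc32(payload) != crc:
            return self._trip("corrupted frame (CRC mismatch)")
        if now_ms - self.last_rx_ms > self.watchdog_ms:
            return self._trip("watchdog timeout (%d ms)" % (now_ms - self.last_rx_ms))
        valve_open, seq = struct.unpack(">BB", payload)
        if seq != self.expected_seq:
            # seq behind: a repeated (stuck) frame; seq ahead: a lost or
            # resequenced frame. Either way the value cannot be trusted.
            return self._trip("sequence error: got %d, expected %d" % (seq, self.expected_seq))
        self.expected_seq = (seq + 1) & 0xFF
        self.last_rx_ms = now_ms
        self.outputs = {"valve_open": bool(valve_open)}
        return self.outputs

    def poll(self, now_ms: int) -> dict:
        """Run each controller cycle so silence on the bus is also a fault."""
        if self.fault is None and now_ms - self.last_rx_ms > self.watchdog_ms:
            return self._trip("watchdog timeout (no frame)")
        return self.outputs


def run_scenarios() -> dict:
    """Constructed traffic for each failure class from the text.
    Returns {scenario: (fault text or None, valve_open output)}."""
    results = {}

    c = SafetyConsumer()                      # healthy link, 50 ms cycle
    for i in range(3):
        c.receive(build_frame(True, i), now_ms=50 * (i + 1))
    results["healthy"] = (c.fault, c.outputs["valve_open"])

    c = SafetyConsumer()                      # repetition: frame 1 sent twice
    c.receive(build_frame(True, 0), 50)
    c.receive(build_frame(True, 1), 100)
    c.receive(build_frame(True, 1), 150)
    results["repetition"] = (c.fault, c.outputs["valve_open"])

    c = SafetyConsumer()                      # loss/resequencing: frame 1 missing
    c.receive(build_frame(True, 0), 50)
    c.receive(build_frame(True, 2), 100)
    results["lost_frame"] = (c.fault, c.outputs["valve_open"])

    c = SafetyConsumer()                      # corruption: one bit flipped
    frame = bytearray(build_frame(False, 0))  # "closed" flips to "open" on the wire
    frame[0] ^= 0x01
    c.receive(bytes(frame), 50)
    results["corruption"] = (c.fault, c.outputs["valve_open"])

    c = SafetyConsumer()                      # transmission failure: bus goes quiet
    c.receive(build_frame(True, 0), 50)
    c.poll(550)
    results["stale_link"] = (c.fault, c.outputs["valve_open"])
    return results


if __name__ == "__main__":
    for name, (fault, valve_open) in run_scenarios().items():
        print("%-11s fault=%-40s valve_open=%s" % (name, fault, valve_open))
```

The point of the corruption case is that the flipped bit would have turned a "close the valve" command into "open" on a plain bus; the CRC catches it and the output stays in the safe state instead. A real safety layer also binds frames to a source address so a frame from the wrong device is rejected, and handles resynchronisation after a reset; both are left out here to keep the checks the article names visible.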
PROFISAFE INTEROPERABILITY?
"ProfiSafe is not a proprietary protocol because the standard was developed under Profibus International and isn't owned by another company," Basu said. "While Fieldbus Foundation is made up of many companies, similarly ProfiSafe is a standard developed by Profibus International."
ProfiSafe has been implemented by some Siemens components, but there's a long list of companies—HIMA, Weidmueller, Phoenix—that have developed components to work with ProfiSafe, Basu said.
"You could buy a HIMA component and have ProfiSafe working in a Siemens system or any other control vendor's system—it could be ABB. It has to be those vendors that are implementing this technology. And not everybody is making Foundation fieldbus components either."
"Thousands of vendors make Profibus devices, but interoperability isn't going to happen in the short term with ProfiSafe," Gruhn said. "There are major concerns over interoperability because of the variable involved with critical safety issues. There's no ProfiSafe device for that; there are discrete on/off devices used in the machine tool industry but no analog devices in the process industry."
GERMAN REFINERY REVAMPS
During the past 60 years, DEA Mineralöl AG has undergone several revamps to keep up with market demands and economic turns. The Heide, Germany-based plant processes about 4 million tons of crude oil into fuels such as petrol, diesel, and kerosene, using up to 15 different types of crude oil. To comply with upcoming stringent exhaust gas emission values for cars with low sulfur fuels, the plant decided to upgrade its systems with comprehensive modernization and restructuring measures.
After evaluating five systems, the company decided to go with Siemens because of its integrated fail-safe technology and Profibus-PA fieldbus technology. The Simatic PCS7 process control system uses integrated fail-safe technology (ProfiSafe), in which 25% of all I/Os are automated. It combines standard and fail-safe peripherals in the fault-tolerant and fail-safe automation system, so the system no longer needs separate fail-safe systems and costly couplings. Process signals are recorded decentrally, directly in the field, over intrinsically safe Profibus-PA or through a field multiplexer with a redundant Profibus-DP interface; ET200M peripherals handle this. And with the integrated explosion protection isolation, the refinery no longer needs one of its usual explosion protection isolation levels.
Marianne Ocon, DEA's department head of electronics, measurement, and control technology, said a PCS7 system in this configuration had never been used before in a refinery. During the two years of the project phase, the DEA and Siemens teams overcame time and component development delays but forged ahead as a replica system was developed at Siemens. When all was said and done, plant employees were excited about the system. Hydrocracker workers in particular benefited because they could see alarms and trend curves on four large screens in the control room during the entire process.