Safety via Fieldbus—Hanging by a Wire?

Fieldbus is breaking new ground in discrete and process safety networks, a bastion of hard-wired systems. Users are drawn by promises of easier troubleshooting and maintenance.

By Peter Welander, Control Engineering June 1, 2009

Safety networks have long been a bastion of hard-wired thinking. Conservative users believe they can only offer real protection if they use systems that are unquestioned, and that comes only with direct wiring and segregated functionality. The problem is that those systems are expensive and not particularly user-friendly when it comes to maintenance and troubleshooting.

Back in the pre-fieldbus days when all sensors, instrumentation, and actuators were wired that way, many users longed for systems that could automate diagnostics, reduce wiring, and simplify configuration and setup. HART offers a partial answer, but users found that a fieldbus network was capable of communicating more sophisticated information. Those that started using fieldbus topology for discrete and process sensors enjoyed the benefits of bi-directional communication and diagnostics. So the next question became, “When can we do this with safety devices?”

Some operators ask this question more readily than others. Those who find the idea of putting a whole group of conventional devices on one cable scary will find the notion of doing that to safety sensors doubly troubling. Others have fully embraced safety on fieldbus for discrete manufacturing, and interest in process applications is growing.

Putting safety functions on fieldbus is different from putting conventional instrumentation on it. Most people assume that a safety network has to be a souped-up version of a normal fieldbus, incorporating a higher level of communication reliability. While this is logical, it isn’t what happens. In fact, a safety fieldbus creates a platform that is independent of the transmission medium. In other words, the safety system makes no assumptions about the reliability of the network. While this seems counterintuitive, it is critical to the real concept.

Profisafe and AS-Interface Safety at Work were the first widely available safety protocols that could be used over a fieldbus network, and were released at about the same time in 1998. Neither is a fieldbus itself, but they add safety functions to their respective networks. For example, Profisafe has to function over Profibus DP, Profibus PA, or Profinet. In 2005, the ODVA group released CIP Safety, which can function on EtherNet/IP, ControlNet, and DeviceNet platforms.

Different concept for send/receive

At the heart of a safety protocol is the way in which it sends and receives safety messages, rather than the medium that transmits them. Here are the critical functional elements:

First, the transmission medium is considered a black channel. The safety system doesn’t care how the safety messages are carried—it can be fieldbus, Ethernet, wireless, or whatever, it doesn’t matter. This is the reason protocols often operate on multiple networks.

Second, the safety system has to detect errors in messages that would normally go undetected. Each safety message carries its own cyclic redundancy check (CRC) that indicates whether the message has been corrupted. Fieldbus protocols normally use a frame check sequence (FCS) to verify normal messages; safety applications require a more extensive check on top of the basic FCS.

Third, safety messages have to move through the network in a specific sequence and period of time.

In a 2008 interview that was released as a Control Engineering podcast, Erich Janoschek of TÜV Rhineland described a safety fieldbus network as a specialized mail messaging process. His example of a black channel is the normal way the post office delivers a letter. To make safety messages stand out as special in the normal mail, you could put them in yellow envelopes. “If you send the yellow envelopes with normal mail, you cannot say how they’re carried, by airplane or ship or whatever,” he says. “But when the recipient gets a yellow envelope, he can see if it is torn or damaged before accepting it and reading the message. The recipient also knows that a message has to arrive every day, and if the yellow envelope doesn’t arrive, he shuts down the system.”
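As an added illustration, not code from the article or from any of the protocols it names, the following Python sketch implements the three elements above and Janoschek’s yellow-envelope rule on top of a black channel: the receiver accepts a frame only if its own CRC, its sequence number and its arrival time all check out, and latches into the safe state otherwise. The envelope layout, field sizes, watchdog period and injected faults are all assumptions made for the example.

```python
import struct

def crc16_ccitt(data: bytes) -> int:
    """Bitwise CRC-16/CCITT-FALSE (poly 0x1021) over the whole safety envelope."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc

def build_frame(seq: int, payload: bytes) -> bytes:
    """Producer side: envelope = 2-byte sequence number + payload + CRC over both."""
    body = struct.pack(">H", seq & 0xFFFF) + payload
    return body + struct.pack(">H", crc16_ccitt(body))

class SafetyConsumer:
    """Logic-solver side: a frame is accepted only if CRC, sequence and timing all pass."""
    def __init__(self, watchdog_s: float):
        self.watchdog_s, self.expected_seq, self.last_ok, self.tripped = watchdog_s, 0, 0.0, None

    def receive(self, frame: bytes, now: float):
        """Return (payload, None) on success, or (None, reason) once the safe state is demanded."""
        body, crc = frame[:-2], struct.unpack(">H", frame[-2:])[0]
        seq = struct.unpack(">H", body[:2])[0]
        if self.tripped:
            reason = self.tripped
        elif now - self.last_ok > self.watchdog_s:          # a real solver also polls this on a timer
            reason = "watchdog: no valid frame within %.1fs" % self.watchdog_s
        elif crc16_ccitt(body) != crc:                      # corruption the link's own FCS might miss
            reason = "crc mismatch"
        elif seq != self.expected_seq:                      # lost, duplicated or reordered frame
            reason = "sequence error: expected %d got %d" % (self.expected_seq, seq)
        else:
            self.expected_seq, self.last_ok = (seq + 1) & 0xFFFF, now
            return body[2:], None
        self.tripped = reason                               # latched: only a reset clears a trip
        return None, reason

def simulate(fault: str, watchdog_s: float = 1.0) -> str:
    """Send three frames 0.5 s apart through a channel with one injected fault; return trip reason or 'ok'."""
    consumer = SafetyConsumer(watchdog_s)
    frames = [(i * 0.5, build_frame(i, b"\x01")) for i in range(3)]  # constructed payload: "no demand"
    if fault == "corrupt":                                  # one flipped payload bit in the 2nd frame
        f = bytearray(frames[1][1]); f[2] ^= 0x80; frames[1] = (0.5, bytes(f))
    elif fault == "drop":                                   # 2nd frame never arrives
        del frames[1]
    elif fault == "late":                                   # 2nd frame arrives after the time window
        frames[1] = (3.0, frames[1][1])
    reasons = [consumer.receive(frame, now)[1] for now, frame in frames]
    return next((r for r in reasons if r), "ok")
```

Each injected channel fault produces a trip on a different check, which is the point of the black-channel design: the safety layer never has to know why the underlying network failed.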

While the safety functions operate independently of the network, a network that cannot perform reliably would be a constant headache. If communication is not reliable, messages can be corrupted or lost entirely, both of which should trip the system.

“Why does a system trip?” asks James Powell, P. Eng., communications product manager for Siemens Milltronics Process Instruments. “You could have something going on in the process, and you want it to trip, or you can have it trip because of a communication error in your system. Safety busses are very big on being absolutely sure that the message gets there correctly, and you don’t miss one. The big emphasis is on undetected errors.

“The worst case scenario for a safety system would be to have a communication channel that’s borderline, because you’re going to get a whole lot of nuisance trips. Both Profibus and Foundation Fieldbus have a rock-solid communication channel, and that performance is easy to achieve as long as proper design and installation procedures are followed,” he says.

From discrete to process

Fieldbus safety protocols were first put to work in discrete applications. AS-Interface Safety at Work typically involves functions such as emergency stop devices, safety gates, active opto-electronic protective devices, and other types of safety monitors.

Most Profisafe applications in discrete manufacturing run on Profibus DP. The Profibus Trade Organization (PTO) claims the installed base of Profisafe nodes reached 410,000 at the end of 2007, and projected an 80% growth rate in 2008. It can handle many of the same types of applications as AS-i and can interface with AS-i directly, but it also offers a higher degree of sophistication that allows for more elaborate applications integrated with manufacturing lines and robotics, such as integrated safety functions in drives. Similarly, CIP Safety operates primarily on device-level networks.

Fieldbus Foundation’s Bill Tatum anticipates that sensor devices for the SIF platform will be available sooner and in a wider variety than communicate information to the DCS as desired.

Safety networks have been very slow to break into process manufacturing applications, and in fact barely exist there at all. The Profisafe protocol has been available for use with Profibus PA networks since its introduction, but the instrumentation industry has done little in the way of developing appropriate flow, pressure, level, and temperature sensors that are certified for safety applications and have fieldbus connectivity. This demand vs. availability conundrum often happens with new technologies.

“Devices that communicate with Profisafe have not been developed fast enough,” says Charlie Fialkowski, process safety manager for Siemens. “I know Siemens has one differential pressure transmitter that can speak Profisafe that we can use for a safety application. We have a fully redundant, fault tolerant safety controller that’s certified with a Profibus/Profisafe communicating backplane. So, we can send the communication protocol out into the field, but there’s nobody to talk to.”

In search of safe devices

The Fieldbus Foundation (FF) has been developing its SIF (Safety Instrumented Functions) protocol for several years, and has now reached the point that vendors and users have joined forces to create demonstration projects. Like Profisafe via Profibus PA, the success of FF SIF will depend on users and vendors both embracing the technology sufficiently to begin manufacturing usable numbers of devices and controllers to provide a critical mass for users. Given the similarity of the two platforms, it will not be difficult for a company manufacturing a certified sensor for one to extend it to the other.

Device manufacturers who are used to the requirements of safety instruments should have relatively little difficulty adding fieldbus connectivity. However, those that have never attempted to make safety devices will likely find the process challenging.

“We are currently helping a few vendors get through this process, and basically we see two categories,” says Dr. Michel Houtermans, president, Risknowlogy. “There are the ones that are in the safety business and have certified safety products; they just need to add the fieldbus protocol. On the other hand, we have those who are in the fieldbus world, and have never made a safety product.

“For the latter category, it’s much more difficult because they haven’t had any knowledge of the safety standards. They need to demonstrate that the safety product itself is actually a safe product. That’s when they need to comply with IEC 61508, and for most of them, that is a completely new world. They need to go through a steep learning curve and, luckily for them today, there is a lot more information available so it goes faster. But even today, it takes anywhere from six months to two years to get this done,” he says.

Safety functions on a fieldbus like Profibus PA or Foundation Fieldbus in a process manufacturing context do not require any special wiring. In fact, the same physical layer hardware supports both operations.

Ian Verhappen, director of industrial networks for MTL, says they’re ready for safety now. “Black channel means that the physical layer is unaffected by the safety bus,” he says. “The power supplies and field device couplers are the same. Only the end devices change, and the host system or logic solver has the new function blocks. We’re just the phone wire to get the message from one place to another.”

There is nothing to preclude the possibility of deploying safety and normal control instrumentation on the same fieldbus segments, although the comfort level of users may cause them to keep those functions separate. Moreover, there is no reason that safety devices cannot report data to the control system. A pressure or level sensor that is a safety device can also send its process variable to the control system via interaction between the safety logic solver and DCS.

Problems with one wire

The biggest technical drawback with fieldbus in general and safety particularly has been the concern of multiple devices on one cable. Even if the network is rock-solid, if something happens to the cable, all the devices on that segment can be lost. This has been especially problematic to many users in process industries. Fortunately, fault tolerant wiring topologies can reduce this likelihood significantly.

“The industry has been talking about safety fieldbus for 10 years,” says Fialkowski. “But it’s never developed to the point that people would actually take the leap of faith and go forward. One of the sticking points was its lack of fault-tolerance capability: You have a single pair of wires running out to multiple devices with all of them coexisting on that single pair of wires. But if that pair of wires gets compromised for whatever reason, you lose all those devices and that’s not a good thing. We overcame that three or four years ago and came up with the ring bus technology that gave you fault-tolerance capability in the physical layer.”

Mike O’Neill, director, MooreHawke Fieldbus division of Moore Industries, knows of customer concern about a cable failure bringing down an entire segment. “MooreHawke (for one) has a fieldbus physical layer that provides two trunks, where one continues operation in spite of a break or short-circuit in the other,” he says.

“Both trunks are normally active and alarms if one fails,” O’Neill adds. “This allows a system to claim a very low probability of failure on demand. There is no special software required at the host and the power conditioners are the same units MooreHawke offers for regular non-safety fieldbus. This system was used by HIMA in its FF-SIF demonstration package at Shell Global Solutions, Amsterdam, in May 2008.”

For users, putting safety on a fieldbus brings a huge benefit in the form of improved device diagnostics. Vincent Palughi is a senior engineer for Chevron, and has been involved heavily in deployment of sophisticated device communication protocols.

“From Chevron’s perspective, I think the ability to get those online diagnostics will be huge,” Palughi says. “The asset management systems that are connected to smart devices help you bring the plant up faster, with commissioning times reduced. And I think we can lengthen the testing interval. Normally you might have to test a device every year, but maybe we can push that out farther because we have so much confidence in the diagnostics. There are a lot of potential benefits that we’re going to try to take advantage of.”

Bill Tatum, director of marketing for the Fieldbus Foundation, looks for initial adoption of SIF in oil and gas applications: “Right now, in a typical refinery, because of the zone classifications, they can only use fieldbus on about 30% of their applications. With this SIF technology, they can take it up to the neighborhood of 70% to 80% of the plant. It’s going to more than double the number of possible fieldbus devices in an existing refinery. The real goal of this is to get the diagnostics data that users want—the same as they’re getting through the fieldbus systems in their regular control environment. This is key to achieving a proactive maintenance goal.”

Author Information

Peter Welander is process industries editor. Reach him at .