Networked Safety: Mainstream or Marketing?

The rollout of the Fieldbus Foundation’s FF-SIF safety protocol has sparked considerable interest and many questions about the protocol itself and about networked safety in general.

A year ago, an A-list group of automation users and equipment suppliers gathered in Amsterdam. Though there are many reasons for going to Amsterdam, these folks came to witness a demonstration of the Foundation Fieldbus Safety Instrumented Functions (FF-SIF) protocol at the Shell Global Solutions technology center. Promulgated by the Fieldbus Foundation, FF-SIF is an attempt to bring the advantages of fieldbus technology, with its nonproprietary two-way digital communication, to the process safety realm, facilitating a high degree of integration between process control and safety. Products for the demo were supplied by a host of vendors, including ABB, Emerson, Siemens and Yokogawa.

Among the many devices tested with the new protocol were Foundation Fieldbus-enabled safety valves with Partial Stroke Testing (PST) capability. PST is one of the key innovations in safety devices in recent years. Traditionally, shutdown valves have been operated by pneumatics or solenoids, and have had only two positions: open or closed. Because they were used so infrequently, they often became stuck, and troubleshooting or testing them was a time-consuming, manual operation.

The advent of valve positioners made partial-stroke testing, or checking the valve by moving it a small degree, feasible. Initially, these were too expensive for widespread use, but in the last decade, the cost of valve positioners has fallen dramatically, making their use not only feasible but highly affordable.

Other areas of focus included an array of pressure, level, temperature and diagnostic devices. Importantly, the demo also evaluated system integration capabilities with asset management and Basic Process Control System (BPCS) platforms.

Audun Gjerde, consultant, instrumentation and plant automation, of Shell Global Solutions, conducted the demonstration, and he liked what he saw. By employing FF-SIF, he said, “Shell expects enhanced diagnostics through a fully integrated asset management system. We also anticipate less testing of final elements, thanks to smart testing and diagnostics, as well as online testing and partial stroke testing. This will result in early detection of dangerous device failures—and fewer spurious trips.” Improved testing and diagnostics, he notes, should enable plants to run for longer periods of time without shutting down for testing.

New era?

The protocol has received approval from accrediting agency TÜV Anlagentechnik GmbH, and the Fieldbus Foundation confidently predicts that suppliers will be submitting FF-SIF compliant devices for TÜV approval this year, with many major end-users specifying FF-SIF systems for new projects by 2011. All of this is good news for FF-SIF backers, but beyond that, it’s also another indication of a major change underway in the world of safety systems.

To appreciate the extent of this change, it helps to step back a bit in time. Traditionally, safety was a stand-alone system, which meant different and roughly parallel human-machine interfaces (HMIs), configuration tools, communications, data and event historians, asset management and other requirements for a plant’s safety instrumented system (SIS) and BPCS. This separation was a requirement not only for process systems, such as those now being addressed with FF-SIF, but in the discrete manufacturing world as well.

“The safety solution was completely separate from the automation system,” says Dan Hornbeck, manager, safety business development, for vendor Rockwell Automation Inc., Milwaukee. “Also contributing to this reactive and separate approach were the limitations of safety technology, which often required machines to come to a full stop and be in a ‘safe state’ for repair, maintenance or any time operator access was needed.” Because this downtime decreased productivity, operators and maintenance personnel often felt pressure to bypass the safety system, risking their own safety in the process.

“Such risks are no longer needed or acceptable, thanks to progressive, enforced global standards, significant technological innovation and risk management,” Hornbeck says.

These technological innovations have come in two forms. Some are device focused and driven by the growth of digital technology, such as PST and the “safety zones” that can be engineered into today’s production lines and equipment, and then managed independently, allowing maintenance without shutting down an entire system.

There have also been safety developments at the input/output (I/O) device level in discrete manufacturing. Consider the TwinSafe products from Beckhoff Automation LLC, Burnsville, Minn., which are designed to allow machine builders and end-users to create safety systems (e-stops, light curtains, safety doors, and other devices) using safe I/O terminals that can be used without a dedicated safety programmable logic controller (PLC).

The other involves advances in networking and communications technology, and has made possible a networked and integrated approach to safety. This development, notes Hornbeck, has been driven by the need for greater efficiency and lower costs, “the same market dynamics that have led companies to integrate other control disciplines.” FF-SIF is one of the latest and most prominent examples of this trend, but it isn’t the only contender.

Many players

On the discrete side, the Open DeviceNet Vendors Association (ODVA), Ann Arbor, Mich., has its CIP Safety, an adjunct to its common industrial protocol (CIP). Because ControlNet, DeviceNet and EtherNet/IP are part of ODVA and support CIP, they can now accommodate CIP Safety as well, and do it over copper wire, fiber-optic cable or via wireless. There is also ProfiSafe. Backed by PI International of Karlsruhe, Germany, the ProfiBus/ProfiNet organization, it has been around for a decade and, PI International claims, already has considerable application in the process industries. For end-users who wish to move to a more networked approach to safety, tools clearly are at hand.

There is, as always, a potential downside. First, there are some good reasons why safety and control functions have traditionally been separated. The biggest one, among process industry users, is the fear that a failure of the BPCS will take down the SIS. Then there is security. A control system is accessed by many people and is updated or tweaked often; once the SIS shares a network, engineering tools or a controller with it, every one of those people and changes becomes a path to the safety system, and an edit made on the control side can inadvertently affect the safety function.

That’s why many leading process control vendors already offer some degree of safety-control integration, but buffered by a separation strategy. Approaches vary, and include using separate hardware for the SIS but sharing a common communications bus with the automation system, and equipping the SIS with its own operating system. Some vendors, such as ABB Inc., Cary, N.C., favor the “same but separate” model backed by ARC Advisory Group Inc., Dedham, Mass. Specifically, ABB’s System 800xA High Integrity safety system hosts both safety and process control applications in the same controller, providing logical rather than physical separation.

“Foundation SIF is being promoted as delivering…benefits through reduced total cost of ownership,” says Mike Boudreaux, DeltaV SIS product marketing manager at process controls vendor Emerson Process Management, Austin, Texas. “Many of these benefits are delivered in DeltaV SIS today, through the use of device diagnostics integration using Hart [Communication Protocol].”

“FF-SIF will bring advantages to safety systems similar to what FF has done for process systems,” predicts Victor Hoang, technical solutions engineer, safety instrumented systems, North America, for Yokogawa Corp. of America, Newnan, Ga. This will include cost reduction through things such as asset management, multi-drop capability and various other features. Still, he insists, these benefits will be realized in the future when FF-SIF is implemented, while end-users can have these sorts of benefits now with Yokogawa’s safety solution.

The wait

How long will industry have to wait for the benefits of FF-SIF? The Fieldbus Foundation expects to see some product in the next year. While noting that “development of FF SIF is moving ahead full steam,” Robin McCrea-Steele, senior safety consultant for Invensys Process Systems, Plano, Texas, expects that “the first TÜV-certified FF SIF field devices and logic solvers will start to become available in the next year or two.”

Of course, this won’t be a full complement of products, leading Luis Duran, Americas region safety systems business development, ABB, to observe that complete FF-SIF solutions may be hard to implement for some time while safety certified devices make their way into the market. “This situation will drive end-users that want to implement solutions with the new technology to have to develop ‘hybrid’ solutions where traditional analog (pure 4-to-20 milliamp with or without HART) and networked (FF-SIF) will need to be combined to implement a complete solution.”

Over time, Duran reasons, this situation will sort itself out after large numbers of approved FF-SIF devices are available in the marketplace, “but initially this may be a hard situation for end-users to justify.”

Despite these caveats, Duran is convinced that open, in general, is the way to go. “As technologies advance, it will usually be best for the majority of end-users if industrial standards are widely used instead of proprietary solutions, regardless of the subject, and safety network implementations will be no different.”

He adds that, “As FF-SIF is now a growing choice for greenfield automation implementations, it is likely that it will also grow in the process industries as a choice for safety. FF-SIF, driven by end-user influenced requirements, will provide freedom of choice from suppliers, long-term security due to that broad base of suppliers, and a wide range of support options as most suppliers will eventually offer products and service to meet market requirements.”

Charles Larson points to the importance of newer industry standards in opening the door to networked safety, and thus making possible the “freedom of choice from suppliers” that Duran spoke of. “The advent of the [International Electrotechnical Commission] IEC 61508 standard provides a means to determine the risk of failure for microcontroller- and software-based systems, and thus makes it possible to determine the safety level of safety systems that will use a digital communications network, such as Foundation Fieldbus,” notes Larson, the director of technology for automation components vendor Moore Industries-International Inc., North Hills, Calif.

Standards

IEC 61508, primarily for suppliers, and its complementary IEC 61511, primarily for process industry end-users, along with [American National Standards Institute/International Society of Automation] ANSI/ISA 84.01, which follows the IEC 61511 standard, apply to safety-instrumented systems. They include performance and lifecycle criteria that let users quantify a safety function’s integrity from its dangerous failure rates, its diagnostic (fault-detection) coverage and its hardware fault tolerance, expressed as a probability of failure on demand (PFD) over the test interval, from which the function’s Safety Integrity Level (SIL) is assigned.
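The PFD arithmetic behind this paragraph, and behind the partial-stroke-testing benefit described earlier in the article, is short enough to work through. The following is an added illustration, not code from the article, the Fieldbus Foundation or any vendor named here. It uses the first-order low-demand formulas for a single (1oo1) channel (PFDavg = λDU × TI / 2, with the fraction of dangerous undetected failures that a partial stroke can reveal tested on the shorter PST interval) and the IEC 61508-1 low-demand SIL bands. The failure rate (2e-6 per hour), the assumed 70 percent partial-stroke coverage and the monthly PST interval are constructed numbers chosen to make the effect visible; real values come from the device’s FMEDA and the site’s own proof-test regime.

```python
"""PFDavg and SIL-band arithmetic for a single (1oo1) final element.

Added illustration, not code from the article or any vendor. It uses the
first-order low-demand formulas of IEC 61508-6 / ISA-TR84.00.02 (constant
failure rates, lambda_DU * TI << 1, no common cause, repair time or
systematic/software failures). All numeric inputs below are constructed.
"""

HOURS_PER_YEAR = 8760.0

# IEC 61508-1 low-demand bands: (SIL, lower PFDavg bound inclusive, upper bound exclusive)
SIL_BANDS = (
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
)


def pfd_avg_1oo1(lambda_du_per_h, proof_test_interval_h):
    """Average PFD of one channel with only periodic full proof tests: lambda_DU * TI / 2."""
    return lambda_du_per_h * proof_test_interval_h / 2.0


def pfd_avg_1oo1_with_pst(lambda_du_per_h, proof_test_interval_h, pst_coverage, pst_interval_h):
    """Same channel with partial-stroke testing.

    The fraction of dangerous undetected failures that a partial stroke can reveal
    (pst_coverage) is effectively proof-tested every pst_interval_h; the remainder
    stays hidden until the full-stroke proof test.
    """
    if not 0.0 <= pst_coverage <= 1.0:
        raise ValueError("pst_coverage must be between 0 and 1")
    revealed = pst_coverage * lambda_du_per_h
    hidden = (1.0 - pst_coverage) * lambda_du_per_h
    return revealed * pst_interval_h / 2.0 + hidden * proof_test_interval_h / 2.0


def max_proof_test_interval_h(lambda_du_per_h, target_pfd, pst_coverage=0.0, pst_interval_h=0.0):
    """Longest full proof-test interval that keeps PFDavg at or below target_pfd.

    Solves pfd_avg_1oo1_with_pst(...) <= target_pfd for proof_test_interval_h.
    Returns 0.0 if the PST-revealed term alone already exceeds the target and
    float('inf') if PST is assumed to cover every dangerous failure mode.
    """
    budget = target_pfd - pst_coverage * lambda_du_per_h * pst_interval_h / 2.0
    hidden_rate = (1.0 - pst_coverage) * lambda_du_per_h
    if budget <= 0.0:
        return 0.0
    if hidden_rate == 0.0:
        return float("inf")
    return 2.0 * budget / hidden_rate


def sil_from_pfd(pfd_avg):
    """Map a PFDavg onto its SIL band; None if outside the SIL 1..4 range."""
    for sil, lower, upper in SIL_BANDS:
        if lower <= pfd_avg < upper:
            return sil
    return None


def worked_example():
    """Constructed shutdown-valve case: 2e-6 /h dangerous undetected failure rate,
    PST assumed (not measured) to reveal 70% of those failures, PST run monthly (730 h)."""
    lam, cov, t_pst = 2e-6, 0.7, 730.0
    one_year, three_years = HOURS_PER_YEAR, 3 * HOURS_PER_YEAR
    results = {
        "annual_proof_test": pfd_avg_1oo1(lam, one_year),
        "three_year_proof_test": pfd_avg_1oo1(lam, three_years),
        "three_year_with_pst": pfd_avg_1oo1_with_pst(lam, three_years, cov, t_pst),
        "max_interval_h_no_pst": max_proof_test_interval_h(lam, 1e-2),
        "max_interval_h_with_pst": max_proof_test_interval_h(lam, 1e-2, cov, t_pst),
    }
    for name, value in results.items():
        if name.startswith("max_interval"):
            print(f"{name:26s} {value / HOURS_PER_YEAR:6.2f} years")
        else:
            print(f"{name:26s} PFDavg={value:.3e}  SIL {sil_from_pfd(value)}")
    return results


if __name__ == "__main__":
    worked_example()
```

Run stand-alone, the constructed case shows the trade the article describes: an annual full proof test puts the valve at PFDavg 8.76e-3 (SIL 2); stretching the full test to three years drops it to SIL 1 (2.63e-2); adding monthly partial-stroke tests at 70 percent coverage brings the three-year case back to 8.40e-3 (SIL 2), and the longest full-test interval that holds the 1e-2 boundary grows from about 1.1 years to about 3.6 years. Two caveats a practitioner should keep in view: the whole benefit hinges on the coverage figure, which is a vendor claim that should be traceable to an FMEDA for the specific valve, actuator and positioner combination, and PFD is only one leg of a SIL claim; the standards also impose architectural constraints and systematic-capability (including software) requirements that this arithmetic does not touch.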

Networked safety is software-dependent safety, and, as Larson notes, “As anyone who has worked on safety software can attest, certifying the reliability of software for safety purposes is an involved and time-consuming process.” Another caveat comes from Helge Hornis, manager, intelligent systems, Pepperl+Fuchs Inc., a Twinsburg, Ohio-based automation components vendor. Although keen on the value of networked solutions, he cautions that buyers should ascertain the degree of backward and forward compatibility. Another important issue is configuration software and tools, says Hornis. Will the tool that’s available today still work in five years? And if not, what is the cost of keeping up with software developments?

Still, the benefits of networked safety are considerable, and Larson insists they are felt not only in the realm of cost, but in the realm of safety as well. “The increased diagnostics that are available with digital networks make it possible to identify failing components before they trigger a system shutdown. These factors can contribute both to reducing the risk of a dangerous failure and to higher availability.

“If one has any doubts about the future direction of safety systems,” Larson adds, “one only has to consider that the aircraft with the best safety records—records which are good enough to meet SIL (Safety Integrity Level) 4—operate completely on computer-controlled fly-by-wire systems. Despite the complexity of software based systems, with proper design, they can provide greater protection and availability than ever before.”
