View Full Version : Fieldbus and Safety Systems
Stephen Mitschke
August 12th, 2003, 12:29 PM
I am trying to work with a number of standards committees to have Foundation Fieldbus be accepted for use in Safety Systems. However, one of the first things I need to have is a 'justification' for this work... this is where you come in. Can you please reply to the list with answers to the following question:

Why do Users need to apply Fieldbus Safety Systems?

I await your replies.

Ian

Ian Verhappen
Syncrude Canada Ltd.
PO Bag 4009, MD 0032
Fort McMurray, Alberta T9H 3L1
P 780 790-4079, Cell 799-6017
F 780 790-5190
verhappen.ian@syncrude.com
Stephen Mitschke
August 12th, 2003, 12:30 PM
I would really like to have had smart instruments because of the diagnostics and the redundancy. I believe that we could increase the reliability of the field elements under the same premise as the 1oo2D and 2oo4D systems.

Erwin Icayan
Stephen Mitschke
August 12th, 2003, 12:30 PM
Ian

The answer is not that they must but that they would like to. The same justification exists for field devices in safety systems as in conventional control. They would like the wiring savings, the commissioning savings, less terminals, less maintenance, etc. Also, with the increased diagnostics available with fieldbus (smart) devices the reliability of the measurements must be improved and therefore improved safety and availability. I hope that this is what you were looking for?

Trevor

Trevor MacDougall
Technical Specialist
Spartan Controls
Stephen Mitschke
August 12th, 2003, 12:30 PM
Ian:

In my opinion there are two good reasons for applying FF to safety systems.

First, since FF devices have a great wealth of diagnostics that can be automatically scanned to verify the health of field devices, covert failures can be turned into overt failures. Thus by using FF prudently we will have safety systems with lower probability of failure on demand, better availability, fewer spurious trips and fewer field devices.

Second, many industrial control systems today utilize both Basic Process Control Systems and Safety Instrumented Systems which are totally separated. Often, the amount of I/O dedicated to the Safety System is as large as the Basic Process Control System or greater. Thus, if FF is used only on BPCS, then the owner has to provide two different stores of spares and have maintenance personnel with heavy experience in two different technologies. By applying FF to Safety Systems, the store of spares will be halved in some cases and the skill sets of the maintenance forces will be reduced.

Of course, using FF has some great hurdles to leap. There is the mind set that digital devices just can not be trusted for Safety, regardless. Also, the current analysis tools for evaluating PFD and other safety criteria were developed on principles 10 to 15 years old that do not really take into account the value of detailed diagnostics.

Regards,
Charles Hill
Granherne Houston, FieldPlan
Stephen Mitschke
August 12th, 2003, 12:30 PM
Ian,

From an end user point of view we see many advantages once FF technology can be used for safety system applications.

First of all, the various areas of Capex savings are of interest - reduced wiring cost, reduced installation cost, reduced commissioning time. But more important will be the utilisation of the diagnostics and advanced diagnostics capabilities. This functionality will increase overall system reliability and availability and as a result will reduce spurious trips.

Furthermore, the advanced diagnostic features - especially for the process interface area - can in future provide an increased overall diagnostics coverage factor which will result in lower test intervals for a required Probability of Failure on Demand (PFD).

Envisaging a future PCS with both a process control bus and a separate safety system bus, this approach will enable easy and extensive use of the Measurement Validation & Comparison concept.

Peter Eigenraam
Instrumentation & Plant Automation
Shell Global Solutions International B.V.
Stephen Mitschke
August 12th, 2003, 12:30 PM
Ian

A few general items based on our present Malampaya project experience, where we have approximately 1500 FFb devices. Our safeguarding system is designed to meet the requirements of IEC 61508. We therefore used TUV approved transmitters with HART communications.

In order to utilise some of the HART diagnostic capabilities the HART is stripped from the analogue signal and input into AMS HART, which is at present a stand-alone system but with plans to fully integrate it into the control platform AMS. Foundation Fieldbus safeguarding devices would have allowed us to fully integrate the safeguarding into the AMS and therefore use the full AMS (Asset Management System) diagnostic capabilities. The number of elements in the loop (the HART stripper) could have been reduced, therefore reducing the failure possibilities. We also implement a Measurement Validation algorithm which compares the values of the safeguarding transmitter with that of a process transmitter mounted on the same part of the process. Using FFb devices for all of the transmitters would probably enable a simpler way of achieving this in AMS.

Commonality of spares and training are other drivers.

Reduced cabling, marshalling cabinets etc could be important on an offshore platform due to the reduced weight and installation foot print.

Would you please change my email reference to ken.jones@shell.com.ph

Regards
Ken

Ken Jones
Snr. Instrumentation Engineer
Shell Philippines Exploration B.V.
Stephen Mitschke
August 12th, 2003, 12:30 PM
It has always been beneficial having the same technology for all automation systems including Safety Systems, especially when we could integrate all subsystems as a single integrated system. When Safety Standards do not allow integrating with other Automation Systems, segregation may be one alternative.

Manufacturers benefit from manufacturing Safety Systems products as standard products with other automation products, hence lowering the cost; Users benefit from the lower cost, inventory, and human resource; Engineering Contractors benefit from implementing a single technology for the entire automation system.

Best Regards,
Waskita Indrasutanta
Stephen Mitschke
August 12th, 2003, 12:31 PM
Ian,

I find this whole debate on Safety fascinating.

I agree totally with Charles Hill on the ability of modern diagnostics to convert hidden (covert) failures into revealed (overt) failures but I can't help thinking that we may be approaching this issue from the wrong angle.

IEC 61508 has certainly focused our minds on the subject and what it says is that we must do a calculation on the "Equipment Under Control" (pipes, pumps, valves, tanks, etc. and the control system) and determine what is the "Risk" to life and limb. Then quite separately we have to determine what is an "Acceptable Risk" in our modern society and apply a black box (the safety system) to increase the integrity of the total system to a point where the Risk is reduced from the Initial Risk to the Acceptable Risk.

The debate so far has been about gaining approval to use FF technology in association with the black box Safety System.

Surely, if we can demonstrate a level of integrity that allows the use of FF in Safety Systems we must also be able to demonstrate a similar level of Risk Reduction in the basic control system. Unless, of course, we end up making two levels of equipment which defeats the whole object of the exercise.

I am totally convinced that the application of FF technology and widespread diagnostics are increasing the reliability of control systems by an order of magnitude and as such it is reducing the level of Risk Reduction necessary in the safety system but we don't know what these are and as such it can't be used. A point a prominent End User made in a marketing meeting held in Brussels last year.

If we could start the ball rolling with a quantified analysis of the increased reliability that FF brings, I am sure it would make the next step in the long path to safety a lot more easy. We may discover some limits in the technology that prevent us going the full distance but I also feel that we can achieve a great deal with what we have.

Your original question was one of justification. The use of FF technology and advanced diagnostics will increase the reliability of control systems to a point where the necessary Risk Reduction in the Safety System is very much reduced and in some cases the control system will satisfy totally the statutory requirement of Acceptable Risk.

Regards
Chris Allen (CJA Consulting)
Stephen Mitschke
August 12th, 2003, 12:31 PM
Ian,

Normally, a FF system would form the plant Basic Process Control System (BPCS) which would provide basic plant control, alarms, monitoring, data analysis etc. Where additional risk reduction is required, this would be provided by a separate system, conventionally often hardwired. IEC 61511 sets a lower limit of 10^-5 per hour on the frequency with which a BPCS which does not come within the scope of IEC 61511 should be assumed to place a demand on the safety systems and an upper limit of 10 on the risk reduction which could be claimed in a protective role. If claims better than these limits are made, then the system must meet the requirements of IEC 61511. There will be pressures in the future to consider the use of modern technologies such as FF in safety systems due to their lower cost, their operational advantages and the declining availability of non-fieldbus devices. For example, a separate safety fieldbus system could be provided, dedicated to the provision of risk reducing safety trips.

Advantages

An important feature of FF is that all devices have a high level of diagnostics, some having predictive diagnostics, i.e. the device can detect an incipient failure before actual failure occurs. The diagnostics run continuously, unlike in HART devices in which the diagnostics run only on demand; this might be typically every 10-15 mins.

Because much more information than just an analogue value or digital state can be sent along the fieldbus, devices (sensors and actuators) can inform the system about potential problems before a failure occurs, e.g. instrument working environmental trends, valve wear, transmitter fouling.

Because the processing power to monitor an instrument resides within the instrument, diagnostics specifically tailored to the instrument, and therefore much more comprehensive and sensitive, can be provided.

More diagnostics means a lower proportion of undetected dangerous failures.

A lower undetected dangerous failure rate and better stability means that there is a reduced need for scheduled maintenance and therefore a reduced probability of human factors induced failures.

An instrument can report its own status (e.g. failed, no input) without relying on the DCS to detect failure. As above, this self-monitoring can be much more comprehensive and sensitive than could be provided externally by just monitoring the 4-20mA signal. The probability of an undetected failure is therefore lower.

The status (e.g. failed, stuck) of actuators can be reported to the system. This is impossible with a one-way 4-20mA signal controlled actuator. Since actuators are often the least reliable part of a control system, this feature could result in significant increases in availability.

The very concept of diagnostic coverage as used in IEC 61508 and IEC 61511 has little meaning for most sensors and actuators unless the features only made possible by FF are used.

For critical control functions, the self-diagnostics make it possible to have redundant instruments without majority voting, the system rejecting an instrument reporting itself as bad or uncertain.

Actuators can be programmed to go to a predetermined state on communications failures or associated sensor failure. Thus the probability of unsafe failure modes can be reduced.

Because many device faults are self-diagnosed, the maintainer has to spend less time in the field investigating faults. In the nuclear industry, this could mean less dose uptake.

Because the data is transmitted in absolute terms (e.g. 10mBar not 4.7mA), instruments cannot be incorrectly scaled.

As FF becomes more popular 4-20mA/HART will fade away. This may seem a bit far fetched but how many 'simple' 4-20mA transmitters can you buy today that don't have HART on them?

A number of concerns arise from the use of FF sensors. These concerns are associated with the integrity of the sensors themselves, due to the uncertainty of the failure modes of the software, with their potential to undermine independent systems, and with their additional features that can modify their method of use. The software associated with fieldbus cannot be claimed to be functionally simple or extensively testable.

regards
Tom Nobes - BNFL
Stephen Mitschke
August 12th, 2003, 12:31 PM
I have just completed a Project which included a large liquid and gas incinerator. This device is fired by Natural Gas and from the safety perspective is treated like a boiler. To meet the requirements of our insurance company we must install a "Certified Control System" which is fail safe. Traditionally these systems were hardwired logic, a typical manufacturer is Hima.

On this project I installed a Hima system that is programmable, with a serial interface to the control system - Delta V. The programmable system provides a lot of flexibility over the hardwired system, is more reliable and takes up less space.

I wanted to use FF technology on the project but I could not due to these restraints. I did install FF instruments on non safety critical elements only.

I know it is in Emerson's game plan to introduce a Safe Delta V controller SIL Level 2 to the best of my knowledge. I don't know the release date yet.

On safety applications I do not want a separate system, I want one control system with seamless integration. Many elements may be "standard controllers and FF nodes" but where required in critical applications I may need a controller with a SIL rating and FF nodes with "proved Failsafe" communications.

I hope this answers your question.

Emmett (GSK)
Stephen Mitschke
August 12th, 2003, 12:31 PM
Ian,

These comments are related to both process emergency shutdown and fire and gas systems.

* To gain the advantages and efficiencies of Fieldbus systems - wiring, multidropping, footprint, I/O reduction etc.
* The self diagnostics and advanced features available from a digital system mean that in effect a FF installation in a safety related system enables greater integrity and plant availability.
* Transmitter comparison techniques can self validate, again leading to greater integrity.
* The time stamping by FF devices ensures accurate sequence of event reporting.
* FF Transmitters with dual processors will mean that possibly they will be given a higher SIL rating under certain configurations, thus reducing the redundancy requirements.
* HSE may result in the development of mini high reliability and availability safety systems which will interface to multiple hosts because of interoperability. This gives the opportunity to easily test "packages" eg., compressors and turbines and then readily connect to the main Host.
* Ease of Interface with the Host as a result of interoperability.
* Reduced cost, weight and complexity of hardware.
* A FF system provides a "scalable solution", therefore changes can be readily accepted (subject to rigorous change control of course).
* Harness the digital information providing effective asset management (maintenance) solution and integrating into procurement and logistic management.
* Utilising process control inputs for typically SIL1 applications ie., PCS inputs interfacing with SIS.
* Common platform for maintenance, thus minimising costs associated with multiple technologies.
* Remotely operated facility interface much improved with digital technology benefits.
* FF technology means that self diagnostics can fail the instrument to fail safe mode.
* FF, being digital, means that new diagnostic advances can be readily implemented.

The major hurdle to address in our opinion is that of FF competence for instrument manufacturers, suppliers, systems designers, engineers, technicians (design, installation, commissioning and maintenance). As this is new technology these personnel are generally not yet competent. Therefore it would be foolhardy in the short term to implement a system without this issue being addressed. The first action must be to train these people via FF accredited courses such as those put on by SAIT in Canada which are likely to be shortly licensed here in Australia too. Furthermore we consider installation of a FF process control system must be a pre-requisite before a safety system be considered. This will provide confidence that FF competence is at a level appropriate to installing FF in a safety system context.

Kind Regards,
Jim Russell / Tiong Lim
Woodside Energy Ltd
Perth, Western Australia
Stephen Mitschke
August 12th, 2003, 12:31 PM
Craig has a valid point here, and it is what the committee hopes to address through its efforts. What is required prior to starting work is the reason to do it in the first place, which is what all the useful comments people have provided will do. Thanks everyone and if you have any more please post.

Ian Verhappen
Syncrude Canada Ltd.

-----Original Message-----

Your feedback has been very constructive !!!

Surely FF is just the signal transmission protocol (just like 4-20 mA) and your wiring design will depend upon what safety architecture you are implementing (eg. 1oo1, 1oo1D, 1oo2, 1oo2D, 2oo2, 2oo3, 2oo4). The other emails outline the reasons and benefits for using FF technology, but the missing link is in a manufacturer developing the right hardware design to satisfy the above architectures and also meet with IEC 61511 certification. The safety system MUST be fail safe and carry the right approvals......... BPCS are not safety systems, they can fail dangerous !!!

Best Regards;
CRAIG LINGARD
KROHNE Australia Pty. Ltd.
Stephen Mitschke
August 12th, 2003, 12:31 PM
The Flexible Function Block provides some of the possibilities you mention Andrew, though the issue still remains of increasing the confidence level, through analysis and verification, that the communications backbone itself will not fail.

Ian Verhappen
Syncrude Canada Ltd.

-----Original Message-----

This leads to all sorts of other possibilities - How about FF function blocks for the logic? This could enable, in some instances, the entire SIS - Sensors, Logic Solver, and Final Element - being implemented on one (or more with LDs and HSE) segment. How does the concept of distributed logic affect reliability / availability determination?

Andrew Houghton, Kvaerner
Stephen Mitschke
August 12th, 2003, 12:32 PM
Ian,

Can I make a comment on Craig Lingard's response please.

Craig is correct in saying that the manufacturers have to design and get approved devices that meet the required SIL level but the communications protocol also has to be proved to be safe. It's no good having ultrasafe devices if the comms let you down.

The point I was trying to make in my previous note was that the advent of single loop integrity and advanced diagnostics will reduce the chances of an unsafe failure in the Process Control System and as such will reduce the level of Risk Reduction necessary in the Safety System.

Now, having said that, we may find that when we start to do an analysis on the FF protocol, that insufficient data is available to guarantee what the regulatory authorities consider to be safe. If we can't demonstrate an adequate level of Safety we must assume that it is not. Although this may not be true.

If we are looking for a place to start, try this. As an example, we could examine the mechanism that FF uses to check that each message sent is received in the correct location. We could then do an analysis on the probability of failure which will give a better understanding of the safety level to which it can go. We could then examine each aspect of the protocol and build up a complete picture of the likelihood of failure.

I am not an expert in this area but my understanding is that Profisafe have satisfied the authorities through this route. They have defined all of the possible failure states and then demonstrated a recovery path for each of these conditions.

Just a few thoughts.

Regards
Chris
CJA Consulting
Stephen Mitschke
August 12th, 2003, 12:32 PM
Dear Mr. Houghton,

I think you are on the right path. The entire FOUNDATION(tm) architecture including H1, function blocks, linking devices and HSE should be considered. Particularly interesting are the function blocks because they actually include a shutdown path. The blocks in the FOUNDATION(tm) programming language detect failures but also propagate the status along with the values and are used for failsafe shutdown (FF called this "fault-state" instead, on advice of lawyers...). For example, if a sensor or communication fails the PID loop goes into manual mode or can optionally initiate failsafe in the valve. This is an excellent mechanism but this part of the technology should also be examined from a safety perspective. The mechanism in the blocks allows you to strike the correct balance between safety and availability because you can select if less serious faults shall cause a shutdown or not etc. Because this logic is "built-in" into the regulatory control blocks the need for additional logic is drastically reduced. This reduces the chances of mistakes and makes verification easier. For additional functions I guess the flexible function block can be used.

I believe distributed architecture is the future of safety: "Increased availability through distributed safety". This means that when a fault is detected only a small part has to be shut down. The rest can continue operating, resulting in a better overall availability. Because status is passed along all values that go from one "controller" (instrument) to another and any communication failure would result in shutdown, a distributed architecture is safe. And as mentioned by many already, the increased diagnostics make it even safer.

You can reduce cost by using a single transmitter with built-in diagnostics instead of 1oo2 or 2oo3 style discrepancy checking requiring 2 or 3 transmitters to measure one point.

Check out chapter 10 in the book: "Process fieldbuses - Engineering, Operation and Maintenance"

Jonas Berge (Smar)
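The status-propagation idea in Jonas Berge's post above, the "redundant instruments without majority voting, the system rejecting an instrument reporting itself as bad" point in Tom Nobes's post, and the Measurement Validation comparison Ken Jones describes are all the same mechanism seen from three angles. The following is an added example, not code from any of the posters or from any fieldbus product: it carries a value together with a GOOD/UNCERTAIN/BAD status (the three FF status classes), excludes readings whose own device reports a fault, cross-compares the survivors, and lets the downstream trip logic decide what UNCERTAIN should mean. The tag names, tolerance, limit and readings are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    """Quality classes a fieldbus device attaches to every value it publishes."""
    GOOD = "good"
    UNCERTAIN = "uncertain"
    BAD = "bad"


@dataclass(frozen=True)
class Measurement:
    tag: str          # constructed instrument tag, e.g. "PT-101A"
    value: float
    status: Status


def validate(readings, tolerance):
    """Status-aware voting plus measurement validation.

    1. Drop any reading whose device reports itself BAD or UNCERTAIN (no 2oo3 needed
       to find a dead channel: the channel announces it).
    2. If two or more healthy readings remain, compare them; a spread beyond the
       tolerance means the devices disagree while each claims to be fine, so the
       combined value is downgraded to UNCERTAIN rather than trusted.
    3. No healthy reading at all yields a BAD result, which downstream treats as a fault.
    """
    usable = [r for r in readings if r.status is Status.GOOD]
    if not usable:
        return Measurement("validated", float("nan"), Status.BAD)
    values = [r.value for r in usable]
    mean = sum(values) / len(values)
    if len(values) >= 2 and max(values) - min(values) > tolerance:
        return Measurement("validated", mean, Status.UNCERTAIN)
    return Measurement("validated", mean, Status.GOOD)


def control_mode(m):
    """Status propagated into a regulatory block: only a GOOD input keeps the loop in AUTO."""
    return "AUTO" if m.status is Status.GOOD else "MANUAL"


def trip_decision(m, high_limit, trip_on_uncertain=True):
    """Trip logic fed by the validated value. BAD always trips (fault-state); UNCERTAIN
    trips or not according to the configured policy, which is the safety/availability
    trade-off the post describes. Returns (trip, reason)."""
    if m.status is Status.BAD:
        return True, "input status BAD: fault-state shutdown"
    if m.status is Status.UNCERTAIN and trip_on_uncertain:
        return True, "input status UNCERTAIN: transmitters disagree"
    if m.value > high_limit:
        return True, f"process value {m.value:.1f} above limit {high_limit}"
    return False, "healthy"


def scenarios(tolerance=1.0, high_limit=50.0):
    """Constructed pairs of safeguarding/process transmitter readings; returns the
    validated status, control mode and trip verdict for each case."""
    cases = {
        "agree":      [Measurement("PT-101A", 21.0, Status.GOOD), Measurement("PT-101B", 21.3, Status.GOOD)],
        "one_bad":    [Measurement("PT-101A", 21.0, Status.GOOD), Measurement("PT-101B", 0.0, Status.BAD)],
        "disagree":   [Measurement("PT-101A", 21.0, Status.GOOD), Measurement("PT-101B", 35.0, Status.GOOD)],
        "both_bad":   [Measurement("PT-101A", 0.0, Status.BAD), Measurement("PT-101B", 0.0, Status.UNCERTAIN)],
        "high":       [Measurement("PT-101A", 60.0, Status.GOOD), Measurement("PT-101B", 60.4, Status.GOOD)],
    }
    out = {}
    for name, readings in cases.items():
        v = validate(readings, tolerance)
        out[name] = {
            "status": v.status,
            "mode": control_mode(v),
            "trip_strict": trip_decision(v, high_limit, trip_on_uncertain=True)[0],
            "trip_lenient": trip_decision(v, high_limit, trip_on_uncertain=False)[0],
        }
    return out


if __name__ == "__main__":
    for name, r in scenarios().items():
        print(f"{name:10s} {r['status'].value:10s} {r['mode']:7s} strict={r['trip_strict']} lenient={r['trip_lenient']}")
```

The "one_bad" case is the point of the post: the failed transmitter removes itself, the healthy one carries the loop, and no third device is needed to out-vote the dead one. The "disagree" case is where the policy choice shows: a plant that values availability may log it and keep running on the mean, a plant that values safety trips immediately.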
Stephen Mitschke
August 12th, 2003, 12:32 PM
Ian,

I fully agree with the statement Chris makes.

PROFIsafe takes the following issues into consideration
- Repetition
- Deletion
- Insertion
- Resequencing
- Data corruption
- Delay
- Masquerade
- FIFO failure in the link

and finds solutions to eliminate them!

regards
E+H Process Solutions AG
Ludger Füchtler / Product Marketing Fieldbus
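Chris Allen suggests starting the protocol analysis with "the mechanism that FF uses to check that each message sent is received in the correct location", and Ludger Füchtler lists the failure classes PROFIsafe defends against. The block below is an added example written for this thread; it is not PROFIsafe, FF, or any vendor's implementation. It shows the standard ingredients such a safety layer uses on top of an ordinary ("black channel") link: source and destination identifiers, a consecutive sequence number, a sender timestamp checked against a watchdog, and a CRC over the whole frame, with the receiver latching its fail-safe value on the first fault it classifies. Frame layout, identifiers, timings and payloads are all constructed for the example.

```python
import struct
import zlib
from dataclasses import dataclass

# Constructed header layout: source id, destination id, sequence number,
# sender timestamp in ms, payload length. A CRC-32 over header+payload follows the payload.
HDR = struct.Struct(">HHIIH")
CRC = struct.Struct(">I")


@dataclass
class SafetyFrame:
    src: int
    dst: int
    seq: int
    ts_ms: int
    payload: bytes

    def encode(self) -> bytes:
        body = HDR.pack(self.src, self.dst, self.seq, self.ts_ms, len(self.payload)) + self.payload
        return body + CRC.pack(zlib.crc32(body) & 0xFFFFFFFF)


def decode(raw: bytes):
    """Return the frame if CRC and length fields check out, else None (treated as corruption)."""
    if len(raw) < HDR.size + CRC.size:
        return None
    body, crc = raw[:-CRC.size], CRC.unpack(raw[-CRC.size:])[0]
    if zlib.crc32(body) & 0xFFFFFFFF != crc:
        return None
    src, dst, seq, ts_ms, n = HDR.unpack_from(body)
    if len(body) != HDR.size + n:
        return None
    return SafetyFrame(src, dst, seq, ts_ms, body[HDR.size:])


class SafetyReceiver:
    """Consumer side of the safety layer. Any detected fault latches the fail-safe value."""
    FAILSAFE = b"TRIP"

    def __init__(self, my_id: int, peer_id: int, watchdog_ms: int):
        self.my_id, self.peer_id, self.watchdog_ms = my_id, peer_id, watchdog_ms
        self.last_seq = -1        # sequence numbers start at 0
        self.last_rx_ms = 0
        self.tripped = False

    def _fail(self, reason: str):
        self.tripped = True
        return reason, self.FAILSAFE

    def accept(self, raw: bytes, now_ms: int):
        """Classify one received frame. Returns ("OK", payload) or (fault name, FAILSAFE)."""
        if self.tripped:
            return "latched", self.FAILSAFE
        frame = decode(raw)
        if frame is None:
            return self._fail("data corruption")
        if frame.src != self.peer_id or frame.dst != self.my_id:
            return self._fail("masquerade")      # also catches a frame inserted by a third party
        if frame.seq == self.last_seq:
            return self._fail("repetition")
        if frame.seq < self.last_seq:
            return self._fail("resequencing")    # out of order, e.g. a FIFO fault in the link
        if frame.seq > self.last_seq + 1:
            return self._fail("deletion")        # a gap in the sequence
        if now_ms - frame.ts_ms > self.watchdog_ms:
            return self._fail("delay")
        self.last_seq, self.last_rx_ms = frame.seq, now_ms
        return "OK", frame.payload

    def tick(self, now_ms: int):
        """Called periodically: silence longer than the watchdog is itself a fault."""
        if not self.tripped and now_ms - self.last_rx_ms > self.watchdog_ms:
            return self._fail("delay")
        return "OK", None


def scenarios():
    """Constructed frames, one fault class per scenario; returns {scenario: verdict}."""
    SRC, DST, WD = 0x0101, 0x0202, 100
    good = [SafetyFrame(SRC, DST, i, 10 * i, b"PT-101 OK").encode() for i in range(4)]
    fresh = lambda: SafetyReceiver(DST, SRC, WD)
    results = {}
    rx = fresh()
    results["nominal"] = [rx.accept(f, 10 * i)[0] for i, f in enumerate(good)]
    rx = fresh(); rx.accept(good[0], 0)
    results["repetition"] = rx.accept(good[0], 10)[0]
    rx = fresh(); rx.accept(good[0], 0)
    results["deletion"] = rx.accept(good[2], 20)[0]
    rx = fresh(); rx.accept(good[0], 0); rx.accept(good[1], 10); rx.accept(good[2], 20)
    results["resequencing"] = rx.accept(good[1], 30)[0]
    flipped = bytearray(good[0]); flipped[HDR.size] ^= 0x01      # one bit of payload altered
    results["data corruption"] = fresh().accept(bytes(flipped), 0)[0]
    results["masquerade"] = fresh().accept(SafetyFrame(0x0303, DST, 0, 0, b"x").encode(), 0)[0]
    results["delay"] = fresh().accept(good[0], WD + 1)[0]
    rx = fresh(); rx.accept(good[0], 0)
    results["watchdog"] = rx.tick(WD + 1)[0]
    return results
```

Each check maps onto one entry of the list in the post: CRC for corruption, the id pair for masquerade and insertion, the sequence number for repetition, deletion and resequencing, the timestamp and watchdog for delay. The design choice worth noting is that the receiver never tries to repair a faulty stream; it goes to the fail-safe value and stays there until reset, which is what makes the analysis of "what happens on each failure" tractable in the way Chris describes for PROFIsafe.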
Stephen Mitschke
August 12th, 2003, 12:33 PM
I too find this discussion stimulating and revealing. There seems to be a "religious" attitude toward IEC 61508 and the whole question of using FFB to communicate safety data. My conclusion is that a properly configured FFB provides a far more secure data path than any alternative, and is better than any of the so-called safety buses. I suspect that a properly configured Profibus-PA/DP system is also as secure.

The purpose of a safety system is to assure rapid and immediate shut-down (SSD) when trip logic indicates shut-down is required. It must do this with a minimum of overhead and latency. In machine control, where all sensors are two-state switches, the SSD logic is simple and may not even require intelligence. In complex processes, shut-down may require many steps (like a batch procedure) to assure that human life is preserved.

With the addition of dual H1 FFB interfaces, and the use of dual sensors, FFB can provide the full redundancy necessary to comply with the detection of sensor failure. This goes beyond anything required in 61508. Use of redundant control level buses (FFB HSE or ProfiSafe) can extend the safety system to levels of reliability such that simple bus failures need not cause a safety trip. Remember that redundancy is not required for a safety system - ANY failure must be immediately detected and if so, the safety trip occurs. Adding redundancy only allows the definition of ANY to change.

All safety buses require diagnostic testing to be sure that all safety instruments and the bus itself remain intact. FFB and Profibus both perform this activity each and every scan as a normal part of their protocol. So do ControlNet and DeviceNet if they are properly configured for safety.

Dick Caro
============================================
Richard H. Caro, CEO
CMC Associates
Stephen Mitschke
August 12th, 2003, 12:33 PM
To start, you all (or in Texas terms - y'all) are certainly more experienced in this topic than I would ever hope to be. But it does raise one other interesting possibility. It seems to have the bull by the horns (another Texas concept?) in regard to how FF can be applied to a plethora of safety systems, etc. The thing that strikes me is who is trying and testing these various claims and developing the data base everyone needs in order to make the best possible decisions?

To get right to the point, why not set up a place like Lee College's Pilot Plant to act in a more proactive role vis-à-vis application tests and the like? It makes sense to me that the surest way to get answers is to set up the problem, define the test to study the problem, do it, analyze it, and report back on the findings. Of course this would require some front end costs, but if costs, labor, and technical expertise needs were properly distributed, it would not place too great a burden on any one organization. Being impartial and experienced in managing proprietary concerns, the college may be a logical location for going after specific plant-related issues. What I am proposing is not that heavy on the research side, but leans more towards the application of what is already there. As an example, we can theorize all day about what happens when a crane accidentally takes out a valve positioner on top of a pipe rack. If it can be addressed with available data, then fine, the question is answered. On the other hand, it is possible that for some applications, the only way to find out for sure (and to use as data to convince others such as regulatory agencies) may be to actually do it. Not wanting to use a shotgun to kill a fly, I would more than likely emulate the crane with a well placed blow from a 10 pound sledge hammer (wearing appropriate safety gear, of course). If the data suggests a new mouse trap needs to be designed, the data could also be forwarded to the appropriate institution or research body for further study.

I bring this up not because the school needs the work, but because it is a common theme which surrounds many of the topics presented in this forum. I am certain applicable tests are being done somewhere. However, I also think it is time to do something to establish a consistent means for performing such tests and disseminating the results as broadly as possible.

Any thoughts?

Chuck Carter
Center Director
Fieldbus Education Center
Lee College
Baytown, TX
Stephen Mitschke
August 12th, 2003, 12:33 PM
Why not employ TUV to perform a PFD test, they are the experts on SAFETY.....

Best Regards;
CRAIG LINGARD
KROHNE Australia Pty. Ltd.
Regional Sales Manager

It is funny that this subject should come up... last night I went to a lecture on the Space Shuttle control system in Houston. As I understand it, except for cabin fire and gas detection all other flight controls and safety systems use redundant buses for flight critical I/O. In the case of the Shuttle a redundant bus is termed a "string" and the Shuttle has four "strings" with four computers (controllers) in a redundant set. Not too different from the dual redundant safety system that we use. Their safety evaluation is very similar to that used by industry.

THX
Randy Marek
McDermott
Stephen Mitschke
August 12th, 2003, 12:33 PM
Not a Fieldbus solution but a relevant document.

Ian

Here is the milspec information http://ewhdbks.mugu.navy.mil/1553-bus.htm

THX
Randy

-----Original Message-----
From: Marek, Randy

If you use the HIMA safety system you can use their A1Digs to collect the I/O and then pass it to their HQ51 logic resolver over their TUV certified redundant data hiway. The difference is the I/O is connected using 4-20's or discretes, not a bus. On firm terra we gain the benefit of reduced wiring cost, what we do not gain is the diagnostic in the I/O that Fieldbus gives us... and a safety system that could use Fieldbus diagnostics and can alarm on the ill health of a sensor before failure is far better in the long run in my mind.

THX
Randy

Randy Marek, P.E.
Automation Section Leader
J. Ray McDermott Engineering
Stephen Mitschke
August 12th, 2003, 12:34 PM
Remember Deming: Steal shamelessly. The Military has had the milspec from 1973, and has been using it in aircraft. NASA has used fly-by-wire for the Shuttle from the get go. So this gives one insight into the thought process for using a bus in safety critical processes. Something the process industry has only begun to do. Using a single Fieldbus will probably not meet the needs, but dual redundant may... and eight is probably a bit much.

THX
Randy Marek, P.E.
Automation Section Leader
J. Ray McDermott Engineering
Stephen Mitschke
August 12th, 2003, 12:34 PM
Sorry I accidentally sent you an unfinished mail.

Regarding Randy Marek's comments, HIMA are not the only company offering certified fail safe communications, the certification being based on the PLC function block used for "Handshaking" the data transfer. As I understand it, it is not the actual link which is certified as this would have to include any other communication hardware used in between.

Regarding Derek's comments on additional diagnostics, it is true that more diagnostics gives more information on the device performance, which is an improvement on no diagnostics. However, in the safety systems environment the integrity of any programmable safety critical system is determined by the coverage factor of the diagnostics. High Integrity systems utilise both reference and comparison diagnostics to ensure a high coverage factor (95% plus). Of the <5% uncovered errors most will be only nuisance conditions but some may be safety critical and may take time to manifest themselves (waiting for the right combination of conditions). I am not aware that Fieldbus diagnostics currently have a substantiated "Coverage Factor", and what happens when a device is replaced with a later release or a different supplier? Is the segment diagnostic coverage affected? I believe this is a risk area and that Fieldbus should not be used for safety applications until it has been assessed as a safety system and not just a control system.

I am concerned that the control environment is not fully aware of the rigour needed in proving safety system integrity and Fieldbus technology raises many more questions not just in system design but also in change control on operational systems.

Best Regards
Ian Ramsay-Connell
Systems Sales Support Manager
Yokogawa United Kingdom Ltd.
Waterside House
Woodley Headland
Milton Keynes
MK6 3BY
ENGLAND
Tel DDI : +44 (0)1908 304503
Switchboard : +44 (0)1908 695505
Mobile : +44 (0)7810 518225
Fax : +44(0)1908 695510
e-mail : ian.ramsay-connell@yokogawa.co.uk
General email : systemsales@yokogawa.co.uk
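Several posts turn on the same quantity: Peter Eigenraam says a higher diagnostic coverage factor lets a required PFD be met with a different test interval, Tom Nobes says more diagnostics means a lower proportion of undetected dangerous failures, and Ian Ramsay-Connell asks what a 95% coverage factor actually buys and why an unsubstantiated one is a risk. The block below is an added worked example, not from any poster or from a standard's text; it uses the simplified IEC 61508 expression for a single-channel (1oo1) low-demand loop, PFDavg = lambda_DU * TI / 2 + lambda_DD * MTTR, where the diagnostic coverage DC splits the dangerous failure rate into a detected part lambda_DD = lambda_D * DC and an undetected part lambda_DU = lambda_D * (1 - DC). The failure rate, repair time and interval are constructed inputs, and the SIL bands are the standard PFDavg ranges for low-demand mode.

```python
import math

# Low-demand SIL bands as PFDavg ranges [lo, hi) per IEC 61508 / 61511.
SIL_BANDS = ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))


def split_dangerous(lambda_d, dc):
    """Split a dangerous failure rate (per hour) into detected and undetected parts
    using the diagnostic coverage DC in [0, 1]. Returns (lambda_DD, lambda_DU)."""
    return lambda_d * dc, lambda_d * (1.0 - dc)


def pfd_1oo1(lambda_d, dc, proof_test_h, mttr_h):
    """Simplified PFDavg for one channel: an undetected dangerous fault lies dormant
    for half the proof-test interval on average, a detected one only for the repair time."""
    ldd, ldu = split_dangerous(lambda_d, dc)
    return ldu * proof_test_h / 2.0 + ldd * mttr_h


def max_proof_test_interval(lambda_d, dc, mttr_h, pfd_target):
    """Largest proof-test interval (hours) at which the channel still meets pfd_target,
    i.e. the expression above solved for TI."""
    ldd, ldu = split_dangerous(lambda_d, dc)
    residual = pfd_target - ldd * mttr_h
    if residual <= 0:
        return 0.0          # repair time of detected faults alone already exceeds the target
    if ldu == 0:
        return math.inf     # perfect coverage: nothing is left for the proof test to find
    return 2.0 * residual / ldu


def sil_for(pfd):
    """SIL whose PFDavg band contains the value (0 = worse than SIL 1)."""
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return 4 if pfd < 1e-5 else 0


def coverage_table(lambda_d=1e-6, proof_test_h=8760, mttr_h=8, pfd_target=1e-3,
                   coverages=(0.0, 0.6, 0.95)):
    """Constructed case: lambda_D = 1e-6/h, yearly proof test, 8 h repair, SIL 3 target.
    For each coverage factor: PFDavg at the given interval, the SIL that achieves,
    and how far the interval could be stretched while still meeting the target."""
    rows = []
    for dc in coverages:
        pfd = pfd_1oo1(lambda_d, dc, proof_test_h, mttr_h)
        rows.append({
            "dc": dc,
            "pfd": pfd,
            "sil": sil_for(pfd),
            "rrf": 1.0 / pfd,
            "max_ti_h": max_proof_test_interval(lambda_d, dc, mttr_h, pfd_target),
        })
    return rows


if __name__ == "__main__":
    for r in coverage_table():
        print(f"DC={r['dc']:.2f}  PFDavg={r['pfd']:.2e}  SIL{r['sil']}  "
              f"RRF={r['rrf']:.0f}  max TI for 1e-3 = {r['max_ti_h']:.0f} h")
```

With these constructed numbers the same hardware sits in SIL 2 with no coverage and reaches SIL 3 at 95% coverage, and the proof-test interval that keeps it at 1e-3 grows from about 2000 h to roughly 40,000 h. That is the whole of Ian Ramsay-Connell's objection in one line: the claimed coverage, not the hardware, is carrying the result, so the coverage figure has to be substantiated and has to survive a device being swapped for a later release.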
Stephen Mitschke
August 12th, 2003, 12:34 PM
This posting at ISA Safety may clarify:

-- quote --
1. A Fieldbus architecture can be implemented by using small I/O safety systems in the field with communication via serial link to the SCADA / DCS. If safety related signals need to be sent via the serial link, this serial communication has to be TUV approved.
2. As long as the SCADA is only monitoring there is no problem. But if safety signals have to be transmitted then it is not possible. A safety communication can only be established between two safety systems. The SCADA can not generate a safe shut down signal in the first place, because it is not a safety system.
3. I am not aware of any company developing a safety fieldbus. I guess, the IEC 61508 will apply there as well.
> Berthold Ruhbach
HIMA Paul Hildebrandt GmbH + CoKG
-- unquote --

Best Regards,
Waskita Indrasutanta
zpric04
January 16th, 2006, 10:51 AM
Ian,
I see great information on safety systems for gas and petrochemical, but has anyone considered qualification with the NRC? In terms of technology advance and market now is a very opportune time to consider providing a qualified system for nuclear reactor applications. From what I am seeing in your post, this would definitely add another layer to your effort. From my experiences in this industry, discussions with vendors who have undergone NRC qualification, and discussions with petrochemical I&C engineers, the nuclear requirements could be considered more difficult. Concepts to consider are single failure, common mode failures, EMI/RFI, Environmental Qualification, Cyber Security, etc. Some documents to consider are the NRC's RG-1.53, RG-1.180; EPRI's EPRI-1003585, EPRI-1002835, and TR-106439.
The same benefits seen by other industries could be applied to nuclear as well. Cabling reductions, improved diagnostics, truly distributed control, etc. all are beneficial to 1E equipment.
ParthaSarkar
February 1st, 2006, 10:02 PM
I have not designed any FF based control system before. Could anybody send me the technical docs so that I can understand the subject from the very beginning and start building my understanding of this subject?
jberge
February 15th, 2006, 09:56 PM
You could start with chapters 3 and 8 of the yellow book "Fieldbuses for Process Control: Engineering, Operation, and Maintenance", which you can buy online:
http://www.isa.org/fieldbuses
Dan Dumdie
February 21st, 2006, 02:36 AM
ParthaSarkar,
As a starting point, you could view a few of our fieldbus multimedia clips (http://www.hmtutorials.com/Downloads.htm). We have an on-line and a CD-ROM version of a "Foundation Fieldbus Concepts" tutorial. The media is well laid out and uses an explorer type GUI (http://www.hmtutorials.com/distance/detail.htm). Visit our web site for a sample exam (http://www.hmtutorials.com/exams/ffc-intro1/ffc-intro1.html) to test your knowledge.
We would like to offer you and all Fieldbus Forum members a 30% discount for all on-line distance learning purchases. You can enter the coupon code "forum01" on the order form to get the discount. The CD-ROM option is also available from ISA (http://www.isa.org/Template.cfm?Section=Distance_Learning1&template=/Ecommerce/ProductDisplay.cfm&ProductID=7303).
I hope this helps.
Hamad_1974
March 21st, 2006, 07:01 AM
Hey Ian,
You do bring up a good question. Is Foundation Fieldbus ready to take on safety functions?
Here are a couple of points to highlight:
1- We need to look at the current situation: do we have reliability issues with the BPCS FF? If there are issues, then it may be a bit too early to use FF for safety applications. Noise susceptibility is an example.
2- Yes, FF will allow the diagnostics to be used and therefore the system would have some predictive maintenance data that could prevent major shutdowns and loss of production. This is good news, but how reliable are the diagnostic data? Can anyone answer with exact figures? What if I tripped on false diagnostics?
3- The number of devices on a certain segment would drastically decrease for safety applications due to the fast scanning requirements. Typically an ESD loop is executed at a much faster rate (150 - 400 msec) than the DCS/BPCS loop.
4- Remember you're adding more components to the segment such as the wiring block and terminators in the field. You will have to study their probability of failure on demand (PFD) and failure rate data.
My take on this issue is that YES FF is the best way to go from the ease of operability point of view. The real question is reliability. Remember when I have a demand to close a valve or shutdown a process, I want this system to perform its intended function as expected.
Thank you
Hamad Balhareth
Saudi Aramco
rezabejd
March 22nd, 2006, 11:07 AM
In any SIL calculation, there are elements that take into account the PFD and spurious trip rate. Safe failure percentage is another variable. So if using a bus, the aspects of the communication protocol that contribute to these elements would affect the risk reduction and spurious trip rate of the given SIF.
How is this different from a point-to-point wired system? Can't we achieve a similar level of diagnostic coverage on a "field" network, as the current SIS suppliers achieve on IO cards in a chassis? Aside from speed, how are 8 transmitters on a single non-redundant FF network different from 8 HART-smart transmitters connected to a conventional IO card?
Depending on the target SIL, a disconnected transmitter = a FF transmitter that isn't communicating, and is either a vote to trip (higher spurious trip rate) or "not" a vote to trip (e.g., logic degrades to 2oo2 instead of 1oo2). Same for both instances, isn't it?
Is the difference - at the moment - more than the diagnostic coverage? Once the diagnostic coverage on FF is comparable to what we have now on TUV qualified conventional IO, will a field network "look" any different to the logic?
More often than not, the contribution of sensors and logic solver to the PFD is small compared to the final element(s). FF will only make this better.
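The two ways of handling a transmitter that stops communicating that rezabejd describes (count it as a vote to trip, or drop it so the logic degrades), as an added Python example that is not code from any poster or any vendor's product. The MooN generalisation (1oo2 degrading to 1oo1, 2oo3 to 2oo2), the use of device-reported status alongside loss of the cyclic update, the fail-safe trip when no device is left, and the readings themselves are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Sequence, Tuple


class LossPolicy(Enum):
    """How the logic solver treats a transmitter that is no longer communicating."""
    VOTE_TO_TRIP = "vote_to_trip"  # loss of the cyclic update counts as a trip vote
    DEGRADE = "degrade"            # drop the device and vote on those still live


@dataclass(frozen=True)
class Reading:
    value: Optional[float]  # None: no valid update received (device off the segment)
    good: bool = True       # device-reported status; False for BAD/UNCERTAIN (assumed)


def vote_moon(readings: Sequence[Reading], m: int, trip_limit: float,
              policy: LossPolicy) -> Tuple[bool, int, int]:
    """MooN voting over one transmitter group.

    Returns (trip, effective_m, effective_n) so the caller can see what the
    group degraded to. A reading with no value or a non-good status is lost.
    VOTE_TO_TRIP: each lost device is a trip vote (fail-safe, more spurious trips).
    DEGRADE: lost devices are removed; M is kept but capped at the devices left,
    so 1oo2 becomes 1oo1 and 2oo3 becomes 2oo2 (assumed degradation scheme).
    """
    n = len(readings)
    lost = sum(1 for r in readings if r.value is None or not r.good)
    live_trip_votes = sum(1 for r in readings
                          if r.value is not None and r.good and r.value >= trip_limit)
    if policy is LossPolicy.VOTE_TO_TRIP:
        return live_trip_votes + lost >= m, m, n
    eff_n = n - lost
    if eff_n == 0:
        return True, 0, 0  # nothing left to vote with: assumed fail-safe trip
    eff_m = min(m, eff_n)
    return live_trip_votes >= eff_m, eff_m, eff_n


def compare_policies(readings: Sequence[Reading], m: int, trip_limit: float):
    """Run both policies on the same readings to show the spurious-trip trade-off."""
    return {p.name: vote_moon(readings, m, trip_limit, p) for p in LossPolicy}


if __name__ == "__main__":
    # Constructed scenario: a 1oo2 pair with trip limit 100, one device off the
    # bus and the other reading normally, i.e. no real demand is present.
    pair = [Reading(None), Reading(50.0)]
    print(compare_policies(pair, 1, 100.0))
    # VOTE_TO_TRIP trips (a spurious trip); DEGRADE holds as 1oo1 on the live device
```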