Safety Fieldbus is Approaching—with SIL 3
"The fieldbus is ready for practical use"—such was the conclusion of the fieldbus experience reports, presented in November 2004 at the general assembly of NAMUR (User Association of Process Control Technology in Chemical and Pharmaceutical Industries). This statement is based on several chemical and pharmaceutical production plants with all-digital control which have been fully operational for more than one year. These experiences of DSM, Sanofi-Aventis, Novartis and Clariant are compiled in the FuRIOS 2 Compendium. However, there was one downer: for safety-related systems conventional wiring needs to be installed in parallel to the fieldbus network, as the safety-related fieldbus based on IEC 61158-2 is not available, or not yet! At the Interkama+ fair in April 2006 in Hannover, Germany, the first samples of safety-related fieldbus devices were presented!
Field device for safety-related fieldbus.
NAMUR Recommendation NE 97
NE 97 “Fieldbus for safety applications” was published in March 2003 and defines the principle on which safety-related signals can be transmitted via the fieldbus network. One of the basic assumptions is that these signals are transmitted via the same cable as the standard process control signals, so additional parallel wiring is not necessary. However, if one imagines a network with a maximum of 32 nodes and assumes a SIL appraisal of the entire signal chain, including signal processing and field devices (as with conventional point-to-point wiring), it is easy to gain an impression of the complexity of this task. On top of that comes the expenditure of money and time needed for SIL certification of all components, as a stable data basis for assessing operational reliability (proven-in-use) does not yet exist for the new fieldbus technology. In conjunction with modern software safety mechanisms, NE 97 offers an escape route out of this dilemma by considering the safety-related field device as three functional groups:
- The sensor or actuator itself only differs from its conventional twin in terms of fieldbus connection, so proven-in-use as defined by NE 79 is adequate here.
- A safety-related protocol stack is defined in the fieldbus software and certified in accordance with IEC 61508. Together with the safety PLC (SSPS), it ensures that data falsification or loss is certainly detected and corrected.
- The device manufacturer need only develop and suitably certify the interface between the certified protocol stack and proven-in-use sensor/actuator.
This appraisal makes complex certification of the complete device unnecessary. Moreover, as the safety-related protocol stack intercepts all data errors in software, a SIL appraisal of the passive communication elements (i.e. the fieldbus installation technology) is also not necessary. This naturally only applies where no signal processing occurs in the communication chain.
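The division of labour described above rests on the safety-related protocol stack detecting falsified, lost and repeated frames on its own, whatever the underlying fieldbus and installation technology do with them. The following added example (not code from NE 97, PROFIsafe or FF-SIS, and using a frame layout constructed for illustration rather than either real profile's format) shows the receiving side of such a stack: a consecutive number and a CRC-32 protect each safety PDU, and any detected error forces the receiver into its safe state.

```python
# Added illustration of the "Black Channel" principle: the safety layer alone
# detects falsified, lost and repeated frames, because the fieldbus below it is
# not SIL-appraised. The PDU layout is constructed; it is NOT PROFIsafe/FF-SIS.
from __future__ import annotations
import struct
import zlib

HDR = struct.Struct(">BH")   # frame type (1 byte) + consecutive number (2 bytes)
CRC = struct.Struct(">I")    # CRC-32 trailer over header and payload

def build_safety_pdu(seq: int, payload: bytes) -> bytes:
    """Wrap a process value: header + payload + CRC-32 protecting both."""
    body = HDR.pack(0x01, seq & 0xFFFF) + payload
    return body + CRC.pack(zlib.crc32(body))

class SafetyReceiver:
    """Receiving end of the safety stack; any detected error forces the safe state."""
    def __init__(self) -> None:
        self.expected_seq = 0
        self.safe_state = False   # True once outputs have been forced to the safe state

    def accept(self, pdu: bytes) -> tuple[str, bytes | None]:
        if len(pdu) < HDR.size + CRC.size:
            return self._fail("truncated")
        body, (crc,) = pdu[:-CRC.size], CRC.unpack(pdu[-CRC.size:])
        if zlib.crc32(body) != crc:
            return self._fail("falsified")          # bit errors or tampering in transit
        _, seq = HDR.unpack_from(body)
        if seq == (self.expected_seq - 1) & 0xFFFF:
            return self._fail("repeated")           # previous frame delivered twice
        if seq != self.expected_seq:
            return self._fail("lost")               # gap in the consecutive numbers
        self.expected_seq = (seq + 1) & 0xFFFF
        return "ok", body[HDR.size:]

    def _fail(self, reason: str) -> tuple[str, None]:
        self.safe_state = True
        return reason, None

def demo() -> list[str]:
    """Push three frames through a constructed faulty channel and return the verdicts."""
    rx = SafetyReceiver()
    pdus = [build_safety_pdu(i, struct.pack(">f", v)) for i, v in enumerate((1.5, 1.6, 1.7))]
    verdicts = [rx.accept(pdus[0])[0]]            # intact frame -> "ok"
    damaged = bytearray(pdus[1])
    damaged[HDR.size] ^= 0x80                     # channel flips one payload bit
    verdicts.append(rx.accept(bytes(damaged))[0])  # -> "falsified"
    verdicts.append(rx.accept(pdus[2])[0])        # seq 2 arrives while 1 expected -> "lost"
    return verdicts
```

Once `safe_state` is set, a real stack would hold the outputs in the safe state until an explicit operator acknowledgement; the example only records the verdict.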
Topology of standard and safety-related fieldbus signals.
In addition, NE 97 gives recommendations on secure fieldbus topologies (see image "Topology of standard and safety-related fieldbus signals") and measures to be taken during system operation.
Status of Fieldbus Organisations
Both the "Profibus Nutzerorganisation (PNO)", the Profibus User Council, and the Fieldbus Foundation (FF) have taken up this challenge. The latter commenced a project at the end of 2002 to further develop Foundation Fieldbus H1 towards SIL 2 and SIL 3. Safety-related function blocks were developed under the name “Fieldbus for Safety Instrumented Systems (FF-SIS)”. These meet IEC 61508 requirements and can be used in parallel with standard function blocks complying with IEC 61158. This means that the familiar H1 protocol has not changed (Black Channel, see image "FF-SIS Structure").
FF-SIS Structure
The concept was approved by the German TÜV in February 2004, and Infraserv Höchst Technik (now R&M Industrieservice) was commissioned with validation testing in April. At the end of 2005 several major end users and manufacturers started test procedures at Shell DSM in Antwerp, The Netherlands.
With regard to Profibus, well over 3000 systems are in operation with PROFIsafe. The PROFIsafe profile for PA devices in process automation was approved in December 2004, and certification of devices will start soon. This profile, too, follows the recommendations of NE 97 (see image "PROFIsafe for PA"). At the Interkama+ 2006 fair in Hannover, Germany, the first field devices and installation concepts were presented.
PROFIsafe for PA
Fieldbus Installation Technology and Safety Fieldbus
Although the installation technology illustrated above is not subject to SIL appraisal, it should be characterised by maximum availability and reduce signal interference to a minimum. Although, thanks to the safety mechanisms inherent in the certified protocol stack, such interference does not lead to hazardous situations, it can impair continuous operation of the system. The insulation, redundancy and protection concepts of FieldConnex® as well as comprehensive diagnostic options enable the realization of optimally protected topologies for future applications involving safety-related fieldbuses.
Optimum topology protection.