MANY FIELDBUS organizations are developing their first fieldbus safety products. A few of these companies recently released them. These fieldbus organizations say their fieldbus safety devices comply with their appropriate safety standard. This, in turn, indicates that the device is compliant with and consistent with IEC 61508 and verified by TÜV or some other safety organization.
However, the “check mark” doesn’t mean the device itself is safety certified to a certain SIL level. The manufacturer and associated safety-certifying organizations will continue to be responsible for having their device certified to the appropriate SIL rating. Most safety fieldbus specifications are designed so devices can achieve a SIL 2 rating. With proper engineering design, a SIL 3 rating is possible.
Most safety buses use a “black-channel” model as their basis. So, rather than developing a new communications protocol from scratch, their safety protocols can add protections and other features to ensure timing/transmission and communications integrity between devices. It’s these enhancements that make the bus a “safety bus” and, in many cases, allows sharing of the infrastructure between that safety bus and conventional control communications. Even though the standards allow sharing of the physical layer for safety and control communications, I don’t feel that too many users, if any, will mix the two systems.
One of the other major advantages of using a “black-channel” model is that the physical layer for the safety network will be the same as the “standard” protocol and, if desired, one network could contain both safety- and non-safety-related devices.
This article’s accompanying figure shows how IEC 61508 requirements have been added to either end of the H1 communications channel to meet the needs of the safety system. Typical enhancements made to the device include:
- Watchdog timer, which is an additional internal timer added to the device to ensure that communications occur when they are supposed to, and to verify that all the internal diagnostic functions in the device are working properly.
- Cycle Redundancy Check (CRC), which is made on all messages to verify that the series of bits is not corrupted in transmission.
- Transmission Sequence Check, which ensures that received data arrives in the correct order or sequence, and that it’s the most current transmission. This ensures that information being received isn’t stale and from an earlier message than is expected by the system time.
FIELDBUS SAFETY EXTENSIONS
Besides these features, various protocols have additional requirements unique to their implementation.
Overall, fieldbus safety system implementation likely will follow the same adoption cycle as the original network, with devices being available for some time before associated host systems can take advantage of their new functions and features. The lack of host systems/logic solvers and associated engineering tools/software supporting safety functions will be the Achilles heel that slows the adoption of safety fieldbus. I don’t know any engineer who will install a safety fieldbus system without these tools being available and certified.
The device manufacturers have developed these devices to the IEC 61508 standard. However, end users installing this equipment must understand their responsibility for maintaining compliance with IEC 61511. Before installing a fieldbus safety system, be sure to work with consultants who are not only knowledgeable about fieldbus implementations, but also about safety system designs.
|About the Author|