Voices: Rezabek

Tolerate less redundancy

Today, with Foundation fieldbus, the old redundancy paradigm no longer applies. Chances are, though, it isn’t free. So where should you apply it to achieve the fault tolerance you need?

Focus on Fieldbus

By John Rezabek, Contributing Columnist

While designing our first Foundation fieldbus (FF) segments in 1999, we had a one-day training session for our engineers and designers. Someone cracked open the case of the proposed FF power conditioners and we were aghast to find multiple integrated circuits (ICs) and (gasp!) fuses. A single point of failure for our multi-loop segments! There were red faces and bulging veins, and during the ensuing weeks, I was perhaps a bit more unpleasant toward our system integrator than normal.

Our attitude was compounded by a new supplier that had relatively modest redundancy in its system. Bulk DC power, controllers, and controller power supplies were redundant, but nearly everything else was simplex. We became less confident this supplier fully appreciated the demands the plant placed on us: basically to never shut down.

One way we found comfort was fieldbus backup link active scheduler (BLAS). In theory, if the system had a bad day, control on the segment would continue uninterrupted. However, for this to function, one needs reliable segment power. The theoretical segment power conditioners, made up of basic inductors, capacitors, resistors, etc., could be considered a simple device, akin to the 250 ohm dropping resistor in a legacy system. But to make them more compact and efficient, manufacturers used ICs. These were not simple devices.

After much agonizing, our supplier saved the day with a redundant solution that was effectively a really simple device.

We put the bulky redundant conditioners only on that 20% of the segments we considered critical. We used the non-redundant devices, those with the ICs and fuses, on the remaining 50 segments, which had between three and 15 devices. Most of the valves in the plant were Level 3, which means they could go to their fail positions without causing a shutdown. We applied this engineering judgment because then, as now, redundancy cost more, took up more space, supported fewer instruments per segment, generated more heat, and added complexity.

The irony is—after six years under continuous power and 90% of it running as a continuous process—none of the non-redundant power conditioners ever failed in a way that caused a valve to go to its fail position. Nearly half of them did fail, but not in a way that caused more than nuisance alarms or controller-mode shedding. Many, maybe most, failure modes don’t result in a process upset. Simply put, all components, especially those with improved diagnostics, can have sufficient fault tolerance without being redundant.

Today, we have a good selection of redundant power conditioners, redundant H1 cards, and even solutions that accommodate redundant H1 trunks. But they aren’t free.

Redundancy became commonplace in the late 1980s when second-generation DCSs, in response to demands for improved fault tolerance from the large process industries, began to offer redundancy at the power supply, controller, I/O, network, and HMI levels. We justified redundancy’s increased cost, complexity, and system footprint in light of the dire consequences of a process shutdown. By achieving fault tolerance for the DCS, we could deliver a solution that was equally, if not more, fault tolerant than pre-DCS, single-loop solutions.

Sometimes it seems we have a whole generation of systems specialists who only remember that TDC-3000 was vastly more fault-tolerant than TDC-2000, largely due to available redundancy at all levels. I was among those who dismissed any PLC or DCS that didn’t offer redundant controllers, I/O, power, and networks for any application more demanding than wastewater treatment or filter cleaning.

Today, with Foundation fieldbus, the old redundancy paradigm no longer applies. Chances are, though, it isn’t free. So where should we apply it to achieve the fault tolerance we need?

Have you noticed the “spurious trip rate” statistic that falls out of SIL analyses? Even the most obsessively redundant, bulletproof automation can potentially shut down the plant. Maybe it’s every 30 or 18,000 years, but it’s not never.

Why not use something similar for our basic controls? Hey, suppliers, we users need tools that have inserted statistics for MTTF and so on, so we can judiciously apply redundancy to components and services where we need it. On my next project, if I mess with all the old Level 1, 2, 3 stuff, I want to be able to tell my project manager I know precisely where to apply redundancy to achieve the fault tolerance demanded by operations.


  About the Author
John Rezabek is a process control specialist for ISP Corp. in Lima, Ohio. You can reach John at jrezabek@ispcorp.com.
