Safety Instrumented Systems / Fieldbus

When to Use Wireless in Safety Applications

It Comes Down to Reliability, and Simple Differences Add Up to Significant Limitations

By William L. Mostia, PE

The use of wireless devices has become ubiquitous in our lives, and is growing in the process, oil and gas industries. While first used for data communication with remote locations (e.g., SCADA), wireless applications have blossomed inside the fence of many plants and facilities. These applications generally started as monitoring points where copper wire was not readily available or was expensive to run, or in applications that were not feasible with wiring at all — generally applications you couldn’t do in the past.

Success in these projects led to a desire to expand into control and, later, into safety applications. Using wireless technology for process control, which might have seemed almost blasphemous just a few years ago, is today gaining broader acceptance, at least for non-critical loops. A good deal of skepticism remains for critical process control and safety applications.

This expansion is not without controversy, particularly in the area of safety, but there is increasing pressure because of its perceived benefits to use wireless in safety and in applications that affect safety. Just how much wireless can we use in safety applications, including instrumented protective systems, such as safety instrumented systems (SIS) and other independent protection layers (IPL) and instrumented systems that provide increased safety? These can include situations where failure of the control system can serve as an initiating cause of a hazardous event.

Potential Places for Wireless in Safety
First, what type of applications are we talking about? We mentioned control systems, which are used to keep our processes under control and within the process safety limits. If you peruse any layer of protection analysis (LOPA), you will find that many of the initiating causes are listed as basic process control system (BPCS) failures. These systems use critical control loops, and their reliability is of the same concern as that of an IPL offering a risk reduction factor (RRF) = 10. Using wireless for a critical control loop brings on safety concerns, just as it does for safety alarms.

The most obvious instrumented safety systems where wireless might be considered are safety alarms and safety instrumented functions (SIFs). The ISA S84 committee recognized that there was a desire by some in industry to use wireless in safety and commissioned Working Group (WG) 8, which is developing a technical report, “TR84.00.08, Guidance for Application of Wireless Technology to Safety Alarms.” This technical report provides guidance intended to demonstrate that the wireless system can be designed to be sufficiently robust to meet the requirements of an IPL. The potential use of wireless for SIS applications is still under discussion by the committee.

There are other safety-related applications that provide increased process safety, but are not considered IPL material from the LOPA perspective. These provide a risk reduction less than RRF = 10, provide an unquantified risk reduction, or exist downstream of the loss of containment. Examples of this are safety systems such as combustible or toxic gas detection, fire detection, leak detection and emergency shutdown switches. This brings up the concept of increased process safety — additional safety that can be provided over and above the minimum required by your risk assessment. This is a safety area where wireless potentially can be applied, particularly where increased safety is better than no safety.

Wireless vs. Wired: The Important Differences
Currently accepted signals for safety I/O include 4-20 mA and on/off 24 Vdc and 120 Vac. Digital fieldbus in safety has experienced limited, but growing, acceptance. To compensate for concerns about using wired digital communication in safety applications, safety protocols such as ProfiSafe, Foundation fieldbus FF-SIS and vendor proprietary protocols (e.g., Delta V SISNet, Honeywell SafeNet, Triconex Safe Peer-to-Peer, etc.) were developed. Concerns about using digital fieldbus in safety also led the ISA S84 safety committee to establish Working Group 6 on safety fieldbuses, which has issued technical report “TR84.00.06-2009, Safety Fieldbus Design Considerations for Process Industry Sector Applications.”

The open safety protocols generally use a “black-channel” approach (also called tunneling or “medium agnostic”). The approach uses a non-trusted transmission system (the network access points, couplers, routers, etc.) and a generic transport protocol (Ethernet) that is not safety-certified; the safety-layer protocol riding on top carries its own end-to-end integrity checks, so nothing in the channel itself has to be trusted.

At this point in time, wired digital fieldbuses have general acceptance in industry for control and monitoring applications, so let us, as a point of discussion, assume that a digital safety fieldbus is acceptable for safety applications. What is the difference between a wired application and a wireless application? The three differences are the communication channel (wires vs. the atmosphere), the radios that wireless requires, and the fact that most wireless applications are on the input side, where the field instruments are powered by batteries. The measurement or action and the conversion to/from digital information are the same; once decoded, they are processed the same way.


The fact that most wireless instruments are on the input side is not a great concern, but battery replacement requires management (although that condition is not unique to wireless safety application). If a black-channel safety protocol is used, most of the safety concerns for wireless are the same as for a wired application using the same protocol. This leads us to be primarily concerned with the reliability of the wireless channel to consistently transmit critical data.

Prey to Human Nature and Mother Nature
The general requirements for any safety signal channel are reliability, fail-safe action free from internal and external interference, and the level of support required. Reliability for an instrument loop is essentially the ability to perform what is required, when it is required, and not to perform when it is not required. For a wireless connection using a standard fieldbus, many of the reliability requirements are the same. It must receive an accurate, error-free signal from the correct device in a timely manner. For safety applications, fail-safe action is desired and is provided by the digital safety protocols if used, which would similarly be applicable for the wireless channel. This fail-safe action may also make wireless less suitable for safety applications, as unreliability of the wireless channel may lead to an unacceptable level of spurious trips where loss of communication with the instrument is a vote to trip or to activate, in the case of safety or diagnostic alarms. Alarms with too many spurious activations lead operators to ignore or defeat them. The result can be the perception that wireless is unreliable in safety applications.
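To make the black-channel idea and the receive-side checks described above concrete, here is an added Python example, constructed for this article and not code from ISA, the S84 working groups or any fieldbus vendor. It models a toy safety layer carried over an untrusted transport: every frame carries a source address, a sequence number and a CRC, and the receiver accepts a frame only if it is error-free, from the correct device and not a repeat of one already seen; loss of communication past a watchdog is treated as a vote to trip. The frame layout, the CRC polynomial, the device address, the trip and watchdog values and the dropped-frame patterns are all assumptions made up for the example, not any protocol’s real values.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed frame layout for a toy safety layer carried over an untrusted
# transport (the "black channel"). It is an assumption for this example, not
# the frame format of any real safety fieldbus:
#   uint16 source_id | uint32 seq | float32 value | uint16 crc16
BODY_FMT = ">HIf"
CRC_FMT = ">H"
BODY_LEN = struct.calcsize(BODY_FMT)             # 10 bytes
FRAME_LEN = BODY_LEN + struct.calcsize(CRC_FMT)  # 12 bytes


def crc16_ccitt(data: bytes) -> int:
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF); bitwise for clarity."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def build_frame(source_id: int, seq: int, value: float) -> bytes:
    """Transmitter side: body plus a CRC computed over the body."""
    body = struct.pack(BODY_FMT, source_id, seq, value)
    return body + struct.pack(CRC_FMT, crc16_ccitt(body))


@dataclass
class SafetyReceiver:
    """Receive-side checks of the safety layer; the transport below is untrusted."""
    expected_source: int
    trip_limit: float      # process value at or above which the function must act
    watchdog_ms: int       # longest silence tolerated before fail-safe action
    last_seq: Optional[int] = None
    last_rx_ms: Optional[int] = None
    last_value: Optional[float] = None

    def accept(self, frame: bytes, now_ms: int) -> str:
        """Validate one frame; returns "good" or the reason it was rejected."""
        if len(frame) != FRAME_LEN:
            return "length"
        body, crc_bytes = frame[:BODY_LEN], frame[BODY_LEN:]
        (stored_crc,) = struct.unpack(CRC_FMT, crc_bytes)
        if stored_crc != crc16_ccitt(body):
            return "crc"            # corrupted in transit: not error-free
        source_id, seq, value = struct.unpack(BODY_FMT, body)
        if source_id != self.expected_source:
            return "source"         # not from the correct device
        if self.last_seq is not None and seq <= self.last_seq:
            return "duplicate"      # repeated or out-of-order copy of an old frame
        self.last_seq, self.last_rx_ms, self.last_value = seq, now_ms, value
        return "good"

    def output(self, now_ms: int) -> Tuple[str, str]:
        """Safety function output: ("TRIP", reason) or ("RUN", "")."""
        if self.last_rx_ms is None or now_ms - self.last_rx_ms > self.watchdog_ms:
            # Loss of communication is a vote to trip (fail-safe action).
            return ("TRIP", "watchdog")
        if self.last_value >= self.trip_limit:
            return ("TRIP", "process")   # genuine demand on the safety function
        return ("RUN", "")


def simulate(dropped: Set[int], frames: int = 10, period_ms: int = 1000,
             watchdog_ms: int = 2500) -> List[str]:
    """Send one healthy frame per period over a lossy channel (constructed
    drop pattern) and record the trip reason, if any, at every tick."""
    source = 0x0A01                                   # assumed device address
    rx = SafetyReceiver(expected_source=source, trip_limit=100.0,
                        watchdog_ms=watchdog_ms)
    reasons = []
    for i in range(frames):
        now = i * period_ms
        if i not in dropped:                          # frame survived the channel
            rx.accept(build_frame(source, i, 50.0), now)
        reasons.append(rx.output(now)[1])
    return reasons


if __name__ == "__main__":
    print("single loss:", simulate({2}))
    print("burst of 3 :", simulate({2, 3, 4}))
```

Running `simulate({2})` shows that a single lost frame stays inside the watchdog and produces no trip, while `simulate({2, 3, 4})` shows a burst of three lost frames driving the output to the safe state at the fourth tick even though the process value never approached the limit. That is the communication-induced spurious trip discussed above, and the watchdog setting is the knob that trades tolerance of channel outages against how long the function may run on stale data.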

The wireless channel, however, adds a unique set of challenges primarily due to the openness of the channel to outside influences, transmission path complexities and additional hardware sophistication. In a wired connection, we control the channel to a very large extent. Outside influences are primarily electromagnetic interference (EMI), radio frequency interference (RFI), which can be shielded against, and influences of our own making (by design, maintenance, operation, abuse, etc.).

With wireless, our control of the communication channel stops at the end of the antenna and with it, to a significant extent, our influence on reliability beyond what is provided by the communication protocol and by controlling the number of paths and interfaces between wireless and wire. Figure 1 illustrates a mesh arrangement where there are multiple communication paths to the redundant access points.

By its nature, wireless communication is open to outside influences from Mother Nature, as well as human influences. Mother Nature gives us lightning, weather, solar magnetic storms, solar plasma ejection, etc. Unintentional human influences can come from the increasing wireless nature of our society, as well as the growing wireless infrastructure in our plants and adjoining ones. Intentional influences include hackers and terrorists — a simple denial-of-service attack could wreak chaos on a system that depends on wireless. The ISA 99 committee, Industrial Automation and Control Systems Security, has been established to address cybersecurity and is working to address wireless system security issues. Standard wireless communication protocols typically also provide some form of encryption of the transmitted signals to help combat this.

Wireless communication channels inherently introduce more potential transmission latency and non-determinacy considerations, as well as the possibility of multiple identical signals, and transmission distance is limited by FCC/ITU regulations (transmit power) and by installation (location), as well as by varying seasonal and atmospheric conditions.

The level of sophistication required to design, maintain and sustain a wireless system reliable enough for safety application is an order of magnitude greater than for the equivalent wired safety fieldbus system, and will place a greater emphasis on support by vendors, manufacturers and third parties. While, on the surface, wireless links may be easier to install, the maintenance and management support required is much more sophisticated, and the lifecycle costs may be higher than for an equivalent wired installation.

It All Comes Down to Reliability
The issue primarily comes down to wireless channel reliability and what occurs if it is unreliable. If a safety communication protocol is used, most of the safety reliability concerns are not greatly different from those of a wired fieldbus safety application, though malicious human interference adds an extra dimension. The RF design, installation, hardware and support are more complex and sophisticated, which can have a significant effect on reliability. On the spurious activation side, fail-safe action caused by wireless channel unreliability can lead to increased costs and safety concerns on restart, reduced system availability, and the perceived unreliability of safety and safety-related wireless applications.

Wireless has the potential to improve plant safety where wired systems are impractical, and can provide additional information to the operator that might not be readily available otherwise, increasing the plant’s overall safety.

William L. Mostia, PE, Fellow, SIS-TECH Solutions, is a frequent contributor to Control.