The factory had issued a recommendation to flash an earlier generation of fieldbus interface cards, also known as H1 cards. Like many microprocessor-based devices (home routers and smart phones, for example), a flash involves installing new firmware in the appliance, so named because, while it’s software, it’s more immutable than your smartphone apps. You may have noticed these tasks invariably mean the device goes offline and reboots after the new image is installed. But in this case, the systems specialist failed to notice the H1 card in question was not redundant, and once the process was started, it couldn’t be reversed. What would happen to the control valves on the affected segments?
There was some indigestion for the minutes it took for the H1 card to come back online, but to everyone’s relief nothing dire happened—the valves’ default behavior was to hold last position and when the card was once again fully functional, the associated loops picked up where they'd left off. Measurements and final control elements effectively never went offline. While field power was maintained over its two-wire communications network, valves held and measurement devices continued measuring, awaiting the host system to send or request an update. The site had effectively tested and demonstrated a valuable feature of two-wire fieldbus—the controls could ride through a host system faux pas without the process being adversely affected.
It was not unknown for a DCS or PLC to allow some manner of configurable behavior for its conventional I/O, but it was found to have some disastrous results when such a configuration was poorly understood. Scary consequences, like a fuel gas valve remaining open when its temperature controller was no longer getting updates, persuaded many end users to simply default to all I/O going to the shelf or to a no-power state. Bumpless initial conditions recovery from a loss of communications from the host was also uncertain—no one was really sure the recovery would be smooth.
Bumpless recovery from a communications loss was solved by fieldbus, which employed mode shedding and recovery for many of its connected function blocks, especially those connecting to final control elements. Setpoints to an output block and feedback from it included messages buried in its status—the other characteristic of a digital fieldbus signal besides its numerical value. This facilitated a smooth re-initialization of the controller.
So at least three important and valuable aspects of two-wire fieldbus were demonstrated by the unplanned experiment: 1) field power to devices was maintained despite the absence of a functioning interface; 2) field devices had configurable behavior upon loss of communications, which contributed to overall control system robustness; and 3) provisions existed in the protocol to ensure bumpless initialization on resumption of communications. In our eagerness to extend Ethernet to the field, we should ensure such properties of fieldbus are maintained.
It's not uncommon to employ media redundancy for traditional Ethernet when employed in applications requiring high availability, like process controls. It’s interesting to contemplate how frequently there’s a demand to switch to the backup network. Ring topologies are not as easy to deploy, and special hardware is needed to facilitate a switch to the backup or reverse path. The network appliance needed to make the ring reverse may itself needs to be redundant. Is it? Is it hot-swappable? Indeed, with field Ethernet networks, our concerns shift from the media itself to the many active devices and transducers needed to make it function. The media may remain unbroken, but the copper-to-fiber converter—or the non-redundant power supply supporting it—may fail.
Achieving fieldbus-like fault tolerance for two-wire Ethernet should likewise focus on its most vulnerable components. I would argue it isn’t the media (two-wire twisted pair copper) but the switches and power supplies through which we might connect dozens of field devices. “Etherbus” field devices need to ride out network disruptions in a manner that permits recovery without adversely impacting the process we’re monitoring and controlling. Like old H1 fieldbus, thoughtful accommodations for fault tolerance, robustness and bumpless recovery from most network faults are critical for adoption.
