Fieldbus systems offer many advantages to process companies, not the least of which is the elimination of “home run” wiring and the snake’s nest of twisted-pair wiring in field-mounted marshalling cabinets. Fieldbus eliminates all this because it allows up to 32 devices to be wired together over a single twisted-pair digital “network” or segment.
However, fieldbus systems present a problem: What happens if the segment cable or the power conditioner driving the segment cable fails? Depending on where the failure occurs, the entire segment, with all 32 devices, could go down. An entire process unit could then go offline.
One answer is to provide redundancy wherever possible, to ensure that any single failure cannot take down an entire process unit. Redundancy can be employed in two basic ways:
- Redundant power conditioners
- Redundant trunks
A redundant power conditioner has two power conditioners, both powered by a load-sharing pair of 24Vdc power supplies. Such a system can survive the failure of either 24Vdc power supply or either power conditioner. If a failure occurs, the unit automatically and bumplessly switches all load to the backup unit. It also has an alarm output to indicate that a failure has occurred. If any of the individual modules fail, replacements can be “hot swapped” into place without shutting down the segment.
The power conditioner modules plug into a DIN carrier, which can accommodate four or eight modules, to provide redundant power for two or four fieldbus segments. For a redundant configuration, each pair of power conditioner modules requires two power supply inputs and one connection to the fieldbus segment. Installation is not difficult, because a redundant power conditioner requires no changes to be made to the fieldbus segment, device couplers or interface card.
However, in most cases (depending on the vendor), the DIN carrier can accommodate simplex (non-redundant) or duplex (redundant) power conditioners, but not both. That is, you cannot mix redundant and non-redundant power conditioners in the same DIN carrier. Therefore, when determining which critical fieldbus segments will have redundant power conditioners, take care to plan fieldbus wiring so that the critical segments are routed to the proper DIN carrier.
Redundant Trunks
In a critical process segment, it may be necessary to provide redundancy on the main segment cable or “trunk.” This protects a process unit from going down if something happens to the main cable, such as a forklift running over the cable, water getting into the conduit, or any of a host of problems that can occur in the field. If the system can be switched to a backup or redundant segment, then the process can continue operating.
It is important to note that fieldbus instruments can continue to operate by themselves if communication to the host DCS is lost. In FF installations, the field devices can talk to each other, and continue monitoring and control operations according to the last setpoints provided by the DCS. However, they cannot continue to operate if the trunk cable is broken, because the cable provides power to the instruments.
One way to provide redundancy is to duplicate the entire segment. This requires a duplicate interface card (such as an H1 card for FF), a duplicate power conditioner, duplicate cable, duplicate device coupler, and duplicate field instruments. When one segment fails, the DCS switches over to the backup segment.
While this is an extremely expensive hardware solution, it does provide redundancy for every device in the segment. No matter what fails, a backup exists. To install such a system, you must determine the conditions that will cause the DCS to switch segments, and program the DCS accordingly. Check with your DCS vendor to make sure the DCS can identify a segment failure. Some DCSes can only determine that an interface card failed.
If this is the case, you must devise some way of determining that a segment failed. It is possible to set up a software scheme that periodically polls the fieldbus devices, asking for device status. If none of the devices respond, the software could conclude that the segment has failed, and call for the DCS to switch to the backup segment. However, maintenance procedures then become very complex, with special overrides to cater for out-of-service devices, etc.
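The polling scheme described above, including the out-of-service overrides that complicate maintenance, can be sketched as follows. This is an added example, not code from the article or from any DCS vendor: the device tags, the `fail_after` threshold of consecutive silent cycles, and the state names are assumptions, and the caller is expected to supply the set of tags that answered each status poll.

```python
from dataclasses import dataclass, field

@dataclass
class SegmentMonitor:
    devices: set                                        # tags expected on the segment
    out_of_service: set = field(default_factory=set)    # maintenance overrides
    fail_after: int = 3       # assumption: silent poll cycles required before switchover
    silent_cycles: int = 0

    def evaluate(self, responded):
        """Classify one poll cycle; `responded` holds the tags that returned a status."""
        responded = set(responded) & self.devices
        in_service = self.devices - self.out_of_service
        missing = in_service - responded
        if responded:
            # Any reply, even from an overridden device, proves the trunk is powered.
            self.silent_cycles = 0
            return ("DEVICE_FAULT" if missing else "OK"), missing
        if not in_service:
            # Everything is overridden, so silence says nothing about the trunk.
            return "UNKNOWN", missing
        self.silent_cycles += 1
        state = "SEGMENT_FAILED" if self.silent_cycles >= self.fail_after else "SUSPECT"
        return state, missing

def demo():
    """Run constructed poll results through the monitor and return the states."""
    mon = SegmentMonitor(devices={"FT-101", "PT-102", "TT-103", "FV-104"},
                         out_of_service={"TT-103"})
    cycles = [
        {"FT-101", "PT-102", "FV-104"},  # TT-103 silent but overridden
        {"FT-101", "FV-104"},            # PT-102 alone stops answering
        set(), set(), set(),             # nothing answers: trunk or power lost
    ]
    return [mon.evaluate(c)[0] for c in cycles]

if __name__ == "__main__":
    print(demo())
```

Only the `SEGMENT_FAILED` state should trigger a request to switch to the backup segment; `DEVICE_FAULT` points at individual instruments while the trunk is still alive.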
An alternative method is to use a fault-tolerant segment with parallel interface cards, parallel power conditioners, dual trunks and one field device coupler. This eliminates the need to duplicate field instruments and avoids difficult maintenance issues, while still improving the segment MTTF by between 7 and 10 times, at virtually no extra cost. The power conditioners determine when a cable break occurs, cut power to the failed trunk, and use the backup cable immediately. This “fault-tolerant” approach simplifies installation, because it does not require any special programming of the DCS.
When the fault-tolerant system detects a cable break, it deprives the H1 card of power, so the DCS knows that a failure occurred and can switch to the backup H1 card. It also gets an alarm from the power supply, indicating that a failure occurred. And, because the power conditioners have Auto-Termination capability, the proper segment termination is set automatically.
The fault-tolerant system does not require any other special hardware; in fact, the DIN-rail power conditioner modules can be installed in the same DIN rack as conventional modules.
No special installation wiring is necessary in the field. It is probably advisable to route the two segment cables differently, so that the same physical incident, such as a wayward forklift, does not take out both cables at the same time.
If a certain type of field instrument is prone to failure, a redundant instrument can be installed, and wired into any spare spur on the device coupler. The DCS, of course, has to be configured accordingly, so it recognizes a device failure and knows to switch to the backup instrument.
Working in Hazardous Areas
Three methods are available for installing fieldbus in hazardous areas:
- Intrinsically safe systems
- Explosionproof cabinets
- Nonincendive equipment
Intrinsically safe (I.S.) circuit designs limit the electrical energy at the device to a level below the explosive limits of the environment and remain safe with a component failure. An intrinsically safe circuit, as defined by the NEC, is “a circuit in which any spark or any thermal effect is incapable of causing ignition of a mixture of flammable or combustible material in air under prescribed test conditions.” An I.S. circuit uses a safety device such as a safety barrier to limit the power in the hazardous environment and, because I.S. is considered to be very safe, this type of system can be worked on while energized without gas clearance testing (commonly referred to as a “hot work permit”).
An explosion proof design and installation (flameproof/Exd in Europe) requires that if a fuel were ignited inside the device enclosure, the enclosure will contain the energy of ignition and disperse it into the classified area at a level low enough to prevent a secondary ignition from occurring outside the enclosure. Explosion proof designs require special installation methods, as well as requiring the electrical devices and enclosures to be rated explosion proof (NEMA 7/9) for the proper area classification. This type of system cannot be worked on while energized without a gas clearance certificate.
A nonincendive circuit, as defined by the NEC, is “a circuit, other than field wiring, in which any arc or thermal effect produced under intended operating conditions of the equipment is not capable, under specified test conditions, of igniting the flammable gas-air, vapor-air or dust-air mixture.” Nonincendive circuit designs do not take component failure into consideration, thereby offering a reduced level of safety by comparison to the intrinsically safe circuit design, and are therefore only allowable in Division 2/Zone 2. There are two fundamental types: non-arcing, which cannot be worked on whilst energized without gas clearance testing, and energy-limited, which is more like a poor man’s I.S. and can be disconnected ‘live.’
While all three methods have been used for fieldbus installations, the most popular, especially in Europe, is intrinsic safety. One might consider that this is an historical hangover; I.S. systems were great for analog electronic modules that needed frequent access in the field and for the adjustment of limit switches on valves. Fieldbus devices have no physical adjustments accessible in the field or otherwise, and all changes are made through the segment communications, so putting yourself through the pain of I.S. fieldbus (and it can be very painful indeed) is not necessary at all! However, company specifications don’t always follow technology very fast so we will describe how to minimize that heartache.
Installing Intrinsically Safe Systems
Intrinsically safe methods for fieldbus include:
- Entity
- FISCO
- Split Architecture Entity
An Entity system requires “barriers;” that is, devices that limit the amount of current that can enter the hazardous area. In general, Entity systems are highly reliable, especially when based on simple resistive current-limiting. Intrinsically-safe fieldbus was originally based on the FOUNDATION fieldbus FF816 specification, which allowed Entity parameters for field devices to be at least 24V/250mA/1.2W. These barriers allow about 80mA for Gas Groups A, B, C, D (NEC)/II (IEC), or four devices per segment.
The major problem in installing an Entity system is the large number of barriers required, and the amount of cabinet space required in the “safe area”. Because each barrier can work with only four fieldbus devices, this requires a large number of fieldbus segments. For example, a conventional (non-hazardous) segment with 16 x 20mA fieldbus devices would have to be separated into four segments in a hazardous area. Each segment requires an H1 or PA interface card, power supply/conditioner, barrier, trunk cable and a device coupler.
FISCO (Fieldbus Intrinsically Safe Concept) provides 115mA, allowing a FISCO power supply to power about five conventional 20mA fieldbus devices. WARNING! WARNING! Some FISCO fieldbus devices are designed to take lower current (12mA or 15mA) and some less-scrupulous manufacturers use that value to claim that FISCO systems drive more devices; however, be aware that less current usually means less capability in the devices themselves.
FISCO also introduces a drawback: the complexity of the FISCO electronic current-limiting design itself and the requirement to have multiple such circuits in series (current-limiting must still be available even if a circuit fails in an unsafe way) means that the overall MTTF of these units is much lower than users might expect. FISCO systems are also much more expensive because of the high cost of the FISCO power supplies and fieldbus devices.
Installation of FISCO is similar to an Entity system: the FISCO power supplies are mounted in the safe area. The rules for using FISCO allow only 1000m (3250 ft) of cable in total and only 60m (195ft) spurs, about half that of a ‘normal’ fieldbus. This should not pose a problem in most installations, because of the limited number of devices on each segment.
A split-architecture system puts part of the barrier in an isolator and part of it in each of the spurs of a field-mounted device coupler. By splitting the intrinsically safe current-limiting method in this way, the system can put a full 350mA on the trunk that leads into hazardous areas with Gas Groups C&D, and still have intrinsically-safe spurs that match FF816 Group A&B approved devices. This overcomes both the FISCO and conventional Entity restrictions on available current. Up to 16 devices can be put on a segment, nearly four times as many as an Entity or FISCO system.
Installation is much simpler, because fewer devices and segments are required. In general, a split-architecture system requires only 25% of the cabinet space of an Entity or FISCO system.
One problem you may encounter during installation is incompatibility of conventional and FISCO devices. In previous implementations, the split-architecture design has been based on device Entity parameters of 24V, 250mA and 1.2W (values which the I.S. power supply must guarantee not to exceed and which are specified in IEC61158-2 and associated documents). FISCO devices, on the other hand, are associated with Entity values of 17.5V, 380mA and 3.8W, so it has not been possible for Entity systems to easily demonstrate compatibility and safety with FISCO devices. This had become an issue with some device manufacturers who have specified FISCO approvals for their devices but not Entity approvals, and with some older devices which have Entity approvals but not FISCO.
A recent enhancement in split-architecture systems is the incorporation of FISCO-compatibility at the field device coupler. Having FISCO and Entity compatibility at the device coupler in a split-architecture design enables all users to implement intrinsically safe fieldbus with any desired mix of approved devices without the limitations in cable lengths and reduction in MTBF that result from a pure FISCO system.
Removing and Replacing Instruments
Maintenance people want to be able to remove devices from fieldbus segments in hazardous areas without turning off the whole segment, and without going through complex disconnection procedures and mechanical interlocks, if they can be avoided.
In Zone 1 applications, simply specify a device coupler approved for Zone 1 that also has a magnetic interlock on each spur. The technician puts the key in the slot, which isolates the spur, and makes it accessible for re-wiring without shutting down the segment. This works particularly well if IEC/AEx standards are being followed, since that particular device coupler can fit inside a low-cost GRP enclosure (Exe/AExe approved) with spurs fully accessible in Zone 1. Some device couplers are designed and approved for use in Zone 1 and Zone 2 with flameproof Exd devices.
For flameproof Division 1 applications, live de-mateable plug/socket combinations are available from many manufacturers. If an application demands live exposure in Division 1 or connection into Zone 0, then field barriers can be used which allow intrinsically-safe (I.S.) spurs to be attached to the non-intrinsically safe trunk.
Cost issues involve the amount of time a maintenance technician must spend removing and replacing instruments. If the process is laborious, it might take hours to follow all the safety procedures. If the process simply requires a key, then an instrument can be disconnected in a few seconds.
Many of the installation headaches discussed in this two-part article can be minimized through careful selection of fieldbus equipment at the beginning of the project.


